contrast-agent 6.6.3 → 6.7.0

data/lib/contrast/agent/protect/rule/deserialization.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/protect/rule/base'
+require 'contrast/agent/reporting/details/untrusted_deserialization_details'
 require 'contrast/components/logger'
 
 module Contrast
@@ -68,9 +69,10 @@ module Contrast
           # Per the spec, this rule applies regardless of input. Only the mode
           # of the rule and code exclusions apply at this point.
           # @return [Boolean] should the rule apply to this call.
-          def infilter? _context
+          def infilter? context
             return false unless enabled?
             return false if protect_excluded_by_code?
+            return false if protect_excluded_by_url?(context)
 
             true
           end
@@ -116,7 +118,7 @@ module Contrast
             ia_result = build_evaluation(gadget_command)
             result = build_attack_with_match(context, ia_result, nil, gadget_command, **kwargs)
             append_to_activity(context, result)
-            cef_logging(result, :successful_attack, gadget_command)
+            cef_logging(result, :successful_attack, value: gadget_command)
             raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
           end
 
@@ -135,13 +137,13 @@ module Contrast
           #   to render this attack event in TeamServer.
           def build_sample context, input_analysis_result, _candidate_string, **kwargs
             sample = build_base_sample(context, input_analysis_result)
-            sample.untrusted_deserialization = Contrast::Api::Dtm::UntrustedDeserializationDetails.new
+            sample.details = Contrast::Agent::Reporting::Details::UntrustedDeserializationDetails.new
 
             deserializer = Contrast::Utils::StringUtils.protobuf_safe_string(kwargs[:GADGET_TYPE])
-            sample.untrusted_deserialization.deserializer = deserializer
+            sample.details.deserializer = deserializer
 
             command = !!kwargs[:COMMAND_SCOPE]
-            sample.untrusted_deserialization.command = command
+            sample.details.cmd = command
 
             sample
           end

data/lib/contrast/agent/protect/rule/path_traversal.rb

@@ -3,6 +3,8 @@
 
 require 'contrast/agent/protect/rule/base_service'
 require 'contrast/utils/stack_trace_utils'
+require 'contrast/agent/reporting/details/path_traversal_details'
+require 'contrast/agent/reporting/details/path_traversal_semantic_analysis_details'
 
 module Contrast
   module Agent
@@ -48,7 +50,7 @@ module Contrast
             append_to_activity(context, result)
             return unless blocked?
 
-            cef_logging(result, :successful_attack, path)
+            cef_logging(result, :successful_attack)
             raise(Contrast::SecurityException.new(self,
                                                   "Path Traversal rule triggered. Call to File.#{ method } blocked."))
           end
@@ -65,9 +67,9 @@ module Contrast
           # evaluation
           def build_sample context, input_analysis_result, path, **_kwargs
             sample = build_base_sample(context, input_analysis_result)
-            sample.path_traversal = Contrast::Api::Dtm::PathTraversalDetails.new
+            sample.details = Contrast::Agent::Reporting::Details::PathTraversalDetails.new
             path ||= input_analysis_result.value
-            sample.path_traversal.path = Contrast::Utils::StringUtils.protobuf_safe_string(path)
+            sample.details.path = Contrast::Utils::StringUtils.protobuf_safe_string(path)
             sample
           end
 
@@ -76,17 +78,17 @@ module Contrast
           # Build a subclass of the RaspRuleSample if the sample matches
           def build_rep_sample context, path
             sample = build_base_sample(context, nil)
-            sample.path_traversal_semantic = Contrast::Api::Dtm::PathTraversalSemanticAnalysisDetails.new
+            sample.details = Contrast::Agent::Reporting::Details::PathTraversalSemanticAnalysisDetails.new
             path = Contrast::Utils::StringUtils.protobuf_safe_string(path)
-            sample.path_traversal_semantic.path = path
+            sample.details.path = path
 
             if custom_code_access_sysfile_enabled? && custom_code_accessing_system_file?(path)
-              sample.path_traversal_semantic.findings << :CUSTOM_CODE_ACCESSING_SYSTEM_FILES
+              sample.details.findings << :CUSTOM_CODE_ACCESSING_SYSTEM_FILES
               return sample
             end
 
             if common_file_exploits_enabled? && contains_known_attack_signatures?(path)
-              sample.path_traversal_semantic.findings << :COMMON_FILE_EXPLOITS
+              sample.details.findings << :COMMON_FILE_EXPLOITS
               return sample
             end
 

data/lib/contrast/agent/protect/rule/sql_sample_builder.rb

@@ -3,6 +3,8 @@
 
 require 'contrast/agent/protect/rule/base'
 require 'contrast/agent/protect/rule/base_service'
+require 'contrast/agent/reporting/details/sqli_details'
+require 'contrast/agent/reporting/details/no_sqli_details'
 
 module Contrast
   module Agent
@@ -18,16 +20,16 @@ module Contrast
           # @candidate_string [String] the value of the input which may be an attack
           # @kwargs [Hash] key - value pairs of context individual rules need to build out details
           #   to send to the Service to tell the story of the attack
-          # @return [Contrast::Api::Dtm::RaspRuleSample] the sample from this attack
+          # @return [Contrast::Agent::Reporting::RaspRuleSample] the sample from this attack
           module SqliSample
             def build_sample context, input_analysis_result, candidate_string, **kwargs
               sqli_sample = build_base_sample(context, input_analysis_result)
-              sqli_sample.sqli = Contrast::Api::Dtm::SqlInjectionDetails.new
-              sqli_sample.sqli.query = Contrast::Utils::StringUtils.protobuf_safe_string(candidate_string)
-              sqli_sample.sqli.start_idx = kwargs[:start_idx]
-              sqli_sample.sqli.end_idx = kwargs[:end_idx]
-              sqli_sample.sqli.boundary_overrun_idx = kwargs[:boundary_overrun_idx].to_i
-              sqli_sample.sqli.input_boundary_idx = kwargs[:input_boundary_idx].to_i
+              sqli_sample.details = Contrast::Agent::Reporting::Details::SqliDetails.new
+              sqli_sample.details.query = Contrast::Utils::StringUtils.protobuf_safe_string(candidate_string)
+              sqli_sample.details.start_idx = kwargs[:start_idx]
+              sqli_sample.details.end_idx = kwargs[:end_idx]
+              sqli_sample.details.boundary_overrun_idx = kwargs[:boundary_overrun_idx].to_i
+              sqli_sample.details.input_boundary_idx = kwargs[:input_boundary_idx].to_i
               sqli_sample
             end
           end
@@ -41,16 +43,16 @@ module Contrast
           # @candidate_string [String] the value of the input which may be an attack
           # @kwargs [Hash] key - value pairs of context individual rules need to build out details
           #   to send to the Service to tell the story of the attack
-          # @return [Contrast::Api::Dtm::RaspRuleSample] the sample from this attack
+          # @return [Contrast::Agent::Reporting::RaspRuleSample] the sample from this attack
           module NoSqliSample
             def build_sample context, input_analysis_result, candidate_string, **kwargs
               no_sqli_sample = build_base_sample(context, input_analysis_result)
-              no_sqli_sample.no_sqli = Contrast::Api::Dtm::NoSqlInjectionDetails.new
-              no_sqli_sample.no_sqli.query = Contrast::Utils::StringUtils.protobuf_safe_string(candidate_string)
-              no_sqli_sample.no_sqli.start_idx = kwargs[:start_idx].to_i
-              no_sqli_sample.no_sqli.end_idx = kwargs[:end_idx].to_i
-              no_sqli_sample.no_sqli.boundary_overrun_idx = kwargs[:boundary_overrun_idx].to_i
-              no_sqli_sample.no_sqli.input_boundary_idx = kwargs[:input_boundary_idx].to_i
+              no_sqli_sample.details = Contrast::Agent::Reporting::Details::NoSqliDetails.new
+              no_sqli_sample.details.query = Contrast::Utils::StringUtils.protobuf_safe_string(candidate_string)
+              no_sqli_sample.details.start_idx = kwargs[:start_idx].to_i
+              no_sqli_sample.details.end_idx = kwargs[:end_idx].to_i
+              no_sqli_sample.details.boundary_overrun_idx = kwargs[:boundary_overrun_idx].to_i
+              no_sqli_sample.details.input_boundary_idx = kwargs[:input_boundary_idx].to_i
               no_sqli_sample
             end
           end

data/lib/contrast/agent/protect/rule/sqli/sqli_base_rule.rb

@@ -0,0 +1,51 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This is the Base Rule
+        class SqliBaseRule < Contrast::Agent::Protect::Rule::BaseService
+          include Contrast::Components::Logger::InstanceMethods
+          include Contrast::Agent::Reporting::InputType
+
+          BLOCK_MESSAGE = 'SQLi rule triggered. Response blocked.'
+
+          APPLICABLE_USER_INPUTS = [
+            BODY, COOKIE_NAME, COOKIE_VALUE, HEADER,
+            PARAMETER_NAME, PARAMETER_VALUE, JSON_VALUE,
+            MULTIPART_VALUE, MULTIPART_FIELD_NAME,
+            XML_VALUE, DWR_VALUE
+          ].cs__freeze
+
+          class << self
+            # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
+            # @return [Hash] the details for this specific rule
+            def extract_details attack_sample
+              {
+                  start: attack_sample.sqli.start_idx,
+                  end: attack_sample.sqli.end_idx,
+                  boundaryOverrunIndex: attack_sample.sqli.boundary_overrun_idx,
+                  inputBoundaryIndex: attack_sample.sqli.input_boundary_idx,
+                  query: attack_sample.sqli.query
+              }
+            end
+          end
+
+          def infilter context, database, query_string
+            return unless infilter?(context)
+
+            result = find_attacker(context, query_string, database: database)
+            return unless result
+
+            append_to_activity(context, result)
+
+            cef_logging(result, :successful_attack)
+            raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/sqli/sqli_semantic/sqli_dangerous_functions.rb

@@ -0,0 +1,67 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/details/sqli_dangerous_functions'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This class will include the check for SQL Injection Semantic Dangerous Functions
+        class SqliDangerousFunctions < Contrast::Agent::Protect::Rule::SqliBaseRule
+          NAME = 'sql-injection-semantic-dangerous-functions'
+          BLOCK_MESSAGE = 'SQLi Semantic Dangerous Functions rule triggered. Response blocked.'
+
+          SQL_DANGEROUS_FUNCTIONS = %w[unhex waitfor xp_cmdshell exec].cs__freeze
+
+          def rule_name
+            NAME
+          end
+
+          def infilter context, query_string
+            return unless infilter?(context)
+            return unless violated?(query_string)
+
+            result = build_violation(context, query_string)
+            return unless result
+
+            append_to_activity(context, result)
+
+            cef_logging(result, :successful_attack)
+            raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
+          end
+
+          protected
+
+          def violated? attack_string
+            SQL_DANGEROUS_FUNCTIONS.any? { |dang_func| attack_string.downcase.include?(dang_func) }
+          end
+
+          def build_violation context, potential_attack_string
+            result = build_attack_result(context)
+            update_successful_attack_response(context, nil, result, potential_attack_string)
+            append_sample(context, nil, result, potential_attack_string)
+            result
+          end
+
+          # Override if rule can make use of the candidate string or kwargs to
+          # build rasp rule sample.
+          def build_sample context, ia_result, candidate_string, **_kwargs
+            sample = build_base_sample(context, nil)
+            sample.details = Contrast::Agent::Reporting::Details::SqliDangerousFunctions.new
+            sample.details.query = candidate_string
+
+            if ia_result.nil?
+              ui = Contrast::Agent::Reporting::UserInput.new
+              ui.input_type = :UNKNOWN
+              ui.value = candidate_string
+              sample.user_input = ui
+            end
+
+            sample
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/sqli.rb

@@ -5,13 +5,15 @@ require 'contrast/agent/protect/rule/base_service'
 require 'contrast/agent/protect/policy/applies_sqli_rule'
 require 'contrast/agent/protect/rule/sql_sample_builder'
 require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/agent/protect/rule/sqli/sqli_base_rule'
+require 'contrast/agent/protect/rule/sqli/sqli_semantic/sqli_dangerous_functions'
 
 module Contrast
   module Agent
     module Protect
       module Rule
         # The Ruby implementation of the Protect SQL Injection rule.
-        class Sqli < Contrast::Agent::Protect::Rule::BaseService
+        class Sqli < Contrast::Agent::Protect::Rule::SqliBaseRule
           # Generate a sample for the SQLI injection detection rule, allowing for reporting to and rendering
           # by TeamServer
           include SqlSampleBuilder::SqliSample
@@ -22,28 +24,9 @@ module Contrast
             include Contrast::Agent::Reporting::InputType
           end
 
-          APPLICABLE_USER_INPUTS = [
-            BODY, COOKIE_NAME, COOKIE_VALUE, HEADER,
-            PARAMETER_NAME, PARAMETER_VALUE, JSON_VALUE,
-            MULTIPART_VALUE, MULTIPART_FIELD_NAME,
-            XML_VALUE, DWR_VALUE
-          ].cs__freeze
           NAME = 'sql-injection'
-          BLOCK_MESSAGE = 'SQLi rule triggered. Response blocked.'
 
-          class << self
-            # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
-            # @return [Hash] the details for this specific rule
-            def extract_details attack_sample
-              {
-                  start: attack_sample.sqli.start_idx,
-                  end: attack_sample.sqli.end_idx,
-                  boundaryOverrunIndex: attack_sample.sqli.boundary_overrun_idx,
-                  inputBoundaryIndex: attack_sample.sqli.input_boundary_idx,
-                  query: attack_sample.sqli.query
-              }
-            end
-          end
+          SUB_RULES = [Contrast::Agent::Protect::Rule::SqliDangerousFunctions.new].cs__freeze
 
           def rule_name
             NAME
@@ -53,16 +36,8 @@ module Contrast
             BLOCK_MESSAGE
           end
 
-          def infilter context, database, query_string
-            return unless infilter?(context)
-
-            result = find_attacker(context, query_string, database: database)
-            return unless result
-
-            append_to_activity(context, result)
-
-            cef_logging(result, :successful_attack, query_string)
-            raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
+          def sub_rules
+            SUB_RULES
           end
         end
       end

data/lib/contrast/agent/protect/rule/xxe.rb

@@ -2,6 +2,9 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/protect/rule/base'
+require 'contrast/agent/reporting/details/xxe_details'
+require 'contrast/agent/reporting/details/xxe_match'
+require 'contrast/agent/reporting/details/xxe_wrapper'
 require 'contrast/utils/timer'
 require 'contrast/components/logger'
 
@@ -56,13 +59,15 @@ module Contrast
           # @raise [Contrast::SecurityException] Security exception if an XXE
           #   attack is found and the rule is in block mode.
           def infilter context, framework, xml
+            return if protect_excluded_by_url?(context)
+
             result = find_attacker(context, xml, framework: framework)
             return unless result
 
             append_to_activity(context, result)
             return unless blocked?
 
-            cef_logging(result, :successful_attack, xml)
+            cef_logging(result, :successful_attack, value: xml)
             raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE))
           end
 
@@ -105,7 +110,7 @@ module Contrast
               entity_wrapper = Contrast::Agent::Protect::Rule::Xxe::EntityWrapper.new(ss.matched)
               next unless entity_wrapper.external_entity?
 
-              xxe_details ||= Contrast::Api::Dtm::XxeDetails.new
+              xxe_details ||= Contrast::Agent::Reporting::Details::XxeDetails.new
               xxe_details.declared_entities << build_match(ss)
               xxe_details.entities_resolved << build_wrapper(entity_wrapper)
             end
@@ -119,12 +124,12 @@ module Contrast
           def build_sample context, ia_result, _url, **kwargs
             sample = build_base_sample(context, ia_result)
             sample.user_input = build_user_input(ia_result)
-            sample.xxe = kwargs[:details]
+            sample.details = kwargs[:details]
             sample
           end
 
           def build_user_input ia_result
-            input = Contrast::Api::Dtm::UserInput.new
+            input = Contrast::Agent::Reporting::UserInput.new
             input.key = INPUT_NAME
             input.input_type = :UNKNOWN
             input.document_type = :XML
@@ -146,14 +151,14 @@ module Contrast
           end
 
           def build_match string_scanner
-            match = Contrast::Api::Dtm::XxeMatch.new
+            match = Contrast::Agent::Reporting::Details::XxeMatch.new
             match.end_idx = string_scanner.pos.to_i
             match.start_idx = match.end_idx - string_scanner.matched_size
             match
           end
 
           def build_wrapper entity_wrapper
-            wrapper = Contrast::Api::Dtm::XxeWrapper.new
+            wrapper = Contrast::Agent::Reporting::Details::XxeWrapper.new
             wrapper.system_id = Contrast::Utils::StringUtils.protobuf_safe_string(entity_wrapper.system_id)
             wrapper.public_id = Contrast::Utils::StringUtils.protobuf_safe_string(entity_wrapper.public_id)
             wrapper

data/lib/contrast/agent/protect/rule.rb

@@ -28,12 +28,14 @@ require 'contrast/agent/protect/rule/sqli/default_sql_scanner'
 require 'contrast/agent/protect/rule/sqli/mysql_sql_scanner'
 require 'contrast/agent/protect/rule/sqli/postgres_sql_scanner'
 require 'contrast/agent/protect/rule/sqli/sqlite_sql_scanner'
+require 'contrast/agent/protect/rule/sqli/sqli_semantic/sqli_dangerous_functions'
 
 # The classes required for Path Traversal
 require 'contrast/agent/protect/rule/path_traversal'
 
-# The classes required for Command Injection
+# The classes required for Command Injection and sub-rules
 require 'contrast/agent/protect/rule/cmd_injection'
+require 'contrast/agent/protect/rule/cmdi/cmdi_backdoors'
 
 # The classes required for XXE
 require 'contrast/agent/protect/rule/xxe'

data/lib/contrast/agent/reporting/attack_result/attack_result.rb

@@ -57,6 +57,14 @@ module Contrast
         def tags= tags
           @_tags = tags if tags.is_a?(String)
         end
+
+        def details
+          @_details ||= {}
+        end
+
+        def details= protect_details
+          @_details = protect_details if protect_details.is_a?(Contrast::Agent::Reporting::Details::ProtectRuleDetails)
+        end
       end
     end
   end

data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb

@@ -4,48 +4,103 @@
 require 'contrast/utils/object_share'
 require 'contrast/utils/timer'
 require 'contrast/agent/reporting/attack_result/user_input'
+require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/agent/reporting/details/protect_rule_details'
 
 module Contrast
   module Agent
     module Reporting
       # This class will hold the new RaspRuleSample.
-      # protect rules.
-      class RaspRuleSample # rubocop:disable Lint/EmptyClass
-        # def timestamp
-        #   @_timestamp ||= 0
-        # end
+      # It is mainly used to build samples for each
+      # protect rule, and translate data from SP IA.
+      # It is not a reporting event.
+      class RaspRuleSample
+        # Any rules specific details
         #
-        # def timestamp= timestamp_ms
-        #   @_timestamp = timestamp_ms
-        # end
-        #
-        # def user_input
-        #   @_user_input ||= Contrast::Agent::Reporting::UserInput.new
-        # end
-        #
-        # def user_input= input
-        #   @_user_input = input if input.is_a?(Contrast::Agent::Reporting::UserInput)
-        # end
-        #
-        # def build context, ia_result
-        #   sample = self
-        #   sample.timestamp = context&.timer&.start_ms
-        #   sample.user_input = build_user_input_from_ia(ia_result)
-        #   sample.user_input.document_type = if context&.request
-        #                                       Contrast::Utils::StringUtils.force_utf8(context.request.document_type)
-        #                                     end
-        #   sample
-        # end
-        #
-        # def build_user_input_from_ia ia_result
-        #   user_input = Contrast::Agent::Reporting::UserInput.new
-        #   user_input.input_type = ia_result.input_type
-        #   user_input.matcher_ids = ia_result.ids
-        #   user_input.path = ia_result.path
-        #   user_input.key = ia_result.key if ia_result.key
-        #   user_input.value = ia_result.value if ia_result.value
-        #   user_input
-        # end
+        # @return [Contrast::Agent::Reporting::Details::ProtectRuleDetails, nil]
+        attr_accessor :details
+        # @return [Contrast::Agent::Reporting::Details::IpDenylistDetails, nil]
+        attr_accessor :ip_denylist
+        # @return [Contrast::Agent::Reporting::Details::VirtualPatchDetails, nil]
+        attr_accessor :virtual_patch
+
+        class << self
+          # @param context [Contrast::Agent::RequestContext]
+          # @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the analysis of the input that was
+          #   determined to be an attack
+          # @return [Contrast::Agent::Reporting::RaspRuleSample]
+          def build context, ia_result
+            sample = new
+            sample.time_stamp = context&.timer&.start_ms
+            sample.user_input = build_user_input_from_ia(ia_result)
+            sample.user_input.document_type = if context&.request
+                                                Contrast::Utils::StringUtils.force_utf8(context.request.document_type)
+                                              end
+            sample
+          end
+
+          # @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the analysis of the input that was
+          #   determined to be an attack
+          def build_user_input_from_ia ia_result
+            # TODO: RUBY-99999 remove once only using Agent IA
+            result = if ia_result.cs__is_a?(Contrast::Api::Settings::InputAnalysisResult)
+                       transform_ia_result(ia_result)
+                     else
+                       # Use Agent ia_result
+                       ia_result
+                     end
+            user_input = Contrast::Agent::Reporting::UserInput.new
+            return user_input unless result
+
+            user_input.input_type = result.input_type
+            user_input.matcher_ids = result.ids
+            user_input.path = result.path
+            user_input.key = result.key if result.key
+            user_input.value = result.value if result.value
+            user_input
+          end
+
+          # @param [Contrast::Api::Settings::InputAnalysisResult]
+          # @return [Contrast::Agent::Reporting::InputAnalysisResult]
+          def transform_ia_result dtm_ia_result
+            ia_result = Contrast::Agent::Reporting::InputAnalysisResult.new
+            ia_result.input_type = Contrast::Agent::Reporting::InputType.to_a.find do |value|
+              value == dtm_ia_result.input_type.name # rubocop:disable Security/Module/Name
+            end
+            ia_result.score_level = dtm_ia_result.score_level.name # rubocop:disable Security/Module/Name
+            ia_result.value = dtm_ia_result.value
+            ia_result.key = dtm_ia_result.key
+            ia_result.path = dtm_ia_result.path
+            ia_result.rule_id = dtm_ia_result.rule_id
+            ia_result.attack_count = dtm_ia_result.attack_count
+            ia_result.ids = dtm_ia_result.ids
+            ia_result
+          end
+        end
+
+        def time_stamp
+          @_time_stamp ||= Contrast::Agent::REQUEST_TRACKER.current&.timer&.start_ms || 0
+        end
+
+        def time_stamp= timestamp_ms
+          @_time_stamp = timestamp_ms
+        end
+
+        def user_input
+          @_user_input ||= Contrast::Agent::Reporting::UserInput.new
+        end
+
+        def user_input= input
+          @_user_input = input if input.is_a?(Contrast::Agent::Reporting::UserInput)
+        end
+
+        def to_controlled_hash
+          {
+              timeStamp: Time.at(time_stamp).iso8601,
+              userInput: user_input.to_controlled_hash,
+              details: details&.to_controlled_hash
+          }
+        end
       end
     end
   end

data/lib/contrast/agent/reporting/attack_result/user_input.rb

@@ -81,6 +81,17 @@ module Contrast
         def matcher_ids= ids
           @_matcher_ids = ids if ids.is_a?(Array) && ids.any?(String)
         end
+
+        def to_controlled_hash
+          {
+              path: path,
+              key: key,
+              value: value,
+              inputType: input_type.to_s,
+              documentType: document_type.to_s,
+              matcherIds: matcher_ids&.map(&:to_s)
+          }
+        end
       end
     end
   end

data/lib/contrast/agent/reporting/details/bot_blocker_details.rb

@@ -0,0 +1,29 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/details/protect_rule_details'
+
+module Contrast
+  module Agent
+    module Reporting
+      module Details
+        # Bot blocker IA result details info.
+        class BotBlockerDetails < ProtectRuleDetails
+          # @return [String]
+          attr_accessor :bot
+          # User agent header value
+          #
+          # @return [String]
+          attr_accessor :user_agent
+
+          def to_controlled_hash
+            {
+                bot: bot,
+                userAgent: user_agent
+            }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/details/cmd_injection_details.rb

@@ -0,0 +1,30 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/details/protect_rule_details'
+
+module Contrast
+  module Agent
+    module Reporting
+      module Details
+        # CMDI IA result details info.
+        class CmdInjectionDetails < ProtectRuleDetails
+          # @return [String]
+          attr_accessor :cmd
+          # @return [Integer]
+          attr_accessor :start_idx
+          # @return [Integer]
+          attr_accessor :end_idx
+
+          def to_controlled_hash
+            {
+                command: cmd,
+                startIndex: start_idx,
+                endIndex: end_idx
+            }
+          end
+        end
+      end
+    end
+  end
+end