contrast-agent 6.7.0 → 6.8.0

data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb

@@ -4,14 +4,21 @@
 require 'contrast/agent/reporting/input_analysis/input_type'
 require 'contrast/agent/reporting/input_analysis/score_level'
 require 'contrast/agent/reporting/input_analysis/input_analysis'
+require 'contrast/agent/protect/rule/bot_blocker'
+require 'contrast/agent/protect/rule/bot_blocker/bot_blocker_input_classification'
+require 'contrast/agent/protect/rule/cmdi/cmdi_input_classification'
+require 'contrast/agent/protect/rule/no_sqli'
 require 'contrast/agent/protect/rule/no_sqli/no_sqli_input_classification'
 require 'contrast/agent/protect/rule/sqli/sqli_input_classification'
 require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification'
 require 'contrast/agent/protect/rule/unsafe_file_upload'
+require 'contrast/agent/protect/rule/path_traversal'
+require 'contrast/agent/protect/rule/path_traversal/path_traversal_input_classification'
+require 'contrast/agent/protect/rule/xss/reflected_xss_input_classification'
+require 'contrast/agent/protect/rule/xss'
+require 'contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification'
 require 'contrast/components/logger'
 require 'contrast/utils/object_share'
-require 'contrast/agent/protect/rule/cmdi/cmdi_input_classification'
-require 'contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification'
 require 'json'
 
 module Contrast
@@ -20,131 +27,143 @@ module Contrast
       # InputAnalyzer will extract input form current request context and will analyze it.
       # This will be used in for the SQLI and CMDI worth_watching_v2 implementations.
       module InputAnalyzer
-        # DISPOSITION_NAME = 'name'
-        # DISPOSITION_FILENAME = 'filename'
-        #
-        # class << self
-        #   include Contrast::Agent::Reporting::InputType
-        #   include Contrast::Agent::Reporting::ScoreLevel
-        #   include Contrast::Agent::Protect::Rule::SqliWorthWatching
-        #   include Contrast::Utils::ObjectShare
-        #   include Contrast::Agent::Protect::Rule::CmdiWorthWatching
-        #
-        #   PROTECT_RULES = {
-        #       sqli: {
-        #           rule_name: 'sql-injection',
-        #           classification: Contrast::Agent::Protect::Rule::SqliInputClassification
-        #       },
-        #       cmdi: {
-        #           rule_name: 'cmd-injection',
-        #           classification: Contrast::Agent::Protect::Rule::CmdiInputClassification
-        #       },
-        #       method_tampering: {
-        #           rule_name: 'method-tampering',
-        #           classification: Contrast::Agent::Protect::Rule::HttpMethodTamperingInputClassification
-        #       },
-        #       unsafe_file_upload: {
-        #           rule_name: 'unsafe-file-upload',
-        #           classification: Contrast::Agent::Protect::Rule::UnsafeFileUploadInputClassification
-        #       },
-        #       nosqli: {
-        #           rule_name: 'nosql-injection',
-        #           classification: Contrast::Agent::Protect::Rule::NoSqliInputClassification
-        #       }
-        #   }.cs__freeze
-        #
-        #   # This method with analyze the user input from the context of the
-        #   # current request and run each of the protect rules against all
-        #   # found input types
-        #   #
-        #   # @param request [Contrast::Agent::Request] current request context.
-        #   # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
-        #   def analyse request
-        #     return unless Contrast::PROTECT.enabled?
-        #     return if request.nil?
-        #
-        #     inputs = extract_input request
-        #     return unless inputs
-        #
-        #     input_analysis = Contrast::Agent::Reporting::InputAnalysis.new
-        #     input_analysis.request = request
-        #     # each rule against each input
-        #     input_classification inputs, input_analysis
-        #     input_analysis
-        #   end
-        #
-        #   private
-        #
-        #   # classify input by rule implementation of worth_watching_v2 for the rules supporting it.
-        #   #
-        #   # @param inputs [String, Array<String>] user input to be analysed.
-        #   # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Here we will keep all the results
-        #   #                                                       for each protect rule.
-        #   # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
-        #   def input_classification inputs, input_analysis
-        #     # key = input type, value = user_input
-        #     inputs.each do |input_type, value|
-        #       next if value.nil? || value.empty?
-        #
-        #       PROTECT_RULES.each do |_key, rule|
-        #         protect_rule = Contrast::PROTECT.rule(rule[:rule_name])
-        #         logger.debug("Rule #{ rule[:rule_name] } not recognised in Protect rules") if protect_rule.nil?
-        #
-        #         # check if rule is enabled
-        #         next unless protect_rule&.enabled?
-        #
-        #         # method tampering doesn't take value
-        #         if rule[:rule_name] == Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
-        #           rule[:classification].send(:classify, input_type, input_analysis)
-        #         else
-        #           rule[:classification].send(:classify, input_type, value, input_analysis)
-        #         end
-        #       end
-        #     end
-        #     input_analysis
-        #   end
-        #
-        #   # Extract the inputs from the request context and label them with Protect
-        #   # input type tags. Each tag will contain one or more user inputs.
-        #   #
-        #   # This methods is to be expanded and modified as needed by other Protect rules
-        #   # and sub-rules for their requirements.
-        #   #
-        #   # @param request [Contrast::Agent::Request] current request context.
-        #   # @return inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
-        #   def extract_input request
-        #     inputs = {}
-        #     inputs[BODY] = request.body
-        #     inputs[COOKIE_NAME] = request.cookies.keys
-        #     inputs[COOKIE_VALUE] = request.cookies.values
-        #     inputs[HEADER] = request.headers
-        #     inputs[PARAMETER_NAME] = request.parameters.keys
-        #     inputs[PARAMETER_VALUE] = request.parameters.values
-        #     inputs[QUERYSTRING] = request.query_string
-        #     inputs[METHOD] = request.request_method
-        #     extract_multipart inputs, request
-        #     inputs.compact!
-        #     inputs
-        #   end
-        #
-        #   # Extract the filename and name of the  Content Disposition Header.
-        #   #
-        #   # @param inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
-        #   # @param request [Contrast::Agent::Request] current request context.
-        #   def extract_multipart inputs, request
-        #     disposition = request.rack_request.env['Content-Disposition']
-        #     disposition = request.rack_request.env['CONTENT_DISPOSITION'] if disposition.nil? || disposition.empty?
-        #     return unless disposition
-        #
-        #     pairs = {}
-        #     disposition.split(SEMICOLON).each do |elem|
-        #       new_pair = elem.strip.split(EQUALS, 2)
-        #       pairs[new_pair[0].downcase] = new_pair[1] if new_pair
-        #     end
-        #     inputs[MULTIPART_NAME] = pairs[DISPOSITION_NAME]
-        #     inputs[MULTIPART_FIELD_NAME] = pairs[DISPOSITION_FILENAME]
-        #   end
-        # end
+        DISPOSITION_NAME = 'name'
+        DISPOSITION_FILENAME = 'filename'
+        DISPOSITION_KEYS = %w[Content-Disposition CONTENT_DISPOSITION].cs__freeze
+
+        class << self
+          include Contrast::Agent::Reporting::InputType
+          include Contrast::Agent::Reporting::ScoreLevel
+          include Contrast::Utils::ObjectShare
+          include Contrast::Components::Logger::InstanceMethods
+
+          PROTECT_RULES = {
+              sqli: {
+                  rule_name: 'sql-injection',
+                  classification: Contrast::Agent::Protect::Rule::SqliInputClassification
+              },
+              cmdi: {
+                  rule_name: 'cmd-injection',
+                  classification: Contrast::Agent::Protect::Rule::CmdiInputClassification
+              },
+              # method_tampering: {
+              #     rule_name: 'method-tampering',
+              #     classification: Contrast::Agent::Protect::Rule::HttpMethodTamperingInputClassification
+              # },
+              reflected_xss: {
+                  rule_name: Contrast::Agent::Protect::Rule::Xss::NAME,
+                  classification: Contrast::Agent::Protect::Rule::ReflectedXssInputClassification
+              },
+              bot_blocker: {
+                  rule_name: Contrast::Agent::Protect::Rule::BotBlocker::NAME,
+                  classification: Contrast::Agent::Protect::Rule::BotBlockerInputClassification
+              },
+              unsafe_file_upload: {
+                  rule_name: Contrast::Agent::Protect::Rule::UnsafeFileUpload::NAME,
+                  classification: Contrast::Agent::Protect::Rule::UnsafeFileUploadInputClassification
+              },
+              path_traversal: {
+                  rule_name: Contrast::Agent::Protect::Rule::PathTraversal::NAME,
+                  classification: Contrast::Agent::Protect::Rule::PathTraversalInputClassification
+              },
+              nosqli: {
+                  rule_name: Contrast::Agent::Protect::Rule::NoSqli::NAME,
+                  classification: Contrast::Agent::Protect::Rule::NoSqliInputClassification
+              }
+          }.cs__freeze
+
+          # This method with analyze the user input from the context of the
+          # current request and run each of the protect rules against all
+          # found input types
+          #
+          # @param request [Contrast::Agent::Request] current request context.
+          # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
+          def analyse request
+            return unless Contrast::PROTECT.enabled?
+            return if request.nil?
+
+            inputs = extract_input(request)
+            return unless inputs
+
+            input_analysis = Contrast::Agent::Reporting::InputAnalysis.new
+            input_analysis.request = request
+            # each rule against each input
+            input_classification(inputs, input_analysis)
+            input_analysis
+          end
+
+          private
+
+          # classify input by rule implementation of worth_watching_v2 for the rules supporting it.
+          #
+          # @param inputs [String, Array<String>] user input to be analysed.
+          # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Here we will keep all the results
+          #                                                       for each protect rule.
+          # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
+          def input_classification inputs, input_analysis
+            # key = input type, value = user_input
+            inputs.each do |input_type, value|
+              next if value.nil? || value.empty?
+
+              PROTECT_RULES.each do |_key, rule|
+                protect_rule = Contrast::PROTECT.rule(rule[:rule_name])
+                logger.debug("Rule #{ rule[:rule_name] } not recognised in Protect rules") if protect_rule.nil?
+
+                # check if rule is enabled
+                next unless protect_rule&.enabled?
+
+                # method tampering doesn't take value
+                if rule[:rule_name] == Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
+                  rule[:classification].send(:classify, rule[:rule_name], input_type, input_analysis)
+                else
+                  rule[:classification].send(:classify, rule[:rule_name], input_type, value, input_analysis)
+                end
+              end
+            end
+            input_analysis
+          end
+
+          # Extract the inputs from the request context and label them with Protect
+          # input type tags. Each tag will contain one or more user inputs.
+          #
+          # This methods is to be expanded and modified as needed by other Protect rules
+          # and sub-rules for their requirements.
+          #
+          # @param request [Contrast::Agent::Request] current request context.
+          # @return inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
+          def extract_input request
+            inputs = {}
+            inputs[BODY] = request.body
+            inputs[COOKIE_NAME] = request.cookies.keys
+            inputs[COOKIE_VALUE] = request.cookies.values
+            inputs[HEADER] = request.headers
+            inputs[PARAMETER_NAME] = request.parameters.keys
+            inputs[PARAMETER_VALUE] = request.parameters.values
+            inputs[QUERYSTRING] = request.query_string
+            inputs[METHOD] = request.request_method
+            extract_multipart(inputs, request)
+            inputs.compact!
+            inputs
+          end
+
+          # Extract the filename and name of the  Content Disposition Header.
+          #
+          # @param inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
+          # @param request [Contrast::Agent::Request] current request context.
+          def extract_multipart inputs, request
+            disposition = request.rack_request.env[DISPOSITION_KEYS[0]]
+            disposition = request.rack_request.env[DISPOSITION_KEYS[1]] if disposition.nil? || disposition.empty?
+            return unless disposition
+
+            pairs = {}
+            disposition.split(SEMICOLON).each do |elem|
+              new_pair = elem.strip.split(EQUALS, 2)
+              pairs[new_pair[0].downcase] = new_pair[1] if new_pair
+            end
+            inputs[MULTIPART_NAME] = pairs[DISPOSITION_NAME]
+            inputs[MULTIPART_FIELD_NAME] = pairs[DISPOSITION_FILENAME]
+          end
+        end
       end
     end
   end

data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/protect/rule/path_traversal'
+require 'contrast/agent/protect/rule/path_traversal/path_traversal_semantic_security_bypass'
 require 'contrast/agent/protect/policy/rule_applicator'
 require 'contrast/utils/object_share'
 
@@ -27,6 +28,9 @@ module Contrast
               action = properties['action']
               write_marker = write?(action, *args)
               possible_write = write_marker && possible_write?(write_marker)
+
+              # Invoke semantic rules from here, not in a separate protect policy
+              invoke_semantic_rules(path, possible_write, object, method)
               path_traversal_rule(path, possible_write, object, method)
 
               # If the action was copy, we need to handle the write half of it.
@@ -37,6 +41,7 @@ module Contrast
               dst = args[1]
               return unless dst.is_a?(String)
 
+              invoke_semantic_rules(dst, true, object, method)
               path_traversal_rule(dst, true, object, method)
             end
 
@@ -75,6 +80,21 @@ module Contrast
               logger.error('Error applying path traversal', e, module: object.cs__class.cs__name, method: method)
             end
 
+            # @raise [Contrast::SecurityException] re-raises if some attack is blocked and raised from the infilter
+            def invoke_semantic_rules path, possible_write, object, method
+              return unless applies_to?(path, possible_write: possible_write)
+
+              rule.sub_rules.each do |sub_rule|
+                sub_rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, method, path)
+              end
+            rescue Contrast::SecurityException => e
+              raise(e)
+            rescue StandardError => e
+              logger.error('Error applying path traversal semantic rule', e,
+                           module: object.cs__class.cs__name,
+                           method: method)
+            end
+
             CS__SAFER_REL_PATHS = %w[public app log tmp].cs__freeze
             def safer_abs_paths
               @_safer_abs_paths ||= begin

data/lib/contrast/agent/protect/policy/rule_applicator.rb

@@ -66,7 +66,7 @@ module Contrast
             raise(NoMethodError, 'This is abstract, override it.')
           end
 
-          # The name of the rule, as expected by the Contrast Service and Contrast UI.
+          # The name of the rule, as expected by the Contrast UI.
           #
           # @return [String]
           # @raise [NoMethodError] This is abstract method

data/lib/contrast/agent/protect/rule/base.rb

@@ -4,7 +4,7 @@
 require 'contrast/components/logger'
 require 'contrast/components/scope'
 require 'contrast/utils/object_share'
-require 'contrast/api/decorators/response_type'
+require 'contrast/agent/reporting/attack_result/response_type'
 
 module Contrast
   module Agent
@@ -18,26 +18,18 @@ module Contrast
           include Contrast::Components::Logger::InstanceMethods
           include Contrast::Components::Scope::InstanceMethods
 
-          UNKNOWN_USER_INPUT = Contrast::Api::Dtm::UserInput.new.tap do |user_input|
-            user_input.input_type = :UNKNOWN
-          end
-
-          BLOCKING_MODES = Set.new([
-                                     Contrast::Api::Settings::ProtectionRule::Mode::BLOCK,
-                                     Contrast::Api::Settings::ProtectionRule::Mode::BLOCK_AT_PERIMETER
-                                   ]).cs__freeze
-          POSTFILTER_MODES = Set.new([
-                                       Contrast::Api::Settings::ProtectionRule::Mode::BLOCK,
-                                       Contrast::Api::Settings::ProtectionRule::Mode::PERMIT,
-                                       Contrast::Api::Settings::ProtectionRule::Mode::MONITOR
-                                     ]).cs__freeze
+          BLOCKING_MODES = Set.new(%i[BLOCK BLOCK_AT_PERIMETER]).cs__freeze
+          POSTFILTER_MODES = Set.new(%i[BLOCK MONITOR]).cs__freeze
           STACK_COLLECTION_RESULTS = Set.new([
-                                               Contrast::Api::Dtm::AttackResult::ResponseType::BLOCKED,
-                                               Contrast::Api::Dtm::AttackResult::ResponseType::MONITORED
+                                               Contrast::Agent::Reporting::ResponseType::BLOCKED,
+                                               Contrast::Agent::Reporting::ResponseType::MONITORED
                                              ]).cs__freeze
           SUSPICIOUS_REPORTING_RULES = %w[
             unsafe-file-upload
             reflected-xss
+            cmd-injection-semantic-dangerous-paths
+            cmd-injection-semantic-chained-commands
+            path-traversal-semantic-file-security-bypass
             sql-injection-semantic-dangerous-functions
           ].cs__freeze
 
@@ -68,7 +60,7 @@ module Contrast
             return false if ::Contrast::PROTECT.rule_config&.disabled_rules&.include?(rule_name)
 
             # 3. it is enabled so long as its mode is not NO_ACTION
-            @mode != Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION
+            @mode != :NO_ACTION
           end
 
           def excluded? exclusions
@@ -127,22 +119,22 @@ module Contrast
           # A given input, candidate_string, was determined to violate a
           # protect rule and did exploit the application, or at least made it
           # to exploitable code in the case where we blocked the attack. As
-          # such, we need to build a result to report this violation to the
-          # Service.
+          # such, we need to build a result to report this violation to
+          # TeamServer.
           #
           # @param context [Contrast::Agent::RequestContext] the context of the
           #   request in which this input is evaluated.
-          # @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the
+          # @param ia_result [Contrast::Agent::Reporting::InputAnalysis] the
           #   analysis of the input that was determined to be an attack
-          # @param result [Contrast::Api::Dtm::AttackResult, nil] previous
+          # @param result [Contrast::Agent::Reporting::AttackResult, nil] previous
           #   attack result for this rule, if one exists, in the case of
           #   multiple inputs being found to violate the protection criteria
           # @param candidate_string [String] the value of the input which may
           #   be an attack
           # @param kwargs [Hash] key - value pairs of context individual rules
-          #   need to build out details to send to the Service to tell the
+          #   need to build out details to send to the TeamServer to tell the
           #   story of the attack
-          # @return [Contrast::Api::Dtm::AttackResult] the attack result from
+          # @return [Contrast::Agent::Reporting::AttackResult] the attack result from
           #   this input
           def build_attack_with_match context, ia_result, result, candidate_string, **kwargs
             result ||= build_attack_result(context)
@@ -154,19 +146,19 @@ module Contrast
 
           # A given input, candidate_string, was determined to violate a
           # protect rule but did not exploit the application. As such, we need
-          # to build a result to report this violation to the Service.
+          # to build a result to report this violation to TeamServer.
           #
           # @param context [Contrast::Agent::RequestContext] the context of the
           #   request in which this input is evaluated.
-          # @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the
+          # @param ia_result [Contrast::Agent::Reporting::InputAnalysis] the
           #   analysis of the input that was determined to be an attack
-          # @param result [Contrast::Api::Dtm::AttackResult, nil] previous
+          # @param result [Contrast::Agent::Reporting::AttackResult, nil] previous
           #   attack result for this rule, if one exists, in the case of
           #   multiple inputs being found to violate the protection criteria
           # @param kwargs [Hash] key - value pairs of context individual rules
-          #   need to build out details to send to the Service to tell the
+          #   need to build out details to send to TeamServer to tell the
           #   story of the attack
-          # @return [Contrast::Api::Dtm::AttackResult] the attack result from
+          # @return [Contrast::Agent::Reporting::AttackResult] the attack result from
           #   this input
           def build_attack_without_match context, ia_result, result, **kwargs
             result ||= build_attack_result(context)
@@ -177,7 +169,7 @@ module Contrast
           end
 
           # Attach the given result to the current request's context to report
-          # it to the Service
+          # it to TeamServer
           #
           # @param context [Contrast::Agent::RequestContext] the context of the
           #   request in which this input is evaluated.
@@ -188,7 +180,7 @@ module Contrast
 
           # With this we log to CEF
           #
-          # @param result [Contrast::Api::Dtm::AttackResult]
+          # @param result [Contrast::Agent::Reporting::AttackResult]
           # @param attack [Symbol] the type of message we want to send
           # @param value [String] the input value we want to log
           def cef_logging result, attack = :ineffective_attack, value: nil
@@ -251,14 +243,14 @@ module Contrast
 
           def update_successful_attack_response context, ia_result, result, attack_string = nil
             case mode
-            when Contrast::Api::Settings::ProtectionRule::Mode::MONITOR
+            when :MONITOR
               # We are checking the result as the ia_result would not contain the sub-rules.
               result.response = if SUSPICIOUS_REPORTING_RULES.include?(result&.rule_id)
                                   Contrast::Agent::Reporting::ResponseType::SUSPICIOUS
                                 else
                                   Contrast::Agent::Reporting::ResponseType::MONITORED
                                 end
-            when Contrast::Api::Settings::ProtectionRule::Mode::BLOCK
+            when :BLOCK
               result.response = Contrast::Agent::Reporting::ResponseType::BLOCKED
             end
 
@@ -270,13 +262,13 @@ module Contrast
 
           # @param context [Contrast::Agent::RequestContext] the context of the
           #   request in which this input is evaluated.
-          # @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the
+          # @param ia_result [Contrast::Agent::Reporting::InputAnalysis] the
           #   analysis of the input that was determined to be an attack
-          # @param result [Contrast::Api::Dtm::AttackResult] previous
+          # @param result [Contrast::Agent::Reporting::AttackResult] previous
           #   attack result for this rule, if one exists, in the case of
           #   multiple inputs being found to violate the protection criteria
           def update_perimeter_attack_response context, ia_result, result
-            if mode == Contrast::Api::Settings::ProtectionRule::Mode::BLOCK_AT_PERIMETER
+            if mode == :BLOCK_AT_PERIMETER
               result.response = if blocked_rule?(ia_result)
                                   Contrast::Agent::Reporting::ResponseType::BLOCKED
                                 else
@@ -303,27 +295,27 @@ module Contrast
           end
 
           # @param sample [Contrast::Agent::Reporting::RaspRuleSample]
-          # @param result [Contrast::Api::Dtm::AttackResult, nil] previous attack result for this rule, if one exists,
-          #   in the case of multiple inputs being found to violate the protection criteria
+          # @param result [Contrast::Agent::Reporting::AttackResult, nil] previous attack result for this rule, if one
+          #   exists, in the case of multiple inputs being found to violate the protection criteria
           def append_stack sample, result
             return unless sample
             return unless STACK_COLLECTION_RESULTS.include?(result&.response)
 
-            stack = Contrast::Utils::StackTraceUtils.build_protect_stack_array
+            stack = Contrast::Utils::StackTraceUtils.build_protect_report_stack_array
             return unless stack
 
-            sample.stack_trace_elements += stack
+            sample.stack.concat(stack)
           end
 
           # @param context [Contrast::Agent::RequestContext] the context of the request in which this input is
           #   evaluated.
-          # @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the analysis of the input that was
-          #   determined to be an attack
-          # @param result [Contrast::Api::Dtm::AttackResult, nil] previous attack result for this rule, if one exists,
-          #   in the case of multiple inputs being found to violate the protection criteria
+          # @param ia_result [Contrast::Agent::Reporting::Settings::InputAnalysisResult] the analysis of the input that
+          #   was determined to be an attack
+          # @param result [Contrast::Agent::Reporting::AttackResult, nil] previous attack result for this rule, if one
+          #   exists, in the case of multiple inputs being found to violate the protection criteria
           # @param candidate_string [String] the value of the input which may be an attack
           # @param kwargs [Hash] key - value pairs of context individual rules
-          #   need to build out details to send to the Service to tell the
+          #   need to build out details to send to TeamServer to tell the
           #   story of the attack
           def append_sample context, ia_result, result, candidate_string, **kwargs
             return unless result
@@ -340,8 +332,8 @@ module Contrast
           # build rasp rule sample.
           #
           # @param context [Contrast::Agent::RequestContext]
-          # @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the analysis of the input that was
-          #   determined to be an attack
+          # @param ia_result [Contrast::Agent::Reporting::Settings::InputAnalysisResult] the analysis of the input that
+          #   was determined to be an attack
           # @param _candidate_string [String] potential attack value/ input containing attack value
           # @param _kwargs [Hash]
           # @return [Contrast::Agent::Reporting::RaspRuleSample]
@@ -350,8 +342,8 @@ module Contrast
           end
 
           # @param context [Contrast::Agent::RequestContext]
-          # @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the analysis of the input that was
-          #   determined to be an attack
+          # @param ia_result [Contrast::Agent::Reporting::Settings::InputAnalysisResult] the analysis of the input that
+          #   was determined to be an attack
           # @return [Contrast::Agent::Reporting::RaspRuleSample]
           def build_base_sample context, ia_result
             Contrast::Agent::Reporting::RaspRuleSample.build(context, ia_result)
@@ -360,9 +352,9 @@ module Contrast
           def log_rule_matched _context, ia_result, response, _matched_string = nil
             logger.debug('A successful attack was detected',
                          rule: rule_name,
-                         type: ia_result&.input_type,
-                         name: ia_result&.key,
-                         input: ia_result&.value,
+                         type: ia_result&.input_type || '',
+                         name: ia_result&.key || '',
+                         input: ia_result&.value || '',
                          result: response)
           end
 
@@ -402,10 +394,10 @@ module Contrast
           # Handles the Response type for different Protect rules. Some rules need to report SUSPICIOUS over PROBED in
           # MONITORED mode.
           #
-          # @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the analysis of the input that was
+          # @param ia_result [Contrast::Agent::Reporting::InputAnalysis] the analysis of the input that was
           #   determined to be an attack
           def assign_reporter_response_type ia_result
-            if suspicious_rule?(ia_result) && Contrast::CONTRAST_SERVICE.use_agent_communication?
+            if suspicious_rule?(ia_result)
               Contrast::Agent::Reporting::ResponseType::SUSPICIOUS
             else
               Contrast::Agent::Reporting::ResponseType::PROBED