contrast-agent 6.7.0 → 6.9.0

data/lib/contrast/agent/protect/rule/base.rb

@@ -4,7 +4,7 @@
 require 'contrast/components/logger'
 require 'contrast/components/scope'
 require 'contrast/utils/object_share'
-require 'contrast/api/decorators/response_type'
+require 'contrast/agent/reporting/attack_result/response_type'
 
 module Contrast
   module Agent
@@ -18,26 +18,18 @@ module Contrast
           include Contrast::Components::Logger::InstanceMethods
           include Contrast::Components::Scope::InstanceMethods
 
-          UNKNOWN_USER_INPUT = Contrast::Api::Dtm::UserInput.new.tap do |user_input|
-            user_input.input_type = :UNKNOWN
-          end
-
-          BLOCKING_MODES = Set.new([
-                                     Contrast::Api::Settings::ProtectionRule::Mode::BLOCK,
-                                     Contrast::Api::Settings::ProtectionRule::Mode::BLOCK_AT_PERIMETER
-                                   ]).cs__freeze
-          POSTFILTER_MODES = Set.new([
-                                       Contrast::Api::Settings::ProtectionRule::Mode::BLOCK,
-                                       Contrast::Api::Settings::ProtectionRule::Mode::PERMIT,
-                                       Contrast::Api::Settings::ProtectionRule::Mode::MONITOR
-                                     ]).cs__freeze
+          BLOCKING_MODES = Set.new(%i[BLOCK BLOCK_AT_PERIMETER]).cs__freeze
+          POSTFILTER_MODES = Set.new(%i[BLOCK MONITOR]).cs__freeze
           STACK_COLLECTION_RESULTS = Set.new([
-                                               Contrast::Api::Dtm::AttackResult::ResponseType::BLOCKED,
-                                               Contrast::Api::Dtm::AttackResult::ResponseType::MONITORED
+                                               Contrast::Agent::Reporting::ResponseType::BLOCKED,
+                                               Contrast::Agent::Reporting::ResponseType::MONITORED
                                              ]).cs__freeze
           SUSPICIOUS_REPORTING_RULES = %w[
             unsafe-file-upload
             reflected-xss
+            cmd-injection-semantic-dangerous-paths
+            cmd-injection-semantic-chained-commands
+            path-traversal-semantic-file-security-bypass
             sql-injection-semantic-dangerous-functions
           ].cs__freeze
 
@@ -68,7 +60,7 @@ module Contrast
             return false if ::Contrast::PROTECT.rule_config&.disabled_rules&.include?(rule_name)
 
             # 3. it is enabled so long as its mode is not NO_ACTION
-            @mode != Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION
+            @mode != :NO_ACTION
           end
 
           def excluded? exclusions
@@ -127,22 +119,22 @@ module Contrast
           # A given input, candidate_string, was determined to violate a
           # protect rule and did exploit the application, or at least made it
           # to exploitable code in the case where we blocked the attack. As
-          # such, we need to build a result to report this violation to the
-          # Service.
+          # such, we need to build a result to report this violation to
+          # TeamServer.
           #
           # @param context [Contrast::Agent::RequestContext] the context of the
           #   request in which this input is evaluated.
-          # @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the
+          # @param ia_result [Contrast::Agent::Reporting::InputAnalysis] the
           #   analysis of the input that was determined to be an attack
-          # @param result [Contrast::Api::Dtm::AttackResult, nil] previous
+          # @param result [Contrast::Agent::Reporting::AttackResult, nil] previous
           #   attack result for this rule, if one exists, in the case of
           #   multiple inputs being found to violate the protection criteria
           # @param candidate_string [String] the value of the input which may
           #   be an attack
           # @param kwargs [Hash] key - value pairs of context individual rules
-          #   need to build out details to send to the Service to tell the
+          #   need to build out details to send to the TeamServer to tell the
           #   story of the attack
-          # @return [Contrast::Api::Dtm::AttackResult] the attack result from
+          # @return [Contrast::Agent::Reporting::AttackResult] the attack result from
           #   this input
           def build_attack_with_match context, ia_result, result, candidate_string, **kwargs
             result ||= build_attack_result(context)
@@ -154,19 +146,19 @@ module Contrast
 
           # A given input, candidate_string, was determined to violate a
           # protect rule but did not exploit the application. As such, we need
-          # to build a result to report this violation to the Service.
+          # to build a result to report this violation to TeamServer.
           #
-          # @param context [Contrast::Agent::RequestContext] the context of the
+          # @param context [Contrast::Agent::RequestContext, nil] the context of the
           #   request in which this input is evaluated.
-          # @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the
+          # @param ia_result [Contrast::Agent::Reporting::InputAnalysis] the
           #   analysis of the input that was determined to be an attack
-          # @param result [Contrast::Api::Dtm::AttackResult, nil] previous
+          # @param result [Contrast::Agent::Reporting::AttackResult, nil] previous
           #   attack result for this rule, if one exists, in the case of
           #   multiple inputs being found to violate the protection criteria
-          # @param kwargs [Hash] key - value pairs of context individual rules
-          #   need to build out details to send to the Service to tell the
+          # @param kwargs [Hash, nil] key - value pairs of context individual rules
+          #   need to build out details to send to TeamServer to tell the
           #   story of the attack
-          # @return [Contrast::Api::Dtm::AttackResult] the attack result from
+          # @return [Contrast::Agent::Reporting::AttackResult] the attack result from
           #   this input
           def build_attack_without_match context, ia_result, result, **kwargs
             result ||= build_attack_result(context)
@@ -177,7 +169,7 @@ module Contrast
           end
 
           # Attach the given result to the current request's context to report
-          # it to the Service
+          # it to TeamServer
           #
           # @param context [Contrast::Agent::RequestContext] the context of the
           #   request in which this input is evaluated.
@@ -188,7 +180,7 @@ module Contrast
 
           # With this we log to CEF
           #
-          # @param result [Contrast::Api::Dtm::AttackResult]
+          # @param result [Contrast::Agent::Reporting::AttackResult]
           # @param attack [Symbol] the type of message we want to send
           # @param value [String] the input value we want to log
           def cef_logging result, attack = :ineffective_attack, value: nil
@@ -251,14 +243,14 @@ module Contrast
 
           def update_successful_attack_response context, ia_result, result, attack_string = nil
             case mode
-            when Contrast::Api::Settings::ProtectionRule::Mode::MONITOR
+            when :MONITOR
               # We are checking the result as the ia_result would not contain the sub-rules.
               result.response = if SUSPICIOUS_REPORTING_RULES.include?(result&.rule_id)
                                   Contrast::Agent::Reporting::ResponseType::SUSPICIOUS
                                 else
                                   Contrast::Agent::Reporting::ResponseType::MONITORED
                                 end
-            when Contrast::Api::Settings::ProtectionRule::Mode::BLOCK
+            when :BLOCK
               result.response = Contrast::Agent::Reporting::ResponseType::BLOCKED
             end
 
@@ -270,13 +262,13 @@ module Contrast
 
           # @param context [Contrast::Agent::RequestContext] the context of the
           #   request in which this input is evaluated.
-          # @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the
+          # @param ia_result [Contrast::Agent::Reporting::InputAnalysis] the
           #   analysis of the input that was determined to be an attack
-          # @param result [Contrast::Api::Dtm::AttackResult] previous
+          # @param result [Contrast::Agent::Reporting::AttackResult] previous
           #   attack result for this rule, if one exists, in the case of
           #   multiple inputs being found to violate the protection criteria
           def update_perimeter_attack_response context, ia_result, result
-            if mode == Contrast::Api::Settings::ProtectionRule::Mode::BLOCK_AT_PERIMETER
+            if mode == :BLOCK_AT_PERIMETER
               result.response = if blocked_rule?(ia_result)
                                   Contrast::Agent::Reporting::ResponseType::BLOCKED
                                 else
@@ -303,27 +295,27 @@ module Contrast
           end
 
           # @param sample [Contrast::Agent::Reporting::RaspRuleSample]
-          # @param result [Contrast::Api::Dtm::AttackResult, nil] previous attack result for this rule, if one exists,
-          #   in the case of multiple inputs being found to violate the protection criteria
+          # @param result [Contrast::Agent::Reporting::AttackResult, nil] previous attack result for this rule, if one
+          #   exists, in the case of multiple inputs being found to violate the protection criteria
           def append_stack sample, result
             return unless sample
             return unless STACK_COLLECTION_RESULTS.include?(result&.response)
 
-            stack = Contrast::Utils::StackTraceUtils.build_protect_stack_array
+            stack = Contrast::Utils::StackTraceUtils.build_protect_report_stack_array
             return unless stack
 
-            sample.stack_trace_elements += stack
+            sample.stack.concat(stack)
           end
 
           # @param context [Contrast::Agent::RequestContext] the context of the request in which this input is
           #   evaluated.
-          # @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the analysis of the input that was
-          #   determined to be an attack
-          # @param result [Contrast::Api::Dtm::AttackResult, nil] previous attack result for this rule, if one exists,
-          #   in the case of multiple inputs being found to violate the protection criteria
+          # @param ia_result [Contrast::Agent::Reporting::Settings::InputAnalysisResult] the analysis of the input that
+          #   was determined to be an attack
+          # @param result [Contrast::Agent::Reporting::AttackResult, nil] previous attack result for this rule, if one
+          #   exists, in the case of multiple inputs being found to violate the protection criteria
           # @param candidate_string [String] the value of the input which may be an attack
           # @param kwargs [Hash] key - value pairs of context individual rules
-          #   need to build out details to send to the Service to tell the
+          #   need to build out details to send to TeamServer to tell the
           #   story of the attack
           def append_sample context, ia_result, result, candidate_string, **kwargs
             return unless result
@@ -340,8 +332,8 @@ module Contrast
           # build rasp rule sample.
           #
           # @param context [Contrast::Agent::RequestContext]
-          # @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the analysis of the input that was
-          #   determined to be an attack
+          # @param ia_result [Contrast::Agent::Reporting::Settings::InputAnalysisResult] the analysis of the input that
+          #   was determined to be an attack
           # @param _candidate_string [String] potential attack value/ input containing attack value
           # @param _kwargs [Hash]
           # @return [Contrast::Agent::Reporting::RaspRuleSample]
@@ -350,8 +342,8 @@ module Contrast
           end
 
           # @param context [Contrast::Agent::RequestContext]
-          # @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the analysis of the input that was
-          #   determined to be an attack
+          # @param ia_result [Contrast::Agent::Reporting::Settings::InputAnalysisResult] the analysis of the input that
+          #   was determined to be an attack
           # @return [Contrast::Agent::Reporting::RaspRuleSample]
           def build_base_sample context, ia_result
             Contrast::Agent::Reporting::RaspRuleSample.build(context, ia_result)
@@ -360,9 +352,9 @@ module Contrast
           def log_rule_matched _context, ia_result, response, _matched_string = nil
             logger.debug('A successful attack was detected',
                          rule: rule_name,
-                         type: ia_result&.input_type,
-                         name: ia_result&.key,
-                         input: ia_result&.value,
+                         type: ia_result&.input_type || '',
+                         name: ia_result&.key || '',
+                         input: ia_result&.value || '',
                          result: response)
           end
 
@@ -402,10 +394,10 @@ module Contrast
           # Handles the Response type for different Protect rules. Some rules need to report SUSPICIOUS over PROBED in
           # MONITORED mode.
           #
-          # @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the analysis of the input that was
+          # @param ia_result [Contrast::Agent::Reporting::InputAnalysis] the analysis of the input that was
           #   determined to be an attack
           def assign_reporter_response_type ia_result
-            if suspicious_rule?(ia_result) && Contrast::CONTRAST_SERVICE.use_agent_communication?
+            if suspicious_rule?(ia_result)
               Contrast::Agent::Reporting::ResponseType::SUSPICIOUS
             else
               Contrast::Agent::Reporting::ResponseType::PROBED

data/lib/contrast/agent/protect/rule/base_service.rb

@@ -8,8 +8,7 @@ module Contrast
   module Agent
     module Protect
       module Rule
-        # Encapsulate common code for protect rules that do their
-        # input analysis on Speedracer rather in ruby code
+        # Encapsulate common code for protect rules that do their input analysis on agent-lib rather in ruby code
         class BaseService < Contrast::Agent::Protect::Rule::Base
           include Contrast::Components::Logger::InstanceMethods
 
@@ -21,12 +20,43 @@ module Contrast
             'Contrast Security Protect Rule Triggered. Response blocked.'
           end
 
+          def prefilter context
+            return unless prefilter?(context)
+
+            ia_results = gather_ia_results(context)
+
+            ia_results.each do |ia_result|
+              result = build_attack_result(context)
+              build_attack_without_match(context, ia_result, result)
+              append_to_activity(context, result)
+
+              cef_logging(result, :successful_attack)
+              raise(Contrast::SecurityException.new(self, block_message)) if blocked?
+            end
+          end
+
           # @param context [Contrast::Agent::RequestContext]
+          # @return [Boolean]
           def infilter? context
             return false unless enabled?
-            return false unless context&.speedracer_input_analysis&.results&.any? do |result|
-                                  result.rule_id == rule_name
-                                end
+            return false unless gather_ia_results(context).any?
+            return false if protect_excluded_by_code?
+            return false if protect_excluded_by_url?(context)
+
+            true
+          end
+
+          # Base method for prefilter check. Extend if rule needs more
+          # specific conditioning.
+          #
+          # @param context [Contrast::Agent::RequestContext]
+          # @return [Boolean]
+          def prefilter? context
+            return false unless context
+            return false unless enabled?
+            return false unless context.agent_input_analysis&.results&.any? do |result|
+              result.rule_id == rule_name && result.score_level != Contrast::Agent::Reporting::ScoreLevel::IGNORE
+            end
 
             return false if protect_excluded_by_code?
             return false if protect_excluded_by_url?(context)
@@ -41,11 +71,7 @@ module Contrast
           # @raise [Contrast::SecurityException]
           def postfilter context
             return unless enabled? && POSTFILTER_MODES.include?(mode)
-            if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
-                  mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
-
-              return
-            end
+            return if mode == :NO_ACTION || mode == :PERMIT
 
             result = find_postfilter_attacker(context, nil)
             return unless result&.samples&.any?
@@ -60,28 +86,31 @@ module Contrast
           protected
 
           # @param context [Contrast::Agent::RequestContext]
-          # @return [Array<Contrast::Api::Settings::InputAnalysis>]
+          # @return [Array<Contrast::Agent::Reporting::InputAnalysis>]
           def gather_ia_results context
-            context.speedracer_input_analysis.results.select do |ia_result|
-              ia_result.rule_id == rule_name
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless context&.agent_input_analysis&.results
+
+            context.agent_input_analysis.results.select do |ia_result|
+              ia_result.rule_id == rule_name &&
+                  ia_result.score_level != Contrast::Agent::Reporting::ScoreLevel::IGNORE
             end
           end
 
           # @param context [Contrast::Agent::RequestContext]
           # @param potential_attack_string [String, nil]
           # @param **kwargs
-          # @return [Contrast::Api::Dtm::AttackResult]
+          # @return [Contrast::Agent::Reporting]
           def find_attacker context, potential_attack_string, **kwargs
             ia_results = gather_ia_results(context)
             find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs)
           end
 
-          # Allows for the InputAnalysis from service to be extracted early
+          # Allows for the InputAnalysis from Agent Library to be extracted early
           # @param context [Contrast::Agent::RequestContext]
           # @param potential_attack_string [String, nil]
-          # @param ia_results [Array<Contrast::Api::Settings::InputAnalysis>]
+          # @param ia_results [Array<Contrast::Agent::Reporting::InputAnalysis>]
           # @param **kwargs
-          # @return [Contrast::Api::Dtm::AttackResult, nil]
+          # @return [Contrast::Agent::Reporting, nil]
           def find_attacker_with_results context, potential_attack_string, ia_results, **kwargs
             logger.trace('Checking vectors for attacks', rule: rule_name, input: potential_attack_string)
 
@@ -103,16 +132,11 @@ module Contrast
 
           # @param context [Contrast::Agent::RequestContext]
           # @param potential_attack_string [String, nil]
-          # @return [Contrast::Api::Dtm::AttackResult, nil]
+          # @return [Contrast::Agent::Reporting, nil]
           def find_postfilter_attacker context, potential_attack_string, **kwargs
             ia_results = gather_ia_results(context)
             ia_results.select! do |ia_result|
-              required_level = if ia_result.cs__is_a?(Contrast::Api::Settings::InputAnalysisResult)
-                                 Contrast::Api::Settings::InputAnalysisResult::ScoreLevel::DEFINITEATTACK
-                               else
-                                 Contrast::Agent::Reporting::ScoreLevel::DEFINITEATTACK
-                               end
-              ia_result.score_level == required_level
+              ia_result.score_level == Contrast::Agent::Reporting::ScoreLevel::DEFINITEATTACK
             end
             find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs)
           end

data/lib/contrast/agent/protect/rule/bot_blocker/bot_blocker_input_classification.rb

@@ -0,0 +1,98 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/agent/reporting/input_analysis/score_level'
+require 'contrast/agent/reporting/input_analysis/details/bot_blocker_details'
+require 'contrast/utils/input_classification_base'
+require 'contrast/utils/object_share'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This module will do the Input Classification stage of CMD Injection rule
+        # as a result input would be marked as WORTHWATCHING or IGNORE,
+        # to be analyzed at the sink level.
+        module BotBlockerInputClassification
+          USER_AGENT = 'USER_AGENT'
+          AGENT_LIB_HEADER_NAME = 'user-agent'
+          BOT_BLOCKER_MATCH = 'bot-blocker-input-tracing-v1'
+
+          class << self
+            include InputClassificationBase
+
+            # Input Classification stage is done to determine if an user input is
+            # DEFINITEATTACK or to be ignored.
+            #
+            # @param rule_id [String] Name of the protect rule.
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [Hash<String>] the value of the input.
+            # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
+            #                                                       agent analysis from the current
+            #                                                       Request.
+            # @return ia [Contrast::Agent::Reporting::InputAnalysis, nil] with updated results.
+            def classify rule_id, input_type, value, input_analysis
+              return unless (rule = Contrast::PROTECT.rule(rule_id))
+              return unless rule.applicable_user_inputs.include?(input_type)
+              return unless input_analysis.request
+
+              value.each_value do |val|
+                result = create_new_input_result(input_analysis.request, rule.rule_name, input_type, val)
+                input_analysis.results << result if result
+              end
+
+              input_analysis
+            rescue StandardError => e
+              logger.debug("An Error was recorded in the input classification of the #{ rule_id }", error: e)
+            end
+
+            private
+
+            # This methods checks if input is tagged WORTHWATCHING or IGNORE matches value with it's
+            # key if needed and Creates new instance of InputAnalysisResult.
+            #
+            # @param request [Contrast::Agent::Request] the current request context.
+            # @param rule_id [String] The name of the Protect Rule.
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [String, Array<String>] the value of the input.
+            #
+            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+            def create_new_input_result request, rule_id, input_type, value
+              return unless request.headers.key(value) == USER_AGENT
+              return unless Contrast::AGENT_LIB
+
+              # If there is no match this would return nil.
+              header_eval = Contrast::AGENT_LIB.eval_header(AGENT_LIB_HEADER_NAME,
+                                                            value,
+                                                            Contrast::AGENT_LIB.rule_set[rule_id],
+                                                            Contrast::AGENT_LIB.eval_option[:NONE])
+
+              ia_result = new_ia_result(rule_id, input_type, request.path, value)
+              score = header_eval&.score || 0
+              if score >= THRESHOLD
+                ia_result.score_level = DEFINITEATTACK
+                ia_result.ids << BOT_BLOCKER_MATCH
+                ia_result.details = Contrast::Agent::Reporting::BotBlockerDetails.new
+                # details:
+                add_details(ia_result, value)
+              else
+                ia_result.score_level = IGNORE
+              end
+              add_needed_key(request, ia_result, input_type, value)
+              ia_result
+            end
+
+            def add_details ia_result, value
+              ia_result.details.bot = value.downcase
+              if value.include?(Contrast::Utils::ObjectShare::CARROT)
+                ia_result.details.bot.delete!(Contrast::Utils::ObjectShare::CARROT)
+              end
+              ia_result.details.user_agent = value
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/bot_blocker.rb

@@ -0,0 +1,81 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/protect/rule/base_service'
+require 'contrast/components/logger'
+require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/agent/reporting/input_analysis/score_level'
+require 'contrast/agent_lib/interface'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # The Ruby implementation of the Protect BotBlocker rule.
+        class BotBlocker < Contrast::Agent::Protect::Rule::BaseService
+          include Contrast::Components::Logger::InstanceMethods
+          include Contrast::Agent::Reporting::InputType
+
+          NAME = 'bot-blocker'
+          APPLICABLE_USER_INPUTS = [HEADER].cs__freeze
+
+          def rule_name
+            NAME
+          end
+
+          def applicable_user_inputs
+            APPLICABLE_USER_INPUTS
+          end
+
+          # BotBlocker prefilter:
+          #
+          # @param context [Contrast::Agent::RequestContext] current request contest
+          # @raise [Contrast::SecurityException] if the rule mode ise set
+          # to BLOCK and valid bot is detected.
+          def prefilter context
+            return unless prefilter?(context)
+            # We expect only one result per request since the user-agent Header is one.
+            # And the IA analysis explicitly searches for the key match before starting
+            # the analysis.
+            return unless (ia_result = gather_ia_results(context)[0]) &&
+                ia_result.score_level == Contrast::Agent::Reporting::ScoreLevel::DEFINITEATTACK
+
+            result = build_attack_without_match(context, ia_result, nil)
+            append_to_activity(context, result) if result
+            cef_logging(result, :successful_attack) if result
+            return unless blocked?
+
+            # Raise BotBlocker error
+            exception_message = "#{ rule_name } rule triggered. Unsafe Bot blocked."
+            raise(Contrast::SecurityException.new(self, exception_message))
+          end
+
+          # @param context [Contrast::Agent::RequestContext]
+          # @return [Array<Contrast::Agent::Reporting::InputAnalysis>]
+          def gather_ia_results context
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless context&.agent_input_analysis&.results
+
+            context.agent_input_analysis.results.select do |ia_result|
+              ia_result.rule_id == rule_name
+            end
+          end
+
+          # Adding bot blocker details
+          #
+          # @param context [Contrast::Agent::RequestContext]
+          # @param ia_result [Contrast::Agent::Reporting::InputAnalysisResult]
+          # @param _candidate_string
+          # @param **_kwargs
+          # @return [Contrast::Agent::Reporting::RaspRuleSample]
+          def build_sample context, ia_result, _candidate_string, **_kwargs
+            sample = build_base_sample(context, ia_result)
+            sample.details = Contrast::Agent::Reporting::BotBlockerDetails.new
+            sample.details.bot = ia_result.value
+            sample.details.user_agent = context&.request&.user_agent
+            sample
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/cmd_injection.rb

@@ -6,6 +6,9 @@ require 'contrast/utils/stack_trace_utils'
 require 'contrast/utils/object_share'
 require 'contrast/components/logger'
 require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/agent_lib/interface'
+require 'contrast/agent/protect/rule/cmdi/cmdi_chained_command'
+require 'contrast/agent/protect/rule/cmdi/cmdi_dangerous_path'
 require 'contrast/agent/protect/rule/cmdi/cmdi_base_rule'
 require 'contrast/agent/protect/rule/cmdi/cmdi_backdoors'
 
@@ -18,14 +21,29 @@ module Contrast
           include Contrast::Components::Logger::InstanceMethods
           include Contrast::Agent::Reporting::InputType
           NAME = 'cmd-injection'
-          SUB_RULES = [Contrast::Agent::Protect::Rule::CmdiBackdoors.new].cs__freeze
+          APPLICABLE_USER_INPUTS = [
+            BODY, COOKIE_VALUE, HEADER, PARAMETER_NAME,
+            PARAMETER_VALUE, JSON_VALUE, MULTIPART_VALUE,
+            MULTIPART_FIELD_NAME, XML_VALUE, DWR_VALUE
+          ].cs__freeze
 
           def rule_name
             NAME
           end
 
+          # Array of sub_rules:
+          #
+          # @return [Array]
           def sub_rules
-            SUB_RULES
+            @_sub_rules ||= [
+              Contrast::Agent::Protect::Rule::CmdiBackdoors.new,
+              Contrast::Agent::Protect::Rule::CmdiChainedCommand.new,
+              Contrast::Agent::Protect::Rule::CmdiDangerousPath.new
+            ].cs__freeze
+          end
+
+          def applicable_user_inputs
+            APPLICABLE_USER_INPUTS
           end
 
           # CMDI infilter:

data/lib/contrast/agent/protect/rule/cmdi/cmdi_backdoors.rb

@@ -52,7 +52,7 @@ module Contrast
             return false unless enabled?
             # This rule does not have input tracing stage so we need to check the results of
             # the main rule instead.
-            return false unless context&.speedracer_input_analysis&.results&.any? do |result|
+            return false unless context&.agent_input_analysis&.results&.any? do |result|
               result.rule_id == Contrast::Agent::Protect::Rule::CmdInjection::NAME
             end
 
@@ -103,9 +103,9 @@ module Contrast
           # the applicable input type is already checked before input
           # classification. Only thing left is the match check.
           #
-          # @param ia_results [Contrast::Api::Settings::InputAnalysisResult] gathered results
+          # @param ia_results [Contrast::Agent::Reporting::Settings::InputAnalysisResult] gathered results
           # @param cmd [String] potential attack vector
-          # @return [Contrast::Api::Settings::InputAnalysisResult, nil] matched input_type
+          # @return [Contrast::Agent::Reporting::Settings::InputAnalysisResult, nil] matched input_type
           def match_applicable_input_type ia_results, cmd
             ia_results.each do |ia_result|
               return ia_result if ia_result.value == cmd
@@ -118,8 +118,11 @@ module Contrast
           #
           # @param context [Contrast::Agent::RequestContext]
           def gather_ia_results context
-            context.speedracer_input_analysis.results.select do |ia_result|
-              ia_result.rule_id == Contrast::Agent::Protect::Rule::CmdInjection::NAME
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless context&.agent_input_analysis&.results
+
+            context.agent_input_analysis.results.select do |ia_result|
+              ia_result.rule_id == Contrast::Agent::Protect::Rule::CmdInjection::NAME &&
+                  ia_result.score_level != Contrast::Agent::Reporting::ScoreLevel::IGNORE
             end
           end
         end