contrast-agent 6.7.0 → 6.9.0

data/lib/contrast/agent/protect/rule/cmdi/cmdi_base_rule.rb

@@ -21,18 +21,6 @@ module Contrast
             MULTIPART_FIELD_NAME, XML_VALUE, DWR_VALUE
           ].cs__freeze
 
-          class << self
-            # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
-            # @return [Hash] the details for this specific rule
-            def extract_details attack_sample
-              {
-                  command: attack_sample.cmdi.command,
-                  startIndex: attack_sample.cmdi.start_idx,
-                  endIndex: attack_sample.cmdi.end_idx
-              }
-            end
-          end
-
           # CMDI infilter:
           #
           # @param context [Contrast::Agent::RequestContext] current request contest
@@ -65,11 +53,7 @@ module Contrast
                                       result,
                                       candidate_string,
                                       **kwargs)
-            if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
-                  mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
-
-              return result
-            end
+            return result if mode == :NO_ACTION || mode == :PERMIT
 
             result ||= build_attack_result(context)
             update_successful_attack_response(context, input_analysis_result, result, candidate_string)
@@ -96,9 +80,9 @@ module Contrast
           #
           # @param context [Contrast::Agent::RequestContext]
           # @param potential_attack_string [String, nil]
-          # @param ia_results [Array<Contrast::Api::Settings::InputAnalysis>]
+          # @param ia_results [Array<Contrast::Agent::Reporting::InputAnalysis>]
           # @param **kwargs
-          # @return [Contrast::Api::Dtm::AttackResult, nil]
+          # @return [Contrast::Agent::Reporting, nil]
           def find_attacker_with_results context, potential_attack_string, ia_results, **kwargs
             logger.trace('Checking vectors for attacks', rule: rule_name, input: potential_attack_string)
             result = super(context, potential_attack_string, ia_results, **kwargs) if ia_results
@@ -110,14 +94,15 @@ module Contrast
 
           # Build a subclass of the RaspRuleSample using the query string and the
           # evaluation
-          def build_sample context, input_analysis_result, candidate_string, **_kwargs
+          def build_sample context, input_analysis_result, candidate_string, **kwargs
             sample = build_base_sample(context, input_analysis_result)
             sample.details = Contrast::Agent::Reporting::Details::CmdInjectionDetails.new
 
+            # extract data from kwargs for the agent_lib check
+            agent_lib_result_struct = kwargs[:result_struct]
             command = candidate_string || input_analysis_result.value
             command = Contrast::Utils::StringUtils.protobuf_safe_string(command)
-            sample.details.cmd = command
-            sample.details.end_idx = command.length
+            handle_with_agent_lib(sample, agent_lib_result_struct, command)
 
             # This is a special case where the user input is UNKNOWN_USER_INPUT but
             # we want to send the attack value
@@ -162,6 +147,21 @@ module Contrast
           def report_any_command_execution?
             ::Contrast::PROTECT.report_any_command_execution?
           end
+
+          # handle agent_lib data being attached
+          def handle_with_agent_lib sample, agent_lib_result_struct, command
+            sample.details.cmd = command
+            if agent_lib_result_struct&.cs__is_a?(Hash)
+              sample.details.start_idx = agent_lib_result_struct[:start_index]
+              sample.details.end_idx = if (agent_lib_result_struct[:end_index]).zero?
+                                         command.length
+                                       else
+                                         agent_lib_result_struct[:end_index]
+                                       end
+            else
+              sample.details.end_idx = command.length
+            end
+          end
         end
       end
     end

data/lib/contrast/agent/protect/rule/cmdi/cmdi_chained_command.rb

@@ -0,0 +1,64 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/protect/rule/base_service'
+require 'contrast/agent/request_context'
+require 'contrast/utils/object_share'
+require 'contrast/agent/protect/rule/cmdi/cmdi_base_rule'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # The Ruby implementation of the Protect Command Injection Semantic
+        # Chained Command sub-rule. This rule should report
+        class CmdiChainedCommand < Contrast::Agent::Protect::Rule::CmdiBaseRule
+          NAME = 'cmd-injection-semantic-chained-commands'
+
+          def rule_name
+            NAME
+          end
+
+          def sub_rules
+            Contrast::Utils::ObjectShare::EMPTY_ARRAY
+          end
+
+          protected
+
+          # Used to customize the raised error message.
+          #
+          # @param classname [String] Name of the class
+          # @param method [String] name of the method triggering the rule
+          # @raise [Contrast::SecurityException]
+          def raise_error classname, method
+            raise(Contrast::SecurityException.new(self,
+                                                  'Command Injection Semantic Chained Commands rule triggered. '\
+                                                  "Call to #{ classname }.#{ method } blocked."))
+          end
+
+          private
+
+          def find_probable_attacker context, potential_attack_string, _ia_results, **kwargs
+            chained = chained_command?(potential_attack_string)
+            return unless chained
+
+            build_attack_with_match(context, nil, nil, potential_attack_string, **kwargs)
+          end
+
+          # Check if potential chained attack is detected in user input.
+          #
+          # @param command [String] command to check.
+          # @return index[Boolean Returns the index of the command chaining if found.
+          # If the chaining index is >= 0, an injection is detected. Returns -1 when no
+          # command chaining is found.
+          def chained_command? command
+            return false unless (agent_lib = Contrast::AGENT_LIB) && command
+            return false if agent_lib.chained_cmdi_index(command).negative?
+
+            true
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/cmdi/cmdi_dangerous_path.rb

@@ -0,0 +1,63 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/protect/rule/base_service'
+require 'contrast/agent/request_context'
+require 'contrast/utils/object_share'
+require 'contrast/agent/protect/rule/cmdi/cmdi_base_rule'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # The Ruby implementation of the Protect Command Injection Semantic
+        # Dangerous Path sub-rule. This rule should report
+        class CmdiDangerousPath < Contrast::Agent::Protect::Rule::CmdiBaseRule
+          NAME = 'cmd-injection-semantic-dangerous-paths'
+
+          def rule_name
+            NAME
+          end
+
+          def sub_rules
+            Contrast::Utils::ObjectShare::EMPTY_ARRAY
+          end
+
+          protected
+
+          # Used to customize the raised error message.
+          #
+          # @param classname [String] Name of the class
+          # @param method [String] name of the method triggering the rule
+          # @raise [Contrast::SecurityException]
+          def raise_error classname, method
+            raise(Contrast::SecurityException.new(self,
+                                                  'Command Injection Dangerous Path rule triggered. '\
+                                                  "Call to #{ classname }.#{ method } blocked."))
+          end
+
+          private
+
+          def find_probable_attacker context, potential_attack_string, _ia_results, **kwargs
+            dangerous_path = dangerous_path?(potential_attack_string)
+            return unless dangerous_path
+
+            build_attack_with_match(context, nil, nil, potential_attack_string, **kwargs)
+          end
+
+          # Checks if a given shell command is trying to access a dangerous path.
+          # This is used for the cmd-injection-semantic-dangerous-paths rule.
+          #
+          # @param path [String] path to check.
+          # @return index[Boolean] Returns true if a dangerous path is found.
+          # Returns false if no dangerous paths are found.
+          def dangerous_path? path
+            return false unless (agent_lib = Contrast::AGENT_LIB) && path
+
+            agent_lib.dangerous_path?(path)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb

@@ -1,13 +1,10 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/utils/object_share'
-require 'contrast/agent/reporting/input_analysis/input_type'
 require 'contrast/agent/protect/rule/cmd_injection'
 require 'contrast/agent/reporting/input_analysis/score_level'
-require 'contrast/agent/protect/rule/cmdi/cmdi_worth_watching'
 require 'contrast/agent/protect/input_analyzer/input_analyzer'
-require 'contrast/utils/input_classification'
+require 'contrast/utils/input_classification_base'
 require 'contrast/components/logger'
 
 module Contrast
@@ -18,63 +15,10 @@ module Contrast
         # as a result input would be marked as WORTHWATCHING or IGNORE,
         # to be analyzed at the sink level.
         module CmdiInputClassification
+          WORTHWATCHING_MATCH = 'cmdi-worth-watching-v2'.cs__freeze
           class << self
             include InputClassificationBase
-            include Contrast::Agent::Protect::Rule::CmdiWorthWatching
             include Contrast::Components::Logger::InstanceMethods
-
-            WORTHWATCHING_MATCH = 'cmdi-worth-watching-v2'
-            CMDI_KEYS_NEEDED = [
-              COOKIE_VALUE, PARAMETER_VALUE, JSON_VALUE, MULTIPART_VALUE, XML_VALUE, DWR_VALUE
-            ].cs__freeze
-
-            # This method will determine actually if the user input is WORTHWATCHING
-            #
-            # @param input_type [Contrast::Agent::Reporting::InputType] the type of the user input
-            # @param value [String, Array<String>] the value of the input
-            # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the input
-            # analysis from the current request.
-            def classify input_type, value, input_analysis
-              return unless Contrast::Agent::Protect::Rule::CmdInjection::APPLICABLE_USER_INPUTS.include?(input_type)
-              return unless super
-
-              rule_id = Contrast::Agent::Protect::Rule::CmdInjection::NAME
-
-              Array(value).each do |val|
-                Array(val).each do |v|
-                  input_analysis.results << cmdi_create_new_input_result(input_analysis.request, rule_id, input_type, v)
-                end
-              end
-
-              input_analysis
-            rescue StandardError => e
-              logger.debug('An Error was recorded in the input classification of the cmdi.')
-              logger.debug(e)
-            end
-
-            private
-
-            # This methods checks if input is tagged WORTHWATCHING or IGNORE matches value with it's
-            # key if needed and Creates new instance of InputAnalysisResult.
-            #
-            # @param request [Contrast::Agent::Request] the current request context.
-            # @param rule_id [String] The name of the Protect Rule.
-            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
-            # @param value [String, Array<String>] the value of the input.
-            #
-            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
-            def cmdi_create_new_input_result request, rule_id, input_type, value
-              ia_result = new_ia_result(rule_id, input_type, request.path, value)
-              if cmdi_worth_watching?(value)
-                ia_result.score_level = WORTHWATCHING
-                ia_result.ids << WORTHWATCHING_MATCH
-              else
-                ia_result.score_level = IGNORE
-              end
-
-              add_needed_key(request, ia_result, input_type, value) if CMDI_KEYS_NEEDED.include?(input_type)
-              ia_result
-            end
           end
         end
       end

data/lib/contrast/agent/protect/rule/default_scanner.rb

@@ -5,7 +5,7 @@
 # state, indicating a successful attack using SQL or NoSQL Injection.
 #
 # @deprecated RUBY-356: this class and those that extend it are being phased out
-#   in favor of the more performant code in the Service.
+#   in favor of the more performant code in the Agent Library.
 class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/ClassAndModuleChildren
   OPERATOR_PATTERN = %r{[+=*^/%><!-]}.cs__freeze
 

data/lib/contrast/agent/protect/rule/deserialization.rb

@@ -43,17 +43,6 @@ module Contrast
           # Used to indicate to TeamServer the gadget is an Arel module
           AREL = 'Arel'
 
-          class << self
-            # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
-            # @return [Hash] the details for this specific rule
-            def extract_details attack_sample
-              {
-                  command: attack_sample.untrusted_deserialization.command,
-                  deserializer: attack_sample.untrusted_deserialization.deserializer
-              }
-            end
-          end
-
           # Return the TeamServer understood id / name of this rule.
           # @return [String] the TeamServer understood id / name of this rule.
           def rule_name
@@ -127,7 +116,7 @@ module Contrast
           # Build the RaspRuleSample for the detected Deserialization attack.
           # @param context [Contrast::Agent::RequestContext] the request
           #   context in which this attack is occurring.
-          # @param input_analysis_result [Contrast::Api::Settings::InputAnalysisResult]
+          # @param input_analysis_result [Contrast::Agent::Reporting::InputAnalysis]
           #   the result of the analysis done by this rule.
           # @param _candidate_string [nil] unused.
           # @param kwargs [Hash, nil] Hash of inputs used by this rule to flesh
@@ -156,10 +145,10 @@ module Contrast
           # @param gadget_string [String] the input to be deserialized in which
           #   the gadget exists or the command that resulted from deserializing
           #   an input not detected in the initial infilter.
-          # @return [Contrast::Api::Settings::InputAnalysisResult] the result
+          # @return [Contrast::Agent::Reporting::InputAnalysisResult] the result
           #   of the analysis done by this rule.
           def build_evaluation gadget_string
-            ia_result = Contrast::Api::Settings::InputAnalysisResult.new
+            ia_result = Contrast::Agent::Reporting::InputAnalysisResult.new
             ia_result.rule_id = rule_name
             ia_result.input_type = :UNKNOWN
             ia_result.key = INPUT_NAME

data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb

@@ -5,7 +5,7 @@ require 'contrast/utils/object_share'
 require 'contrast/agent/protect/input_analyzer/input_analyzer'
 require 'contrast/agent/reporting/attack_result/attack_result'
 require 'contrast/agent/reporting/attack_result/rasp_rule_sample'
-require 'contrast/utils/input_classification'
+require 'contrast/utils/input_classification_base'
 
 module Contrast
   module Agent
@@ -36,7 +36,7 @@ module Contrast
           #
           #     attack_result = build_attack_result ia_result, rule_id
           #
-          #     if Contrast::Api::Settings::ProtectionRule::Mode::BLOCK != Contrast::PROTECT.rule_mode(rule_id)
+          #     if :BLOCK != Contrast::PROTECT.rule_mode(rule_id)
           #       attack_result.response = :EXPLOITED
           #       Contrast::Agent::EXPLOITS.push attack_result
           #       return input_analysis

data/lib/contrast/agent/protect/rule/http_method_tampering.rb

@@ -20,17 +20,6 @@ module Contrast
           #   UNLOCK UPDATE VERSION-CONTROL
           # ].cs__freeze
 
-          class << self
-            # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
-            # @return [Hash] the details for this specific rule
-            def extract_details attack_sample
-              {
-                  method: attack_sample.method_tampering.method, # rubocop:disable Security/Object/Method
-                  responseCode: attack_sample.method_tampering.response_code
-              }
-            end
-          end
-
           def rule_name
             NAME
           end

data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb

@@ -4,7 +4,7 @@
 require 'contrast/utils/object_share'
 require 'contrast/agent/protect/rule/no_sqli'
 require 'contrast/agent/protect/input_analyzer/input_analyzer'
-require 'contrast/utils/input_classification'
+require 'contrast/utils/input_classification_base'
 
 module Contrast
   module Agent
@@ -50,33 +50,26 @@ module Contrast
             NOSQL_WORTH_WATCHING_THRESHOLD = 1
             NOSQL_CONFIDENCE_THRESHOLD = 3
             MAX_DISTANCE = 10
-
-            # Input Classification stage is done to determine if an user input is
-            # WORTHWATCHING or to be ignored.
-            #
-            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
-            # @param value [String, Array<String>] the value of the input.
-            # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
-            #                                                       agent analysis from the current
-            #                                                       Request.
-            # @return ia [Contrast::Agent::Reporting::InputAnalysis] with updated results.
-            def classify input_type, value, input_analysis
-              return unless input_analysis.request
-
-              rule_id = Contrast::Agent::Protect::Rule::NoSqli::NAME
-
-              # double check the input to avoid calling match? on array
-              Array(value).each do |val|
-                Array(val).each do |v|
-                  input_analysis.results << nosqli_create_new_input_result(input_analysis.request,
-                                                                           rule_id,
-                                                                           input_type,
-                                                                           v)
-                end
-              end
-
-              input_analysis
-            end
+            DEFAULT_RULE_DEFINITIONS = [
+              {
+                  keywords: [],
+                  name: 'nosql-injection',
+                  patterns: [
+                    {
+                        caseSensitive: false,
+                        id: 'NO-SQLI-1',
+                        score: 1,
+                        value: '(?:\\{\\s*\".*\"\\s*:.*\\})'
+                    },
+                    {
+                        id: 'NO-SQLI-2',
+                        caseSensitive: true,
+                        score: 3,
+                        value: "(?:\"|')?\\$(?:gte|gt|lt|lte|eq|ne|in|nin|where|mod|all|size|exists|type|slice|or)(?:\"|')?\\s*:.*" # rubocop:disable Layout/LineLength
+                    }
+                  ]
+              }
+            ].cs__freeze
 
             private
 
@@ -102,7 +95,7 @@ module Contrast
             # @param value [String, Array<String>] the value of the input.
             #
             # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
-            def nosqli_create_new_input_result request, rule_id, input_type, value
+            def create_new_input_result request, rule_id, input_type, value
               score = evaluate_patterns(value)
               score = evaluate_rules(value, score)
 
@@ -113,8 +106,9 @@ module Contrast
                             else
                               IGNORE
                             end
-
-              new_ia_result(rule_id, input_type, score_level, request.path, value)
+              result = new_ia_result(rule_id, input_type, score_level, request.path, value)
+              add_needed_key(request, result, input_type, value)
+              result
             end
 
             # This method evaluates the patterns relevant to NoSQL Injection to check whether
@@ -125,7 +119,7 @@ module Contrast
             # point is returned.
             #
             # @param value [String] the value of the input.
-            # @param value [Integer] the total score thus far.
+            # @param total_score [Integer] the total score thus far.
             #
             # @return res [Integer]
             def evaluate_patterns value, total_score = 0
@@ -159,7 +153,7 @@ module Contrast
             # point is returned.
             #
             # @param value [String] the value of the input.
-            # @param value [Integer] the total score thus far.
+            # @param total_score [Integer] the total score thus far.
             #
             # @return res [Integer]
             def evaluate_rules value, total_score = 0
@@ -209,7 +203,8 @@ module Contrast
             def nosqli_patterns
               server_features = Contrast::Agent::Reporting::Settings::ServerFeatures.new
               rule_definitions = server_features&.protect&.rule_definition_list
-              rule_definitions&.find { |r| r[:name] == Contrast::Agent::Protect::Rule::NoSqli::NAME }&.dig(:patterns)
+              rule_definitions = DEFAULT_RULE_DEFINITIONS if rule_definitions.empty?
+              rule_definitions.find { |r| r[:name] == Contrast::Agent::Protect::Rule::NoSqli::NAME }&.dig(:patterns)
             end
 
             def matches_by_position value, pattern

data/lib/contrast/agent/protect/rule/no_sqli.rb

@@ -3,6 +3,7 @@
 
 require 'contrast/agent/protect/rule/base_service'
 require 'contrast/agent/protect/rule/sql_sample_builder'
+require 'contrast/agent/reporting/input_analysis/input_type'
 
 module Contrast
   module Agent
@@ -15,22 +16,16 @@ module Contrast
           include SqlSampleBuilder::NoSqliSample
           # Defining build_attack_with_match method
           include SqlSampleBuilder::AttackBuilder
+          include Contrast::Agent::Reporting::InputType
 
           NAME = 'nosql-injection'
           BLOCK_MESSAGE = 'NoSQLi rule triggered. Response blocked.'
-          class << self
-            # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
-            # @return [Hash] the details for this specific rule
-            def extract_details attack_sample
-              {
-                  start: attack_sample.no_sqli.start_idx,
-                  end: attack_sample.no_sqli.end_idx,
-                  boundaryOverrunIndex: attack_sample.no_sqli.boundary_overrun_idx,
-                  inputBoundaryIndex: attack_sample.no_sqli.input_boundary_idx,
-                  query: attack_sample.no_sqli.query
-              }
-            end
-          end
+          APPLICABLE_USER_INPUTS = [
+            BODY, COOKIE_NAME, COOKIE_VALUE, HEADER,
+            PARAMETER_NAME, PARAMETER_VALUE, JSON_VALUE,
+            MULTIPART_VALUE, MULTIPART_FIELD_NAME,
+            XML_VALUE, DWR_VALUE
+          ].cs__freeze
 
           def rule_name
             NAME
@@ -40,6 +35,10 @@ module Contrast
             BLOCK_MESSAGE
           end
 
+          def applicable_user_inputs
+            APPLICABLE_USER_INPUTS
+          end
+
           # @raise [Contrast::SecurityException] if the attack is blocked
           #   raised with BLOCK_MESSAGE
           def infilter context, database, query_string
@@ -55,11 +54,7 @@ module Contrast
           end
 
           def build_attack_with_match context, input_analysis_result, result, candidate_string, **kwargs
-            if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
-                  mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
-
-              return result
-            end
+            return result if mode == :NO_ACTION || mode == :PERMIT
 
             result ||= build_attack_result(context)
             update_successful_attack_response(context, input_analysis_result, result, candidate_string)
@@ -67,6 +62,18 @@ module Contrast
             result
           end
 
+          # @param context [Contrast::Agent::RequestContext]
+          def infilter? context
+            return false unless enabled?
+            return false unless context&.agent_input_analysis&.results&.any? do |result|
+              result.rule_id == rule_name
+            end
+
+            return false if protect_excluded_by_code?
+
+            true
+          end
+
           protected
 
           def find_attacker context, potential_attack_string, **kwargs

data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_input_classification.rb

@@ -0,0 +1,61 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/input_classification_base'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # The Ruby implementation of the Protect Path Traversal rule
+        # Input classification
+        module PathTraversalInputClassification
+          PATH_TRAVERSAL_MATCH = 'path-traversal-input-tracing-v1'
+          WORTHWATCHING_MATCH = 'path-traversal-worth-watching-v2'
+
+          THRESHOLD = 90.cs__freeze
+          class << self
+            include InputClassificationBase
+
+            private
+
+            # This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
+            # key if needed and Creates new isntance of InputAnalysisResult.
+            #
+            # @param request [Contrast::Agent::Request] the current request context.
+            # @param rule_id [String] The name of the Protect Rule.
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [String, Array<String>] the value of the input.
+            #
+            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+            def create_new_input_result request, rule_id, input_type, value
+              return unless Contrast::AGENT_LIB
+
+              input_eval = Contrast::AGENT_LIB.eval_input(value,
+                                                          convert_input_type(input_type),
+                                                          Contrast::AGENT_LIB.rule_set[rule_id],
+                                                          Contrast::AGENT_LIB.eval_option[:WORTHWATCHING])
+
+              ia_result = new_ia_result(rule_id, input_type, request.path, value)
+              score = input_eval&.score || 0
+              if score >= THRESHOLD
+                ia_result.score_level = DEFINITEATTACK
+                ia_result.ids << PATH_TRAVERSAL_MATCH
+              elsif score == 10
+                # There is one pattern to match 10 and thus on its own will be reported as a probe.
+                # This rule can report WORTHWATCHING:
+                # https://protect-spec.prod.dotnet.contsec.com/rules/path-traversal.html#applicable-input-types
+                ia_result.score_level = WORTHWATCHING
+                ia_result.ids << WORTHWATCHING_MATCH
+              else
+                ia_result.score_level = IGNORE
+              end
+              add_needed_key(request, ia_result, input_type, value)
+              ia_result
+            end
+          end
+        end
+      end
+    end
+  end
+end