contrast-agent 6.8.0 → 6.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2c32847e196cdcf1540bd39373f9327a46e50cb1c4be6516f2ad5664696c0221
-  data.tar.gz: 03b9bc37cf6b8fe3fd0662f120f6f24cc9faf868cf91c7fb698ccbcb52f15aac
+  metadata.gz: 624b29e40ff797608bb6fef0ab00377cc1bc3e6756af01063d4768fad53bfbfa
+  data.tar.gz: 7380498d855e3f6b8a7387ee98351d118b6b70b7bc332536bf1124a870c1a48c
 SHA512:
-  metadata.gz: 204a13ebf2cc20d9302d55a1d2201cc0f8f2ba35b5bf1b3392f75c0636f8ab5224de54106af8349c16da111d86f2381e894d8925eccf2df1e46e4d04b99eb7be
-  data.tar.gz: ac50424a98754b82bab6576b7205cdb3f6243f5dc6aa9c55f817f15cfba61e1f0858c27a66efd18457442f0b4f2e8ea42cdfcbecdd67c6941edcd86c77b11164
+  metadata.gz: 44d0b0cc41d92f58cf048212295fdef8367a4aa4475e3d035c9ae09c80bbcad9de08ba2a63f321381de4af41fd90b581dca2710ef3641d8eb486e8664a3d18cf
+  data.tar.gz: cb2f9e2799f8ef7fff7da2ba6714e94022ad5495ddc57c448244c34f649cb70eb756d4f806c1f1274676cbdd37749bf0177cd8539b175ba7b8086857bd1f86a3

data/.gitignore

@@ -23,7 +23,7 @@ ruby-spec
 mspec
 
 # rspec generated files
-/spec/dummy_files/*
+/spec/dummy_files/
 
 # Funchook artifacts
 /ext/**/funchook.h

data/lib/contrast/agent/assess/policy/trigger_method.rb

@@ -1,7 +1,6 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/assess/events/event_factory'
 require 'contrast/agent/assess/policy/trigger_validation/trigger_validation'
 require 'contrast/agent/excluder'
 require 'contrast/components/logger'
@@ -15,6 +14,7 @@ require 'contrast/agent/reporting/reporting_events/preflight_message'
 require 'contrast/agent/reporting/reporting_events/route_discovery'
 require 'contrast/agent/reporting/reporting_utilities/reporting_storage'
 require 'contrast/agent/reporting/reporting_utilities/build_preflight'
+require 'contrast/utils/assess/event_limit_utils'
 
 module Contrast
   module Agent

data/lib/contrast/agent/assess/property/evented.rb

@@ -1,8 +1,7 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/assess/events/event_factory'
-require 'contrast/agent/assess/events/source_event'
+require 'contrast/agent/reporting/reporting_events/finding_event'
 
 module Contrast
   module Agent
@@ -25,7 +24,7 @@ module Contrast
           #   the key used to accessed if from a map or nil if a type like
           #   BODY
           def build_event event_data, source_type = nil, source_name = nil
-            @event = Contrast::Agent::Assess::Events::EventFactory.build(event_data, source_type, source_name)
+            @event = Contrast::Agent::Reporting::FindingEvent.new(event_data, source_type, source_name)
             report_sources(event_data.tagged, @event)
           end
 
@@ -35,21 +34,22 @@ module Contrast
           # context's observed route
           #
           # @param tagged [Object] The Target of the Event
-          # @param event [Contrast::Agent::Assess::Events::ContrastEvent]
+          # @param event [Contrast::Agent::Reporting::FindingEvent]
           def report_sources tagged, event
             return unless tagged && !tagged.to_s.empty?
-            return unless event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
             return unless event.source_type
             return unless (current_request = Contrast::Agent::REQUEST_TRACKER.current)
 
-            if current_request.observed_route.sources.any? do |source|
-              source.type == event.source_type && source.name == event.source_name # rubocop:disable Security/Module/Name
-            end
+            event.event_sources&.each do |event_source|
+              if current_request.observed_route.sources.any? do |source|
+                source.source_type == event_source.source_type && source.source_name == event_source.source_name
+              end
 
-              return
-            end
+                next
+              end
 
-            current_request.observed_route.sources << event.event_source if event.event_source
+              current_request.observed_route.sources << event_source
+            end
           end
         end
       end

data/lib/contrast/agent/assess/rule/response/body_rule.rb

@@ -50,7 +50,7 @@ module Contrast
 
               potential_elements(section, element_start_str).flatten.each do |potential_element|
                 next unless potential_element
-                next unless element_openings.any? { |opening| potential_element.starts_with?(opening) }
+                next unless element_openings.any? { |opening| potential_element.start_with?(opening) }
 
                 section_start = section.index(element_start_str, section_start)
                 next unless section_start

data/lib/contrast/agent/assess.rb

@@ -18,7 +18,6 @@ module Contrast
       # reporting / tracking
       require 'contrast/agent/assess/properties'
       require 'contrast/agent/assess/tag'
-      require 'contrast/agent/assess/events/event_factory'
     end
   end
 end

data/lib/contrast/agent/excluder.rb

@@ -82,7 +82,7 @@ module Contrast
         event_sources = finding.events.flat_map(&:event_sources)
         event_sources.each do |event_source|
           return false unless rule_input_exclusions.any? do |exclusion|
-            input_match?(exclusion, event_source.type, event_source.name) # rubocop:disable Security/Module/Name
+            input_match?(exclusion, event_source.source_type, event_source.source_name)
           end
         end
 

data/lib/contrast/agent/middleware.rb

@@ -14,8 +14,9 @@ require 'contrast/utils/telemetry'
 require 'contrast/agent/request_handler'
 require 'contrast/agent/static_analysis'
 require 'contrast/agent/telemetry/events/startup_metrics_event'
+require 'contrast/agent/protect/input_analyzer/input_analyzer'
 require 'contrast/utils/middleware_utils'
-
+require 'contrast/utils/reporting/application_activity_batch_utils'
 require 'contrast/utils/timer'
 
 module Contrast
@@ -23,10 +24,11 @@ module Contrast
     # This class allows the Agent to plug into the Rack middleware stack. When the application is first started, we
     # initialize ourselves as a rack middleware inside of #initialize. Afterwards, we process each http request and
     # response as it goes through the middleware stack inside of #call.
-    class Middleware
+    class Middleware # rubocop:disable Metrics/ClassLength
       include Contrast::Components::Logger::InstanceMethods
       include Contrast::Components::Scope::InstanceMethods
       include Contrast::Utils::MiddlewareUtils
+      include Contrast::Utils::Reporting::ApplicationActivityBatchUtils
 
       attr_reader :app
 
@@ -62,6 +64,7 @@ module Contrast
       #   the Rack framework.
       def call env
         logger.trace_with_time('Elapsed time for Contrast::Agent::Middleware#call') do
+          ::Contrast::Agent::ThreadWatcher.check_before_start
           return app.call(env) unless ::Contrast::AGENT.enabled?
 
           Contrast::Agent.heapdump_util.start_thread!
@@ -169,17 +172,22 @@ module Contrast
         with_contrast_scope do
           context.extract_after(response) # update context with final response information
 
-          # Build and report all collected findings prior response
           Contrast::Agent::FINDINGS.report_collected_findings unless Contrast::Agent::FINDINGS.collection.empty?
           # All protect rules, which are trigger but require response to be reported
           Contrast::Agent::EXPLOITS.report_recorded_exploits(context) unless Contrast::Agent::EXPLOITS.collection.empty?
+          # Process Worth Watching Inputs for v2 rules
+          Contrast::Agent.worth_watching_analyzer&.add_to_queue(context.agent_input_analysis)
+          # Now we can build the ia_results only for postfilter rules.
+          context.protect_postfilter_ia
 
           if Contrast::Agent.framework_manager.streaming?(env)
             context.reset_activity
             request_handler.stream_safe_postfilter
           else
             request_handler.ruleset.postfilter
-            request_handler.report_activity
+            request_handler.report_observed_route
+            add_activity_to_batch(context.activity)
+            report_batch
           end
         end
       # unsuccessful attack

data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb

@@ -16,7 +16,6 @@ require 'contrast/agent/protect/rule/path_traversal'
 require 'contrast/agent/protect/rule/path_traversal/path_traversal_input_classification'
 require 'contrast/agent/protect/rule/xss/reflected_xss_input_classification'
 require 'contrast/agent/protect/rule/xss'
-require 'contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification'
 require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 require 'json'
@@ -29,7 +28,13 @@ module Contrast
       module InputAnalyzer
         DISPOSITION_NAME = 'name'
         DISPOSITION_FILENAME = 'filename'
-        DISPOSITION_KEYS = %w[Content-Disposition CONTENT_DISPOSITION].cs__freeze
+        PREFILTER_RULES = %w[bot-blocker unsafe-file-upload reflected-xss].cs__freeze
+        INFILTER_RULES = %w[
+          sql-injection cmd-injection reflected-xss bot-blocker unsafe-file-upload path-traversal
+          nosql-injection
+        ].cs__freeze
+        POSTFILTER_RULES = %w[sql-injection cmd-injection reflected-xss path-traversal nosql-injection].cs__freeze
+        AGENTLIB_TIMEOUT = 5.cs__freeze
 
         class << self
           include Contrast::Agent::Reporting::InputType
@@ -37,44 +42,8 @@ module Contrast
           include Contrast::Utils::ObjectShare
           include Contrast::Components::Logger::InstanceMethods
 
-          PROTECT_RULES = {
-              sqli: {
-                  rule_name: 'sql-injection',
-                  classification: Contrast::Agent::Protect::Rule::SqliInputClassification
-              },
-              cmdi: {
-                  rule_name: 'cmd-injection',
-                  classification: Contrast::Agent::Protect::Rule::CmdiInputClassification
-              },
-              # method_tampering: {
-              #     rule_name: 'method-tampering',
-              #     classification: Contrast::Agent::Protect::Rule::HttpMethodTamperingInputClassification
-              # },
-              reflected_xss: {
-                  rule_name: Contrast::Agent::Protect::Rule::Xss::NAME,
-                  classification: Contrast::Agent::Protect::Rule::ReflectedXssInputClassification
-              },
-              bot_blocker: {
-                  rule_name: Contrast::Agent::Protect::Rule::BotBlocker::NAME,
-                  classification: Contrast::Agent::Protect::Rule::BotBlockerInputClassification
-              },
-              unsafe_file_upload: {
-                  rule_name: Contrast::Agent::Protect::Rule::UnsafeFileUpload::NAME,
-                  classification: Contrast::Agent::Protect::Rule::UnsafeFileUploadInputClassification
-              },
-              path_traversal: {
-                  rule_name: Contrast::Agent::Protect::Rule::PathTraversal::NAME,
-                  classification: Contrast::Agent::Protect::Rule::PathTraversalInputClassification
-              },
-              nosqli: {
-                  rule_name: Contrast::Agent::Protect::Rule::NoSqli::NAME,
-                  classification: Contrast::Agent::Protect::Rule::NoSqliInputClassification
-              }
-          }.cs__freeze
-
           # This method with analyze the user input from the context of the
-          # current request and run each of the protect rules against all
-          # found input types
+          # current request and return new ia with extracted input types.
           #
           # @param request [Contrast::Agent::Request] current request context.
           # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
@@ -87,39 +56,8 @@ module Contrast
 
             input_analysis = Contrast::Agent::Reporting::InputAnalysis.new
             input_analysis.request = request
-            # each rule against each input
-            input_classification(inputs, input_analysis)
-            input_analysis
-          end
-
-          private
-
-          # classify input by rule implementation of worth_watching_v2 for the rules supporting it.
-          #
-          # @param inputs [String, Array<String>] user input to be analysed.
-          # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Here we will keep all the results
-          #                                                       for each protect rule.
-          # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
-          def input_classification inputs, input_analysis
-            # key = input type, value = user_input
-            inputs.each do |input_type, value|
-              next if value.nil? || value.empty?
-
-              PROTECT_RULES.each do |_key, rule|
-                protect_rule = Contrast::PROTECT.rule(rule[:rule_name])
-                logger.debug("Rule #{ rule[:rule_name] } not recognised in Protect rules") if protect_rule.nil?
-
-                # check if rule is enabled
-                next unless protect_rule&.enabled?
-
-                # method tampering doesn't take value
-                if rule[:rule_name] == Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
-                  rule[:classification].send(:classify, rule[:rule_name], input_type, input_analysis)
-                else
-                  rule[:classification].send(:classify, rule[:rule_name], input_type, value, input_analysis)
-                end
-              end
-            end
+            # Save those for trigger time
+            input_analysis.inputs = extract_input(request)
             input_analysis
           end
 
@@ -146,22 +84,77 @@ module Contrast
             inputs
           end
 
+          # classify input by rule
+          #
+          # @param rule_id [String] name of the rule
+          # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] from
+          # analyze method.
+          def input_classification_for rule_id, input_analysis
+            return unless input_analysis&.inputs
+            return unless (protect_rule = Contrast::PROTECT.rule(rule_id)) && protect_rule.enabled?
+
+            input_analysis.inputs.each do |input_type, value|
+              next if value.nil? || value.empty?
+
+              # append to results.
+              protect_rule.classification.classify(rule_id, input_type, value, input_analysis)
+            end
+            input_analysis
+          end
+
+          # classify input by array of rules. There is a timeout for the AgentLib analysis if not set it
+          # will use the default 5s.
+          #
+          # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Here we will keep all the results
+          #                                                       for each protect rule.
+          # @param prefilter [Boolean] flag to set input analysis for prefilter rules only
+          # @param postfilter [Boolean] flag to set input analysis for postfilter rules.
+          # @param infilter [Boolean]
+          # @param interval [Integer] The timeout determined for the AgentLib analysis to be performed
+          # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
+          # @raise [Timeout::Error] If timeout is met.
+          def input_classification(input_analysis,
+                                   prefilter: false,
+                                   postfilter: false,
+                                   infilter: false,
+                                   interval: AGENTLIB_TIMEOUT)
+            return unless input_analysis
+
+            rules = if prefilter
+                      PREFILTER_RULES
+                    elsif postfilter
+                      POSTFILTER_RULES
+                    else
+                      INFILTER_RULES
+                    end
+
+            rules.each do |rule_id|
+              # Check to see if rules is already triggered only for infilter:
+              next if input_analysis.triggered_rules.include?(rule_id) && infilter
+
+              Timeout.timeout(interval) do
+                input_classification_for(rule_id, input_analysis)
+              end
+            end
+            input_analysis
+          rescue Timeout::Error => e
+            logger.warn('AgentLib timed out when processing InputAnalysisResult', e, ia_result)
+            nil
+          end
+
+          private
+
           # Extract the filename and name of the  Content Disposition Header.
           #
           # @param inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
           # @param request [Contrast::Agent::Request] current request context.
           def extract_multipart inputs, request
-            disposition = request.rack_request.env[DISPOSITION_KEYS[0]]
-            disposition = request.rack_request.env[DISPOSITION_KEYS[1]] if disposition.nil? || disposition.empty?
-            return unless disposition
-
-            pairs = {}
-            disposition.split(SEMICOLON).each do |elem|
-              new_pair = elem.strip.split(EQUALS, 2)
-              pairs[new_pair[0].downcase] = new_pair[1] if new_pair
-            end
-            inputs[MULTIPART_NAME] = pairs[DISPOSITION_NAME]
-            inputs[MULTIPART_FIELD_NAME] = pairs[DISPOSITION_FILENAME]
+            return unless (parsed_data = Rack::Multipart.parse_multipart(request.rack_request.env))
+
+            filename = parsed_data[DISPOSITION_FILENAME]
+            inputs[MULTIPART_FIELD_NAME] = filename[DISPOSITION_FILENAME.to_sym] if filename
+            name = filename[DISPOSITION_NAME.to_sym]
+            inputs[MULTIPART_NAME] = name if name
           end
         end
       end

data/lib/contrast/agent/protect/input_analyzer/worth_watching_analyzer.rb

@@ -0,0 +1,121 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/worker_thread'
+require 'contrast/agent/reporting/input_analysis/input_analysis_result'
+require 'contrast/agent/reporting/input_analysis/score_level'
+require 'contrast/agent/reporting/reporting_events/application_activity'
+require 'contrast/utils/input_classification_base'
+
+module Contrast
+  module Agent
+    module Protect
+      # WorthWatchingInputAnalyzer Perform analysis of input tracing v2 worthwatching results in a
+      # separate thread, should only be run at the end of the request.
+      # Currently only includes: cmd_injection & sqli_injection rules
+      class WorthWatchingInputAnalyzer < WorkerThread
+        include Timeout
+        include Contrast::Agent::Protect::Rule::InputClassificationBase
+
+        QUEUE_SIZE = 1000.cs__freeze
+        AGENTLIB_TIMEOUT = 5.cs__freeze
+        # max size of inputs to evaluate
+        INPUT_BYTESIZE_THRESHOLD = 100_000.cs__freeze
+        REPORT_INTERVAL_SECOND = 30.cs__freeze
+
+        # Thread that will process all the InputAnalysisResults that have a score level of WORTHWATCHING and
+        # sends results to TeamServer
+        def start_thread!
+          return if running?
+
+          @_thread = Contrast::Agent::Thread.new do
+            logger.info('[WorthWatchingAnalyzer] Starting thread.')
+            loop do
+              sleep(REPORT_INTERVAL_SECOND)
+              next if queue.empty?
+
+              report = false
+              # build attack_results for all infilter active protect rules.
+              results = build_results(queue.pop)
+              activity = Contrast::Agent::Reporting::ApplicationActivity.new
+              results.each do |result|
+                next unless (attack_result = eval_input(result))
+
+                activity.attach_defend(attack_result)
+                report = true
+              end
+              Contrast::Agent.reporter.send_event_immediately(activity) if report
+            rescue StandardError => e
+              logger.debug('[WorthWatchingAnalyzer] thread could not process result because of:', e)
+            end
+          end
+        end
+
+        # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis]
+        def add_to_queue input_analysis
+          return unless input_analysis
+
+          if queue.size >= QUEUE_SIZE
+            logger.debug('[WorthWatchingAnalyzer] queue at max size, skip input_result')
+            return
+          end
+          # There will be no results here because of the delay of the protect rule analysis,
+          # we need to save the ia which contains the request and saved extracted user inputs to
+          # be evaluated on the thread rather than building results here. This way we allow the
+          # request to continue and will build the attack results later.
+          queue << input_analysis
+        end
+
+        private
+
+        # This method will build the attack results from the saved ia.
+        #
+        # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis]
+        # @return attack_results [array<Contrast::Agent::Reporting::InputAnalysisResult>] all the results
+        # from the input analysis.
+        def build_results input_analysis
+          # Construct the input analysis for the all the infilter rules that were not triggered.
+          # There is a set timeout for each rule to be analyzed in. The infilter flag will make
+          # sure that if a rule is already triggered during the infilter phase it will not be analyzed
+          # now, making sure we don't report same rule twice.
+          Contrast::Agent::Protect::InputAnalyzer.input_classification(input_analysis, infilter: true)
+          results = []
+          input_analysis.results.reject { |val| val.score_level == SCORE_LEVEL::IGNORE }.
+              each do |ia_result|
+            results << ia_result
+          end
+
+          results
+        end
+
+        # @param ia_result Contrast::Agent::Reporting::InputAnalysisResult the WorthWatching InputAnalysisResult
+        # @return [Contrast::Agent::Reporting::AttackResult, nil] InputAnalysisResult updated Result or nil
+        def eval_input ia_result
+          return build_attack_result(ia_result) unless ia_result.value.to_s.bytesize >= INPUT_BYTESIZE_THRESHOLD
+
+          logger.debug("[WorthWatchingAnalyzer] Skipping analysis: Input size is larger than
+                      #{ INPUT_BYTESIZE_THRESHOLD / 1024 }KB")
+          nil
+        end
+
+        # @param ia_result Contrast::Agent::Reporting::InputAnalysisResult the updated InputAnalysisResult
+        # with a score of :DEFINITEATTACK
+        # @return [Contrast::Agent::Reporting::AttackResult] the attack result from
+        #   this input
+        def build_attack_result ia_result
+          Contrast::PROTECT.rule(ia_result.rule_id).build_attack_without_match(nil, ia_result, nil)
+        end
+
+        def queue
+          @_queue ||= Queue.new
+        end
+
+        def delete_queue!
+          @_queue&.clear
+          @_queue&.close
+          @_queue = nil
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb

@@ -32,6 +32,8 @@ module Contrast
 
               clazz = object.is_a?(Module) ? object : object.cs__class
               class_name = clazz.cs__name
+              # Get the ia for current rule:
+              apply_classification(rule_name, Contrast::Agent::REQUEST_TRACKER.current)
               rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, class_name, method, command)
               # invoke cmdi sub-rules.
               rule.sub_rules.each do |sub_rule|

data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb

@@ -20,6 +20,8 @@ module Contrast
               return unless valid_input?(args)
               return if skip_analysis?
 
+              # Get the ia for current rule:
+              apply_classification(rule_name, Contrast::Agent::REQUEST_TRACKER.current)
               database = properties['database']
               operations = args[0]
               context = Contrast::Agent::REQUEST_TRACKER.current
@@ -48,10 +50,11 @@ module Contrast
             end
 
             def handle_operation context, database, _action, operation
-              data = extract_mongo_data(operation)
-              return unless data && !data.empty?
+              # TODO: RUBY-1991 Expand NoSQLI triggers
+              # data = extract_mongo_data(operation)
+              # return unless data && !data.empty?
 
-              rule.infilter(context, database, data)
+              rule.infilter(context, database, operation)
             end
 
             def extract_mongo_data operation

data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb

@@ -29,6 +29,9 @@ module Contrast
               write_marker = write?(action, *args)
               possible_write = write_marker && possible_write?(write_marker)
 
+              # Get the ia for current rule:
+              apply_classification(rule_name, Contrast::Agent::REQUEST_TRACKER.current)
+
               # Invoke semantic rules from here, not in a separate protect policy
               invoke_semantic_rules(path, possible_write, object, method)
               path_traversal_rule(path, possible_write, object, method)

data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb

@@ -29,6 +29,9 @@ module Contrast
               return if skip_analysis?
 
               sql = args[index]
+
+              # Get the ia for current rule:
+              apply_classification(rule_name, Contrast::Agent::REQUEST_TRACKER.current)
               rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, database, sql)
               rule.sub_rules.each { |sub_rule| sub_rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, sql) }
             end

data/lib/contrast/agent/protect/policy/rule_applicator.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/components/logger'
+require 'contrast/agent/protect/input_analyzer/input_analyzer'
 
 module Contrast
   module Agent
@@ -44,6 +45,17 @@ module Contrast
                                                            rule: rule_name)
           end
 
+          # applies input_analysis for the invoked rule
+          #
+          # @param rule_id [String] name of the rule
+          # @param context [Contrast::Agent::RequestContext] current request contest
+          def apply_classification rule_id, context
+            return unless context
+            return unless (ia = context.agent_input_analysis)
+
+            Contrast::Agent::Protect::InputAnalyzer.input_classification_for(rule_id, ia)
+          end
+
           protected
 
           # Calls the actual rule for this applicator, if required. Most rules

data/lib/contrast/agent/protect/rule/base.rb

@@ -5,6 +5,7 @@ require 'contrast/components/logger'
 require 'contrast/components/scope'
 require 'contrast/utils/object_share'
 require 'contrast/agent/reporting/attack_result/response_type'
+require 'contrast/agent/reporting/attack_result/attack_result'
 
 module Contrast
   module Agent
@@ -51,6 +52,23 @@ module Contrast
             Contrast::Utils::ObjectShare::EMPTY_ARRAY
           end
 
+          # The classification module used for each specific rule to
+          # classify input data and score it. Extend for each rule.
+          def classification; end
+
+          # Input Classification stage is done to determine if an user input is
+          # DEFINITEATTACK or to be ignored.
+          #
+          # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+          # @param value [Hash<String>] the value of the input.
+          # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
+          #                                                       agent analysis from the current
+          #                                                       Request.
+          # @return ia [Contrast::Agent::Reporting::InputAnalysis, nil] with updated results.
+          def classify input_type, value, input_analysis
+            classification.classify(rule_name, input_type, value, input_analysis)
+          end
+
           def enabled?
             # 1. it is not enabled because protect is not enabled
             return false unless ::Contrast::AGENT.enabled?
@@ -148,14 +166,14 @@ module Contrast
           # protect rule but did not exploit the application. As such, we need
           # to build a result to report this violation to TeamServer.
           #
-          # @param context [Contrast::Agent::RequestContext] the context of the
+          # @param context [Contrast::Agent::RequestContext, nil] the context of the
           #   request in which this input is evaluated.
           # @param ia_result [Contrast::Agent::Reporting::InputAnalysis] the
           #   analysis of the input that was determined to be an attack
           # @param result [Contrast::Agent::Reporting::AttackResult, nil] previous
           #   attack result for this rule, if one exists, in the case of
           #   multiple inputs being found to violate the protection criteria
-          # @param kwargs [Hash] key - value pairs of context individual rules
+          # @param kwargs [Hash, nil] key - value pairs of context individual rules
           #   need to build out details to send to TeamServer to tell the
           #   story of the attack
           # @return [Contrast::Agent::Reporting::AttackResult] the attack result from
@@ -288,11 +306,7 @@ module Contrast
           # @param _context [Contrast::Agent::RequestContext] the context of
           #   the current request
           # @return [Contrast::Agent::Reporting::AttackResult]
-          def build_attack_result _context
-            result = Contrast::Agent::Reporting::AttackResult.new
-            result.rule_id = rule_name
-            result
-          end
+          def build_attack_result _context; end
 
           # @param sample [Contrast::Agent::Reporting::RaspRuleSample]
           # @param result [Contrast::Agent::Reporting::AttackResult, nil] previous attack result for this rule, if one

data/lib/contrast/agent/protect/rule/base_service.rb

@@ -96,6 +96,12 @@ module Contrast
             end
           end
 
+          def build_attack_result _context
+            result = Contrast::Agent::Reporting::AttackResult.new
+            result.rule_id = rule_name
+            result
+          end
+
           # @param context [Contrast::Agent::RequestContext]
           # @param potential_attack_string [String, nil]
           # @param **kwargs