contrast-agent 6.9.0 → 6.11.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b850f63bce180f09f998f5363f58b01e9c69db61a2f98a31db97fb59b82564d7
-  data.tar.gz: 811072666998fb4daf0f49d2514d875b45c18d79d29398639862f1c2144aa930
+  metadata.gz: fddcf57afedf79d84cacef08c959a190f29f6db9248d34d1a01c3abe1b13553b
+  data.tar.gz: 599882cd812552c2cc12c86f6ecd526e7a7d1e458cf8ea4d961d17ef5179c9ad
 SHA512:
-  metadata.gz: ac0f4dcea0a62d6aa000659943f2b994a02940148fffdff2901ff4ff61d27fd257170ec4f48d0b1925d569dbc20de89a8866f76a17dd1c22aa15d9c80e4e9eb1
-  data.tar.gz: bd2490f015d1a5c8be5f0e7a0fc60e5acdc436b03e32420cbf19542a53b760c843cd84a17a0e7a8a3794ec69e3aa909e63fabdb32f4c32d5daa48ece261176aa
+  metadata.gz: e91dd42c9aa9f9cb934bfe878e0f6be951f9397978c874dd2a4b38c0a78f1cfe6b7e957ec6abaa3bb97a194f6494950f9ec93ebad408cf2767df06b1475bd373
+  data.tar.gz: ad17804c1abf24410ba2bbe7798ce142eba284cb0911830e40f6f92917a47961d4cfaefa79ed8affb8d1d821e27a85f57ace126a64417f6fe672f965916c3dba

data/.gitignore

@@ -23,7 +23,7 @@ ruby-spec
 mspec
 
 # rspec generated files
-/spec/dummy_files/*
+/spec/dummy_files/
 
 # Funchook artifacts
 /ext/**/funchook.h

data/ext/build_funchook.rb

@@ -17,7 +17,7 @@ unless find_header('funchook.h', ext_path)
     extension_paths = Dir[contrast_gem_dir_search]
     extension_paths.map! do |extension_path|
       target_path = File.join(extension_path, 'shared_libraries')
-      FileUtils.mkdir_p(target_path) unless File.exist?(target_path)
+      FileUtils.mkdir_p(target_path)
       target_path
     end
     bundler_install_target_paths += extension_paths

data/lib/contrast/agent/assess/policy/propagator/split.rb

@@ -17,12 +17,11 @@ module Contrast
         module Propagator
           # This class is specifically for String#split & String#grapheme_clusters propagation
           # it propagates tag ranges from a string to elements within an untracked array
-          class Split < Contrast::Agent::Assess::Policy::Propagator::Base
+          class Split < Contrast::Agent::Assess::Policy::Propagator::Base # rubocop:disable  Metrics/ClassLength
             extend Contrast::Components::Scope::InstanceMethods
             extend Contrast::Components::Logger::InstanceMethods
             extend Contrast::Utils::Assess::SplitUtils
             extend Contrast::Utils::Assess::EventLimitUtils
-
             SPLIT_TRACKER = Contrast::Utils::ThreadTracker.new
 
             class << self
@@ -61,7 +60,6 @@ module Contrast
                 rescue Exception => e # rubocop:disable Lint/RescueException
                   logger.warn('Unable to record split context', e)
                 end
-
                 yield
               ensure
                 # String#split exit. Remove propagation context.
@@ -158,7 +156,6 @@ module Contrast
                   # Get tags for element from source by element range.
                   range = current_index...(current_index + target_elem.length)
                   tags = source_properties.tags_at_range(range)
-
                   # Set element properties accordingly.
                   elem_properties.clear_tags
                   tags.each_pair { |key, value| elem_properties.set_tags(key, value) }

data/lib/contrast/agent/assess/rule/response/body_rule.rb

@@ -50,7 +50,7 @@ module Contrast
 
               potential_elements(section, element_start_str).flatten.each do |potential_element|
                 next unless potential_element
-                next unless element_openings.any? { |opening| potential_element.starts_with?(opening) }
+                next unless element_openings.any? { |opening| potential_element.start_with?(opening) }
 
                 section_start = section.index(element_start_str, section_start)
                 next unless section_start

data/lib/contrast/agent/middleware.rb

@@ -14,6 +14,7 @@ require 'contrast/utils/telemetry'
 require 'contrast/agent/request_handler'
 require 'contrast/agent/static_analysis'
 require 'contrast/agent/telemetry/events/startup_metrics_event'
+require 'contrast/agent/protect/input_analyzer/input_analyzer'
 require 'contrast/utils/middleware_utils'
 require 'contrast/utils/reporting/application_activity_batch_utils'
 require 'contrast/utils/timer'
@@ -23,7 +24,7 @@ module Contrast
     # This class allows the Agent to plug into the Rack middleware stack. When the application is first started, we
     # initialize ourselves as a rack middleware inside of #initialize. Afterwards, we process each http request and
     # response as it goes through the middleware stack inside of #call.
-    class Middleware
+    class Middleware # rubocop:disable Metrics/ClassLength
       include Contrast::Components::Logger::InstanceMethods
       include Contrast::Components::Scope::InstanceMethods
       include Contrast::Utils::MiddlewareUtils
@@ -43,7 +44,7 @@ module Contrast
         @app = app  # THIS MUST BE FIRST AND ALWAYS SET!
         setup_agent # THIS MUST BE SECOND AND ALWAYS CALLED!
         unless ::Contrast::AGENT.enabled?
-          logger.error('The Agent was unable to initialize before the application middleware was initialized. '\
+          logger.error('The Agent was unable to initialize before the application middleware was initialized. ' \
                        'Disabling permanently.')
           ::Contrast::AGENT.disable! # ensure the agent is disabled (probably redundant)
           return
@@ -171,12 +172,13 @@ module Contrast
         with_contrast_scope do
           context.extract_after(response) # update context with final response information
 
-          # Build and report all collected findings prior response
           Contrast::Agent::FINDINGS.report_collected_findings unless Contrast::Agent::FINDINGS.collection.empty?
           # All protect rules, which are trigger but require response to be reported
           Contrast::Agent::EXPLOITS.report_recorded_exploits(context) unless Contrast::Agent::EXPLOITS.collection.empty?
           # Process Worth Watching Inputs for v2 rules
           Contrast::Agent.worth_watching_analyzer&.add_to_queue(context.agent_input_analysis)
+          # Now we can build the ia_results only for postfilter rules.
+          context.protect_postfilter_ia
 
           if Contrast::Agent.framework_manager.streaming?(env)
             context.reset_activity

data/lib/contrast/agent/patching/policy/method_policy_extend.rb

@@ -57,8 +57,12 @@ module Contrast
             nodes.find { |node| node }&.method_visibility
           end
 
-          def check_method_policy_nodes_empty?(source_node, propagation_node, trigger_node, protect_node,
-                                               inventory_node, deadzone_node)
+          def check_method_policy_nodes_empty?(source_node,
+                                               propagation_node,
+                                               trigger_node,
+                                               protect_node,
+                                               inventory_node,
+                                               deadzone_node)
             return false unless source_node.nil? && propagation_node.nil? && trigger_node.nil? && protect_node.nil? &&
                 inventory_node.nil? && deadzone_node.nil?
 

data/lib/contrast/agent/patching/policy/trigger_node.rb

@@ -46,7 +46,7 @@ module Contrast
             super
             unless applicator.public_methods(false).any?(applicator_method)
               raise(ArgumentError,
-                    "#{ id } did not have a proper applicator method: "\
+                    "#{ id } did not have a proper applicator method: " \
                     "#{ applicator } does not respond to #{ applicator_method }. Unable to create.")
             end
             validate_properties

data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb

@@ -16,7 +16,6 @@ require 'contrast/agent/protect/rule/path_traversal'
 require 'contrast/agent/protect/rule/path_traversal/path_traversal_input_classification'
 require 'contrast/agent/protect/rule/xss/reflected_xss_input_classification'
 require 'contrast/agent/protect/rule/xss'
-require 'contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification'
 require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 require 'json'
@@ -29,7 +28,13 @@ module Contrast
       module InputAnalyzer
         DISPOSITION_NAME = 'name'
         DISPOSITION_FILENAME = 'filename'
-        DISPOSITION_KEYS = %w[Content-Disposition CONTENT_DISPOSITION].cs__freeze
+        PREFILTER_RULES = %w[bot-blocker unsafe-file-upload reflected-xss].cs__freeze
+        INFILTER_RULES = %w[
+          sql-injection cmd-injection reflected-xss bot-blocker unsafe-file-upload path-traversal
+          nosql-injection
+        ].cs__freeze
+        POSTFILTER_RULES = %w[sql-injection cmd-injection reflected-xss path-traversal nosql-injection].cs__freeze
+        AGENTLIB_TIMEOUT = 5.cs__freeze
 
         class << self
           include Contrast::Agent::Reporting::InputType
@@ -37,44 +42,8 @@ module Contrast
           include Contrast::Utils::ObjectShare
           include Contrast::Components::Logger::InstanceMethods
 
-          PROTECT_RULES = {
-              sqli: {
-                  rule_name: 'sql-injection',
-                  classification: Contrast::Agent::Protect::Rule::SqliInputClassification
-              },
-              cmdi: {
-                  rule_name: 'cmd-injection',
-                  classification: Contrast::Agent::Protect::Rule::CmdiInputClassification
-              },
-              # method_tampering: {
-              #     rule_name: 'method-tampering',
-              #     classification: Contrast::Agent::Protect::Rule::HttpMethodTamperingInputClassification
-              # },
-              reflected_xss: {
-                  rule_name: Contrast::Agent::Protect::Rule::Xss::NAME,
-                  classification: Contrast::Agent::Protect::Rule::ReflectedXssInputClassification
-              },
-              bot_blocker: {
-                  rule_name: Contrast::Agent::Protect::Rule::BotBlocker::NAME,
-                  classification: Contrast::Agent::Protect::Rule::BotBlockerInputClassification
-              },
-              unsafe_file_upload: {
-                  rule_name: Contrast::Agent::Protect::Rule::UnsafeFileUpload::NAME,
-                  classification: Contrast::Agent::Protect::Rule::UnsafeFileUploadInputClassification
-              },
-              path_traversal: {
-                  rule_name: Contrast::Agent::Protect::Rule::PathTraversal::NAME,
-                  classification: Contrast::Agent::Protect::Rule::PathTraversalInputClassification
-              },
-              nosqli: {
-                  rule_name: Contrast::Agent::Protect::Rule::NoSqli::NAME,
-                  classification: Contrast::Agent::Protect::Rule::NoSqliInputClassification
-              }
-          }.cs__freeze
-
           # This method with analyze the user input from the context of the
-          # current request and run each of the protect rules against all
-          # found input types
+          # current request and return new ia with extracted input types.
           #
           # @param request [Contrast::Agent::Request] current request context.
           # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
@@ -87,39 +56,8 @@ module Contrast
 
             input_analysis = Contrast::Agent::Reporting::InputAnalysis.new
             input_analysis.request = request
-            # each rule against each input
-            input_classification(inputs, input_analysis)
-            input_analysis
-          end
-
-          private
-
-          # classify input by rule implementation of worth_watching_v2 for the rules supporting it.
-          #
-          # @param inputs [String, Array<String>] user input to be analysed.
-          # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Here we will keep all the results
-          #                                                       for each protect rule.
-          # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
-          def input_classification inputs, input_analysis
-            # key = input type, value = user_input
-            inputs.each do |input_type, value|
-              next if value.nil? || value.empty?
-
-              PROTECT_RULES.each do |_key, rule|
-                protect_rule = Contrast::PROTECT.rule(rule[:rule_name])
-                logger.debug("Rule #{ rule[:rule_name] } not recognised in Protect rules") if protect_rule.nil?
-
-                # check if rule is enabled
-                next unless protect_rule&.enabled?
-
-                # method tampering doesn't take value
-                if rule[:rule_name] == Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
-                  rule[:classification].send(:classify, rule[:rule_name], input_type, input_analysis)
-                else
-                  rule[:classification].send(:classify, rule[:rule_name], input_type, value, input_analysis)
-                end
-              end
-            end
+            # Save those for trigger time
+            input_analysis.inputs = extract_input(request)
             input_analysis
           end
 
@@ -146,22 +84,77 @@ module Contrast
             inputs
           end
 
+          # classify input by rule
+          #
+          # @param rule_id [String] name of the rule
+          # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] from
+          # analyze method.
+          def input_classification_for rule_id, input_analysis
+            return unless input_analysis&.inputs
+            return unless (protect_rule = Contrast::PROTECT.rule(rule_id)) && protect_rule.enabled?
+
+            input_analysis.inputs.each do |input_type, value|
+              next if value.nil? || value.empty?
+
+              # append to results.
+              protect_rule.classification.classify(rule_id, input_type, value, input_analysis)
+            end
+            input_analysis
+          end
+
+          # classify input by array of rules. There is a timeout for the AgentLib analysis if not set it
+          # will use the default 5s.
+          #
+          # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Here we will keep all the results
+          #                                                       for each protect rule.
+          # @param prefilter [Boolean] flag to set input analysis for prefilter rules only
+          # @param postfilter [Boolean] flag to set input analysis for postfilter rules.
+          # @param infilter [Boolean]
+          # @param interval [Integer] The timeout determined for the AgentLib analysis to be performed
+          # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
+          # @raise [Timeout::Error] If timeout is met.
+          def input_classification(input_analysis,
+                                   prefilter: false,
+                                   postfilter: false,
+                                   infilter: false,
+                                   interval: AGENTLIB_TIMEOUT)
+            return unless input_analysis
+
+            rules = if prefilter
+                      PREFILTER_RULES
+                    elsif postfilter
+                      POSTFILTER_RULES
+                    else
+                      INFILTER_RULES
+                    end
+
+            rules.each do |rule_id|
+              # Check to see if rules is already triggered only for infilter:
+              next if input_analysis.triggered_rules.include?(rule_id) && infilter
+
+              Timeout.timeout(interval) do
+                input_classification_for(rule_id, input_analysis)
+              end
+            end
+            input_analysis
+          rescue Timeout::Error => e
+            logger.warn('AgentLib timed out when processing InputAnalysisResult', e, ia_result)
+            nil
+          end
+
+          private
+
           # Extract the filename and name of the  Content Disposition Header.
           #
           # @param inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
           # @param request [Contrast::Agent::Request] current request context.
           def extract_multipart inputs, request
-            disposition = request.rack_request.env[DISPOSITION_KEYS[0]]
-            disposition = request.rack_request.env[DISPOSITION_KEYS[1]] if disposition.nil? || disposition.empty?
-            return unless disposition
-
-            pairs = {}
-            disposition.split(SEMICOLON).each do |elem|
-              new_pair = elem.strip.split(EQUALS, 2)
-              pairs[new_pair[0].downcase] = new_pair[1] if new_pair
-            end
-            inputs[MULTIPART_NAME] = pairs[DISPOSITION_NAME]
-            inputs[MULTIPART_FIELD_NAME] = pairs[DISPOSITION_FILENAME]
+            return unless (parsed_data = Rack::Multipart.parse_multipart(request.rack_request.env))
+
+            filename = parsed_data[DISPOSITION_FILENAME]
+            inputs[MULTIPART_FIELD_NAME] = filename[DISPOSITION_FILENAME.to_sym] if filename
+            name = filename[DISPOSITION_NAME.to_sym]
+            inputs[MULTIPART_NAME] = name if name
           end
         end
       end

data/lib/contrast/agent/protect/input_analyzer/worth_watching_analyzer.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/worker_thread'
+require 'contrast/agent/reporting/input_analysis/input_analysis_result'
 require 'contrast/agent/reporting/input_analysis/score_level'
 require 'contrast/agent/reporting/reporting_events/application_activity'
 require 'contrast/utils/input_classification_base'
@@ -28,69 +29,73 @@ module Contrast
           return if running?
 
           @_thread = Contrast::Agent::Thread.new do
-            logger.info('Starting Worth Watching Analyzer thread.')
+            logger.info('[WorthWatchingAnalyzer] Starting thread.')
             loop do
               sleep(REPORT_INTERVAL_SECOND)
               next if queue.empty?
 
               report = false
-              num_to_report = queue.length
+              # build attack_results for all infilter active protect rules.
+              results = build_results(queue.pop)
               activity = Contrast::Agent::Reporting::ApplicationActivity.new
-              num_to_report.times do
-                next unless (attack_result = eval_input(queue.pop))
+              results.each do |result|
+                next unless (attack_result = eval_input(result))
 
                 activity.attach_defend(attack_result)
                 report = true
               end
               Contrast::Agent.reporter.send_event_immediately(activity) if report
             rescue StandardError => e
-              logger.debug('Worth Watching Analyzer thread could not process result because of:', e)
+              logger.debug('[WorthWatchingAnalyzer] thread could not process result because of:', e)
             end
           end
         end
 
-        # param Contrast::Agent::Reporting::InputAnalysis
+        # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis]
         def add_to_queue input_analysis
-          return if input_analysis&.results&.empty?
+          return unless input_analysis
 
           if queue.size >= QUEUE_SIZE
-            logger.debug('WorthWatching queue at max size, skip input_result')
+            logger.debug('[WorthWatchingAnalyzer] queue at max size, skip input_result')
             return
           end
-          input_analysis.results.select { |val| val.score_level == WORTHWATCHING }.
-              each do |ia_result|
-            queue << ia_result
-          end
+          # There will be no results here because of the delay of the protect rule analysis,
+          # we need to save the ia which contains the request and saved extracted user inputs to
+          # be evaluated on the thread rather than building results here. This way we allow the
+          # request to continue and will build the attack results later.
+          queue << input_analysis
         end
 
         private
 
+        # This method will build the attack results from the saved ia.
+        #
+        # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis]
+        # @return attack_results [array<Contrast::Agent::Reporting::InputAnalysisResult>] all the results
+        # from the input analysis.
+        def build_results input_analysis
+          # Construct the input analysis for the all the infilter rules that were not triggered.
+          # There is a set timeout for each rule to be analyzed in. The infilter flag will make
+          # sure that if a rule is already triggered during the infilter phase it will not be analyzed
+          # now, making sure we don't report same rule twice.
+          Contrast::Agent::Protect::InputAnalyzer.input_classification(input_analysis, infilter: true)
+          results = []
+          input_analysis.results.reject { |val| val.score_level == SCORE_LEVEL::IGNORE }.
+              each do |ia_result|
+            results << ia_result
+          end
+
+          results
+        end
+
         # @param ia_result Contrast::Agent::Reporting::InputAnalysisResult the WorthWatching InputAnalysisResult
-        # @return [Contrast::Agent::Reporting::InputAnalysisResult, nil] InputAnalysisResult updated Result or nil
+        # @return [Contrast::Agent::Reporting::AttackResult, nil] InputAnalysisResult updated Result or nil
         def eval_input ia_result
-          return if ia_result.nil?
-
-          if ia_result.value.to_s.bytesize >= INPUT_BYTESIZE_THRESHOLD
-            logger.debug("Skip anaylsis: Input size is larger than #{ INPUT_BYTESIZE_THRESHOLD / 1024 }KB")
-            return
-          end
+          return build_attack_result(ia_result) unless ia_result.value.to_s.bytesize >= INPUT_BYTESIZE_THRESHOLD
 
-          begin
-            input_eval = Timeout.timeout(AGENTLIB_TIMEOUT) do
-              Contrast::AGENT_LIB.eval_input(ia_result.value,
-                                             convert_input_type(ia_result.input_type),
-                                             Contrast::AGENT_LIB.rule_set[ia_result.rule_id],
-                                             Contrast::AGENT_LIB.eval_option[:NONE])
-            end
-            score = input_eval&.score || 0
-            return if score <= THRESHOLD
-
-            ia_result.score_level = DEFINITEATTACK
-            build_attack_result(ia_result)
-          rescue Timeout::Error => e
-            logger.warn('AgentLib timed out when processing WORTHWATCHING InputAnalysisResult', e, ia_result)
-            nil
-          end
+          logger.debug("[WorthWatchingAnalyzer] Skipping analysis: Input size is larger than
+                      #{ INPUT_BYTESIZE_THRESHOLD / 1024 }KB")
+          nil
         end
 
         # @param ia_result Contrast::Agent::Reporting::InputAnalysisResult the updated InputAnalysisResult

data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb

@@ -32,6 +32,8 @@ module Contrast
 
               clazz = object.is_a?(Module) ? object : object.cs__class
               class_name = clazz.cs__name
+              # Get the ia for current rule:
+              apply_classification(rule_name, Contrast::Agent::REQUEST_TRACKER.current)
               rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, class_name, method, command)
               # invoke cmdi sub-rules.
               rule.sub_rules.each do |sub_rule|

data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb

@@ -20,6 +20,8 @@ module Contrast
               return unless valid_input?(args)
               return if skip_analysis?
 
+              # Get the ia for current rule:
+              apply_classification(rule_name, Contrast::Agent::REQUEST_TRACKER.current)
               database = properties['database']
               operations = args[0]
               context = Contrast::Agent::REQUEST_TRACKER.current
@@ -48,10 +50,11 @@ module Contrast
             end
 
             def handle_operation context, database, _action, operation
-              data = extract_mongo_data(operation)
-              return unless data && !data.empty?
+              # TODO: RUBY-1991 Expand NoSQLI triggers
+              # data = extract_mongo_data(operation)
+              # return unless data && !data.empty?
 
-              rule.infilter(context, database, data)
+              rule.infilter(context, database, operation)
             end
 
             def extract_mongo_data operation

data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb

@@ -29,6 +29,9 @@ module Contrast
               write_marker = write?(action, *args)
               possible_write = write_marker && possible_write?(write_marker)
 
+              # Get the ia for current rule:
+              apply_classification(rule_name, Contrast::Agent::REQUEST_TRACKER.current)
+
               # Invoke semantic rules from here, not in a separate protect policy
               invoke_semantic_rules(path, possible_write, object, method)
               path_traversal_rule(path, possible_write, object, method)
@@ -98,10 +101,10 @@ module Contrast
             CS__SAFER_REL_PATHS = %w[public app log tmp].cs__freeze
             def safer_abs_paths
               @_safer_abs_paths ||= begin
-                pwd = ENV['PWD']
+                pwd = ENV.fetch('PWD', nil)
                 if pwd
                   tmp = CS__SAFER_REL_PATHS.map { |r| "#{ pwd }/#{ r }" }
-                  gems = ENV['GEM_PATH']
+                  gems = ENV.fetch('GEM_PATH', nil)
                   tmp += gems.split(Contrast::Utils::ObjectShare::COLON) if gems
                   tmp.map!(&:downcase)
                   tmp

data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb

@@ -29,6 +29,9 @@ module Contrast
               return if skip_analysis?
 
               sql = args[index]
+
+              # Get the ia for current rule:
+              apply_classification(rule_name, Contrast::Agent::REQUEST_TRACKER.current)
               rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, database, sql)
               rule.sub_rules.each { |sub_rule| sub_rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, sql) }
             end

data/lib/contrast/agent/protect/policy/rule_applicator.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/components/logger'
+require 'contrast/agent/protect/input_analyzer/input_analyzer'
 
 module Contrast
   module Agent
@@ -44,6 +45,17 @@ module Contrast
                                                            rule: rule_name)
           end
 
+          # applies input_analysis for the invoked rule
+          #
+          # @param rule_id [String] name of the rule
+          # @param context [Contrast::Agent::RequestContext] current request contest
+          def apply_classification rule_id, context
+            return unless context
+            return unless (ia = context.agent_input_analysis)
+
+            Contrast::Agent::Protect::InputAnalyzer.input_classification_for(rule_id, ia)
+          end
+
           protected
 
           # Calls the actual rule for this applicator, if required. Most rules

data/lib/contrast/agent/protect/rule/base.rb

@@ -5,6 +5,7 @@ require 'contrast/components/logger'
 require 'contrast/components/scope'
 require 'contrast/utils/object_share'
 require 'contrast/agent/reporting/attack_result/response_type'
+require 'contrast/agent/reporting/attack_result/attack_result'
 
 module Contrast
   module Agent
@@ -51,6 +52,23 @@ module Contrast
             Contrast::Utils::ObjectShare::EMPTY_ARRAY
           end
 
+          # The classification module used for each specific rule to
+          # classify input data and score it. Extend for each rule.
+          def classification; end
+
+          # Input Classification stage is done to determine if an user input is
+          # DEFINITEATTACK or to be ignored.
+          #
+          # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+          # @param value [Hash<String>] the value of the input.
+          # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
+          #                                                       agent analysis from the current
+          #                                                       Request.
+          # @return ia [Contrast::Agent::Reporting::InputAnalysis, nil] with updated results.
+          def classify input_type, value, input_analysis
+            classification.classify(rule_name, input_type, value, input_analysis)
+          end
+
           def enabled?
             # 1. it is not enabled because protect is not enabled
             return false unless ::Contrast::AGENT.enabled?
@@ -288,11 +306,7 @@ module Contrast
           # @param _context [Contrast::Agent::RequestContext] the context of
           #   the current request
           # @return [Contrast::Agent::Reporting::AttackResult]
-          def build_attack_result _context
-            result = Contrast::Agent::Reporting::AttackResult.new
-            result.rule_id = rule_name
-            result
-          end
+          def build_attack_result _context; end
 
           # @param sample [Contrast::Agent::Reporting::RaspRuleSample]
           # @param result [Contrast::Agent::Reporting::AttackResult, nil] previous attack result for this rule, if one

data/lib/contrast/agent/protect/rule/base_service.rb

@@ -91,11 +91,16 @@ module Contrast
             return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless context&.agent_input_analysis&.results
 
             context.agent_input_analysis.results.select do |ia_result|
-              ia_result.rule_id == rule_name &&
-                  ia_result.score_level != Contrast::Agent::Reporting::ScoreLevel::IGNORE
+              ia_result.rule_id == rule_name && ia_result.score_level != Contrast::Agent::Reporting::ScoreLevel::IGNORE
             end
           end
 
+          def build_attack_result _context
+            result = Contrast::Agent::Reporting::AttackResult.new
+            result.rule_id = rule_name
+            result
+          end
+
           # @param context [Contrast::Agent::RequestContext]
           # @param potential_attack_string [String, nil]
           # @param **kwargs

data/lib/contrast/agent/protect/rule/bot_blocker/bot_blocker_input_classification.rb

@@ -39,7 +39,7 @@ module Contrast
 
               value.each_value do |val|
                 result = create_new_input_result(input_analysis.request, rule.rule_name, input_type, val)
-                input_analysis.results << result if result
+                append_result(input_analysis, result)
               end
 
               input_analysis

data/lib/contrast/agent/protect/rule/bot_blocker.rb

@@ -6,6 +6,7 @@ require 'contrast/components/logger'
 require 'contrast/agent/reporting/input_analysis/input_type'
 require 'contrast/agent/reporting/input_analysis/score_level'
 require 'contrast/agent_lib/interface'
+require 'contrast/agent/protect/rule/bot_blocker/bot_blocker_input_classification'
 
 module Contrast
   module Agent
@@ -27,6 +28,13 @@ module Contrast
             APPLICABLE_USER_INPUTS
           end
 
+          # Bot blocker input classification
+          #
+          # @return [module<Contrast::Agent::Protect::Rule::BotBlockerInputClassification>]
+          def classification
+            @_classification ||= Contrast::Agent::Protect::Rule::BotBlockerInputClassification.cs__freeze
+          end
+
           # BotBlocker prefilter:
           #
           # @param context [Contrast::Agent::RequestContext] current request contest