Class: Contrast::Agent::Excluder

Inherits:
Object
Includes:
Reporting::InputType
Defined in:
lib/contrast/agent/excluder/excluder.rb

Overview

Given an array of exclusion matcher instances, provides methods to determine if the exclusions apply to particular URLs.

Constant Summary

Constants included from Reporting::InputType

Reporting::InputType::BODY, Reporting::InputType::COOKIE_NAME, Reporting::InputType::COOKIE_VALUE, Reporting::InputType::DWR_VALUE, Reporting::InputType::HEADER, Reporting::InputType::JSON_ARRAYED_VALUE, Reporting::InputType::JSON_VALUE, Reporting::InputType::METHOD, Reporting::InputType::MULTIPART_CONTENT_TYPE, Reporting::InputType::MULTIPART_FIELD_NAME, Reporting::InputType::MULTIPART_NAME, Reporting::InputType::MULTIPART_VALUE, Reporting::InputType::PARAMETER_NAME, Reporting::InputType::PARAMETER_VALUE, Reporting::InputType::QUERYSTRING, Reporting::InputType::REQUEST, Reporting::InputType::SOCKET, Reporting::InputType::UNDEFINED_TYPE, Reporting::InputType::UNKNOWN, Reporting::InputType::URI, Reporting::InputType::URL_PARAMETER, Reporting::InputType::XML_VALUE

Instance Attribute Summary

Instance Method Summary

Methods included from Reporting::InputType

to_a

Constructor Details

#initialize(exclusions = []) ⇒ Excluder

Returns a new instance of Excluder.

Parameters:



# File 'lib/contrast/agent/excluder/excluder.rb', line 20

def initialize exclusions = []
  @exclusions = exclusions
end

Instance Attribute Details

#exclusions ⇒ Array<Contrast::Agent::ExclusionMatcher> (readonly)



# File 'lib/contrast/agent/excluder/excluder.rb', line 17

def exclusions
  @exclusions
end

Instance Method Details

#assess_excluded_by_input?(source_type, source_name) ⇒ Boolean

If an assess INPUT exclusion rule applies to the current URL, and also covers all rules, then we can avoid tracking this entry.

Parameters:

Returns:

  • (Boolean)


# File 'lib/contrast/agent/excluder/excluder.rb', line 80

def assess_excluded_by_input? source_type, source_name
  assess_input_exclusions_for_all_rules.any? do |exclusion_matcher|
    input_match?(exclusion_matcher, source_type, source_name) && path_match?(exclusion_matcher)
  end
end

#assess_excluded_by_input_and_rule?(finding, rule) ⇒ Boolean

If an assess INPUT exclusion rule covers the provided rule_id *for all finding event sources*, then we can avoid tracking this entry. If any event source *isn’t excluded* then we don’t exclude the finding.


Parameters:

Returns:

  • (Boolean)


# File 'lib/contrast/agent/excluder/excluder.rb', line 92

def assess_excluded_by_input_and_rule? finding, rule
  return false if finding.events.empty?

  # We need to check for url exclusions here for the input rules as the url exclusions
  # that have already been checked didn't include the INPUT exclusions. So we look for
  # any INPUT exclusions that apply to the current url and the supplied rule.
  rule_input_exclusions = assess_input_exclusions.select do |exclusion_matcher|
    (exclusion_matcher.protect_rules.empty? || exclusion_matcher.protect_rules.include?(rule)) &&
        path_match?(exclusion_matcher)
  end
  return false if rule_input_exclusions.empty?

  event_sources = finding.events.flat_map(&:event_sources)
  event_sources.each do |event_source|
    return false unless rule_input_exclusions.any? do |exclusion|
      input_match?(exclusion, event_source.source_type, event_source.source_name)
    end
  end

  # If we reach here, and we have event sources then all of them matched so we should exclude
  # this finding. On the other hand, if there were no event sources we have nothing to exclude.
  event_sources.any?
end

#assess_excluded_by_url? ⇒ Boolean

If an assess URL exclusion rule applies to the current URL, and is defined as “All Rules”, then we can avoid any tracking for the request.

Returns:

  • (Boolean)


# File 'lib/contrast/agent/excluder/excluder.rb', line 56

def assess_excluded_by_url?
  assess_url_exclusions_for_all_rules.any? do |exclusion_matcher|
    path_match?(exclusion_matcher)
  end
end

#assess_excluded_by_url_and_rule?(rule_id) ⇒ Boolean

If an assess URL exclusion rule applies to the current URL, and also covers the provided rule_id, then we can avoid tracking this entry.

Parameters:

Returns:

  • (Boolean)


# File 'lib/contrast/agent/excluder/excluder.rb', line 67

def assess_excluded_by_url_and_rule? rule_id
  assess_url_exclusions.any? do |exclusion_matcher|
    path_match?(exclusion_matcher) &&
        (exclusion_matcher.assess_rules.empty? || exclusion_matcher.assess_rules.include?(rule_id))
  end
end
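
Added example (not part of the Contrast agent source): a stand-alone model of the two rule-scoped assess checks above, showing that an empty rule list means "All Rules" and that an INPUT exclusion suppresses a finding only when every event source is covered. `Matcher`, `Source`, the helper method names, the rule ids and the matching logic (regex on the path, exact match on input type and name) are assumptions made for illustration.

```ruby
# Added illustration: Matcher and Source are hypothetical stand-ins, not Contrast classes.
# Assumptions: a path matches by regex; an input matches on exact type and name.
Matcher = Struct.new(:path, :rules, :input_type, :input_name, keyword_init: true) do
  def path_match?(url)
    path.match?(url)
  end

  # An empty rule list means the exclusion is defined for "All Rules".
  def covers_rule?(rule_id)
    rules.empty? || rules.include?(rule_id)
  end

  def input_match?(type, name)
    input_type == type && input_name == name
  end
end
Source = Struct.new(:source_type, :source_name)

# URL exclusion: one matcher must match the path and cover the rule.
def url_and_rule_excluded?(matchers, url, rule_id)
  matchers.any? { |m| m.path_match?(url) && m.covers_rule?(rule_id) }
end

# INPUT exclusion: every event source of the finding must be covered by some
# applicable matcher; a single uncovered source keeps the finding.
def input_and_rule_excluded?(matchers, url, rule_id, sources)
  applicable = matchers.select { |m| m.covers_rule?(rule_id) && m.path_match?(url) }
  return false if applicable.empty? || sources.empty?

  sources.all? do |src|
    applicable.any? { |m| m.input_match?(src.source_type, src.source_name) }
  end
end

# Constructed sample data (rule ids and paths are made up for this example).
URL_EXCLUSIONS = [
  Matcher.new(path: %r{\A/health}, rules: []),
  Matcher.new(path: %r{\A/search}, rules: ['reflected-xss'])
].freeze
INPUT_EXCLUSIONS = [
  Matcher.new(path: %r{\A/search}, rules: [], input_type: 'PARAMETER_VALUE', input_name: 'q')
].freeze
Q      = Source.new('PARAMETER_VALUE', 'q')
COOKIE = Source.new('COOKIE_VALUE', 'session')

puts url_and_rule_excluded?(URL_EXCLUSIONS, '/search', 'sql-injection')
puts input_and_rule_excluded?(INPUT_EXCLUSIONS, '/search', 'sql-injection', [Q, COOKIE])
```

When reviewing exclusion configuration, the second case is the one to watch: a finding whose data flow also touches a non-excluded source stays reported even though one of its inputs is excluded.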

#cached_paths ⇒ Object



# File 'lib/contrast/agent/excluder/excluder.rb', line 24

def cached_paths
  @_cached_paths ||= Contrast::Utils::Assess::ObjectStore.new(10)
end

#protect_excluded_by_input?(results) ⇒ Boolean

Determine if an input is excluded for a protect rule.

Parameters:

Returns:

  • (Boolean)


# File 'lib/contrast/agent/excluder/excluder.rb', line 31

def protect_excluded_by_input? results
  return false unless results.any?

  exclusion_matched = 0
  protect_input_exclusions.any? do |exclusion_match|
    # each exclusion against each input result
    results.each do |rule_result|
      # Check whether the rule_id matches first, or whether this exclusion applies to all protect rules.
      next unless exclusion_match.protection_rule?(rule_result.rule_id)

      # Based on strategy:
      match = input_match_strategy(exclusion_match,
                                   input_match?(exclusion_match, rule_result.input_type, rule_result.key))
      exclusion_matched += 1 if match
    end
  end
  return false if exclusion_matched.zero?

  true
end

#protect_excluded_by_url?(rule_id) ⇒ Boolean

If a protect URL exclusion rule applies to the current URL, and is defined as “All Rules”, then we can avoid using the rule for the request.

Parameters:

Returns:

  • (Boolean)


# File 'lib/contrast/agent/excluder/excluder.rb', line 121

def protect_excluded_by_url? rule_id
  protect_url_exclusions.any? do |exclusion_matcher|
    next unless exclusion_matcher.protection_rule?(rule_id)

    return true if path_match?(exclusion_matcher)
  end
end