Module: Contrast::Agent::Protect::Policy::AppliesXxeRule

Extended by:
RuleApplicator
Defined in:
lib/contrast/agent/protect/policy/applies_xxe_rule.rb

Overview

This module is how we apply the XXE rule. It is called from our patches of the targeted methods in which XML parsing and entity resolution occur, and it is responsible for deciding whether the rule's infilter methods should be invoked for the input those methods received.

Class Method Summary

Methods included from RuleApplicator

apply_classification, apply_rule

Methods included from Components::Logger::InstanceMethods

#cef_logger, #logger

Class Method Details

.apply_rule(method, _exception, _properties, object, args) ⇒ Object

# File 'lib/contrast/agent/protect/policy/applies_xxe_rule.rb', line 20

def apply_rule method, _exception, _properties, object, args
  # The patched parsing method receives the XML document as its first argument.
  xml = args[0]
  xxe_check(method, xml, object)
end

.apply_rule__io(method, _exception, _properties, object, args) ⇒ Object

IO is tricky: if we can't rewind it, we can't restore it to its original state after reading it for inspection, so to be safe we skip non-rewindable IO objects.

# File 'lib/contrast/agent/protect/policy/applies_xxe_rule.rb', line 27

def apply_rule__io method, _exception, _properties, object, args
  need_rewind = false
  potential_xml = args[0]
  # Reading a stream consumes the parser's input; only do it when we can rewind afterwards.
  return unless potential_xml.cs__respond_to?(:rewind)

  xml = potential_xml.read
  need_rewind = true
  xxe_check(method, xml, object)
ensure
  # Put the stream back at the start so the patched parser reads the same bytes we inspected.
  potential_xml.rewind if need_rewind
end

.apply_rule__lexer(method, _exception, _properties, object, _args) ⇒ Object

Oga's Lexer is a special case because the information we need is on the object itself, specifically in its @data instance variable.

# File 'lib/contrast/agent/protect/policy/applies_xxe_rule.rb', line 41

def apply_rule__lexer method, _exception, _properties, object, _args
  return unless valid_data_input?(object)

  # The lexer keeps its input in @data (DATA_KEY) rather than passing it as an argument.
  data = object.instance_variable_get(DATA_KEY)
  xxe_check(method, data, object)
ensure
  # If the lexer's input was a stream, leave it where the lexer expects to find it.
  data.rewind if data&.cs__respond_to?(:rewind)
end
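The following is an added, stand-alone illustration of what the three applicator variants above do; it is not the Contrast agent's code and none of its names exist in the agent. It takes the String case of apply_rule, the read-then-restore IO case of apply_rule__io and the read-from-@data case of apply_rule__lexer, and feeds each into a hypothetical heuristic (external_entity?) that stands in for xxe_check; the agent's real detection logic is not shown on this page. Two points it makes explicit: respond_to?(:rewind) is true for every Ruby IO, including pipes and sockets, on which rewind and seek raise Errno::ESPIPE, so the example probes the offset first and skips exactly the streams it could not restore; and it restores the stream to its previous offset rather than to zero, in case the caller had already consumed a prefix. FakeLexer and the two sample documents are constructed for the example.

```ruby
# Added illustration, not the Contrast agent's code. It walks the three entry
# points the applicator handles (a String, an IO, a lexer object carrying its
# input in @data) with a hypothetical stand-in for xxe_check.
require 'stringio'

# Hypothetical heuristic standing in for the rule's infilter check: a DOCTYPE
# internal subset that declares an external (SYSTEM/PUBLIC) entity, general or
# parameter. The agent's actual detection logic is not shown on this page.
EXTERNAL_ENTITY =
  /<!DOCTYPE[^>\[]*\[[^\]]*<!ENTITY\s+(?:%\s+)?\S+\s+(?:SYSTEM|PUBLIC)\b/mi

def external_entity?(xml)
  EXTERNAL_ENTITY.match?(xml.to_s)
end

def check_string(xml)
  external_entity?(xml) ? :flagged : :clean
end

# respond_to?(:rewind) is true for every IO, including pipes and sockets, but
# rewind/seek on those raises Errno::ESPIPE. Probing the offset up front lets
# us skip exactly the streams we could not restore.
def seekable?(io)
  return false unless io.respond_to?(:rewind)
  io.pos
  true
rescue Errno::ESPIPE, IOError
  false
end

# Read the stream for inspection, then restore the offset the parser expects
# (the original offset rather than 0, in case the caller had already consumed
# a prefix). A stream we cannot restore is skipped, as in apply_rule__io.
def inspect_io(io)
  return :skipped unless seekable?(io)
  start = io.pos
  check_string(io.read)
ensure
  io.seek(start) if start
end

# Constructed stand-in for a lexer that stores its input in @data; not Oga's.
class FakeLexer
  def initialize(data)
    @data = data
  end
end

# Pull the input off the object, as apply_rule__lexer does, and skip anything
# that is neither a String nor a stream we know how to inspect.
def inspect_lexer(lexer)
  data = lexer.instance_variable_get(:@data)
  case data
  when String then check_string(data)
  when IO, StringIO then inspect_io(data)
  else :skipped
  end
end

# Dispatch on the argument shape, mirroring the three apply_rule* variants.
def apply_xxe_rule(input)
  case input
  when String then check_string(input)
  when IO, StringIO then inspect_io(input)
  else inspect_lexer(input)
  end
end

# Constructed sample documents.
SAFE_XML = '<?xml version="1.0"?><order><id>42</id></order>'
XXE_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE order [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
  <order><id>&xxe;</id></order>
XML

if __FILE__ == $PROGRAM_NAME
  puts apply_xxe_rule(XXE_XML)                    # flagged
  sio = StringIO.new(XXE_XML)
  puts apply_xxe_rule(sio)                        # flagged
  puts sio.pos                                    # 0, stream restored
  r, w = IO.pipe
  w.write(XXE_XML); w.close
  puts apply_xxe_rule(r)                          # skipped, pipe cannot seek
  puts apply_xxe_rule(FakeLexer.new(SAFE_XML))    # clean
end
```

The pipe case is the one the page's `cs__respond_to?(:rewind)` check does not distinguish from a file: a pipe answers true to respond_to?(:rewind), so the read would happen and the rewind in the ensure block would raise. Probing `io.pos` before reading turns that into a skip, which is the conservative outcome the page's comment asks for.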