Module: Contrast::Agent::Assess::Policy::SourceMethod

Extended by:
Components::Logger::InstanceMethods, Utils::Assess::EventLimitUtils, Utils::Assess::SourceMethodUtils
Included in:
Patching::Policy::Patch
Defined in:
lib/contrast/agent/assess/policy/source_method.rb

Overview

This class controls the actions we take on Sources, as determined by our Assess policy. It indicates what actions we should take in order to mark data as User Input and treat it as untrusted, starting the dataflows used in Assess vulnerability detection.

Constant Summary

PARAMETER_TYPE = 'PARAMETER'
PARAMETER_KEY_TYPE = 'PARAMETER_KEY'
HEADER_TYPE = 'HEADER'
HEADER_KEY_TYPE = 'HEADER_KEY'
COOKIE_TYPE = 'COOKIE'
COOKIE_KEY_TYPE = 'COOKIE_KEY'

Class Method Summary

Methods included from Components::Logger::InstanceMethods

cef_logger, logger

Methods included from Utils::Assess::SourceMethodUtils

analyze?, determine_source_name, safe_invocation?

Methods included from Utils::Assess::EventLimitUtils

event_limit?, event_limit_for_rule?, increment_event_count

Class Method Details

.apply_source(method_policy, object, ret, args) ⇒ Object

This is called from within our woven proc (the wrapper the agent patches around the instrumented source method). It runs as if it were inline in the Rack application, so every early return below is a deliberate decision not to start a dataflow for this call.

Parameters:



# File 'lib/contrast/agent/assess/policy/source_method.rb', line 41

def apply_source method_policy, object, ret, args
  logger.trace_with_time('Elapsed time for Contrast::Agent::Assess::Policy::SourceMethod#apply_source') do
    return unless analyze?(method_policy, object, ret, args)
    return if event_limit?(method_policy)
    return unless (source_node = method_policy.source_node)
    # Exclusions makes method slow:
    return if excluded_by_url?

    # Check to see if the source node is to be used for response as source.
    if method_policy.source_node.response_source_node? && !method_policy.source_node.use_response_as_source?
      return
    end

    # used to hold the object and ret
    source_data = Contrast::Agent::Assess::Events::EventData.new(nil, nil, object, ret, nil)

    return unless (target = determine_target(source_node, source_data, args))
    return if target.cs__frozen? && !Contrast::Agent::Assess::Tracker.trackable?(target)

    process_source(source_node, target, source_data, source_node.type, nil, *args)
  end
end
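To make the guard chain in apply_source concrete, here is an added example that is not code from the Contrast agent. It models, in plain Ruby, the decisions the method makes before a value becomes a tracked source: URL exclusion, the per-request event limit, resolving the target from the source node, and refusing a frozen target the tracker cannot carry state for. ToyTracker, ToySourceGate, SourceNode, and the `:return` / `:object` / argument-index target convention are my simplifications; the `Rack::Request#params` source node and the request values are constructed for the walk-through.

```ruby
# Added example, not code from the Contrast agent: a toy model of the gate that
# apply_source applies before a value is marked as untrusted user input.

# Source types, as listed in the module's constant summary.
PARAMETER_TYPE = 'PARAMETER'
HEADER_TYPE    = 'HEADER'
COOKIE_TYPE    = 'COOKIE'

# A source node (simplified) describes one instrumented method: which value to
# taint (:return, :object, or an argument index) and the source type to record.
SourceNode = Struct.new(:method_name, :target, :type, keyword_init: true)

# Minimal identity-keyed tracker. Hypothetical rule: only Strings can carry
# tracking state, so a frozen Symbol is refused, mirroring the real
# `cs__frozen? && !trackable?` check.
class ToyTracker
  def initialize
    @props = {}
  end

  def trackable?(obj)
    obj.is_a?(String)
  end

  def track(obj, type, method_name)
    @props[obj.object_id] = { type: type, source: method_name }
  end

  def tracked?(obj)
    @props.key?(obj.object_id)
  end

  def properties(obj)
    @props[obj.object_id]
  end
end

class ToySourceGate
  attr_reader :tracker

  def initialize(event_limit: 3, excluded_urls: [])
    @tracker = ToyTracker.new
    @event_limit = event_limit      # bounds per-request instrumentation cost
    @excluded_urls = excluded_urls  # URL prefixes the policy never analyzes
    @event_count = 0
  end

  # Returns a symbol naming the outcome so each early return is observable.
  def apply_source(node, object, ret, args, url: '/')
    return :excluded    if @excluded_urls.any? { |prefix| url.start_with?(prefix) }
    return :event_limit if @event_count >= @event_limit

    target = determine_target(node, object, ret, args)
    return :no_target   if target.nil?
    return :untrackable if target.frozen? && !@tracker.trackable?(target)

    @event_count += 1
    @tracker.track(target, node.type, node.method_name)
    :tracked
  end

  private

  def determine_target(node, object, ret, args)
    case node.target
    when :return then ret
    when :object then object
    when Integer then args[node.target]
    end
  end
end

# Constructed walk-through: the return value of a params lookup is the source.
def demo
  gate = ToySourceGate.new(event_limit: 2, excluded_urls: ['/healthz'])
  node = SourceNode.new(method_name: 'Rack::Request#params',
                        target: :return, type: PARAMETER_TYPE)
  value = +'<script>' # an unfrozen String, as a request handler would receive
  results = []
  results << gate.apply_source(node, nil, value, [], url: '/healthz') # excluded URL
  results << gate.apply_source(node, nil, value, [], url: '/search')  # tracked (event 1)
  results << gate.apply_source(node, nil, :sym, [], url: '/search')   # frozen, untrackable
  results << gate.apply_source(node, nil, +'a', [], url: '/search')   # tracked (event 2)
  results << gate.apply_source(node, nil, +'b', [], url: '/search')   # event limit reached
  [results, gate.tracker.properties(value)]
end
```

Note that the untrackable Symbol does not consume an event: like the real method, the frozen check runs before anything is recorded, so only values that actually start a dataflow count toward the limit.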