Class: Contrast::Agent::Assess::Policy::Trigger::ReflectedXss

Inherits:
Object
  • Object
show all
Defined in:
lib/contrast/agent/assess/policy/trigger/reflected_xss.rb

Overview

This acts a trigger to handle the special cases of the Tilt library gem. Reflected XSS data may come into the trigger methods from these classes.

Constant Summary collapse

NODE_HASH = 
{
    'class_name' => 'Tilt::Template',
    'instance_method' => true,
    'method_name' => 'render',
    'method_visibility' => 'public',
    'action' => 'CUSTOM',
    'source' => 'O,P0',
    'target' => 'R',
    'patch_class' => 'Contrast::Agent::Assess::Policy::Trigger::ReflectedXss',
    'patch_method' => 'xss_tilt_trigger'
}.cs__freeze
TEMPLATE_PROPAGATION_NODE = 
Contrast::Agent::Assess::Policy::PropagationNode.new(NODE_HASH)

Class Method Summary collapse

Class Method Details

.xss_tilt_trigger(trigger_node, _source, object, ret, *args) ⇒ Object

Parameters:

  • trigger_node (Contrast::Agent::Assess::Policy::MethodPolicy)

    the node that governs this propagation event.

  • _source (Object)

    the source of the propagation

  • object (Object)

    the object to which the source is being appended

  • args (Array)

    the arguments to the method

  • ret (Object)

    the return value of the method



33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
 
# File 'lib/contrast/agent/assess/policy/trigger/reflected_xss.rb', line 33

def xss_tilt_trigger trigger_node, _source, object, ret, *args
  return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))

  scope = args[0]
  erb_template_prerender = object.instance_variable_get(:@data)
  interpolated_inputs = []
  handle_binding_variables(scope, erb_template_prerender, ret, properties, interpolated_inputs)
  handle_local_variables(args, erb_template_prerender, ret, properties, interpolated_inputs)
  event_data = Contrast::Agent::Assess::Events::EventData.new(TEMPLATE_PROPAGATION_NODE,
                                                              ret,
                                                              erb_template_prerender,
                                                              ret,
                                                              interpolated_inputs)
  properties.build_event(event_data)
  properties.copy_from(erb_template_prerender, ret, 0)
  unless interpolated_inputs.empty?
    current_event = properties.event
    interpolated_inputs.each do |input|
      input_properties = Contrast::Agent::Assess::Tracker.properties(input)
      next unless input_properties&.event

      current_event.parent_events << input_properties.event
    end
  end

  if Contrast::Agent::Assess::Tracker.tracked?(ret)
    finding = Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(trigger_node,
                                                                           ret,
                                                                           erb_template_prerender,
                                                                           ret,
                                                                           interpolated_inputs)
    Contrast::Agent::Assess::Policy::TriggerMethod.report_finding(finding) if finding
  end

  ret
end