Module: Contrast::Agent::Assess::Policy::TriggerValidation::REDOSValidator

Defined in:
lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb

Overview

Validator used to assert that a REDOS finding is actually vulnerable before serializing that finding as an Event to report to TeamServer.

Constant Summary

RULE_NAME =
'redos'
POSITIVE_INFINITY =

If Regexp.timeout is set to Float::INFINITY, this is the largest value it will report (2**64 nanoseconds expressed in seconds), so compare against this constant rather than against Float::INFINITY.

18_446_744_073.709553
NEGATIVE_INFINITY =

We also check for negative infinity (-1.0/0.0).

-POSITIVE_INFINITY

Class Method Summary

Class Method Details

.valid?(_patcher, object, _ret, args) ⇒ Boolean

Parameters:

  • _patcher (Contrast::Agent::Patcher)

    the patcher instance

  • object (Object)

    the object that was called

  • _ret (Object)

    the return value of the method

  • args (Array<Object>)

    the arguments passed to the method

Returns:

  • (Boolean)


# File 'lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb', line 23

def valid? _patcher, object, _ret, args
  # Can arrive here from either:
  #   regexp =~ string
  #   string =~ regexp
  #   regexp.match string
  #
  # Thus object/args[0] can be string/regexp or regexp/string.
  regexp = object.is_a?(Regexp) ? object : args[0]

  # regexp must be exploitable.
  return false unless regexp_vulnerable?(regexp)

  true
end
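
As an added example, not the agent's own code (the agent's regexp_vulnerable? is not shown on this page), the stand-alone Ruby sketch below reproduces the caller-shape handling of valid? above, substitutes a hypothetical nested-quantifier heuristic for the exploitability check, and checks Regexp.timeout against the POSITIVE_INFINITY/NEGATIVE_INFINITY sentinels, which is one plausible use of those constants and is an assumption here. It also covers the string.match("literal") shape, where args[0] is a String rather than a Regexp and the page's code would hand a String to the exploitability check. The module and method names (RedosValidatorExample, nested_quantifier?, timeout_bounded?, current_timeout) are hypothetical.

```ruby
# Added example, not the Contrast agent's code. Names below (RedosValidatorExample,
# nested_quantifier?, timeout_bounded?, current_timeout) are hypothetical.
module RedosValidatorExample
  # Same sentinels as the page's constants: Regexp.timeout set to Float::INFINITY
  # reads back as 2**64 nanoseconds expressed in seconds.
  POSITIVE_INFINITY = 18_446_744_073.709553
  NEGATIVE_INFINITY = -POSITIVE_INFINITY

  # Heuristic (an assumption, not the agent's regexp_vulnerable?): a group that
  # contains a + or * quantifier and is itself quantified with + or *, e.g.
  # (a+)+ or (\w*)*. Escaped characters are skipped so "\)" does not end a group.
  NESTED_QUANTIFIER = /\((?:[^()\\]|\\.)*[+*](?:[^()\\]|\\.)*\)[+*]/

  # The trigger can fire from `regexp =~ string`, `string =~ regexp`,
  # `regexp.match string` or `string.match pattern`; the receiver may be
  # either side, and for String#match the argument may be a plain String.
  def self.extract_regexp(object, args)
    object.is_a?(Regexp) ? object : args[0]
  end

  def self.nested_quantifier?(regexp)
    return false unless regexp.is_a?(Regexp) # e.g. "abc".match("b")
    NESTED_QUANTIFIER.match?(regexp.source)
  end

  # Ruby >= 3.2 can bound backtracking with Regexp.timeout. A finite, positive
  # timeout is treated as a mitigation; nil (unset, or Ruby < 3.2) and the
  # infinity sentinels are treated as unbounded.
  def self.timeout_bounded?(timeout)
    return false if timeout.nil?
    return false if timeout >= POSITIVE_INFINITY || timeout <= NEGATIVE_INFINITY
    timeout.positive? && timeout.finite?
  end

  def self.current_timeout
    Regexp.respond_to?(:timeout) ? Regexp.timeout : nil
  end

  # Same shape as the page's valid?: report only when the pattern looks
  # exploitable and nothing bounds the match.
  def self.valid?(object, args, timeout: current_timeout)
    regexp = extract_regexp(object, args)
    return false if timeout_bounded?(timeout)
    nested_quantifier?(regexp)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a classic nested-quantifier pattern and a benign one.
  p RedosValidatorExample.valid?(/(a+)+$/, ['aaaaaaaaaaaaaaaaaaaaaaaa!'], timeout: nil) # true
  p RedosValidatorExample.valid?('555-1234', [/^\d{3}-\d{4}$/], timeout: nil)         # false
end
```

The timeout check is deliberately independent of the process-wide Regexp.timeout so it can be exercised with explicit values; in a real agent the pattern's own timeout (Regexp.new(src, timeout: ...) in Ruby 3.2+) would also need to be consulted, and a source-text heuristic like NESTED_QUANTIFIER will false-positive on a literal + inside a character class, which is why the agent's check is a separate, fuller routine.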