Module: Contrast::Agent::Assess::Rule::Provider::HardcodedValueRule

Includes:
Components::Logger::InstanceMethods
Included in:
HardcodedKey, HardcodedPassword
Defined in:
lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb

Overview

Hardcoded rules detect whether any secret value has been written directly into the source code of the application. To use this base class, a provider must implement three methods:

  1) name_passes? : does the constant name match a given value set
  2) value_node_passes? : does the value of the constant match a given value set
  3) redacted_marker : the value to plug in for the obfuscated value

Constant Summary

CONSTANT_NAME_KEY = 'name'
  The name of the field

CODE_SOURCE_KEY = 'codeSource'
  The code line, recreated, with the password obfuscated

SOURCE_KEY = 'source'
  The constant name

Instance Method Summary

Methods included from Components::Logger::InstanceMethods

#cef_logger, #logger

Instance Method Details

#disabled? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb', line 24

def disabled?
  !::Contrast::ASSESS.enabled? || ::Contrast::ASSESS.rule_disabled?(rule_id)
end

#parse(trace_point, ast) ⇒ Object

Parse the file pertaining to the given TracePoint and walk its AST to determine whether a Constant is hardcoded. For our purposes, hardcoding means the value is set directly, rather than built as an interpolated String or returned from a method call.

Note: This is a top-layer check; we make no assertions about what the methods or interpolations do. Their presence, even if they only call a hardcoded thing, causes this check not to report.

Parameters:

  • trace_point (TracePoint)

    the TracePoint event created on the :end of a Module being loaded

  • ast (RubyVM::AbstractSyntaxTree::Node)

    the abstract syntax tree of the Module defined in the TracePoint end event



# File 'lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb', line 38

def parse trace_point, ast
  return if disabled?

  parse_ast(trace_point.self, ast)
rescue StandardError => e
  logger.error('Unable to parse AST for hardcoded keys', e, module: trace_point.self)
end
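The following is an added example, not the agent's own code: a minimal provider implementing the three methods the overview requires and a walk over the AST in the spirit of #parse, reporting only a constant whose value is a plain String literal. The method names come from this page; the name pattern, the result Hash shape and the sample module are assumptions constructed for the example.

```ruby
# Added example (not the agent's code); walks a RubyVM::AbstractSyntaxTree.
class DemoHardcodedPasswordRule
  # 1) does the constant name match the value set? (assumed pattern)
  def name_passes?(name)
    name.to_s.match?(/PASS(WORD)?|SECRET|TOKEN/i)
  end

  # 2) does the value node pass? Only a plain String literal (STR) counts;
  #    an interpolated String (DSTR) or any call node is not reported.
  def value_node_passes?(node)
    node.is_a?(RubyVM::AbstractSyntaxTree::Node) && node.type == :STR
  end

  # 3) the value to plug in for the obfuscated value
  def redacted_marker
    '[REDACTED]'
  end

  # Depth-first walk; each CDECL (constant declaration) node is a candidate.
  # Children of a node may be Symbols, Strings or nil, so non-Nodes are skipped.
  def parse_ast(mod_name, node, findings = [])
    return findings unless node.is_a?(RubyVM::AbstractSyntaxTree::Node)
    if node.type == :CDECL
      name, value = node.children # [Symbol or COLON2 node, value node]
      if name.is_a?(Symbol) && name_passes?(name) && value_node_passes?(value)
        findings << { 'name' => name.to_s,
                      'codeSource' => "#{name} = '#{redacted_marker}'",
                      'source' => mod_name }
      end
    end
    node.children.each { |child| parse_ast(mod_name, child, findings) }
    findings
  end

  def parse_source(mod_name, source)
    parse_ast(mod_name, RubyVM::AbstractSyntaxTree.parse(source))
  end
end

# Constructed sample module: only DB_PASSWORD is a directly set String.
DEMO_SOURCE = <<~'RUBY'
  module Demo
    DB_PASSWORD   = 'hunter2'
    API_SECRET    = "svc-#{ENV['API_SECRET']}"  # interpolation: not reported
    SESSION_TOKEN = ENV.fetch('SESSION_TOKEN')  # method call: not reported
    TIMEOUT       = 30                          # name does not match
  end
RUBY
p DemoHardcodedPasswordRule.new.parse_source('Demo', DEMO_SOURCE)
```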