Class: Contrast::Agent::ExclusionMatcher

Inherits:
Object
  • Object
Extended by:
Forwardable
Includes:
Components::Logger::InstanceMethods
Defined in:
lib/contrast/agent/excluder/exclusion_matcher.rb

Overview

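Exclusions are ways for the User to tell the Agent to ignore sections of the Application. If a request or an event matches one of these, the functions of the Agent are suppressed for that request or event. Because a match switches the Agent's functions off for that request or event, how broadly an exclusion matches determines how much of the Application goes unprotected and unassessed.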

Constant Summary

# Value of the exclusion's match_strategy that match_all? compares against.
MATCH_ALL =
'ALL'.cs__freeze

Instance Attribute Summary

Instance Method Summary

Methods included from Components::Logger::InstanceMethods

#cef_logger, #logger

Constructor Details

#initialize(excl) ⇒ Contrast::Agent::ExclusionMatcher

Create a matcher around an exclusion sent from TeamServer.



# File 'lib/contrast/agent/excluder/exclusion_matcher.rb', line 28

# Wrap an exclusion sent from TeamServer and precompute what is needed to
# match against it.
#
# The exclusion's `assess` and `protect` values are copied onto the matcher.
# Only InputExclusion and UrlExclusion instances are classified: for any
# other object no wildcard handling runs and @exclusion_type is never
# assigned, so exclusion_type returns nil.
#
# @param excl [Contrast::Agent::Reporting::Settings::InputExclusion,
#   Contrast::Agent::Reporting::Settings::UrlExclusion] the exclusion to wrap
def initialize excl
  @exclusion = excl
  @assess = excl.assess
  @protect = excl.protect

  case excl
  when Contrast::Agent::Reporting::Settings::InputExclusion
    @exclusion_type = :INPUT
    handle_wildcard_input
  when Contrast::Agent::Reporting::Settings::UrlExclusion
    @exclusion_type = :URL
    handle_wildcard_url
  end
end

Instance Attribute Details

#assess ⇒ Object (readonly)

Returns the value of attribute assess.



# File 'lib/contrast/agent/excluder/exclusion_matcher.rb', line 18

# Reader for @assess, which initialize copies from the wrapped exclusion's
# `assess` attribute. assess_rule? only reports a rule as excluded when this
# value is truthy.
#
# @return [Object] the stored value, returned as-is
def assess
  @assess
end

#exclusion_type ⇒ Object (readonly)

Returns the value of attribute exclusion_type.



# File 'lib/contrast/agent/excluder/exclusion_matcher.rb', line 18

# Reader for @exclusion_type. initialize sets it to :INPUT for an
# InputExclusion and to :URL for a UrlExclusion; for any other object it is
# never assigned, so this returns nil.
#
# @return [Symbol, nil] :INPUT, :URL, or nil
def exclusion_type
  @exclusion_type
end

#protect ⇒ Object (readonly)

Returns the value of attribute protect.



# File 'lib/contrast/agent/excluder/exclusion_matcher.rb', line 18

# Reader for @protect, which initialize copies from the wrapped exclusion's
# `protect` attribute. protection_rule? only reports a rule as excluded when
# this value is truthy.
#
# @return [Object] the stored value, returned as-is
def protect
  @protect
end

#wildcard_input ⇒ Object (readonly)

Returns the value of attribute wildcard_input.



# File 'lib/contrast/agent/excluder/exclusion_matcher.rb', line 18

# Reader for @wildcard_input, which handle_wildcard_input assigns: true when
# the exclusion's name is '.*' or ObjectShare::ASTERISK, false for any other
# name. It stays unassigned (nil) when the exclusion has no name or when
# handle_wildcard_input never ran.
#
# @return [Boolean, nil]
def wildcard_input
  @wildcard_input
end

#wildcard_url ⇒ Object (readonly)

Returns the value of attribute wildcard_url.



# File 'lib/contrast/agent/excluder/exclusion_matcher.rb', line 18

# Reader for @wildcard_url, which handle_wildcard_url assigns: truthy when
# match_all? holds or when the exclusion lists the literal URL '/.*'.
# It is nil when handle_wildcard_url never ran.
#
# @return [Boolean, nil]
def wildcard_url
  @wildcard_url
end

Instance Method Details

#assess? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/contrast/agent/excluder/exclusion_matcher.rb', line 85

# Predicate over @assess, the value initialize copied from the exclusion's
# `assess` attribute. The stored value is returned as-is rather than being
# coerced to true/false, so callers should rely on truthiness only.
#
# @return [Boolean]
def assess?
  @assess
end

#assess_rule?(rule) ⇒ Boolean

Determine if the given rule is excluded by this exclusion. In this case, `assess_rules` being empty means the exclusion applies to all rules, not to no rules. The result is only truthy when the exclusion is also enabled for Assess (`assess?`).

Parameters:

  • rule
    • the id of the rule which we’re checking for exclusion

Returns:

  • (Boolean)


# File 'lib/contrast/agent/excluder/exclusion_matcher.rb', line 107

# Report whether this exclusion covers the given Assess rule.
#
# When assess? is falsy its value is returned unchanged. Otherwise an empty
# `assess_rules` list on the exclusion means every rule is covered, and a
# non-empty list covers only the rule ids it contains.
#
# @param rule the id of the rule being checked for exclusion
# @return [Boolean]
def assess_rule? rule
  enabled = assess?
  return enabled unless enabled

  # An empty list is a wildcard over rules, not "no rules".
  applies_to_every_rule = @exclusion.assess_rules.empty?
  applies_to_every_rule || @exclusion.assess_rules.include?(rule)
end

#build_regexp(pattern, start_anchor: false, end_anchor: false) ⇒ Object



# File 'lib/contrast/agent/excluder/exclusion_matcher.rb', line 73

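# Compile an exclusion pattern into a Regexp, optionally anchored to the
# start and/or end of the string it is tested against.
#
# Anchoring uses \A and \z. In Ruby, ^ and $ match at every line boundary,
# so a pattern anchored with them can match a single line of a multi-line
# value instead of the whole value. For an exclusion that would match more
# input than the pattern describes. The pattern is also wrapped in a
# non-capturing group so the anchors bind to the whole pattern rather than
# to the first and last branch of a top-level `|`.
#
# @param pattern [String] regular expression source taken from the exclusion
# @param start_anchor [Boolean] require the match to begin at the start of
#   the tested string
# @param end_anchor [Boolean] require the match to finish at the end of the
#   tested string
# @return [Regexp, nil] the compiled pattern, or nil when the pattern is not
#   a valid regular expression (the failure is logged)
def build_regexp pattern, start_anchor: false, end_anchor: false
  # Compile the bare pattern first so an invalid pattern is rejected exactly
  # as supplied, before the grouping below can change how it parses.
  unanchored = Regexp.compile(pattern)
  return unanchored unless start_anchor || end_anchor

  prefix = start_anchor ? '\A' : ''
  suffix = end_anchor ? '\z' : ''
  Regexp.compile("#{ prefix }(?:#{ pattern })#{ suffix }")
rescue RegexpError => e
  logger.error('Unable to generate a pattern for exclusion matching.', e, pattern: pattern)
  # Return nil explicitly: callers test the result for truthiness and must
  # not receive whatever the logger call happens to return.
  nil
end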

#handle_wildcard_input ⇒ Object

According to the docs for exclusions, an input exclusion applies to all inputs if the name supplied is ‘*’ or ‘.*’. The name matcher does NOT support regexp beyond this. See docs.contrastsecurity.com/admin-policymgmt.html#exclude



# File 'lib/contrast/agent/excluder/exclusion_matcher.rb', line 47

# Record whether an input exclusion's name is one of the two wildcard
# spellings.
#
# Leaves @wildcard_input untouched when the exclusion has no name. Otherwise
# stores true when the name is exactly '.*' or ObjectShare::ASTERISK and
# false for anything else; the name is compared literally and is not
# compiled as a regular expression here.
def handle_wildcard_input
  supplied = @exclusion.name # rubocop:disable Security/Module/Name
  return unless supplied

  @wildcard_input = supplied == '.*' || supplied == Contrast::Utils::ObjectShare::ASTERISK
end

#handle_wildcard_url ⇒ Object

According to the docs for exclusions, a URL exclusion applies to all URLs if the URL supplied is ‘/.*’ or if the URL mode is all. Otherwise, the URL supplied is to be treated as a regular expression that must match the entire URL against which it is tested. See docs.contrastsecurity.com/admin-policymgmt.html#exclude



# File 'lib/contrast/agent/excluder/exclusion_matcher.rb', line 58

# Precompute how a URL exclusion matches.
#
# Sets @wildcard_url when match_all? holds, or when one of the exclusion's
# URLs is the literal '/.*'. Otherwise every URL is compiled through
# build_regexp with both anchors requested and the results are collected in
# @urls.
#
# A URL whose pattern build_regexp could not compile is left out of @urls.
# NOTE(review): presumably that means an invalid pattern excludes nothing
# rather than everything; confirm against the matching code, which is not
# shown here.
def handle_wildcard_url
  @wildcard_url = match_all?
  return if @wildcard_url

  configured = @exclusion.urls
  return unless configured&.any?

  # @wildcard_url is falsy at this point, so a plain assignment is enough.
  @wildcard_url = configured.any?('/.*')
  return if @wildcard_url

  @urls = []
  configured.each do |url|
    compiled = build_regexp(url, start_anchor: true, end_anchor: true)
    # Relies on build_regexp returning a falsy value when compilation fails.
    next unless compiled

    @urls.push(compiled)
  end
end

#match_all? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/contrast/agent/excluder/exclusion_matcher.rb', line 89

# Whether the exclusion is configured to match every URL by strategy alone.
#
# True only when the exclusion carries no URLs (nil or empty) and its
# match_strategy equals MATCH_ALL. An exclusion that lists any URL is never
# a match-all by this check, whatever its strategy says.
#
# @return [Boolean]
def match_all?
  listed = @exclusion.urls
  return false unless listed.nil? || listed.empty?

  @exclusion.match_strategy == MATCH_ALL
end

#protect? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/contrast/agent/excluder/exclusion_matcher.rb', line 81

# Predicate over @protect, the value initialize copied from the exclusion's
# `protect` attribute. The stored value is returned as-is rather than being
# coerced to true/false, so callers should rely on truthiness only.
#
# @return [Boolean]
def protect?
  @protect
end

#protection_rule?(rule) ⇒ Boolean

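Determine if the given rule is excluded by this exclusion. In this case, `protect_rules` being empty means the exclusion applies to all rules, not to no rules. The result is only truthy when the exclusion is also enabled for Protect (`protect?`).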

Parameters:

  • rule
    • the id of the rule which we’re checking for exclusion

Returns:

  • (Boolean)


# File 'lib/contrast/agent/excluder/exclusion_matcher.rb', line 98

# Report whether this exclusion covers the given Protect rule.
#
# When protect? is falsy its value is returned unchanged. Otherwise an empty
# `protect_rules` list on the exclusion means every rule is covered, and a
# non-empty list covers only the rule ids it contains.
#
# @param rule the id of the rule being checked for exclusion
# @return [Boolean]
def protection_rule? rule
  enabled = protect?
  return enabled unless enabled

  # An empty list is a wildcard over rules, not "no rules".
  applies_to_every_rule = @exclusion.protect_rules.empty?
  applies_to_every_rule || @exclusion.protect_rules.include?(rule)
end