Module: Contrast::Agent::Protect::Policy::AppliesDeserializationRule

Extended by:
RuleApplicator
Defined in:
lib/contrast/agent/protect/policy/applies_deserialization_rule.rb

Overview

This module applies the Deserialization rule. It is called from the agent's patches of the targeted methods in which deserialization occurs (for example Marshal.load) and is responsible for deciding whether the rule's infilter methods should be invoked at all, before any of the input is deserialized.

Class Method Summary

Methods included from RuleApplicator

apply_classification, apply_rule

Methods included from Components::Logger::InstanceMethods

#cef_logger, #logger

Class Method Details

.apply_deserialization_command_check(command) ⇒ Object

Lets the rule check whether the given input is an attempt to deserialize something in a way that results in command execution.

Parameters:

  • command (String)

    user input that potentially contains a gadget (a class or module whose deserialization results in code execution) together with some form of command.



# File 'lib/contrast/agent/protect/policy/applies_deserialization_rule.rb', line 63

def apply_deserialization_command_check command
  return unless command    # no input, nothing to check
  return if skip_analysis? # analysis disabled for this call

  rule.check_command_scope(command)
  # add rescue here
end

.invoke(_method, _exception, _properties, _object, args) ⇒ Object

Calls the actual rule for this applicator, if required. Most rules invoke this from within their apply_rule method after doing whatever transformations they need to get into this common format.

Parameters:

  • _method (Symbol)

    the name of the method for which this rule is invoked

  • _exception (Exception)

    any exception raised; used by rules such as Padding Oracle Attack (now defunct), which decide from the number and type of exceptions whether an attack is in progress

  • _properties (Hash)

    set of extra information provided by the applicator in an attempt to build a better story for the user

  • _object (Object)

    the thing on which the triggering method was invoked

  • args (Array<Object>)

    the arguments passed to the triggering method at invocation



# File 'lib/contrast/agent/protect/policy/applies_deserialization_rule.rb', line 34

def invoke _method, _exception, _properties, _object, args
  return unless valid_input?(args) # the arguments must carry something analyzable
  return if skip_analysis?         # analysis disabled for this call

  # Only the first argument, the serialized input, is handed to the rule.
  rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, args[0])
  # add rescue here
end

.prepended_invoke(arg) ⇒ Object

Calls the actual rule for this applicator, if required, when the patch on Marshal.load has been applied by prepending rather than through the standard patching path. In that case the single argument arrives directly instead of as an args Array, and only String input is analyzed.

Parameters:

  • arg (Object)

    the argument passed to the triggering method at invocation



# File 'lib/contrast/agent/protect/policy/applies_deserialization_rule.rb', line 48

def prepended_invoke arg
  return unless arg&.cs__is_a?(String) # cs__is_a? is the agent's own alias of is_a?
  return if skip_analysis?             # analysis disabled for this call

  rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, arg)
  # add rescue here
end
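The shape of invoke and prepended_invoke above (String check, skip switch, then hand the raw input to a check before the real deserialization runs) can be reproduced outside the agent. The following is an added example, not code from the agent or from Contrast: it prepends a module onto Marshal's singleton class so that Marshal.load is intercepted, and backs the check with a walker that reads the Marshal 4.8 stream and collects every class or module the payload would materialise without allocating any of them. MarshalGuard, ALLOWED_CLASSES, analysis_enabled, Session and Gadget are this example's own names and assumptions; the sample payloads are constructed with Marshal.dump.

```ruby
require 'set'

# Hypothetical prepend hook on Marshal.load plus a cursor-only walker over the
# Marshal 4.8 stream. MarshalGuard, ALLOWED_CLASSES and analysis_enabled are
# this example's own names, not the agent's.
module MarshalGuard
  class BlockedDeserialization < StandardError; end
  ALLOWED_CLASSES = Set['Session'].freeze                 # what the app legitimately loads
  class << self; attr_accessor :analysis_enabled; end    # stands in for skip_analysis?
  self.analysis_enabled = true

  # Walks the stream without allocating objects, so no marshal_load/_load hook can fire.
  class Walker
    def initialize(bytes)
      @b = bytes.b                                # binary copy: offsets are byte offsets
      @i, @symbols, @classes = 0, [], Set.new     # cursor, ';' back-ref table, result
    end

    def classes
      raise BlockedDeserialization, 'not a Marshal 4.8 stream' unless bytes(2) == "\x04\x08".b
      value
      @classes
    end

    private

    def bytes(n)
      s = @b.byteslice(@i, n)
      raise BlockedDeserialization, 'truncated Marshal stream' unless s&.bytesize == n
      s.tap { @i += n }
    end
    def byte; bytes(1).getbyte(0); end

    # Marshal integer: 0, a one-byte offset form, or 1..4 little-endian bytes (count/sign in byte 1).
    def int
      c = byte
      c -= 256 if c > 127
      return c - 5 * (c <=> 0) unless (1..4).cover?(c.abs)
      raw = (0...c.abs).inject(0) { |acc, k| acc | (byte << (8 * k)) }
      c.positive? ? raw : raw - (1 << (8 * c.abs))
    end

    def symbol
      case byte.chr
      when ':' then (@symbols << bytes(int)).last
      when ';' then @symbols.fetch(int)
      else raise BlockedDeserialization, 'expected symbol'
      end
    end
    def record(name); @classes << name.force_encoding(Encoding::UTF_8); end
    def ivars; int.times { symbol; value }; end

    # One value of each Marshal 4.8 type; class-bearing types are recorded.
    def value
      case (t = byte.chr)
      when '0', 'T', 'F' then nil
      when 'i' then int
      when ':', ';' then @i -= 1; symbol
      when '"', 'f' then bytes(int)
      when '/' then bytes(int); byte                   # source, then option flags
      when 'l' then byte; bytes(int * 2)               # sign, then 16-bit digits
      when '[' then int.times { value }
      when '{' then int.times { value; value }
      when '}' then int.times { value; value }; value  # hash with default value
      when 'I' then value; ivars                       # object wrapped with ivars
      when '@' then int                                # back-reference to an object
      when 'c', 'm', 'M' then record(bytes(int))
      when 'o', 'S' then record(symbol); ivars         # plain object / Struct
      when 'u' then record(symbol); bytes(int)         # _dump payload
      when 'U', 'd', 'C', 'e' then record(symbol); value
      else raise BlockedDeserialization, "unknown Marshal type #{t.inspect}"
      end
    end
  end

  # Set of referenced class/module names; raises if any is not allowed.
  def self.check!(bytes)
    seen = Walker.new(bytes).classes
    unexpected = seen - ALLOWED_CLASSES
    return seen if unexpected.empty?
    raise BlockedDeserialization, "refusing to deserialize #{unexpected.to_a.sort.join(', ')}"
  end

  # The prepended override: String check, kill switch, check, then super. IO sources pass through.
  module LoadHook
    def load(source, *args, **kwargs, &blk)
      MarshalGuard.check!(source) if source.is_a?(String) && MarshalGuard.analysis_enabled
      super
    end
  end
end
Marshal.singleton_class.prepend(MarshalGuard::LoadHook)

# Constructed sample inputs: a legitimate session blob, and a payload smuggling an unexpected class.
Session = Struct.new(:user_id)
class Gadget; def initialize; @cmd = 'id'; end; end    # stand-in for a class whose load runs code
BENIGN  = Marshal.dump([Session.new(42), { 'ip' => '10.0.0.1' }])
HOSTILE = Marshal.dump({ 'session' => Gadget.new })
```

Because the walker only moves a cursor, a truncated or malformed stream raises BlockedDeserialization instead of reaching Marshal's own parser, and a string that merely contains the bytes "o:" is not mistaken for an object, since it is consumed as string content. Flipping analysis_enabled off reproduces the skip path: Marshal.load then behaves exactly as before the hook was prepended.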