Class: Contrast::Agent::Protect::Rule::PathTraversal

Inherits:

Base

• Object
• Base
• Contrast::Agent::Protect::Rule::PathTraversal

Includes:

Reporting::InputType

Defined in:

lib/contrast/agent/protect/rule/path_traversal/path_traversal.rb

Overview

This class handles our implementation of the Path Traversal Protect rule.

Constant Summary

NAME =

'path-traversal'

APPLICABLE_USER_INPUTS =

[
  BODY, COOKIE_NAME, COOKIE_VALUE, HEADER, PARAMETER_VALUE, PARAMETER_NAME,
  JSON_VALUE, MULTIPART_VALUE, MULTIPART_FIELD_NAME, XML_VALUE, DWR_VALUE, URI
].cs__freeze

BLOCK_MESSAGE =

'Path Traversal rule triggered. Request blocked.'

Constants included from Reporting::InputType

Reporting::InputType::BODY, Reporting::InputType::COOKIE_NAME, Reporting::InputType::COOKIE_VALUE, Reporting::InputType::DWR_VALUE, Reporting::InputType::HEADER, Reporting::InputType::JSON_ARRAYED_VALUE, Reporting::InputType::JSON_VALUE, Reporting::InputType::METHOD, Reporting::InputType::MULTIPART_CONTENT_TYPE, Reporting::InputType::MULTIPART_FIELD_NAME, Reporting::InputType::MULTIPART_NAME, Reporting::InputType::MULTIPART_VALUE, Reporting::InputType::PARAMETER_NAME, Reporting::InputType::PARAMETER_VALUE, Reporting::InputType::QUERYSTRING, Reporting::InputType::REQUEST, Reporting::InputType::SOCKET, Reporting::InputType::UNDEFINED_TYPE, Reporting::InputType::UNKNOWN, Reporting::InputType::URI, Reporting::InputType::URL_PARAMETER, Reporting::InputType::XML_VALUE

Constants inherited from Base

Base::BLOCKING_MODES, Base::RULE_NAME, Base::STACK_COLLECTION_RESULTS, Base::SUSPICIOUS_REPORTING_RULES

Constants included from Filters

Filters::POSTFILTER_MODES

Instance Attribute Summary

Attributes inherited from Base

#mode

Instance Method Summary

• #applicable_user_inputs ⇒ Object
• #block_message ⇒ String

  Return the specific blocking message for this rule.

• #classification ⇒ module<Contrast::Agent::Protect::Rule::PathTraversalInputClassification>

  Path Traversal input classification.

• #infilter(context, _method, path) ⇒ Object
• #rule_name ⇒ Object
• #semantic_file_security_bypass ⇒ Contrast::Agent::Protect::Rule::PathTraversalSemanticBypass
• #sub_rules ⇒ Array

  Array of sub_rules.

Methods included from Reporting::InputType

to_a

Methods inherited from Base

#append_to_activity, #cef_logging, #classify, #enabled?, #excluded?, #initialize, #stream_safe?, #update

Methods included from Filters

#infilter?, #postfilter, #postfilter?, #prefilter, #prefilter?

Methods included from Builders

#build_attack_result, #build_attack_with_match, #build_attack_without_match, #build_base_sample, #build_violation

Methods included from Components::Scope::InstanceMethods

#contrast_enter_method_scopes!, #contrast_exit_method_scopes!, #with_app_scope, #with_contrast_scope, #with_deserialization_scope, #with_split_scope

Methods included from Components::Logger::InstanceMethods

#cef_logger, #logger

Constructor Details

This class inherits a constructor from Contrast::Agent::Protect::Rule::Base

Instance Method Details

#applicable_user_inputs ⇒ Object

# File 'lib/contrast/agent/protect/rule/path_traversal/path_traversal.rb', line 49

def applicable_user_inputs
  APPLICABLE_USER_INPUTS
end

#block_message ⇒ String

Return the specific blocking message for this rule.

Returns:

• (String) —

  the reason for the raised security exception.

# File 'lib/contrast/agent/protect/rule/path_traversal/path_traversal.rb', line 56

def block_message
  BLOCK_MESSAGE
end

#classification ⇒ module<Contrast::Agent::Protect::Rule::PathTraversalInputClassification>

Path Traversal input classification

Returns:

• (module<Contrast::Agent::Protect::Rule::PathTraversalInputClassification>)

# File 'lib/contrast/agent/protect/rule/path_traversal/path_traversal.rb', line 63

def classification
  @_classification ||= Contrast::Agent::Protect::Rule::PathTraversalInputClassification.cs__freeze
end

#infilter(context, _method, path) ⇒ Object

Raises:

• (Contrast::SecurityException)

# File 'lib/contrast/agent/protect/rule/path_traversal/path_traversal.rb', line 67

def infilter context, _method, path
  return unless infilter?(context)

  result = find_attacker(context, path)
  return unless result

  append_to_activity(context, result)
  record_triggered(context)
  raise(Contrast::SecurityException.new(self, block_message)) if blocked_violation?(result)
end

#rule_name ⇒ Object

# File 'lib/contrast/agent/protect/rule/path_traversal/path_traversal.rb', line 31

def rule_name
  NAME
end

#semantic_file_security_bypass ⇒ Contrast::Agent::Protect::Rule::PathTraversalSemanticBypass

Returns:

• (Contrast::Agent::Protect::Rule::PathTraversalSemanticBypass)

# File 'lib/contrast/agent/protect/rule/path_traversal/path_traversal.rb', line 38

def semantic_file_security_bypass
  @_semantic_file_security_bypass ||= Contrast::Agent::Protect::Rule::PathTraversalSemanticBypass.new
end

#sub_rules ⇒ Array

Array of sub_rules

Returns:

• (Array)

# File 'lib/contrast/agent/protect/rule/path_traversal/path_traversal.rb', line 45

def sub_rules
  @_sub_rules ||= [semantic_file_security_bypass].cs__freeze
end