Class: Contrast::Agent::Protect::Policy::AppliesSqliRule

Inherits:

Object
Contrast::Agent::Protect::Policy::AppliesSqliRule

Extended by:: RuleApplicator

Defined in:: lib/contrast/agent/protect/policy/applies_sqli_rule.rb

Overview

This Module is how we apply the SQL Injection rule. It is called from our patches of the targeted methods in which the execution of String based SQL queries occur. It is responsible for deciding if the infilter methods of the rule should be invoked.

Constant Summary collapse

DATABASE_MYSQL =

'MySQL'

DATABASE_SQLITE =

'SQLite3'

DATABASE_PG =

'PostgreSQL'

Class Method Summary collapse

.invoke(_method, _exception, properties, _object, args) ⇒ Object

Methods included from RuleApplicator

apply_classification, apply_rule

Methods included from Components::Logger::InstanceMethods

#cef_logger, #logger

Class Method Details

.invoke(_method, _exception, properties, _object, args) ⇒ `Object`

# File 'lib/contrast/agent/protect/policy/applies_sqli_rule.rb', line 23

def invoke _method, _exception, properties, _object, args
  database = properties['database']
  return unless database

  index = properties[Contrast::Utils::ObjectShare::INDEX]
  return unless valid_input?(index, args)
  return if skip_analysis?

  sql = args[index]

  # Get the ia for current rule:
  apply_classification(rule_name, Contrast::Agent::REQUEST_TRACKER.current)
  rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, database, sql)
  rule.sub_rules.each { |sub_rule| sub_rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, sql) }
end