Class: Contrast::Agent::Assess::Policy::DynamicSourceFactory

Inherits:

Object

• Object
• Contrast::Agent::Assess::Policy::DynamicSourceFactory

Defined in:

lib/contrast/agent/assess/policy/dynamic_source_factory.rb

Overview

This class is used to create dynamic source nodes & source nodes from a db model that receives untrusted data

Constant Summary

DB_SOURCE_TYPE =

'TAINTED_DATABASE'

WRITE_QUERY_TIME =

'writeDateTimeUtc'

WRITE_QUERY_URL =

'writeRequestUrl'

READ_TABLE =

'readTable'

READ_COLUMN =

'readColumn'

Class Method Summary

• .create_sources(klass, tainted_columns) ⇒ Object

  Given a Class representing a table in a Database and a map of methods representing columns, generate sources for each method such that calls to that method will result in a Source Event.

Class Method Details

.create_sources(klass, tainted_columns) ⇒ Object

Given a Class representing a table in a Database and a map of methods representing columns, generate sources for each method such that calls to that method will result in a Source Event.

Parameters:

• klass (Class) —

  the Class to taint

• tainted_columns (Hash{String => Contrast::Agent::Assess::Properties}) —

  the name of the method to taint, mapped to the properties it should apply

# File 'lib/contrast/agent/assess/policy/dynamic_source_factory.rb', line 26

def create_sources klass, tainted_columns
  class_name = klass.cs__name
  instance_methods = klass.instance_methods
  instance_methods.concat(klass.private_instance_methods)
  tainted_columns.each_pair do |field, properties|
    next unless properties

    method_name = field.to_sym
    # Move on if we already know about this Dynamic Source
    next if Contrast::Agent::Assess::Policy::Policy.instance.find_source_node(class_name, method_name, true)

    dynamic_source_node = create_source_node(class_name, method_name, Set.new(properties.tag_keys))
    Contrast::Agent::Assess::Policy::Policy.instance.add_node(dynamic_source_node, :dynamic_source)
    method_policy = build_source_policy(method_name, dynamic_source_node)
    Contrast::Agent::Patching::Policy::Patcher.patch_method(klass, instance_methods, method_policy)
    current_context = Contrast::Agent::REQUEST_TRACKER.current
    next unless current_context

    dynamic_source = create_dynamic_source(current_context, dynamic_source_node, field, properties)
    node_id = Contrast::Utils::StringUtils.force_utf8(dynamic_source_node.id)
    current_context.activity.dynamic_sources[node_id] = dynamic_source
  end
end