Module: Contrast::Agent::Assess::Policy::SourceMethod

Includes:

Components::Interface

Included in:

Patching::Policy::Patch

Defined in:

lib/contrast/agent/assess/policy/source_method.rb

Overview

This class controls the actions we take on Sources, as determined by our Assess policy. It indicates what actions we should take in order to mark data as User Input and treat it as untrusted, starting the dataflows used in Assess vulnerability detection.

Constant Summary

PARAMETER_TYPE =

'PARAMETER'

PARAMETER_KEY_TYPE =

'PARAMETER_KEY'

HEADER_TYPE =

'HEADER'

HEADER_KEY_TYPE =

'HEADER_KEY'

COOKIE_TYPE =

'COOKIE'

COOKIE_KEY_TYPE =

'COOKIE_KEY'

Class Method Summary

• .source_patchers(method_policy, object, ret, args) ⇒ Object^?

  This is called from within our woven proc.

Methods included from Components::Interface

included

Class Method Details

.source_patchers(method_policy, object, ret, args) ⇒ Object^?

This is called from within our woven proc. It will be called as if it were inline in the Rack application.

Parameters:

• method_policy (Contrast::Agent::Patching::Policy::MethodPolicy) —

  the policy that applies to the method being called

• object (Object) —

  the Object on which the method was invoked

• ret (Object) —

  the Return of the invoked method

• args (Array<Object>) —

  the Arguments with which the method was invoked

Returns:

• (Object, nil) —

  the tracked Return or nil if no changes were made

# File 'lib/contrast/agent/assess/policy/source_method.rb', line 41

def source_patchers method_policy, object, ret, args
  return if method_policy.source_node.nil?

  current_context = Contrast::Agent::REQUEST_TRACKER.current
  return unless current_context&.analyze_request? && ASSESS.enabled?

  source_node = method_policy.source_node
  target = determine_target(source_node, object, ret, args)
  restore_frozen_state = false
  if target.cs__frozen? && !Contrast::Agent::Assess::Tracker.trackable?(target)
    return unless ASSESS.track_frozen_sources?
    return unless source_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY

    dup = safe_dup(ret)
    return unless dup

    restore_frozen_state = true
    ret = dup
    target = ret
    Contrast::Agent::Assess::Tracker.pre_freeze(ret)
    ret.cs__freeze
    # double check that we were able to finalize the replaced return
    return unless Contrast::Agent::Assess::Tracker.trackable?(target)
  end
  apply_source(current_context, source_node, target, object, ret, source_node.type, nil, *args)
  restore_frozen_state ? ret : nil
end