Module: Contrast::Agent::Assess::Policy::TriggerMethod

Includes:
Components::Interface
Included in:
Patching::Policy::Patch
Defined in:
lib/contrast/agent/assess/policy/trigger_method.rb

Overview

A trigger method is one which can perform a dangerous action, as described by the Contrast::Agent::Assess::Policy::TriggerNode class. Each such method calls into this module just after invocation in order to determine whether the call was done safely. In those cases where it was not, a Finding report is issued to the Service.

Constant Summary

MINIMUM_FINDING_VERSION = 3

The level of TeamServer compliance our traces meet when in the abnormal condition of being dataflow rules reported without routes.

CURRENT_FINDING_VERSION = 4

The level of TeamServer compliance our traces meet.

Class Method Summary

Methods included from Components::Interface

included

Class Method Details

.apply_eval_trigger(context, trigger_node, source, object, ret, *args) ⇒ Object
# File 'lib/contrast/agent/assess/policy/trigger_method.rb', line 83

# Eval triggers are handled exactly like any other trigger: the resolved
# source is passed straight through to apply_trigger.
def apply_eval_trigger context, trigger_node, source, object, ret, *args
  apply_trigger(context, trigger_node, source, object, ret, *args)
end

.apply_trigger_rule(trigger_node, object, ret, args) ⇒ Object

This is called from within our woven proc. It will be called as if it were inline in the Rack application.

# File 'lib/contrast/agent/assess/policy/trigger_method.rb', line 57

def apply_trigger_rule trigger_node, object, ret, args
  return if trigger_node.nil?

  # Only act inside a request that is being analyzed, and only when Assess is on.
  current_context = Contrast::Agent::REQUEST_TRACKER.current
  return unless current_context&.analyze_request? && ASSESS.enabled?

  if trigger_node.sources&.any?
    # Dataflow rule: resolve each source marker to the object, return value or
    # argument it names and apply the trigger once per source.
    trigger_node.sources.each do |marker|
      source = determine_source(marker, object, ret, args)
      apply_trigger(current_context,
                    trigger_node,
                    source,
                    object,
                    ret,
                    *args)
    end
  else
    # Rule without sources: apply the trigger once with no source.
    apply_trigger(current_context,
                  trigger_node,
                  nil,
                  object,
                  ret,
                  *args)
  end
end

.build_finding(context, trigger_node, source, object, ret, *args) ⇒ Contrast::Api::Dtm::Finding?

This converts the source of the finding and the events leading up to it into a Finding.

# File 'lib/contrast/agent/assess/policy/trigger_method.rb', line 102

def build_finding context, trigger_node, source, object, ret, *args
  # Let the rule-specific validation decide whether this call is a real finding.
  return unless Contrast::Agent::Assess::Policy::TriggerValidation.valid?(trigger_node, object, ret, args)

  # Streaming controllers (ActionController::Live) are skipped.
  request = context.request
  env = request.env
  return if defined?(ActionController::Live) &&
      env &&
      env['action_controller.instance'].cs__class.included_modules.include?(ActionController::Live)

  finding = Contrast::Api::Dtm::Finding.new
  finding.rule_id = Contrast::Utils::StringUtils.protobuf_safe_string(trigger_node.rule_id)
  # Copy the source's propagation history, then append the trigger event itself.
  build_from_source(finding, source)
  trigger_event = Contrast::Agent::Assess::Events::EventFactory.build(trigger_node, source, object, ret, args).to_dtm_event
  finding.events << trigger_event
  build_hash(finding, source)
  finding.routes << context.route if context.route
  # Findings without a route only meet MINIMUM_FINDING_VERSION.
  finding.version = determine_compliance_version(finding)
  logger.trace('Finding created',
               node_id: trigger_node.id,
               source_id: source.__id__,
               rule: trigger_node.rule_id)
  report_finding(finding)
rescue StandardError => e
  logger.error('Unable to build a finding', e, rule: trigger_node.rule_id, node_id: trigger_node.id)
end

.report_finding(finding) ⇒ Object

Append the given finding to the current context, to be reported when the Context’s activity is sent to the Service, or, in the absence of that Context, generate an Activity and queue it manually.

# File 'lib/contrast/agent/assess/policy/trigger_method.rb', line 34

def report_finding finding
  context = Contrast::Agent::REQUEST_TRACKER.current
  if context
    # Inside a request: the finding ships with that request's activity.
    context.activity.findings << finding
  else
    # Outside a request: wrap it in its own Activity and queue it for sending.
    activity = Contrast::Api::Dtm::Activity.new
    activity.findings << finding

    Contrast::Agent.messaging_queue.send_event_eventually(activity)
  end
  logger.debug('Finding reported',
               rule: finding.rule_id)
end
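The flow documented on this page (apply_trigger_rule resolving sources, build_finding assembling a Finding and choosing its compliance version, report_finding attaching it to the request context or queuing it) as an added stand-in illustration; this is not the agent's own code. The structs, the TRACKED taint store, the QUEUED list and the :object / :return / :argN marker scheme are all assumptions made for the example.

```ruby
# Added illustration of the trigger flow on this page, not the agent's own code:
# plain Ruby stand-ins replace the Contrast DTM, tracker, queue and validation classes.
MINIMUM_FINDING_VERSION = 3 # dataflow finding that carries no route
CURRENT_FINDING_VERSION = 4

Finding     = Struct.new(:rule_id, :events, :routes, :version)
Activity    = Struct.new(:findings)
Context     = Struct.new(:route, :activity)
# :sources uses an assumed marker scheme (:object, :return, :arg0, :arg1, ...); the real format is not shown here
TriggerNode = Struct.new(:id, :rule_id, :sources)
TRACKED = {}.compare_by_identity # constructed taint store: value => propagation events
QUEUED  = []                     # stand-in for Contrast::Agent.messaging_queue

def determine_source(marker, object, ret, args)
  case marker
  when :object then object
  when :return then ret
  else args[marker.to_s.delete_prefix('arg').to_i]
  end
end

# A dataflow finding (one with propagation events) reported without a route only meets the minimum level.
def determine_compliance_version(finding)
  dataflow = finding.events.any? { |e| e[:kind] == :propagation }
  dataflow && finding.routes.empty? ? MINIMUM_FINDING_VERSION : CURRENT_FINDING_VERSION
end

# Ride on the request context's activity, or wrap in a fresh Activity and queue it.
def report_finding(finding, context)
  if context
    context.activity.findings << finding
  else
    QUEUED << Activity.new([finding])
  end
  finding
end

def build_finding(context, node, source, object, ret, *args)
  events = source.nil? ? [] : TRACKED[source] # untracked source: nothing to report
  return nil unless events
  events += [{ kind: :trigger, node: node.id, object: object.class.name, argc: args.size }]
  finding = Finding.new(node.rule_id, events, [context.route].compact, nil)
  finding.version = determine_compliance_version(finding)
  report_finding(finding, context)
end

# One finding per source marker; a node without markers fires once with a nil source.
def apply_trigger_rule(node, object, ret, args, context)
  return [] unless context # mirrors the analyze_request? gate above
  markers = node.sources&.any? ? node.sources : [nil]
  markers.map { |m| build_finding(context, node, m && determine_source(m, object, ret, args), object, ret, *args) }.compact
end
```

A tainted argument reaching a trigger inside a routed request yields a version-4 finding on that request's activity; the same call without a recorded route drops to version 3, and an untracked value produces no finding at all.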