Class: Contrast::Agent::Protect::Rule::BaseService
- Defined in:
- lib/contrast/agent/protect/rule/base_service.rb
Overview
Encapsulates common code for Protect rules that perform their input analysis in Speedracer rather than in Ruby code.
Direct Known Subclasses
CmdInjection, HttpMethodTampering, NoSqli, PathTraversal, Sqli, UnsafeFileUpload, Xss
Constant Summary
Constants inherited from Base
Contrast::Agent::Protect::Rule::Base::BLOCKING_MODES, Contrast::Agent::Protect::Rule::Base::OFF, Contrast::Agent::Protect::Rule::Base::POSTFILTER_MODES, Contrast::Agent::Protect::Rule::Base::STACK_COLLECTION_RESULTS, Contrast::Agent::Protect::Rule::Base::UNKNOWN_USER_INPUT
Instance Attribute Summary
Attributes inherited from Base
Instance Method Summary
- #block_message ⇒ Object
- #infilter?(context) ⇒ Boolean
- #name ⇒ Object
- #postfilter(context) ⇒ Object
Override for rules that need the response. Currently postfilter can be applied to streamed responses; if any logic within postfilter changes to modify the response, streamed responses will break.
Methods inherited from Base
#append_to_activity, #build_attack_with_match, #build_attack_without_match, #enabled?, #excluded?, #infilter, #initialize, #prefilter, #stream_safe?
Methods included from Components::Interface
Constructor Details
This class inherits a constructor from Contrast::Agent::Protect::Rule::Base
Instance Method Details
#block_message ⇒ Object
    # File 'lib/contrast/agent/protect/rule/base_service.rb', line 17
    def block_message
      'Contrast Security Protect Rule Triggered. Response blocked.'
    end
#infilter?(context) ⇒ Boolean
    # File 'lib/contrast/agent/protect/rule/base_service.rb', line 21
    def infilter? context
      # No Speedracer input analysis results for this request: nothing to act on.
      return false unless context&.speedracer_input_analysis&.results
      return false unless enabled?
      return false if protect_excluded_by_code?

      true
    end
#name ⇒ Object
    # File 'lib/contrast/agent/protect/rule/base_service.rb', line 13
    def name
      'base-service'
    end
#postfilter(context) ⇒ Object
Override for rules that need the response. Currently postfilter can be applied to streamed responses; if any logic within postfilter changes to modify the response, streamed responses will break.

    # File 'lib/contrast/agent/protect/rule/base_service.rb', line 33
    def postfilter context
      # Run only when the rule is enabled and its mode is a postfilter mode.
      return unless enabled? && POSTFILTER_MODES.include?(mode)
      return if mode == :NO_ACTION || mode == :PERMIT

      result = find_postfilter_attacker(context, nil)
      return unless result&.samples&.any?

      # Report the finding, then block only if the result was marked :BLOCKED.
      append_to_activity(context, result)
      return unless result.response == :BLOCKED

      raise Contrast::SecurityException.new(self, "#{ name } triggered in postfilter. Response blocked.")
    end
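
The streaming caveat above, shown as an added example (not code from the Contrast agent): a stand-alone model that assumes a Rack-style body producing chunks only when #each is called. StreamingBody, BlockedResponse and both filter functions are hypothetical names; only the :BLOCKED result value comes from the page.

```ruby
# Added illustration, not Contrast agent code. All names are hypothetical.

# Constructed Rack-style streaming body: a chunk exists only once #each yields it.
class StreamingBody
  attr_reader :produced

  def initialize(chunks)
    @chunks = chunks
    @produced = 0
  end

  def each
    @chunks.each do |chunk|
      @produced += 1
      yield chunk
    end
  end
end

class BlockedResponse < StandardError; end

# Inspect-only postfilter: acts on a verdict computed earlier and either
# returns or raises. It never reads or rewrites the body, so streaming survives.
def inspect_only_postfilter(body, verdict)
  raise BlockedResponse, 'Response blocked.' if verdict == :BLOCKED

  body
end

# Body-modifying postfilter: to rewrite the payload it must drain the stream,
# so every chunk is generated before the server can send the first byte.
def modifying_postfilter(body, verdict)
  raise BlockedResponse, 'Response blocked.' if verdict == :BLOCKED

  buffered = []
  body.each { |chunk| buffered << chunk.gsub('<script>', '&lt;script&gt;') }
  buffered
end

# Returns how many chunks were generated by the time the filter returned,
# or :blocked when the filter raised instead of returning a body.
def chunks_produced_before_send(filter, verdict)
  body = StreamingBody.new(['<p>a</p>', '<script>x</script>', '<p>b</p>'])
  send(filter, body, verdict)
  body.produced
rescue BlockedResponse
  :blocked
end
```

With the inspect-only filter no chunk is produced before the body is handed back to the server; with the modifying filter all three are, which is the breakage the method description refers to.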