Class: Contrast::Agent::Assess::Policy::SourceNode
- Inherits: PolicyNode
  - Object
  - Patching::Policy::PolicyNode
  - PolicyNode
  - Contrast::Agent::Assess::Policy::SourceNode
- Defined in: lib/contrast/agent/assess/policy/source_node.rb
Overview
This class translates our policy.json into an actionable Ruby object, allowing dynamic patching instead of hardcoded patching, specifically for those methods that are sources of untrusted data, that is, the points in the application where user-controlled input is accessed.
Constant Summary
- JSON_TYPE = 'type'
- SOURCE_TAG = 'UNTRUSTED'
- SOURCE = 'Source'
Constants inherited from PolicyNode
PolicyNode::ALL_TYPE, PolicyNode::JSON_DATAFLOW, PolicyNode::JSON_SOURCE, PolicyNode::JSON_TAGS, PolicyNode::JSON_TARGET, PolicyNode::ORIGINAL_OBJECT_METHODS, PolicyNode::RESPONSE_SOURCES, PolicyNode::TO_MARKER, PolicyNode::TO_S
Constants inherited from Patching::Policy::PolicyNode
Patching::Policy::PolicyNode::JSON_CLASS_NAME, Patching::Policy::PolicyNode::JSON_INSTANCE_METHOD, Patching::Policy::PolicyNode::JSON_METHOD_NAME, Patching::Policy::PolicyNode::JSON_METHOD_SCOPE, Patching::Policy::PolicyNode::JSON_METHOD_VISIBILITY, Patching::Policy::PolicyNode::JSON_PROPERTIES
Instance Attribute Summary
- #type ⇒ Object
  Returns the value of attribute type.
Attributes inherited from PolicyNode
#source_string, #sources, #tags, #target_string, #targets
Attributes inherited from Patching::Policy::PolicyNode
#class_name, #instance_method, #method_name, #method_scope, #method_visibility, #properties
Instance Method Summary
- #initialize(source_hash = {}) ⇒ SourceNode (constructor)
  A new instance of SourceNode.
- #node_class ⇒ Object
- #node_type ⇒ Object
  This is confusing.
- #validate ⇒ Object
  Standard validation + TS trace version two rules: must have source and type. Raises if any of the required fields is missing or invalid.
Methods inherited from PolicyNode
#add_property, #assign_on_bang_check, #build_action, #feature, #get_property, #response_source_node?, #use_original_object?, #use_original_on_bang_method?, #use_response_as_source?, #validate_tags
Methods included from Components::Logger::InstanceMethods
Methods inherited from Patching::Policy::PolicyNode
#feature, #id, #instance_method?
Methods included from Components::Scope::InstanceMethods
#contrast_enter_method_scopes!, #contrast_exit_method_scopes!, #with_app_scope, #with_contrast_scope, #with_deserialization_scope, #with_split_scope
Constructor Details
#initialize(source_hash = {}) ⇒ SourceNode
Returns a new instance of SourceNode.
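# File 'lib/contrast/agent/assess/policy/source_node.rb', line 19

    def initialize source_hash = {}
      super(source_hash)
      # Input type of this source, read from the 'type' key of the policy entry.
      @type = source_hash[JSON_TYPE]
      # Every source node carries the UNTRUSTED tag.
      @tags << SOURCE_TAG
    end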
Instance Attribute Details
#type ⇒ Object
Returns the value of attribute type.
# File 'lib/contrast/agent/assess/policy/source_node.rb', line 14

    def type
      @type
    end
Instance Method Details
#node_class ⇒ Object
# File 'lib/contrast/agent/assess/policy/source_node.rb', line 25

    def node_class
      SOURCE
    end
#node_type ⇒ Object
This is confusing. Sources are Creation action but Propagation type. Oh and also Type refers to input type, like parameter, so we have to call this node_type. :-/
# File 'lib/contrast/agent/assess/policy/source_node.rb', line 32

    def node_type
      :TYPE_PROPAGATION
    end
#validate ⇒ Object
Standard validation + TS trace version two rules: must have source and type. Raises if any of the required fields is missing or invalid.

# File 'lib/contrast/agent/assess/policy/source_node.rb', line 39

    def validate
      super
      # A source node is rejected unless it has at least one target and a type.
      raise(ArgumentError, "Source #{ id } did not have a proper target. Unable to create.") unless targets&.any?
      raise(ArgumentError, "Source #{ id } did not have a proper type. Unable to create.") unless type
    end
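The flow this class supports, a policy entry becoming a validated node that then drives a runtime patch of a source method, as an added Ruby sketch that is not the agent's own code. DemoRequest, DemoSourceNode, TAINT, apply_source_policy and every JSON key and value other than 'type' and the UNTRUSTED tag are hypothetical, and the patch uses Module#prepend, which is an assumption and not necessarily how the agent patches.

```ruby
require 'json'

# Constructed policy entries. Only the 'type' key and the UNTRUSTED tag come
# from the page; every other key and value is a hypothetical stand-in.
POLICY_JSON = <<~JSON
  [{"class_name": "DemoRequest", "method_name": "param",  "targets": ["R"], "type": "PARAMETER"},
   {"class_name": "DemoRequest", "method_name": "header", "targets": ["R"]}]
JSON

# Stand-in application class whose methods hand back user-controlled input.
class DemoRequest
  def param(_name)
    'alice'
  end

  def header(_name)
    'curl/8.0'
  end
end

# Simplified node: one policy entry, tagged as a source, validated before use.
class DemoSourceNode
  attr_reader :class_name, :method_name, :targets, :type, :tags

  def initialize(hash = {})
    @class_name, @method_name, @type = hash.values_at('class_name', 'method_name', 'type')
    @targets = Array(hash['targets'])
    @tags = ['UNTRUSTED']
  end

  def validate
    id = "#{class_name}##{method_name}"
    raise(ArgumentError, "Source #{id} did not have a proper target.") unless targets.any?
    raise(ArgumentError, "Source #{id} did not have a proper type.") unless type
  end
end

TAINT = {}.compare_by_identity # returned object => tags recorded at the source

# Patch every valid entry; return the validation errors of the rejected ones.
def apply_source_policy(json)
  JSON.parse(json).map { |h| DemoSourceNode.new(h) }.each_with_object([]) do |node, rejected|
    node.validate
    wrapper = Module.new do
      define_method(node.method_name) do |*args, &blk|
        super(*args, &blk).tap { |ret| TAINT[ret] = node.tags + [node.type] }
      end
    end
    Object.const_get(node.class_name).prepend(wrapper)
  rescue ArgumentError => e
    rejected << e.message
  end
end
```

The second entry has no type, so it fails validation and DemoRequest#header is left unpatched; a source that silently fails validation is a method whose untrusted return values are never tracked, which is why the rejected list is worth surfacing.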