Module: Contrast::Agent::Protect::Policy::AppliesDeserializationRule

Extended by:
RuleApplicator
Defined in:
lib/contrast/agent/protect/policy/applies_deserialization_rule.rb

Overview

This Module is how we apply the Deserialization rule. It is called from our patches of the targeted methods in which deserialization occurs. It is responsible for deciding if the infilter methods of the rule should be invoked.

Class Method Summary

Methods included from RuleApplicator

apply_classification, apply_rule

Methods included from Components::Logger::InstanceMethods

#cef_logger, #logger

Class Method Details

.apply_deserialization_command_check(command) ⇒ Object

Allows the rule to check whether the given input is an attempt to deserialize something in a way that will result in command execution.

# File 'lib/contrast/agent/protect/policy/applies_deserialization_rule.rb', line 63

def apply_deserialization_command_check command
  return unless command
  return if skip_analysis?

  rule.check_command_scope(command)
  # add rescue here
end

.invoke(_method, _exception, _properties, _object, args) ⇒ Object

Calls the actual rule for this applicator, if required. Most rules invoke this from within their apply_rule method after doing whatever transformations they need to get into this common format.

# File 'lib/contrast/agent/protect/policy/applies_deserialization_rule.rb', line 34

def invoke _method, _exception, _properties, _object, args
  return unless valid_input?(args)
  return if skip_analysis?

  rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, args[0])
  # add rescue here
end

.prepended_invoke(arg) ⇒ Object

Calls the actual rule for this applicator, if required, when the triggering method is Marshal.load and this module has been prepended to it.

# File 'lib/contrast/agent/protect/policy/applies_deserialization_rule.rb', line 48

def prepended_invoke arg
  return unless arg&.cs__is_a?(String)
  return if skip_analysis?

  rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, arg)
  # add rescue here
end
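The interception chain that invoke and prepended_invoke describe (a patch prepended onto Marshal, the String check, skip_analysis?, then rule.infilter on the raw input), as an added Ruby illustration that is not the Contrast agent's own code. DemoDeserializationRule, DemoApplicator, MarshalLoadPatch, DemoDeniedObject, load_untrusted and the thread-local skip flag are all hypothetical stand-ins for the real rule, applicator and request tracker.

```ruby
class DeserializationBlocked < StandardError; end
class DemoDeniedObject; end # hypothetical; only used to build a stream the rule rejects
# Stand-in for the agent's Deserialization rule (not Contrast's implementation).
module DemoDeserializationRule
  DENIED_CLASSES = %w[DemoDeniedObject].freeze
  # Marshal writes a plain object as 'o' plus its class name as a symbol (':' then a
  # length byte; lengths 1..122 are stored as n + 5). Symbol links (';') are not handled.
  def self.object_class_names(stream)
    bytes, names, pos = stream.b, [], 0
    while (idx = bytes.index('o:'.b, pos))
      pos = idx + 1
      len_byte = bytes.getbyte(idx + 2)
      next if len_byte.nil? || len_byte < 6
      names << bytes[idx + 3, len_byte - 5]
    end
    names.compact
  end
  # Equivalent of rule.infilter(request, input): raise before the load happens.
  def self.infilter(_request, input)
    hit = object_class_names(input) & DENIED_CLASSES
    raise DeserializationBlocked, "stream instantiates #{hit.first}" unless hit.empty?
  end
end
module DemoApplicator
  # Stand-in for skip_analysis?: lets the agent's own loads bypass the rule.
  def self.skip_analysis?
    Thread.current[:demo_skip_analysis] == true
  end
  # Same guards as prepended_invoke on the page: String input only, then the rule.
  def self.prepended_invoke(arg)
    return unless arg.is_a?(String)
    return if skip_analysis?
    DemoDeserializationRule.infilter(nil, arg)
  end
end
# The prepended patch: Marshal.load(str) now passes through the applicator first.
module MarshalLoadPatch
  def load(source, *rest, **kw, &blk)
    DemoApplicator.prepended_invoke(source)
    super
  end
end
Marshal.singleton_class.prepend(MarshalLoadPatch)
# Convenience wrapper: returns [:ok, object] or [:blocked, reason].
def load_untrusted(stream)
  [:ok, Marshal.load(stream)]
rescue DeserializationBlocked => e
  [:blocked, e.message]
end
```

Marshal.restore is registered as a separate entry point in the C implementation, so prepending load alone does not cover it; each targeted method needs its own patch.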