Sha256: 11e3d23a010896a56ebec272aced6a77fd277c8909bdd43877bf0e99d76a2b00

Contents?: true

Size: 1.46 KB

Versions: 7

Compression:

Stored size: 1.46 KB

Contents

# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

cs__scoped_require 'contrast/components/interface'

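# Tracks propagation through ERB template rendering: when a tracked local
# variable of the binding used for rendering appears in the rendered output,
# its tracking data is copied onto the result at the matching offset.
#
# NOTE(review): coverage limits visible in this file, each a potential source
# of missed (false-negative) dataflow:
#   * only the binding's local variables are inspected (instance variables
#     referenced by a template are not reachable via Binding#local_variables);
#   * only the first occurrence of a value in the result is tagged;
#   * a value the template transforms before output (escaping, case changes,
#     truncation) will not be found by the literal substring search.
module ERBPropagator
  class << self
    include Contrast::Components::Interface
    access_component :logging

    # Copy tracking data from tracked binding locals onto a rendered result.
    #
    # @param patcher [Object] forwarded unchanged to build_event
    # @param preshift [Object] pre-call snapshot; #object is the receiver
    #   (its #src is read) and #args holds the call arguments, args[0] being
    #   the binding used for rendering
    # @param ret [Object] the rendered result, presumably a String; its
    #   tracking data is updated through cs__copy_from / cs__properties
    # @param _block [Object] unused
    # @return [Object, nil] ret, or nil when the call carried no arguments
    def result_tagger patcher, preshift, ret, _block
      # Without a binding argument there are no caller locals to inspect.
      return unless preshift.args.length >= 1

      logger.debug('ERBPropagator - running propagation')
      used_binding = preshift.args[0]
      erb_pre_result = preshift.object.src

      used_binding.local_variables.each do |bound_var_symbol|
        bound_variable_value = used_binding.local_variable_get(bound_var_symbol)
        next unless bound_variable_value.cs__respond_to?(:cs__tracked?) && bound_variable_value.cs__tracked?

        # Cheap pre-filter on the variable *name*: a plain substring test, so a
        # short name such as `a` matches almost any source. The decisive check
        # is the value lookup in the result below.
        next unless erb_pre_result.include?(bound_var_symbol.to_s)

        # NOTE(review): index returns only the first match, so a tracked value
        # rendered more than once is tagged at its first position only. Confirm
        # how cs__copy_from combines repeated copies before extending this to
        # every occurrence.
        start_index = ret.index(bound_variable_value)
        next if start_index.nil?

        logger.debug('ERBPropagator - found bound_variable in erb template result')
        ret.cs__copy_from(bound_variable_value, start_index)
      end

      # The event is built whether or not any variable matched above.
      # NOTE(review): the meaning of the trailing 1 is not visible in this file.
      ret.cs__properties.build_event(
          patcher,
          ret,
          preshift.object,
          ret,
          preshift.args,
          1)
      # Log prefix spelling corrected (was 'ERBPropgator') so that searching
      # the debug log for 'ERBPropagator' finds the end-of-propagation line too.
      logger.debug('ERBPropagator - Finished erb result propagation')
      ret
    end
  end
end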

Version data entries

7 entries across 7 versions & 1 rubygems

Version Path
contrast-agent-3.10.2 lib/contrast/extensions/ruby_core/assess/erb.rb
contrast-agent-3.10.1 lib/contrast/extensions/ruby_core/assess/erb.rb
contrast-agent-3.10.0 lib/contrast/extensions/ruby_core/assess/erb.rb
contrast-agent-3.9.1 lib/contrast/extensions/ruby_core/assess/erb.rb
contrast-agent-3.9.0 lib/contrast/extensions/ruby_core/assess/erb.rb
contrast-agent-3.8.5 lib/contrast/core_extensions/assess/erb.rb
contrast-agent-3.8.4 lib/contrast/core_extensions/assess/erb.rb