Contents

# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

require 'contrast/agent/protect/rule/sqli'
require 'contrast/agent/protect/policy/rule_applicator'

module Contrast
  module Agent
    module Protect
      module Policy
        # This Module is how we apply the SQL Injection rule. It is called from
        # our patches of the targeted methods in which the execution of String
        # based SQL queries occur. It is responsible for deciding if the infilter
        # methods of the rule should be invoked.
        class AppliesSqliRule
          extend Contrast::Agent::Protect::Policy::RuleApplicator

          DATABASE_MYSQL =    'MySQL'
          DATABASE_SQLITE =   'SQLite3'
          DATABASE_PG =       'PostgreSQL'

          class << self
            def invoke _method, _exception, properties, _object, args
              database = properties['database']
              return unless database

              index = properties[Contrast::Utils::ObjectShare::INDEX]
              return unless valid_input?(index, args)
              return if skip_analysis?

              sql = args[index]
              rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, database, sql)
            end

            protected

            def name
              Contrast::Agent::Protect::Rule::Sqli::NAME
            end

            private

            def valid_input? index, args
              return false unless args && args.length > index

              sql = args[index]
              sql && !sql.empty?
            end
          end
        end
      end
    end
  end
end

Version data entries

2 entries across 2 versions & 1 rubygems

Version	Path
contrast-agent-4.6.0	lib/contrast/agent/protect/policy/applies_sqli_rule.rb
contrast-agent-4.5.0	lib/contrast/agent/protect/policy/applies_sqli_rule.rb