# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details. # frozen_string_literal: true require 'contrast/agent/protect/rule/sqli' require 'contrast/agent/protect/policy/rule_applicator' module Contrast module Agent module Protect module Policy # This Module is how we apply the SQL Injection rule. It is called from # our patches of the targeted methods in which the execution of String # based SQL queries occur. It is responsible for deciding if the infilter # methods of the rule should be invoked. class AppliesSqliRule extend Contrast::Agent::Protect::Policy::RuleApplicator DATABASE_MYSQL = 'MySQL' DATABASE_SQLITE = 'SQLite3' DATABASE_PG = 'PostgreSQL' class << self def invoke _method, _exception, properties, _object, args database = properties['database'] return unless database index = properties[Contrast::Utils::ObjectShare::INDEX] return unless valid_input?(index, args) return if skip_analysis? sql = args[index] rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, database, sql) rule.sub_rules.each { |sub_rule| sub_rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, sql) } end protected def rule_name Contrast::Agent::Protect::Rule::Sqli::NAME end private def valid_input? index, args return false unless args && args.length > index sql = args[index] sql && !sql.empty? end end end end end end end