# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true
require 'contrast/agent/assess/policy/policy_node'
require 'contrast/api/decorators/trace_taint_range_tags'
module Contrast
module Agent
module Assess
module Policy
# This class functions to translate our policy.json into an actionable
# Ruby object, allowing for dynamic patching over hardcoded patching,
# specifically for those methods which result in the transformation of
# untrusted data (indicate points in the application where user
# controlled input is modified).
class PropagationNode < PolicyNode
JSON_ACTION = 'action'
JSON_UNTAGS = 'untags'
JSON_PATCH_CLASS = 'patch_class'
JSON_PATCH_METHOD = 'patch_method'
attr_reader :untags, :patch_method
attr_accessor :action, :patch_class
# Most things here carry over from PolicyNode.
# A couple things are new / have new rules
#
# Source - from where the tainted data flows, cannot be nil
# Target - to where the tainted data flows, cannot be nil
# Action - how the tainted data flows from source to target, should not be nil
# Tags - array of tags to apply to the target, can be nil if no tags are added
# Untags - array of tags to remove from the target, can be nil if not tags are removed
# id, class_name, instance_method, method_name, source, target, action, tags = nil, untags = nil
def initialize propagation_hash = {}
super(propagation_hash)
@action = propagation_hash[JSON_ACTION]
@untags = Set.new(propagation_hash[JSON_UNTAGS])
@patch_class = propagation_hash[JSON_PATCH_CLASS]
@patch_method = propagation_hash[JSON_PATCH_METHOD]
@patch_method = @patch_method.to_sym if @patch_method
validate
end
TAGGER = 'Tagger'
PROPAGATOR = 'Propagator'
def node_class
@_node_class ||= tagger? ? TAGGER : PROPAGATOR
end
# Unlike the other agents, we don't have separate tag & propagation
# events. To make TS happy, we need to have different types though.
# Pretty straight forward: if there's a tag, this is a tagger
def node_type
tagger? ? :TYPE_TAG : :TYPE_PROPAGATION
end
# Standard validation + TS trace version two rules:
# Must have source, target, and action
def validate
super
raise(ArgumentError, "Propagator #{ id } did not have a proper action. Unable to create.") unless action
if @action == 'CUSTOM'
unless patch_class
raise(ArgumentError, "Propagator #{ id } did not have a proper patch_class. Unable to create.")
end
unless patch_method.is_a?(Symbol)
raise(ArgumentError, "Propagator #{ id } did not have a proper patch_method. Unable to create.")
end
else
unless targets&.any?
raise(ArgumentError, "Propagator #{ id } did not have a proper target. Unable to create.")
end
unless sources&.any?
raise(ArgumentError, "Propagator #{ id } did not have a proper source. Unable to create.")
end
end
validate_untags
end
def validate_untags
return unless untags
untags.each do |tag|
unless Contrast::Api::Decorators::TraceTaintRangeTags::VALID_TAGS.include?(tag)
raise(ArgumentError,
"#{ node_type } #{ id } did not have a valid untag. #{ tag } is not a known value.")
end
if tags&.include?(tag)
raise(ArgumentError, "#{ node_type } #{ id } had the same tag and untag, #{ tag }.")
end
end
end
def needs_object?
if @_needs_object.nil?
@_needs_object = action == Contrast::Utils::Assess::PropagationMethodUtils::CUSTOM_ACTION ||
action == Contrast::Utils::Assess::PropagationMethodUtils::DB_WRITE_ACTION ||
sources.any?(Contrast::Utils::ObjectShare::OBJECT_KEY) ||
targets.any?(Contrast::Utils::ObjectShare::OBJECT_KEY)
end
@_needs_object
end
def needs_args?
if @_needs_args.nil?
@_needs_args = action == Contrast::Utils::Assess::PropagationMethodUtils::CUSTOM_ACTION ||
action == Contrast::Utils::Assess::PropagationMethodUtils::DB_WRITE_ACTION ||
sources.any? { |source| source.is_a?(Integer) || source.is_a?(Symbol) } ||
targets.any? { |target| target.is_a?(Integer) || target.is_a?(Symbol) }
end
@_needs_args
end
# This is a tagger if it has a tag or an untag.
# It indicates this method is more than just a transformation,
# it is an interesting security event that has a meaningful
# change.
def tagger?
@_tagger = tags&.any? || untags&.any? if @_tagger.nil?
@_tagger
end
end
end
end
end
end