# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

require 'contrast/agent/protect/rule/base_service'
require 'contrast/agent/request_context'
require 'contrast/utils/object_share'
require 'contrast/agent/protect/rule/cmdi/cmdi_base_rule'

module Contrast
  module Agent
    module Protect
      module Rule
        # The Ruby implementation of the Protect Command Injection Semantic
        # Dangerous Path sub-rule.
        #
        # This rule reports when the command string handed to it is judged by
        # the native agent library (Contrast::AGENT_LIB#dangerous_path?) to
        # touch a dangerous path. The decision is delegated entirely to that
        # library; nothing in this class inspects the string itself, and the
        # input-analysis results passed by the base rule are not consulted.
        class CmdiDangerousPath < Contrast::Agent::Protect::Rule::CmdiBaseRule
          NAME = 'cmd-injection-semantic-dangerous-paths'

          # @return [String] the identifier this rule reports under.
          def rule_name
            NAME
          end

          # This is itself a sub-rule, so it has no sub-rules of its own.
          #
          # @return [Array] a shared, frozen empty array.
          def sub_rules
            Contrast::Utils::ObjectShare::EMPTY_ARRAY
          end

          protected

          # Builds and raises the exception used when this rule blocks a call.
          # Presumably invoked by the base rule only in block mode -- confirm
          # against CmdiBaseRule.
          #
          # @param classname [String] Name of the class
          # @param method [String] name of the method triggering the rule
          # @raise [Contrast::SecurityException] always
          def raise_error classname, method
            message = "Command Injection Dangerous Path rule triggered. Call to #{ classname }.#{ method } blocked."
            raise Contrast::SecurityException.new(self, message)
          end

          private

          # Decides whether the given command string constitutes an attack for
          # this sub-rule.
          #
          # @param context [Contrast::Agent::RequestContext] the current request context
          # @param potential_attack_string [String] the command string under evaluation
          # @param _ia_results [Array] input-analysis results; unused by this
          #   sub-rule, which relies solely on the dangerous-path verdict
          # @param kwargs [Hash] forwarded unchanged to #build_attack_with_match
          # @return the attack built by #build_attack_with_match when a dangerous
          #   path is detected, otherwise nil
          def find_probable_attacker context, potential_attack_string, _ia_results, **kwargs
            # No matcher or match index is available here (nil, nil): the
            # verdict comes from the agent library, not from a pattern match.
            build_attack_with_match(context, nil, nil, potential_attack_string, **kwargs) if dangerous_path?(potential_attack_string)
          end

          # Asks the native agent library whether a shell command is trying to
          # access a dangerous path. This is used for the
          # cmd-injection-semantic-dangerous-paths rule.
          #
          # @param path [String] the command string to check.
          # @return [Boolean] true if a dangerous path is found; false when no
          #   dangerous path is found, when the agent library is unavailable, or
          #   when no path is given.
          def dangerous_path? path
            agent_lib = Contrast::AGENT_LIB
            # Without the native library there is nothing to consult, so fail
            # open (report nothing) rather than raise.
            return false unless agent_lib && path

            agent_lib.dangerous_path?(path)
          end
        end
      end
    end
  end
end