Sha256: 34f1fa081c08fa91a4e86b50a2f733ffa44eb13b9a16a73b020ae5eea35e710c
Contents?: true
Size: 1.7 KB
Versions: 1
Compression:
Stored size: 1.7 KB
Contents
```ruby
# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

cs__scoped_require 'contrast/utils/object_share'
cs__scoped_require 'contrast/components/interface'

module Contrast
  module Agent
    module Assess
      module Rule
        class Csrf
          # This class is called by our patches to determine if a CSRF
          # vulnerability exists within an application. It is used through a
          # CUSTOM propagation in order to capture that a Database call was
          # made in response to a request that did not have the Contrast CSRF
          # token.
          class CsrfApplicator
            include Contrast::Components::Interface
            access_component :analysis, :logging, :scope

            class << self
              def csrf_tagger patcher, preshift, _ret, _block
                return unless rule&.enabled?

                # patcher.sources[0] is used as the index of the argument
                # that holds the SQL statement.
                idx = patcher.sources[0].to_i
                args = preshift.args
                return unless args&.length.to_i > idx

                sql = args[idx]
                return unless sql

                with_contrast_scope do
                  rule.record_db_state_change(
                      Contrast::Agent::REQUEST_TRACKER.current, sql)
                end
              rescue StandardError => e
                # A failure in the rule is logged rather than raised into
                # the patched call.
                logger.warn('Error running CSRF assess rule', e)
              end

              private

              # Memoized lookup of the CSRF assess rule.
              def rule
                @_rule ||= Contrast::Agent::FeatureState.instance.assess_rule(
                    Contrast::Agent::Assess::Rule::Csrf::NAME)
              end
            end
          end
        end
      end
    end
  end
end
```
Version data entries
1 entries across 1 versions & 1 rubygems
Version | Path |
---|---|
contrast-agent-3.11.0 | lib/contrast/agent/assess/rule/csrf/csrf_applicator.rb |