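# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

module Contrast
  module Agent
    module Assess
      module Policy
        # Translates a source entry from policy.json into an actionable Ruby
        # object, allowing for dynamic patching over hardcoded patching.
        # Sources are the methods whose results carry untrusted data, i.e. the
        # points in the application where user-controlled input is accessed.
        class SourceNode < PolicyNode
          # Key in the policy entry holding the input type (e.g. parameter).
          # This is not the node's propagation type; see #node_type.
          JSON_TYPE = 'type'
          # Tag appended to this node's tags so data it creates is marked untrusted.
          SOURCE_TAG = 'UNTRUSTED'
          # Value returned by #node_class.
          SOURCE = 'Source'

          # The input type read from the policy entry under JSON_TYPE.
          attr_accessor :type

          # @param source_hash [Hash] one source entry from policy.json
          def initialize(source_hash = {})
            super(source_hash)
            @type = source_hash[JSON_TYPE]
            # every source marks what it produces as untrusted
            @tags << SOURCE_TAG
          end

          # @return [String] the policy node class name for sources
          def node_class
            SOURCE
          end

          # This is confusing. Sources are Creation action but Propagation
          # type. Oh and also Type refers to input type, like parameter, so
          # the propagation kind has to be exposed under the node_type name. :-/
          #
          # @return [Symbol] :TYPE_PROPAGATION
          def node_type
            :TYPE_PROPAGATION
          end

          # Standard PolicyNode validation plus the TS trace version two
          # rules: a source must have at least one target and a type.
          #
          # @raise [ArgumentError] if the node has no target or no type
          def validate
            super
            raise(ArgumentError, "Source #{ id } did not have a proper target. Unable to create.") unless targets&.any?
            raise(ArgumentError, "Source #{ id } did not have a proper type. Unable to create.") unless type
          end
        end
      end
    end
  end
end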