# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

cs__scoped_require 'contrast/agent/protect/rule/base_service'

module Contrast
  module Agent
    module Protect
      module Rule
        # The Ruby implementation of the Protect NoSQL Injection rule.
        class NoSqli < Contrast::Agent::Protect::Rule::BaseService
          NAME = 'nosql-injection'
          BLOCK_MESSAGE = 'NoSQLi rule triggered. Response blocked.'

          def name
            NAME
          end

          def block_message
            BLOCK_MESSAGE
          end

          def infilter context, database, query_string
            return nil unless infilter?(context)

            result = find_attacker(context, query_string, database: database)
            return nil unless result

            append_to_activity(context, result)

            raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
          end

          def build_attack_with_match context, input_analysis_result, result, query_string, **kwargs
            return result if mode == :NO_ACTION || mode == :PERMIT

            attack_string = input_analysis_result.value
            regexp = Regexp.new(Regexp.escape(attack_string), Regexp::IGNORECASE)
            return nil unless query_string.match?(regexp)

            scanner = select_scanner
            ss = StringScanner.new(query_string)
            length = attack_string.length
            while ss.scan_until(regexp)
              # the pos of StringScanner is at the end of the regexp (input string),
              # we need the beginning
              idx = ss.pos - attack_string.length
              last_boundary, boundary = scanner.crosses_boundary(query_string, idx, input_analysis_result.value)
              next unless last_boundary && boundary

              kwargs[:start_idx] = idx
              kwargs[:end_idx] = idx + length
              kwargs[:boundary_overrun_idx] = boundary
              kwargs[:input_boundary_idx] = last_boundary

              result ||= build_attack_result(context)
              update_successful_attack_response(context, input_analysis_result, result, query_string)
              append_sample(context, input_analysis_result, result, query_string, **kwargs)
            end

            result
          end

          protected

          def find_attacker context, potential_attack_string, **kwargs
            if potential_attack_string
              # We need the query hash to be a JSON string to match on JSON input attacks
              begin
                potential_attack_string = JSON.generate(potential_attack_string).to_s
              rescue JSON::GeneratorError
                logger.trace('Error in JSON::generate', input: potential_attack_string)
                nil
              end
            end
            super(context, potential_attack_string, **kwargs)
          end

          def build_sample context, input_analysis_result, candidate_string, **kwargs
            input = input_analysis_result.value

            sample = build_base_sample(context, input_analysis_result)
            sample.no_sqli = Contrast::Api::Dtm::NoSqlInjectionDetails.new
            sample.no_sqli.query = Contrast::Utils::StringUtils.protobuf_safe_string(candidate_string)
            sample.no_sqli.start_idx = sample.no_sqli.query.index(input).to_i
            sample.no_sqli.boundary_overrun_idx = sample.no_sqli.start_idx + input.length
            sample.no_sqli.input_boundary_idx = kwargs[:boundary].to_i
            sample.no_sqli.input_boundary_idx = kwargs[:last_boundary].to_i
            sample
          end

          private

          def select_scanner
            @_select_scanner ||= Contrast::Agent::Protect::Rule::NoSqli::MongoNoSqlScanner.new
          end
        end
      end
    end
  end
end