
# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

cs__scoped_require 'contrast/components/interface'

module Contrast
  module CoreExtensions
    module Protect
      # Entry point for the Deserialization protect rule. The patches applied to
      # the targeted deserialization methods call into this module, which decides
      # whether the rule's infilter / command-scope checks should run at all.
      #
      # Both public methods return nil without touching the rule when there is no
      # request context with a loaded application, or when the rule is missing or
      # disabled; the patched call is presumably left to proceed in that case.
      module AppliesDeserializationRule
        include Contrast::Components::Interface
        access_component :logging, :analysis

        class << self
          # Run the untrusted-deserialization rule against the first argument of
          # a patched deserialization method.
          #
          # Only a String payload is inspected (see valid_input?); any other input
          # type is not analysed by this path — TODO confirm that is intended for
          # every patched method (e.g. ones that can also take an IO).
          #
          # @param method name of the patched method; used only in the log message
          # @param _exception unused
          # @param _properties unused
          # @param object receiver of the patched method; used only in the log message
          # @param args arguments given to the patched method; args[0] is the payload
          # @return [nil]
          # @raise [Contrast::SecurityException] re-raised unchanged when the rule raises it
          def apply_deserialization_rule(method, _exception, _properties, object, args)
            return unless valid_input?(args) && !skip_analysis?

            rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, args[0])
          rescue Contrast::SecurityException
            # A security exception from the rule must reach the caller untouched;
            # a bare raise re-raises the current exception with its backtrace.
            raise
          rescue StandardError => e
            # Any other failure inside the rule is logged and swallowed, so an
            # analysis error does not itself break the application call.
            logger.error(e, "Error running untrusted-deserialization rule in #{ object }.#{ method }")
          end

          # Check a command against the rule's command scope.
          #
          # Unlike apply_deserialization_rule, nothing is rescued here: errors
          # raised by the rule propagate to the caller.
          #
          # @param command the command to check; a nil/false command is ignored
          # @return the result of rule.check_command_scope, or nil when skipped
          def apply_deserialization_command_check(command)
            return unless command && !skip_analysis?

            rule.check_command_scope(command)
          end

          private

          # The Deserialization rule, looked up from the protect component on
          # every call (not memoised). Callers treat a nil result as "disabled".
          def rule
            PROTECT.rule(Contrast::Agent::Protect::Rule::Deserialization::NAME)
          end

          # True only when args holds at least one truthy element and its first
          # element is a String; nil, empty and non-String payloads are rejected.
          def valid_input?(args)
            return false if args.nil? || args.none?

            args[0].is_a?(String)
          end

          # Analysis is skipped unless a request context with a loaded app is
          # present and the rule is found and enabled. The rule lookup only
          # happens once the context check has passed.
          def skip_analysis?
            context = Contrast::Agent::REQUEST_TRACKER.current
            !(context&.app_loaded? && rule&.enabled?)
          end
        end
      end
    end
  end
end
