Sha256: 5f925639a15ba14b55ce430ffce65a5ff1d17812816cf2941c0a1824d93c4c4b
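# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

cs__scoped_require 'contrast/components/interface'

module Contrast
  module CoreExtensions
    module Protect
      # This Module is how we apply the Deserialization rule. It is called from
      # our patches of the targeted methods in which deserialization occurs.
      # It is responsible for deciding if the infilter methods of the rule
      # should be invoked.
      #
      # Gating is deliberately fail-open for the application: analysis is
      # skipped when there is no loaded request context or the rule is absent
      # or disabled, and any agent-side StandardError is logged rather than
      # allowed to escape into the instrumented method. Only
      # Contrast::SecurityException (the rule's own block signal) propagates.
      module AppliesDeserializationRule
        include Contrast::Components::Interface
        access_component :logging, :analysis

        class << self
          # Entry point for the patches of deserialization methods. Runs the
          # rule's infilter on the first argument when it is a String and
          # analysis is not being skipped.
          #
          # @param method [Symbol, String] name of the patched method; used only
          #   in the error log message
          # @param _exception unused; kept for the patch call signature
          # @param _properties unused; kept for the patch call signature
          # @param object receiver of the patched call; used only in the error
          #   log message
          # @param args [Array, nil] arguments the patched method was invoked
          #   with; args[0] is the payload handed to the rule
          # @raise [Contrast::SecurityException] re-raised untouched so block
          #   mode can abort the deserialization
          # @return [Object, nil] whatever rule.infilter returns, or nil when
          #   the input is not a String or analysis is skipped
          def cs__patched_apply_deserialization_rule(method, _exception, _properties, object, args)
            return unless valid_input?(args)
            return if cs__skip_analysis?

            rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, args[0])
          rescue Contrast::SecurityException
            # Bare raise re-raises the in-flight exception, backtrace intact.
            raise
          rescue StandardError => e
            # Agent failures must never break the application's deserialization call.
            logger.error(e, "Error running untrusted-deserialization rule in #{ object }.#{ method }")
          end

          # Entry point for patches that hand the rule a command value before
          # it is acted on. Asks the rule whether the command is within its
          # scope, unless the command is missing or analysis is skipped.
          # What "command" denotes is fixed by the patch call site — TODO confirm.
          #
          # @param command the value the patched call site passed as its
          #   command; nil/false is ignored
          # @raise [Contrast::SecurityException] re-raised untouched
          # @return [Object, nil] result of rule.check_command_scope, or nil
          #   when skipped or when an agent error was logged instead
          def cs__patched_apply_deserialization_command_check(command)
            return unless command
            return if cs__skip_analysis?

            rule.check_command_scope(command)
          rescue Contrast::SecurityException
            raise
          rescue StandardError => e
            # Mirrors cs__patched_apply_deserialization_rule: without this, an
            # agent error here propagated into the instrumented method.
            logger.error(e, 'Error running untrusted-deserialization command check')
          end

          # @return [Contrast::Agent::Protect::Rule::Deserialization, nil] the
          #   Deserialization rule looked up from the PROTECT component; the
          #   nil-safe call in cs__skip_analysis? indicates it can be nil
          def rule
            PROTECT.rule(Contrast::Agent::Protect::Rule::Deserialization::NAME)
          end

          # @param args [Array, nil] the patched method's arguments
          # @return [Boolean] true only when there is a first argument and it
          #   is a String. Non-String payloads (such as an IO object handed to
          #   the deserializer) are not inspected by this rule.
          def valid_input?(args)
            return false unless args&.any?

            args[0].is_a?(String)
          end

          # @return [Boolean] true when the rule should not run: no current
          #   request context, the application has not finished loading, or
          #   the rule is absent or disabled
          def cs__skip_analysis?
            context = Contrast::Agent::REQUEST_TRACKER.current
            return true unless context&.app_loaded?
            return true unless rule&.enabled?

            false
          end
        end
      end
    end
  end
end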
Version data entries
2 entries across 2 versions & 1 rubygems
Version | Path |
---|---|
contrast-agent-3.8.5 | lib/contrast/core_extensions/protect/applies_deserialization_rule.rb |
contrast-agent-3.8.4 | lib/contrast/core_extensions/protect/applies_deserialization_rule.rb |