Sha256: 65922f3d6aadb841092e98021182d7acedd471fb1e7c0395545172f0b85e6b74
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

module Contrast
  module Agent
    module Assess
      module Policy
        # Policy node for a source: a method through which untrusted,
        # user-controlled input enters the application. Instances are built
        # from entries of policy.json so that patching can be driven by the
        # policy file rather than hardcoded.
        #
        # Every SourceNode appends the UNTRUSTED tag to its tag collection
        # at construction time.
        class SourceNode < PolicyNode
          # Key in the policy hash holding the source's input type.
          JSON_TYPE = 'type'
          # Tag appended to every source node.
          SOURCE_TAG = 'UNTRUSTED'
          # Value reported by #node_class.
          SOURCE = 'Source'

          # Input type of this source, read from the policy entry under
          # JSON_TYPE. Distinct from #node_type.
          attr_accessor :type

          # @param source_hash [Hash] the policy entry describing this source;
          #   it is passed to PolicyNode#initialize unchanged.
          def initialize(source_hash = {})
            super(source_hash)
            @type = source_hash[JSON_TYPE]
            # @tags is not assigned in this class; presumably the superclass
            # initializer sets it up before this line runs.
            @tags << SOURCE_TAG
          end

          # @return [String] the node class label, 'Source'
          def node_class
            SOURCE
          end

          # Sources are a creation action, yet they are reported with the
          # propagation type. The name `type` is already taken by the input
          # type (e.g. parameter), hence `node_type`.
          #
          # @return [Symbol] :TYPE_PROPAGATION
          def node_type
            :TYPE_PROPAGATION
          end

          # Runs the inherited validation, then enforces the two rules that
          # are specific to sources: at least one target, and a type.
          #
          # @raise [ArgumentError] if there are no targets or no type
          def validate
            super
            unless targets&.any?
              raise ArgumentError, "Source #{ id } did not have a proper target. Unable to create."
            end
            return if type

            raise ArgumentError, "Source #{ id } did not have a proper type. Unable to create."
          end
        end
      end
    end
  end
end