# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details. # frozen_string_literal: true module Contrast module Components # This component encapsulates the statefulness of settings. # When we say 'settings', we're referring specifically to external # directives (likely provided by TeamServer) about product operation. # 'Settings' is not a generic term for 'configurable stuff'. module Settings # This is a class. class Interface include Contrast::Components::ComponentBase include Contrast::Components::Interface access_component :config attr_reader :assess_rules, :protect_rules # Other stateful information that doesn't yet cleanly fit anywhere: # tainted_columns are database columns that receive unsanitized input. # this statefulness attr_reader :tainted_columns # This can probably go into assess_state? # These three 'state' variables represent atomic config/setting state, # outside of things like rule defs. def assess_state @assess_state ||= { # rubocop:disable Naming/MemoizedInstanceVariableName enabled: false, sampling_features: nil } end def protect_state @protect_state ||= { # rubocop:disable Naming/MemoizedInstanceVariableName enabled: false } end def application_state @application_state ||= { # rubocop:disable Naming/MemoizedInstanceVariableName modes_by_id: Hash.new(:NO_ACTION), exclusion_matchers: [], disabled_assess_rules: [] } end # These are settings that we receive & store. # Rules are settings too, but they're more involved. # So, between this block and rules, that's setting state. PROTECT_STATE_ATTRS = %i[].cs__freeze ASSESS_STATE_ATTRS = %i[sampling_features].cs__freeze APPLICATION_STATE_ATTRS = %i[modes_by_id exclusion_matchers disabled_assess_rules].cs__freeze # Meta-define an accessor for each state attribute. begin PROTECT_STATE_ATTRS.each do |attr| define_method(attr) do protect_state[attr] end end ASSESS_STATE_ATTRS.each do |attr| define_method(attr) do assess_state[attr] end end APPLICATION_STATE_ATTRS.each do |attr| define_method(attr) do application_state[attr] end end end def initialize reset_state end def protect_enabled? @_protect_enabled = !!protect_state[:enabled] if @_protect_enabled.nil? @_protect_enabled end def assess_enabled? @_assess_enabled = !!assess_state[:enabled] if @_assess_enabled.nil? @_assess_enabled end def code_exclusions exclusion_matchers.select(&:code?) end def update_from_server_features server_features # protect begin @_protect_enabled = nil protect_state[:enabled] = server_features.protect_enabled? end # assess begin @_assess_enabled = nil assess_state[:enabled] = server_features.assess_enabled? assess_state[:sampling_settings] = server_features.assess.sampling Contrast::Utils::Assess::SamplingUtil.instance.update end end def update_from_application_settings application_settings application_state.merge!(application_settings.application_state_translation) end # Wipe state to zero. def reset_state @assess_rules = {} @protect_rules = {} @tainted_columns = {} @assess_state = nil @protect_state = nil @application_state = nil end def build_assess_rules @assess_rules = {} Contrast::Agent::Assess::Rule::Redos.new end def build_protect_rules @protect_rules = {} # rules Contrast::Agent::Protect::Rule::CmdInjection.new Contrast::Agent::Protect::Rule::Deserialization.new Contrast::Agent::Protect::Rule::HttpMethodTampering.new Contrast::Agent::Protect::Rule::NoSqli.new Contrast::Agent::Protect::Rule::PathTraversal.new Contrast::Agent::Protect::Rule::Sqli.new Contrast::Agent::Protect::Rule::UnsafeFileUpload.new Contrast::Agent::Protect::Rule::Xss.new Contrast::Agent::Protect::Rule::Xxe.new end end COMPONENT_INTERFACE = Interface.new end end end