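# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

module Contrast
  module Agent
    module Assess
      module Rule
        # The Ruby implementation of the CSRF Assess Rule.
        #
        # Records the state-changing database queries issued while a request is
        # handled (at most ACTION_LIMIT of them) on the request context. The
        # reporting side of the rule lives in the ResponseScanningRule parent and
        # is not in this file; presumably it pairs these records with whether a
        # CSRF token check (CHECKED) was observed.
        class Csrf < Contrast::Agent::Assess::Rule::ResponseScanningRule
          NAME = 'csrf'

          # @return [String] the rule's identifier
          def name
            NAME
          end

          # Action type recorded for a state-changing database query.
          DB_STATE_CHANGE = 'db'
          # Maximum number of state-changing actions kept per request; once
          # reached, further matching queries in the request are ignored.
          ACTION_LIMIT = 3
          # Maximum number of query characters retained as evidence.
          QUERY_SIZE_LIMIT = 50
          # Context property under which the recorded actions are stored.
          STATE_CHANGING_ACTIONS_KEY = 'csrf.statechange.actions'

          # Record a database query as a state-changing action on the request
          # context when it looks like one and the per-request limit has not
          # been reached. Does nothing when +context+ is nil.
          #
          # @param context [Object] request context exposing get_property /
          #   add_property (assumed to be the agent's request context)
          # @param query [String] SQL text about to be executed; only a bounded
          #   prefix of it is kept as evidence
          def record_db_state_change context, query
            return unless context

            changes = context.get_property(STATE_CHANGING_ACTIONS_KEY) || []
            return unless changes.length < ACTION_LIMIT
            return unless state_change?(query)

            action = Contrast::Agent::Assess::Rule::Csrf::CsrfAction.new
            action.type = DB_STATE_CHANGE
            # Keep exactly QUERY_SIZE_LIMIT characters: the inclusive range
            # 0..QUERY_SIZE_LIMIT would retain one more than the limit's name
            # promises.
            action.evidence = query[0, QUERY_SIZE_LIMIT]
            changes << action
            context.add_property(STATE_CHANGING_ACTIONS_KEY, changes)
          end

          # Leading SQL keywords treated as state changing.
          # NOTE(review): this is a plain prefix list, so statements beginning
          # with MERGE, REPLACE, TRUNCATE, a CTE (WITH ... INSERT) or a leading
          # SQL comment are not recognised; extend it deliberately if they
          # matter for the applications being monitored.
          STATE_CHANGE_QUERY_ACTIONS = %w[
            insert update delete drop create alter upsert
          ].cs__freeze

          # Returns true if the given query, ignoring leading whitespace and
          # letter case, starts with any of the STATE_CHANGE_QUERY_ACTIONS
          # listed above.
          #
          # @param query [String, nil] SQL text; anything that is not a
          #   non-empty String is reported as not state changing
          # @return [Boolean]
          def state_change? query
            return false unless query.is_a?(String) && !query.empty?

            # lstrip so an indented or newline-led statement is still detected.
            query.lstrip.downcase.start_with?(*STATE_CHANGE_QUERY_ACTIONS)
          end

          # some watchers keep state and need to be reset in each request.
          # this one is not one of those, so a single instance is memoized.
          #
          # @return [Contrast::Agent::Assess::Rule::Csrf::Watcher]
          def watcher
            @_watcher ||= Contrast::Agent::Assess::Rule::Csrf::Watcher.new
          end

          # Context property indicating this request has been checked for a
          # CSRF token.
          CHECKED = 'csrf.token.checked'
        end
      end
    end
  end
end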