# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

require 'contrast/utils/object_share'
require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload'
require 'contrast/agent/protect/input_analyzer/input_analyzer'
require 'contrast/agent/protect/rule/input_classification/base'

module Contrast
  module Agent
    module Protect
      module Rule
        # Input Classification stage of the Unsafe File Upload Protect rule.
        #
        # Each multipart input handed to this module is scored by AgentLib; the
        # resulting InputAnalysisResult is marked DEFINITEATTACK when the score
        # reaches THRESHOLD and IGNORE otherwise. Attack results additionally carry
        # UNSAFE_UPLOAD_MATCH in their ids so the match can be traced back to this rule.
        module UnsafeFileUploadInputClassification
          # Identifier appended to a result's ids when the input scores as an attack.
          UNSAFE_UPLOAD_MATCH = 'unsafe-file-upload-input-tracing-v1'

          class << self
            include Contrast::Agent::Protect::Rule::InputClassification::Base

            private

            # Scores one input by calling straight into AgentLib.
            #
            # Every input handled by this rule is evaluated against the MULTIPART_NAME
            # input set regardless of the reported input type; the type is only consulted
            # later, in build_ia_result, to choose the result key.
            #
            # @param rule_id [String] The name of the Protect Rule.
            # @param _input_type [Contrast::Agent::Reporting::InputType] The type of the user input (unused here).
            # @param value [String, Array] the value of the input.
            # @return [Contrast::AgentLib::EvalResult] the AgentLib evaluation of +value+.
            def build_input_eval rule_id, _input_type, value
              agent_lib = Contrast::AGENT_LIB
              agent_lib.eval_input(value,
                                   agent_lib.input_set[:MULTIPART_NAME],
                                   agent_lib.rule_set[rule_id],
                                   agent_lib.eval_option[:NONE])
            end

            # Builds the rule-specific InputAnalysisResult from an AgentLib evaluation.
            #
            # The score level is DEFINITEATTACK when +input_eval.score+ is at least
            # THRESHOLD (in which case UNSAFE_UPLOAD_MATCH is also recorded in ids),
            # and IGNORE otherwise. The result key names which part of the multipart
            # Content-Disposition was inspected: the filename for MULTIPART_FIELD_NAME,
            # the field name for MULTIPART_NAME, and an empty string for any other type.
            #
            # @param rule_id [String] The name of the Protect Rule.
            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
            # @param value [String, Array] the value of the input.
            # @param request [Contrast::Agent::Request] the current request context.
            # @param input_eval [Contrast::AgentLib::EvalResult] the result of the input evaluation.
            # @return [Contrast::Agent::Reporting::InputAnalysisResult] the classified result.
            def build_ia_result rule_id, input_type, value, request, input_eval
              result = new_ia_result(rule_id, input_type, request.path, value)
              attack = input_eval.score >= THRESHOLD

              result.score_level = attack ? DEFINITEATTACK : IGNORE
              result.ids << UNSAFE_UPLOAD_MATCH if attack
              result.key =
                case input_type
                when MULTIPART_FIELD_NAME then Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_FILENAME
                when MULTIPART_NAME then Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_NAME
                else Contrast::Utils::ObjectShare::EMPTY_STRING
                end

              result
            end
          end
        end
      end
    end
  end
end