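# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

require 'contrast/components/interface'

module Contrast
  module Extension
    module Assess
      # Assess-side support for the Marshal.load patch. Marshal.load is an
      # object-deserialization sink, so when its input is tracked data this
      # class reports a finding for the 'Marshal'/:load trigger and copies
      # the tracking onto the deserialized result so later sinks still see it.
      # Disclaimer: there may be a better way, but we're in a 'get it work' state.
      # Hopefully, we'll be in a 'get it right' state soon.
      class MarshalPropagator
        include Contrast::Components::Interface
        access_component :logging

        class << self
          # Trigger check run after Marshal.load returns.
          #
          # Does nothing unless there is a current request context and the
          # serialized input is tracked. Otherwise it reports a finding for
          # the 'Marshal'/:load trigger node and then propagates the input's
          # tracking onto the result. Any error is logged, never raised to
          # the patched call site.
          #
          # @param source [Object] the serialized data handed to Marshal.load
          # @param ret [Object] the value Marshal.load returned
          def cs__load_trigger_check(source, ret)
            current_context = Contrast::Agent::REQUEST_TRACKER.current
            return unless current_context
            # Since we know this is the source of the trigger, we can do some
            # optimization here and return when it is not tracked
            return unless Contrast::Agent::Assess::Tracker.tracked?(source)

            # source might not be all the args passed in, but it is the one we
            # care about. we could pass in all the args in the last param here
            # if it becomes an issue in rendering on TS
            args = [source]
            Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(
                current_context, trigger_node('Marshal', :load), source, self, ret, args)

            properties = Contrast::Agent::Assess::Tracker.properties(ret)
            # Tracker.properties may return nil for a result that cannot carry
            # tracking state; the finding is already reported, so skip the
            # propagation step instead of raising into the rescue below.
            return unless properties

            properties.copy_from(source, ret)
            node = Contrast::Agent::Assess::Policy::Policy.instance.find_propagator_node('Marshal', :load, false)
            properties.build_event(node, ret, self, ret, args)
          rescue StandardError => e
            logger.error('Unable to determine if a trigger occurred in Marshal.load', e)
          end

          # Load the extension that installs the Marshal.load patch.
          #
          # Memoized: the require runs once. When it raises, the exception
          # leaves @_instrument_marshal_load unset, so the error is logged,
          # false is returned and a later call retries. LoadError is listed
          # explicitly because it is not a StandardError.
          #
          # @return [Boolean] true once the extension has been required
          def instrument_marshal_load
            @_instrument_marshal_load ||= begin
              require 'cs__assess_marshal_module/cs__assess_marshal_module'
              true
            end
          rescue StandardError, LoadError => e
            logger.error('Error loading marshal load patch', e)
            false
          end

          # Find the trigger policy node for the given class and method.
          #
          # @param clazz [String] class name as written in the policy, e.g. 'Marshal'
          # @param method [Symbol] method name, e.g. :load
          # @return [Object, nil] the matching trigger node, or nil when the
          #   policy has no triggers or none matches
          def trigger_node(clazz, method)
            triggers = Contrast::Agent::Assess::Policy::Policy.instance.triggers
            return unless triggers

            triggers.find { |node| node.class_name == clazz && node.method_name == method }
          end
        end
      end
    end
  end
end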