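# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

module Contrast
  module Agent
    module Assess
      module Policy
        module Trigger
          # Trigger handling the special cases of the XPath library gem and the
          # Oga gem. Those libraries receive their (possibly untrusted) input as
          # a splat argument or as an options Hash rather than as a single
          # String, so a generic single-argument trigger would miss it. These
          # methods walk the individual values, ask the Tracker whether any of
          # them carries tracked (tainted) data, and build a finding for each
          # one that violates the trigger node's rule.
          #
          # Only values that are directly a String or Symbol are inspected;
          # nested Arrays/Hashes inside the arguments are not descended into.
          class Xpath
            class << self
              # Trigger for the XPath gem, where the expression inputs arrive as
              # a splat.
              #
              # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
              #   the node whose rule is checked via #violated?
              # @param _source [Object] unused; kept for trigger signature parity
              # @param object [Object] the receiver of the patched method
              # @param ret [Object] the return value of the patched method
              # @param args [Array<Object>] the arguments of the patched method
              # @return [Object] ret, unchanged
              def xpath_expression_trigger trigger_node, _source, object, ret, *args
                # A splat parameter is always an Array, so test for emptiness
                # rather than nil-ness; the old `unless args` guard never fired.
                return ret if args.empty?

                process(trigger_node, object, ret, *args)
              end

              # Trigger for the Oga gem. Oga::XML::CharacterNode#initialize takes
              # an options Hash, so the Hash's values are what get inspected
              # (its keys are not).
              #
              # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
              #   the node whose rule is checked via #violated?
              # @param _source [Object] unused; kept for trigger signature parity
              # @param object [Object] the receiver of the patched method
              # @param ret [Object] the return value of the patched method
              # @param args [Array<Object>] the arguments of the patched method;
              #   when the first one is a Hash its values replace the list
              # @return [Object] ret, unchanged
              def xpath_oga_trigger trigger_node, _source, object, ret, *args
                return ret if args.empty?

                # flatten the options Hash into its values so each can be
                # checked for tracked data like a positional argument
                args = args.first.values if args.first.cs__is_a?(Hash)
                process(trigger_node, object, ret, *args)
              end

              private

              # Inspect each argument and report a finding for every tracked
              # String/Symbol that violates the trigger node's rule. Non-String,
              # non-Symbol values and untracked values are skipped.
              #
              # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
              # @param object [Object] the receiver of the patched method
              # @param ret [Object] the return value of the patched method
              # @param args [Array<Object>] the values to inspect
              # @return [Object] ret, unchanged
              def process trigger_node, object, ret, *args
                args.each do |arg|
                  next unless arg.cs__is_a?(String) || arg.cs__is_a?(Symbol)
                  next unless Contrast::Agent::Assess::Tracker.tracked?(arg)
                  next unless trigger_node.violated?(arg)

                  # the full argument list is attached so the finding carries
                  # the surrounding context, not just the offending value
                  Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(trigger_node, arg, object, ret, *args)
                end
                ret
              end
            end
          end
        end
      end
    end
  end
end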
Version data entries
2 entries across 2 versions & 1 rubygems
Version | Path |
---|---|
contrast-agent-4.9.1 | lib/contrast/agent/assess/policy/trigger/xpath.rb |
contrast-agent-4.9.0 | lib/contrast/agent/assess/policy/trigger/xpath.rb |