# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

module Contrast
  module Agent
    module Assess
      module Policy
        # Policy node describing a *source*: a method whose return value (or
        # other target) carries user-controlled input into the application.
        # Instances are built from the `policy.json` entries so that sources
        # can be patched dynamically instead of being hardcoded. Every
        # SourceNode tags the data it introduces as UNTRUSTED, which is the
        # starting point for tracking that data through propagators and into
        # triggers.
        class SourceNode < PolicyNode
          # Keys used in the source hash (beyond those presumably supplied by
          # PolicyNode, e.g. JSON_CLASS_NAME / JSON_TARGET, which are not
          # defined in this file).
          JSON_TYPE = 'type'
          JSON_SOURCE_NAME = 'source_name'

          # Tag applied to every value produced by a source.
          SOURCE_TAG = 'UNTRUSTED'
          # Input type recorded for dynamically discovered database sources.
          DB_SOURCE_TYPE = 'TAINTED_DATABASE'
          # Human readable node class, reported by #node_class.
          SOURCE = 'Source'

          # Input type of the source (e.g. a parameter kind); read from the
          # JSON_TYPE key of the source hash and required by #validate.
          attr_accessor :type

          # Build a SourceNode for a source discovered at runtime (a tainted
          # database read) rather than one declared in policy.json.
          #
          # @param _id [Object] unused; kept for call-site compatibility
          # @param dynamic_source [#class_name, #method_name, #instance_method,
          #   #target, #properties] description of the discovered source
          # @return [Contrast::Agent::Assess::Policy::SourceNode]
          def self.build_dynamic_source(_id, dynamic_source)
            attributes = {}
            attributes[JSON_CLASS_NAME] = dynamic_source.class_name
            attributes[JSON_METHOD_NAME] = dynamic_source.method_name
            attributes[JSON_INSTANCE_METHOD] = dynamic_source.instance_method
            # Dynamic sources are always database reads and always public.
            attributes[JSON_TYPE] = DB_SOURCE_TYPE
            attributes[JSON_METHOD_VISIBILITY] = 'public'
            attributes[JSON_TARGET] = dynamic_source.target
            attributes[JSON_PROPERTIES] = dynamic_source.properties
            Contrast::Agent::Assess::Policy::SourceNode.new(attributes)
          end

          # @param source_hash [Hash] one source entry from policy.json
          def initialize(source_hash = {})
            super(source_hash)
            @type = source_hash[JSON_TYPE]
            # @tags is assumed to be initialised by PolicyNode#initialize.
            @tags << SOURCE_TAG
          end

          # @return [String] the node class name, 'Source'
          def node_class
            SOURCE
          end

          # Sources are a creation action but carry a propagation type; the
          # name `node_type` is used because `type` already means the input
          # type (parameter, header, ...) on this node.
          #
          # @return [Symbol] :TYPE_PROPAGATION
          def node_type
            :TYPE_PROPAGATION
          end

          # Run the PolicyNode validation and the additional trace-version-two
          # rules for sources: a source must name at least one target and must
          # declare an input type.
          #
          # @raise [ArgumentError] when no target or no type is present
          def validate
            super
            raise ArgumentError, "Source #{ id } did not have a proper target. Unable to create." if missing_target?
            raise ArgumentError, "Source #{ id } did not have a proper type. Unable to create." if missing_type?
          end

          private

          # True when `targets` is nil or holds no truthy element.
          def missing_target?
            targets.nil? || !targets.any?
          end

          # True when no input type was provided in the source hash.
          def missing_type?
            !type
          end
        end
      end
    end
  end
end