Sha256: b64915ba93b06ac13da54affa304145a01aea3443399dca6efcddaf19292fd7d
Contents?: true
Size: 1.89 KB
Versions: 2
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

require 'contrast/agent/protect/rule/sqli'
require 'contrast/agent/protect/policy/rule_applicator'

module Contrast
  module Agent
    module Protect
      module Policy
        # Applies the SQL Injection Protect rule. The patches placed on the
        # methods that execute String-based SQL queries call into this class,
        # which decides whether the rule's infilter methods should run for the
        # intercepted call and, if so, hands the query to the rule.
        class AppliesSqliRule
          extend Contrast::Agent::Protect::Policy::RuleApplicator

          DATABASE_MYSQL = 'MySQL'
          DATABASE_SQLITE = 'SQLite3'
          DATABASE_PG = 'PostgreSQL'

          class << self
            # Gate for the SQLi rule on a patched query method.
            #
            # @param _method [Object] unused
            # @param _exception [Object] unused
            # @param properties [Hash] the policy node's properties; read for
            #   'database' (presumably one of the DATABASE_* constants) and
            #   Contrast::Utils::ObjectShare::INDEX (position of the SQL
            #   argument inside +args+)
            # @param _object [Object] unused
            # @param args [Array] the arguments of the intercepted call
            # @return [nil] when the call is not analysed; otherwise the result
            #   of iterating the rule's sub-rules
            def invoke _method, _exception, properties, _object, args
              database = properties['database']
              # NOTE(review): a policy node without a 'database' property is
              # skipped silently rather than reported — confirm that is intended.
              return unless database

              index = properties[Contrast::Utils::ObjectShare::INDEX]
              return unless valid_input?(index, args)
              # skip_analysis?, apply_classification and rule are presumably
              # supplied by RuleApplicator (extended above) — verify there.
              return if skip_analysis?

              sql = args[index]
              apply_classification(rule_name, current_context)
              rule.infilter(current_context, database, sql)
              rule.sub_rules.each do |sub_rule|
                sub_rule.infilter(current_context, sql)
              end
            end

            protected

            # @return [String] the name the Sqli rule registers under
            def rule_name
              Contrast::Agent::Protect::Rule::Sqli::NAME
            end

            private

            # The request context handed to the rule; looked up on every use
            # rather than cached.
            #
            # @return [Object] whatever REQUEST_TRACKER.current yields
            def current_context
              Contrast::Agent::REQUEST_TRACKER.current
            end

            # Truthy only when +args+ holds a non-empty value at +index+;
            # a nil or too-short +args+ yields false.
            #
            # @param index [Integer] position of the SQL argument
            # @param args [Array, nil] arguments of the intercepted call
            # @return [Boolean, nil] truthy when there is a query to inspect
            def valid_input? index, args
              return false unless args && args.length > index

              candidate = args[index]
              candidate && !candidate.empty?
            end
          end
        end
      end
    end
  end
end
Version data entries
2 entries across 2 versions & 1 rubygem
Version | Path |
---|---|
contrast-agent-6.11.0 | lib/contrast/agent/protect/policy/applies_sqli_rule.rb |
contrast-agent-6.10.0 | lib/contrast/agent/protect/policy/applies_sqli_rule.rb |