# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

require 'contrast/agent/protect/rule/sqli'
require 'contrast/agent/protect/policy/rule_applicator'

module Contrast
  module Agent
    module Protect
      module Policy
        # This Module is how we apply the SQL Injection rule. It is called from
        # our patches of the targeted methods in which the execution of String
        # based SQL queries occur. It is responsible for deciding if the infilter
        # methods of the rule should be invoked.
        class AppliesSqliRule
          extend Contrast::Agent::Protect::Policy::RuleApplicator

          DATABASE_MYSQL =    'MySQL'
          DATABASE_SQLITE =   'SQLite3'
          DATABASE_PG =       'PostgreSQL'

          class << self
            def invoke _method, _exception, properties, _object, args
              database = properties['database']
              return unless database

              index = properties[Contrast::Utils::ObjectShare::INDEX]
              return unless valid_input?(index, args)
              return if skip_analysis?

              sql = args[index]

              # Get the ia for current rule:
              apply_classification(rule_name, Contrast::Agent::REQUEST_TRACKER.current)
              rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, database, sql)
              rule.sub_rules.each { |sub_rule| sub_rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, sql) }
            end

            protected

            def rule_name
              Contrast::Agent::Protect::Rule::Sqli::NAME
            end

            private

            def valid_input? index, args
              return false unless args && args.length > index

              sql = args[index]
              sql && !sql.empty?
            end
          end
        end
      end
    end
  end
end