Sha256: be3331719fc5818d414696ca9427945c4ec97b19e49bdacb60027f8557c0f838
Contents?: true
Size: 1.52 KB
Versions: 5
Compression:
Stored size: 1.52 KB
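# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

cs__scoped_require 'contrast/components/interface'

# This module acts as a trigger to handle the special cases of the XPath library gem
# and the Oga gem. Untrusted data may come into the trigger method from these
# classes as an array or hash, respectively. Since untrusted user input comes into
# this trigger as a splat argument or an options hash, we need to iterate through
# these objects to see if we were tracking any of them and report a finding if so.
module XPathLibraryTrigger
  include Contrast::Components::Interface

  class << self
    # Trigger handler for XPath query construction.
    #
    # Inspects each argument passed to the patched method and reports a finding
    # for every String or Symbol argument that is tracked and that the trigger
    # node reports as violated. Only the top level of the argument list (or, for
    # Oga, of the options hash's values) is inspected; values nested inside
    # arrays or hashes are not walked. The patched method's return value is
    # never altered.
    #
    # @param context [Object] request context, forwarded to build_finding
    # @param trigger_node [Object] policy node whose #violated? decides on each arg
    # @param _source [Object] unused
    # @param object [Object] receiver of the patched method
    # @param ret [Object] the patched method's return value
    # @param invoked [Integer] forwarded to build_finding as invoked + 1
    # @param args [Array] the patched method's arguments
    # @return [Object] ret, unchanged
    def xpath_trigger_check(context, trigger_node, _source, object, ret, invoked, *args)
      # A splat parameter is always an Array, never nil, so the meaningful
      # guard is emptiness.
      return ret if args.empty?

      # Oga::XML::CharacterNode#initialize takes an options Hash; inspect its
      # values rather than the Hash itself so tracked strings inside it are seen.
      # Oga::XML::CharacterNode is only referenced once oga_defined? is truthy.
      args = args.first.values if oga_defined? && object.cs__is_a?(Oga::XML::CharacterNode) && args.first.cs__is_a?(Hash)
      args.each do |arg|
        next unless arg.cs__is_a?(String) || arg.cs__is_a?(Symbol)
        next unless arg.cs__tracked?
        next unless trigger_node.violated?(arg)

        # The (possibly replaced) args are forwarded with the finding.
        Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(
            context, trigger_node, arg, object, ret, invoked + 1, args)
      end
      ret
    end

    private

    # Whether Oga::XML::CharacterNode is loaded.
    #
    # defined? returns nil until the constant exists, so ||= only memoises a
    # truthy answer; while Oga is absent the check is simply repeated, which
    # means the answer still flips correctly if Oga is required later.
    def oga_defined?
      @_oga_defined ||= defined?(Oga::XML::CharacterNode)
    end
  end
end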