Contents

# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

require 'contrast/agent/at_exit_hook'

module Contrast
  module Extension
    module Assess
      # This Module allows us to track calls to the Kernel#exec method, which
      # violates the design of most methods we track in that we have to apply
      # the trigger at the start in order to account for the process hand off.
      module ExecTrigger
        def apply_trigger source
          current_context = Contrast::Agent::REQUEST_TRACKER.current
          return unless current_context

          # Since we know this is the source of the trigger, we can do some
          # optimization here and return when it is not tracked
          return unless Contrast::Utils::Assess::TrackingUtil.tracked?(source)

          # source might not be all the args passed in, but it is the one we care
          # about. we could pass in all the args in the last param here if it
          # becomes an issue in rendering on TS
          Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(
              current_context,
              trigger_node,
              source,
              Kernel,
              nil,
              [source])
        end

        private

        def trigger_node
          @_trigger_node ||= begin
            Contrast::Agent::Assess::Policy::Policy.instance.find_node('cmd-injection', 'Kernel', :exec, false)
          end
        end
      end
    end
  end
end

Version data entries

1 entries across 1 versions & 1 rubygems

Version	Path
contrast-agent-4.2.0	lib/contrast/extension/assess/exec_trigger.rb