{ "sources":[ { "class_name":"Rack::Request", "instance_method": true, "method_visibility": "public", "method_name":"params", "target":"R", "type":"PARAMETER", "tags":["CROSS_SITE"] }, { "class_name":"Rack::Request::Helpers", "instance_method": true, "method_visibility": "public", "method_name":"body", "target":"R", "type":"BODY", "tags":["CROSS_SITE"] }, { "class_name":"Rack::Request::Env", "instance_method": true, "method_visibility": "public", "method_name":"get_header", "source": "P0", "target":"R", "type":"HEADER", "tags":["NO_NEWLINES", "CROSS_SITE"] }, { "class_name":"ActionDispatch::Request", "instance_method": true, "method_visibility": "public", "method_name": "raw_post", "target": "R", "type": "BODY", "tags":["NO_NEWLINES", "CROSS_SITE"] }, { "class_name":"Rack::Request::Helpers", "instance_method": true, "method_visibility": "public", "method_name":"POST", "target":"R", "type":"PARAMETER", "tags":["CROSS_SITE"] }, { "class_name":"Rack::Request::Helpers", "instance_method": true, "method_visibility": "public", "method_name":"GET", "target":"R", "type":"PARAMETER", "tags":["CROSS_SITE"] }, { "class_name":"Rack::Request::Helpers", "instance_method": true, "method_visibility": "public", "method_name":"cookies", "target":"R", "type":"COOKIE", "tags":["NO_NEWLINES"] }, { "class_name":"Rack::Request::Helpers", "instance_method": true, "method_visibility": "public", "method_name":"url", "target":"R", "type":"PARAMETER", "tags":["CROSS_SITE"] }, { "class_name":"Rack::Request::Helpers", "instance_method": true, "method_visibility": "public", "method_name":"query_string", "target":"R", "type":"BODY", "tags":["CROSS_SITE"] }, { "class_name":"Rack::Request", "instance_method": true, "method_visibility": "public", "method_name":"body", "target":"R", "type":"BODY", "tags":["CROSS_SITE"] }, { "class_name":"Rack::Request", "instance_method": true, "method_visibility": "public", "method_name":"query_string", "target":"R", "type":"BODY", "tags":["CROSS_SITE"] }, { "class_name":"Rack::Request", "instance_method": true, "method_visibility": "public", "method_name":"GET", "target":"R", "type":"PARAMETER", "tags":["CROSS_SITE"] }, { "class_name":"Rack::Request", "instance_method": true, "method_visibility": "public", "method_name":"POST", "target":"R", "type":"PARAMETER", "tags":["CROSS_SITE"] }, { "class_name":"Rack::Request", "instance_method": true, "method_visibility": "public", "method_name":"cookies", "target":"R", "type":"COOKIE", "tags":["NO_NEWLINES"] }, { "class_name":"ActionController::Metal", "instance_method": true, "method_visibility": "public", "method_name":"params", "target":"R", "type":"PARAMETER", "tags":["CROSS_SITE"] }, { "class_name":"ActionController::StrongParameters", "instance_method": true, "method_visibility": "public", "method_name":"params", "target":"R", "type":"PARAMETER", "tags":["CROSS_SITE"] } ], "propagators":[ { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"dup", "source":"O", "target":"R", "action":"KEEP" }, { "class_name": "String", "instance_method": true, "method_visibility": "public", "method_name": "to_s", "source": "O", "target": "R", "action": "KEEP" }, { "class_name": "String", "instance_method": true, "method_visibility": "public", "method_name": "to_str", "source": "O", "target": "R", "action": "KEEP" }, { "class_name": "String", "instance_method": true, "method_visibility": "public", "method_name": "split", "source": "O,P0", "target": "R", "action": "SPLIT" },{ "class_name": "String", "instance_method": true, "method_visibility": "public", "method_name": "grapheme_clusters", "source": "O", "target": "R", "action": "SPLIT" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"clone", "source":"O", "target":"R", "action":"KEEP" }, { "class_name":"String", "instance_method": true, "method_visibility": "private", "method_name":"initialize", "source":"P0", "target":"O", "action":"KEEP" }, { "class_name":"String", "instance_method": false, "method_visibility": "public", "method_name":"try_convert", "source":"P0", "target":"R", "action":"KEEP" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"+@", "source":"O", "target":"R", "action":"KEEP" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"capitalize", "source":"O", "target":"R", "action":"KEEP" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"capitalize!", "source":"O", "target":"R", "action":"KEEP" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"downcase", "source":"O", "target":"R", "action":"KEEP" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"downcase!", "source":"O", "target":"R", "action":"KEEP" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"swapcase", "source":"O", "target":"R", "action":"KEEP" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"swapcase!", "source":"O", "target":"R", "action":"KEEP" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"upcase", "source":"O", "target":"R", "action":"KEEP" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"upcase!", "source":"O", "target":"R", "action":"KEEP" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"insert", "source":"O,P1", "target":"O", "action":"INSERT" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"prepend", "source":"O,P0", "target":"O", "action":"PREPEND" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"rjust", "source":"O,P1", "target":"R", "action":"PREPEND" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"+", "source":"O,P0", "target":"R", "action":"APPEND" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"concat", "source":"O,P0", "target":"O", "action":"APPEND" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"<<", "source":"O,P0", "target":"O", "action":"APPEND" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"ljust", "source":"O,P1", "target":"R", "action":"APPEND" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"*", "source":"O", "target":"R", "action":"APPEND" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"center", "source":"O,P1", "target":"R", "action":"CENTER" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"inspect", "source":"O", "target":"R", "action":"CENTER" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"chomp", "source":"O", "target":"R", "action":"REMOVE" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"chomp!", "source":"O", "target":"R", "action":"REMOVE" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"chop", "source":"O", "target":"R", "action":"REMOVE" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"chop!", "source":"O", "target":"R", "action":"REMOVE" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"rstrip", "source":"O", "target":"R", "action":"REMOVE" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"rstrip!", "source":"O", "target":"R", "action":"REMOVE" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"lstrip", "source":"O", "target":"R", "action":"REMOVE" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"lstrip!", "source":"O", "target":"R", "action":"REMOVE" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"strip", "source":"O", "target":"R", "action":"REMOVE" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"strip!", "source":"O", "target":"R", "action":"REMOVE" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"delete", "source":"O", "target":"R", "action":"REMOVE" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"delete!", "source":"O", "target":"R", "action":"REMOVE" },{ "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"delete_prefix", "source":"O", "target":"R", "action":"REMOVE" },{ "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"delete_suffix", "source":"O", "target":"R", "action":"REMOVE" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"delete_prefix!", "source":"O", "target":"O", "action":"REMOVE" },{ "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"delete_suffix!", "source":"O", "target":"O", "action":"REMOVE" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"dump", "source":"O", "target":"R", "action":"SPLAT" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"undump", "source":"O", "target":"R", "action":"SPLAT" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"replace", "source":"P0", "target":"R", "action":"REPLACE" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"next", "source":"O", "target":"R", "action":"NEXT" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"next!", "source":"O", "target":"O", "action":"NEXT" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"succ", "source":"O", "target":"R", "action":"NEXT" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"succ!", "source":"O", "target":"O", "action":"NEXT" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"reverse", "source":"O", "target":"R", "action":"REVERSE" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"reverse!", "source":"O", "target":"O", "action":"REVERSE" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"%", "source":"O,P0", "target":"R", "action":"SPLAT" }, { "class_name":"Regexp", "instance_method": true, "method_visibility": "public", "method_name":"match", "source":"P0", "target":"R", "action":"KEEP" }, { "class_name":"MatchData", "instance_method": true, "method_visibility": "public", "method_name":"post_match", "source":"O", "target":"R", "action":"REMOVE" }, { "class_name":"MatchData", "instance_method": true, "method_visibility": "public", "method_name":"pre_match", "source":"O", "target":"R", "action":"REMOVE" }, { "class_name":"MatchData", "instance_method": true, "method_visibility": "public", "method_name":"to_a", "source":"O", "target":"R", "action":"CUSTOM", "patch_class": "Contrast::Agent::Assess::Policy::Propagator::MatchData", "patch_method": "to_a_tagger" }, { "class_name":"MatchData", "instance_method": true, "method_visibility": "public", "method_name":"[]", "source":"O", "target":"R", "action":"CUSTOM", "patch_class": "Contrast::Agent::Assess::Policy::Propagator::MatchData", "patch_method": "square_bracket_tagger" }, { "class_name":"MatchData", "instance_method": true, "method_visibility": "public", "method_name":"captures", "source":"O", "target":"R", "action":"CUSTOM", "patch_class": "Contrast::Agent::Assess::Policy::Propagator::MatchData", "patch_method": "captures_tagger" }, { "class_name":"MatchData", "instance_method": true, "method_visibility": "public", "method_name":"values_at", "source":"O", "target":"R", "action":"CUSTOM", "patch_class": "Contrast::Agent::Assess::Policy::Propagator::MatchData", "patch_method": "values_at_tagger" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"to_sym", "source":"O", "target":"R", "action":"KEEP" }, { "class_name": "String", "instance_method": true, "method_visibility": "public", "method_name": "gsub", "action": "CUSTOM", "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Substitution", "patch_method": "gsub_tagger", "source": "O,P", "target": "R" }, { "class_name": "String", "instance_method": true, "method_visibility": "public", "method_name": "gsub!", "action": "CUSTOM", "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Substitution", "patch_method": "gsub_tagger", "source": "O,P", "target": "O" }, { "class_name": "String", "instance_method": true, "method_visibility": "public", "method_name": "sub", "action": "CUSTOM", "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Substitution", "patch_method": "sub_tagger", "source": "O,P", "target": "R" }, { "class_name": "String", "instance_method": true, "method_visibility": "public", "method_name": "sub!", "action": "CUSTOM", "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Substitution", "patch_method": "sub_tagger", "source": "O,P", "target": "O" }, { "class_name": "String", "instance_method": true, "method_visibility": "public", "method_name": "tr", "action": "CUSTOM", "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Trim", "patch_method": "tr_tagger", "source": "O,P", "target": "R" }, { "class_name": "String", "instance_method": true, "method_visibility": "public", "method_name": "tr!", "action": "CUSTOM", "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Trim", "patch_method": "tr_tagger", "source": "O,P", "target": "O" }, { "class_name": "String", "instance_method": true, "method_visibility": "public", "method_name": "tr_s", "action": "CUSTOM", "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Trim", "patch_method": "tr_s_tagger", "source": "O,P", "target": "R" }, { "class_name": "String", "instance_method": true, "method_visibility": "public", "method_name": "tr_s!", "action": "CUSTOM", "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Trim", "patch_method": "tr_s_tagger", "source": "O,P", "target": "O" }, { "class_name": "String", "instance_method": true, "method_visibility": "public", "method_name": "[]", "action": "CUSTOM", "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Select", "patch_method": "select_tagger", "source": "O", "target": "R" }, { "class_name":"CGI::Util", "method_name":"escapeHTML", "instance_method": true, "method_visibility": "public", "source":"P0", "target":"R", "action":"SPLAT", "tags":["HTML_ENCODED"], "untags":["HTML_DECODED"] }, { "class_name":"CGI::Util", "method_name":"escape_html", "instance_method": true, "method_visibility": "public", "source":"P0", "target":"R", "action":"SPLAT", "tags":["HTML_ENCODED"], "untags":["HTML_DECODED"] }, { "class_name":"CGI::Util", "method_name":"h", "instance_method": true, "method_visibility": "public", "source":"P0", "target":"R", "action":"SPLAT", "tags":["HTML_ENCODED"], "untags":["HTML_DECODED"] }, { "class_name":"CGI::Util", "method_name":"unescapeHTML", "instance_method": true, "method_visibility": "public", "source":"P0", "target":"R", "action":"SPLAT", "tags":["HTML_DECODED"], "untags":["HTML_ENCODED"] }, { "class_name":"CGI::Util", "method_name":"unescape_html", "instance_method": true, "method_visibility": "public", "source":"P0", "target":"R", "action":"SPLAT", "tags":["HTML_DECODED"], "untags":["HTML_ENCODED"] }, { "class_name":"ERB::Util", "method_name":"html_escape", "instance_method": false, "method_visibility": "public", "source":"P0", "target":"R", "action":"SPLAT", "tags":["HTML_ENCODED"], "untags":["HTML_DECODED"] }, { "class_name":"ERB::Util", "method_name":"h", "instance_method": false, "method_visibility": "public", "source":"P0", "target":"R", "action":"SPLAT", "tags":["HTML_ENCODED"], "untags":["HTML_DECODED"] }, { "class_name":"ERB::Util", "method_name":"html_escape_once", "instance_method": false, "method_visibility": "public", "source":"P0", "target":"R", "action":"SPLAT", "tags":["HTML_ENCODED"], "untags":["HTML_DECODED"] }, { "class_name":"Pathname", "method_name":"initialize", "instance_method": true, "method_visibility": "private", "source":"P0", "target":"O", "action":"SPLAT" }, { "class_name":"File", "method_name":"initialize", "instance_method": true, "method_visibility": "private", "source":"P0", "target":"O", "action":"SPLAT" }, { "class_name":"File", "method_name":"path", "instance_method": true, "method_visibility": "public", "source":"O", "target":"R", "action":"SPLAT" }, { "class_name":"File", "method_name":"to_path", "instance_method": true, "method_visibility": "public", "source":"O", "target":"R", "action":"SPLAT" }, { "class_name": "ActiveModel::AttributeAssignment", "method_name": "assign_attributes", "instance_method": true, "method_visibility": "public", "source": "P0", "target": "O", "action": "DB_WRITE", "tags": ["DATABASE_WRITE"] }, { "class_name": "ActiveModel::AttributeAssignment", "method_name": "attributes=", "instance_method": true, "method_visibility": "public", "source": "P0", "target": "O", "action": "DB_WRITE", "tags": ["DATABASE_WRITE"] }, { "class_name": "JSON", "method_name": "parse", "instance_method": false, "method_visibility": "public", "source": "P0", "target": "R", "action": "SPLAT" }, { "class_name": "JSON", "method_name": "[]", "instance_method": false, "method_visibility": "public", "source": "O", "target": "R", "action": "SPLAT" }, { "class_name": "JSON", "method_name": "dump", "instance_method": false, "method_visibility": "public", "source": "P0", "target": "R", "action": "SPLAT" }, { "class_name": "Zlib::Deflate", "method_name": "deflate", "instance_method": false, "method_visibility": "public", "source": "P0", "target": "R", "action": "SPLAT" }, { "class_name": "Zlib::Inflate", "method_name": "inflate", "instance_method": false, "method_visibility": "public", "source": "P0", "target": "R", "action": "SPLAT" }, { "class_name": "Base64", "method_name": "decode64", "instance_method": false, "method_visibility": "public", "source": "P0", "target": "R", "action": "SPLAT", "tags":["BASE64_DECODED"], "untags":["BASE64_ENCODED"] }, { "class_name": "Base64", "method_name": "encode64", "instance_method": false, "method_visibility": "public", "source": "P0", "target": "R", "action": "SPLAT", "tags":["BASE64_ENCODED"], "untags":["BASE64_DECODED"] }, { "class_name": "Base64", "method_name": "strict_decode64", "instance_method": false, "method_visibility": "public", "source": "P0", "target": "R", "action": "SPLAT", "tags":["BASE64_DECODED"], "untags":["BASE64_ENCODED"] }, { "class_name": "Base64", "method_name": "strict_encode64", "instance_method": false, "method_visibility": "public", "source": "P0", "target": "R", "action": "SPLAT", "tags":["BASE64_ENCODED"], "untags":["BASE64_DECODED"] }, { "class_name": "Base64", "method_name": "urlsafe_decode64", "instance_method": false, "method_visibility": "public", "source": "P0", "target": "R", "action": "SPLAT", "tags":["BASE64_DECODED"], "untags":["BASE64_ENCODED"] }, { "class_name": "Base64", "method_name": "urlsafe_encode64", "instance_method": false, "method_visibility": "public", "source": "P0", "target": "R", "action": "SPLAT", "tags":["BASE64_ENCODED"], "untags":["BASE64_DECODED"] }, { "class_name": "Marshal", "method_name": "dump", "instance_method": false, "method_visibility": "public", "source": "P0", "target": "R", "action": "SPLAT" }, { "class_name": "Marshal", "method_name": "load", "instance_method": false, "method_visibility": "public", "source": "P0", "target": "R", "action": "SPLAT" }, { "class_name": "URI::Generic", "method_name": "initialize", "instance_method": true, "method_visibility": "private", "source": "P0", "target": "O", "action": "SPLAT" }, { "class_name": "Kernel", "instance_method": true, "method_visibility": "private", "method_name": "sprintf", "action": "CUSTOM", "patch_class": "Contrast::Extension::Assess::KernelPropagator", "patch_method": "sprintf_tagger", "source": "O,P", "target": "R" }, { "class_name":"ActiveRecord::ConnectionAdapters::Quoting", "instance_method": true, "method_visibility": "public", "method_name":"quote", "source": "P0", "target": "R", "action": "SPLAT", "tags":["SQL_ENCODED"], "untags":["SQL_DECODED"] }, { "class_name":"ActiveRecord::ConnectionAdapters::Quoting", "instance_method": true, "method_visibility": "public", "method_name":"quote_string", "source": "P0", "target": "R", "action": "SPLAT", "tags":["SQL_ENCODED"], "untags":["SQL_DECODED"] }, { "class_name":"IO", "method_name":"initialize", "instance_method": true, "method_visibility": "private", "source":"P0", "target":"O", "action":"SPLAT" }, { "class_name": "ERB", "method_name": "result", "method_visibility": "public", "instance_method": true, "source": "P0", "target": "O", "action": "CUSTOM", "patch_class": "ERBPropagator", "patch_method": "result_tagger" } ], "rules":[ { "name":"cmd-injection", "disallowed_tags":["BASE64_ENCODED", "CSS_ENCODED", "CSV_ENCODED", "HTML_ENCODED", "JAVASCRIPT_ENCODED", "JAVA_ENCODED", "LDAP_ENCODED", "OS_ENCODED", "SQL_ENCODED", "URL_ENCODED", "VBSCRIPT_ENCODED", "XML_ENCODED", "XPATH_ENCODED"], "triggers":[ { "class_name":"IO", "instance_method": false, "method_visibility": "public", "method_name":"popen", "source":"P0" }, { "class_name":"Kernel", "instance_method": false, "method_visibility": "public", "method_name":"`", "source":"P0" }, { "class_name":"Kernel", "instance_method": false, "method_visibility": "public", "method_name":"exec", "source":"P0", "custom_patch": true }, { "class_name":"Kernel", "instance_method": true, "method_visibility": "private", "method_name":"exec", "source":"P0", "custom_patch": true }, { "class_name":"Kernel", "instance_method": false, "method_visibility": "public", "method_name":"spawn", "source":"P0" }, { "class_name":"Kernel", "instance_method": false, "method_visibility": "public", "method_name":"system", "source":"P0" }, { "class_name":"Kernel", "instance_method": true, "method_visibility": "private", "method_name":"`", "source":"P0" }, { "class_name":"Kernel", "instance_method": true, "method_visibility": "private", "method_name":"spawn", "source":"P0" }, { "class_name":"Kernel", "instance_method": true, "method_visibility": "private", "method_name":"system", "source":"P0" } ] },{ "name":"path-traversal", "disallowed_tags":["BASE64_ENCODED", "CSS_ENCODED", "CSV_ENCODED", "HTML_ENCODED", "JAVASCRIPT_ENCODED", "JAVA_ENCODED", "LDAP_ENCODED", "OS_ENCODED", "SQL_ENCODED", "URL_ENCODED", "VBSCRIPT_ENCODED", "XML_ENCODED", "XPATH_ENCODED", "NO_CONTROL_CHARS"], "triggers":[ { "class_name":"IO", "method_name":"open", "instance_method": false, "method_visibility": "public", "source":"P0" }, { "class_name":"IO", "method_name":"initialize", "instance_method": true, "method_visibility": "private", "source":"P0" }, { "class_name":"IO", "method_name":"binread", "instance_method": false, "method_visibility": "public", "source":"P0" }, { "class_name":"IO", "method_name":"binwrite", "instance_method": false, "method_visibility": "public", "source":"P0" }, { "class_name":"IO", "method_name":"read", "instance_method": false, "method_visibility": "public", "source":"P0" }, { "class_name":"IO", "method_name":"readlines", "instance_method": false, "method_visibility": "public", "source":"P0" }, { "class_name":"IO", "method_name":"copy_stream", "instance_method": false, "method_visibility": "public", "source":"P0,P1" }, { "class_name":"IO", "method_name":"foreach", "instance_method": false, "method_visibility": "public", "source":"P0" }, { "class_name":"IO", "method_name":"sysopen", "instance_method": false, "method_visibility": "public", "source":"P0" }, { "class_name":"IO", "method_name":"write", "instance_method": false, "method_visibility": "public", "source":"P0" }, { "class_name":"File", "method_name":"initialize", "instance_method": true, "method_visibility": "private", "source":"P0" } ] }, { "name": "redos", "triggers": [ { "class_name":"Regexp", "instance_method": true, "method_visibility": "public", "method_name":"match", "source":"P0", "trigger_class": "Contrast::Agent::Assess::Rule::Redos", "trigger_method": "regexp_complexity_check" }, { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"=~", "source":"O", "trigger_class": "Contrast::Agent::Assess::Rule::Redos", "trigger_method": "regexp_complexity_check" }, { "class_name":"Regexp", "instance_method": true, "method_visibility": "public", "method_name":"=~", "source":"P0", "trigger_class": "Contrast::Agent::Assess::Rule::Redos", "trigger_method": "regexp_complexity_check" } ] }, { "name":"reflected-xss", "required_tags": ["CROSS_SITE"], "disallowed_tags":["BASE64_ENCODED", "CSS_ENCODED", "CSV_ENCODED", "HTML_ENCODED", "JAVASCRIPT_ENCODED", "JAVA_ENCODED", "LDAP_ENCODED", "OS_ENCODED", "SQL_ENCODED", "URL_ENCODED", "VBSCRIPT_ENCODED", "XML_ENCODED", "XPATH_ENCODED"], "triggers":[ { "class_name": "Tilt::Template", "method_name": "evaluate", "instance_method": true, "method_visibility": "public", "source": "O", "trigger_class": "Contrast::Agent::Assess::Policy::Trigger::ReflectedXss", "trigger_method": "xss_tilt_trigger" }, { "class_name":"String", "method_name":"html_safe", "instance_method": true, "method_visibility": "public", "source":"O" }, { "class_name":"ActionView::Helpers::OutputSafetyHelper", "method_name":"raw", "instance_method": true, "method_visibility": "public", "source":"P0" }, { "class_name":"ActionView::Helpers::RawOutputHelper", "method_name":"raw", "instance_method": true, "method_visibility": "public", "source":"P0" }, { "class_name":"ActionDispatch::Response", "method_name":"body=", "instance_method": true, "method_visibility": "public", "source":"P0" }, { "class_name":"ActionDispatch::Response::Buffer", "method_name":"write", "instance_method": true, "method_visibility": "public", "source":"P0" }, { "class_name":"Sinatra::Helpers", "method_name":"body", "instance_method": true, "method_visibility": "public", "source":"P0" }, { "class_name":"Sinatra::Response", "method_name":"body=", "instance_method": true, "method_visibility": "public", "source":"P0" } ] }, { "name":"sql-injection", "disallowed_tags":["SQL_ENCODED"], "triggers":[ { "class_name":"SQLite3::Database", "instance_method": true, "method_visibility": "public", "method_name":"execute", "source":"P0" }, { "class_name":"SQLite3::Statement", "instance_method": true, "method_visibility": "private", "method_name":"initialize", "source":"P1" }, { "class_name":"Mysql2::Client", "instance_method": true, "method_visibility": "public", "method_name":"query", "source":"P0" }, { "class_name":"Mysql2::Statement", "instance_method": true, "method_visibility": "public", "method_name":"execute", "source":"P0" }, { "class_name":"PG::Connection", "instance_method": true, "method_visibility": "public", "method_name":"exec", "source":"P0" }, { "class_name":"PG::Connection", "instance_method": true, "method_visibility": "public", "method_name":"exec_params", "source":"P0" }, { "class_name":"PG::Connection", "instance_method": true, "method_visibility": "public", "method_name":"async_exec", "source":"P0" }, { "class_name":"ActiveRecord::Querying", "instance_method": false, "method_visibility": "public", "method_name":"select", "source":"P0" } ] }, { "name": "reflection-injection", "triggers": [ { "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"constantize", "source":"O" },{ "class_name":"String", "instance_method": true, "method_visibility": "public", "method_name":"safe_constantize", "source":"O" }, { "class_name":"Module", "instance_method": false, "method_visibility": "public", "method_name":"const_get", "source":"P0" }, { "class_name":"Module", "instance_method": true, "method_visibility": "public", "method_name":"const_get", "source":"P0" } ] },{ "name":"unsafe-code-execution", "triggers":[ { "class_name":"Kernel", "instance_method": false, "method_visibility": "public", "method_name":"eval", "source":"P0" },{ "class_name": "Kernel", "instance_method": true, "method_visibility": "private", "method_name": "eval", "source": "P0" }, { "class_name": "ActiveSupport::Tryable", "instance_method": true, "method_visibility": "public", "method_name":"try", "source":"P0" }, { "class_name": "ActiveSupport::Tryable", "instance_method": true, "method_visibility": "public", "method_name":"try!", "source":"P0" }, { "class_name": "BasicObject", "instance_method": false, "method_visibility": "public", "method_name":"instance_eval", "source":"P0", "custom_patch": true }, { "class_name": "Module", "instance_method": true, "method_visibility": "public", "method_name":"class_eval", "source":"P0", "custom_patch": true }, { "class_name": "Module", "instance_method": true, "method_visibility": "public", "method_name":"module_eval", "source":"P0", "custom_patch": true },{ "class_name": "Object", "instance_method": true, "method_visibility": "public", "method_name": "try", "source": "P0" }, { "class_name": "Object", "instance_method": true, "method_visibility": "public", "method_name": "try!", "source": "P0" } ] }, { "name":"crypto-weak-randomness", "dataflow": false, "triggers":[ { "class_name":"Kernel", "instance_method": false, "method_visibility": "public", "method_name":"rand" }, { "class_name":"Kernel", "instance_method": false, "method_visibility": "public", "method_name":"srand" }, { "class_name":"Random", "instance_method": false, "method_visibility": "public", "method_name":"rand" }, { "class_name":"Random", "instance_method": false, "method_visibility": "public", "method_name":"srand" }, { "class_name":"Random", "instance_method": true, "method_visibility": "public", "method_name":"rand" } ] }, { "name":"crypto-bad-mac", "dataflow": false, "triggers":[ { "class_name":"OpenSSL::Digest", "instance_method": true, "method_visibility": "private", "method_name":"initialize", "source":"P0", "good_value":"^(?:MDC2|RIPEMD160|SHA224|SHA256|SHA384|SHA512)" }, { "class_name":"Digest::MD5", "instance_method": true, "method_visibility": "public", "method_name":"initialize" },{ "class_name":"Digest::SHA1", "instance_method": true, "method_visibility": "public", "method_name":"initialize" } ] }, { "name":"crypto-bad-ciphers", "dataflow": false, "triggers":[ { "class_name":"OpenSSL::Cipher", "instance_method": true, "method_visibility": "private", "method_name":"initialize", "source":"P0", "good_value":"^(?:AES|CAMELLIA|CAST|DES-EDE|DES-EDE3|DES3|DESX|SEED).*" } ] }, { "name": "ssrf", "triggers": [ { "class_name": "Net::HTTP", "instance_method": true, "method_visibility": "private", "method_name": "initialize", "source": "P0" },{ "class_name": "Net::HTTP", "instance_method": true, "method_visibility": "public", "method_name": "get", "source": "P0" },{ "class_name": "Net::HTTP", "instance_method": true, "method_visibility": "public", "method_name": "post", "source": "P0" },{ "class_name": "Net::HTTP", "instance_method": true, "method_visibility": "public", "method_name": "head", "source": "P0" },{ "class_name": "Net::HTTP", "instance_method": true, "method_visibility": "public", "method_name": "put", "source": "P0" },{ "class_name": "Net::HTTP", "instance_method": true, "method_visibility": "public", "method_name": "patch", "source": "P0" },{ "class_name": "Net::HTTP", "instance_method": true, "method_visibility": "public", "method_name": "delete", "source": "P0" },{ "class_name": "Excon", "instance_method": true, "method_visibility": "private", "method_name": "initialize", "source": "P0" }, { "class_name": "Typhoeus::Request", "instance_method": true, "method_visibility": "private", "method_name": "initialize", "source": "P0" } ] }, { "name": "nosql-injection", "disallowed_tags":["JAVASCRIPT_ENCODED"], "triggers": [ { "class_name": "Mongo::Protocol::Query", "instance_method": true, "method_visibility": "private", "method_name": "initialize", "source": "P2" }, { "class_name": "Mongo::Operation::Specifiable", "instance_method": true, "method_visibility": "private", "method_name": "initialize", "source": "P0" } ] }, { "name": "xxe", "triggers": [ { "class_name": "Ox", "instance_method": false, "method_visibility": "public", "method_name": "parse", "source": "P0" }, { "class_name": "Ox", "instance_method": false, "method_visibility": "public", "method_name": "load", "source": "P0" }, { "class_name": "Oga::XML::Parser", "instance_method": true, "method_visibility": "private", "method_name": "initialize", "source": "P0" }, { "class_name": "Oga::XML::SaxParser", "instance_method": true, "method_visibility": "private", "method_name": "initialize", "source": "P1" }, { "class_name": "Nokogiri::XML::Document", "instance_method": false, "method_visibility": "public", "method_name": "parse", "source": "P0" }, { "class_name": "Nokogiri::XML::SAX::Parser", "instance_method": true, "method_visibility": "public", "method_name": "parse", "source": "P0" } ] }, { "name": "trust-boundary-violation", "triggers": [ { "class_name": "ActionDispatch::Request::Session", "instance_method": true, "method_visibility": "public", "method_name": "[]=", "source": "P0,P1" },{ "class_name": "Rack::Session::Cookie::Identity", "instance_method": true, "method_visibility": "public", "method_name": "encode", "source": "P0" },{ "class_name": "Rack::Session::Cookie::Base64", "instance_method": true, "method_visibility": "public", "method_name": "encode", "source": "P0" } ] }, { "name": "unvalidated-redirect", "disallowed_tags":["URL_ENCODED"], "triggers": [ { "class_name": "Sinatra::Helpers", "instance_method": true, "method_visibility": "public", "method_name": "redirect", "source": "P0" }, { "class_name": "ActionController::Redirecting", "instance_method": true, "method_visibility": "public", "method_name": "redirect_to", "source": "P0" } ] }, { "name": "untrusted-deserialization", "triggers": [ { "class_name": "Marshal", "instance_method": false, "method_visibility": "public", "method_name": "load", "source": "P0" }, { "class_name": "Psych", "instance_method": false, "method_visibility": "public", "method_name": "load", "source": "P0" } ] }, { "name": "xpath-injection", "disallowed_tags":["XPATH_ENCODED"], "triggers": [ { "class_name": "XPath::Expression", "instance_method": true, "method_visibility": "private", "method_name": "initialize", "source": "P1", "trigger_class": "Contrast::Agent::Assess::Policy::Trigger::Xpath", "trigger_method": "xpath_expression_trigger" }, { "class_name": "Oga::XML::CharacterNode", "instance_method": true, "method_visibility": "private", "method_name": "initialize", "source": "P0", "trigger_class": "Contrast::Agent::Assess::Policy::Trigger::Xpath", "trigger_method": "xpath_oga_trigger" }, { "class_name": "XPather", "instance_method": true, "method_visibility": "public", "method_name": "get", "source": "P0" }, { "class_name": "XPather", "instance_method": true, "method_visibility": "public", "method_name": "search", "source": "P0" }, { "class_name": "Ox::HasAttrs", "instance_method": true, "method_visibility": "public", "method_name": "[]=", "source": "P1" }, { "class_name": "Nokogiri::XML::Node", "instance_method": true, "method_visibility": "public", "method_name": "[]=", "source": "P1" } ] } ] }