
# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

cs__scoped_require 'contrast/agent/protect/rule/sqli'
cs__scoped_require 'contrast/extensions/ruby_core/protect/rule_applicator'
cs__scoped_require 'contrast/utils/data_store_util'

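module Contrast
  module CoreExtensions
    module Protect
      # This class is how we apply the SQL Injection rule. It is called from
      # our patches of the targeted methods in which the execution of String
      # based SQL queries occur. It is responsible for deciding if the infilter
      # methods of the rule should be invoked.
      #
      # `rule` and `skip_analysis?` are not defined here; they are expected to
      # come from Contrast::CoreExtensions::Protect::RuleApplicator, which this
      # class extends and for which it implements the `name` hook.
      class AppliesSqliRule
        extend Contrast::CoreExtensions::Protect::RuleApplicator

        DATABASE_MYSQL =    'MySQL'
        DATABASE_SQLITE =   'SQLite3'
        DATABASE_PG =       'PostgreSQL'

        class << self
          # Entry point called from the patched query methods.
          #
          # @param _method [Symbol] the patched method (unused here)
          # @param _exception [Exception, nil] unused here
          # @param properties [Hash] patch configuration; the 'database' key
          #   names the database and the Contrast::Utils::ObjectShare::INDEX
          #   key gives the position of the SQL argument within +args+
          # @param _object [Object] receiver of the patched call (unused here)
          # @param args [Array] arguments of the patched call
          # @return [nil] when no analysis is performed, otherwise the result
          #   of rule.infilter
          def invoke _method, _exception, properties, _object, args
            database = properties['database']
            return unless database

            index = properties[Contrast::Utils::ObjectShare::INDEX]
            return unless valid_input?(index, args)
            return if skip_analysis?

            sql = args[index]
            rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, database, sql)
          end

          protected

          # Name under which RuleApplicator resolves the rule instance.
          def name
            Contrast::Agent::Protect::Rule::Sqli::NAME
          end

          private

          # True only when +index+ is an Integer position inside +args+ and the
          # argument at that position is a non-empty query.
          #
          # A missing or non-Integer index means the patch configuration is
          # broken, not that the query is safe. We return false instead of
          # letting `args.length > index` raise an ArgumentError out of the hook
          # into the host application. Note that this skips analysis for the
          # call (fails open), so a misconfigured patch must be caught by tests
          # rather than relied on to surface at runtime.
          def valid_input? index, args
            return false unless index.is_a?(Integer) && args && args.length > index

            sql = args[index]
            sql && !sql.empty?
          end
        end
      end
    end
  end
end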
