
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

require 'contrast/agent/protect/rule/sqli'
require 'contrast/agent/protect/policy/rule_applicator'

module Contrast
  module Agent
    module Protect
      module Policy
        # Applicator for the SQL Injection Protect rule. Our patches of the
        # methods that execute String based SQL queries call into this class,
        # which decides whether the rule's infilter method should run for a
        # given call. Returning early from `invoke` means the query is not
        # inspected by the rule at all.
        class AppliesSqliRule
          extend Contrast::Agent::Protect::Policy::RuleApplicator

          DATABASE_MYSQL =    'MySQL'
          DATABASE_SQLITE =   'SQLite3'
          DATABASE_PG =       'PostgreSQL'

          class << self
            # Entry point called from the patched query method.
            #
            # @param _method [Object] unused; the patched method
            # @param _exception [Object] unused; exception raised by the patched method, if any
            # @param properties [Hash] policy properties; 'database' names the
            #   driver and Contrast::Utils::ObjectShare::INDEX locates the SQL
            #   String within `args`
            # @param _object [Object] unused; receiver of the patched method
            # @param args [Array] arguments passed to the patched method
            # @return [Object, nil] result of `rule.infilter`, or nil when the
            #   call is not analyzed (no database, no usable SQL argument, or
            #   analysis is skipped by `skip_analysis?`)
            def invoke _method, _exception, properties, _object, args
              db_name = properties['database']
              return unless db_name

              position = properties[Contrast::Utils::ObjectShare::INDEX]
              # input validity is checked before the (presumably cheaper to
              # defer) skip decision, matching the historical order.
              return if !valid_input?(position, args) || skip_analysis?

              query = args[position]
              rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, db_name, query)
            end

            protected

            # @return [String] the Protect rule id this applicator serves
            def rule_name
              Contrast::Agent::Protect::Rule::Sqli::NAME
            end

            private

            # Whether `args` carries a non-empty SQL value at `index`.
            #
            # @param index [Integer] position of the SQL argument
            # @param args [Array, nil] arguments of the patched call
            # @return [Boolean] truthy only when there is something to inspect
            def valid_input? index, args
              return false if !args || args.length <= index

              query = args[index]
              query && !query.empty?
            end
          end
        end
      end
    end
  end
end
