Sha256: ef8751fede6a7cb3e6bc2551dbd78bccd36f15ddb88c4cc042bde61a2fc03f15
Contents?: true
Size: 1.67 KB
Versions: 6
Compression:
Stored size: 1.67 KB
Contents
# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true
cs__scoped_require 'contrast/agent/protect/rule/sqli'
cs__scoped_require 'contrast/agent/protect/policy/rule_applicator'
module Contrast
module Agent
module Protect
module Policy
# This Module is how we apply the SQL Injection rule. It is called from
# our patches of the targeted methods in which the execution of String
# based SQL queries occur. It is responsible for deciding if the infilter
# methods of the rule should be invoked.
class AppliesSqliRule
extend Contrast::Agent::Protect::Policy::RuleApplicator
DATABASE_MYSQL = 'MySQL'
DATABASE_SQLITE = 'SQLite3'
DATABASE_PG = 'PostgreSQL'
class << self
def invoke _method, _exception, properties, _object, args
database = properties['database']
return unless database
index = properties[Contrast::Utils::ObjectShare::INDEX]
return unless valid_input?(index, args)
return if skip_analysis?
sql = args[index]
rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, database, sql)
end
protected
def name
Contrast::Agent::Protect::Rule::Sqli::NAME
end
private
def valid_input? index, args
return false unless args && args.length > index
sql = args[index]
sql && !sql.empty?
end
end
end
end
end
end
end
Version data entries
6 entries across 6 versions & 1 rubygems