lib/contrast/agent/protect/policy/applies_deserialization_rule.rb in contrast-agent-6.2.0 vs lib/contrast/agent/protect/policy/applies_deserialization_rule.rb in contrast-agent-6.3.0
- old
+ new
@@ -29,32 +29,30 @@
# applicator in an attempt to build a better story for the user
# @param _object [Object] the thing on which the triggering method
# was invoked
# @param args [Array<Object>] the arguments passed to the triggering
# method at invocation
- # @raise [Contrast::SecurityException] on block, will pass the
- # exception from the rule
def invoke _method, _exception, _properties, _object, args
return unless valid_input?(args)
return if skip_analysis?
rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, args[0])
+ # add rescue here
end
# Calls the actual rule for this applicator, if required, when the
# triggering method is called from Marshal.load when it has been
# prepended.
#
# @param arg [Object] the argument passed to the triggering method
# at invocation
- # @raise [Contrast::SecurityException] on block, will pass the
- # exception from the rule
def prepended_invoke arg
return unless arg&.cs__is_a?(String)
return if skip_analysis?
rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, arg)
+ # add rescue here
end
# Allow the rule to check if the given input is an attempt to
# deserialize something in a way that will result in a command
# execution
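Review bot: The `# add rescue here` placeholders added at the end of `invoke` and `prepended_invoke` are left in shipped code in place of the `@raise [Contrast::SecurityException]` YARD tags this commit removes, while the `rule.infilter(...)` call itself is unchanged, so whatever it raised on block presumably still propagates and is now simply undocumented. Either land the rescue or keep the tag, e.g. `# @raise [Contrast::SecurityException] on block, will pass the exception from the rule` above each `def`. When the rescue is eventually written it must not catch `Contrast::SecurityException` — rescuing it inside the applicator would turn a blocked deserialization into an allow — so rescue `StandardError` and re-raise that class (or rescue only the specific failures the rule is expected to produce), and log rather than silently swallow. `valid_input?` and `skip_analysis?` are defined outside this hunk, so I cannot tell what they already rescue.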
@@ -65,9 +63,10 @@
def apply_deserialization_command_check command
return unless command
return if skip_analysis?
rule.check_command_scope(command)
+ # add rescue here
end
protected
def rule_name