lib/contrast/agent/protect/rule/no_sqli.rb in contrast-agent-6.9.0 vs lib/contrast/agent/protect/rule/no_sqli.rb in contrast-agent-6.10.0
- old
+ new
@@ -2,10 +2,11 @@
# frozen_string_literal: true
require 'contrast/agent/protect/rule/base_service'
require 'contrast/agent/protect/rule/sql_sample_builder'
require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/agent/protect/rule/no_sqli/no_sqli_input_classification'
module Contrast
module Agent
module Protect
module Rule
@@ -37,10 +38,17 @@
def applicable_user_inputs
APPLICABLE_USER_INPUTS
end
+ # NoSQLI input classification
+ #
+ # @return [module<Contrast::Agent::Protect::Rule::NoSqliInputClassification>]
+ def classification
+ @_classification ||= Contrast::Agent::Protect::Rule::NoSqliInputClassification.cs__freeze
+ end
+
# @raise [Contrast::SecurityException] if the attack is blocked
# raised with BLOCK_MESSAGE
def infilter context, database, query_string
return unless infilter?(context)
@@ -76,18 +84,32 @@
protected
def find_attacker context, potential_attack_string, **kwargs
if potential_attack_string
- # We need the query hash to be a JSON string to match on JSON input attacks
+ # We need the query hash to be a JSON string to match on JSON input attacks.
+ # Before that we need to check if a string is already in json form.
begin
- potential_attack_string = JSON.generate(potential_attack_string).to_s
+ potential_attack_string = if json?(potential_attack_string)
+ potential_attack_string
+ else
+ JSON.generate(potential_attack_string).to_s
+ end
rescue JSON::GeneratorError
logger.trace('Error in JSON::generate', input: potential_attack_string)
nil
end
end
super(context, potential_attack_string, **kwargs)
+ end
+
+ # Check to see if a string is in JSON form.
+ #
+ # @return [Boolean]
+ def json? string
+ return true if JSON.parse(string)
+ rescue StandardError
+ false
end
end
end
end
end
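Review bot: `json?` does not return a Boolean for every valid JSON string: `return true if JSON.parse(string)` falls through to `nil` when the parsed value is falsy, so the inputs `"null"` and `"false"` are still pushed through `JSON.generate` in `find_attacker` and arrive quoted, while `"true"`, numbers, arrays and objects pass through raw, which gives the rule an inconsistent match surface. Replace the body with `JSON.parse(string)` followed by `true` on its own line so any parse that succeeds counts as JSON. The `rescue StandardError` is also doing double duty: besides `JSON::ParserError` it absorbs the `TypeError` raised when `find_attacker` hands in the query hash rather than a string, which appears to be the normal path given the comment above it; a `return false unless string.is_a?(String)` guard would make that explicit and cheaper than an exception. Note the parse result is discarded, so attacker-controlled input is fully parsed purely as a probe; the json gem's default nesting limit bounds the recursion, but it is still wasted work on large inputs.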