lib/contrast/components/settings.rb in contrast-agent-3.11.0 vs lib/contrast/components/settings.rb in contrast-agent-3.12.0
- old
+ new
@@ -21,15 +21,10 @@
# tainted_columns are database columns that receive unsanitized input.
# this statefulness
attr_reader :tainted_columns # This can probably go into assess_state?
- # a vulnerability like padding oracle is exploited across
- # multiple requests, as a timing attack. these attempts must be
- # accumulated, in order to recognize the pattern and block the attack.
- attr_reader :accumulator_settings
-
# These three 'state' variables represent atomic config/setting state,
# outside of things like rule defs.
def assess_state
@assess_state ||= { # rubocop:disable Naming/MemoizedInstanceVariableName
@@ -38,12 +33,11 @@
}
end
def protect_state
@protect_state ||= { # rubocop:disable Naming/MemoizedInstanceVariableName
- enabled: false,
- accumulator_settings: Contrast::Api::Settings::AccumulatorSettings.new
+ enabled: false
}
end
def application_state
@application_state ||= { # rubocop:disable Naming/MemoizedInstanceVariableName
@@ -56,11 +50,11 @@
# These are settings that we receive & store.
# Rules are settings too, but they're more involved.
# So, between this block and rules, that's setting state.
PROTECT_STATE_ATTRS = %i[].cs__freeze
ASSESS_STATE_ATTRS = %i[sampling_features].cs__freeze
- APPLICATION_STATE_ATTRS = %i[modes_by_id exclusion_matchers disabled_assess_rules session_id].cs__freeze
+ APPLICATION_STATE_ATTRS = %i[modes_by_id exclusion_matchers disabled_assess_rules].cs__freeze
# Meta-define an accessor for each state attribute.
begin
PROTECT_STATE_ATTRS.each do |attr|
define_method(attr) do
@@ -79,22 +73,44 @@
application_state[attr]
end
end
end
+ def session_id
+ # TODO: RUBY-900 we shouldn't send things w/o having session id,
+ # figure out how this happened and fix it.
+ application_state[:session_id] || Contrast::Utils::ObjectShare::EMPTY_STRING
+ end
+
def initialize
reset_state
end
+ def protect_enabled?
+ @_protect_enabled = !!protect_state[:enabled] if @_protect_enabled.nil?
+ @_protect_enabled
+ end
+
+ def assess_enabled?
+ @_assess_enabled = !!assess_state[:enabled] if @_assess_enabled.nil?
+ @_assess_enabled
+ end
+
+ def code_exclusions
+ exclusion_matchers.select(&:code?)
+ end
+
def update_from_server_features server_features
# protect
begin
+ @_protect_enabled = nil
protect_state[:enabled] = server_features.protect_enabled?
end
# assess
begin
+ @_assess_enabled = nil
assess_state[:enabled] = server_features.assess_enabled?
assess_state[:sampling_settings] = server_features.assess.sampling
Contrast::Utils::Assess::SamplingUtil.instance.update
end
end
@@ -116,11 +132,10 @@
end
def build_assess_rules
@assess_rules = {}
- Contrast::Agent::Assess::Rule::Csrf.new
Contrast::Agent::Assess::Rule::Redos.new
end
def build_protect_rules
@protect_rules = {}
@@ -133,18 +148,9 @@
Contrast::Agent::Protect::Rule::PathTraversal.new
Contrast::Agent::Protect::Rule::Sqli.new
Contrast::Agent::Protect::Rule::UnsafeFileUpload.new
Contrast::Agent::Protect::Rule::Xss.new
Contrast::Agent::Protect::Rule::Xxe.new
-
- # Beta Rules
- Contrast::Agent::Protect::Rule::Csrf.new
- end
-
- # these are less 'settings' and more 'how do I behave.'
- # relocate to Agent or Assess/Protect.
- def protect_rule_mode rule_id
- CONFIG.root.protect.rules[rule_id]&.mode || modes_by_id[rule_id] || :NO_ACTION
end
end
COMPONENT_INTERFACE = Interface.new
end