resources/assess/policy.json in contrast-agent-4.9.1 vs resources/assess/policy.json in contrast-agent-4.10.0
- old
+ new
@@ -32,10 +32,27 @@
"method_name": "raw_post",
"target": "R",
"type": "BODY",
"tags":["NO_NEWLINES", "CROSS_SITE"]
}, {
+ "class_name":"ActionDispatch::Request",
+ "instance_method": true,
+ "method_visibility": "public",
+ "method_name": "body",
+ "source": "P0",
+ "target": "R",
+ "type": "BODY",
+ "tags":["NO_NEWLINES", "CROSS_SITE"]
+ }, {
+ "class_name":"ActionDispatch::Cookies::CookieJar",
+ "instance_method": true,
+ "method_visibility": "public",
+ "method_name": "[]",
+ "target": "R",
+ "type": "COOKIE",
+ "tags":["NO_NEWLINES", "CROSS_SITE"]
+ }, {
"class_name":"Rack::Request::Helpers",
"instance_method": true,
"method_visibility": "public",
"method_name":"POST",
"target":"R",
@@ -127,22 +144,57 @@
"method_visibility": "public",
"method_name":"params",
"target":"R",
"type":"PARAMETER",
"tags":["CROSS_SITE"]
+ }, {
+ "class_name":"Grape::Env",
+ "instance_method": true,
+ "method_visibility": "public",
+ "method_name":"[]",
+ "source": "P0",
+ "target":"R",
+ "type":"HEADER",
+ "tags":["CROSS_SITE"]
+ }, {
+ "class_name":"Grape::Request",
+ "instance_method": true,
+ "method_visibility": "public",
+ "method_name":"headers",
+ "source": "P0",
+ "target":"R",
+ "type":"HEADER",
+ "tags":["NO_NEWLINES", "CROSS_SITE"]
+ }, {
+ "class_name":"Grape::Request",
+ "instance_method": true,
+ "method_visibility": "public",
+ "method_name":"body",
+ "target":"R",
+ "type":"BODY",
+ "tags":["CROSS_SITE"]
+ }, {
+ "class_name":"Grape::Validations::Base",
+ "instance_method": true,
+ "method_visibility": "public",
+ "method_name":"validate!",
+ "source": "P0",
+ "target":"R",
+ "type":"PARAMETER",
+ "tags":["CROSS_SITE"]
}
],
"propagators":[
- {
+ {
"class_name":"String",
"instance_method": true,
"method_visibility": "public",
"method_name":"dup",
"source":"O",
"target":"R",
"action":"KEEP"
- }, {
+ }, {
"class_name": "String",
"instance_method": true,
"method_visibility": "public",
"method_name": "to_s",
"source": "O",
@@ -720,11 +772,29 @@
"action": "CUSTOM",
"patch_class": "Contrast::Agent::Assess::Policy::Propagator::Select",
"patch_method": "select_tagger",
"source": "O",
"target": "R"
+ },{
+ "class_name":"CGI::Util",
+ "method_name":"unescape",
+ "instance_method": true,
+ "method_visibility": "public",
+ "source":"P0",
+ "target":"R",
+ "action":"SPLAT",
+ "tags":[],
+ "untags":[]
}, {
+ "class_name":"StringIO",
+ "instance_method": true,
+ "method_visibility": "public",
+ "method_name": "read",
+ "source": "O",
+ "target": "R",
+ "action": "SPLAT"
+ }, {
"class_name":"CGI::Util",
"method_name":"escapeHTML",
"instance_method": true,
"method_visibility": "public",
"source":"P0",
@@ -741,10 +811,20 @@
"target":"R",
"action":"SPLAT",
"tags":["HTML_ENCODED"],
"untags":["HTML_DECODED"]
}, {
+ "class_name":"Rack::Utils",
+ "method_name":"escape_html",
+ "instance_method": false,
+ "method_visibility": "public",
+ "source":"P0",
+ "target":"R",
+ "action":"SPLAT",
+ "tags":["HTML_ENCODED"],
+ "untags":["HTML_DECODED"]
+ }, {
"class_name":"CGI::Util",
"method_name":"h",
"instance_method": true,
"method_visibility": "public",
"source":"P0",
@@ -1286,10 +1366,22 @@
"method_name":"write",
"instance_method": true,
"method_visibility": "public",
"source":"P0"
}, {
+ "class_name":"Rack::Response",
+ "method_name":"body=",
+ "instance_method": true,
+ "method_visibility": "public",
+ "source":"P0"
+ }, {
+ "class_name":"Rack::Response",
+ "method_name":"write",
+ "instance_method": true,
+ "method_visibility": "public",
+ "source":"P0"
+ }, {
"class_name":"Sinatra::Helpers",
"method_name":"body",
"instance_method": true,
"method_visibility": "public",
"source":"P0"
@@ -1346,15 +1438,111 @@
"instance_method": true,
"method_visibility": "public",
"method_name":"async_exec",
"source":"P0"
}, {
+ "class_name":"ActiveRecord::Relation::Calculations",
+ "instance_method": true,
+ "method_visibility": "public",
+ "method_name":"calculate",
+ "source":"P0"
+ }, {
+ "class_name":"ActiveRecord::FinderMethods",
+ "instance_method": true,
+ "method_visibility": "public",
+ "method_name":"exists?",
+ "source":"P0"
+ }, {
+ "class_name":"ActiveRecord::FinderMethods",
+ "instance_method": true,
+ "method_visibility": "public",
+ "method_name":"find_by",
+ "source":"P0"
+ }, {
"class_name":"ActiveRecord::Querying",
"instance_method": false,
"method_visibility": "public",
"method_name":"select",
"source":"P0"
+ }, {
+ "class_name":"ActiveRecord::QueryMethods",
+ "instance_method": true,
+ "method_visibility": "public",
+ "method_name":"from",
+ "source":"P0"
+ }, {
+ "class_name":"ActiveRecord::QueryMethods",
+ "instance_method": true,
+ "method_visibility": "public",
+ "method_name":"group",
+ "source":"P0"
+ }, {
+ "class_name":"ActiveRecord::QueryMethods",
+ "instance_method": true,
+ "method_visibility": "public",
+ "method_name":"having",
+ "source":"P0"
+ }, {
+ "class_name":"ActiveRecord::QueryMethods",
+ "instance_method": true,
+ "method_visibility": "public",
+ "method_name":"joins",
+ "source":"P0"
+ }, {
+ "class_name":"ActiveRecord::QueryMethods",
+ "instance_method": true,
+ "method_visibility": "public",
+ "method_name":"lock",
+ "source":"P0"
+ }, {
+ "class_name":"ActiveRecord::QueryMethods",
+ "instance_method": true,
+ "method_visibility": "public",
+ "method_name":"select",
+ "source":"P0"
+ }, {
+ "class_name":"ActiveRecord::QueryMethods",
+ "instance_method": true,
+ "method_visibility": "public",
+ "method_name":"reselect",
+ "source":"P0"
+ }, {
+ "class_name":"ActiveRecord::QueryMethods",
+ "instance_method": true,
+ "method_visibility": "public",
+ "method_name":"where",
+ "source":"P0"
+ }, {
+ "class_name":"ActiveRecord::QueryMethods",
+ "instance_method": true,
+ "method_visibility": "public",
+ "method_name":"rewhere",
+ "source":"P0"
+ }, {
+ "class_name":"ActiveRecord::QueryMethods::WhereChain",
+ "instance_method": true,
+ "method_visibility": "public",
+ "method_name":"not",
+ "source":"P0"
+ }, {
+ "class_name":"ActiveRecord::Relation",
+ "instance_method": true,
+ "method_visibility": "public",
+ "method_name":"delete_by",
+ "source":"P0"
+ }, {
+ "class_name":"ActiveRecord::Relation",
+ "instance_method": true,
+ "method_visibility": "public",
+ "method_name":"destroy_by",
+ "source":"P0"
+ }, {
+ "class_name":"ActiveRecord::Relation",
+ "instance_method": true,
+ "method_visibility": "public",
+ "method_name":"update_all",
+ "source":"P0"
}
]
}, {
"name": "reflection-injection",
"triggers": [
@@ -1682,9 +1870,16 @@
{
"class_name": "ActionController::Redirecting",
"instance_method": true,
"method_visibility": "public",
"method_name": "redirect_to",
+ "source": "P0"
+ },
+ {
+ "class_name": "Grape::DSL::InsideRoute",
+ "instance_method": true,
+ "method_visibility": "public",
+ "method_name": "redirect",
"source": "P0"
}
]
}, {
"name": "untrusted-deserialization",