contrast-agent 3.8.4

Files changed (500) hide show
  1. checksums.yaml +7 -0
  2. data/.clang-format +5 -0
  3. data/.dockerignore +10 -0
  4. data/.gitignore +58 -0
  5. data/.gitmodules +6 -0
  6. data/.rspec +6 -0
  7. data/.simplecov +4 -0
  8. data/Gemfile +7 -0
  9. data/LICENSE.txt +12 -0
  10. data/Rakefile +15 -0
  11. data/exe/contrast_service +29 -0
  12. data/ext/build_funchook.rb +48 -0
  13. data/ext/cs__assess_active_record_named/cs__active_record_named.c +47 -0
  14. data/ext/cs__assess_active_record_named/cs__active_record_named.h +10 -0
  15. data/ext/cs__assess_active_record_named/extconf.rb +2 -0
  16. data/ext/cs__assess_array/cs__assess_array.c +38 -0
  17. data/ext/cs__assess_array/cs__assess_array.h +9 -0
  18. data/ext/cs__assess_array/extconf.rb +2 -0
  19. data/ext/cs__assess_basic_object/cs__assess_basic_object.c +50 -0
  20. data/ext/cs__assess_basic_object/cs__assess_basic_object.h +17 -0
  21. data/ext/cs__assess_basic_object/extconf.rb +2 -0
  22. data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +86 -0
  23. data/ext/cs__assess_fiber_track/cs__assess_fiber_track.h +34 -0
  24. data/ext/cs__assess_fiber_track/extconf.rb +2 -0
  25. data/ext/cs__assess_hash/cs__assess_hash.c +64 -0
  26. data/ext/cs__assess_hash/cs__assess_hash.h +24 -0
  27. data/ext/cs__assess_hash/extconf.rb +2 -0
  28. data/ext/cs__assess_kernel/cs__assess_kernel.c +36 -0
  29. data/ext/cs__assess_kernel/cs__assess_kernel.h +10 -0
  30. data/ext/cs__assess_kernel/extconf.rb +2 -0
  31. data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +47 -0
  32. data/ext/cs__assess_marshal_module/cs__assess_marshal_module.h +18 -0
  33. data/ext/cs__assess_marshal_module/extconf.rb +2 -0
  34. data/ext/cs__assess_module/cs__assess_module.c +78 -0
  35. data/ext/cs__assess_module/cs__assess_module.h +25 -0
  36. data/ext/cs__assess_module/extconf.rb +2 -0
  37. data/ext/cs__assess_regexp/cs__assess_regexp.c +48 -0
  38. data/ext/cs__assess_regexp/cs__assess_regexp.h +22 -0
  39. data/ext/cs__assess_regexp/extconf.rb +2 -0
  40. data/ext/cs__assess_regexp_track/cs__assess_regexp_track.c +63 -0
  41. data/ext/cs__assess_regexp_track/cs__assess_regexp_track.h +29 -0
  42. data/ext/cs__assess_regexp_track/extconf.rb +2 -0
  43. data/ext/cs__assess_string/cs__assess_string.c +38 -0
  44. data/ext/cs__assess_string/cs__assess_string.h +19 -0
  45. data/ext/cs__assess_string/extconf.rb +2 -0
  46. data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +31 -0
  47. data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.h +13 -0
  48. data/ext/cs__assess_string_interpolation26/extconf.rb +2 -0
  49. data/ext/cs__common/cs__common.c +60 -0
  50. data/ext/cs__common/cs__common.h +28 -0
  51. data/ext/cs__common/extconf.rb +20 -0
  52. data/ext/cs__contrast_patch/cs__contrast_patch.c +445 -0
  53. data/ext/cs__contrast_patch/cs__contrast_patch.h +196 -0
  54. data/ext/cs__contrast_patch/extconf.rb +2 -0
  55. data/ext/cs__protect_kernel/cs__protect_kernel.c +37 -0
  56. data/ext/cs__protect_kernel/cs__protect_kernel.h +11 -0
  57. data/ext/cs__protect_kernel/extconf.rb +2 -0
  58. data/ext/cs__scope/cs__scope.c +96 -0
  59. data/ext/cs__scope/cs__scope.h +33 -0
  60. data/ext/cs__scope/extconf.rb +2 -0
  61. data/ext/extconf_common.rb +49 -0
  62. data/funchook/LICENSE +360 -0
  63. data/funchook/Makefile +29 -0
  64. data/funchook/Makefile.in +29 -0
  65. data/funchook/README.md +121 -0
  66. data/funchook/appveyor.yml +42 -0
  67. data/funchook/autogen.sh +3 -0
  68. data/funchook/autom4te.cache/output.0 +4976 -0
  69. data/funchook/autom4te.cache/requests +78 -0
  70. data/funchook/autom4te.cache/traces.0 +364 -0
  71. data/funchook/config.guess +1530 -0
  72. data/funchook/config.log +490 -0
  73. data/funchook/config.status +1016 -0
  74. data/funchook/config.sub +1773 -0
  75. data/funchook/configure +4976 -0
  76. data/funchook/configure.ac +59 -0
  77. data/funchook/distorm/COPYING +26 -0
  78. data/funchook/distorm/MANIFEST +25 -0
  79. data/funchook/distorm/MANIFEST.in +4 -0
  80. data/funchook/distorm/README.md +12 -0
  81. data/funchook/distorm/disOps/disOps.py +795 -0
  82. data/funchook/distorm/disOps/x86db.py +404 -0
  83. data/funchook/distorm/disOps/x86header.py +247 -0
  84. data/funchook/distorm/disOps/x86sets.py +1664 -0
  85. data/funchook/distorm/examples/cs/TestdiStorm/Program.cs +79 -0
  86. data/funchook/distorm/examples/cs/TestdiStorm/Properties/AssemblyInfo.cs +36 -0
  87. data/funchook/distorm/examples/cs/TestdiStorm/TestdiStorm.csproj +69 -0
  88. data/funchook/distorm/examples/cs/distorm-net.sln +26 -0
  89. data/funchook/distorm/examples/cs/distorm-net/CodeInfo.cs +23 -0
  90. data/funchook/distorm/examples/cs/distorm-net/DecodedInst.cs +15 -0
  91. data/funchook/distorm/examples/cs/distorm-net/DecodedResult.cs +14 -0
  92. data/funchook/distorm/examples/cs/distorm-net/DecomposedInst.cs +36 -0
  93. data/funchook/distorm/examples/cs/distorm-net/DecomposedResult.cs +14 -0
  94. data/funchook/distorm/examples/cs/distorm-net/Opcodes.cs +1268 -0
  95. data/funchook/distorm/examples/cs/distorm-net/Opcodes.tt +37 -0
  96. data/funchook/distorm/examples/cs/distorm-net/Operand.cs +25 -0
  97. data/funchook/distorm/examples/cs/distorm-net/Properties/AssemblyInfo.cs +36 -0
  98. data/funchook/distorm/examples/cs/distorm-net/diStorm3.cs +411 -0
  99. data/funchook/distorm/examples/cs/distorm-net/distorm-net.csproj +80 -0
  100. data/funchook/distorm/examples/cs/readme +3 -0
  101. data/funchook/distorm/examples/ddk/README +48 -0
  102. data/funchook/distorm/examples/ddk/distorm.ini +11 -0
  103. data/funchook/distorm/examples/ddk/dummy.c +15 -0
  104. data/funchook/distorm/examples/ddk/main.c +91 -0
  105. data/funchook/distorm/examples/ddk/makefile +1 -0
  106. data/funchook/distorm/examples/ddk/sources +10 -0
  107. data/funchook/distorm/examples/java/Makefile +23 -0
  108. data/funchook/distorm/examples/java/distorm/src/Main.java +43 -0
  109. data/funchook/distorm/examples/java/distorm/src/diStorm3/CodeInfo.java +27 -0
  110. data/funchook/distorm/examples/java/distorm/src/diStorm3/DecodedInst.java +32 -0
  111. data/funchook/distorm/examples/java/distorm/src/diStorm3/DecodedResult.java +11 -0
  112. data/funchook/distorm/examples/java/distorm/src/diStorm3/DecomposedInst.java +89 -0
  113. data/funchook/distorm/examples/java/distorm/src/diStorm3/DecomposedResult.java +11 -0
  114. data/funchook/distorm/examples/java/distorm/src/diStorm3/OpcodeEnum.java +131 -0
  115. data/funchook/distorm/examples/java/distorm/src/diStorm3/Opcodes.java +1123 -0
  116. data/funchook/distorm/examples/java/distorm/src/diStorm3/Operand.java +24 -0
  117. data/funchook/distorm/examples/java/distorm/src/diStorm3/distorm3.java +41 -0
  118. data/funchook/distorm/examples/java/jdistorm.c +405 -0
  119. data/funchook/distorm/examples/java/jdistorm.h +40 -0
  120. data/funchook/distorm/examples/java/jdistorm.sln +20 -0
  121. data/funchook/distorm/examples/java/jdistorm.vcproj +208 -0
  122. data/funchook/distorm/examples/linux/Makefile +15 -0
  123. data/funchook/distorm/examples/linux/main.c +181 -0
  124. data/funchook/distorm/examples/tests/Makefile +15 -0
  125. data/funchook/distorm/examples/tests/main.cpp +42 -0
  126. data/funchook/distorm/examples/tests/main.py +66 -0
  127. data/funchook/distorm/examples/tests/test_distorm3.py +1672 -0
  128. data/funchook/distorm/examples/tests/tests.sln +20 -0
  129. data/funchook/distorm/examples/tests/tests.vcxproj +82 -0
  130. data/funchook/distorm/examples/tests/tests.vcxproj.filters +22 -0
  131. data/funchook/distorm/examples/win32/disasm.sln +25 -0
  132. data/funchook/distorm/examples/win32/disasm.vcxproj +201 -0
  133. data/funchook/distorm/examples/win32/disasm.vcxproj.filters +14 -0
  134. data/funchook/distorm/examples/win32/main.cpp +163 -0
  135. data/funchook/distorm/include/distorm.h +482 -0
  136. data/funchook/distorm/include/mnemonics.h +301 -0
  137. data/funchook/distorm/make/linux/Makefile +28 -0
  138. data/funchook/distorm/make/mac/Makefile +24 -0
  139. data/funchook/distorm/make/win32/cdistorm.vcxproj +239 -0
  140. data/funchook/distorm/make/win32/cdistorm.vcxproj.filters +80 -0
  141. data/funchook/distorm/make/win32/distorm.sln +25 -0
  142. data/funchook/distorm/make/win32/resource.h +14 -0
  143. data/funchook/distorm/make/win32/resource.rc +99 -0
  144. data/funchook/distorm/python/distorm3/__init__.py +957 -0
  145. data/funchook/distorm/python/distorm3/sample.py +51 -0
  146. data/funchook/distorm/setup.cfg +10 -0
  147. data/funchook/distorm/setup.py +266 -0
  148. data/funchook/distorm/src/config.h +169 -0
  149. data/funchook/distorm/src/decoder.c +641 -0
  150. data/funchook/distorm/src/decoder.h +33 -0
  151. data/funchook/distorm/src/distorm.c +413 -0
  152. data/funchook/distorm/src/instructions.c +597 -0
  153. data/funchook/distorm/src/instructions.h +463 -0
  154. data/funchook/distorm/src/insts.c +7939 -0
  155. data/funchook/distorm/src/insts.h +64 -0
  156. data/funchook/distorm/src/mnemonics.c +284 -0
  157. data/funchook/distorm/src/operands.c +1290 -0
  158. data/funchook/distorm/src/operands.h +28 -0
  159. data/funchook/distorm/src/prefix.c +368 -0
  160. data/funchook/distorm/src/prefix.h +64 -0
  161. data/funchook/distorm/src/textdefs.c +172 -0
  162. data/funchook/distorm/src/textdefs.h +57 -0
  163. data/funchook/distorm/src/wstring.c +47 -0
  164. data/funchook/distorm/src/wstring.h +35 -0
  165. data/funchook/distorm/src/x86defs.h +82 -0
  166. data/funchook/include/funchook.h +123 -0
  167. data/funchook/install-sh +527 -0
  168. data/funchook/src/Makefile +70 -0
  169. data/funchook/src/Makefile.in +70 -0
  170. data/funchook/src/__strerror.h +109 -0
  171. data/funchook/src/config.h +101 -0
  172. data/funchook/src/config.h.in +100 -0
  173. data/funchook/src/decoder.o +0 -0
  174. data/funchook/src/distorm.o +0 -0
  175. data/funchook/src/funchook.c +440 -0
  176. data/funchook/src/funchook.o +0 -0
  177. data/funchook/src/funchook_internal.h +155 -0
  178. data/funchook/src/funchook_io.c +182 -0
  179. data/funchook/src/funchook_io.h +64 -0
  180. data/funchook/src/funchook_io.o +0 -0
  181. data/funchook/src/funchook_syscall.S +134 -0
  182. data/funchook/src/funchook_syscall.o +0 -0
  183. data/funchook/src/funchook_unix.c +480 -0
  184. data/funchook/src/funchook_unix.o +0 -0
  185. data/funchook/src/funchook_windows.c +397 -0
  186. data/funchook/src/funchook_x86.c +622 -0
  187. data/funchook/src/funchook_x86.o +0 -0
  188. data/funchook/src/instructions.o +0 -0
  189. data/funchook/src/insts.o +0 -0
  190. data/funchook/src/libfunchook.so +0 -0
  191. data/funchook/src/mnemonics.o +0 -0
  192. data/funchook/src/operands.o +0 -0
  193. data/funchook/src/os_func.c +115 -0
  194. data/funchook/src/os_func.h +75 -0
  195. data/funchook/src/os_func.o +0 -0
  196. data/funchook/src/os_func_unix.c +94 -0
  197. data/funchook/src/os_func_unix.o +0 -0
  198. data/funchook/src/os_func_windows.c +32 -0
  199. data/funchook/src/prefix.o +0 -0
  200. data/funchook/src/printf_base.c +1688 -0
  201. data/funchook/src/printf_base.h +46 -0
  202. data/funchook/src/printf_base.o +0 -0
  203. data/funchook/src/textdefs.o +0 -0
  204. data/funchook/src/wstring.o +0 -0
  205. data/funchook/test/Makefile +43 -0
  206. data/funchook/test/Makefile.in +43 -0
  207. data/funchook/test/funchook_test +0 -0
  208. data/funchook/test/libfunchook_test.c +25 -0
  209. data/funchook/test/libfunchook_test.so +0 -0
  210. data/funchook/test/libfunchook_test2.c +18 -0
  211. data/funchook/test/suffix.list +600 -0
  212. data/funchook/test/test_main.c +430 -0
  213. data/funchook/test/test_main.o +0 -0
  214. data/funchook/test/x86_64_test.S +10 -0
  215. data/funchook/test/x86_64_test.o +0 -0
  216. data/funchook/test/x86_test.S +339 -0
  217. data/funchook/win32/config.h +1 -0
  218. data/funchook/win32/funchook.sln +52 -0
  219. data/funchook/win32/funchook.vcxproj +188 -0
  220. data/funchook/win32/funchook.vcxproj.filters +84 -0
  221. data/funchook/win32/funchook_test.vcxproj +170 -0
  222. data/funchook/win32/funchook_test.vcxproj.filters +22 -0
  223. data/funchook/win32/funchook_test_dll.vcxproj +184 -0
  224. data/funchook/win32/funchook_test_dll.vcxproj.filters +30 -0
  225. data/funchook/win32/funchook_test_exe.def +3 -0
  226. data/lib/contrast-agent.rb +8 -0
  227. data/lib/contrast.rb +57 -0
  228. data/lib/contrast/agent.rb +80 -0
  229. data/lib/contrast/agent/assess.rb +45 -0
  230. data/lib/contrast/agent/assess/adjusted_span.rb +25 -0
  231. data/lib/contrast/agent/assess/class_reverter.rb +82 -0
  232. data/lib/contrast/agent/assess/contrast_event.rb +398 -0
  233. data/lib/contrast/agent/assess/frozen_properties.rb +41 -0
  234. data/lib/contrast/agent/assess/insulator.rb +53 -0
  235. data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +78 -0
  236. data/lib/contrast/agent/assess/policy/patcher.rb +85 -0
  237. data/lib/contrast/agent/assess/policy/policy.rb +116 -0
  238. data/lib/contrast/agent/assess/policy/policy_node.rb +289 -0
  239. data/lib/contrast/agent/assess/policy/policy_scanner.rb +44 -0
  240. data/lib/contrast/agent/assess/policy/preshift.rb +94 -0
  241. data/lib/contrast/agent/assess/policy/propagation_method.rb +260 -0
  242. data/lib/contrast/agent/assess/policy/propagation_node.rb +127 -0
  243. data/lib/contrast/agent/assess/policy/propagator.rb +35 -0
  244. data/lib/contrast/agent/assess/policy/propagator/append.rb +54 -0
  245. data/lib/contrast/agent/assess/policy/propagator/base.rb +37 -0
  246. data/lib/contrast/agent/assess/policy/propagator/center.rb +73 -0
  247. data/lib/contrast/agent/assess/policy/propagator/custom.rb +36 -0
  248. data/lib/contrast/agent/assess/policy/propagator/database_write.rb +62 -0
  249. data/lib/contrast/agent/assess/policy/propagator/insert.rb +55 -0
  250. data/lib/contrast/agent/assess/policy/propagator/keep.rb +26 -0
  251. data/lib/contrast/agent/assess/policy/propagator/next.rb +42 -0
  252. data/lib/contrast/agent/assess/policy/propagator/prepend.rb +50 -0
  253. data/lib/contrast/agent/assess/policy/propagator/remove.rb +76 -0
  254. data/lib/contrast/agent/assess/policy/propagator/replace.rb +27 -0
  255. data/lib/contrast/agent/assess/policy/propagator/reverse.rb +38 -0
  256. data/lib/contrast/agent/assess/policy/propagator/select.rb +86 -0
  257. data/lib/contrast/agent/assess/policy/propagator/splat.rb +60 -0
  258. data/lib/contrast/agent/assess/policy/propagator/split.rb +49 -0
  259. data/lib/contrast/agent/assess/policy/propagator/substitution.rb +169 -0
  260. data/lib/contrast/agent/assess/policy/propagator/trim.rb +81 -0
  261. data/lib/contrast/agent/assess/policy/rewriter_patch.rb +79 -0
  262. data/lib/contrast/agent/assess/policy/source_method.rb +209 -0
  263. data/lib/contrast/agent/assess/policy/source_node.rb +62 -0
  264. data/lib/contrast/agent/assess/policy/trigger_method.rb +209 -0
  265. data/lib/contrast/agent/assess/policy/trigger_node.rb +198 -0
  266. data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +77 -0
  267. data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +31 -0
  268. data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +40 -0
  269. data/lib/contrast/agent/assess/properties.rb +392 -0
  270. data/lib/contrast/agent/assess/rule.rb +18 -0
  271. data/lib/contrast/agent/assess/rule/base.rb +72 -0
  272. data/lib/contrast/agent/assess/rule/csrf.rb +66 -0
  273. data/lib/contrast/agent/assess/rule/csrf/csrf_action.rb +28 -0
  274. data/lib/contrast/agent/assess/rule/csrf/csrf_applicator.rb +69 -0
  275. data/lib/contrast/agent/assess/rule/csrf/csrf_watcher.rb +132 -0
  276. data/lib/contrast/agent/assess/rule/provider.rb +21 -0
  277. data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +62 -0
  278. data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +73 -0
  279. data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +121 -0
  280. data/lib/contrast/agent/assess/rule/redos.rb +68 -0
  281. data/lib/contrast/agent/assess/rule/response_scanning_rule.rb +47 -0
  282. data/lib/contrast/agent/assess/rule/response_watcher.rb +36 -0
  283. data/lib/contrast/agent/assess/rule/watcher.rb +36 -0
  284. data/lib/contrast/agent/assess/tag.rb +151 -0
  285. data/lib/contrast/agent/at_exit_hook.rb +33 -0
  286. data/lib/contrast/agent/class_reopener.rb +195 -0
  287. data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +26 -0
  288. data/lib/contrast/agent/deadzone/policy/policy.rb +57 -0
  289. data/lib/contrast/agent/disable_reaction.rb +24 -0
  290. data/lib/contrast/agent/exclusion_matcher.rb +190 -0
  291. data/lib/contrast/agent/feature_state.rb +379 -0
  292. data/lib/contrast/agent/inventory/policy/policy.rb +32 -0
  293. data/lib/contrast/agent/inventory/policy/trigger_node.rb +22 -0
  294. data/lib/contrast/agent/logger_manager.rb +116 -0
  295. data/lib/contrast/agent/middleware.rb +352 -0
  296. data/lib/contrast/agent/module_data.rb +16 -0
  297. data/lib/contrast/agent/patching/policy/after_load_patch.rb +37 -0
  298. data/lib/contrast/agent/patching/policy/after_load_patcher.rb +58 -0
  299. data/lib/contrast/agent/patching/policy/method_policy.rb +94 -0
  300. data/lib/contrast/agent/patching/policy/module_policy.rb +116 -0
  301. data/lib/contrast/agent/patching/policy/patch.rb +312 -0
  302. data/lib/contrast/agent/patching/policy/patch_status.rb +192 -0
  303. data/lib/contrast/agent/patching/policy/patcher.rb +310 -0
  304. data/lib/contrast/agent/patching/policy/policy.rb +138 -0
  305. data/lib/contrast/agent/patching/policy/policy_node.rb +80 -0
  306. data/lib/contrast/agent/patching/policy/policy_unpatcher.rb +28 -0
  307. data/lib/contrast/agent/patching/policy/trigger_node.rb +81 -0
  308. data/lib/contrast/agent/protect/policy/policy.rb +37 -0
  309. data/lib/contrast/agent/protect/policy/trigger_node.rb +23 -0
  310. data/lib/contrast/agent/protect/rule.rb +58 -0
  311. data/lib/contrast/agent/protect/rule/base.rb +300 -0
  312. data/lib/contrast/agent/protect/rule/base_service.rb +88 -0
  313. data/lib/contrast/agent/protect/rule/cmd_injection.rb +156 -0
  314. data/lib/contrast/agent/protect/rule/csrf.rb +118 -0
  315. data/lib/contrast/agent/protect/rule/csrf/csrf_evaluator.rb +103 -0
  316. data/lib/contrast/agent/protect/rule/csrf/csrf_token_injector.rb +85 -0
  317. data/lib/contrast/agent/protect/rule/default_scanner.rb +300 -0
  318. data/lib/contrast/agent/protect/rule/deserialization.rb +193 -0
  319. data/lib/contrast/agent/protect/rule/http_method_tampering.rb +80 -0
  320. data/lib/contrast/agent/protect/rule/no_sqli.rb +101 -0
  321. data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb +40 -0
  322. data/lib/contrast/agent/protect/rule/path_traversal.rb +143 -0
  323. data/lib/contrast/agent/protect/rule/sqli.rb +101 -0
  324. data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb +16 -0
  325. data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb +38 -0
  326. data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +22 -0
  327. data/lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb +19 -0
  328. data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +20 -0
  329. data/lib/contrast/agent/protect/rule/xss.rb +24 -0
  330. data/lib/contrast/agent/protect/rule/xxe.rb +120 -0
  331. data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +82 -0
  332. data/lib/contrast/agent/railtie.rb +30 -0
  333. data/lib/contrast/agent/reaction_processor.rb +47 -0
  334. data/lib/contrast/agent/request.rb +493 -0
  335. data/lib/contrast/agent/request_context.rb +225 -0
  336. data/lib/contrast/agent/require_state.rb +61 -0
  337. data/lib/contrast/agent/response.rb +215 -0
  338. data/lib/contrast/agent/rewriter.rb +244 -0
  339. data/lib/contrast/agent/scope.rb +28 -0
  340. data/lib/contrast/agent/service_heartbeat.rb +37 -0
  341. data/lib/contrast/agent/settings_state.rb +148 -0
  342. data/lib/contrast/agent/socket_client.rb +125 -0
  343. data/lib/contrast/agent/thread.rb +26 -0
  344. data/lib/contrast/agent/tracepoint_hook.rb +51 -0
  345. data/lib/contrast/agent/version.rb +8 -0
  346. data/lib/contrast/api.rb +17 -0
  347. data/lib/contrast/api/.gitkeep +0 -0
  348. data/lib/contrast/api/connection_status.rb +49 -0
  349. data/lib/contrast/api/socket.rb +43 -0
  350. data/lib/contrast/api/speedracer.rb +206 -0
  351. data/lib/contrast/api/tcp_socket.rb +31 -0
  352. data/lib/contrast/api/unix_socket.rb +25 -0
  353. data/lib/contrast/common_agent_configuration.rb +86 -0
  354. data/lib/contrast/components/agent.rb +85 -0
  355. data/lib/contrast/components/app_context.rb +188 -0
  356. data/lib/contrast/components/assess.rb +67 -0
  357. data/lib/contrast/components/config.rb +135 -0
  358. data/lib/contrast/components/contrast_service.rb +113 -0
  359. data/lib/contrast/components/heap_dump.rb +34 -0
  360. data/lib/contrast/components/interface.rb +178 -0
  361. data/lib/contrast/components/inventory.rb +23 -0
  362. data/lib/contrast/components/logger.rb +92 -0
  363. data/lib/contrast/components/protect.rb +38 -0
  364. data/lib/contrast/components/sampling.rb +41 -0
  365. data/lib/contrast/components/scope.rb +106 -0
  366. data/lib/contrast/components/settings.rb +140 -0
  367. data/lib/contrast/config.rb +33 -0
  368. data/lib/contrast/config/agent_configuration.rb +24 -0
  369. data/lib/contrast/config/application_configuration.rb +27 -0
  370. data/lib/contrast/config/assess_configuration.rb +22 -0
  371. data/lib/contrast/config/assess_rules_configuration.rb +18 -0
  372. data/lib/contrast/config/base_configuration.rb +105 -0
  373. data/lib/contrast/config/default_value.rb +16 -0
  374. data/lib/contrast/config/exception_configuration.rb +21 -0
  375. data/lib/contrast/config/heap_dump_configuration.rb +23 -0
  376. data/lib/contrast/config/inventory_configuration.rb +20 -0
  377. data/lib/contrast/config/logger_configuration.rb +20 -0
  378. data/lib/contrast/config/protect_configuration.rb +20 -0
  379. data/lib/contrast/config/protect_rule_configuration.rb +37 -0
  380. data/lib/contrast/config/protect_rules_configuration.rb +30 -0
  381. data/lib/contrast/config/root_configuration.rb +26 -0
  382. data/lib/contrast/config/ruby_configuration.rb +39 -0
  383. data/lib/contrast/config/sampling_configuration.rb +22 -0
  384. data/lib/contrast/config/server_configuration.rb +23 -0
  385. data/lib/contrast/config/service_configuration.rb +22 -0
  386. data/lib/contrast/configuration.rb +214 -0
  387. data/lib/contrast/core_extensions/assess.rb +51 -0
  388. data/lib/contrast/core_extensions/assess/array.rb +58 -0
  389. data/lib/contrast/core_extensions/assess/assess_extension.rb +145 -0
  390. data/lib/contrast/core_extensions/assess/basic_object.rb +15 -0
  391. data/lib/contrast/core_extensions/assess/erb.rb +42 -0
  392. data/lib/contrast/core_extensions/assess/exec_trigger.rb +48 -0
  393. data/lib/contrast/core_extensions/assess/fiber.rb +125 -0
  394. data/lib/contrast/core_extensions/assess/hash.rb +22 -0
  395. data/lib/contrast/core_extensions/assess/kernel.rb +95 -0
  396. data/lib/contrast/core_extensions/assess/module.rb +14 -0
  397. data/lib/contrast/core_extensions/assess/regexp.rb +206 -0
  398. data/lib/contrast/core_extensions/assess/string.rb +75 -0
  399. data/lib/contrast/core_extensions/assess/tilt_template_trigger.rb +73 -0
  400. data/lib/contrast/core_extensions/delegator.rb +14 -0
  401. data/lib/contrast/core_extensions/eval_trigger.rb +52 -0
  402. data/lib/contrast/core_extensions/inventory.rb +22 -0
  403. data/lib/contrast/core_extensions/inventory/datastores.rb +37 -0
  404. data/lib/contrast/core_extensions/module.rb +42 -0
  405. data/lib/contrast/core_extensions/object.rb +27 -0
  406. data/lib/contrast/core_extensions/protect.rb +20 -0
  407. data/lib/contrast/core_extensions/protect/applies_command_injection_rule.rb +70 -0
  408. data/lib/contrast/core_extensions/protect/applies_deserialization_rule.rb +58 -0
  409. data/lib/contrast/core_extensions/protect/applies_no_sqli_rule.rb +81 -0
  410. data/lib/contrast/core_extensions/protect/applies_path_traversal_rule.rb +119 -0
  411. data/lib/contrast/core_extensions/protect/applies_sqli_rule.rb +63 -0
  412. data/lib/contrast/core_extensions/protect/applies_xxe_rule.rb +141 -0
  413. data/lib/contrast/core_extensions/protect/kernel.rb +30 -0
  414. data/lib/contrast/core_extensions/protect/psych.rb +7 -0
  415. data/lib/contrast/core_extensions/thread.rb +31 -0
  416. data/lib/contrast/internal_exception.rb +8 -0
  417. data/lib/contrast/rails_extensions/assess/action_controller_inheritance.rb +48 -0
  418. data/lib/contrast/rails_extensions/assess/active_record.rb +32 -0
  419. data/lib/contrast/rails_extensions/assess/active_record_named.rb +61 -0
  420. data/lib/contrast/rails_extensions/assess/configuration.rb +26 -0
  421. data/lib/contrast/rails_extensions/buffer.rb +30 -0
  422. data/lib/contrast/rails_extensions/rack.rb +45 -0
  423. data/lib/contrast/security_exception.rb +14 -0
  424. data/lib/contrast/sinatra_extensions/assess/cookie.rb +26 -0
  425. data/lib/contrast/sinatra_extensions/inventory/sinatra_base.rb +59 -0
  426. data/lib/contrast/tasks/service.rb +95 -0
  427. data/lib/contrast/utils/assess/sampling_util.rb +96 -0
  428. data/lib/contrast/utils/assess/tracking_util.rb +39 -0
  429. data/lib/contrast/utils/boolean_util.rb +33 -0
  430. data/lib/contrast/utils/cache.rb +69 -0
  431. data/lib/contrast/utils/class_util.rb +58 -0
  432. data/lib/contrast/utils/comment_range.rb +19 -0
  433. data/lib/contrast/utils/data_store_util.rb +23 -0
  434. data/lib/contrast/utils/duck_utils.rb +58 -0
  435. data/lib/contrast/utils/env_configuration_item.rb +52 -0
  436. data/lib/contrast/utils/environment_util.rb +152 -0
  437. data/lib/contrast/utils/freeze_util.rb +36 -0
  438. data/lib/contrast/utils/gemfile_reader.rb +191 -0
  439. data/lib/contrast/utils/hash_digest.rb +148 -0
  440. data/lib/contrast/utils/heap_dump_util.rb +113 -0
  441. data/lib/contrast/utils/invalid_configuration_util.rb +88 -0
  442. data/lib/contrast/utils/inventory_util.rb +126 -0
  443. data/lib/contrast/utils/io_util.rb +61 -0
  444. data/lib/contrast/utils/object_share.rb +117 -0
  445. data/lib/contrast/utils/operating_environment.rb +38 -0
  446. data/lib/contrast/utils/os.rb +49 -0
  447. data/lib/contrast/utils/path_util.rb +151 -0
  448. data/lib/contrast/utils/performs_logging.rb +152 -0
  449. data/lib/contrast/utils/preflight_util.rb +13 -0
  450. data/lib/contrast/utils/prevent_serialization.rb +52 -0
  451. data/lib/contrast/utils/rack_assess_session_cookie.rb +104 -0
  452. data/lib/contrast/utils/rails_assess_configuration.rb +95 -0
  453. data/lib/contrast/utils/random_util.rb +22 -0
  454. data/lib/contrast/utils/resource_loader.rb +23 -0
  455. data/lib/contrast/utils/ruby_ast_rewriter.rb +74 -0
  456. data/lib/contrast/utils/scope_util.rb +99 -0
  457. data/lib/contrast/utils/service_response_util.rb +116 -0
  458. data/lib/contrast/utils/service_sender_util.rb +98 -0
  459. data/lib/contrast/utils/sha256_builder.rb +69 -0
  460. data/lib/contrast/utils/sinatra_helper.rb +49 -0
  461. data/lib/contrast/utils/stack_trace_utils.rb +209 -0
  462. data/lib/contrast/utils/string_utils.rb +72 -0
  463. data/lib/contrast/utils/tag_util.rb +139 -0
  464. data/lib/contrast/utils/thread_tracker.rb +54 -0
  465. data/lib/contrast/utils/timer.rb +78 -0
  466. data/resources/assess/policy.json +1673 -0
  467. data/resources/csrf/inject.js +44 -0
  468. data/resources/deadzone/policy.json +55 -0
  469. data/resources/factory-bot-spec/spec_helper.rb +30 -0
  470. data/resources/inventory/policy.json +110 -0
  471. data/resources/protect/policy.json +417 -0
  472. data/resources/rubocops/kernel/catch_cop.rb +37 -0
  473. data/resources/rubocops/kernel/require_cop.rb +37 -0
  474. data/resources/rubocops/kernel/require_relative_cop.rb +33 -0
  475. data/resources/rubocops/module/autoload_cop.rb +37 -0
  476. data/resources/rubocops/module/const_defined_cop.rb +37 -0
  477. data/resources/rubocops/module/const_get_cop.rb +37 -0
  478. data/resources/rubocops/module/const_set_cop.rb +37 -0
  479. data/resources/rubocops/module/constants_cop.rb +37 -0
  480. data/resources/rubocops/module/name_cop.rb +37 -0
  481. data/resources/rubocops/object/class_cop.rb +37 -0
  482. data/resources/rubocops/object/freeze_cop.rb +37 -0
  483. data/resources/rubocops/object/frozen_cop.rb +37 -0
  484. data/resources/rubocops/object/is_a_cop.rb +37 -0
  485. data/resources/rubocops/object/method_cop.rb +37 -0
  486. data/resources/rubocops/object/respond_to_cop.rb +37 -0
  487. data/resources/rubocops/object/singleton_class_cop.rb +37 -0
  488. data/resources/rubocops/regexp/spelling_cop.rb +44 -0
  489. data/resources/rubocops/thread/new_cop.rb +39 -0
  490. data/resources/ruby-spec/ancestors_spec.rb +70 -0
  491. data/resources/ruby-spec/modulo_spec.rb +831 -0
  492. data/resources/ruby-spec/parameters_spec.rb +261 -0
  493. data/resources/ruby-spec/ruby_spec_spec_helper.rb +35 -0
  494. data/resources/test_marker.txt +1 -0
  495. data/ruby-agent.gemspec +129 -0
  496. data/service_executables/.gitkeep +0 -0
  497. data/service_executables/VERSION +1 -0
  498. data/service_executables/linux/contrast-service +0 -0
  499. data/service_executables/mac/contrast-service +0 -0
  500. metadata +945 -0
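--- /dev/null
+++ b/[path not shown on page — defines Contrast::Utils::TagUtil]
@@ -0,0 +1,139 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+module Utils
+# Utility methods for working with tag ranges
+class TagUtil
+class << self
+# Determine if the given array of tags is covered by the other
+# remaining_ranges: the tags left that haven't been covered by those given
+# ranges: the tags that are covering the first
+def covered? remaining_ranges, ranges
+return true unless remaining_ranges&.any?
+
+tag = remaining_ranges[0]
+ranges.each do |range|
+# If we covered the tag before using all the ranges, break
+break if tag.length <= 0
+
+relationship = tag.compare_range(range.start_idx, range.end_idx)
+case relationship
+when Contrast::Agent::Assess::Tag::BELOW
+# since the tags are ordered, if we're below, nope out
+return false
+when Contrast::Agent::Assess::Tag::LOW_SPAN
+# if we ever get a low span, that means a low part
+# won't be covered. there's no need to continue
+return false
+when Contrast::Agent::Assess::Tag::WITHOUT
+# if we ever get a without, that means a low part won't
+# be covered. there's no need to continue
+return false
+when Contrast::Agent::Assess::Tag::WITHIN
+# if we're within, then 0 out this tag since it is
+# completely covered
+tag.update_start(0)
+tag.update_end(0)
+when Contrast::Agent::Assess::Tag::HIGH_SPAN
+tag.update_start(range.end_idx)
+when Contrast::Agent::Assess::Tag::ABOVE # rubocop:disable Lint/EmptyWhen
+end
+end
+return false unless tag.length <= 0
+
+remaining_ranges.shift
+covered?(remaining_ranges, ranges)
+end
+
+# Given an array of tags, add all new tags to that array
+#
+# The addition is done such that the new entry(ies)
+# are inserted so that the range they cover is in order
+# Any overlapping ranges are merged before returning
+#
+# arr: the array of tags to which we are adding
+# new_arr: misnomer. either an array of or a single Tag to be added
+def ordered_merge arr, new_arr
+# [Contrast::Agent::Assess::Tag, ...]
+if new_arr.is_a?(Array)
+return arr unless new_arr.any?
+return new_arr unless arr&.any?
+
+new_arr.each { |new_element| single_ordered_merge(arr, new_element) }
+# Contrast::Agent::Assess::Tag
+else
+return arr unless new_arr
+return [new_arr] unless arr
+
+single_ordered_merge(arr, new_arr)
+end
+smallerize(arr)
+end
+
+# Given a collection of tags, merge any tags that are continuous
+#
+# If tags is a hash, it should be in the format label => [tags]
+# The array of tags will each be merged
+#
+# If tags is an array in the format [tags], the array will be
+# merged
+#
+# The original object is returned, although setters should not be
+# necessary since tags is a collection in either case
+def merge_tags tags
+if tags.is_a?(Hash)
+tags.each_value { |value| smallerize(value) }
+else
+smallerize(tags)
+end
+end
+
+private
+
+# Add one new element to the given array
+#
+# The addition is done such that the new entry(ies)
+# are inserted so that the range they cover is in order
+# Any overlapping ranges are merged before returning
+#
+# arr: the array to which the element is added
+# new_element: the element to be added to the array
+def single_ordered_merge arr, new_element
+idx = 0
+arr.each do |existing|
+break unless existing.start_idx < new_element.start_idx
+
+if existing.overlaps?(new_element)
+existing.merge(new_element)
+return # rubocop:disable Lint/NonLocalExitFromIterator
+end
+idx += 1
+end
+arr.insert(idx, new_element)
+end
+
+# Given an arry of tags, merge any that overlap
+# The tag that was higher up is removed from the
+# list of tags.
+# ranges like [0-3][3-6]-6-9] that should become [0-9]
+def smallerize tags
+smallered = []
+curr = nil
+tags.each do |tag|
+if curr.nil?
+curr = tag
+smallered << curr
+elsif tag.start_idx <= curr.end_idx
+curr.update_end(tag.end_idx) if tag.end_idx > curr.end_idx
+else
+curr = tag
+smallered << curr
+end
+end
+tags.delete_if { |tag| !smallered.include?(tag) }
+end
+end
+end
+end
+end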
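Review bot: In `ordered_merge`, `return new_arr unless arr&.any?` hands the caller's batch back without passing it through `smallerize`, so a batch of overlapping tags merged into a nil or empty `arr` comes back unmerged, contrary to the header comment's "Any overlapping ranges are merged before returning"; `return smallerize(new_arr) unless arr&.any?` keeps that contract (the single-tag branch's `return [new_arr] unless arr` has the same shape but is harmless, since one tag cannot overlap itself). `covered?` is destructive in a way its header does not say: it rewrites the tags in `remaining_ranges` through `update_start`/`update_end` and `shift`s them off the array, so a caller that still needs those tags must pass copies — worth a line such as `# NOTE: mutates remaining_ranges and the tags in it; pass a copy if they are still needed`. The tail call `covered?(remaining_ranges, ranges)` recurses once per remaining tag, so stack depth grows with the input; an `until remaining_ranges.empty?` loop around the body would bound it, though the inputs are presumably small in practice.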
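--- /dev/null
+++ b/[path not shown on page — defines Contrast::Utils::ThreadTracker]
@@ -0,0 +1,54 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+module Utils
+# ThreadTracker allows tracking of singleton objects across threads
+class ThreadTracker
+def initialize logger = nil
+@logger = logger
+end
+
+# Note about Ruby -- thread#[] is fiber-local,
+# #thread_variables is not.
+
+def get key, default = nil
+log(key)
+Thread.current[key] || default
+end
+
+def set key, value
+Thread.current[key] = value
+end
+
+def delete key
+Thread.current[key] = nil
+end
+
+def lifespan obj
+set(:current_context, obj)
+response = yield(obj)
+delete(:current_context)
+response
+end
+
+def current
+get(:current_context)
+end
+
+def update_current_context context
+set(:current_context, context)
+end
+
+# logger may be nil so use this utility method instead
+def log key, msg = nil
+return unless @logger
+return unless @logger.debug?
+
+@logger.debug("Thread Tracker[#{ key }] :: #{ Process.pid }.#{ Thread.current.object_id } => #{ msg }")
+rescue StandardError
+false # NOOP
+end
+end
+end
+end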
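Review bot: `lifespan` clears `:current_context` only on the normal path; if the block raises, `delete(:current_context)` is skipped and the context object stays attached to `Thread.current` until something overwrites it, so on a thread that is reused the next `current` call starts with a stale context. Making the cleanup unconditional is a small change: `yield(obj)` as the body, then `ensure` / `delete(:current_context)` before the method's `end`, which also returns the block's value without the `response` local. The comment "thread#[] is fiber-local, #thread_variables is not" records the distinction but not which behaviour this class relies on; a line such as `# fiber-local on purpose: a context set here must not be visible to other fibers on this thread — confirm` would answer the question the next reader will have. `get` also returns `default` for a stored `false` because of `||`; harmless for the `:current_context` usage shown here, but a `Thread.current.key?(key)` check is needed if any key can legitimately hold `false`.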
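--- /dev/null
+++ b/data/lib/contrast/utils/timer.rb
@@ -0,0 +1,78 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+module Utils
+# Timer is class that can track state about when an event starts and how long it takes
+# Also containes utility methods to get time values in milliseconds
+class Timer
+attr_reader :start_at, :start_ms, :events
+
+def initialize time = Time.now
+@start_at = time
+@start_ms = (@start_at.to_f * 1000).to_i
+@events = {}
+end
+
+def elapsed label
+before = Time.now
+result = yield if block_given?
+events[label.to_s] = ((Time.now - before) * 1000).to_i
+result
+end
+
+def ms key
+events[key.to_s] || 0
+end
+
+def abs key
+start_ms + (events[key.to_s] || 0)
+end
+
+def to_s
+pairs = events.to_a.map { |pair| "#{ pair[0] }=#{ pair[1] }ms" }
+start_at.strftime('%Y-%m-%d %H:%M:%S.%L') + pairs.join(Contrast::Utils::ObjectShare::SPACE)
+end
+
+def diff_s start_ms
+(now_ms - start_ms) / 1000
+end
+
+def now_ms
+(Time.now.to_f * 1000).to_i
+end
+
+def self.now_ms
+(Time.now.to_f * 1000).to_i
+end
+
+def self.earliest lhs, rhs
+if lhs && rhs
+[lhs, rhs].min
+elsif lhs
+lhs
+else
+rhs
+end
+end
+
+def self.latest lhs, rhs
+if lhs && rhs
+[lhs, rhs].max
+elsif lhs
+lhs
+else
+rhs
+end
+end
+
+def now_sec
+now_ms / 1000
+end
+
+def elapsed_ms
+now_ms - start_ms
+end
+end
+end
+end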
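Review bot: `to_s` joins the timestamp and the event pairs with no separator — `start_at.strftime(...) + pairs.join(SPACE)` produces the first pair glued to the timestamp whenever `events` is non-empty; `([start_at.strftime('%Y-%m-%d %H:%M:%S.%L')] + pairs).join(Contrast::Utils::ObjectShare::SPACE)` puts the space between every element. `elapsed`, `elapsed_ms` and `diff_s` measure durations with `Time.now`, a wall clock that moves when the system time is adjusted, so a recorded duration can come out negative or inflated; `Process.clock_gettime(Process::CLOCK_MONOTONIC, :millisecond)` is the conventional source for durations, while `start_at`, `start_ms` and `abs` legitimately stay on wall-clock time because they are reported as absolute timestamps. `diff_s start_ms` shadows the `start_ms` reader with its parameter, which reads as if it compared against the instance's own start; a name such as `from_ms` would avoid that. The header comment's `containes` is a typo.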
@@ -0,0 +1,1673 @@
1
+ {
2
+ "tracked_classes": [
3
+ "ActionDispatch::Http::UploadedFile",
4
+ "Symbol",
5
+ "Pathname",
6
+ "File",
7
+ "MatchData",
8
+ "URI::Generic",
9
+ "Rack::File::Iterator"
10
+ ],
11
+ "sources":[
12
+ {
13
+ "class_name":"Rack::Request",
14
+ "instance_method": true,
15
+ "method_visibility": "public",
16
+ "method_name":"params",
17
+ "target":"R",
18
+ "type":"PARAMETER",
19
+ "tags":["CROSS_SITE"]
20
+ }, {
21
+ "class_name":"Rack::Request::Helpers",
22
+ "instance_method": true,
23
+ "method_visibility": "public",
24
+ "method_name":"body",
25
+ "target":"R",
26
+ "type":"BODY"
27
+ }, {
28
+ "class_name":"Rack::Request::Env",
29
+ "instance_method": true,
30
+ "method_visibility": "public",
31
+ "method_name":"get_header",
32
+ "target":"R",
33
+ "type":"HEADER",
34
+ "tags":["NO_NEWLINES"]
35
+ }, {
36
+ "class_name":"ActionDispatch::Request",
37
+ "instance_method": true,
38
+ "method_visibility": "public",
39
+ "method_name": "raw_post",
40
+ "target": "R",
41
+ "type": "BODY",
42
+ "tags":["NO_NEWLINES"]
43
+ }, {
44
+ "class_name":"Rack::Request::Helpers",
45
+ "instance_method": true,
46
+ "method_visibility": "public",
47
+ "method_name":"POST",
48
+ "target":"R",
49
+ "type":"PARAMETER"
50
+ }, {
51
+ "class_name":"Rack::Request::Helpers",
52
+ "instance_method": true,
53
+ "method_visibility": "public",
54
+ "method_name":"GET",
55
+ "target":"R",
56
+ "type":"PARAMETER"
57
+ }, {
58
+ "class_name":"Rack::Request::Helpers",
59
+ "instance_method": true,
60
+ "method_visibility": "public",
61
+ "method_name":"cookies",
62
+ "target":"R",
63
+ "type":"PARAMETER",
64
+ "tags":["NO_NEWLINES"]
65
+ }, {
66
+ "class_name":"Rack::Request::Helpers",
67
+ "instance_method": true,
68
+ "method_visibility": "public",
69
+ "method_name":"url",
70
+ "target":"R",
71
+ "type":"PARAMETER"
72
+ }, {
73
+ "class_name":"Rack::Request::Helpers",
74
+ "instance_method": true,
75
+ "method_visibility": "public",
76
+ "method_name":"query_string",
77
+ "target":"R",
78
+ "type":"PARAMETER"
79
+ }, {
80
+ "class_name":"Rack::Request",
81
+ "instance_method": true,
82
+ "method_visibility": "public",
83
+ "method_name":"body",
84
+ "target":"R",
85
+ "type":"BODY"
86
+ }, {
87
+ "class_name":"Rack::Request",
88
+ "instance_method": true,
89
+ "method_visibility": "public",
90
+ "method_name":"query_string",
91
+ "target":"R",
92
+ "type":"BODY"
93
+ }, {
94
+ "class_name":"Rack::Request",
95
+ "instance_method": true,
96
+ "method_visibility": "public",
97
+ "method_name":"GET",
98
+ "target":"R",
99
+ "type":"PARAMETER"
100
+ }, {
101
+ "class_name":"Rack::Request",
102
+ "instance_method": true,
103
+ "method_visibility": "public",
104
+ "method_name":"POST",
105
+ "target":"R",
106
+ "type":"PARAMETER"
107
+ }, {
108
+ "class_name":"Rack::Request",
109
+ "instance_method": true,
110
+ "method_visibility": "public",
111
+ "method_name":"cookies",
112
+ "target":"R",
113
+ "type":"PARAMETER",
114
+ "tags":["NO_NEWLINES"]
115
+ }, {
116
+ "class_name":"Rack::Request",
117
+ "instance_method": true,
118
+ "method_visibility": "public",
119
+ "method_name":"url",
120
+ "target":"R",
121
+ "type":"BODY"
122
+ }, {
123
+ "class_name":"ActionController::Metal",
124
+ "instance_method": true,
125
+ "method_visibility": "public",
126
+ "method_name":"params",
127
+ "target":"R",
128
+ "type":"PARAMETER"
129
+ }, {
130
+ "class_name":"ActionController::StrongParameters",
131
+ "instance_method": true,
132
+ "method_visibility": "public",
133
+ "method_name":"params",
134
+ "target":"R",
135
+ "type":"PARAMETER"
136
+ }
137
+ ],
138
+ "propagators":[
139
+ {
140
+ "class_name":"String",
141
+ "instance_method": true,
142
+ "method_visibility": "public",
143
+ "method_name":"dup",
144
+ "source":"O",
145
+ "target":"R",
146
+ "action":"KEEP"
147
+ }, {
148
+ "class_name": "String",
149
+ "instance_method": true,
150
+ "method_visibility": "public",
151
+ "method_name": "split",
152
+ "source": "O,P0",
153
+ "target": "R",
154
+ "action": "SPLIT"
155
+ },{
156
+ "class_name": "String",
157
+ "instance_method": true,
158
+ "method_visibility": "public",
159
+ "method_name": "grapheme_clusters",
160
+ "source": "O",
161
+ "target": "R",
162
+ "action": "SPLIT"
163
+ }, {
164
+ "class_name":"String",
165
+ "instance_method": true,
166
+ "method_visibility": "public",
167
+ "method_name":"clone",
168
+ "source":"O",
169
+ "target":"R",
170
+ "action":"KEEP"
171
+ }, {
172
+ "class_name":"String",
173
+ "instance_method": true,
174
+ "method_visibility": "private",
175
+ "method_name":"initialize",
176
+ "source":"P0",
177
+ "target":"O",
178
+ "action":"KEEP"
179
+ }, {
180
+ "class_name":"String",
181
+ "instance_method": false,
182
+ "method_visibility": "public",
183
+ "method_name":"try_convert",
184
+ "source":"P0",
185
+ "target":"R",
186
+ "action":"KEEP"
187
+ }, {
188
+ "class_name":"String",
189
+ "instance_method": true,
190
+ "method_visibility": "public",
191
+ "method_name":"+@",
192
+ "source":"O",
193
+ "target":"R",
194
+ "action":"KEEP"
195
+ }, {
196
+ "class_name":"String",
197
+ "instance_method": true,
198
+ "method_visibility": "public",
199
+ "method_name":"capitalize",
200
+ "source":"O",
201
+ "target":"R",
202
+ "action":"KEEP"
203
+ }, {
204
+ "class_name":"String",
205
+ "instance_method": true,
206
+ "method_visibility": "public",
207
+ "method_name":"capitalize!",
208
+ "source":"O",
209
+ "target":"R",
210
+ "action":"KEEP"
211
+ }, {
212
+ "class_name":"String",
213
+ "instance_method": true,
214
+ "method_visibility": "public",
215
+ "method_name":"downcase",
216
+ "source":"O",
217
+ "target":"R",
218
+ "action":"KEEP"
219
+ }, {
220
+ "class_name":"String",
221
+ "instance_method": true,
222
+ "method_visibility": "public",
223
+ "method_name":"downcase!",
224
+ "source":"O",
225
+ "target":"R",
226
+ "action":"KEEP"
227
+ }, {
228
+ "class_name":"String",
229
+ "instance_method": true,
230
+ "method_visibility": "public",
231
+ "method_name":"swapcase",
232
+ "source":"O",
233
+ "target":"R",
234
+ "action":"KEEP"
235
+ }, {
236
+ "class_name":"String",
237
+ "instance_method": true,
238
+ "method_visibility": "public",
239
+ "method_name":"swapcase!",
240
+ "source":"O",
241
+ "target":"R",
242
+ "action":"KEEP"
243
+ }, {
244
+ "class_name":"String",
245
+ "instance_method": true,
246
+ "method_visibility": "public",
247
+ "method_name":"to_s",
248
+ "source":"O",
249
+ "target":"R",
250
+ "action":"KEEP"
251
+ }, {
252
+ "class_name":"String",
253
+ "instance_method": true,
254
+ "method_visibility": "public",
255
+ "method_name":"to_str",
256
+ "source":"O",
257
+ "target":"R",
258
+ "action":"KEEP"
259
+ }, {
260
+ "class_name":"String",
261
+ "instance_method": true,
262
+ "method_visibility": "public",
263
+ "method_name":"upcase",
264
+ "source":"O",
265
+ "target":"R",
266
+ "action":"KEEP"
267
+ }, {
268
+ "class_name":"String",
269
+ "instance_method": true,
270
+ "method_visibility": "public",
271
+ "method_name":"upcase!",
272
+ "source":"O",
273
+ "target":"R",
274
+ "action":"KEEP"
275
+ }, {
276
+ "class_name":"String",
277
+ "instance_method": true,
278
+ "method_visibility": "public",
279
+ "method_name":"insert",
280
+ "source":"P1",
281
+ "target":"O",
282
+ "action":"INSERT"
283
+ }, {
284
+ "class_name":"String",
285
+ "instance_method": true,
286
+ "method_visibility": "public",
287
+ "method_name":"prepend",
288
+ "source":"O,P0",
289
+ "target":"O",
290
+ "action":"PREPEND"
291
+ }, {
292
+ "class_name":"String",
293
+ "instance_method": true,
294
+ "method_visibility": "public",
295
+ "method_name":"rjust",
296
+ "source":"O,P1",
297
+ "target":"R",
298
+ "action":"PREPEND"
299
+ }, {
300
+ "class_name":"String",
301
+ "instance_method": true,
302
+ "method_visibility": "public",
303
+ "method_name":"+",
304
+ "source":"O,P0",
305
+ "target":"R",
306
+ "action":"APPEND"
307
+ }, {
308
+ "class_name":"String",
309
+ "instance_method": true,
310
+ "method_visibility": "public",
311
+ "method_name":"concat",
312
+ "source":"O,P0",
313
+ "target":"O",
314
+ "action":"APPEND"
315
+ }, {
316
+ "class_name":"String",
317
+ "instance_method": true,
318
+ "method_visibility": "public",
319
+ "method_name":"<<",
320
+ "source":"O,P0",
321
+ "target":"O",
322
+ "action":"APPEND"
323
+ }, {
324
+ "class_name":"String",
325
+ "instance_method": true,
326
+ "method_visibility": "public",
327
+ "method_name":"ljust",
328
+ "source":"O,P1",
329
+ "target":"R",
330
+ "action":"APPEND"
331
+ }, {
332
+ "class_name":"String",
333
+ "instance_method": true,
334
+ "method_visibility": "public",
335
+ "method_name":"*",
336
+ "source":"O",
337
+ "target":"R",
338
+ "action":"APPEND"
339
+ }, {
340
+ "class_name":"String",
341
+ "instance_method": true,
342
+ "method_visibility": "public",
343
+ "method_name":"center",
344
+ "source":"O,P1",
345
+ "target":"R",
346
+ "action":"CENTER"
347
+ }, {
348
+ "class_name":"String",
349
+ "instance_method": true,
350
+ "method_visibility": "public",
351
+ "method_name":"inspect",
352
+ "source":"O",
353
+ "target":"R",
354
+ "action":"CENTER"
355
+ }, {
356
+ "class_name":"String",
357
+ "instance_method": true,
358
+ "method_visibility": "public",
359
+ "method_name":"chomp",
360
+ "source":"O",
361
+ "target":"R",
362
+ "action":"REMOVE"
363
+ }, {
364
+ "class_name":"String",
365
+ "instance_method": true,
366
+ "method_visibility": "public",
367
+ "method_name":"chomp!",
368
+ "source":"O",
369
+ "target":"R",
370
+ "action":"REMOVE"
371
+ }, {
372
+ "class_name":"String",
373
+ "instance_method": true,
374
+ "method_visibility": "public",
375
+ "method_name":"chop",
376
+ "source":"O",
377
+ "target":"R",
378
+ "action":"REMOVE"
379
+ }, {
380
+ "class_name":"String",
381
+ "instance_method": true,
382
+ "method_visibility": "public",
383
+ "method_name":"chop!",
384
+ "source":"O",
385
+ "target":"R",
386
+ "action":"REMOVE"
387
+ }, {
388
+ "class_name":"String",
389
+ "instance_method": true,
390
+ "method_visibility": "public",
391
+ "method_name":"rstrip",
392
+ "source":"O",
393
+ "target":"R",
394
+ "action":"REMOVE"
395
+ }, {
396
+ "class_name":"String",
397
+ "instance_method": true,
398
+ "method_visibility": "public",
399
+ "method_name":"rstrip!",
400
+ "source":"O",
401
+ "target":"R",
402
+ "action":"REMOVE"
403
+ }, {
404
+ "class_name":"String",
405
+ "instance_method": true,
406
+ "method_visibility": "public",
407
+ "method_name":"lstrip",
408
+ "source":"O",
409
+ "target":"R",
410
+ "action":"REMOVE"
411
+ }, {
412
+ "class_name":"String",
413
+ "instance_method": true,
414
+ "method_visibility": "public",
415
+ "method_name":"lstrip!",
416
+ "source":"O",
417
+ "target":"R",
418
+ "action":"REMOVE"
419
+ }, {
420
+ "class_name":"String",
421
+ "instance_method": true,
422
+ "method_visibility": "public",
423
+ "method_name":"strip",
424
+ "source":"O",
425
+ "target":"R",
426
+ "action":"REMOVE"
427
+ }, {
428
+ "class_name":"String",
429
+ "instance_method": true,
430
+ "method_visibility": "public",
431
+ "method_name":"strip!",
432
+ "source":"O",
433
+ "target":"R",
434
+ "action":"REMOVE"
435
+ }, {
436
+ "class_name":"String",
437
+ "instance_method": true,
438
+ "method_visibility": "public",
439
+ "method_name":"delete",
440
+ "source":"O",
441
+ "target":"R",
442
+ "action":"REMOVE"
443
+ }, {
444
+ "class_name":"String",
445
+ "instance_method": true,
446
+ "method_visibility": "public",
447
+ "method_name":"delete!",
448
+ "source":"O",
449
+ "target":"R",
450
+ "action":"REMOVE"
451
+ },{
452
+ "class_name":"String",
453
+ "instance_method": true,
454
+ "method_visibility": "public",
455
+ "method_name":"delete_prefix",
456
+ "source":"O",
457
+ "target":"R",
458
+ "action":"REMOVE"
459
+ },{
460
+ "class_name":"String",
461
+ "instance_method": true,
462
+ "method_visibility": "public",
463
+ "method_name":"delete_suffix",
464
+ "source":"O",
465
+ "target":"R",
466
+ "action":"REMOVE"
467
+ }, {
468
+ "class_name":"String",
469
+ "instance_method": true,
470
+ "method_visibility": "public",
471
+ "method_name":"delete_prefix!",
472
+ "source":"O",
473
+ "target":"O",
474
+ "action":"REMOVE"
475
+ },{
476
+ "class_name":"String",
477
+ "instance_method": true,
478
+ "method_visibility": "public",
479
+ "method_name":"delete_suffix!",
480
+ "source":"O",
481
+ "target":"O",
482
+ "action":"REMOVE"
483
+ }, {
484
+ "class_name":"String",
485
+ "instance_method": true,
486
+ "method_visibility": "public",
487
+ "method_name":"dump",
488
+ "source":"O",
489
+ "target":"R",
490
+ "action":"SPLAT"
491
+ },
492
+ {
493
+ "class_name":"String",
494
+ "instance_method": true,
495
+ "method_visibility": "public",
496
+ "method_name":"undump",
497
+ "source":"O",
498
+ "target":"R",
499
+ "action":"SPLAT"
500
+ },
501
+ {
502
+ "class_name":"String",
503
+ "instance_method": true,
504
+ "method_visibility": "public",
505
+ "method_name":"replace",
506
+ "source":"P0",
507
+ "target":"R",
508
+ "action":"REPLACE"
509
+ }, {
510
+ "class_name":"String",
511
+ "instance_method": true,
512
+ "method_visibility": "public",
513
+ "method_name":"next",
514
+ "source":"O",
515
+ "target":"R",
516
+ "action":"NEXT"
517
+ }, {
518
+ "class_name":"String",
519
+ "instance_method": true,
520
+ "method_visibility": "public",
521
+ "method_name":"next!",
522
+ "source":"O",
523
+ "target":"O",
524
+ "action":"NEXT"
525
+ }, {
526
+ "class_name":"String",
527
+ "instance_method": true,
528
+ "method_visibility": "public",
529
+ "method_name":"succ",
530
+ "source":"O",
531
+ "target":"R",
532
+ "action":"NEXT"
533
+ }, {
534
+ "class_name":"String",
535
+ "instance_method": true,
536
+ "method_visibility": "public",
537
+ "method_name":"succ!",
538
+ "source":"O",
539
+ "target":"O",
540
+ "action":"NEXT"
541
+ }, {
542
+ "class_name":"String",
543
+ "instance_method": true,
544
+ "method_visibility": "public",
545
+ "method_name":"reverse",
546
+ "source":"O",
547
+ "target":"R",
548
+ "action":"REVERSE"
549
+ }, {
550
+ "class_name":"String",
551
+ "instance_method": true,
552
+ "method_visibility": "public",
553
+ "method_name":"reverse!",
554
+ "source":"O",
555
+ "target":"O",
556
+ "action":"REVERSE"
557
+ }, {
558
+ "class_name":"String",
559
+ "instance_method": true,
560
+ "method_visibility": "public",
561
+ "method_name":"%",
562
+ "source":"O,P0",
563
+ "target":"R",
564
+ "action":"SPLAT"
565
+ }, {
566
+ "class_name":"Regexp",
567
+ "instance_method": true,
568
+ "method_visibility": "public",
569
+ "method_name":"match",
570
+ "source":"P0",
571
+ "target":"R",
572
+ "action":"KEEP"
573
+ }, {
574
+ "class_name":"MatchData",
575
+ "instance_method": true,
576
+ "method_visibility": "public",
577
+ "method_name":"post_match",
578
+ "source":"O",
579
+ "target":"R",
580
+ "action":"REMOVE"
581
+ }, {
582
+ "class_name":"MatchData",
583
+ "instance_method": true,
584
+ "method_visibility": "public",
585
+ "method_name":"pre_match",
586
+ "source":"O",
587
+ "target":"R",
588
+ "action":"REMOVE"
589
+ }, {
590
+ "class_name":"MatchData",
591
+ "instance_method": true,
592
+ "method_visibility": "public",
593
+ "method_name":"to_a",
594
+ "source":"O",
595
+ "target":"R",
596
+ "action":"SPLAT"
597
+ }, {
598
+ "class_name":"MatchData",
599
+ "instance_method": true,
600
+ "method_visibility": "public",
601
+ "method_name":"[]",
602
+ "source":"O",
603
+ "target":"R",
604
+ "action":"SPLAT"
605
+ }, {
606
+ "class_name":"MatchData",
607
+ "instance_method": true,
608
+ "method_visibility": "public",
609
+ "method_name":"captures",
610
+ "source":"O",
611
+ "target":"R",
612
+ "action":"SPLAT"
613
+ }, {
614
+ "class_name":"MatchData",
615
+ "instance_method": true,
616
+ "method_visibility": "public",
617
+ "method_name":"values_at",
618
+ "source":"O",
619
+ "target":"R",
620
+ "action":"SPLAT"
621
+ }, {
622
+ "class_name":"String",
623
+ "instance_method": true,
624
+ "method_visibility": "public",
625
+ "method_name":"to_sym",
626
+ "source":"O",
627
+ "target":"R",
628
+ "action":"KEEP"
629
+ }, {
630
+ "class_name": "String",
631
+ "instance_method": true,
632
+ "method_visibility": "public",
633
+ "method_name": "gsub",
634
+ "action": "CUSTOM",
635
+ "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Substitution",
636
+ "patch_method": "gsub_tagger"
637
+ }, {
638
+ "class_name": "String",
639
+ "instance_method": true,
640
+ "method_visibility": "public",
641
+ "method_name": "gsub!",
642
+ "action": "CUSTOM",
643
+ "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Substitution",
644
+ "patch_method": "gsub_tagger"
645
+ }, {
646
+ "class_name": "String",
647
+ "instance_method": true,
648
+ "method_visibility": "public",
649
+ "method_name": "sub",
650
+ "action": "CUSTOM",
651
+ "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Substitution",
652
+ "patch_method": "sub_tagger"
653
+ }, {
654
+ "class_name": "String",
655
+ "instance_method": true,
656
+ "method_visibility": "public",
657
+ "method_name": "sub!",
658
+ "action": "CUSTOM",
659
+ "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Substitution",
660
+ "patch_method": "sub_tagger"
661
+ }, {
662
+ "class_name": "String",
663
+ "instance_method": true,
664
+ "method_visibility": "public",
665
+ "method_name": "tr",
666
+ "action": "CUSTOM",
667
+ "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Trim",
668
+ "patch_method": "tr_tagger"
669
+ }, {
670
+ "class_name": "String",
671
+ "instance_method": true,
672
+ "method_visibility": "public",
673
+ "method_name": "tr!",
674
+ "action": "CUSTOM",
675
+ "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Trim",
676
+ "patch_method": "tr_tagger"
677
+ }, {
678
+ "class_name": "String",
679
+ "instance_method": true,
680
+ "method_visibility": "public",
681
+ "method_name": "tr_s",
682
+ "action": "CUSTOM",
683
+ "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Trim",
684
+ "patch_method": "tr_s_tagger"
685
+ }, {
686
+ "class_name": "String",
687
+ "instance_method": true,
688
+ "method_visibility": "public",
689
+ "method_name": "tr_s!",
690
+ "action": "CUSTOM",
691
+ "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Trim",
692
+ "patch_method": "tr_s_tagger"
693
+ }, {
694
+ "class_name": "String",
695
+ "instance_method": true,
696
+ "method_visibility": "public",
697
+ "method_name": "[]",
698
+ "action": "CUSTOM",
699
+ "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Select",
700
+ "patch_method": "select_tagger"
701
+ }, {
702
+ "class_name":"CGI::Util",
703
+ "method_name":"escapeHTML",
704
+ "instance_method": true,
705
+ "method_visibility": "public",
706
+ "source":"P0",
707
+ "target":"R",
708
+ "action":"SPLAT",
709
+ "tags":["HTML_ENCODED"],
710
+ "untags":["HTML_DECODED"]
711
+ }, {
712
+ "class_name":"CGI::Util",
713
+ "method_name":"escape_html",
714
+ "instance_method": true,
715
+ "method_visibility": "public",
716
+ "source":"P0",
717
+ "target":"R",
718
+ "action":"SPLAT",
719
+ "tags":["HTML_ENCODED"],
720
+ "untags":["HTML_DECODED"]
721
+ }, {
722
+ "class_name":"CGI::Util",
723
+ "method_name":"h",
724
+ "instance_method": true,
725
+ "method_visibility": "public",
726
+ "source":"P0",
727
+ "target":"R",
728
+ "action":"SPLAT",
729
+ "tags":["HTML_ENCODED"],
730
+ "untags":["HTML_DECODED"]
731
+ }, {
732
+ "class_name":"CGI::Util",
733
+ "method_name":"unescapeHTML",
734
+ "instance_method": true,
735
+ "method_visibility": "public",
736
+ "source":"P0",
737
+ "target":"R",
738
+ "action":"SPLAT",
739
+ "tags":["HTML_DECODED"],
740
+ "untags":["HTML_ENCODED"]
741
+ }, {
742
+ "class_name":"CGI::Util",
743
+ "method_name":"unescape_html",
744
+ "instance_method": true,
745
+ "method_visibility": "public",
746
+ "source":"P0",
747
+ "target":"R",
748
+ "action":"SPLAT",
749
+ "tags":["HTML_DECODED"],
750
+ "untags":["HTML_ENCODED"]
751
+ }, {
752
+ "class_name":"ERB::Util",
753
+ "method_name":"html_escape",
754
+ "instance_method": false,
755
+ "method_visibility": "public",
756
+ "source":"P0",
757
+ "target":"R",
758
+ "action":"SPLAT",
759
+ "tags":["HTML_ENCODED"],
760
+ "untags":["HTML_DECODED"]
761
+ }, {
762
+ "class_name":"ERB::Util",
763
+ "method_name":"h",
764
+ "instance_method": false,
765
+ "method_visibility": "public",
766
+ "source":"P0",
767
+ "target":"R",
768
+ "action":"SPLAT",
769
+ "tags":["HTML_ENCODED"],
770
+ "untags":["HTML_DECODED"]
771
+ }, {
772
+ "class_name":"ERB::Util",
773
+ "method_name":"html_escape_once",
774
+ "instance_method": false,
775
+ "method_visibility": "public",
776
+ "source":"P0",
777
+ "target":"R",
778
+ "action":"SPLAT",
779
+ "tags":["HTML_ENCODED"],
780
+ "untags":["HTML_DECODED"]
781
+ }, {
782
+ "class_name":"Pathname",
783
+ "method_name":"initialize",
784
+ "instance_method": true,
785
+ "method_visibility": "private",
786
+ "source":"P0",
787
+ "target":"O",
788
+ "action":"SPLAT"
789
+ }, {
790
+ "class_name":"File",
791
+ "method_name":"initialize",
792
+ "instance_method": true,
793
+ "method_visibility": "private",
794
+ "source":"P0",
795
+ "target":"O",
796
+ "action":"SPLAT"
797
+ }, {
798
+ "class_name":"File",
799
+ "method_name":"path",
800
+ "instance_method": true,
801
+ "method_visibility": "public",
802
+ "source":"O",
803
+ "target":"R",
804
+ "action":"SPLAT"
805
+ }, {
806
+ "class_name":"File",
807
+ "method_name":"to_path",
808
+ "instance_method": true,
809
+ "method_visibility": "public",
810
+ "source":"O",
811
+ "target":"R",
812
+ "action":"SPLAT"
813
+ }, {
814
+ "class_name": "ActiveModel::AttributeAssignment",
815
+ "method_name": "assign_attributes",
816
+ "instance_method": true,
817
+ "method_visibility": "public",
818
+ "source": "P0",
819
+ "target": "O",
820
+ "action": "DB_WRITE",
821
+ "tags": ["DATABASE_WRITE"]
822
+ }, {
823
+ "class_name": "ActiveModel::AttributeAssignment",
824
+ "method_name": "attributes=",
825
+ "instance_method": true,
826
+ "method_visibility": "public",
827
+ "source": "P0",
828
+ "target": "O",
829
+ "action": "DB_WRITE",
830
+ "tags": ["DATABASE_WRITE"]
831
+ }, {
832
+ "class_name": "JSON",
833
+ "method_name": "parse",
834
+ "instance_method": false,
835
+ "method_visibility": "public",
836
+ "source": "P0",
837
+ "target": "R",
838
+ "action": "SPLAT"
839
+ }, {
840
+ "class_name": "JSON",
841
+ "method_name": "[]",
842
+ "instance_method": false,
843
+ "method_visibility": "public",
844
+ "source": "O",
845
+ "target": "R",
846
+ "action": "SPLAT"
847
+ }, {
848
+ "class_name": "JSON",
849
+ "method_name": "dump",
850
+ "instance_method": false,
851
+ "method_visibility": "public",
852
+ "source": "P0",
853
+ "target": "R",
854
+ "action": "SPLAT"
855
+ }, {
856
+ "class_name": "Zlib::Deflate",
857
+ "method_name": "deflate",
858
+ "instance_method": false,
859
+ "method_visibility": "public",
860
+ "source": "P0",
861
+ "target": "R",
862
+ "action": "SPLAT"
863
+ }, {
864
+ "class_name": "Zlib::Inflate",
865
+ "method_name": "inflate",
866
+ "instance_method": false,
867
+ "method_visibility": "public",
868
+ "source": "P0",
869
+ "target": "R",
870
+ "action": "SPLAT"
871
+ }, {
872
+ "class_name": "Base64",
873
+ "method_name": "decode64",
874
+ "instance_method": false,
875
+ "method_visibility": "public",
876
+ "source": "P0",
877
+ "target": "R",
878
+ "action": "SPLAT",
879
+ "tags":["BASE64_DECODED"],
880
+ "untags":["BASE64_ENCODED"]
881
+ }, {
882
+ "class_name": "Base64",
883
+ "method_name": "encode64",
884
+ "instance_method": false,
885
+ "method_visibility": "public",
886
+ "source": "P0",
887
+ "target": "R",
888
+ "action": "SPLAT",
889
+ "tags":["BASE64_ENCODED"],
890
+ "untags":["BASE64_DECODED"]
891
+ }, {
892
+ "class_name": "Base64",
893
+ "method_name": "strict_decode64",
894
+ "instance_method": false,
895
+ "method_visibility": "public",
896
+ "source": "P0",
897
+ "target": "R",
898
+ "action": "SPLAT",
899
+ "tags":["BASE64_DECODED"],
900
+ "untags":["BASE64_ENCODED"]
901
+ }, {
902
+ "class_name": "Base64",
903
+ "method_name": "strict_encode64",
904
+ "instance_method": false,
905
+ "method_visibility": "public",
906
+ "source": "P0",
907
+ "target": "R",
908
+ "action": "SPLAT",
909
+ "tags":["BASE64_ENCODED"],
910
+ "untags":["BASE64_DECODED"]
911
+ }, {
912
+ "class_name": "Base64",
913
+ "method_name": "urlsafe_decode64",
914
+ "instance_method": false,
915
+ "method_visibility": "public",
916
+ "source": "P0",
917
+ "target": "R",
918
+ "action": "SPLAT",
919
+ "tags":["BASE64_DECODED"],
920
+ "untags":["BASE64_ENCODED"]
921
+ }, {
922
+ "class_name": "Base64",
923
+ "method_name": "urlsafe_encode64",
924
+ "instance_method": false,
925
+ "method_visibility": "public",
926
+ "source": "P0",
927
+ "target": "R",
928
+ "action": "SPLAT",
929
+ "tags":["BASE64_ENCODED"],
930
+ "untags":["BASE64_DECODED"]
931
+ }, {
932
+ "class_name": "Marshal",
933
+ "method_name": "dump",
934
+ "instance_method": false,
935
+ "method_visibility": "public",
936
+ "source": "P0",
937
+ "target": "R",
938
+ "action": "SPLAT"
939
+ }, {
940
+ "class_name": "Marshal",
941
+ "method_name": "load",
942
+ "instance_method": false,
943
+ "method_visibility": "public",
944
+ "source": "P0",
945
+ "target": "R",
946
+ "action": "SPLAT"
947
+ }, {
948
+ "class_name": "URI::Generic",
949
+ "method_name": "initialize",
950
+ "instance_method": true,
951
+ "method_visibility": "private",
952
+ "source": "P0",
953
+ "target": "O",
954
+ "action": "SPLAT"
955
+ }, {
956
+ "class_name": "Kernel",
957
+ "instance_method": true,
958
+ "method_visibility": "private",
959
+ "method_name": "sprintf",
960
+ "action": "CUSTOM",
961
+ "patch_class": "KernelPropagator",
962
+ "patch_method": "sprintf_tagger"
963
+ }, {
964
+ "class_name":"SQLite3::Statement",
965
+ "instance_method": true,
966
+ "method_visibility": "private",
967
+ "method_name":"initialize",
968
+ "action": "CUSTOM",
969
+ "patch_class": "Contrast::Agent::Assess::Rule::Csrf::CsrfApplicator",
970
+ "patch_method": "csrf_tagger",
971
+ "source": "P1"
972
+ }, {
973
+ "class_name":"PG::Connection",
974
+ "instance_method": true,
975
+ "method_visibility": "public",
976
+ "method_name":"sync_exec",
977
+ "action": "CUSTOM",
978
+ "patch_class": "Contrast::Agent::Assess::Rule::Csrf::CsrfApplicator",
979
+ "patch_method": "csrf_tagger"
980
+ }, {
981
+ "class_name":"PG::Connection",
982
+ "instance_method": true,
983
+ "method_visibility": "public",
984
+ "method_name":"sync_exec_params",
985
+ "action": "CUSTOM",
986
+ "patch_class": "Contrast::Agent::Assess::Rule::Csrf::CsrfApplicator",
987
+ "patch_method": "csrf_tagger"
988
+ }, {
989
+ "class_name":"PG::Connection",
990
+ "instance_method": true,
991
+ "method_visibility": "public",
992
+ "method_name":"async_exec",
993
+ "action": "CUSTOM",
994
+ "patch_class": "Contrast::Agent::Assess::Rule::Csrf::CsrfApplicator",
995
+ "patch_method": "csrf_tagger"
996
+ }, {
997
+ "class_name":"PG::Connection",
998
+ "instance_method": true,
999
+ "method_visibility": "public",
1000
+ "method_name":"async_exec_params",
1001
+ "action": "CUSTOM",
1002
+ "patch_class": "Contrast::Agent::Assess::Rule::Csrf::CsrfApplicator",
1003
+ "patch_method": "csrf_tagger"
1004
+ }, {
1005
+ "class_name":"ActiveRecord::ConnectionAdapters::Quoting",
1006
+ "instance_method": true,
1007
+ "method_visibility": "public",
1008
+ "method_name":"quote",
1009
+ "source": "P0",
1010
+ "target": "R",
1011
+ "action": "SPLAT",
1012
+ "tags":["SQL_ENCODED"],
1013
+ "untags":["SQL_DECODED"]
1014
+ }, {
1015
+ "class_name":"ActiveRecord::ConnectionAdapters::Quoting",
1016
+ "instance_method": true,
1017
+ "method_visibility": "public",
1018
+ "method_name":"quote_string",
1019
+ "source": "P0",
1020
+ "target": "R",
1021
+ "action": "SPLAT",
1022
+ "tags":["SQL_ENCODED"],
1023
+ "untags":["SQL_DECODED"]
1024
+ },
1025
+ {
1026
+ "class_name":"IO",
1027
+ "method_name":"initialize",
1028
+ "instance_method": true,
1029
+ "method_visibility": "private",
1030
+ "source":"P0",
1031
+ "target":"O",
1032
+ "action":"SPLAT"
1033
+ },
1034
+ {
1035
+ "class_name": "ERB",
1036
+ "method_name": "result",
1037
+ "method_visibility": "public",
1038
+ "instance_method": true,
1039
+ "source": "P0",
1040
+ "target": "O",
1041
+ "action": "CUSTOM",
1042
+ "patch_class": "ERBPropagator",
1043
+ "patch_method": "result_tagger"
1044
+ }
1045
+ ],
1046
+ "rules":[
1047
+ {
1048
+ "name":"cmd-injection",
1049
+ "disallowed_tags":["BASE64_ENCODED", "CSS_ENCODED", "CSV_ENCODED", "HTML_ENCODED", "JAVASCRIPT_ENCODED", "JAVA_ENCODED", "LDAP_ENCODED", "OS_ENCODED", "SQL_ENCODED", "URL_ENCODED", "VBSCRIPT_ENCODED", "XML_ENCODED", "XPATH_ENCODED"],
1050
+ "triggers":[
1051
+ {
1052
+ "class_name":"IO",
1053
+ "instance_method": false,
1054
+ "method_visibility": "public",
1055
+ "method_name":"popen",
1056
+ "source":"P0"
1057
+ }, {
1058
+ "class_name":"Kernel",
1059
+ "instance_method": false,
1060
+ "method_visibility": "public",
1061
+ "method_name":"`",
1062
+ "source":"P0"
1063
+ }, {
1064
+ "class_name":"Kernel",
1065
+ "instance_method": false,
1066
+ "method_visibility": "public",
1067
+ "method_name":"exec",
1068
+ "source":"P0",
1069
+ "custom_patch": true
1070
+ }, {
1071
+ "class_name":"Kernel",
1072
+ "instance_method": true,
1073
+ "method_visibility": "private",
1074
+ "method_name":"exec",
1075
+ "source":"P0",
1076
+ "custom_patch": true
1077
+ }, {
1078
+ "class_name":"Kernel",
1079
+ "instance_method": false,
1080
+ "method_visibility": "public",
1081
+ "method_name":"spawn",
1082
+ "source":"P0"
1083
+ }, {
1084
+ "class_name":"Kernel",
1085
+ "instance_method": false,
1086
+ "method_visibility": "public",
1087
+ "method_name":"system",
1088
+ "source":"P0"
1089
+ },
1090
+ {
1091
+ "class_name":"Kernel",
1092
+ "instance_method": true,
1093
+ "method_visibility": "private",
1094
+ "method_name":"`",
1095
+ "source":"P0"
1096
+ }, {
1097
+ "class_name":"Kernel",
1098
+ "instance_method": true,
1099
+ "method_visibility": "private",
1100
+ "method_name":"spawn",
1101
+ "source":"P0"
1102
+ },
1103
+ {
1104
+ "class_name":"Kernel",
1105
+ "instance_method": true,
1106
+ "method_visibility": "private",
1107
+ "method_name":"system",
1108
+ "source":"P0"
1109
+ }
1110
+ ]
1111
+ },{
1112
+ "name":"path-traversal",
1113
+ "disallowed_tags":["BASE64_ENCODED", "CSS_ENCODED", "CSV_ENCODED", "HTML_ENCODED", "JAVASCRIPT_ENCODED", "JAVA_ENCODED", "LDAP_ENCODED", "OS_ENCODED", "SQL_ENCODED", "URL_ENCODED", "VBSCRIPT_ENCODED", "XML_ENCODED", "XPATH_ENCODED", "NO_CONTROL_CHARS"],
1114
+ "triggers":[
1115
+ {
1116
+ "class_name":"IO",
1117
+ "method_name":"open",
1118
+ "instance_method": false,
1119
+ "method_visibility": "public",
1120
+ "source":"P0"
1121
+ }, {
1122
+ "class_name":"IO",
1123
+ "method_name":"initialize",
1124
+ "instance_method": true,
1125
+ "method_visibility": "private",
1126
+ "source":"P0"
1127
+ }, {
1128
+ "class_name":"IO",
1129
+ "method_name":"binread",
1130
+ "instance_method": false,
1131
+ "method_visibility": "public",
1132
+ "source":"P0"
1133
+ }, {
1134
+ "class_name":"IO",
1135
+ "method_name":"binwrite",
1136
+ "instance_method": false,
1137
+ "method_visibility": "public",
1138
+ "source":"P0"
1139
+ }, {
1140
+ "class_name":"IO",
1141
+ "method_name":"read",
1142
+ "instance_method": false,
1143
+ "method_visibility": "public",
1144
+ "source":"P0"
1145
+ }, {
1146
+ "class_name":"IO",
1147
+ "method_name":"readlines",
1148
+ "instance_method": false,
1149
+ "method_visibility": "public",
1150
+ "source":"P0"
1151
+ }, {
1152
+ "class_name":"IO",
1153
+ "method_name":"copy_stream",
1154
+ "instance_method": false,
1155
+ "method_visibility": "public",
1156
+ "source":"P0,P1"
1157
+ }, {
1158
+ "class_name":"IO",
1159
+ "method_name":"foreach",
1160
+ "instance_method": false,
1161
+ "method_visibility": "public",
1162
+ "source":"P0"
1163
+ }, {
1164
+ "class_name":"IO",
1165
+ "method_name":"sysopen",
1166
+ "instance_method": false,
1167
+ "method_visibility": "public",
1168
+ "source":"P0"
1169
+ }, {
1170
+ "class_name":"IO",
1171
+ "method_name":"write",
1172
+ "instance_method": false,
1173
+ "method_visibility": "public",
1174
+ "source":"P0"
1175
+ }, {
1176
+ "class_name":"File",
1177
+ "method_name":"initialize",
1178
+ "instance_method": true,
1179
+ "method_visibility": "private",
1180
+ "source":"P0"
1181
+ }
1182
+ ]
1183
+ }, {
1184
+ "name": "redos",
1185
+ "triggers": [
1186
+ {
1187
+ "class_name":"Regexp",
1188
+ "instance_method": true,
1189
+ "method_visibility": "public",
1190
+ "method_name":"match",
1191
+ "source":"P0",
1192
+ "trigger_class": "Contrast::Agent::Assess::Rule::Redos",
1193
+ "trigger_method": "regexp_complexity_check"
1194
+
1195
+ }, {
1196
+ "class_name":"String",
1197
+ "instance_method": true,
1198
+ "method_visibility": "public",
1199
+ "method_name":"=~",
1200
+ "source":"O",
1201
+ "trigger_class": "Contrast::Agent::Assess::Rule::Redos",
1202
+ "trigger_method": "regexp_complexity_check"
1203
+ }, {
1204
+ "class_name":"Regexp",
1205
+ "instance_method": true,
1206
+ "method_visibility": "public",
1207
+ "method_name":"=~",
1208
+ "source":"P0",
1209
+ "trigger_class": "Contrast::Agent::Assess::Rule::Redos",
1210
+ "trigger_method": "regexp_complexity_check"
1211
+
1212
+ }
1213
+ ]
1214
+ }, {
1215
+ "name":"reflected-xss",
1216
+ "disallowed_tags":["BASE64_ENCODED", "CSS_ENCODED", "CSV_ENCODED", "HTML_ENCODED", "JAVASCRIPT_ENCODED", "JAVA_ENCODED", "LDAP_ENCODED", "OS_ENCODED", "SQL_ENCODED", "URL_ENCODED", "VBSCRIPT_ENCODED", "XML_ENCODED", "XPATH_ENCODED"],
1217
+ "triggers":[
1218
+ {
1219
+ "class_name": "Tilt::Template",
1220
+ "method_name": "evaluate",
1221
+ "instance_method": true,
1222
+ "method_visibility": "public",
1223
+ "source":"O",
1224
+ "trigger_class": "TiltTemplateTrigger",
1225
+ "trigger_method": "render_trigger_check"
1226
+ },
1227
+ {
1228
+ "class_name":"String",
1229
+ "method_name":"html_safe",
1230
+ "instance_method": true,
1231
+ "method_visibility": "public",
1232
+ "source":"O"
1233
+ }, {
1234
+ "class_name":"ActionView::Helpers::OutputSafetyHelper",
1235
+ "method_name":"raw",
1236
+ "instance_method": true,
1237
+ "method_visibility": "public",
1238
+ "source":"P0"
1239
+ }, {
1240
+ "class_name":"ActionView::Helpers::RawOutputHelper",
1241
+ "method_name":"raw",
1242
+ "instance_method": true,
1243
+ "method_visibility": "public",
1244
+ "source":"P0"
1245
+ }, {
1246
+ "class_name":"ActionDispatch::Response",
1247
+ "method_name":"body=",
1248
+ "instance_method": true,
1249
+ "method_visibility": "public",
1250
+ "source":"P0"
1251
+ }, {
1252
+ "class_name":"ActionDispatch::Response::Buffer",
1253
+ "method_name":"write",
1254
+ "instance_method": true,
1255
+ "method_visibility": "public",
1256
+ "source":"P0"
1257
+ }, {
1258
+ "class_name":"Sinatra::Helpers",
1259
+ "method_name":"body",
1260
+ "instance_method": true,
1261
+ "method_visibility": "public",
1262
+ "source":"P0"
1263
+ }, {
1264
+ "class_name":"Sinatra::Response",
1265
+ "method_name":"body=",
1266
+ "instance_method": true,
1267
+ "method_visibility": "public",
1268
+ "source":"P0"
1269
+ }
1270
+ ]
1271
+ }, {
1272
+ "name":"sql-injection",
1273
+ "disallowed_tags":["SQL_ENCODED"],
1274
+ "triggers":[
1275
+ {
1276
+ "class_name":"SQLite3::Database",
1277
+ "instance_method": true,
1278
+ "method_visibility": "public",
1279
+ "method_name":"execute",
1280
+ "source":"P0"
1281
+ }, {
1282
+ "class_name":"SQLite3::Statement",
1283
+ "instance_method": true,
1284
+ "method_visibility": "private",
1285
+ "method_name":"initialize",
1286
+ "source":"P1"
1287
+ }, {
1288
+ "class_name":"Mysql2::Client",
1289
+ "instance_method": true,
1290
+ "method_visibility": "public",
1291
+ "method_name":"query",
1292
+ "source":"P0"
1293
+ }, {
1294
+ "class_name":"Mysql2::Statement",
1295
+ "instance_method": true,
1296
+ "method_visibility": "public",
1297
+ "method_name":"execute",
1298
+ "source":"P0"
1299
+ }, {
1300
+ "class_name":"PG::Connection",
1301
+ "instance_method": true,
1302
+ "method_visibility": "public",
1303
+ "method_name":"exec",
1304
+ "source":"P0"
1305
+ }, {
1306
+ "class_name":"PG::Connection",
1307
+ "instance_method": true,
1308
+ "method_visibility": "public",
1309
+ "method_name":"exec_params",
1310
+ "source":"P0"
1311
+ }, {
1312
+ "class_name":"PG::Connection",
1313
+ "instance_method": true,
1314
+ "method_visibility": "public",
1315
+ "method_name":"async_exec",
1316
+ "source":"P0"
1317
+ }, {
1318
+ "class_name":"ActiveRecord::Querying",
1319
+ "instance_method": false,
1320
+ "method_visibility": "public",
1321
+ "method_name":"select",
1322
+ "source":"P0"
1323
+ }
1324
+ ]
1325
+ }, {
1326
+ "name": "reflection-injection",
1327
+ "triggers": [
1328
+ {
1329
+ "class_name":"String",
1330
+ "instance_method": true,
1331
+ "method_visibility": "public",
1332
+ "method_name":"constantize",
1333
+ "source":"O"
1334
+ },{
1335
+ "class_name":"String",
1336
+ "instance_method": true,
1337
+ "method_visibility": "public",
1338
+ "method_name":"safe_constantize",
1339
+ "source":"O"
1340
+ }, {
1341
+ "class_name":"Module",
1342
+ "instance_method": false,
1343
+ "method_visibility": "public",
1344
+ "method_name":"const_get",
1345
+ "source":"P0"
1346
+ },
1347
+ {
1348
+ "class_name":"Module",
1349
+ "instance_method": true,
1350
+ "method_visibility": "public",
1351
+ "method_name":"const_get",
1352
+ "source":"P0"
1353
+ }
1354
+ ]
1355
+ },{
1356
+ "name":"unsafe-code-execution",
1357
+ "triggers":[
1358
+ {
1359
+ "class_name":"Kernel",
1360
+ "instance_method": false,
1361
+ "method_visibility": "public",
1362
+ "method_name":"eval",
1363
+ "source":"P0"
1364
+ },{
1365
+ "class_name": "Kernel",
1366
+ "instance_method": true,
1367
+ "method_visibility": "private",
1368
+ "method_name": "eval",
1369
+ "source": "P0"
1370
+ }, {
1371
+ "class_name": "ActiveSupport::Tryable",
1372
+ "instance_method": true,
1373
+ "method_visibility": "public",
1374
+ "method_name":"try",
1375
+ "source":"P0"
1376
+ }, {
1377
+ "class_name": "ActiveSupport::Tryable",
1378
+ "instance_method": true,
1379
+ "method_visibility": "public",
1380
+ "method_name":"try!",
1381
+ "source":"P0"
1382
+ }, {
1383
+ "class_name": "BasicObject",
1384
+ "instance_method": false,
1385
+ "method_visibility": "public",
1386
+ "method_name":"instance_eval",
1387
+ "source":"P0",
1388
+ "custom_patch": true
1389
+ }, {
1390
+ "class_name": "Module",
1391
+ "instance_method": true,
1392
+ "method_visibility": "public",
1393
+ "method_name":"class_eval",
1394
+ "source":"P0",
1395
+ "custom_patch": true
1396
+ }, {
1397
+ "class_name": "Module",
1398
+ "instance_method": true,
1399
+ "method_visibility": "public",
1400
+ "method_name":"module_eval",
1401
+ "source":"P0",
1402
+ "custom_patch": true
1403
+ },{
1404
+ "class_name": "Object",
1405
+ "instance_method": true,
1406
+ "method_visibility": "public",
1407
+ "method_name": "try",
1408
+ "source": "P0"
1409
+ }, {
1410
+ "class_name": "Object",
1411
+ "instance_method": true,
1412
+ "method_visibility": "public",
1413
+ "method_name": "try!",
1414
+ "source": "P0"
1415
+ }
1416
+ ]
1417
+ }, {
1418
+ "name":"crypto-weak-randomness",
1419
+ "dataflow": false,
1420
+ "triggers":[
1421
+ {
1422
+ "class_name":"Kernel",
1423
+ "instance_method": false,
1424
+ "method_visibility": "public",
1425
+ "method_name":"rand"
1426
+ }, {
1427
+ "class_name":"Kernel",
1428
+ "instance_method": false,
1429
+ "method_visibility": "public",
1430
+ "method_name":"srand"
1431
+ }, {
1432
+ "class_name":"Random",
1433
+ "instance_method": false,
1434
+ "method_visibility": "public",
1435
+ "method_name":"rand"
1436
+ }, {
1437
+ "class_name":"Random",
1438
+ "instance_method": false,
1439
+ "method_visibility": "public",
1440
+ "method_name":"srand"
1441
+ }, {
1442
+ "class_name":"Random",
1443
+ "instance_method": true,
1444
+ "method_visibility": "public",
1445
+ "method_name":"rand"
1446
+ }
1447
+ ]
1448
+ }, {
1449
+ "name":"crypto-bad-mac",
1450
+ "dataflow": false,
1451
+ "triggers":[
1452
+ {
1453
+ "class_name":"OpenSSL::Digest",
1454
+ "instance_method": true,
1455
+ "method_visibility": "private",
1456
+ "method_name":"initialize",
1457
+ "source":"P0",
1458
+ "good_value":"^(?:MDC2|RIPEMD160|SHA224|SHA256|SHA384|SHA512)"
1459
+ }, {
1460
+ "class_name":"Digest::MD5",
1461
+ "instance_method": true,
1462
+ "method_visibility": "public",
1463
+ "method_name":"initialize"
1464
+ },{
1465
+ "class_name":"Digest::SHA1",
1466
+ "instance_method": true,
1467
+ "method_visibility": "public",
1468
+ "method_name":"initialize"
1469
+ }
1470
+ ]
1471
+ }, {
1472
+ "name":"crypto-bad-ciphers",
1473
+ "dataflow": false,
1474
+ "triggers":[
1475
+ {
1476
+ "class_name":"OpenSSL::Cipher",
1477
+ "instance_method": true,
1478
+ "method_visibility": "private",
1479
+ "method_name":"initialize",
1480
+ "source":"P0",
1481
+ "good_value":"^(?:AES|CAMELLIA|CAST|DES-EDE|DES-EDE3|DES3|DESX|SEED).*"
1482
+ }
1483
+ ]
1484
+ },
1485
+ {
1486
+ "name": "ssrf",
1487
+ "triggers": [
1488
+ {
1489
+ "class_name": "Net::HTTP",
1490
+ "instance_method": true,
1491
+ "method_visibility": "private",
1492
+ "method_name": "initialize",
1493
+ "source": "P0"
1494
+ },{
1495
+ "class_name": "Net::HTTP",
1496
+ "instance_method": true,
1497
+ "method_visibility": "public",
1498
+ "method_name": "get",
1499
+ "source": "P0"
1500
+ },{
1501
+ "class_name": "Net::HTTP",
1502
+ "instance_method": true,
1503
+ "method_visibility": "public",
1504
+ "method_name": "post",
1505
+ "source": "P0"
1506
+ },{
1507
+ "class_name": "Net::HTTP",
1508
+ "instance_method": true,
1509
+ "method_visibility": "public",
1510
+ "method_name": "head",
1511
+ "source": "P0"
1512
+ },{
1513
+ "class_name": "Net::HTTP",
1514
+ "instance_method": true,
1515
+ "method_visibility": "public",
1516
+ "method_name": "put",
1517
+ "source": "P0"
1518
+ },{
1519
+ "class_name": "Net::HTTP",
1520
+ "instance_method": true,
1521
+ "method_visibility": "public",
1522
+ "method_name": "patch",
1523
+ "source": "P0"
1524
+ },{
1525
+ "class_name": "Net::HTTP",
1526
+ "instance_method": true,
1527
+ "method_visibility": "public",
1528
+ "method_name": "delete",
1529
+ "source": "P0"
1530
+ },{
1531
+ "class_name": "Excon",
1532
+ "instance_method": true,
1533
+ "method_visibility": "private",
1534
+ "method_name": "initialize",
1535
+ "source": "P0"
1536
+ },
1537
+ {
1538
+ "class_name": "Typhoeus::Request",
1539
+ "instance_method": true,
1540
+ "method_visibility": "private",
1541
+ "method_name": "initialize",
1542
+ "source": "P0"
1543
+ }
1544
+ ]
1545
+ },
1546
+ {
1547
+ "name": "nosql-injection",
1548
+ "disallowed_tags":["JAVASCRIPT_ENCODED"],
1549
+ "triggers": [
1550
+ {
1551
+ "class_name": "Mongo::Protocol::Query",
1552
+ "instance_method": true,
1553
+ "method_visibility": "private",
1554
+ "method_name": "initialize",
1555
+ "source": "P2"
1556
+ },
1557
+ {
1558
+ "class_name": "Mongo::Operation::Specifiable",
1559
+ "instance_method": true,
1560
+ "method_visibility": "private",
1561
+ "method_name": "initialize",
1562
+ "source": "P0"
1563
+ }
1564
+ ]
1565
+ },
1566
+ {
1567
+ "name": "xxe",
1568
+ "dataflow": "true",
1569
+ "triggers": [
1570
+ {
1571
+ "class_name": "Ox",
1572
+ "instance_method": false,
1573
+ "method_visibility": "public",
1574
+ "method_name": "parse",
1575
+ "source": "P0"
1576
+ },
1577
+ {
1578
+ "class_name": "Ox",
1579
+ "instance_method": false,
1580
+ "method_visibility": "public",
1581
+ "method_name": "load",
1582
+ "source": "P0"
1583
+ },
1584
+ {
1585
+ "class_name": "Oga::XML::Parser",
1586
+ "instance_method": true,
1587
+ "method_visibility": "private",
1588
+ "method_name": "initialize",
1589
+ "source": "P0"
1590
+ },
1591
+ {
1592
+ "class_name": "Oga::XML::SaxParser",
1593
+ "instance_method": true,
1594
+ "method_visibility": "private",
1595
+ "method_name": "initialize",
1596
+ "source": "P1"
1597
+ }, {
1598
+ "class_name": "Nokogiri::XML::Document",
1599
+ "instance_method": false,
1600
+ "method_visibility": "public",
1601
+ "method_name": "parse",
1602
+ "source": "P0"
1603
+ }, {
1604
+ "class_name": "Nokogiri::XML::SAX::Parser",
1605
+ "instance_method": true,
1606
+ "method_visibility": "public",
1607
+ "method_name": "parse",
1608
+ "source": "P0"
1609
+ }
1610
+ ]
1611
+ }, {
1612
+ "name": "trust-boundary-violation",
1613
+ "triggers": [
1614
+ {
1615
+ "class_name": "ActionDispatch::Request::Session",
1616
+ "instance_method": true,
1617
+ "method_visibility": "public",
1618
+ "method_name": "[]=",
1619
+ "source": "P0,P1"
1620
+ },{
1621
+ "class_name": "Rack::Session::Cookie::Identity",
1622
+ "instance_method": true,
1623
+ "method_visibility": "public",
1624
+ "method_name": "encode",
1625
+ "source": "P0"
1626
+ },{
1627
+ "class_name": "Rack::Session::Cookie::Base64",
1628
+ "instance_method": true,
1629
+ "method_visibility": "public",
1630
+ "method_name": "encode",
1631
+ "source": "P0"
1632
+ }
1633
+ ]
1634
+ }, {
1635
+ "name": "unvalidated-redirect",
1636
+ "disallowed_tags":["URL_ENCODED"],
1637
+ "triggers": [
1638
+ {
1639
+ "class_name": "Sinatra::Helpers",
1640
+ "instance_method": true,
1641
+ "method_visibility": "public",
1642
+ "method_name": "redirect",
1643
+ "source": "P0"
1644
+ },
1645
+ {
1646
+ "class_name": "ActionController::Redirecting",
1647
+ "instance_method": true,
1648
+ "method_visibility": "public",
1649
+ "method_name": "redirect_to",
1650
+ "source": "P0"
1651
+ }
1652
+ ]
1653
+ }, {
1654
+ "name": "untrusted-deserialization",
1655
+ "triggers": [
1656
+ {
1657
+ "class_name": "Marshal",
1658
+ "instance_method": false,
1659
+ "method_visibility": "public",
1660
+ "method_name": "load",
1661
+ "source": "P0"
1662
+ },
1663
+ {
1664
+ "class_name": "Psych",
1665
+ "instance_method": false,
1666
+ "method_visibility": "public",
1667
+ "method_name": "load",
1668
+ "source": "P0"
1669
+ }
1670
+ ]
1671
+ }
1672
+ ]
1673
+ }