contrast-agent 6.6.1 → 6.6.2

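--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 0ba6de8e82da25931f2fd6d90f515451c33521c02c0fd00e0120ea05701bdc23
- data.tar.gz: 953297f4f0908bcdcf4791f91869dcf69312f44fe05e743e1e681ce9d3aa9b6f
+ metadata.gz: f00aee3e36cdb303ca9b209824fbb92386e0ca0043c0f24377f79168dca8d252
+ data.tar.gz: 7fc3d7571246ff92a10da151ce4b723768e3f7214b5a1e57d5bb1d6a66e86e2b
  SHA512:
- metadata.gz: f7e96583d53e23400fd53fd24aed86c728e0d9b8d79a17179cc1bb96a50ad002e047805b10cea0eaa362802c494ff0b45463a16b53a008e9921723cd9e6e43f9
- data.tar.gz: f3c7c2a5b575233f4f8d3e9058b281352133625ab42d50b3c6590c7178728ceda8c494953890a0d50e1413ad5f1e50c04595cc035d5f3ed247611f3a1401095e
+ metadata.gz: 9fc9e69602a2706cb41bf8d13e07693afb61ad85ad03ff43182f3c79c5f9dff1c0b8ed3e0cb690d15cf8e43830920516604e9b497945963897f0ee1b82e11f9b
+ data.tar.gz: dfd4e5146f9ac498b83d76b13a9d6ed17a5de0e659ed301acbf6a873e18d5ff75ea8aa8fa7c3789433e100903a9f6bfb4b87c9d283107c5bd04015f862e88644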
@@ -20,11 +20,16 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
20
20
  # :STATE_INSIDE_BLOCK_COMMENT # inside a commend that will end with a closing tag
21
21
  # :STATE_SKIP_NEXT_CHARACTER
22
22
 
23
+ # @param query [String] the query being executed
24
+ # @param index [Integer] the index of the input in the query
25
+ # @param input [String] the input value provided by the user
26
+ # @return [Array<Integer>, nil] the boundary overrun by the input or nil if no overrun
23
27
  def crosses_boundary query, index, input
24
28
  last_boundary = 0
25
- token_boundaries(query).each do |boundary|
29
+ scan_token_boundaries(query).each do |boundary|
26
30
  if boundary > index
27
- return last_boundary, boundary if boundary < index + input.length
31
+ # We should report the previous and overrun boundary if the input crosses one.
32
+ return last_boundary, boundary if boundary < (index + input.length)
28
33
 
29
34
  break
30
35
  end
@@ -33,10 +38,10 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
33
38
  nil
34
39
  end
35
40
 
36
- def token_boundaries query
37
- @_token_boundaries ||= scan_token_boundaries(query)
38
- end
41
+ private
39
42
 
43
+ # @param query [String] the query being executed
44
+ # @return [Array<Integer>] the boundaries of the query
40
45
  def scan_token_boundaries query
41
46
  boundaries = []
42
47
  return boundaries unless query && !query.empty?
@@ -73,6 +78,11 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
73
78
  boundaries
74
79
  end
75
80
 
81
+ # @param boundaries [Array<Integer>] the indexes of the state changes in the query
82
+ # @param current_state [Symbol] the state of the query
83
+ # @param char [String] the character being evaluated
84
+ # @param index [Integer] the location of the character in the query
85
+ # @param query [String] the query being executed
76
86
  def process_state boundaries, current_state, char, index, query
77
87
  case current_state
78
88
  when :STATE_EXPECTING_TOKEN
@@ -88,6 +98,10 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
88
98
  end
89
99
  end
90
100
 
101
+ # @param boundaries [Array<Integer>] the indexes of the state changes in the query
102
+ # @param char [String] the character being evaluated
103
+ # @param index [Integer] the location of the character in the query
104
+ # @param query [String] the query being executed
91
105
  def process_expecting_token boundaries, char, index, query
92
106
  if char == Contrast::Utils::ObjectShare::SINGLE_QUOTE
93
107
  boundaries << index
@@ -112,6 +126,10 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
112
126
  end
113
127
  end
114
128
 
129
+ # @param boundaries [Array<Integer>] the indexes of the state changes in the query
130
+ # @param char [String] the character being evaluated
131
+ # @param index [Integer] the location of the character in the query
132
+ # @param query [String] the query being executed
115
133
  def process_inside_token boundaries, char, index, query
116
134
  if char == Contrast::Utils::ObjectShare::SINGLE_QUOTE
117
135
  boundaries << index
@@ -133,6 +151,10 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
133
151
  end
134
152
  end
135
153
 
154
+ # @param boundaries [Array<Integer>] the indexes of the state changes in the query
155
+ # @param char [String] the character being evaluated
156
+ # @param index [Integer] the location of the character in the query
157
+ # @param _query [String] the query being executed
136
158
  def process_number boundaries, char, index, _query
137
159
  if char.match?(Contrast::Utils::ObjectShare::DIGIT_REGEXP) || char == Contrast::Utils::ObjectShare::PERIOD
138
160
  :STATE_INSIDE_NUMBER
@@ -142,6 +164,10 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
142
164
  end
143
165
  end
144
166
 
167
+ # @param boundaries [Array<Integer>] the indexes of the state changes in the query
168
+ # @param char [String] the character being evaluated
169
+ # @param index [Integer] the location of the character in the query
170
+ # @param query [String] the query being executed
145
171
  def process_double_quote boundaries, char, index, query
146
172
  if escape_char?(char)
147
173
  :STATE_SKIP_NEXT_CHARACTER
@@ -159,6 +185,10 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
159
185
  end
160
186
  end
161
187
 
188
+ # @param boundaries [Array<Integer>] the indexes of the state changes in the query
189
+ # @param char [String] the character being evaluated
190
+ # @param index [Integer] the location of the character in the query
191
+ # @param query [String] the query being executed
162
192
  def process_single_quote boundaries, char, index, query
163
193
  if escape_char?(char)
164
194
  :STATE_SKIP_NEXT_CHARACTER
@@ -176,18 +206,24 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
176
206
  end
177
207
  end
178
208
 
209
+ # @param query [String] the query being executed
210
+ # @param index [Integer] the location of the character in the query
179
211
  def double_quote? query, index
180
212
  return false unless index >= 0 && index < query.length
181
213
 
182
214
  query[index] == Contrast::Utils::ObjectShare::DOUBLE_QUOTE
183
215
  end
184
216
 
217
+ # @param query [String] the query being executed
218
+ # @param index [Integer] the location of the character in the query
185
219
  def single_quote? query, index
186
220
  return false unless index >= 0 && index < query.length
187
221
 
188
222
  query[index] == Contrast::Utils::ObjectShare::SINGLE_QUOTE
189
223
  end
190
224
 
225
+ # @param query [String] the query being executed
226
+ # @param index [Integer] the location of the character in the query
191
227
  def find_escape_sequence_boundary query, index
192
228
  idx = index
193
229
  while idx < query.length
@@ -199,6 +235,8 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
199
235
  idx
200
236
  end
201
237
 
238
+ # @param query [String] the query being executed
239
+ # @param index [Integer] the location of the character in the query
202
240
  def find_block_comment_boundary query, index
203
241
  idx = index
204
242
  while idx < query.length
@@ -210,6 +248,8 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
210
248
  idx
211
249
  end
212
250
 
251
+ # @param query [String] the query being executed
252
+ # @param index [Integer] the location of the character in the query
213
253
  def find_new_line_boundary query, index
214
254
  idx = index
215
255
  while idx < query.length
@@ -222,12 +262,17 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
222
262
  idx
223
263
  end
224
264
 
265
+ # @param char [String] the character being evaluated
225
266
  def operator? char
226
267
  char.match?(OPERATOR_PATTERN)
227
268
  end
228
269
 
229
270
  # @note: Any class extending this module should override these methods as needed
230
271
  # Are the current and subsequent characters both '-' ?
272
+ #
273
+ # @param char [String] the character being evaluated
274
+ # @param index [Integer] the location of the character in the query
275
+ # @param query [String] the query being executed
231
276
  def start_line_comment? char, index, query
232
277
  return false unless char == Contrast::Utils::ObjectShare::DASH
233
278
  return false unless (query.length - 2) >= index
@@ -237,6 +282,10 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
237
282
 
238
283
  # Is the current character / sequence of characters the start of a block comment
239
284
  # We assume '/*' starts the comment by default
285
+ #
286
+ # @param char [String] the character being evaluated
287
+ # @param index [Integer] the location of the character in the query
288
+ # @param query [String] the query being executed
240
289
  def start_block_comment? char, index, query
241
290
  return false unless char == Contrast::Utils::ObjectShare::SLASH
242
291
  return false unless (query.length - 2) >= index
@@ -246,6 +295,10 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
246
295
 
247
296
  # Is the current character / sequence of characters the end of a block comment
248
297
  # We assume '*/' ends the comment by default
298
+ #
299
+ # @param char [String] the character being evaluated
300
+ # @param index [Integer] the location of the character in the query
301
+ # @param query [String] the query being executed
249
302
  def end_block_comment? char, index, query
250
303
  return false unless char == Contrast::Utils::ObjectShare::ASTERISK
251
304
  return false unless (query.length - 2) >= index
@@ -267,18 +320,24 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
267
320
 
268
321
  # Is the character provided an escape character?
269
322
  # By default, we'll assume
323
+ #
324
+ # @param char [String] the character being evaluated
270
325
  def escape_char? char
271
326
  char == Contrast::Utils::ObjectShare::BACK_SLASH
272
327
  end
273
328
 
274
329
  # Is this the start of a string escape sequence?
275
330
  # Since escape sequences aren't supported, the answer is always false
331
+ #
332
+ # @param _char [String] the character being evaluated
276
333
  def escape_sequence_start? _char
277
334
  false
278
335
  end
279
336
 
280
337
  # Is this the end of a string escape sequence?
281
338
  # Since escape sequences aren't supported, the answer is always false
339
+ #
340
+ # @param _char [String] the character being evaluated
282
341
  def escape_sequence_end? _char
283
342
  false
284
343
  end
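Review bot: In the first hunk of this file, `crosses_boundary` now calls `scan_token_boundaries(query)` on every invocation, and its only visible caller, the `while ss.scan_until(regexp)` loop in `build_attack_with_match`, calls it once per occurrence of the attack string, so a long query that repeats the input is re-tokenised in full for each occurrence. Dropping the old `@_token_boundaries ||=` cache is the right call, since it ignored `query` and would have handed a stale boundary list to the next query on a reused scanner, but the tokenisation depends only on `query` and can still be done once per query. A backward-compatible shape is an optional trailing parameter, `def crosses_boundary query, index, input, boundaries = scan_token_boundaries(query)` followed by `boundaries.each do |boundary|`, plus a public, uncached `token_boundaries(query)` that delegates to the now-private `scan_token_boundaries` so the caller can hoist the scan out of its loop. If the scanner instance is shared across requests, any replacement cache keyed on the query object would be racy for the same reason the old one was wrong, so hoisting in the caller is preferable to re-adding instance state. `crosses_boundary` continues below that hunk (the rest of the loop body and the `nil` fallback sit in the next hunk), so the `last_boundary` update is not visible here.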
@@ -65,8 +65,8 @@ module Contrast
65
65
  # if one exists, in the case of multiple inputs being found to violate the protection criteria
66
66
  # @param result [Contrast::Api::Dtm::AttackResult, nil] previous attack result for this rule, if one exists,
67
67
  # in the case of multiple inputs being found to violate the protection criteria
68
- # @query_string [string] he value of the input which may be an attack
69
- # @kwargs [Hash] key - value pairs of context individual rules need to build out details to send
68
+ # @param query_string [String] the value of the input which may be an attack
69
+ # @param kwargs [Hash] key - value pairs of context individual rules need to build out details to send
70
70
  # to the Service to tell the story of the attack
71
71
  # @return [Contrast::Api::Dtm::AttackResult] the result from this attack
72
72
  def build_attack_with_match context, input_analysis_result, result, query_string, **kwargs
@@ -86,14 +86,12 @@ module Contrast
86
86
  ss = StringScanner.new(query_string)
87
87
  length = attack_string.length
88
88
  while ss.scan_until(regexp)
89
- # the pos of StringScanner is at the end of the regexp (input string),
90
- # we need the beginning
89
+ # the pos of StringScanner is at the end of the regexp (input string), we need the beginning
91
90
  idx = ss.pos - attack_string.length
92
91
  last_boundary, boundary = scanner.crosses_boundary(query_string, idx, input_analysis_result.value)
93
92
  next unless last_boundary && boundary
94
93
 
95
94
  result ||= build_attack_result(context)
96
-
97
95
  record_match(idx, length, boundary, last_boundary, kwargs)
98
96
  append_match(context, input_analysis_result, result, query_string, **kwargs)
99
97
  end
@@ -3,6 +3,6 @@
3
3
 
4
4
  module Contrast
5
5
  module Agent
6
- VERSION = '6.6.1'
6
+ VERSION = '6.6.2'
7
7
  end
8
8
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: contrast-agent
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.6.1
4
+ version: 6.6.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - galen.palmer@contrastsecurity.com
@@ -13,7 +13,7 @@ authors:
13
13
  autorequire:
14
14
  bindir: exe
15
15
  cert_chain: []
16
- date: 2022-07-13 00:00:00.000000000 Z
16
+ date: 2022-07-15 00:00:00.000000000 Z
17
17
  dependencies:
18
18
  - !ruby/object:Gem::Dependency
19
19
  name: bundler