contrast-agent 6.6.1 → 6.6.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 0ba6de8e82da25931f2fd6d90f515451c33521c02c0fd00e0120ea05701bdc23
4
- data.tar.gz: 953297f4f0908bcdcf4791f91869dcf69312f44fe05e743e1e681ce9d3aa9b6f
3
+ metadata.gz: f00aee3e36cdb303ca9b209824fbb92386e0ca0043c0f24377f79168dca8d252
4
+ data.tar.gz: 7fc3d7571246ff92a10da151ce4b723768e3f7214b5a1e57d5bb1d6a66e86e2b
5
5
  SHA512:
6
- metadata.gz: f7e96583d53e23400fd53fd24aed86c728e0d9b8d79a17179cc1bb96a50ad002e047805b10cea0eaa362802c494ff0b45463a16b53a008e9921723cd9e6e43f9
7
- data.tar.gz: f3c7c2a5b575233f4f8d3e9058b281352133625ab42d50b3c6590c7178728ceda8c494953890a0d50e1413ad5f1e50c04595cc035d5f3ed247611f3a1401095e
6
+ metadata.gz: 9fc9e69602a2706cb41bf8d13e07693afb61ad85ad03ff43182f3c79c5f9dff1c0b8ed3e0cb690d15cf8e43830920516604e9b497945963897f0ee1b82e11f9b
7
+ data.tar.gz: dfd4e5146f9ac498b83d76b13a9d6ed17a5de0e659ed301acbf6a873e18d5ff75ea8aa8fa7c3789433e100903a9f6bfb4b87c9d283107c5bd04015f862e88644
@@ -20,11 +20,16 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
20
20
  # :STATE_INSIDE_BLOCK_COMMENT # inside a commend that will end with a closing tag
21
21
  # :STATE_SKIP_NEXT_CHARACTER
22
22
 
23
+ # @param query [String] the query being executed
24
+ # @param index [Integer] the index of the input in the query
25
+ # @param input [String] the input value provided by the user
26
+ # @return [Array<Integer>, nil] the boundary overrun by the input or nil if no overrun
23
27
  def crosses_boundary query, index, input
24
28
  last_boundary = 0
25
- token_boundaries(query).each do |boundary|
29
+ scan_token_boundaries(query).each do |boundary|
26
30
  if boundary > index
27
- return last_boundary, boundary if boundary < index + input.length
31
+ # We should report the previous and overrun boundary if the input crosses one.
32
+ return last_boundary, boundary if boundary < (index + input.length)
28
33
 
29
34
  break
30
35
  end
@@ -33,10 +38,10 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
33
38
  nil
34
39
  end
35
40
 
36
- def token_boundaries query
37
- @_token_boundaries ||= scan_token_boundaries(query)
38
- end
41
+ private
39
42
 
43
+ # @param query [String] the query being executed
44
+ # @return [Array<Integer>] the boundaries of the query
40
45
  def scan_token_boundaries query
41
46
  boundaries = []
42
47
  return boundaries unless query && !query.empty?
@@ -73,6 +78,11 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
73
78
  boundaries
74
79
  end
75
80
 
81
+ # @param boundaries [Array<Integer>] the indexes of the state changes in the query
82
+ # @param current_state [Symbol] the state of the query
83
+ # @param char [String] the character being evaluated
84
+ # @param index [Integer] the location of the character in the query
85
+ # @param query [String] the query being executed
76
86
  def process_state boundaries, current_state, char, index, query
77
87
  case current_state
78
88
  when :STATE_EXPECTING_TOKEN
@@ -88,6 +98,10 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
88
98
  end
89
99
  end
90
100
 
101
+ # @param boundaries [Array<Integer>] the indexes of the state changes in the query
102
+ # @param char [String] the character being evaluated
103
+ # @param index [Integer] the location of the character in the query
104
+ # @param query [String] the query being executed
91
105
  def process_expecting_token boundaries, char, index, query
92
106
  if char == Contrast::Utils::ObjectShare::SINGLE_QUOTE
93
107
  boundaries << index
@@ -112,6 +126,10 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
112
126
  end
113
127
  end
114
128
 
129
+ # @param boundaries [Array<Integer>] the indexes of the state changes in the query
130
+ # @param char [String] the character being evaluated
131
+ # @param index [Integer] the location of the character in the query
132
+ # @param query [String] the query being executed
115
133
  def process_inside_token boundaries, char, index, query
116
134
  if char == Contrast::Utils::ObjectShare::SINGLE_QUOTE
117
135
  boundaries << index
@@ -133,6 +151,10 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
133
151
  end
134
152
  end
135
153
 
154
+ # @param boundaries [Array<Integer>] the indexes of the state changes in the query
155
+ # @param char [String] the character being evaluated
156
+ # @param index [Integer] the location of the character in the query
157
+ # @param _query [String] the query being executed
136
158
  def process_number boundaries, char, index, _query
137
159
  if char.match?(Contrast::Utils::ObjectShare::DIGIT_REGEXP) || char == Contrast::Utils::ObjectShare::PERIOD
138
160
  :STATE_INSIDE_NUMBER
@@ -142,6 +164,10 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
142
164
  end
143
165
  end
144
166
 
167
+ # @param boundaries [Array<Integer>] the indexes of the state changes in the query
168
+ # @param char [String] the character being evaluated
169
+ # @param index [Integer] the location of the character in the query
170
+ # @param query [String] the query being executed
145
171
  def process_double_quote boundaries, char, index, query
146
172
  if escape_char?(char)
147
173
  :STATE_SKIP_NEXT_CHARACTER
@@ -159,6 +185,10 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
159
185
  end
160
186
  end
161
187
 
188
+ # @param boundaries [Array<Integer>] the indexes of the state changes in the query
189
+ # @param char [String] the character being evaluated
190
+ # @param index [Integer] the location of the character in the query
191
+ # @param query [String] the query being executed
162
192
  def process_single_quote boundaries, char, index, query
163
193
  if escape_char?(char)
164
194
  :STATE_SKIP_NEXT_CHARACTER
@@ -176,18 +206,24 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
176
206
  end
177
207
  end
178
208
 
209
+ # @param query [String] the query being executed
210
+ # @param index [Integer] the location of the character in the query
179
211
  def double_quote? query, index
180
212
  return false unless index >= 0 && index < query.length
181
213
 
182
214
  query[index] == Contrast::Utils::ObjectShare::DOUBLE_QUOTE
183
215
  end
184
216
 
217
+ # @param query [String] the query being executed
218
+ # @param index [Integer] the location of the character in the query
185
219
  def single_quote? query, index
186
220
  return false unless index >= 0 && index < query.length
187
221
 
188
222
  query[index] == Contrast::Utils::ObjectShare::SINGLE_QUOTE
189
223
  end
190
224
 
225
+ # @param query [String] the query being executed
226
+ # @param index [Integer] the location of the character in the query
191
227
  def find_escape_sequence_boundary query, index
192
228
  idx = index
193
229
  while idx < query.length
@@ -199,6 +235,8 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
199
235
  idx
200
236
  end
201
237
 
238
+ # @param query [String] the query being executed
239
+ # @param index [Integer] the location of the character in the query
202
240
  def find_block_comment_boundary query, index
203
241
  idx = index
204
242
  while idx < query.length
@@ -210,6 +248,8 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
210
248
  idx
211
249
  end
212
250
 
251
+ # @param query [String] the query being executed
252
+ # @param index [Integer] the location of the character in the query
213
253
  def find_new_line_boundary query, index
214
254
  idx = index
215
255
  while idx < query.length
@@ -222,12 +262,17 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
222
262
  idx
223
263
  end
224
264
 
265
+ # @param char [String] the character being evaluated
225
266
  def operator? char
226
267
  char.match?(OPERATOR_PATTERN)
227
268
  end
228
269
 
229
270
  # @note: Any class extending this module should override these methods as needed
230
271
  # Are the current and subsequent characters both '-' ?
272
+ #
273
+ # @param char [String] the character being evaluated
274
+ # @param index [Integer] the location of the character in the query
275
+ # @param query [String] the query being executed
231
276
  def start_line_comment? char, index, query
232
277
  return false unless char == Contrast::Utils::ObjectShare::DASH
233
278
  return false unless (query.length - 2) >= index
@@ -237,6 +282,10 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
237
282
 
238
283
  # Is the current character / sequence of characters the start of a block comment
239
284
  # We assume '/*' starts the comment by default
285
+ #
286
+ # @param char [String] the character being evaluated
287
+ # @param index [Integer] the location of the character in the query
288
+ # @param query [String] the query being executed
240
289
  def start_block_comment? char, index, query
241
290
  return false unless char == Contrast::Utils::ObjectShare::SLASH
242
291
  return false unless (query.length - 2) >= index
@@ -246,6 +295,10 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
246
295
 
247
296
  # Is the current character / sequence of characters the end of a block comment
248
297
  # We assume '*/' ends the comment by default
298
+ #
299
+ # @param char [String] the character being evaluated
300
+ # @param index [Integer] the location of the character in the query
301
+ # @param query [String] the query being executed
249
302
  def end_block_comment? char, index, query
250
303
  return false unless char == Contrast::Utils::ObjectShare::ASTERISK
251
304
  return false unless (query.length - 2) >= index
@@ -267,18 +320,24 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
267
320
 
268
321
  # Is the character provided an escape character?
269
322
  # By default, we'll assume
323
+ #
324
+ # @param char [String] the character being evaluated
270
325
  def escape_char? char
271
326
  char == Contrast::Utils::ObjectShare::BACK_SLASH
272
327
  end
273
328
 
274
329
  # Is this the start of a string escape sequence?
275
330
  # Since escape sequences aren't supported, the answer is always false
331
+ #
332
+ # @param _char [String] the character being evaluated
276
333
  def escape_sequence_start? _char
277
334
  false
278
335
  end
279
336
 
280
337
  # Is this the end of a string escape sequence?
281
338
  # Since escape sequences aren't supported, the answer is always false
339
+ #
340
+ # @param _char [String] the character being evaluated
282
341
  def escape_sequence_end? _char
283
342
  false
284
343
  end
@@ -65,8 +65,8 @@ module Contrast
65
65
  # if one exists, in the case of multiple inputs being found to violate the protection criteria
66
66
  # @param result [Contrast::Api::Dtm::AttackResult, nil] previous attack result for this rule, if one exists,
67
67
  # in the case of multiple inputs being found to violate the protection criteria
68
- # @query_string [string] he value of the input which may be an attack
69
- # @kwargs [Hash] key - value pairs of context individual rules need to build out details to send
68
+ # @param query_string [String] the value of the input which may be an attack
69
+ # @param kwargs [Hash] key - value pairs of context individual rules need to build out details to send
70
70
  # to the Service to tell the story of the attack
71
71
  # @return [Contrast::Api::Dtm::AttackResult] the result from this attack
72
72
  def build_attack_with_match context, input_analysis_result, result, query_string, **kwargs
@@ -86,14 +86,12 @@ module Contrast
86
86
  ss = StringScanner.new(query_string)
87
87
  length = attack_string.length
88
88
  while ss.scan_until(regexp)
89
- # the pos of StringScanner is at the end of the regexp (input string),
90
- # we need the beginning
89
+ # the pos of StringScanner is at the end of the regexp (input string), we need the beginning
91
90
  idx = ss.pos - attack_string.length
92
91
  last_boundary, boundary = scanner.crosses_boundary(query_string, idx, input_analysis_result.value)
93
92
  next unless last_boundary && boundary
94
93
 
95
94
  result ||= build_attack_result(context)
96
-
97
95
  record_match(idx, length, boundary, last_boundary, kwargs)
98
96
  append_match(context, input_analysis_result, result, query_string, **kwargs)
99
97
  end
@@ -3,6 +3,6 @@
3
3
 
4
4
  module Contrast
5
5
  module Agent
6
- VERSION = '6.6.1'
6
+ VERSION = '6.6.2'
7
7
  end
8
8
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: contrast-agent
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.6.1
4
+ version: 6.6.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - galen.palmer@contrastsecurity.com
@@ -13,7 +13,7 @@ authors:
13
13
  autorequire:
14
14
  bindir: exe
15
15
  cert_chain: []
16
- date: 2022-07-13 00:00:00.000000000 Z
16
+ date: 2022-07-15 00:00:00.000000000 Z
17
17
  dependencies:
18
18
  - !ruby/object:Gem::Dependency
19
19
  name: bundler