# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details. # frozen_string_literal: true require 'contrast/agent/assess/rule/response/base_rule' require 'contrast/utils/string_utils' module Contrast module Agent module Assess module Rule module Response # These rules check the content of the HTTP Response to determine if the body contains a form which # incorrectly sets the action attribute. class ParametersPollution < BaseRule def rule_id 'parameter-pollution' end protected # Rules discern which responses they can/should analyze. # # @param response [Contrast::Agent::Response] the response of the application def analyze_response? response super && body?(response) end # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so. # # @param response [Contrast::Agent::Response] the response of the application # @return [Hash, nil] the evidence required to prove the violation of the rule def violated? response body = response.body forms = forms(body) forms.each do |form| # Because TeamServer will reject any subsequent form on the same page due to deduplication, we can # skip out on the first violation. return form if action?(form[HTML_PROP]) end nil end def accepted_values [/action="[^"]/i, /action='[^']/i, /action=[^\\'"]/i, /action=[^\s<>'"]/i].cs__freeze end def action? form return true unless /action=/i.match?(form) accepted_values.each do |off_value| return false if form.match?(off_value) end true end end end end end end end