Sha256: 0fbe74b132129fd0baed28d3e2c3b122d2cb2ef66786570f477df3d9bebbee12
Contents?: true
Size: 1.21 KB
Versions: 2
Compression:
Stored size: 1.21 KB
Contents
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true
module Contrast
module Agent
module Assess
module Policy
module TriggerValidation
# Validator used to assert a Reflected XSS finding is actually
# vulnerable before serializing that finding as a DTM to report to
# the service.
module XSSValidator
RULE_NAME = 'reflected-xss'
SAFE_CONTENT_TYPES = %w[/csv /javascript /json /pdf /x-javascript /x-json].cs__freeze
# A finding is valid for XSS if the response type is not one of
# those assumed to be safe
# https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/reflected_xss.md
def self.valid? _patcher, _object, _ret, _args
content_type = Contrast::Agent::REQUEST_TRACKER.current&.response&.content_type
return false unless content_type
content_type = content_type.downcase
SAFE_CONTENT_TYPES.none? { |safe_type| content_type.index(safe_type) }
end
end
end
end
end
end
end
Version data entries
2 entries across 2 versions & 1 rubygems
| Version | Path |
|---|---|
| contrast-agent-4.14.1 | lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb |
| contrast-agent-4.14.0 | lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb |