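# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

require 'contrast/agent/assess/rule/response/base_rule'
require 'contrast/utils/string_utils'

module Contrast
  module Agent
    module Assess
      module Rule
        module Response
          # Response rule: the HTTP response must carry an X-Content-Type-Options
          # header whose value starts with +nosniff+. A missing header, or one with
          # any other value, is reported as a violation of this rule.
          class XContentType < BaseRule
            # @return [String] the identifier under which findings of this rule are reported
            def rule_id
              'xcontenttype-header-missing'
            end

            protected

            HEADER_KEY = 'X-Content-Type-Options'.cs__freeze
            HEADER_KEY_SYM = HEADER_KEY.to_sym
            # Anchored with \A so only the start of the whole header value is tested.
            # The previous /^nosniff/ also matched right after an embedded newline, so a
            # value whose first directive was not nosniff could still pass the check.
            ACCEPTED_VALUE = /\Anosniff/i.cs__freeze

            # Rules discern which responses they can/should analyze: the base rule's
            # decision must hold and the response must expose headers.
            #
            # @param response [Contrast::Agent::Response] the response of the application
            # @return [Boolean] true when this rule should inspect the response
            def analyze_response? response
              # headers? is not defined in this file; presumably inherited from BaseRule.
              super && headers?(response)
            end

            # Determine if the Response violates the Rule or not. If it does, return the
            # evidence that proves it so.
            #
            # The header is looked up by its String key and, failing that, by the Symbol
            # form of the same key. Any other spelling (for example an all-lowercase key)
            # is treated as a missing header.
            # NOTE(review): if the header hash can hold lowercase keys, this lookup
            # would report a false positive -- confirm against the Response type.
            #
            # @param response [Contrast::Agent::Response] the response of the application
            # @return [Hash, nil] the evidence required to prove the violation of the rule,
            #   or nil when the header is present and accepted
            def violated? response
              headers = response.headers
              x_content_type = headers[HEADER_KEY] || headers[HEADER_KEY_SYM]
              # Absent header: evidence carries an empty value.
              return unsafe_response unless x_content_type
              # Present but not nosniff: evidence carries the offending value.
              return unsafe_response(x_content_type) unless ACCEPTED_VALUE.match?(x_content_type)

              nil
            end

            # Build the evidence hash for a violation.
            #
            # Accepts the observed header value: the earlier zero-arity definition made
            # the call above, which passes the value, raise ArgumentError whenever the
            # header was present with a non-nosniff value -- the exact case this rule
            # exists to report.
            #
            # @param value [String] the offending header value, or '' when the header is absent
            # @return [Hash] evidence in the form +{ data: value }+
            def unsafe_response value = ''
              { data: value }
            end
          end
        end
      end
    end
  end
end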
contrast-agent-5.1.0 | lib/contrast/agent/assess/rule/response/x_content_type_rule.rb |