# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

require 'contrast/agent/assess/policy/source_method'

module Contrast
  module Agent
    module Assess
      module Policy
        module SourceValidation
          # Validator used to assert a CROSS_SITE tag is actually applicable to the given method before applying the
          # tag to its target.
          #
          # Only the HTTP_REFERER header is treated as a CROSS_SITE source; header keys are never one. Every other
          # tag, and every non-header source type, passes through unchanged.
          module CrossSiteValidator
            # Prevent the application of a tag if it is from a source known to not apply a tag in a provided context.
            #
            # Note that for Rack, the Header will be HTTP_REFERER. Rails does some help in
            # ActionDispatch::Http::Headers to convert keys like `referer` to `HTTP_REFERER` before they get to the
            # Rack::Request#get_header method
            # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/reflected_xss.md
            #
            # @param tag [String] the tag the policy wants to apply; anything other than 'CROSS_SITE' is always valid
            # @param source_type [Object] the source type of the method, compared against the SourceMethod type
            #   constants
            # @param source_name [String, nil] the name of the source, e.g. the header name for header sources
            # @return [Boolean] true if the tag may be applied to the target, false if it must be skipped
            def self.valid? tag, source_type, source_name
              # The validator only constrains the CROSS_SITE tag.
              return true unless tag == 'CROSS_SITE'

              header_key_type = Contrast::Agent::Assess::Policy::SourceMethod::HEADER_KEY_TYPE
              header_type = Contrast::Agent::Assess::Policy::SourceMethod::HEADER_TYPE

              if source_type == header_key_type
                # A header key is never a CROSS_SITE source.
                false
              elsif !(source_type == header_type)
                # Non-header sources are not restricted by this validator.
                true
              elsif source_name
                # Of the headers, only the referer is a CROSS_SITE source.
                source_name == 'HTTP_REFERER'
              else
                # A header source with no name cannot be the referer.
                false
              end
            end
          end
        end
      end
    end
  end
end