# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

require 'contrast/agent/assess/policy/source_method'

module Contrast
  module Agent
    module Assess
      module Policy
        module SourceValidation
          # Validator used to decide whether a CROSS_SITE tag actually applies to the
          # given source before the tag is attached to its target.
          module CrossSiteValidator
            # Decide whether +tag+ may be applied to a source of the given type and name.
            #
            # Only the CROSS_SITE tag is ever refused; any other tag is accepted as-is.
            # For CROSS_SITE, a source of HEADER_KEY_TYPE (presumably the header name
            # itself) is never accepted, a source of HEADER_TYPE is accepted only when
            # it is the Referer header, and every other source type is accepted.
            #
            # Note that for Rack the header name is HTTP_REFERER. Rails normalizes keys
            # such as `referer` to `HTTP_REFERER` in ActionDispatch::Http::Headers before
            # they reach Rack::Request#get_header, so that single spelling is matched.
            # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/reflected_xss.md
            #
            # @param tag [String] the tag to be applied.
            # @param source_type [String] the type of the source.
            # @param source_name [String, nil] the name of the source.
            # @return [Boolean] true when the tag may be applied, false when it must be suppressed.
            def self.valid? tag, source_type, source_name
              return true unless tag == 'CROSS_SITE'

              source_method = Contrast::Agent::Assess::Policy::SourceMethod
              if source_type == source_method::HEADER_KEY_TYPE
                false
              elsif source_type != source_method::HEADER_TYPE
                true
              else
                # Exact, case-sensitive comparison against the Rack env key; a missing
                # name can never be the Referer. NOTE(review): a name that has not been
                # normalized to HTTP_REFERER (e.g. `Referer`, or a Symbol) is rejected
                # here — confirm callers always pass the Rack spelling.
                !source_name.nil? && source_name == 'HTTP_REFERER'
              end
            end
          end
        end
      end
    end
  end
end