
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

require 'contrast/agent/assess/rule/response/base_rule'
require 'contrast/utils/string_utils'

module Contrast
  module Agent
    module Assess
      module Rule
        module Response
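          # Response rule that reports when the application has explicitly
          # turned the legacy browser XSS filter off via the X-XSS-Protection
          # response header. It inspects only the header's value: a value that
          # begins with `1` (`1`, `1; mode=block`, `1; report=...`) passes,
          # any other value (e.g. `0`) is returned as the finding's evidence.
          # A response without the header produces no finding.
          #
          # NOTE(review): treating `1` as the safe value reflects the older
          # guidance this rule was written against. Chromium has since removed
          # its XSS Auditor and current OWASP/MDN guidance is to omit the header
          # or send `0`, because the filter itself enabled information-leak
          # attacks. Whether `0` should keep being flagged is a product decision;
          # the rule id and its verdicts are left unchanged here, only the value
          # matching is tightened.
          class XXssProtection < BaseRule
            # @return [String] the identifier under which findings are reported
            def rule_id
              'xxssprotection-header-disabled'
            end

            protected

            HEADER_KEY = 'X-XSS-Protection'.cs__freeze
            HEADER_KEY_SYM = HEADER_KEY.to_sym
            # Anchored with \A rather than ^: in Ruby ^ matches after any
            # newline, so a value such as "0\n1" satisfied the previous /^1/
            # check even though its first (browser-visible) line disables the
            # filter. Header values should never contain newlines, but the rule
            # should not depend on that being enforced upstream.
            ACCEPTED_VALUE = /\A1/.cs__freeze

            # Rules discern which responses they can/should analyze; this one
            # additionally needs the response to carry headers.
            #
            # @param response [Contrast::Agent::Response] the response of the application
            # @return [Boolean] true when the base rule checks pass and headers are present
            def analyze_response? response
              super && headers?(response)
            end

            # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
            #
            # The header is looked up under both the String and the Symbol key,
            # since the response's header hash may use either (TODO confirm
            # which form Contrast::Agent::Response actually produces).
            #
            # @param response [Contrast::Agent::Response] the response of the application
            # @return [Hash, nil] the evidence required to prove the violation of the rule, or nil
            #   when the header is absent or its value starts with '1'
            def violated? response
              headers = response.headers
              x_xss_protection = headers[HEADER_KEY] || headers[HEADER_KEY_SYM]
              # No header: the browser default applies, so there is nothing to report.
              return unless x_xss_protection
              # Any value not starting with '1' (including '0') is reported as-is.
              return unsafe_response(x_xss_protection) unless ACCEPTED_VALUE.match?(x_xss_protection)

              nil
            end

            # Build the evidence hash for a disabling or unrecognised header value.
            #
            # @param value [String] the offending header value
            # @return [Hash] `{ data: value }`
            def unsafe_response value = ''
              { data: value }
            end
          end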
        end
      end
    end
  end
end


Version Path
contrast-agent-5.1.0 lib/contrast/agent/assess/rule/response/x_xss_protection_rule.rb