# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details. # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details. # frozen_string_literal: true require 'contrast/agent/assess/rule/response/header_rule' require 'contrast/utils/string_utils' module Contrast module Agent module Assess module Rule module Response # These rules check that the HTTP Headers include CSP header types class CspHeaderInsecure < HeaderRule HEADER_KEYS = %w[Content-Security-Policy X-Content-Security-Policy X-Webkit-CSP].cs__freeze DEFAULT_SAFE = false SETTINGS = %w[ base-uri child-src default-src connect-src frame-src media-src object-src script-src style-src form-action frame-ancestors plugin-types reflected-xss referer ].cs__freeze UNSAFE_VALUE_REGEXP = /^unsafe-(?:inline|eval)$/.cs__freeze ASTERISK_REGEXP = /[*]/.cs__freeze SAFE_REFLECTED_XSS = /1/.cs__freeze def rule_id 'csp-header-insecure' end protected # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so. # # @param response [Contrast::Agent::Response] the response of the application # @return [Contrast::Utils::ObjectShare::EMPTY_STRING, nil] if CSP Header is not found def violated? response settings = {} csp_hash = get_header_value(response) return if csp_hash.nil? SETTINGS.each do |setting_attr| # default src has to be checked all other keys may be missing next unless csp_hash.key?(setting_attr) || setting_attr == 'default-src' value = csp_hash[setting_attr] key = convert_key(setting_attr) settings["#{ key }Secure"] = !value.nil? && value_secure?(value) && value_safe?(value) settings["#{ key }Value"] = value.nil? ? Contrast::Utils::ObjectShare::EMPTY_STRING : value end evidence(settings.to_json) if settings.value?(false) end # Get the CSP values from and transforms them to key value hash # # ex default-src 'self' *.test.com; img-src * becomes: # { default-src: "'self' *.test.com", img-src: "*" } # # @param headers [Hash] the response of the application # @return [Array, nil] array of CSP header values def get_header_value response csp_hash = {} headers = response.headers HEADER_KEYS.each do |header_key| next unless headers[header_key]&.length&.positive? values = headers[header_key].split(Contrast::Utils::ObjectShare::SEMICOLON) values.each do |value| normalized = value.downcase.strip kv = normalized.split(Contrast::Utils::ObjectShare::SPACE, 2) csp_hash[kv[0]] = kv[1] end end csp_hash end def value_secure? value ASTERISK_REGEXP.match(value).nil? end def value_safe? value UNSAFE_VALUE_REGEXP.match(value).nil? || !SAFE_REFLECTED_XSS.match(value).nil? end # Converts the CSP key to camelcase to be used as key for evidence object # # base-uri -> baseUri # # @param key [String] key as found in header # @return [String] camelcase key def convert_key key return key unless key.include?('-') str = key.split('-') "#{ str[0] }#{ str[1].capitalize }" end end end end end end end