Sha256: 8144166058d42351a3440aec35ae692b88b60df1d128afb41b30fa8d512aa06a
Contents?: true
Size: 1.3 KB
Versions: 2
Compression:
Stored size: 1.3 KB
Contents
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true
module Contrast
module Agent
module Assess
module Policy
module TriggerValidation
# Validator used to assert a Reflected XSS finding is actually
# vulnerable before serializing that finding as a DTM to report to
# the service.
module XSSValidator
RULE_NAME = 'reflected-xss'
SAFE_CONTENT_TYPES = %w[
/csv
/javascript
/json
/pdf
/x-javascript
/x-json
].cs__freeze
# A finding is valid for XSS if the response type is not one of
# those assumed to be safe
# https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/reflected_xss.md
def self.valid? _patcher, _object, _ret, _args
content_type = Contrast::Agent::REQUEST_TRACKER.current&.response&.content_type
return true unless content_type
content_type = content_type.downcase
SAFE_CONTENT_TYPES.none? { |safe_type| content_type.index(safe_type) }
end
end
end
end
end
end
end
Version data entries
2 entries across 2 versions & 1 rubygems
| Version | Path |
|---|---|
| contrast-agent-4.6.0 | lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb |
| contrast-agent-4.5.0 | lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb |