# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

require 'contrast/agent/assess/rule/response/base_rule'
require 'contrast/utils/string_utils'

module Contrast
  module Agent
    module Assess
      module Rule
        module Response
          # Response rule that reports a finding when the HTTP response has no
          # X-Frame-Options header, or carries one whose value does not begin
          # with DENY or SAMEORIGIN (matched case-insensitively).
          class Clickjacking < BaseRule
            # @return [String] the identifier under which this rule's findings are reported
            def rule_id
              'clickjacking-control-missing'
            end

            protected

            HEADER_KEY = 'X-Frame-Options'.cs__freeze
            HEADER_KEY_SYM = HEADER_KEY.to_sym
            # Patterns a header value must satisfy to count as an effective
            # clickjacking control.
            # NOTE(review): `^` anchors at the start of any line within the value,
            # not at the start of the string; `\A` would tie the match to the
            # value's beginning.
            ACCEPTED_VALUES = [/^deny/i, /^sameorigin/i].cs__freeze

            # Only responses that the base rule accepts and that actually carry
            # headers are worth inspecting.
            #
            # @param response [Contrast::Agent::Response] the response of the application
            # @return [Boolean] whether this rule should analyze the response
            def analyze_response? response
              super && headers?(response)
            end

            # Look up the X-Frame-Options header under both its String and its
            # Symbol name and decide whether the response violates the rule.
            #
            # @param response [Contrast::Agent::Response] the response of the application
            # @return [Hash, nil] the evidence proving the violation, or nil when
            #   the header is present and acceptable
            def violated? response
              headers = response.headers
              frame_options = headers[HEADER_KEY] || headers[HEADER_KEY_SYM]
              # A missing header is reported with empty evidence data.
              return unsafe_response unless frame_options

              # Modifier form yields nil when the value is acceptable.
              unsafe_response(frame_options) unless valid_header?(frame_options)
            end

            # @param header [String] the X-Frame-Options value found on the response
            # @return [Boolean] true when the value matches one of ACCEPTED_VALUES
            def valid_header? header
              ACCEPTED_VALUES.any? { |pattern| pattern.match?(header) }
            end

            # Evidence attached to a finding for a missing or unacceptable header.
            #
            # @param value [String] the offending header value; empty when the header is absent
            # @return [Hash] the evidence keyed by :data
            def unsafe_response value = ''
              { data: value }
            end

            # Copy every evidence entry onto the finding's properties, formatting
            # each value for protobuf transport.
            #
            # @param evidence [Hash] the properties required to build this finding.
            # @param finding [Contrast::Api::Dtm::Finding] finding to attach the evidence to
            def build_evidence evidence, finding
              evidence.each do |key, value|
                finding.properties[key] = Contrast::Utils::StringUtils.protobuf_format(value)
              end
            end
          end
        end
      end
    end
  end
end