Sha256: a65dc903f8dc853c918764494d4c1729662415180dfe409f5a5085c1b3b9726c
Contents?: true
Size: 1.58 KB
Versions: 2
Compression:
Stored size: 1.58 KB
Contents
# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

module Contrast
  module Agent
    module Assess
      module Policy
        module TriggerValidation
          # Validator used to assert a Reflected XSS finding is actually
          # vulnerable before serializing that finding as a DTM to report to
          # the TeamServer.
          module XSSValidator
            RULE_NAME = 'reflected-xss'

            # Content-Type fragments for which a reflected value is assumed not to be
            # rendered as HTML by the client. Matching is a lowercase substring test,
            # so e.g. both `application/json` and `application/x-json` match `/json`,
            # while `text/html` (with or without a charset parameter) matches nothing.
            SAFE_CONTENT_TYPES = %w[/csv /javascript /json /pdf /x-javascript /x-json].cs__freeze

            # A finding is valid for XSS if the response type is not one of
            # those assumed to be safe.
            # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/reflected_xss.md
            #
            # The Content-Type is read from the response of the request currently
            # tracked by Contrast::Agent::REQUEST_TRACKER; when there is no current
            # request, no response, or no Content-Type header, the finding is not
            # reported (returns false) rather than assumed vulnerable.
            #
            # @param _patcher [Contrast::Agent::Patcher] the patcher instance (unused)
            # @param _object [Object] the object that was called (unused)
            # @param _ret [Object] the return value of the method (unused)
            # @param _args [Array<Object>] the arguments passed to the method (unused)
            # @return [Boolean] true if the finding is valid, false otherwise
            def self.valid? _patcher, _object, _ret, _args
              tracked_request = Contrast::Agent::REQUEST_TRACKER.current
              raw_content_type = tracked_request&.response&.content_type
              return false unless raw_content_type

              # Header values are compared case-insensitively.
              normalized_type = raw_content_type.downcase
              matches_safe_type = SAFE_CONTENT_TYPES.any? do |safe_fragment|
                normalized_type.include?(safe_fragment)
              end
              !matches_safe_type
            end
          end
        end
      end
    end
  end
end
Version data entries
2 entries across 2 versions & 1 rubygems
Version | Path |
---|---|
contrast-agent-7.6.1 | lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb |
contrast-agent-7.6.0 | lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb |