# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

module Contrast
  module Agent
    module Assess
      module Policy
        module TriggerValidation
          # Validator used to assert a Reflected XSS finding is actually
          # vulnerable before serializing that finding as a DTM to report to
          # the TeamServer.
          module XSSValidator
            RULE_NAME = 'reflected-xss'
            SAFE_CONTENT_TYPES = %w[/csv /javascript /json /pdf /x-javascript /x-json].cs__freeze

            # A finding is valid for XSS if the response type is not one of
            # those assumed to be safe
            # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/reflected_xss.md
            #
            # @param patcher [Contrast::Agent::Patcher] the patcher instance
            # @param _object [Object] the object that was called
            # @param _ret [Object] the return value of the method
            # @param args [Array<Object>] the arguments passed to the method
            # @return [Boolean] true if the finding is valid, false otherwise
            def self.valid? _patcher, _object, _ret, _args
              content_type = Contrast::Agent::REQUEST_TRACKER.current&.response&.content_type
              return false unless content_type

              content_type = content_type.downcase
              SAFE_CONTENT_TYPES.none? { |safe_type| content_type.index(safe_type) }
            end
          end
        end
      end
    end
  end
end