# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details. # frozen_string_literal: true module Contrast module Agent module Assess module Policy module TriggerValidation # Validator used to assert a Reflected XSS finding is actually # vulnerable before serializing that finding as a DTM to report to # the service. module XSSValidator RULE_NAME = 'reflected-xss' SAFE_CONTENT_TYPES = %w[/csv /javascript /json /pdf /x-javascript /x-json].cs__freeze # A finding is valid for XSS if the response type is not one of # those assumed to be safe # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/reflected_xss.md def self.valid? _patcher, _object, _ret, _args content_type = Contrast::Agent::REQUEST_TRACKER.current&.response&.content_type return false unless content_type content_type = content_type.downcase SAFE_CONTENT_TYPES.none? { |safe_type| content_type.index(safe_type) } end end end end end end end