# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

require 'contrast/agent/protect/rule/base_service'

module Contrast
  module Agent
    module Protect
      module Rule
        # The Ruby implementation of the Protect Cross-Site Scripting rule.
        class Xss < Contrast::Agent::Protect::Rule::BaseService
          NAME = 'reflected-xss'
          BLOCK_MESSAGE = 'XSS rule triggered. Response blocked.'

          class << self
            # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
            # @return [Hash] the details for this specific rule
            def extract_details attack_sample
              {
                  input: attack_sample.xss.input,
                  matches: attack_sample.xss.matches.map do |match|
                             {
                                 evidenceStart: match.evidence_start_ms,
                                 evidence: match.evidence,
                                 offset: match.offset
                             }
                           end
              }
            end
          end

          def rule_name
            NAME
          end

          def stream_safe?
            false
          end
        end
      end
    end
  end
end