
# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

module Contrast
  module Agent
    module Assess
      module Policy
        module TriggerValidation
          # Validator used to assert a Reflected XSS finding is actually
          # vulnerable before serializing that finding as a DTM to report to
          # the service.
          module XSSValidator
            # The only rule id this validator filters; findings for any other
            # rule pass straight through as valid.
            XSS_RULE = 'reflected-xss'

            # Substrings of a response Content-Type for which reflection of
            # input is assumed not to be exploitable as XSS. They are searched
            # for in the lowercased header value, so parameters such as
            # `; charset=utf-8` do not affect the match. Structured-suffix
            # types (e.g. `application/ld+json`) contain `/ld+json` rather than
            # `/json`, so they are NOT matched and remain reportable.
            SAFE_CONTENT_TYPES = %w[/csv /javascript /json /pdf /x-javascript /x-json].cs__freeze

            # A finding is valid for XSS if the response type is not one of
            # those assumed to be safe
            # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/reflected_xss.md
            #
            # @param patcher [Object, nil] the triggering policy node; only its
            #   `rule_id` is consulted
            # @param _object unused
            # @param _ret unused
            # @param _args unused
            # @return [Boolean] true when the finding should be reported: the
            #   rule is not reflected-xss, no response Content-Type is
            #   available, or the Content-Type contains none of
            #   SAFE_CONTENT_TYPES; false otherwise
            def self.valid? patcher, _object, _ret, _args
              rule = patcher&.rule_id
              # Not our rule: nothing to filter.
              return true unless XSS_RULE == rule

              current_response = Contrast::Agent::REQUEST_TRACKER.current&.response
              header = current_response&.content_type
              # No Content-Type known for the response: err on the side of
              # reporting the finding.
              return true unless header

              normalized = header.downcase
              !SAFE_CONTENT_TYPES.any? { |safe_type| normalized.include?(safe_type) }
            end
          end
        end
      end
    end
  end
end
