
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

require 'contrast/agent/assess/policy/source_method'

module Contrast
  module Agent
    module Assess
      module Policy
        module SourceValidation
          # Gatekeeper for the CROSS_SITE tag: decides whether a given source method may carry the tag at all,
          # so that header-derived sources which cannot feed a reflected XSS finding are never tagged.
          module CrossSiteValidator
            # Answer whether +tag+ may be applied to the source described by +source_type+ and +source_name+.
            #
            # Every tag other than CROSS_SITE is accepted unconditionally. For CROSS_SITE:
            #   * a header key source (SourceMethod::HEADER_KEY_TYPE) is never accepted;
            #   * a header value source (SourceMethod::HEADER_TYPE) is accepted only when the header is the
            #     Referer, identified by the Rack key 'HTTP_REFERER';
            #   * any other source type is accepted.
            #
            # The Referer comparison is exact and case-sensitive: it relies on the key already being in Rack's
            # normalized form. Rails performs that normalization in ActionDispatch::Http::Headers (`referer` ->
            # `HTTP_REFERER`) before the key reaches Rack::Request#get_header.
            # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/reflected_xss.md
            #
            # tag         - the tag about to be applied; compared against the String 'CROSS_SITE'
            # source_type - one of the SourceMethod type constants (presumably; compared with ==)
            # source_name - the source's name, e.g. the header key for header sources; may be nil
            #
            # Returns a boolean (nil/false source_name yields false rather than an error).
            def self.valid? tag, source_type, source_name
              return true unless tag == 'CROSS_SITE'

              if source_type == Contrast::Agent::Assess::Policy::SourceMethod::HEADER_KEY_TYPE
                false
              elsif source_type == Contrast::Agent::Assess::Policy::SourceMethod::HEADER_TYPE
                # Only the Referer header is a usable cross-site source; a missing name can never match.
                !!source_name && source_name == 'HTTP_REFERER'
              else
                true
              end
            end
          end
        end
      end
    end
  end
end
