# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

cs__scoped_require 'contrast/agent/assess/policy/source_method'

module Contrast
  module Agent
    module Assess
      module Policy
        module SourceValidation
          # Validator used to assert a CROSS_SITE tag is actually applicable to
          # the given method before applying the tag to its target.
          #
          # Of the header-derived sources, only the value of the Referer header
          # may carry CROSS_SITE; header names (keys) never do. Any other source
          # type, and any tag other than CROSS_SITE, passes through unchanged.
          module CrossSiteValidator
            # The one header whose value is still treated as a reflected-XSS source.
            REFERER_HEADER = 'referer'

            # Prevent the application of a tag if it is from a source known to
            # not apply a tag in a provided context.
            # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/reflected_xss.md
            #
            # @param tag [String] the tag about to be applied; only 'CROSS_SITE'
            #   is ever rejected here
            # @param source_type [Object] the source type, compared with == against
            #   SourceMethod::HEADER_KEY_TYPE and SourceMethod::HEADER_TYPE
            # @param source_name [String, nil] the name of the source (the header
            #   name for header sources); nil is treated as "not Referer"
            # @return [Boolean] true when the tag should be applied, false when it
            #   must be suppressed
            def self.valid?(tag, source_type, source_name)
              return true unless tag == 'CROSS_SITE'

              source_method = Contrast::Agent::Assess::Policy::SourceMethod
              # A header name is never an XSS source, whatever it is called.
              return false if source_type == source_method::HEADER_KEY_TYPE
              # Non-header sources are not restricted by this validator.
              return true unless source_type == source_method::HEADER_TYPE

              referer_header?(source_name)
            end

            # Case-insensitive check that a header source is the Referer header.
            #
            # @param source_name [String, nil] the header name, if any
            # @return [Boolean, nil] true only for 'referer' in any case; false for
            #   nil or any other name (String#casecmp? may yield nil for
            #   incompatible encodings)
            def self.referer_header?(source_name)
              return false unless source_name

              source_name.casecmp?(REFERER_HEADER)
            end
            private_class_method :referer_header?
          end
        end
      end
    end
  end
end