lib/contrast/agent/assess/policy/trigger_node.rb in contrast-agent-4.13.1 vs lib/contrast/agent/assess/policy/trigger_node.rb in contrast-agent-4.14.0

@@ -20,10 +20,14 @@
           JSON_DISALLOWED_TAGS = 'disallowed_tags'
           JSON_REQUIRED_TAGS = 'required_tags'
           JSON_RULE_NAME = 'name'
           JSON_CUSTOM_PATCH = 'custom_patch'
 
+          # Our list with rules to be collected and reported back when we have response
+          # from the application. Some rules rely on Content-Type validation.
+          COLLECTABLE_RULES = %w[reflected-xss].cs__freeze
+
           attr_reader :rule_id, :required_tags, :disallowed_tags, :good_value, :bad_value
 
           def initialize trigger_hash = {}, rule_hash = {}
             super(trigger_hash)
             good_value = trigger_hash[JSON_GOOD_VALUE]
@@ -65,10 +69,14 @@
 
           def node_type
             :TYPE_METHOD
           end
 
+          def collectable?
+            COLLECTABLE_RULES.include?(rule_id)
+          end
+
           def rule_disabled?
             ::Contrast::ASSESS.rule_disabled?(rule_id)
           end
 
           # Indicate if this is a dataflow based trigger, meaning it has a proper
@@ -158,12 +166,12 @@
             validate_rule_tags(disallowed_tags)
             @disallowed_tags = Set.new(disallowed_tags)
             @disallowed_tags << LIMITED_CHARS
             @disallowed_tags << CUSTOM_ENCODED
             @disallowed_tags << CUSTOM_VALIDATED
-            @disallowed_tags << ENCODER_START + loud_name
-            @disallowed_tags << VALIDATOR_START + loud_name
+            @disallowed_tags << (ENCODER_START + loud_name)
+            @disallowed_tags << (VALIDATOR_START + loud_name)
           end
 
           def validate_rule_tags tags
             return unless tags
 
@@ -198,17 +206,17 @@
               # only those that have all the required tags in the tags_at
               # satisfy the requirement
               satisfied = tags_at.any? && required_tags.all? { |tag| tags_at.any? { |found| found.label == tag } }
               # if this range matches all the required tags and we're already
               # chunking, meaning the previous range matched, do nothing
-              if satisfied && chunking
-                start_range += 1
-                next
-              end
 
               # if we are satisfied and we were not chunking, this represents
               # the start of the next range, so create a new entry.
               if satisfied
+                if chunking
+                  start_range += 1
+                  next
+                end
                 ranges << Contrast::Agent::Assess::Tag.new('required', 0, start_range)
                 chunking = true
                 # if we are chunking and not satisfied, this represents the end
                 # of the range, meaning the last index is what satisfied the
                 # range. Because the range is exclusive end, we can just use this