Module: Contrast::Agent::Assess::Policy::TriggerValidation::XSSValidator

Defined in:
lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb

Overview

Validator used to assert a Reflected XSS finding is actually vulnerable before serializing that finding as a DTM to report to the service.

Constant Summary

XSS_RULE = 'reflected-xss'
SAFE_CONTENT_TYPES =
%w[
  /csv
  /javascript
  /json
  /pdf
  /x-javascript
  /x-json
].cs__freeze

Class Method Summary

Class Method Details

.valid?(patcher, _object, _ret, _args) ⇒ Boolean

A finding is valid for XSS if the response Content-Type is not one of those assumed to be safe (that is, not rendered as markup by a browser); see bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/reflected_xss.md

Returns:

  • (Boolean)


# File 'lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb', line 26

def self.valid? patcher, _object, _ret, _args
  # Only the reflected-xss rule is filtered here; any other rule passes through.
  return true unless XSS_RULE == patcher&.rule_id

  # Without a Content-Type on the current response, assume it may be rendered.
  content_type = Contrast::Agent::REQUEST_TRACKER.current&.response&.content_type
  return true unless content_type

  # Case-insensitive substring match against the safe subtypes, so parameters
  # such as "; charset=utf-8" do not affect the decision.
  content_type = content_type.downcase
  SAFE_CONTENT_TYPES.none? { |safe_type| content_type.index(safe_type) }
end
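To show how the decision above behaves on concrete responses, here is an added stand-alone model of the same check (example code, not the agent's own): the patcher and request tracker are replaced by plain arguments, `cs__freeze` by `freeze`, and the sample responses and the `other-rule` id are constructed.

```ruby
# Added example, not part of the Contrast agent: models XSSValidator.valid?
# with rule id and Content-Type passed in directly so it runs without the gem.
XSS_RULE = 'reflected-xss'
SAFE_CONTENT_TYPES = %w[/csv /javascript /json /pdf /x-javascript /x-json].freeze

# True when a reflected-xss finding should be reported: the rule matches and
# the response Content-Type does not contain one of the safe subtypes.
# The match is case-insensitive and substring-based, so a parameter such as
# "; charset=utf-8" does not change the outcome.
def xss_finding_reportable?(rule_id, content_type)
  return true unless rule_id == XSS_RULE   # other rules are not filtered here
  return true if content_type.nil?         # no header: assume it may be rendered

  lowered = content_type.downcase
  SAFE_CONTENT_TYPES.none? { |safe| lowered.index(safe) }
end

# Constructed sample responses (not captured from a real application).
SAMPLE_RESPONSES = [
  ['reflected-xss', 'text/html; charset=utf-8'],
  ['reflected-xss', 'application/json'],
  ['reflected-xss', 'Application/JSON; charset=UTF-8'],
  ['reflected-xss', 'text/csv'],
  ['reflected-xss', 'application/pdf'],
  ['reflected-xss', nil],
  ['reflected-xss', 'text/plain'],
  ['other-rule', 'application/json']   # constructed rule id
].freeze

# Returns { "<rule> <content-type>" => reportable? } for the sample responses.
def classify_responses(samples = SAMPLE_RESPONSES)
  samples.to_h do |rule, ctype|
    ["#{rule} #{ctype.inspect}", xss_finding_reportable?(rule, ctype)]
  end
end

if __FILE__ == $PROGRAM_NAME
  classify_responses.each do |label, reportable|
    puts "#{reportable ? 'REPORT  ' : 'suppress'} #{label}"
  end
end
```

Note that `text/plain` is reported: only the listed subtypes are treated as safe, everything else is left to the rule.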