Module: Contrast::Agent::Assess::Policy::TriggerValidation::XSSValidator

Defined in:
lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb

Overview

Validator used to assert a Reflected XSS finding is actually vulnerable before serializing that finding as a DTM to report to the TeamServer.

Constant Summary

RULE_NAME =
'reflected-xss'
SAFE_CONTENT_TYPES =
%w[/csv /javascript /json /pdf /x-javascript /x-json].cs__freeze

Class Method Summary

Class Method Details

.valid?(_patcher, _object, _ret, _args) ⇒ Boolean

A finding is valid for XSS if the response content type is not one of those assumed to be safe. See bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/reflected_xss.md

Returns:

  • (Boolean)


# File 'lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb', line 19

def self.valid? _patcher, _object, _ret, _args
  # Content-Type of the response currently being tracked for this request
  content_type = Contrast::Agent::REQUEST_TRACKER.current&.response&.content_type
  # No content type available: nothing to judge, so the finding is not reported
  return false unless content_type

  content_type = content_type.downcase
  # Report only when no safe type appears as a substring of the content type
  SAFE_CONTENT_TYPES.none? { |safe_type| content_type.index(safe_type) }
end
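The decision rule above, as an added example that is not the agent's own code: a stand-alone Ruby re-implementation of the content-type check, run over constructed Content-Type values so the outcome for each case (missing header, mixed case, charset parameters, the listed safe types, and types not on the list) can be seen offline. The helper names `xss_finding_valid?`, `classify` and the sample values are assumptions made for this example.

```ruby
# Added example (not the Contrast agent's code): a stand-alone re-implementation
# of the content-type check performed by XSSValidator.valid?, exercised against
# constructed response content types.

SAFE_CONTENT_TYPES = %w[/csv /javascript /json /pdf /x-javascript /x-json].freeze

# Returns true when a reflected-XSS finding should be reported for a response
# carrying the given Content-Type header value, mirroring the validator:
#   - no content type at all -> false (nothing to judge, finding suppressed)
#   - the comparison is case-insensitive
#   - a substring match on any SAFE_CONTENT_TYPES entry suppresses the finding,
#     so parameters such as "; charset=utf-8" do not change the outcome
def xss_finding_valid?(content_type)
  return false unless content_type

  content_type = content_type.downcase
  SAFE_CONTENT_TYPES.none? { |safe_type| content_type.index(safe_type) }
end

# Constructed sample Content-Type values (hypothetical, not from any real app)
SAMPLE_CONTENT_TYPES = [
  'text/html; charset=utf-8',
  'TEXT/HTML',
  'application/json',
  'application/json; charset=utf-8',
  'text/javascript',
  'application/x-javascript',
  'text/csv',
  'application/pdf',
  'image/svg+xml',
  nil
].freeze

# Maps each sample content type to whether a finding would be reported
def classify(content_types = SAMPLE_CONTENT_TYPES)
  content_types.each_with_object({}) do |ct, acc|
    acc[ct] = xss_finding_valid?(ct)
  end
end

if $PROGRAM_NAME == __FILE__
  classify.each do |ct, reportable|
    puts format('%-35s %s', ct.inspect, reportable ? 'report finding' : 'suppressed')
  end
end
```

Because the match is a substring test, `application/json; charset=utf-8` is suppressed exactly like `application/json`, while a type that is not on the safe list, such as `image/svg+xml`, is still reported.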