Class: Pipeline::ZAPCondensingFilter

Inherits:
BaseFilter show all
Defined in:
lib/pipeline/filters/zap_consdensing_filter.rb

Instance Attribute Summary

Attributes inherited from BaseFilter

#description, #name

Instance Method Summary

Constructor Details

#initializeZAPCondensingFilter

Returns a new instance of ZAPCondensingFilter.



# File 'lib/pipeline/filters/zap_consdensing_filter.rb', line 7

# Sets the two attributes BaseFilter exposes (#name, #description) so the
# pipeline can list this filter and explain what it does.
def initialize
  @name, @description = "ZAP Condensing Filter",
                        "Consolidate N ZAP warnings to one per issue type."
end

Instance Method Details

#dirbrowsing?(finding) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/pipeline/filters/zap_consdensing_filter.rb', line 51

# True when +finding+ is ZAP's "directory listing enabled" alert.
#
# The comparison is an exact match against the alert text ZAP emits, so the
# double space and the "which be accessed" wording must stay byte-for-byte;
# a ZAP release that rewords the alert will no longer be condensed.
#
# @param finding [Object] responds to #description
# @return [Boolean]
def dirbrowsing? finding
  finding.description == "It is possible to view the directory listing.  Directory listing may reveal hidden scripts, include files , backup source files etc which be accessed to read sensitive information."
end

#filter(tracker) ⇒ Object



# File 'lib/pipeline/filters/zap_consdensing_filter.rb', line 12

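# Collapses repeated ZAP header / directory-listing warnings so the tracker
# keeps one finding per issue type instead of one per URL.
#
# Findings are classified by exact match on the description text ZAP emits
# (see xframe?, xcontenttypeoptions?, dirbrowsing?, xxssprotection?), so a
# ZAP release that rewords an alert silently stops being condensed.
#
# @param tracker [Object] responds to #findings (an Array of findings); each
#   finding must respond to #source and #description, and #record also
#   appends to its #detail
# @return [void]
def filter tracker
  Pipeline.debug "Have #{tracker.findings.count} items pre ZAP filter."
  # record mutates tracker.findings (delete_if + push) while the original loop
  # was iterating the same array: elements shifted past the cursor were skipped
  # and the re-pushed finding was visited again at the end, which appended the
  # "** Consolidated **" note a second time. Walk a snapshot instead and record
  # each description only once.
  seen = {}
  tracker.findings.dup.each do |finding|
    next unless zap? finding
    next unless xframe?(finding) || xcontenttypeoptions?(finding) ||
                dirbrowsing?(finding) || xxssprotection?(finding)
    # Every duplicate of this description was already folded into the first one.
    next if seen.key?(finding.description)

    seen[finding.description] = true
    record tracker, finding
  end
  Pipeline.debug "Have #{tracker.findings.count} items post ZAP filter."
end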

#record(tracker, finding) ⇒ Object

Is it always true that the findings will be on the same site? For now, we can assume that. Note that this may not be an efficient way to do this, but it seems to work as a first pass.



# File 'lib/pipeline/filters/zap_consdensing_filter.rb', line 68

# Replaces every finding that shares +finding+'s description with +finding+
# itself, tagging it so the report shows it stood in for several hits.
#
# Matching is on description only: the filter assumes all findings in the
# tracker come from the same site, so the same alert on different URLs is
# treated as one issue. Each call scans the whole findings list, which is
# acceptable as a first pass.
#
# @param tracker [Object] responds to #findings (an Array of findings)
# @param finding [Object] responds to #description and a mutable #detail String
# @return [Array] the tracker's findings after +finding+ has been re-added
def record tracker, finding
  condensed_description = finding.description
  tracker.findings.reject! { |candidate| candidate.description == condensed_description }
  # Leave a visible marker on the surviving finding.
  finding.detail << "\n\t** Consolidated ** - Potentially identified in > 1 spot."
  tracker.findings.push finding
end

#xcontenttypeoptions?(finding) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/pipeline/filters/zap_consdensing_filter.rb', line 44

# True when +finding+ is ZAP's "X-Content-Type-Options header missing" alert.
#
# Exact match against the alert text ZAP emits (including its "early 2014"
# wording); a ZAP release that rewords the alert will no longer be condensed.
#
# @param finding [Object] responds to #description
# @return [Boolean]
def xcontenttypeoptions? finding
  finding.description == "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing."
end

#xframe?(finding) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/pipeline/filters/zap_consdensing_filter.rb', line 37

# True when +finding+ is ZAP's "X-Frame-Options header missing" alert.
#
# Exact match against the alert text ZAP emits; a ZAP release that rewords
# the alert will no longer be condensed.
#
# @param finding [Object] responds to #description
# @return [Boolean]
def xframe? finding
  finding.description == "X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks."
end

#xxssprotection?(finding) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/pipeline/filters/zap_consdensing_filter.rb', line 58

# True when +finding+ is ZAP's "X-XSS-Protection not enabled" alert.
#
# Exact match against the alert text ZAP emits (note: no trailing period);
# a ZAP release that rewords the alert will no longer be condensed.
#
# @param finding [Object] responds to #description
# @return [Boolean]
def xxssprotection? finding
  finding.description == "Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server"
end

#zap?(finding) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/pipeline/filters/zap_consdensing_filter.rb', line 30

# True when +finding+ was produced by ZAP, judged by its #source starting
# with "ZAP" (anchored at the start of the string, not per line).
#
# @param finding [Object] responds to #source (a String or nil)
# @return [Boolean]
def zap? finding
  !!(finding.source =~ /\AZAP/)
end