Class: Contrast::Agent::Protect::Rule::Xss

Inherits:
Base
Includes:
Reporting::InputType
Defined in:
lib/contrast/agent/protect/rule/xss/xss.rb

Overview

The Ruby implementation of the Protect Cross-Site Scripting rule.

Constant Summary

NAME =
'reflected-xss'
BLOCK_MESSAGE =
'XSS rule triggered. Response blocked.'
APPLICABLE_USER_INPUTS =
[
  BODY, PARAMETER_NAME, PARAMETER_VALUE, JSON_VALUE,
  MULTIPART_VALUE, MULTIPART_FIELD_NAME, XML_VALUE,
  DWR_VALUE, URI, QUERYSTRING
].cs__freeze

Constants included from Reporting::InputType

Reporting::InputType::BODY, Reporting::InputType::COOKIE_NAME, Reporting::InputType::COOKIE_VALUE, Reporting::InputType::DWR_VALUE, Reporting::InputType::HEADER, Reporting::InputType::JSON_ARRAYED_VALUE, Reporting::InputType::JSON_VALUE, Reporting::InputType::METHOD, Reporting::InputType::MULTIPART_CONTENT_TYPE, Reporting::InputType::MULTIPART_FIELD_NAME, Reporting::InputType::MULTIPART_NAME, Reporting::InputType::MULTIPART_VALUE, Reporting::InputType::PARAMETER_NAME, Reporting::InputType::PARAMETER_VALUE, Reporting::InputType::QUERYSTRING, Reporting::InputType::REQUEST, Reporting::InputType::SOCKET, Reporting::InputType::UNDEFINED_TYPE, Reporting::InputType::UNKNOWN, Reporting::InputType::URI, Reporting::InputType::URL_PARAMETER, Reporting::InputType::XML_VALUE

Constants inherited from Base

Base::BLOCKING_MODES, Base::RULE_NAME, Base::STACK_COLLECTION_RESULTS, Base::SUSPICIOUS_REPORTING_RULES

Constants included from Filters

Filters::POSTFILTER_MODES

Instance Attribute Summary

Attributes inherited from Base

#mode

Instance Method Summary

Methods included from Reporting::InputType

to_a

Methods inherited from Base

#append_to_activity, #cef_logging, #classify, #enabled?, #excluded?, #initialize, #sub_rules, #update

Methods included from Filters

#infilter, #postfilter

Methods included from Builders

#build_attack_result, #build_attack_with_match, #build_attack_without_match, #build_base_sample, #build_violation

Methods included from Components::Scope::InstanceMethods

#contrast_enter_method_scopes!, #contrast_exit_method_scopes!, #with_app_scope, #with_contrast_scope, #with_deserialization_scope, #with_split_scope

Methods included from Components::Logger::InstanceMethods

#cef_logger, #logger

Constructor Details

This class inherits a constructor from Contrast::Agent::Protect::Rule::Base

Instance Method Details

#applicable_user_inputs ⇒ Object

# File 'lib/contrast/agent/protect/rule/xss/xss.rb', line 91

def applicable_user_inputs
  APPLICABLE_USER_INPUTS
end

#block_message ⇒ String

Return the specific blocking message for this rule.

Returns:

  • (String)

    the reason for the raised security exception.

# File 'lib/contrast/agent/protect/rule/xss/xss.rb', line 33

def block_message
  BLOCK_MESSAGE
end

#build_sample(context, ia_result, _xss_string, **_kwargs) ⇒ Contrast::Agent::Reporting::RaspRuleSample

Adds the XSS details (the flagged input and its match) to the base sample.

# File 'lib/contrast/agent/protect/rule/xss/xss.rb', line 102

def build_sample context, ia_result, _xss_string, **_kwargs
  sample = build_base_sample(context, ia_result)
  sample.details = Contrast::Agent::Reporting::Details::XssDetails.new
  sample.details.input = ia_result.value

  # TODO: RUBY-99999 check if the ReflectedXss matches are needed.
  xss_match = Contrast::Agent::Reporting::Details::XssMatch.new(ia_result.value)
  sample.details.matches << xss_match unless xss_match.empty?

  sample
end

#classification ⇒ module<Contrast::Agent::Protect::Rule::ReflectedXssInputClassification>

XSS input classification

# File 'lib/contrast/agent/protect/rule/xss/xss.rb', line 83

def classification
  @_classification ||= Contrast::Agent::Protect::Rule::ReflectedXssInputClassification.cs__freeze
end

#infilter?(_context) ⇒ Boolean

XSS is evaluated only in the prefilter stage.

Returns:

  • (Boolean)

# File 'lib/contrast/agent/protect/rule/xss/xss.rb', line 71

def infilter? _context
  false
end

#postfilter?(_context) ⇒ Boolean

XSS is evaluated only in the prefilter stage.

Returns:

  • (Boolean)

# File 'lib/contrast/agent/protect/rule/xss/xss.rb', line 76

def postfilter? _context
  false
end

#prefilter(context) ⇒ Object

# File 'lib/contrast/agent/protect/rule/xss/xss.rb', line 52

def prefilter context
  return unless prefilter?(context)

  ia_results = gather_ia_results(context)

  ia_results.each do |ia_result|
    result = build_attack_result(context)
    result = build_attack_without_match(context, ia_result, result)
    next unless result

    append_to_activity(context, result)
    # XSS is being triggered, so we need to add it to the triggered rules,
    # So the IA won't be done for this rule again for the current request.
    record_triggered(context)
    raise(Contrast::SecurityException.new(self, block_message)) if blocked_violation?(result)
  end
end

#prefilter?(context) ⇒ Boolean

Prefilter check, always called before infilter, verifying that the rule is infilter capable, is not disabled, and is not otherwise excluded by URL or input exclusions.

Returns:

  • (Boolean)

# File 'lib/contrast/agent/protect/rule/xss/xss.rb', line 42

def prefilter? context
  return false unless enabled?
  return false if protect_excluded_by_url?(rule_name)
  return false unless context
  return false unless (results = gather_ia_results(context)) && results.any?
  return false if protect_excluded_by_input?(results)

  true
end
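The prefilter/prefilter? flow above is shown end to end in the following stand-in model. It is an added example, not Contrast agent code: the agent's input analysis (IA), URL/input exclusion and blocking-mode plumbing are replaced by small in-memory equivalents (the `analysis` proc, `excluded_urls`, `excluded_inputs` and `mode` are all hypothetical names), so that the gating order and the block-versus-monitor outcome can be run against constructed requests.

```ruby
# Hypothetical stand-in for the prefilter/prefilter? flow documented above.
# Not Contrast agent code: IA, exclusions and mode are in-memory equivalents.
class SecurityException < StandardError; end

# Input types this rule analyses (mirrors APPLICABLE_USER_INPUTS above).
APPLICABLE_USER_INPUTS = %i[BODY PARAMETER_NAME PARAMETER_VALUE JSON_VALUE
                            MULTIPART_VALUE MULTIPART_FIELD_NAME XML_VALUE
                            DWR_VALUE URI QUERYSTRING].freeze
IaResult = Struct.new(:input_type, :value)

class XssPrefilterModel
  NAME = 'reflected-xss'
  BLOCK_MESSAGE = 'XSS rule triggered. Response blocked.'
  attr_reader :activity

  # mode :block raises, :monitor only records; excluded_urls/excluded_inputs stand
  # in for URL and input exclusions; analysis is a proc(value) -> true when flagged.
  def initialize(analysis:, enabled: true, mode: :block, excluded_urls: [], excluded_inputs: [])
    @analysis, @enabled, @mode = analysis, enabled, mode
    @excluded_urls, @excluded_inputs = excluded_urls, excluded_inputs
    @activity = []
  end

  # Same gating as the page's prefilter?; context is checked before the URL
  # exclusion because this stand-in reads the request path from the context.
  def prefilter?(context)
    return false unless @enabled
    return false unless context
    return false if @excluded_urls.include?(context[:path])
    return false unless (results = gather_ia_results(context)) && results.any?
    return false if results.all? { |r| @excluded_inputs.include?(r.input_type) }
    true
  end

  def prefilter(context)
    return unless prefilter?(context)
    gather_ia_results(context).each do |ia_result|
      next if @excluded_inputs.include?(ia_result.input_type)
      @activity << { rule: NAME, input_type: ia_result.input_type, input: ia_result.value }
      (context[:triggered_rules] ||= []) << NAME # no second IA pass for this request
      raise SecurityException, BLOCK_MESSAGE if @mode == :block
    end
  end

  private

  # Only applicable input types reach the IA stand-in; a triggered rule skips IA.
  def gather_ia_results(context)
    return [] if context.fetch(:triggered_rules, []).include?(NAME)
    context[:inputs].select { |t, v| APPLICABLE_USER_INPUTS.include?(t) && @analysis.call(v) }
                    .map { |t, v| IaResult.new(t, v) }
  end
end
```

In block mode the first flagged applicable input raises with BLOCK_MESSAGE after the activity entry is recorded; in monitor mode the same entry is recorded and the request proceeds.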

#rule_name ⇒ Object

# File 'lib/contrast/agent/protect/rule/xss/xss.rb', line 26

def rule_name
  NAME
end

#stream_safe? ⇒ Boolean

Returns:

  • (Boolean)

# File 'lib/contrast/agent/protect/rule/xss/xss.rb', line 87

def stream_safe?
  false
end