Module: Contrast::Agent::Assess::Policy::TriggerValidation::XSSValidator

Defined in:
lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb

Overview

Validator used to assert a Reflected XSS finding is actually vulnerable before serializing that finding as a DTM to report to the TeamServer.

Constant Summary

RULE_NAME =
'reflected-xss'
SAFE_CONTENT_TYPES =
%w[/csv /javascript /json /pdf /x-javascript /x-json].cs__freeze

Class Method Summary

Class Method Details

.valid?(_patcher, _object, _ret, _args) ⇒ Boolean

A finding is valid for XSS if the response content type is not one of those assumed to be safe. See bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/reflected_xss.md

Parameters:

  • _patcher (Contrast::Agent::Patcher)

    the patcher instance

  • _object (Object)

    the object that was called

  • _ret (Object)

    the return value of the method

  • _args (Array<Object>)

    the arguments passed to the method

Returns:

  • (Boolean)

    true if the finding is valid, false otherwise

# File 'lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb', line 25

def self.valid? _patcher, _object, _ret, _args
  # Content-Type of the response tracked for the current request, if there is one
  content_type = Contrast::Agent::REQUEST_TRACKER.current&.response&.content_type
  # With no response content type there is nothing to validate against; drop the finding
  return false unless content_type

  content_type = content_type.downcase
  # The finding is reportable only when none of the "safe" type substrings appear
  SAFE_CONTENT_TYPES.none? { |safe_type| content_type.index(safe_type) }
end
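As an added example (not code from the Contrast agent), the following stand-alone copy of the validator's content-type logic runs over constructed Content-Type values, including the structured-suffix case (`application/vnd.api+json`) that the `/json` substring does not match and that therefore stays reportable:

```ruby
# Added example: stand-alone version of the XSSValidator check, with the
# same safe-type list the page shows (plain .freeze instead of cs__freeze).
SAFE_CONTENT_TYPES = %w[/csv /javascript /json /pdf /x-javascript /x-json].freeze

# Mirrors XSSValidator.valid?: a reflected-XSS finding is kept (true) unless the
# response Content-Type contains one of the safe substrings; a missing
# content type yields false, so nothing is reported for it.
def reflected_xss_finding_valid?(content_type)
  return false unless content_type

  lowered = content_type.downcase
  SAFE_CONTENT_TYPES.none? { |safe_type| lowered.index(safe_type) }
end

# Constructed sample Content-Type values with the result the check produces.
SAMPLES = {
  'text/html; charset=utf-8'       => true,  # rendered as HTML: reported
  'TEXT/HTML'                      => true,  # comparison is case-insensitive
  'application/json'               => false, # '/json' matched: suppressed
  'text/javascript; charset=utf-8' => false, # '/javascript' matched
  'application/x-javascript'       => false, # '/x-javascript' matched
  'text/csv'                       => false, # '/csv' matched
  'application/vnd.api+json'       => true,  # '+json' suffix is not '/json': still reported
  'text/plain'                     => true,  # not in the safe list: still reported
  nil                              => false  # no response content type: not reported
}.freeze

# Returns [content_type, actual, expected] triples for every sample.
def run_samples
  SAMPLES.map { |ct, expected| [ct, reflected_xss_finding_valid?(ct), expected] }
end

if __FILE__ == $PROGRAM_NAME
  run_samples.each { |ct, got, expected| puts "#{ct.inspect}: #{got} (expected #{expected})" }
end
```

The `+json` and `text/plain` rows are the ones to keep in mind when triaging: the check is a substring match against a fixed list, so response types outside that list are never suppressed by this validator.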