Module: Contrast::Agent::Assess::Policy::SourceValidation::CrossSiteValidator
- Defined in:
- lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb
Overview
Validator used to assert a CROSS_SITE tag is actually applicable to the given method before applying the tag to its target
Class Method Summary
-
.valid?(tag, source_type, source_name) ⇒ Boolean
Prevent the application of a tag if it is from a source known to not apply a tag in a provided context.
Class Method Details
.valid?(tag, source_type, source_name) ⇒ Boolean
Prevent the application of a tag if it is from a source known not to apply in the provided context. For the CROSS_SITE tag, header sources are restricted to a single header: the Referer. Note that under Rack the header is exposed as HTTP_REFERER, so source_name is compared against that Rack env key, not the raw header name; Rails normalizes keys in ActionDispatch::Http::Headers, converting `referer` to `HTTP_REFERER` before they reach Rack::Request#get_header. A header key (as opposed to a header value) is never a CROSS_SITE source, a non-header source keeps the tag, and a header source with no name is rejected. Specification: bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/reflected_xss.md
# File 'lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb', line 23

def self.valid? tag, source_type, source_name
  return true unless tag == 'CROSS_SITE'
  return false if source_type == Contrast::Agent::Assess::Policy::SourceMethod::HEADER_KEY_TYPE
  return true unless source_type == Contrast::Agent::Assess::Policy::SourceMethod::HEADER_TYPE
  return false unless source_name
  source_name == 'HTTP_REFERER'
end
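The following is an added, stand-alone example and not code from the Contrast agent. It shows the decision table the validator above implements across several source kinds, and goes one step beyond it by folding in the Rack env-key normalization the notes mention, so that a Rails-style name such as `referer` is mapped to `HTTP_REFERER` before the comparison (the real validator expects the already-normalized key). The `SourceKind` constants are assumed stand-ins for the `SourceMethod::HEADER_TYPE` and `HEADER_KEY_TYPE` values, whose real definitions are not shown on this page, and `CGI_VARIABLES` is a reduced approximation of the set Rails uses.

```ruby
# Added example (not Contrast's code). Stand-in for the SourceMethod
# constants referenced by the real validator; actual values are assumed.
module SourceKind
  HEADER     = :header      # a header value, e.g. the Referer string
  HEADER_KEY = :header_key  # a header name, never a CROSS_SITE source
  PARAMETER  = :parameter   # query or body parameter
end

# Headers Rack exposes without the HTTP_ prefix (CGI convention).
# Reduced approximation of the set ActionDispatch::Http::Headers uses.
CGI_VARIABLES = %w[CONTENT_TYPE CONTENT_LENGTH].freeze

# Convert a header name the way Rails does before Rack::Request#get_header
# sees it: 'referer' -> 'HTTP_REFERER', 'Content-Type' -> 'CONTENT_TYPE'.
# Keys already in Rack env form pass through unchanged.
def rack_env_key(name)
  key = name.to_s.upcase.tr('-', '_')
  return key if key.start_with?('HTTP_') || CGI_VARIABLES.include?(key)

  "HTTP_#{key}"
end

# Same rule order as the validator on this page, with normalization added.
def cross_site_valid?(tag, source_type, source_name)
  return true unless tag == 'CROSS_SITE'            # other tags are untouched
  return false if source_type == SourceKind::HEADER_KEY # header names never qualify
  return true unless source_type == SourceKind::HEADER  # non-header sources keep the tag
  return false unless source_name                   # unnamed header: reject

  rack_env_key(source_name) == 'HTTP_REFERER'       # only the Referer qualifies
end

# Constructed sample sources as (tag, type, name) triples.
SAMPLE_SOURCES = [
  ['CROSS_SITE', SourceKind::PARAMETER,  'q'],
  ['CROSS_SITE', SourceKind::HEADER,     'referer'],
  ['CROSS_SITE', SourceKind::HEADER,     'HTTP_REFERER'],
  ['CROSS_SITE', SourceKind::HEADER,     'User-Agent'],
  ['CROSS_SITE', SourceKind::HEADER_KEY, 'Referer'],
  ['UNTRUSTED',  SourceKind::HEADER_KEY, 'Referer'],
  ['CROSS_SITE', SourceKind::HEADER,     nil]
].freeze

# Returns [tag, type, name, apply?] for each sample source.
def tag_decisions(sources = SAMPLE_SOURCES)
  sources.map { |tag, type, name| [tag, type, name, cross_site_valid?(tag, type, name)] }
end

if $PROGRAM_NAME == __FILE__
  tag_decisions.each do |tag, type, name, ok|
    puts format('%-10s %-11s %-14s %s', tag, type, name.inspect, ok ? 'apply' : 'skip')
  end
end
```

Run it directly to print the decision table; the only header source that keeps the CROSS_SITE tag is the Referer, in either spelling, while a header key, an unnamed header source, and any other header are skipped.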