Class: SvgSentinel::Policy
- Inherits:
-
Object
- Object
- SvgSentinel::Policy
- Defined in:
- lib/svg_sentinel/policy.rb
Overview
Re-rates raw findings for the situation they will be used in. Two layers, applied in order:
-
Rendering context. The same SVG is dangerous differently depending on how a browser will run it. Inline
-
Explicit overrides. A team can force a code to a severity or drop it entirely from config; this wins over the context rating.
Constant Summary collapse
- CONTEXTS =
%i[inline standalone img css_background].freeze
- CONTEXT_SENSITIVE_CODES =
Codes whose danger depends on the SVG actually scripting or fetching. Neutralised in a secure-static context (img / css_background).
%i[ script_element event_handler script_uri css_script foreign_element data_uri external_ref animation animated_attribute ].freeze
- SECURE_STATIC_CONTEXTS =
%i[img css_background].freeze
Instance Method Summary collapse
- #apply(findings) ⇒ Object
-
#initialize(context: :inline, overrides: {}, disabled: []) ⇒ Policy
constructor
A new instance of Policy.
Constructor Details
#initialize(context: :inline, overrides: {}, disabled: []) ⇒ Policy
Returns a new instance of Policy.
33 34 35 36 37 |
# File 'lib/svg_sentinel/policy.rb', line 33 def initialize(context: :inline, overrides: {}, disabled: []) @context = context @overrides = normalize_overrides(overrides) @disabled = Array(disabled).map(&:to_sym) end |
Instance Method Details
#apply(findings) ⇒ Object
39 40 41 |
# File 'lib/svg_sentinel/policy.rb', line 39 def apply(findings) findings.filter_map { |finding| rerate(finding) } end |