contrast-agent 5.0.0 → 5.3.0

data/lib/contrast/agent/assess/rule/response/autocomplete_rule.rb

@@ -1,130 +0,0 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-require 'contrast/agent/assess/rule/response/base_rule'
-require 'contrast/utils/string_utils'
-
-module Contrast
-  module Agent
-    module Assess
-      module Rule
-        module Response
-          # These rules check the content of the HTTP Response to determine if the body contains a form which
-          # incorrectly sets the autocomplete attribute.
-          class Autocomplete < BaseRule
-            def rule_id
-              'autocomplete-missing'
-            end
-
-            protected
-
-            HTML_PROP = 'html'.cs__freeze
-            START_PROP = 'start'.cs__freeze
-            END_PROP = 'end'.cs__freeze
-
-            # Rules discern which responses they can/should analyze.
-            #
-            # @param response [Contrast::Agent::Response] the response of the application
-            def analyze_response? response
-              super && body?(response)
-            end
-
-            # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
-            #
-            # @param response [Contrast::Agent::Response] the response of the application
-            # @return [Hash, nil] the evidence required to prove the violation of the rule
-            def violated? response
-              body = response.body
-              forms = forms(body)
-              forms.each do |form|
-                # Because TeamServer will reject any subsequent form on the same page due to deduplication, we can
-                # skip out on the first violation.
-                return form if autocomplete?(form[HTML_PROP])
-              end
-              nil
-            end
-
-            # Find the forms in this body, if any, so as to determine if they violate this rule.
-            #
-            # @param body [String]
-            # @return [Array<Hash>] the forms of this body, as well as their start and end indexes.
-            def forms body
-              forms = []
-              body_start = 0
-              # The instance of "<form" in the body may be a form. Turn them into chunks to check.
-              potential_forms = body.split(form_start)
-              potential_forms.each do |potential_form|
-                # We can consider this a form if the next character is one of whitespace of form tag closing
-                # characters.
-                next unless potential_form
-                next unless form_openings.any? { |opening| potential_form.start_with?(opening) }
-
-                body_start = body.index(form_start, body_start)
-                next unless body_start
-
-                form_stop = potential_form.index('>').to_i
-                next unless form_stop
-
-                body_close = body_start + 6 + form_stop
-                forms << capture(body, body_start, body_close, form_stop)
-                body_start = body_close
-              end
-              forms
-            end
-
-            def form_start
-              /<form/i
-            end
-
-            def form_openings
-              [' ', "\n", "\r", "\t", '>']
-            end
-
-            def off_values
-              [/"off"/, /'off'/, /off /, /off>/]
-            end
-
-            # Determine if the given form does not have a valid autocomplete tag. Because autocompletion is on by
-            # default, the form must both have the value and set it to being disabled to not autocomplete.
-            #
-            # @param form [String] the form tag
-            # @return [Boolean]
-            def autocomplete? form
-              idx = form =~ /autocomplete=/i
-              return true unless idx
-
-              # Adjust for the length of 'autocomplete='
-              idx += 13
-              off_values.each do |off_value|
-                return false if (form =~ off_value) == idx
-              end
-              true
-            end
-
-            # Capture the information needed to build the properties of this finding by parsing out from the body
-            #
-            # @param body [String] the entire HTTP Response body
-            # @param body_start [Integer] the start of the range to take from the body
-            # @param body_close [Integer] the end of the range to take from the body
-            # @param form_stop [Integer] the index of the end of the form from its start
-            # @return [Hash]
-            def capture body, body_start, body_close, form_stop
-              form = {}
-              # Capture the 50 characters in front of the form, or up to the start if the form starts before 50.
-              capture_start = body_start < 50 ? 0 : body_start - 50
-              # Start is where the '<form' is in the body
-              # 6 accounts for the characters in the form and the opening char
-              # potential_form.index('>') accounts for finding the rest of the form
-              # 50 accounts for the context to capture beyond
-              capture_close = body_close + 50
-              form[HTML_PROP] = body[capture_start...capture_close]
-              form[START_PROP] = body_start < 50 ? body_start : 50
-              form[END_PROP] = form[START_PROP] + 6 + form_stop
-              form
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/extension/kernel.rb

@@ -1,54 +0,0 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-require 'contrast/components/scope'
-
-# This is a reasonable place for the Kernel#catch hook to live.
-# No current plans for component re-design, but if we had some kind of
-# "do this when a component is hooked in" thing, this would live there.
-# For now, it's over-engineering to live anywhere else.  -ajm
-module Kernel # :nodoc:
-  alias_method :cs__catch, :catch
-
-  # In the event of a `throw`, we need to override `catch`
-  # to save & restore scope state:
-  #
-  #   scope_level == 0
-  #
-  #   catch(:abc) do
-  #     with_contrast_scope do
-  #       throw :abc # will leak
-  #     end
-  #   end
-  #
-  #   scope_level == 1
-  #
-  # Frankly, this isn't how scope should be used.  This is in place of
-  # proper `ensure` blocks within the instrumentation call stack.
-  # This will actually /create/ scope leaks if you're doing something like:
-  #
-  #   catch(:ohno) do
-  #     enter scope
-  #   end
-  #
-  #   abc()
-  #
-  #   exit scope
-  #
-  # i.e. if you intend to change net scope across a catch block boundary.
-
-  private
-
-  def catch *args, &block
-    # Save current scope level
-    scope_level = ::Contrast::SCOPE.scope_for_current_ec.instance_variable_get(:@contrast_scope)
-
-    # Run original catch with block.
-    retval = cs__catch(*args, &block)
-
-    # Restore scope.
-    ::Contrast::SCOPE.scope_for_current_ec.instance_variable_set(:@contrast_scope, scope_level)
-
-    retval
-  end
-end