contrast-agent 5.0.0 → 5.3.0

data/ext/cs__scope/cs__scope.h

@@ -0,0 +1,88 @@
+#include <ruby.h>
+
+/* Calls to Contrast modules and classes */
+VALUE scope_interface;
+VALUE scope_inst_methods, scope_mod, scope_klass;
+
+/* IVs */
+static VALUE rb_iv_cntr_scope;
+static VALUE rb_iv_dslr_scope;
+static VALUE rb_iv_split_scope;
+
+/* Constants */
+static VALUE rb_const_ec;
+static VALUE rb_const_mon;
+static VALUE rb_const_ec_keys;
+
+/* Symbols */
+static VALUE rb_sym_scope_mod;
+static VALUE rb_sym_contrast;
+static VALUE rb_sym_deserialization;
+static VALUE rb_sym_split;
+
+/* methods names - only reusable ones */
+VALUE rb_method_name_init;
+VALUE rb_method_name_in_scope;
+VALUE rb_method_name_enter_scope;
+VALUE rb_method_name_exit_scope;
+VALUE rb_method_name_scope_for_current_ec;
+VALUE rb_method_name_in_cntr_scope;
+VALUE rb_method_name_enter_cntr_scope;
+VALUE rb_method_name_exit_cntr_scope;
+VALUE rb_method_name_in_dslr_scope;
+VALUE rb_method_name_enter_dslr_scope;
+VALUE rb_method_name_exit_dslr_scope;
+VALUE rb_method_name_in_split_scope;
+VALUE rb_method_name_enter_split_scope;
+VALUE rb_method_name_exit_split_scope;
+VALUE rb_method_name_split_scope_depth;
+
+/* Scope class */
+VALUE contrast_scope_klass_init(VALUE self, VALUE args);
+VALUE in_cntr_scope(VALUE self, VALUE args);
+VALUE enter_cntr_scope(VALUE self, VALUE args);
+VALUE exit_cntr_scope(VALUE self, VALUE args);
+VALUE in_split_scope(VALUE self, VALUE args);
+VALUE enter_split_scope(VALUE self, VALUE args);
+VALUE exit_split_scope(VALUE self, VALUE args);
+VALUE split_scope_depth(VALUE self, VALUE args);
+VALUE in_dsrl_scope_scope(VALUE self, VALUE args);
+VALUE enter_dsrl_scope(VALUE self, VALUE args);
+VALUE exit_dsrl_scope(VALUE self, VALUE args);
+VALUE scope_klass_in_scope(VALUE self, VALUE method_scope_sym);
+VALUE scope_klass_enter_scope(VALUE self, VALUE method_scope_sym);
+VALUE scope_klass_exit_scope(VALUE self, VALUE method_scope_sym);
+
+/* Scope interface */
+VALUE contrast_scope_interface_init(VALUE self, VALUE args);
+VALUE contrast_scope_for_current_ec(VALUE self, VALUE args);
+
+/* Scope instance methods */
+VALUE inst_methods_in_cntr_scope(VALUE self, VALUE args);
+VALUE inst_methods_enter_cntr_scope(VALUE self, VALUE args);
+VALUE inst_methods_exit_cntr_scope(VALUE self, VALUE args);
+VALUE inst_methods_in_split_scope(VALUE self, VALUE args);
+VALUE inst_methods_enter_split_scope(VALUE self, VALUE args);
+VALUE inst_methods_exit_split_scope(VALUE self, VALUE args);
+VALUE inst_methods_split_scope_depth(VALUE self, VALUE args);
+VALUE inst_methods_in_dsrl_scope(VALUE self, VALUE args);
+VALUE inst_methods_enter_dsrl_scope(VALUE self, VALUE args);
+VALUE inst_methods_exit_dsrl_scope(VALUE self, VALUE args);
+VALUE inst_methods_in_scope(VALUE self, VALUE method_scope_sym);
+VALUE inst_methods_enter_scope(VALUE self, VALUE method_scope_sym);
+VALUE inst_methods_exit_scope(VALUE self, VALUE method_scope_sym);
+
+/* Scope components module */
+VALUE scope_mod_sweep_dead_ecs(VALUE self, VALUE args);
+VALUE inst_methods_enter_method_scope(VALUE self, VALUE scopes_to_enter);
+VALUE inst_methods_exit_method_scope(VALUE self, VALUE scopes_to_exit);
+
+/* Helpers */
+VALUE is_in_scope(int scope);
+VALUE get_ec();
+VALUE rb_new_c_scope();
+void rb_raise_scope_no_method_err(const VALUE method_scope_sym);
+int scope_increase(int scope);
+int scope_decrease(int scope);
+
+void Init_cs__scope(void);

data/ext/cs__scope/extconf.rb

@@ -0,0 +1,5 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+$TO_MAKE = File.basename(__dir__)
+require_relative '../extconf_common'

data/lib/contrast/agent/assess/contrast_event.rb

@@ -15,20 +15,27 @@ module Contrast
     module Assess
       # This class holds the data about an event in the application We'll use it to build an event that TeamServer can
       # consume if the object to which this event belongs ends in a trigger.
-      #
-      # @attr_reader event_id [Integer] the atomic id of this event
-      # @attr_reader policy_node [Contrast::Agent::Assess::Policy::PolicyNode] the node that governs this event.
-      # @attr_reader stack_trace [Array<String>] the execution stack at the time the method for this event was invoked
-      # @attr_reader time [Integer] the time, in epoch ms, when this event was created
-      # @attr_reader thread [Integer] the object id of the thread on which this event was generated
-      # @attr_reader object [Contrast::Agent::Assess::ContrastObject] the safe representation of the Object on which
-      #   the method was invoked
-      # @attr_reader ret [Contrast::Agent::Assess::ContrastObject] the safe representation of the Return of the invoked
-      #   method
-      # @attr_reader args [Array<Contrast::Agent::Assess::ContrastObject>] the safe representation of the Arguments
-      #   with which the method was invoked
       class ContrastEvent
-        attr_reader :event_id, :policy_node, :stack_trace, :time, :thread, :object, :ret, :args, :tags
+        # @return [Integer] the atomic id of this event
+        attr_reader :event_id
+        # @return [Contrast::Agent::Assess::Policy::PolicyNode] the node that governs this event.
+        attr_reader :policy_node
+        # @return [Array<String>] the execution stack at the time the method for this event was invoked
+        attr_reader :stack_trace
+        # @return [Integer] the time, in epoch ms, when this event was created
+        attr_reader :time
+        # @return [Integer] the object id of the thread on which this event was generated
+        attr_reader :thread
+        # @return [Contrast::Agent::Assess::ContrastObject] the safe representation of the Object on which the method
+        #   was invoked
+        attr_reader :object
+        # @return [Contrast::Agent::Assess::ContrastObject] the safe representation of the Return of the invoked method
+        attr_reader :ret
+        # @return [Array<Contrast::Agent::Assess::ContrastObject, nil>] the safe representation of the Arguments with
+        #   which the method was invoked
+        attr_reader :args
+        # @return [Hash<Contrast::Agent::Assess::Tag>]
+        attr_reader :tags
 
         # We need this to track the parent id's of events to build up a flow chart of the finding
         @atomic_id = 0

data/lib/contrast/agent/assess/contrast_object.rb

@@ -42,8 +42,11 @@ module Contrast
           end
         end
 
+        # Is the object this represents tracked or not?
+        #
+        # @return [Boolean]
         def tracked?
-          tags&.any?
+          !!tags&.any?
         end
       end
     end

data/lib/contrast/agent/assess/policy/propagation_node.rb

@@ -118,11 +118,8 @@ module Contrast
           # it is an interesting security event that has a meaningful
           # change.
           def tagger?
-            @_tagger ||= begin
-              has_tags = tags&.any?
-              has_untags = untags&.any?
-              has_tags || has_untags
-            end
+            @_tagger = tags&.any? || untags&.any? if @_tagger.nil?
+            @_tagger
           end
         end
       end

data/lib/contrast/agent/assess/policy/propagator/match_data.rb

@@ -11,6 +11,10 @@ module Contrast
           # are unaffected beyond any merging of overlapping tags.
           class MatchData < Contrast::Agent::Assess::Policy::Propagator::Base
             class << self
+              # This patch method is used to track through the MatchData#[] and
+              # MatchData#match methods, since the last was introduced after
+              # Ruby 3.1.0, but shares similar functionality, except it does not
+              # support ranges.
               def square_bracket_tagger propagation_node, preshift, ret, _block
                 case ret
                 when Array
@@ -33,6 +37,8 @@ module Contrast
               end
 
               def captures_tagger propagation_node, preshift, ret, _block
+                return unless ret
+
                 idx = 0
                 while idx < ret.length
                   return_value = ret[idx]

data/lib/contrast/agent/assess/policy/trigger_method.rb

@@ -8,6 +8,9 @@ require 'contrast/utils/object_share'
 require 'contrast/utils/sha256_builder'
 require 'contrast/utils/assess/trigger_method_utils'
 require 'contrast/agent/assess/events/event_data'
+require 'contrast/agent/reporting/reporting_events/preflight'
+require 'contrast/agent/reporting/reporting_events/preflight_message'
+require 'contrast/agent/reporting/reporting_events/route_discovery'
 require 'contrast/agent/reporting/reporting_utilities/reporting_storage'
 
 module Contrast
@@ -154,7 +157,7 @@ module Contrast
 
               new_preflight = Contrast::Agent::Reporting::Preflight.new
               new_preflight_message = Contrast::Agent::Reporting::PreflightMessage.new
-              new_preflight_message.routes << request
+              new_preflight_message.routes << Contrast::Agent::Reporting::RouteDiscovery.convert(request.route)
               new_preflight_message.hash_code = hash_code
               new_preflight_message.data = "#{ trigger_node.rule_id },#{ hash_code }"
               new_preflight.messages << new_preflight_message

data/lib/contrast/agent/assess/rule/response/auto_complete_rule.rb

@@ -0,0 +1,69 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/assess/rule/response/body_rule'
+require 'contrast/utils/string_utils'
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check the content of the HTTP Response to determine if the body contains a form which
+          # incorrectly sets the autocomplete attribute.
+          class AutoComplete < BaseRule
+            include BodyRule
+            def rule_id
+              'autocomplete-missing'
+            end
+
+            protected
+
+            # Rules discern which responses they can/should analyze.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            def analyze_response? response
+              super && body?(response)
+            end
+
+            # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Hash, nil] the evidence required to prove the violation of the rule
+            def violated? response
+              body = response.body
+              forms = html_elements(body, FORM_START_REGEXP, true)
+              forms.each do |form|
+                # Because TeamServer will reject any subsequent form on the same page due to deduplication, we can
+                # skip out on the first violation.
+                return form if autocomplete?(form[HTML_PROP])
+              end
+              nil
+            end
+
+            def off_values
+              [/"off"/, /'off'/, /off /, /off>/]
+            end
+
+            # Determine if the given form does not have a valid autocomplete tag. Because autocompletion is on by
+            # default, the form must both have the value and set it to being disabled to not autocomplete.
+            #
+            # @param form [String] the form tag
+            # @return [Boolean]
+            def autocomplete? form
+              idx = form =~ /autocomplete=/i
+              return true unless idx
+
+              # Adjust for the length of 'autocomplete='
+              idx += 13
+              off_values.each do |off_value|
+                return false if (form =~ off_value) == idx
+              end
+              true
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response/base_rule.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'rack'
+require 'json'
 require 'contrast/agent/reporting/reporting_utilities/dtm_message'
 require 'contrast/utils/hash_digest'
 require 'contrast/utils/preflight_util'
@@ -40,6 +41,8 @@ module Contrast
 
             protected
 
+            DATA = 'data'.cs__freeze
+
             # Rules discern which responses they can/should analyze.
             #
             # @param response [Contrast::Agent::Response] the response of the application
@@ -55,10 +58,15 @@ module Contrast
 
             # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
             #
-            # @param _response [Contrast::Agent::Response] the response of the application
+            # @param response [Contrast::Agent::Response] the response of the application
             # @return [Hash, nil] the evidence required to prove the violation of the rule
             def violated? _response; end
 
+            def evidence data = Contrast::Utils::ObjectShare::EMPTY_STRING
+              data = Contrast::Utils::ObjectShare::EMPTY_STRING if data.nil?
+              { DATA => data }
+            end
+
             # Convert the given evidence into a finding. The rule will populate this evidence with each of the
             #
             # @param evidence [Hash] the properties required to build this finding.
@@ -68,15 +76,28 @@ module Contrast
               finding.rule_id = rule_id
               context = Contrast::Agent::REQUEST_TRACKER.current
               finding.routes << context.route if context&.route
-              evidence.each_pair do |key, value|
-                finding.properties[key] = Contrast::Utils::StringUtils.force_utf8(value)
-              end
+              build_evidence evidence, finding
               hash = Contrast::Utils::HashDigest.generate_config_hash(finding)
               finding.hash_code = Contrast::Utils::StringUtils.force_utf8(hash)
               finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
               finding
             end
 
+            # This method allows to change the evidence we attach and the way we attach it
+            # Change it accordingly the rule you work on
+            #
+            # @param evidence [Hash] the properties required to build this finding.
+            # @param finding [Contrast::Api::Dtm::Finding] finding to attach the evidence to
+            def build_evidence evidence, finding
+              evidence.each_pair do |key, value|
+                finding.properties[key] = if value.cs__is_a?(Hash)
+                                            Contrast::Utils::StringUtils.protobuf_format(value.to_json)
+                                          else
+                                            Contrast::Utils::StringUtils.protobuf_format(value)
+                                          end
+              end
+            end
+
             # A rule is disabled if assess is off or it is turned off by TeamServer or by configuration.
             #
             # @return [Boolean]
@@ -101,14 +122,6 @@ module Contrast
             def valid_content_type? type
               !type || [/json/i, /xml/i].none? { |invalid_content| type =~ invalid_content }
             end
-
-            # Determine if a response has a body or not.
-            #
-            # @param response [Contrast::Agent::Response] the response of the application
-            # @return [Boolean]
-            def body? response
-              Contrast::Utils::StringUtils.present?(response.body)
-            end
           end
         end
       end

data/lib/contrast/agent/assess/rule/response/body_rule.rb

@@ -0,0 +1,109 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'rack'
+require 'contrast/agent/reporting/reporting_utilities/dtm_message'
+require 'contrast/utils/hash_digest'
+require 'contrast/utils/preflight_util'
+require 'contrast/utils/string_utils'
+require 'contrast/agent/assess/rule/response/base_rule'
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check the content of the HTTP Response to determine if something was set incorrectly or
+          # insecurely in it.
+          module BodyRule
+            protected
+
+            HTML_PROP = 'html'.cs__freeze
+            START_PROP = 'start'.cs__freeze
+            END_PROP = 'end'.cs__freeze
+            FORM_START_REGEXP = /<form/i.cs__freeze
+            META_TYPE = 'meta'
+            PRAGMA = 'pragma'
+
+            # Rules discern which responses they can/should analyze.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            def analyze_response? response
+              super && body?(response)
+            end
+
+            # Determine if a response has a body or not.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Boolean]
+            def body? response
+              Contrast::Utils::StringUtils.present?(response.body)
+            end
+
+            # Find the elements in this section, if any, so as to determine if they violate this rule.
+            #
+            # @param section [String,nil] html section to find element
+            # @param element_start_str [String] element to find in html section
+            # @return [Array<Hash>] the found elements of this section, as well as their start and end indexes.
+            def html_elements section, element_start_str = '', capture_overflow = false
+              elements = []
+              section_start = 0
+              return [] unless section
+
+              potential_elements(section, element_start_str).flatten.each do |potential_element|
+                next unless potential_element
+                next unless element_openings.any? { |opening| potential_element.starts_with?(opening) }
+
+                section_start = section.index(element_start_str, section_start)
+                next unless section_start
+
+                element_stop = potential_element.index('>').to_i
+                next unless element_stop
+
+                section_close = section_start + 6 + element_stop
+                elements << capture(section, section_start, section_close, element_stop, capture_overflow)
+                section_start = section_close
+              end
+              elements
+            end
+
+            def potential_elements section, element_start
+              section.split(element_start)
+            end
+
+            def element_openings
+              [' ', "\n", "\r", "\t", '>']
+            end
+
+            # Capture the information needed to build the properties of this finding by parsing out from the body
+            #
+            # @param body [String] the entire HTTP Response body
+            # @param body_start [Integer] the start of the range to take from the body
+            # @param body_close [Integer] the end of the range to take from the body
+            # @param tag_stop [Integer] the index of the end of the html tag from its start
+            # @return [Hash]
+            def capture body, body_start, body_close, tag_stop, overflow = false
+              tag = {}
+              # Capture the 50 characters in front of the form, or up to the start if the form starts before 50.
+              if overflow
+                capture_start = body_start < 50 ? 0 : body_start - 50
+                # Start is where the '<form' is in the body
+                # 6 accounts for the characters in the form and the opening char
+                # potential_form.index('>') accounts for finding the rest of the form
+                # 50 accounts for the context to capture beyond
+                capture_close = body_close + 50
+                tag[HTML_PROP] = body[capture_start...capture_close]
+                tag[START_PROP] = body_start < 50 ? body_start : 50
+              else
+                tag[HTML_PROP] = body[body_start...body_close]
+                tag[START_PROP] = body_start
+              end
+              tag[END_PROP] = tag[START_PROP] + 6 + tag_stop
+              tag
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb

@@ -0,0 +1,157 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/assess/rule/response/header_rule'
+require 'contrast/agent/assess/rule/response/body_rule'
+require 'contrast/agent/assess/rule/response/framework/rails_support'
+require 'contrast/utils/string_utils'
+require 'json'
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check the content of the HTTP Response to determine if the body or the headers include and/or
+          # set incorrectly the cache-control header
+          class CacheControl < HeaderRule
+            include BodyRule
+            include Framework::RailsSupport
+
+            def rule_id
+              'cache-controls-missing'
+            end
+
+            protected
+
+            HEADER_KEYS = %w[Cache-Control].cs__freeze
+            ACCEPTED_VALUES = [/no-store/, /no-cache/].cs__freeze
+            DEFAULT_SAFE = false
+            META_START_STR = /<meta/i.cs__freeze
+            HEAD_TAG = /<head>/i.cs__freeze
+            NAME = 'cache-control'
+
+            # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Hash, nil] the evidence required to prove the violation of the rule
+            def violated? response
+              has_header, evidence = process_header(response)
+              return evidence unless evidence.nil?
+
+              has_tag, evidence = process_body(response)
+              return evidence unless evidence.nil?
+              return {} if !has_header && !has_tag
+
+              nil
+            end
+
+            # Process Header value to determine if it violates rule
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Array[Boolean, Hash]] whether the header exists and the evidence hash or nil
+            def process_header response
+              # Rails 7 adds support for the cache_control header directly in the
+              # rack response, we should use that value
+              if framework_supported?
+                cache_control = response.rack_response.cache_control
+                has_header = !cache_control.empty?
+                not_valid = has_header && !((cache_control[:no_cache]) || (cache_control[:no_store]))
+                # evidence requires header value string, pull directly instead of rebuilding from hash
+                return has_header, evidence(HEADER_TYPE, NAME, cache_control_to_s(cache_control)) if not_valid
+              else
+                # This rule is violated if the header is not there is there,
+                # but the value is not 'no-store' or 'no-cache'
+                cache_control = get_header_value(response)
+                has_header = !!cache_control
+                not_valid = has_header && !valid_header?(cache_control)
+                return has_header, evidence(HEADER_TYPE, NAME, cache_control) if not_valid
+              end
+              [has_header, nil]
+            end
+
+            # Process Body to determine cache control exists as meta tag and if it violates rule
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Array[Boolean, Hash]] whether the meta tags exists and the evidence hash or nil
+            def process_body response
+              body = response.body
+              # check if the meta tag is include it
+              meta_tags = html_elements(body&.split(HEAD_TAG)&.last, META_START_STR)
+              meta_tags.each do |tag|
+                return true, evidence(META_TYPE, PRAGMA, tag[HTML_PROP]) if meta_cache_tag? tag[HTML_PROP]
+              end
+              [!meta_tags.empty?, nil]
+            end
+
+            def potential_elements section, element_start
+              section.split(element_start)
+            end
+
+            def accepted_http_values
+              [/'cache-control'/i, /"cache-control"/i]
+            end
+
+            def accepted_values
+              [/'no-cache'/i, /"no-cache"/i, /"no-store"/i, /'no-store'/i, /'cache-control'/i, /"cache-control"/i]
+            end
+
+            # Determine if the given metatag does not have a valid cache-control tag.
+            # Meta tags has the option to set http-equiv and content to set the http response header
+            # to define for the document
+            #
+            # @param tag [String] the meta tag
+            # @return [Boolean, nil]
+            def meta_cache_tag? tag
+              # Here we should determine the index of the needed keys
+              # http-equiv and content
+              http_equiv_idx = tag =~ /http-equiv=/i
+              return false unless http_equiv_idx
+
+              content_idx = tag =~ /content=/i
+              return false unless content_idx
+
+              # determine the value of the http-equiv if it's cache-control
+              http_equiv_idx += 11
+              is_valid = accepted_http_values.any? { |el| (tag =~ el) == http_equiv_idx }
+              return false unless is_valid
+
+              content_idx += 8
+              return false if accepted_values.any? { |value| (tag =~ value) == content_idx }
+
+              true
+            end
+
+            # This method accepts the violation and transforms it to the proper hash
+            # before return in as violation
+            #
+            # @param type [String] String of Header or META of the type
+            # @param name [String] String of either cache-control or pragma
+            # @param value [String] String of the violated value
+            def evidence type, name, value
+              { DATA => { type: type, name: name, value: value }.to_s }
+            end
+
+            # Rebuilds the String value of the Cache-Control Header
+            # from the hash build in the Rack::Response
+            #
+            # @param hsh [Hash]
+            # @return [String]
+            def cache_control_to_s hsh
+              values = []
+              hsh.each_pair do |k, v|
+                key = k.to_s.tr('_', '-')
+                values << if key.to_sym == :extras
+                            v
+                          elsif v.is_a?(TrueClass)
+                            key
+                          else
+                            "#{ key }=#{ v }"
+                          end
+              end
+              values.join(', ')
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response/click_jacking_header_rule.rb

@@ -0,0 +1,26 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/assess/rule/response/header_rule'
+require 'contrast/utils/string_utils'
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check the content of the HTTP Response to determine if the headers contains the required header
+          class ClickJacking < HeaderRule
+            def rule_id
+              'clickjacking-control-missing'
+            end
+
+            HEADER_KEYS = %w[X-Frame-Options].cs__freeze
+            ACCEPTED_VALUES = [/^deny/i, /^sameorigin/i].cs__freeze
+            DEFAULT_SAFE = false
+          end
+        end
+      end
+    end
+  end
+end