Refactoring for better readability and Go-like code
Yevhen Zavhorodnii committed May 29, 2024
1 parent e12979b commit bcb3dd2
Showing 1 changed file with 12 additions and 7 deletions.
19 changes: 12 additions & 7 deletions pkg/security/risks/builtin/cross_site_request_forgery_rule.go
Expand Up @@ -51,25 +51,23 @@ func (r *CrossSiteRequestForgeryRule) GenerateRisks(parsedModel *types.Model) ([
}
incomingFlows := parsedModel.IncomingTechnicalCommunicationLinksMappedByTargetId[technicalAsset.Id]
for _, incomingFlow := range incomingFlows {
if incomingFlow.Protocol.IsPotentialWebAccessProtocol() {
likelihood := types.VeryLikely
if incomingFlow.Usage == types.DevOps {
likelihood = types.Likely
}
risks = append(risks, r.createRisk(parsedModel, technicalAsset, incomingFlow, likelihood))
if !incomingFlow.Protocol.IsPotentialWebAccessProtocol() {
continue
}
risks = append(risks, r.createRisk(parsedModel, technicalAsset, incomingFlow))
}
}
return risks, nil
}

func (r *CrossSiteRequestForgeryRule) createRisk(parsedModel *types.Model, technicalAsset *types.TechnicalAsset, incomingFlow *types.CommunicationLink, likelihood types.RiskExploitationLikelihood) *types.Risk {
func (r *CrossSiteRequestForgeryRule) createRisk(parsedModel *types.Model, technicalAsset *types.TechnicalAsset, incomingFlow *types.CommunicationLink) *types.Risk {
sourceAsset := parsedModel.TechnicalAssets[incomingFlow.SourceId]
title := "<b>Cross-Site Request Forgery (CSRF)</b> risk at <b>" + technicalAsset.Title + "</b> via <b>" + incomingFlow.Title + "</b> from <b>" + sourceAsset.Title + "</b>"
impact := types.LowImpact
if incomingFlow.HighestIntegrity(parsedModel) == types.MissionCritical {
impact = types.MediumImpact
}
likelihood := r.likelihoodFromUsage(incomingFlow)
risk := &types.Risk{
CategoryId: r.Category().ID,
Severity: types.CalculateSeverity(likelihood, impact),
Expand All @@ -84,3 +82,10 @@ func (r *CrossSiteRequestForgeryRule) createRisk(parsedModel *types.Model, techn
risk.SyntheticId = risk.CategoryId + "@" + technicalAsset.Id + "@" + incomingFlow.Id
return risk
}

func (*CrossSiteRequestForgeryRule) likelihoodFromUsage(cl *types.CommunicationLink) types.RiskExploitationLikelihood {
if cl.Usage == types.DevOps {
return types.Likely
}
return types.VeryLikely
}
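Review bot: The new `likelihoodFromUsage` helper at the end of the file has no doc comment, so the reason a DevOps-usage link lowers the CSRF exploitation likelihood from VeryLikely to Likely is left for the reader to guess; a comment such as `// likelihoodFromUsage derives the CSRF exploitation likelihood of a link from its usage: DevOps links are rated Likely, all others VeryLikely.` would record the rule, and the author should add the rationale behind the downgrade in a second line. The refactor moves likelihood into a helper but leaves the impact derivation in createRisk inline (LowImpact, raised to MediumImpact when HighestIntegrity is MissionCritical); an `impactFromIntegrity` counterpart would make the two severity inputs read symmetrically and keep both rating decisions in one place for review. The helper's receiver is unnamed while the other methods on the type use `r`; since it reads no receiver state, either naming it consistently or making it a plain package-level function would be clearer. GenerateRisks begins before the first hunk, so the enclosing loop over technical assets is not visible here.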
