Class: Brakeman::CheckLinkToHref
- Inherits:
-
CheckLinkTo
- Object
- SexpProcessor
- BaseCheck
- CheckCrossSiteScripting
- CheckLinkTo
- Brakeman::CheckLinkToHref
- Defined in:
- lib/brakeman/checks/check_link_to_href.rb
Overview
Checks for calls to link_to which pass in potentially hazardous data to the second argument. While this argument must be html_safe to not break the html, it must also be url safe as determined by calling a :url_safe_method. This prevents attacks such as javascript:evil() or data:<encoded XSS> which is html_safe, but not safe as an href Props to Nick Green for the idea.
Constant Summary
Constants inherited from CheckCrossSiteScripting
Brakeman::CheckCrossSiteScripting::CGI, Brakeman::CheckCrossSiteScripting::FORM_BUILDER, Brakeman::CheckCrossSiteScripting::HAML_HELPERS, Brakeman::CheckCrossSiteScripting::IGNORE_LIKE, Brakeman::CheckCrossSiteScripting::IGNORE_MODEL_METHODS, Brakeman::CheckCrossSiteScripting::MODEL_METHODS, Brakeman::CheckCrossSiteScripting::URI, Brakeman::CheckCrossSiteScripting::XML_HELPER
Constants inherited from BaseCheck
Constants included from Util
Util::ALL_PARAMETERS, Util::COOKIES, Util::COOKIES_SEXP, Util::PARAMETERS, Util::PARAMS_SEXP, Util::PATH_PARAMETERS, Util::QUERY_PARAMETERS, Util::REQUEST_ENV, Util::REQUEST_PARAMETERS, Util::REQUEST_PARAMS, Util::SESSION, Util::SESSION_SEXP
Constants inherited from SexpProcessor
Instance Attribute Summary
Attributes inherited from BaseCheck
Attributes inherited from SexpProcessor
Instance Method Summary collapse
- #call_on_params?(exp) ⇒ Boolean
- #decorated_model?(method) ⇒ Boolean
- #ignore_call?(target, method) ⇒ Boolean
-
#ignore_interpolation?(arg, suspect) ⇒ Boolean
Ignore situations where the href is an interpolated string with something before the user input.
- #ignored_method?(target, method) ⇒ Boolean
- #model_find_call?(exp) ⇒ Boolean
- #process_result(result) ⇒ Object
- #run_check ⇒ Object
Methods inherited from CheckLinkTo
#actually_process_call, #check_argument, #check_matched, #check_method, #check_user_input, #process_call, #warn_xss
Methods inherited from CheckCrossSiteScripting
#actually_process_call, #cgi_escaped?, #check_for_immediate_xss, #form_builder_method?, #haml_escaped?, #html_safe_call?, #ignored_model_method?, #likely_model_attribute?, #process_call, #process_case, #process_cookies, #process_dstr, #process_escaped_output, #process_format, #process_format_escaped, #process_if, #process_output, #process_params, #process_render, #raw_call?, #safe_input_attribute?, #setup, #xml_escaped?
Methods inherited from BaseCheck
#add_result, inherited, #initialize, #process_call, #process_cookies, #process_default, #process_dstr, #process_if, #process_params
Methods included from Util
#array?, #block?, #call?, #camelize, #class_name, #constant?, #contains_class?, #context_for, #cookies?, #false?, #file_by_name, #file_for, #github_url, #hash?, #hash_access, #hash_insert, #hash_iterate, #integer?, #make_call, #node_type?, #number?, #params?, #pluralize, #rails_version, #regexp?, #relative_path, #request_env?, #request_value?, #result?, #set_env_defaults, #sexp?, #string?, #string_interp?, #symbol?, #table_to_csv, #template_path_to_name, #true?, #truncate_table, #underscore
Methods included from ProcessorHelper
#current_file_name, #process_all, #process_all!, #process_call_args, #process_call_defn?, #process_class, #process_module
Methods inherited from SexpProcessor
#in_context, #initialize, #process, processors, #scope
Constructor Details
This class inherits a constructor from Brakeman::BaseCheck
Instance Method Details
#call_on_params?(exp) ⇒ Boolean
134 135 136 137 138 |
# File 'lib/brakeman/checks/check_link_to_href.rb', line 134 def call_on_params? exp call? exp and params? exp.target and exp.method != :[] end |
#decorated_model?(method) ⇒ Boolean
116 117 118 119 |
# File 'lib/brakeman/checks/check_link_to_href.rb', line 116 def decorated_model? method tracker.config.has_gem? :draper and method == :decorate end |
#ignore_call?(target, method) ⇒ Boolean
112 113 114 |
# File 'lib/brakeman/checks/check_link_to_href.rb', line 112 def ignore_call? target, method decorated_model? method or super end |
#ignore_interpolation?(arg, suspect) ⇒ Boolean
Ignore situations where the href is an interpolated string with something before the user input
96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 |
# File 'lib/brakeman/checks/check_link_to_href.rb', line 96 def ignore_interpolation? arg, suspect return unless string_interp? arg return true unless arg[1].chomp.empty? # plain string before interpolation first_interp = arg.find_nodes(:evstr).first return unless first_interp first_interp[1].deep_each do |e| if suspect == e return false end end true end |
#ignored_method?(target, method) ⇒ Boolean
121 122 123 124 125 |
# File 'lib/brakeman/checks/check_link_to_href.rb', line 121 def ignored_method? target, method @ignore_methods.include? method or method.to_s =~ /_path$/ or (target.nil? and method.to_s =~ /_url$/) end |
#model_find_call?(exp) ⇒ Boolean
127 128 129 130 131 132 |
# File 'lib/brakeman/checks/check_link_to_href.rb', line 127 def model_find_call? exp return unless call? exp MODEL_METHODS.include? exp.method or exp.method.to_s =~ /^find_by_/ end |
#process_result(result) ⇒ Object
32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 |
# File 'lib/brakeman/checks/check_link_to_href.rb', line 32 def process_result result #Have to make a copy of this, otherwise it will be changed to #an ignored method call by the code above. call = result[:call] = result[:call].dup @matched = false url_arg = process call.second_arg if call? url_arg and url_arg.method == :url_for url_arg = url_arg.first_arg end return if call? url_arg and ignore_call? url_arg.target, url_arg.method if input = has_immediate_user_input?(url_arg) = "Unsafe #{friendly_type_of input} in link_to href" unless duplicate? result or call_on_params? url_arg or ignore_interpolation? url_arg, input.match add_result result warn :result => result, :warning_type => "Cross Site Scripting", :warning_code => :xss_link_to_href, :message => , :user_input => input, :confidence => CONFIDENCE[:high], :link_path => "link_to_href" end elsif has_immediate_model? url_arg or model_find_call? url_arg # Decided NOT warn on models. polymorphic_path is called it a model is # passed to link_to (which passes it to url_for) elsif array? url_arg # Just like models, polymorphic path/url is called if the argument is # an array elsif hash? url_arg # url_for uses the key/values pretty carefully and I don't see a risk. # IF you have default routes AND you accept user input for :controller # and :only_path, then MAYBE you could trigger a javascript:/data: # attack. elsif @matched if @matched.type == :model and not tracker.[:ignore_model_output] = "Unsafe model attribute in link_to href" elsif @matched.type == :params and not call_on_params? @matched.match = "Unsafe parameter value in link_to href" end if and not duplicate? result and not ignore_interpolation? url_arg, @matched.match add_result result warn :result => result, :warning_type => "Cross Site Scripting", :warning_code => :xss_link_to_href, :message => , :user_input => @matched, :confidence => CONFIDENCE[:med], :link_path => "link_to_href" end end end |
#run_check ⇒ Object
14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 |
# File 'lib/brakeman/checks/check_link_to_href.rb', line 14 def run_check @ignore_methods = Set[:button_to, :check_box, :field_field, :fields_for, :hidden_field, :hidden_field, :hidden_field_tag, :image_tag, :label, :mail_to, :polymorphic_url, :radio_button, :select, :slice, :submit_tag, :text_area, :text_field, :text_field_tag, :url_encode, :u, :will_paginate].merge(tracker.[:url_safe_methods] || []) @models = tracker.models.keys @inspect_arguments = tracker.[:check_arguments] methods = tracker.find_call :target => false, :method => :link_to methods.each do |call| process_result call end end |