Class: Brakeman::CheckContentTag

Inherits:
CheckCrossSiteScripting
Defined in:
lib/brakeman/checks/check_content_tag.rb

Overview

Checks for unescaped values in `content_tag`

content_tag :tag, body
                   ^-- Unescaped in Rails 2.x

content_tag :tag, body, attribute => value
                        ^-- Unescaped in all versions

content_tag :tag, body, attribute => value
                                     ^
                                     |
        Escaped by default; escaping can be explicitly turned on or off
        by passing true or false as the fourth argument

Constant Summary

Constants inherited from CheckCrossSiteScripting

Brakeman::CheckCrossSiteScripting::CGI, Brakeman::CheckCrossSiteScripting::FORM_BUILDER, Brakeman::CheckCrossSiteScripting::HAML_HELPERS, Brakeman::CheckCrossSiteScripting::IGNORE_LIKE, Brakeman::CheckCrossSiteScripting::IGNORE_MODEL_METHODS, Brakeman::CheckCrossSiteScripting::MODEL_METHODS, Brakeman::CheckCrossSiteScripting::URI, Brakeman::CheckCrossSiteScripting::XML_HELPER

Constants inherited from BaseCheck

BaseCheck::CONFIDENCE

Constants included from Util

Util::ALL_PARAMETERS, Util::COOKIES, Util::PARAMETERS, Util::PATH_PARAMETERS, Util::QUERY_PARAMETERS, Util::REQUEST_ENV, Util::REQUEST_PARAMETERS, Util::REQUEST_PARAMS, Util::SESSION

Constants inherited from SexpProcessor

SexpProcessor::VERSION

Instance Attribute Summary

Attributes inherited from BaseCheck

#tracker, #warnings

Attributes inherited from SexpProcessor

#context, #env, #expected

Instance Method Summary

Methods inherited from CheckCrossSiteScripting

#actually_process_call, #check_for_immediate_xss, #process_cookies, #process_escaped_output, #process_format, #process_format_escaped, #process_if, #process_output, #process_params, #process_render, #process_string_interp, #raw_call?

Methods inherited from BaseCheck

#add_result, #initialize, #process_cookies, #process_default, #process_if, #process_params

Methods included from Util

#array?, #call?, #camelize, #contains_class?, #context_for, #cookies?, #false?, #file_by_name, #file_for, #hash?, #hash_access, #hash_insert, #hash_iterate, #integer?, #node_type?, #number?, #params?, #pluralize, #regexp?, #request_env?, #request_value?, #result?, #set_env_defaults, #sexp?, #string?, #symbol?, #table_to_csv, #true?, #truncate_table, #underscore

Methods included from ProcessorHelper

#class_name, #process_all, #process_module

Methods inherited from SexpProcessor

#error_handler, #in_context, #initialize, #process, #process_dummy, #scope

Constructor Details

This class inherits a constructor from Brakeman::BaseCheck

Instance Method Details

#check_argument(result, exp) ⇒ Object



# File 'lib/brakeman/checks/check_content_tag.rb', line 87

# Inspects one argument of a content_tag call and reports a Cross Site
# Scripting warning when it carries unescaped input.
#
# A +raw()+ call is unwrapped first and its first argument is inspected in
# its place. Three sources are recognised, in this order of preference:
# immediate user input (high confidence), immediate model output (high
# confidence for MODEL_METHODS / +find_by*+, medium otherwise; skipped when
# the method is in IGNORE_MODEL_METHODS or +:ignore_model_output+ is set),
# and finally anything recorded in +@matched+ while the argument was
# processed (medium confidence).
#
# @param result [Hash] the call result the warning is attached to
# @param exp [Sexp] the argument expression to inspect
# @return the value of +warn+ when a warning is issued, otherwise nil
def check_argument result, exp
  # raw() contributes nothing of its own; look straight at what it wraps
  arg = raw?(exp) ? process(exp.first_arg) : process(exp)
  skip_models = tracker.options[:ignore_model_output]

  if (input = has_immediate_user_input?(arg))
    message = case input.type
              when :params  then "Unescaped parameter value in content_tag"
              when :cookies then "Unescaped cookie value in content_tag"
              else "Unescaped user input value in content_tag"
              end

    add_result result

    warn :result => result,
         :warning_type => "Cross Site Scripting",
         :message => message,
         :user_input => input.match,
         :confidence => CONFIDENCE[:high],
         :link_path => "content_tag"

  elsif !skip_models && (model_match = has_immediate_model?(arg))
    method_name = model_match[2]
    return if IGNORE_MODEL_METHODS.include?(method_name)

    add_result result

    # Known attribute readers and dynamic finders are the usual XSS carriers
    confidence = if MODEL_METHODS.include?(method_name) || method_name.to_s =~ /^find_by/
                   CONFIDENCE[:high]
                 else
                   CONFIDENCE[:med]
                 end

    warn :result => result,
         :warning_type => "Cross Site Scripting",
         :message => "Unescaped model attribute in content_tag",
         :user_input => model_match,
         :confidence => confidence,
         :link_path => "content_tag"

  elsif @matched
    source = case @matched.type
             when :model
               return if skip_models
               "model attribute"
             when :params  then "parameter"
             when :cookies then "cookie"
             when :session then "session"
             else "user input"
             end

    add_result result

    warn :result => result,
         :warning_type => "Cross Site Scripting",
         :message => "Unescaped #{source} value in content_tag",
         :user_input => @matched.match,
         :confidence => CONFIDENCE[:med],
         :link_path => "content_tag"
  end
end

#process_call(exp) ⇒ Object



# File 'lib/brakeman/checks/check_content_tag.rb', line 164

# Processes a call expression while +@mark+ is set.
#
# The outermost call sets +@mark+ around +actually_process_call+ and clears
# it afterwards; nested calls that already see +@mark+ set leave it alone.
#
# @param exp [Sexp] the call expression
# @return [Sexp] +exp+, unchanged
def process_call exp
  if @mark
    actually_process_call exp
    return exp
  end

  @mark = true
  actually_process_call exp
  @mark = false

  exp
end

#process_result(result) ⇒ Object



# File 'lib/brakeman/checks/check_content_tag.rb', line 42

# Checks the arguments of a single content_tag call for unescaped input.
#
# The call is inspected in the order in which content_tag leaves things
# unescaped: the tag name, then the body (only when not on Rails 3+ or when
# wrapped in +raw()+), then attribute keys (never escaped), and lastly
# attribute values when escaping was explicitly disabled via the fourth
# argument. Inspection stops at the first match.
#
# @param result [Hash] a call result from +tracker.find_call+; +result[:call]+
#   is duplicated before inspection
# @return the return value is not meaningful; +run_check+ ignores it
def process_result result
  return if duplicate?(result)

  call = result[:call] = result[:call].dup
  args = call.arglist

  tag_name, content, attributes, escape_attr = args[1], args[2], args[3], args[4]

  @matched = false

  # Unusual, but user input in the tag name is still dangerous
  check_argument result, tag_name

  # The body is only escaped from Rails 3 on, and never when wrapped in raw()
  unless @matched || (tracker.options[:rails3] && !raw?(content))
    check_argument result, content
  end

  # Attribute keys are never escaped
  if !@matched && hash?(attributes) && !request_value?(attributes)
    hash_iterate(attributes) do |key, _value|
      check_argument result, key
      return if @matched
    end
  end

  return if @matched

  # Attribute values are escaped by default; only look at them when the
  # fourth argument explicitly disables escaping
  if attributes && false?(escape_attr)
    if request_value?(attributes) || !hash?(attributes)
      check_argument result, attributes
    else
      hash_iterate(attributes) do |_key, value|
        check_argument result, value
        return if @matched
      end
    end
  end
end

#raw?(exp) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/brakeman/checks/check_content_tag.rb', line 176

# Whether +exp+ is a call to +raw+.
#
# @param exp [Sexp] expression to test
# @return [Boolean] true when +exp+ is a call whose method is +:raw+
def raw? exp
  call?(exp) && exp.method == :raw
end

#run_check ⇒ Object



# File 'lib/brakeman/checks/check_content_tag.rb', line 21

# Entry point of the check: finds every receiver-less +content_tag+ call the
# tracker knows about and runs +process_result+ on each.
#
# Sets up the helper methods treated as safe (the built-in list merged with
# the +:safe_methods+ option), the known model names and the
# +:check_arguments+ option before processing.
#
# @return [Array] the list of content_tag call results that were processed
def run_check
  safe_helpers = %i[button_to check_box escapeHTML escape_once field_field
                    fields_for h hidden_field hidden_field_tag image_tag label
                    mail_to radio_button select submit_tag text_area text_field
                    text_field_tag url_encode url_for will_paginate]
  @ignore_methods = Set.new(safe_helpers).merge(tracker.options[:safe_methods])

  @known_dangerous = []
  content_tag_calls = tracker.find_call(:target => false, :method => :content_tag)

  @models = tracker.models.keys
  @inspect_arguments = tracker.options[:check_arguments]

  Brakeman.debug "Checking for XSS in content_tag"
  content_tag_calls.each { |call| process_result call }
end