Class: Brakeman::CheckContentTag
- Inherits:
-
CheckCrossSiteScripting
- Object
- SexpProcessor
- BaseCheck
- CheckCrossSiteScripting
- Brakeman::CheckContentTag
- Defined in:
- lib/brakeman/checks/check_content_tag.rb
Overview
Checks for unescaped values in ‘content_tag`
content_tag :tag, body
^-- Unescaped in Rails 2.x
content_tag, :tag, body, attribute => value
^-- Unescaped in all versions
content_tag, :tag, body, attribute => value
^
|
Escaped by default, can be explicitly escaped
or not by passing in (true|false) as fourth argument
Constant Summary
Constants inherited from CheckCrossSiteScripting
Brakeman::CheckCrossSiteScripting::CGI, Brakeman::CheckCrossSiteScripting::FORM_BUILDER, Brakeman::CheckCrossSiteScripting::HAML_HELPERS, Brakeman::CheckCrossSiteScripting::IGNORE_LIKE, Brakeman::CheckCrossSiteScripting::IGNORE_MODEL_METHODS, Brakeman::CheckCrossSiteScripting::MODEL_METHODS, Brakeman::CheckCrossSiteScripting::URI, Brakeman::CheckCrossSiteScripting::XML_HELPER
Constants inherited from BaseCheck
Constants included from Util
Util::ALL_PARAMETERS, Util::COOKIES, Util::PARAMETERS, Util::PATH_PARAMETERS, Util::QUERY_PARAMETERS, Util::REQUEST_ENV, Util::REQUEST_PARAMETERS, Util::REQUEST_PARAMS, Util::SESSION
Constants inherited from SexpProcessor
Instance Attribute Summary
Attributes inherited from BaseCheck
Attributes inherited from SexpProcessor
Instance Method Summary collapse
- #check_argument(result, exp) ⇒ Object
- #process_call(exp) ⇒ Object
- #process_result(result) ⇒ Object
- #raw?(exp) ⇒ Boolean
- #run_check ⇒ Object
Methods inherited from CheckCrossSiteScripting
#actually_process_call, #check_for_immediate_xss, #process_cookies, #process_escaped_output, #process_format, #process_format_escaped, #process_if, #process_output, #process_params, #process_render, #process_string_interp, #raw_call?
Methods inherited from BaseCheck
#add_result, #initialize, #process_cookies, #process_default, #process_if, #process_params
Methods included from Util
#array?, #call?, #camelize, #contains_class?, #context_for, #cookies?, #false?, #file_by_name, #file_for, #hash?, #hash_access, #hash_insert, #hash_iterate, #integer?, #node_type?, #number?, #params?, #pluralize, #regexp?, #request_env?, #request_value?, #result?, #set_env_defaults, #sexp?, #string?, #symbol?, #table_to_csv, #true?, #truncate_table, #underscore
Methods included from ProcessorHelper
#class_name, #process_all, #process_module
Methods inherited from SexpProcessor
#error_handler, #in_context, #initialize, #process, #process_dummy, #scope
Constructor Details
This class inherits a constructor from Brakeman::BaseCheck
Instance Method Details
#check_argument(result, exp) ⇒ Object
87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 |
# File 'lib/brakeman/checks/check_content_tag.rb', line 87 def check_argument result, exp #Check contents of raw() calls directly if call? exp and exp.method == :raw arg = process exp.first_arg else arg = process exp end if input = has_immediate_user_input?(arg) case input.type when :params = "Unescaped parameter value in content_tag" when :cookies = "Unescaped cookie value in content_tag" else = "Unescaped user input value in content_tag" end add_result result warn :result => result, :warning_type => "Cross Site Scripting", :message => , :user_input => input.match, :confidence => CONFIDENCE[:high], :link_path => "content_tag" elsif not tracker.[:ignore_model_output] and match = has_immediate_model?(arg) method = match[2] unless IGNORE_MODEL_METHODS.include? method add_result result if MODEL_METHODS.include? method or method.to_s =~ /^find_by/ confidence = CONFIDENCE[:high] else confidence = CONFIDENCE[:med] end warn :result => result, :warning_type => "Cross Site Scripting", :message => "Unescaped model attribute in content_tag", :user_input => match, :confidence => confidence, :link_path => "content_tag" end elsif @matched = "Unescaped " case @matched.type when :model return if tracker.[:ignore_model_output] << "model attribute" when :params << "parameter" when :cookies << "cookie" when :session << "session" else << "user input" end << " value in content_tag" add_result result warn :result => result, :warning_type => "Cross Site Scripting", :message => , :user_input => @matched.match, :confidence => CONFIDENCE[:med], :link_path => "content_tag" end end |
#process_call(exp) ⇒ Object
164 165 166 167 168 169 170 171 172 173 174 |
# File 'lib/brakeman/checks/check_content_tag.rb', line 164 def process_call exp if @mark actually_process_call exp else @mark = true actually_process_call exp @mark = false end exp end |
#process_result(result) ⇒ Object
42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 |
# File 'lib/brakeman/checks/check_content_tag.rb', line 42 def process_result result return if duplicate? result call = result[:call] = result[:call].dup args = call.arglist tag_name = args[1] content = args[2] attributes = args[3] escape_attr = args[4] @matched = false #Silly, but still dangerous if someone uses user input in the tag type check_argument result, tag_name #Versions before 3.x do not escape body of tag, nor does the rails_xss gem unless @matched or (tracker.[:rails3] and not raw? content) check_argument result, content end #Attribute keys are never escaped, so check them for user input if not @matched and hash? attributes and not request_value? attributes hash_iterate(attributes) do |k, v| check_argument result, k return if @matched end end #By default, content_tag escapes attribute values passed in as a hash. #But this behavior can be disabled. So only check attributes hash #if they are explicitly not escaped. if not @matched and attributes and false? escape_attr if request_value? attributes or not hash? attributes check_argument result, attributes else #check hash values hash_iterate(attributes) do |k, v| check_argument result, v return if @matched end end end end |
#raw?(exp) ⇒ Boolean
176 177 178 |
# File 'lib/brakeman/checks/check_content_tag.rb', line 176 def raw? exp call? exp and exp.method == :raw end |
#run_check ⇒ Object
21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 |
# File 'lib/brakeman/checks/check_content_tag.rb', line 21 def run_check @ignore_methods = Set[:button_to, :check_box, :escapeHTML, :escape_once, :field_field, :fields_for, :h, :hidden_field, :hidden_field, :hidden_field_tag, :image_tag, :label, :mail_to, :radio_button, :select, :submit_tag, :text_area, :text_field, :text_field_tag, :url_encode, :url_for, :will_paginate].merge tracker.[:safe_methods] @known_dangerous = [] methods = tracker.find_call :target => false, :method => :content_tag @models = tracker.models.keys @inspect_arguments = tracker.[:check_arguments] Brakeman.debug "Checking for XSS in content_tag" methods.each do |call| process_result call end end |