Class: Brakeman::CheckLinkTo
- Inherits:
-
CheckCrossSiteScripting
- Object
- SexpProcessor
- BaseCheck
- CheckCrossSiteScripting
- Brakeman::CheckLinkTo
- Defined in:
- lib/brakeman/checks/check_link_to.rb
Overview
Checks for calls to link_to in versions of Ruby where link_to did not escape the first argument.
See rails.lighthouseapp.com/projects/8994/tickets/3518-link_to-doesnt-escape-its-input
Direct Known Subclasses
Constant Summary
Constants inherited from CheckCrossSiteScripting
Brakeman::CheckCrossSiteScripting::CGI, Brakeman::CheckCrossSiteScripting::FORM_BUILDER, Brakeman::CheckCrossSiteScripting::HAML_HELPERS, Brakeman::CheckCrossSiteScripting::IGNORE_LIKE, Brakeman::CheckCrossSiteScripting::IGNORE_MODEL_METHODS, Brakeman::CheckCrossSiteScripting::MODEL_METHODS, Brakeman::CheckCrossSiteScripting::URI, Brakeman::CheckCrossSiteScripting::XML_HELPER
Constants inherited from BaseCheck
Constants included from Util
Util::ALL_PARAMETERS, Util::COOKIES, Util::PARAMETERS, Util::PATH_PARAMETERS, Util::QUERY_PARAMETERS, Util::REQUEST_ENV, Util::REQUEST_PARAMETERS, Util::REQUEST_PARAMS, Util::SESSION
Constants inherited from SexpProcessor
Instance Attribute Summary
Attributes inherited from BaseCheck
Attributes inherited from SexpProcessor
Instance Method Summary
- #actually_process_call(exp) ⇒ Object
- #check_argument(result, exp) ⇒ Object
- #process_call(exp) ⇒ Object
- #process_result(result) ⇒ Object
- #run_check ⇒ Object
Methods inherited from CheckCrossSiteScripting
#check_for_immediate_xss, #process_cookies, #process_escaped_output, #process_format, #process_format_escaped, #process_if, #process_output, #process_params, #process_render, #process_string_interp, #raw_call?
Methods inherited from BaseCheck
#add_result, #initialize, #process_cookies, #process_default, #process_if, #process_params
Methods included from Util
#array?, #call?, #camelize, #contains_class?, #context_for, #cookies?, #false?, #file_by_name, #file_for, #hash?, #hash_access, #hash_insert, #hash_iterate, #integer?, #node_type?, #number?, #params?, #pluralize, #regexp?, #request_env?, #request_value?, #result?, #set_env_defaults, #sexp?, #string?, #symbol?, #table_to_csv, #true?, #truncate_table, #underscore
Methods included from ProcessorHelper
#class_name, #process_all, #process_module
Methods inherited from SexpProcessor
#error_handler, #in_context, #initialize, #process, #process_dummy, #scope
Constructor Details
This class inherits a constructor from Brakeman::BaseCheck
Instance Method Details
#actually_process_call(exp) ⇒ Object
# File 'lib/brakeman/checks/check_link_to.rb', line 130
# Process a call node found inside a link_to argument.
#
# Bails out once something has already matched (@matched is reset per
# result in #process_result and appears to be set by the superclass while
# processing — confirm in CheckCrossSiteScripting). A call whose target is
# a bare model used directly as an argument is left alone, since such a
# call builds a resource URL rather than a string; everything else is
# handed to the superclass.
#
# @param exp [Sexp] the call node
# @return [Sexp, nil, Object] exp for bare-model targets, nil when already
#   matched, otherwise whatever the superclass returns
def actually_process_call exp
  return if @matched

  receiver = exp.target
  receiver = process receiver.dup if sexp? receiver

  # Bare records create links to the model resource,
  # not a string that could have injection
  return exp if model_name? receiver and context == [:call, :arglist]

  super
end
#check_argument(result, exp) ⇒ Object
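# File 'lib/brakeman/checks/check_link_to.rb', line 63
# Inspect one link_to argument and report a Cross Site Scripting warning
# when it carries unescaped user input or unescaped model output.
#
# Three cases are distinguished, in order:
#   1. the argument itself is immediate user input (params/cookies/other)
#      -> high confidence;
#   2. the argument is an immediate model call (unless model output is
#      ignored via tracker.options[:ignore_model_output]) -> high confidence
#      for attribute-style methods and find_by* lookups, medium otherwise;
#   3. something nested inside the argument matched during processing
#      (@matched, maintained by the superclass/process_result) -> medium.
#
# NOTE(review): the rendered listing dropped the local `message` and the
# `options` receiver on `tracker`; both are restored here.
#
# @param result [Hash] the find_call result being checked; passed through
#   to #add_result and #warn as :result
# @param exp [Sexp] the argument expression to inspect
# @return [nil] findings are reported via #warn; no value is returned
def check_argument result, exp
  arg = process exp

  if input = has_immediate_user_input?(arg)
    message = case input.type
              when :params
                "Unescaped parameter value in link_to"
              when :cookies
                "Unescaped cookie value in link_to"
              else
                "Unescaped user input value in link_to"
              end

    add_result result

    warn :result => result,
      :warning_type => "Cross Site Scripting",
      :message => message,
      :user_input => input.match,
      :confidence => CONFIDENCE[:high],
      :link_path => "link_to"

  elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(arg)
    method = match[2]

    unless IGNORE_MODEL_METHODS.include? method
      add_result result

      # Plain attribute readers and find_by* lookups almost always return
      # stored (possibly attacker-controlled) data, so they get the higher
      # confidence; other model methods are reported at medium.
      confidence = if MODEL_METHODS.include? method or method.to_s.start_with?("find_by")
                     CONFIDENCE[:high]
                   else
                     CONFIDENCE[:med]
                   end

      warn :result => result,
        :warning_type => "Cross Site Scripting",
        :message => "Unescaped model attribute in link_to",
        :user_input => match,
        :confidence => confidence,
        :link_path => "link_to"
    end

  elsif @matched
    if @matched.type == :model and not tracker.options[:ignore_model_output]
      message = "Unescaped model attribute in link_to"
    elsif @matched.type == :params
      message = "Unescaped parameter value in link_to"
    end

    # No message means the nested match is of a kind we do not report here
    # (e.g. ignored model output), so stay silent.
    if message
      add_result result

      warn :result => result,
        :warning_type => "Cross Site Scripting",
        :message => message,
        :user_input => @matched.match,
        :confidence => CONFIDENCE[:med],
        :link_path => "link_to"
    end
  end
end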
#process_call(exp) ⇒ Object
# File 'lib/brakeman/checks/check_link_to.rb', line 124
# Visit a call node inside a link_to argument.
#
# Sets @mark (its consumer is not visible on this page — presumably read by
# the superclass; confirm in CheckCrossSiteScripting), delegates the real
# work to #actually_process_call, and returns the node itself unchanged so
# the tree walk continues with the original expression.
#
# @param exp [Sexp] the call node
# @return [Sexp] exp, untouched
def process_call exp
  @mark = true
  exp.tap { |call| actually_process_call call }
end
#process_result(result) ⇒ Object
# File 'lib/brakeman/checks/check_link_to.rb', line 36
# Examine one link_to call found by #run_check.
#
# Duplicates are skipped. The call Sexp is duplicated before inspection so
# that processing does not rewrite the tracker's copy into an ignored call.
# Calls with no arguments, or whose first argument is an options hash, are
# not link_to(text, url) style calls and are skipped. Which arguments are
# checked depends on the Rails version:
#   * 2.0.0 - 2.2.99: the first argument, and the second unless it is a hash
#   * otherwise (2.3.x): the first argument, but only when a second exists
#
# @param result [Hash] a find_call result with the link_to call under :call
# @return [nil]
def process_result result
  return if duplicate? result

  #Have to make a copy of this, otherwise it will be changed to
  #an ignored method call by the code above.
  link_call = result[:call] = result[:call].dup
  arguments = link_call.args

  @matched = false

  text_arg = arguments.first
  #Skip if no arguments(?) or first argument is a hash
  return if text_arg.nil? or hash? text_arg

  url_arg = arguments.second

  if version_between? "2.0.0", "2.2.99"
    check_argument result, text_arg
    check_argument result, url_arg if url_arg and not hash? url_arg
  elsif url_arg
    #Only check first argument if there is a second argument
    #in Rails 2.3.x
    check_argument result, text_arg
  end
end
#run_check ⇒ Object
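# File 'lib/brakeman/checks/check_link_to.rb', line 12
# Run the check: find every bare link_to call and hand each one to
# #process_result.
#
# Only applies to Rails 2.0.0 - 2.9.9 and only when the application has
# not enabled global HTML escaping (tracker.config[:escape_html]); outside
# that window link_to escapes its arguments itself.
#
# NOTE(review): the rendered listing dropped the `options` receiver on
# `tracker` (safe_methods / check_arguments); it is restored here. The
# duplicated :hidden_field entry in the ignore set is also removed (Set
# deduplicates anyway, so behaviour is unchanged).
#
# @return [nil]
def run_check
  return unless version_between?("2.0.0", "2.9.9") and not tracker.config[:escape_html]

  # Helper methods whose output is already escaped (or otherwise safe) and
  # therefore should not be reported, plus any user-configured safe methods.
  @ignore_methods = Set[:button_to, :check_box, :escapeHTML, :escape_once,
    :field_field, :fields_for, :h, :hidden_field,
    :hidden_field_tag, :image_tag, :label,
    :mail_to, :radio_button, :select,
    :submit_tag, :text_area, :text_field,
    :text_field_tag, :url_encode, :url_for,
    :will_paginate].merge tracker.options[:safe_methods]

  @known_dangerous = []
  #Ideally, I think this should also check to see if people are setting
  #:escape => false

  methods = tracker.find_call :target => false, :method => :link_to

  @models = tracker.models.keys
  @inspect_arguments = tracker.options[:check_arguments]

  methods.each do |call|
    process_result call
  end
end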