Class: Brakeman::CheckLinkToHref
- Inherits:
-
CheckLinkTo
- Object
- SexpProcessor
- BaseCheck
- CheckCrossSiteScripting
- CheckLinkTo
- Brakeman::CheckLinkToHref
- Defined in:
- lib/brakeman/checks/check_link_to_href.rb
Overview
Checks for calls to link_to which pass in potentially hazardous data to the second argument. While this argument must be html_safe to not break the html, it must also be url safe as determined by calling a :url_safe_method. This prevents attacks such as javascript:evil() or data:<encoded XSS> which is html_safe, but not safe as an href Props to Nick Green for the idea.
Constant Summary
Constants inherited from CheckCrossSiteScripting
Brakeman::CheckCrossSiteScripting::CGI, Brakeman::CheckCrossSiteScripting::FORM_BUILDER, Brakeman::CheckCrossSiteScripting::HAML_HELPERS, Brakeman::CheckCrossSiteScripting::IGNORE_LIKE, Brakeman::CheckCrossSiteScripting::IGNORE_MODEL_METHODS, Brakeman::CheckCrossSiteScripting::MODEL_METHODS, Brakeman::CheckCrossSiteScripting::URI, Brakeman::CheckCrossSiteScripting::XML_HELPER
Constants inherited from BaseCheck
Constants included from Util
Util::ALL_PARAMETERS, Util::COOKIES, Util::PARAMETERS, Util::PATH_PARAMETERS, Util::QUERY_PARAMETERS, Util::REQUEST_ENV, Util::REQUEST_PARAMETERS, Util::REQUEST_PARAMS, Util::SESSION
Constants inherited from SexpProcessor
Instance Attribute Summary
Attributes inherited from BaseCheck
Attributes inherited from SexpProcessor
Instance Method Summary collapse
Methods inherited from CheckLinkTo
#actually_process_call, #check_argument, #process_call
Methods inherited from CheckCrossSiteScripting
#actually_process_call, #check_for_immediate_xss, #process_call, #process_cookies, #process_escaped_output, #process_format, #process_format_escaped, #process_if, #process_output, #process_params, #process_render, #process_string_interp, #raw_call?
Methods inherited from BaseCheck
#add_result, #initialize, #process_call, #process_cookies, #process_default, #process_if, #process_params
Methods included from Util
#array?, #call?, #camelize, #contains_class?, #context_for, #cookies?, #false?, #file_by_name, #file_for, #hash?, #hash_access, #hash_insert, #hash_iterate, #integer?, #node_type?, #number?, #params?, #pluralize, #regexp?, #request_env?, #request_value?, #result?, #set_env_defaults, #sexp?, #string?, #symbol?, #table_to_csv, #true?, #truncate_table, #underscore
Methods included from ProcessorHelper
#class_name, #process_all, #process_module
Methods inherited from SexpProcessor
#error_handler, #in_context, #initialize, #process, #process_dummy, #scope
Constructor Details
This class inherits a constructor from Brakeman::BaseCheck
Instance Method Details
#process_result(result) ⇒ Object
32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 |
# File 'lib/brakeman/checks/check_link_to_href.rb', line 32 def process_result result #Have to make a copy of this, otherwise it will be changed to #an ignored method call by the code above. call = result[:call] = result[:call].dup @matched = false url_arg = process call.args.second #Ignore situations where the href is an interpolated string #with something before the user input return if node_type?(url_arg, :string_interp) && !url_arg[1].chomp.empty? if input = has_immediate_user_input?(url_arg) case input.type when :params = "Unsafe parameter value in link_to href" when :cookies = "Unsafe cookie value in link_to href" else = "Unsafe user input value in link_to href" end unless duplicate? result add_result result warn :result => result, :warning_type => "Cross Site Scripting", :message => , :user_input => input.match, :confidence => CONFIDENCE[:high], :link_path => "link_to_href" end elsif has_immediate_model? url_arg # Decided NOT warn on models. polymorphic_path is called it a model is # passed to link_to (which passes it to url_for) elsif hash? url_arg # url_for uses the key/values pretty carefully and I don't see a risk. # IF you have default routes AND you accept user input for :controller # and :only_path, then MAYBE you could trigger a javascript:/data: # attack. elsif @matched if @matched.type == :model and not tracker.[:ignore_model_output] = "Unsafe model attribute in link_to href" elsif @matched.type == :params = "Unsafe parameter value in link_to href" end if and not duplicate? result add_result result warn :result => result, :warning_type => "Cross Site Scripting", :message => , :user_input => @matched.match, :confidence => CONFIDENCE[:med], :link_path => "link_to_href" end end end |
#run_check ⇒ Object
14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 |
# File 'lib/brakeman/checks/check_link_to_href.rb', line 14 def run_check @ignore_methods = Set[:button_to, :check_box, :field_field, :fields_for, :hidden_field, :hidden_field, :hidden_field_tag, :image_tag, :label, :mail_to, :radio_button, :select, :submit_tag, :text_area, :text_field, :text_field_tag, :url_encode, :url_for, :will_paginate].merge(tracker.[:url_safe_methods] || []) @models = tracker.models.keys @inspect_arguments = tracker.[:check_arguments] methods = tracker.find_call :target => false, :method => :link_to methods.each do |call| process_result call end end |