Class: Brakeman::CheckSingleQuotes

Inherits:
BaseCheck show all
Defined in:
lib/brakeman/checks/check_single_quotes.rb

Overview

Checks for versions which do not escape single quotes. groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion

Constant Summary collapse

RACK_UTILS =
Sexp.new(:colon2, Sexp.new(:const, :Rack), :Utils)

Constants inherited from BaseCheck

BaseCheck::CONFIDENCE

Constants included from Util

Util::ALL_PARAMETERS, Util::COOKIES, Util::PARAMETERS, Util::PATH_PARAMETERS, Util::QUERY_PARAMETERS, Util::REQUEST_ENV, Util::REQUEST_PARAMETERS, Util::REQUEST_PARAMS, Util::SESSION

Constants inherited from SexpProcessor

SexpProcessor::VERSION

Instance Attribute Summary

Attributes inherited from BaseCheck

#tracker, #warnings

Attributes inherited from SexpProcessor

#context, #env, #expected

Instance Method Summary collapse

Methods inherited from BaseCheck

#add_result, #process_cookies, #process_default, #process_if, #process_params

Methods included from Util

#array?, #call?, #camelize, #contains_class?, #context_for, #cookies?, #false?, #file_by_name, #file_for, #hash?, #hash_access, #hash_insert, #hash_iterate, #integer?, #node_type?, #number?, #params?, #pluralize, #regexp?, #request_env?, #request_value?, #result?, #set_env_defaults, #sexp?, #string?, #symbol?, #table_to_csv, #true?, #truncate_table, #underscore

Methods included from ProcessorHelper

#class_name, #process_all

Methods inherited from SexpProcessor

#error_handler, #in_context, #process, #process_dummy, #scope

Constructor Details

#initialize(*args) ⇒ CheckSingleQuotes

Returns a new instance of CheckSingleQuotes.



11
12
13
14
# File 'lib/brakeman/checks/check_single_quotes.rb', line 11

def initialize *args
  super
  @inside_erb = @inside_util = @inside_html_escape = @uses_rack_escape = false
end

Instance Method Details

#process_call(exp) ⇒ Object

Look for

Rack::Utils.escape_html


91
92
93
94
95
96
97
98
99
# File 'lib/brakeman/checks/check_single_quotes.rb', line 91

def process_call exp
  if @inside_html_escape and exp.target == RACK_UTILS and exp.method == :escape_html
    @uses_rack_escape = true
  else
    process exp.target if exp.target
  end

  exp
end

#process_class(exp) ⇒ Object

Look for

class ERB


52
53
54
55
56
57
58
59
60
# File 'lib/brakeman/checks/check_single_quotes.rb', line 52

def process_class exp
  if exp.class_name == :ERB
    @inside_erb = true
    process exp.body
    @inside_erb = false
  end

  exp
end

#process_defn(exp) ⇒ Object

Look for

def html_escape


78
79
80
81
82
83
84
85
86
# File 'lib/brakeman/checks/check_single_quotes.rb', line 78

def process_defn exp
  if @inside_util and exp.method_name == :html_escape
    @inside_html_escape = true
    process exp.body
    @inside_html_escape = false
  end

  exp
end

#process_module(exp) ⇒ Object

Look for

module Util


65
66
67
68
69
70
71
72
73
# File 'lib/brakeman/checks/check_single_quotes.rb', line 65

def process_module exp
  if @inside_erb and exp.module_name == :Util
    @inside_util = true
    process exp.body
    @inside_util = false
  end

  exp
end

#run_checkObject



16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
# File 'lib/brakeman/checks/check_single_quotes.rb', line 16

def run_check
  return if uses_rack_escape?

  case
  when version_between?('2.0.0', '2.3.14')
    message = "All Rails 2.x versions do not escape single quotes (CVE-2012-3464)"
  when version_between?('3.0.0', '3.0.16')
    message = "Rails #{tracker.config[:rails_version]} does not escape single quotes (CVE-2012-3464). Upgrade to 3.0.17"
  when version_between?('3.1.0', '3.1.7')
    message = "Rails #{tracker.config[:rails_version]} does not escape single quotes (CVE-2012-3464). Upgrade to 3.1.8"
  when version_between?('3.2.0', '3.2.7')
    message = "Rails #{tracker.config[:rails_version]} does not escape single quotes (CVE-2012-3464). Upgrade to 3.2.8"
  else
    return
  end

  warn :warning_type => "Cross Site Scripting",
    :message => message,
    :confidence => CONFIDENCE[:med],
    :file => gemfile_or_environment,
    :link_path => "https://groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion"
end

#uses_rack_escape?Boolean

Process initializers to see if they use workaround by replacing Erb::Util.html_escape

Returns:

  • (Boolean)


41
42
43
44
45
46
47
# File 'lib/brakeman/checks/check_single_quotes.rb', line 41

def uses_rack_escape?
  @tracker.initializers.each do |name, src|
    process src
  end

  @uses_rack_escape
end