Class: Brakeman::CheckSingleQuotes

Inherits:
BaseCheck show all
Defined in:
lib/brakeman/checks/check_single_quotes.rb

Overview

Checks for versions which do not escape single quotes. groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion

Constant Summary collapse

RACK_UTILS =
Sexp.new(:colon2, Sexp.new(:const, :Rack), :Utils)

Constants inherited from BaseCheck

BaseCheck::CONFIDENCE

Constants included from Util

Util::ALL_COOKIES, Util::ALL_PARAMETERS, Util::COOKIES, Util::COOKIES_SEXP, Util::DIR_CONST, Util::LITERALS, Util::PARAMETERS, Util::PARAMS_SEXP, Util::PATH_PARAMETERS, Util::QUERY_PARAMETERS, Util::REQUEST_COOKIES, Util::REQUEST_ENV, Util::REQUEST_PARAMETERS, Util::REQUEST_PARAMS, Util::REQUEST_REQUEST_PARAMETERS, Util::SAFE_LITERAL, Util::SESSION, Util::SESSION_SEXP, Util::SIMPLE_LITERALS

Constants inherited from SexpProcessor

SexpProcessor::VERSION

Instance Attribute Summary

Attributes inherited from BaseCheck

#tracker, #warnings

Attributes inherited from SexpProcessor

#context, #env, #expected

Instance Method Summary collapse

Methods inherited from BaseCheck

#add_result, inherited, #process_array, #process_cookies, #process_default, #process_dstr, #process_if, #process_params

Methods included from Messages

#msg, #msg_code, #msg_cve, #msg_file, #msg_input, #msg_lit, #msg_plain, #msg_version

Methods included from Util

#all_literals?, #array?, #block?, #call?, #camelize, #class_name, #constant?, #contains_class?, #cookies?, #dir_glob?, #false?, #hash?, #hash_access, #hash_insert, #hash_iterate, #hash_values, #integer?, #kwsplat?, #literal?, #make_call, #node_type?, #number?, #params?, #pluralize, #rails_version, #recurse_check?, #regexp?, #remove_kwsplat, #request_env?, #request_value?, #result?, #safe_literal, #safe_literal?, #safe_literal_target?, #set_env_defaults, #sexp?, #simple_literal?, #string?, #string_interp?, #symbol?, #template_path_to_name, #true?, #underscore

Methods included from ProcessorHelper

#current_file, #process_all, #process_all!, #process_call_args, #process_call_defn?

Methods inherited from SexpProcessor

#in_context, #process, processors, #scope

Constructor Details

#initialize(*args) ⇒ CheckSingleQuotes

Returns a new instance of CheckSingleQuotes.



11
12
13
14
# File 'lib/brakeman/checks/check_single_quotes.rb', line 11

def initialize *args
  super
  @inside_erb = @inside_util = @inside_html_escape = @uses_rack_escape = false
end

Instance Method Details

#process_call(exp) ⇒ Object

Look for

Rack::Utils.escape_html


96
97
98
99
100
101
102
103
104
# File 'lib/brakeman/checks/check_single_quotes.rb', line 96

def process_call exp
  if @inside_html_escape and exp.target == RACK_UTILS and exp.method == :escape_html
    @uses_rack_escape = true
  else
    process exp.target if exp.target
  end

  exp
end

#process_class(exp) ⇒ Object

Look for

class ERB


57
58
59
60
61
62
63
64
65
# File 'lib/brakeman/checks/check_single_quotes.rb', line 57

def process_class exp
  if exp.class_name == :ERB
    @inside_erb = true
    process_all exp.body
    @inside_erb = false
  end

  exp
end

#process_defn(exp) ⇒ Object

Look for

def html_escape


83
84
85
86
87
88
89
90
91
# File 'lib/brakeman/checks/check_single_quotes.rb', line 83

def process_defn exp
  if @inside_util and exp.method_name == :html_escape
    @inside_html_escape = true
    process_all exp.body
    @inside_html_escape = false
  end

  exp
end

#process_module(exp) ⇒ Object

Look for

module Util


70
71
72
73
74
75
76
77
78
# File 'lib/brakeman/checks/check_single_quotes.rb', line 70

def process_module exp
  if @inside_erb and exp.module_name == :Util
    @inside_util = true
    process_all exp.body
    @inside_util = false
  end

  exp
end

#run_checkObject



16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
# File 'lib/brakeman/checks/check_single_quotes.rb', line 16

def run_check
  return if uses_rack_escape?

  if version_between? '2.0.0', '2.3.14'
    message = msg("All Rails 2.x versions do not escape single quotes ", msg_cve("CVE-2012-3464"))
  else
    message = msg(msg_version(rails_version), " does not escape single quotes ", msg_cve("CVE-2012-3464"), ". Upgrade to ")

    case
    when version_between?('3.0.0', '3.0.16')
      message << msg_version('3.0.17')
    when version_between?('3.1.0', '3.1.7')
      message << msg_version('3.1.8')
    when version_between?('3.2.0', '3.2.7')
      message << msg_version('3.2.8')
    else
      return
    end
  end

  warn :warning_type => "Cross-Site Scripting",
    :warning_code => :CVE_2012_3464,
    :message => message,
    :confidence => :medium,
    :gem_info => gemfile_or_environment,
    :link_path => "https://groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion"
end

#uses_rack_escape?Boolean

Process initializers to see if they use workaround by replacing Erb::Util.html_escape

Returns:

  • (Boolean)


46
47
48
49
50
51
52
# File 'lib/brakeman/checks/check_single_quotes.rb', line 46

def uses_rack_escape?
  @tracker.initializers.each do |_name, src|
    process src
  end

  @uses_rack_escape
end