Class: Scanny::Checks::XssFlashCheck

Inherits:

Check

• Object
• Check
• Scanny::Checks::XssFlashCheck

Defined in:

lib/scanny/checks/xss/xss_flash_check.rb

Overview

Check for flash methods that are called with request params or dynamic a string. This allows us to avoid showing dangerous HTML code to users

Instance Method Summary

• #check(node) ⇒ Object
• #pattern ⇒ Object

Methods inherited from Check

#compiled_pattern, #issue, #strict?, #visit

Instance Method Details

#check(node) ⇒ Object

# File 'lib/scanny/checks/xss/xss_flash_check.rb', line 14

def check(node)
  if Machete.matches?(node, pattern_params)
    issue :high, warning_message, :cwe => 79
  elsif Machete.matches?(node, pattern_dynamic_string)
    issue :medium, warning_message, :cwe => 79
  end
end

#pattern ⇒ Object

# File 'lib/scanny/checks/xss/xss_flash_check.rb', line 7

def pattern
  [
    pattern_params,
    pattern_dynamic_string
  ].join("|")
end