Class: Spektr::Checks::JsonEntityEscape

Inherits:
Base
  • Object
show all
Defined in:
lib/spektr/checks/json_entity_escape.rb

Instance Attribute Summary

Attributes inherited from Base

#name

Instance Method Summary collapse

Methods inherited from Base

#app_version_between?, #dupe?, #model_attribute?, #should_run?, #target_affected?, #user_input?, #version_affected, #version_between?, #warn!

Constructor Details

#initialize(app, target) ⇒ JsonEntityEscape

Returns a new instance of JsonEntityEscape.



5
6
7
8
9
10
 
# File 'lib/spektr/checks/json_entity_escape.rb', line 5

def initialize(app, target)
  super
  @name = "HTML escaping is disabled for JSON output"
  @type = "Cross-Site Scripting"
  @targets = ["Spektr::Targets::Config", "Spektr::Targets::Base"]
end

Instance Method Details

#runObject 



12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
 
# File 'lib/spektr/checks/json_entity_escape.rb', line 12

def run
  return unless super
  if @app.production_config
    config = @app.production_config.find_calls(:escape_html_entities_in_json=).first
  end
  if config and config.receiver.expanded == "config.active_support" && config.arguments.first.type == :false
    warn! @app.production_config.path, self, nil, "HTML entities in JSON are not escaped by default"
  end
  ['ActiveSupport', 'ActiveSupport.JSON.Encoding'].each do |receiver|
    calls = @target.find_calls(:escape_html_entities_in_json=, receiver)
    if calls.any?
      warn! @target, self, calls.first.location, "HTML entities in JSON are not escaped by default"
    end
  end
end