Class: Brakeman::CheckContentTag

Inherits:
CheckCrossSiteScripting
Defined in:
lib/brakeman/checks/check_content_tag.rb

Overview

Checks for unescaped values in `content_tag`

content_tag :tag, body
                   ^-- Unescaped in Rails 2.x

content_tag :tag, body, attribute => value
                           ^-- Unescaped in all versions

content_tag :tag, body, attribute => value
                                       ^
                                       |
        Escaped by default, can be explicitly escaped
        or not by passing in (true|false) as fourth argument

Constant Summary

Constants inherited from CheckCrossSiteScripting

Brakeman::CheckCrossSiteScripting::CGI, Brakeman::CheckCrossSiteScripting::FORM_BUILDER, Brakeman::CheckCrossSiteScripting::HAML_HELPERS, Brakeman::CheckCrossSiteScripting::IGNORE_LIKE, Brakeman::CheckCrossSiteScripting::IGNORE_MODEL_METHODS, Brakeman::CheckCrossSiteScripting::MODEL_METHODS, Brakeman::CheckCrossSiteScripting::URI, Brakeman::CheckCrossSiteScripting::XML_HELPER

Constants inherited from BaseCheck

BaseCheck::CONFIDENCE

Constants included from Util

Util::ALL_PARAMETERS, Util::COOKIES, Util::COOKIES_SEXP, Util::PARAMETERS, Util::PARAMS_SEXP, Util::PATH_PARAMETERS, Util::QUERY_PARAMETERS, Util::REQUEST_ENV, Util::REQUEST_PARAMETERS, Util::REQUEST_PARAMS, Util::SESSION, Util::SESSION_SEXP

Constants inherited from SexpProcessor

SexpProcessor::VERSION

Instance Attribute Summary

Attributes inherited from BaseCheck

#tracker, #warnings

Attributes inherited from SexpProcessor

#context, #env, #expected

Instance Method Summary

Methods inherited from CheckCrossSiteScripting

#actually_process_call, #boolean_method?, #cgi_escaped?, #check_for_immediate_xss, #form_builder_method?, #haml_escaped?, #ignore_call?, #ignored_method?, #ignored_model_method?, #likely_model_attribute?, #process_cookies, #process_escaped_output, #process_format, #process_format_escaped, #process_if, #process_output, #process_params, #process_render, #process_string_interp, #raw_call?, #safe_input_attribute?, #setup, #xml_escaped?

Methods inherited from BaseCheck

#add_result, inherited, #initialize, #process_cookies, #process_default, #process_if, #process_params, #process_string_interp

Methods included from Util

#array?, #block?, #call?, #camelize, #contains_class?, #context_for, #cookies?, #false?, #file_by_name, #file_for, #github_url, #hash?, #hash_access, #hash_insert, #hash_iterate, #integer?, #make_call, #node_type?, #number?, #params?, #pluralize, #regexp?, #relative_path, #request_env?, #request_value?, #result?, #set_env_defaults, #sexp?, #string?, #symbol?, #table_to_csv, #template_path_to_name, #true?, #truncate_table, #underscore

Methods included from ProcessorHelper

#class_name, #process_all, #process_all!, #process_call_args, #process_class, #process_module

Methods inherited from SexpProcessor

#error_handler, #in_context, #initialize, #process, #process_dummy, #scope

Constructor Details

This class inherits a constructor from Brakeman::BaseCheck

Instance Method Details

#check_argument(result, exp) ⇒ Object


# File 'lib/brakeman/checks/check_content_tag.rb', line 88

# Report an XSS warning if +exp+ (one argument of a content_tag call)
# carries unescaped dynamic content.
#
# +exp+ is run through +process+ first; for a +raw(...)+ call its first
# argument is processed instead, so the raw() wrapper does not hide what
# it wraps. Findings are reported with the following precedence:
#   1. immediate user input: high confidence
#   2. an immediate model attribute: high confidence when it looks like a
#      model attribute, medium otherwise; skipped when :ignore_model_output
#      is set or the method is listed in IGNORE_MODEL_METHODS
#   3. whatever processing left in @matched: medium confidence, with model
#      matches again skipped under :ignore_model_output
#
# @param result [Hash] the content_tag call result being checked
# @param exp [Sexp] the argument expression to inspect
# @return [void] the warning, if any, is recorded via +warn+
def check_argument result, exp
  # Look through raw() at its argument rather than at the raw() call itself
  value = raw?(exp) ? process(exp.first_arg) : process(exp)

  if (user_input = has_immediate_user_input?(value))
    message = "Unescaped #{friendly_type_of user_input} in content_tag"

    add_result result

    warn(result: result,
         warning_type: "Cross Site Scripting",
         warning_code: :xss_content_tag,
         message: message,
         user_input: user_input.match,
         confidence: CONFIDENCE[:high],
         link_path: "content_tag")
  elsif !tracker.options[:ignore_model_output] && (model_match = has_immediate_model?(value))
    # Output of these model methods is deliberately never reported
    return if IGNORE_MODEL_METHODS.include? model_match.method

    add_result result

    confidence = likely_model_attribute?(model_match) ? CONFIDENCE[:high] : CONFIDENCE[:med]

    warn(result: result,
         warning_type: "Cross Site Scripting",
         warning_code: :xss_content_tag,
         message: "Unescaped model attribute in content_tag",
         user_input: model_match,
         confidence: confidence,
         link_path: "content_tag")
  elsif @matched
    return if @matched.type == :model && tracker.options[:ignore_model_output]

    message = "Unescaped #{friendly_type_of @matched} in content_tag"

    add_result result

    warn(result: result,
         warning_type: "Cross Site Scripting",
         warning_code: :xss_content_tag,
         message: message,
         user_input: @matched.match,
         confidence: CONFIDENCE[:med],
         link_path: "content_tag")
  end
end

#process_call(exp) ⇒ Object


# File 'lib/brakeman/checks/check_content_tag.rb', line 145

# Process a call expression, using @mark to distinguish the outermost
# call from calls nested inside it.
#
# When @mark is not yet set, this is the outermost call: @mark is set to
# true around actually_process_call and reset to false afterwards.
# Nested calls (made while @mark is already set) leave the flag alone.
# Note that the reset is not in an +ensure+, so an exception raised by
# actually_process_call leaves @mark set.
#
# @param exp [Sexp] the call expression
# @return [Sexp] +exp+, returned unchanged
def process_call exp
  outermost = !@mark

  @mark = true if outermost
  actually_process_call exp
  @mark = false if outermost

  exp
end

#process_result(result) ⇒ Object


# File 'lib/brakeman/checks/check_content_tag.rb', line 43

# Check a single content_tag call for unescaped user or model input.
#
# The call's arguments are read positionally as: tag name, body content,
# attributes hash, and the flag controlling attribute-value escaping.
# @matched is reset before the first check and is set as a side effect of
# check_argument; once it is set, no further positions are examined.
#
# @param result [Hash] a call result produced by tracker.find_call
# @return [void]
def process_result result
  return if duplicate? result

  call = result[:call] = result[:call].dup
  tag_name, content, attributes, escape_attr = call.arglist.values_at(1, 2, 3, 4)

  @matched = false

  # User input in the tag name is unlikely, but it is not escaped either
  check_argument result, tag_name

  # The tag body is escaped only on Rails 3 and later (the rails_xss gem
  # does not escape it), so check it unless the app is on Rails 3 and the
  # body is not wrapped in raw()
  check_argument result, content unless @matched || (tracker.options[:rails3] && !raw?(content))

  # Attribute names are never escaped, so look for user input in the keys
  if !@matched && hash?(attributes) && !request_value?(attributes)
    hash_iterate(attributes) do |key, _value|
      check_argument result, key
      return if @matched
    end
  end

  # Attribute values are escaped by default; they are only worth checking
  # when the fourth argument explicitly disables escaping
  return if @matched || !attributes || !false?(escape_attr)

  if request_value?(attributes) || !hash?(attributes)
    check_argument result, attributes
  else
    hash_iterate(attributes) do |_key, value|
      check_argument result, value
      return if @matched
    end
  end
end

#raw?(exp) ⇒ Boolean

Returns:

  • (Boolean)

# File 'lib/brakeman/checks/check_content_tag.rb', line 157

# Whether +exp+ is a call to +raw+.
#
# @param exp [Sexp, Object] expression to test; non-call values yield false
# @return [Boolean]
def raw? exp
  call?(exp) && exp.method == :raw
end

#run_check ⇒ Object


# File 'lib/brakeman/checks/check_content_tag.rb', line 21

# Entry point for the check: set up the state used by the inherited XSS
# processing, then run process_result over every content_tag call found
# by tracker.find_call(target: false, method: :content_tag).
#
# State initialised here:
# - @ignore_methods: helper methods whose output is treated as already
#   safe, extended with the user-supplied :safe_methods option
# - @known_dangerous: empty list
# - @models: names of all known models
# - @inspect_arguments: the :check_arguments option
# - @mark: cleared; maintained by process_call
#
# @return [void]
def run_check
  safe_helpers = %i[button_to check_box escapeHTML escape_once
                    field_field fields_for h hidden_field
                    hidden_field_tag image_tag label
                    mail_to radio_button select
                    submit_tag text_area text_field
                    text_field_tag url_encode url_for
                    will_paginate]
  @ignore_methods = Set.new(safe_helpers).merge(tracker.options[:safe_methods])

  @known_dangerous = []
  content_tag_calls = tracker.find_call(target: false, method: :content_tag)

  @models = tracker.models.keys
  @inspect_arguments = tracker.options[:check_arguments]
  @mark = nil

  Brakeman.debug "Checking for XSS in content_tag"
  content_tag_calls.each { |call| process_result call }
end