Sha256: 09256c5d2d86bfb6435a5a48038e5d760befe315af2b94e12205c9e3540907b7

Contents?: true

Size: 1.14 KB

Versions: 1

Compression:

Stored size: 1.14 KB

Contents

require 'brakeman/checks/base_check'

#Checks if user supplied data is passed to send
class Brakeman::CheckSend < Brakeman::BaseCheck
  Brakeman::Checks.add self

  @description = "Check for unsafe use of Object#send"

  def run_check
    Brakeman.debug("Finding instances of #send")
    calls = tracker.find_call :methods => [:send, :try, :__send__, :public_send]

    calls.each do |call|
      process_result call
    end
  end

  def process_result result
    process_call_args result[:call]
    target = process result[:call].target

    if input = has_immediate_user_input?(result[:call].first_arg)
      warn :result => result,
        :warning_type => "Dangerous Send",
        :message => "User controlled method execution",
        :code => result[:call],
        :user_input => input.match,
        :confidence => CONFIDENCE[:high]
    end

    if input = has_immediate_user_input?(target)
      warn :result => result,
        :warning_type => "Dangerous Send",
        :message => "User defined target of method invocation",
        :code => result[:call],
        :user_input => input.match,
        :confidence => CONFIDENCE[:med]
    end
  end
end

Version data entries

1 entries across 1 versions & 1 rubygems

Version Path
brakeman-1.9.2 lib/brakeman/checks/check_send.rb