
require 'brakeman/checks/base_check'

#Checks for CVE-2012-3463, unescaped input in :prompt option of select_tag:
#https://groups.google.com/d/topic/rubyonrails-security/fV3QUToSMSw/discussion
class Brakeman::CheckSelectTag < Brakeman::BaseCheck
  Brakeman::Checks.add self

  @description = "Looks for unsafe uses of select_tag() in some versions of Rails 3.x"

  #Vulnerable Rails ranges, each paired with the first release that fixes it.
  #Entries are [lowest affected, highest affected, fixed]; the first matching
  #range wins.
  AFFECTED_VERSIONS = [
    ["3.0.0", "3.0.16", "3.0.17"],
    ["3.1.0", "3.1.7", "3.1.8"],
    ["3.2.0", "3.2.7", "3.2.8"]
  ].freeze

  #Entry point for the check. Does nothing unless the scanned Rails version
  #falls inside a vulnerable range; otherwise inspects every select_tag call
  #that originates from a template.
  def run_check
    fixed_version = suggested_rails_version
    return unless fixed_version

    #A :prompt value wrapped in one of these escaping helpers (plus any
    #user-configured safe methods) is not reported.
    @ignore_methods = Set[:escapeHTML, :escape_once, :h].merge tracker.options[:safe_methods]

    @message = "Upgrade to Rails #{fixed_version}, #{tracker.config[:rails_version]} select_tag is vulnerable (CVE-2012-3463)"

    #Only select_tag calls located in templates are relevant
    template_calls = tracker.find_call(:target => nil, :method => :select_tag).select { |r| r[:location][0] == :template }

    template_calls.each { |r| process_result r }
  end

  #Check if select_tag is called with user input in :prompt option.
  #Records the result and emits a high-confidence XSS warning when the
  #:prompt option is built from user input that passed through no known
  #escaping helper.
  def process_result result
    return if duplicate? result
    add_result result

    #Only the last argument is inspected, and only when it is a hash
    #(the options hash carrying :prompt)
    options = result[:call].arglist.last
    return unless hash? options

    prompt = hash_access options, :prompt

    #Already escaped via a recognised helper: nothing to report
    return if call?(prompt) && @ignore_methods.include?(prompt.method)
    return unless sexp? prompt

    input = include_user_input? prompt
    return unless input

    warn :warning_type => "Cross Site Scripting",
      :result => result,
      :message => @message,
      :confidence => CONFIDENCE[:high],
      :user_input => input.match,
      :link_path => "https://groups.google.com/d/topic/rubyonrails-security/fV3QUToSMSw/discussion"
  end

  private

  #Returns the patched Rails release for the first vulnerable range that
  #covers the scanned application, or nil when the version is not affected.
  def suggested_rails_version
    range = AFFECTED_VERSIONS.find do |low, high, _fixed|
      version_between? low, high
    end
    range && range.last
  end
end
