
require 'brakeman/checks/base_check'

# Reports when ActiveSupport's HTML-entity escaping for JSON output has been
# switched off, either through the Rails configuration or by assigning the
# setting directly on ActiveSupport / ActiveSupport::JSON::Encoding.
class Brakeman::CheckJSONEntityEscape < Brakeman::BaseCheck
  Brakeman::Checks.add self

  @description = "Check if HTML escaping is disabled for JSON output"

  # Entry point: first the configuration value, then explicit setter calls.
  def run_check
    check_config_setting
    check_manual_disable
  end

  # Warns when `config.active_support.escape_html_entities_in_json` resolves
  # to false in the tracked Rails configuration.
  def check_config_setting
    escape_setting = tracker.config.rails.dig(:active_support, :escape_html_entities_in_json)
    return unless false?(escape_setting)

    # A configuration value has no call site to attach to, so the warning is
    # pinned to the first line of the production environment file.
    warn warning_type: "Cross-Site Scripting",
         warning_code: :json_html_escape_config,
         message: msg("HTML entities in JSON are not escaped by default"),
         confidence: :medium,
         file: "config/environments/production.rb",
         line: 1
  end

  # Warns once per `escape_html_entities_in_json = false` assignment made
  # directly on ActiveSupport or ActiveSupport::JSON::Encoding.
  def check_manual_disable
    setter_calls = tracker.find_call(
      targets: [:ActiveSupport, :'ActiveSupport::JSON::Encoding'],
      method: :escape_html_entities_in_json=
    )

    setter_calls.each do |call_result|
      assigned_value = call_result[:call].first_arg
      next unless false?(assigned_value)

      # NOTE(review): the file is fixed to production.rb even though the
      # matched call is passed along as the result; presumably an assignment
      # living in another environment file or an initializer would still be
      # reported under this path — confirm against how warn resolves :file.
      warn result: call_result,
           warning_type: "Cross-Site Scripting",
           warning_code: :json_html_escape_module,
           message: msg("HTML entities in JSON are not escaped by default"),
           confidence: :medium,
           file: "config/environments/production.rb"
    end
  end
end
