require 'railroader/checks/base_check'

# Check for uses of strip_tags in Rails versions before 3.0.17, 3.1.8, 3.2.8 (including 2.3.x):
# https://groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion
#
# Check for uses of strip_tags in Rails versions before 2.3.13 and 3.0.10:
# http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12
#
# Check for user of strip_tags with rails-html-sanitizer 1.0.2:
# https://groups.google.com/d/msg/rubyonrails-security/OU9ugTZcbjc/PjEP46pbFQAJ
class Railroader::CheckStripTags < Railroader::BaseCheck
  Railroader::Checks.add self

  @description = "Report strip_tags vulnerabilities"

  def run_check
    if uses_strip_tags?
      cve_2011_2931
      cve_2012_3465
    end

    cve_2015_7579
  end

  def cve_2011_2931
    if version_between?('2.0.0', '2.3.12') or version_between?('3.0.0', '3.0.9')
      if rails_version =~ /^3/
        message = "Versions before 3.0.10 have a vulnerability in strip_tags (CVE-2011-2931)"
      else
        message = "Versions before 2.3.13 have a vulnerability in strip_tags (CVE-2011-2931)"
      end

      warn :warning_type => "Cross-Site Scripting",
        :warning_code => :CVE_2011_2931,
        :message => message,
        :gem_info => gemfile_or_environment,
        :confidence => :high,
        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/K5EwdJt06hI/discussion"
    end
  end

  def cve_2012_3465
    case
    when (version_between?('2.0.0', '2.3.14') and tracker.config.escape_html?)
      message = "All Rails 2.x versions have a vulnerability in strip_tags (CVE-2012-3465)"
    when version_between?('3.0.10', '3.0.16')
      message = "Rails #{rails_version} has a vulnerability in strip_tags (CVE-2012-3465). Upgrade to 3.0.17"
    when version_between?('3.1.0', '3.1.7')
      message = "Rails #{rails_version} has a vulnerability in strip_tags (CVE-2012-3465). Upgrade to 3.1.8"
    when version_between?('3.2.0', '3.2.7')
      message = "Rails #{rails_version} has a vulnerability in strip_tags (CVE-2012-3465). Upgrade to 3.2.8"
    else
      return
    end

    warn :warning_type => "Cross-Site Scripting",
      :warning_code => :CVE_2012_3465,
      :message => message,
      :confidence => :high,
      :gem_info => gemfile_or_environment,
      :link_path => "https://groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion"
  end

  def cve_2015_7579
    if tracker.config.gem_version(:'rails-html-sanitizer') == '1.0.2'
      if uses_strip_tags?
        confidence = :high
      else
        confidence = :medium
      end

      message = "rails-html-sanitizer 1.0.2 is vulnerable (CVE-2015-7579). Upgrade to 1.0.3"

      warn :warning_type => "Cross-Site Scripting",
        :warning_code => :CVE_2015_7579,
        :message => message,
        :confidence => confidence,
        :gem_info => gemfile_or_environment,
        :link_path => "https://groups.google.com/d/msg/rubyonrails-security/OU9ugTZcbjc/PjEP46pbFQAJ"

    end
  end

  def uses_strip_tags?
    Railroader.debug "Finding calls to strip_tags()"

    not tracker.find_call(:target => false, :method => :strip_tags, :nested => true).empty?
  end
end