Sha256: a9e7980cf3b4240afd534ebbd5ea5863e865461286693db22fb9f4c81b30ab07
Contents?: true
Size: 1.1 KB
Versions: 4
Compression:
Stored size: 1.1 KB
Contents
require 'brakeman/checks/base_check'
#Checks if user supplied data is passed to send
class Brakeman::CheckSend < Brakeman::BaseCheck
Brakeman::Checks.add self
@description = "Check for unsafe use of Object#send"
def run_check
Brakeman.debug("Finding instances of #send")
calls = tracker.find_call :method => :send
calls.each do |call|
process_result call
end
end
def process_result result
process_call_args result[:call]
target = process result[:call].target
if input = has_immediate_user_input?(result[:call].first_arg)
warn :result => result,
:warning_type => "Dangerous Send",
:message => "User controlled method execution",
:code => result[:call],
:user_input => input.match,
:confidence => CONFIDENCE[:high]
end
if input = has_immediate_user_input?(target)
warn :result => result,
:warning_type => "Dangerous Send",
:message => "User defined target of method invocation",
:code => result[:call],
:user_input => input.match,
:confidence => CONFIDENCE[:med]
end
end
end
Version data entries
4 entries across 4 versions & 1 rubygems