
require 'brakeman/checks/base_check'

#Checks for CVE-2012-3463, unescaped input in :prompt option of select_tag:
#https://groups.google.com/d/topic/rubyonrails-security/fV3QUToSMSw/discussion
class Brakeman::CheckSelectTag < Brakeman::BaseCheck
  Brakeman::Checks.add self

  @description = "Looks for unsafe uses of select_tag() in some versions of Rails 3.x"

  #Entry point. Does nothing unless the application's Rails version falls in
  #one of the affected 3.x ranges; otherwise every select_tag call made from a
  #template is handed to process_result.
  def run_check
    suggested_version = fixed_version_for_current_rails
    return unless suggested_version

    #Escaping helpers that neutralise a user-supplied :prompt, plus any
    #safe methods the user configured for this scan
    @ignore_methods = Set[:escapeHTML, :escape_once, :h].merge tracker.options[:safe_methods]

    @message = "Upgrade to Rails #{suggested_version}, #{tracker.config[:rails_version]} select_tag is vulnerable (CVE-2012-3463)"

    #Only calls located in templates are relevant
    template_calls = tracker.find_call(:target => nil, :method => :select_tag).select { |result| result[:location][:type] == :template }

    template_calls.each { |result| process_result result }
  end

  #Check if select_tag is called with user input in :prompt option
  def process_result result
    return if duplicate? result
    add_result result

    #select_tag's options hash is its last argument; no hash means no :prompt
    options = result[:call].last_arg
    return unless hash? options

    prompt_option = hash_access options, :prompt

    #A :prompt already wrapped in an escaping (or configured safe) method is not reported
    return if call?(prompt_option) && @ignore_methods.include?(prompt_option.method)
    return unless sexp? prompt_option

    input = include_user_input? prompt_option
    return unless input

    warn :warning_type => "Cross Site Scripting",
      :warning_code => :CVE_2012_3463,
      :result => result,
      :message => @message,
      :confidence => CONFIDENCE[:high],
      :user_input => input.match,
      :link_path => "https://groups.google.com/d/topic/rubyonrails-security/fV3QUToSMSw/discussion"
  end

  private

  #Returns the first patched Rails release for the detected version, or nil
  #when the application is not on an affected 3.x release.
  def fixed_version_for_current_rails
    if version_between? "3.0.0", "3.0.16"
      "3.0.17"
    elsif version_between? "3.1.0", "3.1.7"
      "3.1.8"
    elsif version_between? "3.2.0", "3.2.7"
      "3.2.8"
    end
  end
end
