Sha256: b6f36cb2591df691105525dcfbad1ef4bfc3c7a89328c647cbca54a4a8323b6f
Contents?: true
Size: 1.1 KB
Versions: 4
Compression:
Stored size: 1.1 KB
Contents
require 'brakeman/checks/base_check'
#Checks if user supplied data is passed to send
class Brakeman::CheckSend < Brakeman::BaseCheck
Brakeman::Checks.add self
@description = "Check for unsafe use of Object#send"
def run_check
Brakeman.debug("Finding instances of #send")
calls = tracker.find_call :method => :send
calls.each do |call|
process_result call
end
end
def process_result result
args = process_all result[:call].args
target = process result[:call].target
if input = has_immediate_user_input?(args.first)
warn :result => result,
:warning_type => "Dangerous Send",
:message => "User controlled method execution",
:code => result[:call],
:user_input => input.match,
:confidence => CONFIDENCE[:high]
end
if input = has_immediate_user_input?(target)
warn :result => result,
:warning_type => "Dangerous Send",
:message => "User defined target of method invocation",
:code => result[:call],
:user_input => input.match,
:confidence => CONFIDENCE[:med]
end
end
end
Version data entries
4 entries across 4 versions & 1 rubygems