Sha256: d89210ac5db83f42023244acd48ddb5afa0566011513b521ff935835598af680
Contents?: true
Size: 1.57 KB
Versions: 25
Compression:
Stored size: 1.57 KB
Contents
class Brakeman::CheckRenderInline < Brakeman::CheckCrossSiteScripting
Brakeman::Checks.add self
@description = "Checks for cross-site scripting in render calls"
def run_check
setup
tracker.find_call(:target => nil, :method => :render).each do |result|
check_render result
end
end
def check_render result
return unless original? result
call = result[:call]
if node_type? call, :render and
(call.render_type == :text or call.render_type == :inline)
unless call.render_type == :text and content_type_set? call[3]
render_value = call[2]
if input = has_immediate_user_input?(render_value)
warn :result => result,
:warning_type => "Cross-Site Scripting",
:warning_code => :cross_site_scripting_inline,
:message => "Unescaped #{friendly_type_of input} rendered inline",
:user_input => input,
:confidence => :high
elsif input = has_immediate_model?(render_value)
warn :result => result,
:warning_type => "Cross-Site Scripting",
:warning_code => :cross_site_scripting_inline,
:message => "Unescaped model attribute rendered inline",
:user_input => input,
:confidence => :medium
end
end
end
end
CONTENT_TYPES = ["text/html", "text/javascript", "application/javascript"]
def content_type_set? opts
if hash? opts
content_type = hash_access(opts, :content_type)
string? content_type and not CONTENT_TYPES.include? content_type.value
end
end
end
Version data entries
25 entries across 25 versions & 3 rubygems