require 'brakeman/checks/base_check'

# Reports dynamic method dispatch (send and friends) whose method name
# comes straight from user-supplied data, so an attacker could pick which
# method gets invoked on the receiver.
class Brakeman::CheckSend < Brakeman::BaseCheck
  Brakeman::Checks.add self

  @description = "Check for unsafe use of Object#send"

  # Entry point: locate every send-family call and hand each one to
  # process_result.
  def run_check
    # Methods that dispatch by name; `try` is the ActiveSupport variant.
    @send_methods = [:send, :try, :__send__, :public_send]

    Brakeman.debug("Finding instances of #send")
    found = tracker.find_call :methods => @send_methods, :nested => true

    found.each { |call| process_result call }
  end

  # Examines one find_call result and emits a high-confidence warning when
  # the first argument of the send-family call (the method name) is
  # immediate user input.
  #
  # @param result [Hash] a find_call result; `result[:call]` is the matched
  #   call expression
  def process_result result
    return unless original? result

    # NOTE(review): get_send returns nil when no send-family call is found in
    # the chain; the code below assumes a match, as the original did.
    send_call = get_send result[:call]

    # Walk the arguments and the receiver so nested findings are still
    # processed before deciding on this call.
    process_call_args send_call
    process send_call.target

    input = has_immediate_user_input?(send_call.first_arg)
    return unless input

    warn result: result,
         warning_type: "Dangerous Send",
         warning_code: :dangerous_send,
         message: "User controlled method execution",
         code: result[:call],
         user_input: input,
         confidence: CONFIDENCE[:high]
  end

  # Walks down a call chain (receiver by receiver) until it finds a call
  # whose method is one of @send_methods.
  #
  # @param exp the expression to inspect
  # @return the send-family call expression, or nil if none is in the chain
  def get_send exp
    return unless call? exp
    return exp if @send_methods.include? exp.method

    get_send exp.target
  end
end