require 'railroader/checks/base_check'

# Flags dynamically built regexes (interpolation sites the parser marks
# with the :railroader_regex_interp pseudo-method) whose components are
# derived from user input: attacker-controlled pattern text is the
# classic regular-expression denial-of-service vector.
class Railroader::CheckRegexDoS < Railroader::BaseCheck
  Railroader::Checks.add self

  # Regexp class methods whose result is treated as already escaped.
  # process_call hands such calls back untouched instead of descending
  # into them via super.
  ESCAPES = { s(:const, :Regexp) => [ :escape, :quote ] }

  @description = "Searches regexes including user input"

  # Entry point: collect every interpolated-regex call recorded by the
  # tracker and hand each one to process_result.
  def run_check
    Railroader.debug "Finding dynamic regexes"
    regex_calls = tracker.find_call :method => [:railroader_regex_interp]

    Railroader.debug "Processing dynamic regexes"
    regex_calls.each { |regex_call| process_result regex_call }
  end

  # Emits a "Denial of Service" warning for the first component of the
  # interpolated regex that carries user input. Results that are not
  # original? are skipped.
  #
  # Confidence is :high for direct user input, :medium for a model
  # attribute (wrapped in a Match of type :model) and :weak when user
  # input is only reachable through other values.
  def process_result result
    return unless original? result

    # result[:call] is the :railroader_regex_interp call; everything
    # after the method name is a component of the pattern.
    regex_parts = result[:call][1..-1]

    # any? stops at the first block evaluation that is truthy, so
    # iteration ends after the first reported component provided warn
    # returns a truthy value (presumed; not visible in this file).
    regex_parts.any? do |part|
      next unless sexp? part

      found, confidence = classify_regex_input(part)
      next unless found

      warn :result => result,
        :warning_type => "Denial of Service",
        :warning_code => :regex_dos,
        :message => "#{friendly_type_of(found).capitalize} used in regex",
        :confidence => confidence,
        :user_input => found
    end
  end

  # Regexp.escape / Regexp.quote calls are returned as-is without calling
  # super, presumably so that escaped interpolations are not reported as
  # user input; every other call goes to BaseCheck#process_call.
  def process_call(exp)
    escape_methods = ESCAPES[exp.target]
    return exp if escape_methods && escape_methods.include?(exp.method)

    super
  end

  private

  # Returns [match, confidence] for one regex component, or nil when the
  # component carries no recognisable user input. Checks run from the
  # most to the least direct form of input so the strongest match wins.
  def classify_regex_input(part)
    if (direct = has_immediate_user_input?(part))
      [direct, :high]
    elsif (model = has_immediate_model?(part))
      [Match.new(:model, model), :medium]
    elsif (indirect = include_user_input?(part))
      [indirect, :weak]
    end
  end
end