Sha256: e3ff6b3490c7fcf9387d993ef0fbcdc79e6363baacccfce964bbdb912ae623b7

Contents?: true

Size: 1005 Bytes

Versions: 5

Compression:

Stored size: 1005 Bytes

Contents

require 'brakeman/checks/base_check'

#Checks for uses of strip_tags in Rails versions before 2.3.13 and 3.0.10
#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12
class Brakeman::CheckStripTags < Brakeman::BaseCheck
  Brakeman::Checks.add self

  def run_check
    if (version_between?('2.0.0', '2.3.12') or 
        version_between?('3.0.0', '3.0.9')) and uses_strip_tags?

      if tracker.config[:rails_version] =~ /^3/
        message = "Versions before 3.0.10 have a vulnerability in strip_tags: CVE-2011-2931"
      else
        message = "Versions before 2.3.13 have a vulnerability in strip_tags: CVE-2011-2931"
      end

      warn :warning_type => "Cross Site Scripting",
        :message => message,
        :confidence => CONFIDENCE[:high],
        :file => gemfile_or_environment
    end
  end

  def uses_strip_tags?
    debug_info "Finding calls to strip_tags()"

    not tracker.find_call(:target => false, :method => :strip_tags).empty?
  end
end

Version data entries

5 entries across 5 versions & 1 rubygems

Version Path
brakeman-1.2.0 lib/brakeman/checks/check_strip_tags.rb
brakeman-1.1.0 lib/brakeman/checks/check_strip_tags.rb
brakeman-1.1.pre lib/brakeman/checks/check_strip_tags.rb
brakeman-1.0.0 lib/brakeman/checks/check_strip_tags.rb
brakeman-1.0.rc1 lib/brakeman/checks/check_strip_tags.rb