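# frozen_string_literal: true

module TaintedLove
  module Replacer
    # Ensures user input is tainted in Rails.
    #
    # Hooks the places where request-controlled data enters the application
    # (headers, params, cookies) and the rows loaded through ActiveRecord, so
    # that values originating outside the process carry the taint flag the
    # rest of TaintedLove relies on.
    #
    # Values that are frozen cannot be tainted (Object#taint raises on a frozen
    # receiver), so they are deliberately left untouched: that is a coverage
    # gap (untracked input), never a crash.
    class ReplaceRailsUserInput < Base
      # Only active when Rails itself is loaded.
      def should_replace?
        Object.const_defined?('Rails')
      end

      # Installs every hook. Each Rails component is guarded by its own
      # const_defined? check so that a partial Rails setup (e.g. without
      # ActiveRecord) still works.
      def replace!
        install_header_hook
        install_active_record_hook if Object.const_defined?('ActiveRecord::Base')
        install_controller_hooks if Object.const_defined?('ActionController::Base')
        install_parameter_keys_hook if Object.const_defined?('ActionController::Parameters')
      end

      private

      # Taints every header value read through ActionDispatch::Http::Headers#[].
      # Frozen values (and special constants such as nil) are passed through
      # untainted; the proxied return value is always handed back unchanged.
      def install_header_hook
        TaintedLove.proxy_method('ActionDispatch::Http::Headers', :[]) do |return_value, *_args|
          return_value.taint unless return_value.frozen?
          return_value
        end
      end

      # Taints the attribute values of every record loaded from the database.
      # Only the top-level attribute values are tainted; contents of serialized
      # columns (nested arrays/hashes) are not walked.
      def install_active_record_hook
        ActiveRecord::Base.after_find do
          attributes.each_value do |attribute_value|
            attribute_value.taint unless attribute_value.frozen?
          end
        end
      end

      # Adds before_action hooks to every controller so that params and cookies
      # are tainted before any action code runs.
      def install_controller_hooks
        ActionController::Base.class_eval do
          before_action :taint_params
          before_action :taint_cookies

          private

          # Recursively taints +value+ (the request params by default).
          # Containers (Parameters, HashWithIndifferentAccess, Array) are
          # tainted themselves and then walked, so array-valued params
          # (ids[]=1&ids[]=2) and arrays of nested hashes are covered too,
          # not just the array object.
          def taint_params(value = params)
            value.taint unless value.frozen?

            if value.is_a?(ActionController::Parameters) || value.is_a?(ActiveSupport::HashWithIndifferentAccess)
              value.values.each { |nested| taint_params(nested) }
            elsif value.is_a?(Array)
              value.each { |nested| taint_params(nested) }
            end
          end

          # Taints every cookie value of the current request; frozen values are
          # skipped rather than raising.
          def taint_cookies
            request.cookies.each_value do |cookie_value|
              cookie_value.taint unless cookie_value.frozen?
            end
          end
        end
      end

      # Makes ActionController::Parameters#keys return tainted copies of the
      # keys. Keys are dup'd first so that tainting never hits a frozen string.
      def install_parameter_keys_hook
        ActionController::Parameters.class_eval do
          def keys
            @parameters.keys.map { |key| key.dup.taint }
          end
        end
      end
    end
  end
end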