Sha256: eca8b020366f8fed94acaf75981f432c90a24efff24dc74bd8a005f2b7af5e02

Contents?: true

Size: 1.25 KB

Versions: 20

Compression:

Stored size: 1.25 KB

Contents

require 'brakeman/checks/base_check'

#Checks if user supplied data is passed to send
class Brakeman::CheckSend < Brakeman::BaseCheck
  Brakeman::Checks.add self

  @description = "Check for unsafe use of Object#send"

  def run_check
    @send_methods = [:send, :try, :__send__, :public_send]
    Brakeman.debug("Finding instances of #send")
    calls = tracker.find_call :methods => @send_methods, :nested => true

    calls.each do |call|
      process_result call
    end
  end

  def process_result result
    return if duplicate? result or result[:call].original_line
    add_result result

    send_call = get_send result[:call]
    process_call_args send_call
    target = process send_call.target

    if input = has_immediate_user_input?(send_call.first_arg)
      warn :result => result,
        :warning_type => "Dangerous Send",
        :warning_code => :dangerous_send,
        :message => "User controlled method execution",
        :code => result[:call],
        :user_input => input.match,
        :confidence => CONFIDENCE[:high]
    end
  end

  # Recursively check call chain for send call
  def get_send exp
    if call? exp
      if @send_methods.include? exp.method
        return exp
      else
        get_send exp.target
      end
    end
  end
end

Version data entries

20 entries across 20 versions & 2 rubygems

Version Path
brakeman-3.1.1 lib/brakeman/checks/check_send.rb
brakeman-min-3.1.1 lib/brakeman/checks/check_send.rb
brakeman-3.1.0 lib/brakeman/checks/check_send.rb
brakeman-min-3.1.0 lib/brakeman/checks/check_send.rb
brakeman-3.0.5 lib/brakeman/checks/check_send.rb
brakeman-min-3.0.5 lib/brakeman/checks/check_send.rb
brakeman-3.0.4 lib/brakeman/checks/check_send.rb
brakeman-min-3.0.4 lib/brakeman/checks/check_send.rb
brakeman-min-3.0.3 lib/brakeman/checks/check_send.rb
brakeman-3.0.3 lib/brakeman/checks/check_send.rb
brakeman-min-3.0.2 lib/brakeman/checks/check_send.rb
brakeman-3.0.2 lib/brakeman/checks/check_send.rb
brakeman-min-3.0.1 lib/brakeman/checks/check_send.rb
brakeman-3.0.1 lib/brakeman/checks/check_send.rb
brakeman-3.0.0 lib/brakeman/checks/check_send.rb
brakeman-min-3.0.0 lib/brakeman/checks/check_send.rb
brakeman-2.6.3 lib/brakeman/checks/check_send.rb
brakeman-min-2.6.3 lib/brakeman/checks/check_send.rb
brakeman-min-2.6.2 lib/brakeman/checks/check_send.rb
brakeman-2.6.2 lib/brakeman/checks/check_send.rb