Class: TaintedLove::Replacer::ReplaceRailsUserInput

Inherits:
Base
  • Object
show all
Defined in:
lib/tainted_love/replacer/replace_rails_user_input.rb

Overview

Ensures user input is tainted in Rails

Instance Method Summary collapse

Methods inherited from Base

replacers

Instance Method Details

#replace!Object 



11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
 
# File 'lib/tainted_love/replacer/replace_rails_user_input.rb', line 11

def replace!

  # taint the values loaded from the database
  if Object.const_defined?('ActiveRecord::Base')
    ActiveRecord::Base.after_find do
      attributes.each do |key, value|
        TaintedLove.tag(value.taint, source: "ActiveRecord attribute #{self.class.to_s}##{key}", value: value)
      end
    end
  end

  TaintedLove.proxy_method('ActionDispatch::Http::Headers', :[]) do |return_value, *args|
    TaintedLove.tag(return_value.taint, source: "headers[#{args.first.inspect}]", value: return_value)
  end

  # taint params keys
  if Object.const_defined?('ActionController::Parameters')
    ActionController::Parameters.class_eval do
      def keys
        @parameters.keys.map { |key|
          TaintedLove.tag(key.dup.taint, source: "Parameter name #{key.inspect}", value: key)
        }
      end
    end
  end

  # Transfer tags from String to SafeBuffer
  TaintedLove.proxy_method('ActiveSupport::SafeBuffer', :initialize) do |return_value, str|
    return_value.tainted_love_tags = str.tainted_love_tags
  end
end

#should_replace?Boolean

Returns:

  • (Boolean) 


7
8
9
 
# File 'lib/tainted_love/replacer/replace_rails_user_input.rb', line 7

def should_replace?
  Object.const_defined?('Rails')
end