Class: Brakeman::CheckSingleQuotes

Inherits:

BaseCheck

• Object
• SexpProcessor
• BaseCheck
• Brakeman::CheckSingleQuotes

Defined in:

lib/brakeman/checks/check_single_quotes.rb

Overview

Checks for versions which do not escape single quotes. groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion

Constant Summary

RACK_UTILS =

Sexp.new(:colon2, Sexp.new(:const, :Rack), :Utils)

Constants inherited from BaseCheck

BaseCheck::CONFIDENCE

Constants included from Util

Util::ALL_PARAMETERS, Util::COOKIES, Util::COOKIES_SEXP, Util::PARAMETERS, Util::PARAMS_SEXP, Util::PATH_PARAMETERS, Util::QUERY_PARAMETERS, Util::REQUEST_ENV, Util::REQUEST_PARAMETERS, Util::REQUEST_PARAMS, Util::SESSION, Util::SESSION_SEXP

Constants inherited from SexpProcessor

SexpProcessor::VERSION

Instance Attribute Summary

Attributes inherited from BaseCheck

#tracker, #warnings

Attributes inherited from SexpProcessor

#context, #env, #expected

Instance Method Summary

• #initialize(*args) ⇒ CheckSingleQuotes constructor

  A new instance of CheckSingleQuotes.

• #process_call(exp) ⇒ Object

  Look for.

• #process_class(exp) ⇒ Object

  Look for.

• #process_defn(exp) ⇒ Object

  Look for.

• #process_module(exp) ⇒ Object

  Look for.

• #run_check ⇒ Object
• #uses_rack_escape? ⇒ Boolean

  Process initializers to see if they use workaround by replacing Erb::Util.html_escape.

Methods inherited from BaseCheck

#add_result, inherited, #process_cookies, #process_default, #process_dstr, #process_if, #process_params

Methods included from Util

#array?, #block?, #call?, #camelize, #class_name, #contains_class?, #context_for, #cookies?, #false?, #file_by_name, #file_for, #github_url, #hash?, #hash_access, #hash_insert, #hash_iterate, #integer?, #make_call, #node_type?, #number?, #params?, #pluralize, #rails_version, #regexp?, #relative_path, #request_env?, #request_value?, #result?, #set_env_defaults, #sexp?, #string?, #string_interp?, #symbol?, #table_to_csv, #template_path_to_name, #true?, #truncate_table, #underscore

Methods included from ProcessorHelper

#process_all, #process_all!, #process_call_args, #process_call_defn?

Methods inherited from SexpProcessor

#in_context, #process, processors, #scope

Constructor Details

#initialize(*args) ⇒ CheckSingleQuotes

Returns a new instance of CheckSingleQuotes.

# File 'lib/brakeman/checks/check_single_quotes.rb', line 11

def initialize *args
  super
  @inside_erb = @inside_util = @inside_html_escape = @uses_rack_escape = false
end

Instance Method Details

#process_call(exp) ⇒ Object

Look for

Rack::Utils.escape_html

# File 'lib/brakeman/checks/check_single_quotes.rb', line 92

def process_call exp
  if @inside_html_escape and exp.target == RACK_UTILS and exp.method == :escape_html
    @uses_rack_escape = true
  else
    process exp.target if exp.target
  end

  exp
end

#process_class(exp) ⇒ Object

Look for

class ERB

# File 'lib/brakeman/checks/check_single_quotes.rb', line 53

def process_class exp
  if exp.class_name == :ERB
    @inside_erb = true
    process_all exp.body
    @inside_erb = false
  end

  exp
end

#process_defn(exp) ⇒ Object

Look for

def html_escape

# File 'lib/brakeman/checks/check_single_quotes.rb', line 79

def process_defn exp
  if @inside_util and exp.method_name == :html_escape
    @inside_html_escape = true
    process_all exp.body
    @inside_html_escape = false
  end

  exp
end

#process_module(exp) ⇒ Object

Look for

module Util

# File 'lib/brakeman/checks/check_single_quotes.rb', line 66

def process_module exp
  if @inside_erb and exp.module_name == :Util
    @inside_util = true
    process_all exp.body
    @inside_util = false
  end

  exp
end

#run_check ⇒ Object

# File 'lib/brakeman/checks/check_single_quotes.rb', line 16

def run_check
  return if uses_rack_escape?

  case
  when version_between?('2.0.0', '2.3.14')
    message = "All Rails 2.x versions do not escape single quotes (CVE-2012-3464)"
  when version_between?('3.0.0', '3.0.16')
    message = "Rails #{rails_version} does not escape single quotes (CVE-2012-3464). Upgrade to 3.0.17"
  when version_between?('3.1.0', '3.1.7')
    message = "Rails #{rails_version} does not escape single quotes (CVE-2012-3464). Upgrade to 3.1.8"
  when version_between?('3.2.0', '3.2.7')
    message = "Rails #{rails_version} does not escape single quotes (CVE-2012-3464). Upgrade to 3.2.8"
  else
    return
  end

  warn :warning_type => "Cross Site Scripting",
    :warning_code => :CVE_2012_3464,
    :message => message,
    :confidence => CONFIDENCE[:med],
    :gem_info => gemfile_or_environment,
    :link_path => "https://groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion"
end

#uses_rack_escape? ⇒ Boolean

Process initializers to see if they use workaround by replacing Erb::Util.html_escape

Returns:

• (Boolean)

# File 'lib/brakeman/checks/check_single_quotes.rb', line 42

def uses_rack_escape?
  @tracker.initializers.each do |name, src|
    process src
  end

  @uses_rack_escape
end