Class: Sqreen::Rules::Haml4CompilerBuildAttributeCB

Inherits:
XSSCB
Defined in:
lib/sqreen/rules/xss_cb.rb

Overview

Hooks Haml 4 attribute building.

Constant Summary

Constants inherited from RuleCB

RuleCB::DEFAULT_PAYLOAD

Constants included from CallCountable

CallCountable::COUNT_CALLS, CallCountable::FAILING, CallCountable::POST, CallCountable::PRE

Constants inherited from CB

CB::DEFAULT_PRIORITY

Instance Attribute Summary

Attributes inherited from RuleCB

#block, #payload_tpl, #test

Attributes included from CallCountable

#call_count_interval, #call_counts

Attributes inherited from FrameworkCB

#framework

Attributes inherited from CB

#klass, #method, #overtimeable

Class Method Summary

Instance Method Summary

Methods inherited from XSSCB

#report_dangerous_xss?, #xss_params

Methods inherited from RegexpRuleCB

#match_regexp, #prepare

Methods inherited from RuleCB

#advise_action, #overtime!, #priority, #record_event, #record_exception, #rule_name, #rulespack_id

Methods included from CallCountable

#count_callback_calls, #failing_with_count, #post_with_count, #pre_with_count

Methods included from Conditionable

#condition_callbacks, #failing_with_conditions, #post_with_conditions, #pre_with_conditions

Methods inherited from FrameworkCB

#record_observation, #whitelisted?

Methods inherited from CB

#failing?, #framework, #overtime!, #post?, #pre?, #priority, #to_s, #whitelisted?

Constructor Details

#initialize(*args) ⇒ Haml4CompilerBuildAttributeCB

Returns a new instance of Haml4CompilerBuildAttributeCB.



# File 'lib/sqreen/rules/xss_cb.rb', line 191

# Builds the callback and clears the inherited @overtimeable flag (a CB
# attribute), presumably so the overtime budget never cuts this hook short
# -- confirm against CB#overtime!.
#
# @param args forwarded unchanged to the superclass constructor
def initialize(*args)
  super
  @overtimeable = false
end

Class Method Details

.clean_hash_key(hash, limit = 10, seen = [], &block) ⇒ Object



# File 'lib/sqreen/rules/xss_cb.rb', line 216

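# Walks +hash+ (recursing into nested Hash values) and rebuilds it with
# every key passed through the block.
#
# @param hash [Hash] attribute hash to clean
# @param limit [Integer] remaining recursion depth; when it reaches 0 the
#   subtree is dropped (its value becomes nil) and nothing is flagged for it
# @param seen [Array<Integer>] object_ids of the Hashes already visited,
#   used to cut cycles and shared subtrees; only Hash values are recorded
# @yieldparam key [Object] an attribute key
# @yieldreturn [Array(Object, Boolean)] the key to use in the result and
#   whether it was found to carry dangerous content
# @return [Array(Hash, Boolean)] the rebuilt hash and whether any key in
#   the tree was flagged (nil in place of the hash past the depth limit)
def self.clean_hash_key(hash, limit = 10, seen = [], &block)
  seen << hash.object_id
  # Depth guard: always hand back a pair so callers can destructure it.
  return [nil, false] if limit <= 0
  has_xss = false
  new_h = {}
  hash.each do |k, v|
    new_key, found_xss = yield k
    has_xss |= found_xss
    if !v.is_a?(Hash)
      # Scalars are copied as-is. Their object_ids are deliberately not
      # tracked: immediates (true, symbols, small integers) share an id, so
      # tracking them blanked repeated values such as {a: true, b: true}.
      new_h[new_key] = v
    elsif seen.include?(v.object_id)
      # Cycle (or already-visited subtree): cut it instead of looping.
      new_h[new_key] = nil
    else
      sub_h, sub_xss = clean_hash_key(v, limit - 1, seen, &block)
      new_h[new_key] = sub_h
      has_xss |= sub_xss
    end
  end
  [new_h, has_xss]
end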

Instance Method Details

#pre(inst, args, _budget = nil, &_block) ⇒ Object



# File 'lib/sqreen/rules/xss_cb.rb', line 196

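# Pre-hook for Haml 4's attribute builder: escapes attribute keys that
# echo a request parameter reported as dangerous, then runs the hooked
# method itself with the cleaned attributes.
#
# @param inst [Object] receiver of the hooked method
# @param args [Array] arguments of the hooked call; the last one is the
#   attribute Hash
# @param _budget unused
# @return [Hash, nil] +{ :status => :skip, :new_return_value => r }+ when
#   the call was taken over with escaped attributes, nil to let the
#   original call proceed untouched
def pre(inst, args, _budget = nil, &_block)
  # Only Haml 4.x is handled here. Gem::Version avoids the lexicographic
  # trap of comparing version strings ('10' < '5' is true for Strings).
  return unless Gem::Version.new(Haml::VERSION) < Gem::Version.new('5')
  attrs = args[-1]
  # Only a Hash can be walked; anything else is left to the original call.
  return unless attrs.is_a?(Hash)
  params = xss_params
  new_attrs, found_xss = Haml4CompilerBuildAttributeCB.clean_hash_key(attrs) do |key|
    if key.is_a?(String) && params.include?(key) && report_dangerous_xss?(key)
      Sqreen.log.debug { format('Found unescaped user param: %s', key) }
      [CGI.escape_html(key), true]
    else
      [key, false]
    end
  end

  # +block+ is presumably the inherited RuleCB#block flag (blocking mode);
  # without it we only report and leave the call untouched -- confirm.
  return unless found_xss && block
  # potential XSS! let's escape
  args[-1] = new_attrs
  r = inst.send(method, *args)
  { :status => :skip, :new_return_value => r }
end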