Class: Sqreen::Rules::XSSCB

Inherits:
RegexpRuleCB
Defined in:
lib/sqreen/rules/xss_cb.rb

Overview

XSSCB abstracts the behaviour common to the XSS rule templates (tpls).

Constant Summary

Constants inherited from RuleCB

RuleCB::DEFAULT_PAYLOAD

Constants included from CallCountable

CallCountable::COUNT_CALLS, CallCountable::FAILING, CallCountable::POST, CallCountable::PRE

Constants inherited from CB

CB::DEFAULT_PRIORITY

Instance Attribute Summary

Attributes inherited from RuleCB

#block, #payload_tpl, #test

Attributes included from CallCountable

#call_count_interval, #call_counts

Attributes inherited from FrameworkCB

#framework

Attributes inherited from CB

#klass, #method, #overtimeable

Instance Method Summary

Methods inherited from RegexpRuleCB

#match_regexp, #prepare

Methods inherited from RuleCB

#advise_action, #overtime!, #priority, #record_event, #record_exception, #rule_name, #rulespack_id

Methods included from CallCountable

#count_callback_calls, #failing_with_count, #post_with_count, #pre_with_count

Methods included from Conditionable

#condition_callbacks, #failing_with_conditions, #post_with_conditions, #pre_with_conditions

Methods inherited from FrameworkCB

#record_observation, #whitelisted?

Methods inherited from CB

#failing?, #framework, #overtime!, #post?, #pre?, #priority, #to_s, #whitelisted?

Constructor Details

#initialize(*args) ⇒ XSSCB

Returns a new instance of XSSCB.



# File 'lib/sqreen/rules/xss_cb.rb', line 17

def initialize(*args)
  super(*args)
  # Combine the rule's individual patterns into one alternation regexp.
  @union_pattern = Regexp.union(*@patterns)
end

Instance Method Details

#report_dangerous_xss?(value) ⇒ Boolean

The remaining code only determines whether the user input was an attack and records it. Since the response to the user does not depend on it, this would be better done in the background.

Returns:

  • (Boolean)


# File 'lib/sqreen/rules/xss_cb.rb', line 30

def report_dangerous_xss?(value)
  # match_regexp (from RegexpRuleCB) is falsy when nothing matched.
  found = match_regexp(value)

  return false unless found
  infos = {
    :found => found,
    :payload => value,
  }
  # Report the match; the caller only learns that a hit was recorded.
  record_event(infos)
  true
end

#xss_params ⇒ Object



# File 'lib/sqreen/rules/xss_cb.rb', line 22

def xss_params
  # Without a framework adapter there is nothing to inspect.
  return nil unless framework
  # Delegate to the framework adapter, passing the combined pattern.
  framework.xss_params(@union_pattern)
end
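The flow of #initialize, #report_dangerous_xss? and #xss_params, shown end to end as an added example that is not Sqreen's own code: XssRuleSketch, SAMPLE_PATTERNS and run_sample are stand-ins, and the patterns and input strings are constructed samples; events are collected in an array instead of being sent through record_event.

```ruby
# Added sketch of the XSSCB flow (not Sqreen's code): a union regexp built
# from a pattern list, a match_regexp stand-in, and a report_dangerous_xss?
# stand-in that records an event in memory. All names and data are constructed.
class XssRuleSketch
  attr_reader :events, :union_pattern

  # patterns may mix Regexps and plain strings: Regexp.union escapes the
  # strings and keeps the Regexps (and their flags) as-is, exactly as the
  # @union_pattern in XSSCB#initialize is built from @patterns.
  def initialize(patterns)
    @patterns = patterns
    @union_pattern = Regexp.union(*@patterns)
    @events = []
  end

  # Stand-in for RegexpRuleCB#match_regexp: the first matching fragment of
  # the value, or nil when nothing matches.
  def match_regexp(value)
    m = @union_pattern.match(value.to_s)
    m && m[0]
  end

  # Same shape as XSSCB#report_dangerous_xss?: false when clean, otherwise
  # record {:found, :payload} and return true.
  def report_dangerous_xss?(value)
    found = match_regexp(value)
    return false unless found
    @events << { :found => found, :payload => value }
    true
  end
end

# Constructed sample patterns: one case-insensitive Regexp and one plain
# string that Regexp.union will escape for us.
SAMPLE_PATTERNS = [/<\s*script\b/i, "javascript:"].freeze

# Runs three constructed inputs through the rule and returns the booleans
# plus the recorded events, so the outcome can be inspected or asserted on.
def run_sample
  rule = XssRuleSketch.new(SAMPLE_PATTERNS)
  inputs = ["hello world", "<SCRIPT>alert(1)</SCRIPT>", "javascript:void(0)"]
  results = inputs.map { |v| rule.report_dangerous_xss?(v) }
  [results, rule.events]
end
```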