class Brakeman::CheckSingleQuotes

Checks for versions which do not escape single quotes. groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion

Constants

RACK_UTILS

Public Class Methods

new(*args) click to toggle source
Calls superclass method Brakeman::BaseCheck::new
# File lib/brakeman/checks/check_single_quotes.rb, line 11
def initialize *args
  super
  @inside_erb = @inside_util = @inside_html_escape = @uses_rack_escape = false
end

Public Instance Methods

process_call(exp) click to toggle source

Look for

Rack::Utils.escape_html
# File lib/brakeman/checks/check_single_quotes.rb, line 97
def process_call exp
  if @inside_html_escape and exp.target == RACK_UTILS and exp.method == :escape_html
    @uses_rack_escape = true
  else
    process exp.target if exp.target
  end

  exp
end
process_class(exp) click to toggle source

Look for

class ERB
# File lib/brakeman/checks/check_single_quotes.rb, line 58
def process_class exp
  if exp.class_name == :ERB
    @inside_erb = true
    process_all exp.body
    @inside_erb = false
  end

  exp
end
process_defn(exp) click to toggle source

Look for

def html_escape
# File lib/brakeman/checks/check_single_quotes.rb, line 84
def process_defn exp
  if @inside_util and exp.method_name == :html_escape
    @inside_html_escape = true
    process_all exp.body
    @inside_html_escape = false
  end

  exp
end
process_module(exp) click to toggle source

Look for

module Util
# File lib/brakeman/checks/check_single_quotes.rb, line 71
def process_module exp
  if @inside_erb and exp.module_name == :Util
    @inside_util = true
    process_all exp.body
    @inside_util = false
  end

  exp
end
run_check() click to toggle source
# File lib/brakeman/checks/check_single_quotes.rb, line 16
def run_check
  return if uses_rack_escape?

  if version_between? '2.0.0', '2.3.14'
    message = msg("All Rails 2.x versions do not escape single quotes ", msg_cve("CVE-2012-3464"))
  else
    message = msg(msg_version(rails_version), " does not escape single quotes ", msg_cve("CVE-2012-3464"), ". Upgrade to ")

    case
    when version_between?('3.0.0', '3.0.16')
      message << msg_version('3.0.17')
    when version_between?('3.1.0', '3.1.7')
      message << msg_version('3.1.8')
    when version_between?('3.2.0', '3.2.7')
      message << msg_version('3.2.8')
    else
      return
    end
  end

  warn :warning_type => "Cross-Site Scripting",
    :warning_code => :CVE_2012_3464,
    :message => message,
    :confidence => :medium,
    :gem_info => gemfile_or_environment,
    :link_path => "https://groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion",
    :cwe_id => [79]
end
uses_rack_escape?() click to toggle source

Process initializers to see if they use workaround by replacing Erb::Util.html_escape

# File lib/brakeman/checks/check_single_quotes.rb, line 47
def uses_rack_escape?
  @tracker.initializers.each do |_name, src|
    process src
  end

  @uses_rack_escape
end