class Brakeman::CheckValidationRegex
Reports any calls to validates_format_of
which do not use \A
and \z
as anchors in the given regular expression.
For example:
#Allows anything after new line validates_format_of :user_name, :with => /^\w+$/
Constants
- EXTENDED_SECURE_REGEXP_PATTERN
Match secure of regexp with extended option
- FORMAT
- SECURE_REGEXP_PATTERN
Match secure regexp without extended option
- WITH
Public Instance Methods
check_regex(value, validator)
click to toggle source
Issue warning if the regular expression does not use \A
and \z
# File lib/brakeman/checks/check_validation_regex.rb, line 84 def check_regex value, validator return unless regexp? value regex = value.value unless secure_regex?(regex) warn :model => @current_model, :warning_type => "Format Validation", :warning_code => :validation_regex, :message => msg("Insufficient validation for ", msg_code(get_name validator), " using ", msg_code(regex.inspect), ". Use ", msg_code("\\A"), " and ", msg_code("\\z"), " as anchors"), :line => value.line, :confidence => :high, :cwe_id => [777] end end
get_name(validator)
click to toggle source
Get the name of the attribute being validated.
# File lib/brakeman/checks/check_validation_regex.rb, line 100 def get_name validator name = validator[1] if sexp? name name.value else name end end
process_validates(validator)
click to toggle source
Check validates …, :format => …
# File lib/brakeman/checks/check_validation_regex.rb, line 47 def process_validates validator hash_arg = validator.last return unless hash? hash_arg value = hash_access(hash_arg, FORMAT) if hash? value value = hash_access(value, WITH) end if value check_regex value, validator end end
process_validates_format_of(validator)
click to toggle source
Check validates_format_of
# File lib/brakeman/checks/check_validation_regex.rb, line 40 def process_validates_format_of validator if value = hash_access(validator.last, WITH) check_regex value, validator end end
run_check()
click to toggle source
# File lib/brakeman/checks/check_validation_regex.rb, line 18 def run_check active_record_models.each do |name, model| @current_model = model format_validations = model.options[:validates_format_of] if format_validations format_validations.each do |v| process_validates_format_of v end end validates = model.options[:validates] if validates validates.each do |v| process_validates v end end end end
Private Instance Methods
secure_regex?(regex)
click to toggle source
# File lib/brakeman/checks/check_validation_regex.rb, line 112 def secure_regex?(regex) extended_regex = Regexp::EXTENDED == regex.options & Regexp::EXTENDED regex_pattern = extended_regex ? EXTENDED_SECURE_REGEXP_PATTERN : SECURE_REGEXP_PATTERN regex_pattern =~ regex.source end