class Brakeman::CheckReverseTabnabbing
Public Instance Methods
process_result(result)
click to toggle source
# File lib/brakeman/checks/check_reverse_tabnabbing.rb, line 15 def process_result result return unless original? result and result[:call].last_arg html_opts = result[:call].last_arg return unless hash? html_opts target = hash_access html_opts, :target unless target && (string?(target) && target.value == "_blank" || symbol?(target) && target.value == :_blank) return end target_url = result[:block] ? result[:call].first_arg : result[:call].second_arg # `url_for` and `_path` calls lead to urls on to the same origin. # That means that an adversary would need to run javascript on # the victim application's domain. If that is the case, the adversary # already has the ability to redirect the victim user anywhere. # Also statically provided URLs (interpolated or otherwise) are also # ignored as they produce many false positives. return if !call?(target_url) || target_url.method.match(/^url_for$|_path$/) rel = hash_access html_opts, :rel confidence = :medium if rel && string?(rel) then rel_opt = rel.value return if rel_opt.include?("noopener") && rel_opt.include?("noreferrer") if rel_opt.include?("noopener") ^ rel_opt.include?("noreferrer") then confidence = :weak end end warn :result => result, :warning_type => "Reverse Tabnabbing", :warning_code => :reverse_tabnabbing, :message => msg("When opening a link in a new tab without setting ", msg_code('rel: "noopener noreferrer"'), ", the new tab can control the parent tab's location. For example, an attacker could redirect to a phishing page."), :confidence => confidence, :user_input => rel end
run_check()
click to toggle source
# File lib/brakeman/checks/check_reverse_tabnabbing.rb, line 8 def run_check calls = tracker.find_call :methods => :link_to calls.each do |call| process_result call end end