class Brakeman::CheckRenderInline

Constants

CONTENT_TYPES

Public Instance Methods

check_render(result)
# File lib/brakeman/checks/check_render_inline.rb, line 14
# Inspect one `render` call and warn when `render :text` or `render :inline`
# is handed unescaped user input or a model attribute.
#
# Only calls whose render type is :text or :inline are of interest. A
# `render :text` call is skipped when #content_type_set? reports a literal
# content type outside CONTENT_TYPES (presumably the HTML types — see the
# constant); `render :inline` is never skipped, since it is still evaluated
# as a template.
#
# @param result [Hash] a call result from `tracker.find_call`; the render
#   Sexp is read from `result[:call]`, its render type from `call.render_type`,
#   the rendered value from `call[2]` and the options argument from `call[3]`
# @return [nil]
def check_render result
  return unless original? result

  call = result[:call]
  return unless node_type?(call, :render)

  render_type = call.render_type
  return unless render_type == :text || render_type == :inline

  # A non-HTML content type is only honoured for :text; inline templates
  # are always interpreted as markup.
  return if render_type == :text && content_type_set?(call[3])

  render_value = call[2]

  # Direct user input is the high-confidence case; a model attribute is
  # reported at medium confidence.
  if (input = has_immediate_user_input?(render_value))
    warn result: result,
      warning_type: "Cross-Site Scripting",
      warning_code: :cross_site_scripting_inline,
      message: msg("Unescaped ", msg_input(input), " rendered inline"),
      user_input: input,
      confidence: :high
  elsif (input = has_immediate_model?(render_value))
    warn result: result,
      warning_type: "Cross-Site Scripting",
      warning_code: :cross_site_scripting_inline,
      message: "Unescaped model attribute rendered inline",
      user_input: input,
      confidence: :medium
  end
end
content_type_set?(opts)
# File lib/brakeman/checks/check_render_inline.rb, line 46
# Report whether the render options pin a string-literal :content_type that
# is not listed in CONTENT_TYPES.
#
# Only a string literal counts: a missing or dynamically built content type
# leaves the result falsy, so the caller keeps warning (the conservative
# default for a security check).
#
# @param opts [Sexp, nil] the options argument of the render call
# @return [Boolean, nil] nil when opts is not a hash Sexp
def content_type_set? opts
  return unless hash? opts

  ctype = hash_access(opts, :content_type)
  string?(ctype) && !CONTENT_TYPES.include?(ctype.value)
end
run_check()
# File lib/brakeman/checks/check_render_inline.rb, line 6
# Entry point for the check: run the common setup, then pass every
# receiver-less `render` call found by the tracker to #check_render.
#
# @return [Array] the result of iterating the found calls (unused by callers)
def run_check
  setup

  render_calls = tracker.find_call(target: nil, method: :render)
  render_calls.each { |result| check_render result }
end