class Brakeman::CheckNumberToCurrency
# Sets up the check; all constructor arguments go straight to
# Brakeman::BaseCheck.
def initialize(*)
  super
  # Flipped to true once a per-call warning has been raised; run_check uses
  # it to decide whether the generic version warning is still needed.
  @found_any = false
end
# Warns on a single number-helper option expression when it is reported as
# immediate user input or an immediate model value.
#
# @param result call record from tracker.find_call; anchors the warning
# @param exp the option expression to inspect (presumably a Sexp)
# @return [Boolean] true when a warning was raised, false otherwise
def check_helper_option result, exp
  tainted = has_immediate_user_input?(exp) || has_immediate_model?(exp)
  return false unless tainted

  warn_on_number_helper result, tainted
  @found_any = true
end
# Finds every call (with no explicit target) to one of the number formatting
# helpers and inspects its second, options, argument. When that argument as a
# whole does not warn but is a hash, each hash value is inspected in turn.
def check_number_helper_usage
  helpers = [:number_to_currency, :number_to_percentage, :number_to_human]

  tracker.find_call(:target => false, :methods => helpers).each do |result|
    options = result[:call].second_arg
    next unless options
    # A warning on the whole options argument supersedes the per-value scan.
    next if check_helper_option(result, options)
    next unless hash? options

    hash_iterate(options) do |_key, value|
      # One tainted value is enough; stop scanning this hash.
      break if check_helper_option(result, value)
    end
  end
end
# Emits the version-only CVE-2014-0081 warning; run_check calls this when no
# concrete unsafe helper call was found. The suggested upgrade target depends
# on the app's Rails version line.
def generic_warning
  fixed = version_between?("2.3.0", "3.2.16") ? "3.2.17" : "4.0.3"

  message = msg(msg_version(rails_version),
                " has a vulnerability in number helpers ",
                msg_cve("CVE-2014-0081"),
                ". Upgrade to ")
  message << msg_version(fixed)

  warn :warning_type => "Cross-Site Scripting",
       :warning_code => :CVE_2014_0081,
       :message => message,
       :confidence => :medium,
       :gem_info => gemfile_or_environment,
       :link_path => "https://groups.google.com/d/msg/ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ"
end
# Check entry point. Only Rails versions inside the affected ranges are
# examined; the 2.3.18.8 LTS line is skipped. If no per-call warning was
# raised, a generic version warning is emitted instead.
def run_check
  affected = version_between?("2.0.0", "2.3.18") ||
             version_between?("3.0.0", "3.2.16") ||
             version_between?("4.0.0", "4.0.2")
  return unless affected
  # NOTE(review): the LTS release is treated as not affected - presumably it
  # carries the backported fix.
  return if lts_version? "2.3.18.8"

  check_number_helper_usage
  generic_warning unless @found_any
end