class Brakeman::CheckSanitizeConfigCve
Public Instance Methods
check_config()
click to toggle source
Look for
config.action_view.sanitized_allowed_tags = ["select", "style"]
# File lib/brakeman/checks/check_sanitize_config_cve.rb, line 52 def check_config sanitizer_config = tracker.config.rails.dig(:action_view, :sanitized_allowed_tags) if sanitizer_config and include_both_tags? sanitizer_config @specific_warning = true cve_warning confidence: :high end end
check_sanitize_calls()
click to toggle source
Look for
sanitize ..., tags: ["select", "style"]
and
Rails::Html::SafeListSanitizer.new.sanitize(..., tags: ["select", "style"])
# File lib/brakeman/checks/check_sanitize_config_cve.rb, line 65 def check_sanitize_calls tracker.find_call(method: :sanitize, target: nil).each do |result| check_tags_option result end tracker.find_call(method: :sanitize, target: :'Rails::Html::SafeListSanitizer.new').each do |result| check_tags_option result end end
cve_warning(confidence: :weak, result: nil)
click to toggle source
# File lib/brakeman/checks/check_sanitize_config_cve.rb, line 24 def cve_warning confidence: :weak, result: nil return if result and not original? result message = msg(msg_version(@gem_version, 'rails-html-sanitizer'), " is vulnerable to cross-site scripting when ", msg_code('select'), " and ", msg_code("style"), " tags are allowed ", msg_cve("CVE-2022-32209") ) unless result message << ". Upgrade to 1.4.3 or newer" end warn :warning_type => "Cross-Site Scripting", :warning_code => :CVE_2022_32209, :message => message, :confidence => confidence, :gem_info => gemfile_or_environment(:'rails-html-sanitizer'), :link_path => "https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s/m/S0fJfnkmBAAJ", :cwe_id => [79], :result => result end
run_check()
click to toggle source
# File lib/brakeman/checks/check_sanitize_config_cve.rb, line 8 def run_check @specific_warning = false @gem_version = tracker.config.gem_version :'rails-html-sanitizer' if version_between? "0.0.0", "1.4.2", @gem_version check_config check_sanitize_calls check_safe_list_allowed_tags unless @specific_warning # General warning about the vulnerable version cve_warning end end end
Private Instance Methods
check_result(result, arg)
click to toggle source
# File lib/brakeman/checks/check_sanitize_config_cve.rb, line 93 def check_result result, arg if include_both_tags? arg @specific_warning = true cve_warning confidence: :high, result: result end end
has_tag?(exp, tag)
click to toggle source
# File lib/brakeman/checks/check_sanitize_config_cve.rb, line 107 def has_tag? exp, tag tag_sym = tag.to_sym exp.each_sexp do |e| if string? e and e.value == tag return true elsif symbol? e and e.value == tag_sym return true end end false end