class Brakeman::CheckReverseTabnabbing

Public Instance Methods

process_result(result) click to toggle source
# File lib/brakeman/checks/check_reverse_tabnabbing.rb, line 15
def process_result result
  return unless original? result and result[:call].last_arg

  html_opts = result[:call].last_arg
  return unless hash? html_opts

  target = hash_access html_opts, :target
  unless target &&
        (string?(target) && target.value == "_blank" ||
        symbol?(target) && target.value == :_blank)
    return
  end

  target_url = result[:block] ? result[:call].first_arg : result[:call].second_arg

  # `url_for` and `_path` calls lead to urls on to the same origin.
  # That means that an adversary would need to run javascript on
  # the victim application's domain. If that is the case, the adversary
  # already has the ability to redirect the victim user anywhere.
  # Also statically provided URLs (interpolated or otherwise) are also
  # ignored as they produce many false positives.
  return if !call?(target_url) || target_url.method.match(/^url_for$|_path$/)

  rel = hash_access html_opts, :rel
  confidence = :medium

  if rel && string?(rel) then
    rel_opt = rel.value
    return if rel_opt.include?("noopener") && rel_opt.include?("noreferrer")

    if rel_opt.include?("noopener") ^ rel_opt.include?("noreferrer") then
      confidence = :weak
    end
  end

  warn :result => result,
    :warning_type => "Reverse Tabnabbing",
    :warning_code => :reverse_tabnabbing,
    :message => msg("When opening a link in a new tab without setting ", msg_code('rel: "noopener noreferrer"'),
                    ", the new tab can control the parent tab's location. For example, an attacker could redirect to a phishing page."),
    :confidence => confidence,
    :user_input => rel,
    :cwe_id => [1022]
end
run_check() click to toggle source
# File lib/brakeman/checks/check_reverse_tabnabbing.rb, line 8
def run_check
  calls = tracker.find_call :methods => :link_to
  calls.each do |call|
    process_result call
  end
end