class Railroader::CheckSimpleFormat


# File lib/railroader/checks/check_simple_format.rb, line 29
# Walks every receiver-less call to +simple_format+ found by the tracker and
# reports each one whose argument processing produced a match.
#
# +@matched+ is reset to +false+ before each call; the argument walk done by
# +process_call+ (via +actually_process_call+, defined elsewhere) presumably
# replaces it with the matched input, which is then handed to
# +warn_on_simple_format+ as the user-input value.
def check_simple_format_usage
  calls = tracker.find_call(:target => false, :method => :simple_format)

  calls.each do |result|
    @matched = false
    process_call result[:call]

    warn_on_simple_format result, @matched if @matched
  end
end
# File lib/railroader/checks/check_simple_format.rb, line 18
# Emits one medium-confidence warning about the Rails version itself.
#
# +run_check+ calls this only when the app is on an affected version and no
# vulnerable +simple_format+ call site was reported, so the warning is tied
# to the Gemfile / environment (+gemfile_or_environment+) instead of a call.
def generic_warning
  warn(
    :warning_type => "Cross-Site Scripting",
    :warning_code => :CVE_2013_6416,
    :message => "Rails #{rails_version} has a vulnerability in simple_format (CVE-2013-6416). Upgrade to Rails version 4.0.2",
    :confidence => :medium,
    :gem_info => gemfile_or_environment,
    :link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ"
  )
end
# File lib/railroader/checks/check_simple_format.rb, line 39
# Processes a single call expression and returns it unchanged.
#
# +@mark+ is set before delegating to +actually_process_call+ (defined
# elsewhere); presumably the argument inspection only records matches while
# this flag is set — confirm against the base check.
#
# @param exp the call expression to inspect
# @return the same +exp+ object
def process_call exp
  @mark = true
  exp.tap { |call| actually_process_call call }
end
# File lib/railroader/checks/check_simple_format.rb, line 8
# Entry point for the check. Only Rails 4.0.0 through 4.0.1 are examined
# (the range affected by CVE-2013-6416); any other version is skipped.
#
# Enables argument inspection, registers +h+ and +escapeHTML+ in
# +@ignore_methods+ (presumably values passed through these escaping helpers
# are not reported — confirm in the base check), then scans for vulnerable
# +simple_format+ calls. When none is reported, a single generic warning
# about the Rails version is emitted instead.
def run_check
  return unless version_between? "4.0.0", "4.0.1"

  @inspect_arguments = true
  @ignore_methods = Set[:h, :escapeHTML]

  check_simple_format_usage
  generic_warning unless @found_any
end
# File lib/railroader/checks/check_simple_format.rb, line 45
# Reports one high-confidence warning for a +simple_format+ call whose
# argument matched, attaching the matched value as +:user_input+.
#
# Results that are not +original?+ are skipped (presumably duplicates of an
# already-reported location). Setting +@found_any+ tells +run_check+ that a
# call site was reported, which suppresses the generic version warning.
#
# @param result [Hash] a call result returned by +tracker.find_call+
# @param match the matched user input recorded during argument processing
def warn_on_simple_format result, match
  return unless original? result

  @found_any = true

  warn(
    :result => result,
    :warning_type => "Cross-Site Scripting",
    :warning_code => :CVE_2013_6416_call,
    :message => "Values passed to simple_format are not safe in Rails #{rails_version}",
    :confidence => :high,
    :link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ",
    :user_input => match
  )
end