class Railroader::CheckNumberToCurrency
new(*)
Calls superclass method
Railroader::BaseCheck::new
# File lib/railroader/checks/check_number_to_currency.rb, line 8
# Sets up the check: hands every argument to Railroader::BaseCheck#initialize
# unchanged, then starts with no per-call finding recorded.
# @found_any is set to true by check_helper_option when a specific
# number-helper call has been warned about; run_check reads it to decide
# whether the single generic CVE-2014-0081 warning is still needed.
def initialize(*)
  super
  @found_any = false
end
check_helper_option(result, exp)
# File lib/railroader/checks/check_number_to_currency.rb, line 56
# Examines one value handed to a number helper (+exp+) on behalf of the
# call +result+. Whenever has_immediate_user_input? or has_immediate_model?
# reports a match for +exp+, a high-confidence warning is emitted for that
# call, @found_any is recorded, and true is returned; with no match the
# method returns false so the caller can keep inspecting other values.
def check_helper_option(result, exp)
  match = has_immediate_user_input?(exp) || has_immediate_model?(exp)
  return false unless match

  warn_on_number_helper(result, match)
  @found_any = true
end
check_number_helper_usage()
# File lib/railroader/checks/check_number_to_currency.rb, line 42
# Walks every tracked call (:target => false) to number_to_currency,
# number_to_percentage or number_to_human and inspects its second argument,
# i.e. the format options. The argument is first checked as a whole; if
# that raises no warning and the argument is a hash, each value is checked
# in turn, stopping at the first one that does. Calls with no second
# argument are skipped.
def check_number_helper_usage
  number_methods = %i[number_to_currency number_to_percentage number_to_human]
  calls = tracker.find_call(:target => false, :methods => number_methods)

  calls.each do |result|
    options = result[:call].second_arg
    next unless options
    next if check_helper_option(result, options)
    next unless hash? options

    # One flagged value is enough; stop iterating the hash.
    hash_iterate(options) do |_key, value|
      break if check_helper_option(result, value)
    end
  end
end
generic_warning()
# File lib/railroader/checks/check_number_to_currency.rb, line 25
# Emits a single medium-confidence warning that the application's Rails
# version is affected by CVE-2014-0081 (XSS via number helpers); run_check
# uses it when no specific vulnerable call was found. The recommended
# upgrade target is 3.2.17 for versions between 2.3.0 and 3.2.16 and
# 4.0.3 otherwise.
def generic_warning
  fixed_version = version_between?("2.3.0", "3.2.16") ? "3.2.17" : "4.0.3"
  message = "Rails #{rails_version} has a vulnerability in number helpers (CVE-2014-0081). Upgrade to Rails version #{fixed_version}"

  warn :warning_type => "Cross-Site Scripting",
    :warning_code => :CVE_2014_0081,
    :message => message,
    :confidence => :medium,
    :gem_info => gemfile_or_environment,
    :link_path => "https://groups.google.com/d/msg/ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ"
end
run_check()
# File lib/railroader/checks/check_number_to_currency.rb, line 13
# Entry point for the check. Does nothing unless the Rails version falls in
# one of the ranges affected by CVE-2014-0081 (2.0.0–2.3.18, 3.0.0–3.2.16,
# 4.0.0–4.0.2) and is not the 2.3.18.8 LTS release. Otherwise it scans the
# number-helper calls and, when none of them was individually flagged,
# falls back to the generic version warning.
def run_check
  affected = version_between?("2.0.0", "2.3.18") ||
             version_between?("3.0.0", "3.2.16") ||
             version_between?("4.0.0", "4.0.2")
  return unless affected
  return if lts_version?("2.3.18.8")

  check_number_helper_usage
  generic_warning unless @found_any
end
warn_on_number_helper(result, match)
# File lib/railroader/checks/check_number_to_currency.rb, line 65
# Emits the high-confidence, call-specific CVE-2014-0081 warning for
# +result+, naming the helper method that received the unsafe format
# options and attaching +match+ (the user input or model expression found
# by check_helper_option) as the warning's :user_input.
def warn_on_number_helper(result, match)
  helper_name = result[:call].method
  message = "Format options in #{helper_name} are not safe in Rails #{rails_version}"

  warn :result => result,
    :warning_type => "Cross-Site Scripting",
    :warning_code => :CVE_2014_0081_call,
    :message => message,
    :confidence => :high,
    :link_path => "https://groups.google.com/d/msg/ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ",
    :user_input => match
end