class Railroader::CheckSimpleFormat
check_simple_format_usage()
# File lib/railroader/checks/check_simple_format.rb, line 29
# Examine every receiver-less call to simple_format the tracker recorded and
# report each one whose processing flagged an unsafe value.
# @matched is cleared before each call; it is expected to be set by the
# inherited actually_process_call (not visible here) — confirm against parent.
def check_simple_format_usage
  simple_format_calls = tracker.find_call(:target => false, :method => :simple_format)

  simple_format_calls.each do |result|
    @matched = false
    process_call result[:call]
    warn_on_simple_format result, @matched if @matched
  end
end
generic_warning()
# File lib/railroader/checks/check_simple_format.rb, line 18
# Emit the version-level warning for CVE-2013-6416: the Rails release in use
# ships a vulnerable simple_format, independent of any particular call site.
# Confidence is only :medium because no concrete call is implicated.
def generic_warning
  upgrade_hint = "Rails #{rails_version} has a vulnerability in simple_format (CVE-2013-6416). Upgrade to Rails version 4.0.2"

  warn(
    :warning_type => "Cross-Site Scripting",
    :warning_code => :CVE_2013_6416,
    :message => upgrade_hint,
    :confidence => :medium,
    :gem_info => gemfile_or_environment,
    :link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ"
  )
end
process_call(exp)
# File lib/railroader/checks/check_simple_format.rb, line 39
# Set @mark and hand the call to the inherited processing, returning the
# expression itself so callers can keep working with it.
# The meaning of @mark belongs to the parent check — not visible here.
def process_call exp
  exp.tap do |call|
    @mark = true
    actually_process_call call
  end
end
run_check()
# File lib/railroader/checks/check_simple_format.rb, line 8
# Entry point. Only Rails 4.0.0 through 4.0.1 are affected by CVE-2013-6416:
# on those versions every simple_format call is inspected, and when none of
# them is reported a lower-confidence version-level warning is raised instead.
def run_check
  return unless version_between?("4.0.0", "4.0.1")

  # Both flags are presumably consumed by the inherited call processing — confirm.
  @inspect_arguments = true
  @ignore_methods = Set[:h, :escapeHTML]

  check_simple_format_usage
  generic_warning unless @found_any
end
warn_on_simple_format(result, match)
# File lib/railroader/checks/check_simple_format.rb, line 45
# Report one simple_format call whose input was flagged as unsafe.
# Skipped unless original? accepts the result (presumably a duplicate filter,
# inherited). Sets @found_any so run_check can skip the generic warning.
# Confidence is :high because both the call site and the value are known.
def warn_on_simple_format result, match
  return unless original? result

  @found_any = true
  unsafe_message = "Values passed to simple_format are not safe in Rails #{rails_version}"

  warn(
    :result => result,
    :warning_type => "Cross-Site Scripting",
    :warning_code => :CVE_2013_6416_call,
    :message => unsafe_message,
    :confidence => :high,
    :link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ",
    :user_input => match
  )
end