class Railroader::CheckRender

Check calls to +render()+ for dangerous values

Public Instance Methods

check_for_dynamic_path(result) click to toggle source

Check if path to action or file is determined dynamically

# File lib/railroader/checks/check_render.rb, line 32
def check_for_dynamic_path result
  view = result[:call][2]

  if sexp? view and original? result

    if input = has_immediate_user_input?(view)
      if string_interp? view
        confidence = :medium
      else
        confidence = :high
      end
    elsif input = include_user_input?(view)
      confidence = :weak
    else
      return
    end

    return if input.type == :model # skip models
    return if safe_param? input.match

    message = "Render path contains #{friendly_type_of input}"

    warn :result => result,
      :warning_type => "Dynamic Render Path",
      :warning_code => :dynamic_render_path,
      :message => message,
      :user_input => input,
      :confidence => confidence
  end
end
check_for_rce(result) click to toggle source
# File lib/railroader/checks/check_render.rb, line 63
def check_for_rce result
  return unless version_between? "0.0.0", "3.2.22" or
                version_between? "4.0.0", "4.1.14" or
                version_between? "4.2.0", "4.2.5"


  view = result[:call][2]
  if sexp? view and not duplicate? result
    if params? view
      add_result result
      return if safe_param? view

      warn :result => result,
        :warning_type => "Remote Code Execution",
        :warning_code => :dynamic_render_path_rce,
        :message => "Passing query parameters to render() is vulnerable in Rails #{rails_version} (CVE-2016-0752)",
        :user_input => view,
        :confidence => :high
    end
  end
end
process_render_result(result) click to toggle source
# File lib/railroader/checks/check_render.rb, line 15
def process_render_result result
  return unless node_type? result[:call], :render

  case result[:call].render_type
  when :partial, :template, :action, :file
    check_for_rce(result) or
      check_for_dynamic_path(result)
  when :inline
  when :js
  when :json
  when :text
  when :update
  when :xml
  end
end
run_check() click to toggle source
# File lib/railroader/checks/check_render.rb, line 9
def run_check
  tracker.find_call(:target => nil, :method => :render).each do |result|
    process_render_result result
  end
end
safe_param?(exp) click to toggle source
# File lib/railroader/checks/check_render.rb, line 85
def safe_param? exp
  if params? exp and call? exp
    method_name = exp.method

    if method_name == :[]
      arg = exp.first_arg
      symbol? arg and [:controller, :action].include? arg.value
    else
      boolean_method? method_name
    end
  end
end