class Railroader::CheckLinkTo

Checks for calls to link_to in versions of Ruby where link_to did not escape the first argument.

See rails.lighthouseapp.com/projects/8994/tickets/3518-link_to-doesnt-escape-its-input

Public Instance Methods

actually_process_call(exp) click to toggle source
# File lib/railroader/checks/check_link_to.rb, line 119
def actually_process_call exp
  return if @matched

  target = exp.target
  target = process target.dup if sexp? target

  # Bare records create links to the model resource,
  # not a string that could have injection
  # TODO: Needs test? I think this is broken?
  return exp if model_name? target and context == [:call, :arglist]

  super
end
check_argument(result, exp) click to toggle source

Check the argument for possible xss exploits

# File lib/railroader/checks/check_link_to.rb, line 61
def check_argument result, exp
  argument = process(exp)
  !check_user_input(result, argument) && !check_method(result, argument) && !check_matched(result, @matched)
end
check_matched(result, matched = nil) click to toggle source

Check if we should warn about the matched result

# File lib/railroader/checks/check_link_to.rb, line 90
def check_matched(result, matched = nil)
  return false unless matched
  return false if matched.type == :model and tracker.options[:ignore_model_output]

  message = "Unescaped #{friendly_type_of matched} in link_to"

  warn_xss(result, message, @matched, :medium)
end
check_method(result, argument) click to toggle source

Check if we should warn about the specified method

# File lib/railroader/checks/check_link_to.rb, line 77
def check_method(result, argument)
  return false if tracker.options[:ignore_model_output]
  match = has_immediate_model?(argument)
  return false unless match
  method = match.method
  return false if IGNORE_MODEL_METHODS.include? method

  confidence = :medium
  confidence = :high if likely_model_attribute? match
  warn_xss(result, "Unescaped model attribute in link_to", match, confidence)
end
check_user_input(result, argument) click to toggle source

Check we should warn about the user input

# File lib/railroader/checks/check_link_to.rb, line 67
def check_user_input(result, argument)
  input = has_immediate_user_input?(argument)
  return false unless input

  message = "Unescaped #{friendly_type_of input} in link_to"

  warn_xss(result, message, input, :high)
end
process_call(exp) click to toggle source
# File lib/railroader/checks/check_link_to.rb, line 113
def process_call exp
  @mark = true
  actually_process_call exp
  exp
end
process_result(result) click to toggle source
# File lib/railroader/checks/check_link_to.rb, line 32
def process_result result
  return if duplicate? result

  # Have to make a copy of this, otherwise it will be changed to
  # an ignored method call by the code above.
  call = result[:call] = result[:call].dup

  first_arg = call.first_arg
  second_arg = call.second_arg

  @matched = false

  # Skip if no arguments(?) or first argument is a hash
  return if first_arg.nil? or hash? first_arg

  if version_between? "2.0.0", "2.2.99"
    check_argument result, first_arg

    if second_arg and not hash? second_arg
      check_argument result, second_arg
    end
  elsif second_arg
    # Only check first argument if there is a second argument
    # in Rails 2.3.x
    check_argument result, first_arg
  end
end
run_check() click to toggle source
# File lib/railroader/checks/check_link_to.rb, line 12
def run_check
  return unless version_between?("2.0.0", "2.9.9") and not tracker.config.escape_html?

  @ignore_methods = Set[:button_to, :check_box, :escapeHTML, :escape_once,
                        :field_field, :fields_for, :h, :hidden_field,
                        :hidden_field, :hidden_field_tag, :image_tag, :label,
                        :mail_to, :radio_button, :select,
                        :submit_tag, :text_area, :text_field,
                        :text_field_tag, :url_encode, :u, :url_for,
                        :will_paginate].merge tracker.options[:safe_methods]

  @known_dangerous = []
  # Ideally, I think this should also check to see if people are setting
  #:escape => false
  @models = tracker.models.keys
  @inspect_arguments = tracker.options[:check_arguments]

  tracker.find_call(:target => false, :method => :link_to).each {|call| process_result call}
end
warn_xss(result, message, user_input, confidence) click to toggle source

Create a warn for this xss

# File lib/railroader/checks/check_link_to.rb, line 100
def warn_xss(result, message, user_input, confidence)
  add_result(result)
  warn :result => result,
    :warning_type => "Cross-Site Scripting",
    :warning_code => :xss_link_to,
    :message => message,
    :user_input => user_input,
    :confidence => confidence,
    :link_path => "link_to"

  true
end