class Railroader::CheckStripTags

Check for uses of strip_tags in Rails versions before 3.0.17, 3.1.8, 3.2.8 (including 2.3.x): groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion

Check for uses of strip_tags in Rails versions before 2.3.13 and 3.0.10: groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12

Check for user of strip_tags with rails-html-sanitizer 1.0.2: groups.google.com/d/msg/rubyonrails-security/OU9ugTZcbjc/PjEP46pbFQAJ

Public Instance Methods

cve_2011_2931() click to toggle source
# File lib/railroader/checks/check_strip_tags.rb, line 25
def cve_2011_2931
  if version_between?('2.0.0', '2.3.12') or version_between?('3.0.0', '3.0.9')
    if rails_version =~ /^3/
      message = "Versions before 3.0.10 have a vulnerability in strip_tags (CVE-2011-2931)"
    else
      message = "Versions before 2.3.13 have a vulnerability in strip_tags (CVE-2011-2931)"
    end

    warn :warning_type => "Cross-Site Scripting",
      :warning_code => :CVE_2011_2931,
      :message => message,
      :gem_info => gemfile_or_environment,
      :confidence => :high,
      :link_path => "https://groups.google.com/d/topic/rubyonrails-security/K5EwdJt06hI/discussion"
  end
end
cve_2012_3465() click to toggle source
# File lib/railroader/checks/check_strip_tags.rb, line 42
def cve_2012_3465
  case
  when (version_between?('2.0.0', '2.3.14') and tracker.config.escape_html?)
    message = "All Rails 2.x versions have a vulnerability in strip_tags (CVE-2012-3465)"
  when version_between?('3.0.10', '3.0.16')
    message = "Rails #{rails_version} has a vulnerability in strip_tags (CVE-2012-3465). Upgrade to 3.0.17"
  when version_between?('3.1.0', '3.1.7')
    message = "Rails #{rails_version} has a vulnerability in strip_tags (CVE-2012-3465). Upgrade to 3.1.8"
  when version_between?('3.2.0', '3.2.7')
    message = "Rails #{rails_version} has a vulnerability in strip_tags (CVE-2012-3465). Upgrade to 3.2.8"
  else
    return
  end

  warn :warning_type => "Cross-Site Scripting",
    :warning_code => :CVE_2012_3465,
    :message => message,
    :confidence => :high,
    :gem_info => gemfile_or_environment,
    :link_path => "https://groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion"
end
cve_2015_7579() click to toggle source
# File lib/railroader/checks/check_strip_tags.rb, line 64
def cve_2015_7579
  if tracker.config.gem_version(:'rails-html-sanitizer') == '1.0.2'
    if uses_strip_tags?
      confidence = :high
    else
      confidence = :medium
    end

    message = "rails-html-sanitizer 1.0.2 is vulnerable (CVE-2015-7579). Upgrade to 1.0.3"

    warn :warning_type => "Cross-Site Scripting",
      :warning_code => :CVE_2015_7579,
      :message => message,
      :confidence => confidence,
      :gem_info => gemfile_or_environment,
      :link_path => "https://groups.google.com/d/msg/rubyonrails-security/OU9ugTZcbjc/PjEP46pbFQAJ"

  end
end
run_check() click to toggle source
# File lib/railroader/checks/check_strip_tags.rb, line 16
def run_check
  if uses_strip_tags?
    cve_2011_2931
    cve_2012_3465
  end

  cve_2015_7579
end
uses_strip_tags?() click to toggle source
# File lib/railroader/checks/check_strip_tags.rb, line 84
def uses_strip_tags?
  Railroader.debug "Finding calls to strip_tags()"

  not tracker.find_call(:target => false, :method => :strip_tags, :nested => true).empty?
end