class Sqreen::Rules::Haml4CompilerBuildAttributeCB

Hook on the Haml 4 compiler's attribute building.

Public Class Methods

# File lib/sqreen/rules/xss_cb.rb, line 216
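# Walks +hash+ recursively, passing every key through the block and
# rebuilding the hash with the keys the block hands back.
#
# The block receives a key and must return a two-element array
# +[new_key, found_xss]+: the key to store in the rebuilt hash and whether
# that key was flagged. Non-Hash values are copied unchanged. Hash values
# are walked recursively up to +limit+ levels deep; past that depth the
# method returns +nil+, which the caller stores in place of the nested
# hash.
#
# +seen+ collects the object_ids of hashes already visited so that a
# cyclic (or shared) nested hash is replaced by +nil+ instead of being
# walked again. Only Hash values are tracked: object_id is not unique for
# immediates such as +true+, small Integers or Symbols, so tracking every
# value would wrongly blank the second of two attributes holding the same
# immediate (e.g. two +true+ flags).
#
# @param hash [Hash] the hash to rebuild
# @param limit [Integer] remaining recursion depth
# @param seen [Array<Integer>] object_ids of hashes already visited
# @return [Array(Hash, Boolean), nil] +[new_hash, has_xss]+, where
#   +has_xss+ is true if the block flagged any key at any depth; +nil+
#   once +limit+ is exhausted
def self.clean_hash_key(hash, limit = 10, seen = [], &block)
  return if limit <= 0
  seen << hash.object_id
  has_xss = false
  new_h = {}
  hash.each do |k, v|
    # The key is always checked, even when its value is dropped below:
    # the attribute name itself is what ends up in the output.
    new_key, found_xss = yield k
    has_xss |= found_xss
    if v.is_a?(Hash)
      if seen.include?(v.object_id)
        # Already visited (cycle or shared subtree): do not walk it again.
        new_h[new_key] = nil
      else
        # Plain recursion on self keeps this correct for subclasses too.
        nested, nested_xss = clean_hash_key(v, limit - 1, seen, &block)
        new_h[new_key] = nested
        has_xss |= nested_xss
      end
    else
      new_h[new_key] = v
    end
  end
  [new_h, has_xss]
end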
Calls superclass method Sqreen::Rules::XSSCB::new
# File lib/sqreen/rules/xss_cb.rb, line 191
# Builds the callback through the XSSCB constructor with the same
# arguments, then switches @overtimeable off for this callback.
def initialize(*args)
  super
  @overtimeable = false
end

Public Instance Methods

# File lib/sqreen/rules/xss_cb.rb, line 196
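# Pre-hook for Haml 4 attribute building: inspects the attribute hash
# (the last positional argument) and, when a key matches a user-supplied
# parameter that is reported as dangerous, HTML-escapes that key before
# letting the original call run.
#
# @param inst [Object] the hooked instance; used to re-invoke the
#   original method with the cleaned arguments
# @param args [Array] the hooked method's arguments; the attribute hash
#   is expected at +args[-1]+
# @param _budget [Numeric, nil] unused; this callback sets
#   @overtimeable to false in its constructor
# @return [Hash, nil] +{ :status => :skip, :new_return_value => r }+ when
#   the call was re-run with escaped attributes, +nil+ when nothing was
#   flagged, the rule is not blocking, or this is not Haml 4
def pre(inst, args, _budget = nil, &_block)
  # Compare as versions, not strings: a plain String comparison would
  # treat a future two-digit major ('10.x') as "< 5".
  return unless Gem::Version.new(Haml::VERSION) < Gem::Version.new('5')
  attrs = args[-1]
  # Only a Hash can be walked; anything else is not the call we expect.
  return unless attrs.is_a?(Hash)
  params = xss_params
  new_attrs, found_xss = Haml4CompilerBuildAttributeCB.clean_hash_key(attrs) do |key|
    # nil is never a String, so the String check alone covers both cases.
    if key.is_a?(String) && params.include?(key) && report_dangerous_xss?(key)
      Sqreen.log.debug { format('Found unescaped user param: %s', key) }
      [CGI.escape_html(key), true]
    else
      [key, false]
    end
  end

  # NOTE(review): +block+ is not the +&_block+ parameter; it presumably
  # resolves to the rule's blocking-mode flag inherited from XSSCB —
  # confirm. When not blocking, the finding is reported but nothing is
  # rewritten.
  return if !found_xss || !block
  # potential XSS! let's escape
  args[-1] = new_attrs
  # +method+ is presumably the inherited name of the hooked method — confirm.
  r = inst.send(method, *args)
  { :status => :skip, :new_return_value => r }
end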