Class: Sqreen::Rules::Haml4UtilInterpolationHookCB

Inherits:
RuleCB
Defined in:
lib/sqreen/rules/xss_cb.rb

Constant Summary

Constants inherited from RuleCB

RuleCB::DEFAULT_PAYLOAD

Constants included from CallCountable

CallCountable::COUNT_CALLS, CallCountable::FAILING, CallCountable::POST, CallCountable::PRE

Constants inherited from CB

CB::DEFAULT_PRIORITY

Instance Attribute Summary

Attributes inherited from RuleCB

#block, #payload_tpl, #test

Attributes included from CallCountable

#call_count_interval, #call_counts

Attributes inherited from FrameworkCB

#framework

Attributes inherited from CB

#klass, #method, #overtimeable

Instance Method Summary

Methods inherited from RuleCB

#advise_action, #overtime!, #priority, #record_event, #record_exception, #rule_name, #rulespack_id

Methods included from CallCountable

#count_callback_calls, #failing_with_count, #post_with_count, #pre_with_count

Methods included from Conditionable

#condition_callbacks, #failing_with_conditions, #post_with_conditions, #pre_with_conditions

Methods inherited from FrameworkCB

#record_observation, #whitelisted?

Methods inherited from CB

#failing?, #framework, #overtime!, #post?, #pre?, #priority, #to_s, #whitelisted?

Constructor Details

#initialize(*args) ⇒ Haml4UtilInterpolationHookCB

Returns a new instance of Haml4UtilInterpolationHookCB.



# File 'lib/sqreen/rules/xss_cb.rb', line 161

def initialize(*args)
  # Hand every constructor argument through to RuleCB unchanged, then mark
  # this callback as not subject to overtime handling (@overtimeable is the
  # attribute inherited from CB).
  super
  @overtimeable = false
end

Instance Method Details

#pre(_inst, args, _budget = nil, &_block) ⇒ Object



# File 'lib/sqreen/rules/xss_cb.rb', line 166

def pre(_inst, args, _budget = nil, &_block)
  # Also work in haml5
  template = args[0]
  escape_html = args[1]
  # This follows HAML's own interpolation rewrite; the one addition is that
  # every interpolated expression is wrapped in Sqreen.escape_haml so the
  # rendered value passes through Sqreen before it reaches the page.
  rewritten = ''
  tail = Haml::Util.handle_interpolation(template.dump) do |scan|
    # NOTE(review): scan[2] appears to be the run of backslashes in front of
    # the interpolation marker — confirm against Haml::Util's regexp.
    backslashes = (scan[2].size - 1) / 2
    # Read the matched text before balance() advances the scanner.
    rewritten << scan.matched[0...(-3 - backslashes)]
    if backslashes.even?
      # Same eval HAML uses to turn the dumped literal back into source text.
      # The input is the template being compiled (presumably developer-authored,
      # not request data). TODO: look for eval removal
      inner = Haml::Util.balance(scan, '{', '}', 1)[0][0...-1]
      content = eval(%("#{inner}")) # rubocop:disable Security/Eval
      content = "Haml::Helpers.html_escape((#{content}))" if escape_html
      rewritten << "\#{Sqreen.escape_haml((#{content}))}"
    else
      # An odd backslash count means the marker itself is escaped: keep it literally.
      rewritten << "\#{"
    end
  end
  { :status => :skip, :new_return_value => rewritten + tail }
end