Class: Sqreen::Rules::ReflectedXSSCB

Inherits:

XSSCB

• Object
• CB
• FrameworkCB
• RuleCB
• RegexpRuleCB
• XSSCB
• Sqreen::Rules::ReflectedXSSCB

Defined in:

lib/sqreen/rules/xss_cb.rb

Overview

look for reflected XSS with erb template engine

Constant Summary

Constants inherited from RuleCB

Sqreen::Rules::RuleCB::DEFAULT_PAYLOAD

Constants included from CallCountable

CallCountable::COUNT_CALLS, CallCountable::FAILING, CallCountable::POST, CallCountable::PRE

Constants inherited from CB

CB::DEFAULT_PRIORITY

Instance Attribute Summary

Attributes inherited from RuleCB

#block, #payload_tpl, #test

Attributes included from CallCountable

#call_count_interval, #call_counts

Attributes inherited from FrameworkCB

#framework

Attributes inherited from CB

#klass, #method, #overtimeable

Instance Method Summary

• #pre(_inst, args, _budget = nil, &_block) ⇒ Object

Methods inherited from XSSCB

#initialize, #report_dangerous_xss?, #xss_params

Methods inherited from RegexpRuleCB

#initialize, #match_regexp, #prepare

Methods inherited from RuleCB

#advise_action, #initialize, #overtime!, #priority, #record_event, #record_exception, #rule_name, #rulespack_id

Methods included from CallCountable

#count_callback_calls, #failing_with_count, #post_with_count, #pre_with_count

Methods included from Conditionable

#condition_callbacks, #failing_with_conditions, #post_with_conditions, #pre_with_conditions

Methods inherited from FrameworkCB

#record_observation, #whitelisted?

Methods inherited from CB

#failing?, #framework, #initialize, #overtime!, #post?, #pre?, #priority, #to_s, #whitelisted?

Constructor Details

This class inherits a constructor from Sqreen::Rules::XSSCB

Instance Method Details

#pre(_inst, args, _budget = nil, &_block) ⇒ Object

# File 'lib/sqreen/rules/xss_cb.rb', line 67

def pre(_inst, args, _budget = nil, &_block)
  value = args[0]

  return unless value.is_a?(String)

  # If the value is not marked as html_safe, it will be escaped later
  return unless value.html_safe?

  # Sqreen::log.debug value

  return unless xss_params.any? { |p| p == value }

  Sqreen.log.debug { format('Found unescaped user param: %s', value) }

  saved_value = value.dup
  return unless report_dangerous_xss?(saved_value)

  # potential XSS! let's escape
  args[0].replace(CGI.escape_html(value)) if block

  advise_action(nil)
end