Add check for CVE-2018-3741 (sanitize XSS)
presidentbeef committed Mar 23, 2018
1 parent a965f55 commit 45ca92c
Showing 4 changed files with 45 additions and 8 deletions.
24 changes: 18 additions & 6 deletions lib/brakeman/checks/check_sanitize_methods.rb
Expand Up @@ -22,11 +22,10 @@ def run_check
if @fix_version
check_cve_2013_1855
check_cve_2013_1857
elsif tracker.config.has_gem? :'rails-html-sanitizer' and
version_between? "1.0.0", "1.0.2", tracker.config.gem_version(:'rails-html-sanitizer')
end

warn_sanitizer_cve "CVE-2015-7578", "https://groups.google.com/d/msg/rubyonrails-security/uh--W4TDwmI/JbvSRpdbFQAJ"
warn_sanitizer_cve "CVE-2015-7580", "https://groups.google.com/d/msg/rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ"
if tracker.config.has_gem? :'rails-html-sanitizer'
check_rails_html_sanitizer
end

check_cve_2018_8048
Expand Down Expand Up @@ -62,6 +61,19 @@ def check_for_cve method, code, link
end
end

def check_rails_html_sanitizer
rhs_version = tracker.config.gem_version(:'rails-html-sanitizer')

if version_between? "1.0.0", "1.0.2", rhs_version
warn_sanitizer_cve "CVE-2015-7578", "https://groups.google.com/d/msg/rubyonrails-security/uh--W4TDwmI/JbvSRpdbFQAJ", "1.0.3"
warn_sanitizer_cve "CVE-2015-7580", "https://groups.google.com/d/msg/rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ", "1.0.3"
end

if version_between? "1.0.0", "1.0.3", rhs_version
warn_sanitizer_cve "CVE-2018-3741", "https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ", "1.0.4"
end
end

def check_cve_2018_8048
if loofah_vulnerable_cve_2018_8048?
message = "Loofah #{tracker.config.gem_version(:loofah)} is vulnerable (CVE-2018-8048). Upgrade to 2.1.2"
Expand All @@ -87,8 +99,8 @@ def loofah_vulnerable_cve_2018_8048?
loofah_version and loofah_version < "2.1.2"
end

def warn_sanitizer_cve cve, link
message = "rails-html-sanitizer #{tracker.config.gem_version(:'rails-html-sanitizer')} is vulnerable (#{cve}). Upgrade to 1.0.3"
def warn_sanitizer_cve cve, link, upgrade_version
message = "rails-html-sanitizer #{tracker.config.gem_version(:'rails-html-sanitizer')} is vulnerable (#{cve}). Upgrade to #{upgrade_version}"

if tracker.find_call(:target => false, :method => :sanitize).any?
confidence = :high
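Review bot: In `check_rails_html_sanitizer` a rails-html-sanitizer version in 1.0.0–1.0.2 satisfies both `version_between?` ranges, so the CVE-2015-7578/7580 warnings still advise "Upgrade to 1.0.3" while the new CVE-2018-3741 warning emitted in the same run advises 1.0.4; a user who follows the first message lands on a version this same check still flags. Consider deriving the recommendation once from the highest fix version among the matched CVEs and passing it to every `warn_sanitizer_cve` call, or soften the message in `warn_sanitizer_cve` to `Upgrade to #{upgrade_version} or later`. A one-line comment above the second `if`, such as `# Ranges overlap on purpose: each CVE is reported separately`, would make the double reporting read as intended rather than accidental. The body of `warn_sanitizer_cve` (confidence selection and the warn call) continues past the end of the hunk, so how `upgrade_version` is used further down is not visible here.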
1 change: 1 addition & 0 deletions lib/brakeman/warning_codes.rb
Expand Up @@ -108,6 +108,7 @@ module Brakeman::WarningCodes
:divide_by_zero => 104,
:dangerous_permit_key => 105,
:CVE_2018_8048 => 106,
:CVE_2018_3741 => 107,
}

def self.code name
14 changes: 13 additions & 1 deletion test/tests/rails5.rb
Expand Up @@ -13,7 +13,7 @@ def expected
:controller => 0,
:model => 0,
:template => 9,
:generic => 18
:generic => 19
}
end

Expand Down Expand Up @@ -617,6 +617,18 @@ def test_cross_site_scripting_loofah_CVE_2018_8048
:user_input => nil
end

def test_cross_site_scripting_CVE_2018_3741
assert_warning :type => :warning,
:warning_code => 107,
:fingerprint => "3e35a6afcd1a8a14894cf26a7f00d4e895f0583bbc081d45e5bd28c4b541b7e6",
:warning_type => "Cross-Site Scripting",
:line => 115,
:message => /^rails\-html\-sanitizer\ 1\.0\.2\ is\ vulnerable/,
:confidence => 0,
:relative_path => "Gemfile.lock",
:user_input => nil
end

def test_dangerous_eval_in_prior_class_method_with_same_name
assert_warning :type => :warning,
:warning_code => 13,
14 changes: 13 additions & 1 deletion test/tests/rails52.rb
Expand Up @@ -13,7 +13,7 @@ def expected
:controller => 0,
:model => 0,
:template => 0,
:generic => 2
:generic => 3
}
end

Expand Down Expand Up @@ -77,4 +77,16 @@ def test_cross_site_scripting_loofah_CVE_2018_8048
:relative_path => "Gemfile.lock",
:user_input => nil
end

def test_cross_site_scripting_CVE_2018_3741
assert_warning :type => :warning,
:warning_code => 107,
:fingerprint => "e0636b950dd005468b5f9a0426ed50936e136f18477ca983cfc51b79e29f6463",
:warning_type => "Cross-Site Scripting",
:line => 109,
:message => /^rails\-html\-sanitizer\ 1\.0\.3\ is\ vulnerable/,
:confidence => 1,
:relative_path => "Gemfile.lock",
:user_input => nil
end
end
