From 45ca92c6a31600c75391ad826b6546348444bb5c Mon Sep 17 00:00:00 2001
From: Justin Collins
Date: Thu, 22 Mar 2018 13:21:40 -0700
Subject: [PATCH] Add check for CVE-2018-3741 (sanitize XSS)

---
 lib/brakeman/checks/check_sanitize_methods.rb | 24 ++++++++++++++-----
 lib/brakeman/warning_codes.rb | 1 +
 test/tests/rails5.rb | 14 ++++++++++-
 test/tests/rails52.rb | 14 ++++++++++-
 4 files changed, 45 insertions(+), 8 deletions(-)

diff --git a/lib/brakeman/checks/check_sanitize_methods.rb b/lib/brakeman/checks/check_sanitize_methods.rb
index 151edd2ea5..354bf5f944 100644
--- a/lib/brakeman/checks/check_sanitize_methods.rb
+++ b/lib/brakeman/checks/check_sanitize_methods.rb
@@ -22,11 +22,10 @@ def run_check
     if @fix_version
       check_cve_2013_1855
       check_cve_2013_1857
-    elsif tracker.config.has_gem? :'rails-html-sanitizer' and
-      version_between? "1.0.0", "1.0.2", tracker.config.gem_version(:'rails-html-sanitizer')
+    end
 
-      warn_sanitizer_cve "CVE-2015-7578", "https://groups.google.com/d/msg/rubyonrails-security/uh--W4TDwmI/JbvSRpdbFQAJ"
-      warn_sanitizer_cve "CVE-2015-7580", "https://groups.google.com/d/msg/rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ"
+    if tracker.config.has_gem? :'rails-html-sanitizer'
+      check_rails_html_sanitizer
     end
 
     check_cve_2018_8048
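Review bot: The precondition for the rails-html-sanitizer advisories is now split between run_check (the `has_gem?` guard) and check_rails_html_sanitizer (the version ranges), whereas the neighbouring check_cve_2018_8048 owns its whole precondition via loofah_vulnerable_cve_2018_8048?. Keeping run_check a flat list of checks and opening the new method with `return unless tracker.config.has_gem? :'rails-html-sanitizer'` would match that pattern. Note also that the sanitizer advisories were previously reported only in the `elsif` branch, i.e. when no `@fix_version` was set, and now fire regardless; that looks intentional (the gem's version is independent of the Rails version) but deserves a sentence in the commit description. run_check continues past the end of this hunk.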
@@ -62,6 +61,19 @@ def check_for_cve method, code, link
       end
     end
 
+    def check_rails_html_sanitizer
+      rhs_version = tracker.config.gem_version(:'rails-html-sanitizer')
+
+      if version_between? "1.0.0", "1.0.2", rhs_version
+        warn_sanitizer_cve "CVE-2015-7578", "https://groups.google.com/d/msg/rubyonrails-security/uh--W4TDwmI/JbvSRpdbFQAJ", "1.0.3"
+        warn_sanitizer_cve "CVE-2015-7580", "https://groups.google.com/d/msg/rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ", "1.0.3"
+      end
+
+      if version_between? "1.0.0", "1.0.3", rhs_version
+        warn_sanitizer_cve "CVE-2018-3741", "https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ", "1.0.4"
+      end
+    end
+
     def check_cve_2018_8048
       if loofah_vulnerable_cve_2018_8048?
         message = "Loofah #{tracker.config.gem_version(:loofah)} is vulnerable (CVE-2018-8048). Upgrade to 2.1.2"
@@ -87,8 +99,8 @@ def loofah_vulnerable_cve_2018_8048?
       loofah_version and loofah_version < "2.1.2"
     end
 
-    def warn_sanitizer_cve cve, link
-      message = "rails-html-sanitizer #{tracker.config.gem_version(:'rails-html-sanitizer')} is vulnerable (#{cve}). Upgrade to 1.0.3"
+    def warn_sanitizer_cve cve, link, upgrade_version
+      message = "rails-html-sanitizer #{tracker.config.gem_version(:'rails-html-sanitizer')} is vulnerable (#{cve}). Upgrade to #{upgrade_version}"
 
       if tracker.find_call(:target => false, :method => :sanitize).any?
         confidence = :high
diff --git a/lib/brakeman/warning_codes.rb b/lib/brakeman/warning_codes.rb
index e27f8a0ec9..57f90864af 100644
--- a/lib/brakeman/warning_codes.rb
+++ b/lib/brakeman/warning_codes.rb
@@ -108,6 +108,7 @@ module Brakeman::WarningCodes
     :divide_by_zero => 104,
     :dangerous_permit_key => 105,
     :CVE_2018_8048 => 106,
+    :CVE_2018_3741 => 107,
   }
 
   def self.code name
diff --git a/test/tests/rails5.rb b/test/tests/rails5.rb
index 051df8e57a..fb2002f792 100644
--- a/test/tests/rails5.rb
+++ b/test/tests/rails5.rb
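Review bot: The two version ranges in check_rails_html_sanitizer overlap, so a project on 1.0.0–1.0.2 receives three warnings whose remediation advice contradicts itself: the CVE-2015-7578/7580 warnings say "Upgrade to 1.0.3" while the second branch in the same method says 1.0.3 is still affected by CVE-2018-3741. Passing the version that actually clears all three advisories to the first two calls, `warn_sanitizer_cve "CVE-2015-7578", "<link>", "1.0.4"` and likewise for CVE-2015-7580, avoids sending the user to a release Brakeman will immediately flag again. A short header comment would also help future maintainers, e.g. `# rails-html-sanitizer < 1.0.4 is affected by CVE-2018-3741; < 1.0.3 additionally by CVE-2015-7578/7580`. It is not visible here what version_between? does when gem_version returns nil for an unpinned gem; presumably it returns false, but worth confirming since the `has_gem?` guard in run_check does not imply a resolved version.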
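Review bot: warn_sanitizer_cve gains a third required positional parameter, so any caller outside this patch would now raise ArgumentError; every call site visible in the diff is updated, but if the method is reachable from elsewhere a default such as `def warn_sanitizer_cve cve, link, upgrade_version = "1.0.4"` or a keyword argument would keep it backward-compatible. The method also re-reads `tracker.config.gem_version(:'rails-html-sanitizer')` although the new caller already holds it as `rhs_version`; threading the version through would avoid a second lookup and keep the message and the range check in agreement. A one-line doc comment such as `# Report that the installed rails-html-sanitizer is affected by +cve+; +upgrade_version+ is the first release that fixes it.` would document the new parameter. The method body continues past the end of this hunk.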
@@ -13,7 +13,7 @@ def expected
       :controller => 0,
       :model => 0,
       :template => 9,
-      :generic => 18
+      :generic => 19
     }
   end
 
@@ -617,6 +617,18 @@ def test_cross_site_scripting_loofah_CVE_2018_8048
       :user_input => nil
   end
 
+  def test_cross_site_scripting_CVE_2018_3741
+    assert_warning :type => :warning,
+      :warning_code => 107,
+      :fingerprint => "3e35a6afcd1a8a14894cf26a7f00d4e895f0583bbc081d45e5bd28c4b541b7e6",
+      :warning_type => "Cross-Site Scripting",
+      :line => 115,
+      :message => /^rails\-html\-sanitizer\ 1\.0\.2\ is\ vulnerable/,
+      :confidence => 0,
+      :relative_path => "Gemfile.lock",
+      :user_input => nil
+  end
+
   def test_dangerous_eval_in_prior_class_method_with_same_name
     assert_warning :type => :warning,
       :warning_code => 13,
diff --git a/test/tests/rails52.rb b/test/tests/rails52.rb
index e8f99e92be..8060062a14 100644
--- a/test/tests/rails52.rb
+++ b/test/tests/rails52.rb
@@ -13,7 +13,7 @@ def expected
       :controller => 0,
       :model => 0,
       :template => 0,
-      :generic => 2
+      :generic => 3
     }
   end
 
@@ -77,4 +77,16 @@ def test_cross_site_scripting_loofah_CVE_2018_8048
       :relative_path => "Gemfile.lock",
       :user_input => nil
   end
+
+  def test_cross_site_scripting_CVE_2018_3741
+    assert_warning :type => :warning,
+      :warning_code => 107,
+      :fingerprint => "e0636b950dd005468b5f9a0426ed50936e136f18477ca983cfc51b79e29f6463",
+      :warning_type => "Cross-Site Scripting",
+      :line => 109,
+      :message => /^rails\-html\-sanitizer\ 1\.0\.3\ is\ vulnerable/,
+      :confidence => 1,
+      :relative_path => "Gemfile.lock",
+      :user_input => nil
+  end
 end
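Review bot: The new test's `:message` regex checks only the prefix of the warning, so the part this commit actually introduces — the CVE identifier and the per-advisory upgrade target — is not pinned; passing "1.0.3" instead of "1.0.4" for CVE-2018-3741 would still pass. Extending it to `:message => /^rails\-html\-sanitizer\ 1\.0\.2\ is\ vulnerable\ \(CVE\-2018\-3741\)\.\ Upgrade\ to\ 1\.0\.4/` closes that gap, and the same applies to test_cross_site_scripting_CVE_2018_3741 in test/tests/rails52.rb, which should expect "Upgrade to 1.0.4" for its 1.0.3 fixture. The differing `:confidence` values (0 here, 1 in rails52.rb) presumably come from whether the fixture app calls `sanitize`, which is decided in warn_sanitizer_cve outside these hunks; a one-line comment on each test naming that reason would spare the next reader a search.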