Add warnings to unescaped use of to_json

Set ActiveSupport.escape_html_entities_in_json=true in versions >= 2.1.0 for autoescaping on a to_json call.

Add warnings to unescaped use of to_json
Set ActiveSupport.escape_html_entities_in_json=true in versions >= 2.1.0 for autoescaping on a to_json call.
8bcd1240 · oreoshake · df685c28 · 8bcd1240 · 8bcd1240 · 8bcd1240
4 changed file
--- a/lib/brakeman/checks/check_cross_site_scripting.rb
+++ b/lib/brakeman/checks/check_cross_site_scripting.rb
@@ -34,7 +34,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
  FORM_BUILDER = Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new, Sexp.new(:arglist)) 

  #Run check
-  def run_check 
+  def run_check
    @ignore_methods = Set[:button_to, :check_box, :content_tag, :escapeHTML, :escape_once,
                           :field_field, :fields_for, :h, :hidden_field,
                           :hidden_field, :hidden_field_tag, :image_tag, :label,
@@ -58,6 +58,13 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
      @known_dangerous << :strip_tags
    end

+    matches = tracker.check_initializers :ActiveSupport, :escape_html_entities_in_json=
+    json_escape_on = matches.detect {|result| result[-1].first_arg.value == :true}
+
+    if !json_escape_on or version_between? "0.0.0", "2.0.99"
+      @known_dangerous << :to_json
+    end
+
    tracker.each_template do |name, template|
      @current_template = template
      template[:outputs].each do |out|
@@ -115,10 +122,15 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
          confidence = CONFIDENCE[:med]
        end

+        message = "Unescaped model attribute"
+        if [:call, :attrasgn].include?(out.node_type) && out.method == :to_json
+          message += " in JSON hash" 
+        end
+
        code = find_chain out, match
        warn :template => @current_template,
          :warning_type => "Cross Site Scripting", 
-          :message => "Unescaped model attribute",
+          :message => message,
          :code => code,
          :confidence => confidence
      end
@@ -173,12 +185,14 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
        if message and not duplicate? exp
          add_result exp

-          if exp.target.nil? and @known_dangerous.include? exp.method
+          if @known_dangerous.include? exp.method
            confidence = CONFIDENCE[:high]
          else
            confidence = CONFIDENCE[:low]
          end

+          message += " in JSON hash" if exp.method == :to_json
+
          warn :template => @current_template,
            :warning_type => "Cross Site Scripting", 
            :message => message,

--- a/test/apps/rails2/app/controllers/home_controller.rb
+++ b/test/apps/rails2/app/controllers/home_controller.rb
@@ -141,6 +141,12 @@ class HomeController < ApplicationController
    @user = User.find(current_user)
  end

+  def test_to_json
+    @model_json = User.find(current_user).to_json
+    @not_json = {:thing => params[:thing]}
+    @json = {:json_thing => params[:json_thing]}.to_json
+  end
+
  private

  def filter_it

--- a/test/apps/rails2/app/views/home/test_to_json.html.erb
+++ b/test/apps/rails2/app/views/home/test_to_json.html.erb
+Detection of to_json
+
+<%= @model_json %>
+
+In the view
+
+<%= @not_json.to_json %>
+
+In the controller
+
+<%= @json %>
+
+You would break the json formatting by doing this, but it's technically safe...
+<%= h(@json) %>
--- a/test/tests/test_rails2.rb
+++ b/test/tests/test_rails2.rb
@@ -11,13 +11,13 @@ class Rails2Tests < Test::Unit::TestCase
      @expected ||= {
        :controller => 1,
        :model => 2,
-        :template => 33,
+        :template => 36,
        :warning => 31}
    else
      @expected ||= {
        :controller => 1,
        :model => 2,
-        :template => 33,
+        :template => 36,
        :warning => 32 }
    end
  end
@@ -691,5 +691,32 @@ class Rails2Tests < Test::Unit::TestCase
      :confidence => 0,
      :file => /test_strip_tags\.html\.erb/
  end
+
+  def test_to_json
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 3,
+      :message => /^Unescaped model attribute in JSON hash/,
+      :confidence => 0,
+      :file => /test_to_json\.html\.erb/
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 7,
+      :message => /^Unescaped parameter value in JSON hash/,
+      :confidence => 0,
+      :file => /test_to_json\.html\.erb/
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 11,
+      :message => /^Unescaped parameter value in JSON hash/,
+      :confidence => 0,
+      :file => /test_to_json\.html\.erb/
+    assert_no_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 14,
+      :message => /^Unescaped parameter value in JSON hash/,
+      :confidence => 0,
+      :file => /test_to_json\.html\.erb/
+  end
 end