Beef up params? and cookies?

to also detect params[:blah][:blah][:blah] as a direct use of params (and the same for cookies)

Beef up params? and cookies?
to also detect params[:blah][:blah][:blah] as a direct use of params (and the same for cookies)
81262c6b · Justin Collins · 805468c5 · 81262c6b · 81262c6b · 81262c6b
8 changed file
--- a/lib/checks/base_check.rb
+++ b/lib/checks/base_check.rb
@@ -56,9 +56,9 @@ class BaseCheck < SexpProcessor
    process exp[1] if sexp? exp[1]
    process exp[3]

-    if ALL_PARAMETERS.include? exp[1] or ALL_PARAMETERS.include? exp or params? exp[1]
+    if params? exp[1]
      @has_user_input = :params
-    elsif exp[1] == COOKIES or exp == COOKIES or cookies? exp[1]
+    elsif cookies? exp[1]
      @has_user_input = :cookies
    elsif sexp? exp[1] and model_name? exp[1][1]
      @has_user_input = :model
@@ -173,20 +173,16 @@ class BaseCheck < SexpProcessor
  #expression
  def has_immediate_user_input? exp
    if exp.nil?
-      return false
+      false
    elsif params? exp
      return :params, exp
    elsif cookies? exp
      return :cookies, exp
    elsif call? exp
-      if sexp? exp[1]
-        if ALL_PARAMETERS.include? exp[1] or params? exp[1]
-          return :params, exp
-        elsif exp[1] == COOKIES or cookies? exp[1]
-          return :cookies, exp
-        else
-          false
-        end
+      if params? exp[1]
+        return :params, exp
+      elsif cookies? exp[1]
+        return :cookies, exp
      else
        false
      end

--- a/lib/checks/check_cross_site_scripting.rb
+++ b/lib/checks/check_cross_site_scripting.rb
@@ -202,9 +202,9 @@ class CheckCrossSiteScripting < BaseCheck
      @matched = false
    elsif sexp? exp[1] and model_name? exp[1][1]
      @matched = :model
-    elsif cookies? exp or cookies? target or COOKIES == exp or COOKIES == target 
+    elsif cookies? exp
      @matched = :cookies
-    elsif @inspect_arguments and (ALL_PARAMETERS.include?(exp) or params? exp)
+    elsif @inspect_arguments and params? exp
      @matched = :params
    elsif @inspect_arguments
      process args

--- a/lib/util.rb
+++ b/lib/util.rb
@@ -127,11 +127,36 @@ module Util

  #Check if _exp_ is a params hash
  def params? exp
-    exp.is_a? Sexp and exp.node_type == :params
+    if exp.is_a? Sexp
+      return true if exp.node_type == :params or ALL_PARAMETERS.include? exp
+
+      if exp.node_type == :call
+        if params? exp[1]
+          return true
+        elsif exp[2] == :[]
+          return params? exp[1]
+        end
+      end
+    end
+
+    false
  end

  def cookies? exp
-    exp.is_a? Sexp and exp.node_type == :cookies
+    if exp.is_a? Sexp
+      return true if exp.node_type == :cookies or exp == COOKIES
+
+      if exp.node_type == :call
+        if cookies? exp[1]
+          return true
+        elsif exp[2] == :[]
+          return cookies? exp[1]
+        end
+      end
+    end
+
+    false
+
  end

  #Check if _exp_ is a Sexp.

--- a/test/rails2/app/views/home/test_cookie.html.erb
+++ b/test/rails2/app/views/home/test_cookie.html.erb
@@ -3,3 +3,5 @@
 Hello, cookie named <%= @name %>!

 <%= indirect cookies[:oreo] %>
+
+And: <%= cookies[:user][:name] %>
--- a/test/rails2/app/views/home/test_params.html.erb
+++ b/test/rails2/app/views/home/test_params.html.erb
@@ -4,3 +4,5 @@
 Jello, <%= @name %>

 More: <%= @indirect %>
+
+And: <%= params[:x][:y] %>
--- a/test/rails3/app/views/home/test_cookie.html.erb
+++ b/test/rails3/app/views/home/test_cookie.html.erb
@@ -3,3 +3,5 @@
 Hello, cookie named <%= raw @name %>!

 <%= raw indirect(cookies[:chipsahoy]) %>
+
+And: <%= raw cookies[:x][:y] %>
--- a/test/rails3/app/views/home/test_params.html.erb
+++ b/test/rails3/app/views/home/test_params.html.erb
@@ -7,3 +7,4 @@ More: <%= raw @indirect %>

 Indirectly: <%= some_method params[:bad_stuff] %>

+And: <%= raw params[:x][:y] %>
--- a/test/test.rb
+++ b/test/test.rb
@@ -394,6 +394,27 @@ class Rails2Tests < Test::Unit::TestCase
      :confidence => 2,
      :file => /test_cookie\.html\.erb/
  end
+
+  #Check for params that look like params[:x][:y]
+  def test_params_multidimensional
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 8,
+      :message => /^Unescaped parameter value/,
+      :confidence => 0,
+      :file => /test_params\.html\.erb/
+  end
+
+  #Check for cookies that look like cookies[:blah][:blah]
+  def test_cookies_multidimensional
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 7,
+      :message => /^Unescaped cookie value/,
+      :confidence => 0,
+      :file => /test_cookie\.html\.erb/
+  end
+
 end

 class Rails3Tests < Test::Unit::TestCase
@@ -735,11 +756,44 @@ class Rails3Tests < Test::Unit::TestCase
      :file => /test_cookie\.html\.erb/
  end

+  #Check for params that look like params[:x][:y]
+  def test_params_multidimensional
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 10,
+      :message => /^Unescaped parameter value/,
+      :confidence => 0,
+      :file => /test_params\.html\.erb/
+  end
+
+  #Check for cookies that look like cookies[:blah][:blah]
+  def test_cookies_multidimensional
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 6,
+      :message => /^Unescaped cookie value/,
+      :confidence => 0,
+      :file => /test_cookie\.html\.erb/
+  end
+
  def test_default_routes
    assert_warning :warning_type => "Default Routes",
      :line => 93,
      :message => /All public methods in controllers are available as actions/,
      :file => /routes\.rb/
  end
+end

+class BrakemanTests < Test::Unit::TestCase
+  def util
+    Class.new.extend Util
+  end
+
+  def test_cookies?
+    assert util.cookies?(RubyParser.new.parse 'cookies[:x][:y][:z]')
+  end
+
+  def test_params?
+    assert util.params?(RubyParser.new.parse 'params[:x][:y][:z]')
+  end
 end