Merge pull request #154 from oreoshake/check_for_overwritten_initializer

Check for overridden initializer values

lib/brakeman/checks/check_cross_site_scripting.rb

@@ -31,7 +31,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
 
   CGI = Sexp.new(:const, :CGI)
 
-  FORM_BUILDER = Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new, Sexp.new(:arglist)) 
+  FORM_BUILDER = Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new, Sexp.new(:arglist))
 
   #Run check
   def run_check
@@ -58,8 +58,9 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
       @known_dangerous << :strip_tags
     end
 
-    matches = tracker.check_initializers :ActiveSupport, :escape_html_entities_in_json=
-    json_escape_on = matches.detect {|result| true? result[-1].first_arg}
+    json_escape_on = false
+    initializers = tracker.check_initializers :ActiveSupport, :escape_html_entities_in_json=
+    initializers.each {|result| json_escape_on = true? (result[-1].first_arg) }
 
     if !json_escape_on or version_between? "0.0.0", "2.0.99"
       @known_dangerous << :to_json
@@ -107,7 +108,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
         message = "Unescaped user input value"
       end
 
-      warn :template => @current_template, 
+      warn :template => @current_template,
         :warning_type => "Cross Site Scripting",
         :message => message,
         :code => input.match,
@@ -128,13 +129,13 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
         message = "Unescaped model attribute"
         link_path = "cross_site_scripting"
         if node_type?(out, :call, :attrasgn) && out.method == :to_json
-          message += " in JSON hash" 
+          message += " in JSON hash"
           link_path += "_to_json"
         end
 
         code = find_chain out, match
         warn :template => @current_template,
-          :warning_type => "Cross Site Scripting", 
+          :warning_type => "Cross Site Scripting",
           :message => message,
           :code => code,
           :confidence => confidence,
@@ -203,7 +204,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
           end
 
           warn :template => @current_template,
-            :warning_type => "Cross Site Scripting", 
+            :warning_type => "Cross Site Scripting",
             :message => message,
             :code => exp,
             :user_input => @matched.match,

test/apps/rails3.1/app/views/users/json_test.html.erb

+<%= raw({:donkey => params[:donkey]}.to_json) %>
\ No newline at end of file

test/apps/rails3.1/config/initializers/set_escape_json.rb

+# this value will be overwritten in unset_escape_json.rb
+ActiveSupport.escape_html_entities_in_json = true

test/apps/rails3.1/config/initializers/unset_escape_json.rb

+# this overwrites the value set in set_escape_json
+ActiveSupport.escape_html_entities_in_json = false
\ No newline at end of file

test/tests/test_rails31.rb

@@ -13,7 +13,7 @@ class Rails31Tests < Test::Unit::TestCase
   def expected
     @expected ||= {
       :model => 0,
-      :template => 15,
+      :template => 16,
       :controller => 1,
       :warning => 48 }
   end
@@ -604,4 +604,13 @@ class Rails31Tests < Test::Unit::TestCase
       :confidence => 0,
       :file => /Gemfile/
   end
+
+  def test_to_json_with_overwritten_config
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :message => /^Unescaped parameter value in JSON hash/,
+      :confidence => 0,
+      :line => 1,
+      :file => /json_test\.html\.erb/
+  end
 end