Add check for weak html escape method

http://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195

Add check for weak html escape method
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195
9f97910d · Justin Collins · 2d733ae1 · 9f97910d
隐藏空白更改
内联并排

Showing with 17 addition and 0 deletion

lib/checks/check_escape_function.rb lib/checks/check_escape_function.rb +17 -0

未找到文件。
--- a/lib/checks/check_escape_function.rb
+++ b/lib/checks/check_escape_function.rb
+require 'checks/base_check'
+require 'processors/lib/find_call'
+
+#Check for versions with vulnerable html escape method
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195
+class CheckEscapeFunction < BaseCheck
+  Checks.add self
+
+  def run_check
+    if version_between?('2.0.0', '2.3.12') and RUBY_VERSION < '1.9.0' 
+
+      warn :warning_type => 'Cross Site Scripting',
+        :message => 'Versions before 2.3.13 have a vulnerability in escape method when used with Ruby 1.8. Upgrade or apply patches as needed.',
+        :confidence => CONFIDENCE[:high]
+    end
+  end
+end