Fix checking for cookies as parameters

in method calls like <%= blah(cookies[:snickerdoodle]) %>

Fix checking for cookies as parameters
in method calls like <%= blah(cookies[:snickerdoodle]) %>
edd0c6f3 · Justin Collins · f5f0a50d · edd0c6f3 · edd0c6f3 · edd0c6f3
4 changed file
--- a/lib/checks/check_cross_site_scripting.rb
+++ b/lib/checks/check_cross_site_scripting.rb
@@ -152,6 +152,8 @@ class CheckCrossSiteScripting < BaseCheck
        message = "Unescaped model attribute" 
      elsif @matched == :params
        message = "Unescaped parameter value" 
+      elsif @matched == :cookies
+        message = "Unescaped cookie value" 
      end
      if message and not duplicate? exp
@@ -199,8 +201,9 @@ class CheckCrossSiteScripting < BaseCheck
      exp[0] = :ignore
      @matched = false
    elsif sexp? exp[1] and model_name? exp[1][1]
      @matched = :model
+    elsif cookies? exp or cookies? target or COOKIES == exp or COOKIES == target 
+      @matched = :cookies
    elsif @inspect_arguments and (ALL_PARAMETERS.include?(exp) or params? exp)
      @matched = :params
    elsif @inspect_arguments

--- a/test/rails2/app/views/home/test_cookie.html.erb
+++ b/test/rails2/app/views/home/test_cookie.html.erb
 <h1>Home#test_cookie</h1>
 <p>Find me in app/views/home/test_cookie.html.erb</p>
 Hello, cookie named <%= @name %>!
+<%= indirect cookies[:oreo] %>
--- a/test/rails3/app/views/home/test_cookie.html.erb
+++ b/test/rails3/app/views/home/test_cookie.html.erb
 <h1>Home#test_cookie</h1>
 <p>Find me in app/views/home/test_cookie.html.erb</p>
 Hello, cookie named <%= raw @name %>!
+<%= raw indirect(cookies[:chipsahoy]) %>
--- a/test/test.rb
+++ b/test/test.rb
@@ -385,6 +385,15 @@ class Rails2Tests < Test::Unit::TestCase
    assert_equal 0, results.length, "escape_once is a safe method"
  end
+  def test_indirect_cookie
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 5,
+      :message => /^Unescaped cookie value/,
+      :confidence => 2,
+      :file => /test_cookie\.html\.erb/
+  end
 end
 class Rails3Tests < Test::Unit::TestCase
@@ -716,4 +725,13 @@ class Rails3Tests < Test::Unit::TestCase
    assert_equal 0, results.length, "escape_once is a safe method"
  end
+  def test_indirect_cookie
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 4,
+      :message => /^Unescaped cookie value/,
+      :confidence => 2,
+      :file => /test_cookie\.html\.erb/
+  end
 end