Check for overridden initializer values

9845e74a · oreoshake · 5004d3ad · 9845e74a
隐藏空白更改
内联并排

Showing with 8 addition and 7 deletion

lib/brakeman/checks/check_cross_site_scripting.rb lib/brakeman/checks/check_cross_site_scripting.rb +8 -7

未找到文件。
--- a/lib/brakeman/checks/check_cross_site_scripting.rb
+++ b/lib/brakeman/checks/check_cross_site_scripting.rb
@@ -31,7 +31,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck

  CGI = Sexp.new(:const, :CGI)

-  FORM_BUILDER = Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new, Sexp.new(:arglist)) 
+  FORM_BUILDER = Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new, Sexp.new(:arglist))

  #Run check
  def run_check
@@ -58,8 +58,9 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
      @known_dangerous << :strip_tags
    end

-    matches = tracker.check_initializers :ActiveSupport, :escape_html_entities_in_json=
-    json_escape_on = matches.detect {|result| true? result[-1].first_arg}
+    json_escape_on = false
+    initializers = tracker.check_initializers :ActiveSupport, :escape_html_entities_in_json=
+    initializers.each {|result| json_escape_on = true? (result[-1].first_arg) }

    if !json_escape_on or version_between? "0.0.0", "2.0.99"
      @known_dangerous << :to_json
@@ -107,7 +108,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
        message = "Unescaped user input value"
      end

-      warn :template => @current_template, 
+      warn :template => @current_template,
        :warning_type => "Cross Site Scripting",
        :message => message,
        :code => input.match,
@@ -128,13 +129,13 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
        message = "Unescaped model attribute"
        link_path = "cross_site_scripting"
        if node_type?(out, :call, :attrasgn) && out.method == :to_json
-          message += " in JSON hash" 
+          message += " in JSON hash"
          link_path += "_to_json"
        end

        code = find_chain out, match
        warn :template => @current_template,
-          :warning_type => "Cross Site Scripting", 
+          :warning_type => "Cross Site Scripting",
          :message => message,
          :code => code,
          :confidence => confidence,
@@ -203,7 +204,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
          end

          warn :template => @current_template,
-            :warning_type => "Cross Site Scripting", 
+            :warning_type => "Cross Site Scripting",
            :message => message,
            :code => exp,
            :user_input => @matched.match,