Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
李少辉-开发者
Brakeman
提交
77f12cf3
B
Brakeman
项目概览
李少辉-开发者
/
Brakeman
通知
1
Star
0
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
B
Brakeman
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
前往新版Gitcode,体验更适合开发者的 AI 搜索 >>
提交
77f12cf3
编写于
6月 14, 2013
作者:
J
Justin Collins
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
Refactor ignored output in XSS check
上级
47746fee
变更
1
隐藏空白更改
内联
并排
Showing
1 changed file
with
43 addition
and
10 deletion
+43
-10
lib/brakeman/checks/check_cross_site_scripting.rb
lib/brakeman/checks/check_cross_site_scripting.rb
+43
-10
未找到文件。
lib/brakeman/checks/check_cross_site_scripting.rb
浏览文件 @
77f12cf3
...
...
@@ -229,16 +229,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
method
=
exp
.
method
#Ignore safe items
if
(
target
.
nil?
and
(
@ignore_methods
.
include?
method
or
method
.
to_s
=~
IGNORE_LIKE
))
or
(
@matched
and
@matched
.
type
==
:model
and
IGNORE_MODEL_METHODS
.
include?
method
)
or
(
target
==
HAML_HELPERS
and
method
==
:html_escape
)
or
((
target
==
URI
or
target
==
CGI
)
and
method
==
:escape
)
or
(
target
==
XML_HELPER
and
method
==
:escape_xml
)
or
(
target
==
FORM_BUILDER
and
@ignore_methods
.
include?
method
)
or
(
target
and
@safe_input_attributes
.
include?
method
)
or
(
method
.
to_s
[
-
1
,
1
]
==
"?"
)
#exp[0] = :ignore #should not be necessary
if
ignore_call?
target
,
method
@matched
=
false
elsif
sexp?
target
and
model_name?
target
[
1
]
#TODO: use method call?
@matched
=
Match
.
new
(
:model
,
exp
)
...
...
@@ -293,4 +284,46 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
def
raw_call?
exp
exp
.
value
.
node_type
==
:call
and
exp
.
value
.
method
==
:raw
end
def
ignore_call?
target
,
method
ignored_method?
(
target
,
method
)
or
safe_input_attribute?
(
target
,
method
)
or
ignored_model_method?
(
method
)
or
form_builder_method?
(
target
,
method
)
or
boolean_method?
(
method
)
or
cgi_escaped?
(
target
,
method
)
or
xml_escaped?
(
target
,
method
)
end
def
ignored_model_method?
method
@matched
and
@matched
.
type
==
:model
and
IGNORE_MODEL_METHODS
.
include?
method
end
def
ignored_method?
target
,
method
target
.
nil?
and
(
@ignore_methods
.
include?
method
or
method
.
to_s
=~
IGNORE_LIKE
)
end
def
cgi_escaped?
target
,
method
method
==
:escape
and
(
target
==
URI
or
target
==
CGI
)
end
def
xml_escaped?
target
,
method
method
==
:escape_xml
and
target
==
XML_HELPER
end
def
form_builder_method?
target
,
method
target
==
FORM_BUILDER
and
@ignore_methods
.
include?
method
end
def
safe_input_attribute?
target
,
method
target
and
@safe_input_attributes
.
include?
method
end
def
boolean_method?
method
method
.
to_s
.
end_with?
"?"
end
end
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录