Fix CheckMailTo to detect the vulnerability

because it was checking the options for the wrong value

Fix CheckMailTo to detect the vulnerability
because it was checking the options for the wrong value
d1d15870 · Justin Collins · 492505f7 · d1d15870
隐藏空白更改
内联并排

Showing with 3 addition and 6 deletion

lib/brakeman/checks/check_mail_to.rb lib/brakeman/checks/check_mail_to.rb +3 -6

未找到文件。
--- a/lib/brakeman/checks/check_mail_to.rb
+++ b/lib/brakeman/checks/check_mail_to.rb
@@ -33,13 +33,10 @@ class Brakeman::CheckMailTo < Brakeman::BaseCheck
    Brakeman.debug "Checking calls to mail_to for javascript encoding"
    tracker.find_call(:target => false, :method => :mail_to).each do |result|
-      call = result[:call]
+      result[:call].arglist.each do |arg|
-      args = call.args
-      args.each do |arg|
        if hash? arg
-          if hash_access(arg, :javascript)
+          if option = hash_access(arg, :encode)
-            return result
+            return result if symbol? option and option.value == :javascript
          end
        end
      end