fix(ruby): add missing rails XSS send_data case (#356)

Bearer · Apr 2, 2024 · e001462 · e001462
1 parent ec09c22
commit e001462
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 0 deletions.
diff --git a/rules/ruby/rails/render_using_user_input.yml b/rules/ruby/rails/render_using_user_input.yml
@@ -15,6 +15,11 @@ patterns:
       - variable: USER_INPUT
         detection: ruby_shared_common_html_user_input
         scope: result
+  - pattern: send_data($<USER_INPUT>$<...>)
+    filters:
+      - variable: USER_INPUT
+        detection: ruby_shared_common_html_user_input
+        scope: result
 severity: high
 metadata:
   description: "Unsanitized user input in raw HTML strings (XSS)"

diff --git a/tests/ruby/rails/render_using_user_input/testdata/ok_not_unsafe.rb b/tests/ruby/rails/render_using_user_input/testdata/ok_not_unsafe.rb
@@ -3,3 +3,5 @@
 
 render html: sanitize(params[:oops])
 render inline: "<h1>#{strip_tags(params[:oops])}</h1>"
+
+send_data "ok", type: content_type
diff --git a/tests/ruby/rails/render_using_user_input/testdata/unsafe.rb b/tests/ruby/rails/render_using_user_input/testdata/unsafe.rb
@@ -2,3 +2,6 @@
 render html: params[:oops]
 # bearer:expected ruby_rails_render_using_user_input
 render inline: "<h1>#{params[:oops]}</h1>"
+
+# bearer:expected ruby_rails_render_using_user_input
+send_data params[:oops], type: content_type
Original file line number	Diff line number	Diff line change
Expand Up		@@ -3,3 +3,5 @@

		render html: sanitize(params[:oops])
		render inline: "<h1>#{strip_tags(params[:oops])}</h1>"

		send_data "ok", type: content_type