From e001462b5fbf32eb237c644e5c0801484ef928c1 Mon Sep 17 00:00:00 2001
From: David Roe
Date: Tue, 2 Apr 2024 12:54:12 +0100
Subject: [PATCH] fix(ruby): add missing rails XSS send_data case (#356)
---
 rules/ruby/rails/render_using_user_input.yml | 5 +++++
 .../rails/render_using_user_input/testdata/ok_not_unsafe.rb | 2 ++
 tests/ruby/rails/render_using_user_input/testdata/unsafe.rb | 3 +++
 3 files changed, 10 insertions(+)
diff --git a/rules/ruby/rails/render_using_user_input.yml b/rules/ruby/rails/render_using_user_input.yml
index 469f9293f..a58e92279 100644
--- a/rules/ruby/rails/render_using_user_input.yml
+++ b/rules/ruby/rails/render_using_user_input.yml
@@ -15,6 +15,11 @@ patterns:
 - variable: USER_INPUT
 detection: ruby_shared_common_html_user_input
 scope: result
+ - pattern: send_data($$<...>)
+ filters:
+ - variable: USER_INPUT
+ detection: ruby_shared_common_html_user_input
+ scope: result
 severity: high
 metadata:
 description: "Unsanitized user input in raw HTML strings (XSS)"
diff --git a/tests/ruby/rails/render_using_user_input/testdata/ok_not_unsafe.rb b/tests/ruby/rails/render_using_user_input/testdata/ok_not_unsafe.rb
index a930f7056..3c9fcd1d1 100644
--- a/tests/ruby/rails/render_using_user_input/testdata/ok_not_unsafe.rb
+++ b/tests/ruby/rails/render_using_user_input/testdata/ok_not_unsafe.rb
@@ -3,3 +3,5 @@ render html: sanitize(params[:oops])
 render inline: "
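Review bot: The new `send_data($$<...>)` pattern reports every `send_data` call that carries user input under the rule's "raw HTML strings (XSS)" description, but Rails' `send_data` defaults to `disposition: 'attachment'`, so the body is offered as a download and only reaches the page as markup when the call passes `disposition: :inline` together with an HTML content type. If `$$<...>` matches any argument position (the shared `ruby_shared_common_html_user_input` detection is not visible here), input flowing into `filename:` or `type:` would also be reported with the same XSS wording, which describes a different weakness. I would record the caveat next to the pattern, e.g. `# send_data is only rendered by the browser with disposition: :inline; the default attachment disposition is a download`, and extend the `unsafe.rb` hunk with the unambiguous positive case `send_data params[:oops], type: "text/html", disposition: :inline` next to the line it adds. The `ok_not_unsafe.rb` fixture only covers a constant body, so it does not show whether the rule is meant to stay quiet for non-HTML `type:` values.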

#{strip_tags(params[:oops])}

"
+
+send_data "ok", type: content_type
diff --git a/tests/ruby/rails/render_using_user_input/testdata/unsafe.rb b/tests/ruby/rails/render_using_user_input/testdata/unsafe.rb
index 9df67dca7..7c6e5a2ed 100644
--- a/tests/ruby/rails/render_using_user_input/testdata/unsafe.rb
+++ b/tests/ruby/rails/render_using_user_input/testdata/unsafe.rb
@@ -2,3 +2,6 @@ render html: params[:oops]
 # bearer:expected ruby_rails_render_using_user_input
 render inline: "

#{params[:oops]}

"
+
+# bearer:expected ruby_rails_render_using_user_input
+send_data params[:oops], type: content_type