rails-guarddog 0.1.5 → 0.1.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/rails/guarddog/checkers/xss_checker.rb +44 -26
- data/lib/rails/guarddog/scanner.rb +44 -37
- data/lib/rails/guarddog/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 92c763b8e850ec9df964d0723a218f1801ce5ed0f9e0793976facac66c492205
|
|
4
|
+
data.tar.gz: c7d7d91d85c82f585ff1f3d0f04b05dd3c863124b5db0f927067080317d7340c
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: cdef99a6784a17bfac825a9c2877e4905a232ffc0ec949ac624dd6bd2493a3fff69261b2831aa81ac08750c425eafcb4d29421f32d569f282a3b9f7247663b6f
|
|
7
|
+
data.tar.gz: fea6fbb432a20662f3b45e996381b4e58a11a39222daeca42d9dc7e6b51f81a584b9da0bd46e6f4f26b18abc88b8ffee017dc96aaef324bec63de817151b16fb
|
|
@@ -1,26 +1,44 @@
|
|
|
1
|
-
module Rails
|
|
2
|
-
module Guarddog
|
|
3
|
-
module Checkers
|
|
4
|
-
class XssChecker < BaseChecker
|
|
5
|
-
def run
|
|
6
|
-
glob_files('app/views/**/*.erb').each do |file|
|
|
7
|
-
content = File.read(file)
|
|
8
|
-
content.each_line.with_index do |line, idx|
|
|
9
|
-
if
|
|
10
|
-
add_finding(
|
|
11
|
-
severity: :high,
|
|
12
|
-
message: "Potential XSS vulnerability:
|
|
13
|
-
file: file,
|
|
14
|
-
line: idx + 1,
|
|
15
|
-
snippet: line.strip,
|
|
16
|
-
remediation: "Use <%= h() %> or sanitize()
|
|
17
|
-
)
|
|
18
|
-
end
|
|
19
|
-
end
|
|
20
|
-
end
|
|
21
|
-
findings
|
|
22
|
-
end
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
1
|
+
module Rails
|
|
2
|
+
module Guarddog
|
|
3
|
+
module Checkers
|
|
4
|
+
class XssChecker < BaseChecker
|
|
5
|
+
def run
|
|
6
|
+
glob_files('app/views/**/*.erb').each do |file|
|
|
7
|
+
content = File.read(file)
|
|
8
|
+
content.each_line.with_index do |line, idx|
|
|
9
|
+
if xss_vulnerable?(line)
|
|
10
|
+
add_finding(
|
|
11
|
+
severity: :high,
|
|
12
|
+
message: "Potential XSS vulnerability: unescaped output detected",
|
|
13
|
+
file: file,
|
|
14
|
+
line: idx + 1,
|
|
15
|
+
snippet: line.strip,
|
|
16
|
+
remediation: "Use <%= h() %> or sanitize() instead of raw/html_safe"
|
|
17
|
+
)
|
|
18
|
+
end
|
|
19
|
+
end
|
|
20
|
+
end
|
|
21
|
+
findings
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
private
|
|
25
|
+
|
|
26
|
+
def xss_vulnerable?(line)
|
|
27
|
+
# <%== is Rails' raw output (alias for raw())
|
|
28
|
+
return true if line.match?(/<%==/)
|
|
29
|
+
|
|
30
|
+
# raw() helper explicitly disables escaping
|
|
31
|
+
return true if line.match?(/<%=.*\braw\s*\(/)
|
|
32
|
+
|
|
33
|
+
# .html_safe bypasses escaping
|
|
34
|
+
return true if line.match?(/<%=.*\.html_safe/)
|
|
35
|
+
|
|
36
|
+
# concat with raw content
|
|
37
|
+
return true if line.match?(/<%=.*content_tag.*html_safe/)
|
|
38
|
+
|
|
39
|
+
false
|
|
40
|
+
end
|
|
41
|
+
end
|
|
42
|
+
end
|
|
43
|
+
end
|
|
44
|
+
end
|
|
@@ -1,37 +1,44 @@
|
|
|
1
|
-
module Rails
|
|
2
|
-
module Guarddog
|
|
3
|
-
class Scanner
|
|
4
|
-
attr_accessor :configuration, :findings
|
|
5
|
-
|
|
6
|
-
def initialize(config = nil)
|
|
7
|
-
@configuration = config || Configuration.new
|
|
8
|
-
@findings = []
|
|
9
|
-
end
|
|
10
|
-
|
|
11
|
-
def run
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
Checkers
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
end
|
|
1
|
+
module Rails
|
|
2
|
+
module Guarddog
|
|
3
|
+
class Scanner
|
|
4
|
+
attr_accessor :configuration, :findings
|
|
5
|
+
|
|
6
|
+
def initialize(config = nil)
|
|
7
|
+
@configuration = config || Configuration.new
|
|
8
|
+
@findings = []
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
def run
|
|
12
|
+
load_checkers.each do |checker_class|
|
|
13
|
+
checker = checker_class.new(@configuration.root)
|
|
14
|
+
checker.run
|
|
15
|
+
@findings.concat(checker.findings)
|
|
16
|
+
end
|
|
17
|
+
@findings.sort_by { |f| severity_order(f.severity) }
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
private
|
|
21
|
+
|
|
22
|
+
def load_checkers
|
|
23
|
+
[
|
|
24
|
+
Checkers::SqlInjectionChecker,
|
|
25
|
+
Checkers::XssChecker,
|
|
26
|
+
Checkers::CsrfChecker,
|
|
27
|
+
Checkers::MassAssignmentChecker,
|
|
28
|
+
Checkers::OpenRedirectChecker,
|
|
29
|
+
Checkers::SecretsChecker,
|
|
30
|
+
Checkers::DosChecker,
|
|
31
|
+
Checkers::IdorChecker,
|
|
32
|
+
Checkers::AiInjectionChecker,
|
|
33
|
+
Checkers::RateLimitChecker,
|
|
34
|
+
Checkers::DependencyChecker,
|
|
35
|
+
Checkers::GraphqlChecker
|
|
36
|
+
]
|
|
37
|
+
end
|
|
38
|
+
|
|
39
|
+
def severity_order(severity)
|
|
40
|
+
{ critical: 0, high: 1, medium: 2, low: 3 }[severity] || 4
|
|
41
|
+
end
|
|
42
|
+
end
|
|
43
|
+
end
|
|
44
|
+
end
|