WARNING TYPES
Cross Site Scripting
Cross site scripting (or XSS) is #2 on the 2010 OWASP Top Ten web security risks and it pops up nearly everywhere.
XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.
In Rails 2.x, values need to be explicitly escaped (e.g., by using the h
method). In Rails 3.x, auto-escaping in views is enabled by default. However, one can still use the raw
method to output a value directly.
See the Ruby Security Guide for more details.
Query Parameters and Cookies
Rails 2.x example in ERB:
<%= params[:query] %>
Railroader looks for several situations that can allow XSS. The simplest is like the example above: a value from the params
or cookies
is being directly output to a view. In such cases, it will issue a warning like:
Unescaped parameter value near line 3: params[:query]
By default, Railroader will also warn when a parameter or cookie value is used as an argument to a method, the result of which is output unescaped to a view.
For example:
<%= some_method(cookie[:name]) %>
This raises a warning like:
Unescaped cookie value near line 5: some_method(cookies[:oreo])
However, the confidence level for this warning will be weak, because it is not directly outputting the cookie value.
Some methods are known to Railroader to either be dangerous (link_to
is one) or safe (escape_once
). Users can specify safe methods using the --safe-methods
option. Alternatively, Railroader can be set to only warn when values are used directly with the --report-direct
option.
Model Attributes
Because (many) models come from database values, Railroader mistrusts them by default.
For example, if @user
is an instance of a model set in an action like
def set_user
@user = User.first
end
and there is a view with
<%= @user.name %>
Railroader will raise a warning like
Unescaped model attribute near line 3: User.first.name
If you trust all your data (although you probably shouldn’t), this can be disabled with --ignore-model-output
.
Back to Warning Types