diff --git a/rules/ruby/rails/render_using_user_input.yml b/rules/ruby/rails/render_using_user_input.yml
index a58e9227..bfa51408 100644
--- a/rules/ruby/rails/render_using_user_input.yml
+++ b/rules/ruby/rails/render_using_user_input.yml
@@ -15,11 +15,23 @@ patterns:
 - variable: USER_INPUT
 detection: ruby_shared_common_html_user_input
 scope: result
- - pattern: send_data($$<...>)
+ - pattern: | send_data($, disposition: $)
 filters:
 - variable: USER_INPUT
 detection: ruby_shared_common_html_user_input
 scope: result
+ - not: variable: DISPOSITION detection: ruby_rails_render_using_user_input_attachment scope: cursor
+auxiliary: - id: ruby_rails_render_using_user_input_attachment patterns: - pattern: $ filters: - variable: VALUE string_regex: \Aattachment\z
 severity: high
 metadata:
 description: "Unsanitized user input in raw HTML strings (XSS)"
diff --git a/tests/ruby/rails/render_using_user_input/testdata/ok_not_unsafe.rb b/tests/ruby/rails/render_using_user_input/testdata/ok_not_unsafe.rb
index 3c9fcd1d..9e7645ac 100644
--- a/tests/ruby/rails/render_using_user_input/testdata/ok_not_unsafe.rb
+++ b/tests/ruby/rails/render_using_user_input/testdata/ok_not_unsafe.rb
@@ -4,4 +4,5 @@ render html: sanitize(params[:oops])
 render inline: "
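Review bot: The `not` filter on the new `send_data` pattern only accepts a DISPOSITION value matching `\Aattachment\z`, so the equally safe forms `disposition: :attachment` (Rails calls `to_s` on the value) and `disposition: "attachment; filename=..."` would still be reported; that is a conservative false positive rather than a miss, but if `string_regex` does not see symbol literals the auxiliary detection should be widened to accept `:attachment` as well. The bigger thing a reader needs is that calls with no `disposition:` keyword no longer match at all, which is correct only because Rails' `send_data` defaults the disposition to attachment, and nothing in the rule says so — I would add `# send_data defaults to disposition: "attachment"; only calls that set it explicitly are inspected` above the new pattern. The expected-detection fixtures put `type:` before `disposition:`, so dropping the old `$<...>` relies on Bearer's keyword-argument matching tolerating extra pairs in any order; presumably the test run confirms that.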

#{strip_tags(params[:oops])}

"
-send_data "ok", type: content_type
+send_data params[:user_input], type: content_type
+send_data params[:user_input], type: content_type, disposition: "attachment"
diff --git a/tests/ruby/rails/render_using_user_input/testdata/unsafe.rb b/tests/ruby/rails/render_using_user_input/testdata/unsafe.rb
index 7c6e5a2e..ce761594 100644
--- a/tests/ruby/rails/render_using_user_input/testdata/unsafe.rb
+++ b/tests/ruby/rails/render_using_user_input/testdata/unsafe.rb
@@ -4,4 +4,6 @@ render inline: "
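Review bot: The new OK fixture `send_data params[:user_input], type: content_type` is accepted only because no `disposition:` is given and Rails defaults it to attachment, and the fixture does not say so; a one-line comment such as `# no disposition given: Rails defaults to "attachment", so the body is downloaded, not rendered` would stop a future reader from "fixing" it. It would also be worth adding the symbol form `send_data params[:user_input], type: content_type, disposition: :attachment` here, since Rails accepts it and the auxiliary regex in the rule may or may not match a symbol literal — the test would settle that.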

#{params[:oops]}

"
 # bearer:expected ruby_rails_render_using_user_input
-send_data params[:oops], type: content_type
+send_data params[:user_input], type: content_type, disposition: "inline"
+# bearer:expected ruby_rails_render_using_user_input
+send_data params[:user_input], type: content_type, disposition: unknown
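Review bot: The unsafe fixtures cover `"inline"` and a non-literal, but not `disposition: nil`, which Rails treats by omitting the Content-Disposition header entirely so the browser is free to render the body inline; adding `send_data params[:user_input], type: content_type, disposition: nil` under its own `# bearer:expected ruby_rails_render_using_user_input` line would pin that the rule's `not` filter reports it. The bare `unknown` on the last added line is fine as a stand-in for a runtime value, but a short comment like `# disposition not decidable statically, so it must be reported` would make the intent of that case clear.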