Open MaxSchlueter opened 6 months ago
Thanks for reporting this. @alexrford are we missing a model for `%` and/or `sprintf`?
Hi, apologies for the late response. We have modeling for `String#%` in `StringFormatters.qll`; the issue here is with the XSS query expecting the taint step to appear before the `html_safe` call in the dataflow path. In the case of e.g. `"Welcome %{user}".html_safe % { user: @user.handle }`, the string `"Welcome %{user}"` is marked as HTML safe before the string is tainted, which the XSS queries currently miss.
I have an improvement for the XSS queries in mind that will address this, but it needs some more testing before it's ready
I noticed that dataflow in Ruby isn't propagated to `Kernel.sprintf` formatted strings, e.g. the stored XSS query should flag this code in an ERB template:
The string literal is parsed as a single `Ast::StringTextComponent`, where it should probably also contain an `Ast::StringInterpolationComponent`. I tried to work around this problem using an additional taint step:
which works for the code snippet above, but doesn't work when the dataflow gets a bit more complex:
I tried the following, but it doesn't work:
How do I catch the insecure code snippet above using local dataflow?
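The two patterns discussed in this thread (a format string marked safe before `String#%` interpolates a tainted value, and a `Kernel.sprintf` call that receives a tainted argument) share one defensive point: the argument side has to be escaped no matter what the template was marked as. The script below is an added example, not code from this issue or from the CodeQL repository. `MarkedSafe` is a constructed stand-in for a "blessed" string (it only carries a flag, it is not Rails' `ActiveSupport::SafeBuffer`), and `TAINTED_HANDLE` is a constructed sample input standing in for `@user.handle`.

```ruby
# Added example (not from the issue or from CodeQL): why the argument side of
# String#% / Kernel.sprintf must be escaped regardless of whether the format
# string itself was already marked "safe".
require "cgi"

# Constructed stand-in for a string that was marked safe. It is NOT Rails'
# SafeBuffer: it only records the marker and performs no escaping.
class MarkedSafe < String
  def html_safe?
    true
  end
end

# Constructed sample input standing in for an attacker-controlled @user.handle.
TAINTED_HANDLE = "<script>alert(1)</script>"

# Pattern from the thread: the template is marked safe *before* the tainted
# value is interpolated, so the taint enters the string after the safe marker.
def render_template_first(handle)
  template = MarkedSafe.new("Welcome %{user}")
  template % { user: handle } # plain String#%: nothing escapes `handle`
end

# Same shape using Kernel.sprintf: the format string is a literal, the
# tainted value is the argument.
def render_sprintf(handle)
  Kernel.sprintf("Welcome %s", handle)
end

# Hardened form: escape each argument, then format. What reaches the output
# is the escaped argument, so the template's marker no longer matters.
def render_escaped(handle)
  Kernel.sprintf("Welcome %s", CGI.escapeHTML(handle))
end

# Minimal check a test or reviewer can run: did raw markup survive to output?
def contains_raw_markup?(html)
  html.include?("<") || html.include?(">")
end

if __FILE__ == $PROGRAM_NAME
  [method(:render_template_first), method(:render_sprintf), method(:render_escaped)].each do |m|
    out = m.call(TAINTED_HANDLE)
    puts "#{m.name}: #{out.inspect} raw_markup=#{contains_raw_markup?(out)}"
  end
end
```

Running it shows the first two renderings emit the `<script>` tag verbatim while the escaped form emits `&lt;script&gt;...`; a query that only looks for taint arriving before the safe marker will report neither of the first two, which is the gap the thread describes.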