Is your feature request related to a problem? Please describe.
It appears that Brakeman may not pick up on Cross-Site Scripting (XSS) issues when they occur as a result of a loop. A simple loop which marks html_safe from a param is not detected (see example at bottom). I made a repository demoing this here. Endpoints which trigger the XSS are: http://localhost:3000/unsafe?xss=%3Cscript%3Ealert(1)%3C/script%3E and http://localhost:3000/unsafe_erb?xss=%3Cscript%3Ealert(1)%3C/script%3E
Describe the solution you'd like
It'd be nice if Brakeman could detect XSS that occurs as a result of a loop variable.
Describe alternatives you've considered
I'm new to Brakeman, so this might not be something that can be done with the current parser. In that case, flagging a low confidence for loop variables being html_safe/raw would still be an improvement.
Additional context
Consider the following minimal route and view:
```ruby
# config/routes.rb
Rails.application.routes.draw do
  get '/unsafe', to: 'unsafe#index'
end
```

```haml
-# app/views/unsafe/index.html.haml
- [params[:xss]].each do |xss|
  = xss.html_safe
```
Accessing a route such as /unsafe?xss=<script>alert(1)</script> triggers the XSS, but Brakeman does not detect it:
Note that while my example was HAML, the same issue happens with ERB:
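Added example (not from the issue author and not Brakeman's or Rails' code): a constructed, Rails-free model of the escaping Rails applies to `=` / `<%= %>` output, used to show that calling html_safe on the block variable is the same taint flow as calling params[:xss].html_safe directly, and that the fix is to let the default escaping run on the block variable. SafeString, output, render, the three view constants, the render_* helpers and the payload are all assumptions of this example; Brakeman's own analysis is not modelled.

```ruby
require "erb"

# Constructed stand-in for ActiveSupport::SafeBuffer: a String subclass the
# renderer below treats as already escaped. Not Rails' real implementation.
class SafeString < String; end

class String
  # Constructed stand-in for ActiveSupport's String#html_safe.
  def html_safe
    SafeString.new(self)
  end
end

# What Rails does for every <%= %> (and HAML "="): escape the value unless
# it has been marked html_safe.
def output(value)
  value.is_a?(SafeString) ? value.to_s : ERB::Util.html_escape(value.to_s)
end

# Minimal view renderer: rewrites each <%= expr %> into <%= output(expr) %>
# (escape-by-default, as Rails' ERB handler does) and binds `params` so the
# template can read params[:xss] like a Rails view. Assumption of this example.
def render(template, params)
  escaped = template.gsub(/<%=\s*(.+?)\s*%>/) { "<%= output(#{$1}) %>" }
  ERB.new(escaped, trim_mode: "-").result_with_hash(params: params).strip
end

# The loop from the issue, in ERB form: html_safe on the block variable.
LOOP_UNSAFE_VIEW = <<~ERB
  <% [params[:xss]].each do |xss| -%>
  <%= xss.html_safe %>
  <% end -%>
ERB

# The same taint flow without the loop, the shape Brakeman's
# cross-site scripting check is designed to catch.
DIRECT_UNSAFE_VIEW = <<~ERB
  <%= params[:xss].html_safe %>
ERB

# Hardened form: no html_safe, so the default escaping runs on the block variable.
LOOP_FIXED_VIEW = <<~ERB
  <% [params[:xss]].each do |xss| -%>
  <%= xss %>
  <% end -%>
ERB

PAYLOAD = "<script>alert(1)</script>" # constructed attacker input

def render_loop_unsafe(xss = PAYLOAD)
  render(LOOP_UNSAFE_VIEW, { xss: xss })
end

def render_direct_unsafe(xss = PAYLOAD)
  render(DIRECT_UNSAFE_VIEW, { xss: xss })
end

def render_loop_fixed(xss = PAYLOAD)
  render(LOOP_FIXED_VIEW, { xss: xss })
end

if __FILE__ == $PROGRAM_NAME
  puts "loop + html_safe:   #{render_loop_unsafe}"   # raw <script> reaches the page
  puts "direct html_safe:   #{render_direct_unsafe}" # identical output
  puts "loop, no html_safe: #{render_loop_fixed}"    # &lt;script&gt;... is escaped
end
```

The point for a static analyser is visible in the first two renders: the block parameter `xss` is just an alias for `params[:xss]`, so `xss.html_safe` is exactly as dangerous as `params[:xss].html_safe`, and a check that tracks taint only through direct calls misses it.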