Merge branch 'cross-site' of git://github.com/paultetreau/brakeman in…

…to paultetreau-cross-site

# Conflicts:
#	WARNING_TYPES
#	docs/warning_types/cross_site_scripting/index.markdown
#	docs/warning_types/session_setting/index.markdown
#	lib/brakeman/checks/check_link_to_href.rb
#	test/tests/rails2.rb
#	test/tests/rails3.rb
#	test/tests/rails4.rb

CHANGES

@@ -300,7 +300,7 @@
 # 3.0.0
 
 * Add check for CVE-2014-7829
-* Add check for cross site scripting via inline renders
+* Add check for cross-site scripting via inline renders
 * Fix formatting of command interpolation
 * Local variables are no longer formatted as `(local var)`
 * Actually skip skipped before filters

FEATURES

@@ -1,5 +1,5 @@
 Can detect:
--Possibly unescaped model attributes or parameters in views (Cross Site Scripting)
+-Possibly unescaped model attributes or parameters in views (Cross-Site Scripting)
 -Bad string interpolation in calls to Model.find, Model.last, Model.first, etc., as well as chained calls (SQL Injection)
 -String interpolation in find_by_sql (SQL Injection)
 -String interpolation or params in calls to system, exec, and syscall and `` (Command Injection)

docs/warning_types/content_tag/index.markdown

@@ -1,4 +1,4 @@
-Cross site scripting (or XSS) is #2 on the 2010 [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2010-A2) web security risks and it pops up nearly everywhere. XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.
+Cross-site scripting (or XSS) is #2 on the 2010 [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2010-A2) web security risks and it pops up nearly everywhere. XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.
 
 [content\_tag](http://apidock.com/rails/ActionView/Helpers/TagHelper/content_tag) is a view helper which generates an HTML tag with some content:
 

docs/warning_types/cross_site_scripting/index.markdown

@@ -1,4 +1,4 @@
-Cross site scripting (or XSS) is #3 on the 2013 [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS\)) web security risks and it pops up nearly everywhere.
+Cross-site scripting (or XSS) is #3 on the 2013 [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS\)) web security risks and it pops up nearly everywhere.
 
 XSS occurs when a user-controlled value is displayed on a web page without properly escaping it, allowing someone to inject Javascript or HTML into the page which will be interpreted and executed by the browser..
 

docs/warning_types/cross_site_scripting_to_json/index.markdown

@@ -1,4 +1,4 @@
-Cross site scripting (or XSS) is #2 on the 2010 [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2010-A2) web security risks and it pops up nearly everywhere.
+Cross-site scripting (or XSS) is #2 on the 2010 [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2010-A2) web security risks and it pops up nearly everywhere.
 
 XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.  Calls to `Hash#to_json` can be used to trigger XSS.  Brakeman will check to see if there are any calls to `Hash#to_json` with `ActiveSupport#escape_html_entities_in_json` set to false (or if you are running Rails < 2.1.0 which did not have this functionality).
 

docs/warning_types/session_setting/index.markdown

@@ -2,7 +2,7 @@ Brakeman warns about several different session-related issues.
 
 ### HTTP Only
 
-It is recommended that session cookies be set to `http-only`. This helps prevent stealing of cookies via cross site scripting.
+It is recommended that session cookies be set to `http-only`. This helps prevent stealing of cookies via cross-site scripting.
 
 ### Secret Length
 

lib/brakeman/checks/check_content_tag.rb

@@ -101,7 +101,7 @@ def check_argument result, exp
       add_result result
 
       warn :result => result,
-        :warning_type => "Cross Site Scripting",
+        :warning_type => "Cross-Site Scripting",
         :warning_code => :xss_content_tag,
         :message => message,
         :user_input => input,
@@ -119,7 +119,7 @@ def check_argument result, exp
         end
 
         warn :result => result,
-          :warning_type => "Cross Site Scripting",
+          :warning_type => "Cross-Site Scripting",
           :warning_code => :xss_content_tag,
           :message => "Unescaped model attribute in content_tag",
           :user_input => match,
@@ -135,7 +135,7 @@ def check_argument result, exp
       add_result result
 
       warn :result => result,
-        :warning_type => "Cross Site Scripting",
+        :warning_type => "Cross-Site Scripting",
         :warning_code => :xss_content_tag,
         :message => message,
         :user_input => @matched,
@@ -179,7 +179,7 @@ def check_cve_2016_6316
                       return
                     end
 
-      warn :warning_type => "Cross Site Scripting",
+      warn :warning_type => "Cross-Site Scripting",
         :warning_code => :CVE_2016_6316,
         :message => "Rails #{rails_version} content_tag does not escape double quotes in attribute values (CVE-2016-6316). Upgrade to #{fix_version}",
         :confidence => confidence,

lib/brakeman/checks/check_cross_site_scripting.rb

@@ -73,7 +73,7 @@ def check_for_immediate_xss exp
       message = "Unescaped #{friendly_type_of input}"
 
       warn :template => @current_template,
-        :warning_type => "Cross Site Scripting",
+        :warning_type => "Cross-Site Scripting",
         :warning_code => :cross_site_scripting,
         :message => message,
         :code => input.match,
@@ -106,7 +106,7 @@ def check_for_immediate_xss exp
         end
 
         warn :template => @current_template,
-          :warning_type => "Cross Site Scripting",
+          :warning_type => "Cross-Site Scripting",
           :warning_code => warning_code,
           :message => message,
           :code => match,
@@ -189,7 +189,7 @@ def process_call exp
           end
 
           warn :template => @current_template,
-            :warning_type => "Cross Site Scripting",
+            :warning_type => "Cross-Site Scripting",
             :warning_code => warning_code,
             :message => message,
             :code => exp,

lib/brakeman/checks/check_escape_function.rb

@@ -10,7 +10,7 @@ class Brakeman::CheckEscapeFunction < Brakeman::BaseCheck
   def run_check
     if version_between?('2.0.0', '2.3.13') and RUBY_VERSION < '1.9.0' 
 
-      warn :warning_type => 'Cross Site Scripting',
+      warn :warning_type => 'Cross-Site Scripting',
         :warning_code => :CVE_2011_2932,
         :message => 'Versions before 2.3.14 have a vulnerability in escape method when used with Ruby 1.8: CVE-2011-2932',
         :confidence => :high,

lib/brakeman/checks/check_i18n_xss.rb

@@ -18,7 +18,7 @@ def run_check
         return
       end
 
-      warn :warning_type => "Cross Site Scripting",
+      warn :warning_type => "Cross-Site Scripting",
         :warning_code => :CVE_2013_4491,
         :message => message,
         :confidence => :medium,

lib/brakeman/checks/check_json_encoding.rb

@@ -21,7 +21,7 @@ def run_check
         confidence = :medium
       end
 
-      warn :warning_type => "Cross Site Scripting",
+      warn :warning_type => "Cross-Site Scripting",
         :warning_code => :CVE_2015_3226,
         :message => message,
         :confidence => confidence,

lib/brakeman/checks/check_link_to.rb

@@ -100,7 +100,7 @@ def check_matched(result, matched = nil)
   def warn_xss(result, message, user_input, confidence)
     add_result(result)
     warn :result => result,
-      :warning_type => "Cross Site Scripting",
+      :warning_type => "Cross-Site Scripting",
       :warning_code => :xss_link_to,
       :message => message,
       :user_input => user_input,

lib/brakeman/checks/check_link_to_href.rb

@@ -48,7 +48,7 @@ def process_result result
       unless duplicate? result or call_on_params? url_arg or ignore_interpolation? url_arg, input.match
         add_result result
         warn :result => result,
-          :warning_type => "Cross Site Scripting",
+          :warning_type => "Cross-Site Scripting",
           :warning_code => :xss_link_to_href,
           :message => message,
           :user_input => input,
@@ -62,7 +62,7 @@ def process_result result
       message = "Potentially unsafe model attribute in link_to href"
 
       warn :result => result,
-        :warning_type => "Cross Site Scripting",
+        :warning_type => "Cross-Site Scripting",
         :warning_code => :xss_link_to_href,
         :message => message,
         :user_input => input,

lib/brakeman/checks/check_mail_to.rb

@@ -1,6 +1,6 @@
 require 'brakeman/checks/base_check'
 
-#Check for cross site scripting vulnerability in mail_to :encode => :javascript
+#Check for cross-site scripting vulnerability in mail_to :encode => :javascript
 #with certain versions of Rails (< 2.3.11 or < 3.0.4).
 #
 #http://groups.google.com/group/rubyonrails-security/browse_thread/thread/f02a48ede8315f81

lib/brakeman/checks/check_number_to_currency.rb

@@ -31,7 +31,7 @@ def generic_warning
       message << "4.0.3"
     end
 
-    warn :warning_type => "Cross Site Scripting",
+    warn :warning_type => "Cross-Site Scripting",
       :warning_code => :CVE_2014_0081,
       :message => message,
       :confidence => :medium,
@@ -64,7 +64,7 @@ def check_helper_option result, exp
 
   def warn_on_number_helper result, match
     warn :result => result,
-      :warning_type => "Cross Site Scripting",
+      :warning_type => "Cross-Site Scripting",
       :warning_code => :CVE_2014_0081_call,
       :message => "Format options in #{result[:call].method} are not safe in Rails #{rails_version}",
       :confidence => :high,

lib/brakeman/checks/check_render_inline.rb

@@ -1,7 +1,7 @@
 class Brakeman::CheckRenderInline < Brakeman::CheckCrossSiteScripting
   Brakeman::Checks.add self
 
-  @description = "Checks for cross site scripting in render calls"
+  @description = "Checks for cross-site scripting in render calls"
 
   def run_check
     setup
@@ -24,14 +24,14 @@ def check_render result
 
         if input = has_immediate_user_input?(render_value)
           warn :result => result,
-            :warning_type => "Cross Site Scripting",
+            :warning_type => "Cross-Site Scripting",
             :warning_code => :cross_site_scripting_inline,
             :message => "Unescaped #{friendly_type_of input} rendered inline",
             :user_input => input,
             :confidence => :high
         elsif input = has_immediate_model?(render_value)
           warn :result => result,
-            :warning_type => "Cross Site Scripting",
+            :warning_type => "Cross-Site Scripting",
             :warning_code => :cross_site_scripting_inline,
             :message => "Unescaped model attribute rendered inline",
             :user_input => input,

lib/brakeman/checks/check_safe_buffer_manipulation.rb

@@ -22,7 +22,7 @@ def run_check
 
     message = "Rails #{rails_version} has a vulnerabilty in SafeBuffer. Upgrade to #{suggested_version} or apply patches."
 
-    warn :warning_type => "Cross Site Scripting",
+    warn :warning_type => "Cross-Site Scripting",
       :warning_code => :safe_buffer_vuln, 
       :message => message,
       :confidence => :medium,

lib/brakeman/checks/check_sanitize_methods.rb

@@ -52,7 +52,7 @@ def check_for_cve method, code, link
       end
 
       warn :result => result,
-        :warning_type => "Cross Site Scripting",
+        :warning_type => "Cross-Site Scripting",
         :warning_code => code,
         :message => message,
         :confidence => :high,
@@ -69,7 +69,7 @@ def warn_sanitizer_cve cve, link
       confidence = :medium
     end
 
-    warn :warning_type => "Cross Site Scripting",
+    warn :warning_type => "Cross-Site Scripting",
       :warning_code => cve.tr('-', '_').to_sym,
       :message => message,
       :gem_info => gemfile_or_environment,

lib/brakeman/checks/check_select_tag.rb

@@ -46,7 +46,7 @@ def process_result result
         return
       elsif sexp? prompt_option and input = include_user_input?(prompt_option)
 
-        warn :warning_type => "Cross Site Scripting",
+        warn :warning_type => "Cross-Site Scripting",
           :warning_code => :CVE_2012_3463,
           :result => result,
           :message => @message,

lib/brakeman/checks/check_select_vulnerability.rb

@@ -50,7 +50,7 @@ def process_result result
       end
 
       warn :template => result[:location][:template],
-          :warning_type => "Cross Site Scripting",
+          :warning_type => "Cross-Site Scripting",
           :warning_code => :select_options_vuln,
           :result => result,
           :message => @message,

lib/brakeman/checks/check_simple_format.rb

@@ -18,7 +18,7 @@ def run_check
   def generic_warning
     message = "Rails #{rails_version} has a vulnerability in simple_format (CVE-2013-6416). Upgrade to Rails version 4.0.2"
 
-    warn :warning_type => "Cross Site Scripting",
+    warn :warning_type => "Cross-Site Scripting",
       :warning_code => :CVE_2013_6416,
       :message => message,
       :confidence => :medium,
@@ -48,7 +48,7 @@ def warn_on_simple_format result, match
     @found_any = true
 
     warn :result => result,
-      :warning_type => "Cross Site Scripting",
+      :warning_type => "Cross-Site Scripting",
       :warning_code => :CVE_2013_6416_call,
       :message => "Values passed to simple_format are not safe in Rails #{rails_version}",
       :confidence => :high,

lib/brakeman/checks/check_single_quotes.rb

@@ -29,7 +29,7 @@ def run_check
       return
     end
 
-    warn :warning_type => "Cross Site Scripting",
+    warn :warning_type => "Cross-Site Scripting",
       :warning_code => :CVE_2012_3464,
       :message => message,
       :confidence => :medium,

lib/brakeman/checks/check_strip_tags.rb

@@ -30,7 +30,7 @@ def cve_2011_2931
         message = "Versions before 2.3.13 have a vulnerability in strip_tags (CVE-2011-2931)"
       end
 
-      warn :warning_type => "Cross Site Scripting",
+      warn :warning_type => "Cross-Site Scripting",
         :warning_code => :CVE_2011_2931,
         :message => message,
         :gem_info => gemfile_or_environment,
@@ -53,7 +53,7 @@ def cve_2012_3465
       return
     end
 
-    warn :warning_type => "Cross Site Scripting",
+    warn :warning_type => "Cross-Site Scripting",
       :warning_code => :CVE_2012_3465,
       :message => message,
       :confidence => :high,
@@ -71,7 +71,7 @@ def cve_2015_7579
 
       message = "rails-html-sanitizer 1.0.2 is vulnerable (CVE-2015-7579). Upgrade to 1.0.3"
 
-      warn :warning_type => "Cross Site Scripting",
+      warn :warning_type => "Cross-Site Scripting",
         :warning_code => :CVE_2015_7579,
         :message => message,
         :confidence => confidence,

lib/brakeman/checks/check_translate_bug.rb

@@ -28,7 +28,7 @@ def run_check
         "Rails 2.3.x using the rails_xss plugin #{description}."
       end
 
-      warn :warning_type => "Cross Site Scripting",
+      warn :warning_type => "Cross-Site Scripting",
         :warning_code => :translate_vuln,
         :message => message,
         :confidence => confidence,

test/apps/rails2/config/brakeman.ignore

@@ -1,7 +1,7 @@
 {
   "ignored_warnings": [
     {
-      "warning_type": "Cross Site Scripting",
+      "warning_type": "Cross-Site Scripting",
       "warning_code": 2,
       "fingerprint": "e53a25ddc8ca61f7c4b81602bae04cd6746cf6a7432e89407fbeb362a66f4e8f",
       "message": "Unescaped model attribute",

test/tests/cves.rb

@@ -26,7 +26,7 @@ def test_CVE_2015_3226_4_1_1
     assert_warning :type => :warning,
       :warning_code => 87,
       :fingerprint => "6c2281400c467a0100bcedeb122bc2cb024d09e538e18f4c7328c3569fff6754",
-      :warning_type => "Cross Site Scripting",
+      :warning_type => "Cross-Site Scripting",
       :line => 4,
       :message => /^Rails\ 4\.1\.1\ does\ not\ encode\ JSON\ keys\ \(C/,
       :confidence => 0,
@@ -43,7 +43,7 @@ def test_CVE_2015_3226_4_2_1
     assert_warning :type => :warning,
       :warning_code => 87,
       :fingerprint => "6c2281400c467a0100bcedeb122bc2cb024d09e538e18f4c7328c3569fff6754",
-      :warning_type => "Cross Site Scripting",
+      :warning_type => "Cross-Site Scripting",
       :line => 4,
       :message => /^Rails\ 4\.2\.1\ does\ not\ encode\ JSON\ keys\ \(C/,
       :confidence => 0,
@@ -76,7 +76,7 @@ def to_s
     assert_no_warning :type => :warning,
       :warning_code => 87,
       :fingerprint => "6c2281400c467a0100bcedeb122bc2cb024d09e538e18f4c7328c3569fff6754",
-      :warning_type => "Cross Site Scripting",
+      :warning_type => "Cross-Site Scripting",
       :line => 4,
       :message => /^Rails\ 4\.2\.1\ does\ not\ encode\ JSON\ keys\ \(C/,
       :confidence => 0,