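# Semgrep rule: flag a Rails `link_to` whose target is built from an instance
# variable inside an ERB output tag (`<%= ... %>`). The only exclusions are the
# two forms where the variable is prefixed with a literal "/" via `+`, so other
# safe constructions (if any) are not recognised by this rule and would still be
# reported — hence the LOW confidence / audit subcategory below.
rules:
  - id: dangerous-link-to
    # Folded scalar: line breaks become single spaces, so a word must not be
    # split across lines (the old "cross-\nsite" rendered as "cross- site").
    message: >-
      Detected a template variable used in 'link_to'. This will
      generate dynamic data in the 'href' attribute.
      This allows a malicious actor to
      input the 'javascript:' URI and is subject to
      cross-site scripting (XSS) attacks. If using a relative URL,
      start with a literal forward slash and concatenate the URL,
      like this: 'link_to "Here", "/"+@link'. You may also consider
      setting the Content Security Policy (CSP) header.
    metadata:
      # Upstream Brakeman check this rule is derived from.
      source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_link_to.rb
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
      owasp:
        - 'A07:2017 - Cross-Site Scripting (XSS)'
        - 'A03:2021 - Injection'
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Ruby_on_Rails_Cheat_Sheet.html#cross-site-scripting-xss
        - https://brakemanscanner.org/docs/warning_types/link_to_href/
      category: security
      technology:
        - rails
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
    # ERB has no dedicated Semgrep language; generic mode is restricted to
    # template files by the path filter below.
    languages:
      - generic
    paths:
      include:
        - '*.erb'
    severity: WARNING
    patterns:
      # Only inspect ERB output tags; plain `<% %>` blocks are ignored.
      - pattern-inside: <%= ... %>
      # Exclude the documented safe form: a literal leading "/" concatenated
      # with `+` (double- or single-quoted). Other prefixes are not excluded.
      - pattern-not-inside: link_to ... "/" + ... @$VAR
      - pattern-not-inside: link_to ... '/' + ... @$VAR
      # Match any remaining `link_to` whose arguments include an instance variable.
      - pattern: link_to ... @$VAR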