/
unquoted-attribute.yaml
41 lines (41 loc) · 1.23 KB
/
unquoted-attribute.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
rules:
- id: unquoted-attribute
message: 'Detected a unquoted template variable as an attribute. If unquoted, a malicious actor could
inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this:
"<%= expr %>".'
metadata:
cwe:
- "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
owasp:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
references:
- https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#unquoted-attributes
- https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss
category: security
technology:
- rails
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: MEDIUM
confidence: LOW
languages:
- generic
paths:
include:
- '*.erb'
severity: WARNING
patterns:
- pattern-inside: <$TAG ...>
- pattern-not-inside: ="..."
- pattern-not-inside: ="<%= ... %>"
- pattern-not-inside: ='...'
- pattern-not-inside: ='<%= ... %>'
- pattern: <%= ... %>
fix-regex:
regex: <%=(.*?)%>
replacement: '"<%=\1%>"'