
class_eval matching #25

Closed
alepore opened this issue Jan 22, 2014 · 1 comment
@alepore (Contributor)

alepore commented Jan 22, 2014

Hi,
I have many Spree projects where it is very common to create model decorators via class_eval().
Looks like dawn matches all of them because they contain the word "eval":

08:05:52 [$] dawn: Solution: Please refere to the Ruby on Rails cheatsheet available from owasp.org to mitigate this vulnerability
08:05:52 [!] dawn: Evidence:
08:05:52 [!] dawn: [{:filename=>"./app/models/spree/shipment_decorator.rb", :matches=>[{:match=>"Spree::Shipment.class_eval do\n", :line=>0}]}, {:filename=>"./app/models/spree/shipping_method_decorator.rb", :matches=>[{:match=>"Spree::ShippingMethod.class_eval do\n", :line=>0}]}
.......

Is this intended?

@thesp0nge (Owner)

Unfortunately yes.

The OWASP RoR Cheatsheet says that eval-uating script must be done carefully. Dawn uses a pattern matching approach to raise this kind of warning, therefore it prompts you for the vuln.

A solution will follow later when I add a severity indicator; it will be informational in this case.
For now, check that your eval parameters can't be controlled by your users...
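As an added illustration of the distinction drawn in this thread (this is example code written for this page, not code from dawn, from Spree, or from the reporter's projects), the Ruby below contrasts a substring match on "eval", which reports every file in the set, with a check on Ripper's parse tree that reports only eval-family calls given an argument. The block form used by Spree decorators (`Foo.class_eval do ... end`) carries a literal block, so it is left alone; `eval(params[:expression])` and `instance_eval(rule.body)` are reported with their line numbers. The file names and snippets in `SAMPLES` are constructed for the example.

```ruby
require "ripper"

# Constructed sample sources for this example (not files from any real project).
SAMPLES = {
  # Spree-style decorator: class_eval with a literal block, no external input.
  "shipment_decorator.rb" => <<~'RUBY',
    Spree::Shipment.class_eval do
      def tracking_url
        "https://example.invalid/track/#{tracking}"
      end
    end
  RUBY
  # Dangerous: string form of eval fed from request parameters.
  "report_controller.rb" => <<~'RUBY',
    class ReportController < ApplicationController
      def show
        @result = eval(params[:expression])
      end
    end
  RUBY
  # Dangerous: instance_eval on a string read from a model attribute.
  "rule_engine.rb" => <<~'RUBY',
    class RuleEngine
      def run(rule)
        instance_eval(rule.body)
      end
    end
  RUBY
}.freeze

EVAL_METHODS = %w[eval class_eval module_eval instance_eval].freeze

# Substring match in the spirit of the behaviour described in the issue:
# every file whose text contains "eval" is reported, block form or not.
def naive_eval_matches(sources)
  sources.select { |_, src| src.include?("eval") }.keys
end

# Returns the [:@ident, name, [line, col]] node of a call if its method is in
# EVAL_METHODS. Handles both receiver-less (:fcall, :command) and
# receiver (:call, :command_call) call shapes produced by Ripper.sexp.
def eval_ident(node)
  return nil unless node.is_a?(Array)
  ident = case node[0]
          when :fcall, :command then node[1]
          when :call, :command_call then node[3]
          end
  ident if ident.is_a?(Array) && ident[0] == :@ident && EVAL_METHODS.include?(ident[1])
end

# True when an argument list is non-empty. `eval()` yields [:arg_paren, nil];
# a real argument yields [:args_add_block, [args...], false].
def args?(args_node)
  args_node = args_node[1] if args_node.is_a?(Array) && args_node[0] == :arg_paren
  return false unless args_node.is_a?(Array)
  return !args_node[1].empty? if args_node[0] == :args_add_block && args_node[1].is_a?(Array)
  true
end

# Walks the S-expression and collects eval-family calls that receive an
# argument. Block forms (:method_add_block wrapping a plain :call) are never
# wrapped in :method_add_arg / :command, so they are not collected.
def walk(node, found)
  return unless node.is_a?(Array)
  ident, args =
    case node[0]
    when :method_add_arg then [eval_ident(node[1]), node[2]]
    when :command        then [eval_ident(node), node[2]]
    when :command_call   then [eval_ident(node), node[4]]
    end
  found << { method: ident[1], line: ident[2][0] } if ident && args?(args)
  node.each { |child| walk(child, found) }
end

def risky_eval_calls(src)
  tree = Ripper.sexp(src)
  raise ArgumentError, "source does not parse" if tree.nil?
  found = []
  walk(tree, found)
  found
end

# Maps each file name to its findings, omitting files with none.
def scan(sources)
  sources.each_with_object({}) do |(name, src), out|
    hits = risky_eval_calls(src)
    out[name] = hits unless hits.empty?
  end
end

if $PROGRAM_NAME == __FILE__
  puts "substring match reports: #{naive_eval_matches(SAMPLES).inspect}"
  scan(SAMPLES).each do |file, hits|
    hits.each { |h| puts "#{file}:#{h[:line]} #{h[:method]} called with a non-literal argument" }
  end
end
```

The AST check only separates "argument passed" from "literal block"; whether the argument is attacker-controlled (as `params[:expression]` is) still needs the manual review the reply asks for.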
