Hi,
I have many Spree projects where it is very common to create model decorators via class_eval().
Looks like dawn matches all of them because they contain the "eval" word:
08:05:52 [$] dawn: Solution: Please refere to the Ruby on Rails cheatsheet available from owasp.org to mitigate this vulnerability
08:05:52 [!] dawn: Evidence:
08:05:52 [!] dawn: [{:filename=>"./app/models/spree/shipment_decorator.rb", :matches=>[{:match=>"Spree::Shipment.class_eval do\n", :line=>0}]}, {:filename=>"./app/models/spree/shipping_method_decorator.rb", :matches=>[{:match=>"Spree::ShippingMethod.class_eval do\n", :line=>0}]}
.......
is this intended?
Owasp RoR Cheatsheet says that eval-uating script must be done carefully. Dawn uses a pattern matching approach to raise such a kind of warning, therefore it prompts you for the vuln.
A solution will follow later when I add a severity indicator... it will be informational in this case.
For now, check your eval parameters so that they can't be controlled by your users...
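As an added example (not dawnscanner's own code) of the distinction drawn above: a line-level check that skips the block form of class_eval that Spree decorators use, which evaluates a Ruby block rather than a string, and flags the string-form eval calls, marking a finding as tainted when the same line reads from params, request, cookies or session. Both sample sources are constructed for this example.

```ruby
# Added example, not dawnscanner's own code: a finer-grained check for the
# eval family. The block form (`Foo.class_eval do ... end`) parses no string
# at runtime, so it is skipped; the string form is reported, and a finding is
# marked tainted when the line also reads a request-controlled value.

EVAL_METHODS = %w[eval class_eval module_eval instance_eval].freeze
EVAL_CALL  = /\b(?:#{EVAL_METHODS.join('|')})\b/
BLOCK_FORM = /\b(?:#{EVAL_METHODS.join('|')})\b\s*(?:do\b|\{)/
# Rails request-controlled inputs. This is a line-local heuristic: a value
# assigned from params on an earlier line is not tracked.
USER_INPUT = /\b(?:params|request|cookies|session)\b/

# Returns one hash per line that calls an eval-family method in string form:
# { line: <1-based line number>, match: <stripped text>, tainted: <bool> }.
def risky_eval_lines(source)
  findings = []
  source.each_line.with_index(1) do |text, n|
    next unless text.match?(EVAL_CALL)
    next if text.match?(BLOCK_FORM)   # Spree::Shipment.class_eval do ... end
    findings << { line: n, match: text.strip, tainted: text.match?(USER_INPUT) }
  end
  findings
end

# Constructed sample: the Spree decorator pattern from the report above.
DECORATOR_SOURCE = <<~'RUBY'
  Spree::Shipment.class_eval do
    def tracking_url
      "https://example.invalid/track/#{tracking}"
    end
  end
RUBY

# Constructed sample: string evaluation, two of the three lines fed by params.
STRING_EVAL_SOURCE = <<~'RUBY'
  class ReportsController < ApplicationController
    def run
      eval(params[:formula])
      Spree::Order.class_eval("def #{params[:name]}; end")
      Spree::Order.class_eval("include Trackable")
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  p risky_eval_lines(DECORATOR_SOURCE)    # => []
  p risky_eval_lines(STRING_EVAL_SOURCE)  # => lines 3, 4, 5; 3 and 4 tainted
end
```

Only the literal `do`/`{` block form is recognised; `class_eval(&blk)` and other indirect forms are still reported and need a manual look.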