add calls to .html_safe? as a shared XSS sanitizer

This commit is contained in:
erik-krogh
2024-03-22 17:46:39 +01:00
parent db3bf0e482
commit c60cec36d4
3 changed files with 25 additions and 0 deletions


@@ -2,6 +2,7 @@ edges
| lib/unsafeHtml.rb:2:31:2:34 | name | lib/unsafeHtml.rb:3:10:3:16 | #{...} | provenance | |
| lib/unsafeHtml.rb:9:27:9:30 | name | lib/unsafeHtml.rb:11:13:11:19 | #{...} | provenance | |
| lib/unsafeHtml.rb:16:19:16:22 | name | lib/unsafeHtml.rb:17:28:17:31 | name | provenance | |
| lib/unsafeHtml.rb:23:32:23:35 | name | lib/unsafeHtml.rb:24:10:24:16 | #{...} | provenance | |
nodes
| lib/unsafeHtml.rb:2:31:2:34 | name | semmle.label | name |
| lib/unsafeHtml.rb:3:10:3:16 | #{...} | semmle.label | #{...} |
@@ -9,8 +10,11 @@ nodes
| lib/unsafeHtml.rb:11:13:11:19 | #{...} | semmle.label | #{...} |
| lib/unsafeHtml.rb:16:19:16:22 | name | semmle.label | name |
| lib/unsafeHtml.rb:17:28:17:31 | name | semmle.label | name |
| lib/unsafeHtml.rb:23:32:23:35 | name | semmle.label | name |
| lib/unsafeHtml.rb:24:10:24:16 | #{...} | semmle.label | #{...} |
subpaths
#select
| lib/unsafeHtml.rb:3:10:3:16 | #{...} | lib/unsafeHtml.rb:2:31:2:34 | name | lib/unsafeHtml.rb:3:10:3:16 | #{...} | This string interpolation which depends on $@ might later allow $@. | lib/unsafeHtml.rb:2:31:2:34 | name | library input | lib/unsafeHtml.rb:3:5:3:22 | "<h2>#{...}</h2>" | cross-site scripting |
| lib/unsafeHtml.rb:11:13:11:19 | #{...} | lib/unsafeHtml.rb:9:27:9:30 | name | lib/unsafeHtml.rb:11:13:11:19 | #{...} | This string interpolation which depends on $@ might later allow $@. | lib/unsafeHtml.rb:9:27:9:30 | name | library input | lib/unsafeHtml.rb:13:5:13:5 | h | cross-site scripting |
| lib/unsafeHtml.rb:17:28:17:31 | name | lib/unsafeHtml.rb:16:19:16:22 | name | lib/unsafeHtml.rb:17:28:17:31 | name | This string format which depends on $@ might later allow $@. | lib/unsafeHtml.rb:16:19:16:22 | name | library input | lib/unsafeHtml.rb:17:5:17:32 | call to sprintf | cross-site scripting |
| lib/unsafeHtml.rb:24:10:24:16 | #{...} | lib/unsafeHtml.rb:23:32:23:35 | name | lib/unsafeHtml.rb:24:10:24:16 | #{...} | This string interpolation which depends on $@ might later allow $@. | lib/unsafeHtml.rb:23:32:23:35 | name | library input | lib/unsafeHtml.rb:24:5:24:22 | "<h2>#{...}</h2>" | cross-site scripting |


@@ -19,4 +19,12 @@ class Foobar
# escape
sprintf("<h2>%s</h2>", ERB::Util.html_escape(name)).html_safe # OK - the parameter is escaped
end
def create_user_description2(name)
"<h2>#{name}</h2>".html_safe # NOT OK - the value is not necessarily HTML safe
if name.html_safe?
"<h2>#{name}</h2>".html_safe # OK - value is marked as being HTML safe
end
end
end
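Review bot: The new test only exercises the true branch of the `if name.html_safe?` guard, so nothing here checks that the barrier guard is branch-sensitive and leaves the negated path reported; an `else` branch of `"<h2>#{name}</h2>".html_safe # NOT OK - guard only holds in the true branch` (and, if the sanitizer is meant to cover it, a `return unless name.html_safe?` form) would pin that down, with the matching line added to the expected-results file. The comment on the guarded line should also make clear what is being trusted: `html_safe?` reports a flag set by an earlier `.html_safe`, it performs no escaping, so something like `# OK - html_safe? means the value was already marked safe upstream; it is a trust flag, not an escape` is more accurate than "value is marked as being HTML safe". The expected-results section of this commit lists only line 24 for `create_user_description2`, which is consistent with the guarded line being suppressed, but the rendered hunk appears to have dropped two blank lines (the header promises 8 additions and 6 are shown), so the line numbers are inferred.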