ruby.rails.security.audit.mail-to-erb.mail-to-erb

Author: unknown

Detected use of the mail_to helper with the :encode => :javascript option. An attacker could supply a malicious name or email value that could lead to an XSS attack. Instead, use :encode => :hex or patch to Rails 3.0.4 or 2.3.11.

Definition

rules:
  - id: mail-to-erb
    metadata:
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_mail_to.rb
      category: security
      technology:
        - rails
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    message: Detected use of the mail_to helper with the `:encode => :javascript`
      option. An attacker could supply a malicious name or email value that
      could lead to an XSS attack. Instead, use `:encode => :hex` or patch to
      Rails 3.0.4 or 2.3.11.
    languages:
      - generic
    severity: WARNING
    paths:
      include:
        - "*.erb"
    patterns:
      - pattern-either:
          - pattern: |
              <%= mail_to ..., ..., :encode => :javascript %>
          - pattern: |
              <%= mail_to ..., ..., :encode => :javascript, ... %>
      - pattern-not: >
          <%= mail_to escape_javascript(...), escape_javascript(...), ...
          :encode => :javascript %>
      - pattern-not: >
          <%= mail_to escape_javascript(...), escape_javascript(...), ...
          :encode => :javascript, ... %>
      - pattern-not: |
          <%= mail_to "...", "...", ... :encode => :javascript %>
      - pattern-not: |
          <%= mail_to "...", "...", ... :encode => :javascript, ... %>

Examples

mail-to-erb.erb

// ruleid: mail-to-erb
<%= mail_to user.email, user.name, :encode => :javascript %>
// ruleid: mail-to-erb
<%= mail_to user.email, user.name, :encode => :javascript, :replace_at => :_at_ %>
// ok: mail-to-erb
<%= mail_to user.email, user.name, :encode => :hex %>
// ok: mail-to-erb
<%= mail_to escape_javascript(user.email),
escape_javascript(user.name), :encode => :javascript %>
// ok: mail-to-erb
<%= mail_to "domain", "email", :encode => :javascript %>
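As an added illustration (not part of the Semgrep rule or of Brakeman), the following Ruby checker applies the same decision the patterns above encode to raw ERB text: it flags `mail_to` calls that pass `:encode => :javascript` unless every positional argument (address and name) is a string literal or is already wrapped in `escape_javascript(...)`. The sample ERB is constructed from the test file shown above; the function names are this example's own.

```ruby
# Matches one <%= mail_to ... %> call; /m lets the call span several lines,
# as in the escape_javascript case of the test file.
MAIL_TO_CALL = /<%=\s*mail_to\s+(.*?)\s*%>/m

# Split an argument list on top-level commas, ignoring commas inside
# parentheses such as escape_javascript(a, b).
def split_args(arglist)
  args, depth, current = [], 0, +""
  arglist.each_char do |c|
    case c
    when "(" then depth += 1; current << c
    when ")" then depth -= 1; current << c
    when ","
      if depth.zero?
        args << current.strip
        current = +""
      else
        current << c
      end
    else current << c
    end
  end
  args << current.strip unless current.strip.empty?
  args
end

# An argument the rule treats as safe: a string literal, or a value
# already passed through escape_javascript(...).
def safe_arg?(arg)
  arg.start_with?('"', "'") || arg.start_with?("escape_javascript(")
end

# Return the argument lists of every mail_to call that would be flagged.
def find_javascript_mail_to(erb)
  erb.scan(MAIL_TO_CALL).flatten.select do |arglist|
    args = split_args(arglist)
    next false unless args.any? { |a| a =~ /\A:encode\s*=>\s*:javascript\z/ }
    positional = args.reject { |a| a.start_with?(":") }   # address, name
    !positional.all? { |a| safe_arg?(a) }
  end
end

# Constructed sample: the page's own test cases, re-typed as data.
SAMPLE_ERB = <<~ERB
  <%= mail_to user.email, user.name, :encode => :javascript %>
  <%= mail_to user.email, user.name, :encode => :javascript, :replace_at => :_at_ %>
  <%= mail_to user.email, user.name, :encode => :hex %>
  <%= mail_to escape_javascript(user.email),
  escape_javascript(user.name), :encode => :javascript %>
  <%= mail_to "domain", "email", :encode => :javascript %>
ERB

find_javascript_mail_to(SAMPLE_ERB).each { |hit| puts "flagged: mail_to #{hit}" }
```

The two flagged calls are exactly the two `ruleid` lines of the test file; the `:encode => :hex`, `escape_javascript(...)` and literal-string cases pass, mirroring the rule's `pattern-not` clauses.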