ruby.rails.security.audit.number-to-currency-erb.number-to-currency-erb

profile photo of semgrepsemgrep
Author
unknown
Download Count*

This rule is deprecated.

Run Locally

Run in CI

Defintion

rules:
  - id: number-to-currency-erb
    metadata:
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_number_to_currency.rb
      category: security
      technology:
        - rails
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    message: This rule is deprecated.
    languages:
      - generic
    severity: WARNING
    patterns:
      - pattern: a()
      - pattern: b()

Examples

number-to-currency-erb.erb

<%= number_to_currency(1.02, unit: params[:currency]) %>

<%= number_to_currency(1.02, unit: params[:currency], separator: ",", delimiter: "") %>

<%= number_to_currency(1.02, unit: h(params[:currency])) %>

<%= number_to_currency(1.02, unit: h(params[:currency]), separator: ",", delimiter: "") %>