ruby.rails.security.audit.number-to-currency-erb.number-to-currency-erb

rules:
  - id: number-to-currency-erb
    metadata:
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_number_to_currency.rb
      category: security
      technology:
        - rails
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    message: Detected user input flowing into number_to_currency helper. One of the
      parameters to the helper (unit) is  not escaped correctly and could  lead
      to XSS, which in turn could lead to  sensitive data being exfiltrated.
      Instead, sanitize data with the 'html_escape' or 'h' function before
      passing it into `number_to_currency` or upgrade to Rails 4.0.2 or 3.2.16.
    languages:
      - generic
    severity: WARNING
    paths:
      include:
        - "*.erb"
    patterns:
      - pattern-either:
          - pattern: |
              <%= ... number_to_currency(..., unit: params[:$UNIT], ...) ... %>
          - pattern: |
              <%= ... number_to_currency(..., unit: params[:$UNIT]) ... %>
      - pattern-not: |
          <%= ... number_to_currency(..., h(unit: params[:$UNIT]), ...) ... %>
      - pattern-not: |
          <%= ... number_to_currency(..., h(unit: params[:$UNIT])) ... %>