ruby.rails.security.audit.xss.manual-template-creation.manual-template-creation

Detected manual creation of an ERB template. Manual creation of templates may expose your application to server-side template injection (SSTI) or cross-site scripting (XSS) attacks if user input is used to create the template. Instead, create a '.erb' template file and use 'render'.
Definition
rules:
  - id: manual-template-creation
    metadata:
      source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_template_injection.rb
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
      references:
        - https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/template_injection/index.markdown
      category: security
      technology:
        - rails
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    message: Detected manual creation of an ERB template. Manual creation of
      templates may expose your application to server-side template injection
      (SSTI) or cross-site scripting (XSS) attacks if user input is used to
      create the template. Instead, create a '.erb' template file and use
      'render'.
    languages:
      - ruby
    severity: WARNING
    pattern: ERB.new(...)
Examples
manual-template-creation.rb
require 'erb'

class FaxHelper
  # Added so the class is complete: the template path is supplied by the caller.
  def initialize(path_to_template)
    @path_to_template = path_to_template
  end
  attr_reader :path_to_template

  def to_fax
    # Template source is built at runtime from a file chosen at runtime.
    html = File.open(path_to_template).read
    # ruleid: manual-template-creation
    template = ERB.new(html)
    template.result
  end
end

x = 42
# ruleid: manual-template-creation
template = ERB.new <<-EOF
The value of x is: <%= x %>
EOF
puts template.result(binding)
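The alternative the rule message recommends, shown as an added example that is neither the Semgrep rule's test code nor Brakeman's: a fixed, developer-authored template (an inline string constant standing in for a '.erb' file, assumed here so the snippet runs without Rails) receives untrusted input only as an escaped value bound at render time, so template tags and markup in that input are printed rather than evaluated. The function beside it is the pattern the rule flags, where the template source itself comes from the caller.

```ruby
require 'erb'

# Safe pattern: the template source is authored by developers and fixed.
# In Rails this string would live in a '.erb' view rendered via `render`;
# it is an inline constant here (assumption) so the example runs stand-alone.
# Plain ERB does not auto-escape like Rails views do, hence the explicit
# ERB::Util.html_escape on output.
GREETING_TEMPLATE = "<p>Hello, <%= ERB::Util.html_escape(name) %></p>\n".freeze

# Pattern the rule flags: the template *source* comes from the caller, so any
# <% %> / <%= %> tags inside it are compiled and executed as Ruby.
def render_untrusted_template(user_supplied_source)
  ERB.new(user_supplied_source).result(binding)
end

# Hardened: untrusted input is only a value bound into the fixed template and
# HTML-escaped on output, so template tags and markup in it render as text.
def render_greeting(name)
  ERB.new(GREETING_TEMPLATE).result_with_hash(name: name)
end

if __FILE__ == $PROGRAM_NAME
  puts render_greeting('<b>Mallory</b> <%= x %>')
  # => <p>Hello, &lt;b&gt;Mallory&lt;/b&gt; &lt;%= x %&gt;</p>
  puts render_untrusted_template('Sum: <%= 1 + 1 %>')
  # => Sum: 2   (the tag inside the input was executed: this is the SSTI risk)
end
```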
Short Link: https://sg.run/L01L