ruby.rails.security.audit.xss.templates.unquoted-attribute.unquoted-attribute

Author: semgrep
Download count: 6,305*

Detected an unquoted template variable used as an HTML attribute value. Rails HTML-escapes & < > " ' in <%= %> output but leaves whitespace alone, so when the expression sits in an unquoted attribute an attacker-controlled value can end the attribute at its first space and append new attributes, including JavaScript event handlers such as onmouseover=... . To fix this, put quotes around the template expression, like this: "<%= expr %>".

Definition

rules:
  - id: unquoted-attribute
    message: 'Detected an unquoted template variable as an attribute. If unquoted, a
      malicious actor could inject custom JavaScript handlers. To fix this, add
      quotes around the template expression, like this: "<%= expr %>".'
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#unquoted-attributes
        - https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss
      category: security
      technology:
        - rails
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - generic
    paths:
      include:
        - "*.erb"
    severity: WARNING
    patterns:
      - pattern-inside: <$TAG ...>
      - pattern-not-inside: ="..."
      - pattern-not-inside: ="<%= ... %>"
      - pattern-not-inside: ='...'
      - pattern-not-inside: ='<%= ... %>'
      - pattern: <%= ... %>
    fix-regex:
      regex: <%=(.*?)%>
      replacement: '"<%=\1%>"'
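The Ruby script below is an added example; it is not part of the Semgrep rule or its test file. It renders the two lines the rule flags and the quoted form it recommends through plain ERB, with ERB::Util.html_escape applied to the variable (plain ERB escapes nothing on its own; html_escape is the escaping Rails applies to <%= %> output), feeds in a constructed attacker value, and tokenises the resulting start tag roughly the way a browser would. It then applies the rule's own fix-regex to both flagged lines. The View class, render_with, attributes_of, injected_handler? and the payload are assumptions made for this demonstration.

```ruby
require "erb"

# Stand-in for a Rails view (assumption for this example). Plain ERB does not
# escape anything, so `link` calls ERB::Util.html_escape explicitly; that is the
# same escaping Rails applies to <%= %> output: & < > " ' become entities,
# while spaces and = are left alone.
class View
  include ERB::Util

  def initialize(raw_link)
    @raw_link = raw_link
  end

  def link
    h(@raw_link)
  end

  def render(template)
    ERB.new(template).result(binding)
  end
end

# The two lines the rule flags in its test file, and the quoted form it wants.
UNQUOTED       = %q{<a href=<%= link %> class="text-center">Click me</a>}
UNQUOTED_SLASH = %q{<a href=/<%= link %> class="text-center">Click me</a>}
QUOTED         = %q{<a href="<%= link %>" class="text-center">Click me</a>}

# Constructed attacker-controlled value: nothing html_escape touches, just a
# space to end an unquoted attribute value and a new event-handler attribute.
PAYLOAD = "x onmouseover=alert(1)"

def render_with(template, value = PAYLOAD)
  View.new(value).render(template)
end

# Rough model of how a browser tokenises the attributes of an <a> start tag:
# a quoted value runs to the matching quote, an unquoted value runs to the
# next whitespace or ">".
ATTR_RE = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/

def attributes_of(html)
  start_tag = html[/<a\s+([^>]*)>/, 1]
  start_tag.scan(ATTR_RE).to_h { |name, dq, sq, uq| [name, dq || sq || uq] }
end

# Did the payload turn into an attribute the template never declared?
def injected_handler?(template, value = PAYLOAD)
  attributes_of(render_with(template, value)).key?("onmouseover")
end

# The rule's autofix, using the same regex and replacement as its fix-regex.
FIX_REGEX   = /<%=(.*?)%>/
REPLACEMENT = '"<%=\1%>"'

def apply_fix(line)
  line.gsub(FIX_REGEX, REPLACEMENT)
end

if __FILE__ == $PROGRAM_NAME
  puts render_with(UNQUOTED)        # onmouseover is parsed as its own attribute
  puts render_with(QUOTED)          # the whole payload stays inside href
  puts apply_fix(UNQUOTED)          # href="<%= link %>"  (fixed)
  puts apply_fix(UNQUOTED_SLASH)    # href=/"<%= link %>" (still unquoted)
  puts injected_handler?(apply_fix(UNQUOTED_SLASH))  # true
end
```

Running it shows the two halves of the rule's argument. With href=<%= link %> the escaped value is unchanged (no character in the payload is one html_escape touches), the space ends the href value and onmouseover becomes a separate attribute. Inside quotes the payload stays part of href, and a value that tries to close the quote itself, such as x" onmouseover="alert(1), is rendered as x&quot; onmouseover=&quot;alert(1) and cannot escape the attribute. The last two lines show a caveat of the autofix: for the second flagged line the regex produces href=/"<%= link %>", which leaves the value unquoted (the browser reads /"x as the href and the rest as new attributes), so that finding needs a manual fix to href="/<%= link %>" rather than the suggested one.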

Examples

unquoted-attribute.erb

<!-- cf. https://github.com/caiomartini/mustache-demo/blob/97b9200ebd2d27953febff23e6718aa1aa9ee44d/demo-mustache.html -->
<!DOCTYPE HTML>
<html>


<div class="jumbotron text-center">
    <h1 class="display-4">Hi, my name is <%= nome %>!</h1>
    <p class="lead">This is just a demonstration of how to use Mustache.JS</p>
    <!-- ruleid: unquoted-attribute -->
    <a href=<%= link %> class="text-center">Click me</a>
    <!-- ruleid: unquoted-attribute -->
    <a href=/<%= link %> class="text-center">Click me</a>
    <!-- ok: unquoted-attribute -->
    <a href="<%= Foo::Bar::FooBar.frobnicate("#{event_id}", @params) %>" class="text-center">Click me</a>
    <!-- ok: unquoted-attribute -->
    <a href='<%= link %>' class="text-center">Click me</a>

    <!-- ok: unquoted-attribute -->
    <div class="alert lead alert-<%= key %>"><%= value %> </div>

    <!-- ok: unquoted-attribute -->
    <a href="#" class="dropdown-toggle" data-toggle="dropdown"> <%= current_user.name.pluralize %> Account <b class="caret"></b></a>
</div>

</html>