ruby.rails.security.audit.xss.templates.var-in-href.var-in-href

profile photo of returntocorpreturntocorp
Author
6,305
Download Count*

Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href='/<%= link =>'. You may also consider setting the Content Security Policy (CSP) header.

Run Locally

Run in CI

Defintion

rules:
  - id: var-in-href
    message: "Detected a template variable used in an anchor tag with the 'href'
      attribute. This allows a malicious actor to input the 'javascript:' URI
      and is subject to cross- site scripting (XSS) attacks. If using a relative
      URL, start with a literal forward slash and concatenate the URL, like
      this: href='/<%= link =>'. You may also consider setting the Content
      Security Policy (CSP) header."
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI
        - https://github.com/pugjs/pug/issues/2952
      category: security
      technology:
        - rails
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - generic
    paths:
      include:
        - "*.erb"
    severity: WARNING
    pattern-either:
      - pattern: <a ... href = "<%= ... %>" ... >
      - pattern: <a ... href = '<%= ... %>' ... >

Examples

var-in-href.erb

<!-- cf. https://github.com/caiomartini/mustache-demo/blob/97b9200ebd2d27953febff23e6718aa1aa9ee44d/demo-mustache.html -->
<!DOCTYPE HTML>
<html>


<div class="jumbotron text-center">
    <h1 class="display-4">Oi, meu nome é <%= nome %>!</h1>
    <p class="lead">Isso é apenas uma demonstração de como utilizar o Mustache.JS</p>
    <!-- ruleid: var-in-href -->
    <a href="<%= link %>" class="text-center">Click me</a>
    <!-- ok: var-in-href -->
    <a href="/<%= link %>" class="text-center">Click me</a>

    <!-- ok: var-in-href -->
    <a href="#" class="dropdown-toggle" data-toggle="dropdown"> <%= current_user.name.pluralize %> Account <b class="caret"></b></a>

    <!-- ok: var-in-href -->
    <div class="alert lead alert-<%= key %>"><%= value %> </div>

    <!-- ok: var-in-href -->
    <a class="restore" href="#" style="display: none;"><%= I18n.t("gws/reminder.links.restore_reminder") %></a>
</div>

</html>