params.merge and cross site scripting

I'm using Brakeman to identify security issues. It's flagging up any links which use params.merge as a cross site scripting vulnerability. How can I sanitize something like the following?

  - @archives.each do |archive|
    =  link_to "FTP", params.merge(:action => :ftp, :archive => archive, :recipient => "company")
snowangel asked Sep 04 '12 20:09



1 Answer

You should create a new hash based on only the elements of params which you expect and wish to allow to be a part of the FTP link and use that to merge your additional parameters.

What you have allows me to add whatever I want to that FTP link by modifying the querystring, opening up the door to security vulnerabilities. By building a hash for use in place of the params in the params.merge(... you're effectively whitelisting expected querystring components for use in the template you're rendering.


As a GET example, if you expect a URL like

/some/path?opt1=val1&opt2=val2

in your controller action you might do

@cleaned_params = { opt1: params[:opt1], opt2: params[:opt2] }
@cleaned_params.merge! action: :ftp, archive: archive, recipient: :company

And then pass @cleaned_params to the link_to

=  link_to "FTP", @cleaned_params

This way if I manually enter a URL like

/some/path?opt1=val1&opt2=val2&maliciousopt=somexss

The params[:maliciousopt] will never make it into your FTP link_to in your view.

The same behaviour applies to POST requests, only to be malicious I might add a couple of fields to the form before submitting it:

<input type="hidden" name="maliciousopt" value="somexss" />
deefour answered Oct 19 '22 16:10
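The whitelisting the answer describes, worked through as plain Ruby so it runs without Rails (an added example, not the poster's code and not Rails' own helpers): `cleaned_params`, `ftp_link_params`, `ftp_href` and `ftp_link_html` are hypothetical names; the path `/some/path` and the allowed keys `opt1`/`opt2` come from the answer; `URI.encode_www_form` and `CGI.escapeHTML` from the standard library stand in for the URL serialisation and attribute escaping that `link_to` and the route helpers perform in Rails.

```ruby
require "uri"
require "cgi"

# The only query-string keys this view is expected to carry forward (from the answer).
ALLOWED_KEYS = %i[opt1 opt2].freeze

# Build a fresh hash from the expected keys only. Anything else the client
# appended to the query string (or injected into a form) is simply not copied.
# Only scalar string values are forwarded; nested arrays/hashes are not expected here.
def cleaned_params(params, allowed = ALLOWED_KEYS)
  allowed.each_with_object({}) do |key, h|
    value = params[key] || params[key.to_s]
    h[key] = value if value.is_a?(String)
  end
end

# Merge the application's own fixed parameters onto the whitelisted hash,
# mirroring the answer's @cleaned_params.merge! line.
def ftp_link_params(params, archive)
  cleaned_params(params).merge(action: :ftp, archive: archive, recipient: :company)
end

# Serialise the hash into an href the way a path helper would: every key and
# value is percent-encoded, so '&', '=', '<' and friends cannot alter the URL.
def ftp_href(params, archive, base = "/some/path")
  "#{base}?#{URI.encode_www_form(ftp_link_params(params, archive))}"
end

# Render the anchor tag with the href escaped for an HTML attribute context.
def ftp_link_html(params, archive)
  %(<a href="#{CGI.escapeHTML(ftp_href(params, archive))}">FTP</a>)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request params: the expected keys plus one the client tacked on.
  request_params = {
    "opt1" => "val1",
    "opt2" => "val2",
    "maliciousopt" => "<script>alert(1)</script>"
  }
  puts ftp_link_html(request_params, "2012-09")
  # The rendered link carries opt1, opt2, action, archive and recipient only;
  # maliciousopt never reaches the href.
end
```

Running the script shows the injected `maliciousopt` key absent from the link, which is exactly what silences the Brakeman finding: the template no longer reflects an attacker-controlled hash, only one the controller constructed from known keys.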