
XSS false positive. Is haml v6 supported?

Open AkshayGoyal022 opened this issue 1 year ago • 5 comments

Background

Brakeman version: 6.1.2
Rails version: 7.1.5
Ruby version: 3.3.1

False Positive

Full warning from Brakeman:

Confidence: Medium
Category: Cross-Site Scripting
Check: CrossSiteScripting
Message: Unescaped model attribute
Code: Setup.hostname
File: app/views/layouts/_i18n_settings.html.haml
Line: 3

Relevant code:

-# app/views/layouts/_i18n_settings.html.haml

:javascript
  $(document).ready(function() {
    var domain = '#{Setup.hostname}'; // Fetch value from db (interpolated unescaped)
    // ...
  });

Why might this be a false positive? We recently upgraded to haml 6.3.0 (from haml v5.2.0) and we are getting a CrossSiteScripting warning for the above code. The same warning doesn't come up with haml v5.2.0. Wondering if haml v6 is supported?

AkshayGoyal022, Jan 21 '25 08:01

That certainly looks dangerous to me. Make Setup.hostname return something like ';alert("bang");'

kwerle, Feb 07 '25 18:02
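To make the risk in the snippet above and in kwerle's comment concrete, here is an added example (not code from the issue, from Brakeman, or from the haml gem) that mimics in plain Ruby what the :javascript filter emits for the interpolation, next to an escaped rendering; Setup.hostname is replaced by constructed sample strings, and the escaping helper assumes only the Ruby standard library.

```ruby
require "json"

# Constructed sample values standing in for Setup.hostname.
# HOSTILE_HOSTNAME is the kind of value kwerle's comment describes.
HOSTILE_HOSTNAME = %q{';alert("bang");'}
BENIGN_HOSTNAME  = "example.com"

# Mimics the :javascript filter in the issue: the Ruby string is dropped
# straight into a single-quoted JS literal with no escaping at all.
def render_unescaped(hostname)
  "var domain = '#{hostname}';"
end

# Builds a JS string literal from a Ruby value. JSON.generate yields a
# double-quoted literal with quotes and backslashes escaped. Plain Ruby
# JSON does not escape "</" or the U+2028/U+2029 line terminators, both of
# which matter inside a <script> body, so they are escaped here explicitly.
def js_string_literal(value)
  JSON.generate(value.to_s)
      .gsub("</", "<\\/")
      .gsub("\u2028", "\\u2028")
      .gsub("\u2029", "\\u2029")
end

# Escaped counterpart of render_unescaped: the value can never close the
# literal, so the rendered line stays a single assignment.
def render_escaped(hostname)
  "var domain = #{js_string_literal(hostname)};"
end
```

With the hostile value, render_unescaped produces `var domain = '';alert("bang");'';` (a second statement), while render_escaped produces `var domain = "';alert(\"bang\");'";` (one string).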

Haml 6.x is not yet supported (looks like it requires some explicit Brakeman changes to do so). See also https://github.com/presidentbeef/brakeman/pull/1842

presidentbeef, Feb 07 '25 18:02

@presidentbeef any plans on supporting HAML 6? It's been out for a while now 😄 We can't upgrade because of #1842 and other incompatibilities.

gstokkink, Jun 11 '25 10:06

Yes, will take a look at supporting. Hopefully soon...ish.

presidentbeef, Jun 13 '25 21:06

@presidentbeef thanks, much appreciated. Also thanks for your hard work on this incredibly useful gem. Let me know if I can assist with testing.

gstokkink, Jun 14 '25 04:06