Add Check: CSS Injection within inline styling
Is your feature request related to a problem? Please describe.
There is a vulnerability that can be introduced in Rails templating languages that would allow a malicious user to inject arbitrary CSS. This can occur if inline styles interpolate user-controlled values unsafely. Brakeman does not currently check for this sort of unsafe pattern.
For example:
<header style="background-color: #<%= params[:header_color] %>;">
In this example, a user could make a request including ?header_color=FFFF;background(www.evil.com/cat.jpg) to inject arbitrary CSS into a web page.
Most modern web browsers protect against any sort of JS injection through this vector, but it could still be possible for an attacker to use this to extract data the victim user enters into the affected page. See: https://curesec.com/blog/article/blog/Reading-Data-via-CSS-Injection-180.html
Describe the solution you'd like
There should be a new check against CSS injection for inline styles. The conditions would involve any use of inline styles that contain params.
Describe alternatives you've considered
There are probably additional patterns to check for with HAML, but the example I discovered was in ERB.
Additional context
I attempted to write a rule to contribute it myself, but I wasn't sure how to begin writing the rule. If it would be easier for a maintainer to give me some quick pointers to get started on writing the rule, I should be able to help write this.
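The following is an added illustration of the pattern in the report, not code from the issue author or from Brakeman. It renders a constructed ERB fragment with the vulnerable inline style and a hardened variant, and includes a purely syntactic scanner in the spirit of the requested check. The template strings, the `safe_hex_color` helper, the `evil.example` host and the `INLINE_STYLE_PARAMS` regex are all assumptions made for the example; `CGI.escapeHTML` stands in for the HTML escaping Rails applies to `<%= %>` output.

```ruby
require "erb"
require "cgi"

# Constructed ERB fragment with the unsafe pattern from the report: the request
# parameter is interpolated inside a style attribute. HTML escaping is applied
# (as Rails would do) to show that it does not neutralise CSS syntax.
VULNERABLE_TEMPLATE =
  '<header style="background-color: #<%= CGI.escapeHTML(params[:header_color].to_s) %>;">'

# Hardened variant (assumed helper, not a Rails or Brakeman API): only a value
# matching a hex-colour allowlist is interpolated, so ";", ":", "(" and "/"
# from the request can never reach the attribute.
HARDENED_TEMPLATE =
  '<header style="background-color: #<%= safe_hex_color(params[:header_color]) %>;">'

HEX_COLOR = /\A\h{3}(?:\h{3})?\z/  # exactly 3 or 6 hex digits, nothing else

def safe_hex_color(value, default: "ffffff")
  s = value.to_s
  HEX_COLOR.match?(s) ? s : default
end

# Render an ERB fragment with a params hash, the way a view would see it.
def render(template, params)
  ERB.new(template).result_with_hash(params: params)
end

# Constructed payload: terminates the colour value and starts a new declaration.
# None of its characters are touched by HTML escaping.
PAYLOAD = "FFFF;background:url(//evil.example/cat.jpg)"

def injected?(html)
  html.include?("background:url(")
end

# Heuristic for the check the issue asks for: a style attribute whose value
# contains an ERB output tag that references params. It is purely syntactic,
# so it also flags the hardened template (it cannot know safe_hex_color is a
# sanitiser), and it misses HAML and values routed through instance variables.
INLINE_STYLE_PARAMS = /style\s*=\s*"[^"]*<%=[^%]*\bparams\b[^%]*%>/

def inline_style_param_lines(erb_source)
  erb_source.each_line.with_index(1).filter_map do |line, number|
    number if line.match?(INLINE_STYLE_PARAMS)
  end
end

if __FILE__ == $0
  puts render(VULNERABLE_TEMPLATE, header_color: PAYLOAD)
  puts render(HARDENED_TEMPLATE, header_color: PAYLOAD)
  p inline_style_param_lines(VULNERABLE_TEMPLATE + "\n" + HARDENED_TEMPLATE)
end
```

The vulnerable render emits `background-color: #FFFF;background:url(//evil.example/cat.jpg);`, while the hardened one falls back to `#ffffff`. Because the scanner flags both templates, a real check needs data-flow knowledge of which calls sanitise the value, which is part of why a syntactic template rule is not enough on its own.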
Unfortunately, due to the way templating languages work, this is kind of hard.