brakeman-lib 3.3.1

data/lib/brakeman/checks/check_render_inline.rb

@@ -0,0 +1,54 @@
+class Brakeman::CheckRenderInline < Brakeman::CheckCrossSiteScripting
+  Brakeman::Checks.add self
+
+  @description = "Checks for cross site scripting in render calls"
+
+  def run_check
+    setup
+
+    tracker.find_call(:target => nil, :method => :render).each do |result|
+      check_render result
+    end
+  end
+
+  def check_render result
+    return if duplicate? result
+    add_result result
+
+    call = result[:call]
+
+    if node_type? call, :render and
+      (call.render_type == :text or call.render_type == :inline)
+
+      unless call.render_type == :text and content_type_set? call[3]
+        render_value = call[2]
+
+        if input = has_immediate_user_input?(render_value)
+          warn :result => result,
+            :warning_type => "Cross Site Scripting",
+            :warning_code => :cross_site_scripting_inline,
+            :message => "Unescaped #{friendly_type_of input} rendered inline",
+            :user_input => input,
+            :confidence => CONFIDENCE[:high]
+        elsif input = has_immediate_model?(render_value)
+          warn :result => result,
+            :warning_type => "Cross Site Scripting",
+            :warning_code => :cross_site_scripting_inline,
+            :message => "Unescaped model attribute rendered inline",
+            :user_input => input,
+            :confidence => CONFIDENCE[:med]
+        end
+      end
+    end
+  end
+
+  CONTENT_TYPES = ["text/html", "text/javascript", "application/javascript"]
+
+  def content_type_set? opts
+    if hash? opts
+      content_type = hash_access(opts, :content_type)
+
+      string? content_type and not CONTENT_TYPES.include? content_type.value
+    end
+  end
+end

data/lib/brakeman/checks/check_response_splitting.rb

@@ -0,0 +1,21 @@
+require 'brakeman/checks/base_check'
+
+#Warn about response splitting in Rails versions before 2.3.13
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6ffc93bde0298768
+class Brakeman::CheckResponseSplitting < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Report response splitting in Rails 2.3.0 - 2.3.13"
+
+  def run_check
+    if version_between?('2.3.0', '2.3.13')
+
+      warn :warning_type => "Response Splitting",
+        :warning_code => :CVE_2011_3186,
+        :message => "Versions before 2.3.14 have a vulnerability content type handling allowing injection of headers: CVE-2011-3186",
+        :confidence => CONFIDENCE[:med],
+        :gem_info => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/b_yTveAph2g/discussion"
+    end
+  end
+end

data/lib/brakeman/checks/check_route_dos.rb

@@ -0,0 +1,42 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckRouteDoS < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for route DoS (CVE-2015-7581)"
+
+  def run_check
+    fix_version = case
+                  when version_between?("4.0.0", "4.1.14")
+                    "4.1.14.1"
+                  when version_between?("4.2.0", "4.2.5")
+                    "4.2.5.1"
+                  else
+                    return
+                  end
+
+    if controller_wildcards?
+      message = "Rails #{rails_version} has a denial of service vulnerability with :controller routes (CVE-2015-7581). Upgrade to Rails #{fix_version}"
+
+      warn :warning_type => "Denial of Service",
+        :warning_code => :CVE_2015_7581,
+        :message => message,
+        :confidence => CONFIDENCE[:med],
+        :gem_info => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/msg/rubyonrails-security/dthJ5wL69JE/YzPnFelbFQAJ"
+    end
+  end
+
+  def controller_wildcards?
+    tracker.routes.each do |name, actions|
+      if name == :':controllerController'
+        # awful hack for routes with :controller in them
+        return true
+      elsif string? actions and actions.value.include? ":controller"
+        return true
+      end
+    end
+
+    false
+  end
+end

data/lib/brakeman/checks/check_safe_buffer_manipulation.rb

@@ -0,0 +1,31 @@
+require 'brakeman/checks/base_check'
+
+#Check for unsafe manipulation of strings
+#Right now this is just a version check for
+#https://groups.google.com/group/rubyonrails-security/browse_thread/thread/edd28f1e3d04e913?pli=1
+class Brakeman::CheckSafeBufferManipulation < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Check for Rails versions with SafeBuffer bug"
+
+  def run_check
+
+    if version_between? "3.0.0", "3.0.11"
+      suggested_version = "3.0.12"
+    elsif version_between? "3.1.0", "3.1.3"
+      suggested_version = "3.1.4"
+    elsif version_between? "3.2.0", "3.2.1"
+      suggested_version = "3.2.2"
+    else
+      return
+    end
+
+    message = "Rails #{rails_version} has a vulnerabilty in SafeBuffer. Upgrade to #{suggested_version} or apply patches."
+
+    warn :warning_type => "Cross Site Scripting",
+      :warning_code => :safe_buffer_vuln, 
+      :message => message,
+      :confidence => CONFIDENCE[:med],
+      :gem_info => gemfile_or_environment
+  end
+end

data/lib/brakeman/checks/check_sanitize_methods.rb

@@ -0,0 +1,79 @@
+require 'brakeman/checks/base_check'
+
+#sanitize and sanitize_css are vulnerable:
+#CVE-2013-1855 and CVE-2013-1857
+class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for versions with vulnerable sanitize and sanitize_css"
+
+  def run_check
+    @fix_version = case
+      when version_between?('2.0.0', '2.3.17')
+        '2.3.18'
+      when version_between?('3.0.0', '3.0.99')
+        '3.2.13'
+      when version_between?('3.1.0', '3.1.11')
+        '3.1.12'
+      when version_between?('3.2.0', '3.2.12')
+        '3.2.13'
+      end
+
+    if @fix_version
+      check_cve_2013_1855
+      check_cve_2013_1857
+    elsif tracker.config.has_gem? :'rails-html-sanitizer' and
+          version_between? "1.0.0", "1.0.2", tracker.config.gem_version(:'rails-html-sanitizer')
+
+      warn_sanitizer_cve "CVE-2015-7578", "https://groups.google.com/d/msg/rubyonrails-security/uh--W4TDwmI/JbvSRpdbFQAJ"
+      warn_sanitizer_cve "CVE-2015-7580", "https://groups.google.com/d/msg/rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ"
+    end
+  end
+
+  def check_cve_2013_1855
+    check_for_cve :sanitize_css, :CVE_2013_1855, "https://groups.google.com/d/msg/rubyonrails-security/4_QHo4BqnN8/_RrdfKk12I4J"
+  end
+
+  def check_cve_2013_1857
+    check_for_cve :sanitize, :CVE_2013_1857, "https://groups.google.com/d/msg/rubyonrails-security/zAAU7vGTPvI/1vZDWXqBuXgJ"
+  end
+
+  def check_for_cve method, code, link
+    tracker.find_call(:target => false, :method => method).each do |result|
+      next if duplicate? result
+      add_result result
+
+      message = "Rails #{rails_version} has a vulnerability in #{method}: upgrade to #{@fix_version} or patch"
+
+      if include_user_input? result[:call]
+        confidence = CONFIDENCE[:high]
+      else
+        confidence = CONFIDENCE[:medium]
+      end
+
+      warn :result => result,
+        :warning_type => "Cross Site Scripting",
+        :warning_code => code,
+        :message => message,
+        :confidence => CONFIDENCE[:high],
+        :link_path => link
+    end
+  end
+
+  def warn_sanitizer_cve cve, link
+    message = "rails-html-sanitizer #{tracker.config.gem_version(:'rails-html-sanitizer')} is vulnerable (#{cve}). Upgrade to 1.0.3"
+
+    if tracker.find_call(:target => false, :method => :sanitize).any?
+      confidence = CONFIDENCE[:high]
+    else
+      confidence = CONFIDENCE[:med]
+    end
+
+    warn :warning_type => "Cross Site Scripting",
+      :warning_code => cve.tr('-', '_').to_sym,
+      :message => message,
+      :gem_info => gemfile_or_environment,
+      :confidence => confidence,
+      :link_path => link
+  end
+end

data/lib/brakeman/checks/check_secrets.rb

@@ -0,0 +1,40 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckSecrets < Brakeman::BaseCheck
+  Brakeman::Checks.add_optional self
+
+  @description = "Checks for secrets stored in source code"
+
+  def run_check
+    check_constants
+  end
+
+  def check_constants
+    @warned = Set.new
+
+    @tracker.constants.each do |constant|
+      name = constant.name.last
+      value = constant.value
+
+      if string? value and not value.value.empty? and looks_like_secret? name
+        match = [name, value, value.line]
+
+        unless @warned.include? match
+          @warned << match
+
+          warn :warning_code => :secret_in_source,
+            :warning_type => "Authentication",
+            :message => "Hardcoded value for #{name} in source code",
+            :confidence => CONFIDENCE[:med],
+            :file => constant.file,
+            :line => constant.line
+        end
+      end
+    end
+  end
+
+  def looks_like_secret? name
+    # REST_AUTH_SITE_KEY is the pepper in Devise
+    name.match /password|secret|(rest_auth_site|api)_key$/i
+  end
+end

data/lib/brakeman/checks/check_select_tag.rb

@@ -0,0 +1,60 @@
+require 'brakeman/checks/base_check'
+
+#Checks for CVE-2012-3463, unescaped input in :prompt option of select_tag:
+#https://groups.google.com/d/topic/rubyonrails-security/fV3QUToSMSw/discussion
+class Brakeman::CheckSelectTag < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Looks for unsafe uses of select_tag() in some versions of Rails 3.x"
+
+  def run_check
+
+    if version_between? "3.0.0", "3.0.16"
+      suggested_version = "3.0.17"
+    elsif version_between? "3.1.0", "3.1.7"
+      suggested_version = "3.1.8"
+    elsif version_between? "3.2.0", "3.2.7"
+      suggested_version = "3.2.8"
+    else
+      return
+    end
+
+    @ignore_methods = Set[:escapeHTML, :escape_once, :h].merge tracker.options[:safe_methods]
+
+    @message = "Upgrade to Rails #{suggested_version}, #{rails_version} select_tag is vulnerable (CVE-2012-3463)"
+
+    calls = tracker.find_call(:target => nil, :method => :select_tag).select do |result|
+      result[:location][:type] == :template
+    end
+
+    calls.each do |result|
+      process_result result
+    end
+  end
+
+  #Check if select_tag is called with user input in :prompt option
+  def process_result result
+    return if duplicate? result
+    add_result result
+
+    #Only concerned if user input is supplied for :prompt option
+    last_arg = result[:call].last_arg
+
+    if hash? last_arg
+      prompt_option = hash_access last_arg, :prompt
+
+      if call? prompt_option and @ignore_methods.include? prompt_option.method
+        return
+      elsif sexp? prompt_option and input = include_user_input?(prompt_option)
+
+        warn :warning_type => "Cross Site Scripting",
+          :warning_code => :CVE_2012_3463,
+          :result => result,
+          :message => @message,
+          :confidence => CONFIDENCE[:high],
+          :user_input => input,
+          :link_path => "https://groups.google.com/d/topic/rubyonrails-security/fV3QUToSMSw/discussion"
+      end
+    end
+  end
+end

data/lib/brakeman/checks/check_select_vulnerability.rb

@@ -0,0 +1,60 @@
+require 'brakeman/checks/base_check'
+
+#Checks for select() helper vulnerability in some versions of Rails 3
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/9da0c515a6c4664
+class Brakeman::CheckSelectVulnerability < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Looks for unsafe uses of select() helper"
+
+  def run_check
+
+    if lts_version? "2.3.18.7"
+      return
+    elsif version_between? "3.0.0", "3.0.11"
+      suggested_version = "3.0.12"
+    elsif version_between? "3.1.0", "3.1.3"
+      suggested_version = "3.1.4"
+    elsif version_between? "3.2.0", "3.2.1"
+      suggested_version = "3.2.2"
+    elsif version_between? "2.0.0", "2.3.14"
+      suggested_version = "3 or use options_for_select"
+    else
+      return
+    end
+
+    @message = "Upgrade to Rails #{suggested_version}, #{rails_version} select() helper is vulnerable"
+
+    calls = tracker.find_call(:target => nil, :method => :select).select do |result|
+      result[:location][:type] == :template
+    end
+
+    calls.each do |result|
+      process_result result
+    end
+  end
+
+  def process_result result
+    return if duplicate? result
+
+    third_arg = result[:call].third_arg
+
+    #Check for user input in options parameter
+    if sexp? third_arg and include_user_input? third_arg
+      add_result result
+
+      if string_interp? third_arg
+        confidence = CONFIDENCE[:med]
+      else
+        confidence = CONFIDENCE[:low]
+      end
+
+      warn :template => result[:location][:template],
+          :warning_type => "Cross Site Scripting",
+          :warning_code => :select_options_vuln,
+          :result => result,
+          :message => @message,
+          :confidence => confidence
+    end
+  end
+end

data/lib/brakeman/checks/check_send.rb

@@ -0,0 +1,48 @@
+require 'brakeman/checks/base_check'
+
+#Checks if user supplied data is passed to send
+class Brakeman::CheckSend < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Check for unsafe use of Object#send"
+
+  def run_check
+    @send_methods = [:send, :try, :__send__, :public_send]
+    Brakeman.debug("Finding instances of #send")
+    calls = tracker.find_call :methods => @send_methods, :nested => true
+
+    calls.each do |call|
+      process_result call
+    end
+  end
+
+  def process_result result
+    return if duplicate? result or result[:call].original_line
+    add_result result
+
+    send_call = get_send result[:call]
+    process_call_args send_call
+    process send_call.target
+
+    if input = has_immediate_user_input?(send_call.first_arg)
+      warn :result => result,
+        :warning_type => "Dangerous Send",
+        :warning_code => :dangerous_send,
+        :message => "User controlled method execution",
+        :code => result[:call],
+        :user_input => input,
+        :confidence => CONFIDENCE[:high]
+    end
+  end
+
+  # Recursively check call chain for send call
+  def get_send exp
+    if call? exp
+      if @send_methods.include? exp.method
+        return exp
+      else
+        get_send exp.target
+      end
+    end
+  end
+end

data/lib/brakeman/checks/check_send_file.rb

@@ -0,0 +1,19 @@
+require 'brakeman/checks/check_file_access'
+require 'brakeman/processors/lib/processor_helper'
+
+#Checks for user input in send_file()
+class Brakeman::CheckSendFile < Brakeman::CheckFileAccess
+  Brakeman::Checks.add self
+
+  @description = "Check for user input in uses of send_file"
+
+  def run_check
+    Brakeman.debug "Finding all calls to send_file()"
+
+    methods = tracker.find_call :target => false, :method => :send_file
+
+    methods.each do |call|
+      process_result call
+    end
+  end
+end