brakeman-lib 3.3.1

data/lib/brakeman/checks/check_session_manipulation.rb

@@ -0,0 +1,36 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckSessionManipulation < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Check for user input in session keys"
+
+  def run_check
+    tracker.find_call(:method => :[]=, :target => :session).each do |result|
+      process_result result
+    end
+  end
+
+  def process_result result
+    return if duplicate? result or result[:call].original_line
+    add_result result
+
+    index = result[:call].first_arg
+
+    if input = has_immediate_user_input?(index)
+      if params? index
+        confidence = CONFIDENCE[:high]
+      else
+        confidence = CONFIDENCE[:med]
+      end
+
+      warn :result => result,
+        :warning_type => "Session Manipulation",
+        :warning_code => :session_key_manipulation,
+        :message => "#{friendly_type_of(input).capitalize} used as key in session hash",
+        :code => result[:call],
+        :user_input => input,
+        :confidence => confidence
+    end
+  end
+end

data/lib/brakeman/checks/check_session_settings.rb

@@ -0,0 +1,170 @@
+require 'brakeman/checks/base_check'
+
+#Checks for session key length and http_only settings
+class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for session key length and http_only settings"
+
+  def initialize *args
+    super
+
+    unless tracker.options[:rails3]
+      @session_settings = Sexp.new(:colon2, Sexp.new(:const, :ActionController), :Base)
+    else
+      @session_settings = nil
+    end
+  end
+
+  def run_check
+    settings = tracker.config.session_settings 
+
+    check_for_issues settings, @app_tree.expand_path("config/environment.rb")
+
+    ["session_store.rb", "secret_token.rb"].each do |file|
+      if tracker.initializers[file] and not ignored? file
+        process tracker.initializers[file]
+      end
+    end
+
+    if tracker.options[:rails4]
+      check_secrets_yaml
+    end
+  end
+
+  #Looks for ActionController::Base.session = { ... }
+  #in Rails 2.x apps
+  #
+  #and App::Application.config.secret_token =
+  #in Rails 3.x apps
+  #
+  #and App::Application.config.secret_key_base =
+  #in Rails 4.x apps
+  def process_attrasgn exp
+    if not tracker.options[:rails3] and exp.target == @session_settings and exp.method == :session=
+      check_for_issues exp.first_arg, @app_tree.expand_path("config/initializers/session_store.rb")
+    end
+
+    if tracker.options[:rails3] and settings_target?(exp.target) and
+      (exp.method == :secret_token= or exp.method == :secret_key_base=) and string? exp.first_arg
+
+      warn_about_secret_token exp.line, @app_tree.expand_path("config/initializers/secret_token.rb")
+    end
+
+    exp
+  end
+
+  #Looks for Rails3::Application.config.session_store :cookie_store, { ... }
+  #in Rails 3.x apps
+  def process_call exp
+    if tracker.options[:rails3] and settings_target?(exp.target) and exp.method == :session_store
+      check_for_rails3_issues exp.second_arg, @app_tree.expand_path("config/initializers/session_store.rb")
+    end
+
+    exp
+  end
+
+  private
+
+  def settings_target? exp
+    call? exp and
+    exp.method == :config and
+    node_type? exp.target, :colon2 and
+    exp.target.rhs == :Application
+  end
+
+  def check_for_issues settings, file
+    if settings and hash? settings
+      if value = (hash_access(settings, :session_http_only) ||
+                  hash_access(settings, :http_only) ||
+                  hash_access(settings, :httponly))
+
+        if false? value
+          warn_about_http_only value.line, file
+        end
+      end
+
+      if value = hash_access(settings, :secret)
+        if string? value
+          warn_about_secret_token value.line, file
+        end
+      end
+    end
+  end
+
+  def check_for_rails3_issues settings, file
+    if settings and hash? settings
+      if value = hash_access(settings, :httponly)
+        if false? value
+          warn_about_http_only value.line, file
+        end
+      end
+
+      if value = hash_access(settings, :secure)
+        if false? value
+          warn_about_secure_only value.line, file
+        end
+      end
+    end
+  end
+
+  def check_secrets_yaml
+    secrets_file = "config/secrets.yml"
+
+    if @app_tree.exists? secrets_file and not ignored? "secrets.yml" and not ignored? "config/*.yml"
+      yaml = @app_tree.read secrets_file
+      require 'date' # https://github.com/dtao/safe_yaml/issues/80
+      require 'safe_yaml/load'
+      secrets = SafeYAML.load yaml
+
+      if secrets["production"] and secret = secrets["production"]["secret_key_base"]
+        unless secret.include? "<%="
+          line = yaml.lines.find_index { |l| l.include? secret } + 1
+
+          warn_about_secret_token line, @app_tree.expand_path(secrets_file)
+        end
+      end
+    end
+  end
+
+  def warn_about_http_only line, file
+    warn :warning_type => "Session Setting",
+      :warning_code => :http_cookies,
+      :message => "Session cookies should be set to HTTP only",
+      :confidence => CONFIDENCE[:high],
+      :line => line,
+      :file => file
+
+  end
+
+  def warn_about_secret_token line, file
+    warn :warning_type => "Session Setting",
+      :warning_code => :session_secret,
+      :message => "Session secret should not be included in version control",
+      :confidence => CONFIDENCE[:high],
+      :line => line,
+      :file => file
+  end
+
+  def warn_about_secure_only line, file
+    warn :warning_type => "Session Setting",
+      :warning_code => :secure_cookies,
+      :message => "Session cookie should be set to secure only",
+      :confidence => CONFIDENCE[:high],
+      :line => line,
+      :file => file
+  end
+
+  def ignored? file
+    [".", "config", "config/initializers"].each do |dir|
+      ignore_file = "#{dir}/.gitignore"
+      if @app_tree.exists? ignore_file
+        input = @app_tree.read(ignore_file)
+
+        return true if input.include? file
+      end
+    end
+
+    false
+  end
+end

data/lib/brakeman/checks/check_simple_format.rb

@@ -0,0 +1,59 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckSimpleFormat < Brakeman::CheckCrossSiteScripting
+  Brakeman::Checks.add self
+
+  @description = "Checks for simple_format XSS vulnerability (CVE-2013-6416) in certain versions"
+
+  def run_check
+    if version_between? "4.0.0", "4.0.1"
+      @inspect_arguments = true
+      @ignore_methods = Set[:h, :escapeHTML]
+
+      check_simple_format_usage
+      generic_warning unless @found_any
+    end
+  end
+
+  def generic_warning
+    message = "Rails #{rails_version} has a vulnerability in simple_format (CVE-2013-6416). Upgrade to Rails version 4.0.2"
+
+    warn :warning_type => "Cross Site Scripting",
+      :warning_code => :CVE_2013_6416,
+      :message => message,
+      :confidence => CONFIDENCE[:med],
+      :gem_info => gemfile_or_environment,
+      :link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ"
+  end
+
+  def check_simple_format_usage
+    tracker.find_call(:target => false, :method => :simple_format).each do |result|
+      @matched = false
+      process_call result[:call]
+      if @matched
+        warn_on_simple_format result, @matched
+      end
+    end
+  end
+
+  def process_call exp
+    @mark = true
+    actually_process_call exp
+    exp
+  end
+
+  def warn_on_simple_format result, match
+    return if duplicate? result
+    add_result result
+
+    @found_any = true
+
+    warn :result => result,
+      :warning_type => "Cross Site Scripting",
+      :warning_code => :CVE_2013_6416_call,
+      :message => "Values passed to simple_format are not safe in Rails #{rails_version}",
+      :confidence => CONFIDENCE[:high],
+      :link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ",
+      :user_input => match
+  end
+end

data/lib/brakeman/checks/check_single_quotes.rb

@@ -0,0 +1,101 @@
+require 'brakeman/checks/base_check'
+
+#Checks for versions which do not escape single quotes.
+#https://groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion
+class Brakeman::CheckSingleQuotes < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+  RACK_UTILS = Sexp.new(:colon2, Sexp.new(:const, :Rack), :Utils)
+
+  @description = "Check for versions which do not escape single quotes (CVE-2012-3464)"
+
+  def initialize *args
+    super
+    @inside_erb = @inside_util = @inside_html_escape = @uses_rack_escape = false
+  end
+
+  def run_check
+    return if uses_rack_escape?
+
+    case
+    when version_between?('2.0.0', '2.3.14')
+      message = "All Rails 2.x versions do not escape single quotes (CVE-2012-3464)"
+    when version_between?('3.0.0', '3.0.16')
+      message = "Rails #{rails_version} does not escape single quotes (CVE-2012-3464). Upgrade to 3.0.17"
+    when version_between?('3.1.0', '3.1.7')
+      message = "Rails #{rails_version} does not escape single quotes (CVE-2012-3464). Upgrade to 3.1.8"
+    when version_between?('3.2.0', '3.2.7')
+      message = "Rails #{rails_version} does not escape single quotes (CVE-2012-3464). Upgrade to 3.2.8"
+    else
+      return
+    end
+
+    warn :warning_type => "Cross Site Scripting",
+      :warning_code => :CVE_2012_3464,
+      :message => message,
+      :confidence => CONFIDENCE[:med],
+      :gem_info => gemfile_or_environment,
+      :link_path => "https://groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion"
+  end
+
+  #Process initializers to see if they use workaround
+  #by replacing Erb::Util.html_escape
+  def uses_rack_escape?
+    @tracker.initializers.each do |name, src|
+      process src
+    end
+
+    @uses_rack_escape
+  end
+
+  #Look for
+  #
+  #    class ERB
+  def process_class exp
+    if exp.class_name == :ERB
+      @inside_erb = true
+      process_all exp.body
+      @inside_erb = false
+    end
+
+    exp
+  end
+
+  #Look for
+  #
+  #    module Util
+  def process_module exp
+    if @inside_erb and exp.module_name == :Util
+      @inside_util = true
+      process_all exp.body
+      @inside_util = false
+    end
+
+    exp
+  end
+
+  #Look for
+  #
+  #    def html_escape
+  def process_defn exp
+    if @inside_util and exp.method_name == :html_escape
+      @inside_html_escape = true
+      process_all exp.body
+      @inside_html_escape = false
+    end
+
+    exp
+  end
+
+  #Look for
+  #
+  #    Rack::Utils.escape_html
+  def process_call exp
+    if @inside_html_escape and exp.target == RACK_UTILS and exp.method == :escape_html
+      @uses_rack_escape = true
+    else
+      process exp.target if exp.target
+    end
+
+    exp
+  end
+end

data/lib/brakeman/checks/check_skip_before_filter.rb

@@ -0,0 +1,60 @@
+require 'brakeman/checks/base_check'
+
+#At the moment, this looks for
+#
+#  skip_before_filter :verify_authenticity_token, :except => [...]
+#
+#which is essentially a blacklist approach (no actions are checked EXCEPT the
+#ones listed) versus a whitelist approach (ONLY the actions listed will skip
+#the check)
+class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Warn when skipping CSRF or authentication checks by default"
+
+  def run_check
+    tracker.controllers.each do |name, controller|
+      controller.skip_filters.each do |filter|
+        process_skip_filter filter, controller
+      end
+    end
+  end
+
+  def process_skip_filter filter, controller
+    case skip_except_value filter
+    when :verify_authenticity_token
+      warn :class => controller.name, #ugh this should be a controller warning, too
+        :warning_type => "Cross-Site Request Forgery",
+        :warning_code => :csrf_blacklist,
+        :message => "Use whitelist (:only => [..]) when skipping CSRF check",
+        :code => filter,
+        :confidence => CONFIDENCE[:med],
+        :file => controller.file
+
+    when :login_required, :authenticate_user!, :require_user
+      warn :controller => controller.name,
+        :warning_code => :auth_blacklist,
+        :warning_type => "Authentication",
+        :message => "Use whitelist (:only => [..]) when skipping authentication",
+        :code => filter,
+        :confidence => CONFIDENCE[:med],
+        :link => "authentication_whitelist",
+        :file => controller.file
+    end
+  end
+
+  def skip_except_value filter
+    return false unless call? filter
+
+    first_arg = filter.first_arg
+    last_arg = filter.last_arg
+
+    if symbol? first_arg and hash? last_arg
+      if hash_access(last_arg, :except)
+        return first_arg.value
+      end
+    end
+
+    false
+  end
+end

data/lib/brakeman/checks/check_sql.rb

@@ -0,0 +1,660 @@
+require 'brakeman/checks/base_check'
+
+#This check tests for find calls which do not use Rails' auto SQL escaping
+#
+#For example:
+# Project.find(:all, :conditions => "name = '" + params[:name] + "'")
+#
+# Project.find(:all, :conditions => "name = '#{params[:name]}'")
+#
+# User.find_by_sql("SELECT * FROM projects WHERE name = '#{params[:name]}'")
+class Brakeman::CheckSQL < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Check for SQL injection"
+
+  def run_check
+    @sql_targets = [:all, :average, :calculate, :count, :count_by_sql, :exists?, :delete_all, :destroy_all,
+      :find, :find_by_sql, :first, :last, :maximum, :minimum, :pluck, :sum, :update_all]
+    @sql_targets.concat [:from, :group, :having, :joins, :lock, :order, :reorder, :select, :where] if tracker.options[:rails3]
+    @sql_targets << :find_by << :find_by! if tracker.options[:rails4]
+
+    @connection_calls = [:delete, :execute, :insert, :select_all, :select_one,
+      :select_rows, :select_value, :select_values]
+
+    if tracker.options[:rails3]
+      @connection_calls.concat [:exec_delete, :exec_insert, :exec_query, :exec_update]
+    else
+      @connection_calls.concat [:add_limit!, :add_offset_limit!, :add_lock!]
+    end
+
+    Brakeman.debug "Finding possible SQL calls on models"
+    calls = tracker.find_call :targets => active_record_models.keys,
+      :methods => @sql_targets,
+      :chained => true
+
+    Brakeman.debug "Finding possible SQL calls with no target"
+    calls.concat tracker.find_call(:target => nil, :methods => @sql_targets)
+
+    Brakeman.debug "Finding possible SQL calls using constantized()"
+    calls.concat tracker.find_call(:methods => @sql_targets).select { |result| constantize_call? result }
+
+    connect_targets = active_record_models.keys + [:connection, :"ActiveRecord::Base"]
+    calls.concat tracker.find_call(:targets => connect_targets, :methods => @connection_calls, :chained => true).select { |result| connect_call? result }
+
+    Brakeman.debug "Finding calls to named_scope or scope"
+    calls.concat find_scope_calls
+
+    Brakeman.debug "Processing possible SQL calls"
+    calls.each { |call| process_result call }
+  end
+
+  #Find calls to named_scope() or scope() in models
+  #RP 3 TODO
+  def find_scope_calls
+    scope_calls = []
+
+    if version_between?("2.1.0", "3.0.9")
+      ar_scope_calls(:named_scope) do |name, args|
+        call = make_call(nil, :named_scope, args).line(args.line)
+        scope_calls << scope_call_hash(call, name, :named_scope)
+      end
+    elsif version_between?("3.1.0", "9.9.9")
+      ar_scope_calls(:scope) do |name, args|
+        second_arg = args[2]
+        next unless sexp? second_arg
+
+        if second_arg.node_type == :iter and node_type? second_arg.block, :block, :call, :safe_call
+          process_scope_with_block(name, args)
+        elsif call? second_arg
+          call = second_arg
+          scope_calls << scope_call_hash(call, name, call.method)
+        else
+          call = make_call(nil, :scope, args).line(args.line)
+          scope_calls << scope_call_hash(call, name, :scope)
+        end
+      end
+    end
+
+    scope_calls
+  end
+
+  def ar_scope_calls(symbol_name = :named_scope, &block)
+    return_array = []
+    active_record_models.each do |name, model|
+      model_args = model.options[symbol_name]
+      if model_args
+        model_args.each do |args|
+          yield name, args
+          return_array << [name, args]
+        end
+      end
+    end
+    return_array
+  end
+
+  def scope_call_hash(call, name, method)
+    { :call => call, :location => { :type => :class, :class => name }, :method => :named_scope }
+  end
+
+
+  def process_scope_with_block model_name, args
+    scope_name = args[1][1]
+    block = args[-1][-1]
+
+    # Search lambda for calls to query methods
+    if block.node_type == :block
+      find_calls = Brakeman::FindAllCalls.new(tracker)
+      find_calls.process_source(block, :class => model_name, :method => scope_name)
+      find_calls.calls.each { |call| process_result(call) if @sql_targets.include?(call[:method]) }
+    elsif call? block
+      while call? block
+        process_result :target => block.target, :method => block.method, :call => block,
+         :location => { :type => :class, :class => model_name, :method => scope_name }
+
+        block = block.target
+      end
+    end
+  end
+
+  #Process possible SQL injection sites:
+  #
+  # Model#find
+  #
+  # Model#(named_)scope
+  #
+  # Model#(find|count)_by_sql
+  #
+  # Model#all
+  #
+  ### Rails 3
+  #
+  # Model#(where|having)
+  # Model#(order|group)
+  #
+  ### Find Options Hash
+  #
+  # Dangerous keys that accept SQL:
+  #
+  # * conditions
+  # * order
+  # * having
+  # * joins
+  # * select
+  # * from
+  # * lock
+  #
+  def process_result result
+    return if duplicate?(result) or result[:call].original_line
+    return if result[:target].nil? && !active_record_models.include?(result[:location][:class])
+
+
+    call = result[:call]
+    method = call.method
+
+    dangerous_value = case method
+                      when :find
+                        check_find_arguments call.second_arg
+                      when :exists?, :delete_all, :destroy_all
+                        check_find_arguments call.first_arg
+                      when :named_scope, :scope
+                        check_scope_arguments call
+                      when :find_by_sql, :count_by_sql
+                        check_by_sql_arguments call.first_arg
+                      when :calculate
+                        check_find_arguments call.third_arg
+                      when :last, :first, :all
+                        check_find_arguments call.first_arg
+                      when :average, :count, :maximum, :minimum, :sum
+                        if call.length > 5
+                          unsafe_sql?(call.first_arg) or check_find_arguments(call.last_arg)
+                        else
+                          check_find_arguments call.last_arg
+                        end
+                      when :where, :having, :find_by, :find_by!
+                        check_query_arguments call.arglist
+                      when :order, :group, :reorder
+                        check_order_arguments call.arglist
+                      when :joins
+                        check_joins_arguments call.first_arg
+                      when :from
+                        unsafe_sql? call.first_arg
+                      when :lock
+                        check_lock_arguments call.first_arg
+                      when :pluck
+                        unsafe_sql? call.first_arg
+                      when :update_all, :select
+                        check_update_all_arguments call.args
+                      when *@connection_calls
+                        check_by_sql_arguments call.first_arg
+                      else
+                        Brakeman.debug "Unhandled SQL method: #{method}"
+                      end
+
+    if dangerous_value
+      add_result result
+
+      input = include_user_input? dangerous_value
+      if input
+        confidence = CONFIDENCE[:high]
+        user_input = input
+      else
+        confidence = CONFIDENCE[:med]
+        user_input = dangerous_value
+      end
+
+      warn :result => result,
+        :warning_type => "SQL Injection",
+        :warning_code => :sql_injection,
+        :message => "Possible SQL injection",
+        :user_input => user_input,
+        :confidence => confidence
+    end
+
+    if check_for_limit_or_offset_vulnerability call.last_arg
+      if include_user_input? call.last_arg
+        confidence = CONFIDENCE[:high]
+      else
+        confidence = CONFIDENCE[:low]
+      end
+
+      warn :result => result,
+        :warning_type => "SQL Injection",
+        :warning_code => :sql_injection_limit_offset,
+        :message => "Upgrade to Rails >= 2.1.2 to escape :limit and :offset. Possible SQL injection",
+        :confidence => confidence
+    end
+  end
+
+
+  #The 'find' methods accept a number of different types of parameters:
+  #
+  # * The first argument might be :all, :first, or :last
+  # * The first argument might be an integer ID or an array of IDs
+  # * The second argument might be a hash of options, some of which are
+  #   dangerous and some of which are not
+  # * The second argument might contain SQL fragments as values
+  # * The second argument might contain properly parameterized SQL fragments in arrays
+  # * The second argument might contain improperly parameterized SQL fragments in arrays
+  #
+  #This method should only be passed the second argument.
+  def check_find_arguments arg
+    return nil if not sexp? arg or node_type? arg, :lit, :string, :str, :true, :false, :nil
+
+    unsafe_sql? arg
+  end
+
+  def check_scope_arguments call
+    scope_arg = call.second_arg #first arg is name of scope
+
+    node_type?(scope_arg, :iter) ? unsafe_sql?(scope_arg.block) : unsafe_sql?(scope_arg)
+  end
+
+  def check_query_arguments arg
+    return unless sexp? arg
+    first_arg = arg[1]
+
+    if node_type? arg, :arglist
+      if arg.length > 2 and string_interp? first_arg
+        # Model.where("blah = ?", blah)
+        return check_string_interp first_arg
+      else
+        arg = first_arg
+      end
+    end
+
+    if request_value? arg
+      unless call? arg and params? arg.target and [:permit, :slice].include? arg.method
+        # Model.where(params[:where])
+        arg
+      end
+    elsif hash? arg
+      #This is generally going to be a hash of column names and values, which
+      #would escape the values. But the keys _could_ be user input.
+      check_hash_keys arg
+    elsif node_type? arg, :lit, :str
+      nil
+    else
+      #Hashes are safe...but we check above for hash, so...?
+      unsafe_sql? arg, :ignore_hash
+    end
+  end
+
+  #Checks each argument to order/reorder/group for possible SQL.
+  #Anything used with these methods is passed in verbatim.
+  def check_order_arguments args
+    return unless sexp? args
+
+    if node_type? args, :arglist
+      check_update_all_arguments(args)
+    else
+      unsafe_sql? args
+    end
+  end
+
+  #find_by_sql and count_by_sql can take either a straight SQL string
+  #or an array with values to bind.
+  def check_by_sql_arguments arg
+    return unless sexp? arg
+
+    #This is kind of unnecessary, because unsafe_sql? will handle an array
+    #correctly, but might be better to be explicit.
+    array?(arg) ? unsafe_sql?(arg[1]) : unsafe_sql?(arg)
+  end
+
+  #joins can take a string, hash of associations, or an array of both(?)
+  #We only care about the possible string values.
+  def check_joins_arguments arg
+    return unless sexp? arg and not node_type? arg, :hash, :string, :str
+
+    if array? arg
+      arg.each do |a|
+        unsafe_arg = check_joins_arguments a
+        return unsafe_arg if unsafe_arg
+      end
+
+      nil
+    else
+      unsafe_sql? arg
+    end
+  end
+
+  def check_update_all_arguments args
+    args.each do |arg|
+      unsafe_arg = unsafe_sql? arg
+      return unsafe_arg if unsafe_arg
+    end
+
+    nil
+  end
+
+  #Model#lock essentially only cares about strings. But those strings can be
+  #any SQL fragment. This does not apply to all databases. (For those who do not
+  #support it, the lock method does nothing).
+  def check_lock_arguments arg
+    return unless sexp? arg and not node_type? arg, :hash, :array, :string, :str
+
+    unsafe_sql?(arg, :ignore_hash)
+  end
+
+
+  #Check hash keys for user input.
+  #(Seems unlikely, but if a user can control the column names queried, that
+  #could be bad)
+  def check_hash_keys exp
+    hash_iterate(exp) do |key, value|
+      unless symbol?(key)
+        unsafe_key = unsafe_sql? key
+        return unsafe_key if unsafe_key
+      end
+    end
+
+    false
+  end
+
+  #Check an interpolated string for dangerous values.
+  #
+  #This method assumes values interpolated into strings are unsafe by default,
+  #unless safe_value? explicitly returns true.
+  def check_string_interp arg
+    arg.each do |exp|
+      if dangerous = unsafe_string_interp?(exp)
+        return dangerous
+      end
+    end
+
+    nil
+  end
+
+  #Returns value if interpolated value is not something safe
+  def unsafe_string_interp? exp
+    if node_type? exp, :evstr
+      value = exp.value
+    else
+      value = exp
+    end
+
+    if not sexp? value
+      nil
+    elsif call? value and value.method == :to_s
+      unsafe_string_interp? value.target
+    else
+      case value.node_type
+      when :or
+        unsafe_string_interp?(value.lhs) || unsafe_string_interp?(value.rhs)
+      when :dstr
+        if dangerous = check_string_interp(value)
+          return dangerous
+        end
+      else
+        if safe_value? value
+          nil
+        elsif string_building? value
+          check_for_string_building value
+        else
+          value
+        end
+      end
+    end
+  end
+
+  #Checks the given expression for unsafe SQL values. If an unsafe value is
+  #found, returns that value (may be the given _exp_ or a subexpression).
+  #
+  #Otherwise, returns false/nil.
+  def unsafe_sql? exp, ignore_hash = false
+    return unless sexp?(exp)
+
+    dangerous_value = find_dangerous_value exp, ignore_hash
+    safe_value?(dangerous_value) ? false : dangerous_value
+  end
+
+  #Check _exp_ for dangerous values. Used by unsafe_sql?
+  def find_dangerous_value exp, ignore_hash
+    case exp.node_type
+    when :lit, :str, :const, :colon2, :true, :false, :nil
+      nil
+    when :array
+      #Assume this is an array like
+      #
+      #  ["blah = ? AND thing = ?", ...]
+      #
+      #and check first value
+      unsafe_sql? exp[1]
+    when :dstr
+      check_string_interp exp
+    when :hash
+      check_hash_values exp unless ignore_hash
+    when :if
+      unsafe_sql? exp.then_clause or unsafe_sql? exp.else_clause
+    when :call
+      unless IGNORE_METHODS_IN_SQL.include? exp.method
+        if has_immediate_user_input? exp or has_immediate_model? exp
+          exp
+        elsif exp.method == :to_s
+          find_dangerous_value exp.target, ignore_hash
+        else
+          check_call exp
+        end
+      end
+    when :or
+      if unsafe = (unsafe_sql?(exp.lhs) || unsafe_sql?(exp.rhs))
+        unsafe
+      else
+        nil
+      end
+    when :block, :rlist
+      unsafe_sql? exp.last
+    else
+      if has_immediate_user_input? exp or has_immediate_model? exp
+        exp
+      else
+        nil
+      end
+    end
+  end
+
+  #Checks hash values associated with these keys:
+  #
+  # * conditions
+  # * order
+  # * having
+  # * joins
+  # * select
+  # * from
+  # * lock
+  def check_hash_values exp
+    hash_iterate(exp) do |key, value|
+      if symbol? key
+        unsafe = case key.value
+                 when :conditions, :having, :select
+                   check_query_arguments value
+                 when :order, :group
+                   check_order_arguments value
+                 when :joins
+                   check_joins_arguments value
+                 when :lock
+                   check_lock_arguments value
+                 when :from
+                   unsafe_sql? value
+                 else
+                   nil
+                 end
+
+        return unsafe if unsafe
+      end
+    end
+
+    false
+  end
+
+  STRING_METHODS = Set[:<<, :+, :concat, :prepend]
+
+  def check_for_string_building exp
+    return unless call? exp
+
+    target = exp.target
+    method = exp.method
+    arg = exp.first_arg
+
+    if STRING_METHODS.include? method
+      check_str_target_or_arg(target, arg) or
+      check_interp_target_or_arg(target, arg) or
+      check_for_string_building(target) or
+      check_for_string_building(arg)
+    else
+      nil
+    end
+  end
+
+  def check_str_target_or_arg target, arg
+    if string? target
+      check_string_arg arg
+    elsif string? arg
+      check_string_arg target
+    end
+  end
+
+  def check_interp_target_or_arg target, arg
+    if string_interp? target or string_interp? arg
+      check_string_arg target and
+      check_string_arg arg
+    end
+  end
+
+  def check_string_arg exp
+    if safe_value? exp
+      nil
+    elsif string_building? exp
+      check_for_string_building exp
+    elsif string_interp? exp
+      check_string_interp exp
+    elsif call? exp and exp.method == :to_s
+      check_string_arg exp.target
+    else
+      exp
+    end
+  end
+
+  def string_building? exp
+    return false unless call? exp and STRING_METHODS.include? exp.method
+
+    node_type? exp.target, :str, :dstr or
+    node_type? exp.first_arg, :str, :dstr or
+    string_building? exp.target or
+    string_building? exp.first_arg
+  end
+
+  IGNORE_METHODS_IN_SQL = Set[:id, :merge_conditions, :table_name, :quoted_table_name,
+    :quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array,
+    :sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,
+    :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
+    :to_sql, :sanitize, :primary_key, :table_name_prefix, :table_name_suffix]
+
+  def safe_value? exp
+    return true unless sexp? exp
+
+    case exp.node_type
+    when :str, :lit, :const, :colon2, :nil, :true, :false
+      true
+    when :call
+      if exp.method == :to_s or exp.method == :to_sym
+        safe_value? exp.target
+      else
+        IGNORE_METHODS_IN_SQL.include? exp.method or
+        quote_call? exp or
+        arel? exp or
+        exp.method.to_s.end_with? "_id"
+      end
+    when :if
+      safe_value? exp.then_clause and safe_value? exp.else_clause
+    when :block, :rlist
+      safe_value? exp.last
+    when :or
+      safe_value? exp.lhs and safe_value? exp.rhs
+    else
+      false
+    end
+  end
+
+  QUOTE_METHODS = [:quote, :quote_column_name, :quoted_date, :quote_string, :quote_table_name]
+
+  def quote_call? exp
+    if call? exp.target
+      exp.target.method == :connection and QUOTE_METHODS.include? exp.method
+    elsif exp.target.nil?
+      exp.method == :quote_value
+    end
+  end
+
+  AREL_METHODS = [:all, :and, :arel_table, :as, :eq, :eq_any, :exists, :group,
+                  :gt, :gteq, :having, :in, :join_sources, :limit, :lt, :lteq, :not,
+                  :not_eq, :on, :or, :order, :project, :skip, :take, :where, :with]
+
+  def arel? exp
+    call? exp and (AREL_METHODS.include? exp.method or arel? exp.target)
+  end
+
+  #Check call for string building
+  def check_call exp
+    return unless call? exp
+    unsafe = check_for_string_building exp
+
+    if unsafe
+      unsafe
+    elsif call? exp.target
+      check_call exp.target
+    else
+      nil
+    end
+  end
+
+  #Prior to Rails 2.1.1, the :offset and :limit parameters were not
+  #escaping input properly.
+  #
+  #http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/
+  def check_for_limit_or_offset_vulnerability options
+    return false if rails_version.nil? or rails_version >= "2.1.1" or not hash?(options)
+
+    return true if hash_access(options, :limit) or hash_access(options, :offset)
+
+    false
+  end
+
+  #Look for something like this:
+  #
+  # params[:x].constantize.find('something')
+  #
+  # s(:call,
+  #   s(:call,
+  #     s(:call,
+  #       s(:call, nil, :params, s(:arglist)),
+  #       :[],
+  #       s(:arglist, s(:lit, :x))),
+  #     :constantize,
+  #     s(:arglist)),
+  #   :find,
+  #   s(:arglist, s(:str, "something")))
+  def constantize_call? result
+    call = result[:call]
+    call? call.target and call.target.method == :constantize
+  end
+
+  SELF_CLASS = s(:call, s(:self), :class)
+
+  def connect_call? result
+    call = result[:call]
+    target = call.target
+
+    if call? target and target.method == :connection
+      target = target.target
+      klass = class_name(target)
+
+      target.nil? or
+      target == SELF_CLASS or
+      node_type? target, :self or
+      klass == :"ActiveRecord::Base" or
+      active_record_models.include? klass
+    end
+  end
+end