RubyGems - brakeman-lib - Versions diffs - 3.3.1 - Mend

brakeman-lib 3.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (159) hide show

checksums.yaml +7 -0
data/CHANGES +872 -0
data/FEATURES +16 -0
data/README.md +169 -0
data/WARNING_TYPES +95 -0
data/bin/brakeman +89 -0
data/lib/brakeman.rb +495 -0
data/lib/brakeman/app_tree.rb +161 -0
data/lib/brakeman/brakeman.rake +17 -0
data/lib/brakeman/call_index.rb +219 -0
data/lib/brakeman/checks.rb +191 -0
data/lib/brakeman/checks/base_check.rb +518 -0
data/lib/brakeman/checks/check_basic_auth.rb +88 -0
data/lib/brakeman/checks/check_basic_auth_timing_attack.rb +33 -0
data/lib/brakeman/checks/check_content_tag.rb +160 -0
data/lib/brakeman/checks/check_create_with.rb +75 -0
data/lib/brakeman/checks/check_cross_site_scripting.rb +385 -0
data/lib/brakeman/checks/check_default_routes.rb +86 -0
data/lib/brakeman/checks/check_deserialize.rb +57 -0
data/lib/brakeman/checks/check_detailed_exceptions.rb +55 -0
data/lib/brakeman/checks/check_digest_dos.rb +38 -0
data/lib/brakeman/checks/check_dynamic_finders.rb +49 -0
data/lib/brakeman/checks/check_escape_function.rb +21 -0
data/lib/brakeman/checks/check_evaluation.rb +36 -0
data/lib/brakeman/checks/check_execute.rb +167 -0
data/lib/brakeman/checks/check_file_access.rb +63 -0
data/lib/brakeman/checks/check_file_disclosure.rb +35 -0
data/lib/brakeman/checks/check_filter_skipping.rb +31 -0
data/lib/brakeman/checks/check_forgery_setting.rb +74 -0
data/lib/brakeman/checks/check_header_dos.rb +31 -0
data/lib/brakeman/checks/check_i18n_xss.rb +48 -0
data/lib/brakeman/checks/check_jruby_xml.rb +38 -0
data/lib/brakeman/checks/check_json_encoding.rb +47 -0
data/lib/brakeman/checks/check_json_parsing.rb +107 -0
data/lib/brakeman/checks/check_link_to.rb +132 -0
data/lib/brakeman/checks/check_link_to_href.rb +115 -0
data/lib/brakeman/checks/check_mail_to.rb +49 -0
data/lib/brakeman/checks/check_mass_assignment.rb +198 -0
data/lib/brakeman/checks/check_mime_type_dos.rb +39 -0
data/lib/brakeman/checks/check_model_attr_accessible.rb +55 -0
data/lib/brakeman/checks/check_model_attributes.rb +119 -0
data/lib/brakeman/checks/check_model_serialize.rb +67 -0
data/lib/brakeman/checks/check_nested_attributes.rb +38 -0
data/lib/brakeman/checks/check_nested_attributes_bypass.rb +58 -0
data/lib/brakeman/checks/check_number_to_currency.rb +74 -0
data/lib/brakeman/checks/check_quote_table_name.rb +40 -0
data/lib/brakeman/checks/check_redirect.rb +215 -0
data/lib/brakeman/checks/check_regex_dos.rb +69 -0
data/lib/brakeman/checks/check_render.rb +92 -0
data/lib/brakeman/checks/check_render_dos.rb +37 -0
data/lib/brakeman/checks/check_render_inline.rb +54 -0
data/lib/brakeman/checks/check_response_splitting.rb +21 -0
data/lib/brakeman/checks/check_route_dos.rb +42 -0
data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +31 -0
data/lib/brakeman/checks/check_sanitize_methods.rb +79 -0
data/lib/brakeman/checks/check_secrets.rb +40 -0
data/lib/brakeman/checks/check_select_tag.rb +60 -0
data/lib/brakeman/checks/check_select_vulnerability.rb +60 -0
data/lib/brakeman/checks/check_send.rb +48 -0
data/lib/brakeman/checks/check_send_file.rb +19 -0
data/lib/brakeman/checks/check_session_manipulation.rb +36 -0
data/lib/brakeman/checks/check_session_settings.rb +170 -0
data/lib/brakeman/checks/check_simple_format.rb +59 -0
data/lib/brakeman/checks/check_single_quotes.rb +101 -0
data/lib/brakeman/checks/check_skip_before_filter.rb +60 -0
data/lib/brakeman/checks/check_sql.rb +660 -0
data/lib/brakeman/checks/check_sql_cves.rb +101 -0
data/lib/brakeman/checks/check_ssl_verify.rb +49 -0
data/lib/brakeman/checks/check_strip_tags.rb +89 -0
data/lib/brakeman/checks/check_symbol_dos.rb +64 -0
data/lib/brakeman/checks/check_symbol_dos_cve.rb +30 -0
data/lib/brakeman/checks/check_translate_bug.rb +45 -0
data/lib/brakeman/checks/check_unsafe_reflection.rb +51 -0
data/lib/brakeman/checks/check_unscoped_find.rb +41 -0
data/lib/brakeman/checks/check_validation_regex.rb +116 -0
data/lib/brakeman/checks/check_weak_hash.rb +151 -0
data/lib/brakeman/checks/check_without_protection.rb +80 -0
data/lib/brakeman/checks/check_xml_dos.rb +51 -0
data/lib/brakeman/checks/check_yaml_parsing.rb +121 -0
data/lib/brakeman/differ.rb +66 -0
data/lib/brakeman/file_parser.rb +50 -0
data/lib/brakeman/format/style.css +133 -0
data/lib/brakeman/options.rb +301 -0
data/lib/brakeman/parsers/rails2_erubis.rb +6 -0
data/lib/brakeman/parsers/rails2_xss_plugin_erubis.rb +48 -0
data/lib/brakeman/parsers/rails3_erubis.rb +74 -0
data/lib/brakeman/parsers/template_parser.rb +89 -0
data/lib/brakeman/processor.rb +102 -0
data/lib/brakeman/processors/alias_processor.rb +1013 -0
data/lib/brakeman/processors/base_processor.rb +277 -0
data/lib/brakeman/processors/config_processor.rb +14 -0
data/lib/brakeman/processors/controller_alias_processor.rb +273 -0
data/lib/brakeman/processors/controller_processor.rb +326 -0
data/lib/brakeman/processors/erb_template_processor.rb +80 -0
data/lib/brakeman/processors/erubis_template_processor.rb +104 -0
data/lib/brakeman/processors/gem_processor.rb +57 -0
data/lib/brakeman/processors/haml_template_processor.rb +190 -0
data/lib/brakeman/processors/lib/basic_processor.rb +37 -0
data/lib/brakeman/processors/lib/find_all_calls.rb +223 -0
data/lib/brakeman/processors/lib/find_call.rb +183 -0
data/lib/brakeman/processors/lib/find_return_value.rb +134 -0
data/lib/brakeman/processors/lib/processor_helper.rb +75 -0
data/lib/brakeman/processors/lib/rails2_config_processor.rb +145 -0
data/lib/brakeman/processors/lib/rails2_route_processor.rb +313 -0
data/lib/brakeman/processors/lib/rails3_config_processor.rb +132 -0
data/lib/brakeman/processors/lib/rails3_route_processor.rb +308 -0
data/lib/brakeman/processors/lib/render_helper.rb +181 -0
data/lib/brakeman/processors/lib/render_path.rb +107 -0
data/lib/brakeman/processors/lib/route_helper.rb +68 -0
data/lib/brakeman/processors/lib/safe_call_helper.rb +16 -0
data/lib/brakeman/processors/library_processor.rb +119 -0
data/lib/brakeman/processors/model_processor.rb +191 -0
data/lib/brakeman/processors/output_processor.rb +171 -0
data/lib/brakeman/processors/route_processor.rb +17 -0
data/lib/brakeman/processors/slim_template_processor.rb +107 -0
data/lib/brakeman/processors/template_alias_processor.rb +116 -0
data/lib/brakeman/processors/template_processor.rb +74 -0
data/lib/brakeman/report.rb +78 -0
data/lib/brakeman/report/config/remediation.yml +71 -0
data/lib/brakeman/report/ignore/config.rb +135 -0
data/lib/brakeman/report/ignore/interactive.rb +311 -0
data/lib/brakeman/report/renderer.rb +24 -0
data/lib/brakeman/report/report_base.rb +286 -0
data/lib/brakeman/report/report_codeclimate.rb +70 -0
data/lib/brakeman/report/report_csv.rb +55 -0
data/lib/brakeman/report/report_hash.rb +23 -0
data/lib/brakeman/report/report_html.rb +216 -0
data/lib/brakeman/report/report_json.rb +42 -0
data/lib/brakeman/report/report_markdown.rb +156 -0
data/lib/brakeman/report/report_table.rb +107 -0
data/lib/brakeman/report/report_tabs.rb +17 -0
data/lib/brakeman/report/templates/controller_overview.html.erb +22 -0
data/lib/brakeman/report/templates/controller_warnings.html.erb +21 -0
data/lib/brakeman/report/templates/error_overview.html.erb +29 -0
data/lib/brakeman/report/templates/header.html.erb +58 -0
data/lib/brakeman/report/templates/ignored_warnings.html.erb +25 -0
data/lib/brakeman/report/templates/model_warnings.html.erb +21 -0
data/lib/brakeman/report/templates/overview.html.erb +38 -0
data/lib/brakeman/report/templates/security_warnings.html.erb +23 -0
data/lib/brakeman/report/templates/template_overview.html.erb +21 -0
data/lib/brakeman/report/templates/view_warnings.html.erb +34 -0
data/lib/brakeman/report/templates/warning_overview.html.erb +17 -0
data/lib/brakeman/rescanner.rb +483 -0
data/lib/brakeman/scanner.rb +317 -0
data/lib/brakeman/tracker.rb +347 -0
data/lib/brakeman/tracker/collection.rb +93 -0
data/lib/brakeman/tracker/config.rb +101 -0
data/lib/brakeman/tracker/constants.rb +101 -0
data/lib/brakeman/tracker/controller.rb +161 -0
data/lib/brakeman/tracker/library.rb +17 -0
data/lib/brakeman/tracker/model.rb +90 -0
data/lib/brakeman/tracker/template.rb +33 -0
data/lib/brakeman/util.rb +481 -0
data/lib/brakeman/version.rb +3 -0
data/lib/brakeman/warning.rb +255 -0
data/lib/brakeman/warning_codes.rb +111 -0
data/lib/ruby_parser/bm_sexp.rb +610 -0
data/lib/ruby_parser/bm_sexp_processor.rb +116 -0
metadata +362 -0

data/lib/brakeman/checks/check_sql_cves.rb ADDED

@@ -0,0 +1,101 @@
+require 'brakeman/checks/base_check'
+class Brakeman::CheckSQLCVEs < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+  @description = "Checks for several SQL CVEs"
+  def run_check
+    check_rails_versions_against_cve_issues
+    check_cve_2014_0080
+  end
+  def check_rails_versions_against_cve_issues
+    issues = [
+      {
+        :cve => "CVE-2012-2660",
+        :versions => [%w[2.0.0 2.3.14 2.3.17], %w[3.0.0 3.0.12 3.0.13], %w[3.1.0 3.1.4 3.1.5], %w[3.2.0 3.2.3 3.2.4]],
+        :url => "https://groups.google.com/d/topic/rubyonrails-security/8SA-M3as7A8/discussion"
+      },
+      {
+        :cve => "CVE-2012-2661",
+        :versions => [%w[3.0.0 3.0.12 3.0.13], %w[3.1.0 3.1.4 3.1.5], %w[3.2.0 3.2.3 3.2.5]],
+        :url => "https://groups.google.com/d/topic/rubyonrails-security/dUaiOOGWL1k/discussion"
+      },
+      {
+        :cve => "CVE-2012-2695",
+        :versions => [%w[2.0.0 2.3.14 2.3.15], %w[3.0.0 3.0.13 3.0.14], %w[3.1.0 3.1.5 3.1.6], %w[3.2.0 3.2.5 3.2.6]],
+        :url => "https://groups.google.com/d/topic/rubyonrails-security/l4L0TEVAz1k/discussion"
+      },
+      {
+        :cve => "CVE-2012-5664",
+        :versions => [%w[2.0.0 2.3.14 2.3.15], %w[3.0.0 3.0.17 3.0.18], %w[3.1.0 3.1.8 3.1.9], %w[3.2.0 3.2.9 3.2.18]],
+        :url => "https://groups.google.com/d/topic/rubyonrails-security/DCNTNp_qjFM/discussion"
+      },
+      {
+        :cve => "CVE-2013-0155",
+        :versions => [%w[2.0.0 2.3.15 2.3.16], %w[3.0.0 3.0.18 3.0.19], %w[3.1.0 3.1.9 3.1.10], %w[3.2.0 3.2.10 3.2.11]],
+        :url => "https://groups.google.com/d/topic/rubyonrails-security/c7jT-EeN9eI/discussion"
+      },
+    ]
+    unless lts_version? '2.3.18.6'
+     issues << {
+        :cve => "CVE-2013-6417",
+        :versions => [%w[2.0.0 3.2.15 3.2.16], %w[4.0.0 4.0.1 4.0.2]],
+        :url => "https://groups.google.com/d/msg/ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ"
+      }
+    end
+    if tracker.config.has_gem? :pg
+      issues << {
+        :cve => "CVE-2014-3482",
+        :versions => [%w[2.0.0 2.9.9 3.2.19], %w[3.0.0 3.2.18 3.2.19], %w[4.0.0 4.0.6 4.0.7], %w[4.1.0 4.1.2 4.1.3]],
+        :url => "https://groups.google.com/d/msg/rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J"
+      } <<
+      {
+        :cve => "CVE-2014-3483",
+        :versions => [%w[2.0.0 2.9.9 3.2.19], %w[3.0.0 3.2.18 3.2.19], %w[4.0.0 4.0.6 4.0.7], %w[4.1.0 4.1.2 4.1.3]],
+        :url => "https://groups.google.com/d/msg/rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J" }
+    end
+    issues.each do |cve_issue|
+      cve_warning_for cve_issue[:versions], cve_issue[:cve], cve_issue[:url]
+    end
+  end
+  def cve_warning_for versions, cve, link
+    upgrade_version = upgrade_version? versions
+    return unless upgrade_version
+    code = cve.tr('-', '_').to_sym
+    warn :warning_type => 'SQL Injection',
+      :warning_code => code,
+      :message => "Rails #{rails_version} contains a SQL injection vulnerability (#{cve}). Upgrade to #{upgrade_version}",
+      :confidence => CONFIDENCE[:high],
+      :gem_info => gemfile_or_environment,
+      :link_path => link
+  end
+  def upgrade_version? versions
+    versions.each do |low, high, upgrade|
+      return upgrade if version_between? low, high
+    end
+    false
+  end
+  def check_cve_2014_0080
+    return unless version_between? "4.0.0", "4.0.2" and
+                  @tracker.config.has_gem? :pg
+    warn :warning_type => 'SQL Injection',
+      :warning_code => :CVE_2014_0080,
+      :message => "Rails #{rails_version} contains a SQL injection vulnerability (CVE-2014-0080) with PostgreSQL. Upgrade to 4.0.3",
+      :confidence => CONFIDENCE[:high],
+      :gem_info => gemfile_or_environment(:pg),
+      :link_path => "https://groups.google.com/d/msg/rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ"
+  end
+end

data/lib/brakeman/checks/check_ssl_verify.rb ADDED

@@ -0,0 +1,49 @@
+require 'brakeman/checks/base_check'
+# Checks if verify_mode= is called with OpenSSL::SSL::VERIFY_NONE
+class Brakeman::CheckSSLVerify < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+  SSL_VERIFY_NONE = s(:colon2, s(:colon2, s(:const, :OpenSSL), :SSL), :VERIFY_NONE)
+  @description = "Checks for OpenSSL::SSL::VERIFY_NONE"
+  def run_check
+    check_open_ssl_verify_none
+    check_http_start
+  end
+  def check_open_ssl_verify_none
+    tracker.find_call(:method => :verify_mode=).each {|call| process_verify_mode_result(call) }
+  end
+  def process_verify_mode_result result
+    if result[:call].last_arg == SSL_VERIFY_NONE
+      warn_about_ssl_verification_bypass result
+    end
+  end
+  def check_http_start
+    tracker.find_call(:target => :'Net::HTTP', :method => :start).each { |call| process_http_start_result call }
+  end
+  def process_http_start_result result
+    arg = result[:call].last_arg
+    if hash? arg and hash_access(arg, :verify_mode) == SSL_VERIFY_NONE
+      warn_about_ssl_verification_bypass result
+    end
+  end
+  def warn_about_ssl_verification_bypass result
+    return if duplicate?(result)
+    add_result result
+    warn :result => result,
+      :warning_type => "SSL Verification Bypass",
+      :warning_code => :ssl_verification_bypass,
+      :message => "SSL certificate verification was bypassed",
+      :confidence => CONFIDENCE[:high]
+  end
+end

data/lib/brakeman/checks/check_strip_tags.rb ADDED

@@ -0,0 +1,89 @@
+require 'brakeman/checks/base_check'
+#Check for uses of strip_tags in Rails versions before 3.0.17, 3.1.8, 3.2.8 (including 2.3.x):
+#https://groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion
+#
+#Check for uses of strip_tags in Rails versions before 2.3.13 and 3.0.10:
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12
+#
+#Check for user of strip_tags with rails-html-sanitizer 1.0.2:
+#https://groups.google.com/d/msg/rubyonrails-security/OU9ugTZcbjc/PjEP46pbFQAJ
+class Brakeman::CheckStripTags < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+  @description = "Report strip_tags vulnerabilities"
+  def run_check
+    if uses_strip_tags?
+      cve_2011_2931
+      cve_2012_3465
+    end
+    cve_2015_7579
+  end
+  def cve_2011_2931
+    if version_between?('2.0.0', '2.3.12') or version_between?('3.0.0', '3.0.9')
+      if rails_version =~ /^3/
+        message = "Versions before 3.0.10 have a vulnerability in strip_tags (CVE-2011-2931)"
+      else
+        message = "Versions before 2.3.13 have a vulnerability in strip_tags (CVE-2011-2931)"
+      end
+      warn :warning_type => "Cross Site Scripting",
+        :warning_code => :CVE_2011_2931,
+        :message => message,
+        :gem_info => gemfile_or_environment,
+        :confidence => CONFIDENCE[:high],
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/K5EwdJt06hI/discussion"
+    end
+  end
+  def cve_2012_3465
+    case
+    when (version_between?('2.0.0', '2.3.14') and tracker.config.escape_html?)
+      message = "All Rails 2.x versions have a vulnerability in strip_tags (CVE-2012-3465)"
+    when version_between?('3.0.10', '3.0.16')
+      message = "Rails #{rails_version} has a vulnerability in strip_tags (CVE-2012-3465). Upgrade to 3.0.17"
+    when version_between?('3.1.0', '3.1.7')
+      message = "Rails #{rails_version} has a vulnerability in strip_tags (CVE-2012-3465). Upgrade to 3.1.8"
+    when version_between?('3.2.0', '3.2.7')
+      message = "Rails #{rails_version} has a vulnerability in strip_tags (CVE-2012-3465). Upgrade to 3.2.8"
+    else
+      return
+    end
+    warn :warning_type => "Cross Site Scripting",
+      :warning_code => :CVE_2012_3465,
+      :message => message,
+      :confidence => CONFIDENCE[:high],
+      :gem_info => gemfile_or_environment,
+      :link_path => "https://groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion"
+  end
+  def cve_2015_7579
+    if tracker.config.gem_version(:'rails-html-sanitizer') == '1.0.2'
+      if uses_strip_tags?
+        confidence = CONFIDENCE[:high]
+      else
+        confidence = CONFIDENCE[:med]
+      end
+      message = "rails-html-sanitizer 1.0.2 is vulnerable (CVE-2015-7579). Upgrade to 1.0.3"
+      warn :warning_type => "Cross Site Scripting",
+        :warning_code => :CVE_2015_7579,
+        :message => message,
+        :confidence => confidence,
+        :gem_info => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/msg/rubyonrails-security/OU9ugTZcbjc/PjEP46pbFQAJ"
+    end
+  end
+  def uses_strip_tags?
+    Brakeman.debug "Finding calls to strip_tags()"
+    not tracker.find_call(:target => false, :method => :strip_tags, :nested => true).empty?
+  end
+end

data/lib/brakeman/checks/check_symbol_dos.rb ADDED

@@ -0,0 +1,64 @@
+require 'brakeman/checks/base_check'
+class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
+  Brakeman::Checks.add_optional self
+  UNSAFE_METHODS = [:to_sym, :literal_to_sym, :intern, :symbolize_keys, :symbolize_keys!]
+  @description = "Checks for symbol denial of service"
+  def run_check
+    return if rails_version > "5.0.0"
+    tracker.find_call(:methods => UNSAFE_METHODS, :nested => true).each do |result|
+      check_unsafe_symbol_creation(result)
+    end
+  end
+  def check_unsafe_symbol_creation result
+    return if duplicate? result or result[:call].original_line
+    add_result result
+    call = result[:call]
+    if result[:method] == :literal_to_sym
+      args = call.select { |e| sexp? e }
+    else
+      args = [call.target]
+    end
+    if input = args.map{ |arg| has_immediate_user_input?(arg) }.compact.first
+      confidence = CONFIDENCE[:high]
+    elsif input = args.map{ |arg| include_user_input?(arg) }.compact.first
+      confidence = CONFIDENCE[:med]
+    end
+    if confidence
+      return if safe_parameter? input.match
+      message = "Symbol conversion from unsafe string (#{friendly_type_of input})"
+      warn :result => result,
+        :warning_type => "Denial of Service",
+        :warning_code => :unsafe_symbol_creation,
+        :message => message,
+        :user_input => input,
+        :confidence => confidence
+    end
+  end
+  def safe_parameter? input
+    if call? input
+      if node_type? input.target, :params
+        input.method == :[] and
+        symbol? input.first_arg and
+        [:controller, :action].include? input.first_arg.value
+      else
+        safe_parameter? input.target
+      end
+    else
+      false
+    end
+  end
+end

data/lib/brakeman/checks/check_symbol_dos_cve.rb ADDED

@@ -0,0 +1,30 @@
+require 'brakeman/checks/base_check'
+class Brakeman::CheckSymbolDoSCVE < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+  @description = "Checks for versions with ActiveRecord symbol denial of service vulnerability"
+  def run_check
+    fix_version = case
+      when version_between?('2.0.0', '2.3.17')
+        '2.3.18'
+      when version_between?('3.1.0', '3.1.11')
+        '3.1.12'
+      when version_between?('3.2.0', '3.2.12')
+        '3.2.13'
+      else
+        nil
+      end
+    if fix_version && active_record_models.any?
+      warn :warning_type => "Denial of Service",
+        :warning_code => :CVE_2013_1854,
+        :message => "Rails #{rails_version} has a denial of service vulnerability in ActiveRecord: upgrade to #{fix_version} or patch",
+        :confidence => CONFIDENCE[:med],
+        :gem_info => gemfile_or_environment,
+        :link => "https://groups.google.com/d/msg/rubyonrails-security/jgJ4cjjS8FE/BGbHRxnDRTIJ"
+    end
+  end
+end

data/lib/brakeman/checks/check_translate_bug.rb ADDED

@@ -0,0 +1,45 @@
+require 'brakeman/checks/base_check'
+#Check for vulnerability in translate() helper that allows cross-site scripting
+class Brakeman::CheckTranslateBug < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+  @description = "Report XSS vulnerability in translate helper"
+  def run_check
+    return if lts_version? '2.3.18.6'
+    if (version_between?('2.3.0', '2.3.99') and tracker.config.escape_html?) or
+        version_between?('3.0.0', '3.0.10') or
+        version_between?('3.1.0', '3.1.1')
+      confidence = if uses_translate?
+        CONFIDENCE[:high]
+      else
+        CONFIDENCE[:med]
+      end
+      description = "have a vulnerability in the translate helper with keys ending in _html"
+      message = if rails_version =~ /^3\.1/
+        "Versions before 3.1.2 #{description}."
+      elsif rails_version =~ /^3\.0/
+        "Versions before 3.0.11 #{description}."
+      else
+        "Rails 2.3.x using the rails_xss plugin #{description}."
+      end
+      warn :warning_type => "Cross Site Scripting",
+        :warning_code => :translate_vuln,
+        :message => message,
+        :confidence => confidence,
+        :gem_info => gemfile_or_environment,
+        :link_path => "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5"
+    end
+  end
+  def uses_translate?
+    Brakeman.debug "Finding calls to translate() or t()"
+    tracker.find_call(:target => nil, :methods => [:t, :translate]).any?
+  end
+end

data/lib/brakeman/checks/check_unsafe_reflection.rb ADDED

@@ -0,0 +1,51 @@
+require 'brakeman/checks/base_check'
+# Checks for string interpolation and parameters in calls to
+# String#constantize, String#safe_constantize, Module#const_get and Module#qualified_const_get.
+#
+# Exploit examples at: http://blog.conviso.com.br/2013/02/exploiting-unsafe-reflection-in.html
+class Brakeman::CheckUnsafeReflection < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+  @description = "Checks for unsafe reflection"
+  def run_check
+    reflection_methods = [:constantize, :safe_constantize, :const_get, :qualified_const_get]
+    tracker.find_call(:methods => reflection_methods, :nested => true).each do |result|
+      check_unsafe_reflection result
+    end
+  end
+  def check_unsafe_reflection result
+    return if duplicate? result or result[:call].original_line
+    add_result result
+    call = result[:call]
+    method = call.method
+    case method
+    when :constantize, :safe_constantize
+      arg = call.target
+    else
+      arg = call.first_arg
+    end
+    if input = has_immediate_user_input?(arg)
+      confidence = CONFIDENCE[:high]
+    elsif input = include_user_input?(arg)
+      confidence = CONFIDENCE[:med]
+    end
+    if confidence
+      message = "Unsafe reflection method #{method} called with #{friendly_type_of input}"
+      warn :result => result,
+        :warning_type => "Remote Code Execution",
+        :warning_code => :unsafe_constantize,
+        :message => message,
+        :user_input => input,
+        :confidence => confidence
+    end
+  end
+end

data/lib/brakeman/checks/check_unscoped_find.rb ADDED

@@ -0,0 +1,41 @@
+require 'brakeman/checks/base_check'
+# Checks for unscoped calls to models' #find and #find_by_id methods.
+class Brakeman::CheckUnscopedFind < Brakeman::BaseCheck
+  Brakeman::Checks.add_optional self
+  @description = "Check for unscoped ActiveRecord queries"
+  def run_check
+    Brakeman.debug("Finding instances of #find on models with associations")
+    associated_model_names = active_record_models.keys.select do |name|
+      active_record_models[name].associations[:belongs_to]
+    end
+    calls = tracker.find_call :method => [:find, :find_by_id, :find_by_id!],
+                              :targets => associated_model_names
+    calls.each do |call|
+      process_result call
+    end
+  end
+  def process_result result
+    return if duplicate? result or result[:call].original_line
+    # Not interested unless argument is user controlled.
+    inputs = result[:call].args.map { |arg| include_user_input?(arg) }
+    return unless input = inputs.compact.first
+    add_result result
+    warn :result => result,
+      :warning_type => "Unscoped Find",
+      :warning_code => :unscoped_find,
+      :message      => "Unscoped call to #{result[:target]}##{result[:method]}",
+      :code         => result[:call],
+      :confidence   => CONFIDENCE[:low],
+      :user_input   => input
+  end
+end