brakeman-lib 3.3.1

data/lib/brakeman/checks/check_validation_regex.rb

@@ -0,0 +1,116 @@
+require 'brakeman/checks/base_check'
+
+#Reports any calls to +validates_format_of+ which do not use +\A+ and +\z+
+#as anchors in the given regular expression.
+#
+#For example:
+#
+# #Allows anything after new line
+# validates_format_of :user_name, :with => /^\w+$/
+class Brakeman::CheckValidationRegex < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Report uses of validates_format_of with improper anchors"
+
+  WITH = Sexp.new(:lit, :with)
+  FORMAT = Sexp.new(:lit, :format)
+
+  def run_check
+    active_record_models.each do |name, model|
+      @current_model = name
+      format_validations = model.options[:validates_format_of]
+
+      if format_validations
+        format_validations.each do |v|
+          process_validates_format_of v
+        end
+      end
+
+      validates = model.options[:validates]
+
+      if validates
+        validates.each do |v|
+          process_validates v
+        end
+      end
+    end
+  end
+
+  #Check validates_format_of
+  def process_validates_format_of validator
+    if value = hash_access(validator.last, WITH)
+      check_regex value, validator
+    end
+  end
+
+  #Check validates ..., :format => ...
+  def process_validates validator
+    hash_arg = validator.last
+    return unless hash? hash_arg
+
+    value = hash_access(hash_arg, FORMAT)
+
+    if hash? value
+      value = hash_access(value, WITH)
+    end
+
+    if value
+      check_regex value, validator
+    end
+  end
+
+  # Match secure regexp without extended option
+  SECURE_REGEXP_PATTERN = %r{
+    \A
+    \\A
+    .*
+    \\[zZ]
+    \z
+  }x
+
+  # Match secure of regexp with extended option
+  EXTENDED_SECURE_REGEXP_PATTERN = %r{
+    \A
+    \s*
+    \\A
+    .*
+    \\[zZ]
+    \s*
+    \z
+  }mx
+
+  #Issue warning if the regular expression does not use
+  #+\A+ and +\z+
+  def check_regex value, validator
+    return unless regexp? value
+
+    regex = value.value
+    unless secure_regex?(regex)
+      warn :model => @current_model,
+      :warning_type => "Format Validation",
+      :warning_code => :validation_regex,
+      :message => "Insufficient validation for '#{get_name validator}' using #{regex.inspect}. Use \\A and \\z as anchors",
+      :line => value.line,
+      :confidence => CONFIDENCE[:high]
+    end
+  end
+
+  #Get the name of the attribute being validated.
+  def get_name validator
+    name = validator[1]
+
+    if sexp? name
+      name.value
+    else
+      name
+    end
+  end
+
+  private
+
+  def secure_regex?(regex)
+    extended_regex = Regexp::EXTENDED == regex.options & Regexp::EXTENDED
+    regex_pattern = extended_regex ? EXTENDED_SECURE_REGEXP_PATTERN : SECURE_REGEXP_PATTERN
+    regex_pattern =~ regex.source
+  end
+end

data/lib/brakeman/checks/check_weak_hash.rb

@@ -0,0 +1,151 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckWeakHash < Brakeman::BaseCheck
+  Brakeman::Checks.add_optional self
+
+  @description = "Checks for use of weak hashes like MD5"
+
+  DIGEST_CALLS = [:base64digest, :digest, :hexdigest, :new]
+
+  def run_check
+    tracker.find_call(:targets => [:'Digest::MD5', :'Digest::SHA1', :'OpenSSL::Digest::MD5', :'OpenSSL::Digest::SHA1'], :nested => true).each do |result|
+      process_hash_result result
+    end
+
+    tracker.find_call(:target => :'Digest::HMAC', :methods => [:new, :hexdigest], :nested => true).each do |result|
+      process_hmac_result result
+    end
+
+    tracker.find_call(:targets => [:'OpenSSL::Digest::Digest', :'OpenSSL::Digest'], :method => :new).each do |result|
+      process_openssl_result result
+    end
+  end
+
+  def process_hash_result result
+    return if duplicate? result
+    add_result result
+
+    input = nil
+    call = result[:call]
+
+    if DIGEST_CALLS.include? call.method
+      if input = user_input_as_arg?(call)
+        confidence = CONFIDENCE[:high]
+      elsif input = hashing_password?(call)
+        confidence = CONFIDENCE[:high]
+      else
+        confidence = CONFIDENCE[:med]
+      end
+    else
+      confidence = CONFIDENCE[:med]
+    end
+
+
+    alg = case call.target.last
+          when :MD5
+           " (MD5)"
+           when :SHA1
+            " (SHA1)"
+          else
+            ""
+          end
+
+    warn :result => result,
+      :warning_type => "Weak Hash",
+      :warning_code => :weak_hash_digest,
+      :message => "Weak hashing algorithm#{alg} used",
+      :confidence => confidence,
+      :user_input => input
+  end
+
+  def process_hmac_result result
+    return if duplicate? result
+    add_result result
+
+    call = result[:call]
+
+    alg = case call.third_arg.last
+           when :MD5
+             'MD5'
+           when :SHA1
+             'SHA1'
+           else
+             return
+           end
+
+    warn :result => result,
+      :warning_type => "Weak Hash",
+      :warning_code => :weak_hash_hmac,
+      :message => "Weak hashing algorithm (#{alg}) used in HMAC",
+      :confidence => CONFIDENCE[:med]
+  end
+
+  def process_openssl_result result
+    return if duplicate? result
+    add_result result
+
+    arg = result[:call].first_arg
+
+    if string? arg
+      alg = arg.value.upcase
+
+      if alg == 'MD5' or alg == 'SHA1'
+        warn :result => result,
+          :warning_type => "Weak Hash",
+          :warning_code => :weak_hash_digest,
+          :message => "Weak hashing algorithm (#{alg}) used",
+          :confidence => CONFIDENCE[:med]
+      end
+    end
+  end
+
+  def user_input_as_arg? call
+    call.each_arg do |arg|
+      if input = include_user_input?(arg)
+        return input
+      end
+    end
+
+    nil
+  end
+
+  def hashing_password? call
+    call.each_arg do |arg|
+      @has_password = false
+
+      process arg
+
+      if @has_password
+        return @has_password
+      end
+    end
+
+    nil
+  end
+
+  def process_call exp
+    if exp.method == :password
+      @has_password = exp
+    else
+      process_default exp
+    end
+
+    exp
+  end
+
+  def process_ivar exp
+    if exp.value == :@password
+      @has_password = exp
+    end
+
+    exp
+  end
+
+  def process_lvar exp
+    if exp.value == :password
+      @has_password = exp
+    end
+
+    exp
+  end
+end

data/lib/brakeman/checks/check_without_protection.rb

@@ -0,0 +1,80 @@
+require 'brakeman/checks/base_check'
+
+#Check for bypassing mass assignment protection
+#with without_protection => true
+#
+#Only for Rails 3.1
+class Brakeman::CheckWithoutProtection < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Check for mass assignment using without_protection"
+
+  def run_check
+    if version_between? "0.0.0", "3.0.99"
+      return
+    end
+
+    return if active_record_models.empty?
+
+    Brakeman.debug "Finding all mass assignments"
+    calls = tracker.find_call :targets => active_record_models.keys, :methods => [:new,
+      :attributes=, 
+      :update_attributes, 
+      :update_attributes!,
+      :create,
+      :create!]
+
+    Brakeman.debug "Processing all mass assignments"
+    calls.each do |result|
+      process_result result
+    end
+  end
+
+  #All results should be Model.new(...) or Model.attributes=() calls
+  def process_result res
+    call = res[:call]
+    last_arg = call.last_arg
+
+    if hash? last_arg and not call.original_line and not duplicate? res
+
+      if value = hash_access(last_arg, :without_protection)
+        if true? value
+          add_result res
+
+          if input = include_user_input?(call.arglist)
+            confidence = CONFIDENCE[:high]
+          elsif all_literals? call
+            return
+          else
+            confidence = CONFIDENCE[:med]
+          end
+
+          warn :result => res, 
+            :warning_type => "Mass Assignment", 
+            :warning_code => :mass_assign_without_protection,
+            :message => "Unprotected mass assignment",
+            :code => call, 
+            :user_input => input,
+            :confidence => confidence
+
+        end
+      end
+    end
+  end
+
+  def all_literals? call
+    call.each_arg do |arg|
+      if hash? arg
+        hash_iterate arg do |k, v|
+          unless node_type? k, :str, :lit, :false, :true and node_type? v, :str, :lit, :false, :true
+            return false
+          end
+        end
+      else
+        return false
+      end
+    end
+
+    true
+  end
+end

data/lib/brakeman/checks/check_xml_dos.rb

@@ -0,0 +1,51 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckXMLDoS < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for XML denial of service (CVE-2015-3227)"
+
+  def run_check
+    version = rails_version
+
+    fix_version = case
+                  when version_between?("2.0.0", "3.2.21")
+                    "3.2.22"
+                  when version_between?("4.1.0", "4.1.10")
+                    "4.1.11"
+                  when version_between?("4.2.0", "4.2.1")
+                    "4.2.2"
+                  when version_between?("4.0.0", "4.0.99")
+                    "4.2.2"
+                  when (version.nil? and tracker.options[:rails3])
+                    version = "3.x"
+                    "3.2.22"
+                  when (version.nil? and tracker.options[:rails4])
+                    version = "4.x"
+                    "4.2.2"
+                  else
+                    return
+                  end
+
+    return if has_workaround?
+
+    message = "Rails #{version} is vulnerable to denial of service via XML parsing (CVE-2015-3227). Upgrade to Rails version #{fix_version}"
+
+    warn :warning_type => "Denial of Service",
+      :warning_code => :CVE_2015_3227,
+      :message => message,
+      :confidence => CONFIDENCE[:med],
+      :gem_info => gemfile_or_environment,
+      :link_path => "https://groups.google.com/d/msg/rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J"
+  end
+
+  def has_workaround?
+    tracker.check_initializers(:"ActiveSupport::XmlMini", :backend=).any? do |match|
+      arg = match.call.first_arg
+      if string? arg
+        value = arg.value
+        value == 'Nokogiri' or value == 'LibXML'
+      end
+    end
+  end
+end

data/lib/brakeman/checks/check_yaml_parsing.rb

@@ -0,0 +1,121 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckYAMLParsing < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for YAML parsing vulnerabilities (CVE-2013-0156)"
+
+  def run_check
+    return unless version_between? "0.0.0", "2.3.14" or
+                  version_between? "3.0.0", "3.0.18" or
+                  version_between? "3.1.0", "3.1.9" or
+                  version_between? "3.2.0", "3.2.10"
+
+    unless disabled_xml_parser? or disabled_xml_dangerous_types?
+      new_version = if version_between? "0.0.0", "2.3.14"
+                      "2.3.15"
+                    elsif version_between? "3.0.0", "3.0.18"
+                      "3.0.19"
+                    elsif version_between? "3.1.0", "3.1.9"
+                      "3.1.10"
+                    elsif version_between? "3.2.0", "3.2.10"
+                      "3.2.11"
+                    end
+
+      message = "Rails #{rails_version} has a remote code execution vulnerability: upgrade to #{new_version} or disable XML parsing"
+
+      warn :warning_type => "Remote Code Execution",
+        :warning_code => :CVE_2013_0156,
+        :message => message,
+        :confidence => CONFIDENCE[:high],
+        :gem_info => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/discussion"
+    end
+
+    #Warn if app accepts YAML
+    if version_between?("0.0.0", "2.3.14") and enabled_yaml_parser?
+      message = "Parsing YAML request parameters enables remote code execution: disable YAML parser"
+
+      warn :warning_type => "Remote Code Execution",
+        :warning_code => :CVE_2013_0156,
+        :message => message,
+        :confidence => CONFIDENCE[:high],
+        :gem_info => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/discussion"
+    end
+  end
+
+  def disabled_xml_parser?
+    if version_between? "0.0.0", "2.3.14"
+      #Look for ActionController::Base.param_parsers.delete(Mime::XML)
+      params_parser = s(:call,
+                        s(:colon2, s(:const, :ActionController), :Base),
+                        :param_parsers)
+
+      matches = tracker.check_initializers(params_parser, :delete)
+    else
+      #Look for ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML)
+      matches = tracker.check_initializers(:"ActionDispatch::ParamsParser::DEFAULT_PARSERS", :delete)
+    end
+
+    unless matches.empty?
+      mime_xml = s(:colon2, s(:const, :Mime), :XML)
+
+      matches.each do |result|
+        if result.call.first_arg == mime_xml
+          return true
+        end
+      end
+    end
+
+    false
+  end
+
+  #Look for ActionController::Base.param_parsers[Mime::YAML] = :yaml
+  #in Rails 2.x apps
+  def enabled_yaml_parser?
+    param_parsers = s(:call,
+                      s(:colon2, s(:const, :ActionController), :Base),
+                      :param_parsers)
+
+    matches = tracker.check_initializers(param_parsers, :[]=)
+
+    mime_yaml = s(:colon2, s(:const, :Mime), :YAML)
+
+    matches.each do |result|
+      if result.call.first_arg == mime_yaml and
+        symbol? result.call.second_arg and
+        result.call.second_arg.value == :yaml
+
+        return true
+      end
+    end
+
+    false
+  end
+
+  def disabled_xml_dangerous_types?
+    if version_between? "0.0.0", "2.3.14"
+      matches = tracker.check_initializers(:"ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING", :delete)
+    else
+      matches = tracker.check_initializers(:"ActiveSupport::XmlMini::PARSING", :delete)
+    end
+
+    symbols_off = false
+    yaml_off = false
+
+    matches.each do |result|
+      arg = result.call.first_arg
+
+      if string? arg
+        if arg.value == "yaml"
+          yaml_off = true
+        elsif arg.value == "symbol"
+          symbols_off = true
+        end
+      end
+    end
+
+    symbols_off and yaml_off
+  end
+end