brakeman-lib 3.3.1

data/lib/brakeman/processors/template_alias_processor.rb

@@ -0,0 +1,116 @@
+require 'set'
+require 'brakeman/processors/alias_processor'
+require 'brakeman/processors/lib/render_helper'
+require 'brakeman/processors/lib/render_path'
+require 'brakeman/tracker'
+
+#Processes aliasing in templates.
+#Handles calls to +render+.
+class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
+  include Brakeman::RenderHelper
+
+  FORM_METHODS = Set[:form_for, :remote_form_for, :form_remote_for]
+
+  def initialize tracker, template, called_from = nil
+    super tracker
+    @template = template
+    @called_from = called_from
+  end
+
+  #Process template
+  def process_template name, args, _, line = nil, file_name = nil
+    @file_name = file_name || relative_path(@template.file || @tracker.templates[@template.name])
+
+    if @called_from
+      if @called_from.include_template? name
+        Brakeman.debug "Skipping circular render from #{@template.name} to #{name}"
+        return
+      end
+
+      super name, args, @called_from.dup.add_template_render(@template.name, line, @file_name)
+    else
+      super name, args, Brakeman::RenderPath.new.add_template_render(@template.name, line, @file_name)
+    end
+  end
+
+  #Determine template name
+  def template_name name
+    if !name.to_s.include?('/') && @template.name.to_s.include?('/')
+      name = "#{@template.name.to_s.match(/^(.*\/).*$/)[1]}#{name}"
+    end
+    name
+  end
+
+  UNKNOWN_MODEL_CALL = Sexp.new(:call, Sexp.new(:const, Brakeman::Tracker::UNKNOWN_MODEL), :new)
+  FORM_BUILDER_CALL = Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new)
+
+  #Looks for form methods and iterating over collections of Models
+  def process_iter exp
+    process_default exp
+
+    call = exp.block_call
+
+    if call? call
+      target = call.target
+      method = call.method
+      arg = exp.block_args.first_param
+      block = exp.block
+
+      #Check for e.g. Model.find.each do ... end
+      if method == :each and arg and block and model = get_model_target(target)
+        if arg.is_a? Symbol
+          if model == target.target
+            env[Sexp.new(:lvar, arg)] = Sexp.new(:call, model, :new)
+          else
+            env[Sexp.new(:lvar, arg)] = UNKNOWN_MODEL_CALL
+          end
+
+          process block if sexp? block
+        end
+      elsif FORM_METHODS.include? method
+        if arg.is_a? Symbol
+          env[Sexp.new(:lvar, arg)] = FORM_BUILDER_CALL
+
+          process block if sexp? block
+        end
+      end
+    end
+
+    exp
+  end
+
+  #Checks if +exp+ is a call to Model.all or Model.find*
+  def get_model_target exp
+    if call? exp
+      target = exp.target
+
+      if exp.method == :all or exp.method.to_s[0,4] == "find"
+        models = Set.new @tracker.models.keys
+        name = class_name target
+        return target if models.include?(name)
+      end
+
+      return get_model_target(target)
+    end
+
+    false
+  end
+
+  #Ignore `<<` calls on template variables which are used by the templating
+  #library (HAML, ERB, etc.)
+  def find_push_target exp
+    if sexp? exp
+      if exp.node_type == :lvar and (exp.value == :_buf or exp.value == :_erbout)
+        return nil
+      elsif exp.node_type == :ivar and exp.value == :@output_buffer
+        return nil
+      elsif exp.node_type == :call and call? exp.target and
+        exp.target.method == :_hamlout and exp.method == :buffer
+
+        return nil
+      end
+    end
+
+    super
+  end
+end

data/lib/brakeman/processors/template_processor.rb

@@ -0,0 +1,74 @@
+require 'brakeman/processors/base_processor'
+require 'brakeman/tracker/template'
+
+#Base Processor for templates/views
+class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
+
+  #Initializes template information.
+  def initialize tracker, template_name, called_from = nil, file_name = nil
+    super(tracker) 
+    @current_template = Brakeman::Template.new template_name, called_from, file_name, tracker
+    @file_name = file_name
+
+    if called_from
+      template_name = (template_name.to_s + "." + called_from.to_s).to_sym
+    end
+
+    tracker.templates[template_name] = @current_template
+
+    @inside_concat = false
+  end
+
+  #Process the template Sexp.
+  def process exp
+    begin
+      super
+    rescue => e
+      except = e.exception("Error when processing #{@current_template.name}: #{e.message}")
+      except.set_backtrace(e.backtrace)
+      raise except
+    end
+  end
+
+  #Ignore initial variable assignment
+  def process_lasgn exp
+    if exp.lhs == :_erbout and exp.rhs.node_type == :str  #ignore
+      ignore
+    elsif exp.lhs == :_buf and exp.rhs.node_type == :str
+      ignore
+    else
+      exp.rhs = process exp.rhs
+      exp
+    end
+  end
+
+  #Adds output to the list of outputs.
+  def process_output exp
+    exp.value = process exp.value
+    @current_template.add_output exp unless exp.original_line
+    exp
+  end
+
+  def process_escaped_output exp
+    process_output exp
+  end
+
+  # Pull out actual output value from template
+  def normalize_output arg
+    if call? arg and [:to_s, :html_safe!, :freeze].include? arg.method
+      arg.target
+    elsif node_type? arg, :if
+      branches = [arg.then_clause, arg.else_clause].compact
+
+      if branches.empty?
+        s(:nil)
+      elsif branches.length == 2
+        Sexp.new(:or, *branches)
+      else
+        branches.first
+      end
+    else
+      arg
+    end
+  end
+end

data/lib/brakeman/report.rb

@@ -0,0 +1,78 @@
+require 'brakeman/report/report_base'
+
+#Generates a report based on the Tracker and the results of
+#Tracker#run_checks. Be sure to +run_checks+ before generating
+#a report.
+class Brakeman::Report
+  attr_reader :tracker
+
+  VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate]
+
+  def initialize app_tree, tracker
+    @app_tree = app_tree
+    @tracker = tracker
+  end
+
+  def format format
+    reporter = case format
+    when :to_codeclimate
+      require_report 'codeclimate'
+      Brakeman::Report::CodeClimate
+    when :to_csv
+      require_report 'csv'
+      Brakeman::Report::CSV
+    when :to_html
+      require_report 'html'
+      Brakeman::Report::HTML
+    when :to_json
+      return self.to_json
+    when :to_tabs
+      require_report 'tabs'
+      Brakeman::Report::Tabs
+    when :to_hash
+      require_report 'hash'
+      Brakeman::Report::Hash
+    when :to_markdown
+      return self.to_markdown
+    when :to_s
+      return self.to_s
+    when :to_pdf
+      raise "PDF output is not yet supported."
+    else
+      raise "Invalid format: #{format}. Should be one of #{VALID_FORMATS.inspect}"
+    end
+
+    generate(reporter)
+  end
+
+  def method_missing method, *args
+    if VALID_FORMATS.include? method
+      format method
+    else
+      super
+    end
+  end
+
+  def require_report type
+    require "brakeman/report/report_#{type}"
+  end
+
+  def to_json
+    require_report 'json'
+    generate Brakeman::Report::JSON
+  end
+
+  def to_s
+    require_report 'table'
+    generate Brakeman::Report::Table
+  end
+
+  def to_markdown
+    require_report 'markdown'
+    generate Brakeman::Report::Markdown
+  end
+
+  def generate reporter
+    reporter.new(@app_tree, @tracker).generate_report
+  end
+end

data/lib/brakeman/report/config/remediation.yml

@@ -0,0 +1,71 @@
+---
+basic_auth_password: 300000
+cross_site_scripting: 300000
+xss_content_tag: 300000
+CVE_2014_3514_call: 600000
+all_default_routes: 2000000
+unsafe_deserialize: 2000000
+local_request_config: 100000
+CVE_2012_3424: 4000000
+CVE_2011_2932: 8000000
+code_eval: 2000000
+command_injection: 2000000
+file_access: 2000000
+CVE_2014_7829: 4000000
+CVE_2011_2929: 4000000
+csrf_protection_disabled: 4000000
+CVE_2013_6414: 4000000
+CVE_2013_4491: 4000000
+CVE_2013_1856: 4000000
+CVE_2015_3226: 4000000
+CVE_2013_0333: 4000000
+xss_link_to: 300000
+xss_link_to_href: 300000
+CVE_2011_0446: 300000
+mass_assign_call: 2000000
+dangerous_attr_accessible: 2000000
+no_attr_accessible: 2000000
+CVE_2013_0277: 2000000
+CVE_2010_3933: 4000000
+CVE_2014_0081: 300000
+CVE_2011_2930: 600000
+open_redirect: 300000
+regex_dos: 600000
+dynamic_render_path: 4000000
+CVE_2014_0082: 4000000
+cross_site_scripting_inline: 600000
+CVE_2011_3186: 2000000
+safe_buffer_vuln: 4000000
+CVE_2013_1855: 4000000
+CVE_2013_1857: 4000000
+CVE_2012_3463: 600000
+select_options_vuln: 4000000
+dangerous_send: 600000
+session_key_manipulation: 600000
+http_cookies: 600000
+session_secret: 600000
+secure_cookies: 600000
+CVE_2013_6416: 600000
+CVE_2012_3464: 4000000
+csrf_blacklist: 300000
+auth_blacklist: 300000
+sql_injection: 1200000
+CVE-2012-2660: 4000000
+CVE-2012-2661: 4000000
+CVE-2012-2695: 4000000
+CVE-2012-5664: 4000000
+CVE-2013-0155: 4000000
+CVE-2013-6417: 4000000
+CVE-2014-3482: 4000000
+CVE-2014-3483: 4000000
+ssl_verification_bypass: 2500000
+CVE_2011_2931: 4000000
+unsafe_symbol_creation: 300000
+translate_vuln: 300000
+unsafe_constantize: 600000
+unscoped_find: 300000
+validation_regex: 300000
+mass_assign_without_protection: 600000
+CVE_2015_3227: 4000000
+CVE_2013_0156: 4000000
+weak_hash_digest: 800000

data/lib/brakeman/report/ignore/config.rb

@@ -0,0 +1,135 @@
+require 'set'
+require 'json'
+
+module Brakeman
+  class IgnoreConfig
+    attr_reader :shown_warnings, :ignored_warnings
+    attr_accessor :file
+
+    def initialize file, new_warnings
+      @file = file
+      @new_warnings = new_warnings
+      @already_ignored = []
+      @ignored_fingerprints = Set.new
+      @notes = {}
+      @shown_warnings = @ignored_warnings = nil
+      @changed = false
+    end
+
+    # Populate ignored_warnings and shown_warnings based on ignore
+    # configuration
+    def filter_ignored
+      @shown_warnings = []
+      @ignored_warnings = []
+
+      @new_warnings.each do |w|
+        if ignored? w
+          @ignored_warnings << w
+        else
+          @shown_warnings << w
+        end
+      end
+
+      @shown_warnings
+    end
+
+    # Remove warning from ignored list
+    def unignore warning
+      @ignored_fingerprints.delete warning.fingerprint
+      if @already_ignored.reject! { |w|w[:fingerprint] == warning.fingerprint }
+        @changed = true
+      end
+    end
+
+    # Determine if warning should be ignored
+    def ignored? warning
+      @ignored_fingerprints.include? warning.fingerprint
+    end
+
+    def ignore warning
+      @changed = true unless ignored? warning
+      @ignored_fingerprints << warning.fingerprint
+    end
+
+    # Add note for warning
+    def add_note warning, note
+      @changed = true
+      @notes[warning.fingerprint] = note
+    end
+
+    # Retrieve note for warning if it exists. Returns nil if no
+    # note is found
+    def note_for warning
+      if warning.is_a? Warning
+        fingerprint = warning.fingerprint
+      else
+        fingerprint = warning[:fingerprint]
+      end
+
+      @already_ignored.each do |w|
+        if fingerprint == w[:fingerprint]
+          return w[:note]
+        end
+      end
+
+      nil
+    end
+
+    # Read configuration to file
+    def read_from_file file = @file
+      if File.exist? file
+        @already_ignored = JSON.parse(File.read(file), :symbolize_names => true)[:ignored_warnings]
+      else
+        Brakeman.notify "[Notice] Could not find ignore configuration in #{file}"
+        @already_ignored = []
+      end
+
+      @already_ignored.each do |w|
+        @ignored_fingerprints << w[:fingerprint]
+        @notes[w[:fingerprint]] = w[:note]
+      end
+    end
+
+    # Save configuration to file
+    def save_to_file warnings, file = @file
+      warnings = warnings.map do |w|
+        if w.is_a? Warning
+          w_hash = w.to_hash
+          w_hash[:file] = w.relative_path
+          w = w_hash
+        end
+
+        w[:note] = @notes[w[:fingerprint]] || ""
+        w
+      end.sort_by { |w| w[:fingerprint] }
+
+      output = {
+        :ignored_warnings => warnings,
+        :updated => Time.now.to_s,
+        :brakeman_version => Brakeman::Version
+      }
+
+      File.open file, "w" do |f|
+        f.puts JSON.pretty_generate(output)
+      end
+    end
+
+    # Save old ignored warnings and newly ignored ones
+    def save_with_old
+      warnings = @ignored_warnings.dup
+
+      # Only add ignored warnings not already ignored
+      @already_ignored.each do |w|
+        fingerprint = w[:fingerprint]
+
+        unless @ignored_warnings.find { |ignored_warning| ignored_warning.fingerprint == fingerprint }
+          warnings << w
+        end
+      end
+
+      if @changed
+        save_to_file warnings
+      end
+    end
+  end
+end