RubyGems - brakeman-lib - Versions diffs - 3.3.1 - Mend

brakeman-lib 3.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (159) hide show

checksums.yaml +7 -0
data/CHANGES +872 -0
data/FEATURES +16 -0
data/README.md +169 -0
data/WARNING_TYPES +95 -0
data/bin/brakeman +89 -0
data/lib/brakeman.rb +495 -0
data/lib/brakeman/app_tree.rb +161 -0
data/lib/brakeman/brakeman.rake +17 -0
data/lib/brakeman/call_index.rb +219 -0
data/lib/brakeman/checks.rb +191 -0
data/lib/brakeman/checks/base_check.rb +518 -0
data/lib/brakeman/checks/check_basic_auth.rb +88 -0
data/lib/brakeman/checks/check_basic_auth_timing_attack.rb +33 -0
data/lib/brakeman/checks/check_content_tag.rb +160 -0
data/lib/brakeman/checks/check_create_with.rb +75 -0
data/lib/brakeman/checks/check_cross_site_scripting.rb +385 -0
data/lib/brakeman/checks/check_default_routes.rb +86 -0
data/lib/brakeman/checks/check_deserialize.rb +57 -0
data/lib/brakeman/checks/check_detailed_exceptions.rb +55 -0
data/lib/brakeman/checks/check_digest_dos.rb +38 -0
data/lib/brakeman/checks/check_dynamic_finders.rb +49 -0
data/lib/brakeman/checks/check_escape_function.rb +21 -0
data/lib/brakeman/checks/check_evaluation.rb +36 -0
data/lib/brakeman/checks/check_execute.rb +167 -0
data/lib/brakeman/checks/check_file_access.rb +63 -0
data/lib/brakeman/checks/check_file_disclosure.rb +35 -0
data/lib/brakeman/checks/check_filter_skipping.rb +31 -0
data/lib/brakeman/checks/check_forgery_setting.rb +74 -0
data/lib/brakeman/checks/check_header_dos.rb +31 -0
data/lib/brakeman/checks/check_i18n_xss.rb +48 -0
data/lib/brakeman/checks/check_jruby_xml.rb +38 -0
data/lib/brakeman/checks/check_json_encoding.rb +47 -0
data/lib/brakeman/checks/check_json_parsing.rb +107 -0
data/lib/brakeman/checks/check_link_to.rb +132 -0
data/lib/brakeman/checks/check_link_to_href.rb +115 -0
data/lib/brakeman/checks/check_mail_to.rb +49 -0
data/lib/brakeman/checks/check_mass_assignment.rb +198 -0
data/lib/brakeman/checks/check_mime_type_dos.rb +39 -0
data/lib/brakeman/checks/check_model_attr_accessible.rb +55 -0
data/lib/brakeman/checks/check_model_attributes.rb +119 -0
data/lib/brakeman/checks/check_model_serialize.rb +67 -0
data/lib/brakeman/checks/check_nested_attributes.rb +38 -0
data/lib/brakeman/checks/check_nested_attributes_bypass.rb +58 -0
data/lib/brakeman/checks/check_number_to_currency.rb +74 -0
data/lib/brakeman/checks/check_quote_table_name.rb +40 -0
data/lib/brakeman/checks/check_redirect.rb +215 -0
data/lib/brakeman/checks/check_regex_dos.rb +69 -0
data/lib/brakeman/checks/check_render.rb +92 -0
data/lib/brakeman/checks/check_render_dos.rb +37 -0
data/lib/brakeman/checks/check_render_inline.rb +54 -0
data/lib/brakeman/checks/check_response_splitting.rb +21 -0
data/lib/brakeman/checks/check_route_dos.rb +42 -0
data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +31 -0
data/lib/brakeman/checks/check_sanitize_methods.rb +79 -0
data/lib/brakeman/checks/check_secrets.rb +40 -0
data/lib/brakeman/checks/check_select_tag.rb +60 -0
data/lib/brakeman/checks/check_select_vulnerability.rb +60 -0
data/lib/brakeman/checks/check_send.rb +48 -0
data/lib/brakeman/checks/check_send_file.rb +19 -0
data/lib/brakeman/checks/check_session_manipulation.rb +36 -0
data/lib/brakeman/checks/check_session_settings.rb +170 -0
data/lib/brakeman/checks/check_simple_format.rb +59 -0
data/lib/brakeman/checks/check_single_quotes.rb +101 -0
data/lib/brakeman/checks/check_skip_before_filter.rb +60 -0
data/lib/brakeman/checks/check_sql.rb +660 -0
data/lib/brakeman/checks/check_sql_cves.rb +101 -0
data/lib/brakeman/checks/check_ssl_verify.rb +49 -0
data/lib/brakeman/checks/check_strip_tags.rb +89 -0
data/lib/brakeman/checks/check_symbol_dos.rb +64 -0
data/lib/brakeman/checks/check_symbol_dos_cve.rb +30 -0
data/lib/brakeman/checks/check_translate_bug.rb +45 -0
data/lib/brakeman/checks/check_unsafe_reflection.rb +51 -0
data/lib/brakeman/checks/check_unscoped_find.rb +41 -0
data/lib/brakeman/checks/check_validation_regex.rb +116 -0
data/lib/brakeman/checks/check_weak_hash.rb +151 -0
data/lib/brakeman/checks/check_without_protection.rb +80 -0
data/lib/brakeman/checks/check_xml_dos.rb +51 -0
data/lib/brakeman/checks/check_yaml_parsing.rb +121 -0
data/lib/brakeman/differ.rb +66 -0
data/lib/brakeman/file_parser.rb +50 -0
data/lib/brakeman/format/style.css +133 -0
data/lib/brakeman/options.rb +301 -0
data/lib/brakeman/parsers/rails2_erubis.rb +6 -0
data/lib/brakeman/parsers/rails2_xss_plugin_erubis.rb +48 -0
data/lib/brakeman/parsers/rails3_erubis.rb +74 -0
data/lib/brakeman/parsers/template_parser.rb +89 -0
data/lib/brakeman/processor.rb +102 -0
data/lib/brakeman/processors/alias_processor.rb +1013 -0
data/lib/brakeman/processors/base_processor.rb +277 -0
data/lib/brakeman/processors/config_processor.rb +14 -0
data/lib/brakeman/processors/controller_alias_processor.rb +273 -0
data/lib/brakeman/processors/controller_processor.rb +326 -0
data/lib/brakeman/processors/erb_template_processor.rb +80 -0
data/lib/brakeman/processors/erubis_template_processor.rb +104 -0
data/lib/brakeman/processors/gem_processor.rb +57 -0
data/lib/brakeman/processors/haml_template_processor.rb +190 -0
data/lib/brakeman/processors/lib/basic_processor.rb +37 -0
data/lib/brakeman/processors/lib/find_all_calls.rb +223 -0
data/lib/brakeman/processors/lib/find_call.rb +183 -0
data/lib/brakeman/processors/lib/find_return_value.rb +134 -0
data/lib/brakeman/processors/lib/processor_helper.rb +75 -0
data/lib/brakeman/processors/lib/rails2_config_processor.rb +145 -0
data/lib/brakeman/processors/lib/rails2_route_processor.rb +313 -0
data/lib/brakeman/processors/lib/rails3_config_processor.rb +132 -0
data/lib/brakeman/processors/lib/rails3_route_processor.rb +308 -0
data/lib/brakeman/processors/lib/render_helper.rb +181 -0
data/lib/brakeman/processors/lib/render_path.rb +107 -0
data/lib/brakeman/processors/lib/route_helper.rb +68 -0
data/lib/brakeman/processors/lib/safe_call_helper.rb +16 -0
data/lib/brakeman/processors/library_processor.rb +119 -0
data/lib/brakeman/processors/model_processor.rb +191 -0
data/lib/brakeman/processors/output_processor.rb +171 -0
data/lib/brakeman/processors/route_processor.rb +17 -0
data/lib/brakeman/processors/slim_template_processor.rb +107 -0
data/lib/brakeman/processors/template_alias_processor.rb +116 -0
data/lib/brakeman/processors/template_processor.rb +74 -0
data/lib/brakeman/report.rb +78 -0
data/lib/brakeman/report/config/remediation.yml +71 -0
data/lib/brakeman/report/ignore/config.rb +135 -0
data/lib/brakeman/report/ignore/interactive.rb +311 -0
data/lib/brakeman/report/renderer.rb +24 -0
data/lib/brakeman/report/report_base.rb +286 -0
data/lib/brakeman/report/report_codeclimate.rb +70 -0
data/lib/brakeman/report/report_csv.rb +55 -0
data/lib/brakeman/report/report_hash.rb +23 -0
data/lib/brakeman/report/report_html.rb +216 -0
data/lib/brakeman/report/report_json.rb +42 -0
data/lib/brakeman/report/report_markdown.rb +156 -0
data/lib/brakeman/report/report_table.rb +107 -0
data/lib/brakeman/report/report_tabs.rb +17 -0
data/lib/brakeman/report/templates/controller_overview.html.erb +22 -0
data/lib/brakeman/report/templates/controller_warnings.html.erb +21 -0
data/lib/brakeman/report/templates/error_overview.html.erb +29 -0
data/lib/brakeman/report/templates/header.html.erb +58 -0
data/lib/brakeman/report/templates/ignored_warnings.html.erb +25 -0
data/lib/brakeman/report/templates/model_warnings.html.erb +21 -0
data/lib/brakeman/report/templates/overview.html.erb +38 -0
data/lib/brakeman/report/templates/security_warnings.html.erb +23 -0
data/lib/brakeman/report/templates/template_overview.html.erb +21 -0
data/lib/brakeman/report/templates/view_warnings.html.erb +34 -0
data/lib/brakeman/report/templates/warning_overview.html.erb +17 -0
data/lib/brakeman/rescanner.rb +483 -0
data/lib/brakeman/scanner.rb +317 -0
data/lib/brakeman/tracker.rb +347 -0
data/lib/brakeman/tracker/collection.rb +93 -0
data/lib/brakeman/tracker/config.rb +101 -0
data/lib/brakeman/tracker/constants.rb +101 -0
data/lib/brakeman/tracker/controller.rb +161 -0
data/lib/brakeman/tracker/library.rb +17 -0
data/lib/brakeman/tracker/model.rb +90 -0
data/lib/brakeman/tracker/template.rb +33 -0
data/lib/brakeman/util.rb +481 -0
data/lib/brakeman/version.rb +3 -0
data/lib/brakeman/warning.rb +255 -0
data/lib/brakeman/warning_codes.rb +111 -0
data/lib/ruby_parser/bm_sexp.rb +610 -0
data/lib/ruby_parser/bm_sexp_processor.rb +116 -0
metadata +362 -0

data/lib/brakeman/processors/template_alias_processor.rb ADDED

@@ -0,0 +1,116 @@
+require 'set'
+require 'brakeman/processors/alias_processor'
+require 'brakeman/processors/lib/render_helper'
+require 'brakeman/processors/lib/render_path'
+require 'brakeman/tracker'
+#Processes aliasing in templates.
+#Handles calls to +render+.
+class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
+  include Brakeman::RenderHelper
+  FORM_METHODS = Set[:form_for, :remote_form_for, :form_remote_for]
+  def initialize tracker, template, called_from = nil
+    super tracker
+    @template = template
+    @called_from = called_from
+  end
+  #Process template
+  def process_template name, args, _, line = nil, file_name = nil
+    @file_name = file_name || relative_path(@template.file || @tracker.templates[@template.name])
+    if @called_from
+      if @called_from.include_template? name
+        Brakeman.debug "Skipping circular render from #{@template.name} to #{name}"
+        return
+      end
+      super name, args, @called_from.dup.add_template_render(@template.name, line, @file_name)
+    else
+      super name, args, Brakeman::RenderPath.new.add_template_render(@template.name, line, @file_name)
+    end
+  end
+  #Determine template name
+  def template_name name
+    if !name.to_s.include?('/') && @template.name.to_s.include?('/')
+      name = "#{@template.name.to_s.match(/^(.*\/).*$/)[1]}#{name}"
+    end
+    name
+  end
+  UNKNOWN_MODEL_CALL = Sexp.new(:call, Sexp.new(:const, Brakeman::Tracker::UNKNOWN_MODEL), :new)
+  FORM_BUILDER_CALL = Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new)
+  #Looks for form methods and iterating over collections of Models
+  def process_iter exp
+    process_default exp
+    call = exp.block_call
+    if call? call
+      target = call.target
+      method = call.method
+      arg = exp.block_args.first_param
+      block = exp.block
+      #Check for e.g. Model.find.each do ... end
+      if method == :each and arg and block and model = get_model_target(target)
+        if arg.is_a? Symbol
+          if model == target.target
+            env[Sexp.new(:lvar, arg)] = Sexp.new(:call, model, :new)
+          else
+            env[Sexp.new(:lvar, arg)] = UNKNOWN_MODEL_CALL
+          end
+          process block if sexp? block
+        end
+      elsif FORM_METHODS.include? method
+        if arg.is_a? Symbol
+          env[Sexp.new(:lvar, arg)] = FORM_BUILDER_CALL
+          process block if sexp? block
+        end
+      end
+    end
+    exp
+  end
+  #Checks if +exp+ is a call to Model.all or Model.find*
+  def get_model_target exp
+    if call? exp
+      target = exp.target
+      if exp.method == :all or exp.method.to_s[0,4] == "find"
+        models = Set.new @tracker.models.keys
+        name = class_name target
+        return target if models.include?(name)
+      end
+      return get_model_target(target)
+    end
+    false
+  end
+  #Ignore `<<` calls on template variables which are used by the templating
+  #library (HAML, ERB, etc.)
+  def find_push_target exp
+    if sexp? exp
+      if exp.node_type == :lvar and (exp.value == :_buf or exp.value == :_erbout)
+        return nil
+      elsif exp.node_type == :ivar and exp.value == :@output_buffer
+        return nil
+      elsif exp.node_type == :call and call? exp.target and
+        exp.target.method == :_hamlout and exp.method == :buffer
+        return nil
+      end
+    end
+    super
+  end
+end

data/lib/brakeman/processors/template_processor.rb ADDED

@@ -0,0 +1,74 @@
+require 'brakeman/processors/base_processor'
+require 'brakeman/tracker/template'
+#Base Processor for templates/views
+class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
+  #Initializes template information.
+  def initialize tracker, template_name, called_from = nil, file_name = nil
+    super(tracker)
+    @current_template = Brakeman::Template.new template_name, called_from, file_name, tracker
+    @file_name = file_name
+    if called_from
+      template_name = (template_name.to_s + "." + called_from.to_s).to_sym
+    end
+    tracker.templates[template_name] = @current_template
+    @inside_concat = false
+  end
+  #Process the template Sexp.
+  def process exp
+    begin
+      super
+    rescue => e
+      except = e.exception("Error when processing #{@current_template.name}: #{e.message}")
+      except.set_backtrace(e.backtrace)
+      raise except
+    end
+  end
+  #Ignore initial variable assignment
+  def process_lasgn exp
+    if exp.lhs == :_erbout and exp.rhs.node_type == :str  #ignore
+      ignore
+    elsif exp.lhs == :_buf and exp.rhs.node_type == :str
+      ignore
+    else
+      exp.rhs = process exp.rhs
+      exp
+    end
+  end
+  #Adds output to the list of outputs.
+  def process_output exp
+    exp.value = process exp.value
+    @current_template.add_output exp unless exp.original_line
+    exp
+  end
+  def process_escaped_output exp
+    process_output exp
+  end
+  # Pull out actual output value from template
+  def normalize_output arg
+    if call? arg and [:to_s, :html_safe!, :freeze].include? arg.method
+      arg.target
+    elsif node_type? arg, :if
+      branches = [arg.then_clause, arg.else_clause].compact
+      if branches.empty?
+        s(:nil)
+      elsif branches.length == 2
+        Sexp.new(:or, *branches)
+      else
+        branches.first
+      end
+    else
+      arg
+    end
+  end
+end

data/lib/brakeman/report.rb ADDED

@@ -0,0 +1,78 @@
+require 'brakeman/report/report_base'
+#Generates a report based on the Tracker and the results of
+#Tracker#run_checks. Be sure to +run_checks+ before generating
+#a report.
+class Brakeman::Report
+  attr_reader :tracker
+  VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate]
+  def initialize app_tree, tracker
+    @app_tree = app_tree
+    @tracker = tracker
+  end
+  def format format
+    reporter = case format
+    when :to_codeclimate
+      require_report 'codeclimate'
+      Brakeman::Report::CodeClimate
+    when :to_csv
+      require_report 'csv'
+      Brakeman::Report::CSV
+    when :to_html
+      require_report 'html'
+      Brakeman::Report::HTML
+    when :to_json
+      return self.to_json
+    when :to_tabs
+      require_report 'tabs'
+      Brakeman::Report::Tabs
+    when :to_hash
+      require_report 'hash'
+      Brakeman::Report::Hash
+    when :to_markdown
+      return self.to_markdown
+    when :to_s
+      return self.to_s
+    when :to_pdf
+      raise "PDF output is not yet supported."
+    else
+      raise "Invalid format: #{format}. Should be one of #{VALID_FORMATS.inspect}"
+    end
+    generate(reporter)
+  end
+  def method_missing method, *args
+    if VALID_FORMATS.include? method
+      format method
+    else
+      super
+    end
+  end
+  def require_report type
+    require "brakeman/report/report_#{type}"
+  end
+  def to_json
+    require_report 'json'
+    generate Brakeman::Report::JSON
+  end
+  def to_s
+    require_report 'table'
+    generate Brakeman::Report::Table
+  end
+  def to_markdown
+    require_report 'markdown'
+    generate Brakeman::Report::Markdown
+  end
+  def generate reporter
+    reporter.new(@app_tree, @tracker).generate_report
+  end
+end

data/lib/brakeman/report/config/remediation.yml ADDED

@@ -0,0 +1,71 @@
+---
+basic_auth_password: 300000
+cross_site_scripting: 300000
+xss_content_tag: 300000
+CVE_2014_3514_call: 600000
+all_default_routes: 2000000
+unsafe_deserialize: 2000000
+local_request_config: 100000
+CVE_2012_3424: 4000000
+CVE_2011_2932: 8000000
+code_eval: 2000000
+command_injection: 2000000
+file_access: 2000000
+CVE_2014_7829: 4000000
+CVE_2011_2929: 4000000
+csrf_protection_disabled: 4000000
+CVE_2013_6414: 4000000
+CVE_2013_4491: 4000000
+CVE_2013_1856: 4000000
+CVE_2015_3226: 4000000
+CVE_2013_0333: 4000000
+xss_link_to: 300000
+xss_link_to_href: 300000
+CVE_2011_0446: 300000
+mass_assign_call: 2000000
+dangerous_attr_accessible: 2000000
+no_attr_accessible: 2000000
+CVE_2013_0277: 2000000
+CVE_2010_3933: 4000000
+CVE_2014_0081: 300000
+CVE_2011_2930: 600000
+open_redirect: 300000
+regex_dos: 600000
+dynamic_render_path: 4000000
+CVE_2014_0082: 4000000
+cross_site_scripting_inline: 600000
+CVE_2011_3186: 2000000
+safe_buffer_vuln: 4000000
+CVE_2013_1855: 4000000
+CVE_2013_1857: 4000000
+CVE_2012_3463: 600000
+select_options_vuln: 4000000
+dangerous_send: 600000
+session_key_manipulation: 600000
+http_cookies: 600000
+session_secret: 600000
+secure_cookies: 600000
+CVE_2013_6416: 600000
+CVE_2012_3464: 4000000
+csrf_blacklist: 300000
+auth_blacklist: 300000
+sql_injection: 1200000
+CVE-2012-2660: 4000000
+CVE-2012-2661: 4000000
+CVE-2012-2695: 4000000
+CVE-2012-5664: 4000000
+CVE-2013-0155: 4000000
+CVE-2013-6417: 4000000
+CVE-2014-3482: 4000000
+CVE-2014-3483: 4000000
+ssl_verification_bypass: 2500000
+CVE_2011_2931: 4000000
+unsafe_symbol_creation: 300000
+translate_vuln: 300000
+unsafe_constantize: 600000
+unscoped_find: 300000
+validation_regex: 300000
+mass_assign_without_protection: 600000
+CVE_2015_3227: 4000000
+CVE_2013_0156: 4000000
+weak_hash_digest: 800000

data/lib/brakeman/report/ignore/config.rb ADDED

@@ -0,0 +1,135 @@
+require 'set'
+require 'json'
+module Brakeman
+  class IgnoreConfig
+    attr_reader :shown_warnings, :ignored_warnings
+    attr_accessor :file
+    def initialize file, new_warnings
+      @file = file
+      @new_warnings = new_warnings
+      @already_ignored = []
+      @ignored_fingerprints = Set.new
+      @notes = {}
+      @shown_warnings = @ignored_warnings = nil
+      @changed = false
+    end
+    # Populate ignored_warnings and shown_warnings based on ignore
+    # configuration
+    def filter_ignored
+      @shown_warnings = []
+      @ignored_warnings = []
+      @new_warnings.each do |w|
+        if ignored? w
+          @ignored_warnings << w
+        else
+          @shown_warnings << w
+        end
+      end
+      @shown_warnings
+    end
+    # Remove warning from ignored list
+    def unignore warning
+      @ignored_fingerprints.delete warning.fingerprint
+      if @already_ignored.reject! { |w|w[:fingerprint] == warning.fingerprint }
+        @changed = true
+      end
+    end
+    # Determine if warning should be ignored
+    def ignored? warning
+      @ignored_fingerprints.include? warning.fingerprint
+    end
+    def ignore warning
+      @changed = true unless ignored? warning
+      @ignored_fingerprints << warning.fingerprint
+    end
+    # Add note for warning
+    def add_note warning, note
+      @changed = true
+      @notes[warning.fingerprint] = note
+    end
+    # Retrieve note for warning if it exists. Returns nil if no
+    # note is found
+    def note_for warning
+      if warning.is_a? Warning
+        fingerprint = warning.fingerprint
+      else
+        fingerprint = warning[:fingerprint]
+      end
+      @already_ignored.each do |w|
+        if fingerprint == w[:fingerprint]
+          return w[:note]
+        end
+      end
+      nil
+    end
+    # Read configuration to file
+    def read_from_file file = @file
+      if File.exist? file
+        @already_ignored = JSON.parse(File.read(file), :symbolize_names => true)[:ignored_warnings]
+      else
+        Brakeman.notify "[Notice] Could not find ignore configuration in #{file}"
+        @already_ignored = []
+      end
+      @already_ignored.each do |w|
+        @ignored_fingerprints << w[:fingerprint]
+        @notes[w[:fingerprint]] = w[:note]
+      end
+    end
+    # Save configuration to file
+    def save_to_file warnings, file = @file
+      warnings = warnings.map do |w|
+        if w.is_a? Warning
+          w_hash = w.to_hash
+          w_hash[:file] = w.relative_path
+          w = w_hash
+        end
+        w[:note] = @notes[w[:fingerprint]] || ""
+        w
+      end.sort_by { |w| w[:fingerprint] }
+      output = {
+        :ignored_warnings => warnings,
+        :updated => Time.now.to_s,
+        :brakeman_version => Brakeman::Version
+      }
+      File.open file, "w" do |f|
+        f.puts JSON.pretty_generate(output)
+      end
+    end
+    # Save old ignored warnings and newly ignored ones
+    def save_with_old
+      warnings = @ignored_warnings.dup
+      # Only add ignored warnings not already ignored
+      @already_ignored.each do |w|
+        fingerprint = w[:fingerprint]
+        unless @ignored_warnings.find { |ignored_warning| ignored_warning.fingerprint == fingerprint }
+          warnings << w
+        end
+      end
+      if @changed
+        save_to_file warnings
+      end
+    end
+  end
+end