brakeman-lib 3.3.1

data/lib/brakeman/checks/check_quote_table_name.rb

@@ -0,0 +1,40 @@
+require 'brakeman/checks/base_check'
+
+#Check for uses of quote_table_name in Rails versions before 2.3.13 and 3.0.10
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6a1e473744bc389b
+class Brakeman::CheckQuoteTableName < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for quote_table_name vulnerability in versions before 2.3.14 and 3.0.10"
+
+  def run_check
+    if (version_between?('2.0.0', '2.3.13') or 
+        version_between?('3.0.0', '3.0.9'))
+
+      if uses_quote_table_name?
+        confidence = CONFIDENCE[:high]
+      else
+        confidence = CONFIDENCE[:med]
+      end
+
+      if rails_version =~ /^3/
+        message = "Versions before 3.0.10 have a vulnerability in quote_table_name: CVE-2011-2930"
+      else
+        message = "Versions before 2.3.14 have a vulnerability in quote_table_name: CVE-2011-2930"
+      end
+
+      warn :warning_type => "SQL Injection",
+        :warning_code => :CVE_2011_2930,
+        :message => message,
+        :confidence => confidence,
+        :gem_info => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/ah5HN0S8OJs/discussion"
+    end
+  end
+
+  def uses_quote_table_name?
+    Brakeman.debug "Finding calls to quote_table_name()"
+
+    not tracker.find_call(:target => false, :method => :quote_table_name).empty?
+  end
+end

data/lib/brakeman/checks/check_redirect.rb

@@ -0,0 +1,215 @@
+require 'brakeman/checks/base_check'
+
+#Reports any calls to +redirect_to+ which include parameters in the arguments.
+#
+#For example:
+#
+# redirect_to params.merge(:action => :elsewhere)
+class Brakeman::CheckRedirect < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Looks for calls to redirect_to with user input as arguments"
+
+  def run_check
+    Brakeman.debug "Finding calls to redirect_to()"
+
+    @model_find_calls = Set[:all, :create, :create!, :find, :find_by_sql, :first, :last, :new]
+
+    if tracker.options[:rails3]
+      @model_find_calls.merge [:from, :group, :having, :joins, :lock, :order, :reorder, :select, :where]
+    end
+
+    if version_between? "4.0.0", "9.9.9"
+      @model_find_calls.merge [:find_by, :find_by!, :take]
+    end
+
+    @tracker.find_call(:target => false, :method => :redirect_to).each do |res|
+      process_result res
+    end
+  end
+
+  def process_result result
+    return if duplicate? result
+
+    call = result[:call]
+
+    method = call.method
+
+    if method == :redirect_to and
+        not only_path?(call) and
+        not explicit_host?(call.first_arg) and
+        not slice_call?(call.first_arg) and
+        res = include_user_input?(call)
+
+      add_result result
+
+      if res.type == :immediate
+        confidence = CONFIDENCE[:high]
+      else
+        confidence = CONFIDENCE[:low]
+      end
+
+      warn :result => result,
+        :warning_type => "Redirect",
+        :warning_code => :open_redirect,
+        :message => "Possible unprotected redirect",
+        :code => call,
+        :user_input => res,
+        :confidence => confidence
+    end
+  end
+
+  #Custom check for user input. First looks to see if the user input
+  #is being output directly. This is necessary because of tracker.options[:check_arguments]
+  #which can be used to enable/disable reporting output of method calls which use
+  #user input as arguments.
+  def include_user_input? call, immediate = :immediate
+    Brakeman.debug "Checking if call includes user input"
+
+    arg = call.first_arg
+
+    # if the first argument is an array, rails assumes you are building a
+    # polymorphic route, which will never jump off-host
+    return false if array? arg
+
+    if tracker.options[:ignore_redirect_to_model]
+      if model_instance?(arg) or decorated_model?(arg)
+        return false
+      end
+    end
+
+    if res = has_immediate_model?(arg)
+      return Match.new(immediate, res)
+    elsif call? arg
+      if request_value? arg
+        return Match.new(immediate, arg)
+      elsif request_value? arg.target
+        return Match.new(immediate, arg.target)
+      elsif arg.method == :url_for and include_user_input? arg
+        return Match.new(immediate, arg)
+        #Ignore helpers like some_model_url?
+      elsif arg.method.to_s =~ /_(url|path)\z/
+        return false
+      end
+    elsif request_value? arg
+      return Match.new(immediate, arg)
+    end
+
+    if tracker.options[:check_arguments] and call? arg
+      include_user_input? arg, false  #I'm doubting if this is really necessary...
+    else
+      false
+    end
+  end
+
+  #Checks +redirect_to+ arguments for +only_path => true+ which essentially
+  #nullifies the danger posed by redirecting with user input
+  def only_path? call
+    arg = call.first_arg
+
+    if hash? arg
+      if value = hash_access(arg, :only_path)
+        return true if true?(value)
+      end
+    elsif call? arg and arg.method == :url_for
+      return check_url_for(arg)
+    end
+
+    false
+  end
+
+  def explicit_host? arg
+    return unless sexp? arg
+
+    if hash? arg
+      if value = hash_access(arg, :host)
+        return !has_immediate_user_input?(value)
+      end
+    elsif call? arg
+      target = arg.target
+
+      if hash? target and value = hash_access(target, :host)
+        return !has_immediate_user_input?(value)
+      elsif call? arg
+        return explicit_host? target
+      end
+    end
+
+    false
+  end
+
+  #+url_for+ is only_path => true by default. This checks to see if it is
+  #set to false for some reason.
+  def check_url_for call
+    arg = call.first_arg
+
+    if hash? arg
+      if value = hash_access(arg, :only_path)
+        return false if false?(value)
+      end
+    end
+
+    true
+  end
+
+  #Returns true if exp is (probably) a model instance
+  def model_instance? exp
+    if node_type? exp, :or
+      model_instance? exp.lhs or model_instance? exp.rhs
+    elsif call? exp
+      if model_target? exp and
+        (@model_find_calls.include? exp.method or exp.method.to_s.match(/^find_by_/))
+        true
+      else
+        association?(exp.target, exp.method)
+      end
+    end
+  end
+
+  def model_target? exp
+    return false unless call? exp
+    model_name? exp.target or
+    friendly_model? exp.target or
+    model_target? exp.target
+  end
+
+  #Returns true if exp is (probably) a friendly model instance
+  #using the FriendlyId gem
+  def friendly_model? exp
+    call? exp and model_name? exp.target and exp.method == :friendly
+  end
+  
+  #Returns true if exp is (probably) a decorated model instance
+  #using the Draper gem
+  def decorated_model? exp
+    if node_type? exp, :or
+      decorated_model? exp.lhs or decorated_model? exp.rhs
+    else
+      tracker.config.has_gem? :draper and
+      call? exp and
+      node_type?(exp.target, :const) and
+      exp.target.value.to_s.match(/Decorator$/) and
+      exp.method == :decorate
+    end
+  end
+
+  #Check if method is actually an association in a Model
+  def association? model_name, meth
+    if call? model_name
+      return association? model_name.target, meth
+    elsif model_name? model_name
+      model = tracker.models[class_name(model_name)]
+    else
+      return false
+    end
+
+    return false unless model
+
+    model.association? meth
+  end
+
+  def slice_call? exp
+    return unless call? exp
+    exp.method == :slice
+  end
+end

data/lib/brakeman/checks/check_regex_dos.rb

@@ -0,0 +1,69 @@
+require 'brakeman/checks/base_check'
+
+#This check looks for regexes that include user input.
+class Brakeman::CheckRegexDoS < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  ESCAPES = {
+    s(:const, :Regexp) => [
+      :escape,
+      :quote
+    ]
+  }
+
+  @description = "Searches regexes including user input"
+
+  #Process calls
+  def run_check
+    Brakeman.debug "Finding dynamic regexes"
+    calls = tracker.find_call :method => [:brakeman_regex_interp]
+
+    Brakeman.debug "Processing dynamic regexes"
+    calls.each do |call|
+      process_result call
+    end
+  end
+
+  #Warns if regex includes user input
+  def process_result result
+    return if duplicate? result or result[:call].original_line
+    add_result result
+
+    call = result[:call]
+    components = call[1..-1]
+
+    components.any? do |component|
+      next unless sexp? component
+
+      if match = has_immediate_user_input?(component)
+        confidence = CONFIDENCE[:high]
+      elsif match = has_immediate_model?(component)
+        match = Match.new(:model, match)
+        confidence = CONFIDENCE[:med]
+      elsif match = include_user_input?(component)
+        confidence = CONFIDENCE[:low]
+      end
+
+      if match
+        message = "#{friendly_type_of(match).capitalize} used in regex"
+
+        warn :result => result,
+          :warning_type => "Denial of Service",
+          :warning_code => :regex_dos,
+          :message => message,
+          :confidence => confidence,
+          :user_input => match
+      end
+    end
+  end
+
+  def process_call(exp)
+    if escape_methods = ESCAPES[exp.target]
+      if escape_methods.include? exp.method
+        return exp
+      end
+    end
+
+    super
+  end
+end

data/lib/brakeman/checks/check_render.rb

@@ -0,0 +1,92 @@
+require 'brakeman/checks/base_check'
+
+#Check calls to +render()+ for dangerous values
+class Brakeman::CheckRender < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Finds calls to render that might allow file access or code execution"
+
+  def run_check
+    tracker.find_call(:target => nil, :method => :render).each do |result|
+      process_render_result result
+    end
+  end
+
+  def process_render_result result
+    return unless node_type? result[:call], :render
+
+    case result[:call].render_type
+    when :partial, :template, :action, :file
+      check_for_rce(result) or
+        check_for_dynamic_path(result)
+    when :inline
+    when :js
+    when :json
+    when :text
+    when :update
+    when :xml
+    end
+  end
+
+  #Check if path to action or file is determined dynamically
+  def check_for_dynamic_path result
+    view = result[:call][2]
+
+    if sexp? view and not duplicate? result
+      add_result result
+
+      if input = has_immediate_user_input?(view)
+        if string_interp? view
+          confidence = CONFIDENCE[:med]
+        else
+          confidence = CONFIDENCE[:high]
+        end
+      elsif input = include_user_input?(view)
+        confidence = CONFIDENCE[:low]
+      else
+        return
+      end
+
+      return if input.type == :model #skip models
+      return if safe_param? input.match
+
+      message = "Render path contains #{friendly_type_of input}"
+
+      warn :result => result,
+        :warning_type => "Dynamic Render Path",
+        :warning_code => :dynamic_render_path,
+        :message => message,
+        :user_input => input,
+        :confidence => confidence
+    end
+  end
+
+  def check_for_rce result
+    return unless version_between? "0.0.0", "3.2.22" or
+                  version_between? "4.0.0", "4.1.14" or
+                  version_between? "4.2.0", "4.2.5"
+
+
+    view = result[:call][2]
+    if sexp? view and not duplicate? result
+      if params? view
+        add_result result
+        return if safe_param? view
+
+        warn :result => result,
+          :warning_type => "Remote Code Execution",
+          :warning_code => :dynamic_render_path_rce,
+          :message => "Passing query parameters to render() is vulnerable in Rails #{rails_version} (CVE-2016-0752)",
+          :user_input => view,
+          :confidence => CONFIDENCE[:high]
+      end
+    end
+  end
+
+  def safe_param? exp
+    if params? exp and call? exp and exp.method == :[]
+      arg = exp.first_arg
+      symbol? arg and [:controller, :action].include? arg.value
+    end
+  end
+end 

data/lib/brakeman/checks/check_render_dos.rb

@@ -0,0 +1,37 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckRenderDoS < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Warn about denial of service with render :text (CVE-2014-0082)"
+
+  def run_check
+    if version_between? "3.0.0", "3.0.20" or
+       version_between? "3.1.0", "3.1.12" or
+       version_between? "3.2.0", "3.2.16"
+
+      tracker.find_call(:target => nil, :method => :render).each do |result|
+        if text_render? result
+          warn_about_text_render
+          break
+        end
+      end
+    end
+  end
+
+  def text_render? result
+    node_type? result[:call], :render and
+    result[:call].render_type == :text
+  end
+
+  def warn_about_text_render
+    message = "Rails #{rails_version} has a denial of service vulnerability (CVE-2014-0082). Upgrade to Rails version 3.2.17"
+
+    warn :warning_type => "Denial of Service",
+      :warning_code => :CVE_2014_0082,
+      :message => message,
+      :confidence => CONFIDENCE[:high],
+      :link_path => "https://groups.google.com/d/msg/rubyonrails-security/LMxO_3_eCuc/ozGBEhKaJbIJ",
+      :gem_info => gemfile_or_environment
+  end
+end