brakeman-lib 3.3.1

data/lib/brakeman/checks/check_basic_auth.rb

@@ -0,0 +1,88 @@
+require 'brakeman/checks/base_check'
+
+#Checks if password is stored in controller
+#when using http_basic_authenticate_with
+#
+#Only for Rails >= 3.1
+class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for the use of http_basic_authenticate_with"
+
+  def run_check
+    return if version_between? "0.0.0", "3.0.99"
+
+    check_basic_auth_filter
+    check_basic_auth_request
+  end
+
+  def check_basic_auth_filter
+    controllers = tracker.controllers.select do |name, c|
+      c.options[:http_basic_authenticate_with]
+    end
+
+    Hash[controllers].each do |name, controller|
+      controller.options[:http_basic_authenticate_with].each do |call|
+
+        if pass = get_password(call) and string? pass
+          warn :controller => name,
+              :warning_type => "Basic Auth",
+              :warning_code => :basic_auth_password,
+              :message => "Basic authentication password stored in source code",
+              :code => call,
+              :confidence => 0,
+              :file => controller.file
+          break
+        end
+      end
+    end
+  end
+
+  # Look for
+  #  authenticate_or_request_with_http_basic do |username, password|
+  #    username == "foo" && password == "bar"
+  #  end
+  def check_basic_auth_request
+    tracker.find_call(:target => nil, :method => :authenticate_or_request_with_http_basic).each do |result|
+      if include_password_literal? result
+          warn :result => result,
+              :code => @include_password,
+              :warning_type => "Basic Auth",
+              :warning_code => :basic_auth_password,
+              :message => "Basic authentication password stored in source code",
+              :confidence => 0
+      end
+    end
+  end
+
+  # Check if the block of a result contains a comparison of password to string
+  def include_password_literal? result
+    @password_var = result[:block_args].last
+    @include_password = false
+    process result[:block]
+    @include_password
+  end
+
+  # Looks for :== calls on password var
+  def process_call exp
+    target = exp.target
+
+    if node_type?(target, :lvar) and
+      target.value == @password_var and
+      exp.method == :== and
+      string? exp.first_arg
+
+      @include_password = exp
+    end
+
+    exp
+  end
+
+  def get_password call
+    arg = call.first_arg
+
+    return false if arg.nil? or not hash? arg
+
+    hash_access(arg, :password)
+  end
+end

data/lib/brakeman/checks/check_basic_auth_timing_attack.rb

@@ -0,0 +1,33 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckBasicAuthTimingAttack < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Check for timing attack in basic auth (CVE-2015-7576)"
+
+  def run_check
+    @upgrade = case
+               when version_between?("0.0.0", "3.2.22")
+                 "3.2.22.1"
+               when version_between?("4.0.0", "4.1.14")
+                 "4.1.14.1"
+               when version_between?("4.2.0", "4.2.5")
+                 "4.2.5.1"
+               else
+                 return
+               end
+
+    check_basic_auth_call
+  end
+
+  def check_basic_auth_call
+    tracker.find_call(target: nil, method: :http_basic_authenticate_with).each do |result|
+      warn :result => result,
+        :warning_type => "Timing Attack",
+        :warning_code => :CVE_2015_7576,
+        :message => "Basic authentication in Rails #{rails_version} is vulnerable to timing attacks. Upgrade to #@upgrade",
+        :confidence => CONFIDENCE[:high],
+        :link => "https://groups.google.com/d/msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ"
+    end
+  end
+end

data/lib/brakeman/checks/check_content_tag.rb

@@ -0,0 +1,160 @@
+require 'brakeman/checks/check_cross_site_scripting'
+
+#Checks for unescaped values in `content_tag`
+#
+#    content_tag :tag, body
+#                       ^-- Unescaped in Rails 2.x
+#
+#    content_tag, :tag, body, attribute => value
+#                                ^-- Unescaped in all versions
+#
+#    content_tag, :tag, body, attribute => value
+#                                            ^
+#                                            |
+#            Escaped by default, can be explicitly escaped
+#            or not by passing in (true|false) as fourth argument
+class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
+  Brakeman::Checks.add self
+
+  @description = "Checks for XSS in calls to content_tag"
+
+  def run_check
+    @ignore_methods = Set[:button_to, :check_box, :escapeHTML, :escape_once,
+                           :field_field, :fields_for, :h, :hidden_field,
+                           :hidden_field, :hidden_field_tag, :image_tag, :label,
+                           :mail_to, :radio_button, :select,
+                           :submit_tag, :text_area, :text_field,
+                           :text_field_tag, :url_encode, :u, :url_for,
+                           :will_paginate].merge tracker.options[:safe_methods]
+
+    @known_dangerous = []
+    methods = tracker.find_call :target => false, :method => :content_tag
+
+    @models = tracker.models.keys
+    @inspect_arguments = tracker.options[:check_arguments]
+    @mark = nil
+
+    Brakeman.debug "Checking for XSS in content_tag"
+    methods.each do |call|
+      process_result call
+    end
+  end
+
+  def process_result result
+    return if duplicate? result
+
+    call = result[:call] = result[:call].dup
+
+    args = call.arglist
+
+    tag_name = args[1]
+    content = args[2]
+    attributes = args[3]
+    escape_attr = args[4]
+
+    @matched = false
+
+    #Silly, but still dangerous if someone uses user input in the tag type
+    check_argument result, tag_name
+
+    #Versions before 3.x do not escape body of tag, nor does the rails_xss gem
+    unless @matched or (tracker.options[:rails3] and not raw? content)
+      check_argument result, content
+    end
+
+    #Attribute keys are never escaped, so check them for user input
+    if not @matched and hash? attributes and not request_value? attributes
+      hash_iterate(attributes) do |k, v|
+        check_argument result, k
+        return if @matched
+      end
+    end
+
+    #By default, content_tag escapes attribute values passed in as a hash.
+    #But this behavior can be disabled. So only check attributes hash
+    #if they are explicitly not escaped.
+    if not @matched and attributes and false? escape_attr
+      if request_value? attributes or not hash? attributes
+        check_argument result, attributes
+      else #check hash values
+        hash_iterate(attributes) do |k, v|
+          check_argument result, v
+          return if @matched
+        end
+      end
+    end
+  end
+
+  def check_argument result, exp
+    #Check contents of raw() calls directly
+    if call? exp and exp.method == :raw
+      arg = process exp.first_arg
+    else
+      arg = process exp
+    end
+
+    if input = has_immediate_user_input?(arg)
+      message = "Unescaped #{friendly_type_of input} in content_tag"
+
+      add_result result
+
+      warn :result => result,
+        :warning_type => "Cross Site Scripting",
+        :warning_code => :xss_content_tag,
+        :message => message,
+        :user_input => input,
+        :confidence => CONFIDENCE[:high],
+        :link_path => "content_tag"
+
+    elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(arg)
+      unless IGNORE_MODEL_METHODS.include? match.method
+        add_result result
+
+        if likely_model_attribute? match
+          confidence = CONFIDENCE[:high]
+        else
+          confidence = CONFIDENCE[:med]
+        end
+
+        warn :result => result,
+          :warning_type => "Cross Site Scripting",
+          :warning_code => :xss_content_tag,
+          :message => "Unescaped model attribute in content_tag",
+          :user_input => match,
+          :confidence => confidence,
+          :link_path => "content_tag"
+      end
+
+    elsif @matched
+      return if @matched.type == :model and tracker.options[:ignore_model_output]
+
+      message = "Unescaped #{friendly_type_of @matched} in content_tag"
+
+      add_result result
+
+      warn :result => result,
+        :warning_type => "Cross Site Scripting",
+        :warning_code => :xss_content_tag,
+        :message => message,
+        :user_input => @matched,
+        :confidence => CONFIDENCE[:med],
+        :link_path => "content_tag"
+    end
+  end
+
+  def process_call exp
+    if @mark
+      actually_process_call exp
+    else
+      @mark = true
+      actually_process_call exp
+      @mark = false
+    end
+
+    exp
+  end
+
+  def raw? exp
+    call? exp and exp.method == :raw
+  end
+end

data/lib/brakeman/checks/check_create_with.rb

@@ -0,0 +1,75 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckCreateWith < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for strong params bypass in CVE-2014-3514"
+
+  def run_check
+    @warned = false
+
+    if version_between? "4.0.0", "4.0.8"
+      suggested_version = "4.0.9"
+    elsif version_between? "4.1.0", "4.1.4"
+      suggested_version = "4.1.5"
+    else
+      return
+    end
+
+    @message = "create_with is vulnerable to strong params bypass. Upgrade to Rails #{suggested_version} or patch"
+
+    tracker.find_call(:method => :create_with, :nested => true).each do |result|
+      process_result result
+    end
+
+    generic_warning unless @warned
+  end
+
+  def process_result result
+    return if duplicate? result
+    add_result result
+    arg = result[:call].first_arg
+
+    confidence = danger_level arg
+
+    if confidence
+      @warned = true
+
+      warn :warning_type => "Mass Assignment",
+        :warning_code => :CVE_2014_3514_call,
+        :result => result,
+        :message => @message,
+        :confidence => confidence,
+        :link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"
+    end
+  end
+
+  #For a given create_with call, set confidence level.
+  #Ignore calls that use permit()
+  def danger_level exp
+    return unless sexp? exp
+
+    if call? exp and exp.method == :permit
+      nil
+    elsif request_value? exp
+      CONFIDENCE[:high]
+    elsif hash? exp
+      nil
+    elsif has_immediate_user_input?(exp)
+      CONFIDENCE[:high]
+    elsif include_user_input? exp
+      CONFIDENCE[:med]
+    else
+      CONFIDENCE[:low]
+    end
+  end
+
+  def generic_warning
+      warn :warning_type => "Mass Assignment",
+        :warning_code => :CVE_2014_3514,
+        :message => @message,
+        :gem_info => gemfile_or_environment,
+        :confidence => CONFIDENCE[:med],
+        :link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"
+  end
+end

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -0,0 +1,385 @@
+require 'brakeman/checks/base_check'
+require 'brakeman/processors/lib/find_call'
+require 'brakeman/processors/lib/processor_helper'
+require 'brakeman/util'
+require 'set'
+
+#This check looks for unescaped output in templates which contains
+#parameters or model attributes.
+#
+#For example:
+#
+# <%= User.find(:id).name %>
+# <%= params[:id] %>
+class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for unescaped output in views"
+
+  #Model methods which are known to be harmless
+  IGNORE_MODEL_METHODS = Set[:average, :count, :maximum, :minimum, :sum, :id]
+
+  MODEL_METHODS = Set[:all, :find, :first, :last, :new]
+
+  IGNORE_LIKE = /^link_to_|(_path|_tag|_url)$/
+
+  HAML_HELPERS = Sexp.new(:colon2, Sexp.new(:const, :Haml), :Helpers)
+
+  XML_HELPER = Sexp.new(:colon2, Sexp.new(:const, :Erubis), :XmlHelper)
+
+  URI = Sexp.new(:const, :URI)
+
+  CGI = Sexp.new(:const, :CGI)
+
+  FORM_BUILDER = Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new)
+
+  #Run check
+  def run_check
+    setup
+
+    tracker.each_template do |name, template|
+      Brakeman.debug "Checking #{name} for XSS"
+
+      @current_template = template
+
+      template.each_output do |out|
+        unless check_for_immediate_xss out
+          @matched = false
+          @mark = false
+          process out
+        end
+      end
+    end
+  end
+
+  def check_for_immediate_xss exp
+    return :duplicate if duplicate? exp
+
+    if exp.node_type == :output
+      out = exp.value
+    elsif exp.node_type == :escaped_output
+      if raw_call? exp
+        out = exp.value.first_arg
+      elsif html_safe_call? exp
+        out = exp.value.target
+      end
+    end
+
+    return if call? out and ignore_call? out.target, out.method
+
+    if input = has_immediate_user_input?(out)
+      add_result exp
+
+      message = "Unescaped #{friendly_type_of input}"
+
+      warn :template => @current_template,
+        :warning_type => "Cross Site Scripting",
+        :warning_code => :cross_site_scripting,
+        :message => message,
+        :code => input.match,
+        :confidence => CONFIDENCE[:high]
+
+    elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(out)
+      method = if call? match
+                 match.method
+               else
+                 nil
+               end
+
+      unless IGNORE_MODEL_METHODS.include? method
+        add_result exp
+
+        if likely_model_attribute? match
+          confidence = CONFIDENCE[:high]
+        else
+          confidence = CONFIDENCE[:med]
+        end
+
+        message = "Unescaped model attribute"
+        link_path = "cross_site_scripting"
+        warning_code = :cross_site_scripting
+
+        if node_type?(out, :call, :safe_call, :attrasgn, :safe_attrasgn) && out.method == :to_json
+          message += " in JSON hash"
+          link_path += "_to_json"
+          warning_code = :xss_to_json
+        end
+
+        warn :template => @current_template,
+          :warning_type => "Cross Site Scripting",
+          :warning_code => warning_code,
+          :message => message,
+          :code => match,
+          :confidence => confidence,
+          :link_path => link_path
+      end
+
+    else
+      false
+    end
+  end
+
+  #Call already involves a model, but might not be acting on a record
+  def likely_model_attribute? exp
+    return false unless call? exp
+
+    method = exp.method
+
+    if MODEL_METHODS.include? method or method.to_s.start_with? "find_by_"
+      true
+    else
+      likely_model_attribute? exp.target
+    end
+  end
+
+  #Process an output Sexp
+  def process_output exp
+    process exp.value.dup
+  end
+
+  #Look for calls to raw()
+  #Otherwise, ignore
+  def process_escaped_output exp
+    unless check_for_immediate_xss exp
+      if not duplicate? exp
+        if raw_call? exp
+          process exp.value.first_arg
+        elsif html_safe_call? exp
+          process exp.value.target
+        end
+      end
+    end
+    exp
+  end
+
+  #Check a call for user input
+  #
+  #
+  #Since we want to report an entire call and not just part of one, use @mark
+  #to mark when a call is started. Any dangerous values inside will then
+  #report the entire call chain.
+  def process_call exp
+    if @mark
+      actually_process_call exp
+    else
+      @mark = true
+      actually_process_call exp
+      message = nil
+
+      if @matched
+        unless @matched.type and tracker.options[:ignore_model_output]
+          message = "Unescaped #{friendly_type_of @matched}"
+        end
+
+        if message and not duplicate? exp
+          add_result exp
+
+          link_path = "cross_site_scripting"
+          warning_code = :cross_site_scripting
+
+          if @known_dangerous.include? exp.method
+            confidence = CONFIDENCE[:high]
+            if exp.method == :to_json
+              message += " in JSON hash"
+              link_path += "_to_json"
+              warning_code = :xss_to_json
+            end
+          else
+            confidence = CONFIDENCE[:low]
+          end
+
+          warn :template => @current_template,
+            :warning_type => "Cross Site Scripting",
+            :warning_code => warning_code,
+            :message => message,
+            :code => exp,
+            :user_input => @matched,
+            :confidence => confidence,
+            :link_path => link_path
+        end
+      end
+
+      @mark = @matched = false
+    end
+
+    exp
+  end
+
+  def actually_process_call exp
+    return if @matched
+    target = exp.target
+    if sexp? target
+      target = process target
+    end
+
+    method = exp.method
+
+    #Ignore safe items
+    if ignore_call? target, method
+      @matched = false
+    elsif sexp? target and model_name? target[1] #TODO: use method call?
+      @matched = Match.new(:model, exp)
+    elsif cookies? exp
+      @matched = Match.new(:cookies, exp)
+    elsif @inspect_arguments and params? exp
+      @matched = Match.new(:params, exp)
+    elsif @inspect_arguments
+      process_call_args exp
+    end
+  end
+
+  #Note that params have been found
+  def process_params exp
+    @matched = Match.new(:params, exp)
+    exp
+  end
+
+  #Note that cookies have been found
+  def process_cookies exp
+    @matched = Match.new(:cookies, exp)
+    exp
+  end
+
+  #Ignore calls to render
+  def process_render exp
+    exp
+  end
+
+  #Process as default
+  def process_dstr exp
+    process_default exp
+  end
+
+  #Process as default
+  def process_format exp
+    process_default exp
+  end
+
+  #Ignore output HTML escaped via HAML
+  def process_format_escaped exp
+    exp
+  end
+
+  #Ignore condition in if Sexp
+  def process_if exp
+    process exp.then_clause if sexp? exp.then_clause
+    process exp.else_clause if sexp? exp.else_clause
+    exp
+  end
+
+  def process_case exp
+    #Ignore user input in case value
+    #TODO: also ignore when values
+
+    current = 2
+    while current < exp.length
+      process exp[current] if exp[current]
+      current += 1
+    end
+
+    exp
+  end
+
+  def setup
+    @ignore_methods = Set[:==, :!=, :button_to, :check_box, :content_tag, :escapeHTML, :escape_once,
+                           :field_field, :fields_for, :h, :hidden_field,
+                           :hidden_field, :hidden_field_tag, :image_tag, :label,
+                           :link_to, :mail_to, :radio_button, :select,
+                           :submit_tag, :text_area, :text_field,
+                           :text_field_tag, :url_encode, :u, :url_for,
+                           :will_paginate].merge tracker.options[:safe_methods]
+
+    @models = tracker.models.keys
+    @inspect_arguments = tracker.options[:check_arguments]
+
+    @known_dangerous = Set[:truncate, :concat]
+
+    if version_between? "2.0.0", "3.0.5"
+      @known_dangerous << :auto_link
+    elsif version_between? "3.0.6", "3.0.99"
+      @ignore_methods << :auto_link
+    end
+
+    if version_between? "2.0.0", "2.3.14" or tracker.config.gem_version(:'rails-html-sanitizer') == '1.0.2'
+      @known_dangerous << :strip_tags
+    end
+
+    if tracker.config.has_gem? :'rails-html-sanitizer' and
+       version_between? "1.0.0", "1.0.2", tracker.config.gem_version(:'rails-html-sanitizer')
+
+      @known_dangerous << :sanitize
+    end
+
+    json_escape_on = false
+    initializers = tracker.check_initializers :ActiveSupport, :escape_html_entities_in_json=
+    initializers.each {|result| json_escape_on = true?(result.call.first_arg) }
+
+    if tracker.config.escape_html_entities_in_json?
+        json_escape_on = true
+    elsif version_between? "4.0.0", "9.9.9"
+      json_escape_on = true
+    end
+
+    if !json_escape_on or version_between? "0.0.0", "2.0.99"
+      @known_dangerous << :to_json
+      Brakeman.debug("Automatic to_json escaping not enabled, consider to_json dangerous")
+    else
+      @safe_input_attributes << :to_json
+      Brakeman.debug("Automatic to_json escaping is enabled.")
+    end
+  end
+
+  def raw_call? exp
+    exp.value.node_type == :call and exp.value.method == :raw
+  end
+
+  def html_safe_call? exp
+    call? exp.value and exp.value.method == :html_safe
+  end
+
+  def ignore_call? target, method
+    ignored_method?(target, method) or
+    safe_input_attribute?(target, method) or
+    ignored_model_method?(target, method) or
+    form_builder_method?(target, method) or
+    haml_escaped?(target, method) or
+    boolean_method?(method) or
+    cgi_escaped?(target, method) or
+    xml_escaped?(target, method)
+  end
+
+  def ignored_model_method? target, method
+    ((@matched and @matched.type == :model) or
+       model_name? target) and
+       IGNORE_MODEL_METHODS.include? method
+  end
+
+  def ignored_method? target, method
+    @ignore_methods.include? method or method.to_s =~ IGNORE_LIKE
+  end
+
+  def cgi_escaped? target, method
+    method == :escape and
+    (target == URI or target == CGI)
+  end
+
+  def haml_escaped? target, method
+    method == :html_escape and target == HAML_HELPERS
+  end
+
+  def xml_escaped? target, method
+    method == :escape_xml and target == XML_HELPER
+  end
+
+  def form_builder_method? target, method
+    target == FORM_BUILDER and @ignore_methods.include? method
+  end
+
+  def safe_input_attribute? target, method
+    target and always_safe_method? method
+  end
+
+  def boolean_method? method
+    method.to_s.end_with? "?"
+  end
+end