brakeman-lib 3.3.1

data/lib/brakeman/checks/check_default_routes.rb

@@ -0,0 +1,86 @@
+require 'brakeman/checks/base_check'
+
+#Checks if default routes are allowed in routes.rb
+class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for default routes"
+
+  #Checks for :allow_all_actions globally and for individual routes
+  #if it is not enabled globally.
+  def run_check
+    check_for_default_routes
+    check_for_action_globs
+    check_for_cve_2014_0130
+  end
+
+  def check_for_default_routes
+    if allow_all_actions?
+      #Default routes are enabled globally
+      warn :warning_type => "Default Routes",
+        :warning_code => :all_default_routes,
+        :message => "All public methods in controllers are available as actions in routes.rb",
+        :line => tracker.routes[:allow_all_actions].line,
+        :confidence => CONFIDENCE[:high],
+        :file => "#{tracker.app_path}/config/routes.rb"
+    end
+  end
+
+  def check_for_action_globs
+    return if allow_all_actions?
+    Brakeman.debug "Checking each controller for default routes"
+
+    tracker.routes.each do |name, actions|
+      if actions.is_a? Array and actions[0] == :allow_all_actions
+        @actions_allowed_on_controller = true
+        if actions[1].is_a? Hash and actions[1][:allow_verb]
+          verb = actions[1][:allow_verb]
+        else
+          verb = "any"
+        end
+        warn :controller => name,
+          :warning_type => "Default Routes",
+          :warning_code => :controller_default_routes,
+          :message => "Any public method in #{name} can be used as an action for #{verb} requests.",
+          :line => actions[2],
+          :confidence => CONFIDENCE[:med],
+          :file => "#{tracker.app_path}/config/routes.rb"
+      end
+    end
+  end
+
+  def check_for_cve_2014_0130
+    case
+    when lts_version?("2.3.18.9")
+      #TODO: Should support LTS 3.0.20 too
+      return
+    when version_between?("2.0.0", "2.3.18")
+      upgrade = "3.2.18"
+    when version_between?("3.0.0", "3.2.17")
+      upgrade = "3.2.18"
+    when version_between?("4.0.0", "4.0.4")
+      upgrade = "4.0.5"
+    when version_between?("4.1.0", "4.1.0")
+      upgrade = "4.1.1"
+    else
+      return
+    end
+
+    if allow_all_actions? or @actions_allowed_on_controller
+      confidence = CONFIDENCE[:high]
+    else
+      confidence = CONFIDENCE[:med]
+    end
+
+    warn :warning_type => "Remote Code Execution",
+      :warning_code => :CVE_2014_0130,
+      :message => "Rails #{rails_version} with globbing routes is vulnerable to directory traversal and remote code execution. Patch or upgrade to #{upgrade}",
+      :confidence => confidence,
+      :file => "#{tracker.app_path}/config/routes.rb",
+      :link => "http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf"
+  end
+
+  def allow_all_actions?
+    tracker.routes[:allow_all_actions]
+  end
+end

data/lib/brakeman/checks/check_deserialize.rb

@@ -0,0 +1,57 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckDeserialize < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for unsafe deserialization of objects"
+
+  def run_check
+    check_yaml
+    check_csv
+    check_marshal
+  end
+
+  def check_yaml
+    check_methods :YAML, :load, :load_documents, :load_stream, :parse_documents, :parse_stream
+  end
+
+  def check_csv
+    check_methods :CSV, :load
+  end
+
+  def check_marshal
+    check_methods :Marshal, :load, :restore
+  end
+
+  def check_methods target, *methods
+    tracker.find_call(:target => target, :methods => methods ).each do |result|
+      check_deserialize result, target
+    end
+  end
+
+  def check_deserialize result, target, arg = nil
+    return if duplicate? result
+    add_result result
+
+    arg ||= result[:call].first_arg
+    method = result[:call].method
+
+    if input = has_immediate_user_input?(arg)
+      confidence = CONFIDENCE[:high]
+    elsif input = include_user_input?(arg)
+      confidence = CONFIDENCE[:med]
+    end
+
+    if confidence
+      message = "#{target}.#{method} called with #{friendly_type_of input}"
+
+      warn :result => result,
+        :warning_type => "Remote Code Execution",
+        :warning_code => :unsafe_deserialize,
+        :message => message,
+        :user_input => input,
+        :confidence => confidence,
+        :link_path => "unsafe_deserialization"
+    end
+  end
+end

data/lib/brakeman/checks/check_detailed_exceptions.rb

@@ -0,0 +1,55 @@
+require 'brakeman/checks/base_check'
+
+# Check for detailed exceptions enabled for production
+class Brakeman::CheckDetailedExceptions < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  LOCAL_REQUEST = s(:call, s(:call, nil, :request), :local?)
+
+  @description = "Checks for information disclosure displayed via detailed exceptions"
+
+  def run_check
+    check_local_request_config
+    check_detailed_exceptions
+  end
+
+  def check_local_request_config
+    if true? tracker.config.rails[:consider_all_requests_local]
+      warn :warning_type => "Information Disclosure",
+           :warning_code => :local_request_config,
+           :message => "Detailed exceptions are enabled in production",
+           :confidence => CONFIDENCE[:high],
+           :file => "config/environments/production.rb"
+    end
+  end
+
+  def check_detailed_exceptions
+    tracker.controllers.each do |name, controller|
+      controller.methods_public.each do |method_name, definition|
+        src = definition[:src]
+        body = src.body.last
+        next unless body
+
+        if method_name == :show_detailed_exceptions? and not safe? body
+          if true? body
+            confidence = CONFIDENCE[:high]
+          else
+            confidence = CONFIDENCE[:med]
+          end
+
+          warn :warning_type => "Information Disclosure",
+               :warning_code => :detailed_exceptions,
+               :message => "Detailed exceptions may be enabled in 'show_detailed_exceptions?'",
+               :confidence => confidence,
+               :code => src,
+               :file => definition[:file]
+        end
+      end
+    end
+  end
+
+  def safe? body
+    false? body or
+    body == LOCAL_REQUEST
+  end
+end

data/lib/brakeman/checks/check_digest_dos.rb

@@ -0,0 +1,38 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckDigestDoS < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for digest authentication DoS vulnerability"
+
+  def run_check
+    message = "Vulnerability in digest authentication (CVE-2012-3424). Upgrade to Rails version "
+
+    if version_between? "3.0.0", "3.0.15"
+      message << "3.0.16"
+    elsif version_between? "3.1.0", "3.1.6"
+      message << "3.1.7"
+    elsif version_between? "3.2.0", "3.2.5"
+      message << "3.2.7"
+    else
+      return
+    end
+
+    if with_http_digest?
+      confidence = CONFIDENCE[:high]
+    else
+      confidence = CONFIDENCE[:low]
+    end
+
+    warn :warning_type => "Denial of Service",
+      :warning_code => :CVE_2012_3424,
+      :message => message,
+      :confidence => confidence,
+      :link_path => "https://groups.google.com/d/topic/rubyonrails-security/vxJjrc15qYM/discussion",
+      :gem_info => gemfile_or_environment
+  end
+
+  def with_http_digest?
+    not tracker.find_call(:target => false, :method => [:authenticate_or_request_with_http_digest, :authenticate_with_http_digest]).empty?
+  end
+end

data/lib/brakeman/checks/check_dynamic_finders.rb

@@ -0,0 +1,49 @@
+require 'brakeman/checks/base_check'
+
+#This check looks for regexes that include user input.
+class Brakeman::CheckDynamicFinders < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Check unsafe usage of find_by_*"
+
+  def run_check
+    if tracker.config.has_gem? :mysql and version_between? '2.0.0', '4.1.99'
+      tracker.find_call(:method => /^find_by_/).each do |result|
+        process_result result
+      end
+    end
+  end
+
+  def process_result result
+    return if duplicate? result or result[:call].original_line
+    add_result result
+
+    call = result[:call]
+
+    if potentially_dangerous? call.method
+      call.each_arg do |arg|
+        if params? arg and not safe_call? arg
+          warn :result => result,
+            :warning_type => "SQL Injection",
+            :warning_code => :sql_injection_dynamic_finder,
+            :message => "MySQL integer conversion may cause 0 to match any string",
+            :confidence => CONFIDENCE[:med],
+            :user_input => arg
+
+          break
+        end
+      end
+    end
+  end
+
+  def safe_call? arg
+    return false unless call? arg
+
+    meth = arg.method
+    meth == :to_s or meth == :to_i
+  end
+
+  def potentially_dangerous? method_name
+    method_name.match /^find_by_.*(token|guid|password|api_key|activation|code|private|reset)/
+  end
+end

data/lib/brakeman/checks/check_escape_function.rb

@@ -0,0 +1,21 @@
+require 'brakeman/checks/base_check'
+
+#Check for versions with vulnerable html escape method
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195
+class Brakeman::CheckEscapeFunction < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for versions before 2.3.14 which have a vulnerable escape method"
+
+  def run_check
+    if version_between?('2.0.0', '2.3.13') and RUBY_VERSION < '1.9.0' 
+
+      warn :warning_type => 'Cross Site Scripting',
+        :warning_code => :CVE_2011_2932,
+        :message => 'Versions before 2.3.14 have a vulnerability in escape method when used with Ruby 1.8: CVE-2011-2932',
+        :confidence => CONFIDENCE[:high],
+        :gem_info => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/Vr_7WSOrEZU/discussion"
+    end
+  end
+end

data/lib/brakeman/checks/check_evaluation.rb

@@ -0,0 +1,36 @@
+require 'brakeman/checks/base_check'
+
+#This check looks for calls to +eval+, +instance_eval+, etc. which include
+#user input.
+class Brakeman::CheckEvaluation < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Searches for evaluation of user input"
+
+  #Process calls
+  def run_check
+    Brakeman.debug "Finding eval-like calls"
+    calls = tracker.find_call :method => [:eval, :instance_eval, :class_eval, :module_eval]
+
+    Brakeman.debug "Processing eval-like calls"
+    calls.each do |call|
+      process_result call
+    end
+  end
+
+  #Warns if eval includes user input
+  def process_result result
+    return if duplicate? result or result[:call].original_line
+    add_result result
+
+    if input = include_user_input?(result[:call].arglist)
+      warn :result => result,
+        :warning_type => "Dangerous Eval",
+        :warning_code => :code_eval,
+        :message => "User input in eval",
+        :code => result[:call],
+        :user_input => input,
+        :confidence => CONFIDENCE[:high]
+    end
+  end
+end

data/lib/brakeman/checks/check_execute.rb

@@ -0,0 +1,167 @@
+require 'brakeman/checks/base_check'
+
+#Checks for string interpolation and parameters in calls to
+#Kernel#system, Kernel#exec, Kernel#syscall, and inside backticks.
+#
+#Examples of command injection vulnerabilities:
+#
+# system("rf -rf #{params[:file]}")
+# exec(params[:command])
+# `unlink #{params[:something}`
+class Brakeman::CheckExecute < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Finds instances of possible command injection"
+
+  SAFE_VALUES = [s(:const, :RAILS_ROOT),
+                  s(:call, s(:const, :Rails), :root),
+                  s(:call, s(:const, :Rails), :env)]
+
+  #Check models, controllers, and views for command injection.
+  def run_check
+    Brakeman.debug "Finding system calls using ``"
+    check_for_backticks tracker
+
+    check_open_calls
+
+    Brakeman.debug "Finding other system calls"
+    calls = tracker.find_call :targets => [:IO, :Open3, :Kernel, :'POSIX::Spawn', :Process, nil],
+      :methods => [:capture2, :capture2e, :capture3, :exec, :pipeline, :pipeline_r,
+        :pipeline_rw, :pipeline_start, :pipeline_w, :popen, :popen2, :popen2e,
+        :popen3, :spawn, :syscall, :system]
+
+    Brakeman.debug "Processing system calls"
+    calls.each do |result|
+      process_result result
+    end
+  end
+
+  #Processes results from Tracker#find_call.
+  def process_result result
+    call = result[:call]
+    args = call.arglist
+    first_arg = call.first_arg
+
+    case call.method
+    when :popen
+      unless array? first_arg
+        failure = include_user_input?(args) || dangerous_interp?(args)
+      end
+    when :system, :exec
+      failure = include_user_input?(first_arg) || dangerous_interp?(first_arg)
+    else
+      failure = include_user_input?(args) || dangerous_interp?(args)
+    end
+
+    if failure and not duplicate? result
+      add_result result
+
+      if failure.type == :interp #Not from user input
+        confidence = CONFIDENCE[:med]
+      else
+        confidence = CONFIDENCE[:high]
+      end
+
+      warn :result => result,
+        :warning_type => "Command Injection",
+        :warning_code => :command_injection,
+        :message => "Possible command injection",
+        :code => call,
+        :user_input => failure,
+        :confidence => confidence
+    end
+  end
+
+  def check_open_calls
+    tracker.find_call(:targets => [nil, :Kernel], :method => :open).each do |result|
+      if match = dangerous_open_arg?(result[:call].first_arg)
+        warn :result => result,
+          :warning_type => "Command Injection",
+          :warning_code => :command_injection,
+          :message => "Possible command injection in open()",
+          :user_input => match,
+          :confidence => CONFIDENCE[:high]
+      end
+    end
+  end
+
+  def dangerous_open_arg? exp
+    if string_interp? exp
+      # Check for input at start of string
+      exp[1] == "" and
+        node_type? exp[2], :evstr and
+        has_immediate_user_input? exp[2]
+    else
+      has_immediate_user_input? exp
+    end
+  end
+
+  #Looks for calls using backticks such as
+  #
+  # `rm -rf #{params[:file]}`
+  def check_for_backticks tracker
+    tracker.find_call(:target => nil, :method => :`).each do |result|
+      process_backticks result
+    end
+  end
+
+  #Processes backticks.
+  def process_backticks result
+    return if duplicate? result
+
+    add_result result
+
+    exp = result[:call]
+
+    if input = include_user_input?(exp)
+      confidence = CONFIDENCE[:high]
+    elsif input = dangerous?(exp)
+      confidence = CONFIDENCE[:med]
+    else
+      return
+    end
+
+    warn :result => result,
+      :warning_type => "Command Injection",
+      :warning_code => :command_injection,
+      :message => "Possible command injection",
+      :code => exp,
+      :user_input => input,
+      :confidence => confidence
+  end
+
+  def dangerous? exp
+    exp.each_sexp do |e|
+      next if node_type? e, :lit, :str
+      next if SAFE_VALUES.include? e
+
+      if call? e and e.method == :to_s
+        e = e.target
+      end
+
+      if node_type? e, :or, :evstr, :dstr
+        if res = dangerous?(e)
+          return res
+        end
+      else
+        return e
+      end
+    end
+
+    false
+  end
+
+  def dangerous_interp? exp
+    match = include_interp? exp
+    return unless match
+    interp = match.match
+
+    interp.each_sexp do |e|
+      if res = dangerous?(e)
+        return Match.new(:interp, res)
+      end
+    end
+
+    false
+  end
+end