brakeman-lib 3.3.1

data/lib/brakeman/checks/check_link_to.rb

@@ -0,0 +1,132 @@
+require 'brakeman/checks/check_cross_site_scripting'
+
+#Checks for calls to link_to in versions of Ruby where link_to did not
+#escape the first argument.
+#
+#See https://rails.lighthouseapp.com/projects/8994/tickets/3518-link_to-doesnt-escape-its-input
+class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
+  Brakeman::Checks.add self
+
+  @description = "Checks for XSS in link_to in versions before 3.0"
+
+  def run_check
+    return unless version_between?("2.0.0", "2.9.9") and not tracker.config.escape_html?
+
+    @ignore_methods = Set[:button_to, :check_box, :escapeHTML, :escape_once,
+                           :field_field, :fields_for, :h, :hidden_field,
+                           :hidden_field, :hidden_field_tag, :image_tag, :label,
+                           :mail_to, :radio_button, :select,
+                           :submit_tag, :text_area, :text_field,
+                           :text_field_tag, :url_encode, :u, :url_for,
+                           :will_paginate].merge tracker.options[:safe_methods]
+
+    @known_dangerous = []
+    #Ideally, I think this should also check to see if people are setting
+    #:escape => false
+    @models = tracker.models.keys
+    @inspect_arguments = tracker.options[:check_arguments]
+
+    tracker.find_call(:target => false, :method => :link_to).each {|call| process_result call}
+  end
+
+  def process_result result
+    return if duplicate? result
+
+    #Have to make a copy of this, otherwise it will be changed to
+    #an ignored method call by the code above.
+    call = result[:call] = result[:call].dup
+
+    first_arg = call.first_arg
+    second_arg = call.second_arg
+
+    @matched = false
+
+    #Skip if no arguments(?) or first argument is a hash
+    return if first_arg.nil? or hash? first_arg
+
+    if version_between? "2.0.0", "2.2.99"
+      check_argument result, first_arg
+
+      if second_arg and not hash? second_arg
+        check_argument result, second_arg
+      end
+    elsif second_arg
+      #Only check first argument if there is a second argument
+      #in Rails 2.3.x
+      check_argument result, first_arg
+    end
+  end
+
+  # Check the argument for possible xss exploits
+  def check_argument result, exp
+    argument = process(exp)
+    !check_user_input(result, argument) && !check_method(result, argument) && !check_matched(result, @matched)
+  end
+
+  # Check we should warn about the user input
+  def check_user_input(result, argument)
+    input = has_immediate_user_input?(argument)
+    return false unless input
+
+    message = "Unescaped #{friendly_type_of input} in link_to"
+
+    warn_xss(result, message, input, CONFIDENCE[:high])
+  end
+
+  # Check if we should warn about the specified method
+  def check_method(result, argument)
+    return false if tracker.options[:ignore_model_output]
+    match = has_immediate_model?(argument)
+    return false unless match
+    method = match.method
+    return false if IGNORE_MODEL_METHODS.include? method
+
+    confidence = CONFIDENCE[:med]
+    confidence = CONFIDENCE[:high] if likely_model_attribute? match
+    warn_xss(result, "Unescaped model attribute in link_to", match, confidence)
+  end
+
+  # Check if we should warn about the matched result
+  def check_matched(result, matched = nil)
+    return false unless matched
+    return false if matched.type == :model and tracker.options[:ignore_model_output]
+
+    message = "Unescaped #{friendly_type_of matched} in link_to"
+
+    warn_xss(result, message, @matched, CONFIDENCE[:med])
+  end
+
+  # Create a warn for this xss
+  def warn_xss(result, message, user_input, confidence)
+    add_result(result)
+    warn :result => result,
+      :warning_type => "Cross Site Scripting",
+      :warning_code => :xss_link_to,
+      :message => message,
+      :user_input => user_input,
+      :confidence => confidence,
+      :link_path => "link_to"
+
+    true
+  end
+
+  def process_call exp
+    @mark = true
+    actually_process_call exp
+    exp
+  end
+
+  def actually_process_call exp
+    return if @matched
+
+    target = exp.target
+    target = process target.dup if sexp? target
+
+    #Bare records create links to the model resource,
+    #not a string that could have injection
+    #TODO: Needs test? I think this is broken?
+    return exp if model_name? target and context == [:call, :arglist]
+
+    super
+  end
+end

data/lib/brakeman/checks/check_link_to_href.rb

@@ -0,0 +1,115 @@
+require 'brakeman/checks/check_cross_site_scripting'
+
+#Checks for calls to link_to which pass in potentially hazardous data
+#to the second argument.  While this argument must be html_safe to not break 
+#the html, it must also be url safe as determined by calling a 
+#:url_safe_method.  This prevents attacks such as javascript:evil() or 
+#data:<encoded XSS> which is html_safe, but not safe as an href
+#Props to Nick Green for the idea.
+class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
+  Brakeman::Checks.add self
+                        
+  @description = "Checks to see if values used for hrefs are sanitized using a :url_safe_method to protect against javascript:/data: XSS"
+
+  def run_check
+    @ignore_methods = Set[:button_to, :check_box,
+                           :field_field, :fields_for, :hidden_field,
+                           :hidden_field, :hidden_field_tag, :image_tag, :label,
+                           :mail_to, :polymorphic_url, :radio_button, :select, :slice,
+                           :submit_tag, :text_area, :text_field,
+                           :text_field_tag, :url_encode, :u, :url_for,
+                           :will_paginate].merge(tracker.options[:url_safe_methods] || [])
+
+    @models = tracker.models.keys
+    @inspect_arguments = tracker.options[:check_arguments]
+
+    methods = tracker.find_call :target => false, :method => :link_to 
+    methods.each do |call|
+      process_result call
+    end
+  end
+
+  def process_result result
+    #Have to make a copy of this, otherwise it will be changed to
+    #an ignored method call by the code above.
+    call = result[:call] = result[:call].dup
+    @matched = false
+    url_arg = process call.second_arg
+
+    #Ignore situations where the href is an interpolated string
+    #with something before the user input
+    return if string_interp?(url_arg) && !url_arg[1].chomp.empty?
+
+    return if call? url_arg and ignore_call? url_arg.target, url_arg.method
+
+    if input = has_immediate_user_input?(url_arg)
+      message = "Unsafe #{friendly_type_of input} in link_to href"
+
+      unless duplicate? result
+        add_result result
+        warn :result => result,
+          :warning_type => "Cross Site Scripting", 
+          :warning_code => :xss_link_to_href,
+          :message => message,
+          :user_input => input,
+          :confidence => CONFIDENCE[:high],
+          :link_path => "link_to_href"
+      end
+    elsif has_immediate_model? url_arg or model_find_call? url_arg
+
+      # Decided NOT warn on models.  polymorphic_path is called it a model is 
+      # passed to link_to (which passes it to url_for)
+
+    elsif array? url_arg
+      # Just like models, polymorphic path/url is called if the argument is 
+      # an array      
+
+    elsif hash? url_arg
+
+      # url_for uses the key/values pretty carefully and I don't see a risk.
+      # IF you have default routes AND you accept user input for :controller
+      # and :only_path, then MAYBE you could trigger a javascript:/data: 
+      # attack. 
+
+    elsif @matched
+      if @matched.type == :model and not tracker.options[:ignore_model_output]
+        message = "Unsafe model attribute in link_to href"
+      elsif @matched.type == :params
+        message = "Unsafe parameter value in link_to href"
+      end
+
+      if message and not duplicate? result
+        add_result result
+        warn :result => result, 
+          :warning_type => "Cross Site Scripting", 
+          :warning_code => :xss_link_to_href,
+          :message => message,
+          :user_input => @matched,
+          :confidence => CONFIDENCE[:med],
+          :link_path => "link_to_href"
+      end
+    end
+  end
+
+  def ignore_call? target, method
+    decorated_model? method or super
+  end
+
+  def decorated_model? method
+    tracker.config.has_gem? :draper and
+      method == :decorate
+  end
+
+  def ignored_method? target, method
+    @ignore_methods.include? method or
+      method.to_s =~ /_path$/ or
+      (target.nil? and method.to_s =~ /_url$/)
+  end
+
+  def model_find_call? exp
+    return unless call? exp
+
+    MODEL_METHODS.include? exp.method or
+      exp.method.to_s =~ /^find_by_/
+  end
+end

data/lib/brakeman/checks/check_mail_to.rb

@@ -0,0 +1,49 @@
+require 'brakeman/checks/base_check'
+
+#Check for cross site scripting vulnerability in mail_to :encode => :javascript
+#with certain versions of Rails (< 2.3.11 or < 3.0.4).
+#
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/f02a48ede8315f81
+class Brakeman::CheckMailTo < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for mail_to XSS vulnerability in certain versions"
+
+  def run_check
+    if (version_between? "2.3.0", "2.3.10" or version_between? "3.0.0", "3.0.3") and result = mail_to_javascript?
+      message = "Vulnerability in mail_to using javascript encoding (CVE-2011-0446). Upgrade to Rails version "
+
+      if version_between? "2.3.0", "2.3.10"
+        message << "2.3.11"
+      else
+        message << "3.0.4"
+      end
+
+      warn :result => result,
+        :warning_type => "Mail Link",
+        :warning_code => :CVE_2011_0446,
+        :message => message,
+        :confidence => CONFIDENCE[:high],
+        :gem_info => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/8CpI7egxX4E/discussion"
+    end
+  end
+
+  #Check for javascript encoding of mail_to address
+  #    mail_to email, name, :encode => :javascript
+  def mail_to_javascript?
+    Brakeman.debug "Checking calls to mail_to for javascript encoding"
+
+    tracker.find_call(:target => false, :method => :mail_to).each do |result|
+      result[:call].each_arg do |arg|
+        if hash? arg
+          if option = hash_access(arg, :encode)
+            return result if symbol? option and option.value == :javascript
+          end
+        end
+      end
+    end
+
+    false
+  end
+end

data/lib/brakeman/checks/check_mass_assignment.rb

@@ -0,0 +1,198 @@
+require 'brakeman/checks/base_check'
+require 'set'
+
+#Checks for mass assignments to models.
+#
+#See http://guides.rubyonrails.org/security.html#mass-assignment for details
+class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Finds instances of mass assignment"
+
+  def initialize(*)
+    super
+    @mass_assign_calls = nil
+  end
+
+  def run_check
+    check_mass_assignment
+    check_permit!
+  end
+
+  def find_mass_assign_calls
+    return @mass_assign_calls if @mass_assign_calls
+
+    models = []
+    tracker.models.each do |name, m|
+      if m.is_a? Hash
+        p m
+      end
+      if m.unprotected_model?
+        models << name
+      end
+    end
+
+    return [] if models.empty?
+
+    Brakeman.debug "Finding possible mass assignment calls on #{models.length} models"
+    @mass_assign_calls = tracker.find_call :chained => true, :targets => models, :methods => [:new,
+      :attributes=,
+      :update_attributes,
+      :update_attributes!,
+      :create,
+      :create!,
+      :build,
+      :first_or_create,
+      :first_or_create!,
+      :first_or_initialize!,
+      :assign_attributes,
+      :update
+    ]
+  end
+
+  def check_mass_assignment
+    return if mass_assign_disabled?
+
+    Brakeman.debug "Processing possible mass assignment calls"
+    find_mass_assign_calls.each do |result|
+      process_result result
+    end
+  end
+
+  #All results should be Model.new(...) or Model.attributes=() calls
+  def process_result res
+    call = res[:call]
+
+    check = check_call call
+
+    if check and not call.original_line and not duplicate? res
+      add_result res
+
+      model = tracker.models[res[:chain].first]
+
+      attr_protected = (model and model.attr_protected)
+
+      if attr_protected and tracker.options[:ignore_attr_protected]
+        return
+      elsif input = include_user_input?(call.arglist)
+        first_arg = call.first_arg
+
+        if call? first_arg and (first_arg.method == :slice or first_arg.method == :only)
+          return
+        elsif not node_type? first_arg, :hash
+          if attr_protected
+            confidence = CONFIDENCE[:med]
+          else
+            confidence = CONFIDENCE[:high]
+          end
+        else
+          confidence = CONFIDENCE[:low]
+        end
+      elsif node_type? call.first_arg, :lit, :str
+        return
+      else
+        confidence = CONFIDENCE[:low]
+        input = nil
+      end
+
+      warn :result => res,
+        :warning_type => "Mass Assignment",
+        :warning_code => :mass_assign_call,
+        :message => "Unprotected mass assignment",
+        :code => call,
+        :user_input => input,
+        :confidence => confidence
+    end
+
+    res
+  end
+
+  #Want to ignore calls to Model.new that have no arguments
+  def check_call call
+    process_call_args call
+
+    if call.method == :update
+      arg = call.second_arg
+    else
+      arg = call.first_arg
+    end
+
+    if arg.nil? #empty new()
+      false
+    elsif hash? arg and not include_user_input? arg
+      false
+    elsif all_literal_args? call
+      false
+    else
+      true
+    end
+  end
+
+  LITERALS = Set[:lit, :true, :false, :nil, :string]
+
+  def all_literal_args? exp
+    if call? exp
+      exp.each_arg do |arg|
+        return false unless literal? arg
+      end
+
+      true
+    else
+      exp.all? do |arg|
+        literal? arg
+      end
+    end
+
+  end
+
+  def literal? exp
+    if sexp? exp
+      if exp.node_type == :hash
+        all_literal_args? exp
+      else
+        LITERALS.include? exp.node_type
+      end
+    else
+      true
+    end
+  end
+
+  # Look for and warn about uses of Parameters#permit! for mass assignment
+  def check_permit!
+    tracker.find_call(:method => :permit!).each do |result|
+      if params? result[:call].target and not result[:chain].include? :slice
+        warn_on_permit! result
+      end
+    end
+  end
+
+  # Look for actual use of params in mass assignment to avoid
+  # warning about uses of Parameters#permit! without any mass assignment
+  # or when mass assignment is restricted by model instead.
+  def subsequent_mass_assignment? result
+    location = result[:location]
+    line = result[:call].line
+    find_mass_assign_calls.any? do |call|
+      call[:location] == location and
+      params? call[:call].first_arg and
+      call[:call].line >= line
+    end
+  end
+
+  def warn_on_permit! result
+    return if duplicate? result or result[:call].original_line
+    add_result result
+
+    confidence = if subsequent_mass_assignment? result
+                   CONFIDENCE[:high]
+                 else
+                   CONFIDENCE[:med]
+                 end
+
+    warn :result => result,
+      :warning_type => "Mass Assignment",
+      :warning_code => :mass_assign_permit!,
+      :message => "Parameters should be whitelisted for mass assignment",
+      :confidence => confidence
+  end
+end