brakeman-lib 3.4.0 → 3.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e27ccfd7420f1e8272480ef9ca0de23fee00b540
-  data.tar.gz: 09ed85e36994255d6634bbcb7c8ca59e8790541b
+  metadata.gz: 41a53603e2fa56ad3a6fd895b93db05b1e532503
+  data.tar.gz: ec97788b6b989dd66c7dcc4698a86ec143a34eeb
 SHA512:
-  metadata.gz: 117943f4633a23ef3a34286fdcb7f445594c2bee527a6dea48e1a9b77bdff5b0e24aa563d22703e8caf34c4094ee17cdf6a83492ad9f247bcd00473984c0588c
-  data.tar.gz: c194c2535ff1db2743fcf66893d6d0dce2d5ff89ba7fc3a358c8a15564ea6de61bd0365f595051ab36eb6c6af987680fda94eba89aaca06d5d1085a584f31708
+  metadata.gz: ec25a806ebdb9aa3ad8842020a12a5b9b1e7c581b9bf4ead664ceeec9b2a00d6c63ffa71ad955e105660b8a39cb4a0db3ddf38a716ce3d7303438a2b5ee78076
+  data.tar.gz: d55e00d236e989175bace2779b3bf94390ec189542911ed408a73e07146076699d72ad6e2d1e3f560532e8cb43e10391a262a1900c302e8d7c52941d9d6121d3

data/CHANGES

@@ -1,3 +1,13 @@
+# 3.4.1
+
+* Show action help at start of interactive ignore
+* Check CSRF setting in direct subclasses of `ActionController::Base` (Jason Yeo)
+* Configurable engines path (Jason Yeo)
+* Use Ruby version to turn off SymbolDoS check
+* Pull Ruby version from `.ruby-version` or Gemfile
+* Avoid warning about `where_values_hash` in SQLi
+* Fix ignoring link interpolation not at beginning of string
+
 # 3.4.0
 
 * Add new `plain` report format

data/lib/brakeman.rb

@@ -146,7 +146,8 @@ module Brakeman
       :relative_path => false,
       :report_progress => true,
       :html_style => "#{File.expand_path(File.dirname(__FILE__))}/brakeman/format/style.css",
-      :output_color => true
+      :output_color => true,
+      :engine_paths => ["engines/*"]
     }
   end
 

data/lib/brakeman/app_tree.rb

@@ -19,6 +19,7 @@ module Brakeman
         init_options[:only_files] = regex_for_paths(options[:only_files])
       end
       init_options[:additional_libs_path] = options[:additional_libs_path]
+      init_options[:engine_paths] = options[:engine_paths]
       new(root, init_options)
     end
 
@@ -57,6 +58,9 @@ module Brakeman
       @skip_files = init_options[:skip_files]
       @only_files = init_options[:only_files]
       @additional_libs_path = init_options[:additional_libs_path] || []
+      @engine_paths = init_options[:engine_paths] || []
+      @absolute_engine_paths = @engine_paths.select { |path| path.start_with?(File::SEPARATOR) }
+      @relative_engine_paths = @engine_paths - @absolute_engine_paths
     end
 
     def expand_path(path)
@@ -101,8 +105,7 @@ module Brakeman
     end
 
     def layout_exists?(name)
-      pattern = "#{@root}/{engines/*/,}app/views/layouts/#{name}.html.{erb,haml,slim}"
-      !Dir.glob(pattern).empty?
+      !Dir.glob("#{root_search_pattern}app/views/layouts/#{name}.html.{erb,haml,slim}").empty?
     end
 
     def lib_paths
@@ -121,10 +124,14 @@ module Brakeman
       @additional_libs_path.collect{ |path| find_paths path }.flatten
     end
 
-    def find_paths(directory, extensions = "*.rb")
-      pattern = @root + "/{engines/*/,}#{directory}/**/#{extensions}"
+    def find_paths(directory, extensions = ".rb")
+      select_files(glob_files(directory, "*", extensions).sort)
+    end
+
+    def glob_files(directory, name, extensions = ".rb")
+      pattern = "#{root_search_pattern}#{directory}/**/#{name}#{extensions}"
 
-      select_files(Dir.glob(pattern).sort)
+      Dir.glob(pattern)
     end
 
     def select_files(paths)
@@ -160,5 +167,15 @@ module Brakeman
 
       files.match(project_relative_path)
     end
+
+    def root_search_pattern
+      return @root_search_pattern if @root_search_pattern
+      abs = @absolute_engine_paths.to_a.map { |path| path.gsub /#{File::SEPARATOR}+$/, '' }
+      rel = @relative_engine_paths.to_a.map { |path| path.gsub /#{File::SEPARATOR}+$/, '' }
+
+      roots = ([@root] + abs).join(",")
+      rel_engines = (rel + [""]).join("/,")
+      @root_search_patrern = "{#{roots}}/{#{rel_engines}}"
+    end
   end
 end

data/lib/brakeman/checks/check_forgery_setting.rb

@@ -7,41 +7,41 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckForgerySetting < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
-  @description = "Verifies that protect_from_forgery is enabled in ApplicationController"
+  @description = "Verifies that protect_from_forgery is enabled in direct subclasses of ActionController::Base"
 
   def run_check
-    app_controller = tracker.controllers[:ApplicationController]
-    return unless app_controller and app_controller.ancestor? :"ActionController::Base"
-
-    if tracker.config.allow_forgery_protection?
-      csrf_warning :warning_code => :csrf_protection_disabled,
-        :message => "Forgery protection is disabled"
-
-    elsif app_controller and not app_controller.protect_from_forgery?
-      csrf_warning :warning_code => :csrf_protection_missing,
-        :message => "'protect_from_forgery' should be called in ApplicationController",
-        :line => app_controller.top_line
-
-    elsif version_between? "2.1.0", "2.3.10"
-      cve_2011_0447 "2.3.11"
-
-    elsif version_between? "3.0.0", "3.0.3"
-      cve_2011_0447 "3.0.4"
-
-    elsif version_between? "4.0.0", "100.0.0" and forgery_opts = app_controller.options[:protect_from_forgery]
-      unless forgery_opts.is_a?(Array) and sexp?(forgery_opts.first) and
+    tracker.controllers
+    .select { |_, controller| controller.parent == :"ActionController::Base" }
+    .each do |name, controller|
+      if controller and not controller.protect_from_forgery?
+        csrf_warning :controller => name,
+          :warning_code => :csrf_protection_missing,
+          :message => "'protect_from_forgery' should be called in #{name}",
+          :file => controller.file,
+          :line => controller.top_line
+      elsif version_between? "4.0.0", "100.0.0" and forgery_opts = controller.options[:protect_from_forgery]
+        unless forgery_opts.is_a?(Array) and sexp?(forgery_opts.first) and
           access_arg = hash_access(forgery_opts.first.first_arg, :with) and symbol? access_arg and
           access_arg.value == :exception
 
-        args = {
-          :warning_code => :csrf_not_protected_by_raising_exception,
-          :message => "protect_from_forgery should be configured with 'with: :exception'",
-          :confidence => CONFIDENCE[:med]
-        }
+          args = {
+            :controller => name,
+            :warning_type => "Cross-Site Request Forgery",
+            :warning_code => :csrf_not_protected_by_raising_exception,
+            :message => "protect_from_forgery should be configured with 'with: :exception'",
+            :confidence => CONFIDENCE[:med],
+            :file => controller.file
+          }
+
+          args.merge!(:code => forgery_opts.first) if forgery_opts.is_a?(Array)
 
-        args.merge!(:code => forgery_opts.first) if forgery_opts.is_a?(Array)
+          csrf_warning args
+        end
 
-        csrf_warning args
+      end
+
+      if controller.options[:protect_from_forgery]
+        check_cve_2011_0447
       end
     end
   end
@@ -50,14 +50,26 @@ class Brakeman::CheckForgerySetting < Brakeman::BaseCheck
     opts = {
       :controller => :ApplicationController,
       :warning_type => "Cross-Site Request Forgery",
-      :confidence => CONFIDENCE[:high],
-      :file => tracker.controllers[:ApplicationController].file
+      :confidence => CONFIDENCE[:high]
     }.merge opts
 
     warn opts
   end
 
-  def cve_2011_0447 new_version
+  def check_cve_2011_0447
+    @warned_cve_2011_0447 ||= false
+    return if @warned_cve_2011_0447
+
+    if version_between? "2.1.0", "2.3.10"
+      new_version = "2.3.11"
+    elsif version_between? "3.0.0", "3.0.3"
+      new_version = "3.0.4"
+    else
+      return
+    end
+
+    @warned_cve_2011_0447 = true # only warn once
+
     csrf_warning :warning_code => :CVE_2011_0447,
       :message => "CSRF protection is flawed in unpatched versions of Rails #{rails_version} (CVE-2011-0447). Upgrade to #{new_version} or apply patches as needed",
       :gem_info => gemfile_or_environment,

data/lib/brakeman/checks/check_link_to_href.rb

@@ -1,14 +1,14 @@
 require 'brakeman/checks/check_cross_site_scripting'
 
 #Checks for calls to link_to which pass in potentially hazardous data
-#to the second argument.  While this argument must be html_safe to not break 
-#the html, it must also be url safe as determined by calling a 
-#:url_safe_method.  This prevents attacks such as javascript:evil() or 
+#to the second argument.  While this argument must be html_safe to not break
+#the html, it must also be url safe as determined by calling a
+#:url_safe_method.  This prevents attacks such as javascript:evil() or
 #data:<encoded XSS> which is html_safe, but not safe as an href
 #Props to Nick Green for the idea.
 class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
   Brakeman::Checks.add self
-                        
+
   @description = "Checks to see if values used for hrefs are sanitized using a :url_safe_method to protect against javascript:/data: XSS"
 
   def run_check
@@ -23,7 +23,7 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
     @models = tracker.models.keys
     @inspect_arguments = tracker.options[:check_arguments]
 
-    methods = tracker.find_call :target => false, :method => :link_to 
+    methods = tracker.find_call :target => false, :method => :link_to
     methods.each do |call|
       process_result call
     end
@@ -40,19 +40,15 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
       url_arg = url_arg.first_arg
     end
 
-    #Ignore situations where the href is an interpolated string
-    #with something before the user input
-    return if string_interp?(url_arg) && !url_arg[1].chomp.empty?
-
     return if call? url_arg and ignore_call? url_arg.target, url_arg.method
 
     if input = has_immediate_user_input?(url_arg)
       message = "Unsafe #{friendly_type_of input} in link_to href"
 
-      unless duplicate? result or call_on_params? url_arg
+      unless duplicate? result or call_on_params? url_arg or ignore_interpolation? url_arg, input.match
         add_result result
         warn :result => result,
-          :warning_type => "Cross Site Scripting", 
+          :warning_type => "Cross Site Scripting",
           :warning_code => :xss_link_to_href,
           :message => message,
           :user_input => input,
@@ -61,19 +57,19 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
       end
     elsif has_immediate_model? url_arg or model_find_call? url_arg
 
-      # Decided NOT warn on models.  polymorphic_path is called it a model is 
+      # Decided NOT warn on models.  polymorphic_path is called it a model is
       # passed to link_to (which passes it to url_for)
 
     elsif array? url_arg
-      # Just like models, polymorphic path/url is called if the argument is 
-      # an array      
+      # Just like models, polymorphic path/url is called if the argument is
+      # an array
 
     elsif hash? url_arg
 
       # url_for uses the key/values pretty carefully and I don't see a risk.
       # IF you have default routes AND you accept user input for :controller
-      # and :only_path, then MAYBE you could trigger a javascript:/data: 
-      # attack. 
+      # and :only_path, then MAYBE you could trigger a javascript:/data:
+      # attack.
 
     elsif @matched
       if @matched.type == :model and not tracker.options[:ignore_model_output]
@@ -82,10 +78,10 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
         message = "Unsafe parameter value in link_to href"
       end
 
-      if message and not duplicate? result
+      if message and not duplicate? result and not ignore_interpolation? url_arg, @matched.match
         add_result result
-        warn :result => result, 
-          :warning_type => "Cross Site Scripting", 
+        warn :result => result,
+          :warning_type => "Cross Site Scripting",
           :warning_code => :xss_link_to_href,
           :message => message,
           :user_input => @matched,
@@ -95,6 +91,24 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
     end
   end
 
+  #Ignore situations where the href is an interpolated string
+  #with something before the user input
+  def ignore_interpolation? arg, suspect
+    return unless string_interp? arg
+    return true unless arg[1].chomp.empty? # plain string before interpolation
+
+    first_interp = arg.find_nodes(:evstr).first
+    return unless first_interp
+
+    first_interp[1].deep_each do |e|
+      if suspect == e
+        return false
+      end
+    end
+
+    true
+  end
+
   def ignore_call? target, method
     decorated_model? method or super
   end

data/lib/brakeman/checks/check_sql.rb

@@ -549,7 +549,9 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     :quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array,
     :sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,
     :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
-    :to_sql, :sanitize, :primary_key, :table_name_prefix, :table_name_suffix]
+    :to_sql, :sanitize, :primary_key, :table_name_prefix, :table_name_suffix,
+    :where_values_hash
+  ]
 
   def safe_value? exp
     return true unless sexp? exp

data/lib/brakeman/checks/check_symbol_dos.rb

@@ -9,6 +9,7 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
 
   def run_check
     return if rails_version and rails_version >= "5.0.0"
+    return if tracker.config.ruby_version >= "2.2"
 
     tracker.find_call(:methods => UNSAFE_METHODS, :nested => true).each do |result|
       check_unsafe_symbol_creation(result)

data/lib/brakeman/checks/check_unsafe_reflection.rb

@@ -3,7 +3,7 @@ require 'brakeman/checks/base_check'
 # Checks for string interpolation and parameters in calls to
 # String#constantize, String#safe_constantize, Module#const_get and Module#qualified_const_get.
 #
-# Exploit examples at: http://blog.conviso.com.br/2013/02/exploiting-unsafe-reflection-in.html
+# Exploit examples at: http://blog.conviso.com.br/exploiting-unsafe-reflection-in-rubyrails-applications/
 class Brakeman::CheckUnsafeReflection < Brakeman::BaseCheck
   Brakeman::Checks.add self
 

data/lib/brakeman/options.rb

@@ -136,6 +136,11 @@ module Brakeman::Options
           options[:additional_libs_path].merge paths
         end
 
+        opts.on "--add-engines-path path1,path2,etc", Array, "Include these engines in the scan" do |paths|
+          options[:engine_paths] ||= Set.new
+          options[:engine_paths].merge paths
+        end
+
         opts.on "-t", "--test Check1,Check2,etc", Array, "Only run the specified checks" do |checks|
           checks.each_with_index do |s, index|
             if s[0,5] != "Check"

data/lib/brakeman/processors/gem_processor.rb

@@ -21,19 +21,26 @@ class Brakeman::GemProcessor < Brakeman::BasicProcessor
   end
 
   def process_call exp
-    if exp.target == nil and exp.method == :gem
-      gem_name = exp.first_arg
-      return exp unless string? gem_name
+    if exp.target == nil
+      if exp.method == :gem
+        gem_name = exp.first_arg
+        return exp unless string? gem_name
 
-      gem_version = exp.second_arg
+        gem_version = exp.second_arg
 
-      version = if string? gem_version
-                  gem_version.value
-                else
-                  nil
-                end
+        version = if string? gem_version
+                    gem_version.value
+                  else
+                    nil
+                  end
 
-      @tracker.config.add_gem gem_name.value, version, @gemfile, exp.line
+        @tracker.config.add_gem gem_name.value, version, @gemfile, exp.line
+      elsif exp.method == :ruby
+        version = exp.first_arg
+        if string? version
+          @tracker.config.set_ruby_version version.value
+        end
+      end
     end
 
     exp

data/lib/brakeman/report/ignore/interactive.rb

@@ -58,11 +58,13 @@ module Brakeman
       HighLine.new.choose do |m|
         m.choice "Inspect all warnings" do
           @skip_ignored = false
+          pre_show_help
           process_warnings
         end
 
         m.choice "Hide previously ignored warnings" do
           @skip_ignored = true
+          pre_show_help
           process_warnings
         end
 
@@ -92,7 +94,20 @@ module Brakeman
         m.choice "s"
         m.choice "q"
         m.choice "?" do
-          say <<-HELP
+          show_help
+          "?"
+        end
+      end
+    end
+
+    def pre_show_help
+      say "-" * 20
+      say "Actions:", :cyan
+      show_help
+    end
+
+    def show_help
+      say <<-HELP
 i - Add warning to ignore list
 n - Add warning to ignore list and add note
 s - Skip this warning (will remain ignored or shown)
@@ -101,11 +116,7 @@ a - Ignore this warning and all remaining warnings
 k - Skip this warning and all remaining warnings
 q - Quit, do not update ignored warnings
 ? - Display this help
-          HELP
-
-          "?"
-        end
-      end
+      HELP
     end
 
     def penultimate_menu

data/lib/brakeman/scanner.rb

@@ -108,6 +108,10 @@ class Brakeman::Scanner
       tracker.config.escape_html = true
       Brakeman.notify "[Notice] Escaping HTML by default"
     end
+
+    if @app_tree.exists? ".ruby-version"
+      tracker.config.set_ruby_version @app_tree.read ".ruby-version"
+    end
   end
 
   def process_config_file file

data/lib/brakeman/tracker/config.rb

@@ -5,7 +5,7 @@ module Brakeman
     include Util
 
     attr_reader :rails, :tracker
-    attr_accessor :rails_version
+    attr_accessor :rails_version, :ruby_version
     attr_writer :erubis, :escape_html
     attr_reader :gems
 
@@ -16,6 +16,7 @@ module Brakeman
       @settings = {}
       @escape_html = nil
       @erubis = nil
+      @ruby_version = ""
     end
 
     def allow_forgery_protection?
@@ -92,6 +93,14 @@ module Brakeman
       end
     end
 
+    def set_ruby_version version
+      return unless version.is_a? String
+
+      if version =~ /(\d+\.\d+\.\d+)/
+        self.ruby_version = $1
+      end
+    end
+
     def session_settings
       @rails[:action_controller] &&
         @rails[:action_controller][:session]

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "3.4.0"
+  Version = "3.4.1"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 3.4.0
+  version: 3.4.1
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2016-09-07 00:00:00.000000000 Z
+date: 2016-11-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -31,14 +31,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.8.1
+        version: 3.8.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.8.1
+        version: 3.8.3
 - !ruby/object:Gem::Dependency
   name: ruby2ruby
   requirement: !ruby/object:Gem::Requirement