brakeman-lib 4.4.0 → 4.7.0

data/lib/brakeman/checks/check_content_tag.rb

@@ -45,6 +45,16 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
   def process_result result
     return if duplicate? result
 
+    case result[:location][:type]
+    when :template
+      @current_template = result[:location][:template]
+    when :class
+      @current_class = result[:location][:class]
+      @current_method = result[:location][:method]
+    end
+
+    @current_file = result[:location][:file]
+
     call = result[:call] = result[:call].dup
 
     args = call.arglist
@@ -85,6 +95,8 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
         end
       end
     end
+  ensure
+    @current_template = @current_class = @current_method = @current_file = nil
   end
 
   def check_argument result, exp

data/lib/brakeman/checks/check_cookie_serialization.rb

@@ -0,0 +1,22 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckCookieSerialization < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Check for use of Marshal for cookie serialization"
+
+  def run_check
+    tracker.find_call(target: :'Rails.application.config.action_dispatch', method: :cookies_serializer=).each do |result|
+      setting = result[:call].first_arg
+
+      if symbol? setting and [:marshal, :hybrid].include? setting.value
+        warn :result => result,
+          :warning_type => "Remote Code Execution",
+          :warning_code => :unsafe_cookie_serialization,
+          :message => msg("Use of unsafe cookie serialization strategy ", msg_code(setting.value.inspect), " might lead to remote code execution"),
+          :confidence => :medium,
+          :link_path => "unsafe_deserialization"
+      end
+    end
+  end
+end

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -33,6 +33,11 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
 
   FORM_BUILDER = Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new)
 
+  def initialize *args
+    super
+    @matched = @mark = false
+  end
+
   #Run check
   def run_check
     setup
@@ -57,12 +62,12 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
 
     if exp.node_type == :output
       out = exp.value
-    elsif exp.node_type == :escaped_output
-      if raw_call? exp
-        out = exp.value.first_arg
-      elsif html_safe_call? exp
-        out = exp.value.target
-      end
+    end
+
+    if raw_call? exp
+      out = exp.value.first_arg
+    elsif html_safe_call? exp
+      out = exp.value.target
     end
 
     return if call? out and ignore_call? out.target, out.method
@@ -282,7 +287,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
 
   def setup
     @ignore_methods = Set[:==, :!=, :button_to, :check_box, :content_tag, :escapeHTML, :escape_once,
-                           :field_field, :fields_for, :h, :hidden_field,
+                           :field_field, :fields_for, :form_for, :h, :hidden_field,
                            :hidden_field, :hidden_field_tag, :image_tag, :label,
                            :link_to, :mail_to, :radio_button, :select,
                            :submit_tag, :text_area, :text_field,
@@ -311,11 +316,11 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
     end
 
     json_escape_on = false
-    initializers = tracker.check_initializers :ActiveSupport, :escape_html_entities_in_json=
-    initializers.each {|result| json_escape_on = true?(result.call.first_arg) }
+    initializers = tracker.find_call(target: :ActiveSupport, method: :escape_html_entities_in_json=)
+    initializers.each {|result| json_escape_on = true?(result[:call].first_arg) }
 
     if tracker.config.escape_html_entities_in_json?
-        json_escape_on = true
+      json_escape_on = true
     elsif version_between? "4.0.0", "9.9.9"
       json_escape_on = true
     end

data/lib/brakeman/checks/check_default_routes.rb

@@ -6,6 +6,11 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
 
   @description = "Checks for default routes"
 
+  def initialize *args
+    super
+    @actions_allowed_on_controller = nil
+  end
+
   #Checks for :allow_all_actions globally and for individual routes
   #if it is not enabled globally.
   def run_check

data/lib/brakeman/checks/check_deserialize.rb

@@ -9,6 +9,7 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
     check_yaml
     check_csv
     check_marshal
+    check_oj
   end
 
   def check_yaml
@@ -23,6 +24,26 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
     check_methods :Marshal, :load, :restore
   end
 
+  def check_oj
+    check_methods :Oj, :object_load # Always unsafe, regardless of mode
+
+    unsafe_mode = :object
+    safe_default = oj_safe_default?
+
+    tracker.find_call(:target => :Oj, :method => :load).each do |result|
+      call = result[:call]
+      options = call.second_arg
+
+      if options and hash? options and mode = hash_access(options, :mode)
+        if symbol? mode and mode.value == unsafe_mode
+          check_deserialize result, :Oj
+        end
+      elsif not safe_default
+        check_deserialize result, :Oj
+      end
+    end
+  end
+
   def check_methods target, *methods
     tracker.find_call(:target => target, :methods => methods ).each do |result|
       check_deserialize result, target
@@ -53,4 +74,32 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
         :link_path => "unsafe_deserialization"
     end
   end
+
+  private
+
+  def oj_safe_default?
+    safe_default = false
+
+    if tracker.find_call(target: :Oj, method: :mimic_JSON).any?
+      safe_default = true
+    elsif result = tracker.find_call(target: :Oj, method: :default_options=).first
+      options = result[:call].first_arg
+
+      if oj_safe_mode? options
+        safe_default = true
+      end
+    end
+
+    safe_default
+  end
+
+  def oj_safe_mode? options
+    if hash? options and mode = hash_access(options, :mode)
+      if symbol? mode and mode != :object
+        return true
+      end
+    end
+
+    false
+  end
 end

data/lib/brakeman/checks/check_dynamic_finders.rb

@@ -43,6 +43,6 @@ class Brakeman::CheckDynamicFinders < Brakeman::BaseCheck
   end
 
   def potentially_dangerous? method_name
-    method_name.match /^find_by_.*(token|guid|password|api_key|activation|code|private|reset)/
+    method_name.match(/^find_by_.*(token|guid|password|api_key|activation|code|private|reset)/)
   end
 end

data/lib/brakeman/checks/check_evaluation.rb

@@ -27,7 +27,6 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
         :warning_type => "Dangerous Eval",
         :warning_code => :code_eval,
         :message => "User input in eval",
-        :code => result[:call],
         :user_input => input,
         :confidence => :high
     end

data/lib/brakeman/checks/check_execute.rb

@@ -21,6 +21,10 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
   SHELL_ESCAPE_MODULE_METHODS = Set[:escape, :join, :shellescape, :shelljoin]
   SHELL_ESCAPE_MIXIN_METHODS = Set[:shellescape, :shelljoin]
 
+  # These are common shells that are known to allow the execution of commands
+  # via a -c flag. See dash_c_shell_command? for more info.
+  KNOWN_SHELL_COMMANDS = Set["sh", "bash", "ksh", "csh", "tcsh", "zsh"]
+
   SHELLWORDS = s(:const, :Shellwords)
 
   #Check models, controllers, and views for command injection.
@@ -42,6 +46,8 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
     end
   end
 
+  private
+
   #Processes results from Tracker#find_call.
   def process_result result
     call = result[:call]
@@ -54,7 +60,17 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
         failure = include_user_input?(args) || dangerous_interp?(args)
       end
     when :system, :exec
-      failure = include_user_input?(first_arg) || dangerous_interp?(first_arg)
+      # Normally, if we're in a `system` or `exec` call, we only are worried
+      # about shell injection when there's a single argument, because comma-
+      # separated arguments are always escaped by Ruby. However, an exception is
+      # when the first two arguments are something like "bash -c" because then
+      # the third argument is effectively the command being run and might be
+      # a malicious executable if it comes (partially or fully) from user input.
+      if dash_c_shell_command?(first_arg, call.second_arg)
+        failure = include_user_input?(args[3]) || dangerous_interp?(args[3])
+      else
+        failure = include_user_input?(first_arg) || dangerous_interp?(first_arg)
+      end
     else
       failure = include_user_input?(args) || dangerous_interp?(args)
     end
@@ -77,6 +93,15 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
     end
   end
 
+  # @return [Boolean] true iff the command given by `first_arg`, `second_arg`
+  #   invokes a new shell process via `<shell_command> -c` (like `bash -c`)
+  def dash_c_shell_command?(first_arg, second_arg)
+    string?(first_arg) &&
+    KNOWN_SHELL_COMMANDS.include?(first_arg.value) &&
+    string?(second_arg) &&
+    second_arg.value == "-c"
+  end
+
   def check_open_calls
     tracker.find_call(:targets => [nil, :Kernel], :method => :open).each do |result|
       if match = dangerous_open_arg?(result[:call].first_arg)
@@ -90,6 +115,24 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
     end
   end
 
+  def include_user_input? exp
+    if node_type? exp, :arglist, :dstr, :evstr, :dxstr
+      exp.each_sexp do |e|
+        if res = include_user_input?(e)
+          return res
+        end
+      end
+
+      false
+    else
+      if shell_escape? exp
+        false
+      else
+        super exp
+      end
+    end
+  end
+
   def dangerous_open_arg? exp
     if string_interp? exp
       # Check for input at start of string

data/lib/brakeman/checks/check_file_access.rb

@@ -32,7 +32,7 @@ class Brakeman::CheckFileAccess < Brakeman::BaseCheck
 
     file_name = call.first_arg
 
-    return if called_on_tempfile?(file_name)
+    return if called_on_tempfile?(file_name) || sanitized?(file_name)
 
     if match = has_immediate_user_input?(file_name)
       confidence = :high
@@ -71,6 +71,12 @@ class Brakeman::CheckFileAccess < Brakeman::BaseCheck
     call?(file_name) && file_name.target == s(:const, :Tempfile)
   end
 
+  def sanitized? file
+    call?(file) &&
+      call?(file.target) &&
+      class_name(file.target.target) == :"ActiveStorage::Filename"
+  end
+
   def temp_file_method? exp
     if call? exp
       return true if exp.call_chain.include? :tempfile

data/lib/brakeman/checks/check_force_ssl.rb

@@ -0,0 +1,27 @@
+class Brakeman::CheckForceSSL < Brakeman::BaseCheck
+  Brakeman::Checks.add_optional self
+
+  @description = "Check that force_ssl setting is enabled in production"
+
+  def run_check
+    return if tracker.config.rails.empty? or tracker.config.rails_version.nil?
+    return if tracker.config.rails_version < "3.1.0"
+
+    force_ssl = tracker.config.rails[:force_ssl]
+
+    if false? force_ssl or force_ssl.nil?
+      line = if sexp? force_ssl
+               force_ssl.line
+             else
+               1
+             end
+
+      warn :warning_type => "Missing Encryption",
+        :warning_code => :force_ssl_disabled,
+        :message => msg("The application does not force use of HTTPS: ", msg_code("config.force_ssl"), " is not enabled"),
+        :confidence => :high,
+        :file => "config/environments/production.rb",
+        :line => line
+    end
+  end
+end

data/lib/brakeman/checks/check_header_dos.rb

@@ -25,7 +25,7 @@ class Brakeman::CheckHeaderDoS < Brakeman::BaseCheck
   end
 
   def has_workaround?
-    tracker.check_initializers(:ActiveSupport, :on_load).any? and
-    tracker.check_initializers(:"ActionView::LookupContext::DetailsKey", :class_eval).any?
+    tracker.find_call(target: :ActiveSupport, method: :on_load).any? and
+      tracker.find_call(target: :"ActionView::LookupContext::DetailsKey", method: :class_eval).any?
   end
 end

data/lib/brakeman/checks/check_i18n_xss.rb

@@ -41,8 +41,8 @@ class Brakeman::CheckI18nXSS < Brakeman::BaseCheck
   end
 
   def has_workaround?
-    tracker.check_initializers(:I18n, :const_defined?).any? do |match|
-      match.last.first_arg == s(:lit, :MissingTranslation)
+    tracker.find_call(target: :I18n, method: :const_defined?, chained: true).any? do |match|
+      match[:call].first_arg == s(:lit, :MissingTranslation)
     end
   end
 end

data/lib/brakeman/checks/check_jruby_xml.rb

@@ -20,8 +20,8 @@ class Brakeman::CheckJRubyXML < Brakeman::BaseCheck
       end
 
     #Check for workaround
-    tracker.check_initializers(:"ActiveSupport::XmlMini", :backend=).each do |result|
-      arg = result.call.first_arg
+    tracker.find_call(target: :"ActiveSupport::XmlMini", method: :backend=, chained: true).each do |result|
+      arg = result[:call].first_arg
 
       return if string? arg and arg.value == "REXML"
     end

data/lib/brakeman/checks/check_json_parsing.rb

@@ -5,6 +5,11 @@ class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
 
   @description = "Checks for JSON parsing vulnerabilities CVE-2013-0333 and CVE-2013-0269"
 
+  def initialize *args
+    super
+    @uses_json_parse = nil
+  end
+
   def run_check
     check_cve_2013_0333
     check_cve_2013_0269
@@ -39,13 +44,13 @@ class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
 
   #Check for `ActiveSupport::JSON.backend = "JSONGem"`
   def uses_gem_backend?
-    matches = tracker.check_initializers(:'ActiveSupport::JSON', :backend=)
+    matches = tracker.find_call(target: :'ActiveSupport::JSON', method: :backend=, chained: true)
 
     unless matches.empty?
       json_gem = s(:str, "JSONGem")
 
       matches.each do |result|
-        if result.call.first_arg == json_gem
+        if result[:call].first_arg == json_gem
           return true
         end
       end

data/lib/brakeman/checks/check_link_to_href.rb

@@ -34,7 +34,12 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
     #an ignored method call by the code above.
     call = result[:call] = result[:call].dup
     @matched = false
-    url_arg = process call.second_arg
+
+    url_arg = if result[:block]
+                process call.first_arg
+              else
+                process call.second_arg
+              end
 
     if check_argument? url_arg
       url_arg = url_arg.first_arg

data/lib/brakeman/checks/check_mail_to.rb

@@ -24,7 +24,7 @@ class Brakeman::CheckMailTo < Brakeman::BaseCheck
         :warning_code => :CVE_2011_0446,
         :message => message,
         :confidence => :high,
-        :gem_info => gemfile_or_environment,
+        :gem_info => gemfile_or_environment, # Probably ignored now
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/8CpI7egxX4E/discussion"
     end
   end

data/lib/brakeman/checks/check_mime_type_dos.rb

@@ -30,8 +30,8 @@ class Brakeman::CheckMimeTypeDoS < Brakeman::BaseCheck
   end
 
   def has_workaround?
-    tracker.check_initializers(:Mime, :const_set).any? do |match|
-      arg = match.call.first_arg
+    tracker.find_call(target: :Mime, method: :const_set).any? do |match|
+      arg = match[:call].first_arg
 
       symbol? arg and arg.value == :LOOKUP
     end

data/lib/brakeman/checks/check_model_attr_accessible.rb

@@ -25,7 +25,7 @@ class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
 
         SUSP_ATTRS.each do |susp_attr, confidence|
           if susp_attr.is_a?(Regexp) and susp_attr =~ attribute.to_s or susp_attr == attribute
-            warn :model => name,
+            warn :model => model,
               :file => model.file,
               :warning_type => "Mass Assignment",
               :warning_code => :dangerous_attr_accessible,

data/lib/brakeman/checks/check_model_attributes.rb

@@ -2,9 +2,6 @@ require 'brakeman/checks/base_check'
 
 #Check if mass assignment is used with models
 #which inherit from ActiveRecord::Base.
-#
-#If tracker.options[:collapse_mass_assignment] is +true+ (default), all models
-#which do not use attr_accessible will be reported in a single warning
 class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
@@ -15,26 +12,19 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
 
     #Roll warnings into one warning for all models
     if tracker.options[:collapse_mass_assignment]
-      no_accessible_names = []
-      protected_names = []
-
-      check_models do |name, model|
-        if model.attr_protected.nil?
-          no_accessible_names << name.to_s
-        elsif not tracker.options[:ignore_attr_protected]
-          protected_names << name.to_s
-        end
-      end
+      Brakeman.notify "[Notice] The `collapse_mass_assignment` option has been removed."
+    end
 
-      unless no_accessible_names.empty?
-        warn :model => no_accessible_names.sort.join(", "),
+    check_models do |name, model|
+      if model.attr_protected.nil?
+        warn :model => model,
+          :file => model.file,
+          :line => model.top_line,
           :warning_type => "Attribute Restriction",
           :warning_code => :no_attr_accessible,
           :message => msg("Mass assignment is not restricted using ", msg_code("attr_accessible")),
           :confidence => :high
-      end
-
-      unless protected_names.empty?
+      elsif not tracker.options[:ignore_attr_protected]
         message, confidence, link = check_for_attr_protected_bypass
 
         if link
@@ -43,41 +33,13 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
           warning_code = :attr_protected_used
         end
 
-        warn :model => protected_names.sort.join(", "),
+        warn :model => model,
+          :file => model.file,
+          :line => model.attr_protected.first.line,
           :warning_type => "Attribute Restriction",
           :warning_code => warning_code,
           :message => message,
-          :confidence => confidence,
-          :link => link
-      end
-    else #Output one warning per model
-
-      check_models do |name, model|
-        if model.attr_protected.nil?
-          warn :model => name,
-            :file => model.file,
-            :line => model.top_line,
-            :warning_type => "Attribute Restriction",
-            :warning_code => :no_attr_accessible,
-            :message => msg("Mass assignment is not restricted using ", msg_code("attr_accessible")),
-            :confidence => :high
-        elsif not tracker.options[:ignore_attr_protected]
-          message, confidence, link = check_for_attr_protected_bypass
-
-          if link
-            warning_code = :CVE_2013_0276
-          else
-            warning_code = :attr_protected_used
-          end
-
-          warn :model => name,
-            :file => model.file,
-            :line => model.attr_protected.first.line,
-            :warning_type => "Attribute Restriction",
-            :warning_code => warning_code,
-            :message => message,
-            :confidence => confidence
-        end
+          :confidence => confidence
       end
     end
   end