brakeman-lib 4.4.0 → 4.7.0

data/lib/brakeman/checks/check_model_serialize.rb

@@ -54,7 +54,7 @@ class Brakeman::CheckModelSerialize < Brakeman::BaseCheck
         confidence = :high
       end
 
-      warn :model => model.name,
+      warn :model => model,
         :warning_type => "Remote Code Execution",
         :warning_code => :CVE_2013_0277,
         :message => msg("Serialized attributes are vulnerable in ", msg_version(rails_version), ", upgrade to ", msg_version(@upgrade_version), " or patch"),

data/lib/brakeman/checks/check_nested_attributes_bypass.rb

@@ -22,17 +22,17 @@ class Brakeman::CheckNestedAttributesBypass < Brakeman::BaseCheck
       if opts = model.options[:accepts_nested_attributes_for]
         opts.each do |args|
           if args.any? { |a| allow_destroy? a } and args.any? { |a| reject_if? a }
-            warn_about_nested_attributes name, model, args
+            warn_about_nested_attributes model, args
           end
         end
       end
     end
   end
 
-  def warn_about_nested_attributes name, model, args
+  def warn_about_nested_attributes model, args
     message = msg(msg_version(rails_version), " does not call ", msg_code(":reject_if"), " option when ", msg_code(":allow_destroy"), " is ", msg_code("false"), " ", msg_cve("CVE-2015-7577"))
 
-    warn :model => name,
+    warn :model => model,
       :warning_type => "Nested Attributes",
       :warning_code => :CVE_2015_7577,
       :message => message,
@@ -53,6 +53,6 @@ class Brakeman::CheckNestedAttributesBypass < Brakeman::BaseCheck
   end
 
   def workaround?
-    tracker.check_initializers([], :will_be_destroyed?).any?
+    tracker.find_call(method: :will_be_destroyed?).any?
   end
 end

data/lib/brakeman/checks/check_reverse_tabnabbing.rb

@@ -0,0 +1,54 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckReverseTabnabbing < Brakeman::BaseCheck
+  Brakeman::Checks.add_optional self
+
+  @description = "Checks for reverse tabnabbing cases on 'link_to' calls"
+
+  def run_check
+    calls = tracker.find_call :methods => :link_to
+    calls.each do |call|
+      process_result call
+    end
+  end
+
+  def process_result result
+    return unless original? result and result[:call].last_arg
+
+    html_opts = result[:call].last_arg
+    return unless hash? html_opts
+
+    target = hash_access html_opts, :target
+    return unless target && string?(target) && target.value == "_blank"
+
+    target_url = result[:block] ? result[:call].first_arg : result[:call].second_arg
+
+    # `url_for` and `_path` calls lead to urls on to the same origin.
+    # That means that an adversary would need to run javascript on
+    # the victim application's domain. If that is the case, the adversary
+    # already has the ability to redirect the victim user anywhere.
+    # Also statically provided URLs (interpolated or otherwise) are also
+    # ignored as they produce many false positives.
+    return if !call?(target_url) || target_url.method.match(/^url_for$|_path$/)
+
+    rel = hash_access html_opts, :rel
+    confidence = :medium
+
+    if rel && string?(rel) then
+      rel_opt = rel.value
+      return if rel_opt.include?("noopener") && rel_opt.include?("noreferrer")
+
+      if rel_opt.include?("noopener") ^ rel_opt.include?("noreferrer") then
+        confidence = :weak
+      end
+    end
+
+    warn :result => result,
+      :warning_type => "Reverse Tabnabbing",
+      :warning_code => :reverse_tabnabbing,
+      :message => msg("When opening a link in a new tab without setting ", msg_code('rel: "noopener noreferrer"'),
+                      ", the new tab can control the parent tab's location. For example, an attacker could redirect to a phishing page."),
+      :confidence => confidence,
+      :user_input => rel
+  end
+end

data/lib/brakeman/checks/check_sanitize_methods.rb

@@ -70,7 +70,7 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
 
   def check_cve_2018_8048
     if loofah_vulnerable_cve_2018_8048?
-      message = msg(msg_version(tracker.config.gem_version(:loofah), "loofah gem"), " is vulnerable (CVE-2018-8048). Upgrade to 2.1.2")
+      message = msg(msg_version(tracker.config.gem_version(:loofah), "loofah gem"), " is vulnerable (CVE-2018-8048). Upgrade to 2.2.1")
 
       if tracker.find_call(:target => false, :method => :sanitize).any?
         confidence = :high
@@ -90,7 +90,7 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
   def loofah_vulnerable_cve_2018_8048?
     loofah_version = tracker.config.gem_version(:loofah)
 
-    loofah_version and loofah_version < "2.1.2"
+    loofah_version and loofah_version < "2.2.1"
   end
 
   def warn_sanitizer_cve cve, link, upgrade_version

data/lib/brakeman/checks/check_secrets.rb

@@ -35,6 +35,6 @@ class Brakeman::CheckSecrets < Brakeman::BaseCheck
 
   def looks_like_secret? name
     # REST_AUTH_SITE_KEY is the pepper in Devise
-    name.match /password|secret|(rest_auth_site|api)_key$/i
+    name.match(/password|secret|(rest_auth_site|api)_key$/i)
   end
 end

data/lib/brakeman/checks/check_send.rb

@@ -28,7 +28,6 @@ class Brakeman::CheckSend < Brakeman::BaseCheck
         :warning_type => "Dangerous Send",
         :warning_code => :dangerous_send,
         :message => "User controlled method execution",
-        :code => result[:call],
         :user_input => input,
         :confidence => :high
     end

data/lib/brakeman/checks/check_session_manipulation.rb

@@ -27,7 +27,6 @@ class Brakeman::CheckSessionManipulation < Brakeman::BaseCheck
         :warning_type => "Session Manipulation",
         :warning_code => :session_key_manipulation,
         :message => msg(msg_input(input), " used as key in session hash"),
-        :code => result[:call],
         :user_input => input,
         :confidence => confidence
     end

data/lib/brakeman/checks/check_session_settings.rb

@@ -19,10 +19,13 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
   def run_check
     settings = tracker.config.session_settings 
 
-    check_for_issues settings, @app_tree.expand_path("config/environment.rb")
+    check_for_issues settings, @app_tree.file_path("config/environment.rb")
 
-    ["session_store.rb", "secret_token.rb"].each do |file|
-      if tracker.initializers[file] and not ignored? file
+    session_store = @app_tree.file_path("config/initializers/session_store.rb")
+    secret_token = @app_tree.file_path("config/initializers/secret_token.rb")
+
+    [session_store, secret_token].each do |file|
+      if tracker.initializers[file] and not ignored? file.basename
         process tracker.initializers[file]
       end
     end
@@ -42,13 +45,13 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
   #in Rails 4.x apps
   def process_attrasgn exp
     if not tracker.options[:rails3] and exp.target == @session_settings and exp.method == :session=
-      check_for_issues exp.first_arg, @app_tree.expand_path("config/initializers/session_store.rb")
+      check_for_issues exp.first_arg, @app_tree.file_path("config/initializers/session_store.rb")
     end
 
     if tracker.options[:rails3] and settings_target?(exp.target) and
       (exp.method == :secret_token= or exp.method == :secret_key_base=) and string? exp.first_arg
 
-      warn_about_secret_token exp.line, @app_tree.expand_path("config/initializers/secret_token.rb")
+      warn_about_secret_token exp.line, @app_tree.file_path("config/initializers/secret_token.rb")
     end
 
     exp
@@ -58,7 +61,7 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
   #in Rails 3.x apps
   def process_call exp
     if tracker.options[:rails3] and settings_target?(exp.target) and exp.method == :session_store
-      check_for_rails3_issues exp.second_arg, @app_tree.expand_path("config/initializers/session_store.rb")
+      check_for_rails3_issues exp.second_arg, @app_tree.file_path("config/initializers/session_store.rb")
     end
 
     exp
@@ -109,10 +112,10 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
   end
 
   def check_secrets_yaml
-    secrets_file = "config/secrets.yml"
+    secrets_file = @app_tree.file_path("config/secrets.yml")
 
-    if @app_tree.exists? secrets_file and not ignored? "secrets.yml" and not ignored? "config/*.yml"
-      yaml = @app_tree.read secrets_file
+    if secrets_file.exists? and not ignored? "secrets.yml" and not ignored? "config/*.yml"
+      yaml = secrets_file.read
       require 'date' # https://github.com/dtao/safe_yaml/issues/80
       require 'safe_yaml/load'
       begin
@@ -127,7 +130,7 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
         unless secret.include? "<%="
           line = yaml.lines.find_index { |l| l.include? secret } + 1
 
-          warn_about_secret_token line, @app_tree.expand_path(secrets_file)
+          warn_about_secret_token line, @app_tree.file_path(secrets_file)
         end
       end
     end
@@ -163,9 +166,9 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
 
   def ignored? file
     [".", "config", "config/initializers"].each do |dir|
-      ignore_file = "#{dir}/.gitignore"
+      ignore_file = @app_tree.file_path("#{dir}/.gitignore")
       if @app_tree.exists? ignore_file
-        input = @app_tree.read(ignore_file)
+        input = ignore_file.read 
 
         return true if input.include? file
       end

data/lib/brakeman/checks/check_simple_format.rb

@@ -5,6 +5,11 @@ class Brakeman::CheckSimpleFormat < Brakeman::CheckCrossSiteScripting
 
   @description = "Checks for simple_format XSS vulnerability (CVE-2013-6416) in certain versions"
 
+  def initialize *args
+    super
+    @found_any = false
+  end
+
   def run_check
     if version_between? "4.0.0", "4.0.1"
       @inspect_arguments = true

data/lib/brakeman/checks/check_skip_before_filter.rb

@@ -38,7 +38,7 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
         :message => msg("Use whitelist (", msg_code(":only => [..]"), ") when skipping authentication"),
         :code => filter,
         :confidence => :medium,
-        :link => "authentication_whitelist",
+        :link_path => "authentication_whitelist",
         :file => controller.file
     end
   end

data/lib/brakeman/checks/check_sql.rb

@@ -14,12 +14,15 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   @description = "Check for SQL injection"
 
   def run_check
-    narrow_targets = [:exists?, :select]
+    # Avoid reporting `user_input` on silly values when generating warning.
+    # Note that we retroactively find `user_input` inside the "dangerous" value.
+    @safe_input_attributes.merge IGNORE_METHODS_IN_SQL
 
     @sql_targets = [:average, :calculate, :count, :count_by_sql, :delete_all, :destroy_all,
                     :find_by_sql, :maximum, :minimum, :pluck, :sum, :update_all]
     @sql_targets.concat [:from, :group, :having, :joins, :lock, :order, :reorder, :where] if tracker.options[:rails3]
-    @sql_targets << :find_by << :find_by! << :not if tracker.options[:rails4]
+    @sql_targets.concat [:find_by, :find_by!, :find_or_create_by, :find_or_create_by!, :find_or_initialize_by, :not] if tracker.options[:rails4]
+    @sql_targets << :delete_by << :destroy_by if tracker.options[:rails6]
 
     if version_between?("2.0.0", "3.9.9") or tracker.config.rails_version.nil?
       @sql_targets << :first << :last << :all
@@ -43,6 +46,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     Brakeman.debug "Finding possible SQL calls on models"
     calls = tracker.find_call(:methods => @sql_targets, :nested => true)
 
+    narrow_targets = [:exists?, :select]
     calls.concat tracker.find_call(:targets => active_record_models.keys, :methods => narrow_targets, :chained => true)
 
     Brakeman.debug "Finding possible SQL calls with no target"
@@ -68,23 +72,23 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     scope_calls = []
 
     if version_between?("2.1.0", "3.0.9")
-      ar_scope_calls(:named_scope) do |name, args|
+      ar_scope_calls(:named_scope) do |model, args|
         call = make_call(nil, :named_scope, args).line(args.line)
-        scope_calls << scope_call_hash(call, name, :named_scope)
+        scope_calls << scope_call_hash(call, model, :named_scope)
       end
     elsif version_between?("3.1.0", "9.9.9")
-      ar_scope_calls(:scope) do |name, args|
+      ar_scope_calls(:scope) do |model, args|
         second_arg = args[2]
         next unless sexp? second_arg
 
         if second_arg.node_type == :iter and node_type? second_arg.block, :block, :call, :safe_call
-          process_scope_with_block(name, args)
+          process_scope_with_block(model, args)
         elsif call? second_arg
           call = second_arg
-          scope_calls << scope_call_hash(call, name, call.method)
+          scope_calls << scope_call_hash(call, model, call.method)
         else
           call = make_call(nil, :scope, args).line(args.line)
-          scope_calls << scope_call_hash(call, name, :scope)
+          scope_calls << scope_call_hash(call, model, :scope)
         end
       end
     end
@@ -93,37 +97,34 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   end
 
   def ar_scope_calls(symbol_name = :named_scope, &block)
-    return_array = []
     active_record_models.each do |name, model|
       model_args = model.options[symbol_name]
       if model_args
         model_args.each do |args|
-          yield name, args
-          return_array << [name, args]
+          yield model, args
         end
       end
     end
-    return_array
   end
 
-  def scope_call_hash(call, name, method)
-    { :call => call, :location => { :type => :class, :class => name }, :method => :named_scope }
+  def scope_call_hash(call, model, method)
+    { :call => call, :location => { :type => :class, :class => model.name, :file => model.file }, :method => :named_scope }
   end
 
 
-  def process_scope_with_block model_name, args
+  def process_scope_with_block model, args
     scope_name = args[1][1]
     block = args[-1][-1]
 
     # Search lambda for calls to query methods
     if block.node_type == :block
       find_calls = Brakeman::FindAllCalls.new(tracker)
-      find_calls.process_source(block, :class => model_name, :method => scope_name)
+      find_calls.process_source(block, :class => model.name, :method => scope_name, :file => model.file)
       find_calls.calls.each { |call| process_result(call) if @sql_targets.include?(call[:method]) }
     elsif call? block
       while call? block
         process_result :target => block.target, :method => block.method, :call => block,
-         :location => { :type => :class, :class => model_name, :method => scope_name }
+          :location => { :type => :class, :class => model.name, :method => scope_name, :file => model.file }
 
         block = block.target
       end
@@ -184,7 +185,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
                         else
                           check_find_arguments call.last_arg
                         end
-                      when :where, :having, :find_by, :find_by!, :not
+                      when :where, :having, :find_by, :find_by!, :find_or_create_by, :find_or_create_by!, :find_or_initialize_by,:not, :delete_by, :destroy_by
                         check_query_arguments call.arglist
                       when :order, :group, :reorder
                         check_order_arguments call.arglist
@@ -294,7 +295,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
         # Model.where(params[:where])
         arg
       end
-    elsif hash? arg
+    elsif hash? arg and not kwsplat? arg
       #This is generally going to be a hash of column names and values, which
       #would escape the values. But the keys _could_ be user input.
       check_hash_keys arg
@@ -452,7 +453,13 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     when :dstr
       check_string_interp exp
     when :hash
-      check_hash_values exp unless ignore_hash
+      if kwsplat? exp and has_immediate_user_input? exp
+        exp
+      elsif not ignore_hash
+        check_hash_values exp
+      else
+        nil
+      end
     when :if
       unsafe_sql? exp.then_clause or unsafe_sql? exp.else_clause
     when :call

data/lib/brakeman/checks/check_validation_regex.rb

@@ -17,7 +17,7 @@ class Brakeman::CheckValidationRegex < Brakeman::BaseCheck
 
   def run_check
     active_record_models.each do |name, model|
-      @current_model = name
+      @current_model = model
       format_validations = model.options[:validates_format_of]
 
       if format_validations

data/lib/brakeman/checks/check_xml_dos.rb

@@ -34,8 +34,8 @@ class Brakeman::CheckXMLDoS < Brakeman::BaseCheck
   end
 
   def has_workaround?
-    tracker.check_initializers(:"ActiveSupport::XmlMini", :backend=).any? do |match|
-      arg = match.call.first_arg
+    tracker.find_call(target: :"ActiveSupport::XmlMini", method: :backend=).any? do |match|
+      arg = match[:call].first_arg
       if string? arg
         value = arg.value
         value == 'Nokogiri' or value == 'LibXML'

data/lib/brakeman/checks/check_yaml_parsing.rb

@@ -48,21 +48,17 @@ class Brakeman::CheckYAMLParsing < Brakeman::BaseCheck
   def disabled_xml_parser?
     if version_between? "0.0.0", "2.3.14"
       #Look for ActionController::Base.param_parsers.delete(Mime::XML)
-      params_parser = s(:call,
-                        s(:colon2, s(:const, :ActionController), :Base),
-                        :param_parsers)
-
-      matches = tracker.check_initializers(params_parser, :delete)
+      matches = tracker.find_call(target: :"ActionController::Base.param_parsers", method: :delete)
     else
       #Look for ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML)
-      matches = tracker.check_initializers(:"ActionDispatch::ParamsParser::DEFAULT_PARSERS", :delete)
+      matches = tracker.find_call(target: :"ActionDispatch::ParamsParser::DEFAULT_PARSERS", method: :delete)
     end
 
     unless matches.empty?
       mime_xml = s(:colon2, s(:const, :Mime), :XML)
 
       matches.each do |result|
-        if result.call.first_arg == mime_xml
+        if result[:call].first_arg == mime_xml
           return true
         end
       end
@@ -74,18 +70,14 @@ class Brakeman::CheckYAMLParsing < Brakeman::BaseCheck
   #Look for ActionController::Base.param_parsers[Mime::YAML] = :yaml
   #in Rails 2.x apps
   def enabled_yaml_parser?
-    param_parsers = s(:call,
-                      s(:colon2, s(:const, :ActionController), :Base),
-                      :param_parsers)
-
-    matches = tracker.check_initializers(param_parsers, :[]=)
+    matches = tracker.find_call(target: :'ActionController::Base.param_parsers', method: :[]=)
 
     mime_yaml = s(:colon2, s(:const, :Mime), :YAML)
 
     matches.each do |result|
-      if result.call.first_arg == mime_yaml and
-        symbol? result.call.second_arg and
-        result.call.second_arg.value == :yaml
+      if result[:call].first_arg == mime_yaml and
+        symbol? result[:call].second_arg and
+        result[:call].second_arg.value == :yaml
 
         return true
       end
@@ -96,16 +88,16 @@ class Brakeman::CheckYAMLParsing < Brakeman::BaseCheck
 
   def disabled_xml_dangerous_types?
     if version_between? "0.0.0", "2.3.14"
-      matches = tracker.check_initializers(:"ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING", :delete)
+      matches = tracker.find_call(target: :"ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING", method: :delete)
     else
-      matches = tracker.check_initializers(:"ActiveSupport::XmlMini::PARSING", :delete)
+      matches = tracker.find_call(target: :"ActiveSupport::XmlMini::PARSING", method: :delete)
     end
 
     symbols_off = false
     yaml_off = false
 
     matches.each do |result|
-      arg = result.call.first_arg
+      arg = result[:call].first_arg
 
       if string? arg
         if arg.value == "yaml"