brakeman-lib 4.5.0 → 4.7.1

data/lib/brakeman/checks/check_model_serialize.rb

@@ -54,7 +54,7 @@ class Brakeman::CheckModelSerialize < Brakeman::BaseCheck
         confidence = :high
       end
 
-      warn :model => model.name,
+      warn :model => model,
         :warning_type => "Remote Code Execution",
         :warning_code => :CVE_2013_0277,
         :message => msg("Serialized attributes are vulnerable in ", msg_version(rails_version), ", upgrade to ", msg_version(@upgrade_version), " or patch"),

data/lib/brakeman/checks/check_nested_attributes_bypass.rb

@@ -22,17 +22,17 @@ class Brakeman::CheckNestedAttributesBypass < Brakeman::BaseCheck
       if opts = model.options[:accepts_nested_attributes_for]
         opts.each do |args|
           if args.any? { |a| allow_destroy? a } and args.any? { |a| reject_if? a }
-            warn_about_nested_attributes name, model, args
+            warn_about_nested_attributes model, args
           end
         end
       end
     end
   end
 
-  def warn_about_nested_attributes name, model, args
+  def warn_about_nested_attributes model, args
     message = msg(msg_version(rails_version), " does not call ", msg_code(":reject_if"), " option when ", msg_code(":allow_destroy"), " is ", msg_code("false"), " ", msg_cve("CVE-2015-7577"))
 
-    warn :model => name,
+    warn :model => model,
       :warning_type => "Nested Attributes",
       :warning_code => :CVE_2015_7577,
       :message => message,
@@ -53,6 +53,6 @@ class Brakeman::CheckNestedAttributesBypass < Brakeman::BaseCheck
   end
 
   def workaround?
-    tracker.check_initializers([], :will_be_destroyed?).any?
+    tracker.find_call(method: :will_be_destroyed?).any?
   end
 end

data/lib/brakeman/checks/check_reverse_tabnabbing.rb

@@ -0,0 +1,58 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckReverseTabnabbing < Brakeman::BaseCheck
+  Brakeman::Checks.add_optional self
+
+  @description = "Checks for reverse tabnabbing cases on 'link_to' calls"
+
+  def run_check
+    calls = tracker.find_call :methods => :link_to
+    calls.each do |call|
+      process_result call
+    end
+  end
+
+  def process_result result
+    return unless original? result and result[:call].last_arg
+
+    html_opts = result[:call].last_arg
+    return unless hash? html_opts
+
+    target = hash_access html_opts, :target
+    unless target &&
+          (string?(target) && target.value == "_blank" ||
+          symbol?(target) && target.value == :_blank)
+      return
+    end
+
+    target_url = result[:block] ? result[:call].first_arg : result[:call].second_arg
+
+    # `url_for` and `_path` calls lead to urls on to the same origin.
+    # That means that an adversary would need to run javascript on
+    # the victim application's domain. If that is the case, the adversary
+    # already has the ability to redirect the victim user anywhere.
+    # Also statically provided URLs (interpolated or otherwise) are also
+    # ignored as they produce many false positives.
+    return if !call?(target_url) || target_url.method.match(/^url_for$|_path$/)
+
+    rel = hash_access html_opts, :rel
+    confidence = :medium
+
+    if rel && string?(rel) then
+      rel_opt = rel.value
+      return if rel_opt.include?("noopener") && rel_opt.include?("noreferrer")
+
+      if rel_opt.include?("noopener") ^ rel_opt.include?("noreferrer") then
+        confidence = :weak
+      end
+    end
+
+    warn :result => result,
+      :warning_type => "Reverse Tabnabbing",
+      :warning_code => :reverse_tabnabbing,
+      :message => msg("When opening a link in a new tab without setting ", msg_code('rel: "noopener noreferrer"'),
+                      ", the new tab can control the parent tab's location. For example, an attacker could redirect to a phishing page."),
+      :confidence => confidence,
+      :user_input => rel
+  end
+end

data/lib/brakeman/checks/check_sanitize_methods.rb

@@ -70,7 +70,7 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
 
   def check_cve_2018_8048
     if loofah_vulnerable_cve_2018_8048?
-      message = msg(msg_version(tracker.config.gem_version(:loofah), "loofah gem"), " is vulnerable (CVE-2018-8048). Upgrade to 2.1.2")
+      message = msg(msg_version(tracker.config.gem_version(:loofah), "loofah gem"), " is vulnerable (CVE-2018-8048). Upgrade to 2.2.1")
 
       if tracker.find_call(:target => false, :method => :sanitize).any?
         confidence = :high
@@ -90,7 +90,7 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
   def loofah_vulnerable_cve_2018_8048?
     loofah_version = tracker.config.gem_version(:loofah)
 
-    loofah_version and loofah_version < "2.1.2"
+    loofah_version and loofah_version < "2.2.1"
   end
 
   def warn_sanitizer_cve cve, link, upgrade_version

data/lib/brakeman/checks/check_secrets.rb

@@ -35,6 +35,6 @@ class Brakeman::CheckSecrets < Brakeman::BaseCheck
 
   def looks_like_secret? name
     # REST_AUTH_SITE_KEY is the pepper in Devise
-    name.match /password|secret|(rest_auth_site|api)_key$/i
+    name.match(/password|secret|(rest_auth_site|api)_key$/i)
   end
 end

data/lib/brakeman/checks/check_session_settings.rb

@@ -19,10 +19,13 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
   def run_check
     settings = tracker.config.session_settings 
 
-    check_for_issues settings, @app_tree.expand_path("config/environment.rb")
+    check_for_issues settings, @app_tree.file_path("config/environment.rb")
 
-    ["session_store.rb", "secret_token.rb"].each do |file|
-      if tracker.initializers[file] and not ignored? file
+    session_store = @app_tree.file_path("config/initializers/session_store.rb")
+    secret_token = @app_tree.file_path("config/initializers/secret_token.rb")
+
+    [session_store, secret_token].each do |file|
+      if tracker.initializers[file] and not ignored? file.basename
         process tracker.initializers[file]
       end
     end
@@ -42,13 +45,13 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
   #in Rails 4.x apps
   def process_attrasgn exp
     if not tracker.options[:rails3] and exp.target == @session_settings and exp.method == :session=
-      check_for_issues exp.first_arg, @app_tree.expand_path("config/initializers/session_store.rb")
+      check_for_issues exp.first_arg, @app_tree.file_path("config/initializers/session_store.rb")
     end
 
     if tracker.options[:rails3] and settings_target?(exp.target) and
       (exp.method == :secret_token= or exp.method == :secret_key_base=) and string? exp.first_arg
 
-      warn_about_secret_token exp.line, @app_tree.expand_path("config/initializers/secret_token.rb")
+      warn_about_secret_token exp.line, @app_tree.file_path("config/initializers/secret_token.rb")
     end
 
     exp
@@ -58,7 +61,7 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
   #in Rails 3.x apps
   def process_call exp
     if tracker.options[:rails3] and settings_target?(exp.target) and exp.method == :session_store
-      check_for_rails3_issues exp.second_arg, @app_tree.expand_path("config/initializers/session_store.rb")
+      check_for_rails3_issues exp.second_arg, @app_tree.file_path("config/initializers/session_store.rb")
     end
 
     exp
@@ -109,10 +112,10 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
   end
 
   def check_secrets_yaml
-    secrets_file = "config/secrets.yml"
+    secrets_file = @app_tree.file_path("config/secrets.yml")
 
-    if @app_tree.exists? secrets_file and not ignored? "secrets.yml" and not ignored? "config/*.yml"
-      yaml = @app_tree.read secrets_file
+    if secrets_file.exists? and not ignored? "secrets.yml" and not ignored? "config/*.yml"
+      yaml = secrets_file.read
       require 'date' # https://github.com/dtao/safe_yaml/issues/80
       require 'safe_yaml/load'
       begin
@@ -127,7 +130,7 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
         unless secret.include? "<%="
           line = yaml.lines.find_index { |l| l.include? secret } + 1
 
-          warn_about_secret_token line, @app_tree.expand_path(secrets_file)
+          warn_about_secret_token line, @app_tree.file_path(secrets_file)
         end
       end
     end
@@ -163,9 +166,9 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
 
   def ignored? file
     [".", "config", "config/initializers"].each do |dir|
-      ignore_file = "#{dir}/.gitignore"
+      ignore_file = @app_tree.file_path("#{dir}/.gitignore")
       if @app_tree.exists? ignore_file
-        input = @app_tree.read(ignore_file)
+        input = ignore_file.read 
 
         return true if input.include? file
       end

data/lib/brakeman/checks/check_simple_format.rb

@@ -5,6 +5,11 @@ class Brakeman::CheckSimpleFormat < Brakeman::CheckCrossSiteScripting
 
   @description = "Checks for simple_format XSS vulnerability (CVE-2013-6416) in certain versions"
 
+  def initialize *args
+    super
+    @found_any = false
+  end
+
   def run_check
     if version_between? "4.0.0", "4.0.1"
       @inspect_arguments = true

data/lib/brakeman/checks/check_skip_before_filter.rb

@@ -38,7 +38,7 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
         :message => msg("Use whitelist (", msg_code(":only => [..]"), ") when skipping authentication"),
         :code => filter,
         :confidence => :medium,
-        :link => "authentication_whitelist",
+        :link_path => "authentication_whitelist",
         :file => controller.file
     end
   end

data/lib/brakeman/checks/check_sql.rb

@@ -21,7 +21,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     @sql_targets = [:average, :calculate, :count, :count_by_sql, :delete_all, :destroy_all,
                     :find_by_sql, :maximum, :minimum, :pluck, :sum, :update_all]
     @sql_targets.concat [:from, :group, :having, :joins, :lock, :order, :reorder, :where] if tracker.options[:rails3]
-    @sql_targets << :find_by << :find_by! << :not if tracker.options[:rails4]
+    @sql_targets.concat [:find_by, :find_by!, :find_or_create_by, :find_or_create_by!, :find_or_initialize_by, :not] if tracker.options[:rails4]
+    @sql_targets << :delete_by << :destroy_by if tracker.options[:rails6]
 
     if version_between?("2.0.0", "3.9.9") or tracker.config.rails_version.nil?
       @sql_targets << :first << :last << :all
@@ -71,23 +72,23 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     scope_calls = []
 
     if version_between?("2.1.0", "3.0.9")
-      ar_scope_calls(:named_scope) do |name, args|
+      ar_scope_calls(:named_scope) do |model, args|
         call = make_call(nil, :named_scope, args).line(args.line)
-        scope_calls << scope_call_hash(call, name, :named_scope)
+        scope_calls << scope_call_hash(call, model, :named_scope)
       end
     elsif version_between?("3.1.0", "9.9.9")
-      ar_scope_calls(:scope) do |name, args|
+      ar_scope_calls(:scope) do |model, args|
         second_arg = args[2]
         next unless sexp? second_arg
 
         if second_arg.node_type == :iter and node_type? second_arg.block, :block, :call, :safe_call
-          process_scope_with_block(name, args)
+          process_scope_with_block(model, args)
         elsif call? second_arg
           call = second_arg
-          scope_calls << scope_call_hash(call, name, call.method)
+          scope_calls << scope_call_hash(call, model, call.method)
         else
           call = make_call(nil, :scope, args).line(args.line)
-          scope_calls << scope_call_hash(call, name, :scope)
+          scope_calls << scope_call_hash(call, model, :scope)
         end
       end
     end
@@ -96,37 +97,34 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   end
 
   def ar_scope_calls(symbol_name = :named_scope, &block)
-    return_array = []
     active_record_models.each do |name, model|
       model_args = model.options[symbol_name]
       if model_args
         model_args.each do |args|
-          yield name, args
-          return_array << [name, args]
+          yield model, args
         end
       end
     end
-    return_array
   end
 
-  def scope_call_hash(call, name, method)
-    { :call => call, :location => { :type => :class, :class => name }, :method => :named_scope }
+  def scope_call_hash(call, model, method)
+    { :call => call, :location => { :type => :class, :class => model.name, :file => model.file }, :method => :named_scope }
   end
 
 
-  def process_scope_with_block model_name, args
+  def process_scope_with_block model, args
     scope_name = args[1][1]
     block = args[-1][-1]
 
     # Search lambda for calls to query methods
     if block.node_type == :block
       find_calls = Brakeman::FindAllCalls.new(tracker)
-      find_calls.process_source(block, :class => model_name, :method => scope_name)
+      find_calls.process_source(block, :class => model.name, :method => scope_name, :file => model.file)
       find_calls.calls.each { |call| process_result(call) if @sql_targets.include?(call[:method]) }
     elsif call? block
       while call? block
         process_result :target => block.target, :method => block.method, :call => block,
-         :location => { :type => :class, :class => model_name, :method => scope_name }
+          :location => { :type => :class, :class => model.name, :method => scope_name, :file => model.file }
 
         block = block.target
       end
@@ -187,7 +185,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
                         else
                           check_find_arguments call.last_arg
                         end
-                      when :where, :having, :find_by, :find_by!, :not
+                      when :where, :having, :find_by, :find_by!, :find_or_create_by, :find_or_create_by!, :find_or_initialize_by,:not, :delete_by, :destroy_by
                         check_query_arguments call.arglist
                       when :order, :group, :reorder
                         check_order_arguments call.arglist

data/lib/brakeman/checks/check_validation_regex.rb

@@ -17,7 +17,7 @@ class Brakeman::CheckValidationRegex < Brakeman::BaseCheck
 
   def run_check
     active_record_models.each do |name, model|
-      @current_model = name
+      @current_model = model
       format_validations = model.options[:validates_format_of]
 
       if format_validations

data/lib/brakeman/checks/check_xml_dos.rb

@@ -34,8 +34,8 @@ class Brakeman::CheckXMLDoS < Brakeman::BaseCheck
   end
 
   def has_workaround?
-    tracker.check_initializers(:"ActiveSupport::XmlMini", :backend=).any? do |match|
-      arg = match.call.first_arg
+    tracker.find_call(target: :"ActiveSupport::XmlMini", method: :backend=).any? do |match|
+      arg = match[:call].first_arg
       if string? arg
         value = arg.value
         value == 'Nokogiri' or value == 'LibXML'

data/lib/brakeman/checks/check_yaml_parsing.rb

@@ -48,21 +48,17 @@ class Brakeman::CheckYAMLParsing < Brakeman::BaseCheck
   def disabled_xml_parser?
     if version_between? "0.0.0", "2.3.14"
       #Look for ActionController::Base.param_parsers.delete(Mime::XML)
-      params_parser = s(:call,
-                        s(:colon2, s(:const, :ActionController), :Base),
-                        :param_parsers)
-
-      matches = tracker.check_initializers(params_parser, :delete)
+      matches = tracker.find_call(target: :"ActionController::Base.param_parsers", method: :delete)
     else
       #Look for ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML)
-      matches = tracker.check_initializers(:"ActionDispatch::ParamsParser::DEFAULT_PARSERS", :delete)
+      matches = tracker.find_call(target: :"ActionDispatch::ParamsParser::DEFAULT_PARSERS", method: :delete)
     end
 
     unless matches.empty?
       mime_xml = s(:colon2, s(:const, :Mime), :XML)
 
       matches.each do |result|
-        if result.call.first_arg == mime_xml
+        if result[:call].first_arg == mime_xml
           return true
         end
       end
@@ -74,18 +70,14 @@ class Brakeman::CheckYAMLParsing < Brakeman::BaseCheck
   #Look for ActionController::Base.param_parsers[Mime::YAML] = :yaml
   #in Rails 2.x apps
   def enabled_yaml_parser?
-    param_parsers = s(:call,
-                      s(:colon2, s(:const, :ActionController), :Base),
-                      :param_parsers)
-
-    matches = tracker.check_initializers(param_parsers, :[]=)
+    matches = tracker.find_call(target: :'ActionController::Base.param_parsers', method: :[]=)
 
     mime_yaml = s(:colon2, s(:const, :Mime), :YAML)
 
     matches.each do |result|
-      if result.call.first_arg == mime_yaml and
-        symbol? result.call.second_arg and
-        result.call.second_arg.value == :yaml
+      if result[:call].first_arg == mime_yaml and
+        symbol? result[:call].second_arg and
+        result[:call].second_arg.value == :yaml
 
         return true
       end
@@ -96,16 +88,16 @@ class Brakeman::CheckYAMLParsing < Brakeman::BaseCheck
 
   def disabled_xml_dangerous_types?
     if version_between? "0.0.0", "2.3.14"
-      matches = tracker.check_initializers(:"ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING", :delete)
+      matches = tracker.find_call(target: :"ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING", method: :delete)
     else
-      matches = tracker.check_initializers(:"ActiveSupport::XmlMini::PARSING", :delete)
+      matches = tracker.find_call(target: :"ActiveSupport::XmlMini::PARSING", method: :delete)
     end
 
     symbols_off = false
     yaml_off = false
 
     matches.each do |result|
-      arg = result.call.first_arg
+      arg = result[:call].first_arg
 
       if string? arg
         if arg.value == "yaml"

data/lib/brakeman/differ.rb

@@ -24,43 +24,31 @@ class Brakeman::Differ
   # second pass to cleanup any vulns which have changed in line number only.
   # Given a list of new warnings, delete pairs of new/fixed vulns that differ
   # only by line number.
-  # Horrible O(n^2) performance.  Keep n small :-/
   def second_pass(warnings)
-    # keep track of the number of elements deleted because the index numbers
-    # won't update as the list is modified
-    elements_deleted_offset = 0
+    new_fingerprints = Set.new(warnings[:new].map(&method(:fingerprint)))
+    fixed_fingerprints = Set.new(warnings[:fixed].map(&method(:fingerprint)))
 
-    # dup this list since we will be deleting from it and the iterator gets confused.
-    # use _with_index for fast deletion as opposed to .reject!{|obj| obj == *_warning}
-    warnings[:new].dup.each_with_index do |new_warning, new_warning_id|
-      warnings[:fixed].each_with_index do |fixed_warning, fixed_warning_id|
-        if eql_except_line_number new_warning, fixed_warning
-          warnings[:new].delete_at(new_warning_id - elements_deleted_offset)
-          elements_deleted_offset += 1
-          warnings[:fixed].delete_at(fixed_warning_id)
-          break
-        end
+    # Remove warnings which fingerprints are both in :new and :fixed
+    shared_fingerprints = new_fingerprints.intersection(fixed_fingerprints)
+
+    unless shared_fingerprints.empty?
+      warnings[:new].delete_if do |warning|
+        shared_fingerprints.include?(fingerprint(warning))
+      end
+
+      warnings[:fixed].delete_if do |warning|
+        shared_fingerprints.include?(fingerprint(warning))
       end
     end
 
     warnings
   end
 
-  def eql_except_line_number new_warning, fixed_warning
-    # can't do this ahead of time, as callers may be expecting a Brakeman::Warning
-    if new_warning.is_a? Brakeman::Warning 
-      new_warning = new_warning.to_hash
-      fixed_warning = fixed_warning.to_hash
-    end
-
-    if new_warning[:fingerprint] and fixed_warning[:fingerprint]
-      new_warning[:fingerprint] == fixed_warning[:fingerprint]
+  def fingerprint(warning)
+    if warning.is_a?(Brakeman::Warning)
+      warning.fingerprint
     else
-     OLD_WARNING_KEYS.each do |attr|
-        return false if new_warning[attr] != fixed_warning[attr]
-      end
-
-      true
+      warning[:fingerprint]
     end
   end
 end