brakeman-lib 4.5.1 → 4.7.2

data/lib/brakeman/checks/check_header_dos.rb

@@ -25,7 +25,7 @@ class Brakeman::CheckHeaderDoS < Brakeman::BaseCheck
   end
 
   def has_workaround?
-    tracker.check_initializers(:ActiveSupport, :on_load).any? and
-    tracker.check_initializers(:"ActionView::LookupContext::DetailsKey", :class_eval).any?
+    tracker.find_call(target: :ActiveSupport, method: :on_load).any? and
+      tracker.find_call(target: :"ActionView::LookupContext::DetailsKey", method: :class_eval).any?
   end
 end

data/lib/brakeman/checks/check_i18n_xss.rb

@@ -41,8 +41,8 @@ class Brakeman::CheckI18nXSS < Brakeman::BaseCheck
   end
 
   def has_workaround?
-    tracker.check_initializers(:I18n, :const_defined?).any? do |match|
-      match.last.first_arg == s(:lit, :MissingTranslation)
+    tracker.find_call(target: :I18n, method: :const_defined?, chained: true).any? do |match|
+      match[:call].first_arg == s(:lit, :MissingTranslation)
     end
   end
 end

data/lib/brakeman/checks/check_jruby_xml.rb

@@ -20,8 +20,8 @@ class Brakeman::CheckJRubyXML < Brakeman::BaseCheck
       end
 
     #Check for workaround
-    tracker.check_initializers(:"ActiveSupport::XmlMini", :backend=).each do |result|
-      arg = result.call.first_arg
+    tracker.find_call(target: :"ActiveSupport::XmlMini", method: :backend=, chained: true).each do |result|
+      arg = result[:call].first_arg
 
       return if string? arg and arg.value == "REXML"
     end

data/lib/brakeman/checks/check_json_parsing.rb

@@ -44,13 +44,13 @@ class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
 
   #Check for `ActiveSupport::JSON.backend = "JSONGem"`
   def uses_gem_backend?
-    matches = tracker.check_initializers(:'ActiveSupport::JSON', :backend=)
+    matches = tracker.find_call(target: :'ActiveSupport::JSON', method: :backend=, chained: true)
 
     unless matches.empty?
       json_gem = s(:str, "JSONGem")
 
       matches.each do |result|
-        if result.call.first_arg == json_gem
+        if result[:call].first_arg == json_gem
           return true
         end
       end

data/lib/brakeman/checks/check_mass_assignment.rb

@@ -158,7 +158,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
 
   # Look for and warn about uses of Parameters#permit! for mass assignment
   def check_permit!
-    tracker.find_call(:method => :permit!).each do |result|
+    tracker.find_call(:method => :permit!, :nested => true).each do |result|
       if params? result[:call].target and not result[:chain].include? :slice
         warn_on_permit! result
       end

data/lib/brakeman/checks/check_mime_type_dos.rb

@@ -30,8 +30,8 @@ class Brakeman::CheckMimeTypeDoS < Brakeman::BaseCheck
   end
 
   def has_workaround?
-    tracker.check_initializers(:Mime, :const_set).any? do |match|
-      arg = match.call.first_arg
+    tracker.find_call(target: :Mime, method: :const_set).any? do |match|
+      arg = match[:call].first_arg
 
       symbol? arg and arg.value == :LOOKUP
     end

data/lib/brakeman/checks/check_nested_attributes_bypass.rb

@@ -53,6 +53,6 @@ class Brakeman::CheckNestedAttributesBypass < Brakeman::BaseCheck
   end
 
   def workaround?
-    tracker.check_initializers([], :will_be_destroyed?).any?
+    tracker.find_call(method: :will_be_destroyed?).any?
   end
 end

data/lib/brakeman/checks/check_reverse_tabnabbing.rb

@@ -0,0 +1,58 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckReverseTabnabbing < Brakeman::BaseCheck
+  Brakeman::Checks.add_optional self
+
+  @description = "Checks for reverse tabnabbing cases on 'link_to' calls"
+
+  def run_check
+    calls = tracker.find_call :methods => :link_to
+    calls.each do |call|
+      process_result call
+    end
+  end
+
+  def process_result result
+    return unless original? result and result[:call].last_arg
+
+    html_opts = result[:call].last_arg
+    return unless hash? html_opts
+
+    target = hash_access html_opts, :target
+    unless target &&
+          (string?(target) && target.value == "_blank" ||
+          symbol?(target) && target.value == :_blank)
+      return
+    end
+
+    target_url = result[:block] ? result[:call].first_arg : result[:call].second_arg
+
+    # `url_for` and `_path` calls lead to urls on to the same origin.
+    # That means that an adversary would need to run javascript on
+    # the victim application's domain. If that is the case, the adversary
+    # already has the ability to redirect the victim user anywhere.
+    # Also statically provided URLs (interpolated or otherwise) are also
+    # ignored as they produce many false positives.
+    return if !call?(target_url) || target_url.method.match(/^url_for$|_path$/)
+
+    rel = hash_access html_opts, :rel
+    confidence = :medium
+
+    if rel && string?(rel) then
+      rel_opt = rel.value
+      return if rel_opt.include?("noopener") && rel_opt.include?("noreferrer")
+
+      if rel_opt.include?("noopener") ^ rel_opt.include?("noreferrer") then
+        confidence = :weak
+      end
+    end
+
+    warn :result => result,
+      :warning_type => "Reverse Tabnabbing",
+      :warning_code => :reverse_tabnabbing,
+      :message => msg("When opening a link in a new tab without setting ", msg_code('rel: "noopener noreferrer"'),
+                      ", the new tab can control the parent tab's location. For example, an attacker could redirect to a phishing page."),
+      :confidence => confidence,
+      :user_input => rel
+  end
+end

data/lib/brakeman/checks/check_sanitize_methods.rb

@@ -70,7 +70,7 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
 
   def check_cve_2018_8048
     if loofah_vulnerable_cve_2018_8048?
-      message = msg(msg_version(tracker.config.gem_version(:loofah), "loofah gem"), " is vulnerable (CVE-2018-8048). Upgrade to 2.1.2")
+      message = msg(msg_version(tracker.config.gem_version(:loofah), "loofah gem"), " is vulnerable (CVE-2018-8048). Upgrade to 2.2.1")
 
       if tracker.find_call(:target => false, :method => :sanitize).any?
         confidence = :high
@@ -90,7 +90,7 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
   def loofah_vulnerable_cve_2018_8048?
     loofah_version = tracker.config.gem_version(:loofah)
 
-    loofah_version and loofah_version < "2.1.2"
+    loofah_version and loofah_version < "2.2.1"
   end
 
   def warn_sanitizer_cve cve, link, upgrade_version

data/lib/brakeman/checks/check_session_settings.rb

@@ -21,8 +21,11 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
 
     check_for_issues settings, @app_tree.file_path("config/environment.rb")
 
-    ["session_store.rb", "secret_token.rb"].each do |file|
-      if tracker.initializers[file] and not ignored? file
+    session_store = @app_tree.file_path("config/initializers/session_store.rb")
+    secret_token = @app_tree.file_path("config/initializers/secret_token.rb")
+
+    [session_store, secret_token].each do |file|
+      if tracker.initializers[file] and not ignored? file.basename
         process tracker.initializers[file]
       end
     end

data/lib/brakeman/checks/check_sql.rb

@@ -71,32 +71,32 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   def find_scope_calls
     scope_calls = []
 
-    if version_between?("2.1.0", "3.0.9")
-      ar_scope_calls(:named_scope) do |model, args|
-        call = make_call(nil, :named_scope, args).line(args.line)
-        scope_calls << scope_call_hash(call, model, :named_scope)
-      end
-    elsif version_between?("3.1.0", "9.9.9")
-      ar_scope_calls(:scope) do |model, args|
-        second_arg = args[2]
-        next unless sexp? second_arg
-
-        if second_arg.node_type == :iter and node_type? second_arg.block, :block, :call, :safe_call
-          process_scope_with_block(model, args)
-        elsif call? second_arg
-          call = second_arg
-          scope_calls << scope_call_hash(call, model, call.method)
-        else
-          call = make_call(nil, :scope, args).line(args.line)
-          scope_calls << scope_call_hash(call, model, :scope)
-        end
+    # Used in pre-3.1.0 versions of Rails
+    ar_scope_calls(:named_scope) do |model, args|
+      call = make_call(nil, :named_scope, args).line(args.line)
+      scope_calls << scope_call_hash(call, model, :named_scope)
+    end
+
+    # Use in 3.1.0 and later
+    ar_scope_calls(:scope) do |model, args|
+      second_arg = args[2]
+      next unless sexp? second_arg
+
+      if second_arg.node_type == :iter and node_type? second_arg.block, :block, :call, :safe_call
+        process_scope_with_block(model, args)
+      elsif call? second_arg
+        call = second_arg
+        scope_calls << scope_call_hash(call, model, call.method)
+      else
+        call = make_call(nil, :scope, args).line(args.line)
+        scope_calls << scope_call_hash(call, model, :scope)
       end
     end
 
     scope_calls
   end
 
-  def ar_scope_calls(symbol_name = :named_scope, &block)
+  def ar_scope_calls(symbol_name, &block)
     active_record_models.each do |name, model|
       model_args = model.options[symbol_name]
       if model_args
@@ -393,6 +393,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     nil
   end
 
+  TO_STRING_METHODS = [:to_s, :strip_heredoc]
+
   #Returns value if interpolated value is not something safe
   def unsafe_string_interp? exp
     if node_type? exp, :evstr
@@ -403,7 +405,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
 
     if not sexp? value
       nil
-    elsif call? value and value.method == :to_s
+    elsif call? value and TO_STRING_METHODS.include? value.method
       unsafe_string_interp? value.target
     elsif call? value and safe_literal_target? value
       nil
@@ -466,7 +468,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       unless IGNORE_METHODS_IN_SQL.include? exp.method
         if has_immediate_user_input? exp
           exp
-        elsif exp.method == :to_s
+        elsif TO_STRING_METHODS.include? exp.method
           find_dangerous_value exp.target, ignore_hash
         else
           check_call exp

data/lib/brakeman/checks/check_xml_dos.rb

@@ -34,8 +34,8 @@ class Brakeman::CheckXMLDoS < Brakeman::BaseCheck
   end
 
   def has_workaround?
-    tracker.check_initializers(:"ActiveSupport::XmlMini", :backend=).any? do |match|
-      arg = match.call.first_arg
+    tracker.find_call(target: :"ActiveSupport::XmlMini", method: :backend=).any? do |match|
+      arg = match[:call].first_arg
       if string? arg
         value = arg.value
         value == 'Nokogiri' or value == 'LibXML'

data/lib/brakeman/checks/check_yaml_parsing.rb

@@ -48,21 +48,17 @@ class Brakeman::CheckYAMLParsing < Brakeman::BaseCheck
   def disabled_xml_parser?
     if version_between? "0.0.0", "2.3.14"
       #Look for ActionController::Base.param_parsers.delete(Mime::XML)
-      params_parser = s(:call,
-                        s(:colon2, s(:const, :ActionController), :Base),
-                        :param_parsers)
-
-      matches = tracker.check_initializers(params_parser, :delete)
+      matches = tracker.find_call(target: :"ActionController::Base.param_parsers", method: :delete)
     else
       #Look for ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML)
-      matches = tracker.check_initializers(:"ActionDispatch::ParamsParser::DEFAULT_PARSERS", :delete)
+      matches = tracker.find_call(target: :"ActionDispatch::ParamsParser::DEFAULT_PARSERS", method: :delete)
     end
 
     unless matches.empty?
       mime_xml = s(:colon2, s(:const, :Mime), :XML)
 
       matches.each do |result|
-        if result.call.first_arg == mime_xml
+        if result[:call].first_arg == mime_xml
           return true
         end
       end
@@ -74,18 +70,14 @@ class Brakeman::CheckYAMLParsing < Brakeman::BaseCheck
   #Look for ActionController::Base.param_parsers[Mime::YAML] = :yaml
   #in Rails 2.x apps
   def enabled_yaml_parser?
-    param_parsers = s(:call,
-                      s(:colon2, s(:const, :ActionController), :Base),
-                      :param_parsers)
-
-    matches = tracker.check_initializers(param_parsers, :[]=)
+    matches = tracker.find_call(target: :'ActionController::Base.param_parsers', method: :[]=)
 
     mime_yaml = s(:colon2, s(:const, :Mime), :YAML)
 
     matches.each do |result|
-      if result.call.first_arg == mime_yaml and
-        symbol? result.call.second_arg and
-        result.call.second_arg.value == :yaml
+      if result[:call].first_arg == mime_yaml and
+        symbol? result[:call].second_arg and
+        result[:call].second_arg.value == :yaml
 
         return true
       end
@@ -96,16 +88,16 @@ class Brakeman::CheckYAMLParsing < Brakeman::BaseCheck
 
   def disabled_xml_dangerous_types?
     if version_between? "0.0.0", "2.3.14"
-      matches = tracker.check_initializers(:"ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING", :delete)
+      matches = tracker.find_call(target: :"ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING", method: :delete)
     else
-      matches = tracker.check_initializers(:"ActiveSupport::XmlMini::PARSING", :delete)
+      matches = tracker.find_call(target: :"ActiveSupport::XmlMini::PARSING", method: :delete)
     end
 
     symbols_off = false
     yaml_off = false
 
     matches.each do |result|
-      arg = result.call.first_arg
+      arg = result[:call].first_arg
 
       if string? arg
         if arg.value == "yaml"

data/lib/brakeman/differ.rb

@@ -24,43 +24,31 @@ class Brakeman::Differ
   # second pass to cleanup any vulns which have changed in line number only.
   # Given a list of new warnings, delete pairs of new/fixed vulns that differ
   # only by line number.
-  # Horrible O(n^2) performance.  Keep n small :-/
   def second_pass(warnings)
-    # keep track of the number of elements deleted because the index numbers
-    # won't update as the list is modified
-    elements_deleted_offset = 0
+    new_fingerprints = Set.new(warnings[:new].map(&method(:fingerprint)))
+    fixed_fingerprints = Set.new(warnings[:fixed].map(&method(:fingerprint)))
 
-    # dup this list since we will be deleting from it and the iterator gets confused.
-    # use _with_index for fast deletion as opposed to .reject!{|obj| obj == *_warning}
-    warnings[:new].dup.each_with_index do |new_warning, new_warning_id|
-      warnings[:fixed].each_with_index do |fixed_warning, fixed_warning_id|
-        if eql_except_line_number new_warning, fixed_warning
-          warnings[:new].delete_at(new_warning_id - elements_deleted_offset)
-          elements_deleted_offset += 1
-          warnings[:fixed].delete_at(fixed_warning_id)
-          break
-        end
+    # Remove warnings which fingerprints are both in :new and :fixed
+    shared_fingerprints = new_fingerprints.intersection(fixed_fingerprints)
+
+    unless shared_fingerprints.empty?
+      warnings[:new].delete_if do |warning|
+        shared_fingerprints.include?(fingerprint(warning))
+      end
+
+      warnings[:fixed].delete_if do |warning|
+        shared_fingerprints.include?(fingerprint(warning))
       end
     end
 
     warnings
   end
 
-  def eql_except_line_number new_warning, fixed_warning
-    # can't do this ahead of time, as callers may be expecting a Brakeman::Warning
-    if new_warning.is_a? Brakeman::Warning 
-      new_warning = new_warning.to_hash
-      fixed_warning = fixed_warning.to_hash
-    end
-
-    if new_warning[:fingerprint] and fixed_warning[:fingerprint]
-      new_warning[:fingerprint] == fixed_warning[:fingerprint]
+  def fingerprint(warning)
+    if warning.is_a?(Brakeman::Warning)
+      warning.fingerprint
     else
-     OLD_WARNING_KEYS.each do |attr|
-        return false if new_warning[attr] != fixed_warning[attr]
-      end
-
-      true
+      warning[:fingerprint]
     end
   end
 end

data/lib/brakeman/file_parser.rb

@@ -33,17 +33,13 @@ module Brakeman
       end
     end
 
-    def parse_ruby input, path, parser = RubyParser.new
+    def parse_ruby input, path
       begin
         Brakeman.debug "Parsing #{path}"
-        parser.parse input, path, @timeout
+        RubyParser.new.parse input, path, @timeout
       rescue Racc::ParseError => e
-        if parser.class == RubyParser
-          return parse_ruby(input, path, RubyParser.latest)
-        else
-          @tracker.error e, "Could not parse #{path}"
-          nil
-        end
+        @tracker.error e, "Could not parse #{path}"
+        nil
       rescue Timeout::Error => e
         @tracker.error Exception.new("Parsing #{path} took too long (> #{@timeout} seconds). Try increasing the limit with --parser-timeout"), caller
         nil

data/lib/brakeman/file_path.rb

@@ -35,6 +35,11 @@ module Brakeman
       @relative = relative_path
     end
 
+    # Just the file name, no path
+    def basename
+      @basename ||= File.basename(self.relative)
+    end
+
     # Read file from absolute path.
     def read
       File.read self.absolute
@@ -67,5 +72,14 @@ module Brakeman
     def to_s
       self.to_str
     end
+
+    def hash
+      @hash ||= [@absolute, @relative].hash
+    end
+
+    def eql? rhs
+      @absolute == rhs.absolute and
+        @relative == rhs.relative
+    end
   end
 end