brakeman-lib 4.8.2 → 4.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 53e42567258ccfcd4e8c53055d74b9d92cf3dd864a0ef60ce19b9b9362e9976c
-  data.tar.gz: 2b6f35eb78b76165311bd092253a41cdc5d0bba4aa585e80ef64e97b22d899a1
+  metadata.gz: 43b7d1a166362e6f078be06194adde0e9acc6f6ee5bbe6b54212a4dddb0335ad
+  data.tar.gz: fd3fcf8965f5125991e51dce67d18415ca3f5db6f431a4076c16acbf1a3bd906
 SHA512:
-  metadata.gz: 3fcfd0a1b757fb5d6d27640dc72c3fdc672e611869186e82622ea3972ed10fbe7a5eaaa16b08040532f80917ed5bc374f7276ac4a6238caef74b989ff1f9e0cf
-  data.tar.gz: 3a924be974720bac6d762085d7353853be0243c7279818b305a133be8d3df8f0e3fba6720000a18f991c8de2e046b6bcb259b709d6558ba50b59c010504eb4f3
+  metadata.gz: a929f04cb48c9ccb434cfa3ee47791d263a1fc3d30acdea4459c25c8c7bcab7d72887369f893de1eed5418a059dd07e55a98157bd2729967f1b9e4c72a4b94f5
+  data.tar.gz: ead62901264f2d1230512894820ad8160ce6115a19ac32dd2ea3474ebb9b9a723e2090077ea6780b38c0b9d3f3b59e4c93ad55d8dbf613f9426475796a167ab3

data/CHANGES.md

@@ -1,3 +1,16 @@
+# 4.9.0 - 2020-08-04
+
+* Add check for CVE-2020-8166 (Jamie Finnigan)
+* Avoid warning when `safe_yaml` is used via `YAML.load(..., safe: true)`
+* Add check for user input in `ERB.new` (Matt Hickman)
+* Add `--ensure-ignore-notes` (Eli Block)
+* Remove whitelist/blacklist language, add clarifications
+* Do not warn about mass assignment with `params.permit!.slice`
+* Add "full call" information to call index results
+* Ignore `params.permit!` in path helpers
+* Treat `Dir.glob` as safe source of values in guards
+* Always scan `environment.rb`
+
 # 4.8.2 - 2020-05-12
 
 * Add check for CVE-2020-8159

data/lib/brakeman.rb

@@ -20,6 +20,10 @@ module Brakeman
   #option is set
   Errors_Found_Exit_Code = 7
 
+  #Exit code returned when an ignored warning has no note and
+  #--ensure-ignore-notes is set
+  Empty_Ignore_Note_Exit_Code = 8
+
   @debug = false
   @quiet = false
   @loaded_dependencies = []
@@ -498,6 +502,18 @@ module Brakeman
     end
   end
 
+  # Returns an array of alert fingerprints for any ignored warnings without
+  # notes found in the specified ignore file (if it exists).
+  def self.ignore_file_entries_with_empty_notes file
+    return [] unless file
+
+    require 'brakeman/report/ignore/config'
+
+    config = IgnoreConfig.new(file, nil)
+    config.read_from_file
+    config.already_ignored_entries_with_empty_notes.map { |i| i[:fingerprint] }
+  end
+
   def self.filter_warnings tracker, options
     require 'brakeman/report/ignore/config'
 

data/lib/brakeman/checks/check_csrf_token_forgery_cve.rb

@@ -0,0 +1,28 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckCSRFTokenForgeryCVE < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for versions with CSRF token forgery vulnerability (CVE-2020-8166)"
+
+  def run_check
+    fix_version = case
+      when version_between?('0.0.0', '5.2.4.2')
+        '5.2.4.3'
+      when version_between?('6.0.0', '6.0.3')
+        '6.0.3.1'
+      else
+        nil
+      end
+
+    if fix_version
+      warn :warning_type => "Cross-Site Request Forgery",
+        :warning_code => :CVE_2020_8166,
+        :message => msg(msg_version(rails_version), " has a vulnerability that may allow CSRF token forgery. Upgrade to ", msg_version(fix_version), " or patch"),
+        :confidence => :medium,
+        :gem_info => gemfile_or_environment,
+        :link => "https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw"
+    end
+  end
+end
+

data/lib/brakeman/checks/check_deserialize.rb

@@ -13,7 +13,23 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
   end
 
   def check_yaml
-    check_methods :YAML, :load, :load_documents, :load_stream, :parse_documents, :parse_stream
+    check_methods :YAML, :load_documents, :load_stream, :parse_documents, :parse_stream
+
+    # Check for safe_yaml gem use with YAML.load(..., safe: true)
+    if uses_safe_yaml?
+      tracker.find_call(target: :YAML, method: :load).each do |result|
+        call = result[:call]
+        options = call.second_arg
+
+        if hash? options and true? hash_access(options, :safe)
+          next
+        else
+          check_deserialize result, :YAML
+        end
+      end
+    else
+      check_methods :YAML, :load
+    end
   end
 
   def check_csv
@@ -102,4 +118,8 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
 
     false
   end
+
+  def uses_safe_yaml?
+    tracker.config.has_gem? :safe_yaml
+  end
 end

data/lib/brakeman/checks/check_mass_assignment.rb

@@ -160,12 +160,27 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
   # Look for and warn about uses of Parameters#permit! for mass assignment
   def check_permit!
     tracker.find_call(:method => :permit!, :nested => true).each do |result|
-      if params? result[:call].target and not result[:chain].include? :slice
-        warn_on_permit! result
+      if params? result[:call].target
+        unless inside_safe_method? result or calls_slice? result
+          warn_on_permit! result
+        end
       end
     end
   end
 
+  # Ignore blah_some_path(params.permit!)
+  def inside_safe_method? result
+    parent_call = result.dig(:parent, :call)
+
+    call? parent_call and
+      parent_call.method.match(/_path$/)
+  end
+
+  def calls_slice? result
+    result[:chain].include? :slice or
+      (result[:full_call] and result[:full_call][:chain].include? :slice)
+  end
+
   # Look for actual use of params in mass assignment to avoid
   # warning about uses of Parameters#permit! without any mass assignment
   # or when mass assignment is restricted by model instead.
@@ -191,7 +206,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
     warn :result => result,
       :warning_type => "Mass Assignment",
       :warning_code => :mass_assign_permit!,
-      :message => "Parameters should be whitelisted for mass assignment",
+      :message => msg('Specify exact keys allowed for mass assignment instead of using ', msg_code('permit!'), ' which allows any keys'),
       :confidence => confidence
   end
 
@@ -203,7 +218,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
         warn :result => result,
           :warning_type => "Mass Assignment",
           :warning_code => :mass_assign_permit_all,
-          :message => "Parameters should be whitelisted for mass assignment",
+          :message => msg('Mass assignment is globally enabled. Disable and specify exact keys using ', msg_code('params.permit'), ' instead'),
           :confidence => :high
       end
     end

data/lib/brakeman/checks/check_model_attr_accessible.rb

@@ -8,7 +8,7 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
-  @description = "Reports models which have dangerous attributes defined under the attr_accessible whitelist."
+  @description = "Reports models which have dangerous attributes defined via attr_accessible"
 
   SUSP_ATTRS = [
     [:admin, :high], # Very dangerous unless some Rails authorization used

data/lib/brakeman/checks/check_permit_attributes.rb

@@ -3,7 +3,7 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckPermitAttributes < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
-  @description = "Warn on potentially dangerous attributes whitelisted via permit"
+  @description = "Warn on potentially dangerous attributes allowed via permit"
 
   SUSPICIOUS_KEYS = {
     admin: :high,

data/lib/brakeman/checks/check_skip_before_filter.rb

@@ -4,8 +4,8 @@ require 'brakeman/checks/base_check'
 #
 #  skip_before_filter :verify_authenticity_token, :except => [...]
 #
-#which is essentially a blacklist approach (no actions are checked EXCEPT the
-#ones listed) versus a whitelist approach (ONLY the actions listed will skip
+#which is essentially a skip-by-default approach (no actions are checked EXCEPT the
+#ones listed) versus a enforce-by-default approach (ONLY the actions listed will skip
 #the check)
 class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
   Brakeman::Checks.add self
@@ -26,7 +26,7 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
       warn :class => controller.name, #ugh this should be a controller warning, too
         :warning_type => "Cross-Site Request Forgery",
         :warning_code => :csrf_blacklist,
-        :message => msg("Use whitelist (", msg_code(":only => [..]"), ") when skipping CSRF check"),
+        :message => msg("List specific actions (", msg_code(":only => [..]"), ") when skipping CSRF check"),
         :code => filter,
         :confidence => :medium,
         :file => controller.file
@@ -35,7 +35,7 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
       warn :controller => controller.name,
         :warning_code => :auth_blacklist,
         :warning_type => "Authentication",
-        :message => msg("Use whitelist (", msg_code(":only => [..]"), ") when skipping authentication"),
+        :message => msg("List specific actions (", msg_code(":only => [..]"), ") when skipping authentication"),
         :code => filter,
         :confidence => :medium,
         :link_path => "authentication_whitelist",

data/lib/brakeman/checks/check_template_injection.rb

@@ -0,0 +1,32 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckTemplateInjection < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Searches for evaluation of user input through template injection"
+
+  #Process calls
+  def run_check
+    Brakeman.debug "Finding ERB.new calls"
+    erb_calls = tracker.find_call :target => :ERB, :method => :new, :nested => true
+
+    Brakeman.debug "Processing ERB.new calls"
+    erb_calls.each do |call|
+      process_result call
+    end
+  end
+
+  #Warns if eval includes user input
+  def process_result result
+    return unless original? result
+
+    if input = include_user_input?(result[:call].arglist)
+      warn :result => result,
+        :warning_type => "Template Injection",
+        :warning_code => :erb_template_injection,
+        :message => msg(msg_input(input), " used directly in ", msg_code("ERB"), " template, which might enable remote code execution"),
+        :user_input => input,
+        :confidence => :high
+    end
+  end
+end

data/lib/brakeman/commandline.rb

@@ -102,6 +102,13 @@ module Brakeman
           app_path = "."
         end
 
+        if options[:ensure_ignore_notes] and options[:previous_results_json]
+          warn '[Notice] --ensure-ignore-notes may not be used at the same ' \
+               'time as --compare. Deactivating --ensure-ignore-notes. ' \
+               'Please see `brakeman --help` for valid options'
+          options[:ensure_ignore_notes] = false
+        end
+
         return options, app_path
       end
 
@@ -115,7 +122,20 @@ module Brakeman
 
       # Runs a regular report based on the options provided.
       def regular_report options
-        tracker = run_brakeman options 
+        tracker = run_brakeman options
+
+        ensure_ignore_notes_failed = false
+        if tracker.options[:ensure_ignore_notes]
+          fingerprints = Brakeman::ignore_file_entries_with_empty_notes tracker.ignored_filter&.file
+
+          unless fingerprints.empty?
+            ensure_ignore_notes_failed = true
+            warn '[Error] Notes required for all ignored warnings when ' \
+              '--ensure-ignore-notes is set. No notes provided for these ' \
+              'warnings: '
+            fingerprints.each { |f| warn f }
+          end
+        end
 
         if tracker.options[:exit_on_warn] and not tracker.filtered_warnings.empty?
           quit Brakeman::Warnings_Found_Exit_Code
@@ -124,6 +144,10 @@ module Brakeman
         if tracker.options[:exit_on_error] and tracker.errors.any?
           quit Brakeman::Errors_Found_Exit_Code
         end
+
+        if ensure_ignore_notes_failed
+          quit Brakeman::Empty_Ignore_Note_Exit_Code
+        end
       end
 
       # Actually run Brakeman.

data/lib/brakeman/options.rb

@@ -67,6 +67,10 @@ module Brakeman::Options
           options[:ensure_latest] = true
         end
 
+        opts.on "--ensure-ignore-notes", "Fail when an ignored warnings does not include a note" do
+          options[:ensure_ignore_notes] = true
+        end
+
         opts.on "-3", "--rails3", "Force Rails 3 mode" do
           options[:rails3] = true
         end

data/lib/brakeman/processors/alias_processor.rb

@@ -82,7 +82,6 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   def replace exp, int = 0
     return exp if int > 3
 
-
     if replacement = env[exp] and not duplicate? replacement
       replace(replacement.deep_clone(exp.line), int + 1)
     elsif tracker and replacement = tracker.constant_lookup(exp) and not duplicate? replacement
@@ -731,14 +730,14 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   def array_include_all_literals? exp
     call? exp and
     exp.method == :include? and
-    all_literals? exp.target
+    (all_literals? exp.target or dir_glob? exp.target)
   end
 
   def array_detect_all_literals? exp
     call? exp and
     [:detect, :find].include? exp.method and
     exp.first_arg.nil? and
-    all_literals? exp.target
+    (all_literals? exp.target or dir_glob? exp.target)
   end
 
   #Sets @inside_if = true

data/lib/brakeman/processors/lib/find_all_calls.rb

@@ -20,6 +20,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
     @current_template = opts[:template]
     @current_file = opts[:file]
     @current_call = nil
+    @full_call = nil
     process exp
   end
 
@@ -137,7 +138,8 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
                 :call => exp,
                 :nested => false,
                 :location => make_location,
-                :parent => @current_call }.freeze
+                :parent => @current_call,
+                :full_call => @full_call }.freeze
   end
 
   #Gets the target of a call as a Symbol
@@ -214,34 +216,47 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
   #Return info hash for a call Sexp
   def create_call_hash exp
     target = get_target exp.target
-
-    if call? target or node_type? target, :dxstr # need to index `` even if target of a call
-      already_in_target = @in_target
-      @in_target = true
-      process target
-      @in_target = already_in_target
-
-      target = get_target(target, :include_calls)
-    end
+    target_symbol = get_target(target, :include_calls)
 
     method = exp.method
 
     call_hash = {
-      :target => target,
+      :target => target_symbol,
       :method => method,
       :call => exp,
       :nested => @in_target,
       :chain => get_chain(exp),
       :location => make_location,
-      :parent => @current_call
+      :parent => @current_call,
+      :full_call => @full_call
     }
 
+    unless @in_target
+      @full_call = call_hash
+    end
+
+    # Process up the call chain
+    if call? target or node_type? target, :dxstr # need to index `` even if target of a call
+      already_in_target = @in_target
+      @in_target = true
+      process target
+      @in_target = already_in_target
+    end
+
+    # Process call arguments
+    # but add the current call as the 'parent'
+    # to any calls in the arguments
     old_parent = @current_call
     @current_call = call_hash
 
+    # Do not set @full_call when processing arguments
+    old_full_call = @full_call
+    @full_call = nil
+
     process_call_args exp
 
     @current_call = old_parent
+    @full_call = old_full_call
 
     call_hash
   end

data/lib/brakeman/report/ignore/config.rb

@@ -94,6 +94,10 @@ module Brakeman
       end
     end
 
+    def already_ignored_entries_with_empty_notes
+      @already_ignored.select { |i| i if i[:note].strip.empty? }
+    end
+
     # Read configuration to file
     def read_from_file file = @file
       if File.exist? file

data/lib/brakeman/scanner.rb

@@ -94,11 +94,14 @@ class Brakeman::Scanner
   #
   #Stores parsed information in tracker.config
   def process_config
+    # Sometimes folks like to put constants in environment.rb
+    # so let's always process it even for newer Rails versions
+    process_config_file "environment.rb"
+
     if options[:rails3] or options[:rails4] or options[:rails5] or options[:rails6]
       process_config_file "application.rb"
       process_config_file "environments/production.rb"
     else
-      process_config_file "environment.rb"
       process_config_file "gems.rb"
     end
 

data/lib/brakeman/tracker.rb

@@ -198,8 +198,10 @@ class Brakeman::Tracker
     @constants.add name, value, context unless @options[:disable_constant_tracking]
   end
 
+  # This method does not return all constants at this time,
+  # just ones with "simple" values.
   def constant_lookup name
-    @constants.get_literal name unless @options[:disable_constant_tracking]
+    @constants.get_simple_value name unless @options[:disable_constant_tracking]
   end
 
   def find_class name

data/lib/brakeman/tracker/constants.rb

@@ -1,7 +1,10 @@
 require 'brakeman/processors/output_processor'
+require 'brakeman/util'
 
 module Brakeman
   class Constant
+    include Brakeman::Util
+
     attr_reader :name, :name_array, :file, :value, :context
 
     def initialize name, value, context = {}
@@ -107,13 +110,11 @@ module Brakeman
       @constants[base_name] << Constant.new(name, value, context)
     end
 
-    LITERALS = [:lit, :false, :str, :true, :array, :hash]
-    def literal? exp
-      exp.is_a? Sexp and LITERALS.include? exp.node_type
-    end
-
-    def get_literal name
-      if x = self[name] and literal? x
+    # Returns constant values that are not too complicated.
+    # Right now that means literal values (string, array, etc.)
+    # or calls on Dir.glob(..).whatever.
+    def get_simple_value name
+      if x = self[name] and (literal? x or dir_glob? x)
         x
       else
         nil

data/lib/brakeman/util.rb

@@ -293,6 +293,22 @@ module Brakeman::Util
     exp.is_a? Sexp and types.include? exp.node_type
   end
 
+  LITERALS = [:lit, :false, :str, :true, :array, :hash]
+
+  def literal? exp
+    exp.is_a? Sexp and LITERALS.include? exp.node_type
+  end
+
+  DIR_CONST = s(:const, :Dir)
+
+  # Dir.glob(...).whatever
+  def dir_glob? exp
+    exp = exp.block_call if node_type? exp, :iter
+    return unless call? exp
+
+    (exp.target == DIR_CONST and exp.method == :glob) or dir_glob? exp.target
+  end
+
   #Returns true if the given _exp_ contains a :class node.
   #
   #Useful for checking if a module is just a module or if it is a namespace.

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "4.8.2"
+  Version = "4.9.0"
 end

data/lib/brakeman/warning_codes.rb

@@ -117,6 +117,8 @@ module Brakeman::WarningCodes
     :json_html_escape_config => 113,
     :json_html_escape_module => 114,
     :CVE_2020_8159 => 115,
+    :CVE_2020_8166 => 116,
+    :erb_template_injection => 117,
 
     :custom_check => 9090,
   }

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 4.8.2
+  version: 4.9.0
 platform: ruby
 authors:
 - Justin Collins
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-05-12 00:00:00.000000000 Z
+date: 2020-08-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -52,6 +52,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov-html
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.10.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.10.2
 - !ruby/object:Gem::Dependency
   name: ruby_parser
   requirement: !ruby/object:Gem::Requirement
@@ -187,7 +201,7 @@ dependencies:
         version: 1.3.6
     - - "<="
       - !ruby/object:Gem::Version
-        version: 4.0.1
+        version: '4.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -197,7 +211,7 @@ dependencies:
         version: 1.3.6
     - - "<="
       - !ruby/object:Gem::Version
-        version: 4.0.1
+        version: '4.1'
 description: Brakeman detects security vulnerabilities in Ruby on Rails applications
   via static analysis. This package declares gem dependencies instead of bundling
   them.
@@ -222,6 +236,7 @@ files:
 - lib/brakeman/checks/check_cookie_serialization.rb
 - lib/brakeman/checks/check_create_with.rb
 - lib/brakeman/checks/check_cross_site_scripting.rb
+- lib/brakeman/checks/check_csrf_token_forgery_cve.rb
 - lib/brakeman/checks/check_default_routes.rb
 - lib/brakeman/checks/check_deserialize.rb
 - lib/brakeman/checks/check_detailed_exceptions.rb
@@ -283,6 +298,7 @@ files:
 - lib/brakeman/checks/check_strip_tags.rb
 - lib/brakeman/checks/check_symbol_dos.rb
 - lib/brakeman/checks/check_symbol_dos_cve.rb
+- lib/brakeman/checks/check_template_injection.rb
 - lib/brakeman/checks/check_translate_bug.rb
 - lib/brakeman/checks/check_unsafe_reflection.rb
 - lib/brakeman/checks/check_unscoped_find.rb