brakeman-lib 5.2.1 → 5.3.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGES.md +21 -0
- data/lib/brakeman/app_tree.rb +9 -1
- data/lib/brakeman/checks/check_basic_auth.rb +4 -2
- data/lib/brakeman/checks/check_basic_auth_timing_attack.rb +2 -1
- data/lib/brakeman/checks/check_content_tag.rb +8 -4
- data/lib/brakeman/checks/check_cookie_serialization.rb +2 -1
- data/lib/brakeman/checks/check_create_with.rb +4 -2
- data/lib/brakeman/checks/check_cross_site_scripting.rb +6 -3
- data/lib/brakeman/checks/check_csrf_token_forgery_cve.rb +2 -1
- data/lib/brakeman/checks/check_default_routes.rb +6 -3
- data/lib/brakeman/checks/check_deserialize.rb +2 -1
- data/lib/brakeman/checks/check_detailed_exceptions.rb +4 -2
- data/lib/brakeman/checks/check_digest_dos.rb +2 -1
- data/lib/brakeman/checks/check_divide_by_zero.rb +2 -1
- data/lib/brakeman/checks/check_dynamic_finders.rb +2 -1
- data/lib/brakeman/checks/check_escape_function.rb +2 -1
- data/lib/brakeman/checks/check_evaluation.rb +2 -1
- data/lib/brakeman/checks/check_execute.rb +6 -3
- data/lib/brakeman/checks/check_file_access.rb +2 -1
- data/lib/brakeman/checks/check_file_disclosure.rb +2 -1
- data/lib/brakeman/checks/check_filter_skipping.rb +2 -1
- data/lib/brakeman/checks/check_force_ssl.rb +2 -1
- data/lib/brakeman/checks/check_forgery_setting.rb +4 -2
- data/lib/brakeman/checks/check_header_dos.rb +2 -1
- data/lib/brakeman/checks/check_i18n_xss.rb +2 -1
- data/lib/brakeman/checks/check_jruby_xml.rb +2 -1
- data/lib/brakeman/checks/check_json_encoding.rb +2 -1
- data/lib/brakeman/checks/check_json_entity_escape.rb +4 -2
- data/lib/brakeman/checks/check_json_parsing.rb +4 -2
- data/lib/brakeman/checks/check_link_to.rb +2 -1
- data/lib/brakeman/checks/check_link_to_href.rb +4 -2
- data/lib/brakeman/checks/check_mail_to.rb +2 -1
- data/lib/brakeman/checks/check_mass_assignment.rb +6 -3
- data/lib/brakeman/checks/check_mime_type_dos.rb +2 -1
- data/lib/brakeman/checks/check_model_attr_accessible.rb +2 -1
- data/lib/brakeman/checks/check_model_attributes.rb +4 -2
- data/lib/brakeman/checks/check_model_serialize.rb +2 -1
- data/lib/brakeman/checks/check_nested_attributes.rb +2 -1
- data/lib/brakeman/checks/check_nested_attributes_bypass.rb +2 -1
- data/lib/brakeman/checks/check_number_to_currency.rb +4 -2
- data/lib/brakeman/checks/check_page_caching_cve.rb +2 -1
- data/lib/brakeman/checks/check_permit_attributes.rb +2 -1
- data/lib/brakeman/checks/check_quote_table_name.rb +2 -1
- data/lib/brakeman/checks/check_redirect.rb +2 -1
- data/lib/brakeman/checks/check_regex_dos.rb +2 -1
- data/lib/brakeman/checks/check_render.rb +4 -2
- data/lib/brakeman/checks/check_render_dos.rb +2 -1
- data/lib/brakeman/checks/check_render_inline.rb +4 -2
- data/lib/brakeman/checks/check_response_splitting.rb +2 -1
- data/lib/brakeman/checks/check_reverse_tabnabbing.rb +2 -1
- data/lib/brakeman/checks/check_route_dos.rb +2 -1
- data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +2 -1
- data/lib/brakeman/checks/check_sanitize_config_cve.rb +120 -0
- data/lib/brakeman/checks/check_sanitize_methods.rb +6 -3
- data/lib/brakeman/checks/check_secrets.rb +2 -1
- data/lib/brakeman/checks/check_select_tag.rb +2 -1
- data/lib/brakeman/checks/check_select_vulnerability.rb +2 -1
- data/lib/brakeman/checks/check_send.rb +2 -1
- data/lib/brakeman/checks/check_session_manipulation.rb +2 -1
- data/lib/brakeman/checks/check_session_settings.rb +6 -3
- data/lib/brakeman/checks/check_simple_format.rb +4 -2
- data/lib/brakeman/checks/check_single_quotes.rb +2 -1
- data/lib/brakeman/checks/check_skip_before_filter.rb +4 -2
- data/lib/brakeman/checks/check_sprockets_path_traversal.rb +2 -1
- data/lib/brakeman/checks/check_sql.rb +7 -4
- data/lib/brakeman/checks/check_sql_cves.rb +4 -2
- data/lib/brakeman/checks/check_ssl_verify.rb +2 -1
- data/lib/brakeman/checks/check_strip_tags.rb +6 -3
- data/lib/brakeman/checks/check_symbol_dos.rb +2 -1
- data/lib/brakeman/checks/check_symbol_dos_cve.rb +2 -1
- data/lib/brakeman/checks/check_template_injection.rb +2 -1
- data/lib/brakeman/checks/check_translate_bug.rb +2 -1
- data/lib/brakeman/checks/check_unsafe_reflection.rb +9 -3
- data/lib/brakeman/checks/check_unsafe_reflection_methods.rb +2 -1
- data/lib/brakeman/checks/check_unscoped_find.rb +2 -1
- data/lib/brakeman/checks/check_validation_regex.rb +2 -1
- data/lib/brakeman/checks/check_verb_confusion.rb +2 -1
- data/lib/brakeman/checks/check_weak_hash.rb +6 -3
- data/lib/brakeman/checks/check_without_protection.rb +2 -1
- data/lib/brakeman/checks/check_xml_dos.rb +2 -1
- data/lib/brakeman/checks/check_yaml_parsing.rb +4 -2
- data/lib/brakeman/checks/eol_check.rb +4 -2
- data/lib/brakeman/options.rb +1 -1
- data/lib/brakeman/processors/alias_processor.rb +41 -2
- data/lib/brakeman/processors/lib/find_all_calls.rb +1 -0
- data/lib/brakeman/report/ignore/interactive.rb +2 -2
- data/lib/brakeman/report/report_csv.rb +2 -0
- data/lib/brakeman/report/report_junit.rb +2 -2
- data/lib/brakeman/report/report_table.rb +5 -5
- data/lib/brakeman/report/report_text.rb +2 -0
- data/lib/brakeman/report/templates/controller_warnings.html.erb +2 -0
- data/lib/brakeman/report/templates/ignored_warnings.html.erb +2 -0
- data/lib/brakeman/report/templates/model_warnings.html.erb +2 -0
- data/lib/brakeman/report/templates/security_warnings.html.erb +2 -0
- data/lib/brakeman/report/templates/view_warnings.html.erb +2 -0
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning.rb +5 -2
- data/lib/brakeman/warning_codes.rb +1 -0
- metadata +5 -4
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: df75ab4f9b0d2b0ed8db5548e0f18e8fc7028b9ed19e3b05e583e62070aac6d3
|
4
|
+
data.tar.gz: 1af6b8a2ecd4286a7808b357779cfbd720bb263a371ca86fd9555bf806e97d01
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 32b3f95690c33c05aced581c94c60544c8b4d02ec85e001d2a67f54eedaad15f9bd52157d526d6ab3cc9d30f33fc07c155e6030cd6d75f8cac5b5ff82739daa1
|
7
|
+
data.tar.gz: 55ff958c1101ac534921807d105253c65b3ef62500b1354dacd42d922ac6f8ce446db1213398f95d80d87f8af47a4c430e3d38f13592aeaeadfa156b9f347a82
|
data/CHANGES.md
CHANGED
@@ -1,3 +1,24 @@
|
|
1
|
+
# 5.3.0 - 2022-08-09
|
2
|
+
|
3
|
+
* Include explicit engine or lib paths in vendor/ (Joe Rafaniello)
|
4
|
+
* Load rexml as a Brakeman dependency
|
5
|
+
* Fix "full call" information propagating unnecessarily
|
6
|
+
* Add check for CVE-2022-32209
|
7
|
+
* Add CWE information to warnings (Stephen Aghaulor)
|
8
|
+
|
9
|
+
# 5.2.3 - 2022-05-01
|
10
|
+
|
11
|
+
* Fix error with hash shorthand syntax
|
12
|
+
* Match order of interactive options with help message (Rory O'Kane)
|
13
|
+
|
14
|
+
# 5.2.2 - 2022-04-06
|
15
|
+
|
16
|
+
* Update `ruby_parser` for Ruby 3.1 support (Merek Skubela)
|
17
|
+
* Handle `nil` when joining values (Dan Buettner)
|
18
|
+
* Update message for unsafe reflection (Pedro Baracho)
|
19
|
+
* Add additional String methods for SQL injection check
|
20
|
+
* Respect equality in `if` conditions
|
21
|
+
|
1
22
|
# 5.2.1 - 2022-01-30
|
2
23
|
|
3
24
|
* Add warning codes for EOL software warnings
|
data/lib/brakeman/app_tree.rb
CHANGED
@@ -205,7 +205,7 @@ module Brakeman
|
|
205
205
|
paths.reject do |path|
|
206
206
|
relative_path = path.relative
|
207
207
|
|
208
|
-
if @skip_vendor and relative_path.include? 'vendor/'
|
208
|
+
if @skip_vendor and relative_path.include? 'vendor/' and !in_engine_paths?(path) and !in_add_libs_paths?(path)
|
209
209
|
true
|
210
210
|
else
|
211
211
|
EXCLUDED_PATHS.any? do |excluded|
|
@@ -215,6 +215,14 @@ module Brakeman
|
|
215
215
|
end
|
216
216
|
end
|
217
217
|
|
218
|
+
def in_engine_paths?(path)
|
219
|
+
@engine_paths.any? { |p| path.absolute.include?(p) }
|
220
|
+
end
|
221
|
+
|
222
|
+
def in_add_libs_paths?(path)
|
223
|
+
@additional_libs_path.any? { |p| path.absolute.include?(p) }
|
224
|
+
end
|
225
|
+
|
218
226
|
def match_path files, path
|
219
227
|
absolute_path = Pathname.new(path)
|
220
228
|
# relative root never has a leading separator. But, we use a leading
|
@@ -31,7 +31,8 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
|
|
31
31
|
:message => "Basic authentication password stored in source code",
|
32
32
|
:code => call,
|
33
33
|
:confidence => :high,
|
34
|
-
:file => controller.file
|
34
|
+
:file => controller.file,
|
35
|
+
:cwe_id => [259]
|
35
36
|
break
|
36
37
|
end
|
37
38
|
end
|
@@ -50,7 +51,8 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
|
|
50
51
|
:warning_type => "Basic Auth",
|
51
52
|
:warning_code => :basic_auth_password,
|
52
53
|
:message => "Basic authentication password stored in source code",
|
53
|
-
:confidence => :high
|
54
|
+
:confidence => :high,
|
55
|
+
:cwe_id => [259]
|
54
56
|
end
|
55
57
|
end
|
56
58
|
end
|
@@ -27,7 +27,8 @@ class Brakeman::CheckBasicAuthTimingAttack < Brakeman::BaseCheck
|
|
27
27
|
:warning_code => :CVE_2015_7576,
|
28
28
|
:message => msg("Basic authentication in ", msg_version(rails_version), " is vulnerable to timing attacks. Upgrade to ", msg_version(@upgrade)),
|
29
29
|
:confidence => :high,
|
30
|
-
:link => "https://groups.google.com/d/msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ"
|
30
|
+
:link => "https://groups.google.com/d/msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ",
|
31
|
+
:cwe_id => [1254]
|
31
32
|
end
|
32
33
|
end
|
33
34
|
end
|
@@ -117,7 +117,8 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
|
|
117
117
|
:message => message,
|
118
118
|
:user_input => input,
|
119
119
|
:confidence => :high,
|
120
|
-
:link_path => "content_tag"
|
120
|
+
:link_path => "content_tag",
|
121
|
+
:cwe_id => [79]
|
121
122
|
|
122
123
|
elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(arg)
|
123
124
|
unless IGNORE_MODEL_METHODS.include? match.method
|
@@ -135,7 +136,8 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
|
|
135
136
|
:message => msg("Unescaped model attribute in ", msg_code("content_tag")),
|
136
137
|
:user_input => match,
|
137
138
|
:confidence => confidence,
|
138
|
-
:link_path => "content_tag"
|
139
|
+
:link_path => "content_tag",
|
140
|
+
:cwe_id => [79]
|
139
141
|
end
|
140
142
|
|
141
143
|
elsif @matched
|
@@ -151,7 +153,8 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
|
|
151
153
|
:message => message,
|
152
154
|
:user_input => @matched,
|
153
155
|
:confidence => :medium,
|
154
|
-
:link_path => "content_tag"
|
156
|
+
:link_path => "content_tag",
|
157
|
+
:cwe_id => [79]
|
155
158
|
end
|
156
159
|
end
|
157
160
|
|
@@ -195,7 +198,8 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
|
|
195
198
|
:message => msg(msg_version(rails_version), " ", msg_code("content_tag"), " does not escape double quotes in attribute values ", msg_cve("CVE-2016-6316"), ". Upgrade to ", msg_version(fix_version)),
|
196
199
|
:confidence => confidence,
|
197
200
|
:gem_info => gemfile_or_environment,
|
198
|
-
:link_path => "https://groups.google.com/d/msg/ruby-security-ann/8B2iV2tPRSE/JkjCJkSoCgAJ"
|
201
|
+
:link_path => "https://groups.google.com/d/msg/ruby-security-ann/8B2iV2tPRSE/JkjCJkSoCgAJ",
|
202
|
+
:cwe_id => [79]
|
199
203
|
end
|
200
204
|
end
|
201
205
|
|
@@ -15,7 +15,8 @@ class Brakeman::CheckCookieSerialization < Brakeman::BaseCheck
|
|
15
15
|
:warning_code => :unsafe_cookie_serialization,
|
16
16
|
:message => msg("Use of unsafe cookie serialization strategy ", msg_code(setting.value.inspect), " might lead to remote code execution"),
|
17
17
|
:confidence => :medium,
|
18
|
-
:link_path => "unsafe_deserialization"
|
18
|
+
:link_path => "unsafe_deserialization",
|
19
|
+
:cwe_id => [565, 502]
|
19
20
|
end
|
20
21
|
end
|
21
22
|
end
|
@@ -39,7 +39,8 @@ class Brakeman::CheckCreateWith < Brakeman::BaseCheck
|
|
39
39
|
:result => result,
|
40
40
|
:message => @message,
|
41
41
|
:confidence => confidence,
|
42
|
-
:link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"
|
42
|
+
:link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ",
|
43
|
+
:cwe_id => [915]
|
43
44
|
end
|
44
45
|
end
|
45
46
|
|
@@ -69,6 +70,7 @@ class Brakeman::CheckCreateWith < Brakeman::BaseCheck
|
|
69
70
|
:message => @message,
|
70
71
|
:gem_info => gemfile_or_environment,
|
71
72
|
:confidence => :medium,
|
72
|
-
:link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"
|
73
|
+
:link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ",
|
74
|
+
:cwe_id => [915]
|
73
75
|
end
|
74
76
|
end
|
@@ -82,7 +82,8 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
|
|
82
82
|
:warning_code => :cross_site_scripting,
|
83
83
|
:message => message,
|
84
84
|
:code => input.match,
|
85
|
-
:confidence => :high
|
85
|
+
:confidence => :high,
|
86
|
+
:cwe_id => [79]
|
86
87
|
|
87
88
|
elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(out)
|
88
89
|
method = if call? match
|
@@ -116,7 +117,8 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
|
|
116
117
|
:message => message,
|
117
118
|
:code => match,
|
118
119
|
:confidence => confidence,
|
119
|
-
:link_path => link_path
|
120
|
+
:link_path => link_path,
|
121
|
+
:cwe_id => [79]
|
120
122
|
end
|
121
123
|
|
122
124
|
else
|
@@ -200,7 +202,8 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
|
|
200
202
|
:code => exp,
|
201
203
|
:user_input => @matched,
|
202
204
|
:confidence => confidence,
|
203
|
-
:link_path => link_path
|
205
|
+
:link_path => link_path,
|
206
|
+
:cwe_id => [79]
|
204
207
|
end
|
205
208
|
end
|
206
209
|
|
@@ -21,7 +21,8 @@ class Brakeman::CheckCSRFTokenForgeryCVE < Brakeman::BaseCheck
|
|
21
21
|
:message => msg(msg_version(rails_version), " has a vulnerability that may allow CSRF token forgery. Upgrade to ", msg_version(fix_version), " or patch"),
|
22
22
|
:confidence => :medium,
|
23
23
|
:gem_info => gemfile_or_environment,
|
24
|
-
:link => "https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw"
|
24
|
+
:link => "https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw",
|
25
|
+
:cwe_id => [352]
|
25
26
|
end
|
26
27
|
end
|
27
28
|
end
|
@@ -27,7 +27,8 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
|
|
27
27
|
:message => msg("All public methods in controllers are available as actions in ", msg_file("routes.rb")),
|
28
28
|
:line => tracker.routes[:allow_all_actions].line,
|
29
29
|
:confidence => :high,
|
30
|
-
:file => "#{tracker.app_path}/config/routes.rb"
|
30
|
+
:file => "#{tracker.app_path}/config/routes.rb",
|
31
|
+
:cwe_id => [22]
|
31
32
|
end
|
32
33
|
end
|
33
34
|
|
@@ -49,7 +50,8 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
|
|
49
50
|
:message => msg("Any public method in ", msg_code(name), " can be used as an action for ", msg_code(verb), " requests."),
|
50
51
|
:line => actions[2],
|
51
52
|
:confidence => :medium,
|
52
|
-
:file => "#{tracker.app_path}/config/routes.rb"
|
53
|
+
:file => "#{tracker.app_path}/config/routes.rb",
|
54
|
+
:cwe_id => [22]
|
53
55
|
end
|
54
56
|
end
|
55
57
|
end
|
@@ -82,7 +84,8 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
|
|
82
84
|
:message => msg(msg_version(rails_version), " with globbing routes is vulnerable to directory traversal and remote code execution. Patch or upgrade to ", msg_version(upgrade)),
|
83
85
|
:confidence => confidence,
|
84
86
|
:file => "#{tracker.app_path}/config/routes.rb",
|
85
|
-
:link => "http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf"
|
87
|
+
:link => "http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf",
|
88
|
+
:cwe_id => [22]
|
86
89
|
end
|
87
90
|
|
88
91
|
def allow_all_actions?
|
@@ -19,7 +19,8 @@ class Brakeman::CheckDetailedExceptions < Brakeman::BaseCheck
|
|
19
19
|
:warning_code => :local_request_config,
|
20
20
|
:message => "Detailed exceptions are enabled in production",
|
21
21
|
:confidence => :high,
|
22
|
-
:file => "config/environments/production.rb"
|
22
|
+
:file => "config/environments/production.rb",
|
23
|
+
:cwe_id => [200]
|
23
24
|
end
|
24
25
|
end
|
25
26
|
|
@@ -42,7 +43,8 @@ class Brakeman::CheckDetailedExceptions < Brakeman::BaseCheck
|
|
42
43
|
:message => msg("Detailed exceptions may be enabled in ", msg_code("show_detailed_exceptions?")),
|
43
44
|
:confidence => confidence,
|
44
45
|
:code => src,
|
45
|
-
:file => definition[:file]
|
46
|
+
:file => definition[:file],
|
47
|
+
:cwe_id => [200]
|
46
48
|
end
|
47
49
|
end
|
48
50
|
end
|
@@ -29,7 +29,8 @@ class Brakeman::CheckDigestDoS < Brakeman::BaseCheck
|
|
29
29
|
:message => message,
|
30
30
|
:confidence => confidence,
|
31
31
|
:link_path => "https://groups.google.com/d/topic/rubyonrails-security/vxJjrc15qYM/discussion",
|
32
|
-
:gem_info => gemfile_or_environment
|
32
|
+
:gem_info => gemfile_or_environment,
|
33
|
+
:cwe_id => [287]
|
33
34
|
end
|
34
35
|
|
35
36
|
def with_http_digest?
|
@@ -36,7 +36,8 @@ class Brakeman::CheckDivideByZero < Brakeman::BaseCheck
|
|
36
36
|
:warning_code => :divide_by_zero,
|
37
37
|
:message => "Potential division by zero",
|
38
38
|
:confidence => confidence,
|
39
|
-
:user_input => denominator
|
39
|
+
:user_input => denominator,
|
40
|
+
:cwe_id => [369]
|
40
41
|
end
|
41
42
|
end
|
42
43
|
end
|
@@ -27,7 +27,8 @@ class Brakeman::CheckDynamicFinders < Brakeman::BaseCheck
|
|
27
27
|
:warning_code => :sql_injection_dynamic_finder,
|
28
28
|
:message => "MySQL integer conversion may cause 0 to match any string",
|
29
29
|
:confidence => :medium,
|
30
|
-
:user_input => arg
|
30
|
+
:user_input => arg,
|
31
|
+
:cwe_id => [89]
|
31
32
|
|
32
33
|
break
|
33
34
|
end
|
@@ -15,7 +15,8 @@ class Brakeman::CheckEscapeFunction < Brakeman::BaseCheck
|
|
15
15
|
:message => msg("Rails versions before 2.3.14 have a vulnerability in the ", msg_code("escape"), " method when used with Ruby 1.8 ", msg_cve("CVE-2011-2932")),
|
16
16
|
:confidence => :high,
|
17
17
|
:gem_info => gemfile_or_environment,
|
18
|
-
:link_path => "https://groups.google.com/d/topic/rubyonrails-security/Vr_7WSOrEZU/discussion"
|
18
|
+
:link_path => "https://groups.google.com/d/topic/rubyonrails-security/Vr_7WSOrEZU/discussion",
|
19
|
+
:cwe_id => [79]
|
19
20
|
end
|
20
21
|
end
|
21
22
|
end
|
@@ -117,7 +117,8 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
|
|
117
117
|
:message => "Possible command injection",
|
118
118
|
:code => call,
|
119
119
|
:user_input => failure,
|
120
|
-
:confidence => confidence
|
120
|
+
:confidence => confidence,
|
121
|
+
:cwe_id => [77]
|
121
122
|
end
|
122
123
|
end
|
123
124
|
|
@@ -138,7 +139,8 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
|
|
138
139
|
:warning_code => :command_injection,
|
139
140
|
:message => msg("Possible command injection in ", msg_code("open")),
|
140
141
|
:user_input => match,
|
141
|
-
:confidence => :high
|
142
|
+
:confidence => :high,
|
143
|
+
:cwe_id => [77]
|
142
144
|
end
|
143
145
|
end
|
144
146
|
end
|
@@ -201,7 +203,8 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
|
|
201
203
|
:message => "Possible command injection",
|
202
204
|
:code => exp,
|
203
205
|
:user_input => input,
|
204
|
-
:confidence => confidence
|
206
|
+
:confidence => confidence,
|
207
|
+
:cwe_id => [77]
|
205
208
|
end
|
206
209
|
|
207
210
|
# This method expects a :dstr or :evstr node
|
@@ -25,7 +25,8 @@ class Brakeman::CheckFileDisclosure < Brakeman::BaseCheck
|
|
25
25
|
:message => msg(msg_version(rails_version), " has a file existence disclosure vulnerability. Upgrade to ", msg_version(fix_version), " or disable serving static assets"),
|
26
26
|
:confidence => :high,
|
27
27
|
:gem_info => gemfile_or_environment,
|
28
|
-
:link_path => "https://groups.google.com/d/msg/rubyonrails-security/23fiuwb1NBA/MQVM1-5GkPMJ"
|
28
|
+
:link_path => "https://groups.google.com/d/msg/rubyonrails-security/23fiuwb1NBA/MQVM1-5GkPMJ",
|
29
|
+
:cwe_id => [22]
|
29
30
|
end
|
30
31
|
end
|
31
32
|
|
@@ -15,7 +15,8 @@ class Brakeman::CheckFilterSkipping < Brakeman::BaseCheck
|
|
15
15
|
:message => msg("Rails versions before 3.0.10 have a vulnerability which allows filters to be bypassed", msg_cve("CVE-2011-2929")),
|
16
16
|
:confidence => :high,
|
17
17
|
:gem_info => gemfile_or_environment,
|
18
|
-
:link_path => "https://groups.google.com/d/topic/rubyonrails-security/NCCsca7TEtY/discussion"
|
18
|
+
:link_path => "https://groups.google.com/d/topic/rubyonrails-security/NCCsca7TEtY/discussion",
|
19
|
+
:cwe_id => [20]
|
19
20
|
end
|
20
21
|
end
|
21
22
|
|
@@ -21,7 +21,8 @@ class Brakeman::CheckForceSSL < Brakeman::BaseCheck
|
|
21
21
|
:message => msg("The application does not force use of HTTPS: ", msg_code("config.force_ssl"), " is not enabled"),
|
22
22
|
:confidence => :high,
|
23
23
|
:file => "config/environments/production.rb",
|
24
|
-
:line => line
|
24
|
+
:line => line,
|
25
|
+
:cwe_id => [311]
|
25
26
|
end
|
26
27
|
end
|
27
28
|
end
|
@@ -52,7 +52,8 @@ class Brakeman::CheckForgerySetting < Brakeman::BaseCheck
|
|
52
52
|
opts = {
|
53
53
|
:controller => :ApplicationController,
|
54
54
|
:warning_type => "Cross-Site Request Forgery",
|
55
|
-
:confidence => :high
|
55
|
+
:confidence => :high,
|
56
|
+
:cwe_id => [352]
|
56
57
|
}.merge opts
|
57
58
|
|
58
59
|
warn opts
|
@@ -76,6 +77,7 @@ class Brakeman::CheckForgerySetting < Brakeman::BaseCheck
|
|
76
77
|
:message => msg("CSRF protection is flawed in unpatched versions of ", msg_version(rails_version), " ", msg_cve("CVE-2011-0447"), ". Upgrade to ", msg_version(new_version), " or apply patches as needed"),
|
77
78
|
:gem_info => gemfile_or_environment,
|
78
79
|
:file => nil,
|
79
|
-
:link_path => "https://groups.google.com/d/topic/rubyonrails-security/LZWjzCPgNmU/discussion"
|
80
|
+
:link_path => "https://groups.google.com/d/topic/rubyonrails-security/LZWjzCPgNmU/discussion",
|
81
|
+
:cwe_id => [352]
|
80
82
|
end
|
81
83
|
end
|
@@ -20,7 +20,8 @@ class Brakeman::CheckHeaderDoS < Brakeman::BaseCheck
|
|
20
20
|
:message => message,
|
21
21
|
:confidence => :medium,
|
22
22
|
:gem_info => gemfile_or_environment,
|
23
|
-
:link_path => "https://groups.google.com/d/msg/ruby-security-ann/A-ebV4WxzKg/KNPTbX8XAQUJ"
|
23
|
+
:link_path => "https://groups.google.com/d/msg/ruby-security-ann/A-ebV4WxzKg/KNPTbX8XAQUJ",
|
24
|
+
:cwe_id => [20]
|
24
25
|
end
|
25
26
|
end
|
26
27
|
|
@@ -23,7 +23,8 @@ class Brakeman::CheckI18nXSS < Brakeman::BaseCheck
|
|
23
23
|
:message => message,
|
24
24
|
:confidence => :medium,
|
25
25
|
:gem_info => gemfile_or_environment(:i18n),
|
26
|
-
:link_path => "https://groups.google.com/d/msg/ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ"
|
26
|
+
:link_path => "https://groups.google.com/d/msg/ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ",
|
27
|
+
:cwe_id => [79]
|
27
28
|
end
|
28
29
|
end
|
29
30
|
|
@@ -31,6 +31,7 @@ class Brakeman::CheckJRubyXML < Brakeman::BaseCheck
|
|
31
31
|
:message => msg(msg_version(rails_version), " with JRuby has a vulnerability in XML parser. Upgrade to ", msg_version(fix_version), " or patch"),
|
32
32
|
:confidence => :high,
|
33
33
|
:gem_info => gemfile_or_environment,
|
34
|
-
:link => "https://groups.google.com/d/msg/rubyonrails-security/KZwsQbYsOiI/5kUV7dSCJGwJ"
|
34
|
+
:link => "https://groups.google.com/d/msg/rubyonrails-security/KZwsQbYsOiI/5kUV7dSCJGwJ",
|
35
|
+
:cwe_id => [20]
|
35
36
|
end
|
36
37
|
end
|
@@ -26,7 +26,8 @@ class Brakeman::CheckJSONEncoding < Brakeman::BaseCheck
|
|
26
26
|
:message => message,
|
27
27
|
:confidence => confidence,
|
28
28
|
:gem_info => gemfile_or_environment,
|
29
|
-
:link_path => "https://groups.google.com/d/msg/rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ"
|
29
|
+
:link_path => "https://groups.google.com/d/msg/rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ",
|
30
|
+
:cwe_id => [79]
|
30
31
|
end
|
31
32
|
end
|
32
33
|
|
@@ -17,7 +17,8 @@ class Brakeman::CheckJSONEntityEscape < Brakeman::BaseCheck
|
|
17
17
|
:message => msg("HTML entities in JSON are not escaped by default"),
|
18
18
|
:confidence => :medium,
|
19
19
|
:file => "config/environments/production.rb",
|
20
|
-
:line => 1
|
20
|
+
:line => 1,
|
21
|
+
:cwe_id => [79]
|
21
22
|
end
|
22
23
|
end
|
23
24
|
|
@@ -31,7 +32,8 @@ class Brakeman::CheckJSONEntityEscape < Brakeman::BaseCheck
|
|
31
32
|
:warning_code => :json_html_escape_module,
|
32
33
|
:message => msg("HTML entities in JSON are not escaped by default"),
|
33
34
|
:confidence => :medium,
|
34
|
-
:file => "config/environments/production.rb"
|
35
|
+
:file => "config/environments/production.rb",
|
36
|
+
:cwe_id => [79]
|
35
37
|
end
|
36
38
|
end
|
37
39
|
end
|
@@ -33,7 +33,8 @@ class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
|
|
33
33
|
:message => message,
|
34
34
|
:confidence => :high,
|
35
35
|
:gem_info => gem_info,
|
36
|
-
:link_path => "https://groups.google.com/d/topic/rubyonrails-security/1h2DR63ViGo/discussion"
|
36
|
+
:link_path => "https://groups.google.com/d/topic/rubyonrails-security/1h2DR63ViGo/discussion",
|
37
|
+
:cwe_id => [74] # TODO: is this the best CWE for this?
|
37
38
|
end
|
38
39
|
end
|
39
40
|
|
@@ -98,7 +99,8 @@ class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
|
|
98
99
|
:message => message,
|
99
100
|
:confidence => confidence,
|
100
101
|
:gem_info => gemfile_or_environment(name),
|
101
|
-
:link => "https://groups.google.com/d/topic/rubyonrails-security/4_YvCpLzL58/discussion"
|
102
|
+
:link => "https://groups.google.com/d/topic/rubyonrails-security/4_YvCpLzL58/discussion",
|
103
|
+
:cwe_id => [74] # TODO: is this the best CWE for this?
|
102
104
|
end
|
103
105
|
|
104
106
|
def uses_json_parse?
|
@@ -56,7 +56,8 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
|
|
56
56
|
:message => message,
|
57
57
|
:user_input => input,
|
58
58
|
:confidence => :high,
|
59
|
-
:link_path => "link_to_href"
|
59
|
+
:link_path => "link_to_href",
|
60
|
+
:cwe_id => [79]
|
60
61
|
end
|
61
62
|
elsif not tracker.options[:ignore_model_output] and input = has_immediate_model?(url_arg)
|
62
63
|
return if ignore_model_call? url_arg, input or duplicate? result
|
@@ -70,7 +71,8 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
|
|
70
71
|
:message => message,
|
71
72
|
:user_input => input,
|
72
73
|
:confidence => :weak,
|
73
|
-
:link_path => "link_to_href"
|
74
|
+
:link_path => "link_to_href",
|
75
|
+
:cwe_id => [79]
|
74
76
|
end
|
75
77
|
end
|
76
78
|
|
@@ -25,7 +25,8 @@ class Brakeman::CheckMailTo < Brakeman::BaseCheck
|
|
25
25
|
:message => message,
|
26
26
|
:confidence => :high,
|
27
27
|
:gem_info => gemfile_or_environment, # Probably ignored now
|
28
|
-
:link_path => "https://groups.google.com/d/topic/rubyonrails-security/8CpI7egxX4E/discussion"
|
28
|
+
:link_path => "https://groups.google.com/d/topic/rubyonrails-security/8CpI7egxX4E/discussion",
|
29
|
+
:cwe_id => [79]
|
29
30
|
end
|
30
31
|
end
|
31
32
|
|
@@ -99,7 +99,8 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
|
|
99
99
|
:message => "Unprotected mass assignment",
|
100
100
|
:code => call,
|
101
101
|
:user_input => input,
|
102
|
-
:confidence => confidence
|
102
|
+
:confidence => confidence,
|
103
|
+
:cwe_id => [915]
|
103
104
|
end
|
104
105
|
|
105
106
|
res
|
@@ -205,7 +206,8 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
|
|
205
206
|
:warning_type => "Mass Assignment",
|
206
207
|
:warning_code => :mass_assign_permit!,
|
207
208
|
:message => msg('Specify exact keys allowed for mass assignment instead of using ', msg_code('permit!'), ' which allows any keys'),
|
208
|
-
:confidence => confidence
|
209
|
+
:confidence => confidence,
|
210
|
+
:cwe_id => [915]
|
209
211
|
end
|
210
212
|
|
211
213
|
def check_permit_all_parameters
|
@@ -217,7 +219,8 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
|
|
217
219
|
:warning_type => "Mass Assignment",
|
218
220
|
:warning_code => :mass_assign_permit_all,
|
219
221
|
:message => msg('Mass assignment is globally enabled. Disable and specify exact keys using ', msg_code('params.permit'), ' instead'),
|
220
|
-
:confidence => :high
|
222
|
+
:confidence => :high,
|
223
|
+
:cwe_id => [915]
|
221
224
|
end
|
222
225
|
end
|
223
226
|
end
|
@@ -26,7 +26,8 @@ class Brakeman::CheckMimeTypeDoS < Brakeman::BaseCheck
|
|
26
26
|
:message => message,
|
27
27
|
:confidence => :medium,
|
28
28
|
:gem_info => gemfile_or_environment,
|
29
|
-
:link_path => "https://groups.google.com/d/msg/rubyonrails-security/9oLY_FCzvoc/w9oI9XxbFQAJ"
|
29
|
+
:link_path => "https://groups.google.com/d/msg/rubyonrails-security/9oLY_FCzvoc/w9oI9XxbFQAJ",
|
30
|
+
:cwe_id => [399]
|
30
31
|
end
|
31
32
|
|
32
33
|
def has_workaround?
|
@@ -31,7 +31,8 @@ class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
|
|
31
31
|
:warning_code => :dangerous_attr_accessible,
|
32
32
|
:message => "Potentially dangerous attribute available for mass assignment",
|
33
33
|
:confidence => confidence,
|
34
|
-
:code => Sexp.new(:lit, attribute)
|
34
|
+
:code => Sexp.new(:lit, attribute),
|
35
|
+
:cwe_id => [915]
|
35
36
|
break # Prevent from matching single attr multiple times
|
36
37
|
end
|
37
38
|
end
|
@@ -23,7 +23,8 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
|
|
23
23
|
:warning_type => "Attribute Restriction",
|
24
24
|
:warning_code => :no_attr_accessible,
|
25
25
|
:message => msg("Mass assignment is not restricted using ", msg_code("attr_accessible")),
|
26
|
-
:confidence => :high
|
26
|
+
:confidence => :high,
|
27
|
+
:cwe_id => [915] # TODO: Should this be mass assignment?
|
27
28
|
elsif not tracker.options[:ignore_attr_protected]
|
28
29
|
message, confidence, link = check_for_attr_protected_bypass
|
29
30
|
|
@@ -39,7 +40,8 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
|
|
39
40
|
:warning_type => "Attribute Restriction",
|
40
41
|
:warning_code => warning_code,
|
41
42
|
:message => message,
|
42
|
-
:confidence => confidence
|
43
|
+
:confidence => confidence,
|
44
|
+
:cwe_id => [915] # TODO: Should this be mass assignment?
|
43
45
|
end
|
44
46
|
end
|
45
47
|
end
|
@@ -61,7 +61,8 @@ class Brakeman::CheckModelSerialize < Brakeman::BaseCheck
|
|
61
61
|
:confidence => confidence,
|
62
62
|
:link => "https://groups.google.com/d/topic/rubyonrails-security/KtmwSbEpzrU/discussion",
|
63
63
|
:file => model.file,
|
64
|
-
:line => model.top_line
|
64
|
+
:line => model.top_line,
|
65
|
+
:cwe_id => [502]
|
65
66
|
end
|
66
67
|
end
|
67
68
|
end
|