brakeman-lib 5.2.1 → 5.3.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (100) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGES.md +21 -0
  3. data/lib/brakeman/app_tree.rb +9 -1
  4. data/lib/brakeman/checks/check_basic_auth.rb +4 -2
  5. data/lib/brakeman/checks/check_basic_auth_timing_attack.rb +2 -1
  6. data/lib/brakeman/checks/check_content_tag.rb +8 -4
  7. data/lib/brakeman/checks/check_cookie_serialization.rb +2 -1
  8. data/lib/brakeman/checks/check_create_with.rb +4 -2
  9. data/lib/brakeman/checks/check_cross_site_scripting.rb +6 -3
  10. data/lib/brakeman/checks/check_csrf_token_forgery_cve.rb +2 -1
  11. data/lib/brakeman/checks/check_default_routes.rb +6 -3
  12. data/lib/brakeman/checks/check_deserialize.rb +2 -1
  13. data/lib/brakeman/checks/check_detailed_exceptions.rb +4 -2
  14. data/lib/brakeman/checks/check_digest_dos.rb +2 -1
  15. data/lib/brakeman/checks/check_divide_by_zero.rb +2 -1
  16. data/lib/brakeman/checks/check_dynamic_finders.rb +2 -1
  17. data/lib/brakeman/checks/check_escape_function.rb +2 -1
  18. data/lib/brakeman/checks/check_evaluation.rb +2 -1
  19. data/lib/brakeman/checks/check_execute.rb +6 -3
  20. data/lib/brakeman/checks/check_file_access.rb +2 -1
  21. data/lib/brakeman/checks/check_file_disclosure.rb +2 -1
  22. data/lib/brakeman/checks/check_filter_skipping.rb +2 -1
  23. data/lib/brakeman/checks/check_force_ssl.rb +2 -1
  24. data/lib/brakeman/checks/check_forgery_setting.rb +4 -2
  25. data/lib/brakeman/checks/check_header_dos.rb +2 -1
  26. data/lib/brakeman/checks/check_i18n_xss.rb +2 -1
  27. data/lib/brakeman/checks/check_jruby_xml.rb +2 -1
  28. data/lib/brakeman/checks/check_json_encoding.rb +2 -1
  29. data/lib/brakeman/checks/check_json_entity_escape.rb +4 -2
  30. data/lib/brakeman/checks/check_json_parsing.rb +4 -2
  31. data/lib/brakeman/checks/check_link_to.rb +2 -1
  32. data/lib/brakeman/checks/check_link_to_href.rb +4 -2
  33. data/lib/brakeman/checks/check_mail_to.rb +2 -1
  34. data/lib/brakeman/checks/check_mass_assignment.rb +6 -3
  35. data/lib/brakeman/checks/check_mime_type_dos.rb +2 -1
  36. data/lib/brakeman/checks/check_model_attr_accessible.rb +2 -1
  37. data/lib/brakeman/checks/check_model_attributes.rb +4 -2
  38. data/lib/brakeman/checks/check_model_serialize.rb +2 -1
  39. data/lib/brakeman/checks/check_nested_attributes.rb +2 -1
  40. data/lib/brakeman/checks/check_nested_attributes_bypass.rb +2 -1
  41. data/lib/brakeman/checks/check_number_to_currency.rb +4 -2
  42. data/lib/brakeman/checks/check_page_caching_cve.rb +2 -1
  43. data/lib/brakeman/checks/check_permit_attributes.rb +2 -1
  44. data/lib/brakeman/checks/check_quote_table_name.rb +2 -1
  45. data/lib/brakeman/checks/check_redirect.rb +2 -1
  46. data/lib/brakeman/checks/check_regex_dos.rb +2 -1
  47. data/lib/brakeman/checks/check_render.rb +4 -2
  48. data/lib/brakeman/checks/check_render_dos.rb +2 -1
  49. data/lib/brakeman/checks/check_render_inline.rb +4 -2
  50. data/lib/brakeman/checks/check_response_splitting.rb +2 -1
  51. data/lib/brakeman/checks/check_reverse_tabnabbing.rb +2 -1
  52. data/lib/brakeman/checks/check_route_dos.rb +2 -1
  53. data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +2 -1
  54. data/lib/brakeman/checks/check_sanitize_config_cve.rb +120 -0
  55. data/lib/brakeman/checks/check_sanitize_methods.rb +6 -3
  56. data/lib/brakeman/checks/check_secrets.rb +2 -1
  57. data/lib/brakeman/checks/check_select_tag.rb +2 -1
  58. data/lib/brakeman/checks/check_select_vulnerability.rb +2 -1
  59. data/lib/brakeman/checks/check_send.rb +2 -1
  60. data/lib/brakeman/checks/check_session_manipulation.rb +2 -1
  61. data/lib/brakeman/checks/check_session_settings.rb +6 -3
  62. data/lib/brakeman/checks/check_simple_format.rb +4 -2
  63. data/lib/brakeman/checks/check_single_quotes.rb +2 -1
  64. data/lib/brakeman/checks/check_skip_before_filter.rb +4 -2
  65. data/lib/brakeman/checks/check_sprockets_path_traversal.rb +2 -1
  66. data/lib/brakeman/checks/check_sql.rb +7 -4
  67. data/lib/brakeman/checks/check_sql_cves.rb +4 -2
  68. data/lib/brakeman/checks/check_ssl_verify.rb +2 -1
  69. data/lib/brakeman/checks/check_strip_tags.rb +6 -3
  70. data/lib/brakeman/checks/check_symbol_dos.rb +2 -1
  71. data/lib/brakeman/checks/check_symbol_dos_cve.rb +2 -1
  72. data/lib/brakeman/checks/check_template_injection.rb +2 -1
  73. data/lib/brakeman/checks/check_translate_bug.rb +2 -1
  74. data/lib/brakeman/checks/check_unsafe_reflection.rb +9 -3
  75. data/lib/brakeman/checks/check_unsafe_reflection_methods.rb +2 -1
  76. data/lib/brakeman/checks/check_unscoped_find.rb +2 -1
  77. data/lib/brakeman/checks/check_validation_regex.rb +2 -1
  78. data/lib/brakeman/checks/check_verb_confusion.rb +2 -1
  79. data/lib/brakeman/checks/check_weak_hash.rb +6 -3
  80. data/lib/brakeman/checks/check_without_protection.rb +2 -1
  81. data/lib/brakeman/checks/check_xml_dos.rb +2 -1
  82. data/lib/brakeman/checks/check_yaml_parsing.rb +4 -2
  83. data/lib/brakeman/checks/eol_check.rb +4 -2
  84. data/lib/brakeman/options.rb +1 -1
  85. data/lib/brakeman/processors/alias_processor.rb +41 -2
  86. data/lib/brakeman/processors/lib/find_all_calls.rb +1 -0
  87. data/lib/brakeman/report/ignore/interactive.rb +2 -2
  88. data/lib/brakeman/report/report_csv.rb +2 -0
  89. data/lib/brakeman/report/report_junit.rb +2 -2
  90. data/lib/brakeman/report/report_table.rb +5 -5
  91. data/lib/brakeman/report/report_text.rb +2 -0
  92. data/lib/brakeman/report/templates/controller_warnings.html.erb +2 -0
  93. data/lib/brakeman/report/templates/ignored_warnings.html.erb +2 -0
  94. data/lib/brakeman/report/templates/model_warnings.html.erb +2 -0
  95. data/lib/brakeman/report/templates/security_warnings.html.erb +2 -0
  96. data/lib/brakeman/report/templates/view_warnings.html.erb +2 -0
  97. data/lib/brakeman/version.rb +1 -1
  98. data/lib/brakeman/warning.rb +5 -2
  99. data/lib/brakeman/warning_codes.rb +1 -0
  100. metadata +5 -4
@@ -24,7 +24,8 @@ class Brakeman::CheckNestedAttributes < Brakeman::BaseCheck
24
24
  :message => message,
25
25
  :confidence => :high,
26
26
  :gem_info => gemfile_or_environment,
27
- :link_path => "https://groups.google.com/d/topic/rubyonrails-security/-fkT0yja_gw/discussion"
27
+ :link_path => "https://groups.google.com/d/topic/rubyonrails-security/-fkT0yja_gw/discussion",
28
+ :cwe_id => [20]
28
29
  end
29
30
  end
30
31
 
@@ -39,7 +39,8 @@ class Brakeman::CheckNestedAttributesBypass < Brakeman::BaseCheck
39
39
  :file => model.file,
40
40
  :line => args.line,
41
41
  :confidence => :medium,
42
- :link_path => "https://groups.google.com/d/msg/rubyonrails-security/cawsWcQ6c8g/tegZtYdbFQAJ"
42
+ :link_path => "https://groups.google.com/d/msg/rubyonrails-security/cawsWcQ6c8g/tegZtYdbFQAJ",
43
+ :cwe_id => [284]
43
44
  end
44
45
 
45
46
  def allow_destroy? arg
@@ -36,7 +36,8 @@ class Brakeman::CheckNumberToCurrency < Brakeman::BaseCheck
36
36
  :message => message,
37
37
  :confidence => :medium,
38
38
  :gem_info => gemfile_or_environment,
39
- :link_path => "https://groups.google.com/d/msg/ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ"
39
+ :link_path => "https://groups.google.com/d/msg/ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ",
40
+ :cwe_id => [79]
40
41
  end
41
42
 
42
43
  def check_number_helper_usage
@@ -69,6 +70,7 @@ class Brakeman::CheckNumberToCurrency < Brakeman::BaseCheck
69
70
  :message => msg("Format options in ", msg_code(result[:call].method), " are not safe in ", msg_version(rails_version)),
70
71
  :confidence => :high,
71
72
  :link_path => "https://groups.google.com/d/msg/ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ",
72
- :user_input => match
73
+ :user_input => match,
74
+ :cwe_id => [79]
73
75
  end
74
76
  end
@@ -26,7 +26,8 @@ class Brakeman::CheckPageCachingCVE < Brakeman::BaseCheck
26
26
  :message => message,
27
27
  :confidence => confidence,
28
28
  :link_path => 'https://groups.google.com/d/msg/rubyonrails-security/CFRVkEytdP8/c5gmICECAgAJ',
29
- :gem_info => gemfile_or_environment(gem_name)
29
+ :gem_info => gemfile_or_environment(gem_name),
30
+ :cwe_id => [22]
30
31
  end
31
32
 
32
33
  def uses_caches_page?
@@ -38,6 +38,7 @@ class Brakeman::CheckPermitAttributes < Brakeman::BaseCheck
38
38
  :warning_code => :dangerous_permit_key,
39
39
  :message => "Potentially dangerous key allowed for mass assignment",
40
40
  :confidence => (confidence || SUSPICIOUS_KEYS[key.value]),
41
- :user_input => key
41
+ :user_input => key,
42
+ :cwe_id => [915]
42
43
  end
43
44
  end
@@ -28,7 +28,8 @@ class Brakeman::CheckQuoteTableName < Brakeman::BaseCheck
28
28
  :message => message,
29
29
  :confidence => confidence,
30
30
  :gem_info => gemfile_or_environment,
31
- :link_path => "https://groups.google.com/d/topic/rubyonrails-security/ah5HN0S8OJs/discussion"
31
+ :link_path => "https://groups.google.com/d/topic/rubyonrails-security/ah5HN0S8OJs/discussion",
32
+ :cwe_id => [89]
32
33
  end
33
34
  end
34
35
 
@@ -55,7 +55,8 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
55
55
  :message => "Possible unprotected redirect",
56
56
  :code => call,
57
57
  :user_input => res,
58
- :confidence => confidence
58
+ :confidence => confidence,
59
+ :cwe_id => [601]
59
60
  end
60
61
  end
61
62
 
@@ -51,7 +51,8 @@ class Brakeman::CheckRegexDoS < Brakeman::BaseCheck
51
51
  :warning_code => :regex_dos,
52
52
  :message => message,
53
53
  :confidence => confidence,
54
- :user_input => match
54
+ :user_input => match,
55
+ :cwe_id => [20, 185]
55
56
  end
56
57
  end
57
58
  end
@@ -57,7 +57,8 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
57
57
  :warning_code => :dynamic_render_path,
58
58
  :message => message,
59
59
  :user_input => input,
60
- :confidence => confidence
60
+ :confidence => confidence,
61
+ :cwe_id => [22]
61
62
  end
62
63
  end
63
64
 
@@ -78,7 +79,8 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
78
79
  :warning_code => :dynamic_render_path_rce,
79
80
  :message => msg("Passing query parameters to ", msg_code("render"), " is vulnerable in ", msg_version(rails_version), " ", msg_cve("CVE-2016-0752")),
80
81
  :user_input => view,
81
- :confidence => :high
82
+ :confidence => :high,
83
+ :cwe_id => [22]
82
84
  end
83
85
  end
84
86
  end
@@ -32,6 +32,7 @@ class Brakeman::CheckRenderDoS < Brakeman::BaseCheck
32
32
  :message => message,
33
33
  :confidence => :high,
34
34
  :link_path => "https://groups.google.com/d/msg/rubyonrails-security/LMxO_3_eCuc/ozGBEhKaJbIJ",
35
- :gem_info => gemfile_or_environment
35
+ :gem_info => gemfile_or_environment,
36
+ :cwe_id => [20]
36
37
  end
37
38
  end
@@ -28,14 +28,16 @@ class Brakeman::CheckRenderInline < Brakeman::CheckCrossSiteScripting
28
28
  :warning_code => :cross_site_scripting_inline,
29
29
  :message => msg("Unescaped ", msg_input(input), " rendered inline"),
30
30
  :user_input => input,
31
- :confidence => :high
31
+ :confidence => :high,
32
+ :cwe_id => [79]
32
33
  elsif input = has_immediate_model?(render_value)
33
34
  warn :result => result,
34
35
  :warning_type => "Cross-Site Scripting",
35
36
  :warning_code => :cross_site_scripting_inline,
36
37
  :message => "Unescaped model attribute rendered inline",
37
38
  :user_input => input,
38
- :confidence => :medium
39
+ :confidence => :medium,
40
+ :cwe_id => [79]
39
41
  end
40
42
  end
41
43
  end
@@ -15,7 +15,8 @@ class Brakeman::CheckResponseSplitting < Brakeman::BaseCheck
15
15
  :message => msg("Rails versions before 2.3.14 have a vulnerability content type handling allowing injection of headers ", msg_cve("CVE-2011-3186")),
16
16
  :confidence => :medium,
17
17
  :gem_info => gemfile_or_environment,
18
- :link_path => "https://groups.google.com/d/topic/rubyonrails-security/b_yTveAph2g/discussion"
18
+ :link_path => "https://groups.google.com/d/topic/rubyonrails-security/b_yTveAph2g/discussion",
19
+ :cwe_id => [94]
19
20
  end
20
21
  end
21
22
  end
@@ -53,6 +53,7 @@ class Brakeman::CheckReverseTabnabbing < Brakeman::BaseCheck
53
53
  :message => msg("When opening a link in a new tab without setting ", msg_code('rel: "noopener noreferrer"'),
54
54
  ", the new tab can control the parent tab's location. For example, an attacker could redirect to a phishing page."),
55
55
  :confidence => confidence,
56
- :user_input => rel
56
+ :user_input => rel,
57
+ :cwe_id => [1022]
57
58
  end
58
59
  end
@@ -23,7 +23,8 @@ class Brakeman::CheckRouteDoS < Brakeman::BaseCheck
23
23
  :message => message,
24
24
  :confidence => :medium,
25
25
  :gem_info => gemfile_or_environment,
26
- :link_path => "https://groups.google.com/d/msg/rubyonrails-security/dthJ5wL69JE/YzPnFelbFQAJ"
26
+ :link_path => "https://groups.google.com/d/msg/rubyonrails-security/dthJ5wL69JE/YzPnFelbFQAJ",
27
+ :cwe_id => [399]
27
28
  end
28
29
  end
29
30
 
@@ -26,6 +26,7 @@ class Brakeman::CheckSafeBufferManipulation < Brakeman::BaseCheck
26
26
  :warning_code => :safe_buffer_vuln,
27
27
  :message => message,
28
28
  :confidence => :medium,
29
- :gem_info => gemfile_or_environment
29
+ :gem_info => gemfile_or_environment,
30
+ :cwe_id => [79]
30
31
  end
31
32
  end
@@ -0,0 +1,120 @@
1
+ require 'brakeman/checks/base_check'
2
+
3
+ class Brakeman::CheckSanitizeConfigCve < Brakeman::BaseCheck
4
+ Brakeman::Checks.add self
5
+
6
+ @description = "Checks for vunerable uses of sanitize (CVE-2022-32209)"
7
+
8
+ def run_check
9
+ @specific_warning = false
10
+
11
+ @gem_version = tracker.config.gem_version :'rails-html-sanitizer'
12
+ if version_between? "0.0.0", "1.4.3", @gem_version
13
+ check_config
14
+ check_sanitize_calls
15
+ check_safe_list_allowed_tags
16
+
17
+ unless @specific_warning
18
+ # General warning about the vulnerable version
19
+ cve_warning
20
+ end
21
+ end
22
+ end
23
+
24
+ def cve_warning confidence: :weak, result: nil
25
+ return if result and not original? result
26
+
27
+ message = msg(msg_version(@gem_version, 'rails-html-sanitizer'),
28
+ " is vulnerable to cross-site scripting when ",
29
+ msg_code('select'),
30
+ " and ",
31
+ msg_code("style"),
32
+ " tags are allowed ",
33
+ msg_cve("CVE-2022-32209")
34
+ )
35
+
36
+ unless result
37
+ message << ". Upgrade to 1.4.3 or newer"
38
+ end
39
+
40
+ warn :warning_type => "Cross-Site Scripting",
41
+ :warning_code => :CVE_2022_32209,
42
+ :message => message,
43
+ :confidence => confidence,
44
+ :gem_info => gemfile_or_environment(:'rails-html-sanitizer'),
45
+ :link_path => "https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s/m/S0fJfnkmBAAJ",
46
+ :cwe_id => [79],
47
+ :result => result
48
+ end
49
+
50
+ # Look for
51
+ # config.action_view.sanitized_allowed_tags = ["select", "style"]
52
+ def check_config
53
+ sanitizer_config = tracker.config.rails.dig(:action_view, :sanitized_allowed_tags)
54
+
55
+ if sanitizer_config and include_both_tags? sanitizer_config
56
+ @specific_warning = true
57
+ cve_warning confidence: :high
58
+ end
59
+ end
60
+
61
+ # Look for
62
+ # sanitize ..., tags: ["select", "style"]
63
+ # and
64
+ # Rails::Html::SafeListSanitizer.new.sanitize(..., tags: ["select", "style"])
65
+ def check_sanitize_calls
66
+ tracker.find_call(method: :sanitize, target: nil).each do |result|
67
+ check_tags_option result
68
+ end
69
+
70
+ tracker.find_call(method: :sanitize, target: :'Rails::Html::SafeListSanitizer.new').each do |result|
71
+ check_tags_option result
72
+ end
73
+ end
74
+
75
+ # Look for
76
+ # Rails::Html::SafeListSanitizer.allowed_tags = ["select", "style"]
77
+ def check_safe_list_allowed_tags
78
+ tracker.find_call(target: :'Rails::Html::SafeListSanitizer', method: :allowed_tags=).each do |result|
79
+ check_result result, result[:call].first_arg
80
+ end
81
+ end
82
+
83
+ private
84
+
85
+ def check_tags_option result
86
+ options = result[:call].last_arg
87
+
88
+ if options
89
+ check_result result, hash_access(options, :tags)
90
+ end
91
+ end
92
+
93
+ def check_result result, arg
94
+ if include_both_tags? arg
95
+ @specific_warning = true
96
+ cve_warning confidence: :high, result: result
97
+ end
98
+ end
99
+
100
+ def include_both_tags? exp
101
+ return unless sexp? exp
102
+
103
+ has_tag? exp, 'select' and
104
+ has_tag? exp, 'style'
105
+ end
106
+
107
+ def has_tag? exp, tag
108
+ tag_sym = tag.to_sym
109
+
110
+ exp.each_sexp do |e|
111
+ if string? e and e.value == tag
112
+ return true
113
+ elsif symbol? e and e.value == tag_sym
114
+ return true
115
+ end
116
+ end
117
+
118
+ false
119
+ end
120
+ end
@@ -51,7 +51,8 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
51
51
  :warning_code => code,
52
52
  :message => message,
53
53
  :confidence => :high,
54
- :link_path => link
54
+ :link_path => link,
55
+ :cwe_id => [79]
55
56
  end
56
57
  end
57
58
 
@@ -83,7 +84,8 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
83
84
  :message => message,
84
85
  :gem_info => gemfile_or_environment(:loofah),
85
86
  :confidence => confidence,
86
- :link_path => "https://github.com/flavorjones/loofah/issues/144"
87
+ :link_path => "https://github.com/flavorjones/loofah/issues/144",
88
+ :cwe_id => [79]
87
89
  end
88
90
  end
89
91
 
@@ -108,6 +110,7 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
108
110
  :message => message,
109
111
  :gem_info => gemfile_or_environment(:'rails-html-sanitizer'),
110
112
  :confidence => confidence,
111
- :link_path => link
113
+ :link_path => link,
114
+ :cwe_id => [79]
112
115
  end
113
116
  end
@@ -27,7 +27,8 @@ class Brakeman::CheckSecrets < Brakeman::BaseCheck
27
27
  :message => msg("Hardcoded value for ", msg_code(name), " in source code"),
28
28
  :confidence => :medium,
29
29
  :file => constant.file,
30
- :line => constant.line
30
+ :line => constant.line,
31
+ :cwe_id => [798]
31
32
  end
32
33
  end
33
34
  end
@@ -52,7 +52,8 @@ class Brakeman::CheckSelectTag < Brakeman::BaseCheck
52
52
  :message => @message,
53
53
  :confidence => :high,
54
54
  :user_input => input,
55
- :link_path => "https://groups.google.com/d/topic/rubyonrails-security/fV3QUToSMSw/discussion"
55
+ :link_path => "https://groups.google.com/d/topic/rubyonrails-security/fV3QUToSMSw/discussion",
56
+ :cwe_id => [79]
56
57
  end
57
58
  end
58
59
  end
@@ -54,7 +54,8 @@ class Brakeman::CheckSelectVulnerability < Brakeman::BaseCheck
54
54
  :warning_code => :select_options_vuln,
55
55
  :result => result,
56
56
  :message => @message,
57
- :confidence => confidence
57
+ :confidence => confidence,
58
+ :cwe_id => [79]
58
59
  end
59
60
  end
60
61
  end
@@ -29,7 +29,8 @@ class Brakeman::CheckSend < Brakeman::BaseCheck
29
29
  :warning_code => :dangerous_send,
30
30
  :message => "User controlled method execution",
31
31
  :user_input => input,
32
- :confidence => :high
32
+ :confidence => :high,
33
+ :cwe_id => [77]
33
34
  end
34
35
  end
35
36
 
@@ -28,7 +28,8 @@ class Brakeman::CheckSessionManipulation < Brakeman::BaseCheck
28
28
  :warning_code => :session_key_manipulation,
29
29
  :message => msg(msg_input(input), " used as key in session hash"),
30
30
  :user_input => input,
31
- :confidence => confidence
31
+ :confidence => confidence,
32
+ :cwe_id => [20] # TODO: what cwe should this be? it seems like it's looking for authz bypass
32
33
  end
33
34
  end
34
35
  end
@@ -142,7 +142,8 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
142
142
  :message => "Session cookies should be set to HTTP only",
143
143
  :confidence => :high,
144
144
  :line => line,
145
- :file => file
145
+ :file => file,
146
+ :cwe_id => [1004]
146
147
 
147
148
  end
148
149
 
@@ -152,7 +153,8 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
152
153
  :message => "Session secret should not be included in version control",
153
154
  :confidence => :high,
154
155
  :line => line,
155
- :file => file
156
+ :file => file,
157
+ :cwe_id => [798]
156
158
  end
157
159
 
158
160
  def warn_about_secure_only line, file
@@ -161,7 +163,8 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
161
163
  :message => "Session cookie should be set to secure only",
162
164
  :confidence => :high,
163
165
  :line => line,
164
- :file => file
166
+ :file => file,
167
+ :cwe_id => [614]
165
168
  end
166
169
 
167
170
  def ignored? file
@@ -28,7 +28,8 @@ class Brakeman::CheckSimpleFormat < Brakeman::CheckCrossSiteScripting
28
28
  :message => message,
29
29
  :confidence => :medium,
30
30
  :gem_info => gemfile_or_environment,
31
- :link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ"
31
+ :link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ",
32
+ :cwe_id => [79]
32
33
  end
33
34
 
34
35
  def check_simple_format_usage
@@ -58,6 +59,7 @@ class Brakeman::CheckSimpleFormat < Brakeman::CheckCrossSiteScripting
58
59
  :message => msg("Values passed to ", msg_code("simple_format"), " are not safe in ", msg_version(rails_version)),
59
60
  :confidence => :high,
60
61
  :link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ",
61
- :user_input => match
62
+ :user_input => match,
63
+ :cwe_id => [79]
62
64
  end
63
65
  end
@@ -38,7 +38,8 @@ class Brakeman::CheckSingleQuotes < Brakeman::BaseCheck
38
38
  :message => message,
39
39
  :confidence => :medium,
40
40
  :gem_info => gemfile_or_environment,
41
- :link_path => "https://groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion"
41
+ :link_path => "https://groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion",
42
+ :cwe_id => [79]
42
43
  end
43
44
 
44
45
  #Process initializers to see if they use workaround
@@ -29,7 +29,8 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
29
29
  :message => msg("List specific actions (", msg_code(":only => [..]"), ") when skipping CSRF check"),
30
30
  :code => filter,
31
31
  :confidence => :medium,
32
- :file => controller.file
32
+ :file => controller.file,
33
+ :cwe_id => [352]
33
34
 
34
35
  when :login_required, :authenticate_user!, :require_user
35
36
  warn :controller => controller.name,
@@ -39,7 +40,8 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
39
40
  :code => filter,
40
41
  :confidence => :medium,
41
42
  :link_path => "authentication_whitelist",
42
- :file => controller.file
43
+ :file => controller.file,
44
+ :cwe_id => [287]
43
45
  end
44
46
  end
45
47
 
@@ -30,7 +30,8 @@ class Brakeman::CheckSprocketsPathTraversal < Brakeman::BaseCheck
30
30
  :message => message,
31
31
  :confidence => confidence,
32
32
  :gem_info => gemfile_or_environment(:sprockets),
33
- :link_path => "https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ"
33
+ :link_path => "https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ",
34
+ :cwe_id => [22, 200]
34
35
  end
35
36
 
36
37
  def has_workaround?
@@ -247,7 +247,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
247
247
  :warning_code => :sql_injection,
248
248
  :message => "Possible SQL injection",
249
249
  :user_input => user_input,
250
- :confidence => confidence
250
+ :confidence => confidence,
251
+ :cwe_id => [89]
251
252
  end
252
253
 
253
254
  if check_for_limit_or_offset_vulnerability call.last_arg
@@ -261,7 +262,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
261
262
  :warning_type => "SQL Injection",
262
263
  :warning_code => :sql_injection_limit_offset,
263
264
  :message => msg("Upgrade to Rails >= 2.1.2 to escape ", msg_code(":limit"), " and ", msg_code("offset"), ". Possible SQL injection"),
264
- :confidence => confidence
265
+ :confidence => confidence,
266
+ :cwe_id => [89]
265
267
  end
266
268
  end
267
269
 
@@ -405,7 +407,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
405
407
  nil
406
408
  end
407
409
 
408
- TO_STRING_METHODS = [:chomp, :to_s, :squish, :strip, :strip_heredoc]
410
+ TO_STRING_METHODS = [:chomp, :chop, :lstrip, :rstrip, :scrub, :squish, :strip,
411
+ :strip_heredoc, :to_s, :tr]
409
412
 
410
413
  #Returns value if interpolated value is not something safe
411
414
  def unsafe_string_interp? exp
@@ -744,6 +747,6 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
744
747
  date_target? exp.target
745
748
  else
746
749
  false
747
- end
750
+ end
748
751
  end
749
752
  end
@@ -81,7 +81,8 @@ class Brakeman::CheckSQLCVEs < Brakeman::BaseCheck
81
81
  :message => msg(msg_version(rails_version), " contains a SQL injection vulnerability ", msg_cve(cve), ". Upgrade to ", msg_version(upgrade_version)),
82
82
  :confidence => :high,
83
83
  :gem_info => gemfile_or_environment,
84
- :link_path => link
84
+ :link_path => link,
85
+ :cwe_id => [89]
85
86
  end
86
87
 
87
88
  def upgrade_version? versions
@@ -101,6 +102,7 @@ class Brakeman::CheckSQLCVEs < Brakeman::BaseCheck
101
102
  :message => msg(msg_version(rails_version), " contains a SQL injection vulnerability ", msg_cve("CVE-2014-0080"), " with PostgreSQL. Upgrade to ", msg_version("4.0.3")),
102
103
  :confidence => :high,
103
104
  :gem_info => gemfile_or_environment(:pg),
104
- :link_path => "https://groups.google.com/d/msg/rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ"
105
+ :link_path => "https://groups.google.com/d/msg/rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ",
106
+ :cwe_id => [89]
105
107
  end
106
108
  end
@@ -43,6 +43,7 @@ class Brakeman::CheckSSLVerify < Brakeman::BaseCheck
43
43
  :warning_type => "SSL Verification Bypass",
44
44
  :warning_code => :ssl_verification_bypass,
45
45
  :message => "SSL certificate verification was bypassed",
46
- :confidence => :high
46
+ :confidence => :high,
47
+ :cwe_id => [295]
47
48
  end
48
49
  end
@@ -35,7 +35,8 @@ class Brakeman::CheckStripTags < Brakeman::BaseCheck
35
35
  :message => message,
36
36
  :gem_info => gemfile_or_environment,
37
37
  :confidence => :high,
38
- :link_path => "https://groups.google.com/d/topic/rubyonrails-security/K5EwdJt06hI/discussion"
38
+ :link_path => "https://groups.google.com/d/topic/rubyonrails-security/K5EwdJt06hI/discussion",
39
+ :cwe_id => [79]
39
40
  end
40
41
  end
41
42
 
@@ -60,7 +61,8 @@ class Brakeman::CheckStripTags < Brakeman::BaseCheck
60
61
  :message => message,
61
62
  :confidence => :high,
62
63
  :gem_info => gemfile_or_environment,
63
- :link_path => "https://groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion"
64
+ :link_path => "https://groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion",
65
+ :cwe_id => [79]
64
66
  end
65
67
 
66
68
  def cve_2015_7579
@@ -78,7 +80,8 @@ class Brakeman::CheckStripTags < Brakeman::BaseCheck
78
80
  :message => message,
79
81
  :confidence => confidence,
80
82
  :gem_info => gemfile_or_environment(:"rails-html-sanitizer"),
81
- :link_path => "https://groups.google.com/d/msg/rubyonrails-security/OU9ugTZcbjc/PjEP46pbFQAJ"
83
+ :link_path => "https://groups.google.com/d/msg/rubyonrails-security/OU9ugTZcbjc/PjEP46pbFQAJ",
84
+ :cwe_id => [79]
82
85
 
83
86
  end
84
87
  end
@@ -45,7 +45,8 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
45
45
  :warning_code => :unsafe_symbol_creation,
46
46
  :message => message,
47
47
  :user_input => input,
48
- :confidence => confidence
48
+ :confidence => confidence,
49
+ :cwe_id => [20]
49
50
  end
50
51
  end
51
52
 
@@ -23,7 +23,8 @@ class Brakeman::CheckSymbolDoSCVE < Brakeman::BaseCheck
23
23
  :message => msg(msg_version(rails_version), " has a denial of service vulnerability in ActiveRecord. Upgrade to ", msg_version(fix_version), " or patch"),
24
24
  :confidence => :medium,
25
25
  :gem_info => gemfile_or_environment,
26
- :link => "https://groups.google.com/d/msg/rubyonrails-security/jgJ4cjjS8FE/BGbHRxnDRTIJ"
26
+ :link => "https://groups.google.com/d/msg/rubyonrails-security/jgJ4cjjS8FE/BGbHRxnDRTIJ",
27
+ :cwe_id => [20]
27
28
  end
28
29
  end
29
30
  end
@@ -26,7 +26,8 @@ class Brakeman::CheckTemplateInjection < Brakeman::BaseCheck
26
26
  :warning_code => :erb_template_injection,
27
27
  :message => msg(msg_input(input), " used directly in ", msg_code("ERB"), " template, which might enable remote code execution"),
28
28
  :user_input => input,
29
- :confidence => :high
29
+ :confidence => :high,
30
+ :cwe_id => [1336]
30
31
  end
31
32
  end
32
33
  end
@@ -33,7 +33,8 @@ class Brakeman::CheckTranslateBug < Brakeman::BaseCheck
33
33
  :message => message,
34
34
  :confidence => confidence,
35
35
  :gem_info => gemfile_or_environment,
36
- :link_path => "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5"
36
+ :link_path => "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5",
37
+ :cwe_id => [79]
37
38
  end
38
39
  end
39
40