brakeman-lib 5.2.2 → 5.3.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGES.md +17 -0
- data/lib/brakeman/app_tree.rb +9 -1
- data/lib/brakeman/checks/check_basic_auth.rb +4 -2
- data/lib/brakeman/checks/check_basic_auth_timing_attack.rb +2 -1
- data/lib/brakeman/checks/check_content_tag.rb +8 -4
- data/lib/brakeman/checks/check_cookie_serialization.rb +2 -1
- data/lib/brakeman/checks/check_create_with.rb +4 -2
- data/lib/brakeman/checks/check_cross_site_scripting.rb +6 -3
- data/lib/brakeman/checks/check_csrf_token_forgery_cve.rb +2 -1
- data/lib/brakeman/checks/check_default_routes.rb +6 -3
- data/lib/brakeman/checks/check_deserialize.rb +2 -1
- data/lib/brakeman/checks/check_detailed_exceptions.rb +4 -2
- data/lib/brakeman/checks/check_digest_dos.rb +2 -1
- data/lib/brakeman/checks/check_divide_by_zero.rb +2 -1
- data/lib/brakeman/checks/check_dynamic_finders.rb +2 -1
- data/lib/brakeman/checks/check_escape_function.rb +2 -1
- data/lib/brakeman/checks/check_evaluation.rb +2 -1
- data/lib/brakeman/checks/check_execute.rb +6 -3
- data/lib/brakeman/checks/check_file_access.rb +2 -1
- data/lib/brakeman/checks/check_file_disclosure.rb +2 -1
- data/lib/brakeman/checks/check_filter_skipping.rb +2 -1
- data/lib/brakeman/checks/check_force_ssl.rb +2 -1
- data/lib/brakeman/checks/check_forgery_setting.rb +4 -2
- data/lib/brakeman/checks/check_header_dos.rb +2 -1
- data/lib/brakeman/checks/check_i18n_xss.rb +2 -1
- data/lib/brakeman/checks/check_jruby_xml.rb +2 -1
- data/lib/brakeman/checks/check_json_encoding.rb +2 -1
- data/lib/brakeman/checks/check_json_entity_escape.rb +4 -2
- data/lib/brakeman/checks/check_json_parsing.rb +4 -2
- data/lib/brakeman/checks/check_link_to.rb +2 -1
- data/lib/brakeman/checks/check_link_to_href.rb +4 -2
- data/lib/brakeman/checks/check_mail_to.rb +2 -1
- data/lib/brakeman/checks/check_mass_assignment.rb +6 -3
- data/lib/brakeman/checks/check_mime_type_dos.rb +2 -1
- data/lib/brakeman/checks/check_model_attr_accessible.rb +2 -1
- data/lib/brakeman/checks/check_model_attributes.rb +4 -2
- data/lib/brakeman/checks/check_model_serialize.rb +2 -1
- data/lib/brakeman/checks/check_nested_attributes.rb +2 -1
- data/lib/brakeman/checks/check_nested_attributes_bypass.rb +2 -1
- data/lib/brakeman/checks/check_number_to_currency.rb +4 -2
- data/lib/brakeman/checks/check_page_caching_cve.rb +2 -1
- data/lib/brakeman/checks/check_permit_attributes.rb +2 -1
- data/lib/brakeman/checks/check_quote_table_name.rb +2 -1
- data/lib/brakeman/checks/check_redirect.rb +2 -1
- data/lib/brakeman/checks/check_regex_dos.rb +2 -1
- data/lib/brakeman/checks/check_render.rb +4 -2
- data/lib/brakeman/checks/check_render_dos.rb +2 -1
- data/lib/brakeman/checks/check_render_inline.rb +4 -2
- data/lib/brakeman/checks/check_response_splitting.rb +2 -1
- data/lib/brakeman/checks/check_reverse_tabnabbing.rb +2 -1
- data/lib/brakeman/checks/check_route_dos.rb +2 -1
- data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +2 -1
- data/lib/brakeman/checks/check_sanitize_config_cve.rb +120 -0
- data/lib/brakeman/checks/check_sanitize_methods.rb +6 -3
- data/lib/brakeman/checks/check_secrets.rb +2 -1
- data/lib/brakeman/checks/check_select_tag.rb +2 -1
- data/lib/brakeman/checks/check_select_vulnerability.rb +2 -1
- data/lib/brakeman/checks/check_send.rb +2 -1
- data/lib/brakeman/checks/check_session_manipulation.rb +2 -1
- data/lib/brakeman/checks/check_session_settings.rb +6 -3
- data/lib/brakeman/checks/check_simple_format.rb +4 -2
- data/lib/brakeman/checks/check_single_quotes.rb +2 -1
- data/lib/brakeman/checks/check_skip_before_filter.rb +4 -2
- data/lib/brakeman/checks/check_sprockets_path_traversal.rb +2 -1
- data/lib/brakeman/checks/check_sql.rb +4 -2
- data/lib/brakeman/checks/check_sql_cves.rb +4 -2
- data/lib/brakeman/checks/check_ssl_verify.rb +2 -1
- data/lib/brakeman/checks/check_strip_tags.rb +6 -3
- data/lib/brakeman/checks/check_symbol_dos.rb +2 -1
- data/lib/brakeman/checks/check_symbol_dos_cve.rb +2 -1
- data/lib/brakeman/checks/check_template_injection.rb +2 -1
- data/lib/brakeman/checks/check_translate_bug.rb +2 -1
- data/lib/brakeman/checks/check_unsafe_reflection.rb +2 -1
- data/lib/brakeman/checks/check_unsafe_reflection_methods.rb +2 -1
- data/lib/brakeman/checks/check_unscoped_find.rb +2 -1
- data/lib/brakeman/checks/check_validation_regex.rb +2 -1
- data/lib/brakeman/checks/check_verb_confusion.rb +2 -1
- data/lib/brakeman/checks/check_weak_hash.rb +6 -3
- data/lib/brakeman/checks/check_without_protection.rb +2 -1
- data/lib/brakeman/checks/check_xml_dos.rb +2 -1
- data/lib/brakeman/checks/check_yaml_parsing.rb +4 -2
- data/lib/brakeman/checks/eol_check.rb +4 -2
- data/lib/brakeman/options.rb +1 -1
- data/lib/brakeman/processors/alias_processor.rb +24 -1
- data/lib/brakeman/processors/lib/find_all_calls.rb +1 -0
- data/lib/brakeman/report/ignore/interactive.rb +2 -2
- data/lib/brakeman/report/report_csv.rb +2 -0
- data/lib/brakeman/report/report_junit.rb +2 -2
- data/lib/brakeman/report/report_table.rb +5 -5
- data/lib/brakeman/report/report_text.rb +2 -0
- data/lib/brakeman/report/templates/controller_warnings.html.erb +2 -0
- data/lib/brakeman/report/templates/ignored_warnings.html.erb +2 -0
- data/lib/brakeman/report/templates/model_warnings.html.erb +2 -0
- data/lib/brakeman/report/templates/security_warnings.html.erb +2 -0
- data/lib/brakeman/report/templates/view_warnings.html.erb +2 -0
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning.rb +5 -2
- data/lib/brakeman/warning_codes.rb +1 -0
- metadata +3 -2
@@ -39,7 +39,8 @@ class Brakeman::CheckNestedAttributesBypass < Brakeman::BaseCheck
|
|
39
39
|
:file => model.file,
|
40
40
|
:line => args.line,
|
41
41
|
:confidence => :medium,
|
42
|
-
:link_path => "https://groups.google.com/d/msg/rubyonrails-security/cawsWcQ6c8g/tegZtYdbFQAJ"
|
42
|
+
:link_path => "https://groups.google.com/d/msg/rubyonrails-security/cawsWcQ6c8g/tegZtYdbFQAJ",
|
43
|
+
:cwe_id => [284]
|
43
44
|
end
|
44
45
|
|
45
46
|
def allow_destroy? arg
|
@@ -36,7 +36,8 @@ class Brakeman::CheckNumberToCurrency < Brakeman::BaseCheck
|
|
36
36
|
:message => message,
|
37
37
|
:confidence => :medium,
|
38
38
|
:gem_info => gemfile_or_environment,
|
39
|
-
:link_path => "https://groups.google.com/d/msg/ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ"
|
39
|
+
:link_path => "https://groups.google.com/d/msg/ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ",
|
40
|
+
:cwe_id => [79]
|
40
41
|
end
|
41
42
|
|
42
43
|
def check_number_helper_usage
|
@@ -69,6 +70,7 @@ class Brakeman::CheckNumberToCurrency < Brakeman::BaseCheck
|
|
69
70
|
:message => msg("Format options in ", msg_code(result[:call].method), " are not safe in ", msg_version(rails_version)),
|
70
71
|
:confidence => :high,
|
71
72
|
:link_path => "https://groups.google.com/d/msg/ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ",
|
72
|
-
:user_input => match
|
73
|
+
:user_input => match,
|
74
|
+
:cwe_id => [79]
|
73
75
|
end
|
74
76
|
end
|
@@ -26,7 +26,8 @@ class Brakeman::CheckPageCachingCVE < Brakeman::BaseCheck
|
|
26
26
|
:message => message,
|
27
27
|
:confidence => confidence,
|
28
28
|
:link_path => 'https://groups.google.com/d/msg/rubyonrails-security/CFRVkEytdP8/c5gmICECAgAJ',
|
29
|
-
:gem_info => gemfile_or_environment(gem_name)
|
29
|
+
:gem_info => gemfile_or_environment(gem_name),
|
30
|
+
:cwe_id => [22]
|
30
31
|
end
|
31
32
|
|
32
33
|
def uses_caches_page?
|
@@ -38,6 +38,7 @@ class Brakeman::CheckPermitAttributes < Brakeman::BaseCheck
|
|
38
38
|
:warning_code => :dangerous_permit_key,
|
39
39
|
:message => "Potentially dangerous key allowed for mass assignment",
|
40
40
|
:confidence => (confidence || SUSPICIOUS_KEYS[key.value]),
|
41
|
-
:user_input => key
|
41
|
+
:user_input => key,
|
42
|
+
:cwe_id => [915]
|
42
43
|
end
|
43
44
|
end
|
@@ -28,7 +28,8 @@ class Brakeman::CheckQuoteTableName < Brakeman::BaseCheck
|
|
28
28
|
:message => message,
|
29
29
|
:confidence => confidence,
|
30
30
|
:gem_info => gemfile_or_environment,
|
31
|
-
:link_path => "https://groups.google.com/d/topic/rubyonrails-security/ah5HN0S8OJs/discussion"
|
31
|
+
:link_path => "https://groups.google.com/d/topic/rubyonrails-security/ah5HN0S8OJs/discussion",
|
32
|
+
:cwe_id => [89]
|
32
33
|
end
|
33
34
|
end
|
34
35
|
|
@@ -57,7 +57,8 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
|
|
57
57
|
:warning_code => :dynamic_render_path,
|
58
58
|
:message => message,
|
59
59
|
:user_input => input,
|
60
|
-
:confidence => confidence
|
60
|
+
:confidence => confidence,
|
61
|
+
:cwe_id => [22]
|
61
62
|
end
|
62
63
|
end
|
63
64
|
|
@@ -78,7 +79,8 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
|
|
78
79
|
:warning_code => :dynamic_render_path_rce,
|
79
80
|
:message => msg("Passing query parameters to ", msg_code("render"), " is vulnerable in ", msg_version(rails_version), " ", msg_cve("CVE-2016-0752")),
|
80
81
|
:user_input => view,
|
81
|
-
:confidence => :high
|
82
|
+
:confidence => :high,
|
83
|
+
:cwe_id => [22]
|
82
84
|
end
|
83
85
|
end
|
84
86
|
end
|
@@ -32,6 +32,7 @@ class Brakeman::CheckRenderDoS < Brakeman::BaseCheck
|
|
32
32
|
:message => message,
|
33
33
|
:confidence => :high,
|
34
34
|
:link_path => "https://groups.google.com/d/msg/rubyonrails-security/LMxO_3_eCuc/ozGBEhKaJbIJ",
|
35
|
-
:gem_info => gemfile_or_environment
|
35
|
+
:gem_info => gemfile_or_environment,
|
36
|
+
:cwe_id => [20]
|
36
37
|
end
|
37
38
|
end
|
@@ -28,14 +28,16 @@ class Brakeman::CheckRenderInline < Brakeman::CheckCrossSiteScripting
|
|
28
28
|
:warning_code => :cross_site_scripting_inline,
|
29
29
|
:message => msg("Unescaped ", msg_input(input), " rendered inline"),
|
30
30
|
:user_input => input,
|
31
|
-
:confidence => :high
|
31
|
+
:confidence => :high,
|
32
|
+
:cwe_id => [79]
|
32
33
|
elsif input = has_immediate_model?(render_value)
|
33
34
|
warn :result => result,
|
34
35
|
:warning_type => "Cross-Site Scripting",
|
35
36
|
:warning_code => :cross_site_scripting_inline,
|
36
37
|
:message => "Unescaped model attribute rendered inline",
|
37
38
|
:user_input => input,
|
38
|
-
:confidence => :medium
|
39
|
+
:confidence => :medium,
|
40
|
+
:cwe_id => [79]
|
39
41
|
end
|
40
42
|
end
|
41
43
|
end
|
@@ -15,7 +15,8 @@ class Brakeman::CheckResponseSplitting < Brakeman::BaseCheck
|
|
15
15
|
:message => msg("Rails versions before 2.3.14 have a vulnerability content type handling allowing injection of headers ", msg_cve("CVE-2011-3186")),
|
16
16
|
:confidence => :medium,
|
17
17
|
:gem_info => gemfile_or_environment,
|
18
|
-
:link_path => "https://groups.google.com/d/topic/rubyonrails-security/b_yTveAph2g/discussion"
|
18
|
+
:link_path => "https://groups.google.com/d/topic/rubyonrails-security/b_yTveAph2g/discussion",
|
19
|
+
:cwe_id => [94]
|
19
20
|
end
|
20
21
|
end
|
21
22
|
end
|
@@ -53,6 +53,7 @@ class Brakeman::CheckReverseTabnabbing < Brakeman::BaseCheck
|
|
53
53
|
:message => msg("When opening a link in a new tab without setting ", msg_code('rel: "noopener noreferrer"'),
|
54
54
|
", the new tab can control the parent tab's location. For example, an attacker could redirect to a phishing page."),
|
55
55
|
:confidence => confidence,
|
56
|
-
:user_input => rel
|
56
|
+
:user_input => rel,
|
57
|
+
:cwe_id => [1022]
|
57
58
|
end
|
58
59
|
end
|
@@ -23,7 +23,8 @@ class Brakeman::CheckRouteDoS < Brakeman::BaseCheck
|
|
23
23
|
:message => message,
|
24
24
|
:confidence => :medium,
|
25
25
|
:gem_info => gemfile_or_environment,
|
26
|
-
:link_path => "https://groups.google.com/d/msg/rubyonrails-security/dthJ5wL69JE/YzPnFelbFQAJ"
|
26
|
+
:link_path => "https://groups.google.com/d/msg/rubyonrails-security/dthJ5wL69JE/YzPnFelbFQAJ",
|
27
|
+
:cwe_id => [399]
|
27
28
|
end
|
28
29
|
end
|
29
30
|
|
@@ -26,6 +26,7 @@ class Brakeman::CheckSafeBufferManipulation < Brakeman::BaseCheck
|
|
26
26
|
:warning_code => :safe_buffer_vuln,
|
27
27
|
:message => message,
|
28
28
|
:confidence => :medium,
|
29
|
-
:gem_info => gemfile_or_environment
|
29
|
+
:gem_info => gemfile_or_environment,
|
30
|
+
:cwe_id => [79]
|
30
31
|
end
|
31
32
|
end
|
@@ -0,0 +1,120 @@
|
|
1
|
+
require 'brakeman/checks/base_check'
|
2
|
+
|
3
|
+
class Brakeman::CheckSanitizeConfigCve < Brakeman::BaseCheck
|
4
|
+
Brakeman::Checks.add self
|
5
|
+
|
6
|
+
@description = "Checks for vunerable uses of sanitize (CVE-2022-32209)"
|
7
|
+
|
8
|
+
def run_check
|
9
|
+
@specific_warning = false
|
10
|
+
|
11
|
+
@gem_version = tracker.config.gem_version :'rails-html-sanitizer'
|
12
|
+
if version_between? "0.0.0", "1.4.2", @gem_version
|
13
|
+
check_config
|
14
|
+
check_sanitize_calls
|
15
|
+
check_safe_list_allowed_tags
|
16
|
+
|
17
|
+
unless @specific_warning
|
18
|
+
# General warning about the vulnerable version
|
19
|
+
cve_warning
|
20
|
+
end
|
21
|
+
end
|
22
|
+
end
|
23
|
+
|
24
|
+
def cve_warning confidence: :weak, result: nil
|
25
|
+
return if result and not original? result
|
26
|
+
|
27
|
+
message = msg(msg_version(@gem_version, 'rails-html-sanitizer'),
|
28
|
+
" is vulnerable to cross-site scripting when ",
|
29
|
+
msg_code('select'),
|
30
|
+
" and ",
|
31
|
+
msg_code("style"),
|
32
|
+
" tags are allowed ",
|
33
|
+
msg_cve("CVE-2022-32209")
|
34
|
+
)
|
35
|
+
|
36
|
+
unless result
|
37
|
+
message << ". Upgrade to 1.4.3 or newer"
|
38
|
+
end
|
39
|
+
|
40
|
+
warn :warning_type => "Cross-Site Scripting",
|
41
|
+
:warning_code => :CVE_2022_32209,
|
42
|
+
:message => message,
|
43
|
+
:confidence => confidence,
|
44
|
+
:gem_info => gemfile_or_environment(:'rails-html-sanitizer'),
|
45
|
+
:link_path => "https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s/m/S0fJfnkmBAAJ",
|
46
|
+
:cwe_id => [79],
|
47
|
+
:result => result
|
48
|
+
end
|
49
|
+
|
50
|
+
# Look for
|
51
|
+
# config.action_view.sanitized_allowed_tags = ["select", "style"]
|
52
|
+
def check_config
|
53
|
+
sanitizer_config = tracker.config.rails.dig(:action_view, :sanitized_allowed_tags)
|
54
|
+
|
55
|
+
if sanitizer_config and include_both_tags? sanitizer_config
|
56
|
+
@specific_warning = true
|
57
|
+
cve_warning confidence: :high
|
58
|
+
end
|
59
|
+
end
|
60
|
+
|
61
|
+
# Look for
|
62
|
+
# sanitize ..., tags: ["select", "style"]
|
63
|
+
# and
|
64
|
+
# Rails::Html::SafeListSanitizer.new.sanitize(..., tags: ["select", "style"])
|
65
|
+
def check_sanitize_calls
|
66
|
+
tracker.find_call(method: :sanitize, target: nil).each do |result|
|
67
|
+
check_tags_option result
|
68
|
+
end
|
69
|
+
|
70
|
+
tracker.find_call(method: :sanitize, target: :'Rails::Html::SafeListSanitizer.new').each do |result|
|
71
|
+
check_tags_option result
|
72
|
+
end
|
73
|
+
end
|
74
|
+
|
75
|
+
# Look for
|
76
|
+
# Rails::Html::SafeListSanitizer.allowed_tags = ["select", "style"]
|
77
|
+
def check_safe_list_allowed_tags
|
78
|
+
tracker.find_call(target: :'Rails::Html::SafeListSanitizer', method: :allowed_tags=).each do |result|
|
79
|
+
check_result result, result[:call].first_arg
|
80
|
+
end
|
81
|
+
end
|
82
|
+
|
83
|
+
private
|
84
|
+
|
85
|
+
def check_tags_option result
|
86
|
+
options = result[:call].last_arg
|
87
|
+
|
88
|
+
if options
|
89
|
+
check_result result, hash_access(options, :tags)
|
90
|
+
end
|
91
|
+
end
|
92
|
+
|
93
|
+
def check_result result, arg
|
94
|
+
if include_both_tags? arg
|
95
|
+
@specific_warning = true
|
96
|
+
cve_warning confidence: :high, result: result
|
97
|
+
end
|
98
|
+
end
|
99
|
+
|
100
|
+
def include_both_tags? exp
|
101
|
+
return unless sexp? exp
|
102
|
+
|
103
|
+
has_tag? exp, 'select' and
|
104
|
+
has_tag? exp, 'style'
|
105
|
+
end
|
106
|
+
|
107
|
+
def has_tag? exp, tag
|
108
|
+
tag_sym = tag.to_sym
|
109
|
+
|
110
|
+
exp.each_sexp do |e|
|
111
|
+
if string? e and e.value == tag
|
112
|
+
return true
|
113
|
+
elsif symbol? e and e.value == tag_sym
|
114
|
+
return true
|
115
|
+
end
|
116
|
+
end
|
117
|
+
|
118
|
+
false
|
119
|
+
end
|
120
|
+
end
|
@@ -51,7 +51,8 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
|
|
51
51
|
:warning_code => code,
|
52
52
|
:message => message,
|
53
53
|
:confidence => :high,
|
54
|
-
:link_path => link
|
54
|
+
:link_path => link,
|
55
|
+
:cwe_id => [79]
|
55
56
|
end
|
56
57
|
end
|
57
58
|
|
@@ -83,7 +84,8 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
|
|
83
84
|
:message => message,
|
84
85
|
:gem_info => gemfile_or_environment(:loofah),
|
85
86
|
:confidence => confidence,
|
86
|
-
:link_path => "https://github.com/flavorjones/loofah/issues/144"
|
87
|
+
:link_path => "https://github.com/flavorjones/loofah/issues/144",
|
88
|
+
:cwe_id => [79]
|
87
89
|
end
|
88
90
|
end
|
89
91
|
|
@@ -108,6 +110,7 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
|
|
108
110
|
:message => message,
|
109
111
|
:gem_info => gemfile_or_environment(:'rails-html-sanitizer'),
|
110
112
|
:confidence => confidence,
|
111
|
-
:link_path => link
|
113
|
+
:link_path => link,
|
114
|
+
:cwe_id => [79]
|
112
115
|
end
|
113
116
|
end
|
@@ -27,7 +27,8 @@ class Brakeman::CheckSecrets < Brakeman::BaseCheck
|
|
27
27
|
:message => msg("Hardcoded value for ", msg_code(name), " in source code"),
|
28
28
|
:confidence => :medium,
|
29
29
|
:file => constant.file,
|
30
|
-
:line => constant.line
|
30
|
+
:line => constant.line,
|
31
|
+
:cwe_id => [798]
|
31
32
|
end
|
32
33
|
end
|
33
34
|
end
|
@@ -52,7 +52,8 @@ class Brakeman::CheckSelectTag < Brakeman::BaseCheck
|
|
52
52
|
:message => @message,
|
53
53
|
:confidence => :high,
|
54
54
|
:user_input => input,
|
55
|
-
:link_path => "https://groups.google.com/d/topic/rubyonrails-security/fV3QUToSMSw/discussion"
|
55
|
+
:link_path => "https://groups.google.com/d/topic/rubyonrails-security/fV3QUToSMSw/discussion",
|
56
|
+
:cwe_id => [79]
|
56
57
|
end
|
57
58
|
end
|
58
59
|
end
|
@@ -28,7 +28,8 @@ class Brakeman::CheckSessionManipulation < Brakeman::BaseCheck
|
|
28
28
|
:warning_code => :session_key_manipulation,
|
29
29
|
:message => msg(msg_input(input), " used as key in session hash"),
|
30
30
|
:user_input => input,
|
31
|
-
:confidence => confidence
|
31
|
+
:confidence => confidence,
|
32
|
+
:cwe_id => [20] # TODO: what cwe should this be? it seems like it's looking for authz bypass
|
32
33
|
end
|
33
34
|
end
|
34
35
|
end
|
@@ -142,7 +142,8 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
|
|
142
142
|
:message => "Session cookies should be set to HTTP only",
|
143
143
|
:confidence => :high,
|
144
144
|
:line => line,
|
145
|
-
:file => file
|
145
|
+
:file => file,
|
146
|
+
:cwe_id => [1004]
|
146
147
|
|
147
148
|
end
|
148
149
|
|
@@ -152,7 +153,8 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
|
|
152
153
|
:message => "Session secret should not be included in version control",
|
153
154
|
:confidence => :high,
|
154
155
|
:line => line,
|
155
|
-
:file => file
|
156
|
+
:file => file,
|
157
|
+
:cwe_id => [798]
|
156
158
|
end
|
157
159
|
|
158
160
|
def warn_about_secure_only line, file
|
@@ -161,7 +163,8 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
|
|
161
163
|
:message => "Session cookie should be set to secure only",
|
162
164
|
:confidence => :high,
|
163
165
|
:line => line,
|
164
|
-
:file => file
|
166
|
+
:file => file,
|
167
|
+
:cwe_id => [614]
|
165
168
|
end
|
166
169
|
|
167
170
|
def ignored? file
|
@@ -28,7 +28,8 @@ class Brakeman::CheckSimpleFormat < Brakeman::CheckCrossSiteScripting
|
|
28
28
|
:message => message,
|
29
29
|
:confidence => :medium,
|
30
30
|
:gem_info => gemfile_or_environment,
|
31
|
-
:link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ"
|
31
|
+
:link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ",
|
32
|
+
:cwe_id => [79]
|
32
33
|
end
|
33
34
|
|
34
35
|
def check_simple_format_usage
|
@@ -58,6 +59,7 @@ class Brakeman::CheckSimpleFormat < Brakeman::CheckCrossSiteScripting
|
|
58
59
|
:message => msg("Values passed to ", msg_code("simple_format"), " are not safe in ", msg_version(rails_version)),
|
59
60
|
:confidence => :high,
|
60
61
|
:link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ",
|
61
|
-
:user_input => match
|
62
|
+
:user_input => match,
|
63
|
+
:cwe_id => [79]
|
62
64
|
end
|
63
65
|
end
|
@@ -38,7 +38,8 @@ class Brakeman::CheckSingleQuotes < Brakeman::BaseCheck
|
|
38
38
|
:message => message,
|
39
39
|
:confidence => :medium,
|
40
40
|
:gem_info => gemfile_or_environment,
|
41
|
-
:link_path => "https://groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion"
|
41
|
+
:link_path => "https://groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion",
|
42
|
+
:cwe_id => [79]
|
42
43
|
end
|
43
44
|
|
44
45
|
#Process initializers to see if they use workaround
|
@@ -29,7 +29,8 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
|
|
29
29
|
:message => msg("List specific actions (", msg_code(":only => [..]"), ") when skipping CSRF check"),
|
30
30
|
:code => filter,
|
31
31
|
:confidence => :medium,
|
32
|
-
:file => controller.file
|
32
|
+
:file => controller.file,
|
33
|
+
:cwe_id => [352]
|
33
34
|
|
34
35
|
when :login_required, :authenticate_user!, :require_user
|
35
36
|
warn :controller => controller.name,
|
@@ -39,7 +40,8 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
|
|
39
40
|
:code => filter,
|
40
41
|
:confidence => :medium,
|
41
42
|
:link_path => "authentication_whitelist",
|
42
|
-
:file => controller.file
|
43
|
+
:file => controller.file,
|
44
|
+
:cwe_id => [287]
|
43
45
|
end
|
44
46
|
end
|
45
47
|
|
@@ -30,7 +30,8 @@ class Brakeman::CheckSprocketsPathTraversal < Brakeman::BaseCheck
|
|
30
30
|
:message => message,
|
31
31
|
:confidence => confidence,
|
32
32
|
:gem_info => gemfile_or_environment(:sprockets),
|
33
|
-
:link_path => "https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ"
|
33
|
+
:link_path => "https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ",
|
34
|
+
:cwe_id => [22, 200]
|
34
35
|
end
|
35
36
|
|
36
37
|
def has_workaround?
|
@@ -247,7 +247,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
247
247
|
:warning_code => :sql_injection,
|
248
248
|
:message => "Possible SQL injection",
|
249
249
|
:user_input => user_input,
|
250
|
-
:confidence => confidence
|
250
|
+
:confidence => confidence,
|
251
|
+
:cwe_id => [89]
|
251
252
|
end
|
252
253
|
|
253
254
|
if check_for_limit_or_offset_vulnerability call.last_arg
|
@@ -261,7 +262,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
261
262
|
:warning_type => "SQL Injection",
|
262
263
|
:warning_code => :sql_injection_limit_offset,
|
263
264
|
:message => msg("Upgrade to Rails >= 2.1.2 to escape ", msg_code(":limit"), " and ", msg_code("offset"), ". Possible SQL injection"),
|
264
|
-
:confidence => confidence
|
265
|
+
:confidence => confidence,
|
266
|
+
:cwe_id => [89]
|
265
267
|
end
|
266
268
|
end
|
267
269
|
|
@@ -81,7 +81,8 @@ class Brakeman::CheckSQLCVEs < Brakeman::BaseCheck
|
|
81
81
|
:message => msg(msg_version(rails_version), " contains a SQL injection vulnerability ", msg_cve(cve), ". Upgrade to ", msg_version(upgrade_version)),
|
82
82
|
:confidence => :high,
|
83
83
|
:gem_info => gemfile_or_environment,
|
84
|
-
:link_path => link
|
84
|
+
:link_path => link,
|
85
|
+
:cwe_id => [89]
|
85
86
|
end
|
86
87
|
|
87
88
|
def upgrade_version? versions
|
@@ -101,6 +102,7 @@ class Brakeman::CheckSQLCVEs < Brakeman::BaseCheck
|
|
101
102
|
:message => msg(msg_version(rails_version), " contains a SQL injection vulnerability ", msg_cve("CVE-2014-0080"), " with PostgreSQL. Upgrade to ", msg_version("4.0.3")),
|
102
103
|
:confidence => :high,
|
103
104
|
:gem_info => gemfile_or_environment(:pg),
|
104
|
-
:link_path => "https://groups.google.com/d/msg/rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ"
|
105
|
+
:link_path => "https://groups.google.com/d/msg/rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ",
|
106
|
+
:cwe_id => [89]
|
105
107
|
end
|
106
108
|
end
|
@@ -43,6 +43,7 @@ class Brakeman::CheckSSLVerify < Brakeman::BaseCheck
|
|
43
43
|
:warning_type => "SSL Verification Bypass",
|
44
44
|
:warning_code => :ssl_verification_bypass,
|
45
45
|
:message => "SSL certificate verification was bypassed",
|
46
|
-
:confidence => :high
|
46
|
+
:confidence => :high,
|
47
|
+
:cwe_id => [295]
|
47
48
|
end
|
48
49
|
end
|
@@ -35,7 +35,8 @@ class Brakeman::CheckStripTags < Brakeman::BaseCheck
|
|
35
35
|
:message => message,
|
36
36
|
:gem_info => gemfile_or_environment,
|
37
37
|
:confidence => :high,
|
38
|
-
:link_path => "https://groups.google.com/d/topic/rubyonrails-security/K5EwdJt06hI/discussion"
|
38
|
+
:link_path => "https://groups.google.com/d/topic/rubyonrails-security/K5EwdJt06hI/discussion",
|
39
|
+
:cwe_id => [79]
|
39
40
|
end
|
40
41
|
end
|
41
42
|
|
@@ -60,7 +61,8 @@ class Brakeman::CheckStripTags < Brakeman::BaseCheck
|
|
60
61
|
:message => message,
|
61
62
|
:confidence => :high,
|
62
63
|
:gem_info => gemfile_or_environment,
|
63
|
-
:link_path => "https://groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion"
|
64
|
+
:link_path => "https://groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion",
|
65
|
+
:cwe_id => [79]
|
64
66
|
end
|
65
67
|
|
66
68
|
def cve_2015_7579
|
@@ -78,7 +80,8 @@ class Brakeman::CheckStripTags < Brakeman::BaseCheck
|
|
78
80
|
:message => message,
|
79
81
|
:confidence => confidence,
|
80
82
|
:gem_info => gemfile_or_environment(:"rails-html-sanitizer"),
|
81
|
-
:link_path => "https://groups.google.com/d/msg/rubyonrails-security/OU9ugTZcbjc/PjEP46pbFQAJ"
|
83
|
+
:link_path => "https://groups.google.com/d/msg/rubyonrails-security/OU9ugTZcbjc/PjEP46pbFQAJ",
|
84
|
+
:cwe_id => [79]
|
82
85
|
|
83
86
|
end
|
84
87
|
end
|
@@ -23,7 +23,8 @@ class Brakeman::CheckSymbolDoSCVE < Brakeman::BaseCheck
|
|
23
23
|
:message => msg(msg_version(rails_version), " has a denial of service vulnerability in ActiveRecord. Upgrade to ", msg_version(fix_version), " or patch"),
|
24
24
|
:confidence => :medium,
|
25
25
|
:gem_info => gemfile_or_environment,
|
26
|
-
:link => "https://groups.google.com/d/msg/rubyonrails-security/jgJ4cjjS8FE/BGbHRxnDRTIJ"
|
26
|
+
:link => "https://groups.google.com/d/msg/rubyonrails-security/jgJ4cjjS8FE/BGbHRxnDRTIJ",
|
27
|
+
:cwe_id => [20]
|
27
28
|
end
|
28
29
|
end
|
29
30
|
end
|
@@ -26,7 +26,8 @@ class Brakeman::CheckTemplateInjection < Brakeman::BaseCheck
|
|
26
26
|
:warning_code => :erb_template_injection,
|
27
27
|
:message => msg(msg_input(input), " used directly in ", msg_code("ERB"), " template, which might enable remote code execution"),
|
28
28
|
:user_input => input,
|
29
|
-
:confidence => :high
|
29
|
+
:confidence => :high,
|
30
|
+
:cwe_id => [1336]
|
30
31
|
end
|
31
32
|
end
|
32
33
|
end
|
@@ -33,7 +33,8 @@ class Brakeman::CheckTranslateBug < Brakeman::BaseCheck
|
|
33
33
|
:message => message,
|
34
34
|
:confidence => confidence,
|
35
35
|
:gem_info => gemfile_or_environment,
|
36
|
-
:link_path => "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5"
|
36
|
+
:link_path => "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5",
|
37
|
+
:cwe_id => [79]
|
37
38
|
end
|
38
39
|
end
|
39
40
|
|
@@ -40,7 +40,8 @@ class Brakeman::CheckUnscopedFind < Brakeman::BaseCheck
|
|
40
40
|
:message => msg("Unscoped call to ", msg_code("#{result[:target]}##{result[:method]}")),
|
41
41
|
:code => result[:call],
|
42
42
|
:confidence => :weak,
|
43
|
-
:user_input => input
|
43
|
+
:user_input => input,
|
44
|
+
:cwe_id => [285]
|
44
45
|
end
|
45
46
|
|
46
47
|
def optional_belongs_to? exp
|
@@ -91,7 +91,8 @@ class Brakeman::CheckValidationRegex < Brakeman::BaseCheck
|
|
91
91
|
:warning_code => :validation_regex,
|
92
92
|
:message => msg("Insufficient validation for ", msg_code(get_name validator), " using ", msg_code(regex.inspect), ". Use ", msg_code("\\A"), " and ", msg_code("\\z"), " as anchors"),
|
93
93
|
:line => value.line,
|
94
|
-
:confidence => :high
|
94
|
+
:confidence => :high,
|
95
|
+
:cwe_id => [777]
|
95
96
|
end
|
96
97
|
end
|
97
98
|
|