brakeman-lib 4.8.1 → 4.8.2

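--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: a2e421e421971f6309de15b50d5305a37acf839e4023cd5b976cfb644f62b635
- data.tar.gz: cb219b5f4cac1dd286e88b6048dd675adb062be8d273d960364f830ed3fa9493
+ metadata.gz: 53e42567258ccfcd4e8c53055d74b9d92cf3dd864a0ef60ce19b9b9362e9976c
+ data.tar.gz: 2b6f35eb78b76165311bd092253a41cdc5d0bba4aa585e80ef64e97b22d899a1
  SHA512:
- metadata.gz: b7f76e5da87ef345f47de2a8c489e94f07ba5892a5ab796d9cc5ad147036d599d273d1b339e126ed4f6288efd1b6bfa3a77201787afbcbf83b0279acb6a57459
- data.tar.gz: 1544f86037df9fd49e3674c7bd39b4eec1f1e41378078a6077647506f7ba257db4aaa48191df5b8c11c736bc44ac054fc0e96e6b67d21e155977a2f8b7ce44f0
+ metadata.gz: 3fcfd0a1b757fb5d6d27640dc72c3fdc672e611869186e82622ea3972ed10fbe7a5eaaa16b08040532f80917ed5bc374f7276ac4a6238caef74b989ff1f9e0cf
+ data.tar.gz: 3a924be974720bac6d762085d7353853be0243c7279818b305a133be8d3df8f0e3fba6720000a18f991c8de2e046b6bcb259b709d6558ba50b59c010504eb4f3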
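--- a/data/CHANGES.md
+++ b/data/CHANGES.md
@@ -1,3 +1,10 @@
+ # 4.8.2 - 2020-05-12
+
+ * Add check for CVE-2020-8159
+ * Fix `authenticate_or_request_with_http_basic` check for passed blocks (Hugo Corbucci)
+ * Add `--text-fields` option
+ * Add check for escaping HTML entities in JSON configuration
+
  # 4.8.1 - 2020-04-06
 
  * Check SQL query strings using `String#strip` or `String.squish`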
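--- a/data/README.md
+++ b/data/README.md
@@ -16,9 +16,11 @@ Using RubyGems:
 
  Using Bundler:
 
- group :development do
- gem 'brakeman'
- end
+ ```ruby
+ group :development do
+ gem 'brakeman'
+ end
+ ```
 
  Using Docker:
 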
@@ -467,7 +467,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
467
467
  end
468
468
 
469
469
  def gemfile_or_environment gem_name = :rails
470
- if gem_name and info = tracker.config.get_gem(gem_name)
470
+ if gem_name and info = tracker.config.get_gem(gem_name.to_sym)
471
471
  info
472
472
  elsif @app_tree.exists?("Gemfile")
473
473
  @app_tree.file_path "Gemfile"
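Review bot: The `.to_sym` added on `gem_name` duplicates the coercion that `Brakeman::Config#get_gem` receives in the same release (its body now reads `@gems[name.to_sym]`), so the call could stay `tracker.config.get_gem(gem_name)` and leave the key normalisation in one place. Keeping both is harmless, but it leaves two spots to update if the key type changes again. The body of `gemfile_or_environment` continues past the end of the hunk.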
@@ -57,6 +57,8 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
57
57
 
58
58
  # Check if the block of a result contains a comparison of password to string
59
59
  def include_password_literal? result
60
+ return false if result[:block_args].nil?
61
+
60
62
  @password_var = result[:block_args].last
61
63
  @include_password = false
62
64
  process result[:block]
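Review bot: The new guard returns early only when `:block_args` is absent; a block declared with an empty parameter list still reaches `result[:block_args].last` on the next line, and if that node can be empty the value stored in `@password_var` is not a variable name — worth confirming against what `find_call` records under `:block_args`. The explicit `.nil?` is not idiomatic here; `return false unless result[:block_args]` says the same thing, and if the empty-list case matters the node's length should be checked in the same guard. The rest of `include_password_literal?` is outside the hunk.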
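--- /dev/null
+++ b/lib/brakeman/checks/check_json_entity_escape.rb
@@ -0,0 +1,38 @@
+ require 'brakeman/checks/base_check'
+
+ class Brakeman::CheckJSONEntityEscape < Brakeman::BaseCheck
+ Brakeman::Checks.add self
+
+ @description = "Check if HTML escaping is disabled for JSON output"
+
+ def run_check
+ check_config_setting
+ check_manual_disable
+ end
+
+ def check_config_setting
+ if false? tracker.config.rails.dig(:active_support, :escape_html_entities_in_json)
+ warn :warning_type => "Cross-Site Scripting",
+ :warning_code => :json_html_escape_config,
+ :message => msg("HTML entities in JSON are not escaped by default"),
+ :confidence => :medium,
+ :file => "config/environments/production.rb",
+ :line => 1
+ end
+ end
+
+ def check_manual_disable
+ tracker.find_call(targets: [:ActiveSupport, :'ActiveSupport::JSON::Encoding'], method: :escape_html_entities_in_json=).each do |result|
+ setting = result[:call].first_arg
+
+ if false? setting
+ warn :result => result,
+ :warning_type => "Cross-Site Scripting",
+ :warning_code => :json_html_escape_module,
+ :message => msg("HTML entities in JSON are not escaped by default"),
+ :confidence => :medium,
+ :file => "config/environments/production.rb"
+ end
+ end
+ end
+ end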
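Review bot: `check_manual_disable` passes both `:result => result` and a hard-coded `:file => "config/environments/production.rb"`, so an `escape_html_entities_in_json = false` assignment found in an initializer or another environment file is reported under production.rb. If `warn` takes the location from `:result` when `:file` is omitted (confirm in `BaseCheck#warn`), dropping the `:file` entry reports the real file and line. `check_config_setting` hard-codes the same path plus `:line => 1`; because the value is read from the merged `tracker.config.rails`, the file that set it is not known here, and a comment such as `# Best-guess location: the merged Rails config does not record which file set this value` would make that deliberate. A one-line class comment stating that the check flags a disabled `escape_html_entities_in_json` setting, by config key or by explicit assignment, would also help readers who do not know `false?` and `msg` from `BaseCheck`.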
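--- /dev/null
+++ b/lib/brakeman/checks/check_page_caching_cve.rb
@@ -0,0 +1,37 @@
+ require 'brakeman/checks/base_check'
+
+ class Brakeman::CheckPageCachingCVE < Brakeman::BaseCheck
+ Brakeman::Checks.add self
+
+ @description = "Check for page caching vulnerability (CVE-2020-8159)"
+
+ def run_check
+ gem_name = 'actionpack-page_caching'
+ gem_version = tracker.config.gem_version(gem_name.to_sym)
+ upgrade_version = '1.2.2'
+ cve = 'CVE-2020-8159'
+
+ return unless gem_version and version_between?('0.0.0', '1.2.1', gem_version)
+
+ message = msg("Directory traversal vulnerability in ", msg_version(gem_version, gem_name), " ", msg_cve(cve), ". Upgrade to ", msg_version(upgrade_version, gem_name))
+
+ if uses_caches_page?
+ confidence = :high
+ else
+ confidence = :weak
+ end
+
+ warn :warning_type => 'Directory Traversal',
+ :warning_code => :CVE_2020_8159,
+ :message => message,
+ :confidence => confidence,
+ :link_path => 'https://groups.google.com/d/msg/rubyonrails-security/CFRVkEytdP8/c5gmICECAgAJ',
+ :gem_info => gemfile_or_environment(gem_name)
+ end
+
+ def uses_caches_page?
+ tracker.controllers.any? do |name, controller|
+ controller.options.has_key? :caches_page
+ end
+ end
+ end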
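Review bot: `uses_caches_page?` never uses its `name` block parameter and calls the `has_key?` alias; `tracker.controllers.any? { |_name, controller| controller.options.key?(:caches_page) }` is the idiomatic form and marks the unused parameter. The `if/else` that picks the confidence collapses to `confidence = uses_caches_page? ? :high : :weak`. The `gem_name.to_sym` in `run_check` repeats the coercion that `Config#gem_version` now performs itself in this release, so `tracker.config.gem_version(gem_name)` is enough. The fixed strings `gem_name`, `upgrade_version` and `cve` describe the check rather than a call and read better as frozen class-level constants, which also keeps `@description` and the CVE identifier next to each other.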
@@ -301,6 +301,22 @@ module Brakeman::Options
301
301
  options[:github_repo] = repo
302
302
  end
303
303
 
304
+ opts.on "--text-fields field1,field2,etc.", Array, "Specify fields for text report format" do |format|
305
+ valid_options = [:category, :category_id, :check, :code, :confidence, :file, :fingerprint, :line, :link, :message, :render_path]
306
+
307
+ options[:text_fields] = format.map(&:to_sym)
308
+
309
+ if options[:text_fields] == [:all]
310
+ options[:text_fields] = valid_options
311
+ else
312
+ invalid_options = (options[:text_fields] - valid_options)
313
+
314
+ unless invalid_options.empty?
315
+ raise OptionParser::ParseError, "\nInvalid format options: #{invalid_options.inspect}"
316
+ end
317
+ end
318
+ end
319
+
304
320
  opts.on "-w",
305
321
  "--confidence-level LEVEL",
306
322
  ["1", "2", "3"],
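Review bot: `valid_options` is a fresh array literal built each time the option is parsed and duplicates the field list accepted by the `case` in `Brakeman::Report::Text#format_line` added in the same release; a frozen constant kept beside the report code, e.g. `TEXT_FIELDS = %i[category category_id check code confidence file fingerprint line link message render_path].freeze`, with the parser checking `format.map(&:to_sym) - TEXT_FIELDS`, stops the two lists from drifting. `all` combined with other names (`--text-fields all,code`) falls into the invalid branch and is rejected as `Invalid format options: [:all]`, which is defensible but deserves a word in the help text, e.g. `"Specify fields for text report format (or 'all')"`. The block parameter `format` holds the parsed field list, so `fields` would be the clearer name.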
@@ -145,24 +145,45 @@ class Brakeman::Report::Text < Brakeman::Report::Base
145
145
  end
146
146
 
147
147
  def output_warning w
148
- out = [
149
- label('Confidence', confidence(w.confidence)),
150
- label('Category', w.warning_type.to_s),
151
- label('Check', w.check.gsub(/^Brakeman::Check/, '')),
148
+ text_format = tracker.options[:text_fields] ||
149
+ [:confidence, :category, :check, :message, :code, :file, :line]
150
+
151
+ text_format.map do |option|
152
+ format_line(w, option)
153
+ end.compact
154
+ end
155
+
156
+ def format_line w, option
157
+ case option
158
+ when :confidence
159
+ label('Confidence', confidence(w.confidence))
160
+ when :category
161
+ label('Category', w.warning_type.to_s)
162
+ when :check
163
+ label('Check', w.check.gsub(/^Brakeman::Check/, ''))
164
+ when :message
152
165
  label('Message', w.message)
153
- ]
154
-
155
- if w.code
156
- out << label('Code', format_code(w))
157
- end
158
-
159
- out << label('File', warning_file(w))
160
-
161
- if w.line
162
- out << label('Line', w.line)
166
+ when :code
167
+ if w.code
168
+ label('Code', format_code(w))
169
+ end
170
+ when :file
171
+ label('File', warning_file(w))
172
+ when :line
173
+ if w.line
174
+ label('Line', w.line)
175
+ end
176
+ when :link
177
+ label('Link', w.link)
178
+ when :fingerprint
179
+ label('Fingerprint', w.fingerprint)
180
+ when :category_id
181
+ label('Category ID', w.warning_code)
182
+ when :render_path
183
+ if w.called_from
184
+ label('Render Path', w.called_from.join(" > "))
185
+ end
163
186
  end
164
-
165
- out
166
187
  end
167
188
 
168
189
  def double_space title, values
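Review bot: `format_line` has no `else` branch, so a field symbol outside the `when` list yields `nil` and is silently dropped by `.compact` in `output_warning`; the CLI parser validates the list, but `tracker.options[:text_fields]` can also be set programmatically by users of brakeman-lib, where a typo just makes a column vanish. Adding `else raise ArgumentError, "Unknown text field: #{option.inspect}"` at the end of the `case` surfaces that. The nested `if w.code … end`, `if w.line … end` and `if w.called_from … end` bodies read more naturally in modifier form, e.g. `label('Code', format_code(w)) if w.code`. The default list in `output_warning` would be clearer as a frozen class constant such as `DEFAULT_TEXT_FIELDS` so it is visible at a glance and not rebuilt per warning.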
@@ -54,7 +54,7 @@ module Brakeman
54
54
  end
55
55
 
56
56
  def gem_version name
57
- extract_version @gems.dig(name, :version)
57
+ extract_version @gems.dig(name.to_sym, :version)
58
58
  end
59
59
 
60
60
  def add_gem name, version, file, line
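Review bot: `gem_version`, `has_gem?` and `get_gem` now symbolize the key on read (this hunk and the next, `@@ -67,11 +67,11 @@`), but the writer `add_gem name, version, file, line`, whose signature ends this hunk and whose body is outside it, is not shown doing the same; if it stores `name` as given, a gem registered under a String key is never found by these readers, so `name.to_sym` belongs there as well — worth confirming. A second effect is that a `nil` name, which previously fell through `@gems.dig(nil, :version)` and `@gems[nil]` to `nil`, now raises `NoMethodError` from `nil.to_sym`; `gemfile_or_environment` in `BaseCheck` guards its argument before calling `get_gem`, but any caller that does not would now crash, and `name&.to_sym` would keep the old tolerance in all three readers.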
@@ -67,11 +67,11 @@ module Brakeman
67
67
  end
68
68
 
69
69
  def has_gem? name
70
- !!@gems[name]
70
+ !!@gems[name.to_sym]
71
71
  end
72
72
 
73
73
  def get_gem name
74
- @gems[name]
74
+ @gems[name.to_sym]
75
75
  end
76
76
 
77
77
  def set_rails_version version = nil
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "4.8.1"
2
+ Version = "4.8.2"
3
3
  end
@@ -114,6 +114,10 @@ module Brakeman::WarningCodes
114
114
  :unsafe_cookie_serialization => 110,
115
115
  :reverse_tabnabbing => 111,
116
116
  :mass_assign_permit_all => 112,
117
+ :json_html_escape_config => 113,
118
+ :json_html_escape_module => 114,
119
+ :CVE_2020_8159 => 115,
120
+
117
121
  :custom_check => 9090,
118
122
  }
119
123
 
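--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: brakeman-lib
  version: !ruby/object:Gem::Version
- version: 4.8.1
+ version: 4.8.2
  platform: ruby
  authors:
  - Justin Collins
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2020-04-07 00:00:00.000000000 Z
+ date: 2020-05-12 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: minitest
@@ -240,6 +240,7 @@ files:
  - lib/brakeman/checks/check_i18n_xss.rb
  - lib/brakeman/checks/check_jruby_xml.rb
  - lib/brakeman/checks/check_json_encoding.rb
+ - lib/brakeman/checks/check_json_entity_escape.rb
  - lib/brakeman/checks/check_json_parsing.rb
  - lib/brakeman/checks/check_link_to.rb
  - lib/brakeman/checks/check_link_to_href.rb
@@ -252,6 +253,7 @@ files:
  - lib/brakeman/checks/check_nested_attributes.rb
  - lib/brakeman/checks/check_nested_attributes_bypass.rb
  - lib/brakeman/checks/check_number_to_currency.rb
+ - lib/brakeman/checks/check_page_caching_cve.rb
  - lib/brakeman/checks/check_permit_attributes.rb
  - lib/brakeman/checks/check_quote_table_name.rb
  - lib/brakeman/checks/check_redirect.rb
@@ -406,7 +408,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
- rubygems_version: 3.0.8
+ rubygems_version: 3.1.2
  signing_key:
  specification_version: 4
  summary: Security vulnerability scanner for Ruby on Rails.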