brakeman-lib 4.8.1 → 4.8.2

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: a2e421e421971f6309de15b50d5305a37acf839e4023cd5b976cfb644f62b635
4
- data.tar.gz: cb219b5f4cac1dd286e88b6048dd675adb062be8d273d960364f830ed3fa9493
3
+ metadata.gz: 53e42567258ccfcd4e8c53055d74b9d92cf3dd864a0ef60ce19b9b9362e9976c
4
+ data.tar.gz: 2b6f35eb78b76165311bd092253a41cdc5d0bba4aa585e80ef64e97b22d899a1
5
5
  SHA512:
6
- metadata.gz: b7f76e5da87ef345f47de2a8c489e94f07ba5892a5ab796d9cc5ad147036d599d273d1b339e126ed4f6288efd1b6bfa3a77201787afbcbf83b0279acb6a57459
7
- data.tar.gz: 1544f86037df9fd49e3674c7bd39b4eec1f1e41378078a6077647506f7ba257db4aaa48191df5b8c11c736bc44ac054fc0e96e6b67d21e155977a2f8b7ce44f0
6
+ metadata.gz: 3fcfd0a1b757fb5d6d27640dc72c3fdc672e611869186e82622ea3972ed10fbe7a5eaaa16b08040532f80917ed5bc374f7276ac4a6238caef74b989ff1f9e0cf
7
+ data.tar.gz: 3a924be974720bac6d762085d7353853be0243c7279818b305a133be8d3df8f0e3fba6720000a18f991c8de2e046b6bcb259b709d6558ba50b59c010504eb4f3
data/CHANGES.md CHANGED
@@ -1,3 +1,10 @@
1
+ # 4.8.2 - 2020-05-12
2
+
3
+ * Add check for CVE-2020-8159
4
+ * Fix `authenticate_or_request_with_http_basic` check for passed blocks (Hugo Corbucci)
5
+ * Add `--text-fields` option
6
+ * Add check for escaping HTML entities in JSON configuration
7
+
1
8
  # 4.8.1 - 2020-04-06
2
9
 
3
10
  * Check SQL query strings using `String#strip` or `String.squish`
data/README.md CHANGED
@@ -16,9 +16,11 @@ Using RubyGems:
16
16
 
17
17
  Using Bundler:
18
18
 
19
- group :development do
20
- gem 'brakeman'
21
- end
19
+ ```ruby
20
+ group :development do
21
+ gem 'brakeman'
22
+ end
23
+ ```
22
24
 
23
25
  Using Docker:
24
26
 
@@ -467,7 +467,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
467
467
  end
468
468
 
469
469
  def gemfile_or_environment gem_name = :rails
470
- if gem_name and info = tracker.config.get_gem(gem_name)
470
+ if gem_name and info = tracker.config.get_gem(gem_name.to_sym)
471
471
  info
472
472
  elsif @app_tree.exists?("Gemfile")
473
473
  @app_tree.file_path "Gemfile"
@@ -57,6 +57,8 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
57
57
 
58
58
  # Check if the block of a result contains a comparison of password to string
59
59
  def include_password_literal? result
60
+ return false if result[:block_args].nil?
61
+
60
62
  @password_var = result[:block_args].last
61
63
  @include_password = false
62
64
  process result[:block]
@@ -0,0 +1,38 @@
1
+ require 'brakeman/checks/base_check'
2
+
3
+ class Brakeman::CheckJSONEntityEscape < Brakeman::BaseCheck
4
+ Brakeman::Checks.add self
5
+
6
+ @description = "Check if HTML escaping is disabled for JSON output"
7
+
8
+ def run_check
9
+ check_config_setting
10
+ check_manual_disable
11
+ end
12
+
13
+ def check_config_setting
14
+ if false? tracker.config.rails.dig(:active_support, :escape_html_entities_in_json)
15
+ warn :warning_type => "Cross-Site Scripting",
16
+ :warning_code => :json_html_escape_config,
17
+ :message => msg("HTML entities in JSON are not escaped by default"),
18
+ :confidence => :medium,
19
+ :file => "config/environments/production.rb",
20
+ :line => 1
21
+ end
22
+ end
23
+
24
+ def check_manual_disable
25
+ tracker.find_call(targets: [:ActiveSupport, :'ActiveSupport::JSON::Encoding'], method: :escape_html_entities_in_json=).each do |result|
26
+ setting = result[:call].first_arg
27
+
28
+ if false? setting
29
+ warn :result => result,
30
+ :warning_type => "Cross-Site Scripting",
31
+ :warning_code => :json_html_escape_module,
32
+ :message => msg("HTML entities in JSON are not escaped by default"),
33
+ :confidence => :medium,
34
+ :file => "config/environments/production.rb"
35
+ end
36
+ end
37
+ end
38
+ end
@@ -0,0 +1,37 @@
1
+ require 'brakeman/checks/base_check'
2
+
3
+ class Brakeman::CheckPageCachingCVE < Brakeman::BaseCheck
4
+ Brakeman::Checks.add self
5
+
6
+ @description = "Check for page caching vulnerability (CVE-2020-8159)"
7
+
8
+ def run_check
9
+ gem_name = 'actionpack-page_caching'
10
+ gem_version = tracker.config.gem_version(gem_name.to_sym)
11
+ upgrade_version = '1.2.2'
12
+ cve = 'CVE-2020-8159'
13
+
14
+ return unless gem_version and version_between?('0.0.0', '1.2.1', gem_version)
15
+
16
+ message = msg("Directory traversal vulnerability in ", msg_version(gem_version, gem_name), " ", msg_cve(cve), ". Upgrade to ", msg_version(upgrade_version, gem_name))
17
+
18
+ if uses_caches_page?
19
+ confidence = :high
20
+ else
21
+ confidence = :weak
22
+ end
23
+
24
+ warn :warning_type => 'Directory Traversal',
25
+ :warning_code => :CVE_2020_8159,
26
+ :message => message,
27
+ :confidence => confidence,
28
+ :link_path => 'https://groups.google.com/d/msg/rubyonrails-security/CFRVkEytdP8/c5gmICECAgAJ',
29
+ :gem_info => gemfile_or_environment(gem_name)
30
+ end
31
+
32
+ def uses_caches_page?
33
+ tracker.controllers.any? do |name, controller|
34
+ controller.options.has_key? :caches_page
35
+ end
36
+ end
37
+ end
@@ -301,6 +301,22 @@ module Brakeman::Options
301
301
  options[:github_repo] = repo
302
302
  end
303
303
 
304
+ opts.on "--text-fields field1,field2,etc.", Array, "Specify fields for text report format" do |format|
305
+ valid_options = [:category, :category_id, :check, :code, :confidence, :file, :fingerprint, :line, :link, :message, :render_path]
306
+
307
+ options[:text_fields] = format.map(&:to_sym)
308
+
309
+ if options[:text_fields] == [:all]
310
+ options[:text_fields] = valid_options
311
+ else
312
+ invalid_options = (options[:text_fields] - valid_options)
313
+
314
+ unless invalid_options.empty?
315
+ raise OptionParser::ParseError, "\nInvalid format options: #{invalid_options.inspect}"
316
+ end
317
+ end
318
+ end
319
+
304
320
  opts.on "-w",
305
321
  "--confidence-level LEVEL",
306
322
  ["1", "2", "3"],
@@ -145,24 +145,45 @@ class Brakeman::Report::Text < Brakeman::Report::Base
145
145
  end
146
146
 
147
147
  def output_warning w
148
- out = [
149
- label('Confidence', confidence(w.confidence)),
150
- label('Category', w.warning_type.to_s),
151
- label('Check', w.check.gsub(/^Brakeman::Check/, '')),
148
+ text_format = tracker.options[:text_fields] ||
149
+ [:confidence, :category, :check, :message, :code, :file, :line]
150
+
151
+ text_format.map do |option|
152
+ format_line(w, option)
153
+ end.compact
154
+ end
155
+
156
+ def format_line w, option
157
+ case option
158
+ when :confidence
159
+ label('Confidence', confidence(w.confidence))
160
+ when :category
161
+ label('Category', w.warning_type.to_s)
162
+ when :check
163
+ label('Check', w.check.gsub(/^Brakeman::Check/, ''))
164
+ when :message
152
165
  label('Message', w.message)
153
- ]
154
-
155
- if w.code
156
- out << label('Code', format_code(w))
157
- end
158
-
159
- out << label('File', warning_file(w))
160
-
161
- if w.line
162
- out << label('Line', w.line)
166
+ when :code
167
+ if w.code
168
+ label('Code', format_code(w))
169
+ end
170
+ when :file
171
+ label('File', warning_file(w))
172
+ when :line
173
+ if w.line
174
+ label('Line', w.line)
175
+ end
176
+ when :link
177
+ label('Link', w.link)
178
+ when :fingerprint
179
+ label('Fingerprint', w.fingerprint)
180
+ when :category_id
181
+ label('Category ID', w.warning_code)
182
+ when :render_path
183
+ if w.called_from
184
+ label('Render Path', w.called_from.join(" > "))
185
+ end
163
186
  end
164
-
165
- out
166
187
  end
167
188
 
168
189
  def double_space title, values
@@ -54,7 +54,7 @@ module Brakeman
54
54
  end
55
55
 
56
56
  def gem_version name
57
- extract_version @gems.dig(name, :version)
57
+ extract_version @gems.dig(name.to_sym, :version)
58
58
  end
59
59
 
60
60
  def add_gem name, version, file, line
@@ -67,11 +67,11 @@ module Brakeman
67
67
  end
68
68
 
69
69
  def has_gem? name
70
- !!@gems[name]
70
+ !!@gems[name.to_sym]
71
71
  end
72
72
 
73
73
  def get_gem name
74
- @gems[name]
74
+ @gems[name.to_sym]
75
75
  end
76
76
 
77
77
  def set_rails_version version = nil
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "4.8.1"
2
+ Version = "4.8.2"
3
3
  end
@@ -114,6 +114,10 @@ module Brakeman::WarningCodes
114
114
  :unsafe_cookie_serialization => 110,
115
115
  :reverse_tabnabbing => 111,
116
116
  :mass_assign_permit_all => 112,
117
+ :json_html_escape_config => 113,
118
+ :json_html_escape_module => 114,
119
+ :CVE_2020_8159 => 115,
120
+
117
121
  :custom_check => 9090,
118
122
  }
119
123
 
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: brakeman-lib
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.8.1
4
+ version: 4.8.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Justin Collins
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-04-07 00:00:00.000000000 Z
11
+ date: 2020-05-12 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: minitest
@@ -240,6 +240,7 @@ files:
240
240
  - lib/brakeman/checks/check_i18n_xss.rb
241
241
  - lib/brakeman/checks/check_jruby_xml.rb
242
242
  - lib/brakeman/checks/check_json_encoding.rb
243
+ - lib/brakeman/checks/check_json_entity_escape.rb
243
244
  - lib/brakeman/checks/check_json_parsing.rb
244
245
  - lib/brakeman/checks/check_link_to.rb
245
246
  - lib/brakeman/checks/check_link_to_href.rb
@@ -252,6 +253,7 @@ files:
252
253
  - lib/brakeman/checks/check_nested_attributes.rb
253
254
  - lib/brakeman/checks/check_nested_attributes_bypass.rb
254
255
  - lib/brakeman/checks/check_number_to_currency.rb
256
+ - lib/brakeman/checks/check_page_caching_cve.rb
255
257
  - lib/brakeman/checks/check_permit_attributes.rb
256
258
  - lib/brakeman/checks/check_quote_table_name.rb
257
259
  - lib/brakeman/checks/check_redirect.rb
@@ -406,7 +408,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
406
408
  - !ruby/object:Gem::Version
407
409
  version: '0'
408
410
  requirements: []
409
- rubygems_version: 3.0.8
411
+ rubygems_version: 3.1.2
410
412
  signing_key:
411
413
  specification_version: 4
412
414
  summary: Security vulnerability scanner for Ruby on Rails.