brakeman-lib 4.8.1 → 4.8.2
- checksums.yaml +4 -4
- data/CHANGES.md +7 -0
- data/README.md +5 -3
- data/lib/brakeman/checks/base_check.rb +1 -1
- data/lib/brakeman/checks/check_basic_auth.rb +2 -0
- data/lib/brakeman/checks/check_json_entity_escape.rb +38 -0
- data/lib/brakeman/checks/check_page_caching_cve.rb +37 -0
- data/lib/brakeman/options.rb +16 -0
- data/lib/brakeman/report/report_text.rb +37 -16
- data/lib/brakeman/tracker/config.rb +3 -3
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning_codes.rb +4 -0
- metadata +5 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 53e42567258ccfcd4e8c53055d74b9d92cf3dd864a0ef60ce19b9b9362e9976c
|
4
|
+
data.tar.gz: 2b6f35eb78b76165311bd092253a41cdc5d0bba4aa585e80ef64e97b22d899a1
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 3fcfd0a1b757fb5d6d27640dc72c3fdc672e611869186e82622ea3972ed10fbe7a5eaaa16b08040532f80917ed5bc374f7276ac4a6238caef74b989ff1f9e0cf
|
7
|
+
data.tar.gz: 3a924be974720bac6d762085d7353853be0243c7279818b305a133be8d3df8f0e3fba6720000a18f991c8de2e046b6bcb259b709d6558ba50b59c010504eb4f3
|
data/CHANGES.md
CHANGED
@@ -1,3 +1,10 @@
|
|
1
|
+
# 4.8.2 - 2020-05-12
|
2
|
+
|
3
|
+
* Add check for CVE-2020-8159
|
4
|
+
* Fix `authenticate_or_request_with_http_basic` check for passed blocks (Hugo Corbucci)
|
5
|
+
* Add `--text-fields` option
|
6
|
+
* Add check for escaping HTML entities in JSON configuration
|
7
|
+
|
1
8
|
# 4.8.1 - 2020-04-06
|
2
9
|
|
3
10
|
* Check SQL query strings using `String#strip` or `String.squish`
|
data/README.md
CHANGED
@@ -467,7 +467,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
|
|
467
467
|
end
|
468
468
|
|
469
469
|
def gemfile_or_environment gem_name = :rails
|
470
|
-
if gem_name and info = tracker.config.get_gem(gem_name)
|
470
|
+
if gem_name and info = tracker.config.get_gem(gem_name.to_sym)
|
471
471
|
info
|
472
472
|
elsif @app_tree.exists?("Gemfile")
|
473
473
|
@app_tree.file_path "Gemfile"
|
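Review bot: The `.to_sym` added on the `get_gem` call duplicates the conversion that `Brakeman::Config#get_gem` itself performs on the new side (`@gems[name.to_sym]` in the config.rb hunk further down), so one of the two is redundant; keeping the normalisation in `Config` alone would make `if gem_name and info = tracker.config.get_gem(gem_name)` sufficient here. While the line is being touched, `and` for boolean logic combined with an assignment inside the condition is the construct RuboCop flags for precedence surprises; `if gem_name && (info = tracker.config.get_gem(gem_name))` reads the same and makes the assignment explicit. `gemfile_or_environment` continues past the end of the hunk.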
@@ -57,6 +57,8 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
|
|
57
57
|
|
58
58
|
# Check if the block of a result contains a comparison of password to string
|
59
59
|
def include_password_literal? result
|
60
|
+
return false if result[:block_args].nil?
|
61
|
+
|
60
62
|
@password_var = result[:block_args].last
|
61
63
|
@include_password = false
|
62
64
|
process result[:block]
|
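Review bot: The new guard `return false if result[:block_args].nil?` carries no comment saying why `:block_args` can be nil, so a reader may assume every result has block arguments and treat the line as dead code. A one-line why-comment such as `# No block was passed to the auth call, so there is no password argument to inspect` would record the intent (the changelog entry on this page suggests the fix is for calls made without a block — confirm against how results are built). If `result[:block]` can be nil independently of `:block_args`, the `process result[:block]` call two lines below would still need its own guard; that cannot be judged from the hunk. `include_password_literal?` ends outside the hunk.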
@@ -0,0 +1,38 @@
|
|
1
|
+
require 'brakeman/checks/base_check'
|
2
|
+
|
3
|
+
class Brakeman::CheckJSONEntityEscape < Brakeman::BaseCheck
|
4
|
+
Brakeman::Checks.add self
|
5
|
+
|
6
|
+
@description = "Check if HTML escaping is disabled for JSON output"
|
7
|
+
|
8
|
+
def run_check
|
9
|
+
check_config_setting
|
10
|
+
check_manual_disable
|
11
|
+
end
|
12
|
+
|
13
|
+
def check_config_setting
|
14
|
+
if false? tracker.config.rails.dig(:active_support, :escape_html_entities_in_json)
|
15
|
+
warn :warning_type => "Cross-Site Scripting",
|
16
|
+
:warning_code => :json_html_escape_config,
|
17
|
+
:message => msg("HTML entities in JSON are not escaped by default"),
|
18
|
+
:confidence => :medium,
|
19
|
+
:file => "config/environments/production.rb",
|
20
|
+
:line => 1
|
21
|
+
end
|
22
|
+
end
|
23
|
+
|
24
|
+
def check_manual_disable
|
25
|
+
tracker.find_call(targets: [:ActiveSupport, :'ActiveSupport::JSON::Encoding'], method: :escape_html_entities_in_json=).each do |result|
|
26
|
+
setting = result[:call].first_arg
|
27
|
+
|
28
|
+
if false? setting
|
29
|
+
warn :result => result,
|
30
|
+
:warning_type => "Cross-Site Scripting",
|
31
|
+
:warning_code => :json_html_escape_module,
|
32
|
+
:message => msg("HTML entities in JSON are not escaped by default"),
|
33
|
+
:confidence => :medium,
|
34
|
+
:file => "config/environments/production.rb"
|
35
|
+
end
|
36
|
+
end
|
37
|
+
end
|
38
|
+
end
|
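Review bot: `check_manual_disable` hard-codes `:file => "config/environments/production.rb"` even though it also passes `:result => result`, which carries the location of the actual `escape_html_entities_in_json=` call; if `warn` prefers the explicit `:file`, an assignment in an initializer or in `config/application.rb` will be reported against a file that does not contain it. Dropping the `:file` line in `check_manual_disable` and letting the result supply the location avoids that. The fixed path and `:line => 1` in `check_config_setting` are presumably a best guess, since `tracker.config.rails.dig(...)` does not say which config file set the option; a comment such as `# The tracker does not record which config file set this option, so point at the production config as the most likely place` would make that deliberate. The identical message string in both methods could be a single frozen constant on the class.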
@@ -0,0 +1,37 @@
|
|
1
|
+
require 'brakeman/checks/base_check'
|
2
|
+
|
3
|
+
class Brakeman::CheckPageCachingCVE < Brakeman::BaseCheck
|
4
|
+
Brakeman::Checks.add self
|
5
|
+
|
6
|
+
@description = "Check for page caching vulnerability (CVE-2020-8159)"
|
7
|
+
|
8
|
+
def run_check
|
9
|
+
gem_name = 'actionpack-page_caching'
|
10
|
+
gem_version = tracker.config.gem_version(gem_name.to_sym)
|
11
|
+
upgrade_version = '1.2.2'
|
12
|
+
cve = 'CVE-2020-8159'
|
13
|
+
|
14
|
+
return unless gem_version and version_between?('0.0.0', '1.2.1', gem_version)
|
15
|
+
|
16
|
+
message = msg("Directory traversal vulnerability in ", msg_version(gem_version, gem_name), " ", msg_cve(cve), ". Upgrade to ", msg_version(upgrade_version, gem_name))
|
17
|
+
|
18
|
+
if uses_caches_page?
|
19
|
+
confidence = :high
|
20
|
+
else
|
21
|
+
confidence = :weak
|
22
|
+
end
|
23
|
+
|
24
|
+
warn :warning_type => 'Directory Traversal',
|
25
|
+
:warning_code => :CVE_2020_8159,
|
26
|
+
:message => message,
|
27
|
+
:confidence => confidence,
|
28
|
+
:link_path => 'https://groups.google.com/d/msg/rubyonrails-security/CFRVkEytdP8/c5gmICECAgAJ',
|
29
|
+
:gem_info => gemfile_or_environment(gem_name)
|
30
|
+
end
|
31
|
+
|
32
|
+
def uses_caches_page?
|
33
|
+
tracker.controllers.any? do |name, controller|
|
34
|
+
controller.options.has_key? :caches_page
|
35
|
+
end
|
36
|
+
end
|
37
|
+
end
|
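Review bot: In `uses_caches_page?` the block parameter `name` is never used; `tracker.controllers.any? { |_name, controller| controller.options.key? :caches_page }` signals that only the controller is consulted. The confidence branch in `run_check` is the one non-obvious decision and deserves a why-comment, e.g. `# Presumably only controllers that call caches_page exercise the affected code, so downgrade to :weak when none does — confirm against the advisory`, and `confidence = uses_caches_page? ? :high : :weak` keeps it to one line. `return unless gem_version and version_between?(...)` uses `and` where `&&` is the conventional operator for boolean logic.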
data/lib/brakeman/options.rb
CHANGED
@@ -301,6 +301,22 @@ module Brakeman::Options
|
|
301
301
|
options[:github_repo] = repo
|
302
302
|
end
|
303
303
|
|
304
|
+
opts.on "--text-fields field1,field2,etc.", Array, "Specify fields for text report format" do |format|
|
305
|
+
valid_options = [:category, :category_id, :check, :code, :confidence, :file, :fingerprint, :line, :link, :message, :render_path]
|
306
|
+
|
307
|
+
options[:text_fields] = format.map(&:to_sym)
|
308
|
+
|
309
|
+
if options[:text_fields] == [:all]
|
310
|
+
options[:text_fields] = valid_options
|
311
|
+
else
|
312
|
+
invalid_options = (options[:text_fields] - valid_options)
|
313
|
+
|
314
|
+
unless invalid_options.empty?
|
315
|
+
raise OptionParser::ParseError, "\nInvalid format options: #{invalid_options.inspect}"
|
316
|
+
end
|
317
|
+
end
|
318
|
+
end
|
319
|
+
|
304
320
|
opts.on "-w",
|
305
321
|
"--confidence-level LEVEL",
|
306
322
|
["1", "2", "3"],
|
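Review bot: `valid_options` hard-codes the list of text report fields, and the same set appears again as the `when` branches of `Brakeman::Report::Text#format_line` in the report_text.rb hunk below; the two will drift as soon as a field is added to one and not the other. A shared frozen constant (on the text report class, referenced from this option) would keep the parser and the formatter in agreement. Two smaller points: the block parameter `format` shadows `Kernel#format` — `fields` would be clearer — and `--text-fields all,code` is rejected with `Invalid format options: [:all]` because `:all` is only recognised when it is the sole value; either accept it alongside other fields or say so in the option description.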
@@ -145,24 +145,45 @@ class Brakeman::Report::Text < Brakeman::Report::Base
|
|
145
145
|
end
|
146
146
|
|
147
147
|
def output_warning w
|
148
|
-
|
149
|
-
|
150
|
-
|
151
|
-
|
148
|
+
text_format = tracker.options[:text_fields] ||
|
149
|
+
[:confidence, :category, :check, :message, :code, :file, :line]
|
150
|
+
|
151
|
+
text_format.map do |option|
|
152
|
+
format_line(w, option)
|
153
|
+
end.compact
|
154
|
+
end
|
155
|
+
|
156
|
+
def format_line w, option
|
157
|
+
case option
|
158
|
+
when :confidence
|
159
|
+
label('Confidence', confidence(w.confidence))
|
160
|
+
when :category
|
161
|
+
label('Category', w.warning_type.to_s)
|
162
|
+
when :check
|
163
|
+
label('Check', w.check.gsub(/^Brakeman::Check/, ''))
|
164
|
+
when :message
|
152
165
|
label('Message', w.message)
|
153
|
-
|
154
|
-
|
155
|
-
|
156
|
-
|
157
|
-
|
158
|
-
|
159
|
-
|
160
|
-
|
161
|
-
|
162
|
-
|
166
|
+
when :code
|
167
|
+
if w.code
|
168
|
+
label('Code', format_code(w))
|
169
|
+
end
|
170
|
+
when :file
|
171
|
+
label('File', warning_file(w))
|
172
|
+
when :line
|
173
|
+
if w.line
|
174
|
+
label('Line', w.line)
|
175
|
+
end
|
176
|
+
when :link
|
177
|
+
label('Link', w.link)
|
178
|
+
when :fingerprint
|
179
|
+
label('Fingerprint', w.fingerprint)
|
180
|
+
when :category_id
|
181
|
+
label('Category ID', w.warning_code)
|
182
|
+
when :render_path
|
183
|
+
if w.called_from
|
184
|
+
label('Render Path', w.called_from.join(" > "))
|
185
|
+
end
|
163
186
|
end
|
164
|
-
|
165
|
-
out
|
166
187
|
end
|
167
188
|
|
168
189
|
def double_space title, values
|
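Review bot: `w.check.gsub(/^Brakeman::Check/, '')` in the `:check` branch of `format_line` anchors with `^`, which matches at any line start, and uses `gsub` for a prefix that can occur at most once; `w.check.sub(/\ABrakeman::Check/, '')` states the intent exactly. `format_line` returns nil for any symbol it does not recognise and `output_warning` compacts it away, so a field name that bypasses the `--text-fields` validation (set programmatically in `tracker.options[:text_fields]`) is silently dropped rather than reported; an `else raise ArgumentError, "Unknown text field: #{option.inspect}"` branch would surface that. `output_warning` now returns the array from `map ... .compact` where the removed version returned `out`; the caller's handling of that value is outside the hunk, so worth confirming.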
@@ -54,7 +54,7 @@ module Brakeman
|
|
54
54
|
end
|
55
55
|
|
56
56
|
def gem_version name
|
57
|
-
extract_version @gems.dig(name, :version)
|
57
|
+
extract_version @gems.dig(name.to_sym, :version)
|
58
58
|
end
|
59
59
|
|
60
60
|
def add_gem name, version, file, line
|
@@ -67,11 +67,11 @@ module Brakeman
|
|
67
67
|
end
|
68
68
|
|
69
69
|
def has_gem? name
|
70
|
-
!!@gems[name]
|
70
|
+
!!@gems[name.to_sym]
|
71
71
|
end
|
72
72
|
|
73
73
|
def get_gem name
|
74
|
-
@gems[name]
|
74
|
+
@gems[name.to_sym]
|
75
75
|
end
|
76
76
|
|
77
77
|
def set_rails_version version = nil
|
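Review bot: `name.to_sym` in `gem_version`, `has_gem?` and `get_gem` raises `NoMethodError` when `name` is nil, whereas the replaced `@gems[name]` and `@gems.dig(name, :version)` simply returned nil; any caller that passes a possibly-nil name now crashes instead of getting a falsy result. If nil should stay tolerated, `name&.to_sym` in all three lookups preserves the old behaviour while still accepting strings. This also assumes `add_gem` (its body is outside the hunk) stores gems under symbol keys; if it keeps the key as given, gems registered under string names would never be found after this change — confirm.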
data/lib/brakeman/version.rb
CHANGED
@@ -114,6 +114,10 @@ module Brakeman::WarningCodes
|
|
114
114
|
:unsafe_cookie_serialization => 110,
|
115
115
|
:reverse_tabnabbing => 111,
|
116
116
|
:mass_assign_permit_all => 112,
|
117
|
+
:json_html_escape_config => 113,
|
118
|
+
:json_html_escape_module => 114,
|
119
|
+
:CVE_2020_8159 => 115,
|
120
|
+
|
117
121
|
:custom_check => 9090,
|
118
122
|
}
|
119
123
|
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: brakeman-lib
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 4.8.
|
4
|
+
version: 4.8.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Justin Collins
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2020-
|
11
|
+
date: 2020-05-12 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: minitest
|
@@ -240,6 +240,7 @@ files:
|
|
240
240
|
- lib/brakeman/checks/check_i18n_xss.rb
|
241
241
|
- lib/brakeman/checks/check_jruby_xml.rb
|
242
242
|
- lib/brakeman/checks/check_json_encoding.rb
|
243
|
+
- lib/brakeman/checks/check_json_entity_escape.rb
|
243
244
|
- lib/brakeman/checks/check_json_parsing.rb
|
244
245
|
- lib/brakeman/checks/check_link_to.rb
|
245
246
|
- lib/brakeman/checks/check_link_to_href.rb
|
@@ -252,6 +253,7 @@ files:
|
|
252
253
|
- lib/brakeman/checks/check_nested_attributes.rb
|
253
254
|
- lib/brakeman/checks/check_nested_attributes_bypass.rb
|
254
255
|
- lib/brakeman/checks/check_number_to_currency.rb
|
256
|
+
- lib/brakeman/checks/check_page_caching_cve.rb
|
255
257
|
- lib/brakeman/checks/check_permit_attributes.rb
|
256
258
|
- lib/brakeman/checks/check_quote_table_name.rb
|
257
259
|
- lib/brakeman/checks/check_redirect.rb
|
@@ -406,7 +408,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
406
408
|
- !ruby/object:Gem::Version
|
407
409
|
version: '0'
|
408
410
|
requirements: []
|
409
|
-
rubygems_version: 3.
|
411
|
+
rubygems_version: 3.1.2
|
410
412
|
signing_key:
|
411
413
|
specification_version: 4
|
412
414
|
summary: Security vulnerability scanner for Ruby on Rails.
|