RubyGems - brakeman-llm - Versions diffs - 0.0.1 - Mend

brakeman-llm 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (46) hide show

checksums.yaml ADDED Viewed

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: ef666ad931136eb76564a777cb88fbae6d82faa923ecd53157b007743eb55168
+  data.tar.gz: 5cbfb90e111f4d2fd70d9e5871707ceb8ec60ac4d1399044786a93b3c1862b00
+SHA512:
+  metadata.gz: 0aeef7aade75c790d635c4c89db188d9b4fa210021d02add11cd59e795b3ed15b80a2550460cd33dba0c245d46c1d46bc16bf6c9ef219c80ddcd68c6e58a5500
+  data.tar.gz: 11faf76793129732bc14fbfb40a29fcaf69581ccb7ce21099e9c8682d80a14e0be9837a505d60f41dadc2debccd633326cd9be9103e596b4b7dcc918192c1566

data/bin/brakeman-llm ADDED Viewed

@@ -0,0 +1,10 @@
+#!/usr/bin/env ruby
+#Adjust path in case called directly and not through gem
+$:.unshift File.join(File.expand_path(File.dirname(__FILE__)), '..', 'lib')
+Encoding.default_external = 'UTF-8'
+require 'brakeman-llm'
+require 'brakeman/commandline'
+Brakeman::Commandline.start

data/docs/warning_types/CVE-2010-3933/index.markdown ADDED Viewed

@@ -0,0 +1,17 @@
+---
+layout: page
+title: "Nested Attributes (CVE-2010-3933)"
+date: 2012-06-19 16:59
+comments: false
+sharing: true
+footer: true
+---
+Rails 2.3.9 and 3.0.0 are vulnerable to an attack on nested attributes wherein a malicious user could alter data in any record in the system.
+It is recommended to upgrade to at least 2.3.10 or 3.0.1.
+For more details see [CVE-2011-0446](http://groups.google.com/group/rubyonrails-security/browse_thread/thread/f9f913d328dafe0c).
+---
+Back to [Warning Types](/docs/warning_types)

data/docs/warning_types/CVE-2011-0446/index.markdown ADDED Viewed

@@ -0,0 +1,17 @@
+---
+layout: page
+title: "Mail Link (CVE-2011-0446)"
+date: 2012-06-19 16:55
+comments: false
+sharing: true
+footer: true
+---
+Certain versions of Rails were vulnerable to a cross-site scripting vulnerability mail\_to.
+Versions of Rails after 2.3.10 or 3.0.3 are not affected. Updating or removing the mail\_to links is advised.
+For more details see [CVE-2011-0446](http://groups.google.com/group/rubyonrails-security/browse_thread/thread/f02a48ede8315f81).
+---
+Back to [Warning Types](/docs/warning_types)

data/docs/warning_types/CVE-2011-3186/index.markdown ADDED Viewed

@@ -0,0 +1,17 @@
+---
+layout: page
+title: "Response Splitting (CVE-2011-3186)"
+date: 2012-06-19 17:02
+comments: false
+sharing: true
+footer: true
+---
+Response splitting is a simple attack that can be used as part or a larger exploit chain. A malicious user sends data that causes the HTTP response header to include unintended newline characters which are interpreted as the end of the header. The attacker may then forge their own response body and an entirely false HTTP response, essentailly hijacking the entire page load.
+Versions of Rails 2 previous to 2.3.13 were vulnerable to this type of attack. The Rails 3 branch is not affected.
+For more details see [CVE-2011-3186](http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6ffc93bde0298768).
+---
+Back to [Warning Types](/docs/warning_types)

data/docs/warning_types/attribute_restriction/index.markdown ADDED Viewed

@@ -0,0 +1,32 @@
+---
+layout: page
+title: "Attribute Restriction"
+date: 2011-11-10 12:46
+comments: false
+sharing: true
+footer: true
+---
+This warning type only applies to Ruby on Rails applications which are not using [strong parameters](https://guides.rubyonrails.org/action_controller_overview.html#strong-parameters).
+Note that disabling mass assignment globally will suppress these warnings.
+#### Missing Protection
+This warning comes up if a model does not limit what attributes can be set through [mass assignment](https://guides.rubyonrails.org/v3.2.9/security.html#mass-assignment).
+In particular, this check looks for `attr_accessible` inside model definitions. If it is not found, this warning will be issued.
+#### Use of Blacklist
+Brakeman also warns on use of `attr_protected` - especially since it was found to be [vulnerable to bypass](https://groups.google.com/d/topic/rubyonrails-security/AFBKNY7VSH8/discussion). Warnings for mass assignment on models using `attr_protected` will be reported, but at a lower confidence level.
+#### Suggested Remediation
+For newer Ruby on Rails applications, query parameters should be whitelisted before use via strong parameters.
+For older Ruby on Rails applications, each model should use `attr_accessible` to carefully whitelist which attributes may be set via mass assignment, if any.
+---
+Back to [Warning Types](/docs/warning_types)

data/docs/warning_types/authentication/index.markdown ADDED Viewed

@@ -0,0 +1,23 @@
+---
+layout: page
+title: "Authentication"
+date: 2016-06-29 16:15
+comments: false
+sharing: true
+footer: true
+---
+"Authentication" is the act of verifying that a user or client is who they say they are.
+Right now, the only Brakeman warning in the authentication category is regarding hardcoded passwords.
+Brakeman will warn about constants with literal string values that appear to be passwords.
+Hardcoded passwords are security issues since they imply a single password and that password is stored in the source code.
+Typically source code is available to a wide number of people inside an organization, and there have been many instances of source
+code leaking to the public. Passwords and secrets should be stored in a separate, secure location to limit access.
+Additionally, it is recommended not to use a single password for accessing sensitive information.
+Each user should have their own password to make it easier to audit and revoke access.
+---
+Back to [Warning Types](/docs/warning_types)

data/docs/warning_types/authentication_whitelist/index.markdown ADDED Viewed

@@ -0,0 +1,13 @@
+---
+layout: page
+title: "Authentication Whitelist"
+date: 2013-03-01 11:33
+comments: true
+sharing: true
+footer: true
+---
+When skipping `before_filter`s with security implications, a "whitelist" approach using `only` should be used instead of `except`. This ensures actions are protected by default, and unprotected only by exception.
+---
+Back to [Warning Types](/docs/warning_types)

data/docs/warning_types/basic_auth/index.markdown ADDED Viewed

@@ -0,0 +1,14 @@
+---
+layout: page
+title: "Basic Authentication"
+date: 2011-11-10 12:47
+comments: false
+sharing: true
+footer: true
+---
+<script>
+window.location.replace("http://brakemanscanner.org/docs/warning_types/basic_authentication/");
+</script>
+Content moved to [Basic Authentication](basic_authentication/).

data/docs/warning_types/basic_authentication/index.markdown ADDED Viewed

@@ -0,0 +1,25 @@
+---
+layout: page
+title: "Basic Authentication"
+date: 2011-11-10 12:52
+comments: false
+sharing: true
+footer: true
+---
+In Rails 3.1, a new feature was added to simplify basic authentication.
+The example provided in the official [Rails Guide](http://guides.rubyonrails.org/getting_started.html) looks like this:
+    class PostsController < ApplicationController
+      http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
+      #...
+    end
+This warning will be raised if `http_basic_authenticate_with` is used and the password is found to be a string (i.e., stored somewhere in the code).
+---
+Back to [Warning Types](/docs/warning_types)

data/docs/warning_types/command_injection/index.markdown ADDED Viewed

@@ -0,0 +1,26 @@
+---
+layout: page
+title: "Command Injection"
+date: 2011-11-09 14:33
+comments: false
+sharing: true
+footer: true
+---
+Injection is #1 on the 2010 [OWASP Top Ten](https://web.archive.org/web/20190223031311/https://www.owasp.org/index.php/Top_10_2010-A1) web security risks. Command injection occurs when shell commands unsafely include user-manipulatable values.
+There are many ways to run commands in Ruby:
+    `ls #{params[:file]}`
+    system("ls #{params[:dir]}")
+    exec("md5sum #{params[:input]}")
+Brakeman will warn on any method like these that uses user input or unsafely interpolates variables.
+See [the Ruby Security Guide](http://guides.rubyonrails.org/security.html#command-line-injection) for details.
+---
+Back to [Warning Types](/docs/warning_types)

data/docs/warning_types/content_tag/index.markdown ADDED Viewed

@@ -0,0 +1,30 @@
+---
+layout: page
+title: "Cross Site Scripting (Content Tag)"
+date: 2012-09-04 12:44
+comments: false
+sharing: true
+footer: true
+---
+Cross site scripting (or XSS) is #2 on the 2010 [OWASP Top Ten](https://web.archive.org/web/20190223031311/https://www.owasp.org/index.php/Top_10_2010-A2) web security risks and it pops up nearly everywhere. XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.
+[content\_tag](http://apidock.com/rails/ActionView/Helpers/TagHelper/content_tag) is a view helper which generates an HTML tag with some content:
+    >> content_tag :p, "Hi!"
+    => "<p>Hi!</p>"
+In Rails 2, this content is unescaped (although attribute values are escaped):
+    >> content_tag :p, "<script>alert(1)</script>"
+    => "<p><script>alert(1)</script></p>"
+In Rails 3, the content is escaped. However, only the *content* and the tag attribute *values* are escaped. The tag and attribute names are never escaped in Rails 2 or 3.
+This is more dangerous than a typical method call because `content_tag` marks its output as "HTML safe", meaning the `rails_xss` plugin and Rails 3 auto-escaping will not escape its output. Due to this, `content_tag` should be used carefully if user input is provided as an argument.
+Note that while `content_tag` does have an `escape` parameter, this only applies to tag attribute *values* and is true by default.
+---
+Back to [Warning Types](/docs/warning_types)

data/docs/warning_types/cross-site_request_forgery/index.markdown ADDED Viewed

@@ -0,0 +1,19 @@
+---
+layout: page
+title: "Cross Site Request Forgery"
+date: 2011-11-10 12:24
+comments: false
+sharing: true
+footer: true
+---
+Cross-site request forgery is #5 on the [OWASP Top Ten](https://web.archive.org/web/20190223031311/https://www.owasp.org/index.php/Top_10_2010-A5). CSRF allows an attacker to perform actions on a website as if they are an authenticated user.
+This warning is raised when no call to `protect_from_forgery` is found in `ApplicationController`. This method prevents CSRF.
+For Rails 4 applications, it is recommended that you use `protect_from_forgery :with => :exception`. This code is inserted into newly generated applications. The default is to `nil` out the session object, which has been a source of many CSRF bypasses due to session memoization.
+See [the Ruby Security Guide](http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf) for details.
+---
+Back to [Warning Types](/docs/warning_types)

data/docs/warning_types/cross_site_request_forgery/index.markdown ADDED Viewed

@@ -0,0 +1,18 @@
+---
+layout: page
+title: "Cross-Site Request Forgery"
+date: 2011-11-10 16:15
+comments: false
+sharing: true
+footer: true
+---
+<script>
+window.location.replace("http://brakemanscanner.org/docs/warning_types/cross-site_request_forgery/");
+</script>
+Content has moved to [Cross-Site Request Forgery](/docs/warning_types/cross-site_request_forgery/)
+---
+Back to [Warning Types](/docs/warning_types)

data/docs/warning_types/cross_site_scripting/index.markdown ADDED Viewed

@@ -0,0 +1,64 @@
+---
+layout: page
+title: "Cross Site Scripting"
+date: 2011-11-09 13:34
+comments: false
+sharing: true
+footer: true
+---
+Cross site scripting (or XSS) is #2 on the 2010 [OWASP Top Ten](https://web.archive.org/web/20190223031311/https://www.owasp.org/index.php/Top_10_2010-A2) web security risks and it pops up nearly everywhere.
+XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.
+In Rails 2.x, values need to be explicitly escaped (e.g., by using the `h` method). In Rails 3.x, auto-escaping in views is enabled by default. However, one can still use the `raw` method to output a value directly.
+See [the Ruby Security Guide](http://guides.rubyonrails.org/security.html#cross-site-scripting-xss) for more details.
+### Query Parameters and Cookies
+Rails 2.x example in ERB:
+    <%= params[:query] %>
+Brakeman looks for several situations that can allow XSS. The simplest is like the example above: a value from the `params` or `cookies` is being directly output to a view. In such cases, it will issue a warning like:
+    Unescaped parameter value near line 3: params[:query]
+By default, Brakeman will also warn when a parameter or cookie value is used as an argument to a method, the result of which is output unescaped to a view.
+For example:
+    <%= some_method(cookie[:name]) %>
+This raises a warning like:
+    Unescaped cookie value near line 5: some_method(cookies[:oreo])
+However, the confidence level for this warning will be weak, because it is not directly outputting the cookie value.
+Some methods are known to Brakeman to either be dangerous (`link_to` is one) or safe (`escape_once`). Users can specify safe methods using the `--safe-methods` option. Alternatively, Brakeman can be set to _only_ warn when values are used directly with the `--report-direct` option.
+### Model Attributes
+Because (many) models come from database values, Brakeman mistrusts them by default.
+For example, if `@user` is an instance of a model set in an action like
+    def set_user
+      @user = User.first
+    end
+and there is a view with
+    <%= @user.name %>
+Brakeman will raise a warning like
+    Unescaped model attribute near line 3: User.first.name
+If you trust all your data (although you probably shouldn't), this can be disabled with `--ignore-model-output`.
+---
+Back to [Warning Types](/docs/warning_types)

data/docs/warning_types/cross_site_scripting_to_json/index.markdown ADDED Viewed

@@ -0,0 +1,55 @@
+---
+layout: page
+title: "Cross Site Scripting (JSON)"
+date: 2012-08-29 18:09
+comments: false
+sharing: true
+footer: true
+---
+Cross site scripting (or XSS) is #2 on the 2010 [OWASP Top Ten](https://web.archive.org/web/20190223031311/https://www.owasp.org/index.php/Top_10_2010-A2) web security risks and it pops up nearly everywhere.
+XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.  Calls to `Hash#to_json` can be used to trigger XSS.  Brakeman will check to see if there are any calls to `Hash#to_json` with `ActiveSupport#escape_html_entities_in_json` set to false (or if you are running Rails < 2.1.0 which did not have this functionality).
+`ActiveSupport#escape_html_entities_in_json` was introduced in the "new\_rails\_defaults" initializer in Rails 2.1.0 which is set to `false` by default.  In Rails 3.0.0, `true` became the default setting.  Setting this value to `true` will automatically escape '<', '>', '&' which are commonly used to break out of code generated by a to\_json call.
+See [ActiveSupport#escape\_html\_entities\_in\_json](http://rubydoc.info/docs/rails/ActiveSupport/JSON/Encoding.escape_html_entities_in_json=) for more details.
+### Exploiting to\_json
+Consider the following snippet of Rails 2.x ERB:
+    # controller
+    @attrs = {:email => 'some@email.com</script><script>alert(document.domain)//'}
+    <!-- view -->
+    <script>
+      var attributes = <%= @attrs.to_json %>
+    </script>
+Which generates the following html:
+    <script>
+      var attributes = {"email":"some@email.com</script><script>alert(document.domain)//"}
+    </script>
+While the generated Javascript appears valid, the browser parses the script tags first, so it sees something like this:
+    <script>
+      var attributes = {"email":"some@email.com
+    </script>
+    <script>
+      alert(document.domain)//"}
+    </script>
+The attribute assignment causes a Javascript error, but the alert triggers just fine!
+With `escape_html_entities_in_json = true`, you will receive the following innocuous output:
+    <script>
+      var attributes = {"email":"some@email.com\u003C/script\u003E\u003Cscript\u003Ealert(document.domain)//"}
+    </script>
+---
+Back to [Warning Types](/docs/warning_types)

data/docs/warning_types/dangerous_eval/index.markdown ADDED Viewed

@@ -0,0 +1,13 @@
+---
+layout: page
+title: "Dangerous Evaluation"
+date: 2011-11-10 12:47
+comments: false
+sharing: true
+footer: true
+---
+User input in an `eval` statement is VERY dangerous, so this will always raise a warning. Brakeman looks for calls to `eval`, `instance_eval`, `class_eval`, and `module_eval`.
+---
+Back to [Warning Types](/docs/warning_types)

data/docs/warning_types/dangerous_evaluation/index.markdown ADDED Viewed

@@ -0,0 +1,14 @@
+---
+layout: page
+title: "Dangerous Evaluation"
+date: 2011-11-10 16:04
+comments: false
+sharing: true
+footer: true
+---
+<script>
+window.location.replace("http://brakemanscanner.org/docs/warning_types/dangerous_eval/");
+</script>
+Content moved to [Dangerous Eval](dangerous_eval/).

data/docs/warning_types/dangerous_send/index.markdown ADDED Viewed

@@ -0,0 +1,44 @@
+---
+layout: page
+title: "Dangerous Send"
+date: 2012-06-19 16:49
+comments: false
+sharing: true
+footer: true
+---
+Using unfiltered user data to select a Class or Method to be dynamically sent is dangerous.
+It is much safer to whitelist the desired target or method.
+Unsafe use of method:
+    method = params[:method]
+    @result = User.send(method.to_sym)
+Safe:
+    method = params[:method] == 1 ? :method_a : :method_b
+    @result = User.send(method, *args)
+Unsafe use of target:
+    table = params[:table]
+    model = table.classify.constantize
+    @result = model.send(:method)
+Safe:
+    target = params[:target] == 1 ? Account : User
+    @result = target.send(:method, *args)
+Including user data in the arguments passed to an Object#send is safe, as long as the method can properly handle potentially bad data.
+Safe:
+    args = params["args"] || []
+    @result = User.send(:method, *args)
+---
+Back to [Warning Types](/docs/warning_types)

data/docs/warning_types/default_routes/index.markdown ADDED Viewed

@@ -0,0 +1,27 @@
+---
+layout: page
+title: "Default Routes"
+date: 2011-11-10 12:40
+comments: false
+sharing: true
+footer: true
+---
+The general default routes warning means there is a call to
+    #Rails 2.x
+    map.connect ":controller/:action/:id"
+or
+    Rails 3.x
+    match ':controller(/:action(/:id(.:format)))'
+in `config/routes.rb`. This allows any public method on any controller to be called as an action.
+If this warning is reported for a particular controller, it means there is a route to that controller containing `:action`.
+Default routes can be dangerous if methods are made public which are not intended to be used as URLs or actions.
+---
+Back to [Warning Types](/docs/warning_types)

data/docs/warning_types/denial_of_service/index.markdown ADDED Viewed

@@ -0,0 +1,42 @@
+---
+layout: page
+title: "Denial of Service"
+date: 2013-05-16 12:47
+comments: false
+sharing: true
+footer: true
+---
+Denial of Service (DoS) is any attack which causes a service to become unavailable for legitimate clients.
+Denial of Service can be caused by consuming large amounts of network, memory, or CPU resources.
+### Regex DoS
+If an attacker can control the content of a regular expression, they may be able to construct a regular expression that requires exponential time to run.
+Brakeman will warn about dynamic regular expressions that inject user-supplied values.
+For example:
+    some.values.any? { |v| v.match /#{params[:query]}/ }
+More information:
+* [ReDoS](https://en.wikipedia.org/wiki/ReDoS)
+* [Catastrophic Backtracking](https://www.regular-expressions.info/catastrophic.html)
+* [Regular Expression Matching Can Be Simple And Fast](https://swtch.com/~rsc/regexp/regexp1.html)
+### Symbol DoS
+[Prior to Ruby 2.2](https://www.ruby-lang.org/en/news/2014/12/25/ruby-2-2-0-released/), Symbols were not garbage collected. Creation of large numbers of Symbols could lead to a server running out of memory.
+If the application appears to be using an older version of Ruby, Brakeman checks for code where user input which is converted to a Symbol. When this is not restricted, an attacker could create an unlimited number of Symbols.
+Note: This is an optional check which can be enabled with `--enable SymbolDoS` or `--run-all-checks`.
+---
+[More Information](https://owasp.org/www-community/attacks/Denial_of_Service)
+Back to [Warning Types](/docs/warning_types)

data/docs/warning_types/dynamic_render_path/index.markdown ADDED Viewed

@@ -0,0 +1,14 @@
+---
+layout: page
+title: "Dynamic Render Path"
+date: 2011-11-10 12:47
+comments: false
+sharing: true
+footer: true
+---
+<script>
+window.location.replace("http://brakemanscanner.org/docs/warning_types/dynamic_render_paths/");
+</script>
+Content has moved to [Dynamic Render Paths](dynamic_render_paths)

data/docs/warning_types/dynamic_render_paths/index.markdown ADDED Viewed

@@ -0,0 +1,17 @@
+---
+layout: page
+title: "Dynamic Render Path"
+date: 2011-11-10 12:47
+comments: false
+sharing: true
+footer: true
+---
+When a call to `render` uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted. The issue may be worse if those templates execute code or modify the database.
+This warning is shown whenever the path to be rendered is not a static string or symbol.
+These warnings are often false positives, however, because it can be difficult to manipulate Rails' assumptions about paths to perform malicious behavior. Reports of dynamic render paths should be checked carefully to see if they can actually be manipulated maliciously by the user.
+---
+Back to [Warning Types](/docs/warning_types)

data/docs/warning_types/evaluation/index.markdown ADDED Viewed

@@ -0,0 +1,14 @@
+---
+layout: page
+title: "Dangerous Evaluation"
+date: 2011-11-10 12:47
+comments: false
+sharing: true
+footer: true
+---
+<script>
+window.location.replace("http://brakemanscanner.org/docs/warning_types/dangerous_eval/");
+</script>
+Content moved to [Dangerous Eval](dangerous_eval/).

data/docs/warning_types/file_access/index.markdown ADDED Viewed

@@ -0,0 +1,23 @@
+---
+layout: page
+title: "File Access"
+date: 2011-11-10 16:06
+comments: false
+sharing: true
+footer: true
+---
+Using user input when accessing files (local or remote) will raise a warning in Brakeman.
+For example
+    File.open("/tmp/#{cookie[:file]}")
+will raise an error like
+    Cookie value used in file name near line 4: File.open("/tmp/#{cookie[:file]}")
+This type of vulnerability can be used to access arbitrary files on a server (including `/etc/passwd`.
+---
+Back to [Warning Types](/docs/warning_types)

data/docs/warning_types/format_validation/index.markdown ADDED Viewed

@@ -0,0 +1,15 @@
+---
+layout: page
+title: "Format Validation"
+date: 2011-11-10 12:44
+comments: false
+sharing: true
+footer: true
+---
+Calls to `validates_format_of ..., :with => //` which do not use `\A` and `\z` as anchors will cause this warning. Using `^` and `$` is not sufficient, as they will only match up to a new line. This allows an attacker to put whatever malicious input they would like before or after a new line character.
+See [the Ruby Security Guide](http://guides.rubyonrails.org/security.html#regular-expressions) for details.
+---
+Back to [Warning Types](/docs/warning_types)