brakeman-min 0.2.0

data/lib/checks.rb

@@ -0,0 +1,67 @@
+#Collects up results from running different checks.
+#
+#Checks can be added with +Check.add(check_class)+
+#
+#All .rb files in checks/ will be loaded.
+class Checks
+  @checks = []
+
+  attr_reader :warnings, :controller_warnings, :model_warnings, :template_warnings, :checks_run
+
+  #Add a check. This will call +_klass_.new+ when running tests
+  def self.add klass
+    @checks << klass
+  end
+
+  #No need to use this directly.
+  def initialize
+    @warnings = []
+    @template_warnings = []
+    @model_warnings = []
+    @controller_warnings = []
+    @checks_run = []
+  end
+
+  #Add Warning to list of warnings to report.
+  #Warnings are split into four different arrays
+  #for template, controller, model, and generic warnings.
+  def add_warning warning
+    case warning.warning_set
+    when :template
+      @template_warnings << warning
+    when :warning
+      @warnings << warning
+    when :controller
+      @controller_warnings << warning
+    when :model
+      @model_warnings << warning
+    else
+      raise "Unknown warning: #{warning.warning_set}"
+    end
+  end
+
+  #Run all the checks on the given Tracker.
+  #Returns a new instance of Checks with the results.
+  def self.run_checks tracker
+    checks = self.new
+    @checks.each do |c|
+      #Run or don't run check based on options
+      unless OPTIONS[:skip_checks].include? c.to_s or 
+        (OPTIONS[:run_checks] and not OPTIONS[:run_checks].include? c.to_s)
+
+        warn " - #{c}"
+        c.new(checks, tracker).run_check
+
+        #Maintain list of which checks were run
+        #mainly for reporting purposes
+        checks.checks_run << c.to_s[5..-1]
+      end
+    end
+    checks
+  end
+end
+
+#Load all files in checks/ directory
+Dir.glob("#{File.expand_path(File.dirname(__FILE__))}/checks/*.rb").sort.each do |f| 
+  require f.match(/(checks\/.*)\.rb$/)[0]
+end

data/lib/checks/base_check.rb

@@ -0,0 +1,353 @@
+require 'rubygems'
+require 'sexp_processor'
+require 'processors/output_processor'
+require 'warning'
+require 'util'
+
+#Basis of vulnerability checks.
+class BaseCheck < SexpProcessor
+  include ProcessorHelper
+  include Util
+  attr_reader :checks, :tracker
+
+  CONFIDENCE = { :high => 0, :med => 1, :low => 2 }
+
+  #Initialize Check with Checks.
+  def initialize checks, tracker
+    super()
+    @results = [] #only to check for duplicates
+    @checks = checks
+    @tracker = tracker
+    @string_interp = false
+    @current_template = @current_module = @current_class = @current_method = nil
+    self.strict = false
+    self.auto_shift_type = false
+    self.require_empty = false
+    self.default_method = :process_default
+    self.warn_on_default = false
+  end
+
+  #Add result to result list, which is used to check for duplicates
+  def add_result result, location = nil
+    location ||= (@current_template && @current_template[:name]) || @current_class || @current_module || @current_set || result[1]
+    location = location[:name] if location.is_a? Hash
+    location = location.to_sym
+
+    @results << [result.line, location, result]
+  end
+
+  #Default Sexp processing. Iterates over each value in the Sexp
+  #and processes them if they are also Sexps.
+  def process_default exp
+    type = exp.shift
+    exp.each_with_index do |e, i|
+      if sexp? e
+        process e
+      else
+        e
+      end
+    end
+
+    exp.unshift type
+  end
+
+  #Process calls and check if they include user input
+  def process_call exp
+    process exp[1] if sexp? exp[1]
+    process exp[3]
+
+    if ALL_PARAMETERS.include? exp[1] or ALL_PARAMETERS.include? exp or params? exp[1]
+      @has_user_input = :params
+    elsif exp[1] == COOKIES or exp == COOKIES or cookies? exp[1]
+      @has_user_input = :cookies
+    elsif sexp? exp[1] and model_name? exp[1][1]
+      @has_user_input = :model
+    end
+
+    exp
+  end
+
+  #Note that params are included in current expression
+  def process_params exp
+    @has_user_input = :params
+    exp
+  end
+
+  #Note that cookies are included in current expression
+  def process_cookies exp
+    @has_user_input = :cookies
+    exp
+  end
+
+  private
+
+  #Report a warning 
+  def warn options
+    @checks.add_warning Warning.new(options.merge({ :check => self.class.to_s }))
+  end 
+
+  #Run _exp_ through OutputProcessor to get a nice String.
+  def format_output exp
+    OutputProcessor.new.format(exp).gsub(/\r|\n/, "")
+  end
+
+  #Checks if the model inherits from parent,
+  def parent? tracker, model, parent
+    if model == nil
+      false
+    elsif model[:parent] == parent
+      true
+    elsif model[:parent]
+      parent? tracker, tracker.models[model[:parent]], parent
+    else
+      false
+    end
+  end
+
+  #Checks if mass assignment is disabled globally in an initializer.
+  def mass_assign_disabled? tracker
+    matches = tracker.check_initializers(:"ActiveRecord::Base", :send)
+    if matches.empty?
+      false
+    else
+      matches.each do |result|
+        if result[3][3] == Sexp.new(:arg_list, Sexp.new(:lit, :attr_accessible), Sexp.new(:nil))
+          return true
+        end
+      end
+    end
+  end
+
+  #This is to avoid reporting duplicates. Checks if the result has been
+  #reported already from the same line number.
+  def duplicate? result, location = nil
+    line = result.line
+    location ||= (@current_template && @current_template[:name]) || @current_class || @current_module || @current_set || result[1]
+
+    location = location[:name] if location.is_a? Hash
+    location = location.to_sym
+    @results.each do |r|
+      if r[0] == line and r[1] == location
+        if OPTIONS[:combine_locations]
+          return true
+        elsif r[2] == result
+          return true
+        end
+      end
+    end
+
+    false
+  end
+
+  #Ignores ignores
+  def process_ignore exp
+    exp
+  end
+
+  #Does not actually process string interpolation, but notes that it occurred.
+  def process_string_interp exp
+    @string_interp = true
+    exp
+  end
+
+  #Checks if an expression contains string interpolation.
+  def include_interp? exp
+    @string_interp = false
+    process exp
+    @string_interp
+  end
+
+  #Checks if _exp_ includes parameters or cookies, but this only works 
+  #with the base process_default.
+  def include_user_input? exp
+    @has_user_input = false
+    process exp
+    @has_user_input
+  end
+
+  #This is used to check for user input being used directly.
+  #
+  #Returns false if none is found, otherwise it returns an array
+  #where the first element is the type of user input 
+  #(either :params or :cookies) and the second element is the matching 
+  #expression
+  def has_immediate_user_input? exp
+    if params? exp
+      return :params, exp
+    elsif cookies? exp
+      return :cookies, exp
+    elsif call? exp
+      if sexp? exp[1]
+        if ALL_PARAMETERS.include? exp[1] or params? exp[1]
+          return :params, exp
+        elsif exp[1] == COOKIES
+          return :cookies, exp
+        else
+          false
+        end
+      else
+        false
+      end
+    elsif sexp? exp
+      case exp.node_type
+      when :string_interp
+        exp.each do |e|
+          if sexp? e
+            type, match = has_immediate_user_input?(e)
+            if type
+              return type, match
+            end
+          end
+        end
+        false
+      when :string_eval
+        if sexp? exp[1]
+          if exp[1].node_type == :rlist
+            exp[1].each do |e|
+              if sexp? e
+                type, match = has_immediate_user_input?(e)
+                if type
+                  return type, match
+                end
+              end
+            end
+            false
+          else
+            has_immediate_user_input? exp[1]
+          end
+        end
+      when :format
+        has_immediate_user_input? exp[1]
+      when :if
+        (sexp? exp[2] and has_immediate_user_input? exp[2]) or 
+        (sexp? exp[3] and has_immediate_user_input? exp[3])
+      else
+        false
+      end
+    end
+  end
+
+  #Checks for a model attribute at the top level of the
+  #expression.
+  def has_immediate_model? exp, out = nil
+    out = exp if out.nil?
+
+    if sexp? exp and exp.node_type == :output
+      exp = exp[1]
+    end
+
+    if call? exp
+      target = exp[1]
+      method = exp[2]
+
+      if call? target and not method.to_s[-1,1] == "?"
+        has_immediate_model? target, out
+      elsif model_name? target 
+        exp
+      else
+        false
+      end
+    elsif sexp? exp
+      case exp.node_type
+      when :string_interp
+        exp.each do |e|
+          if sexp? e and match = has_immediate_model?(e, out)
+            return match
+          end
+        end
+        false
+      when :string_eval
+        if sexp? exp[1]
+          if exp[1].node_type == :rlist
+            exp[1].each do |e|
+              if sexp? e and match = has_immediate_model?(e, out)
+                return match
+              end
+            end
+            false
+          else
+            has_immediate_model? exp[1], out
+          end
+        end
+      when :format
+        has_immediate_model? exp[1], out
+      when :if
+        ((sexp? exp[2] and has_immediate_model? exp[2], out) or 
+         (sexp? exp[3] and has_immediate_model? exp[3], out))
+      else
+        false
+      end
+    end
+  end
+
+  #Checks if +exp+ is a model name.
+  #
+  #Prior to using this method, either @tracker must be set to 
+  #the current tracker, or else @models should contain an array of the model
+  #names, which is available via tracker.models.keys
+  def model_name? exp
+    @models ||= @tracker.models.keys
+
+    if exp.is_a? Symbol
+      @models.include? exp
+    elsif sexp? exp
+      klass = nil
+      begin
+        klass = class_name exp
+      rescue StandardError
+      end
+
+      klass and @models.include? klass
+    else
+      false
+    end
+  end
+
+  #Finds entire method call chain where +target+ is a target in the chain
+  def find_chain exp, target
+    return unless sexp? exp 
+
+    case exp.node_type
+    when :output, :format
+      find_chain exp[1], target
+    when :call
+      if exp == target or include_target? exp, target
+        return exp 
+      end
+    else
+      exp.each do |e|
+        if sexp? e
+          res = find_chain e, target
+          return res if res
+        end
+      end
+      nil
+    end
+  end
+
+  #Returns true if +target+ is in +exp+
+  def include_target? exp, target
+    return false unless call? exp
+
+    exp.each do |e|
+      return true if e == target or include_target? e, target
+    end
+
+    false
+  end
+
+  #Returns true if low_version <= RAILS_VERSION <= high_version
+  def version_between? low_version, high_version
+    version = tracker.config[:rails_version].split(".").map! { |n| n.to_i }
+    low_version = low_version.split(".").map! { |n| n.to_i }
+    high_version = high_version.split(".").map! { |n| n.to_i }
+
+    version.each_with_index do |n, i|
+      if n < low_version[i] or n > high_version[i]
+        return false
+      end
+    end
+
+    return true
+  end
+end

data/lib/checks/check_cross_site_scripting.rb

@@ -0,0 +1,324 @@
+require 'checks/base_check'
+require 'processors/lib/find_call'
+require 'processors/lib/processor_helper'
+require 'util'
+require 'set'
+
+#This check looks for unescaped output in templates which contains
+#parameters or model attributes.
+#
+#For example:
+#
+# <%= User.find(:id).name %>
+# <%= params[:id] %>
+class CheckCrossSiteScripting < BaseCheck
+  Checks.add self
+
+  #Ignore these methods and their arguments.
+  #It is assumed they will take care of escaping their output.
+  IGNORE_METHODS = Set.new([:h, :escapeHTML, :link_to, :text_field_tag, :hidden_field_tag,
+                           :image_tag, :select, :submit_tag, :hidden_field, :url_encode,
+                           :radio_button, :will_paginate, :button_to, :url_for, :mail_to,
+                           :fields_for, :label, :text_area, :text_field, :hidden_field, :check_box,
+                           :field_field]) 
+
+  IGNORE_MODEL_METHODS = Set.new([:average, :count, :maximum, :minimum, :sum])
+
+  MODEL_METHODS = Set.new([:all, :find, :first, :last, :new])
+
+  IGNORE_LIKE = /^link_to_|(_path|_tag|_url)$/
+
+  HAML_HELPERS = Sexp.new(:colon2, Sexp.new(:const, :Haml), :Helpers)
+
+  URI = Sexp.new(:const, :URI)
+
+  CGI = Sexp.new(:const, :CGI)
+
+  FORM_BUILDER = Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new, Sexp.new(:arglist)) 
+
+  #Run check
+  def run_check 
+    IGNORE_METHODS.merge OPTIONS[:safe_methods]
+    @models = tracker.models.keys
+    @inspect_arguments = OPTIONS[:check_arguments]
+
+    CheckLinkTo.new(checks, tracker).run_check
+
+    tracker.each_template do |name, template|
+      @current_template = template
+
+      template[:outputs].each do |out|
+        type, match = has_immediate_user_input?(out[1])
+        if type and not duplicate? out
+            add_result out
+            case type
+            when :params
+              message = "Unescaped parameter value"
+            when :cookies
+              message = "Unescaped cookie value"
+            else
+              message = "Unescaped user input value"
+            end
+
+            warn :template => @current_template, 
+              :warning_type => "Cross Site Scripting",
+              :message => message,
+              :line => match.line,
+              :code => match,
+              :confidence => CONFIDENCE[:high]
+
+        elsif not OPTIONS[:ignore_model_output] and match = has_immediate_model?(out[1])
+          method = match[2]
+
+          unless duplicate? out or IGNORE_MODEL_METHODS.include? method
+            add_result out
+
+            if MODEL_METHODS.include? method or method.to_s =~ /^find_by/
+              confidence = CONFIDENCE[:high]
+            else
+              confidence = CONFIDENCE[:med]
+            end
+
+            code = find_chain out, match
+            warn :template => @current_template,
+              :warning_type => "Cross Site Scripting", 
+              :message => "Unescaped model attribute",
+              :line => code.line,
+              :code => code,
+              :confidence => confidence
+          end
+
+        else
+          @matched = false
+          @mark = false
+          process out
+        end
+      end
+    end
+  end
+
+  #Process an output Sexp
+  def process_output exp
+    process exp[1].dup
+  end
+
+  #Check a call for user input
+  #
+  #
+  #Since we want to report an entire call and not just part of one, use @mark
+  #to mark when a call is started. Any dangerous values inside will then
+  #report the entire call chain.
+  def process_call exp
+    if @mark
+      actually_process_call exp
+    else
+      @mark = true
+      actually_process_call exp
+      message = nil
+
+      if @matched == :model and not OPTIONS[:ignore_model_output]
+        message = "Unescaped model attribute" 
+      elsif @matched == :params
+        message = "Unescaped parameter value" 
+      end
+
+      if message and not duplicate? exp
+        add_result exp
+
+        warn :template => @current_template, 
+          :warning_type => "Cross Site Scripting", 
+          :message => message,
+          :line => exp.line,
+          :code => exp,
+          :confidence => CONFIDENCE[:low]
+      end
+
+      @mark = @matched = false
+    end
+
+    exp
+  end
+
+  def actually_process_call exp
+    return if @matched
+    target = exp[1]
+    if sexp? target
+      target = process target
+    end
+
+    method = exp[2]
+    args = exp[3]
+
+    #Ignore safe items
+    if (target.nil? and (IGNORE_METHODS.include? method or method.to_s =~ IGNORE_LIKE)) or
+      (@matched == :model and IGNORE_MODEL_METHODS.include? method) or
+      (target == HAML_HELPERS and method == :html_escape) or
+      ((target == URI or target == CGI) and method == :escape) or
+      (target == FORM_BUILDER and IGNORE_METHODS.include? method) or
+      (method.to_s[-1,1] == "?")
+
+      exp[0] = :ignore
+      @matched = false
+    elsif sexp? exp[1] and model_name? exp[1][1]
+
+      @matched = :model
+    elsif @inspect_arguments and (ALL_PARAMETERS.include?(exp) or params? exp)
+
+      @matched = :params
+    elsif @inspect_arguments
+      process args
+    end
+  end
+
+  #Note that params have been found
+  def process_params exp
+    @matched = :params
+    exp
+  end
+
+  #Note that cookies have been found
+  def process_cookies exp
+    @matched = :cookies
+    exp
+  end
+
+  #Ignore calls to render
+  def process_render exp
+    exp
+  end
+
+  #Process as default
+  def process_string_interp exp
+    process_default exp
+  end
+
+  #Process as default
+  def process_format exp
+    process_default exp
+  end
+
+  #Ignore output HTML escaped via HAML
+  def process_format_escaped exp
+    exp
+  end
+
+  #Ignore condition in if Sexp
+  def process_if exp
+    exp[2..-1].each do |e|
+      process e if sexp? e
+    end
+    exp
+  end
+end
+
+#This _only_ checks calls to link_to
+class CheckLinkTo < CheckCrossSiteScripting
+  IGNORE_METHODS = IGNORE_METHODS - [:link_to]
+
+  def run_check
+    #Ideally, I think this should also check to see if people are setting
+    #:escape => false
+    methods = tracker.find_call [], :link_to 
+
+    @models = tracker.models.keys
+    @inspect_arguments = OPTIONS[:check_arguments]
+
+    methods.each do |call|
+      process_result call
+    end
+  end
+
+  def process_result result
+    #Have to make a copy of this, otherwise it will be changed to
+    #an ignored method call by the code above.
+    call = result[-1] = result[-1].dup
+
+    @matched = false
+
+    return if call[3][1].nil?
+
+    #Only check first argument for +link_to+, as the second
+    #will *usually* be a record or escaped.
+    first_arg = process call[3][1]
+
+    type, match = has_immediate_user_input? first_arg
+
+    if type
+      case type
+      when :params
+        message = "Unescaped parameter value in link_to"
+      when :cookies
+        message = "Unescaped cookie value in link_to"
+      else
+        message = "Unescaped user input value in link_to"
+      end
+
+      unless duplicate? result
+        add_result result
+
+        warn :result => result,
+          :warning_type => "Cross Site Scripting", 
+          :message => message,
+          :confidence => CONFIDENCE[:high]
+      end
+
+    elsif not OPTIONS[:ignore_model_output] and match = has_immediate_model?(first_arg)
+      method = match[2]
+
+      unless duplicate? result or IGNORE_MODEL_METHODS.include? method
+        add_result result
+
+        if MODEL_METHODS.include? method or method.to_s =~ /^find_by/
+          confidence = CONFIDENCE[:high]
+        else
+          confidence = CONFIDENCE[:med]
+        end
+
+        warn :result => result,
+          :warning_type => "Cross Site Scripting", 
+          :message => "Unescaped model attribute in link_to",
+          :confidence => confidence
+      end
+
+    elsif @matched
+      if @matched == :model and not OPTIONS[:ignore_model_output]
+        message = "Unescaped model attribute in link_to"
+      elsif @matched == :params
+        message = "Unescaped parameter value in link_to"
+      end
+
+      if message and not duplicate? result
+        add_result result
+
+        warn :result => result, 
+          :warning_type => "Cross Site Scripting", 
+          :message => message,
+          :confidence => CONFIDENCE[:med]
+      end
+    end
+  end
+
+  def process_call exp
+    @mark = true
+    actually_process_call exp
+    exp
+  end
+
+
+  def actually_process_call exp
+    return if @matched
+
+    target = exp[1]
+    if sexp? target
+      target = process target.dup
+    end
+
+    #Bare records create links to the model resource,
+    #not a string that could have injection
+    if model_name? target and context == [:call, :arglist]
+      return exp
+    end
+
+    super
+  end
+end