brakeman-min 0.2.0

data/lib/checks/check_default_routes.rb

@@ -0,0 +1,29 @@
+require 'checks/base_check'
+
+#Checks if default routes are allowed in routes.rb
+class CheckDefaultRoutes < BaseCheck
+  Checks.add self
+
+  #Checks for :allow_all_actions globally and for individual routes
+  #if it is not enabled globally.
+  def run_check
+    if tracker.routes[:allow_all_actions]
+      #Default routes are enabled globally
+      warn :warning_type => "Default Routes", 
+        :message => "All public methods in controllers are available as actions in routes.rb",
+        :line => tracker.routes[:allow_all_actions].line, 
+        :confidence => CONFIDENCE[:high],
+        :file => "#{OPTIONS[:app_path]}/config/routes.rb"
+    else #Report each controller separately
+      tracker.routes.each do |name, actions|
+        if actions == :allow_all_actions
+          warn :controller => name,
+            :warning_type => "Default Routes", 
+            :message => "Any public method in #{name} can be used as an action.",
+            :confidence => CONFIDENCE[:med],
+            :file => "#{OPTIONS[:app_path]}/config/routes.rb"
+        end
+      end
+    end
+  end
+end

data/lib/checks/check_evaluation.rb

@@ -0,0 +1,27 @@
+require 'checks/base_check'
+
+#This check looks for calls to +eval+, +instance_eval+, etc. which include
+#user input.
+class CheckEvaluation < BaseCheck
+  Checks.add self
+
+  #Process calls
+  def run_check
+    calls = tracker.find_call nil, [:eval, :instance_eval, :class_eval, :module_eval]
+
+    calls.each do |call|
+      process_result call
+    end
+  end
+
+  #Warns if result includes user input
+  def process_result result
+    if include_user_input? result[-1]
+      warn :result => result,
+        :warning_type => "Dangerous Eval",
+        :message => "User input in eval",
+        :code => result[-1],
+        :confidence => CONFIDENCE[:high]
+    end
+  end
+end

data/lib/checks/check_execute.rb

@@ -0,0 +1,110 @@
+require 'checks/base_check'
+require 'processors/lib/find_call'
+
+#Checks for string interpolation and parameters in calls to
+#Kernel#system, Kernel#exec, Kernel#syscall, and inside backticks.
+#
+#Examples of command injection vulnerabilities:
+#
+# system("rf -rf #{params[:file]}")
+# exec(params[:command])
+# `unlink #{params[:something}`
+class CheckExecute < BaseCheck
+  Checks.add self
+
+  #Check models, controllers, and views for command injection.
+  def run_check
+    check_for_backticks tracker
+
+    calls = tracker.find_call [:IO, :Open3, :Kernel, []], [:exec, :popen, :popen3, :syscall, :system]
+
+    calls.each do |result|
+      process result
+    end
+  end
+
+  #Processes results from FindCall.
+  def process_result exp
+    call = exp[-1]
+
+    args = process call[3]
+
+    case call[2]
+    when :system, :exec
+      failure = include_user_input?(args[1]) || include_interp?(args[1])
+    else
+      failure = include_user_input?(args) || include_interp?(args)
+    end
+
+    if failure and not duplicate? call, exp[1]
+      add_result call, exp[1]
+
+      if @string_interp
+        confidence = CONFIDENCE[:med]
+      else
+        confidence = CONFIDENCE[:high]
+      end
+
+      warn :result => exp,
+        :warning_type => "Command Injection", 
+        :message => "Possible command injection",
+        :line => call.line,
+        :code => call,
+        :confidence => confidence
+    end
+
+    exp
+  end
+
+  #Looks for calls using backticks such as
+  #
+  # `rm -rf #{params[:file]}`
+  def check_for_backticks tracker
+    tracker.each_method do |exp, set_name, method_name|
+      @current_set = set_name
+      @current_method = method_name
+
+      process exp
+    end 
+
+    @current_set = nil
+
+    tracker.each_template do |name, template|
+      @current_template = template
+
+      process template[:src]
+    end
+
+    @current_template = nil
+  end
+
+  #Processes backticks.
+  def process_dxstr exp
+    return exp if duplicate? exp 
+
+    add_result exp
+
+    if include_user_input? exp
+      confidence = CONFIDENCE[:high]
+    else
+      confidence = CONFIDENCE[:med]
+    end
+
+    warning = { :warning_type => "Command Injection",
+      :message => "Possible command injection",
+      :line => exp.line,
+      :code => exp,
+      :confidence => confidence }
+
+    if @current_template
+      warning[:template] = @current_template
+    else
+      warning[:class] = @current_set
+      warning[:method] = @current_method
+    end
+
+    warn warning
+
+    exp
+  end
+end

data/lib/checks/check_file_access.rb

@@ -0,0 +1,46 @@
+require 'checks/base_check'
+require 'processors/lib/processor_helper'
+
+#Checks for user input in methods which open or manipulate files
+class CheckFileAccess < BaseCheck
+  Checks.add self
+
+  def run_check
+    methods = tracker.find_call [[:Dir, :File, :IO, :Kernel, :"Net::FTP", :"Net::HTTP", :PStore, :Pathname, :Shell, :YAML], []], [:[], :chdir, :chroot, :delete, :entries, :foreach, :glob, :install, :lchmod, :lchown, :link, :load, :load_file, :makedirs, :move, :new, :open, :read, :read_lines, :rename, :rmdir, :safe_unlink, :symlink, :syscopy, :sysopen, :truncate, :unlink]
+
+    methods.concat tracker.find_call(:FileUtils, nil)
+
+    methods.each do |call|
+      process_result call
+    end
+  end
+
+  def process_result result
+    call = result[-1]
+
+    file_name = call[3][1]
+
+    if check = include_user_input?(file_name)
+      unless duplicate? call, result[1]
+        add_result call, result[1]
+
+        if check == :params
+          message = "Parameter"
+        elsif check == :cookies
+          message = "Cookie"
+        else
+          message = "User input"
+        end
+
+        message << " value used in file name"
+
+        warn :result => result,
+          :warning_type => "File Access",
+          :message => message, 
+          :confidence => CONFIDENCE[:high],
+          :line => call.line,
+          :code => call
+      end
+    end
+  end
+end

data/lib/checks/check_forgery_setting.rb

@@ -0,0 +1,42 @@
+require 'checks/base_check'
+
+#Checks that +protect_from_forgery+ is set in the ApplicationController.
+#
+#Also warns for CSRF weakness in certain versions of Rails:
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2d95a3cc23e03665
+class CheckForgerySetting < BaseCheck
+  Checks.add self
+
+  def run_check
+    app_controller = tracker.controllers[:ApplicationController]
+    if tracker.config[:rails][:action_controller] and
+      tracker.config[:rails][:action_controller][:allow_forgery_protection] == Sexp.new(:false)
+
+      warn :controller => :ApplicationController,
+        :warning_type => "Cross Site Request Forgery",
+        :message => "Forgery protection is disabled", 
+        :confidence => CONFIDENCE[:high]
+
+    elsif app_controller and not app_controller[:options][:protect_from_forgery]
+
+      warn :controller => :ApplicationController, 
+        :warning_type => "Cross-Site Request Forgery", 
+        :message => "'protect_from_forgery' should be called in ApplicationController", 
+        :confidence => CONFIDENCE[:high]
+
+    elsif version_between? "2.1.0", "2.3.10"
+      
+      warn :controller => :ApplicationController, 
+        :warning_type => "Cross-Site Request Forgery",
+        :message => "CSRF protection is flawed in #{tracker.config[:rails_version]} (CVE-2011-0447). Upgrade to 2.3.11 or apply patches",
+        :confidence => CONFIDENCE[:high]
+
+    elsif version_between? "3.0.0", "3.0.3"
+
+      warn :controller => :ApplicationController, 
+        :warning_type => "Cross-Site Request Forgery",
+        :message => "CSRF protection is flawed in #{tracker.config[:rails_version]} (CVE-2011-0447). Upgrade to 3.0.4",
+        :confidence => CONFIDENCE[:high]
+    end
+  end
+end

data/lib/checks/check_mail_to.rb

@@ -0,0 +1,48 @@
+require 'checks/base_check'
+require 'processors/lib/find_call'
+
+#Check for cross site scripting vulnerability in mail_to :encode => :javascript
+#with certain versions of Rails (< 2.3.11 or < 3.0.4).
+#
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/f02a48ede8315f81
+class CheckMailTo < BaseCheck
+  Checks.add self
+
+  def run_check
+    if (version_between? "2.3.0", "2.3.10" or version_between? "3.0.0", "3.0.3") and result = mail_to_javascript?
+      message = "Vulnerability in mail_to using javascript encoding (CVE-2011-0446). Upgrade to Rails version "
+
+      if version_between? "2.3.0", "2.3.10"
+        message << "2.3.11"
+      else
+        message << "3.0.4"
+      end
+
+      warn :result => result,
+        :warning_type => "Mail Link",
+        :message => message,
+        :confidence => CONFIDENCE[:high]
+    end
+  end
+
+  #Check for javascript encoding of mail_to address
+  #    mail_to email, name, :encode => :javascript
+  def mail_to_javascript?
+    tracker.find_call([], :mail_to).each do |result|
+      call = result[-1]
+      args = call[-1]
+
+      args.each do |arg|
+        if hash? arg
+          hash_iterate arg do |k, v|
+            if symbol? v and v[-1] == :javascript
+              return result
+            end
+          end
+        end
+      end
+    end
+
+    false
+  end
+end

data/lib/checks/check_mass_assignment.rb

@@ -0,0 +1,72 @@
+require 'checks/base_check'
+
+#Checks for mass assignments to models.
+#
+#See http://guides.rubyonrails.org/security.html#mass-assignment for details
+class CheckMassAssignment < BaseCheck
+  Checks.add self
+
+  def run_check
+    return if mass_assign_disabled? tracker
+
+    models = []
+    tracker.models.each do |name, m|
+      if parent?(tracker, m, :"ActiveRecord::Base") and m[:attr_accessible].nil?
+        models << name
+      end
+    end
+
+    return if models.empty?
+
+    @results = Set.new
+
+    calls = tracker.find_call models, [:new,
+      :attributes=, 
+      :update_attribute, 
+      :update_attributes, 
+      :update_attributes!]
+
+    calls.each do |result|
+      process result
+    end
+  end
+
+  #All results should be Model.new(...) or Model.attributes=() calls
+  def process_result res
+    call = res[-1]
+
+    check = check_call call
+
+    if check and not @results.include? call
+      @results << call
+
+      if include_user_input? call[3]
+        confidence = CONFIDENCE[:high]
+      else
+        confidence = CONFIDENCE[:med]
+      end
+      
+      warn :result => res, 
+        :warning_type => "Mass Assignment", 
+        :message => "Unprotected mass assignment",
+        :line => call.line,
+        :code => call, 
+        :confidence => confidence
+    end
+    res
+  end
+
+  #Want to ignore calls to Model.new that have no arguments
+  def check_call call
+    args = process call[3]
+    if args.length <= 1 #empty new()
+      false
+    elsif hash? args[1]
+      #Still should probably check contents of hash
+      false
+    else
+      true
+    end
+  end
+
+end

data/lib/checks/check_model_attributes.rb

@@ -0,0 +1,36 @@
+require 'checks/base_check'
+
+#Check if mass assignment is used with models
+#which inherit from ActiveRecord::Base.
+#
+#If OPTIONS[:collapse_mass_assignment] is +true+ (default), all models which do
+#not use attr_accessible will be reported in a single warning
+class CheckModelAttributes < BaseCheck
+  Checks.add self
+
+  def run_check
+    return if mass_assign_disabled? tracker
+
+    names = []
+
+    tracker.models.each do |name, model|
+      if model[:attr_accessible].nil? and parent? tracker, model, :"ActiveRecord::Base"
+        if OPTIONS[:collapse_mass_assignment]
+          names << name.to_s
+        else
+          warn :model => name, 
+            :warning_type => "Attribute Restriction",
+            :message => "Mass assignment is not restricted using attr_accessible", 
+            :confidence => CONFIDENCE[:high]
+        end
+      end
+    end
+
+    if OPTIONS[:collapse_mass_assignment] and not names.empty?
+      warn :model => names.sort.join(", "), 
+        :warning_type => "Attribute Restriction", 
+        :message => "Mass assignment is not restricted using attr_accessible", 
+        :confidence => CONFIDENCE[:high]
+    end
+  end
+end

data/lib/checks/check_nested_attributes.rb

@@ -0,0 +1,34 @@
+require 'checks/base_check'
+require 'processors/lib/find_call'
+
+#Check for vulnerability in nested attributes in Rails 2.3.9 and 3.0.0
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/f9f913d328dafe0c
+class CheckNestedAttributes < BaseCheck
+  Checks.add self
+
+  def run_check
+    version = tracker.config[:rails_version]
+
+    if (version == "2.3.9" or version == "3.0.0") and uses_nested_attributes?
+      message = "Vulnerability in nested attributes (CVE-2010-3933). Upgrade to Rails version "
+
+      if version == "2.3.9"
+        message << "2.3.10"
+      else
+        message << "3.0.1"
+      end
+
+      warn :warning_type => "Nested Attributes",
+        :message => message,
+        :confidence => CONFIDENCE[:high]
+    end
+  end
+
+  def uses_nested_attributes?
+    tracker.models.each do |name, model|
+      return true if model[:options][:accepts_nested_attributes_for]
+    end
+
+    false
+  end
+end