brakeman-min 0.2.0

data/lib/checks/check_redirect.rb

@@ -0,0 +1,98 @@
+require 'checks/base_check'
+require 'processors/lib/find_call'
+
+#Reports any calls to +redirect_to+ which include parameters in the arguments.
+#
+#For example:
+#
+# redirect_to params.merge(:action => :elsewhere)
+class CheckRedirect < BaseCheck
+  Checks.add self
+
+  def run_check
+    @tracker.find_call(nil, :redirect_to).each do |c|
+      process c
+    end
+  end
+
+  def process_result exp
+    call = exp[-1]
+
+    method = call[2]
+
+    if method == :redirect_to and not only_path?(call) and res = include_user_input?(call)
+      if res == :immediate
+        confidence = CONFIDENCE[:high]
+      else
+        confidence = CONFIDENCE[:low]
+      end
+
+      warn :result => exp,
+        :warning_type => "Redirect",
+        :message => "Possible unprotected redirect",
+        :line => call.line,
+        :code => call,
+        :confidence => confidence
+    end
+
+    exp
+  end
+
+  #Custom check for user input. First looks to see if the user input
+  #is being output directly. This is necessary because of OPTIONS[:check_arguments]
+  #which can be used to enable/disable reporting output of method calls which use
+  #user input as arguments.
+  def include_user_input? call
+
+    if OPTIONS[:ignore_redirect_to_model] and call? call[3][1] and 
+      call[3][1][2] == :new and call[3][1][1]
+
+      begin
+        target = class_name call[3][1][1]
+        if @tracker.models.include? target
+          return false
+        end
+      rescue
+      end
+    end
+
+    call[3].each do |arg|
+      if call? arg 
+        if ALL_PARAMETERS.include? arg or arg[2] == COOKIES 
+          return :immediate
+        elsif arg[2] == :url_for and include_user_input? arg
+          return :immediate
+          #Ignore helpers like some_model_url?
+        elsif arg[2].to_s =~ /_(url|path)$/
+          return false
+        end
+      elsif params? arg or cookies? arg
+        return :immediate
+      end
+    end
+
+    if OPTIONS[:check_arguments]
+      super
+    else
+      false
+    end
+  end
+
+  #Checks +redirect_to+ arguments for +only_path => true+ which essentially
+  #nullifies the danger posed by redirecting with user input
+  def only_path? call
+    call[3].each do |arg|
+      if hash? arg
+        hash_iterate(arg) do |k,v|
+          if symbol? k and k[1] == :only_path and v.is_a? Sexp and v[0] == :true
+            return true
+          end
+        end
+      elsif call? arg and arg[2] == :url_for
+        return only_path?(arg)
+      end
+    end
+
+    false
+  end
+end

data/lib/checks/check_render.rb

@@ -0,0 +1,65 @@
+require 'checks/base_check'
+
+#Check calls to +render()+ for dangerous values
+class CheckRender < BaseCheck
+  Checks.add self
+
+  def run_check
+    tracker.each_method do |src, class_name, method_name|
+      @current_class = class_name
+      @current_method = method_name
+      process src
+    end
+
+    tracker.each_template do |name, template|
+      @current_template = template
+      process template[:src]
+    end
+  end
+
+  def process_render exp
+    case exp[1]
+    when :partial, :template, :action, :file
+      check_for_dynamic_path exp
+    when :inline
+    when :js
+    when :json
+    when :text
+    when :update
+    when :xml
+    end
+    exp
+  end
+
+  #Check if path to action or file is determined dynamically
+  def check_for_dynamic_path exp
+    view = exp[2]
+
+    if sexp? view and view.node_type != :str and view.node_type != :lit and not duplicate? exp
+
+      add_result exp
+
+      if include_user_input? view
+        confidence = CONFIDENCE[:high]
+      else
+        confidence = CONFIDENCE[:low]
+      end
+
+      warning = { :warning_type => "Dynamic Render Path",
+        :message => "Render path is dynamic",
+        :line => exp.line,
+        :code => exp,
+        :confidence => confidence }
+
+
+      if @current_template
+        warning[:template] = @current_template
+      else
+        warning[:class] = @current_class
+        warning[:method] = @current_method
+      end
+
+      warn warning
+    end
+  end
+end 

data/lib/checks/check_send_file.rb

@@ -0,0 +1,15 @@
+require 'checks/check_file_access'
+require 'processors/lib/processor_helper'
+
+#Checks for user input in send_file()
+class CheckSendFile < CheckFileAccess
+  Checks.add self
+
+  def run_check
+    methods = tracker.find_call nil, :send_file
+
+    methods.each do |call|
+      process_result call
+    end
+  end
+end

data/lib/checks/check_session_settings.rb

@@ -0,0 +1,36 @@
+require 'checks/base_check'
+
+class CheckSessionSettings < BaseCheck
+  Checks.add self
+
+  def run_check
+    settings = tracker.config[:rails] and
+                tracker.config[:rails][:action_controller] and
+                tracker.config[:rails][:action_controller][:session]
+
+    if settings and hash? settings
+      hash_iterate settings do |key, value|
+        if symbol? key
+
+          if key[1] == :session_http_only and 
+            sexp? value and
+            value.node_type == :false
+
+            warn :warning_type => "Session Setting",
+              :message => "Session cookies should be set to HTTP only",
+              :confidence => CONFIDENCE[:high]
+
+          elsif key[1] == :secret and 
+            string? value and
+            value[1].length < 30
+
+            warn :warning_type => "Session Setting",
+              :message => "Session secret should be at least 30 characters long",
+              :confidence => CONFIDENCE[:high]
+
+          end
+        end
+      end
+    end
+  end
+end

data/lib/checks/check_sql.rb

@@ -0,0 +1,124 @@
+require 'checks/base_check'
+require 'processors/lib/find_call'
+
+#This check tests for find calls which do not use Rails' auto SQL escaping
+#
+#For example:
+# Project.find(:all, :conditions => "name = '" + params[:name] + "'")
+#
+# Project.find(:all, :conditions => "name = '#{params[:name]}'")
+#
+# User.find_by_sql("SELECT * FROM projects WHERE name = '#{params[:name]}'")
+class CheckSQL < BaseCheck
+  Checks.add self
+
+  def run_check
+    @rails_version = tracker.config[:rails_version]
+    calls = tracker.find_model_find tracker.models.keys
+    calls.concat tracker.find_call([], /^(find.*|last|first|all|count|sum|average|minumum|maximum)$/)
+    calls.each do |c|
+      process c
+    end
+  end
+
+  #Process result from FindCall.
+  def process_result exp
+    call = exp[-1]
+
+    args = process call[3]
+
+    if call[2] == :find_by_sql
+      failed = check_arguments args[1]
+    elsif call[2].to_s =~ /^find/
+      failed = (args.length > 2 and check_arguments args[-1])
+    else
+      failed = (args.length > 1 and check_arguments args[-1])
+    end
+
+    if failed and not duplicate? call, exp[1]
+      add_result call, exp[1]
+
+      if include_user_input? args[-1]
+        confidence = CONFIDENCE[:high]
+      else
+        confidence = CONFIDENCE[:med]
+      end
+
+      warn :result => exp,
+        :warning_type => "SQL Injection",
+        :message => "Possible SQL injection",
+        :confidence => confidence
+    end
+
+    if check_for_limit_or_offset_vulnerability args[-1]
+      if include_user_input? args[-1]
+        confidence = CONFIDENCE[:high]
+      else
+        confidence = CONFIDENCE[:low]
+      end
+
+      warn :result => exp, 
+        :warning_type => "SQL Injection", 
+        :message => "Upgrade to Rails >= 2.1.2 to escape :limit and :offset. Possible SQL injection",
+        :confidence => confidence
+    end
+    exp
+  end
+
+  private
+
+  #Check arguments for any string interpolation
+  def check_arguments arg
+    if sexp? arg
+      case arg.node_type
+      when :hash
+        hash_iterate(arg) do |key, value|
+          if check_arguments value
+            return true
+          end
+        end
+      when :array
+        return check_arguments(arg[1])
+      when :string_interp
+        return true
+      when :call
+        return check_call(arg)
+      end
+    end
+
+    false
+  end
+
+  #Check call for user input and string building
+  def check_call exp
+    target = exp[1]
+    method = exp[2]
+    args = exp[3]
+    if sexp? target and 
+      (method == :+ or method == :<< or method == :concat) and 
+      (string? target or include_user_input? exp)
+
+      true
+    elsif call? target
+      check_call target
+    else
+      false
+    end
+  end
+
+  #Prior to Rails 2.1.1, the :offset and :limit parameters were not
+  #escaping input properly.
+  #
+  #http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/
+  def check_for_limit_or_offset_vulnerability options
+    return false if @rails_version.nil? or @rails_version >= "2.1.1" or not hash? options
+
+    hash_iterate(options) do |key, value|
+      if symbol? key
+        return (key[1] == :limit or key[1] == :offset)
+      end
+    end
+
+    false
+  end
+end

data/lib/checks/check_validation_regex.rb

@@ -0,0 +1,60 @@
+require 'checks/base_check'
+
+#Reports any calls to +validates_format_of+ which do not use +\A+ and +\z+
+#as anchors in the given regular expression.
+#
+#For example:
+#
+# #Allows anything after new line
+# validates_format_of :user_name, :with => /^\w+$/
+class CheckValidationRegex < BaseCheck
+  Checks.add self
+
+  WITH = Sexp.new(:lit, :with)
+
+  def run_check
+    tracker.models.each do |name, model|
+      @current_model = name
+      format_validations = model[:options][:validates_format_of]
+      if format_validations
+        format_validations.each do |v|
+          process_validator v
+        end
+      end
+    end
+  end
+
+  #Check validates_format_of
+  def process_validator validator
+    hash_iterate(validator[-1]) do |key, value|
+      if key == WITH
+        check_regex value, validator
+      end
+    end
+  end
+
+  #Issue warning if the regular expression does not use
+  #+\A+ and +\z+
+  def check_regex value, validator
+    return unless regexp? value
+
+    regex = value[1].inspect
+    if regex =~ /[^\A].*[^\z]\/(m|i|x|n|e|u|s|o)*\z/
+      warn :model => @current_model,
+        :warning_type => "Format Validation", 
+        :message => "Insufficient validation for '#{get_name validator}' using #{value[1].inspect}. Use \\A and \\z as anchors",
+        :line => value.line,
+        :confidence => CONFIDENCE[:high] 
+    end
+  end
+
+  #Get the name of the attribute being validated.
+  def get_name validator
+    name = validator[1]
+    if sexp? name
+      name[1]
+    else
+      name
+    end
+  end
+end

data/lib/format/style.css

@@ -0,0 +1,105 @@
+/* CSS style used for HTML reports */
+
+body {
+  font-family: sans-serif;
+  color: #161616;
+}
+
+p {
+  font-weight: bold;
+  font-size: 11pt;
+  color: #2D0200;
+ }
+
+ th {
+   background-color: #980905;
+   border-bottom: 5px solid #530200;
+   color: white;
+   font-size: 11pt;
+   padding: 1px 8px 1px 8px;
+ }
+
+ td {
+   border-bottom: 2px solid white;
+   font-family: monospace;
+   padding: 5px 8px 1px 8px;
+ }
+
+ table {
+   background-color: #FCF4D4;
+   border-collapse: collapse;
+ }
+
+ h1 {
+   color: #2D0200;
+   font-size: 14pt;
+ }
+
+ h2 {
+   color: #2D0200;
+   font-size: 12pt;
+ }
+
+ span.high-confidence {
+   font-weight:bold;
+   color: red;
+ }
+
+ span.med-confidence {
+ }
+
+ span.weak-confidence {
+   color:gray;
+ }
+
+ div.warning_message {
+   cursor: pointer;
+ }
+
+ div.warning_message:hover {
+   background-color: white;
+ }
+
+ table.context {
+   margin-top: 5px;
+   margin-bottom: 5px;
+   border-left: 1px solid #90e960;
+   color: #212121;
+ }
+
+ tr.context {
+   background-color: white;
+ }
+
+ tr.first {
+   border-top: 1px solid #7ecc54;
+   padding-top: 2px;
+ }
+
+ tr.error {
+  background-color: #f4c1c1 !important
+ }
+
+ tr.near_error {
+  background-color: #f4d4d4 !important
+ }
+
+ tr.alt {
+   background-color: #e8f4d4;
+ }
+
+ td.context {
+   padding: 2px 10px 0px 6px;
+   border-bottom: none;
+ }
+
+ td.context_line {
+   padding: 2px 8px 0px 7px;
+   border-right: 1px solid #b3bda4;
+   border-bottom: none;
+   color: #6e7465;
+ }
+
+ pre.context {
+   margin-bottom: 1px;
+ }