brakeman-min 0.5.2 → 2.1.0

data/lib/brakeman/checks/check_basic_auth.rb

@@ -0,0 +1,89 @@
+require 'brakeman/checks/base_check'
+
+#Checks if password is stored in controller
+#when using http_basic_authenticate_with
+#
+#Only for Rails >= 3.1
+class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for the use of http_basic_authenticate_with"
+
+  def run_check
+    return if version_between? "0.0.0", "3.0.99"
+
+    check_basic_auth_filter
+    check_basic_auth_request
+  end
+
+  def check_basic_auth_filter
+    controllers = tracker.controllers.select do |name, c|
+      c[:options][:http_basic_authenticate_with]
+    end
+
+    Hash[controllers].each do |name, controller|
+      controller[:options][:http_basic_authenticate_with].each do |call|
+
+        if pass = get_password(call) and string? pass
+          warn :controller => name,
+              :warning_type => "Basic Auth",
+              :warning_code => :basic_auth_password,
+              :message => "Basic authentication password stored in source code",
+              :code => call,
+              :confidence => 0,
+              :file => controller[:file]
+
+          break
+        end
+      end
+    end
+  end
+
+  # Look for
+  #  authenticate_or_request_with_http_basic do |username, password|
+  #    username == "foo" && password == "bar"
+  #  end
+  def check_basic_auth_request
+    tracker.find_call(:target => nil, :method => :authenticate_or_request_with_http_basic).each do |result|
+      if include_password_literal? result
+          warn :result => result,
+              :code => @include_password,
+              :warning_type => "Basic Auth",
+              :warning_code => :basic_auth_password,
+              :message => "Basic authentication password stored in source code",
+              :confidence => 0
+      end
+    end
+  end
+
+  # Check if the block of a result contains a comparison of password to string
+  def include_password_literal? result
+    @password_var = result[:block_args].last
+    @include_password = false
+    process result[:block]
+    @include_password
+  end
+
+  # Looks for :== calls on password var
+  def process_call exp
+    target = exp.target
+
+    if node_type?(target, :lvar) and
+      target.value == @password_var and
+      exp.method == :== and
+      string? exp.first_arg
+
+      @include_password = exp
+    end
+
+    exp
+  end
+
+  def get_password call
+    arg = call.first_arg
+
+    return false if arg.nil? or not hash? arg
+
+    hash_access(arg, :password)
+  end
+end

data/lib/brakeman/checks/check_content_tag.rb

@@ -0,0 +1,162 @@
+require 'brakeman/checks/check_cross_site_scripting'
+
+#Checks for unescaped values in `content_tag`
+#
+#    content_tag :tag, body
+#                       ^-- Unescaped in Rails 2.x
+#
+#    content_tag, :tag, body, attribute => value
+#                                ^-- Unescaped in all versions
+#
+#    content_tag, :tag, body, attribute => value
+#                                            ^
+#                                            |
+#            Escaped by default, can be explicitly escaped
+#            or not by passing in (true|false) as fourth argument
+class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
+  Brakeman::Checks.add self
+
+  @description = "Checks for XSS in calls to content_tag"
+
+  def run_check
+    @ignore_methods = Set[:button_to, :check_box, :escapeHTML, :escape_once,
+                           :field_field, :fields_for, :h, :hidden_field,
+                           :hidden_field, :hidden_field_tag, :image_tag, :label,
+                           :mail_to, :radio_button, :select,
+                           :submit_tag, :text_area, :text_field,
+                           :text_field_tag, :url_encode, :url_for,
+                           :will_paginate].merge tracker.options[:safe_methods]
+
+    @known_dangerous = []
+    methods = tracker.find_call :target => false, :method => :content_tag
+
+    @models = tracker.models.keys
+    @inspect_arguments = tracker.options[:check_arguments]
+    @mark = nil
+
+    Brakeman.debug "Checking for XSS in content_tag"
+    methods.each do |call|
+      process_result call
+    end
+  end
+
+  def process_result result
+    return if duplicate? result
+
+    call = result[:call] = result[:call].dup
+
+    args = call.arglist
+
+    tag_name = args[1]
+    content = args[2]
+    attributes = args[3]
+    escape_attr = args[4]
+
+    @matched = false
+
+    #Silly, but still dangerous if someone uses user input in the tag type
+    check_argument result, tag_name
+
+    #Versions before 3.x do not escape body of tag, nor does the rails_xss gem
+    unless @matched or (tracker.options[:rails3] and not raw? content)
+      check_argument result, content
+    end
+
+    #Attribute keys are never escaped, so check them for user input
+    if not @matched and hash? attributes and not request_value? attributes
+      hash_iterate(attributes) do |k, v|
+        check_argument result, k
+        return if @matched
+      end
+    end
+
+    #By default, content_tag escapes attribute values passed in as a hash.
+    #But this behavior can be disabled. So only check attributes hash
+    #if they are explicitly not escaped.
+    if not @matched and attributes and false? escape_attr
+      if request_value? attributes or not hash? attributes
+        check_argument result, attributes
+      else #check hash values
+        hash_iterate(attributes) do |k, v|
+          check_argument result, v
+          return if @matched
+        end
+      end
+    end
+  end
+
+  def check_argument result, exp
+    #Check contents of raw() calls directly
+    if call? exp and exp.method == :raw
+      arg = process exp.first_arg
+    else
+      arg = process exp
+    end
+
+    if input = has_immediate_user_input?(arg)
+      message = "Unescaped #{friendly_type_of input} in content_tag"
+
+      add_result result
+
+      warn :result => result,
+        :warning_type => "Cross Site Scripting",
+        :warning_code => :xss_content_tag,
+        :message => message,
+        :user_input => input.match,
+        :confidence => CONFIDENCE[:high],
+        :link_path => "content_tag"
+
+    elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(arg)
+      method = match[2]
+
+      unless IGNORE_MODEL_METHODS.include? method
+        add_result result
+
+        if MODEL_METHODS.include? method or method.to_s =~ /^find_by/
+          confidence = CONFIDENCE[:high]
+        else
+          confidence = CONFIDENCE[:med]
+        end
+
+        warn :result => result,
+          :warning_type => "Cross Site Scripting",
+          :warning_code => :xss_content_tag,
+          :message => "Unescaped model attribute in content_tag",
+          :user_input => match,
+          :confidence => confidence,
+          :link_path => "content_tag"
+      end
+
+    elsif @matched
+      return if @matched.type == :model and tracker.options[:ignore_model_output]
+
+      message = "Unescaped #{friendly_type_of @matched} in content_tag"
+
+      add_result result
+
+      warn :result => result,
+        :warning_type => "Cross Site Scripting",
+        :warning_code => :xss_content_tag,
+        :message => message,
+        :user_input => @matched.match,
+        :confidence => CONFIDENCE[:med],
+        :link_path => "content_tag"
+    end
+  end
+
+  def process_call exp
+    if @mark
+      actually_process_call exp
+    else
+      @mark = true
+      actually_process_call exp
+      @mark = false
+    end
+
+    exp
+  end
+
+  def raw? exp
+    call? exp and exp.method == :raw
+  end
+end

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -0,0 +1,334 @@
+require 'brakeman/checks/base_check'
+require 'brakeman/processors/lib/find_call'
+require 'brakeman/processors/lib/processor_helper'
+require 'brakeman/util'
+require 'set'
+
+#This check looks for unescaped output in templates which contains
+#parameters or model attributes.
+#
+#For example:
+#
+# <%= User.find(:id).name %>
+# <%= params[:id] %>
+class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for unescaped output in views"
+
+  #Model methods which are known to be harmless
+  IGNORE_MODEL_METHODS = Set[:average, :count, :maximum, :minimum, :sum, :id]
+
+  MODEL_METHODS = Set[:all, :find, :first, :last, :new]
+
+  IGNORE_LIKE = /^link_to_|(_path|_tag|_url)$/
+
+  HAML_HELPERS = Sexp.new(:colon2, Sexp.new(:const, :Haml), :Helpers)
+
+  XML_HELPER = Sexp.new(:colon2, Sexp.new(:const, :Erubis), :XmlHelper)
+
+  URI = Sexp.new(:const, :URI)
+
+  CGI = Sexp.new(:const, :CGI)
+
+  FORM_BUILDER = Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new)
+
+  #Run check
+  def run_check
+    @ignore_methods = Set[:button_to, :check_box, :content_tag, :escapeHTML, :escape_once,
+                           :field_field, :fields_for, :h, :hidden_field,
+                           :hidden_field, :hidden_field_tag, :image_tag, :label,
+                           :link_to, :mail_to, :radio_button, :select,
+                           :submit_tag, :text_area, :text_field,
+                           :text_field_tag, :url_encode, :url_for,
+                           :will_paginate].merge tracker.options[:safe_methods]
+
+    @models = tracker.models.keys
+    @inspect_arguments = tracker.options[:check_arguments]
+
+    @known_dangerous = Set[:truncate, :concat]
+
+    if version_between? "2.0.0", "3.0.5"
+      @known_dangerous << :auto_link
+    elsif version_between? "3.0.6", "3.0.99"
+      @ignore_methods << :auto_link
+    end
+
+    if version_between? "2.0.0", "2.3.14"
+      @known_dangerous << :strip_tags
+    end
+
+    json_escape_on = false
+    initializers = tracker.check_initializers :ActiveSupport, :escape_html_entities_in_json=
+    initializers.each {|result| json_escape_on = true?(result.call.first_arg) }
+
+    if tracker.config[:rails][:active_support] and
+      true? tracker.config[:rails][:active_support][:escape_html_entities_in_json]
+
+        json_escape_on = true
+    end
+
+    if !json_escape_on or version_between? "0.0.0", "2.0.99"
+      @known_dangerous << :to_json
+      Brakeman.debug("Automatic to_json escaping not enabled, consider to_json dangerous")
+    else
+      @safe_input_attributes << :to_json
+      Brakeman.debug("Automatic to_json escaping is enabled.")
+    end
+
+    tracker.each_template do |name, template|
+      Brakeman.debug "Checking #{name} for XSS"
+
+      @current_template = template
+
+      template[:outputs].each do |out|
+        unless check_for_immediate_xss out
+          @matched = false
+          @mark = false
+          process out
+        end
+      end
+    end
+  end
+
+  def check_for_immediate_xss exp
+    return :duplicate if duplicate? exp
+
+    if exp.node_type == :output
+      out = exp.value
+    elsif exp.node_type == :escaped_output and raw_call? exp
+      out = exp.value.first_arg
+    end
+
+    if input = has_immediate_user_input?(out)
+      add_result exp
+
+      message = "Unescaped #{friendly_type_of input}"
+
+      warn :template => @current_template,
+        :warning_type => "Cross Site Scripting",
+        :warning_code => :cross_site_scripting,
+        :message => message,
+        :code => input.match,
+        :confidence => CONFIDENCE[:high]
+
+    elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(out)
+      method = if call? match
+                 match.method
+               else
+                 nil
+               end
+
+      unless IGNORE_MODEL_METHODS.include? method
+        add_result exp
+
+        if MODEL_METHODS.include? method or method.to_s =~ /^find_by/
+          confidence = CONFIDENCE[:high]
+        else
+          confidence = CONFIDENCE[:med]
+        end
+
+        message = "Unescaped model attribute"
+        link_path = "cross_site_scripting"
+        warning_code = :cross_site_scripting
+
+        if node_type?(out, :call, :attrasgn) && out.method == :to_json
+          message += " in JSON hash"
+          link_path += "_to_json"
+          warning_code = :xss_to_json
+        end
+
+        code = find_chain out, match
+        warn :template => @current_template,
+          :warning_type => "Cross Site Scripting",
+          :warning_code => warning_code,
+          :message => message,
+          :code => code,
+          :confidence => confidence,
+          :link_path => link_path
+      end
+
+    else
+      false
+    end
+  end
+
+  #Process an output Sexp
+  def process_output exp
+    process exp.value.dup
+  end
+
+  #Look for calls to raw()
+  #Otherwise, ignore
+  def process_escaped_output exp
+    unless check_for_immediate_xss exp
+      if raw_call? exp and not duplicate? exp
+        process exp.value.first_arg
+      end
+    end
+    exp
+  end
+
+  #Check a call for user input
+  #
+  #
+  #Since we want to report an entire call and not just part of one, use @mark
+  #to mark when a call is started. Any dangerous values inside will then
+  #report the entire call chain.
+  def process_call exp
+    if @mark
+      actually_process_call exp
+    else
+      @mark = true
+      actually_process_call exp
+      message = nil
+
+      if @matched
+        unless @matched.type and tracker.options[:ignore_model_output]
+          message = "Unescaped #{friendly_type_of @matched}"
+        end
+
+        if message and not duplicate? exp
+          add_result exp
+
+          link_path = "cross_site_scripting"
+          if @known_dangerous.include? exp.method
+            confidence = CONFIDENCE[:high]
+            if exp.method == :to_json
+              message += " in JSON hash"
+              link_path += "_to_json"
+            end
+          else
+            confidence = CONFIDENCE[:low]
+          end
+
+          warn :template => @current_template,
+            :warning_type => "Cross Site Scripting",
+            :warning_code => :xss_to_json,
+            :message => message,
+            :code => exp,
+            :user_input => @matched.match,
+            :confidence => confidence,
+            :link_path => link_path
+        end
+      end
+
+      @mark = @matched = false
+    end
+
+    exp
+  end
+
+  def actually_process_call exp
+    return if @matched
+    target = exp.target
+    if sexp? target
+      target = process target
+    end
+
+    method = exp.method
+
+    #Ignore safe items
+    if ignore_call? target, method
+      @matched = false
+    elsif sexp? target and model_name? target[1] #TODO: use method call?
+      @matched = Match.new(:model, exp)
+    elsif cookies? exp
+      @matched = Match.new(:cookies, exp)
+    elsif @inspect_arguments and params? exp
+      @matched = Match.new(:params, exp)
+    elsif @inspect_arguments
+      process_call_args exp
+    end
+  end
+
+  #Note that params have been found
+  def process_params exp
+    @matched = Match.new(:params, exp)
+    exp
+  end
+
+  #Note that cookies have been found
+  def process_cookies exp
+    @matched = Match.new(:cookies, exp)
+    exp
+  end
+
+  #Ignore calls to render
+  def process_render exp
+    exp
+  end
+
+  #Process as default
+  def process_string_interp exp
+    process_default exp
+  end
+
+  #Process as default
+  def process_format exp
+    process_default exp
+  end
+
+  #Ignore output HTML escaped via HAML
+  def process_format_escaped exp
+    exp
+  end
+
+  #Ignore condition in if Sexp
+  def process_if exp
+    process exp.then_clause if sexp? exp.then_clause
+    process exp.else_clause if sexp? exp.else_clause
+    exp
+  end
+
+  def raw_call? exp
+    exp.value.node_type == :call and exp.value.method == :raw
+  end
+
+  def ignore_call? target, method
+    ignored_method?(target, method) or
+    safe_input_attribute?(target, method) or
+    ignored_model_method?(method) or
+    form_builder_method?(target, method) or
+    haml_escaped?(target, method) or
+    boolean_method?(method) or
+    cgi_escaped?(target, method) or
+    xml_escaped?(target, method)
+  end
+
+  def ignored_model_method? method
+    @matched and
+    @matched.type == :model and
+    IGNORE_MODEL_METHODS.include? method
+  end
+
+  def ignored_method? target, method
+    target.nil? and
+    (@ignore_methods.include? method or method.to_s =~ IGNORE_LIKE)
+  end
+
+  def cgi_escaped? target, method
+    method == :escape and
+    (target == URI or target == CGI)
+  end
+
+  def haml_escaped? target, method
+    method == :html_escape and target == HAML_HELPERS
+  end
+
+  def xml_escaped? target, method
+    method == :escape_xml and target == XML_HELPER
+  end
+
+  def form_builder_method? target, method
+    target == FORM_BUILDER and @ignore_methods.include? method
+  end
+
+  def safe_input_attribute? target, method
+    target and @safe_input_attributes.include? method
+  end
+
+  def boolean_method? method
+    method.to_s.end_with? "?"
+  end
+end