brakeman-min 0.5.2 → 2.1.0

data/lib/brakeman/checks/check_model_attr_accessible.rb

@@ -0,0 +1,48 @@
+require 'brakeman/checks/base_check'
+
+# Author: Paul Deardorff (themetric) 
+# Checks models to see if important foreign keys 
+# or attributes are exposed as attr_accessible when 
+# they probably shouldn't be. 
+
+class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Reports models which have dangerous attributes defined under the attr_accessible whitelist."
+
+  SUSP_ATTRS = {
+    /admin/ => CONFIDENCE[:high], # Very dangerous unless some Rails authorization used 
+    /role/ => CONFIDENCE[:med],   
+    /banned/ => CONFIDENCE[:med], 
+    :account_id => CONFIDENCE[:high], 
+    /\S*_id(s?)\z/ => CONFIDENCE[:low] # All other foreign keys have weak/low confidence 
+  }
+
+  def run_check
+    check_models do |name, model|
+      accessible_attrs = model[:attr_accessible]
+      accessible_attrs.each do |attribute|
+        SUSP_ATTRS.each do |susp_attr, confidence|
+            if susp_attr.is_a?(Regexp) and susp_attr =~ attribute.to_s or susp_attr == attribute 
+              warn :model => name,    
+                :file => model[:file],                          
+                :warning_type => "Mass Assignment", 
+                :warning_code => :mass_assign_call,
+                :message => "Potentially dangerous attribute #{attribute} available for mass assignment.", 
+                :confidence => confidence 
+              break # Prevent from matching single attr multiple times
+            end 
+        end         
+      end 
+    end
+  end
+
+  def check_models
+    tracker.models.each do |name, model|
+      if !model[:attr_accessible].nil?
+        yield name, model
+      end
+    end
+  end
+ 
+end

data/lib/brakeman/checks/check_model_attributes.rb

@@ -0,0 +1,118 @@
+require 'brakeman/checks/base_check'
+
+#Check if mass assignment is used with models
+#which inherit from ActiveRecord::Base.
+#
+#If tracker.options[:collapse_mass_assignment] is +true+ (default), all models 
+#which do not use attr_accessible will be reported in a single warning
+class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Reports models which do not use attr_restricted and warns on models that use attr_protected"
+
+  def run_check
+    return if mass_assign_disabled?
+
+    #Roll warnings into one warning for all models
+    if tracker.options[:collapse_mass_assignment]
+      no_accessible_names = []
+      protected_names = []
+
+      check_models do |name, model|
+        if model[:options][:attr_protected].nil?
+          no_accessible_names << name.to_s
+        elsif not tracker.options[:ignore_attr_protected]
+          protected_names << name.to_s
+        end
+      end
+
+      unless no_accessible_names.empty?
+        warn :model => no_accessible_names.sort.join(", "),
+          :warning_type => "Attribute Restriction",
+          :warning_code => :no_attr_accessible,
+          :message => "Mass assignment is not restricted using attr_accessible",
+          :confidence => CONFIDENCE[:high]
+      end
+
+      unless protected_names.empty?
+        message, confidence, link = check_for_attr_protected_bypass
+
+        if link
+          warning_code = :CVE_2013_0276
+        else
+          warning_code = :attr_protected_used
+        end
+
+        warn :model => protected_names.sort.join(", "),
+          :warning_type => "Attribute Restriction",
+          :warning_code => warning_code,
+          :message => message,
+          :confidence => confidence,
+          :link => link
+      end
+    else #Output one warning per model
+
+      check_models do |name, model|
+        if model[:options][:attr_protected].nil?
+          warn :model => name,
+            :file => model[:file],
+            :warning_type => "Attribute Restriction",
+            :warning_code => :no_attr_accessible,
+            :message => "Mass assignment is not restricted using attr_accessible",
+            :confidence => CONFIDENCE[:high]
+        elsif not tracker.options[:ignore_attr_protected]
+          message, confidence, link = check_for_attr_protected_bypass
+
+          if link
+            warning_code = :CVE_2013_0276
+          else
+            warning_code = :attr_protected_used
+          end
+
+          warn :model => name,
+            :file => model[:file],
+            :line => model[:options][:attr_protected].first.line,
+            :warning_type => "Attribute Restriction",
+            :warning_code => warning_code,
+            :message => message,
+            :confidence => confidence
+        end
+      end
+    end
+  end
+
+  def check_models
+    tracker.models.each do |name, model|
+      if unprotected_model? model
+        yield name, model
+      end
+    end
+  end
+
+  def check_for_attr_protected_bypass
+    upgrade_version = case
+                      when version_between?("2.0.0", "2.3.16")
+                        "2.3.17"
+                      when version_between?("3.0.0", "3.0.99")
+                        "3.2.11"
+                      when version_between?("3.1.0", "3.1.10")
+                        "3.1.11"
+                      when version_between?("3.2.0", "3.2.11")
+                        "3.2.12"
+                      else
+                        nil
+                      end
+
+    if upgrade_version
+      message = "attr_protected is bypassable in #{tracker.config[:rails_version]}, use attr_accessible or upgrade to #{upgrade_version}"
+      confidence = CONFIDENCE[:high]
+      link = "https://groups.google.com/d/topic/rubyonrails-security/AFBKNY7VSH8/discussion"
+    else
+      message = "attr_accessible is recommended over attr_protected"
+      confidence = CONFIDENCE[:med]
+      link = nil
+    end
+
+    return message, confidence, link
+  end
+end

data/lib/brakeman/checks/check_model_serialize.rb

@@ -0,0 +1,66 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckModelSerialize < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Report uses of serialize in versions vulnerable to CVE-2013-0277"
+
+  def run_check
+    @upgrade_version = case
+                      when version_between?("2.0.0", "2.3.16")
+                        "2.3.17"
+                      when version_between?("3.0.0", "3.0.99")
+                        "3.2.11"
+                      else
+                        nil
+                      end
+
+    return unless @upgrade_version
+
+    tracker.models.each do |name, model|
+      check_for_serialize model
+    end
+  end
+
+  #High confidence warning on serialized, unprotected attributes.
+  #Medium confidence warning for serialized, protected attributes.
+  def check_for_serialize model
+    if serialized_attrs = model[:options] && model[:options][:serialize]
+      attrs = Set.new
+
+      serialized_attrs.each do |arglist|
+        arglist.each do |arg|
+          attrs << arg if symbol? arg
+        end
+      end
+
+      if unsafe_attrs = model[:attr_accessible]
+        attrs.delete_if { |attr| not unsafe_attrs.include? attr.value }
+      elsif protected_attrs = model[:options][:attr_protected]
+        safe_attrs = Set.new
+
+        protected_attrs.each do |arglist|
+          arglist.each do |arg|
+            safe_attrs << arg if symbol? arg
+          end
+        end
+
+        attrs.delete_if { |attr| safe_attrs.include? attr }
+      end
+
+      if attrs.empty?
+        confidence = CONFIDENCE[:med]
+      else
+        confidence = CONFIDENCE[:high]
+      end
+
+      warn :model => model[:name],
+        :warning_type => "Remote Code Execution",
+        :warning_code => :CVE_2013_0277,
+        :message => "Serialized attributes are vulnerable in Rails #{tracker.config[:rails_version]}, upgrade to #{@upgrade_version} or patch.",
+        :confidence => confidence,
+        :link => "https://groups.google.com/d/topic/rubyonrails-security/KtmwSbEpzrU/discussion",
+        :file => model[:file]
+    end
+  end
+end

data/lib/{checks → brakeman/checks}/check_nested_attributes.rb

@@ -1,10 +1,11 @@
-require 'checks/base_check'
-require 'processors/lib/find_call'
+require 'brakeman/checks/base_check'
 
 #Check for vulnerability in nested attributes in Rails 2.3.9 and 3.0.0
 #http://groups.google.com/group/rubyonrails-security/browse_thread/thread/f9f913d328dafe0c
-class CheckNestedAttributes < BaseCheck
-  Checks.add self
+class Brakeman::CheckNestedAttributes < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for nested attributes vulnerability in Rails 2.3.9 and 3.0.0"
 
   def run_check
     version = tracker.config[:rails_version]
@@ -19,13 +20,16 @@ class CheckNestedAttributes < BaseCheck
       end
 
       warn :warning_type => "Nested Attributes",
+        :warning_code => :CVE_2010_3933,
         :message => message,
-        :confidence => CONFIDENCE[:high]
+        :confidence => CONFIDENCE[:high],
+        :file => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/-fkT0yja_gw/discussion"
     end
   end
 
   def uses_nested_attributes?
-    tracker.models.each do |name, model|
+    active_record_models.each do |name, model|
       return true if model[:options][:accepts_nested_attributes_for]
     end
 

data/lib/brakeman/checks/check_quote_table_name.rb

@@ -0,0 +1,40 @@
+require 'brakeman/checks/base_check'
+
+#Check for uses of quote_table_name in Rails versions before 2.3.13 and 3.0.10
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6a1e473744bc389b
+class Brakeman::CheckQuoteTableName < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for quote_table_name vulnerability in versions before 2.3.14 and 3.0.10"
+
+  def run_check
+    if (version_between?('2.0.0', '2.3.13') or 
+        version_between?('3.0.0', '3.0.9'))
+
+      if uses_quote_table_name?
+        confidence = CONFIDENCE[:high]
+      else
+        confidence = CONFIDENCE[:med]
+      end
+
+      if tracker.config[:rails_version] =~ /^3/
+        message = "Versions before 3.0.10 have a vulnerability in quote_table_name: CVE-2011-2930"
+      else
+        message = "Versions before 2.3.14 have a vulnerability in quote_table_name: CVE-2011-2930"
+      end
+
+      warn :warning_type => "SQL Injection",
+        :warning_code => :CVE_2011_2930,
+        :message => message,
+        :confidence => confidence,
+        :file => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/ah5HN0S8OJs/discussion"
+    end
+  end
+
+  def uses_quote_table_name?
+    Brakeman.debug "Finding calls to quote_table_name()"
+
+    not tracker.find_call(:target => false, :method => :quote_table_name).empty?
+  end
+end

data/lib/brakeman/checks/check_redirect.rb

@@ -0,0 +1,177 @@
+require 'brakeman/checks/base_check'
+
+#Reports any calls to +redirect_to+ which include parameters in the arguments.
+#
+#For example:
+#
+# redirect_to params.merge(:action => :elsewhere)
+class Brakeman::CheckRedirect < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Looks for calls to redirect_to with user input as arguments"
+
+  def run_check
+    Brakeman.debug "Finding calls to redirect_to()"
+
+    @model_find_calls = Set[:all, :find, :find_by_sql, :first, :last, :new]
+
+    if tracker.options[:rails3]
+      @model_find_calls.merge [:from, :group, :having, :joins, :lock, :order, :reorder, :select, :where]
+    end
+
+    @tracker.find_call(:target => false, :method => :redirect_to).each do |res|
+      process_result res
+    end
+  end
+
+  def process_result result
+    return if duplicate? result
+
+    call = result[:call]
+
+    method = call.method
+
+    if method == :redirect_to and not only_path?(call) and res = include_user_input?(call)
+      add_result result
+
+      if res.type == :immediate
+        confidence = CONFIDENCE[:high]
+      else
+        confidence = CONFIDENCE[:low]
+      end
+
+      warn :result => result,
+        :warning_type => "Redirect",
+        :warning_code => :open_redirect,
+        :message => "Possible unprotected redirect",
+        :code => call,
+        :user_input => res.match,
+        :confidence => confidence
+    end
+  end
+
+  #Custom check for user input. First looks to see if the user input
+  #is being output directly. This is necessary because of tracker.options[:check_arguments]
+  #which can be used to enable/disable reporting output of method calls which use
+  #user input as arguments.
+  def include_user_input? call, immediate = :immediate
+    Brakeman.debug "Checking if call includes user input"
+
+    arg = call.first_arg
+
+    # if the first argument is an array, rails assumes you are building a
+    # polymorphic route, which will never jump off-host
+    return false if array? arg
+
+    if tracker.options[:ignore_redirect_to_model]
+      if model_instance?(arg) or decorated_model?(arg)
+        return false
+      end
+    end
+
+    if res = has_immediate_model?(arg)
+      return Match.new(immediate, res)
+    elsif call? arg
+      if request_value? arg
+        return Match.new(immediate, arg)
+      elsif request_value? arg.target
+        return Match.new(immediate, arg.target)
+      elsif arg.method == :url_for and include_user_input? arg
+        return Match.new(immediate, arg)
+        #Ignore helpers like some_model_url?
+      elsif arg.method.to_s =~ /_(url|path)\z/
+        return false
+      end
+    elsif request_value? arg
+      return Match.new(immediate, arg)
+    end
+
+    if tracker.options[:check_arguments] and call? arg
+      include_user_input? arg, false  #I'm doubting if this is really necessary...
+    else
+      false
+    end
+  end
+
+  #Checks +redirect_to+ arguments for +only_path => true+ which essentially
+  #nullifies the danger posed by redirecting with user input
+  def only_path? call
+    arg = call.first_arg
+
+    if hash? arg
+      if value = hash_access(arg, :only_path)
+        return true if true?(value)
+      end
+    elsif call? arg and arg.method == :url_for
+      return check_url_for(arg)
+    end
+
+    false
+  end
+
+  #+url_for+ is only_path => true by default. This checks to see if it is
+  #set to false for some reason.
+  def check_url_for call
+    arg = call.first_arg
+
+    if hash? arg
+      if value = hash_access(arg, :only_path)
+        return false if false?(value)
+      end
+    end
+
+    true
+  end
+
+  #Returns true if exp is (probably) a model instance
+  def model_instance? exp
+    if node_type? exp, :or
+      model_instance? exp.lhs or model_instance? exp.rhs
+    elsif call? exp
+      if model_name? exp.target and
+        (@model_find_calls.include? exp.method or exp.method.to_s.match(/^find_by_/))
+        true
+      else
+        association?(exp.target, exp.method)
+      end
+    end
+  end
+
+  #Returns true if exp is (probably) a decorated model instance
+  #using the Draper gem
+  def decorated_model? exp
+    if node_type? exp, :or
+      decorated_model? exp.lhs or decorated_model? exp.rhs
+    else
+      tracker.config[:gems] and
+      tracker.config[:gems][:draper] and
+      call? exp and
+      node_type?(exp.target, :const) and
+      exp.target.value.to_s.match(/Decorator$/) and
+      exp.method == :decorate
+    end
+  end
+
+  #Check if method is actually an association in a Model
+  def association? model_name, meth
+    if call? model_name
+      return association? model_name.target, meth
+    elsif model_name? model_name
+      model = tracker.models[class_name(model_name)]
+    else
+      return false
+    end
+
+    return false unless model
+
+    model[:associations].each do |name, args|
+      args.each do |arg|
+        if symbol? arg and arg.value == meth
+          return true
+        end
+      end
+    end
+
+    false
+  end
+end