brakeman-min 0.5.2 → 2.1.0

data/lib/brakeman/checks/check_render.rb

@@ -0,0 +1,62 @@
+require 'brakeman/checks/base_check'
+
+#Check calls to +render()+ for dangerous values
+class Brakeman::CheckRender < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Finds calls to render that might allow file access"
+
+  def run_check
+    tracker.find_call(:target => nil, :method => :render).each do |result|
+      process_render result
+    end
+  end
+
+  def process_render result
+    return unless node_type? result[:call], :render
+
+    case result[:call].render_type
+    when :partial, :template, :action, :file
+      check_for_dynamic_path result
+    when :inline
+    when :js
+    when :json
+    when :text
+    when :update
+    when :xml
+    end
+  end
+
+  #Check if path to action or file is determined dynamically
+  def check_for_dynamic_path result
+    view = result[:call][2]
+
+    if sexp? view and not duplicate? result
+      add_result result
+
+
+      if input = has_immediate_user_input?(view)
+        confidence = CONFIDENCE[:high]
+      elsif input = include_user_input?(view)
+        if node_type? view, :string_interp, :dstr
+          confidence = CONFIDENCE[:med]
+        else
+          confidence = CONFIDENCE[:low]
+        end
+      else
+        return
+      end
+
+      return if input.type == :model #skip models
+
+      message = "Render path contains #{friendly_type_of input}"
+
+      warn :result => result,
+        :warning_type => "Dynamic Render Path",
+        :warning_code => :dynamic_render_path,
+        :message => message,
+        :user_input => input.match,
+        :confidence => confidence
+    end
+  end
+end 

data/lib/brakeman/checks/check_response_splitting.rb

@@ -0,0 +1,21 @@
+require 'brakeman/checks/base_check'
+
+#Warn about response splitting in Rails versions before 2.3.13
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6ffc93bde0298768
+class Brakeman::CheckResponseSplitting < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Report response splitting in Rails 2.3.0 - 2.3.13"
+
+  def run_check
+    if version_between?('2.3.0', '2.3.13')
+
+      warn :warning_type => "Response Splitting",
+        :warning_code => :CVE_2011_3186,
+        :message => "Versions before 2.3.14 have a vulnerability content type handling allowing injection of headers: CVE-2011-3186",
+        :confidence => CONFIDENCE[:med],
+        :file => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/b_yTveAph2g/discussion"
+    end
+  end
+end

data/lib/brakeman/checks/check_safe_buffer_manipulation.rb

@@ -0,0 +1,31 @@
+require 'brakeman/checks/base_check'
+
+#Check for unsafe manipulation of strings
+#Right now this is just a version check for
+#https://groups.google.com/group/rubyonrails-security/browse_thread/thread/edd28f1e3d04e913?pli=1
+class Brakeman::CheckSafeBufferManipulation < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Check for Rails versions with SafeBuffer bug"
+
+  def run_check
+
+    if version_between? "3.0.0", "3.0.11"
+      suggested_version = "3.0.12"
+    elsif version_between? "3.1.0", "3.1.3"
+      suggested_version = "3.1.4"
+    elsif version_between? "3.2.0", "3.2.1"
+      suggested_version = "3.2.2"
+    else
+      return
+    end
+
+    message = "Rails #{tracker.config[:rails_version]} has a vulnerabilty in SafeBuffer. Upgrade to #{suggested_version} or apply patches."
+
+    warn :warning_type => "Cross Site Scripting",
+      :warning_code => :safe_buffer_vuln, 
+      :message => message,
+      :confidence => CONFIDENCE[:med],
+      :file => gemfile_or_environment
+  end
+end

data/lib/brakeman/checks/check_sanitize_methods.rb

@@ -0,0 +1,54 @@
+require 'brakeman/checks/base_check'
+
+#sanitize and sanitize_css are vulnerable:
+#CVE-2013-1855 and CVE-2013-1857
+class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for versions with vulnerable sanitize and sanitize_css"
+
+  def run_check
+    @fix_version = case
+      when version_between?('2.0.0', '2.3.17')
+        '2.3.18'
+      when version_between?('3.0.0', '3.0.99')
+        '3.2.13'
+      when version_between?('3.1.0', '3.1.11')
+        '3.1.12'
+      when version_between?('3.2.0', '3.2.12')
+        '3.2.13'
+      else
+        return
+      end
+
+    check_cve_2013_1855
+    check_cve_2013_1857
+  end
+
+  def check_cve_2013_1855
+    check_for_cve :sanitize_css, :CVE_2013_1855, "https://groups.google.com/d/msg/rubyonrails-security/4_QHo4BqnN8/_RrdfKk12I4J"
+  end
+
+  def check_cve_2013_1857
+    check_for_cve :sanitize, :CVE_2013_1857, "https://groups.google.com/d/msg/rubyonrails-security/zAAU7vGTPvI/1vZDWXqBuXgJ"
+  end
+
+  def check_for_cve method, code, link
+    tracker.find_call(:target => false, :method => method).each do |result|
+      message = "Rails #{tracker.config[:rails_version]} has a vulnerability in #{method}: upgrade to #{@fix_version} or patch"
+
+      if include_user_input? result[:call]
+        confidence = CONFIDENCE[:high]
+      else
+        confidence = CONFIDENCE[:medium]
+      end
+
+      warn :result => result,
+        :warning_type => "Cross Site Scripting",
+        :warning_code => code,
+        :message => message,
+        :confidence => CONFIDENCE[:high],
+        :link_path => link
+    end
+  end
+end

data/lib/brakeman/checks/check_select_tag.rb

@@ -0,0 +1,60 @@
+require 'brakeman/checks/base_check'
+
+#Checks for CVE-2012-3463, unescaped input in :prompt option of select_tag:
+#https://groups.google.com/d/topic/rubyonrails-security/fV3QUToSMSw/discussion
+class Brakeman::CheckSelectTag < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Looks for unsafe uses of select_tag() in some versions of Rails 3.x"
+
+  def run_check
+
+    if version_between? "3.0.0", "3.0.16"
+      suggested_version = "3.0.17"
+    elsif version_between? "3.1.0", "3.1.7"
+      suggested_version = "3.1.8"
+    elsif version_between? "3.2.0", "3.2.7"
+      suggested_version = "3.2.8"
+    else
+      return
+    end
+
+    @ignore_methods = Set[:escapeHTML, :escape_once, :h].merge tracker.options[:safe_methods]
+
+    @message = "Upgrade to Rails #{suggested_version}, #{tracker.config[:rails_version]} select_tag is vulnerable (CVE-2012-3463)"
+
+    calls = tracker.find_call(:target => nil, :method => :select_tag).select do |result|
+      result[:location][:type] == :template
+    end
+
+    calls.each do |result|
+      process_result result
+    end
+  end
+
+  #Check if select_tag is called with user input in :prompt option
+  def process_result result
+    return if duplicate? result
+    add_result result
+
+    #Only concerned if user input is supplied for :prompt option
+    last_arg = result[:call].last_arg
+
+    if hash? last_arg
+      prompt_option = hash_access last_arg, :prompt
+
+      if call? prompt_option and @ignore_methods.include? prompt_option.method
+        return
+      elsif sexp? prompt_option and input = include_user_input?(prompt_option)
+
+        warn :warning_type => "Cross Site Scripting",
+          :warning_code => :CVE_2012_3463,
+          :result => result,
+          :message => @message,
+          :confidence => CONFIDENCE[:high],
+          :user_input => input.match,
+          :link_path => "https://groups.google.com/d/topic/rubyonrails-security/fV3QUToSMSw/discussion"
+      end
+    end
+  end
+end

data/lib/brakeman/checks/check_select_vulnerability.rb

@@ -0,0 +1,58 @@
+require 'brakeman/checks/base_check'
+
+#Checks for select() helper vulnerability in some versions of Rails 3
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/9da0c515a6c4664
+class Brakeman::CheckSelectVulnerability < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Looks for unsafe uses of select() helper"
+
+  def run_check
+
+    if version_between? "3.0.0", "3.0.11"
+      suggested_version = "3.0.12"
+    elsif version_between? "3.1.0", "3.1.3"
+      suggested_version = "3.1.4"
+    elsif version_between? "3.2.0", "3.2.1"
+      suggested_version = "3.2.2"
+    elsif version_between? "2.0.0", "2.3.14"
+      suggested_version = "3 or use options_for_select"
+    else
+      return
+    end
+
+    @message = "Upgrade to Rails #{suggested_version}, #{tracker.config[:rails_version]} select() helper is vulnerable"
+
+    calls = tracker.find_call(:target => nil, :method => :select).select do |result|
+      result[:location][:type] == :template
+    end
+
+    calls.each do |result|
+      process_result result
+    end
+  end
+
+  def process_result result
+    return if duplicate? result
+
+    third_arg = result[:call].third_arg
+
+    #Check for user input in options parameter
+    if sexp? third_arg and include_user_input? third_arg
+      add_result result
+
+      if node_type? third_arg, :string_interp, :dstr
+        confidence = CONFIDENCE[:med]
+      else
+        confidence = CONFIDENCE[:low]
+      end
+
+      warn :template => result[:location][:template],
+          :warning_type => "Cross Site Scripting",
+          :warning_code => :select_options_vuln,
+          :result => result,
+          :message => @message,
+          :confidence => confidence
+    end
+  end
+end

data/lib/brakeman/checks/check_send.rb

@@ -0,0 +1,35 @@
+require 'brakeman/checks/base_check'
+
+#Checks if user supplied data is passed to send
+class Brakeman::CheckSend < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Check for unsafe use of Object#send"
+
+  def run_check
+    Brakeman.debug("Finding instances of #send")
+    calls = tracker.find_call :methods => [:send, :try, :__send__, :public_send]
+
+    calls.each do |call|
+      process_result call
+    end
+  end
+
+  def process_result result
+    return if duplicate? result or result[:call].original_line
+    add_result result
+
+    process_call_args result[:call]
+    target = process result[:call].target
+
+    if input = has_immediate_user_input?(result[:call].first_arg)
+      warn :result => result,
+        :warning_type => "Dangerous Send",
+        :warning_code => :dangerous_send,
+        :message => "User controlled method execution",
+        :code => result[:call],
+        :user_input => input.match,
+        :confidence => CONFIDENCE[:high]
+    end
+  end
+end

data/lib/brakeman/checks/check_send_file.rb

@@ -0,0 +1,19 @@
+require 'brakeman/checks/check_file_access'
+require 'brakeman/processors/lib/processor_helper'
+
+#Checks for user input in send_file()
+class Brakeman::CheckSendFile < Brakeman::CheckFileAccess
+  Brakeman::Checks.add self
+
+  @description = "Check for user input in uses of send_file"
+
+  def run_check
+    Brakeman.debug "Finding all calls to send_file()"
+
+    methods = tracker.find_call :target => false, :method => :send_file
+
+    methods.each do |call|
+      process_result call
+    end
+  end
+end

data/lib/brakeman/checks/check_session_settings.rb

@@ -0,0 +1,145 @@
+require 'brakeman/checks/base_check'
+
+#Checks for session key length and http_only settings
+class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for session key length and http_only settings"
+
+  def initialize *args
+    super
+
+    unless tracker.options[:rails3]
+      @session_settings = Sexp.new(:colon2, Sexp.new(:const, :ActionController), :Base)
+    else
+      @session_settings = nil
+    end
+  end
+
+  def run_check
+    settings = tracker.config[:rails][:action_controller] &&
+               tracker.config[:rails][:action_controller][:session]
+
+    check_for_issues settings, "#{tracker.options[:app_path]}/config/environment.rb"
+
+    ["session_store.rb", "secret_token.rb"].each do |file|
+      if tracker.initializers[file] and not ignored? file
+        process tracker.initializers[file]
+      end
+    end
+  end
+
+  #Looks for ActionController::Base.session = { ... }
+  #in Rails 2.x apps
+  #
+  #and App::Application.config.secret_token =
+  #in Rails 3.x apps
+  #
+  #and App::Application.config.secret_key_base =
+  #in Rails 4.x apps
+  def process_attrasgn exp
+    if not tracker.options[:rails3] and exp.target == @session_settings and exp.method == :session=
+      check_for_issues exp.first_arg, "#{tracker.options[:app_path]}/config/initializers/session_store.rb"
+    end
+
+    if tracker.options[:rails3] and settings_target?(exp.target) and
+      (exp.method == :secret_token= or exp.method == :secret_key_base=) and string? exp.first_arg
+
+      warn_about_secret_token exp, "#{tracker.options[:app_path]}/config/initializers/secret_token.rb"
+    end
+      
+    exp
+  end
+
+  #Looks for Rails3::Application.config.session_store :cookie_store, { ... }
+  #in Rails 3.x apps
+  def process_call exp
+    if tracker.options[:rails3] and settings_target?(exp.target) and exp.method == :session_store
+      check_for_rails3_issues exp.second_arg, "#{tracker.options[:app_path]}/config/initializers/session_store.rb"
+    end
+      
+    exp
+  end
+
+  private
+
+  def settings_target? exp
+    call? exp and
+    exp.method == :config and
+    node_type? exp.target, :colon2 and
+    exp.target.rhs == :Application
+  end
+
+  def check_for_issues settings, file
+    if settings and hash? settings
+      if value = (hash_access(settings, :session_http_only) ||
+                  hash_access(settings, :http_only) ||
+                  hash_access(settings, :httponly))
+
+        if false? value
+          warn_about_http_only value, file
+        end
+      end
+
+      if value = hash_access(settings, :secret)
+        if string? value
+          warn_about_secret_token value, file
+        end
+      end
+    end
+  end
+
+  def check_for_rails3_issues settings, file
+    if settings and hash? settings
+      if value = hash_access(settings, :httponly)
+        if false? value
+          warn_about_http_only value, file
+        end
+      end
+
+      if value = hash_access(settings, :secure)
+        if false? value
+          warn_about_secure_only value, file
+        end
+      end
+    end
+  end
+
+  def warn_about_http_only value, file
+    warn :warning_type => "Session Setting",
+      :warning_code => :http_cookies,
+      :message => "Session cookies should be set to HTTP only",
+      :confidence => CONFIDENCE[:high],
+      :line => value.line,
+      :file => file
+
+  end
+
+  def warn_about_secret_token value, file
+    warn :warning_type => "Session Setting",
+      :warning_code => :session_secret,
+      :message => "Session secret should not be included in version control",
+      :confidence => CONFIDENCE[:high],
+      :line => value.line,
+      :file => file
+  end
+
+  def warn_about_secure_only value, file
+    warn :warning_type => "Session Setting",
+      :warning_code => :secure_cookies,
+      :message => "Session cookie should be set to secure only",
+      :confidence => CONFIDENCE[:high],
+      :line => value.line,
+      :file => file
+  end
+
+  def ignored? file
+    if @app_tree.exists? ".gitignore"
+      input = @app_tree.read(".gitignore")
+
+      input.include? file
+    else
+      false
+    end
+  end
+end