brakeman-min 3.1.4 → 3.1.5.pre1

data/lib/brakeman/checks/base_check.rb

@@ -35,6 +35,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     @mass_assign_disabled = nil
     @has_user_input = nil
     @safe_input_attributes = Set[:to_i, :to_f, :arel_table, :id]
+    @comparison_ops  = Set[:==, :!=, :>, :<, :>=, :<=]
   end
 
   #Add result to result list, which is used to check for duplicates
@@ -71,12 +72,14 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
 
   #Process calls and check if they include user input
   def process_call exp
-    process exp.target if sexp? exp.target
-    process_call_args exp
+    unless @comparison_ops.include? exp.method
+      process exp.target if sexp? exp.target
+      process_call_args exp
+    end
 
     target = exp.target
 
-    unless @safe_input_attributes.include? exp.method
+    unless always_safe_method? exp.method
       if params? target
         @has_user_input = Match.new(:params, exp)
       elsif cookies? target
@@ -123,6 +126,11 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
 
   private
 
+  def always_safe_method? meth
+    @safe_input_attributes.include? meth or
+      @comparison_ops.include? meth
+  end
+
   #Report a warning
   def warn options
     extra_opts = { :check => self.class.to_s }
@@ -286,7 +294,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   def has_immediate_user_input? exp
     if exp.nil?
       false
-    elsif call? exp and not @safe_input_attributes.include? exp.method
+    elsif call? exp and not always_safe_method? exp.method
       if params? exp
         return Match.new(:params, exp)
       elsif cookies? exp
@@ -345,7 +353,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       target = exp.target
       method = exp.method
 
-      if @safe_input_attributes.include? method
+      if always_safe_method? method
         false
       elsif call? target and not method.to_s[-1,1] == "?"
         if has_immediate_model?(target, out)

data/lib/brakeman/checks/check_basic_auth_timing_attack.rb

@@ -0,0 +1,33 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckBasicAuthTimingAttack < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Check for timing attack in basic auth (CVE-2015-7576)"
+
+  def run_check
+    @upgrade = case
+               when version_between?("0.0.0", "3.2.22")
+                 "3.2.22.1"
+               when version_between?("4.0.0", "4.1.14")
+                 "4.1.14.1"
+               when version_between?("4.2.0", "4.2.5")
+                 "4.2.5.1"
+               else
+                 return
+               end
+
+    check_basic_auth_call
+  end
+
+  def check_basic_auth_call
+    tracker.find_call(target: nil, method: :http_basic_authenticate_with).each do |result|
+      warn :result => result,
+        :warning_type => "Timing Attack",
+        :warning_code => :CVE_2015_7576,
+        :message => "Basic authentication in Rails #{rails_version} is vulnerable to timing attacks. Upgrade to #@upgrade",
+        :confidence => CONFIDENCE[:high],
+        :link => "https://groups.google.com/d/msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ"
+    end
+  end
+end

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -99,7 +99,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
         link_path = "cross_site_scripting"
         warning_code = :cross_site_scripting
 
-        if node_type?(out, :call, :attrasgn) && out.method == :to_json
+        if node_type?(out, :call, :safe_call, :attrasgn, :safe_attrasgn) && out.method == :to_json
           message += " in JSON hash"
           link_path += "_to_json"
           warning_code = :xss_to_json
@@ -281,7 +281,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
   end
 
   def setup
-    @ignore_methods = Set[:button_to, :check_box, :content_tag, :escapeHTML, :escape_once,
+    @ignore_methods = Set[:==, :!=, :button_to, :check_box, :content_tag, :escapeHTML, :escape_once,
                            :field_field, :fields_for, :h, :hidden_field,
                            :hidden_field, :hidden_field_tag, :image_tag, :label,
                            :link_to, :mail_to, :radio_button, :select,
@@ -300,17 +300,23 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
       @ignore_methods << :auto_link
     end
 
-    if version_between? "2.0.0", "2.3.14"
+    if version_between? "2.0.0", "2.3.14" or tracker.config.gem_version(:'rails-html-sanitizer') == '1.0.2'
       @known_dangerous << :strip_tags
     end
 
+    if tracker.config.has_gem? :'rails-html-sanitizer' and
+       version_between? "1.0.0", "1.0.2", tracker.config.gem_version(:'rails-html-sanitizer')
+
+      @known_dangerous << :sanitize
+    end
+
     json_escape_on = false
     initializers = tracker.check_initializers :ActiveSupport, :escape_html_entities_in_json=
     initializers.each {|result| json_escape_on = true?(result.call.first_arg) }
 
     if tracker.config.escape_html_entities_in_json?
         json_escape_on = true
-    elsif version_between? "4.0.0", "5.0.0"
+    elsif version_between? "4.0.0", "9.9.9"
       json_escape_on = true
     end
 
@@ -328,7 +334,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
   end
 
   def html_safe_call? exp
-    exp.value.node_type == :call and exp.value.method == :html_safe
+    call? exp.value and exp.value.method == :html_safe
   end
 
   def ignore_call? target, method
@@ -370,7 +376,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
   end
 
   def safe_input_attribute? target, method
-    target and @safe_input_attributes.include? method
+    target and always_safe_method? method
   end
 
   def boolean_method? method

data/lib/brakeman/checks/check_dynamic_finders.rb

@@ -0,0 +1,49 @@
+require 'brakeman/checks/base_check'
+
+#This check looks for regexes that include user input.
+class Brakeman::CheckDynamicFinders < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Check unsafe usage of find_by_*"
+
+  def run_check
+    if tracker.config.has_gem? :mysql and version_between? '2.0.0', '4.1.99'
+      tracker.find_call(:method => /^find_by_/).each do |result|
+        process_result result
+      end
+    end
+  end
+
+  def process_result result
+    return if duplicate? result or result[:call].original_line
+    add_result result
+
+    call = result[:call]
+
+    if potentially_dangerous? call.method
+      call.each_arg do |arg|
+        if params? arg and not safe_call? arg
+          warn :result => result,
+            :warning_type => "SQL Injection",
+            :warning_code => :sql_injection_dynamic_finder,
+            :message => "MySQL integer conversion may cause 0 to match any string",
+            :confidence => CONFIDENCE[:med],
+            :user_input => arg
+
+          break
+        end
+      end
+    end
+  end
+
+  def safe_call? arg
+    return false unless call? arg
+
+    meth = arg.method
+    meth == :to_s or meth == :to_i
+  end
+
+  def potentially_dangerous? method_name
+    method_name.match /^find_by_.*(token|guid|password|api_key|activation|code|private|reset)/
+  end
+end

data/lib/brakeman/checks/check_mime_type_dos.rb

@@ -0,0 +1,39 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckMimeTypeDoS < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for mime type denial of service (CVE-2016-0751)"
+
+  def run_check
+    fix_version = case
+               when version_between?("3.0.0", "3.2.22")
+                 "3.2.22.1"
+               when version_between?("4.0.0", "4.1.14")
+                 "4.1.14.1"
+               when version_between?("4.2.0", "4.2.5")
+                 "4.2.5.1"
+               else
+                 return
+               end
+
+    return if has_workaround?
+
+    message = "Rails #{rails_version} is vulnerable to denial of service via mime type caching (CVE-2016-0751). Upgrade to Rails version #{fix_version}"
+
+    warn :warning_type => "Denial of Service",
+      :warning_code => :CVE_2016_0751,
+      :message => message,
+      :confidence => CONFIDENCE[:med],
+      :gem_info => gemfile_or_environment,
+      :link_path => "https://groups.google.com/d/msg/rubyonrails-security/9oLY_FCzvoc/w9oI9XxbFQAJ"
+  end
+
+  def has_workaround?
+    tracker.check_initializers(:Mime, :const_set).any? do |match|
+      arg = match.call.first_arg
+
+      symbol? arg and arg.value == :LOOKUP
+    end
+  end
+end

data/lib/brakeman/checks/check_nested_attributes_bypass.rb

@@ -0,0 +1,58 @@
+require 'brakeman/checks/base_check'
+
+#https://groups.google.com/d/msg/rubyonrails-security/cawsWcQ6c8g/tegZtYdbFQAJ
+class Brakeman::CheckNestedAttributesBypass < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for nested attributes vulnerability (CVE-2015-7577)"
+
+  def run_check
+    if version_between? "3.1.0", "3.2.22" or
+       version_between? "4.0.0", "4.1.14" or
+       version_between? "4.2.0", "4.2.5"
+
+      unless workaround?
+        check_nested_attributes
+      end
+    end
+  end
+
+  def check_nested_attributes
+    active_record_models.each do |name, model|
+      if opts = model.options[:accepts_nested_attributes_for]
+        opts.each do |args|
+          if args.any? { |a| allow_destroy? a } and args.any? { |a| reject_if? a }
+            warn_about_nested_attributes name, model, args
+          end
+        end
+      end
+    end
+  end
+
+  def warn_about_nested_attributes name, model, args
+    message = "Rails #{rails_version} does not call :reject_if option when :allow_destroy is false (CVE-2015-7577)"
+
+    warn :model => name,
+      :warning_type => "Nested Attributes",
+      :warning_code => :CVE_2015_7577,
+      :message => message,
+      :file => model.file,
+      :line => args.line,
+      :confidence => CONFIDENCE[:med],
+      :link_path => "https://groups.google.com/d/msg/rubyonrails-security/cawsWcQ6c8g/tegZtYdbFQAJ"
+  end
+
+  def allow_destroy? arg
+    hash? arg and
+      false? hash_access(arg, :allow_destroy)
+  end
+
+  def reject_if? arg
+    hash? arg and
+      hash_access(arg, :reject_if)
+  end
+
+  def workaround?
+    tracker.check_initializers([], :will_be_destroyed?).any?
+  end
+end

data/lib/brakeman/checks/check_render.rb

@@ -4,7 +4,7 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckRender < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
-  @description = "Finds calls to render that might allow file access"
+  @description = "Finds calls to render that might allow file access or code execution"
 
   def run_check
     tracker.find_call(:target => nil, :method => :render).each do |result|
@@ -17,7 +17,8 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
 
     case result[:call].render_type
     when :partial, :template, :action, :file
-      check_for_dynamic_path result
+      check_for_rce(result) or
+        check_for_dynamic_path(result)
     when :inline
     when :js
     when :json
@@ -34,7 +35,6 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
     if sexp? view and not duplicate? result
       add_result result
 
-
       if input = has_immediate_user_input?(view)
         if string_interp? view
           confidence = CONFIDENCE[:med]
@@ -48,6 +48,7 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
       end
 
       return if input.type == :model #skip models
+      return if safe_param? input.match
 
       message = "Render path contains #{friendly_type_of input}"
 
@@ -59,4 +60,33 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
         :confidence => confidence
     end
   end
+
+  def check_for_rce result
+    return unless version_between? "0.0.0", "3.2.22" or
+                  version_between? "4.0.0", "4.1.14" or
+                  version_between? "4.2.0", "4.2.5"
+
+
+    view = result[:call][2]
+    if sexp? view and not duplicate? result
+      if params? view
+        add_result result
+        return if safe_param? view
+
+        warn :result => result,
+          :warning_type => "Remote Code Execution",
+          :warning_code => :dynamic_render_path_rce,
+          :message => "Passing query parameters to render() is vulnerable in Rails #{rails_version} (CVE-2016-0752)",
+          :user_input => view,
+          :confidence => CONFIDENCE[:high]
+      end
+    end
+  end
+
+  def safe_param? exp
+    if params? exp and call? exp and exp.method == :[]
+      arg = exp.first_arg
+      symbol? arg and [:controller, :action].include? arg.value
+    end
+  end
 end 

data/lib/brakeman/checks/check_route_dos.rb

@@ -0,0 +1,42 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckRouteDoS < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for route DoS (CVE-2015-7581)"
+
+  def run_check
+    fix_version = case
+                  when version_between?("4.0.0", "4.1.14")
+                    "4.1.14.1"
+                  when version_between?("4.2.0", "4.2.5")
+                    "4.2.5.1"
+                  else
+                    return
+                  end
+
+    if controller_wildcards?
+      message = "Rails #{rails_version} has a denial of service vulnerability with :controller routes (CVE-2015-7581). Upgrade to Rails #{fix_version}"
+
+      warn :warning_type => "Denial of Service",
+        :warning_code => :CVE_2015_7581,
+        :message => message,
+        :confidence => CONFIDENCE[:med],
+        :gem_info => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/msg/rubyonrails-security/dthJ5wL69JE/YzPnFelbFQAJ"
+    end
+  end
+
+  def controller_wildcards?
+    tracker.routes.each do |name, actions|
+      if name == :':controllerController'
+        # awful hack for routes with :controller in them
+        return true
+      elsif string? actions and actions.value.include? ":controller"
+        return true
+      end
+    end
+
+    false
+  end
+end

data/lib/brakeman/checks/check_sanitize_methods.rb

@@ -17,12 +17,17 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
         '3.1.12'
       when version_between?('3.2.0', '3.2.12')
         '3.2.13'
-      else
-        return
       end
 
-    check_cve_2013_1855
-    check_cve_2013_1857
+    if @fix_version
+      check_cve_2013_1855
+      check_cve_2013_1857
+    elsif tracker.config.has_gem? :'rails-html-sanitizer' and
+          version_between? "1.0.0", "1.0.2", tracker.config.gem_version(:'rails-html-sanitizer')
+
+      warn_sanitizer_cve "CVE-2015-7578", "https://groups.google.com/d/msg/rubyonrails-security/uh--W4TDwmI/JbvSRpdbFQAJ"
+      warn_sanitizer_cve "CVE-2015-7580", "https://groups.google.com/d/msg/rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ"
+    end
   end
 
   def check_cve_2013_1855
@@ -54,4 +59,21 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
         :link_path => link
     end
   end
+
+  def warn_sanitizer_cve cve, link
+    message = "rails-html-sanitizer #{tracker.config.gem_version(:'rails-html-sanitizer')} is vulnerable (#{cve}). Upgrade to 1.0.3"
+
+    if tracker.find_call(:target => false, :method => :sanitize).any?
+      confidence = CONFIDENCE[:high]
+    else
+      confidence = CONFIDENCE[:med]
+    end
+
+    warn :warning_type => "Cross Site Scripting",
+      :warning_code => cve.tr('-', '_').to_sym,
+      :message => message,
+      :gem_info => gemfile_or_environment,
+      :confidence => confidence,
+      :link_path => link
+  end
 end