brakeman-min 3.1.4 → 3.1.5.pre1

data/lib/brakeman/checks/check_sql.rb

@@ -59,14 +59,14 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
         call = make_call(nil, :named_scope, args).line(args.line)
         scope_calls << scope_call_hash(call, name, :named_scope)
       end
-    elsif version_between?("3.1.0", "4.9.9")
+    elsif version_between?("3.1.0", "9.9.9")
       ar_scope_calls(:scope) do |name, args|
         second_arg = args[2]
         next unless sexp? second_arg
 
-        if second_arg.node_type == :iter and node_type? second_arg.block, :block, :call
+        if second_arg.node_type == :iter and node_type? second_arg.block, :block, :call, :safe_call
           process_scope_with_block(name, args)
-        elsif second_arg.node_type == :call
+        elsif call? second_arg
           call = second_arg
           scope_calls << scope_call_hash(call, name, call.method)
         else
@@ -107,7 +107,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       find_calls = Brakeman::FindAllCalls.new(tracker)
       find_calls.process_source(block, :class => model_name, :method => scope_name)
       find_calls.calls.each { |call| process_result(call) if @sql_targets.include?(call[:method]) }
-    elsif block.node_type == :call
+    elsif call? block
       while call? block
         process_result :target => block.target, :method => block.method, :call => block,
          :location => { :type => :class, :class => model_name, :method => scope_name }
@@ -264,8 +264,10 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     end
 
     if request_value? arg
-      # Model.where(params[:where])
-      arg
+      unless call? arg and params? arg.target and arg.method == :permit
+        # Model.where(params[:where])
+        arg
+      end
     elsif hash? arg
       #This is generally going to be a hash of column names and values, which
       #would escape the values. But the keys _could_ be user input.

data/lib/brakeman/checks/check_strip_tags.rb

@@ -5,16 +5,21 @@ require 'brakeman/checks/base_check'
 #
 #Check for uses of strip_tags in Rails versions before 2.3.13 and 3.0.10:
 #http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12
+#
+#Check for user of strip_tags with rails-html-sanitizer 1.0.2:
+#https://groups.google.com/d/msg/rubyonrails-security/OU9ugTZcbjc/PjEP46pbFQAJ
 class Brakeman::CheckStripTags < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
-  @description = "Report strip_tags vulnerabilities CVE-2011-2931 and CVE-2012-3465"
+  @description = "Report strip_tags vulnerabilities"
 
   def run_check
     if uses_strip_tags?
       cve_2011_2931
       cve_2012_3465
     end
+
+    cve_2015_7579
   end
 
   def cve_2011_2931
@@ -56,9 +61,29 @@ class Brakeman::CheckStripTags < Brakeman::BaseCheck
       :link_path => "https://groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion"
   end
 
+  def cve_2015_7579
+    if tracker.config.gem_version(:'rails-html-sanitizer') == '1.0.2'
+      if uses_strip_tags?
+        confidence = CONFIDENCE[:high]
+      else
+        confidence = CONFIDENCE[:med]
+      end
+
+      message = "rails-html-sanitizer 1.0.2 is vulnerable (CVE-2015-7579). Upgrade to 1.0.3"
+
+      warn :warning_type => "Cross Site Scripting",
+        :warning_code => :CVE_2015_7579,
+        :message => message,
+        :confidence => confidence,
+        :gem_info => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/msg/rubyonrails-security/OU9ugTZcbjc/PjEP46pbFQAJ"
+
+    end
+  end
+
   def uses_strip_tags?
     Brakeman.debug "Finding calls to strip_tags()"
 
-    not tracker.find_call(:target => false, :method => :strip_tags).empty?
+    not tracker.find_call(:target => false, :method => :strip_tags, :nested => true).empty?
   end
 end

data/lib/brakeman/options.rb

@@ -52,6 +52,12 @@ module Brakeman::Options
           options[:rails4] = true
         end
 
+        opts.on "-5", "--rails5", "Force Rails 5 mode" do
+          options[:rails3] = true
+          options[:rails4] = true
+          options[:rails5] = true
+        end
+
         opts.separator ""
         opts.separator "Scanning options:"
 
@@ -110,12 +116,12 @@ module Brakeman::Options
           options[:url_safe_methods].merge methods.map {|e| e.to_sym }
         end
 
-        opts.on "--skip-files file1,file2,etc", Array, "Skip processing of these files" do |files|
+        opts.on "--skip-files file1,path2,etc", Array, "Skip processing of these files/directories. Directories are application relative and must end in \"#{File::SEPARATOR}\"" do |files|
           options[:skip_files] ||= Set.new
           options[:skip_files].merge files
         end
 
-        opts.on "--only-files file1,file2,etc", Array, "Process only these files" do |files|
+        opts.on "--only-files file1,path2,etc", Array, "Process only these files/directories. Directories are application relative and must end in \"#{File::SEPARATOR}\"" do |files|
           options[:only_files] ||= Set.new
           options[:only_files].merge files
         end

data/lib/brakeman/processors/alias_processor.rb

@@ -212,6 +212,10 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   def process_iter exp
     @exp_context.push exp
     exp[1] = process exp.block_call
+    if array_detect_all_literals? exp[1]
+      return exp.block_call.target[1]
+    end
+
     @exp_context.pop
 
     env.scope do
@@ -292,7 +296,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
 
   # Handles x = y = z = 1
   def get_rhs exp
-    if node_type? exp, :lasgn, :iasgn, :gasgn, :attrasgn, :cvdecl, :cdecl
+    if node_type? exp, :lasgn, :iasgn, :gasgn, :attrasgn, :safe_attrasgn, :cvdecl, :cdecl
       get_rhs(exp.rhs)
     else
       exp
@@ -524,6 +528,15 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     exp.target.all? { |e| e.is_a? Symbol or node_type? e, :lit, :str }
   end
 
+  def array_detect_all_literals? exp
+    call? exp and
+    [:detect, :find].include? exp.method and
+    node_type? exp.target, :array and
+    exp.target.length > 1 and
+    exp.first_arg.nil? and
+    exp.target.all? { |e| e.is_a? Symbol or node_type? e, :lit, :str }
+  end
+
   #Sets @inside_if = true
   def process_if exp
     if @ignore_ifs.nil?

data/lib/brakeman/processors/base_processor.rb

@@ -68,6 +68,14 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     call
   end
 
+  def process_safe_call exp
+    if self.respond_to? :process_call
+      process_call exp
+    else
+      process_default exp
+    end
+  end
+
   #String with interpolation.
   def process_dstr exp
     exp = exp.dup

data/lib/brakeman/processors/controller_processor.rb

@@ -208,11 +208,11 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
   def process_defs exp
     name = exp.method_name
 
-    if exp[1].node_type == :self
+    if node_type? exp[1], :self
       if @current_class
         target = @current_class.name
       elsif @current_module
-        target = @current_module
+        target = @current_module.name
       else
         target = nil
       end

data/lib/brakeman/processors/erb_template_processor.rb

@@ -25,7 +25,7 @@ class Brakeman::ErbTemplateProcessor < Brakeman::TemplateProcessor
 
         arg = exp.first_arg
 
-        if arg.node_type == :call and arg.method == :to_s #erb always calls to_s on output
+        if call? arg and arg.method == :to_s #erb always calls to_s on output
           arg = arg.target
         end
 

data/lib/brakeman/processors/erubis_template_processor.rb

@@ -21,7 +21,7 @@ class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
         arg = exp.first_arg
 
         #We want the actual content
-        if arg.node_type == :call and (arg.method == :to_s or arg.method == :html_safe!)
+        if call? arg and (arg.method == :to_s or arg.method == :html_safe!)
           arg = arg.target
         end
 

data/lib/brakeman/processors/haml_template_processor.rb

@@ -5,6 +5,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
   HAML_FORMAT_METHOD = /format_script_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)/
   HAML_HELPERS = s(:colon2, s(:const, :Haml), :Helpers)
   JAVASCRIPT_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Javascript)
+  COFFEE_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Coffee)
 
   #Processes call, looking for template output
   def process_call exp
@@ -90,7 +91,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     elsif target == nil and method == :find_and_preserve
       process exp.first_arg
     elsif method == :render_with_options
-      if target == JAVASCRIPT_FILTER
+      if target == JAVASCRIPT_FILTER or target == COFFEE_FILTER
         @javascript = true
       end
 

data/lib/brakeman/processors/lib/basic_processor.rb

@@ -14,4 +14,20 @@ class Brakeman::BasicProcessor < Brakeman::SexpProcessor
   def process_default exp
     process_all exp
   end
+
+  def process_safe_call exp
+    if self.respond_to? :process_call
+      process_call exp
+    else
+      process_default exp
+    end
+  end
+
+  def process_safe_attrasgn exp
+    if self.respond_to? :process_attrasgn
+      process_attrasgn exp
+    else
+      process_default exp
+    end
+  end
 end

data/lib/brakeman/processors/lib/find_all_calls.rb

@@ -24,11 +24,13 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
 
   #Process body of method
   def process_defn exp
+    return exp unless @current_method
     process_all exp.body
   end
 
   #Process body of method
   def process_defs exp
+    return exp unless @current_method
     process_all exp.body
   end
 
@@ -139,7 +141,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
         @current_class || @current_module || nil
       when :params, :session, :cookies
         exp.node_type
-      when :call
+      when :call, :safe_call
         if include_calls
           if exp.target.nil?
             exp.method
@@ -165,7 +167,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
   #Returns method chain as an array
   #For example, User.human.alive.all would return [:User, :human, :alive, :all]
   def get_chain call
-    if node_type? call, :call, :attrasgn
+    if node_type? call, :call, :attrasgn, :safe_call, :safe_attrasgn
       get_chain(call.target) + [call.method]
     elsif call.nil?
       []

data/lib/brakeman/processors/lib/find_call.rb

@@ -102,7 +102,7 @@ class Brakeman::FindCall < Brakeman::BasicProcessor
     #  User.find(:first, :conditions => "user = '#{params['user']}').name
     #
     #A search for User.find will not match this unless @in_depth is true.
-    if @in_depth and node_type? exp.target, :call
+    if @in_depth and call? exp.target
       process exp.target
     end
 

data/lib/brakeman/processors/lib/render_path.rb

@@ -95,7 +95,8 @@ module Brakeman
     end
 
     def to_json *args
-      MultiJson.dump(@path)
+      require 'json'
+      JSON.generate(@path)
     end
 
     def initialize_copy original

data/lib/brakeman/processors/lib/route_helper.rb

@@ -31,6 +31,10 @@ module Brakeman::RouteHelper
 
     return unless route.is_a? String or route.is_a? Symbol
 
+    if route.is_a? String and controller.nil? and route.include? ":controller"
+      controller = ":controller"
+    end
+
     route = route.to_sym
 
     if controller

data/lib/brakeman/processors/model_processor.rb

@@ -163,11 +163,11 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
     return exp unless @current_class
     name = exp.method_name
 
-    if exp[1].node_type == :self
+    if node_type? exp[1], :self
       if @current_class
         target = @current_class.name
       elsif @current_module
-        target = @current_module
+        target = @current_module.name
       else
         target = nil
       end

data/lib/brakeman/report/ignore/config.rb

@@ -1,5 +1,5 @@
 require 'set'
-require 'multi_json'
+require 'json'
 
 module Brakeman
   class IgnoreConfig
@@ -75,7 +75,7 @@ module Brakeman
     # Read configuration to file
     def read_from_file file = @file
       if File.exist? file
-        @already_ignored = MultiJson.load(File.read(file), :symbolize_keys => true)[:ignored_warnings]
+        @already_ignored = JSON.parse(File.read(file), :symbolize_names => true)[:ignored_warnings]
       else
         Brakeman.notify "[Notice] Could not find ignore configuration in #{file}"
         @already_ignored = []
@@ -107,7 +107,7 @@ module Brakeman
       }
 
       File.open file, "w" do |f|
-        f.puts MultiJson.dump(output, :pretty => true)
+        f.puts JSON.pretty_generate(output)
       end
     end
 

data/lib/brakeman/report/report_csv.rb

@@ -1,5 +1,4 @@
-Brakeman.load_brakeman_dependency 'csv'
-require "brakeman/report/initializers/faster_csv"
+require 'csv'
 require "brakeman/report/report_table"
 
 class Brakeman::Report::CSV < Brakeman::Report::Table

data/lib/brakeman/report/report_json.rb

@@ -1,6 +1,3 @@
-Brakeman.load_brakeman_dependency 'multi_json'
-require 'brakeman/report/initializers/multi_json'
-
 class Brakeman::Report::JSON < Brakeman::Report::Base
   def generate_report
     errors = tracker.errors.map{|e| { :error => e[:error], :location => e[:backtrace][0] }}
@@ -32,7 +29,7 @@ class Brakeman::Report::JSON < Brakeman::Report::Base
       :errors => errors
     }
 
-    MultiJson.dump(report_info, :pretty => true)
+    JSON.pretty_generate report_info
   end
 
   def convert_to_hashes warnings

data/lib/brakeman/scanner.rb

@@ -96,7 +96,7 @@ class Brakeman::Scanner
   #
   #Stores parsed information in tracker.config
   def process_config
-    if options[:rails3]
+    if options[:rails3] or options[:rails4] or options[:rails5]
       process_config_file "application.rb"
       process_config_file "environments/production.rb"
     else
@@ -155,8 +155,13 @@ class Brakeman::Scanner
       if @app_tree.exists?("script/rails")
         tracker.options[:rails3] = true
         Brakeman.notify "[Notice] Detected Rails 3 application"
+      elsif @app_tree.exists?("app/channels")
+        tracker.options[:rails3] = true
+        tracker.options[:rails4] = true
+        tracker.options[:rails5] = true
+        Brakeman.notify "[Notice] Detected Rails 5 application"
       elsif not @app_tree.exists?("script")
-        tracker.options[:rails3] = true # Probably need to do some refactoring
+        tracker.options[:rails3] = true
         tracker.options[:rails4] = true
         Brakeman.notify "[Notice] Detected Rails 4 application"
       end

data/lib/brakeman/tracker.rb

@@ -115,6 +115,23 @@ class Brakeman::Tracker
     end
   end
 
+
+  def each_class
+    classes = [self.controllers, self.models]
+
+    if @options[:index_libs]
+      classes << self.libs
+    end
+
+    classes.each do |set|
+      set.each do |set_name, collection|
+        collection.src.each do |file, src|
+          yield src, set_name, file
+        end
+      end
+    end
+  end
+
   #Find a method call.
   #
   #Options:
@@ -178,6 +195,10 @@ class Brakeman::Tracker
       finder.process_source definition, :class => set_name, :method => method_name, :file => file
     end
 
+    self.each_class do |definition, set_name, file|
+      finder.process_source definition, :class => set_name, :file => file
+    end
+
     self.each_template do |name, template|
       finder.process_source template.src, :template => template, :file => template.file
     end

data/lib/brakeman/tracker/config.rb

@@ -7,6 +7,7 @@ module Brakeman
     attr_reader :rails, :tracker
     attr_accessor :rails_version
     attr_writer :erubis, :escape_html
+    attr_reader :gems
 
     def initialize tracker
       @tracker = tracker
@@ -76,6 +77,11 @@ module Brakeman
             tracker.options[:rails3] = true
             tracker.options[:rails4] = true
             Brakeman.notify "[Notice] Detected Rails 4 application"
+          elsif @rails_version.start_with? "5"
+            tracker.options[:rails3] = true
+            tracker.options[:rails4] = true
+            tracker.options[:rails5] = true
+            Brakeman.notify "[Notice] Detected Rails 5 application"
           end
         end
       end