brakeman-min 4.3.1 → 4.4.0

data/lib/brakeman/checks/check_render_dos.rb

@@ -25,7 +25,7 @@ class Brakeman::CheckRenderDoS < Brakeman::BaseCheck
   end
 
   def warn_about_text_render
-    message = "Rails #{rails_version} has a denial of service vulnerability (CVE-2014-0082). Upgrade to Rails version 3.2.17"
+    message = msg(msg_version(rails_version), " has a denial of service vulnerability ", msg_cve("CVE-2014-0082"), ". Upgrade to ", msg_version("3.2.17"))
 
     warn :warning_type => "Denial of Service",
       :warning_code => :CVE_2014_0082,

data/lib/brakeman/checks/check_render_inline.rb

@@ -26,7 +26,7 @@ class Brakeman::CheckRenderInline < Brakeman::CheckCrossSiteScripting
           warn :result => result,
             :warning_type => "Cross-Site Scripting",
             :warning_code => :cross_site_scripting_inline,
-            :message => "Unescaped #{friendly_type_of input} rendered inline",
+            :message => msg("Unescaped ", msg_input(input), " rendered inline"),
             :user_input => input,
             :confidence => :high
         elsif input = has_immediate_model?(render_value)

data/lib/brakeman/checks/check_response_splitting.rb

@@ -12,7 +12,7 @@ class Brakeman::CheckResponseSplitting < Brakeman::BaseCheck
 
       warn :warning_type => "Response Splitting",
         :warning_code => :CVE_2011_3186,
-        :message => "Versions before 2.3.14 have a vulnerability content type handling allowing injection of headers: CVE-2011-3186",
+        :message => msg("Rails versions before 2.3.14 have a vulnerability content type handling allowing injection of headers ", msg_cve("CVE-2011-3186")),
         :confidence => :medium,
         :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/b_yTveAph2g/discussion"

data/lib/brakeman/checks/check_route_dos.rb

@@ -16,7 +16,7 @@ class Brakeman::CheckRouteDoS < Brakeman::BaseCheck
                   end
 
     if controller_wildcards?
-      message = "Rails #{rails_version} has a denial of service vulnerability with :controller routes (CVE-2015-7581). Upgrade to Rails #{fix_version}"
+      message = msg(msg_version(rails_version), " has a denial of service vulnerability with ", msg_code(":controller"), " routes ", msg_cve("CVE-2015-7581"), ". Upgrade to ", msg_version(fix_version))
 
       warn :warning_type => "Denial of Service",
         :warning_code => :CVE_2015_7581,

data/lib/brakeman/checks/check_safe_buffer_manipulation.rb

@@ -20,7 +20,7 @@ class Brakeman::CheckSafeBufferManipulation < Brakeman::BaseCheck
       return
     end
 
-    message = "Rails #{rails_version} has a vulnerabilty in SafeBuffer. Upgrade to #{suggested_version} or apply patches."
+    message = msg(msg_version(rails_version), " has a vulnerability in ", msg_code("SafeBuffer"), ". Upgrade to ", msg_version(suggested_version), " or apply patches")
 
     warn :warning_type => "Cross-Site Scripting",
       :warning_code => :safe_buffer_vuln, 

data/lib/brakeman/checks/check_sanitize_methods.rb

@@ -44,7 +44,7 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
       next if duplicate? result
       add_result result
 
-      message = "Rails #{rails_version} has a vulnerability in #{method}: upgrade to #{@fix_version} or patch"
+      message = msg(msg_version(rails_version), " has a vulnerability in ", msg_code(method), ". Upgrade to ", msg_version(@fix_version), " or patch")
 
       warn :result => result,
         :warning_type => "Cross-Site Scripting",
@@ -70,7 +70,7 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
 
   def check_cve_2018_8048
     if loofah_vulnerable_cve_2018_8048?
-      message = "Loofah #{tracker.config.gem_version(:loofah)} is vulnerable (CVE-2018-8048). Upgrade to 2.1.2"
+      message = msg(msg_version(tracker.config.gem_version(:loofah), "loofah gem"), " is vulnerable (CVE-2018-8048). Upgrade to 2.1.2")
 
       if tracker.find_call(:target => false, :method => :sanitize).any?
         confidence = :high
@@ -94,7 +94,7 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
   end
 
   def warn_sanitizer_cve cve, link, upgrade_version
-    message = "rails-html-sanitizer #{tracker.config.gem_version(:'rails-html-sanitizer')} is vulnerable (#{cve}). Upgrade to #{upgrade_version}"
+    message = msg(msg_version(tracker.config.gem_version(:'rails-html-sanitizer'), "rails-html-sanitizer"), " is vulnerable ", msg_cve(cve), ". Upgrade to ", msg_version(upgrade_version, "rails-html-sanitizer"))
 
     if tracker.find_call(:target => false, :method => :sanitize).any?
       confidence = :high

data/lib/brakeman/checks/check_secrets.rb

@@ -24,7 +24,7 @@ class Brakeman::CheckSecrets < Brakeman::BaseCheck
 
           warn :warning_code => :secret_in_source,
             :warning_type => "Authentication",
-            :message => "Hardcoded value for #{name} in source code",
+            :message => msg("Hardcoded value for ", msg_code(name), " in source code"),
             :confidence => :medium,
             :file => constant.file,
             :line => constant.line

data/lib/brakeman/checks/check_select_tag.rb

@@ -21,7 +21,7 @@ class Brakeman::CheckSelectTag < Brakeman::BaseCheck
 
     @ignore_methods = Set[:escapeHTML, :escape_once, :h].merge tracker.options[:safe_methods]
 
-    @message = "Upgrade to Rails #{suggested_version}, #{rails_version} select_tag is vulnerable (CVE-2012-3463)"
+    @message = msg("Upgrade to ", msg_version(suggested_version), ". In ", msg_version(rails_version), " ", msg_code("select_tag"), " is vulnerable ", msg_cve("CVE-2012-3463"))
 
     calls = tracker.find_call(:target => nil, :method => :select_tag).select do |result|
       result[:location][:type] == :template

data/lib/brakeman/checks/check_select_vulnerability.rb

@@ -23,7 +23,7 @@ class Brakeman::CheckSelectVulnerability < Brakeman::BaseCheck
       return
     end
 
-    @message = "Upgrade to Rails #{suggested_version}, #{rails_version} select() helper is vulnerable"
+    @message = msg("Upgrade to ", msg_version(suggested_version), ". In ", msg_version(rails_version), " ", msg_code("select"), " helper is vulnerable")
 
     calls = tracker.find_call(:target => nil, :method => :select).select do |result|
       result[:location][:type] == :template

data/lib/brakeman/checks/check_session_manipulation.rb

@@ -26,7 +26,7 @@ class Brakeman::CheckSessionManipulation < Brakeman::BaseCheck
       warn :result => result,
         :warning_type => "Session Manipulation",
         :warning_code => :session_key_manipulation,
-        :message => "#{friendly_type_of(input).capitalize} used as key in session hash",
+        :message => msg(msg_input(input), " used as key in session hash"),
         :code => result[:call],
         :user_input => input,
         :confidence => confidence

data/lib/brakeman/checks/check_session_settings.rb

@@ -123,7 +123,7 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
         return
       end
 
-      if secrets["production"] and secret = secrets["production"]["secret_key_base"]
+      if secrets && secrets["production"] and secret = secrets["production"]["secret_key_base"]
         unless secret.include? "<%="
           line = yaml.lines.find_index { |l| l.include? secret } + 1
 

data/lib/brakeman/checks/check_simple_format.rb

@@ -16,7 +16,7 @@ class Brakeman::CheckSimpleFormat < Brakeman::CheckCrossSiteScripting
   end
 
   def generic_warning
-    message = "Rails #{rails_version} has a vulnerability in simple_format (CVE-2013-6416). Upgrade to Rails version 4.0.2"
+    message = msg(msg_version(rails_version), " has a vulnerability in ", msg_code("simple_format"), " ", msg_cve("CVE-2013-6416"), ". Upgrade to ", msg_version("4.0.2"))
 
     warn :warning_type => "Cross-Site Scripting",
       :warning_code => :CVE_2013_6416,
@@ -50,7 +50,7 @@ class Brakeman::CheckSimpleFormat < Brakeman::CheckCrossSiteScripting
     warn :result => result,
       :warning_type => "Cross-Site Scripting",
       :warning_code => :CVE_2013_6416_call,
-      :message => "Values passed to simple_format are not safe in Rails #{rails_version}",
+      :message => msg("Values passed to ", msg_code("simple_format"), " are not safe in ", msg_version(rails_version)),
       :confidence => :high,
       :link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ",
       :user_input => match

data/lib/brakeman/checks/check_single_quotes.rb

@@ -16,17 +16,21 @@ class Brakeman::CheckSingleQuotes < Brakeman::BaseCheck
   def run_check
     return if uses_rack_escape?
 
-    case
-    when version_between?('2.0.0', '2.3.14')
-      message = "All Rails 2.x versions do not escape single quotes (CVE-2012-3464)"
-    when version_between?('3.0.0', '3.0.16')
-      message = "Rails #{rails_version} does not escape single quotes (CVE-2012-3464). Upgrade to 3.0.17"
-    when version_between?('3.1.0', '3.1.7')
-      message = "Rails #{rails_version} does not escape single quotes (CVE-2012-3464). Upgrade to 3.1.8"
-    when version_between?('3.2.0', '3.2.7')
-      message = "Rails #{rails_version} does not escape single quotes (CVE-2012-3464). Upgrade to 3.2.8"
+    if version_between? '2.0.0', '2.3.14'
+      message = msg("All Rails 2.x versions do not escape single quotes ", msg_cve("CVE-2012-3464"))
     else
-      return
+      message = msg(msg_version(rails_version), " does not escape single quotes ", msg_cve("CVE-2012-3464"), ". Upgrade to ")
+
+      case
+      when version_between?('3.0.0', '3.0.16')
+        message << msg_version('3.0.17')
+      when version_between?('3.1.0', '3.1.7')
+        message << msg_version('3.1.8')
+      when version_between?('3.2.0', '3.2.7')
+        message << msg_version('3.2.8')
+      else
+        return
+      end
     end
 
     warn :warning_type => "Cross-Site Scripting",

data/lib/brakeman/checks/check_skip_before_filter.rb

@@ -26,7 +26,7 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
       warn :class => controller.name, #ugh this should be a controller warning, too
         :warning_type => "Cross-Site Request Forgery",
         :warning_code => :csrf_blacklist,
-        :message => "Use whitelist (:only => [..]) when skipping CSRF check",
+        :message => msg("Use whitelist (", msg_code(":only => [..]"), ") when skipping CSRF check"),
         :code => filter,
         :confidence => :medium,
         :file => controller.file
@@ -35,7 +35,7 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
       warn :controller => controller.name,
         :warning_code => :auth_blacklist,
         :warning_type => "Authentication",
-        :message => "Use whitelist (:only => [..]) when skipping authentication",
+        :message => msg("Use whitelist (", msg_code(":only => [..]"), ") when skipping authentication"),
         :code => filter,
         :confidence => :medium,
         :link => "authentication_whitelist",

data/lib/brakeman/checks/check_sprockets_path_traversal.rb

@@ -0,0 +1,39 @@
+class Brakeman::CheckSprocketsPathTraversal < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for CVE-2018-3760"
+
+  def run_check
+    sprockets_version = tracker.config.gem_version(:sprockets)
+
+    return unless sprockets_version
+    return if has_workaround?
+
+    case
+    when version_between?("0.0.0", "2.12.4", sprockets_version)
+      upgrade_version = "2.12.5"
+      confidence = :weak
+    when version_between?("3.0.0", "3.7.1", sprockets_version)
+      upgrade_version = "3.7.2"
+      confidence = :high
+    when version_between?("4.0.0.beta1", "4.0.0.beta7", sprockets_version)
+      upgrade_version = "4.0.0.beta8"
+      confidence = :high
+    else
+      return
+    end
+
+    message = msg(msg_version(sprockets_version, "sprockets"), " has a path traversal vulnerability ", msg_cve("CVE-2018-3760"), ". Upgrade to ", msg_version(upgrade_version, "sprockets"), " or newer")
+
+    warn :warning_type => "Path Traversal",
+      :warning_code => :CVE_2018_3760,
+      :message => message,
+      :confidence => confidence,
+      :gem_info => gemfile_or_environment(:sprockets),
+      :link_path => "https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ"
+  end
+
+  def has_workaround?
+    false? (tracker.config.rails[:assets] and tracker.config.rails[:assets][:compile])
+  end
+end

data/lib/brakeman/checks/check_sql.rb

@@ -247,7 +247,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       warn :result => result,
         :warning_type => "SQL Injection",
         :warning_code => :sql_injection_limit_offset,
-        :message => "Upgrade to Rails >= 2.1.2 to escape :limit and :offset. Possible SQL injection",
+        :message => msg("Upgrade to Rails >= 2.1.2 to escape ", msg_code(":limit"), " and ", msg_code("offset"), ". Possible SQL injection"),
         :confidence => confidence
     end
   end

data/lib/brakeman/checks/check_sql_cves.rb

@@ -78,7 +78,7 @@ class Brakeman::CheckSQLCVEs < Brakeman::BaseCheck
 
     warn :warning_type => 'SQL Injection',
       :warning_code => code,
-      :message => "Rails #{rails_version} contains a SQL injection vulnerability (#{cve}). Upgrade to #{upgrade_version}",
+      :message => msg(msg_version(rails_version), " contains a SQL injection vulnerability ", msg_cve(cve), ". Upgrade to ", msg_version(upgrade_version)),
       :confidence => :high,
       :gem_info => gemfile_or_environment,
       :link_path => link
@@ -98,7 +98,7 @@ class Brakeman::CheckSQLCVEs < Brakeman::BaseCheck
 
     warn :warning_type => 'SQL Injection',
       :warning_code => :CVE_2014_0080,
-      :message => "Rails #{rails_version} contains a SQL injection vulnerability (CVE-2014-0080) with PostgreSQL. Upgrade to 4.0.3",
+      :message => msg(msg_version(rails_version), " contains a SQL injection vulnerability ", msg_cve("CVE-2014-0080"), " with PostgreSQL. Upgrade to ", msg_version("4.0.3")),
       :confidence => :high,
       :gem_info => gemfile_or_environment(:pg),
       :link_path => "https://groups.google.com/d/msg/rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ"

data/lib/brakeman/checks/check_strip_tags.rb

@@ -25,9 +25,9 @@ class Brakeman::CheckStripTags < Brakeman::BaseCheck
   def cve_2011_2931
     if version_between?('2.0.0', '2.3.12') or version_between?('3.0.0', '3.0.9')
       if rails_version =~ /^3/
-        message = "Versions before 3.0.10 have a vulnerability in strip_tags (CVE-2011-2931)"
+        message = msg("Versions before 3.0.10 have a vulnerability in ", msg_code("strip_tags"), " ", msg_cve("CVE-2011-2931"))
       else
-        message = "Versions before 2.3.13 have a vulnerability in strip_tags (CVE-2011-2931)"
+        message = msg("Versions before 2.3.13 have a vulnerability in ", msg_code("strip_tags"), " ", msg_cve("CVE-2011-2931"))
       end
 
       warn :warning_type => "Cross-Site Scripting",
@@ -40,15 +40,17 @@ class Brakeman::CheckStripTags < Brakeman::BaseCheck
   end
 
   def cve_2012_3465
+    message = msg(msg_version(rails_version), " has a vulnerability in ", msg_code("strip_tags"), " ", msg_cve("CVE-2012-3465"), ". Upgrade to ")
+
     case
     when (version_between?('2.0.0', '2.3.14') and tracker.config.escape_html?)
-      message = "All Rails 2.x versions have a vulnerability in strip_tags (CVE-2012-3465)"
+      message = msg("All Rails 2.x versions have a vulnerability in ", msg_code("strip_tags"), " ", msg_cve("CVE-2012-3465"))
     when version_between?('3.0.10', '3.0.16')
-      message = "Rails #{rails_version} has a vulnerability in strip_tags (CVE-2012-3465). Upgrade to 3.0.17"
+      message << msg_version('3.0.17')
     when version_between?('3.1.0', '3.1.7')
-      message = "Rails #{rails_version} has a vulnerability in strip_tags (CVE-2012-3465). Upgrade to 3.1.8"
+      message << msg_version('3.1.8')
     when version_between?('3.2.0', '3.2.7')
-      message = "Rails #{rails_version} has a vulnerability in strip_tags (CVE-2012-3465). Upgrade to 3.2.8"
+      message << msg_version('3.2.8')
     else
       return
     end
@@ -69,13 +71,13 @@ class Brakeman::CheckStripTags < Brakeman::BaseCheck
         confidence = :medium
       end
 
-      message = "rails-html-sanitizer 1.0.2 is vulnerable (CVE-2015-7579). Upgrade to 1.0.3"
+      message = msg(msg_version("1.0.2", "rails-html-sanitizer"), " is vulnerable (CVE-2015-7579). Upgrade to ", msg_version("1.0.3", "rails-html-sanitizer"))
 
       warn :warning_type => "Cross-Site Scripting",
         :warning_code => :CVE_2015_7579,
         :message => message,
         :confidence => confidence,
-        :gem_info => gemfile_or_environment,
+        :gem_info => gemfile_or_environment(:"rails-html-sanitizer"),
         :link_path => "https://groups.google.com/d/msg/rubyonrails-security/OU9ugTZcbjc/PjEP46pbFQAJ"
 
     end

data/lib/brakeman/checks/check_symbol_dos.rb

@@ -38,7 +38,7 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
       return if safe_parameter? input.match
       return if symbolizing_attributes? input
 
-      message = "Symbol conversion from unsafe string (#{friendly_type_of input})"
+      message = msg("Symbol conversion from unsafe string in ", msg_input(input))
 
       warn :result => result,
         :warning_type => "Denial of Service",

data/lib/brakeman/checks/check_symbol_dos_cve.rb

@@ -20,7 +20,7 @@ class Brakeman::CheckSymbolDoSCVE < Brakeman::BaseCheck
     if fix_version && active_record_models.any?
       warn :warning_type => "Denial of Service",
         :warning_code => :CVE_2013_1854,
-        :message => "Rails #{rails_version} has a denial of service vulnerability in ActiveRecord: upgrade to #{fix_version} or patch",
+        :message => msg(msg_version(rails_version), " has a denial of service vulnerability in ActiveRecord. Upgrade to ", msg_version(fix_version), " or patch"),
         :confidence => :medium,
         :gem_info => gemfile_or_environment,
         :link => "https://groups.google.com/d/msg/rubyonrails-security/jgJ4cjjS8FE/BGbHRxnDRTIJ"

data/lib/brakeman/checks/check_translate_bug.rb

@@ -18,15 +18,15 @@ class Brakeman::CheckTranslateBug < Brakeman::BaseCheck
         :medium
       end
 
-      description = "have a vulnerability in the translate helper with keys ending in _html"
+      description = [" has a vulnerability in the translate helper with keys ending in ", msg_code("_html")]
 
       message = if rails_version =~ /^3\.1/
-        "Versions before 3.1.2 #{description}."
-      elsif rails_version =~ /^3\.0/
-        "Versions before 3.0.11 #{description}."
-      else
-        "Rails 2.3.x using the rails_xss plugin #{description}."
-      end
+                  msg(msg_version(rails_version), *description, ". Upgrade to ", msg_version("3.1.2"))
+                elsif rails_version =~ /^3\.0/
+                  msg(msg_version(rails_version), *description, ". Upgrade to ", msg_version("3.0.11"))
+                else
+                  msg("Rails 2.3.x using the rails_xss plugin", *description)
+                end
 
       warn :warning_type => "Cross-Site Scripting",
         :warning_code => :translate_vuln,

data/lib/brakeman/checks/check_unsafe_reflection.rb

@@ -37,7 +37,7 @@ class Brakeman::CheckUnsafeReflection < Brakeman::BaseCheck
     end
 
     if confidence
-      message = "Unsafe reflection method #{method} called with #{friendly_type_of input}"
+      message = msg("Unsafe reflection method ", msg_code(method), " called with ", msg_input(input))
 
       warn :result => result,
         :warning_type => "Remote Code Execution",

data/lib/brakeman/checks/check_unscoped_find.rb

@@ -37,7 +37,7 @@ class Brakeman::CheckUnscopedFind < Brakeman::BaseCheck
     warn :result => result,
       :warning_type => "Unscoped Find",
       :warning_code => :unscoped_find,
-      :message      => "Unscoped call to #{result[:target]}##{result[:method]}",
+      :message      => msg("Unscoped call to ", msg_code("#{result[:target]}##{result[:method]}")),
       :code         => result[:call],
       :confidence   => :weak,
       :user_input   => input

data/lib/brakeman/checks/check_validation_regex.rb

@@ -89,7 +89,7 @@ class Brakeman::CheckValidationRegex < Brakeman::BaseCheck
       warn :model => @current_model,
       :warning_type => "Format Validation",
       :warning_code => :validation_regex,
-      :message => "Insufficient validation for '#{get_name validator}' using #{regex.inspect}. Use \\A and \\z as anchors",
+      :message => msg("Insufficient validation for ", msg_code(get_name validator), " using ", msg_code(regex.inspect), ". Use ", msg_code("\\A"), " and ", msg_code("\\z"), " as anchors"),
       :line => value.line,
       :confidence => :high
     end

data/lib/brakeman/checks/check_weak_hash.rb

@@ -39,20 +39,19 @@ class Brakeman::CheckWeakHash < Brakeman::BaseCheck
       confidence = :medium
     end
 
+    message = msg("Weak hashing algorithm used")
 
-    alg = case call.target.last
-          when :MD5
-           " (MD5)"
-           when :SHA1
-            " (SHA1)"
-          else
-            ""
-          end
+    case call.target.last
+    when :MD5
+      message << ": " << msg_lit("MD5")
+    when :SHA1
+      message << ": " << msg_lit("SHA1")
+    end
 
     warn :result => result,
       :warning_type => "Weak Hash",
       :warning_code => :weak_hash_digest,
-      :message => "Weak hashing algorithm#{alg} used",
+      :message => message,
       :confidence => confidence,
       :user_input => input
   end
@@ -62,19 +61,19 @@ class Brakeman::CheckWeakHash < Brakeman::BaseCheck
 
     call = result[:call]
 
-    alg = case call.third_arg.last
-           when :MD5
-             'MD5'
-           when :SHA1
-             'SHA1'
-           else
-             return
-           end
+    message = msg("Weak hashing algorithm used in HMAC")
+
+    case call.third_arg.last
+    when :MD5
+      message << ": " << msg_lit("MD5")
+    when :SHA1
+      message << ": " << msg_lit("SHA1")
+    end
 
     warn :result => result,
       :warning_type => "Weak Hash",
       :warning_code => :weak_hash_hmac,
-      :message => "Weak hashing algorithm (#{alg}) used in HMAC",
+      :message => message,
       :confidence => :medium
   end
 
@@ -90,7 +89,7 @@ class Brakeman::CheckWeakHash < Brakeman::BaseCheck
         warn :result => result,
           :warning_type => "Weak Hash",
           :warning_code => :weak_hash_digest,
-          :message => "Weak hashing algorithm (#{alg}) used",
+          :message => msg("Weak hashing algorithm used: ", msg_lit(alg)),
           :confidence => :medium
       end
     end