brakeman-min 4.8.1 → 4.8.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 92ecc405f5d8aa44662d99820f962df8e9b2fe6391837b06639511c7cb7a24bc
-  data.tar.gz: e991cb7e2732104d3859973aedad74ddce99157f5143c0799c90c2c489289e44
+  metadata.gz: 18fa42d2a0eeaf565724bb5145f59142b6402af3be0f6ee49bebb970d70b9c22
+  data.tar.gz: 7f99ebf29f9bffeb5e85affc301d51737daf8a33af1460920a3dd89a06146dc5
 SHA512:
-  metadata.gz: 6fc22f32bfead785a7fe0b5ac06289b323b2a047528f4d1da238b8e0d233ecfabb37a869a51c72698974d9b15e7818d47ef2fafc8dd57fc578bce46c3f3a29b3
-  data.tar.gz: 5b96b57238d6e2813dbd83744c32ba546e116e205d0b3546bc52010621394ee7c8f012c258155aed021010e535c8f8ee706108059f7c8ef54019a66a25658d03
+  metadata.gz: b4120572b0427c8dd6f7b3640b7943bf96e4a0637ee26aa124e4dbebc2887da242f70e4d20917c144b72fa76568565d5b503340695f5b4ffd7b79d8f9ac34e82
+  data.tar.gz: 6ea04eadc2c4a63ba6df485f04618486a89457666588f65705731347b47ec7f2fe5517b2bb66a55e0ba2637a1c4518ea57f35ca730b11c5f06abc1d18f6741a8

data/CHANGES.md

@@ -1,3 +1,10 @@
+# 4.8.2 - 2020-05-12
+
+* Add check for CVE-2020-8159
+* Fix `authenticate_or_request_with_http_basic` check for passed blocks (Hugo Corbucci)
+* Add `--text-fields` option
+* Add check for escaping HTML entities in JSON configuration
+
 # 4.8.1 - 2020-04-06
 
 * Check SQL query strings using `String#strip` or `String.squish`

data/README.md

@@ -16,9 +16,11 @@ Using RubyGems:
 
 Using Bundler:
 
-    group :development do
-      gem 'brakeman'
-    end
+```ruby
+group :development do
+  gem 'brakeman'
+end
+```
 
 Using Docker:
 

data/lib/brakeman/checks/base_check.rb

@@ -467,7 +467,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   end
 
   def gemfile_or_environment gem_name = :rails
-    if gem_name and info = tracker.config.get_gem(gem_name)
+    if gem_name and info = tracker.config.get_gem(gem_name.to_sym)
       info
     elsif @app_tree.exists?("Gemfile")
       @app_tree.file_path "Gemfile"

data/lib/brakeman/checks/check_basic_auth.rb

@@ -57,6 +57,8 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
 
   # Check if the block of a result contains a comparison of password to string
   def include_password_literal? result
+    return false if result[:block_args].nil?
+
     @password_var = result[:block_args].last
     @include_password = false
     process result[:block]

data/lib/brakeman/checks/check_json_entity_escape.rb

@@ -0,0 +1,38 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckJSONEntityEscape < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Check if HTML escaping is disabled for JSON output"
+
+  def run_check
+    check_config_setting
+    check_manual_disable
+  end
+
+  def check_config_setting
+    if false? tracker.config.rails.dig(:active_support, :escape_html_entities_in_json)
+      warn :warning_type => "Cross-Site Scripting",
+        :warning_code => :json_html_escape_config,
+        :message => msg("HTML entities in JSON are not escaped by default"),
+        :confidence => :medium,
+        :file => "config/environments/production.rb",
+        :line => 1
+    end
+  end
+
+  def check_manual_disable
+    tracker.find_call(targets: [:ActiveSupport, :'ActiveSupport::JSON::Encoding'], method: :escape_html_entities_in_json=).each do |result|
+      setting = result[:call].first_arg
+
+      if false? setting
+        warn :result => result,
+          :warning_type => "Cross-Site Scripting",
+          :warning_code => :json_html_escape_module,
+          :message => msg("HTML entities in JSON are not escaped by default"),
+          :confidence => :medium,
+          :file => "config/environments/production.rb"
+      end
+    end
+  end
+end

data/lib/brakeman/checks/check_page_caching_cve.rb

@@ -0,0 +1,37 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckPageCachingCVE < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Check for page caching vulnerability (CVE-2020-8159)"
+
+  def run_check
+    gem_name = 'actionpack-page_caching'
+    gem_version = tracker.config.gem_version(gem_name.to_sym)
+    upgrade_version = '1.2.2'
+    cve = 'CVE-2020-8159'
+
+    return unless gem_version and version_between?('0.0.0', '1.2.1', gem_version)
+
+    message = msg("Directory traversal vulnerability in ", msg_version(gem_version, gem_name), " ", msg_cve(cve), ". Upgrade to ", msg_version(upgrade_version, gem_name))
+
+    if uses_caches_page?
+      confidence = :high
+    else
+      confidence = :weak
+    end
+
+    warn :warning_type => 'Directory Traversal',
+      :warning_code => :CVE_2020_8159,
+      :message => message,
+      :confidence => confidence,
+      :link_path => 'https://groups.google.com/d/msg/rubyonrails-security/CFRVkEytdP8/c5gmICECAgAJ',
+      :gem_info => gemfile_or_environment(gem_name)
+  end
+
+  def uses_caches_page?
+    tracker.controllers.any? do |name, controller|
+      controller.options.has_key? :caches_page
+    end
+  end
+end

data/lib/brakeman/options.rb

@@ -301,6 +301,22 @@ module Brakeman::Options
           options[:github_repo] = repo
         end
 
+        opts.on "--text-fields field1,field2,etc.", Array, "Specify fields for text report format" do |format|
+          valid_options = [:category, :category_id, :check, :code, :confidence, :file, :fingerprint, :line, :link, :message, :render_path]
+
+          options[:text_fields] = format.map(&:to_sym)
+
+          if options[:text_fields] == [:all]
+            options[:text_fields] = valid_options
+          else
+            invalid_options = (options[:text_fields] - valid_options)
+
+            unless invalid_options.empty?
+              raise OptionParser::ParseError, "\nInvalid format options: #{invalid_options.inspect}"
+            end
+          end
+        end
+
         opts.on "-w",
           "--confidence-level LEVEL",
           ["1", "2", "3"],

data/lib/brakeman/report/report_text.rb

@@ -145,24 +145,45 @@ class Brakeman::Report::Text < Brakeman::Report::Base
   end
 
   def output_warning w
-    out = [
-      label('Confidence', confidence(w.confidence)),
-      label('Category', w.warning_type.to_s),
-      label('Check', w.check.gsub(/^Brakeman::Check/, '')),
+    text_format = tracker.options[:text_fields] ||
+      [:confidence, :category, :check, :message, :code, :file, :line]
+
+    text_format.map do |option|
+      format_line(w, option)
+    end.compact
+  end
+
+  def format_line w, option
+    case option
+    when :confidence
+      label('Confidence', confidence(w.confidence))
+    when :category
+      label('Category', w.warning_type.to_s)
+    when :check
+      label('Check', w.check.gsub(/^Brakeman::Check/, ''))
+    when :message
       label('Message', w.message)
-    ]
-
-    if w.code
-      out << label('Code', format_code(w))
-    end
-
-    out << label('File', warning_file(w))
-
-    if w.line
-      out << label('Line', w.line)
+    when :code
+      if w.code
+        label('Code', format_code(w))
+      end
+    when :file
+      label('File', warning_file(w))
+    when :line
+      if w.line
+        label('Line', w.line)
+      end
+    when :link
+      label('Link', w.link)
+    when :fingerprint
+      label('Fingerprint', w.fingerprint)
+    when :category_id
+      label('Category ID', w.warning_code)
+    when :render_path
+      if w.called_from
+        label('Render Path', w.called_from.join(" > "))
+      end
     end
-
-    out
   end
 
   def double_space title, values

data/lib/brakeman/tracker/config.rb

@@ -54,7 +54,7 @@ module Brakeman
     end
 
     def gem_version name
-      extract_version @gems.dig(name, :version)
+      extract_version @gems.dig(name.to_sym, :version)
     end
 
     def add_gem name, version, file, line
@@ -67,11 +67,11 @@ module Brakeman
     end
 
     def has_gem? name
-      !!@gems[name]
+      !!@gems[name.to_sym]
     end
 
     def get_gem name
-      @gems[name]
+      @gems[name.to_sym]
     end
 
     def set_rails_version version = nil

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "4.8.1"
+  Version = "4.8.2"
 end

data/lib/brakeman/warning_codes.rb

@@ -114,6 +114,10 @@ module Brakeman::WarningCodes
     :unsafe_cookie_serialization => 110,
     :reverse_tabnabbing => 111,
     :mass_assign_permit_all => 112,
+    :json_html_escape_config => 113,
+    :json_html_escape_module => 114,
+    :CVE_2020_8159 => 115,
+
     :custom_check => 9090,
   }
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-min
 version: !ruby/object:Gem::Version
-  version: 4.8.1
+  version: 4.8.2
 platform: ruby
 authors:
 - Justin Collins
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-04-07 00:00:00.000000000 Z
+date: 2020-05-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -164,6 +164,7 @@ files:
 - lib/brakeman/checks/check_i18n_xss.rb
 - lib/brakeman/checks/check_jruby_xml.rb
 - lib/brakeman/checks/check_json_encoding.rb
+- lib/brakeman/checks/check_json_entity_escape.rb
 - lib/brakeman/checks/check_json_parsing.rb
 - lib/brakeman/checks/check_link_to.rb
 - lib/brakeman/checks/check_link_to_href.rb
@@ -176,6 +177,7 @@ files:
 - lib/brakeman/checks/check_nested_attributes.rb
 - lib/brakeman/checks/check_nested_attributes_bypass.rb
 - lib/brakeman/checks/check_number_to_currency.rb
+- lib/brakeman/checks/check_page_caching_cve.rb
 - lib/brakeman/checks/check_permit_attributes.rb
 - lib/brakeman/checks/check_quote_table_name.rb
 - lib/brakeman/checks/check_redirect.rb
@@ -330,7 +332,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.8
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.