brakeman 0.0.2

data/lib/checks/check_default_routes.rb

@@ -0,0 +1,29 @@
+require 'checks/base_check'
+
+#Checks if default routes are allowed in routes.rb
+class CheckDefaultRoutes < BaseCheck
+  Checks.add self
+
+  #Checks for :allow_all_actions globally and for individual routes
+  #if it is not enabled globally.
+  def run_check
+    if tracker.routes[:allow_all_actions]
+      #Default routes are enabled globally
+      warn :warning_type => "Default Routes", 
+        :message => "All public methods in controllers are available as actions in routes.rb",
+        :line => tracker.routes[:allow_all_actions].line, 
+        :confidence => CONFIDENCE[:high],
+        :file => "#{OPTIONS[:app_path]}/config/routes.rb"
+    else #Report each controller separately
+      tracker.routes.each do |name, actions|
+        if actions == :allow_all_actions
+          warn :controller => name,
+            :warning_type => "Default Routes", 
+            :message => "Any public method in #{name} can be used as an action.",
+            :confidence => CONFIDENCE[:med],
+            :file => "#{OPTIONS[:app_path]}/config/routes.rb"
+        end
+      end
+    end
+  end
+end

data/lib/checks/check_evaluation.rb

@@ -0,0 +1,29 @@
+require 'checks/base_check'
+
+#This check looks for calls to +eval+, +instance_eval+, etc. which include
+#user input.
+class CheckEvaluation < BaseCheck
+  Checks.add self
+
+  #Process calls
+  def run_check
+    calls = tracker.find_call nil, [:eval, :instance_eval, :class_eval, :module_eval]
+
+    @templates = tracker.templates
+
+    calls.each do |call|
+      process_result call
+    end
+  end
+
+  #Warns if result includes user input
+  def process_result result
+    if include_user_input? result[-1]
+      warn :result => result,
+        :warning_type => "Dangerous Eval",
+        :message => "User input in eval",
+        :code => result[-1],
+        :confidence => CONFIDENCE[:high]
+    end
+  end
+end

data/lib/checks/check_execute.rb

@@ -0,0 +1,110 @@
+require 'checks/base_check'
+require 'processors/lib/find_call'
+
+#Checks for string interpolation and parameters in calls to
+#Kernel#system, Kernel#exec, Kernel#syscall, and inside backticks.
+#
+#Examples of command injection vulnerabilities:
+#
+# system("rf -rf #{params[:file]}")
+# exec(params[:command])
+# `unlink #{params[:something}`
+class CheckExecute < BaseCheck
+  Checks.add self
+
+  #Check models, controllers, and views for command injection.
+  def run_check
+    check_for_backticks tracker
+
+    calls = tracker.find_call [:IO, :Open3, :Kernel, []], [:exec, :popen, :popen3, :syscall, :system]
+
+    calls.each do |result|
+      process result
+    end
+  end
+
+  #Processes results from FindCall.
+  def process_result exp
+    call = exp[-1]
+
+    args = process call[3]
+
+    case call[2]
+    when :system, :exec
+      failure = include_user_input?(args[1]) || include_interp?(args[1])
+    else
+      failure = include_user_input?(args) || include_interp?(args)
+    end
+
+    if failure and not duplicate? call, exp[1]
+      add_result call, exp[1]
+
+      if @string_interp
+        confidence = CONFIDENCE[:med]
+      else
+        confidence = CONFIDENCE[:high]
+      end
+
+      warn :result => exp,
+        :warning_type => "Command Injection", 
+        :message => "Possible command injection",
+        :line => call.line,
+        :code => call,
+        :confidence => confidence
+    end
+
+    exp
+  end
+
+  #Looks for calls using backticks such as
+  #
+  # `rm -rf #{params[:file]}`
+  def check_for_backticks tracker
+    tracker.each_method do |exp, set_name, method_name|
+      @current_set = set_name
+      @current_method = method_name
+
+      process exp
+    end 
+
+    @current_set = nil
+
+    tracker.each_template do |name, template|
+      @current_template = template
+
+      process template[:src]
+    end
+
+    @current_template = nil
+  end
+
+  #Processes backticks.
+  def process_dxstr exp
+    return exp if duplicate? exp 
+
+    add_result exp
+
+    if include_user_input? exp
+      confidence = CONFIDENCE[:high]
+    else
+      confidence = CONFIDENCE[:med]
+    end
+
+    warning = { :warning_type => "Command Injection",
+      :message => "Possible command injection",
+      :line => exp.line,
+      :code => exp,
+      :confidence => confidence }
+
+    if @current_template
+      warning[:template] = @current_template
+    else
+      warning[:class] = @current_set
+      warning[:method] = @current_method
+    end
+
+    warn warning
+
+    exp
+  end
+end

data/lib/checks/check_file_access.rb

@@ -0,0 +1,46 @@
+require 'checks/base_check'
+require 'processors/lib/processor_helper'
+
+#Checks for user input in methods which open or manipulate files
+class CheckFileAccess < BaseCheck
+  Checks.add self
+
+  def run_check
+    methods = tracker.find_call [[:Dir, :File, :IO, :Kernel, :"Net::FTP", :"Net::HTTP", :PStore, :Pathname, :Shell, :YAML], []], [:[], :chdir, :chroot, :delete, :entries, :foreach, :glob, :install, :lchmod, :lchown, :link, :load, :load_file, :makedirs, :move, :new, :open, :read, :read_lines, :rename, :rmdir, :safe_unlink, :symlink, :syscopy, :sysopen, :truncate, :unlink]
+
+    methods.concat tracker.find_call(:FileUtils, nil)
+
+    methods.each do |call|
+      process_result call
+    end
+  end
+
+  def process_result result
+    call = result[-1]
+
+    file_name = call[3][1]
+
+    if check = include_user_input?(file_name)
+      unless duplicate? call, result[1]
+        add_result call, result[1]
+
+        if check == :params
+          message = "Parameter"
+        elsif check == :cookies
+          message = "Cookie"
+        else
+          message = "User input"
+        end
+
+        message << " value used in file name"
+
+        warn :result => result,
+          :warning_type => "File Access",
+          :message => message, 
+          :confidence => CONFIDENCE[:high],
+          :line => call.line,
+          :code => call
+      end
+    end
+  end
+end

data/lib/checks/check_forgery_setting.rb

@@ -0,0 +1,25 @@
+require 'checks/base_check'
+
+#Checks that +protect_from_forgery+ is set in the ApplicationController
+class CheckForgerySetting < BaseCheck
+  Checks.add self
+
+  def run_check
+    app_controller = tracker.controllers[:ApplicationController]
+    if tracker.config[:rails][:action_controller] and
+      tracker.config[:rails][:action_controller][:allow_forgery_protection] == Sexp.new(:false)
+
+      warn :controller => :ApplicationController,
+        :warning_type => "Cross Site Request Forgery",
+        :message => "Forgery protection is disabled", 
+        :confidence => CONFIDENCE[:high]
+
+    elsif app_controller and not app_controller[:options][:protect_from_forgery]
+
+      warn :controller => :ApplicationController, 
+        :warning_type => "Cross-Site Request Forgery", 
+        :message => "'protect_from_forgery' should be called in ApplicationController", 
+        :confidence => CONFIDENCE[:high]
+    end
+  end
+end

data/lib/checks/check_mass_assignment.rb

@@ -0,0 +1,72 @@
+require 'checks/base_check'
+
+#Checks for mass assignments to models.
+#
+#See http://guides.rubyonrails.org/security.html#mass-assignment for details
+class CheckMassAssignment < BaseCheck
+  Checks.add self
+
+  def run_check
+    return if mass_assign_disabled? tracker
+
+    models = []
+    tracker.models.each do |name, m|
+      if parent?(tracker, m, :"ActiveRecord::Base") and m[:attr_accessible].nil?
+        models << name
+      end
+    end
+
+    return if models.empty?
+
+    @results = Set.new
+
+    calls = tracker.find_call models, [:new,
+      :attributes=, 
+      :update_attribute, 
+      :update_attributes, 
+      :update_attributes!]
+
+    calls.each do |result|
+      process result
+    end
+  end
+
+  #All results should be Model.new(...) or Model.attributes=() calls
+  def process_result res
+    call = res[-1]
+
+    check = check_call call
+
+    if check and not @results.include? call
+      @results << call
+
+      if include_user_input? call[3]
+        confidence = CONFIDENCE[:high]
+      else
+        confidence = CONFIDENCE[:med]
+      end
+      
+      warn :result => res, 
+        :warning_type => "Mass Assignment", 
+        :message => "Unprotected mass assignment",
+        :line => call.line,
+        :code => call, 
+        :confidence => confidence
+    end
+    res
+  end
+
+  #Want to ignore calls to Model.new that have no arguments
+  def check_call call
+    args = process call[3]
+    if args.length <= 1 #empty new()
+      false
+    elsif hash? args[1]
+      #Still should probably check contents of hash
+      false
+    else
+      true
+    end
+  end
+
+end

data/lib/checks/check_model_attributes.rb

@@ -0,0 +1,36 @@
+require 'checks/base_check'
+
+#Check if mass assignment is used with models
+#which inherit from ActiveRecord::Base.
+#
+#If OPTIONS[:collapse_mass_assignment] is +true+ (default), all models which do
+#not use attr_accessible will be reported in a single warning
+class CheckModelAttributes < BaseCheck
+  Checks.add self
+
+  def run_check
+    return if mass_assign_disabled? tracker
+
+    names = []
+
+    tracker.models.each do |name, model|
+      if model[:attr_accessible].nil? and parent? tracker, model, :"ActiveRecord::Base"
+        if OPTIONS[:collapse_mass_assignment]
+          names << name.to_s
+        else
+          warn :model => name, 
+            :warning_type => "Attribute Restriction",
+            :message => "Mass assignment is not restricted using attr_accessible", 
+            :confidence => CONFIDENCE[:high]
+        end
+      end
+    end
+
+    if OPTIONS[:collapse_mass_assignment] and not names.empty?
+      warn :model => names.sort.join(", "), 
+        :warning_type => "Attribute Restriction", 
+        :message => "Mass assignment is not restricted using attr_accessible", 
+        :confidence => CONFIDENCE[:high]
+    end
+  end
+end

data/lib/checks/check_redirect.rb

@@ -0,0 +1,98 @@
+require 'checks/base_check'
+require 'processors/lib/find_call'
+
+#Reports any calls to +redirect_to+ which include parameters in the arguments.
+#
+#For example:
+#
+# redirect_to params.merge(:action => :elsewhere)
+class CheckRedirect < BaseCheck
+  Checks.add self
+
+  def run_check
+    @tracker.find_call(nil, :redirect_to).each do |c|
+      process c
+    end
+  end
+
+  def process_result exp
+    call = exp[-1]
+
+    method = call[2]
+
+    if method == :redirect_to and not only_path?(call) and res = include_user_input?(call)
+      if res == :immediate
+        confidence = CONFIDENCE[:high]
+      else
+        confidence = CONFIDENCE[:low]
+      end
+
+      warn :result => exp,
+        :warning_type => "Redirect",
+        :message => "Possible unprotected redirect",
+        :line => call.line,
+        :code => call,
+        :confidence => confidence
+    end
+
+    exp
+  end
+
+  #Custom check for user input. First looks to see if the user input
+  #is being output directly. This is necessary because of OPTIONS[:check_arguments]
+  #which can be used to enable/disable reporting output of method calls which use
+  #user input as arguments.
+  def include_user_input? call
+
+    if OPTIONS[:ignore_redirect_to_model] and call? call[3][1] and 
+      call[3][1][2] == :new and call[3][1][1]
+
+      begin
+        target = class_name call[3][1][1]
+        if @tracker.models.include? target
+          return false
+        end
+      rescue
+      end
+    end
+
+    call[3].each do |arg|
+      if call? arg 
+        if ALL_PARAMETERS.include? arg or arg[2] == COOKIES 
+          return :immediate
+        elsif arg[2] == :url_for and include_user_input? arg
+          return :immediate
+          #Ignore helpers like some_model_url?
+        elsif arg[2].to_s =~ /_(url|path)$/
+          return false
+        end
+      elsif params? arg or cookies? arg
+        return :immediate
+      end
+    end
+
+    if OPTIONS[:check_arguments]
+      super
+    else
+      false
+    end
+  end
+
+  #Checks +redirect_to+ arguments for +only_path => true+ which essentially
+  #nullifies the danger posed by redirecting with user input
+  def only_path? call
+    call[3].each do |arg|
+      if hash? arg
+        hash_iterate(arg) do |k,v|
+          if symbol? k and k[1] == :only_path and v.is_a? Sexp and v[0] == :true
+            return true
+          end
+        end
+      elsif call? arg and arg[2] == :url_for
+        return only_path?(arg)
+      end
+    end
+
+    false
+  end
+end