brakeman 1.5.3 → 1.6.0.pre1

data/lib/brakeman/checks/check_link_to_href.rb

@@ -40,10 +40,9 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
     #with something before the user input
     return if node_type?(url_arg, :string_interp) && !url_arg[1].chomp.empty?
 
-    type, match = has_immediate_user_input? url_arg
 
-    if type
-      case type
+    if input = has_immediate_user_input?(url_arg)
+      case input.type
       when :params
         message = "Unsafe parameter value in link_to href"
       when :cookies
@@ -57,6 +56,7 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
         warn :result => result,
           :warning_type => "Cross Site Scripting", 
           :message => message,
+          :user_input => input.match,
           :confidence => CONFIDENCE[:high]
       end
     elsif has_immediate_model? url_arg
@@ -72,9 +72,9 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
       # attack. 
 
     elsif @matched
-      if @matched == :model and not tracker.options[:ignore_model_output]
+      if @matched.type == :model and not tracker.options[:ignore_model_output]
         message = "Unsafe model attribute in link_to href"
-      elsif @matched == :params
+      elsif @matched.type == :params
         message = "Unsafe parameter value in link_to href"
       end
 
@@ -83,6 +83,7 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
         warn :result => result, 
           :warning_type => "Cross Site Scripting", 
           :message => message,
+          :user_input => @matched.match,
           :confidence => CONFIDENCE[:med]
       end
     end

data/lib/brakeman/checks/check_mail_to.rb

@@ -38,10 +38,8 @@ class Brakeman::CheckMailTo < Brakeman::BaseCheck
 
       args.each do |arg|
         if hash? arg
-          hash_iterate arg do |k, v|
-            if symbol? v and v[-1] == :javascript
-              return result
-            end
+          if hash_access(arg, :javascript)
+            return result
           end
         end
       end

data/lib/brakeman/checks/check_mass_assignment.rb

@@ -21,12 +21,10 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
 
     return if models.empty?
 
-    @results = Set.new
 
     Brakeman.debug "Finding possible mass assignment calls on #{models.length} models"
     calls = tracker.find_call :chained => true, :targets => models, :methods => [:new,
       :attributes=, 
-      :update_attribute, 
       :update_attributes, 
       :update_attributes!,
       :create,
@@ -45,8 +43,8 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
 
     check = check_call call
 
-    if check and not @results.include? call
-      @results << call
+    if check and not call.original_line and not duplicate? res
+      add_result res
 
       model = tracker.models[res[:chain].first]
 
@@ -54,10 +52,17 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
 
       if attr_protected and tracker.options[:ignore_attr_protected]
         return
-      elsif include_user_input? call[3] and not hash? call[3][1] and not attr_protected
-        confidence = CONFIDENCE[:high]
+      elsif input = include_user_input?(call[3])
+        if not hash? call[3][1] and not attr_protected
+          confidence = CONFIDENCE[:high]
+          user_input = input.match
+        else
+          confidence = CONFIDENCE[:low]
+          user_input = input.match
+        end
       else
         confidence = CONFIDENCE[:low]
+        user_input = nil
       end
       
       warn :result => res, 
@@ -65,6 +70,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
         :message => "Unprotected mass assignment",
         :line => call.line,
         :code => call, 
+        :user_input => user_input,
         :confidence => confidence
     end
 

data/lib/brakeman/checks/check_redirect.rb

@@ -19,12 +19,16 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
   end
 
   def process_result result
+    return if duplicate? result
+
     call = result[:call]
 
     method = call[2]
 
     if method == :redirect_to and not only_path?(call) and res = include_user_input?(call)
-      if res == :immediate
+      add_result result
+
+      if res.type == :immediate
         confidence = CONFIDENCE[:high]
       else
         confidence = CONFIDENCE[:low]
@@ -35,6 +39,7 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
         :message => "Possible unprotected redirect",
         :line => call.line,
         :code => call,
+        :user_input => res.match,
         :confidence => confidence
     end
   end
@@ -60,16 +65,18 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
 
     call[3].each do |arg|
       if call? arg 
-        if ALL_PARAMETERS.include? arg or arg[2] == COOKIES 
-          return :immediate
+        if request_value? arg
+          return Match.new(:immediate, arg)
+        elsif request_value? arg[1]
+          return Match.new(:immediate, arg[1])
         elsif arg[2] == :url_for and include_user_input? arg
-          return :immediate
+          return Match.new(:immediate, arg)
           #Ignore helpers like some_model_url?
         elsif arg[2].to_s =~ /_(url|path)$/
           return false
         end
-      elsif params? arg or cookies? arg
-        return :immediate
+      elsif request_value? arg
+        return Match.new(:immediate, arg)
       end
     end
 
@@ -85,10 +92,8 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
   def only_path? call
     call[3].each do |arg|
       if hash? arg
-        hash_iterate(arg) do |k,v|
-          if symbol? k and k[1] == :only_path and v.is_a? Sexp and v[0] == :true
-            return true
-          end
+        if value = hash_access(arg, :only_path)
+          return true if true?(value)
         end
       elsif call? arg and arg[2] == :url_for
         return check_url_for(arg)
@@ -103,10 +108,8 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
   def check_url_for call
     call[3].each do |arg|
       if hash? arg
-        hash_iterate(arg) do |k,v|
-          if symbol? k and k[1] == :only_path and v.is_a? Sexp and v[0] == :false
-            return false
-          end
+        if value = hash_access(arg, :only_path)
+          return false if false?(value)
         end
       end
     end

data/lib/brakeman/checks/check_render.rb

@@ -32,11 +32,10 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
     if sexp? view and not duplicate? result
       add_result result
 
-      type, match = has_immediate_user_input? view
 
-      if type
+      if input = has_immediate_user_input?(view)
         confidence = CONFIDENCE[:high]
-      elsif type = include_user_input?(view)
+      elsif input = include_user_input?(view)
         if node_type? view, :string_interp, :dstr
           confidence = CONFIDENCE[:med]
         else
@@ -48,7 +47,7 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
 
       message = "Render path contains "
 
-      case type
+      case input.type
       when :params
         message << "parameter value"
       when :cookies
@@ -66,6 +65,7 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
       warn :result => result,
         :warning_type => "Dynamic Render Path",
         :message => message,
+        :user_input => input.match,
         :confidence => confidence
     end
   end

data/lib/brakeman/checks/check_send.rb

@@ -19,19 +19,21 @@ class Brakeman::CheckSend < Brakeman::BaseCheck
     args = process result[:call][3]
     target = process result[:call][1]
 
-    if has_immediate_user_input? args[1]
+    if input = has_immediate_user_input?(args[1])
       warn :result => result,
         :warning_type => "Dangerous Send",
         :message => "User controlled method execution",
         :code => result[:call],
+        :user_input => input.match,
         :confidence => CONFIDENCE[:high]
     end
 
-    if has_immediate_user_input?(target)
+    if input = has_immediate_user_input?(target)
       warn :result => result,
         :warning_type => "Dangerous Send",
         :message => "User defined target of method invocation",
         :code => result[:call],
+        :user_input => input.match,
         :confidence => CONFIDENCE[:med]
     end
   end

data/lib/brakeman/checks/check_session_settings.rb

@@ -52,30 +52,25 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
 
   def check_for_issues settings, file
     if settings and hash? settings
-      hash_iterate settings do |key, value|
-        if symbol? key
-
-          if key[1] == :session_http_only and 
-            sexp? value and
-            value.node_type == :false
-
-            warn :warning_type => "Session Setting",
-              :message => "Session cookies should be set to HTTP only",
-              :confidence => CONFIDENCE[:high],
-              :line => key.line,
-              :file => file
+      if value = hash_access(settings, :session_http_only)
+        if false? value
+          warn :warning_type => "Session Setting",
+            :message => "Session cookies should be set to HTTP only",
+            :confidence => CONFIDENCE[:high],
+            :line => value.line,
+            :file => file
+        end
+      end
 
-          elsif key[1] == :secret and 
-            string? value and
-            value[1].length < 30
+      if value = hash_access(settings, :secret)
+        if string? value and value[1].length < 30
 
-            warn :warning_type => "Session Setting",
-              :message => "Session secret should be at least 30 characters long",
-              :confidence => CONFIDENCE[:high],
-              :line => key.line,
-              :file => file
+          warn :warning_type => "Session Setting",
+            :message => "Session secret should be at least 30 characters long",
+            :confidence => CONFIDENCE[:high],
+            :line => value.line,
+            :file => file
 
-          end
         end
       end
     end

data/lib/brakeman/checks/check_skip_before_filter.rb

@@ -39,10 +39,8 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
     args = filter[3]
 
     if symbol? args[1] and args[1][1] == :verify_authenticity_token and hash? args.last
-      hash_iterate args.last do |k, v|
-        if symbol? k and k[1] == :except
-          return true
-        end
+      if hash_access(args.last, :except)
+        return true
       end
     end
 

data/lib/brakeman/checks/check_sql.rb

@@ -17,9 +17,9 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     @rails_version = tracker.config[:rails_version]
 
     if tracker.options[:rails3]
-      @sql_targets = /^(find.*|last|first|all|count|sum|average|minumum|maximum|count_by_sql|where|order|group|having)$/
+      @sql_targets = /^(find|find_by_sql|last|first|all|count|sum|average|minumum|maximum|count_by_sql|where|order|group|having)$/
     else
-      @sql_targets = /^(find.*|last|first|all|count|sum|average|minumum|maximum|count_by_sql)$/
+      @sql_targets = /^(find|find_by_sql|last|first|all|count|sum|average|minumum|maximum|count_by_sql)$/
     end
 
     Brakeman.debug "Finding possible SQL calls on models"
@@ -122,15 +122,18 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     if failed and not call.original_line and not duplicate? result
       add_result result
 
-      if include_user_input? args[-1]
+      if input = include_user_input?(args[-1])
         confidence = CONFIDENCE[:high]
+        user_input = input.match
       else
         confidence = CONFIDENCE[:med]
+        user_input = nil
       end
 
       warn :result => result,
         :warning_type => "SQL Injection",
         :message => "Possible SQL injection",
+        :user_input => user_input,
         :confidence => confidence
     end
 
@@ -215,10 +218,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   def check_for_limit_or_offset_vulnerability options
     return false if @rails_version.nil? or @rails_version >= "2.1.1" or not hash? options
 
-    hash_iterate(options) do |key, value|
-      if symbol? key
-        return (key[1] == :limit or key[1] == :offset)
-      end
+    if hash_access(options, :limit) or hash_access(options[:offset])
+      return true
     end
 
     false

data/lib/brakeman/checks/check_validation_regex.rb

@@ -28,10 +28,8 @@ class Brakeman::CheckValidationRegex < Brakeman::BaseCheck
 
   #Check validates_format_of
   def process_validator validator
-    hash_iterate(validator[-1]) do |key, value|
-      if key == WITH
-        check_regex value, validator
-      end
+    if value = hash_access(validator[-1], WITH)
+      check_regex value, validator
     end
   end
 

data/lib/brakeman/checks/check_without_protection.rb

@@ -23,12 +23,9 @@ class Brakeman::CheckWithoutProtection < Brakeman::BaseCheck
 
     return if models.empty?
 
-    @results = Set.new
-
     Brakeman.debug "Finding all mass assignments"
     calls = tracker.find_call :targets => models, :methods => [:new,
       :attributes=, 
-      :update_attribute, 
       :update_attributes, 
       :update_attributes!,
       :create,
@@ -45,16 +42,18 @@ class Brakeman::CheckWithoutProtection < Brakeman::BaseCheck
     call = res[:call]
     last_arg = call[3][-1]
 
-    if hash? last_arg and not @results.include? call
+    if hash? last_arg and not call.original_line and not duplicate? res
 
-      hash_iterate(last_arg) do |k,v|
-        if symbol? k and k[1] == :without_protection and v[0] == :true
-          @results << call
+      if value = hash_access(last_arg, :without_protection)
+        if true? value
+          add_result res
 
-          if include_user_input? call[3]
+          if input = include_user_input?(call[3])
             confidence = CONFIDENCE[:high]
+            user_input = input.match
           else
             confidence = CONFIDENCE[:med]
+            user_input = nil
           end
 
           warn :result => res, 
@@ -62,9 +61,9 @@ class Brakeman::CheckWithoutProtection < Brakeman::BaseCheck
             :message => "Unprotected mass assignment",
             :line => call.line,
             :code => call, 
+            :user_input => user_input,
             :confidence => confidence
 
-          break
         end
       end
     end

data/lib/brakeman/differ.rb

@@ -0,0 +1,61 @@
+# extracting the diff logic to it's own class for consistency. Currently handles
+# an array of Brakeman::Warnings or plain hash representations.  
+class Brakeman::Differ
+  DEFAULT_HASH = {:new => [], :fixed => []}
+  attr_reader :old_warnings, :new_warnings
+
+  def initialize new_warnings, old_warnings
+    @new_warnings = new_warnings
+    @old_warnings = old_warnings
+  end
+
+  def diff
+    # get the type of elements
+    return DEFAULT_HASH if @new_warnings.empty?
+
+    warnings = {}
+    warnings[:new] = @new_warnings - @old_warnings
+    warnings[:fixed] = @old_warnings - @new_warnings
+
+    second_pass(warnings)
+  end
+
+  # second pass to cleanup any vulns which have changed in line number only.
+  # Given a list of new warnings, delete pairs of new/fixed vulns that differ
+  # only by line number.
+  # Horrible O(n^2) performance.  Keep n small :-/
+  def second_pass(warnings)
+    # keep track of the number of elements deleted because the index numbers
+    # won't update as the list is modified
+    elements_deleted_offset = 0
+
+    # dup this list since we will be deleting from it and the iterator gets confused.
+    # use _with_index for fast deletion as opposed to .reject!{|obj| obj == *_warning}
+    warnings[:new].dup.each_with_index do |new_warning, new_warning_id|
+      warnings[:fixed].each_with_index do |fixed_warning, fixed_warning_id|
+        if eql_except_line_number new_warning, fixed_warning
+          warnings[:new].delete_at(new_warning_id - elements_deleted_offset)
+          elements_deleted_offset += 1
+          warnings[:fixed].delete_at(fixed_warning_id)
+          break
+        end
+      end
+    end
+
+    warnings
+  end
+
+  def eql_except_line_number new_warning, fixed_warning
+    # can't do this ahead of time, as callers may be expecting a Brakeman::Warning
+    if new_warning.is_a? Brakeman::Warning 
+      new_warning = new_warning.to_hash
+      fixed_warning = fixed_warning.to_hash
+    end
+
+    new_warning.keys.reject{|k,v| k == :line}.each do |attr|
+      return false if new_warning[attr] != fixed_warning[attr]
+    end
+
+    true
+  end
+end