RubyGems - brakeman - Versions diffs - 1.6.1 → 1.6.2 - Mend

brakeman 1.6.1 → 1.6.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

data/bin/brakeman +1 -1
data/lib/brakeman/checks/check_redirect.rb +16 -11
data/lib/brakeman/checks/check_sql.rb +36 -0
data/lib/brakeman/processors/controller_alias_processor.rb +15 -7
data/lib/brakeman/scanner.rb +1 -1
data/lib/brakeman/util.rb +3 -1
data/lib/brakeman/version.rb +1 -1
metadata +4 -5
data/lib/brakeman/processors/params_processor.rb +0 -76

data/bin/brakeman CHANGED Viewed

@@ -53,7 +53,7 @@ trap("INT") do
 end
 if options[:previous_results_json]
-  vulns = Brakeman.compare options
+  vulns = Brakeman.compare options.merge(:quiet => options[:quiet])
   puts JSON.pretty_generate(vulns)
 else
   #Run scan and output a report

data/lib/brakeman/checks/check_redirect.rb CHANGED Viewed

@@ -13,6 +13,12 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
   def run_check
     Brakeman.debug "Finding calls to redirect_to()"
+    @model_find_calls = Set[:all, :find, :find_by_sql, :first, :last, :new]
+    if tracker.options[:rails3]
+      @model_find_calls.merge [:from, :group, :having, :joins, :lock, :order, :reorder, :select, :where]
+    end
     @tracker.find_call(:target => false, :method => :redirect_to).each do |res|
       process_result res
     end
@@ -50,20 +56,19 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
   def include_user_input? call
     Brakeman.debug "Checking if call includes user input"
-    if tracker.options[:ignore_redirect_to_model] and call? call[3][1] and
-      call[3][1][2] == :new and call[3][1][1]
+    args = call[3]
-      begin
-        target = class_name call[3][1][1]
-        if @tracker.models.include? target
-          return false
-        end
-      rescue
-      end
+    if tracker.options[:ignore_redirect_to_model] and call? args[1] and
+      (@model_find_calls.include? args[1][2] or args[1][2].to_s.match(/^find_by_/)) and
+      model_name? args[1][1]
+      return false
     end
-    call[3].each do |arg|
-      if call? arg
+    args.each do |arg|
+      if res = has_immediate_model?(arg)
+        return Match.new(:immediate, res)
+      elsif call? arg
         if request_value? arg
           return Match.new(:immediate, arg)
         elsif request_value? arg[1]

data/lib/brakeman/checks/check_sql.rb CHANGED Viewed

@@ -37,6 +37,15 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     Brakeman.debug "Finding calls to named_scope or scope"
     calls.concat find_scope_calls
+    Brakeman.debug "Checking version of Rails for CVE-2012-2660"
+    check_rails_version_for_cve_2012_2660
+    Brakeman.debug "Checking version of Rails for CVE-2012-2661"
+    check_rails_version_for_cve_2012_2661
+    Brakeman.debug "Checking version of Rails for CVE-2012-2695"
+    check_rails_version_for_cve_2012_2695
     Brakeman.debug "Processing possible SQL calls"
     calls.each do |c|
       process_result c
@@ -80,6 +89,33 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     scope_calls
   end
+  def check_rails_version_for_cve_2012_2660
+    if version_between?("2.0.0", "3.0.0") || version_between?("3.0.0", "3.0.12") || version_between?("3.1.0", "3.1.4") || version_between?("3.2.0", "3.2.3")
+      warn :warning_type => 'SQL Injection',
+        :message => 'All versions of Rails before 3.0.13, 3.1.5, and 3.2.5 contain a SQL Query Generation Vulnerability: CVE-2012-2660; Upgrade to 3.2.5, 3.1.5, 3.0.13',
+        :confidence => CONFIDENCE[:high],
+        :file => gemfile_or_environment
+    end
+  end
+  def check_rails_version_for_cve_2012_2661
+    if version_between?("3.0.0", "3.0.12") || version_between?("3.1.0", "3.1.4") || version_between?("3.2.0", "3.2.3")
+      warn :warning_type => 'SQL Injection',
+        :message => 'All versions of Rails before 3.0.13, 3.1.5, and 3.2.5 contain a SQL Injection Vulnerability: CVE-2012-2661; Upgrade to 3.2.5, 3.1.5, 3.0.13',
+        :confidence => CONFIDENCE[:high],
+        :file => gemfile_or_environment
+    end
+  end
+  def check_rails_version_for_cve_2012_2695
+    if version_between?("2.0.0", "3.0.0") || version_between?("3.0.0", "3.0.13") || version_between?("3.1.0", "3.1.5") || version_between?("3.2.0", "3.2.5")
+      warn :warning_type => 'SQL Injection',
+        :message => 'All versions of Rails before 3.0.14, 3.1.6, and 3.2.6 contain SQL Injection Vulnerabilities: CVE-2012-2694 and CVE-2012-2695; Upgrade to 3.2.6, 3.1.6, 3.0.14',
+        :confidence => CONFIDENCE[:high],
+        :file => gemfile_or_environment
+    end
+  end
   def process_scope_with_block model_name, args
     scope_name = args[1][1]
     block = args[-1][-1]

data/lib/brakeman/processors/controller_alias_processor.rb CHANGED Viewed

@@ -219,17 +219,25 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
   #Returns an array of filter names
   def get_before_filters method, controller
+    return [] unless controller[:options] and controller[:options][:before_filters]
     filters = []
-    return filters unless controller[:options]
-    filter_list = controller[:options][:before_filters]
-    return filters unless filter_list
-    filter_list.each do |filter|
-      f = before_filter_to_hash filter
+    if controller[:before_filter_cache].nil?
+      filter_cache = []
+      controller[:options][:before_filters].each do |filter|
+        filter_cache << before_filter_to_hash(filter)
+      end
+      controller[:before_filter_cache] = filter_cache
+    end
+    controller[:before_filter_cache].each do |f|
       if f[:all] or
         (f[:only] == method) or
         (f[:only].is_a? Array and f[:only].include? method) or
-        (f[:except] == method) or
+        (f[:except].is_a? Symbol and f[:except] != method) or
         (f[:except].is_a? Array and not f[:except].include? method)
         filters.concat f[:methods]
@@ -254,7 +262,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
     filter[:methods] = [args[0][1]]
     args[1..-1].each do |a|
-      filter[:methods] << a[1] unless a.node_type == :hash
+      filter[:methods] << a[1] if a.node_type == :lit
     end
     if args[-1].node_type == :hash

data/lib/brakeman/scanner.rb CHANGED Viewed

@@ -19,7 +19,7 @@ begin
 rescue LoadError => e
   $stderr.puts e.message
   $stderr.puts "Please install the appropriate dependency."
-  exit
+  exit -1
 end
 #Scans the Rails application.

data/lib/brakeman/util.rb CHANGED Viewed

@@ -11,6 +11,8 @@ module Brakeman::Util
   REQUEST_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request, Sexp.new(:arglist)), :request_parameters, Sexp.new(:arglist))
+  REQUEST_PARAMS = Sexp.new(:call, Sexp.new(:call, nil, :request, Sexp.new(:arglist)), :parameters, Sexp.new(:arglist))
   REQUEST_ENV = Sexp.new(:call, Sexp.new(:call, nil, :request, Sexp.new(:arglist)), :env, Sexp.new(:arglist))
   PARAMETERS = Sexp.new(:call, nil, :params, Sexp.new(:arglist))
@@ -19,7 +21,7 @@ module Brakeman::Util
   SESSION = Sexp.new(:call, nil, :session, Sexp.new(:arglist))
-  ALL_PARAMETERS = Set[PARAMETERS, QUERY_PARAMETERS, PATH_PARAMETERS, REQUEST_PARAMETERS]
+  ALL_PARAMETERS = Set[PARAMETERS, QUERY_PARAMETERS, PATH_PARAMETERS, REQUEST_PARAMETERS, REQUEST_PARAMS]
   #Convert a string from "something_like_this" to "SomethingLikeThis"
   #

data/lib/brakeman/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "1.6.1"
+  Version = "1.6.2"
 end

metadata CHANGED Viewed

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-  hash: 13
+  hash: 11
   prerelease:
   segments:
   - 1
   - 6
-  - 1
-  version: 1.6.1
+  - 2
+  version: 1.6.2
 platform: ruby
 authors:
 - Justin Collins
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-05-23 00:00:00 Z
+date: 2012-06-13 00:00:00 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -202,7 +202,6 @@ files:
 - lib/brakeman/warning.rb
 - lib/brakeman/differ.rb
 - lib/brakeman/processors/gem_processor.rb
-- lib/brakeman/processors/params_processor.rb
 - lib/brakeman/processors/controller_alias_processor.rb
 - lib/brakeman/processors/base_processor.rb
 - lib/brakeman/processors/controller_processor.rb

data/lib/brakeman/processors/params_processor.rb DELETED Viewed

@@ -1,76 +0,0 @@
-require 'sexp_processor'
-require 'set'
-#Looks for request parameters. Not used currently.
-class Brakeman::ParamsProcessor < SexpProcessor
-  attr_reader :result
-  def initialize
-    super()
-    self.strict = false
-    self.auto_shift_type = false
-    self.require_empty = false
-    self.default_method = :process_default
-    self.warn_on_default = false
-    @result = []
-    @matched = false
-    @mark = false
-    @watch_nodes = Set[:call, :iasgn, :lasgn, :gasgn, :cvasgn, :return, :attrasgn]
-    @params = Sexp.new(:call, nil, :params, Sexp.new(:arglist))
-  end
-  def process_default exp
-    if @watch_nodes.include?(exp.node_type) and not @mark
-      @mark = true
-      @matched = false
-      process_these exp[1..-1]
-      if @matched
-        @result << exp
-        @matched = false
-      end
-      @mark = false
-    else
-      process_these exp[1..-1]
-    end
-    exp
-  end
-  def process_these exp
-    exp.each do |e|
-      if sexp? e and not e.empty?
-        process e
-      end
-    end
-  end
-  def process_call exp
-    if @mark
-      actually_process_call exp
-    else
-      @mark = true
-      actually_process_call exp
-      if @matched
-        @result << exp
-      end
-      @mark = @matched = false
-    end
-    exp
-  end
-  def actually_process_call exp
-    process exp[1]
-    process exp[3]
-    if exp[1] == @params or exp == @params
-      @matched = true
-    end
-  end
-  #Don't really care about condition
-  def process_if exp
-    process_these exp[2..-1]
-    exp
-  end
-end