brakeman 1.7.0 → 1.7.1

data/README.md

@@ -1,6 +1,6 @@
 ![Brakeman Logo](http://brakemanscanner.org/images/logo_medium.png)
 
-![Travis CI Status](https://secure.travis-ci.org/presidentbeef/brakeman.png)
+![Travis CI Status](https://secure.travis-ci.org/presidentbeef/brakeman.png) [![Code Climate](https://codeclimate.com/badge.png)](https://codeclimate.com/github/presidentbeef/brakeman)
 
 # Brakeman
 

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -38,7 +38,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
     @ignore_methods = Set[:button_to, :check_box, :content_tag, :escapeHTML, :escape_once,
                            :field_field, :fields_for, :h, :hidden_field,
                            :hidden_field, :hidden_field_tag, :image_tag, :label,
-                           :link_to, :mail_to, :radio_button,
+                           :link_to, :mail_to, :radio_button, :select,
                            :submit_tag, :text_area, :text_field,
                            :text_field_tag, :url_encode, :url_for,
                            :will_paginate].merge tracker.options[:safe_methods]
@@ -54,8 +54,8 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
       @ignore_methods << :auto_link
     end
 
-    if tracker.options[:rails3]
-      @ignore_methods << :select
+    if version_between? "2.0.0", "2.3.14"
+      @known_dangerous << :strip_tags
     end
 
     tracker.each_template do |name, template|

data/lib/brakeman/checks/check_select_tag.rb

@@ -0,0 +1,59 @@
+require 'brakeman/checks/base_check'
+
+#Checks for CVE-2012-3463, unescaped input in :prompt option of select_tag:
+#https://groups.google.com/d/topic/rubyonrails-security/fV3QUToSMSw/discussion
+class Brakeman::CheckSelectTag < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Looks for unsafe uses of select_tag() in some versions of Rails 3.x"
+
+  def run_check
+
+    if version_between? "3.0.0", "3.0.16"
+      suggested_version = "3.0.17"
+    elsif version_between? "3.1.0", "3.1.7"
+      suggested_version = "3.1.8"
+    elsif version_between? "3.2.0", "3.2.7"
+      suggested_version = "3.2.8"
+    else
+      return
+    end
+
+    @ignore_methods = Set[:escapeHTML, :escape_once, :h].merge tracker.options[:safe_methods]
+
+    @message = "Upgrade to Rails #{suggested_version}, #{tracker.config[:rails_version]} select_tag is vulnerable (CVE-2012-3463)"
+
+    calls = tracker.find_call(:target => nil, :method => :select_tag).select do |result|
+      result[:location][0] == :template
+    end
+
+    calls.each do |result|
+      process_result result
+    end
+  end
+
+  #Check if select_tag is called with user input in :prompt option
+  def process_result result
+    return if duplicate? result
+    add_result result
+
+    #Only concerned if user input is supplied for :prompt option
+    last_arg = result[:call][3][-1]
+
+    if hash? last_arg
+      prompt_option = hash_access last_arg, :prompt
+
+      if call? prompt_option and @ignore_methods.include? prompt_option[2]
+        return
+      elsif sexp? prompt_option and input = include_user_input?(prompt_option)
+
+        warn :warning_type => "Cross Site Scripting",
+          :result => result,
+          :message => @message,
+          :confidence => CONFIDENCE[:high],
+          :user_input => input.match,
+          :link_path => "https://groups.google.com/d/topic/rubyonrails-security/fV3QUToSMSw/discussion"
+      end
+    end
+  end
+end

data/lib/brakeman/checks/check_select_vulnerability.rb

@@ -5,7 +5,7 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckSelectVulnerability < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
-  @description = "Looks for unsafe uses of select() helper in some versions of Rails 3.x"
+  @description = "Looks for unsafe uses of select() helper"
 
   def run_check
 
@@ -15,6 +15,8 @@ class Brakeman::CheckSelectVulnerability < Brakeman::BaseCheck
       suggested_version = "3.1.4"
     elsif version_between? "3.2.0", "3.2.1"
       suggested_version = "3.2.2"
+    elsif version_between? "2.0.0", "3.0.0"
+      suggested_version = "3 or use options_for_select"
     else
       return
     end

data/lib/brakeman/checks/check_single_quotes.rb

@@ -0,0 +1,100 @@
+require 'brakeman/checks/base_check'
+
+#Checks for versions which do not escape single quotes.
+#https://groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion
+class Brakeman::CheckSingleQuotes < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+  RACK_UTILS = Sexp.new(:colon2, Sexp.new(:const, :Rack), :Utils)
+
+  @description = "Check for versions which do not escape single quotes (CVE-2012-3464)"
+
+  def initialize *args
+    super
+    @inside_erb = @inside_util = @inside_html_escape = @uses_rack_escape = false
+  end
+
+  def run_check
+    return if uses_rack_escape?
+
+    case
+    when version_between?('2.0.0', '2.3.14')
+      message = "All Rails 2.x versions do not escape single quotes (CVE-2012-3464)"
+    when version_between?('3.0.0', '3.0.16')
+      message = "Rails #{tracker.config[:rails_version]} does not escape single quotes (CVE-2012-3464). Upgrade to 3.0.17"
+    when version_between?('3.1.0', '3.1.7')
+      message = "Rails #{tracker.config[:rails_version]} does not escape single quotes (CVE-2012-3464). Upgrade to 3.1.8"
+    when version_between?('3.2.0', '3.2.7')
+      message = "Rails #{tracker.config[:rails_version]} does not escape single quotes (CVE-2012-3464). Upgrade to 3.2.8"
+    else
+      return
+    end
+
+    warn :warning_type => "Cross Site Scripting",
+      :message => message,
+      :confidence => CONFIDENCE[:med],
+      :file => gemfile_or_environment,
+      :link_path => "https://groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion"
+  end
+
+  #Process initializers to see if they use workaround
+  #by replacing Erb::Util.html_escape
+  def uses_rack_escape?
+    @tracker.initializers.each do |name, src|
+      process src
+    end
+
+    @uses_rack_escape
+  end
+
+  #Look for
+  #
+  #    class ERB
+  def process_class exp
+    if exp[1] == :ERB
+      @inside_erb = true
+      process exp[-1]
+      @inside_erb = false
+    end
+
+    exp
+  end
+
+  #Look for
+  #
+  #    module Util
+  def process_module exp
+    if @inside_erb and exp[1] == :Util
+      @inside_util = true
+      process exp[-1]
+      @inside_util = false
+    end
+
+    exp
+  end
+
+  #Look for
+  #
+  #    def html_escape
+  def process_defn exp
+    if @inside_util and exp[1] == :html_escape
+      @inside_html_escape = true
+      process exp[-1]
+      @inside_html_escape = false
+    end
+
+    exp
+  end
+
+  #Look for
+  #
+  #    Rack::Utils.escape_html
+  def process_call exp
+    if @inside_html_escape and exp[1] == RACK_UTILS and exp[2] == :escape_html
+      @uses_rack_escape = true
+    else
+      process exp[1] if exp[1]
+    end
+
+    exp
+  end
+end

data/lib/brakeman/checks/check_strip_tags.rb

@@ -1,30 +1,59 @@
 require 'brakeman/checks/base_check'
 
-#Checks for uses of strip_tags in Rails versions before 2.3.13 and 3.0.10
+#Check for uses of strip_tags in Rails versions before 3.0.17, 3.1.8, 3.2.8 (including 2.3.x):
+#https://groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion
+#
+#Check for uses of strip_tags in Rails versions before 2.3.13 and 3.0.10:
 #http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12
 class Brakeman::CheckStripTags < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
-  @description = "Report strip_tags vulnerability in versions before 2.3.13 and 3.0.10"
+  @description = "Report strip_tags vulnerabilities CVE-2011-2931 and CVE-2012-3465"
 
   def run_check
-    if (version_between?('2.0.0', '2.3.12') or 
-        version_between?('3.0.0', '3.0.9')) and uses_strip_tags?
+    if uses_strip_tags?
+      cve_2011_2931
+      cve_2012_3465
+    end
+  end
 
+  def cve_2011_2931
+    if version_between?('2.0.0', '2.3.12') or version_between?('3.0.0', '3.0.9')
       if tracker.config[:rails_version] =~ /^3/
-        message = "Versions before 3.0.10 have a vulnerability in strip_tags: CVE-2011-2931"
+        message = "Versions before 3.0.10 have a vulnerability in strip_tags (CVE-2011-2931)"
       else
-        message = "Versions before 2.3.13 have a vulnerability in strip_tags: CVE-2011-2931"
+        message = "Versions before 2.3.13 have a vulnerability in strip_tags (CVE-2011-2931)"
       end
 
       warn :warning_type => "Cross Site Scripting",
         :message => message,
-        :confidence => CONFIDENCE[:high],
         :file => gemfile_or_environment,
+        :confidence => CONFIDENCE[:high],
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/K5EwdJt06hI/discussion"
     end
   end
 
+  def cve_2012_3465
+    case
+    when (version_between?('2.0.0', '2.3.14') and tracker.config[:escape_html])
+      message = "All Rails 2.x versions have a vulnerability in strip_tags (CVE-2012-3465)"
+    when version_between?('3.0.10', '3.0.16')
+      message = "Rails #{tracker.config[:rails_version]} has a vulnerability in strip_tags (CVE-2012-3465). Upgrade to 3.0.17"
+    when version_between?('3.1.0', '3.1.7')
+      message = "Rails #{tracker.config[:rails_version]} has a vulnerability in strip_tags (CVE-2012-3465). Upgrade to 3.1.8"
+    when version_between?('3.2.0', '3.2.7')
+      message = "Rails #{tracker.config[:rails_version]} has a vulnerability in strip_tags (CVE-2012-3465). Upgrade to 3.2.8"
+    else
+      return
+    end
+
+    warn :warning_type => "Cross Site Scripting",
+      :message => message,
+      :confidence => CONFIDENCE[:high],
+      :file => gemfile_or_environment,
+      :link_path => "https://groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion"
+  end
+
   def uses_strip_tags?
     Brakeman.debug "Finding calls to strip_tags()"
 

data/lib/brakeman/templates/header.html.erb

@@ -1,6 +1,7 @@
 <!DOCTYPE HTML SYSTEM>
 <html>
 <head>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
 <title>Brakeman Report</title>
   <script>
     function toggle(context) {

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "1.7.0"
+  Version = "1.7.1"
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: brakeman
 version: !ruby/object:Gem::Version 
-  hash: 11
+  hash: 9
   prerelease: 
   segments: 
   - 1
   - 7
-  - 0
-  version: 1.7.0
+  - 1
+  version: 1.7.1
 platform: ruby
 authors: 
 - Justin Collins
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2012-07-31 00:00:00 Z
+date: 2012-08-13 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: activesupport
@@ -205,6 +205,7 @@ files:
 - lib/brakeman/format/style.css
 - lib/brakeman/checks/check_select_vulnerability.rb
 - lib/brakeman/checks/check_escape_function.rb
+- lib/brakeman/checks/check_single_quotes.rb
 - lib/brakeman/checks/check_basic_auth.rb
 - lib/brakeman/checks/check_safe_buffer_manipulation.rb
 - lib/brakeman/checks/check_forgery_setting.rb
@@ -215,6 +216,7 @@ files:
 - lib/brakeman/checks/check_response_splitting.rb
 - lib/brakeman/checks/check_mail_to.rb
 - lib/brakeman/checks/check_sql.rb
+- lib/brakeman/checks/check_select_tag.rb
 - lib/brakeman/checks/check_mass_assignment.rb
 - lib/brakeman/checks/check_link_to_href.rb
 - lib/brakeman/checks/check_filter_skipping.rb