brakeman 1.7.0 → 1.7.1

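--- a/data/README.md
+++ b/data/README.md
@@ -1,6 +1,6 @@
 ![Brakeman Logo](http://brakemanscanner.org/images/logo_medium.png)
 
-![Travis CI Status](https://secure.travis-ci.org/presidentbeef/brakeman.png)
+![Travis CI Status](https://secure.travis-ci.org/presidentbeef/brakeman.png) [![Code Climate](https://codeclimate.com/badge.png)](https://codeclimate.com/github/presidentbeef/brakeman)
 
 # Brakeman
 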
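--- a/[path not on page: Brakeman::CheckCrossSiteScripting]
+++ b/[path not on page: Brakeman::CheckCrossSiteScripting]
@@ -38,7 +38,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
 @ignore_methods = Set[:button_to, :check_box, :content_tag, :escapeHTML, :escape_once,
 :field_field, :fields_for, :h, :hidden_field,
 :hidden_field, :hidden_field_tag, :image_tag, :label,
-:link_to, :mail_to, :radio_button,
+:link_to, :mail_to, :radio_button, :select,
 :submit_tag, :text_area, :text_field,
 :text_field_tag, :url_encode, :url_for,
 :will_paginate].merge tracker.options[:safe_methods]
@@ -54,8 +54,8 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
 @ignore_methods << :auto_link
 end
 
-if tracker.options[:rails3]
-@ignore_methods << :select
+if version_between? "2.0.0", "2.3.14"
+@known_dangerous << :strip_tags
 end
 
 tracker.each_template do |name, template|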
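Review bot: The new `if version_between? "2.0.0", "2.3.14"` block that pushes `:strip_tags` onto `@known_dangerous` gives no reason why strip_tags is treated as dangerous only on 2.x, while the CheckStripTags change on this page (cve_2012_3465) additionally requires `tracker.config[:escape_html]` for 2.x and also covers 3.0.10–3.2.7. If the narrower treatment here is deliberate, a why-comment would spare the next reader the cross-check, e.g. `#All Rails 2.x versions have a vulnerable strip_tags (CVE-2012-3465)`. The unconditional `:select` in `@ignore_methods` in the first hunk replaces the Rails-3-only ignore removed in the second; that presumes CheckSelectVulnerability now reports 2.x uses of select(), which the change further down on this page adds, and naming that dependency in a comment next to `:select` would keep the two checks from drifting apart. `@known_dangerous` must already be initialised above the hunk, which is not visible here; run_check, which encloses both hunks, starts before and ends after them.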
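--- /dev/null
+++ b/lib/brakeman/checks/check_select_tag.rb
@@ -0,0 +1,59 @@
+require 'brakeman/checks/base_check'
+
+#Checks for CVE-2012-3463, unescaped input in :prompt option of select_tag:
+#https://groups.google.com/d/topic/rubyonrails-security/fV3QUToSMSw/discussion
+class Brakeman::CheckSelectTag < Brakeman::BaseCheck
+Brakeman::Checks.add self
+
+@description = "Looks for unsafe uses of select_tag() in some versions of Rails 3.x"
+
+def run_check
+
+if version_between? "3.0.0", "3.0.16"
+suggested_version = "3.0.17"
+elsif version_between? "3.1.0", "3.1.7"
+suggested_version = "3.1.8"
+elsif version_between? "3.2.0", "3.2.7"
+suggested_version = "3.2.8"
+else
+return
+end
+
+@ignore_methods = Set[:escapeHTML, :escape_once, :h].merge tracker.options[:safe_methods]
+
+@message = "Upgrade to Rails #{suggested_version}, #{tracker.config[:rails_version]} select_tag is vulnerable (CVE-2012-3463)"
+
+calls = tracker.find_call(:target => nil, :method => :select_tag).select do |result|
+result[:location][0] == :template
+end
+
+calls.each do |result|
+process_result result
+end
+end
+
+#Check if select_tag is called with user input in :prompt option
+def process_result result
+return if duplicate? result
+add_result result
+
+#Only concerned if user input is supplied for :prompt option
+last_arg = result[:call][3][-1]
+
+if hash? last_arg
+prompt_option = hash_access last_arg, :prompt
+
+if call? prompt_option and @ignore_methods.include? prompt_option[2]
+return
+elsif sexp? prompt_option and input = include_user_input?(prompt_option)
+
+warn :warning_type => "Cross Site Scripting",
+:result => result,
+:message => @message,
+:confidence => CONFIDENCE[:high],
+:user_input => input.match,
+:link_path => "https://groups.google.com/d/topic/rubyonrails-security/fV3QUToSMSw/discussion"
+end
+end
+end
+end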
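Review bot: process_result only inspects a literal hash in the last argument position (`last_arg = result[:call][3][-1]` followed by `if hash? last_arg`), so a select_tag call whose options hash arrives through a local variable or a helper is silently skipped; that false-negative surface deserves a comment on the `if`, e.g. `#Only a literal options hash is inspected; option hashes built elsewhere are not followed`. When select_tag is called with no arguments, `result[:call][3][-1]` presumably yields the argument list node's own head rather than an argument; `hash?` should reject it, but a `return unless sexp? last_arg` guard before the hash check would make that intent explicit rather than incidental. The assignment inside the condition at `elsif sexp? prompt_option and input = include_user_input?(prompt_option)` is easy to misread as a comparison, and a short `#assignment is intended` comment on that line would help a reader who does not know the idiom.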
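--- a/lib/brakeman/checks/check_select_vulnerability.rb
+++ b/lib/brakeman/checks/check_select_vulnerability.rb
@@ -5,7 +5,7 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckSelectVulnerability < Brakeman::BaseCheck
 Brakeman::Checks.add self
 
-@description = "Looks for unsafe uses of select() helper in some versions of Rails 3.x"
+@description = "Looks for unsafe uses of select() helper"
 
 def run_check
 
@@ -15,6 +15,8 @@ class Brakeman::CheckSelectVulnerability < Brakeman::BaseCheck
 suggested_version = "3.1.4"
 elsif version_between? "3.2.0", "3.2.1"
 suggested_version = "3.2.2"
+elsif version_between? "2.0.0", "3.0.0"
+suggested_version = "3 or use options_for_select"
 else
 return
 end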
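Review bot: The upper bound of the new `elsif version_between? "2.0.0", "3.0.0"` branch includes 3.0.0 itself if version_between? is inclusive, as the other ranges on this page suggest (`"3.0.0", "3.0.16"` is paired with a suggested 3.0.17); a 3.0.0 application would then receive the "3 or use options_for_select" advice unless a 3.0.x branch above the hunk has already claimed it, which is not visible here. The other checks on this page bound Rails 2 with `version_between? "2.0.0", "2.3.14"`; using the same bound here, `elsif version_between? "2.0.0", "2.3.14"`, removes the overlap question and keeps the ranges consistent across checks. run_check starts above the hunk, and the message that consumes suggested_version is outside it as well.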
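--- /dev/null
+++ b/lib/brakeman/checks/check_single_quotes.rb
@@ -0,0 +1,100 @@
+require 'brakeman/checks/base_check'
+
+#Checks for versions which do not escape single quotes.
+#https://groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion
+class Brakeman::CheckSingleQuotes < Brakeman::BaseCheck
+Brakeman::Checks.add self
+RACK_UTILS = Sexp.new(:colon2, Sexp.new(:const, :Rack), :Utils)
+
+@description = "Check for versions which do not escape single quotes (CVE-2012-3464)"
+
+def initialize *args
+super
+@inside_erb = @inside_util = @inside_html_escape = @uses_rack_escape = false
+end
+
+def run_check
+return if uses_rack_escape?
+
+case
+when version_between?('2.0.0', '2.3.14')
+message = "All Rails 2.x versions do not escape single quotes (CVE-2012-3464)"
+when version_between?('3.0.0', '3.0.16')
+message = "Rails #{tracker.config[:rails_version]} does not escape single quotes (CVE-2012-3464). Upgrade to 3.0.17"
+when version_between?('3.1.0', '3.1.7')
+message = "Rails #{tracker.config[:rails_version]} does not escape single quotes (CVE-2012-3464). Upgrade to 3.1.8"
+when version_between?('3.2.0', '3.2.7')
+message = "Rails #{tracker.config[:rails_version]} does not escape single quotes (CVE-2012-3464). Upgrade to 3.2.8"
+else
+return
+end
+
+warn :warning_type => "Cross Site Scripting",
+:message => message,
+:confidence => CONFIDENCE[:med],
+:file => gemfile_or_environment,
+:link_path => "https://groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion"
+end
+
+#Process initializers to see if they use workaround
+#by replacing Erb::Util.html_escape
+def uses_rack_escape?
+@tracker.initializers.each do |name, src|
+process src
+end
+
+@uses_rack_escape
+end
+
+#Look for
+#
+# class ERB
+def process_class exp
+if exp[1] == :ERB
+@inside_erb = true
+process exp[-1]
+@inside_erb = false
+end
+
+exp
+end
+
+#Look for
+#
+# module Util
+def process_module exp
+if @inside_erb and exp[1] == :Util
+@inside_util = true
+process exp[-1]
+@inside_util = false
+end
+
+exp
+end
+
+#Look for
+#
+# def html_escape
+def process_defn exp
+if @inside_util and exp[1] == :html_escape
+@inside_html_escape = true
+process exp[-1]
+@inside_html_escape = false
+end
+
+exp
+end
+
+#Look for
+#
+# Rack::Utils.escape_html
+def process_call exp
+if @inside_html_escape and exp[1] == RACK_UTILS and exp[2] == :escape_html
+@uses_rack_escape = true
+else
+process exp[1] if exp[1]
+end
+
+exp
+end
+end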
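Review bot: process_call only descends into the call target (`process exp[1] if exp[1]`) and never into the arguments, so a `Rack::Utils.escape_html` call that appears as an argument of another call inside the patched html_escape would not set `@uses_rack_escape` and run_check would still warn; whether BaseCheck's default traversal already visits arguments is not visible here, so this may be intentional. Either a comment stating that only the receiver chain is followed, or processing the argument list in the else branch as well, would settle it. uses_rack_escape? also looks only at `@tracker.initializers`, so an override placed anywhere else yields the same warning; the class comment could say so: `#The workaround is only recognized when it lives in an initializer`. The medium confidence on the warning is unexplained; if it reflects that the workaround may live outside initializers, a short comment next to `CONFIDENCE[:med]` would tell a reader why the rating differs from the other version checks on this page.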
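--- a/[path not on page: Brakeman::CheckStripTags]
+++ b/[path not on page: Brakeman::CheckStripTags]
@@ -1,30 +1,59 @@
 require 'brakeman/checks/base_check'
 
-#Checks for uses of strip_tags in Rails versions before 2.3.13 and 3.0.10
+#Check for uses of strip_tags in Rails versions before 3.0.17, 3.1.8, 3.2.8 (including 2.3.x):
+#https://groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion
+#
+#Check for uses of strip_tags in Rails versions before 2.3.13 and 3.0.10:
 #http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12
 class Brakeman::CheckStripTags < Brakeman::BaseCheck
 Brakeman::Checks.add self
 
-@description = "Report strip_tags vulnerability in versions before 2.3.13 and 3.0.10"
+@description = "Report strip_tags vulnerabilities CVE-2011-2931 and CVE-2012-3465"
 
 def run_check
-if (version_between?('2.0.0', '2.3.12') or
-version_between?('3.0.0', '3.0.9')) and uses_strip_tags?
+if uses_strip_tags?
+cve_2011_2931
+cve_2012_3465
+end
+end
 
+def cve_2011_2931
+if version_between?('2.0.0', '2.3.12') or version_between?('3.0.0', '3.0.9')
 if tracker.config[:rails_version] =~ /^3/
-message = "Versions before 3.0.10 have a vulnerability in strip_tags: CVE-2011-2931"
+message = "Versions before 3.0.10 have a vulnerability in strip_tags (CVE-2011-2931)"
 else
-message = "Versions before 2.3.13 have a vulnerability in strip_tags: CVE-2011-2931"
+message = "Versions before 2.3.13 have a vulnerability in strip_tags (CVE-2011-2931)"
 end
 
 warn :warning_type => "Cross Site Scripting",
 :message => message,
-:confidence => CONFIDENCE[:high],
 :file => gemfile_or_environment,
+:confidence => CONFIDENCE[:high],
 :link_path => "https://groups.google.com/d/topic/rubyonrails-security/K5EwdJt06hI/discussion"
 end
 end
 
+def cve_2012_3465
+case
+when (version_between?('2.0.0', '2.3.14') and tracker.config[:escape_html])
+message = "All Rails 2.x versions have a vulnerability in strip_tags (CVE-2012-3465)"
+when version_between?('3.0.10', '3.0.16')
+message = "Rails #{tracker.config[:rails_version]} has a vulnerability in strip_tags (CVE-2012-3465). Upgrade to 3.0.17"
+when version_between?('3.1.0', '3.1.7')
+message = "Rails #{tracker.config[:rails_version]} has a vulnerability in strip_tags (CVE-2012-3465). Upgrade to 3.1.8"
+when version_between?('3.2.0', '3.2.7')
+message = "Rails #{tracker.config[:rails_version]} has a vulnerability in strip_tags (CVE-2012-3465). Upgrade to 3.2.8"
+else
+return
+end
+
+warn :warning_type => "Cross Site Scripting",
+:message => message,
+:confidence => CONFIDENCE[:high],
+:file => gemfile_or_environment,
+:link_path => "https://groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion"
+end
+
 def uses_strip_tags?
 Brakeman.debug "Finding calls to strip_tags()"
 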
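Review bot: In cve_2012_3465 the Rails 2.x branch `when (version_between?('2.0.0', '2.3.14') and tracker.config[:escape_html])` adds an escape_html qualifier that no other branch has and that the CheckCrossSiteScripting hunk on this page, which marks strip_tags dangerous for all of 2.0.0–2.3.14, does not apply; the reasoning is not written down. If the intent is that without escape_html every 2.x output is already reported as unescaped, say so next to the `when`: `#Without escape_html all 2.x output is already reported unescaped; strip_tags only matters once escaping is on`. That reading is an inference, since the XSS check's behaviour on 2.x without escape_html is not on this page. The context line `if tracker.config[:rails_version] =~ /^3/` in cve_2011_2931 uses a per-line anchor for what is a whole-string prefix test, and `start_with?('3')` would state the intent without the regexp. The new methods cve_2011_2931 and cve_2012_3465 are public; unless BaseCheck calls them by name, placing them under `private` keeps the check's surface to run_check.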
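--- a/[path not on page: Brakeman Report HTML template]
+++ b/[path not on page: Brakeman Report HTML template]
@@ -1,6 +1,7 @@
 <!DOCTYPE HTML SYSTEM>
 <html>
 <head>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
 <title>Brakeman Report</title>
 <script>
 function toggle(context) {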
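--- a/[path not on page: Brakeman::Version]
+++ b/[path not on page: Brakeman::Version]
@@ -1,3 +1,3 @@
 module Brakeman
-Version = "1.7.0"
+Version = "1.7.1"
 end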
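--- a/metadata
+++ b/metadata
@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-hash: 11
+hash: 9
 prerelease:
 segments:
 - 1
 - 7
-- 0
-version: 1.7.0
+- 1
+version: 1.7.1
 platform: ruby
 authors:
 - Justin Collins
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2012-07-31 00:00:00 Z
+date: 2012-08-13 00:00:00 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
@@ -205,6 +205,7 @@ files:
 - lib/brakeman/format/style.css
 - lib/brakeman/checks/check_select_vulnerability.rb
 - lib/brakeman/checks/check_escape_function.rb
+- lib/brakeman/checks/check_single_quotes.rb
 - lib/brakeman/checks/check_basic_auth.rb
 - lib/brakeman/checks/check_safe_buffer_manipulation.rb
 - lib/brakeman/checks/check_forgery_setting.rb
@@ -215,6 +216,7 @@ files:
 - lib/brakeman/checks/check_response_splitting.rb
 - lib/brakeman/checks/check_mail_to.rb
 - lib/brakeman/checks/check_sql.rb
+- lib/brakeman/checks/check_select_tag.rb
 - lib/brakeman/checks/check_mass_assignment.rb
 - lib/brakeman/checks/check_link_to_href.rb
 - lib/brakeman/checks/check_filter_skipping.rb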