brakeman 1.8.3 → 1.9.0.pre1

data/lib/brakeman/checks/check_translate_bug.rb

@@ -1,7 +1,6 @@
 require 'brakeman/checks/base_check'
 
 #Check for vulnerability in translate() helper that allows cross-site scripting
-#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5
 class Brakeman::CheckTranslateBug < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
@@ -12,32 +11,34 @@ class Brakeman::CheckTranslateBug < Brakeman::BaseCheck
         version_between?('3.0.0', '3.0.10') or
         version_between?('3.1.0', '3.1.1')
 
-      if uses_translate?
-        confidence = CONFIDENCE[:high]
+      confidence = if uses_translate?
+        CONFIDENCE[:high]
       else
-        confidence = CONFIDENCE[:med]
+        CONFIDENCE[:med]
       end
 
       version = tracker.config[:rails_version]
+      description = "have a vulnerability in the translate helper with keys ending in _html"
 
-      if version =~ /^3\.1/
-        message = "Versions before 3.1.2 have a vulnerability in the translate helper."
+      message = if version =~ /^3\.1/
+        "Versions before 3.1.2 #{description}."
       elsif version =~ /^3\.0/
-        message = "Versions before 3.0.11 have a vulnerability in translate helper."
+        "Versions before 3.0.11 #{description}."
       else
-        message = "Rails 2.3.x using the rails_xss plugin have a vulnerability in translate helper."
+        "Rails 2.3.x using the rails_xss plugin #{description}}."
       end
 
       warn :warning_type => "Cross Site Scripting",
         :message => message,
         :confidence => confidence,
-        :file => gemfile_or_environment
+        :file => gemfile_or_environment,
+        :link_path => "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5"
     end
   end
 
   def uses_translate?
     Brakeman.debug "Finding calls to translate() or t()"
 
-    not tracker.find_call(:target => nil, :methods => [:t, :translate]).empty?
+    tracker.find_call(:target => nil, :methods => [:t, :translate]).any?
   end
 end

data/lib/brakeman/checks/check_validation_regex.rb

@@ -13,48 +13,73 @@ class Brakeman::CheckValidationRegex < Brakeman::BaseCheck
   @description = "Report uses of validates_format_of with improper anchors"
 
   WITH = Sexp.new(:lit, :with)
+  FORMAT = Sexp.new(:lit, :format)
 
   def run_check
     active_record_models.each do |name, model|
       @current_model = name
       format_validations = model[:options][:validates_format_of]
+
       if format_validations
         format_validations.each do |v|
-          process_validator v
+          process_validates_format_of v
+        end
+      end
+
+      validates = model[:options][:validates]
+
+      if validates
+        validates.each do |v|
+          process_validates v
         end
       end
     end
   end
 
   #Check validates_format_of
-  def process_validator validator
+  def process_validates_format_of validator
     if value = hash_access(validator.last, WITH)
       check_regex value, validator
     end
   end
 
+  #Check validates ..., :format => ...
+  def process_validates validator
+    hash_arg = validator.last
+    return unless hash? hash_arg
+
+    value = hash_access(hash_arg, FORMAT)
+
+    if hash? value
+      value = hash_access(value, WITH)
+    end
+
+    if value
+      check_regex value, validator
+    end
+  end
+
   #Issue warning if the regular expression does not use
   #+\A+ and +\z+
   def check_regex value, validator
     return unless regexp? value
 
     regex = value.value.inspect
-    if regex =~ /^\/(.{2}).*(.{2})\/(m|i|x|n|e|u|s|o)*\z/
-      if $1 != "\\A" or ($2 != "\\Z" and $2 != "\\z")
-        warn :model => @current_model,
-          :warning_type => "Format Validation", 
-          :message => "Insufficient validation for '#{get_name validator}' using #{value.value.inspect}. Use \\A and \\z as anchors",
-          :line => value.line,
-          :confidence => CONFIDENCE[:high] 
-      end
+    unless regex =~ /\A\/\\A.*\\(z|Z)\/(m|i|x|n|e|u|s|o)*\z/
+      warn :model => @current_model,
+      :warning_type => "Format Validation",
+      :message => "Insufficient validation for '#{get_name validator}' using #{regex}. Use \\A and \\z as anchors",
+      :line => value.line,
+      :confidence => CONFIDENCE[:high]
     end
   end
 
   #Get the name of the attribute being validated.
   def get_name validator
     name = validator[1]
+
     if sexp? name
-      name[1]
+      name.value
     else
       name
     end

data/lib/brakeman/checks/check_without_protection.rb

@@ -33,7 +33,7 @@ class Brakeman::CheckWithoutProtection < Brakeman::BaseCheck
   #All results should be Model.new(...) or Model.attributes=() calls
   def process_result res
     call = res[:call]
-    last_arg = call.args.last
+    last_arg = call.last_arg
 
     if hash? last_arg and not call.original_line and not duplicate? res
 

data/lib/brakeman/options.rb

@@ -50,8 +50,8 @@ module Brakeman::Options
         opts.separator ""
         opts.separator "Scanning options:"
 
-        opts.on "-a", "--assume-routes", "Assume all controller methods are actions" do
-          options[:assume_all_routes] = true
+        opts.on "-a", "--[no-]assume-routes", "Assume all controller methods are actions (default)" do |assume|
+          options[:assume_all_routes] = assume
         end
 
         opts.on "-e", "--escape-html", "Escape HTML by default" do
@@ -71,6 +71,10 @@ module Brakeman::Options
           options[:ignore_attr_protected] = true
         end
 
+        opts.on "--interprocedural", "Process method calls to known methods" do
+          options[:interprocedural] = true
+        end
+
         opts.on "--no-branching", "Disable flow sensitivity on conditionals" do
           options[:ignore_ifs] = true
         end

data/lib/brakeman/processor.rb

@@ -12,8 +12,9 @@ module Brakeman
   class Processor
     include Util
 
-    def initialize options
-      @tracker = Tracker.new self, options
+    def initialize(app_tree, options)
+      @app_tree = app_tree
+      @tracker = Tracker.new(@app_tree, self, options)
     end
 
     def tracked_events
@@ -38,7 +39,7 @@ module Brakeman
     #Process controller source. +file_name+ is used for reporting
     def process_controller src, file_name
       if contains_class? src
-        ControllerProcessor.new(@tracker).process_controller src, file_name
+        ControllerProcessor.new(@app_tree, @tracker).process_controller src, file_name
       else
         LibraryProcessor.new(@tracker).process_library src, file_name
       end
@@ -47,13 +48,13 @@ module Brakeman
     #Process variable aliasing in controller source and save it in the
     #tracker.
     def process_controller_alias name, src, only_method = nil
-      ControllerAliasProcessor.new(@tracker, only_method).process_controller name, src
+      ControllerAliasProcessor.new(@app_tree, @tracker, only_method).process_controller name, src
     end
 
     #Process a model source
     def process_model src, file_name
       result = ModelProcessor.new(@tracker).process_model src, file_name
-      AliasProcessor.new(@tracker).process result
+      AliasProcessor.new(@tracker).process_all result if result
     end
 
     #Process either an ERB or HAML template

data/lib/brakeman/processors/alias_processor.rb

@@ -24,6 +24,8 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     @exp_context = []
     @current_module = nil
     @tracker = tracker #set in subclass as necessary
+    @helper_method_cache = {}
+    @helper_method_info = Hash.new({})
     set_env_defaults
   end
 
@@ -70,11 +72,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     @exp_context.push exp
 
     begin
-      exp.each_with_index do |e, i|
-        next if i == 0
-
+      exp.map! do |e|
         if sexp? e and not e.empty?
-          exp[i] = process e
+          process e
         else
           e
         end
@@ -107,7 +107,6 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
 
     target = exp.target
     method = exp.method
-    args = exp[3]
     first_arg = exp.first_arg
 
     #See if it is possible to simplify some basic cases
@@ -154,7 +153,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         temp_exp = process_array_access target, exp.args
         exp = temp_exp if temp_exp
       elsif hash? target
-        temp_exp = process_hash_access target, exp.args
+        temp_exp = process_hash_access target, first_arg
         exp = temp_exp if temp_exp
       end
     when :merge!, :update
@@ -204,7 +203,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   def process_methdef exp
     env.scope do
       set_env_defaults
-      process exp.body
+      exp.body = process_all! exp.body
     end
     exp
   end
@@ -213,7 +212,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   def process_selfdef exp
     env.scope do
       set_env_defaults
-      process exp.body
+      exp.body = process_all! exp.body
     end
     exp
   end
@@ -231,8 +230,10 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
 
     if @inside_if and val = env[local]
       #avoid setting to value it already is (e.g. "1 or 1")
-      if val != exp.rhs and val[1] != exp.rhs and val[2] != exp.rhs
-        env[local] = Sexp.new(:or, val, exp.rhs).line(exp.line || -2)
+      if val != exp.rhs
+        unless node_type?(val, :or) and (val.rhs == exp.rhs or val.lhs == exp.rhs)
+          env[local] = Sexp.new(:or, val, exp.rhs).line(exp.line || -2)
+        end
       end
     else
       env[local] = exp.rhs
@@ -300,21 +301,22 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     tar_variable = exp.target
     target = exp.target = process(exp.target)
     method = exp.method
-    args = exp.args
+    index_arg = exp.first_arg
+    value_arg = exp.second_arg
 
     if method == :[]=
-      index = exp.first_arg = process(args.first)
-      value = exp.second_arg = process(args.second)
-      match = Sexp.new(:call, target, :[], Sexp.new(:arglist, index))
+      index = exp.first_arg = process(index_arg)
+      value = exp.second_arg = process(value_arg)
+      match = Sexp.new(:call, target, :[], index)
       env[match] = value
 
       if hash? target
         env[tar_variable] = hash_insert target.deep_clone, index, value
       end
     elsif method.to_s[-1,1] == "="
-      value = exp.first_arg = process(args.first)
+      value = exp.first_arg = process(index_arg)
       #This is what we'll replace with the value
-      match = Sexp.new(:call, target, method.to_s[0..-2].to_sym, Sexp.new(:arglist))
+      match = Sexp.new(:call, target, method.to_s[0..-2].to_sym)
 
       if @inside_if and val = env[match]
         if val != value
@@ -336,7 +338,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     hash = hash.deep_clone
     hash_iterate args do |key, replacement|
       hash_insert hash, key, replacement
-      match = Sexp.new(:call, hash, :[], Sexp.new(:arglist, key))
+      match = Sexp.new(:call, hash, :[], key)
       env[match] = replacement
     end
     hash
@@ -361,7 +363,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     target = exp[1] = process(exp[1])
     index = exp[2][1] = process(exp[2][1])
     value = exp[4] = process(exp[4])
-    match = Sexp.new(:call, target, :[], Sexp.new(:arglist, index))
+    match = Sexp.new(:call, target, :[], index)
 
     unless env[match]
       if request_value? target
@@ -383,7 +385,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     value = exp[4] = process(exp[4])
     method = exp[2]
 
-    match = Sexp.new(:call, target, method.to_s[0..-2].to_sym, Sexp.new(:arglist))
+    match = Sexp.new(:call, target, method.to_s[0..-2].to_sym)
 
     unless env[match]
       env[match] = value
@@ -392,8 +394,10 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     exp
   end
 
+  #This is the right hand side value of a multiple assignment,
+  #like `x = y, z`
   def process_svalue exp
-    exp[1]
+    exp.value
   end
 
   #Constant assignments like
@@ -423,9 +427,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     if true? condition
       exps = [exp.then_clause]
     elsif false? condition
-      exps = exp[3..-1]
+      exps = [exp.else_clause]
     else
-      exps = exp[2..-1]
+      exps = [exp.then_clause, exp.else_clause]
     end
 
     was_inside = @inside_if
@@ -461,15 +465,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   end
 
   #Process hash access by returning the value associated
-  #with the given arguments.
-  def process_hash_access target, args
-    if args.length == 1
-      index = args[0]
-
-      hash_access(target, index)
-    else
-      nil
-    end
+  #with the given argument.
+  def process_hash_access target, index
+    hash_access(target, index)
   end
 
   #Join two array literals into one.
@@ -482,8 +480,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   #Join two string literals into one.
   def join_strings string1, string2
     result = Sexp.new(:str)
-    result[1] = string1[1] + string2[1]
-    if result[1].length > 50
+    result.value = string1.value + string2.value
+
+    if result.value.length > 50
       string1
     else
       result
@@ -492,18 +491,19 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
 
   #Returns a new SexpProcessor::Environment containing only instance variables.
   #This is useful, for example, when processing views.
-  def only_ivars include_request_vars = false
+  def only_ivars include_request_vars = false, lenv = nil
+    lenv ||= env
     res = SexpProcessor::Environment.new
 
     if include_request_vars
-      env.all.each do |k, v|
+      lenv.all.each do |k, v|
         #TODO Why would this have nil values?
         if (k.node_type == :ivar or request_value? k) and not v.nil?
           res[k] = v.dup
         end
       end
     else
-      env.all.each do |k, v|
+      lenv.all.each do |k, v|
         #TODO Why would this have nil values?
         if k.node_type == :ivar and not v.nil?
           res[k] = v.dup
@@ -514,6 +514,117 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     res
   end
 
+  def only_request_vars
+    res = SexpProcessor::Environment.new
+
+    env.all.each do |k, v|
+      if request_value? k and not v.nil?
+        res[k] = v.dup
+      end
+    end
+
+    res
+  end
+
+  def get_call_value call
+    method_name = call.method
+
+    #Look for helper methods and see if we can get a return value
+    if found_method = find_method(method_name, @current_class)
+      helper = found_method[:method]
+
+      if sexp? helper
+        value = process_helper_method helper, call.args
+        value.line(call.line)
+        return value
+      else
+        raise "Unexpected value for method: #{found_method}"
+      end
+    else
+      call
+    end
+  end
+
+  def process_helper_method method_exp, args
+    method_name = method_exp.method_name
+    Brakeman.debug "Processing method #{method_name}"
+
+    info = @helper_method_info[method_name]
+
+    #If method uses instance variables, then include those and request
+    #variables (params, etc) in the method environment. Otherwise,
+    #only include request variables.
+    if info[:uses_ivars]
+      meth_env = only_ivars(:include_request_vars)
+    else
+      meth_env = only_request_vars
+    end
+
+    #Add arguments to method environment
+    assign_args method_exp, args, meth_env
+
+
+    #Find return values if method does not depend on environment/args
+    values = @helper_method_cache[method_name]
+
+    unless values
+      #Serialize environment for cache key
+      meth_values = meth_env.instance_variable_get(:@env).to_a
+      meth_values.sort!
+      meth_values = meth_values.to_s
+
+      digest = Digest::SHA1.new.update(meth_values << method_name.to_s).to_s.to_sym
+
+      values = @helper_method_cache[digest]
+    end
+
+    if values
+      #Use values from cache
+      values[:ivar_values].each do |var, val|
+        env[var] = val
+      end
+
+      values[:return_value]
+    else
+      #Find return value for method
+      frv = Brakeman::FindReturnValue.new
+      value = frv.get_return_value(method_exp.body_list, meth_env)
+
+      ivars = {}
+
+      only_ivars(false, meth_env).all.each do |var, val|
+        env[var] = val
+        ivars[var] = val
+      end
+
+      if not frv.uses_ivars? and args.length == 0
+        #Store return value without ivars and args if they are not used
+        @helper_method_cache[method_exp.method_name] = { :return_value => value, :ivar_values => ivars }
+      else
+        @helper_method_cache[digest] = { :return_value => value, :ivar_values => ivars }
+      end
+
+      #Store information about method, just ivar usage for now
+      @helper_method_info[method_name] = { :uses_ivars => frv.uses_ivars? }
+
+      value
+    end
+  end
+
+  def assign_args method_exp, args, meth_env = SexpProcessor::Environment.new
+    formal_args = method_exp.formal_args
+
+    formal_args.each_with_index do |arg, index|
+      next if index == 0
+
+      if arg.is_a? Symbol and sexp? args[index - 1]
+        meth_env[Sexp.new(:lvar, arg)] = args[index - 1]
+      end
+    end
+
+    meth_env
+  end
+
   #Set line nunber for +exp+ and every Sexp it contains. Used when replacing
   #expressions, so warnings indicate the correct line.
   def set_line exp, line_number
@@ -530,8 +641,8 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
 
   #Finds the inner most call target which is not the target of a call to <<
   def find_push_target exp
-    if call? exp and exp[2] == :<<
-      find_push_target exp[1]
+    if call? exp and exp.method == :<<
+      find_push_target exp.target
     else
       exp
     end
@@ -544,4 +655,8 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
 
     false
   end
+
+  def find_method *args
+    nil
+  end
 end