brakeman 1.9.5 → 2.0.0.pre2

data/lib/brakeman/call_index.rb

@@ -82,13 +82,13 @@ class Brakeman::CallIndex
   def remove_indexes_by_class classes
     @calls_by_method.each do |name, calls|
       calls.delete_if do |call|
-        call[:location][0] == :class and classes.include? call[:location][1]
+        call[:location][:type] == :class and classes.include? call[:location][:class]
       end
     end
 
     @calls_by_target.each do |name, calls|
       calls.delete_if do |call|
-        call[:location][0] == :class and classes.include? call[:location][1]
+        call[:location][:type] == :class and classes.include? call[:location][:class]
       end
     end
   end
@@ -206,8 +206,8 @@ class Brakeman::CallIndex
   end
 
   def from_template call, template_name
-    return false unless call[:location][0] == :template
+    return false unless call[:location][:type] == :template
     return true if template_name.nil?
-    call[:location][1] == template_name
+    call[:location][:template] == template_name
   end
 end

data/lib/brakeman/checks/base_check.rb

@@ -12,6 +12,14 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   CONFIDENCE = { :high => 0, :med => 1, :low => 2 }
 
   Match = Struct.new(:type, :match)
+  
+  class << self
+    attr_accessor :name
+  
+    def inherited(subclass)
+      subclass.name = subclass.to_s.match(/^Brakeman::(.*)$/)[1]
+    end
+  end
 
   #Initialize Check with Checks.
   def initialize(app_tree, tracker)
@@ -26,12 +34,12 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     @active_record_models = nil
     @mass_assign_disabled = nil
     @has_user_input = nil
-    @safe_input_attributes = Set[:to_i, :to_f, :arel_table]
+    @safe_input_attributes = Set[:to_i, :to_f, :arel_table, :id]
   end
 
   #Add result to result list, which is used to check for duplicates
   def add_result result, location = nil
-    location ||= (@current_template && @current_template[:name]) || @current_class || @current_module || @current_set || result[:location][1]
+    location ||= (@current_template && @current_template[:name]) || @current_class || @current_module || @current_set || result[:location][:class] || result[:location][:template]
     location = location[:name] if location.is_a? Hash
     location = location.to_sym
 
@@ -116,9 +124,11 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
 
   #Report a warning
   def warn options
-    extra_opts = { :check => self.class.to_s, :relative_file => relative_path(options[:file]) }
+    extra_opts = { :check => self.class.to_s }
+
     warning = Brakeman::Warning.new(options.merge(extra_opts))
     warning.file = file_for warning
+    warning.relative_path = relative_path(warning.file)
 
     @warnings << warning
   end
@@ -163,7 +173,6 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     @mass_assign_disabled = false
 
     if version_between?("3.1.0", "3.9.9") and
-      tracker.config[:rails] and
       tracker.config[:rails][:active_record] and
       tracker.config[:rails][:active_record][:whitelist_attributes] == Sexp.new(:true)
 
@@ -244,7 +253,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       raise ArgumentError
     end
 
-    location ||= (@current_template && @current_template[:name]) || @current_class || @current_module || @current_set || result[:location][1]
+    location ||= (@current_template && @current_template[:name]) || @current_class || @current_module || @current_set || result[:location][:class] || result[:location][:template]
 
     location = location[:name] if location.is_a? Hash
     location = location.to_sym
@@ -507,4 +516,23 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
 
     @active_record_models
   end
+
+  def friendly_type_of input_type
+    if input_type.is_a? Match
+      input_type = input_type.type
+    end
+
+    case input_type
+    when :params
+      "parameter value"
+    when :cookies
+      "cookie value"
+    when :request
+      "request value"
+    when :model
+      "model attribute"
+    else
+      "user input"
+    end
+  end
 end

data/lib/brakeman/checks/check_basic_auth.rb

@@ -25,7 +25,8 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
               :warning_code => :basic_auth_password,
               :message => "Basic authentication password stored in source code",
               :code => call, 
-              :confidence => 0
+              :confidence => 0,
+              :file => controller[:file]
 
           break
         end

data/lib/brakeman/checks/check_content_tag.rb

@@ -45,7 +45,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
 
     call = result[:call] = result[:call].dup
 
-    args = call.arglist 
+    args = call.arglist
 
     tag_name = args[1]
     content = args[2]
@@ -94,19 +94,12 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
     end
 
     if input = has_immediate_user_input?(arg)
-      case input.type
-      when :params
-        message = "Unescaped parameter value in content_tag"
-      when :cookies
-        message = "Unescaped cookie value in content_tag"
-      else
-        message = "Unescaped user input value in content_tag"
-      end
+      message = "Unescaped #{friendly_type_of input} in content_tag"
 
       add_result result
 
       warn :result => result,
-        :warning_type => "Cross Site Scripting", 
+        :warning_type => "Cross Site Scripting",
         :warning_code => :xss_content_tag,
         :message => message,
         :user_input => input.match,
@@ -126,7 +119,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
         end
 
         warn :result => result,
-          :warning_type => "Cross Site Scripting", 
+          :warning_type => "Cross Site Scripting",
           :warning_code => :xss_content_tag,
           :message => "Unescaped model attribute in content_tag",
           :user_input => match,
@@ -135,28 +128,14 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
       end
 
     elsif @matched
-      message = "Unescaped "
-
-      case @matched.type
-      when :model
-        return if tracker.options[:ignore_model_output]
-        message << "model attribute"
-      when :params
-        message << "parameter"
-      when :cookies
-        message << "cookie"
-      when :session
-        message << "session"
-      else
-        message << "user input"
-      end
+      return if @matched.type == :model and tracker.options[:ignore_model_output]
 
-      message << " value in content_tag"
+      message = "Unescaped #{friendly_type_of @matched} in content_tag"
 
       add_result result
 
-      warn :result => result, 
-        :warning_type => "Cross Site Scripting", 
+      warn :result => result,
+        :warning_type => "Cross Site Scripting",
         :warning_code => :xss_content_tag,
         :message => message,
         :user_input => @matched.match,

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -62,10 +62,17 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
     initializers = tracker.check_initializers :ActiveSupport, :escape_html_entities_in_json=
     initializers.each {|result| json_escape_on = true?(result.call.first_arg) }
 
+    if tracker.config[:rails][:active_support] and
+      true? tracker.config[:rails][:active_support][:escape_html_entities_in_json]
+
+        json_escape_on = true
+    end
+
     if !json_escape_on or version_between? "0.0.0", "2.0.99"
       @known_dangerous << :to_json
       Brakeman.debug("Automatic to_json escaping not enabled, consider to_json dangerous")
     else
+      @safe_input_attributes << :to_json
       Brakeman.debug("Automatic to_json escaping is enabled.")
     end
 
@@ -97,16 +104,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
     if input = has_immediate_user_input?(out)
       add_result exp
 
-      case input.type
-      when :params
-        message = "Unescaped parameter value"
-      when :cookies
-        message = "Unescaped cookie value"
-      when :request
-        message = "Unescaped request value"
-      else
-        message = "Unescaped user input value"
-      end
+      message = "Unescaped #{friendly_type_of input}"
 
       warn :template => @current_template,
         :warning_type => "Cross Site Scripting",
@@ -187,15 +185,8 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
       message = nil
 
       if @matched
-        case @matched.type
-        when :model
-          unless tracker.options[:ignore_model_output]
-            message = "Unescaped model attribute"
-          end
-        when :params
-          message = "Unescaped parameter value"
-        when :cookies
-          message = "Unescaped cookie value"
+        unless @matched.type and tracker.options[:ignore_model_output]
+          message = "Unescaped #{friendly_type_of @matched}"
         end
 
         if message and not duplicate? exp

data/lib/brakeman/checks/check_deserialize.rb

@@ -0,0 +1,57 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckDeserialize < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for unsafe deserialization of objects"
+
+  def run_check
+    check_yaml
+    check_csv
+    check_marshal
+  end
+
+  def check_yaml
+    check_methods :YAML, :load, :load_documents, :load_stream, :parse_documents, :parse_stream
+  end
+
+  def check_csv
+    check_methods :CSV, :load
+  end
+
+  def check_marshal
+    check_methods :Marshal, :load, :restore
+  end
+
+  def check_methods target, *methods
+    tracker.find_call(:target => target, :methods => methods ).each do |result|
+      check_deserialize result, target
+    end
+  end
+
+  def check_deserialize result, target, arg = nil
+    return if duplicate? result
+    add_result result
+
+    arg ||= result[:call].first_arg
+    method = result[:call].method
+
+    if input = has_immediate_user_input?(arg)
+      confidence = CONFIDENCE[:high]
+    elsif input = include_user_input?(arg)
+      confidence = CONFIDENCE[:med]
+    end
+
+    if confidence
+      message = "#{target}.#{method} called with #{friendly_type_of input}"
+
+      warn :result => result,
+        :warning_type => "Remote Code Execution",
+        :warning_code => :unsafe_deserialize,
+        :message => message,
+        :user_input => input.match,
+        :confidence => confidence,
+        :link_path => "unsafe_deserialization"
+    end
+  end
+end

data/lib/brakeman/checks/check_execute.rb

@@ -84,20 +84,12 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
       user_input = nil
     end
 
-    warning = { :warning_type => "Command Injection",
+    warn :result => result,
+      :warning_type => "Command Injection",
       :warning_code => :command_injection,
       :message => "Possible command injection",
       :code => exp,
       :user_input => user_input,
-      :confidence => confidence }
-
-    if result[:location][0] == :template
-      warning[:template] = result[:location][1]
-    else
-      warning[:class] = result[:location][1]
-      warning[:method] = result[:location][2]
-    end
-
-    warn warning
+      :confidence => confidence
   end
 end

data/lib/brakeman/checks/check_file_access.rb

@@ -48,20 +48,7 @@ class Brakeman::CheckFileAccess < Brakeman::BaseCheck
     end
 
     if match
-      case match.type
-      when :params
-        message = "Parameter"
-      when :cookies
-        message = "Cookie"
-      when :request
-        message = "Request"
-      when :model
-        message = "Model attribute"
-      else
-        message = "User input"
-      end
-
-      message << " value used in file name"
+      message = "#{friendly_type_of(match).capitalize} used in file name"
 
       warn :result => result,
         :warning_type => "File Access",

data/lib/brakeman/checks/check_forgery_setting.rb

@@ -11,15 +11,15 @@ class Brakeman::CheckForgerySetting < Brakeman::BaseCheck
 
   def run_check
     app_controller = tracker.controllers[:ApplicationController]
-    if tracker.config[:rails] and
-      tracker.config[:rails][:action_controller] and
+    if tracker.config[:rails][:action_controller] and
       tracker.config[:rails][:action_controller][:allow_forgery_protection] == Sexp.new(:false)
 
       warn :controller => :ApplicationController,
         :warning_type => "Cross-Site Request Forgery",
         :warning_code => :csrf_protection_disabled,
         :message => "Forgery protection is disabled", 
-        :confidence => CONFIDENCE[:high]
+        :confidence => CONFIDENCE[:high],
+        :file => app_controller[:file]
 
     elsif app_controller and not app_controller[:options][:protect_from_forgery]
 
@@ -27,7 +27,8 @@ class Brakeman::CheckForgerySetting < Brakeman::BaseCheck
         :warning_type => "Cross-Site Request Forgery", 
         :warning_code => :csrf_protection_missing,
         :message => "'protect_from_forgery' should be called in ApplicationController", 
-        :confidence => CONFIDENCE[:high]
+        :confidence => CONFIDENCE[:high],
+        :file => app_controller[:file]
 
     elsif version_between? "2.1.0", "2.3.10"
       

data/lib/brakeman/checks/check_link_to.rb

@@ -68,14 +68,7 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
     input = has_immediate_user_input?(argument)
     return false unless input
 
-    case input.type
-    when :params
-      message = "Unescaped parameter value in link_to"
-    when :cookies
-      message = "Unescaped cookie value in link_to"
-    else
-      message = "Unescaped user input value in link_to"
-    end
+    message = "Unescaped #{friendly_type_of input} in link_to"
 
     warn_xss(result, message, input.match, CONFIDENCE[:high])
   end
@@ -96,15 +89,11 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
   # Check if we should warn about the matched result
   def check_matched(result, matched = nil)
     return false unless matched
-    message = nil
+    return false if matched.type == :model and tracker.options[:ignore_model_output]
 
-    if matched.type == :model and not tracker.options[:ignore_model_output]
-      message = "Unescaped model attribute in link_to"
-    elsif matched.type == :params
-      message = "Unescaped parameter value in link_to"
-    end
+    message = "Unescaped #{friendly_type_of matched} in link_to"
 
-    message ? warn_xss(result, message, @matched.match, CONFIDENCE[:med]) : false
+    warn_xss(result, message, @matched.match, CONFIDENCE[:med])
   end
 
   # Create a warn for this xss

data/lib/brakeman/checks/check_link_to_href.rb

@@ -42,14 +42,7 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
 
 
     if input = has_immediate_user_input?(url_arg)
-      case input.type
-      when :params
-        message = "Unsafe parameter value in link_to href"
-      when :cookies
-        message = "Unsafe cookie value in link_to href"
-      else
-        message = "Unsafe user input value in link_to href"
-      end
+      message = "Unsafe #{friendly_type_of input} in link_to href"
 
       unless duplicate? result
         add_result result

data/lib/brakeman/checks/check_mass_assignment.rb

@@ -63,8 +63,12 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
 
         if call? first_arg and (first_arg.method == :slice or first_arg.method == :only)
           return
-        elsif not node_type? first_arg, :hash and not attr_protected
-          confidence = CONFIDENCE[:high]
+        elsif not node_type? first_arg, :hash
+          if attr_protected
+            confidence = CONFIDENCE[:med]
+          else
+            confidence = CONFIDENCE[:high]
+          end
           user_input = input.match
         else
           confidence = CONFIDENCE[:low]