brakeman 1.9.5 → 2.0.0.pre2

data/lib/brakeman/checks/check_model_attributes.rb

@@ -57,6 +57,7 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
           warn :model => name,
             :file => model[:file],
             :warning_type => "Attribute Restriction",
+            :warning_code => :no_attr_accessible,
             :message => "Mass assignment is not restricted using attr_accessible",
             :confidence => CONFIDENCE[:high]
         elsif not tracker.options[:ignore_attr_protected]

data/lib/brakeman/checks/check_model_serialize.rb

@@ -59,7 +59,8 @@ class Brakeman::CheckModelSerialize < Brakeman::BaseCheck
         :warning_code => :CVE_2013_0277,
         :message => "Serialized attributes are vulnerable in Rails #{tracker.config[:rails_version]}, upgrade to #{@upgrade_version} or patch.",
         :confidence => confidence,
-        :link => "https://groups.google.com/d/topic/rubyonrails-security/KtmwSbEpzrU/discussion"
+        :link => "https://groups.google.com/d/topic/rubyonrails-security/KtmwSbEpzrU/discussion",
+        :file => model[:file]
     end
   end
 end

data/lib/brakeman/checks/check_render.rb

@@ -47,22 +47,9 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
         return
       end
 
-      message = "Render path contains "
-
-      case input.type
-      when :params
-        message << "parameter value"
-      when :cookies
-        message << "cookie value"
-      when :request
-        message << "request value"
-      when :model
-        #Skip models
-        return
-      else
-        message << "user input value"
-      end
+      return if input.type == :model #skip models
 
+      message = "Render path contains #{friendly_type_of input}"
 
       warn :result => result,
         :warning_type => "Dynamic Render Path",

data/lib/brakeman/checks/check_select_tag.rb

@@ -24,7 +24,7 @@ class Brakeman::CheckSelectTag < Brakeman::BaseCheck
     @message = "Upgrade to Rails #{suggested_version}, #{tracker.config[:rails_version]} select_tag is vulnerable (CVE-2012-3463)"
 
     calls = tracker.find_call(:target => nil, :method => :select_tag).select do |result|
-      result[:location][0] == :template
+      result[:location][:type] == :template
     end
 
     calls.each do |result|

data/lib/brakeman/checks/check_select_vulnerability.rb

@@ -24,7 +24,7 @@ class Brakeman::CheckSelectVulnerability < Brakeman::BaseCheck
     @message = "Upgrade to Rails #{suggested_version}, #{tracker.config[:rails_version]} select() helper is vulnerable"
 
     calls = tracker.find_call(:target => nil, :method => :select).select do |result|
-      result[:location][0] == :template
+      result[:location][:type] == :template
     end
 
     calls.each do |result|
@@ -47,7 +47,7 @@ class Brakeman::CheckSelectVulnerability < Brakeman::BaseCheck
         confidence = CONFIDENCE[:low]
       end
 
-      warn :template => result[:location][1],
+      warn :template => result[:location][:template],
           :warning_type => "Cross Site Scripting",
           :warning_code => :select_options_vuln,
           :result => result,

data/lib/brakeman/checks/check_send.rb

@@ -16,6 +16,9 @@ class Brakeman::CheckSend < Brakeman::BaseCheck
   end
 
   def process_result result
+    return if duplicate? result or result[:call].original_line
+    add_result result
+
     process_call_args result[:call]
     target = process result[:call].target
 

data/lib/brakeman/checks/check_session_settings.rb

@@ -17,9 +17,8 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
   end
 
   def run_check
-    settings = tracker.config[:rails] and
-                tracker.config[:rails][:action_controller] and
-                tracker.config[:rails][:action_controller][:session]
+    settings = tracker.config[:rails][:action_controller] &&
+               tracker.config[:rails][:action_controller][:session]
 
     check_for_issues settings, "#{tracker.options[:app_path]}/config/environment.rb"
 

data/lib/brakeman/checks/check_skip_before_filter.rb

@@ -30,7 +30,9 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
         :warning_code => :csrf_blacklist,
         :message => "Use whitelist (:only => [..]) when skipping CSRF check",
         :code => filter,
-        :confidence => CONFIDENCE[:med]
+        :confidence => CONFIDENCE[:med],
+        :file => controller[:file]
+
     when :login_required, :authenticate_user!, :require_user
       warn :controller => controller[:name],
         :warning_code => :auth_blacklist,
@@ -38,7 +40,8 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
         :message => "Use whitelist (:only => [..]) when skipping authentication",
         :code => filter,
         :confidence => CONFIDENCE[:med],
-        :link => "authentication_whitelist"
+        :link => "authentication_whitelist",
+        :file => controller[:file]
     end
   end
 

data/lib/brakeman/checks/check_sql.rb

@@ -68,7 +68,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
         if model[:options][:named_scope]
           model[:options][:named_scope].each do |args|
             call = make_call(nil, :named_scope, args).line(args.line)
-            scope_calls << { :call => call, :location => [:class, name ], :method => :named_scope }
+            scope_calls << { :call => call, :location => { :type => :class, :class => name }, :method => :named_scope }
           end
         end
        end
@@ -84,10 +84,10 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
               process_scope_with_block name, args
             elsif second_arg.node_type == :call
               call = second_arg
-              scope_calls << { :call => call, :location => [:class, name ], :method => call.method }
+              scope_calls << { :call => call, :location => { :type => :class, :class => name }, :method => call.method }
             else
               call = make_call(nil, :scope, args).line(args.line)
-              scope_calls << { :call => call, :location => [:class, name ], :method => :scope }
+              scope_calls << { :call => call, :location => { :type => :class, :class => name }, :method => :scope }
             end
           end
         end
@@ -98,64 +98,48 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   end
 
   def check_rails_version_for_cve_2012_2660
-    if version_between?("2.0.0", "2.3.14") || version_between?("3.0.0", "3.0.12") || version_between?("3.1.0", "3.1.4") || version_between?("3.2.0", "3.2.3")
-      warn :warning_type => 'SQL Injection',
-        :warning_code => :CVE_2012_2660,
-        :message => 'All versions of Rails before 3.0.13, 3.1.5, and 3.2.5 contain a SQL Query Generation Vulnerability: CVE-2012-2660; Upgrade to 3.2.5, 3.1.5, 3.0.13',
-        :confidence => CONFIDENCE[:high],
-        :file => gemfile_or_environment,
-        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/8SA-M3as7A8/discussion"
-    end
+    versions = [%w[2.0.0 2.3.14 2.3.17],
+                %w[3.0.0 3.0.12 3.0.13],
+                %w[3.1.0 3.1.4 3.1.5],
+                %w[3.2.0 3.2.3 3.2.4]]
+
+    cve_warning_for versions, "CVE-2012-2660", "https://groups.google.com/d/topic/rubyonrails-security/8SA-M3as7A8/discussion"
   end
 
   def check_rails_version_for_cve_2012_2661
-    if version_between?("3.0.0", "3.0.12") || version_between?("3.1.0", "3.1.4") || version_between?("3.2.0", "3.2.3")
-      warn :warning_type => 'SQL Injection',
-        :warning_code => :CVE_2012_2661,
-        :message => 'All versions of Rails before 3.0.13, 3.1.5, and 3.2.5 contain a SQL Injection Vulnerability: CVE-2012-2661; Upgrade to 3.2.5, 3.1.5, 3.0.13',
-        :confidence => CONFIDENCE[:high],
-        :file => gemfile_or_environment,
-        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/dUaiOOGWL1k/discussion"
-    end
+    versions = [%w[3.0.0 3.0.12 3.0.13],
+                %w[3.1.0 3.1.4 3.1.5],
+                %w[3.2.0 3.2.3 3.2.5]]
+
+    cve_warning_for versions, "CVE-2012-2661", "https://groups.google.com/d/topic/rubyonrails-security/dUaiOOGWL1k/discussion"
   end
 
   def check_rails_version_for_cve_2012_2695
-    if version_between?("2.0.0", "2.3.14") || version_between?("3.0.0", "3.0.13") || version_between?("3.1.0", "3.1.5") || version_between?("3.2.0", "3.2.5")
-      warn :warning_type => 'SQL Injection',
-        :warning_code => :CVE_2012_2695,
-        :message => 'All versions of Rails before 3.0.14, 3.1.6, and 3.2.6 contain SQL Injection Vulnerabilities: CVE-2012-2694 and CVE-2012-2695; Upgrade to 3.2.6, 3.1.6, 3.0.14',
-        :confidence => CONFIDENCE[:high],
-        :file => gemfile_or_environment,
-        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/l4L0TEVAz1k/discussion"
-    end
+    versions = [%w[2.0.0 2.3.14 2.3.15],
+                %w[3.0.0 3.0.13 3.0.14],
+                %w[3.1.0 3.1.5 3.1.6],
+                %w[3.2.0 3.2.5 3.2.6]]
+
+    cve_warning_for versions, "CVE-2012-2695", "https://groups.google.com/d/topic/rubyonrails-security/l4L0TEVAz1k/discussion"
   end
 
   def check_rails_version_for_cve_2012_5664
-    if version_between?("2.0.0", "2.3.14") || version_between?("3.0.0", "3.0.17") || version_between?("3.1.0", "3.1.8") || version_between?("3.2.0", "3.2.9")
-      warn :warning_type => 'SQL Injection',
-        :warning_code => :CVE_2012_5664,
-        :message => 'All versions of Rails before 3.0.18, 3.1.9, and 3.2.10 contain a SQL Injection Vulnerability: CVE-2012-5664; Upgrade to 3.2.10, 3.1.9, 3.0.18',
-        :confidence => CONFIDENCE[:high],
-        :file => gemfile_or_environment,
-        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/DCNTNp_qjFM/discussion"
-    end
+    versions = [%w[2.0.0 2.3.14 2.3.15],
+                %w[3.0.0 3.0.17 3.0.18],
+                %w[3.1.0 3.1.8 3.1.9],
+                %w[3.2.0 3.2.9 3.2.18]]
+
+    cve_warning_for versions, "CVE-2012-5664", "https://groups.google.com/d/topic/rubyonrails-security/DCNTNp_qjFM/discussion"
   end
 
   def check_rails_version_for_cve_2013_0155
-    if version_between?("3.0.0", "3.0.18") || version_between?("3.1.0", "3.1.9") || version_between?("3.2.0", "3.2.10")
-      message = 'All versions of Rails before 3.0.19, 3.1.10, and 3.2.11 contain a SQL Injection Vulnerability: CVE-2013-0155; Upgrade to 3.2.11, 3.1.10, 3.0.19'
-    elsif version_between?("2.0.0", "2.3.15")
-      message = "Rails #{@rails_version} contains a SQL Injection Vulnerability: CVE-2013-0155; Upgrade to 2.3.16"
-    end
+    versions = [%w[2.0.0 2.3.15 2.3.16],
+                %w[3.0.0 3.0.18 3.0.19],
+                %w[3.1.0 3.1.9 3.1.10],
+                %w[3.2.0 3.2.10 3.2.11]]
 
-    if message
-      warn :warning_type => 'SQL Injection',
-        :warning_code => :CVE_2013_0155,
-        :message => message,
-        :confidence => CONFIDENCE[:high],
-        :file => gemfile_or_environment,
-        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/c7jT-EeN9eI/discussion"
-    end
+
+    cve_warning_for versions, "CVE-2013-0155", "https://groups.google.com/d/topic/rubyonrails-security/c7jT-EeN9eI/discussion"
   end
 
   def process_scope_with_block model_name, args
@@ -166,7 +150,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     if block.node_type == :block
       find_calls = Brakeman::FindAllCalls.new tracker
 
-      find_calls.process_source block, model_name, scope_name
+      find_calls.process_source block, :class => model_name, :method => scope_name
 
       find_calls.calls.each do |call|
         if @sql_targets.include? call[:method]
@@ -174,7 +158,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
         end
       end
     elsif block.node_type == :call
-      process_result :target => block.target, :method => block.method, :call => block, :location => [:class, model_name, scope_name]
+      process_result :target => block.target, :method => block.method, :call => block,
+        :location => { :type => :class, :class => model_name, :method => scope_name }
     end
   end
 
@@ -618,4 +603,28 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     call = result[:call]
     call? call.target and call.target.method == :constantize
   end
+
+  def upgrade_version? versions
+    versions.each do |low, high, upgrade|
+      if version_between? low, high
+        return upgrade
+      end
+    end
+
+    false
+  end
+
+  def cve_warning_for versions, cve, link
+    upgrade_version = upgrade_version? versions
+    return unless upgrade_version
+
+    code = cve.tr('-', '_').to_sym
+
+    warn :warning_type => 'SQL Injection',
+      :warning_code => code,
+      :message => "Rails #{tracker.config[:rails_version]} contains a SQL injection vulnerability (#{cve}). Upgrade to #{upgrade_version}",
+      :confidence => CONFIDENCE[:high],
+      :file => gemfile_or_environment,
+      :link_path => link
+  end
 end

data/lib/brakeman/checks/check_symbol_dos.rb

@@ -33,8 +33,12 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
   end
 
   def check_unsafe_symbol_creation result
+    return if duplicate? result or result[:call].original_line
+
+    add_result result
 
     call = result[:call]
+
     if result[:method] == :to_sym
       args = [call.target]
     else
@@ -48,20 +52,7 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
     end
 
     if confidence
-      input_type = case input.type
-                   when :params
-                     "parameter value"
-                   when :cookies
-                     "cookies value"
-                   when :request
-                     "request value"
-                   when :model
-                     "model attribute"
-                   else
-                     "user input"
-                   end
-
-      message = "Symbol conversion from unsafe string (#{input_type})"
+      message = "Symbol conversion from unsafe string (#{friendly_type_of input})"
 
       warn :result => result,
         :warning_type => "Denial of Service",

data/lib/brakeman/checks/check_unsafe_reflection.rb

@@ -18,7 +18,7 @@ class Brakeman::CheckUnsafeReflection < Brakeman::BaseCheck
   end
 
   def check_unsafe_reflection result
-    return if duplicate? result
+    return if duplicate? result or result[:call].original_line
     add_result result
 
     call = result[:call] 
@@ -38,20 +38,7 @@ class Brakeman::CheckUnsafeReflection < Brakeman::BaseCheck
     end
 
     if confidence
-      input_type = case input.type
-                   when :params
-                     "parameter value"
-                   when :cookies
-                     "cookies value"
-                   when :request
-                     "request value"
-                   when :model
-                     "model attribute"
-                   else
-                     "user input"
-                   end
-
-      message = "Unsafe Reflection method #{method} called with #{input_type}"
+      message = "Unsafe Reflection method #{method} called with #{friendly_type_of input}"
 
       warn :result => result,
         :warning_type => "Remote Code Execution",

data/lib/brakeman/options.rb

@@ -91,13 +91,18 @@ module Brakeman::Options
         opts.on "--url-safe-methods method1,method2,etc", Array, "Do not warn of XSS if the link_to href parameter is wrapped in a safe method" do |methods|
           options[:url_safe_methods] ||= Set.new
           options[:url_safe_methods].merge methods.map {|e| e.to_sym }
-        end        
+        end
 
         opts.on "--skip-files file1,file2,etc", Array, "Skip processing of these files" do |files|
           options[:skip_files] ||= Set.new
           options[:skip_files].merge files
         end
 
+        opts.on "--only-files file1,file2,etc", Array, "Process only these files" do |files|
+          options[:only_files] ||= Set.new
+          options[:only_files].merge files
+        end
+
         opts.on "--skip-libs", "Skip processing lib directory" do
           options[:skip_libs] = true
         end
@@ -128,11 +133,11 @@ module Brakeman::Options
         opts.separator "Output options:"
 
         opts.on "-d", "--debug", "Lots of output" do
-          options[:debug] = true 
+          options[:debug] = true
         end
 
-        opts.on "-f", 
-          "--format TYPE", 
+        opts.on "-f",
+          "--format TYPE",
           [:pdf, :text, :html, :csv, :tabs, :json],
           "Specify output formats. Default is text" do |type|
 
@@ -173,13 +178,13 @@ module Brakeman::Options
           options[:summary_only] = true
         end
 
-        opts.on "--relative-paths", "Output relative file paths in reports" do
-          options[:relative_paths] = true
+        opts.on "--absolute-paths", "Output absolute file paths in reports" do
+          options[:absolute_paths] = true
         end
 
-        opts.on "-w", 
-          "--confidence-level LEVEL", 
-          ["1", "2", "3"], 
+        opts.on "-w",
+          "--confidence-level LEVEL",
+          ["1", "2", "3"],
           "Set minimal confidence level (1 - 3)" do |level|
 
           options[:min_confidence] =  3 - level.to_i

data/lib/brakeman/processors/controller_alias_processor.rb

@@ -64,16 +64,9 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
     end
   end
 
-  #Processes a class which is probably a controller.
-  #(This method should be retired - only classes should ever be processed
-  # and @current_module will never be set, leading to inaccurate class names)
+  #Skip it, must be an inner class
   def process_class exp
-    @current_class = class_name(exp.class_name)
-    if @current_module
-      @current_class = ("#@current_module::#@current_class").to_sym
-    end
-
-    process_default exp
+    exp
   end
 
   #Processes a method definition, which may include
@@ -226,7 +219,8 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
     while controller
       filters = get_before_filters(method, controller) + filters
 
-      controller = @tracker.controllers[controller[:parent]]
+      controller = @tracker.controllers[controller[:parent]] ||
+                   @tracker.libs[controller[:parent]]
     end
 
     filters

data/lib/brakeman/processors/controller_processor.rb

@@ -24,15 +24,6 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
   def process_class exp
     name = class_name(exp.class_name)
 
-    if @controller
-      Brakeman.debug "[Notice] Skipping inner class: #{name}"
-      return ignore
-    end
-
-    if @current_module
-      name = (@current_module.to_s + "::" + name.to_s).to_sym
-    end
-
     begin
       parent = class_name exp.parent_name
     rescue StandardError => e
@@ -40,6 +31,59 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
       parent = nil
     end
 
+    #If inside a real controller, treat any other classes as libraries.
+    #But if not inside a controller already, then the class may include
+    #a real controller, so we can't take this shortcut.
+    if @controller and @controller[:name].to_s.end_with? "Controller"
+      Brakeman.debug "[Notice] Treating inner class as library: #{name}"
+      Brakeman::LibraryProcessor.new(@tracker).process_library exp, @file_name
+      return exp
+    end
+
+    if not name.to_s.end_with? "Controller"
+      Brakeman.debug "[Notice] Adding noncontroller as library: #{name}"
+
+      current_controller = @controller
+
+      #Set the class to be a module in order to get the right namespacing.
+      #Add class to libraries, in case it is needed later (e.g. it's used
+      #as a parent class for a controller.)
+      #However, still want to process it in this class, so have to set
+      #@controller to this not-really-a-controller thing.
+      process_module exp do
+        name = @current_module
+
+        if @tracker.libs[name.to_sym]
+          @controller = @tracker.libs[name]
+        else
+          set_controller name, parent, exp
+          @tracker.libs[name.to_sym] = @controller
+        end
+
+        process_all exp.body
+      end
+
+      @controller = current_controller
+
+      return exp
+    end
+
+    if @current_module
+      name = (@current_module.to_s + "::" + name.to_s).to_sym
+    end
+
+    set_controller name, parent, exp
+
+    @tracker.controllers[@controller[:name]] = @controller
+
+    exp.body = process_all! exp.body
+    set_layout_name
+
+    @controller = nil
+    exp
+  end
+
+  def set_controller name, parent, exp
     @controller = { :name => name,
                     :parent => parent,
                     :includes => [],
@@ -49,11 +93,6 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
                     :options => {:before_filters => []},
                     :src => exp,
                     :file => @file_name }
-    @tracker.controllers[@controller[:name]] = @controller
-    exp.body = process_all! exp.body
-    set_layout_name
-    @controller = nil
-    exp
   end
 
   #Look for specific calls inside the controller