brakeman 2.1.2 → 2.2.0

data/CHANGES

@@ -1,3 +1,12 @@
+# 2.2.0 
+
+ * Reduce command injection false positives
+ * Use Rails version from Gemfile if it is available
+ * Only add routes with actual names
+ * Ignore redirects to models using friendly_id (AJ Ostrow) 
+ * Support scanning Rails engines (Geoffrey Hichborn)
+ * Add check for detailed exceptions in production
+
 # 2.1.2
 
  * Do not attempt to load custom Haml filters

data/README.md

@@ -29,7 +29,7 @@ Using RubyGems:
 
     gem install brakeman
 
-Using Bundler, add to development group in Gemfile:
+Using Bundler, add to development group in Gemfile and set to not be required automatically:
 
     group :development do
       gem 'brakeman', :require => false
@@ -163,4 +163,6 @@ The default config locations are `./config/brakeman.yml`, `~/.brakeman/config.ym
 
 The `-c` option can be used to specify a configuration file to use.
 
-# License see MIT-LICENSE
+# License
+
+see MIT-LICENSE

data/lib/brakeman/app_tree.rb

@@ -66,7 +66,7 @@ module Brakeman
     end
 
     def layout_exists?(name)
-      pattern = "#{@root}/app/views/layouts/#{name}.html.{erb,haml,slim}"
+      pattern = "#{@root}/{engines/*/,}app/views/layouts/#{name}.html.{erb,haml,slim}"
       !Dir.glob(pattern).empty?
     end
 
@@ -77,7 +77,7 @@ module Brakeman
   private
 
     def find_paths(directory, extensions = "*.rb")
-      pattern = @root + "/#{directory}/**/#{extensions}"
+      pattern = @root + "/{engines/*/,}#{directory}/**/#{extensions}"
 
       select_files(Dir.glob(pattern).sort)
     end

data/lib/brakeman/checks/check_detailed_exceptions.rb

@@ -0,0 +1,54 @@
+require 'brakeman/checks/base_check'
+
+# Check for detailed exceptions enabled for production
+class Brakeman::CheckDetailedExceptions < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  LOCAL_REQUEST = s(:call, s(:call, nil, :request), :local?)
+
+  @description = "Checks for information disclosure displayed via detailed exceptions"
+
+  def run_check
+    check_local_request_config
+    check_detailed_exceptions
+  end
+
+  def check_local_request_config
+    if true? tracker.config[:rails][:consider_all_requests_local]
+      warn :warning_type => "Information Disclosure",
+           :warning_code => :local_request_config,
+           :message => "Detailed exceptions are enabled in production",
+           :confidence => CONFIDENCE[:high],
+           :file => "config/environments/production.rb"
+    end
+  end
+
+  def check_detailed_exceptions
+    tracker.controllers.each do |name, controller|
+      controller[:public].each do |name, method|
+        body = method.body.last
+        next unless body
+
+        if name == :show_detailed_exceptions? and not safe? body
+          if true? body
+            confidence = CONFIDENCE[:high]
+          else
+            confidence = CONFIDENCE[:med]
+          end
+
+          warn :warning_type => "Information Disclosure",
+               :warning_code => :detailed_exceptions,
+               :message => "Detailed exceptions may be enabled in 'show_detailed_exceptions?'",
+               :confidence => confidence,
+               :code => method,
+               :file => controller[:file]
+        end
+      end
+    end
+  end
+
+  def safe? body
+    false? body or
+    body == LOCAL_REQUEST
+  end
+end

data/lib/brakeman/checks/check_execute.rb

@@ -13,6 +13,10 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
 
   @description = "Finds instances of possible command injection"
 
+  SAFE_VALUES = [s(:const, :RAILS_ROOT),
+                  s(:call, s(:const, :Rails), :root),
+                  s(:call, s(:const, :Rails), :env)]
+
   #Check models, controllers, and views for command injection.
   def run_check
     Brakeman.debug "Finding system calls using ``"
@@ -38,9 +42,9 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
 
     case call.method
     when :system, :exec
-      failure = include_user_input?(first_arg) || include_interp?(first_arg)
+      failure = include_user_input?(first_arg) || dangerous_interp?(first_arg)
     else
-      failure = include_user_input?(args) || include_interp?(args)
+      failure = include_user_input?(args) || dangerous_interp?(args)
     end
 
     if failure and not duplicate? result
@@ -82,9 +86,11 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
     if input = include_user_input?(exp)
       confidence = CONFIDENCE[:high]
       user_input = input.match
-    else
+    elsif input = dangerous?(exp)
       confidence = CONFIDENCE[:med]
-      user_input = nil
+      user_input = input
+    else
+      return
     end
 
     warn :result => result,
@@ -95,4 +101,39 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
       :user_input => user_input,
       :confidence => confidence
   end
+
+  def dangerous? exp
+    exp.each_sexp do |e|
+      next if node_type? e, :lit, :str
+      next if SAFE_VALUES.include? e
+
+      if call? e and e.method == :to_s
+        e = e.target
+      end
+
+      if node_type? e, :or, :evstr, :string_eval, :string_interp
+        if res = dangerous?(e)
+          return res
+        end
+      else
+        return e
+      end
+    end
+
+    false
+  end
+
+  def dangerous_interp? exp
+    match = include_interp? exp
+    return unless match
+    interp = match.match
+
+    interp.each_sexp do |e|
+      if res = dangerous?(e)
+        return Match.new(:interp, res)
+      end
+    end
+
+    false
+  end
 end

data/lib/brakeman/checks/check_redirect.rb

@@ -128,7 +128,7 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
     if node_type? exp, :or
       model_instance? exp.lhs or model_instance? exp.rhs
     elsif call? exp
-      if model_name? exp.target and
+      if model_name? exp.target or friendly_model? exp.target and
         (@model_find_calls.include? exp.method or exp.method.to_s.match(/^find_by_/))
         true
       else
@@ -137,6 +137,12 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
     end
   end
 
+  #Returns true if exp is (probably) a friendly model instance
+  #using the FriendlyId gem
+  def friendly_model? exp
+    call? exp and model_name? exp.target and exp.method == :friendly
+  end
+  
   #Returns true if exp is (probably) a decorated model instance
   #using the Draper gem
   def decorated_model? exp

data/lib/brakeman/processors/gem_processor.rb

@@ -19,6 +19,11 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
       @tracker.config[:rails_version] = $1
     end
 
+    if @tracker.config[:rails_version] =~ /^(3|4)\./ and not @tracker.options[:rails3]
+      @tracker.options[:rails3] = true
+      Brakeman.notify "[Notice] Detected Rails #$1 application"
+    end
+
     if @tracker.config[:gems][:rails_xss]
       @tracker.config[:escape_html] = true
 

data/lib/brakeman/processors/lib/route_helper.rb

@@ -29,6 +29,8 @@ module Brakeman::RouteHelper
       route = route.value
     end
 
+    return unless route.is_a? String or route.is_a? Symbol
+
     route = route.to_sym
 
     if controller

data/lib/brakeman/scanner.rb

@@ -47,10 +47,10 @@ class Brakeman::Scanner
 
   #Process everything in the Rails application
   def process
-    Brakeman.notify "Processing configuration..."
-    process_config
     Brakeman.notify "Processing gems..."
     process_gems
+    Brakeman.notify "Processing configuration..."
+    process_config
     Brakeman.notify "Processing initializers..."
     process_initializers
     Brakeman.notify "Processing libs..."

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "2.1.2"
+  Version = "2.2.0"
 end

data/lib/brakeman/warning_codes.rb

@@ -60,7 +60,9 @@ module Brakeman::WarningCodes
     :CVE_2013_1856 => 57,
     :CVE_2013_1857 => 58,
     :unsafe_symbol_creation => 59,
-    :dangerous_attr_accessible => 60
+    :dangerous_attr_accessible => 60,
+    :local_request_config => 61,
+    :detailed_exceptions => 62
   }
 
   def self.code name

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: brakeman
 version: !ruby/object:Gem::Version 
-  hash: 15
+  hash: 7
   prerelease: 
   segments: 
   - 2
-  - 1
   - 2
-  version: 2.1.2
+  - 0
+  version: 2.2.0
 platform: ruby
 authors: 
 - Justin Collins
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2013-09-18 00:00:00 Z
+date: 2013-10-28 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: ruby_parser
@@ -87,12 +87,12 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
-        hash: 41
+        hash: 39
         segments: 
         - 1
         - 6
-        - 19
-        version: 1.6.19
+        - 20
+        version: 1.6.20
   type: :runtime
   version_requirements: *id005
 - !ruby/object:Gem::Dependency 
@@ -235,6 +235,7 @@ files:
 - lib/brakeman/warning_codes.rb
 - lib/brakeman/app_tree.rb
 - lib/brakeman/checks/check_select_vulnerability.rb
+- lib/brakeman/checks/check_detailed_exceptions.rb
 - lib/brakeman/checks/check_escape_function.rb
 - lib/brakeman/checks/check_single_quotes.rb
 - lib/brakeman/checks/check_model_serialize.rb