brakeman 2.4.3 → 2.5.0

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    NzVjZjYxZWMzOTRhYzI0YTA0M2ZlYjkxNDQyZjFkZTNlYzYxZTk4ZA==
+  data.tar.gz: !binary |-
+    MjY3ZGNkNGJkYzZlOWJmNjI2MGVkMmYxNDMzMDVkOTBkMzZlN2JkYg==
+SHA512:
+  metadata.gz: !binary |-
+    YzZiNTlkMmU2OGRjOTdiZDA1ZWFhMmEwNzUyNzcwMmI5ZmNmOTRmOGRjMjc2
+    NTkzZTZmOTc0MzIyYTRjN2Y2ZDBjZjJiZDJlNmQ3NDhlM2E5YTZjNTA2ZDI1
+    MGM2NjNkY2YxYjNhZTVmNWJjZDZmNmE4ZGViNGJkNjc2ODdlNWU=
+  data.tar.gz: !binary |-
+    MTY0ZjY2ZjIyM2VkMTUxYWNhZjFiOGI0YTAzNTUzODhjZTI5MjMyNmNkNGE5
+    MTI1ZmM2MGIwMTg3ZjJkNmFjZjY3Zjk5NzNlNTQzNjk2NTc1ZmNhNDU3Nzhl
+    NmI1NTBkZDAwNjkzNjFiMGRiMzg0ODRmMjA4MGZlN2VhOGEyM2I=

data/CHANGES

@@ -1,3 +1,18 @@
+# 2.5.0
+
+ * Add support for RailsLTS 2.3.18.7 and 2.3.18.8
+ * Add support for Rails 4 `before_actions` and friends
+ * Move SQLi CVE checks to `CheckSQLCVEs`
+ * Check for protected_attributes gem
+ * Fix SQLi detection in chain calls in scopes
+ * Add GitHub-flavored Markdown output format (Greg Ose)
+ * Fix false positives when sanitize() is used in SQL (Jeff Yip)
+ * Add String#intern and Hash#symbolize_keys DoS check (Jan Rusnacko)
+ * Check all arguments in Model.select for SQLi
+ * Fix false positive when :host is specified in redirect
+ * Handle more non-literals in routes
+ * Add check for regex denial of service (Ben Toews) 
+
 # 2.4.3
 
  No changes. 2.4.2 gem release was unsigned, 2.4.3 is signed.

data/lib/brakeman.rb

@@ -24,6 +24,7 @@ module Brakeman
   #  * :config_file - configuration file
   #  * :escape_html - escape HTML by default (automatic)
   #  * :exit_on_warn - return false if warnings found, true otherwise. Not recommended for library use (default: false)
+  #  * :github_repo - github repo to use for file links (user/repo[/path][@ref])
   #  * :highlight_user_input - highlight user input in reported warnings (default: true)
   #  * :html_style - path to CSS file
   #  * :ignore_model_output - consider models safe (default: false)
@@ -77,6 +78,7 @@ module Brakeman
 
     options[:app_path] = File.expand_path(options[:app_path])
     options[:output_formats] = get_output_formats options
+    options[:github_url] = get_github_url options
 
     options
   end
@@ -166,6 +168,8 @@ module Brakeman
       [:to_tabs]
     when :json, :to_json
       [:to_json]
+    when :markdown, :to_markdown
+      [:to_markdown]
     else
       [:to_s]
     end
@@ -185,6 +189,8 @@ module Brakeman
         :to_tabs
       when /\.json$/i
         :to_json
+      when /\.md$/i
+        :to_markdown
       else
         :to_s
       end
@@ -192,6 +198,22 @@ module Brakeman
   end
   private_class_method :get_formats_from_output_files
 
+  def self.get_github_url options
+    if github_repo = options[:github_repo]
+      full_repo, ref = github_repo.split '@', 2
+      name, repo, path = full_repo.split '/', 3
+      unless name && repo && !(name.empty? || repo.empty?)
+        raise ArgumentError, "Invalid GitHub repository format"
+      end
+      path.chomp '/' if path
+      ref ||= 'master'
+      ['https://github.com', name, repo, 'blob', ref, path].compact.join '/'
+    else
+      nil
+    end
+  end
+  private_class_method :get_github_url
+
   #Output list of checks (for `-k` option)
   def self.list_checks
     require 'brakeman/scanner'

data/lib/brakeman/checks/base_check.rb

@@ -177,7 +177,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       tracker.config[:rails][:active_record][:whitelist_attributes] == Sexp.new(:true)
 
       @mass_assign_disabled = true
-    elsif version_between?("4.0.0", "4.9.9")
+    elsif version_between?("4.0.0", "4.9.9") and not tracker.config[:gems][:protected_attributes]
       #May need to revisit dependng on what Rails 4 actually does/has
       @mass_assign_disabled = true
     else

data/lib/brakeman/checks/check_number_to_currency.rb

@@ -10,6 +10,8 @@ class Brakeman::CheckNumberToCurrency < Brakeman::BaseCheck
       version_between? "3.0.0", "3.2.16" or
       version_between? "4.0.0", "4.0.2"
 
+      return if lts_version? "2.3.18.8"
+
       check_number_helper_usage
       generic_warning unless @found_any
     end

data/lib/brakeman/checks/check_redirect.rb

@@ -31,7 +31,11 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
 
     method = call.method
 
-    if method == :redirect_to and not only_path?(call) and res = include_user_input?(call)
+    if method == :redirect_to and
+        not only_path?(call) and
+        not explicit_host?(call) and
+        res = include_user_input?(call)
+
       add_result result
 
       if res.type == :immediate
@@ -109,6 +113,16 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
     false
   end
 
+  def explicit_host? call
+    arg = call.first_arg
+
+    if hash? arg and value = hash_access(arg, :host)
+      return !has_immediate_user_input?(value)
+    end
+
+    false
+  end
+
   #+url_for+ is only_path => true by default. This checks to see if it is
   #set to false for some reason.
   def check_url_for call

data/lib/brakeman/checks/check_regex_dos.rb

@@ -0,0 +1,69 @@
+require 'brakeman/checks/base_check'
+
+#This check looks for regexes that include user input.
+class Brakeman::CheckRegexDoS < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  ESCAPES = {
+    s(:const, :Regexp) => [
+      :escape,
+      :quote
+    ]
+  }
+
+  @description = "Searches regexes including user input"
+
+  #Process calls
+  def run_check
+    Brakeman.debug "Finding dynamic regexes"
+    calls = tracker.find_call :method => [:brakeman_regex_interp]
+
+    Brakeman.debug "Processing dynamic regexes"
+    calls.each do |call|
+      process_result call
+    end
+  end
+
+  #Warns if regex includes user input
+  def process_result result
+    return if duplicate? result
+    add_result result
+
+    call = result[:call]
+    components = call[1..-1]
+
+    components.any? do |component|
+      next unless sexp? component
+
+      if match = has_immediate_user_input?(component)
+        confidence = CONFIDENCE[:high]
+      elsif match = has_immediate_model?(component)
+        match = Match.new(:model, match)
+        confidence = CONFIDENCE[:med]
+      elsif match = include_user_input?(component)
+        confidence = CONFIDENCE[:low]
+      end
+
+      if match
+        message = "#{friendly_type_of(match).capitalize} used in regex"
+
+        warn :result => result,
+          :warning_type => "Denial of Service",
+          :warning_code => :regex_dos,
+          :message => message,
+          :confidence => confidence,
+          :user_input => match.match
+      end
+    end
+  end
+
+  def process_call(exp)
+    if escape_methods = ESCAPES[exp.target]
+      if escape_methods.include? exp.method
+        return exp
+      end
+    end
+
+    super
+  end
+end

data/lib/brakeman/checks/check_select_vulnerability.rb

@@ -9,7 +9,9 @@ class Brakeman::CheckSelectVulnerability < Brakeman::BaseCheck
 
   def run_check
 
-    if version_between? "3.0.0", "3.0.11"
+    if lts_version? "2.3.18.7"
+      return
+    elsif version_between? "3.0.0", "3.0.11"
       suggested_version = "3.0.12"
     elsif version_between? "3.1.0", "3.1.3"
       suggested_version = "3.1.4"

data/lib/brakeman/checks/check_skip_before_filter.rb

@@ -14,7 +14,7 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
 
   def run_check
     tracker.controllers.each do |name, controller|
-      filter_skips = (controller[:options][:skip_before_filter] || []) + (controller[:options][:skip_filter] || [])
+      filter_skips = controller[:options].values_at(:skip_before_filter, :skip_filter, :skip_before_action, :skip_action_callback).compact.flatten(1)
 
       filter_skips.each do |filter|
         process_skip_filter filter, controller

data/lib/brakeman/checks/check_sql.rb

@@ -46,13 +46,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     Brakeman.debug "Finding calls to named_scope or scope"
     calls.concat find_scope_calls
 
-    Brakeman.debug "Checking version of Rails for CVE issues"
-    check_rails_versions_against_cve_issues
-
     Brakeman.debug "Processing possible SQL calls"
     calls.each { |call| process_result call }
-
-    check_CVE_2014_0080
   end
 
   #Find calls to named_scope() or scope() in models
@@ -65,7 +60,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
         call = make_call(nil, :named_scope, args).line(args.line)
         scope_calls << scope_call_hash(call, name, :named_scope)
       end
-    elsif version_between?("3.1.0", "3.9.9")
+    elsif version_between?("3.1.0", "4.9.9")
       ar_scope_calls(:scope) do |name, args|
         second_arg = args[2]
         next unless sexp? second_arg
@@ -114,8 +109,12 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       find_calls.process_source(block, :class => model_name, :method => scope_name)
       find_calls.calls.each { |call| process_result(call) if @sql_targets.include?(call[:method]) }
     elsif block.node_type == :call
-      process_result :target => block.target, :method => block.method, :call => block,
-        :location => { :type => :class, :class => model_name, :method => scope_name }
+      while call? block
+        process_result :target => block.target, :method => block.method, :call => block,
+         :location => { :type => :class, :class => model_name, :method => scope_name }
+
+        block = block.target
+      end
     end
   end
 
@@ -179,13 +178,13 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
                         check_order_arguments call.arglist
                       when :joins
                         check_joins_arguments call.first_arg
-                      when :from, :select
+                      when :from
                         unsafe_sql? call.first_arg
                       when :lock
                         check_lock_arguments call.first_arg
                       when :pluck
                         unsafe_sql? call.first_arg
-                      when :update_all
+                      when :update_all, :select
                         check_update_all_arguments call.args
                       when *@connection_calls
                         check_by_sql_arguments call.first_arg
@@ -540,7 +539,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     :sanitize_sql, :sanitize_sql_array, :sanitize_sql_for_assignment,
     :sanitize_sql_for_conditions, :sanitize_sql_hash,
     :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
-    :to_sql]
+    :to_sql, :sanitize]
 
   def safe_value? exp
     return true unless sexp? exp
@@ -639,82 +638,4 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       active_record_models.include? klass
     end
   end
-
-  # TODO: Move all SQL CVE checks to separate class
-  def check_CVE_2014_0080
-    return unless version_between? "4.0.0", "4.0.2" and
-                  @tracker.config[:gems].include? :pg
-
-    warn :warning_type => 'SQL Injection',
-      :warning_code => :CVE_2014_0080,
-      :message => "Rails #{tracker.config[:rails_version]} contains a SQL injection vulnerability (CVE-2014-0080) with PostgreSQL. Upgrade to 4.0.3",
-      :confidence => CONFIDENCE[:high],
-      :file => gemfile_or_environment,
-      :link_path => "https://groups.google.com/d/msg/rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ"
-  end
-
-  def upgrade_version? versions
-    versions.each do |low, high, upgrade|
-      return upgrade if version_between? low, high
-    end
-
-    false
-  end
-
-  def check_rails_versions_against_cve_issues
-    issues = [
-      {
-        :cve => "CVE-2012-2660",
-        :versions => [%w[2.0.0 2.3.14 2.3.17], %w[3.0.0 3.0.12 3.0.13], %w[3.1.0 3.1.4 3.1.5], %w[3.2.0 3.2.3 3.2.4]],
-        :url => "https://groups.google.com/d/topic/rubyonrails-security/8SA-M3as7A8/discussion"
-      },
-      {
-        :cve => "CVE-2012-2661",
-        :versions => [%w[3.0.0 3.0.12 3.0.13], %w[3.1.0 3.1.4 3.1.5], %w[3.2.0 3.2.3 3.2.5]],
-        :url => "https://groups.google.com/d/topic/rubyonrails-security/dUaiOOGWL1k/discussion"
-      },
-      {
-        :cve => "CVE-2012-2695",
-        :versions => [%w[2.0.0 2.3.14 2.3.15], %w[3.0.0 3.0.13 3.0.14], %w[3.1.0 3.1.5 3.1.6], %w[3.2.0 3.2.5 3.2.6]],
-        :url => "https://groups.google.com/d/topic/rubyonrails-security/l4L0TEVAz1k/discussion"
-      },
-      {
-        :cve => "CVE-2012-5664",
-        :versions => [%w[2.0.0 2.3.14 2.3.15], %w[3.0.0 3.0.17 3.0.18], %w[3.1.0 3.1.8 3.1.9], %w[3.2.0 3.2.9 3.2.18]],
-        :url => "https://groups.google.com/d/topic/rubyonrails-security/DCNTNp_qjFM/discussion"
-      },
-      {
-        :cve => "CVE-2013-0155",
-        :versions => [%w[2.0.0 2.3.15 2.3.16], %w[3.0.0 3.0.18 3.0.19], %w[3.1.0 3.1.9 3.1.10], %w[3.2.0 3.2.10 3.2.11]],
-        :url => "https://groups.google.com/d/topic/rubyonrails-security/c7jT-EeN9eI/discussion"
-      },
-
-    ]
-
-    unless lts_version? '2.3.18.6'
-     issues << {
-        :cve => "CVE-2013-6417",
-        :versions => [%w[2.0.0 3.2.15 3.2.16], %w[4.0.0 4.0.1 4.0.2]],
-        :url => "https://groups.google.com/d/msg/ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ"
-      }
-    end
-
-    issues.each do |cve_issue|
-      cve_warning_for cve_issue[:versions], cve_issue[:cve], cve_issue[:url]
-    end
-  end
-
-  def cve_warning_for versions, cve, link
-    upgrade_version = upgrade_version? versions
-    return unless upgrade_version
-
-    code = cve.tr('-', '_').to_sym
-
-    warn :warning_type => 'SQL Injection',
-      :warning_code => code,
-      :message => "Rails #{tracker.config[:rails_version]} contains a SQL injection vulnerability (#{cve}). Upgrade to #{upgrade_version}",
-      :confidence => CONFIDENCE[:high],
-      :file => gemfile_or_environment,
-      :link_path => link
-  end
 end

data/lib/brakeman/checks/check_sql_cves.rb

@@ -0,0 +1,89 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckSQLCVEs < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for several SQL CVEs"
+
+  def run_check
+    check_rails_versions_against_cve_issues
+    check_cve_2014_0080
+  end
+
+  def check_rails_versions_against_cve_issues
+    issues = [
+      {
+        :cve => "CVE-2012-2660",
+        :versions => [%w[2.0.0 2.3.14 2.3.17], %w[3.0.0 3.0.12 3.0.13], %w[3.1.0 3.1.4 3.1.5], %w[3.2.0 3.2.3 3.2.4]],
+        :url => "https://groups.google.com/d/topic/rubyonrails-security/8SA-M3as7A8/discussion"
+      },
+      {
+        :cve => "CVE-2012-2661",
+        :versions => [%w[3.0.0 3.0.12 3.0.13], %w[3.1.0 3.1.4 3.1.5], %w[3.2.0 3.2.3 3.2.5]],
+        :url => "https://groups.google.com/d/topic/rubyonrails-security/dUaiOOGWL1k/discussion"
+      },
+      {
+        :cve => "CVE-2012-2695",
+        :versions => [%w[2.0.0 2.3.14 2.3.15], %w[3.0.0 3.0.13 3.0.14], %w[3.1.0 3.1.5 3.1.6], %w[3.2.0 3.2.5 3.2.6]],
+        :url => "https://groups.google.com/d/topic/rubyonrails-security/l4L0TEVAz1k/discussion"
+      },
+      {
+        :cve => "CVE-2012-5664",
+        :versions => [%w[2.0.0 2.3.14 2.3.15], %w[3.0.0 3.0.17 3.0.18], %w[3.1.0 3.1.8 3.1.9], %w[3.2.0 3.2.9 3.2.18]],
+        :url => "https://groups.google.com/d/topic/rubyonrails-security/DCNTNp_qjFM/discussion"
+      },
+      {
+        :cve => "CVE-2013-0155",
+        :versions => [%w[2.0.0 2.3.15 2.3.16], %w[3.0.0 3.0.18 3.0.19], %w[3.1.0 3.1.9 3.1.10], %w[3.2.0 3.2.10 3.2.11]],
+        :url => "https://groups.google.com/d/topic/rubyonrails-security/c7jT-EeN9eI/discussion"
+      },
+
+    ]
+
+    unless lts_version? '2.3.18.6'
+     issues << {
+        :cve => "CVE-2013-6417",
+        :versions => [%w[2.0.0 3.2.15 3.2.16], %w[4.0.0 4.0.1 4.0.2]],
+        :url => "https://groups.google.com/d/msg/ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ"
+      }
+    end
+
+    issues.each do |cve_issue|
+      cve_warning_for cve_issue[:versions], cve_issue[:cve], cve_issue[:url]
+    end
+  end
+
+  def cve_warning_for versions, cve, link
+    upgrade_version = upgrade_version? versions
+    return unless upgrade_version
+
+    code = cve.tr('-', '_').to_sym
+
+    warn :warning_type => 'SQL Injection',
+      :warning_code => code,
+      :message => "Rails #{tracker.config[:rails_version]} contains a SQL injection vulnerability (#{cve}). Upgrade to #{upgrade_version}",
+      :confidence => CONFIDENCE[:high],
+      :file => gemfile_or_environment,
+      :link_path => link
+  end
+
+  def upgrade_version? versions
+    versions.each do |low, high, upgrade|
+      return upgrade if version_between? low, high
+    end
+
+    false
+  end
+
+  def check_cve_2014_0080
+    return unless version_between? "4.0.0", "4.0.2" and
+                  @tracker.config[:gems].include? :pg
+
+    warn :warning_type => 'SQL Injection',
+      :warning_code => :CVE_2014_0080,
+      :message => "Rails #{tracker.config[:rails_version]} contains a SQL injection vulnerability (CVE-2014-0080) with PostgreSQL. Upgrade to 4.0.3",
+      :confidence => CONFIDENCE[:high],
+      :file => gemfile_or_environment,
+      :link_path => "https://groups.google.com/d/msg/rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ"
+  end
+end