brakeman 2.6.3 → 3.0.0

data/lib/brakeman/checks/check_number_to_currency.rb

@@ -30,7 +30,7 @@ class Brakeman::CheckNumberToCurrency < Brakeman::BaseCheck
       :warning_code => :CVE_2014_0081,
       :message => message,
       :confidence => CONFIDENCE[:med],
-      :file => gemfile_or_environment,
+      :gem_info => gemfile_or_environment,
       :link_path => "https://groups.google.com/d/msg/ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ"
   end
 

data/lib/brakeman/checks/check_quote_table_name.rb

@@ -27,7 +27,7 @@ class Brakeman::CheckQuoteTableName < Brakeman::BaseCheck
         :warning_code => :CVE_2011_2930,
         :message => message,
         :confidence => confidence,
-        :file => gemfile_or_environment,
+        :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/ah5HN0S8OJs/discussion"
     end
   end

data/lib/brakeman/checks/check_render.rb

@@ -36,13 +36,13 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
 
 
       if input = has_immediate_user_input?(view)
-        confidence = CONFIDENCE[:high]
-      elsif input = include_user_input?(view)
         if node_type? view, :string_interp, :dstr
           confidence = CONFIDENCE[:med]
         else
-          confidence = CONFIDENCE[:low]
+          confidence = CONFIDENCE[:high]
         end
+      elsif input = include_user_input?(view)
+        confidence = CONFIDENCE[:low]
       else
         return
       end

data/lib/brakeman/checks/check_render_dos.rb

@@ -32,6 +32,6 @@ class Brakeman::CheckRenderDoS < Brakeman::BaseCheck
       :message => message,
       :confidence => CONFIDENCE[:high],
       :link_path => "https://groups.google.com/d/msg/rubyonrails-security/LMxO_3_eCuc/ozGBEhKaJbIJ",
-      :file => gemfile_or_environment
+      :gem_info => gemfile_or_environment
   end
 end

data/lib/brakeman/checks/check_render_inline.rb

@@ -0,0 +1,42 @@
+class Brakeman::CheckRenderInline < Brakeman::CheckCrossSiteScripting
+  Brakeman::Checks.add self
+
+  @description = "Checks for cross site scripting in render calls"
+
+  def run_check
+    setup
+
+    tracker.find_call(:target => nil, :method => :render).each do |result|
+      check_render result
+    end
+  end
+
+  def check_render result
+    return if duplicate? result
+    add_result result
+
+    call = result[:call]
+
+    if node_type? call, :render and
+      (call.render_type == :text or call.render_type == :inline)
+
+      render_value = call[2]
+
+      if input = has_immediate_user_input?(render_value)
+        warn :result => result,
+          :warning_type => "Cross Site Scripting",
+          :warning_code => :cross_site_scripting_inline,
+          :message => "Unescaped #{friendly_type_of input} rendered inline",
+          :code => input.match,
+          :confidence => CONFIDENCE[:high]
+      elsif input = has_immediate_model?(render_value)
+        warn :result => result,
+          :warning_type => "Cross Site Scripting",
+          :warning_code => :cross_site_scripting_inline,
+          :message => "Unescaped model attribute rendered inline",
+          :code => input,
+          :confidence => CONFIDENCE[:med]
+      end
+    end
+  end
+end

data/lib/brakeman/checks/check_response_splitting.rb

@@ -14,7 +14,7 @@ class Brakeman::CheckResponseSplitting < Brakeman::BaseCheck
         :warning_code => :CVE_2011_3186,
         :message => "Versions before 2.3.14 have a vulnerability content type handling allowing injection of headers: CVE-2011-3186",
         :confidence => CONFIDENCE[:med],
-        :file => gemfile_or_environment,
+        :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/b_yTveAph2g/discussion"
     end
   end

data/lib/brakeman/checks/check_safe_buffer_manipulation.rb

@@ -26,6 +26,6 @@ class Brakeman::CheckSafeBufferManipulation < Brakeman::BaseCheck
       :warning_code => :safe_buffer_vuln, 
       :message => message,
       :confidence => CONFIDENCE[:med],
-      :file => gemfile_or_environment
+      :gem_info => gemfile_or_environment
   end
 end

data/lib/brakeman/checks/check_simple_format.rb

@@ -22,7 +22,7 @@ class Brakeman::CheckSimpleFormat < Brakeman::CheckCrossSiteScripting
       :warning_code => :CVE_2013_6416,
       :message => message,
       :confidence => CONFIDENCE[:med],
-      :file => gemfile_or_environment,
+      :gem_info => gemfile_or_environment,
       :link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ"
   end
 
@@ -53,7 +53,7 @@ class Brakeman::CheckSimpleFormat < Brakeman::CheckCrossSiteScripting
       :warning_code => :CVE_2013_6416_call,
       :message => "Values passed to simple_format are not safe in Rails #{@tracker.config[:rails_version]}",
       :confidence => CONFIDENCE[:high],
-      :file => gemfile_or_environment,
+      :gem_info => gemfile_or_environment,
       :link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ",
       :user_input => match.match
   end

data/lib/brakeman/checks/check_single_quotes.rb

@@ -33,7 +33,7 @@ class Brakeman::CheckSingleQuotes < Brakeman::BaseCheck
       :warning_code => :CVE_2012_3464,
       :message => message,
       :confidence => CONFIDENCE[:med],
-      :file => gemfile_or_environment,
+      :gem_info => gemfile_or_environment,
       :link_path => "https://groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion"
   end
 

data/lib/brakeman/checks/check_skip_before_filter.rb

@@ -14,7 +14,7 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
 
   def run_check
     tracker.controllers.each do |name, controller|
-      filter_skips = controller[:options].values_at(:skip_before_filter, :skip_filter, :skip_before_action, :skip_action_callback).compact.flatten(1)
+      filter_skips = controller[:options][:skip_filters]
 
       filter_skips.each do |filter|
         process_skip_filter filter, controller

data/lib/brakeman/checks/check_sql_cves.rb

@@ -75,7 +75,7 @@ class Brakeman::CheckSQLCVEs < Brakeman::BaseCheck
       :warning_code => code,
       :message => "Rails #{tracker.config[:rails_version]} contains a SQL injection vulnerability (#{cve}). Upgrade to #{upgrade_version}",
       :confidence => CONFIDENCE[:high],
-      :file => gemfile_or_environment,
+      :gem_info => gemfile_or_environment,
       :link_path => link
   end
 
@@ -95,7 +95,7 @@ class Brakeman::CheckSQLCVEs < Brakeman::BaseCheck
       :warning_code => :CVE_2014_0080,
       :message => "Rails #{tracker.config[:rails_version]} contains a SQL injection vulnerability (CVE-2014-0080) with PostgreSQL. Upgrade to 4.0.3",
       :confidence => CONFIDENCE[:high],
-      :file => gemfile_or_environment,
+      :gem_info => gemfile_or_environment(:pg),
       :link_path => "https://groups.google.com/d/msg/rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ"
   end
 end

data/lib/brakeman/checks/check_strip_tags.rb

@@ -28,7 +28,7 @@ class Brakeman::CheckStripTags < Brakeman::BaseCheck
       warn :warning_type => "Cross Site Scripting",
         :warning_code => :CVE_2011_2931,
         :message => message,
-        :file => gemfile_or_environment,
+        :gem_info => gemfile_or_environment,
         :confidence => CONFIDENCE[:high],
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/K5EwdJt06hI/discussion"
     end
@@ -52,7 +52,7 @@ class Brakeman::CheckStripTags < Brakeman::BaseCheck
       :warning_code => :CVE_2012_3465,
       :message => message,
       :confidence => CONFIDENCE[:high],
-      :file => gemfile_or_environment,
+      :gem_info => gemfile_or_environment,
       :link_path => "https://groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion"
   end
 

data/lib/brakeman/checks/check_symbol_dos.rb

@@ -1,37 +1,16 @@
 require 'brakeman/checks/base_check'
 
 class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
-  Brakeman::Checks.add self
+  Brakeman::Checks.add_optional self
 
   UNSAFE_METHODS = [:to_sym, :literal_to_sym, :intern, :symbolize_keys, :symbolize_keys!]
 
-  @description = "Checks for versions with ActiveRecord symbol denial of service, or code with a similar vulnerability"
+  @description = "Checks for symbol denial of service"
 
   def run_check
-    fix_version = case
-      when version_between?('2.0.0', '2.3.17')
-        '2.3.18'
-      when version_between?('3.1.0', '3.1.11')
-        '3.1.12'
-      when version_between?('3.2.0', '3.2.12')
-        '3.2.13'
-      else
-        nil
-      end
-
-    if fix_version && active_record_models.any?
-      warn :warning_type => "Denial of Service",
-        :warning_code => :CVE_2013_1854,
-        :message => "Rails #{tracker.config[:rails_version]} has a denial of service vulnerability in ActiveRecord: upgrade to #{fix_version} or patch",
-        :confidence => CONFIDENCE[:med],
-        :file => gemfile_or_environment,
-        :link => "https://groups.google.com/d/msg/rubyonrails-security/jgJ4cjjS8FE/BGbHRxnDRTIJ"
-    end
-
     tracker.find_call(:methods => UNSAFE_METHODS, :nested => true).each do |result|
       check_unsafe_symbol_creation(result)
     end
-
   end
 
   def check_unsafe_symbol_creation result

data/lib/brakeman/checks/check_symbol_dos_cve.rb

@@ -0,0 +1,30 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckSymbolDoSCVE < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for versions with ActiveRecord symbol denial of service vulnerability"
+
+  def run_check
+    fix_version = case
+      when version_between?('2.0.0', '2.3.17')
+        '2.3.18'
+      when version_between?('3.1.0', '3.1.11')
+        '3.1.12'
+      when version_between?('3.2.0', '3.2.12')
+        '3.2.13'
+      else
+        nil
+      end
+
+    if fix_version && active_record_models.any?
+      warn :warning_type => "Denial of Service",
+        :warning_code => :CVE_2013_1854,
+        :message => "Rails #{tracker.config[:rails_version]} has a denial of service vulnerability in ActiveRecord: upgrade to #{fix_version} or patch",
+        :confidence => CONFIDENCE[:med],
+        :gem_info => gemfile_or_environment,
+        :link => "https://groups.google.com/d/msg/rubyonrails-security/jgJ4cjjS8FE/BGbHRxnDRTIJ"
+    end
+  end
+end
+

data/lib/brakeman/checks/check_translate_bug.rb

@@ -33,7 +33,7 @@ class Brakeman::CheckTranslateBug < Brakeman::BaseCheck
         :warning_code => :translate_vuln,
         :message => message,
         :confidence => confidence,
-        :file => gemfile_or_environment,
+        :gem_info => gemfile_or_environment,
         :link_path => "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5"
     end
   end

data/lib/brakeman/checks/check_yaml_parsing.rb

@@ -28,7 +28,7 @@ class Brakeman::CheckYAMLParsing < Brakeman::BaseCheck
         :warning_code => :CVE_2013_0156,
         :message => message,
         :confidence => CONFIDENCE[:high],
-        :file => gemfile_or_environment,
+        :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/discussion"
     end
 
@@ -40,7 +40,7 @@ class Brakeman::CheckYAMLParsing < Brakeman::BaseCheck
         :warning_code => :CVE_2013_0156,
         :message => message,
         :confidence => CONFIDENCE[:high],
-        :file => gemfile_or_environment,
+        :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/discussion"
     end
   end

data/lib/brakeman/options.rb

@@ -80,6 +80,10 @@ module Brakeman::Options
           options[:ignore_attr_protected] = true
         end
 
+        opts.on "--[no-]index-libs", "Add libraries to call index (default)" do |index|
+          options[:index_libs] = index
+        end
+
         opts.on "--interprocedural", "Process method calls to known methods" do
           options[:interprocedural] = true
         end
@@ -200,8 +204,8 @@ module Brakeman::Options
           options[:output_files].push(file)
         end
 
-        opts.on "--separate-models", "Warn on each model without attr_accessible" do
-          options[:collapse_mass_assignment] = false
+        opts.on "--[no-]separate-models", "Warn on each model without attr_accessible (Default)" do |separate|
+          options[:collapse_mass_assignment] = !separate
         end
 
         opts.on "--summary", "Only output summary of warnings" do

data/lib/brakeman/parsers/rails3_erubis.rb

@@ -29,7 +29,7 @@ class Brakeman::Rails3Erubis < ::Erubis::Eruby
     end
   end
 
-  BLOCK_EXPR = /\s+(do|\{)(\s*\|[^|]*\|)?\s*\Z/
+  BLOCK_EXPR = /\s*((\s+|\))do|\{)(\s*\|[^|]*\|)?\s*\Z/
 
   def add_expr_literal(src, code)
     if code =~ BLOCK_EXPR
@@ -43,7 +43,7 @@ class Brakeman::Rails3Erubis < ::Erubis::Eruby
     if code =~ BLOCK_EXPR
       src << "@output_buffer.safe_append= " << code
     else
-      src << "@output_buffer.safe_concat(" << code << ");"
+      src << "@output_buffer.safe_append= (" << code << ");"
     end
   end
 

data/lib/brakeman/processors/alias_processor.rb

@@ -351,6 +351,33 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     exp
   end
 
+  # Multiple/parallel assignment:
+  #
+  # x, y = z, w
+  def process_masgn exp
+    unless array? exp[1] and array? exp[2] and exp[1].length == exp[2].length
+      return process_default(exp)
+    end
+
+    vars = exp[1].dup
+    vals = exp[2].dup
+
+    vars.shift
+    vals.shift
+
+    # Call each assignment as if it is normal
+    vars.each_with_index do |var, i|
+      val = vals[i]
+      if val
+        assign = var.dup
+        assign.rhs = val
+        process assign
+      end
+    end
+
+    exp
+  end
+
   #Merge values into hash when processing
   #
   # h.merge! :something => "value"
@@ -744,14 +771,40 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     end
   end
 
-  #Return true if for x += blah or @x += blah
   def self_assign? var, value
+    self_assign_var?(var, value) or self_assign_target?(var, value)
+  end
+
+  #Return true if for x += blah or @x += blah
+  def self_assign_var? var, value
     call? value and
     value.method == :+ and
     node_type? value.target, :lvar, :ivar and
     value.target.value == var
   end
 
+  #Return true for x = x.blah
+  def self_assign_target? var, value
+    target = top_target(value)
+
+    if node_type? target, :lvar, :ivar
+      target = target.value
+    end
+
+    var == target
+  end
+
+  #Returns last non-nil target in a call chain
+  def top_target exp, last = nil
+    if call? exp
+      top_target exp.target, exp
+    elsif node_type? exp, :iter, :call_with_block
+      top_target exp.block_call, last
+    else
+      exp || last
+    end
+  end
+
   def value_from_if exp
     if block? exp.else_clause or block? exp.then_clause
       #If either clause is more than a single expression, just use entire

data/lib/brakeman/processors/base_processor.rb

@@ -20,14 +20,6 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     IGNORE
   end
 
-  def process_class exp
-    current_class = @current_class
-    @current_class = class_name exp[1]
-    process_all exp.body
-    @current_class = current_class
-    exp
-  end
-
   #Process a new scope. Removes expressions that are set to nil.
   def process_scope exp
     #NOPE?

data/lib/brakeman/processors/controller_alias_processor.rb

@@ -222,6 +222,44 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
                    @tracker.libs[controller[:parent]]
     end
 
+    remove_skipped_filters filters, method, klass
+  end
+
+  def remove_skipped_filters filters, method, klass
+    controller = @tracker.controllers[klass]
+
+    while controller
+      filters = filters - get_skipped_filters(method, controller)
+
+      controller = @tracker.controllers[controller[:parent]] ||
+                   @tracker.libs[controller[:parent]]
+    end
+
+    filters
+  end
+
+  def get_skipped_filters method, controller
+    return [] unless controller[:options] and controller[:options][:skip_filters]
+
+    filters = []
+
+    if controller[:skip_filter_cache].nil?
+      controller[:skip_filter_cache] = controller[:options][:skip_filters].map do |filter|
+        before_filter_to_hash(filter.args)
+      end
+    end
+
+    controller[:skip_filter_cache].each do |f|
+      if f[:all] or
+        (f[:only] == method) or
+        (f[:only].is_a? Array and f[:only].include? method) or
+        (f[:except].is_a? Symbol and f[:except] != method) or
+        (f[:except].is_a? Array and not f[:except].include? method)
+
+        filters.concat f[:methods]
+      end
+    end
+
     filters
   end
 
@@ -235,7 +273,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
       filter_cache = []
 
       controller[:options][:before_filters].each do |filter|
-        filter_cache << before_filter_to_hash(filter)
+        filter_cache << before_filter_to_hash(filter.args)
       end
 
       controller[:before_filter_cache] = filter_cache
@@ -319,7 +357,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
             @method_cache[method_name] = method
             return method
           end
-        end
+       end
 
         @method_cache[method_name] = find_method method_name, controller[:parent]
       else