brakeman 3.0.5 → 3.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 15522576649f902090b9d006ffe66b063172eccb
-  data.tar.gz: 5028884d1539437c9571894dcf1ee8d580f60996
+  metadata.gz: 5db4cee0910ab76ab868345145436bbf8817ab04
+  data.tar.gz: 7633c66f5638aadb0ee5a1619755ee17e5a92ad0
 SHA512:
-  metadata.gz: 15ca6f4ad8ea0b91ca498a862638864e76de75633c96175229f2d3314304797d24addb57eaac7a137bc729fc8477694565caea013ad0dfceb61048e077d9150f
-  data.tar.gz: 963b6eed256fec2b7407b60918673117a40f2d504379107c4f597e8e482b84ca8bf7967fbcbdff0de417de0594398e16f6eaed16e7c0fd6ba83d8394d89025e3
+  metadata.gz: 28a4089b017d8ee189a47b0597b18fa567637eb14d79caeea1beb1963ca17aa6761353d9ce557927516a5ec1d07b7e362c375b24e5893d84b1de5bc9041595cf
+  data.tar.gz: ea2a2b35fc4c7b6777cea07a9297bfcd32abe5ceaf476f7872efd845e8fcedb713ca91a128c31452ef148965945d1412d78c09c9c78cfe4e95aa24a5f07048c0

data/CHANGES

@@ -1,3 +1,22 @@
+# 3.1.0
+
+* Add support for gems.rb/gems.locked
+* Update render path information in JSON reports
+* Remove renaming of several Sexp nodes
+* Convert YAML config keys to symbols (Karl Glaser)
+* Use railties version if rails gem is missing (Lucas Mazza)
+* Warn about unverified SSL mode in Net::HTTP.start
+* Add Model, Controller, Template, Config classes internally
+* Report file being parsed in debug output
+* Update dependencies to Ruby 1.8 incompatible versions
+* Treat Array.new and Hash.new as arrays/hashes
+* Fix handling of string concatenation with existing string
+* Treat html_safe like raw()
+* Fix low confidence XSS warning code
+* Avoid warning on path creation methods in link_to
+* Expand safe methods to match methods with targets
+* Avoid duplicate eval() warnings
+
 # 3.0.5
 
 * Fix check for CVE-2015-3227

data/README.md

@@ -1,9 +1,8 @@
 [![Brakeman Logo](http://brakemanscanner.org/images/logo_medium.png)](http://brakemanscanner.org/)
 
-[![Travis CI
-Status](https://secure.travis-ci.org/presidentbeef/brakeman.png)](https://travis-ci.org/presidentbeef/brakeman)
-[![Code
-Climate](https://codeclimate.com/github/presidentbeef/brakeman.png)](https://codeclimate.com/github/presidentbeef/brakeman)
+[![Build Status](https://travis-ci.org/presidentbeef/brakeman.svg?branch=master)](https://travis-ci.org/presidentbeef/brakeman)
+[![Code Climate](https://codeclimate.com/github/presidentbeef/brakeman/badges/gpa.svg)](https://codeclimate.com/github/presidentbeef/brakeman)
+[![Test Coverage](https://codeclimate.com/github/presidentbeef/brakeman/badges/coverage.svg)](https://codeclimate.com/github/presidentbeef/brakeman/coverage)
 
 # Brakeman
 
@@ -130,15 +129,6 @@ The default config locations are `./config/brakeman.yml`, `~/.brakeman/config.ym
 
 The `-c` option can be used to specify a configuration file to use.
 
-# For Slim Users
-
-[Slim v3.0.0](https://github.com/slim-template/slim/blob/master/CHANGES#L12) dropped support for Ruby 1.8.7. Install a version of [`slim`](http://slim-lang.com/) compatible with your Ruby.
-
-| Ruby Version |       `Gemfile`       |              Command Line              |
-|--------------|-----------------------|----------------------------------------|
-| Ruby 1.8.7   | `gem 'slim', '< 3.0'` | `$ gem install slim --version '< 3.0'` |
-| Ruby 1.9+    | `gem 'slim'`          | `$ gem install slim`                   |
-
 # Continuous Integration
 
 There is a [plugin available](http://brakemanscanner.org/docs/jenkins/) for Jenkins/Hudson.

data/lib/brakeman.rb

@@ -99,6 +99,9 @@ module Brakeman
 
       if options
         options.each { |k, v| options[k] = Set.new v if v.is_a? Array }
+        
+        # After parsing the yaml config file for options, convert any string keys into symbols.
+        options.keys.select {|k| k.is_a? String}.map {|k| k.to_sym }.each {|k| options[k] = options[k.to_s]; options.delete(k.to_s) }
 
         # notify if options[:quiet] and quiet is nil||false
         notify "[Notice] Using configuration in #{config}" unless (options[:quiet] || quiet)

data/lib/brakeman/checks/base_check.rb

@@ -39,8 +39,9 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
 
   #Add result to result list, which is used to check for duplicates
   def add_result result, location = nil
-    location ||= (@current_template && @current_template[:name]) || @current_class || @current_module || @current_set || result[:location][:class] || result[:location][:template]
+    location ||= (@current_template && @current_template.name) || @current_class || @current_module || @current_set || result[:location][:class] || result[:location][:template]
     location = location[:name] if location.is_a? Hash
+    location = location.name if location.is_a? Brakeman::Collection
     location = location.to_sym
 
     if result.is_a? Hash
@@ -115,7 +116,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   end
 
   #Does not actually process string interpolation, but notes that it occurred.
-  def process_string_interp exp
+  def process_dstr exp
     @string_interp = Match.new(:interp, exp)
     process_default exp
   end
@@ -138,36 +139,6 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     Brakeman::OutputProcessor.new.format(exp).gsub(/\r|\n/, "")
   end
 
-  #Checks if the model inherits from parent,
-  def ancestor? model, parent, seen={}
-    return false unless model
-
-    seen[model[:name]] = true
-    if model[:parent] == parent || seen[model[:parent]]
-      true
-    elsif model[:parent]
-      ancestor? tracker.models[model[:parent]], parent, seen
-    else
-      false
-    end
-  end
-
-  def unprotected_model? model
-    model[:attr_accessible].nil? and !parent_classes_protected?(model) and ancestor?(model, :"ActiveRecord::Base")
-  end
-
-  # go up the chain of parent classes to see if any have attr_accessible
-  def parent_classes_protected? model, seen={}
-    seen[model] = true
-    if model[:attr_accessible] or model[:includes].include? :"ActiveModel::ForbiddenAttributesProtection"
-      true
-    elsif parent = tracker.models[model[:parent]] and !seen[parent]
-      parent_classes_protected? parent, seen
-    else
-      false
-    end
-  end
-
   #Checks if mass assignment is disabled globally in an initializer.
   def mass_assign_disabled?
     return @mass_assign_disabled unless @mass_assign_disabled.nil?
@@ -175,12 +146,10 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     @mass_assign_disabled = false
 
     if version_between?("3.1.0", "3.9.9") and
-      tracker.config[:rails][:active_record] and
-      tracker.config[:rails][:active_record][:whitelist_attributes] == Sexp.new(:true)
+      tracker.config.whitelist_attributes?
 
       @mass_assign_disabled = true
-    elsif tracker.options[:rails4] && (!tracker.config[:gems][:protected_attributes] || (tracker.config[:rails][:active_record] &&
-            tracker.config[:rails][:active_record][:whitelist_attributes] == Sexp.new(:true)))
+    elsif tracker.options[:rails4] && (!tracker.config.has_gem?(:protected_attributes) || tracker.config.whitelist_attributes?)
 
       @mass_assign_disabled = true
     else
@@ -231,7 +200,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     #gem and still using hack above, so this is a separate check for
     #including ActiveModel::ForbiddenAttributesProtection in
     #ActiveRecord::Base in an initializer.
-    if not @mass_assign_disabled and version_between?("3.1.0", "3.9.9") and tracker.config[:gems][:strong_parameters]
+    if not @mass_assign_disabled and version_between?("3.1.0", "3.9.9") and tracker.config.has_gem? :strong_parameters
       matches = tracker.check_initializers([], :include)
       forbidden_protection = Sexp.new(:colon2, Sexp.new(:const, :ActiveModel), :ForbiddenAttributesProtection)
 
@@ -267,9 +236,10 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       raise ArgumentError
     end
 
-    location ||= (@current_template && @current_template[:name]) || @current_class || @current_module || @current_set || result[:location][:class] || result[:location][:template]
+    location ||= (@current_template && @current_template.name) || @current_class || @current_module || @current_set || result[:location][:class] || result[:location][:template]
 
     location = location[:name] if location.is_a? Hash
+    location = location.name if location.is_a? Brakeman::Collection
     location = location.to_sym
 
     @results.each do |r|
@@ -328,7 +298,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       end
     elsif sexp? exp
       case exp.node_type
-      when :string_interp, :dstr
+      when :dstr
         exp.each do |e|
           if sexp? e
             match = has_immediate_user_input?(e)
@@ -336,7 +306,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
           end
         end
         false
-      when :string_eval, :evstr
+      when :evstr
         if sexp? exp.value
           if exp.value.node_type == :rlist
             exp.value.each_sexp do |e|
@@ -390,14 +360,14 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       end
     elsif sexp? exp
       case exp.node_type
-      when :string_interp, :dstr
+      when :dstr
         exp.each do |e|
           if sexp? e and match = has_immediate_model?(e, out)
             return match
           end
         end
         false
-      when :string_eval, :evstr
+      when :evstr
         if sexp? exp.value
           if exp.value.node_type == :rlist
             exp.value.each_sexp do |e|
@@ -456,7 +426,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   #
   #If the Rails version is unknown, returns false.
   def version_between? low_version, high_version, current_version = nil
-    current_version ||= tracker.config[:rails_version]
+    current_version ||= rails_version
     return false unless current_version
 
     version = current_version.split(".").map! { |n| n.to_i }
@@ -483,15 +453,17 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   end
 
   def lts_version? version
-    tracker.config[:gems][:'railslts-version'] and
-    version_between? version, "2.3.18.99", tracker.config[:gems][:'railslts-version'][:version]
+    tracker.config.has_gem? :'railslts-version' and
+    version_between? version, "2.3.18.99", tracker.config.gem_version(:'railslts-version')
   end
 
   def gemfile_or_environment gem_name = :rails
-    if gem_name and info = tracker.config[:gems][gem_name]
+    if gem_name and info = tracker.config.get_gem(gem_name)
       info
     elsif @app_tree.exists?("Gemfile")
       "Gemfile"
+    elsif @app_tree.exists?("gems.rb")
+      "gems.rb"
     else
       "config/environment.rb"
     end
@@ -507,7 +479,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     @active_record_models = {}
 
     tracker.models.each do |name, model|
-      if ancestor? model, :"ActiveRecord::Base"
+      if model.ancestor? :"ActiveRecord::Base"
         @active_record_models[name] = model
       end
     end

data/lib/brakeman/checks/check_basic_auth.rb

@@ -18,11 +18,11 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
 
   def check_basic_auth_filter
     controllers = tracker.controllers.select do |name, c|
-      c[:options][:http_basic_authenticate_with]
+      c.options[:http_basic_authenticate_with]
     end
 
     Hash[controllers].each do |name, controller|
-      controller[:options][:http_basic_authenticate_with].each do |call|
+      controller.options[:http_basic_authenticate_with].each do |call|
 
         if pass = get_password(call) and string? pass
           warn :controller => name,
@@ -31,7 +31,7 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
               :message => "Basic authentication password stored in source code",
               :code => call,
               :confidence => 0,
-              :file => controller[:files].first
+              :file => controller.file
           break
         end
       end

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -42,7 +42,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
 
       @current_template = template
 
-      template[:outputs].each do |out|
+      template.each_output do |out|
         unless check_for_immediate_xss out
           @matched = false
           @mark = false
@@ -57,10 +57,16 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
 
     if exp.node_type == :output
       out = exp.value
-    elsif exp.node_type == :escaped_output and raw_call? exp
-      out = exp.value.first_arg
+    elsif exp.node_type == :escaped_output
+      if raw_call? exp
+        out = exp.value.first_arg
+      elsif html_safe_call? exp
+        out = exp.value.target
+      end
     end
 
+    return if call? out and ignore_call? out.target, out.method
+
     if input = has_immediate_user_input?(out)
       add_result exp
 
@@ -141,8 +147,12 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
   #Otherwise, ignore
   def process_escaped_output exp
     unless check_for_immediate_xss exp
-      if raw_call? exp and not duplicate? exp
-        process exp.value.first_arg
+      if not duplicate? exp
+        if raw_call? exp
+          process exp.value.first_arg
+        elsif html_safe_call? exp
+          process exp.value.target
+        end
       end
     end
     exp
@@ -171,11 +181,14 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
           add_result exp
 
           link_path = "cross_site_scripting"
+          warning_code = :cross_site_scripting
+
           if @known_dangerous.include? exp.method
             confidence = CONFIDENCE[:high]
             if exp.method == :to_json
               message += " in JSON hash"
               link_path += "_to_json"
+              warning_code = :xss_to_json
             end
           else
             confidence = CONFIDENCE[:low]
@@ -183,7 +196,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
 
           warn :template => @current_template,
             :warning_type => "Cross Site Scripting",
-            :warning_code => :xss_to_json,
+            :warning_code => warning_code,
             :message => message,
             :code => exp,
             :user_input => @matched.match,
@@ -239,7 +252,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
   end
 
   #Process as default
-  def process_string_interp exp
+  def process_dstr exp
     process_default exp
   end
 
@@ -301,9 +314,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
     initializers = tracker.check_initializers :ActiveSupport, :escape_html_entities_in_json=
     initializers.each {|result| json_escape_on = true?(result.call.first_arg) }
 
-    if tracker.config[:rails][:active_support] and
-      true? tracker.config[:rails][:active_support][:escape_html_entities_in_json]
-
+    if tracker.config.escape_html_entities_in_json? 
         json_escape_on = true
     elsif version_between? "4.0.0", "5.0.0"
       json_escape_on = true
@@ -322,6 +333,10 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
     exp.value.node_type == :call and exp.value.method == :raw
   end
 
+  def html_safe_call? exp
+    exp.value.node_type == :call and exp.value.method == :html_safe
+  end
+
   def ignore_call? target, method
     ignored_method?(target, method) or
     safe_input_attribute?(target, method) or
@@ -340,8 +355,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
   end
 
   def ignored_method? target, method
-    target.nil? and
-    (@ignore_methods.include? method or method.to_s =~ IGNORE_LIKE)
+    @ignore_methods.include? method or method.to_s =~ IGNORE_LIKE
   end
 
   def cgi_escaped? target, method

data/lib/brakeman/checks/check_default_routes.rb

@@ -74,7 +74,7 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
 
     warn :warning_type => "Remote Code Execution",
       :warning_code => :CVE_2014_0130,
-      :message => "Rails #{tracker.config[:rails_version]} with globbing routes is vulnerable to directory traversal and remote code execution. Patch or upgrade to #{upgrade}",
+      :message => "Rails #{rails_version} with globbing routes is vulnerable to directory traversal and remote code execution. Patch or upgrade to #{upgrade}",
       :confidence => confidence,
       :file => "#{tracker.app_path}/config/routes.rb",
       :link => "http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf"

data/lib/brakeman/checks/check_detailed_exceptions.rb

@@ -14,7 +14,7 @@ class Brakeman::CheckDetailedExceptions < Brakeman::BaseCheck
   end
 
   def check_local_request_config
-    if true? tracker.config[:rails][:consider_all_requests_local]
+    if true? tracker.config.rails[:consider_all_requests_local]
       warn :warning_type => "Information Disclosure",
            :warning_code => :local_request_config,
            :message => "Detailed exceptions are enabled in production",
@@ -25,7 +25,7 @@ class Brakeman::CheckDetailedExceptions < Brakeman::BaseCheck
 
   def check_detailed_exceptions
     tracker.controllers.each do |name, controller|
-      controller[:public].each do |name, definition|
+      controller.methods_public.each do |name, definition|
         src = definition[:src]
         body = src.body.last
         next unless body

data/lib/brakeman/checks/check_evaluation.rb

@@ -20,6 +20,9 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
 
   #Warns if eval includes user input
   def process_result result
+    return if duplicate? result or result[:call].original_line
+    add_result result
+
     if input = include_user_input?(result[:call].arglist)
       warn :result => result,
         :warning_type => "Dangerous Eval",

data/lib/brakeman/checks/check_execute.rb

@@ -82,10 +82,10 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
   end
 
   def dangerous_open_arg? exp
-    if node_type? exp, :string_interp, :dstr
+    if string_interp? exp
       # Check for input at start of string
       exp[1] == "" and
-        node_type? exp[2], :evstr, :string_eval and
+        node_type? exp[2], :evstr and
         has_immediate_user_input? exp[2]
     else
       has_immediate_user_input? exp
@@ -137,7 +137,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
         e = e.target
       end
 
-      if node_type? e, :or, :evstr, :string_eval, :string_interp
+      if node_type? e, :or, :evstr, :dstr
         if res = dangerous?(e)
           return res
         end

data/lib/brakeman/checks/check_file_disclosure.rb

@@ -22,7 +22,7 @@ class Brakeman::CheckFileDisclosure < Brakeman::BaseCheck
     if fix_version and serves_static_assets?
       warn :warning_type => "File Access",
         :warning_code => :CVE_2014_7829,
-        :message => "Rails #{tracker.config[:rails_version]} has a file existence disclosure. Upgrade to #{fix_version} or disable serving static assets",
+        :message => "Rails #{rails_version} has a file existence disclosure. Upgrade to #{fix_version} or disable serving static assets",
         :confidence => CONFIDENCE[:high],
         :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/msg/rubyonrails-security/23fiuwb1NBA/MQVM1-5GkPMJ"
@@ -30,6 +30,6 @@ class Brakeman::CheckFileDisclosure < Brakeman::BaseCheck
   end
 
   def serves_static_assets?
-    true? tracker.config[:rails][:serve_static_assets]
+    true? tracker.config.rails[:serve_static_assets]
   end
 end

data/lib/brakeman/checks/check_forgery_setting.rb

@@ -11,34 +11,31 @@ class Brakeman::CheckForgerySetting < Brakeman::BaseCheck
 
   def run_check
     app_controller = tracker.controllers[:ApplicationController]
+    return unless app_controller and app_controller.ancestor? :"ActionController::Base"
 
-    return unless ancestor? app_controller, :"ActionController::Base"
-
-    if tracker.config[:rails][:action_controller] and
-      tracker.config[:rails][:action_controller][:allow_forgery_protection] == Sexp.new(:false)
-
+    if tracker.config.allow_forgery_protection? 
       warn :controller => :ApplicationController,
         :warning_type => "Cross-Site Request Forgery",
         :warning_code => :csrf_protection_disabled,
         :message => "Forgery protection is disabled",
         :confidence => CONFIDENCE[:high],
-        :file => app_controller[:files].first
+        :file => app_controller.file
 
-    elsif app_controller and not app_controller[:options][:protect_from_forgery]
+    elsif app_controller and not app_controller.protect_from_forgery?
 
       warn :controller => :ApplicationController,
         :warning_type => "Cross-Site Request Forgery",
         :warning_code => :csrf_protection_missing,
         :message => "'protect_from_forgery' should be called in ApplicationController",
         :confidence => CONFIDENCE[:high],
-        :file => app_controller[:files].first
+        :file => app_controller.file
 
     elsif version_between? "2.1.0", "2.3.10"
 
       warn :controller => :ApplicationController,
         :warning_type => "Cross-Site Request Forgery",
         :warning_code => :CVE_2011_0447,
-        :message => "CSRF protection is flawed in unpatched versions of Rails #{tracker.config[:rails_version]} (CVE-2011-0447). Upgrade to 2.3.11 or apply patches as needed",
+        :message => "CSRF protection is flawed in unpatched versions of Rails #{rails_version} (CVE-2011-0447). Upgrade to 2.3.11 or apply patches as needed",
         :confidence => CONFIDENCE[:high],
         :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/LZWjzCPgNmU/discussion"
@@ -48,11 +45,11 @@ class Brakeman::CheckForgerySetting < Brakeman::BaseCheck
       warn :controller => :ApplicationController,
         :warning_type => "Cross-Site Request Forgery",
         :warning_code => :CVE_2011_0447,
-        :message => "CSRF protection is flawed in unpatched versions of Rails #{tracker.config[:rails_version]} (CVE-2011-0447). Upgrade to 3.0.4 or apply patches as needed",
+        :message => "CSRF protection is flawed in unpatched versions of Rails #{rails_version} (CVE-2011-0447). Upgrade to 3.0.4 or apply patches as needed",
         :confidence => CONFIDENCE[:high],
         :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/LZWjzCPgNmU/discussion"
-    elsif version_between? "4.0.0", "100.0.0" and forgery_opts = app_controller[:options][:protect_from_forgery]
+    elsif version_between? "4.0.0", "100.0.0" and forgery_opts = app_controller.options[:protect_from_forgery]
 
       unless forgery_opts.is_a?(Array) and sexp?(forgery_opts.first) and
           access_arg = hash_access(forgery_opts.first.first_arg, :with) and access_arg.value == :exception
@@ -63,7 +60,7 @@ class Brakeman::CheckForgerySetting < Brakeman::BaseCheck
           :warning_code => :csrf_not_protected_by_raising_exception,
           :message => "protect_from_forgery should be configured with 'with: :exception'",
           :confidence => CONFIDENCE[:med],
-          :file => app_controller[:files].first
+          :file => app_controller.file
         }
 
         args.merge!(:code => forgery_opts.first) if forgery_opts.is_a?(Array)