brakeman 3.0.5 → 3.1.0

data/lib/brakeman/checks/check_header_dos.rb

@@ -7,7 +7,7 @@ class Brakeman::CheckHeaderDoS < Brakeman::BaseCheck
 
   def run_check
     if (version_between? "3.0.0", "3.2.15" or version_between? "4.0.0", "4.0.1") and not has_workaround?
-      message = "Rails #{tracker.config[:rails_version]} has a denial of service vulnerability (CVE-2013-6414). Upgrade to Rails version "
+      message = "Rails #{rails_version} has a denial of service vulnerability (CVE-2013-6414). Upgrade to Rails version "
 
       if version_between? "3.0.0", "3.2.15"
         message << "3.2.16"

data/lib/brakeman/checks/check_i18n_xss.rb

@@ -7,8 +7,8 @@ class Brakeman::CheckI18nXSS < Brakeman::BaseCheck
 
   def run_check
     if (version_between? "3.0.6", "3.2.15" or version_between? "4.0.0", "4.0.1") and not has_workaround?
-      message = "Rails #{tracker.config[:rails_version]} has an XSS vulnerability in i18n (CVE-2013-4491). Upgrade to Rails version "
-      i18n_gem = tracker.config[:gems][:i18n][:version] if tracker.config[:gems][:i18n]
+      message = "Rails #{rails_version} has an XSS vulnerability in i18n (CVE-2013-4491). Upgrade to Rails version "
+      i18n_gem = tracker.config.gem_version :i18n
 
       if version_between? "3.0.6", "3.1.99" and version_before i18n_gem, "0.5.1"
         message << "3.2.16 or i18n 0.5.1"

data/lib/brakeman/checks/check_jruby_xml.rb

@@ -30,7 +30,7 @@ class Brakeman::CheckJRubyXML < Brakeman::BaseCheck
 
     warn :warning_type => "File Access",
       :warning_code => :CVE_2013_1856,
-      :message => "Rails #{tracker.config[:rails_version]} with JRuby has a vulnerability in XML parser: upgrade to #{fix_version} or patch",
+      :message => "Rails #{rails_version} with JRuby has a vulnerability in XML parser: upgrade to #{fix_version} or patch",
       :confidence => CONFIDENCE[:high],
       :gem_info => gemfile_or_environment,
       :link => "https://groups.google.com/d/msg/rubyonrails-security/KZwsQbYsOiI/5kUV7dSCJGwJ"

data/lib/brakeman/checks/check_json_encoding.rb

@@ -7,7 +7,7 @@ class Brakeman::CheckJSONEncoding < Brakeman::BaseCheck
 
   def run_check
     if (version_between? "4.1.0", "4.1.10" or version_between? "4.2.0", "4.2.1") and not has_workaround?
-      message = "Rails #{tracker.config[:rails_version]} does not encode JSON keys (CVE-2015-3226). Upgrade to Rails version "
+      message = "Rails #{rails_version} does not encode JSON keys (CVE-2015-3226). Upgrade to Rails version "
 
       if version_between? "4.1.0", "4.1.10"
         message << "4.1.11"

data/lib/brakeman/checks/check_json_parsing.rb

@@ -20,7 +20,7 @@ class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
                       "3.0.20"
                     end
 
-      message = "Rails #{tracker.config[:rails_version]} has a serious JSON parsing vulnerability: upgrade to #{new_version} or patch"
+      message = "Rails #{rails_version} has a serious JSON parsing vulnerability: upgrade to #{new_version} or patch"
       if uses_yajl?
         gem_info = gemfile_or_environment(:yajl)
       else
@@ -38,7 +38,7 @@ class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
 
   #Check if `yajl` is included in Gemfile
   def uses_yajl?
-    tracker.config[:gems][:yajl]
+    tracker.config.has_gem? :yajl
   end
 
   #Check for `ActiveSupport::JSON.backend = "JSONGem"`
@@ -60,7 +60,7 @@ class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
 
   def check_cve_2013_0269
     [:json, :json_pure].each do |name|
-      gem_hash = tracker.config[:gems][name] if tracker.config[:gems]
+      gem_hash = tracker.config.get_gem name
       check_json_version name, gem_hash[:version] if gem_hash and gem_hash[:version]
     end
   end

data/lib/brakeman/checks/check_link_to.rb

@@ -10,7 +10,7 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
   @description = "Checks for XSS in link_to in versions before 3.0"
 
   def run_check
-    return unless version_between?("2.0.0", "2.9.9") and not tracker.config[:escape_html]
+    return unless version_between?("2.0.0", "2.9.9") and not tracker.config.escape_html?
 
     @ignore_methods = Set[:button_to, :check_box, :escapeHTML, :escape_once,
                            :field_field, :fields_for, :h, :hidden_field,

data/lib/brakeman/checks/check_link_to_href.rb

@@ -15,7 +15,7 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
     @ignore_methods = Set[:button_to, :check_box,
                            :field_field, :fields_for, :hidden_field,
                            :hidden_field, :hidden_field_tag, :image_tag, :label,
-                           :mail_to, :radio_button, :select,
+                           :mail_to, :polymorphic_url, :radio_button, :select,
                            :submit_tag, :text_area, :text_field,
                            :text_field_tag, :url_encode, :url_for,
                            :will_paginate].merge(tracker.options[:url_safe_methods] || [])
@@ -38,8 +38,9 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
 
     #Ignore situations where the href is an interpolated string
     #with something before the user input
-    return if node_type?(url_arg, :string_interp) && !url_arg[1].chomp.empty?
+    return if string_interp?(url_arg) && !url_arg[1].chomp.empty?
 
+    return if call? url_arg and ignore_call? url_arg.target, url_arg.method
 
     if input = has_immediate_user_input?(url_arg)
       message = "Unsafe #{friendly_type_of input} in link_to href"
@@ -89,4 +90,10 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
       end
     end
   end
+
+  def ignored_method? target, method
+    @ignore_methods.include? method or
+      method.to_s =~ /_path$/ or
+      (target.nil? and method.to_s =~ /_url$/)
+  end
 end

data/lib/brakeman/checks/check_mass_assignment.rb

@@ -19,7 +19,10 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
 
     models = []
     tracker.models.each do |name, m|
-      if unprotected_model? m
+      if m.is_a? Hash
+        p m
+      end
+      if m.unprotected_model?
         models << name
       end
     end
@@ -62,7 +65,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
 
       model = tracker.models[res[:chain].first]
 
-      attr_protected = (model and model[:options][:attr_protected])
+      attr_protected = (model and model.attr_protected)
 
       if attr_protected and tracker.options[:ignore_attr_protected]
         return

data/lib/brakeman/checks/check_model_attr_accessible.rb

@@ -20,13 +20,13 @@ class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
 
   def run_check
     check_models do |name, model|
-      model[:attr_accessible].each do |attribute|
+      model.attr_accessible.each do |attribute|
         next if role_limited? model, attribute
 
         SUSP_ATTRS.each do |susp_attr, confidence|
           if susp_attr.is_a?(Regexp) and susp_attr =~ attribute.to_s or susp_attr == attribute
             warn :model => name,
-              :file => model[:files].first,
+              :file => model.file,
               :warning_type => "Mass Assignment",
               :warning_code => :dangerous_attr_accessible,
               :message => "Potentially dangerous attribute available for mass assignment",
@@ -40,14 +40,14 @@ class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
   end
 
   def role_limited? model, attribute
-    role_accessible = model[:options][:role_accessible]
+    role_accessible = model.role_accessible
     return if role_accessible.nil?
     role_accessible.include? attribute
   end
 
   def check_models
     tracker.models.each do |name, model|
-      if !model[:attr_accessible].nil?
+      if !model.attr_accessible.nil?
         yield name, model
       end
     end

data/lib/brakeman/checks/check_model_attributes.rb

@@ -19,7 +19,7 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
       protected_names = []
 
       check_models do |name, model|
-        if model[:options][:attr_protected].nil?
+        if model.attr_protected.nil?
           no_accessible_names << name.to_s
         elsif not tracker.options[:ignore_attr_protected]
           protected_names << name.to_s
@@ -53,9 +53,9 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
     else #Output one warning per model
 
       check_models do |name, model|
-        if model[:options][:attr_protected].nil?
+        if model.attr_protected.nil?
           warn :model => name,
-            :file => model[:files].first,
+            :file => model.file,
             :warning_type => "Attribute Restriction",
             :warning_code => :no_attr_accessible,
             :message => "Mass assignment is not restricted using attr_accessible",
@@ -70,8 +70,8 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
           end
 
           warn :model => name,
-            :file => model[:files].first,
-            :line => model[:options][:attr_protected].first.line,
+            :file => model.file,
+            :line => model.attr_protected.first.line,
             :warning_type => "Attribute Restriction",
             :warning_code => warning_code,
             :message => message,
@@ -83,7 +83,7 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
 
   def check_models
     tracker.models.each do |name, model|
-      if unprotected_model? model
+      if model.unprotected_model?
         yield name, model
       end
     end
@@ -104,7 +104,7 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
                       end
 
     if upgrade_version
-      message = "attr_protected is bypassable in #{tracker.config[:rails_version]}, use attr_accessible or upgrade to #{upgrade_version}"
+      message = "attr_protected is bypassable in #{rails_version}, use attr_accessible or upgrade to #{upgrade_version}"
       confidence = CONFIDENCE[:high]
       link = "https://groups.google.com/d/topic/rubyonrails-security/AFBKNY7VSH8/discussion"
     else

data/lib/brakeman/checks/check_model_serialize.rb

@@ -25,7 +25,7 @@ class Brakeman::CheckModelSerialize < Brakeman::BaseCheck
   #High confidence warning on serialized, unprotected attributes.
   #Medium confidence warning for serialized, protected attributes.
   def check_for_serialize model
-    if serialized_attrs = model[:options] && model[:options][:serialize]
+    if serialized_attrs = model.options[:serialize]
       attrs = Set.new
 
       serialized_attrs.each do |arglist|
@@ -34,9 +34,9 @@ class Brakeman::CheckModelSerialize < Brakeman::BaseCheck
         end
       end
 
-      if unsafe_attrs = model[:attr_accessible]
+      if unsafe_attrs = model.attr_accessible
         attrs.delete_if { |attr| not unsafe_attrs.include? attr.value }
-      elsif protected_attrs = model[:options][:attr_protected]
+      elsif protected_attrs = model.attr_protected
         safe_attrs = Set.new
 
         protected_attrs.each do |arglist|
@@ -54,13 +54,13 @@ class Brakeman::CheckModelSerialize < Brakeman::BaseCheck
         confidence = CONFIDENCE[:high]
       end
 
-      warn :model => model[:name],
+      warn :model => model.name,
         :warning_type => "Remote Code Execution",
         :warning_code => :CVE_2013_0277,
-        :message => "Serialized attributes are vulnerable in Rails #{tracker.config[:rails_version]}, upgrade to #{@upgrade_version} or patch.",
+        :message => "Serialized attributes are vulnerable in Rails #{rails_version}, upgrade to #{@upgrade_version} or patch.",
         :confidence => confidence,
         :link => "https://groups.google.com/d/topic/rubyonrails-security/KtmwSbEpzrU/discussion",
-        :file => model[:files].first
+        :file => model.file
     end
   end
 end

data/lib/brakeman/checks/check_nested_attributes.rb

@@ -8,7 +8,7 @@ class Brakeman::CheckNestedAttributes < Brakeman::BaseCheck
   @description = "Checks for nested attributes vulnerability in Rails 2.3.9 and 3.0.0"
 
   def run_check
-    version = tracker.config[:rails_version]
+    version = rails_version
 
     if (version == "2.3.9" or version == "3.0.0") and uses_nested_attributes?
       message = "Vulnerability in nested attributes (CVE-2010-3933). Upgrade to Rails version "
@@ -30,7 +30,7 @@ class Brakeman::CheckNestedAttributes < Brakeman::BaseCheck
 
   def uses_nested_attributes?
     active_record_models.each do |name, model|
-      return true if model[:options][:accepts_nested_attributes_for]
+      return true if model.options[:accepts_nested_attributes_for]
     end
 
     false

data/lib/brakeman/checks/check_number_to_currency.rb

@@ -18,7 +18,7 @@ class Brakeman::CheckNumberToCurrency < Brakeman::BaseCheck
   end
 
   def generic_warning
-    message = "Rails #{tracker.config[:rails_version]} has a vulnerability in number helpers (CVE-2014-0081). Upgrade to Rails version "
+    message = "Rails #{rails_version} has a vulnerability in number helpers (CVE-2014-0081). Upgrade to Rails version "
 
     if version_between? "2.3.0", "3.2.16"
       message << "3.2.17"
@@ -62,7 +62,7 @@ class Brakeman::CheckNumberToCurrency < Brakeman::BaseCheck
     warn :result => result,
       :warning_type => "Cross Site Scripting",
       :warning_code => :CVE_2014_0081_call,
-      :message => "Format options in #{result[:call].method} are not safe in Rails #{@tracker.config[:rails_version]}",
+      :message => "Format options in #{result[:call].method} are not safe in Rails #{rails_version}",
       :confidence => CONFIDENCE[:high],
       :link_path => "https://groups.google.com/d/msg/ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ",
       :user_input => match

data/lib/brakeman/checks/check_quote_table_name.rb

@@ -17,7 +17,7 @@ class Brakeman::CheckQuoteTableName < Brakeman::BaseCheck
         confidence = CONFIDENCE[:med]
       end
 
-      if tracker.config[:rails_version] =~ /^3/
+      if rails_version =~ /^3/
         message = "Versions before 3.0.10 have a vulnerability in quote_table_name: CVE-2011-2930"
       else
         message = "Versions before 2.3.14 have a vulnerability in quote_table_name: CVE-2011-2930"

data/lib/brakeman/checks/check_redirect.rb

@@ -184,7 +184,7 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
     if node_type? exp, :or
       decorated_model? exp.lhs or decorated_model? exp.rhs
     else
-      tracker.config[:gems][:draper] and
+      tracker.config.has_gem? :draper and
       call? exp and
       node_type?(exp.target, :const) and
       exp.target.value.to_s.match(/Decorator$/) and
@@ -204,14 +204,6 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
 
     return false unless model
 
-    model[:associations].each do |name, args|
-      args.each do |arg|
-        if symbol? arg and arg.value == meth
-          return true
-        end
-      end
-    end
-
-    false
+    model.association? meth
   end
 end

data/lib/brakeman/checks/check_render.rb

@@ -36,7 +36,7 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
 
 
       if input = has_immediate_user_input?(view)
-        if node_type? view, :string_interp, :dstr
+        if string_interp? view
           confidence = CONFIDENCE[:med]
         else
           confidence = CONFIDENCE[:high]

data/lib/brakeman/checks/check_render_dos.rb

@@ -25,7 +25,7 @@ class Brakeman::CheckRenderDoS < Brakeman::BaseCheck
   end
 
   def warn_about_text_render
-    message = "Rails #{tracker.config[:rails_version]} has a denial of service vulnerability (CVE-2014-0082). Upgrade to Rails version 3.2.17"
+    message = "Rails #{rails_version} has a denial of service vulnerability (CVE-2014-0082). Upgrade to Rails version 3.2.17"
 
     warn :warning_type => "Denial of Service",
       :warning_code => :CVE_2014_0082,

data/lib/brakeman/checks/check_safe_buffer_manipulation.rb

@@ -20,7 +20,7 @@ class Brakeman::CheckSafeBufferManipulation < Brakeman::BaseCheck
       return
     end
 
-    message = "Rails #{tracker.config[:rails_version]} has a vulnerabilty in SafeBuffer. Upgrade to #{suggested_version} or apply patches."
+    message = "Rails #{rails_version} has a vulnerabilty in SafeBuffer. Upgrade to #{suggested_version} or apply patches."
 
     warn :warning_type => "Cross Site Scripting",
       :warning_code => :safe_buffer_vuln, 

data/lib/brakeman/checks/check_sanitize_methods.rb

@@ -38,7 +38,7 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
       next if duplicate? result
       add_result result
 
-      message = "Rails #{tracker.config[:rails_version]} has a vulnerability in #{method}: upgrade to #{@fix_version} or patch"
+      message = "Rails #{rails_version} has a vulnerability in #{method}: upgrade to #{@fix_version} or patch"
 
       if include_user_input? result[:call]
         confidence = CONFIDENCE[:high]

data/lib/brakeman/checks/check_select_tag.rb

@@ -21,7 +21,7 @@ class Brakeman::CheckSelectTag < Brakeman::BaseCheck
 
     @ignore_methods = Set[:escapeHTML, :escape_once, :h].merge tracker.options[:safe_methods]
 
-    @message = "Upgrade to Rails #{suggested_version}, #{tracker.config[:rails_version]} select_tag is vulnerable (CVE-2012-3463)"
+    @message = "Upgrade to Rails #{suggested_version}, #{rails_version} select_tag is vulnerable (CVE-2012-3463)"
 
     calls = tracker.find_call(:target => nil, :method => :select_tag).select do |result|
       result[:location][:type] == :template

data/lib/brakeman/checks/check_select_vulnerability.rb

@@ -23,7 +23,7 @@ class Brakeman::CheckSelectVulnerability < Brakeman::BaseCheck
       return
     end
 
-    @message = "Upgrade to Rails #{suggested_version}, #{tracker.config[:rails_version]} select() helper is vulnerable"
+    @message = "Upgrade to Rails #{suggested_version}, #{rails_version} select() helper is vulnerable"
 
     calls = tracker.find_call(:target => nil, :method => :select).select do |result|
       result[:location][:type] == :template
@@ -43,7 +43,7 @@ class Brakeman::CheckSelectVulnerability < Brakeman::BaseCheck
     if sexp? third_arg and include_user_input? third_arg
       add_result result
 
-      if node_type? third_arg, :string_interp, :dstr
+      if string_interp? third_arg
         confidence = CONFIDENCE[:med]
       else
         confidence = CONFIDENCE[:low]

data/lib/brakeman/checks/check_session_settings.rb

@@ -17,8 +17,7 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
   end
 
   def run_check
-    settings = tracker.config[:rails][:action_controller] &&
-               tracker.config[:rails][:action_controller][:session]
+    settings = tracker.config.session_settings 
 
     check_for_issues settings, "#{tracker.app_path}/config/environment.rb"
 

data/lib/brakeman/checks/check_simple_format.rb

@@ -16,7 +16,7 @@ class Brakeman::CheckSimpleFormat < Brakeman::CheckCrossSiteScripting
   end
 
   def generic_warning
-    message = "Rails #{tracker.config[:rails_version]} has a vulnerability in simple_format (CVE-2013-6416). Upgrade to Rails version 4.0.2"
+    message = "Rails #{rails_version} has a vulnerability in simple_format (CVE-2013-6416). Upgrade to Rails version 4.0.2"
 
     warn :warning_type => "Cross Site Scripting",
       :warning_code => :CVE_2013_6416,
@@ -51,7 +51,7 @@ class Brakeman::CheckSimpleFormat < Brakeman::CheckCrossSiteScripting
     warn :result => result,
       :warning_type => "Cross Site Scripting",
       :warning_code => :CVE_2013_6416_call,
-      :message => "Values passed to simple_format are not safe in Rails #{@tracker.config[:rails_version]}",
+      :message => "Values passed to simple_format are not safe in Rails #{rails_version}",
       :confidence => CONFIDENCE[:high],
       :link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ",
       :user_input => match.match

data/lib/brakeman/checks/check_single_quotes.rb

@@ -20,11 +20,11 @@ class Brakeman::CheckSingleQuotes < Brakeman::BaseCheck
     when version_between?('2.0.0', '2.3.14')
       message = "All Rails 2.x versions do not escape single quotes (CVE-2012-3464)"
     when version_between?('3.0.0', '3.0.16')
-      message = "Rails #{tracker.config[:rails_version]} does not escape single quotes (CVE-2012-3464). Upgrade to 3.0.17"
+      message = "Rails #{rails_version} does not escape single quotes (CVE-2012-3464). Upgrade to 3.0.17"
     when version_between?('3.1.0', '3.1.7')
-      message = "Rails #{tracker.config[:rails_version]} does not escape single quotes (CVE-2012-3464). Upgrade to 3.1.8"
+      message = "Rails #{rails_version} does not escape single quotes (CVE-2012-3464). Upgrade to 3.1.8"
     when version_between?('3.2.0', '3.2.7')
-      message = "Rails #{tracker.config[:rails_version]} does not escape single quotes (CVE-2012-3464). Upgrade to 3.2.8"
+      message = "Rails #{rails_version} does not escape single quotes (CVE-2012-3464). Upgrade to 3.2.8"
     else
       return
     end

data/lib/brakeman/checks/check_skip_before_filter.rb

@@ -14,9 +14,7 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
 
   def run_check
     tracker.controllers.each do |name, controller|
-      filter_skips = controller[:options][:skip_filters]
-
-      filter_skips.each do |filter|
+      controller.skip_filters.each do |filter|
         process_skip_filter filter, controller
       end
     end
@@ -25,23 +23,23 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
   def process_skip_filter filter, controller
     case skip_except_value filter
     when :verify_authenticity_token
-      warn :class => controller[:name], #ugh this should be a controller warning, too
+      warn :class => controller.name, #ugh this should be a controller warning, too
         :warning_type => "Cross-Site Request Forgery",
         :warning_code => :csrf_blacklist,
         :message => "Use whitelist (:only => [..]) when skipping CSRF check",
         :code => filter,
         :confidence => CONFIDENCE[:med],
-        :file => controller[:files].first
+        :file => controller.file
 
     when :login_required, :authenticate_user!, :require_user
-      warn :controller => controller[:name],
+      warn :controller => controller.name,
         :warning_code => :auth_blacklist,
         :warning_type => "Authentication",
         :message => "Use whitelist (:only => [..]) when skipping authentication",
         :code => filter,
         :confidence => CONFIDENCE[:med],
         :link => "authentication_whitelist",
-        :file => controller[:files].first
+        :file => controller.file
     end
   end