brakeman 3.0.5 → 3.1.0

data/lib/brakeman/checks/check_sql.rb

@@ -14,8 +14,6 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   @description = "Check for SQL injection"
 
   def run_check
-    @rails_version = tracker.config[:rails_version]
-
     @sql_targets = [:all, :average, :calculate, :count, :count_by_sql, :exists?, :delete_all, :destroy_all,
       :find, :find_by_sql, :first, :last, :maximum, :minimum, :pluck, :sum, :update_all]
     @sql_targets.concat [:from, :group, :having, :joins, :lock, :order, :reorder, :select, :where] if tracker.options[:rails3]
@@ -84,7 +82,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   def ar_scope_calls(symbol_name = :named_scope, &block)
     return_array = []
     active_record_models.each do |name, model|
-      model_args = model[:options][symbol_name]
+      model_args = model.options[symbol_name]
       if model_args
         model_args.each do |args|
           yield name, args
@@ -257,7 +255,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     first_arg = arg[1]
 
     if node_type? arg, :arglist
-      if arg.length > 2 and node_type? first_arg, :string_interp, :dstr
+      if arg.length > 2 and string_interp? first_arg
         # Model.where("blah = ?", blah)
         return check_string_interp first_arg
       else
@@ -368,7 +366,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
 
   #Returns value if interpolated value is not something safe
   def unsafe_string_interp? exp
-    if node_type? exp, :string_eval, :evstr
+    if node_type? exp, :evstr
       value = exp.value
     else
       value = exp
@@ -382,7 +380,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       case value.node_type
       when :or
         unsafe_string_interp?(value.lhs) || unsafe_string_interp?(value.rhs)
-      when :string_interp, :dstr
+      when :dstr
         if dangerous = check_string_interp(value)
           return dangerous
         end
@@ -421,7 +419,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       #
       #and check first value
       unsafe_sql? exp[1]
-    when :string_interp, :dstr
+    when :dstr
       check_string_interp exp
     when :hash
       check_hash_values exp unless ignore_hash
@@ -516,9 +514,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   end
 
   def check_interp_target_or_arg target, arg
-    if node_type? target, :string_interp, :dstr or
-      node_type? arg, :string_interp, :dstr
-
+    if string_interp? target or string_interp? arg
       check_string_arg target and
       check_string_arg arg
     end
@@ -529,7 +525,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       nil
     elsif string_building? exp
       check_for_string_building exp
-    elsif node_type? exp, :string_interp, :dstr
+    elsif string_interp? exp
       check_string_interp exp
     elsif call? exp and exp.method == :to_s
       check_string_arg exp.target
@@ -541,8 +537,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   def string_building? exp
     return false unless call? exp and STRING_METHODS.include? exp.method
 
-    node_type? exp.target, :str, :dstr, :string_interp or
-    node_type? exp.first_arg, :str, :dstr, :string_interp or
+    node_type? exp.target, :str, :dstr or
+    node_type? exp.first_arg, :str, :dstr or
     string_building? exp.target or
     string_building? exp.first_arg
   end
@@ -614,7 +610,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   #
   #http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/
   def check_for_limit_or_offset_vulnerability options
-    return false if @rails_version.nil? or @rails_version >= "2.1.1" or not hash?(options)
+    return false if rails_version.nil? or rails_version >= "2.1.1" or not hash?(options)
 
     return true if hash_access(options, :limit) or hash_access(options, :offset)
 

data/lib/brakeman/checks/check_sql_cves.rb

@@ -48,7 +48,7 @@ class Brakeman::CheckSQLCVEs < Brakeman::BaseCheck
       }
     end
 
-    if tracker.config[:gems][:pg]
+    if tracker.config.has_gem? :pg
       issues << {
         :cve => "CVE-2014-3482",
         :versions => [%w[2.0.0 2.9.9 3.2.19], %w[3.0.0 3.2.18 3.2.19], %w[4.0.0 4.0.6 4.0.7], %w[4.1.0 4.1.2 4.1.3]],
@@ -73,7 +73,7 @@ class Brakeman::CheckSQLCVEs < Brakeman::BaseCheck
 
     warn :warning_type => 'SQL Injection',
       :warning_code => code,
-      :message => "Rails #{tracker.config[:rails_version]} contains a SQL injection vulnerability (#{cve}). Upgrade to #{upgrade_version}",
+      :message => "Rails #{rails_version} contains a SQL injection vulnerability (#{cve}). Upgrade to #{upgrade_version}",
       :confidence => CONFIDENCE[:high],
       :gem_info => gemfile_or_environment,
       :link_path => link
@@ -89,11 +89,11 @@ class Brakeman::CheckSQLCVEs < Brakeman::BaseCheck
 
   def check_cve_2014_0080
     return unless version_between? "4.0.0", "4.0.2" and
-                  @tracker.config[:gems].include? :pg
+                  @tracker.config.has_gem? :pg
 
     warn :warning_type => 'SQL Injection',
       :warning_code => :CVE_2014_0080,
-      :message => "Rails #{tracker.config[:rails_version]} contains a SQL injection vulnerability (CVE-2014-0080) with PostgreSQL. Upgrade to 4.0.3",
+      :message => "Rails #{rails_version} contains a SQL injection vulnerability (CVE-2014-0080) with PostgreSQL. Upgrade to 4.0.3",
       :confidence => CONFIDENCE[:high],
       :gem_info => gemfile_or_environment(:pg),
       :link_path => "https://groups.google.com/d/msg/rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ"

data/lib/brakeman/checks/check_ssl_verify.rb

@@ -11,21 +11,39 @@ class Brakeman::CheckSSLVerify < Brakeman::BaseCheck
 
   def run_check
     check_open_ssl_verify_none
+    check_http_start
   end
 
   def check_open_ssl_verify_none
-    tracker.find_call(:method => :verify_mode=).each {|call| process_result(call)}
+    tracker.find_call(:method => :verify_mode=).each {|call| process_verify_mode_result(call) }
   end
 
-  def process_result(result)
-    return if duplicate?(result)
+  def process_verify_mode_result result
     if result[:call].last_arg == SSL_VERIFY_NONE
-      add_result result
-      warn :result => result,
-        :warning_type => "SSL Verification Bypass",
-        :warning_code => :ssl_verification_bypass,
-        :message => "SSL certificate verification was bypassed",
-        :confidence => CONFIDENCE[:high]
+      warn_about_ssl_verification_bypass result
     end
   end
+
+  def check_http_start
+    tracker.find_call(:target => :'Net::HTTP', :method => :start).each { |call| process_http_start_result call }
+  end
+
+  def process_http_start_result result
+    arg = result[:call].last_arg
+
+    if hash? arg and hash_access(arg, :verify_mode) == SSL_VERIFY_NONE
+      warn_about_ssl_verification_bypass result
+    end
+  end
+
+  def warn_about_ssl_verification_bypass result
+    return if duplicate?(result)
+    add_result result
+
+    warn :result => result,
+      :warning_type => "SSL Verification Bypass",
+      :warning_code => :ssl_verification_bypass,
+      :message => "SSL certificate verification was bypassed",
+      :confidence => CONFIDENCE[:high]
+  end
 end

data/lib/brakeman/checks/check_strip_tags.rb

@@ -19,7 +19,7 @@ class Brakeman::CheckStripTags < Brakeman::BaseCheck
 
   def cve_2011_2931
     if version_between?('2.0.0', '2.3.12') or version_between?('3.0.0', '3.0.9')
-      if tracker.config[:rails_version] =~ /^3/
+      if rails_version =~ /^3/
         message = "Versions before 3.0.10 have a vulnerability in strip_tags (CVE-2011-2931)"
       else
         message = "Versions before 2.3.13 have a vulnerability in strip_tags (CVE-2011-2931)"
@@ -36,14 +36,14 @@ class Brakeman::CheckStripTags < Brakeman::BaseCheck
 
   def cve_2012_3465
     case
-    when (version_between?('2.0.0', '2.3.14') and tracker.config[:escape_html])
+    when (version_between?('2.0.0', '2.3.14') and tracker.config.escape_html?)
       message = "All Rails 2.x versions have a vulnerability in strip_tags (CVE-2012-3465)"
     when version_between?('3.0.10', '3.0.16')
-      message = "Rails #{tracker.config[:rails_version]} has a vulnerability in strip_tags (CVE-2012-3465). Upgrade to 3.0.17"
+      message = "Rails #{rails_version} has a vulnerability in strip_tags (CVE-2012-3465). Upgrade to 3.0.17"
     when version_between?('3.1.0', '3.1.7')
-      message = "Rails #{tracker.config[:rails_version]} has a vulnerability in strip_tags (CVE-2012-3465). Upgrade to 3.1.8"
+      message = "Rails #{rails_version} has a vulnerability in strip_tags (CVE-2012-3465). Upgrade to 3.1.8"
     when version_between?('3.2.0', '3.2.7')
-      message = "Rails #{tracker.config[:rails_version]} has a vulnerability in strip_tags (CVE-2012-3465). Upgrade to 3.2.8"
+      message = "Rails #{rails_version} has a vulnerability in strip_tags (CVE-2012-3465). Upgrade to 3.2.8"
     else
       return
     end

data/lib/brakeman/checks/check_symbol_dos_cve.rb

@@ -20,7 +20,7 @@ class Brakeman::CheckSymbolDoSCVE < Brakeman::BaseCheck
     if fix_version && active_record_models.any?
       warn :warning_type => "Denial of Service",
         :warning_code => :CVE_2013_1854,
-        :message => "Rails #{tracker.config[:rails_version]} has a denial of service vulnerability in ActiveRecord: upgrade to #{fix_version} or patch",
+        :message => "Rails #{rails_version} has a denial of service vulnerability in ActiveRecord: upgrade to #{fix_version} or patch",
         :confidence => CONFIDENCE[:med],
         :gem_info => gemfile_or_environment,
         :link => "https://groups.google.com/d/msg/rubyonrails-security/jgJ4cjjS8FE/BGbHRxnDRTIJ"

data/lib/brakeman/checks/check_translate_bug.rb

@@ -8,7 +8,7 @@ class Brakeman::CheckTranslateBug < Brakeman::BaseCheck
 
   def run_check
     return if lts_version? '2.3.18.6'
-    if (version_between?('2.3.0', '2.3.99') and tracker.config[:escape_html]) or
+    if (version_between?('2.3.0', '2.3.99') and tracker.config.escape_html?) or
         version_between?('3.0.0', '3.0.10') or
         version_between?('3.1.0', '3.1.1')
 
@@ -18,12 +18,11 @@ class Brakeman::CheckTranslateBug < Brakeman::BaseCheck
         CONFIDENCE[:med]
       end
 
-      version = tracker.config[:rails_version]
       description = "have a vulnerability in the translate helper with keys ending in _html"
 
-      message = if version =~ /^3\.1/
+      message = if rails_version =~ /^3\.1/
         "Versions before 3.1.2 #{description}."
-      elsif version =~ /^3\.0/
+      elsif rails_version =~ /^3\.0/
         "Versions before 3.0.11 #{description}."
       else
         "Rails 2.3.x using the rails_xss plugin #{description}."

data/lib/brakeman/checks/check_unscoped_find.rb

@@ -10,7 +10,7 @@ class Brakeman::CheckUnscopedFind < Brakeman::BaseCheck
     Brakeman.debug("Finding instances of #find on models with associations")
 
     associated_model_names = active_record_models.keys.select do |name|
-      active_record_models[name][:associations][:belongs_to]
+      active_record_models[name].associations[:belongs_to]
     end
 
     calls = tracker.find_call :method => [:find, :find_by_id, :find_by_id!],

data/lib/brakeman/checks/check_validation_regex.rb

@@ -18,7 +18,7 @@ class Brakeman::CheckValidationRegex < Brakeman::BaseCheck
   def run_check
     active_record_models.each do |name, model|
       @current_model = name
-      format_validations = model[:options][:validates_format_of]
+      format_validations = model.options[:validates_format_of]
 
       if format_validations
         format_validations.each do |v|
@@ -26,7 +26,7 @@ class Brakeman::CheckValidationRegex < Brakeman::BaseCheck
         end
       end
 
-      validates = model[:options][:validates]
+      validates = model.options[:validates]
 
       if validates
         validates.each do |v|

data/lib/brakeman/checks/check_xml_dos.rb

@@ -6,7 +6,7 @@ class Brakeman::CheckXMLDoS < Brakeman::BaseCheck
   @description = "Checks for XML denial of service (CVE-2015-3227)"
 
   def run_check
-    version = tracker.config[:rails_version]
+    version = rails_version
 
     fix_version = case
                   when version_between?("2.0.0", "3.2.21")

data/lib/brakeman/checks/check_yaml_parsing.rb

@@ -22,7 +22,7 @@ class Brakeman::CheckYAMLParsing < Brakeman::BaseCheck
                       "3.2.11"
                     end
 
-      message = "Rails #{tracker.config[:rails_version]} has a remote code execution vulnerability: upgrade to #{new_version} or disable XML parsing"
+      message = "Rails #{rails_version} has a remote code execution vulnerability: upgrade to #{new_version} or disable XML parsing"
 
       warn :warning_type => "Remote Code Execution",
         :warning_code => :CVE_2013_0156,

data/lib/brakeman/file_parser.rb

@@ -32,6 +32,7 @@ module Brakeman
 
     def parse_ruby input, path
       begin
+        Brakeman.debug "Parsing #{path}"
         RubyParser.new.parse input, path
       rescue Racc::ParseError => e
         @tracker.error e, "Could not parse #{path}"

data/lib/brakeman/parsers/template_parser.rb

@@ -16,6 +16,7 @@ module Brakeman
       type = path.match(KNOWN_TEMPLATE_EXTENSIONS)[1].to_sym
       type = :erb if type == :rhtml
       name = template_path_to_name path
+      Brakeman.debug "Parsing #{path}"
 
       begin
         src = case type
@@ -46,7 +47,7 @@ module Brakeman
     end
 
     def parse_erb text
-      if tracker.config[:escape_html]
+      if tracker.config.escape_html?
         if tracker.options[:rails3]
           require 'brakeman/parsers/rails3_erubis'
           Brakeman::Rails3Erubis.new(text).src
@@ -54,7 +55,7 @@ module Brakeman
           require 'brakeman/parsers/rails2_xss_plugin_erubis'
           Brakeman::Rails2XSSPluginErubis.new(text).src
         end
-      elsif tracker.config[:erubis]
+      elsif tracker.config.erubis?
         require 'brakeman/parsers/rails2_erubis'
         Brakeman::ScannerErubis.new(text).src
       else
@@ -66,8 +67,8 @@ module Brakeman
     end
 
     def erubis?
-      tracker.config[:escape_html] or
-      tracker.config[:erubis]
+      tracker.config.escape_html? or
+        tracker.config.erubis?
     end
 
     def parse_haml text
@@ -75,7 +76,7 @@ module Brakeman
       Brakeman.load_brakeman_dependency 'sass'
 
       Haml::Engine.new(text,
-                       :escape_html => !!tracker.config[:escape_html]).precompiled.gsub(/([^\\])\\n/, '\1')
+                       :escape_html => tracker.config.escape_html?).precompiled.gsub(/([^\\])\\n/, '\1')
     end
 
     def parse_slim text

data/lib/brakeman/processor.rb

@@ -27,8 +27,8 @@ module Brakeman
     end
 
     #Process Gemfile
-    def process_gems src, gem_lock = nil
-      GemProcessor.new(@tracker).process_gems src, gem_lock
+    def process_gems gem_files
+      GemProcessor.new(@tracker).process_gems gem_files
     end
 
     #Process route file source
@@ -47,8 +47,8 @@ module Brakeman
 
     #Process variable aliasing in controller source and save it in the
     #tracker.
-    def process_controller_alias name, src, only_method = nil
-      ControllerAliasProcessor.new(@app_tree, @tracker, only_method).process_controller name, src
+    def process_controller_alias name, src, only_method = nil, file = nil
+      ControllerAliasProcessor.new(@app_tree, @tracker, only_method).process_controller name, src, file
     end
 
     #Process a model source
@@ -78,13 +78,13 @@ module Brakeman
         name = ("#{name}.#{called_from}").to_sym
       end
 
-      @tracker.templates[name][:src] = result
-      @tracker.templates[name][:type] = type
+      @tracker.templates[name].src = result
+      @tracker.templates[name].type = type
     end
 
     #Process any calls to render() within a template
     def process_template_alias template
-      TemplateAliasProcessor.new(@tracker, template).process_safely template[:src]
+      TemplateAliasProcessor.new(@tracker, template).process_safely template.src
     end
 
     #Process source for initializing files

data/lib/brakeman/processors/alias_processor.rb

@@ -9,7 +9,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   include Brakeman::ProcessorHelper
   include Brakeman::Util
 
-  attr_reader :result
+  attr_reader :result, :tracker
 
   #Returns a new AliasProcessor with an empty environment.
   #
@@ -74,9 +74,13 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     result
   end
 
+  ARRAY_CONST = s(:const, :Array)
+  HASH_CONST = s(:const, :Hash)
+
   #Process a method call.
   def process_call exp
     target_var = exp.target
+    target_var &&= target_var.deep_clone
     exp = process_default exp
 
     #In case it is replaced with something else
@@ -95,6 +99,10 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     if node_type? target, :or and [:+, :-, :*, :/].include? method
       res = process_or_simple_operation(exp)
       return res if res
+    elsif target == ARRAY_CONST and method == :new
+      return Sexp.new(:array, *exp.args)
+    elsif target == HASH_CONST and method == :new and first_arg.nil? and !node_type?(@exp_context.last, :iter)
+      return Sexp.new(:hash)
     end
 
     #See if it is possible to simplify some basic cases
@@ -159,21 +167,36 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         target.value << first_arg.value
         env[target_var] = target
         return target
+      elsif string? target and string_interp? first_arg
+        exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg[2..-1])
+        env[target_var] = exp
+      elsif string? first_arg and string_interp? target
+        if string? target.last
+          target.last.value << first_arg.value
+        elsif target.last.is_a? String
+          target.last << first_arg.value
+        else
+          target << first_arg
+        end
+        env[target_var] = target
+        return first_arg
       elsif array? target
         target << first_arg
         env[target_var] = target
         return target
       else
-        target = find_push_target exp
-        env[target] = exp unless target.nil? #Happens in TemplateAliasProcessor
+        target = find_push_target(target_var)
+        env[target] = exp unless target.nil? # Happens in TemplateAliasProcessor
       end
     end
 
     exp
   end
 
-  def process_call_with_block exp
+  def process_iter exp
+    @exp_context.push exp
     exp[1] = process exp.block_call
+    @exp_context.pop
 
     env.scope do
       exp.block_args.each do |e|
@@ -207,8 +230,6 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     exp
   end
 
-  alias process_iter process_call_with_block
-
   #Process a new scope.
   def process_scope exp
     env.scope do
@@ -225,7 +246,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   end
 
   #Process a method definition.
-  def process_methdef exp
+  def process_defn exp
     meth_env do
       exp.body = process_all! exp.body
     end
@@ -245,7 +266,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   end
 
   #Process a method definition on self.
-  def process_selfdef exp
+  def process_defs exp
     env.scope do
       set_env_defaults
       exp.body = process_all! exp.body
@@ -253,9 +274,6 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     exp
   end
 
-  alias process_defn process_methdef
-  alias process_defs process_selfdef
-
   #Local assignment
   # x = 1
   def process_lasgn exp
@@ -821,7 +839,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   def top_target exp, last = nil
     if call? exp
       top_target exp.target, exp
-    elsif node_type? exp, :iter, :call_with_block
+    elsif node_type? exp, :iter
       top_target exp.block_call, last
     else
       exp || last