brakeman 3.7.2 → 4.0.0

data/lib/brakeman/checks/check_default_routes.rb

@@ -21,7 +21,7 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
         :warning_code => :all_default_routes,
         :message => "All public methods in controllers are available as actions in routes.rb",
         :line => tracker.routes[:allow_all_actions].line,
-        :confidence => CONFIDENCE[:high],
+        :confidence => :high,
         :file => "#{tracker.app_path}/config/routes.rb"
     end
   end
@@ -43,7 +43,7 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
           :warning_code => :controller_default_routes,
           :message => "Any public method in #{name} can be used as an action for #{verb} requests.",
           :line => actions[2],
-          :confidence => CONFIDENCE[:med],
+          :confidence => :medium,
           :file => "#{tracker.app_path}/config/routes.rb"
       end
     end
@@ -67,9 +67,9 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
     end
 
     if allow_all_actions? or @actions_allowed_on_controller
-      confidence = CONFIDENCE[:high]
+      confidence = :high
     else
-      confidence = CONFIDENCE[:med]
+      confidence = :medium
     end
 
     warn :warning_type => "Remote Code Execution",

data/lib/brakeman/checks/check_deserialize.rb

@@ -36,9 +36,9 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
     method = result[:call].method
 
     if input = has_immediate_user_input?(arg)
-      confidence = CONFIDENCE[:high]
+      confidence = :high
     elsif input = include_user_input?(arg)
-      confidence = CONFIDENCE[:med]
+      confidence = :medium
     end
 
     if confidence

data/lib/brakeman/checks/check_detailed_exceptions.rb

@@ -18,13 +18,13 @@ class Brakeman::CheckDetailedExceptions < Brakeman::BaseCheck
       warn :warning_type => "Information Disclosure",
            :warning_code => :local_request_config,
            :message => "Detailed exceptions are enabled in production",
-           :confidence => CONFIDENCE[:high],
+           :confidence => :high,
            :file => "config/environments/production.rb"
     end
   end
 
   def check_detailed_exceptions
-    tracker.controllers.each do |name, controller|
+    tracker.controllers.each do |_name, controller|
       controller.methods_public.each do |method_name, definition|
         src = definition[:src]
         body = src.body.last
@@ -32,9 +32,9 @@ class Brakeman::CheckDetailedExceptions < Brakeman::BaseCheck
 
         if method_name == :show_detailed_exceptions? and not safe? body
           if true? body
-            confidence = CONFIDENCE[:high]
+            confidence = :high
           else
-            confidence = CONFIDENCE[:med]
+            confidence = :medium
           end
 
           warn :warning_type => "Information Disclosure",

data/lib/brakeman/checks/check_digest_dos.rb

@@ -19,9 +19,9 @@ class Brakeman::CheckDigestDoS < Brakeman::BaseCheck
     end
 
     if with_http_digest?
-      confidence = CONFIDENCE[:high]
+      confidence = :high
     else
-      confidence = CONFIDENCE[:low]
+      confidence = :weak
     end
 
     warn :warning_type => "Denial of Service",

data/lib/brakeman/checks/check_dynamic_finders.rb

@@ -26,7 +26,7 @@ class Brakeman::CheckDynamicFinders < Brakeman::BaseCheck
             :warning_type => "SQL Injection",
             :warning_code => :sql_injection_dynamic_finder,
             :message => "MySQL integer conversion may cause 0 to match any string",
-            :confidence => CONFIDENCE[:med],
+            :confidence => :medium,
             :user_input => arg
 
           break

data/lib/brakeman/checks/check_escape_function.rb

@@ -10,10 +10,10 @@ class Brakeman::CheckEscapeFunction < Brakeman::BaseCheck
   def run_check
     if version_between?('2.0.0', '2.3.13') and RUBY_VERSION < '1.9.0' 
 
-      warn :warning_type => 'Cross Site Scripting',
+      warn :warning_type => 'Cross-Site Scripting',
         :warning_code => :CVE_2011_2932,
         :message => 'Versions before 2.3.14 have a vulnerability in escape method when used with Ruby 1.8: CVE-2011-2932',
-        :confidence => CONFIDENCE[:high],
+        :confidence => :high,
         :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/Vr_7WSOrEZU/discussion"
     end

data/lib/brakeman/checks/check_evaluation.rb

@@ -29,7 +29,7 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
         :message => "User input in eval",
         :code => result[:call],
         :user_input => input,
-        :confidence => CONFIDENCE[:high]
+        :confidence => :high
     end
   end
 end

data/lib/brakeman/checks/check_execute.rb

@@ -56,9 +56,9 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
     if failure and original? result
 
       if failure.type == :interp #Not from user input
-        confidence = CONFIDENCE[:med]
+        confidence = :medium
       else
-        confidence = CONFIDENCE[:high]
+        confidence = :high
       end
 
       warn :result => result,
@@ -79,7 +79,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
           :warning_code => :command_injection,
           :message => "Possible command injection in open()",
           :user_input => match,
-          :confidence => CONFIDENCE[:high]
+          :confidence => :high
       end
     end
   end
@@ -111,9 +111,9 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
     exp = result[:call]
 
     if input = include_user_input?(exp)
-      confidence = CONFIDENCE[:high]
+      confidence = :high
     elsif input = dangerous?(exp)
-      confidence = CONFIDENCE[:med]
+      confidence = :medium
     else
       return
     end

data/lib/brakeman/checks/check_file_access.rb

@@ -32,18 +32,18 @@ class Brakeman::CheckFileAccess < Brakeman::BaseCheck
     file_name = call.first_arg
 
     if match = has_immediate_user_input?(file_name)
-      confidence = CONFIDENCE[:high]
+      confidence = :high
     elsif match = has_immediate_model?(file_name)
       match = Match.new(:model, match)
-      confidence = CONFIDENCE[:med]
+      confidence = :medium
     elsif tracker.options[:check_arguments] and
       match = include_user_input?(file_name)
 
       #Check for string building in file name
       if call?(file_name) and (file_name.method == :+ or file_name.method == :<<)
-        confidence = CONFIDENCE[:high]
+        confidence = :high
       else
-        confidence = CONFIDENCE[:low]
+        confidence = :weak
       end
     end
 

data/lib/brakeman/checks/check_file_disclosure.rb

@@ -3,7 +3,7 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckFileDisclosure < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
-  @description = "Checks for versions with file existence disclosure vulnerability"
+  @description = 'Checks for versions with file existence disclosure vulnerability'
 
   def run_check
     fix_version = case
@@ -23,7 +23,7 @@ class Brakeman::CheckFileDisclosure < Brakeman::BaseCheck
       warn :warning_type => "File Access",
         :warning_code => :CVE_2014_7829,
         :message => "Rails #{rails_version} has a file existence disclosure. Upgrade to #{fix_version} or disable serving static assets",
-        :confidence => CONFIDENCE[:high],
+        :confidence => :high,
         :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/msg/rubyonrails-security/23fiuwb1NBA/MQVM1-5GkPMJ"
     end

data/lib/brakeman/checks/check_filter_skipping.rb

@@ -13,14 +13,14 @@ class Brakeman::CheckFilterSkipping < Brakeman::BaseCheck
       warn :warning_type => "Default Routes",
         :warning_code => :CVE_2011_2929,
         :message => "Versions before 3.0.10 have a vulnerability which allows filters to be bypassed: CVE-2011-2929",
-        :confidence => CONFIDENCE[:high],
+        :confidence => :high,
         :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/NCCsca7TEtY/discussion"
     end
   end
 
   def uses_arbitrary_actions?
-    tracker.routes.each do |name, actions|
+    tracker.routes.each do |_name, actions|
       if actions.include? :allow_all_actions
         return true
       end

data/lib/brakeman/checks/check_forgery_setting.rb

@@ -29,7 +29,7 @@ class Brakeman::CheckForgerySetting < Brakeman::BaseCheck
             :warning_type => "Cross-Site Request Forgery",
             :warning_code => :csrf_not_protected_by_raising_exception,
             :message => "protect_from_forgery should be configured with 'with: :exception'",
-            :confidence => CONFIDENCE[:med],
+            :confidence => :medium,
             :file => controller.file
           }
 
@@ -50,7 +50,7 @@ class Brakeman::CheckForgerySetting < Brakeman::BaseCheck
     opts = {
       :controller => :ApplicationController,
       :warning_type => "Cross-Site Request Forgery",
-      :confidence => CONFIDENCE[:high]
+      :confidence => :high
     }.merge opts
 
     warn opts

data/lib/brakeman/checks/check_header_dos.rb

@@ -18,7 +18,7 @@ class Brakeman::CheckHeaderDoS < Brakeman::BaseCheck
       warn :warning_type => "Denial of Service",
         :warning_code => :CVE_2013_6414,
         :message => message,
-        :confidence => CONFIDENCE[:med],
+        :confidence => :medium,
         :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/msg/ruby-security-ann/A-ebV4WxzKg/KNPTbX8XAQUJ"
     end

data/lib/brakeman/checks/check_i18n_xss.rb

@@ -18,10 +18,10 @@ class Brakeman::CheckI18nXSS < Brakeman::BaseCheck
         return
       end
 
-      warn :warning_type => "Cross Site Scripting",
+      warn :warning_type => "Cross-Site Scripting",
         :warning_code => :CVE_2013_4491,
         :message => message,
-        :confidence => CONFIDENCE[:med],
+        :confidence => :medium,
         :gem_info => gemfile_or_environment(:i18n),
         :link_path => "https://groups.google.com/d/msg/ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ"
     end

data/lib/brakeman/checks/check_jruby_xml.rb

@@ -23,15 +23,13 @@ class Brakeman::CheckJRubyXML < Brakeman::BaseCheck
     tracker.check_initializers(:"ActiveSupport::XmlMini", :backend=).each do |result|
       arg = result.call.first_arg
 
-      if string? arg and arg.value == "REXML"
-        return
-      end
+      return if string? arg and arg.value == "REXML"
     end
 
     warn :warning_type => "File Access",
       :warning_code => :CVE_2013_1856,
       :message => "Rails #{rails_version} with JRuby has a vulnerability in XML parser: upgrade to #{fix_version} or patch",
-      :confidence => CONFIDENCE[:high],
+      :confidence => :high,
       :gem_info => gemfile_or_environment,
       :link => "https://groups.google.com/d/msg/rubyonrails-security/KZwsQbYsOiI/5kUV7dSCJGwJ"
   end

data/lib/brakeman/checks/check_json_encoding.rb

@@ -16,12 +16,12 @@ class Brakeman::CheckJSONEncoding < Brakeman::BaseCheck
       end
 
       if tracker.find_call(:methods => [:to_json, :encode]).any?
-        confidence = CONFIDENCE[:high]
+        confidence = :high
       else
-        confidence = CONFIDENCE[:med]
+        confidence = :medium
       end
 
-      warn :warning_type => "Cross Site Scripting",
+      warn :warning_type => "Cross-Site Scripting",
         :warning_code => :CVE_2015_3226,
         :message => message,
         :confidence => confidence,
@@ -40,7 +40,7 @@ class Brakeman::CheckJSONEncoding < Brakeman::BaseCheck
                            s(:args),
                            s(:self))))))
 
-    tracker.initializers.any? do |name, initializer|
+    tracker.initializers.any? do |_name, initializer|
       initializer == workaround
     end
   end

data/lib/brakeman/checks/check_json_parsing.rb

@@ -30,7 +30,7 @@ class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
       warn :warning_type => "Remote Code Execution",
         :warning_code => :CVE_2013_0333,
         :message => message,
-        :confidence => CONFIDENCE[:high],
+        :confidence => :high,
         :gem_info => gem_info,
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/1h2DR63ViGo/discussion"
     end
@@ -71,11 +71,11 @@ class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
               (version >= "1.5.5" and version < "1.6.0")
 
     warning_type = "Denial of Service"
-    confidence = CONFIDENCE[:med]
+    confidence = :medium
     message = "#{name} gem version #{version} has a symbol creation vulnerablity: upgrade to "
 
     if version >= "1.7.0"
-      confidence = CONFIDENCE[:high]
+      confidence = :high
       warning_type = "Remote Code Execution"
       message = "#{name} gem version #{version} has a remote code vulnerablity: upgrade to 1.7.7"
     elsif version >= "1.6.0"
@@ -83,12 +83,12 @@ class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
     elsif version >= "1.5.0"
       message << "1.5.5"
     else
-      confidence = CONFIDENCE[:low]
+      confidence = :weak
       message << "1.5.5"
     end
 
-    if confidence == CONFIDENCE[:med] and uses_json_parse?
-      confidence = CONFIDENCE[:high]
+    if confidence == :medium and uses_json_parse?
+      confidence = :high
     end
 
     warn :warning_type => warning_type,

data/lib/brakeman/checks/check_link_to.rb

@@ -70,7 +70,7 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
 
     message = "Unescaped #{friendly_type_of input} in link_to"
 
-    warn_xss(result, message, input, CONFIDENCE[:high])
+    warn_xss(result, message, input, :high)
   end
 
   # Check if we should warn about the specified method
@@ -81,8 +81,8 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
     method = match.method
     return false if IGNORE_MODEL_METHODS.include? method
 
-    confidence = CONFIDENCE[:med]
-    confidence = CONFIDENCE[:high] if likely_model_attribute? match
+    confidence = :medium
+    confidence = :high if likely_model_attribute? match
     warn_xss(result, "Unescaped model attribute in link_to", match, confidence)
   end
 
@@ -93,14 +93,14 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
 
     message = "Unescaped #{friendly_type_of matched} in link_to"
 
-    warn_xss(result, message, @matched, CONFIDENCE[:med])
+    warn_xss(result, message, @matched, :medium)
   end
 
   # Create a warn for this xss
   def warn_xss(result, message, user_input, confidence)
     add_result(result)
     warn :result => result,
-      :warning_type => "Cross Site Scripting",
+      :warning_type => "Cross-Site Scripting",
       :warning_code => :xss_link_to,
       :message => message,
       :user_input => user_input,

data/lib/brakeman/checks/check_link_to_href.rb

@@ -36,7 +36,7 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
     @matched = false
     url_arg = process call.second_arg
 
-    if call? url_arg and url_arg.method == :url_for
+    if check_argument? url_arg
       url_arg = url_arg.first_arg
     end
 
@@ -48,47 +48,53 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
       unless duplicate? result or call_on_params? url_arg or ignore_interpolation? url_arg, input.match
         add_result result
         warn :result => result,
-          :warning_type => "Cross Site Scripting",
+          :warning_type => "Cross-Site Scripting",
           :warning_code => :xss_link_to_href,
           :message => message,
           :user_input => input,
-          :confidence => CONFIDENCE[:high],
+          :confidence => :high,
           :link_path => "link_to_href"
       end
-    elsif has_immediate_model? url_arg or model_find_call? url_arg
+    elsif not tracker.options[:ignore_model_output] and input = has_immediate_model?(url_arg)
+      return if ignore_model_call? url_arg, input or duplicate? result
+      add_result result
+
+      message = "Potentially unsafe model attribute in link_to href"
+
+      warn :result => result,
+        :warning_type => "Cross-Site Scripting",
+        :warning_code => :xss_link_to_href,
+        :message => message,
+        :user_input => input,
+        :confidence => :weak,
+        :link_path => "link_to_href"
+    end
+  end
 
-      # Decided NOT warn on models.  polymorphic_path is called it a model is
-      # passed to link_to (which passes it to url_for)
+  def check_argument? url_arg
+    return unless call? url_arg
 
-    elsif array? url_arg
-      # Just like models, polymorphic path/url is called if the argument is
-      # an array
+    target = url_arg.target
+    method = url_arg.method
 
-    elsif hash? url_arg
+    method == :url_for or
+      method == :h or
+      cgi_escaped? target, method
+  end
 
-      # url_for uses the key/values pretty carefully and I don't see a risk.
-      # IF you have default routes AND you accept user input for :controller
-      # and :only_path, then MAYBE you could trigger a javascript:/data:
-      # attack.
+  def ignore_model_call? url_arg, exp
+    return true unless call? exp
 
-    elsif @matched
-      if @matched.type == :model and not tracker.options[:ignore_model_output]
-        message = "Unsafe model attribute in link_to href"
-      elsif @matched.type == :params and not call_on_params? @matched.match
-        message = "Unsafe parameter value in link_to href"
-      end
+    target = exp.target
+    method = exp.method
 
-      if message and not duplicate? result and not ignore_interpolation? url_arg, @matched.match
-        add_result result
-        warn :result => result,
-          :warning_type => "Cross Site Scripting",
-          :warning_code => :xss_link_to_href,
-          :message => message,
-          :user_input => @matched,
-          :confidence => CONFIDENCE[:med],
-          :link_path => "link_to_href"
-      end
-    end
+    return true unless model_find_call? target
+
+    return true unless method.to_s =~ /url|uri|link|page|site/
+
+    ignore_call? target, method or
+      IGNORE_MODEL_METHODS.include? method or
+      ignore_interpolation? url_arg, exp
   end
 
   #Ignore situations where the href is an interpolated string