brakeman 4.5.0 → 4.5.1

data/lib/brakeman/checks/check_default_routes.rb

@@ -6,6 +6,11 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
 
   @description = "Checks for default routes"
 
+  def initialize *args
+    super
+    @actions_allowed_on_controller = nil
+  end
+
   #Checks for :allow_all_actions globally and for individual routes
   #if it is not enabled globally.
   def run_check

data/lib/brakeman/checks/check_deserialize.rb

@@ -9,6 +9,7 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
     check_yaml
     check_csv
     check_marshal
+    check_oj
   end
 
   def check_yaml
@@ -23,6 +24,26 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
     check_methods :Marshal, :load, :restore
   end
 
+  def check_oj
+    check_methods :Oj, :object_load # Always unsafe, regardless of mode
+
+    unsafe_mode = :object
+    safe_default = oj_safe_default?
+
+    tracker.find_call(:target => :Oj, :method => :load).each do |result|
+      call = result[:call]
+      options = call.second_arg
+
+      if options and hash? options and mode = hash_access(options, :mode)
+        if symbol? mode and mode.value == unsafe_mode
+          check_deserialize result, :Oj
+        end
+      elsif not safe_default
+        check_deserialize result, :Oj
+      end
+    end
+  end
+
   def check_methods target, *methods
     tracker.find_call(:target => target, :methods => methods ).each do |result|
       check_deserialize result, target
@@ -53,4 +74,35 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
         :link_path => "unsafe_deserialization"
     end
   end
+
+  private
+
+  def oj_safe_default?
+    safe_default = false
+
+    # TODO: Can we just index initializers already??
+    if tracker.check_initializers(:Oj, :mimic_JSON).any?
+      safe_default = true
+    end
+
+    if result = tracker.check_initializers(:Oj, :default_options=).first
+      options = result.call.first_arg
+
+      if oj_safe_mode? options
+        safe_default = true
+      end
+    end
+
+    safe_default
+  end
+
+  def oj_safe_mode? options
+    if hash? options and mode = hash_access(options, :mode)
+      if symbol? mode and mode != :object
+        return true
+      end
+    end
+
+    false
+  end
 end

data/lib/brakeman/checks/check_dynamic_finders.rb

@@ -43,6 +43,6 @@ class Brakeman::CheckDynamicFinders < Brakeman::BaseCheck
   end
 
   def potentially_dangerous? method_name
-    method_name.match /^find_by_.*(token|guid|password|api_key|activation|code|private|reset)/
+    method_name.match(/^find_by_.*(token|guid|password|api_key|activation|code|private|reset)/)
   end
 end

data/lib/brakeman/checks/check_force_ssl.rb

@@ -0,0 +1,27 @@
+class Brakeman::CheckForceSSL < Brakeman::BaseCheck
+  Brakeman::Checks.add_optional self
+
+  @description = "Check that force_ssl setting is enabled in production"
+
+  def run_check
+    return if tracker.config.rails.empty? or tracker.config.rails_version.nil?
+    return if tracker.config.rails_version < "3.1.0"
+
+    force_ssl = tracker.config.rails[:force_ssl]
+
+    if false? force_ssl or force_ssl.nil?
+      line = if sexp? force_ssl
+               force_ssl.line
+             else
+               1
+             end
+
+      warn :warning_type => "Missing Encryption",
+        :warning_code => :force_ssl_disabled,
+        :message => msg("The application does not force use of HTTPS: ", msg_code("config.force_ssl"), " is not enabled"),
+        :confidence => :high,
+        :file => "config/environments/production.rb",
+        :line => line
+    end
+  end
+end

data/lib/brakeman/checks/check_json_parsing.rb

@@ -5,6 +5,11 @@ class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
 
   @description = "Checks for JSON parsing vulnerabilities CVE-2013-0333 and CVE-2013-0269"
 
+  def initialize *args
+    super
+    @uses_json_parse = nil
+  end
+
   def run_check
     check_cve_2013_0333
     check_cve_2013_0269

data/lib/brakeman/checks/check_link_to_href.rb

@@ -34,7 +34,12 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
     #an ignored method call by the code above.
     call = result[:call] = result[:call].dup
     @matched = false
-    url_arg = process call.second_arg
+
+    url_arg = if result[:block]
+                process call.first_arg
+              else
+                process call.second_arg
+              end
 
     if check_argument? url_arg
       url_arg = url_arg.first_arg

data/lib/brakeman/checks/check_mail_to.rb

@@ -24,7 +24,7 @@ class Brakeman::CheckMailTo < Brakeman::BaseCheck
         :warning_code => :CVE_2011_0446,
         :message => message,
         :confidence => :high,
-        :gem_info => gemfile_or_environment,
+        :gem_info => gemfile_or_environment, # Probably ignored now
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/8CpI7egxX4E/discussion"
     end
   end

data/lib/brakeman/checks/check_model_attr_accessible.rb

@@ -25,7 +25,7 @@ class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
 
         SUSP_ATTRS.each do |susp_attr, confidence|
           if susp_attr.is_a?(Regexp) and susp_attr =~ attribute.to_s or susp_attr == attribute
-            warn :model => name,
+            warn :model => model,
               :file => model.file,
               :warning_type => "Mass Assignment",
               :warning_code => :dangerous_attr_accessible,

data/lib/brakeman/checks/check_model_attributes.rb

@@ -2,9 +2,6 @@ require 'brakeman/checks/base_check'
 
 #Check if mass assignment is used with models
 #which inherit from ActiveRecord::Base.
-#
-#If tracker.options[:collapse_mass_assignment] is +true+ (default), all models
-#which do not use attr_accessible will be reported in a single warning
 class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
@@ -15,26 +12,19 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
 
     #Roll warnings into one warning for all models
     if tracker.options[:collapse_mass_assignment]
-      no_accessible_names = []
-      protected_names = []
-
-      check_models do |name, model|
-        if model.attr_protected.nil?
-          no_accessible_names << name.to_s
-        elsif not tracker.options[:ignore_attr_protected]
-          protected_names << name.to_s
-        end
-      end
+      Brakeman.notify "[Notice] The `collapse_mass_assignment` option has been removed."
+    end
 
-      unless no_accessible_names.empty?
-        warn :model => no_accessible_names.sort.join(", "),
+    check_models do |name, model|
+      if model.attr_protected.nil?
+        warn :model => model,
+          :file => model.file,
+          :line => model.top_line,
           :warning_type => "Attribute Restriction",
           :warning_code => :no_attr_accessible,
           :message => msg("Mass assignment is not restricted using ", msg_code("attr_accessible")),
           :confidence => :high
-      end
-
-      unless protected_names.empty?
+      elsif not tracker.options[:ignore_attr_protected]
         message, confidence, link = check_for_attr_protected_bypass
 
         if link
@@ -43,41 +33,13 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
           warning_code = :attr_protected_used
         end
 
-        warn :model => protected_names.sort.join(", "),
+        warn :model => model,
+          :file => model.file,
+          :line => model.attr_protected.first.line,
           :warning_type => "Attribute Restriction",
           :warning_code => warning_code,
           :message => message,
-          :confidence => confidence,
-          :link => link
-      end
-    else #Output one warning per model
-
-      check_models do |name, model|
-        if model.attr_protected.nil?
-          warn :model => name,
-            :file => model.file,
-            :line => model.top_line,
-            :warning_type => "Attribute Restriction",
-            :warning_code => :no_attr_accessible,
-            :message => msg("Mass assignment is not restricted using ", msg_code("attr_accessible")),
-            :confidence => :high
-        elsif not tracker.options[:ignore_attr_protected]
-          message, confidence, link = check_for_attr_protected_bypass
-
-          if link
-            warning_code = :CVE_2013_0276
-          else
-            warning_code = :attr_protected_used
-          end
-
-          warn :model => name,
-            :file => model.file,
-            :line => model.attr_protected.first.line,
-            :warning_type => "Attribute Restriction",
-            :warning_code => warning_code,
-            :message => message,
-            :confidence => confidence
-        end
+          :confidence => confidence
       end
     end
   end

data/lib/brakeman/checks/check_model_serialize.rb

@@ -54,7 +54,7 @@ class Brakeman::CheckModelSerialize < Brakeman::BaseCheck
         confidence = :high
       end
 
-      warn :model => model.name,
+      warn :model => model,
         :warning_type => "Remote Code Execution",
         :warning_code => :CVE_2013_0277,
         :message => msg("Serialized attributes are vulnerable in ", msg_version(rails_version), ", upgrade to ", msg_version(@upgrade_version), " or patch"),

data/lib/brakeman/checks/check_nested_attributes_bypass.rb

@@ -22,17 +22,17 @@ class Brakeman::CheckNestedAttributesBypass < Brakeman::BaseCheck
       if opts = model.options[:accepts_nested_attributes_for]
         opts.each do |args|
           if args.any? { |a| allow_destroy? a } and args.any? { |a| reject_if? a }
-            warn_about_nested_attributes name, model, args
+            warn_about_nested_attributes model, args
           end
         end
       end
     end
   end
 
-  def warn_about_nested_attributes name, model, args
+  def warn_about_nested_attributes model, args
     message = msg(msg_version(rails_version), " does not call ", msg_code(":reject_if"), " option when ", msg_code(":allow_destroy"), " is ", msg_code("false"), " ", msg_cve("CVE-2015-7577"))
 
-    warn :model => name,
+    warn :model => model,
       :warning_type => "Nested Attributes",
       :warning_code => :CVE_2015_7577,
       :message => message,

data/lib/brakeman/checks/check_secrets.rb

@@ -35,6 +35,6 @@ class Brakeman::CheckSecrets < Brakeman::BaseCheck
 
   def looks_like_secret? name
     # REST_AUTH_SITE_KEY is the pepper in Devise
-    name.match /password|secret|(rest_auth_site|api)_key$/i
+    name.match(/password|secret|(rest_auth_site|api)_key$/i)
   end
 end

data/lib/brakeman/checks/check_session_settings.rb

@@ -19,7 +19,7 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
   def run_check
     settings = tracker.config.session_settings 
 
-    check_for_issues settings, @app_tree.expand_path("config/environment.rb")
+    check_for_issues settings, @app_tree.file_path("config/environment.rb")
 
     ["session_store.rb", "secret_token.rb"].each do |file|
       if tracker.initializers[file] and not ignored? file
@@ -42,13 +42,13 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
   #in Rails 4.x apps
   def process_attrasgn exp
     if not tracker.options[:rails3] and exp.target == @session_settings and exp.method == :session=
-      check_for_issues exp.first_arg, @app_tree.expand_path("config/initializers/session_store.rb")
+      check_for_issues exp.first_arg, @app_tree.file_path("config/initializers/session_store.rb")
     end
 
     if tracker.options[:rails3] and settings_target?(exp.target) and
       (exp.method == :secret_token= or exp.method == :secret_key_base=) and string? exp.first_arg
 
-      warn_about_secret_token exp.line, @app_tree.expand_path("config/initializers/secret_token.rb")
+      warn_about_secret_token exp.line, @app_tree.file_path("config/initializers/secret_token.rb")
     end
 
     exp
@@ -58,7 +58,7 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
   #in Rails 3.x apps
   def process_call exp
     if tracker.options[:rails3] and settings_target?(exp.target) and exp.method == :session_store
-      check_for_rails3_issues exp.second_arg, @app_tree.expand_path("config/initializers/session_store.rb")
+      check_for_rails3_issues exp.second_arg, @app_tree.file_path("config/initializers/session_store.rb")
     end
 
     exp
@@ -109,10 +109,10 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
   end
 
   def check_secrets_yaml
-    secrets_file = "config/secrets.yml"
+    secrets_file = @app_tree.file_path("config/secrets.yml")
 
-    if @app_tree.exists? secrets_file and not ignored? "secrets.yml" and not ignored? "config/*.yml"
-      yaml = @app_tree.read secrets_file
+    if secrets_file.exists? and not ignored? "secrets.yml" and not ignored? "config/*.yml"
+      yaml = secrets_file.read
       require 'date' # https://github.com/dtao/safe_yaml/issues/80
       require 'safe_yaml/load'
       begin
@@ -127,7 +127,7 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
         unless secret.include? "<%="
           line = yaml.lines.find_index { |l| l.include? secret } + 1
 
-          warn_about_secret_token line, @app_tree.expand_path(secrets_file)
+          warn_about_secret_token line, @app_tree.file_path(secrets_file)
         end
       end
     end
@@ -163,9 +163,9 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
 
   def ignored? file
     [".", "config", "config/initializers"].each do |dir|
-      ignore_file = "#{dir}/.gitignore"
+      ignore_file = @app_tree.file_path("#{dir}/.gitignore")
       if @app_tree.exists? ignore_file
-        input = @app_tree.read(ignore_file)
+        input = ignore_file.read 
 
         return true if input.include? file
       end

data/lib/brakeman/checks/check_simple_format.rb

@@ -5,6 +5,11 @@ class Brakeman::CheckSimpleFormat < Brakeman::CheckCrossSiteScripting
 
   @description = "Checks for simple_format XSS vulnerability (CVE-2013-6416) in certain versions"
 
+  def initialize *args
+    super
+    @found_any = false
+  end
+
   def run_check
     if version_between? "4.0.0", "4.0.1"
       @inspect_arguments = true

data/lib/brakeman/checks/check_skip_before_filter.rb

@@ -38,7 +38,7 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
         :message => msg("Use whitelist (", msg_code(":only => [..]"), ") when skipping authentication"),
         :code => filter,
         :confidence => :medium,
-        :link => "authentication_whitelist",
+        :link_path => "authentication_whitelist",
         :file => controller.file
     end
   end

data/lib/brakeman/checks/check_sql.rb

@@ -21,7 +21,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     @sql_targets = [:average, :calculate, :count, :count_by_sql, :delete_all, :destroy_all,
                     :find_by_sql, :maximum, :minimum, :pluck, :sum, :update_all]
     @sql_targets.concat [:from, :group, :having, :joins, :lock, :order, :reorder, :where] if tracker.options[:rails3]
-    @sql_targets << :find_by << :find_by! << :not if tracker.options[:rails4]
+    @sql_targets.concat [:find_by, :find_by!, :find_or_create_by, :find_or_create_by!, :find_or_initialize_by, :not] if tracker.options[:rails4]
+    @sql_targets << :delete_by << :destroy_by if tracker.options[:rails6]
 
     if version_between?("2.0.0", "3.9.9") or tracker.config.rails_version.nil?
       @sql_targets << :first << :last << :all
@@ -71,23 +72,23 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     scope_calls = []
 
     if version_between?("2.1.0", "3.0.9")
-      ar_scope_calls(:named_scope) do |name, args|
+      ar_scope_calls(:named_scope) do |model, args|
         call = make_call(nil, :named_scope, args).line(args.line)
-        scope_calls << scope_call_hash(call, name, :named_scope)
+        scope_calls << scope_call_hash(call, model, :named_scope)
       end
     elsif version_between?("3.1.0", "9.9.9")
-      ar_scope_calls(:scope) do |name, args|
+      ar_scope_calls(:scope) do |model, args|
         second_arg = args[2]
         next unless sexp? second_arg
 
         if second_arg.node_type == :iter and node_type? second_arg.block, :block, :call, :safe_call
-          process_scope_with_block(name, args)
+          process_scope_with_block(model, args)
         elsif call? second_arg
           call = second_arg
-          scope_calls << scope_call_hash(call, name, call.method)
+          scope_calls << scope_call_hash(call, model, call.method)
         else
           call = make_call(nil, :scope, args).line(args.line)
-          scope_calls << scope_call_hash(call, name, :scope)
+          scope_calls << scope_call_hash(call, model, :scope)
         end
       end
     end
@@ -96,37 +97,34 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   end
 
   def ar_scope_calls(symbol_name = :named_scope, &block)
-    return_array = []
     active_record_models.each do |name, model|
       model_args = model.options[symbol_name]
       if model_args
         model_args.each do |args|
-          yield name, args
-          return_array << [name, args]
+          yield model, args
         end
       end
     end
-    return_array
   end
 
-  def scope_call_hash(call, name, method)
-    { :call => call, :location => { :type => :class, :class => name }, :method => :named_scope }
+  def scope_call_hash(call, model, method)
+    { :call => call, :location => { :type => :class, :class => model.name, :file => model.file }, :method => :named_scope }
   end
 
 
-  def process_scope_with_block model_name, args
+  def process_scope_with_block model, args
     scope_name = args[1][1]
     block = args[-1][-1]
 
     # Search lambda for calls to query methods
     if block.node_type == :block
       find_calls = Brakeman::FindAllCalls.new(tracker)
-      find_calls.process_source(block, :class => model_name, :method => scope_name)
+      find_calls.process_source(block, :class => model.name, :method => scope_name, :file => model.file)
       find_calls.calls.each { |call| process_result(call) if @sql_targets.include?(call[:method]) }
     elsif call? block
       while call? block
         process_result :target => block.target, :method => block.method, :call => block,
-         :location => { :type => :class, :class => model_name, :method => scope_name }
+          :location => { :type => :class, :class => model.name, :method => scope_name, :file => model.file }
 
         block = block.target
       end
@@ -187,7 +185,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
                         else
                           check_find_arguments call.last_arg
                         end
-                      when :where, :having, :find_by, :find_by!, :not
+                      when :where, :having, :find_by, :find_by!, :find_or_create_by, :find_or_create_by!, :find_or_initialize_by,:not, :delete_by, :destroy_by
                         check_query_arguments call.arglist
                       when :order, :group, :reorder
                         check_order_arguments call.arglist