RubyGems - brakeman - Versions diffs - 4.5.1 → 4.7.1 - Mend

@@ -27,7 +27,7 @@ class Brakeman::CallIndex
     if options[:chained]
       return find_chain options
     #Find by narrowest category
-    elsif target and method and target.is_a? Array and method.is_a? Array
+    elsif target.is_a? Array and method.is_a? Array
       if target.length > method.length
         calls = filter_by_target calls_by_methods(method), target
       else
@@ -35,6 +35,12 @@ class Brakeman::CallIndex
         calls = filter_by_method calls, method
       end
+    elsif target.is_a? Regexp and method
+      calls = filter_by_target(calls_by_method(method), target)
+    elsif method.is_a? Regexp and target
+      calls = filter_by_method(calls_by_target(target), method)
     #Find by target, then by methods, if provided
     elsif target
       calls = calls_by_target target
@@ -85,6 +91,16 @@ class Brakeman::CallIndex
     end
   end
+  def remove_indexes_by_file file
+    [@calls_by_method, @calls_by_target].each do |calls_by|
+      calls_by.each do |_name, calls|
+        calls.delete_if do |call|
+          call[:location][:file] == file
+        end
+      end
+    end
+  end
   def index_calls calls
     calls.each do |call|
       @calls_by_method[call[:method]] ||= []
@@ -116,8 +132,11 @@ class Brakeman::CallIndex
   end
   def calls_by_target target
-    if target.is_a? Array
+    case target
+    when Array
       calls_by_targets target
+    when Regexp
+      calls_by_targets_regex target
     else
       @calls_by_target[target] || []
     end
@@ -133,10 +152,24 @@ class Brakeman::CallIndex
     calls
   end
+  def calls_by_targets_regex targets_regex
+    calls = []
+    @calls_by_target.each do |key, value|
+      case key
+      when String, Symbol
+        calls.concat value if key.match targets_regex
+      end
+    end
+    calls
+  end
   def calls_by_method method
-    if method.is_a? Array
+    case method
+    when Array
       calls_by_methods method
-    elsif method.is_a? Regexp
+    when Regexp
       calls_by_methods_regex method
     else
       @calls_by_method[method.to_sym] || []
@@ -156,26 +189,28 @@ class Brakeman::CallIndex
   def calls_by_methods_regex methods_regex
     calls = []
     @calls_by_method.each do |key, value|
-      calls.concat value if key.to_s.match methods_regex
+      calls.concat value if key.match methods_regex
     end
-    calls
-  end
-  def calls_with_no_target
-    @calls_by_target[nil]
+    calls
   end
   def filter calls, key, value
-    if value.is_a? Array
+    case value
+    when Array
       values = Set.new value
       calls.select do |call|
         values.include? call[key]
       end
-    elsif value.is_a? Regexp
+    when Regexp
       calls.select do |call|
-        call[key].to_s.match value
+        case call[key]
+        when String, Symbol
+          call[key].match value
+        end
       end
     else
       calls.select do |call|
@@ -197,15 +232,19 @@ class Brakeman::CallIndex
   end
   def filter_by_chain calls, target
-    if target.is_a? Array
+    case target
+    when Array
       targets = Set.new target
       calls.select do |call|
         targets.include? call[:chain].first
       end
-    elsif target.is_a? Regexp
+    when Regexp
       calls.select do |call|
-        call[:chain].first.to_s.match target
+        case call[:chain].first
+        when String, Symbol
+          call[:chain].first.match target
+        end
       end
     else
       calls.select do |call|

data/lib/brakeman/checks/base_check.rb CHANGED Viewed

@@ -39,24 +39,15 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     @active_record_models = nil
     @mass_assign_disabled = nil
     @has_user_input = nil
+    @in_array = false
     @safe_input_attributes = Set[:to_i, :to_f, :arel_table, :id]
     @comparison_ops  = Set[:==, :!=, :>, :<, :>=, :<=]
   end
   #Add result to result list, which is used to check for duplicates
-  def add_result result, location = nil
-    location ||= (@current_template && @current_template.name) || @current_class || @current_module || @current_set || result[:location][:class] || result[:location][:template]
-    location = location[:name] if location.is_a? Hash
-    location = location.name if location.is_a? Brakeman::Collection
-    location = location.to_sym
-    if result.is_a? Hash
-      line = result[:call].original_line || result[:call].line
-    elsif sexp? result
-      line = result.original_line || result.line
-    else
-      raise ArgumentError
-    end
+  def add_result result
+    location = get_location result
+    location, line = get_location result
     @results << [line, location, result]
   end
@@ -119,9 +110,16 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     exp
   end
+  def process_array exp
+    @in_array = true
+    process_default exp
+  ensure
+    @in_array = false
+  end
   #Does not actually process string interpolation, but notes that it occurred.
   def process_dstr exp
-    unless @string_interp # don't overwrite existing value
+    unless array_interp? exp or @string_interp # don't overwrite existing value
       @string_interp = Match.new(:interp, exp)
     end
@@ -130,6 +128,20 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   private
+  # Checking for
+  #
+  #   %W[#{a}]
+  #
+  # which will be parsed as
+  #
+  #    s(:array, s(:dstr, "", s(:evstr, s(:call, nil, :a))))
+  def array_interp? exp
+    @in_array and
+      string_interp? exp and
+      exp[1] == "".freeze and
+      exp.length == 3 # only one interpolated value
+  end
   def always_safe_method? meth
     @safe_input_attributes.include? meth or
       @comparison_ops.include? meth
@@ -170,8 +182,9 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       @mass_assign_disabled = true
     else
       #Check for ActiveRecord::Base.send(:attr_accessible, nil)
-      tracker.check_initializers(:"ActiveRecord::Base", :attr_accessible).each do |result|
-        call = result.call
+      tracker.find_call(target: :"ActiveRecord::Base", method: :attr_accessible).each do |result|
+        call = result[:call]
         if call? call
           if call.first_arg == Sexp.new(:nil)
             @mass_assign_disabled = true
@@ -180,26 +193,12 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
         end
       end
-      unless @mass_assign_disabled
-        tracker.check_initializers(:"ActiveRecord::Base", :send).each do |result|
-          call = result.call
-          if call? call
-            if call.first_arg == Sexp.new(:lit, :attr_accessible) and call.second_arg == Sexp.new(:nil)
-              @mass_assign_disabled = true
-              break
-            end
-          end
-        end
-      end
       unless @mass_assign_disabled
         #Check for
         #  class ActiveRecord::Base
         #    attr_accessible nil
         #  end
-        matches = tracker.check_initializers([], :attr_accessible)
-        matches.each do |result|
+        tracker.check_initializers([], :attr_accessible).each do |result|
           if result.module == "ActiveRecord" and result.result_class == :Base
             arg = result.call.first_arg
@@ -227,10 +226,8 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       end
       unless @mass_assign_disabled
-        matches = tracker.check_initializers(:"ActiveRecord::Base", [:send, :include])
-        matches.each do |result|
-          call = result.call
+        tracker.find_call(target: :"ActiveRecord::Base", method: [:send, :include]).each do |result|
+          call = result[:call]
           if call? call and (call.first_arg == forbidden_protection or call.second_arg == forbidden_protection)
             @mass_assign_disabled = true
           end
@@ -250,6 +247,22 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   #This is to avoid reporting duplicates. Checks if the result has been
   #reported already from the same line number.
   def duplicate? result, location = nil
+    location, line = get_location result
+    @results.each do |r|
+      if r[0] == line and r[1] == location
+        if tracker.options[:combine_locations]
+          return true
+        elsif r[2] == result
+          return true
+        end
+      end
+    end
+    false
+  end
+  def get_location result
     if result.is_a? Hash
       line = result[:call].original_line || result[:call].line
     elsif sexp? result
@@ -258,23 +271,13 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       raise ArgumentError
     end
-    location ||= (@current_template && @current_template.name) || @current_class || @current_module || @current_set || result[:location][:class] || result[:location][:template]
+    location ||= (@current_template && @current_template.name) || @current_class || @current_module || @current_set || result[:location][:class] || result[:location][:template] || result[:location][:file].to_s
     location = location[:name] if location.is_a? Hash
     location = location.name if location.is_a? Brakeman::Collection
     location = location.to_sym
-    @results.each do |r|
-      if r[0] == line and r[1] == location
-        if tracker.options[:combine_locations]
-          return true
-        elsif r[2] == result
-          return true
-        end
-      end
-    end
-    false
+    return location, line
   end
   #Checks if an expression contains string interpolation.

data/lib/brakeman/checks/check_cookie_serialization.rb ADDED Viewed

@@ -0,0 +1,22 @@
+require 'brakeman/checks/base_check'
+class Brakeman::CheckCookieSerialization < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+  @description = "Check for use of Marshal for cookie serialization"
+  def run_check
+    tracker.find_call(target: :'Rails.application.config.action_dispatch', method: :cookies_serializer=).each do |result|
+      setting = result[:call].first_arg
+      if symbol? setting and [:marshal, :hybrid].include? setting.value
+        warn :result => result,
+          :warning_type => "Remote Code Execution",
+          :warning_code => :unsafe_cookie_serialization,
+          :message => msg("Use of unsafe cookie serialization strategy ", msg_code(setting.value.inspect), " might lead to remote code execution"),
+          :confidence => :medium,
+          :link_path => "unsafe_deserialization"
+      end
+    end
+  end
+end

data/lib/brakeman/checks/check_cross_site_scripting.rb CHANGED Viewed

@@ -287,7 +287,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
   def setup
     @ignore_methods = Set[:==, :!=, :button_to, :check_box, :content_tag, :escapeHTML, :escape_once,
-                           :field_field, :fields_for, :h, :hidden_field,
+                           :field_field, :fields_for, :form_for, :h, :hidden_field,
                            :hidden_field, :hidden_field_tag, :image_tag, :label,
                            :link_to, :mail_to, :radio_button, :select,
                            :submit_tag, :text_area, :text_field,
@@ -316,11 +316,11 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
     end
     json_escape_on = false
-    initializers = tracker.check_initializers :ActiveSupport, :escape_html_entities_in_json=
-    initializers.each {|result| json_escape_on = true?(result.call.first_arg) }
+    initializers = tracker.find_call(target: :ActiveSupport, method: :escape_html_entities_in_json=)
+    initializers.each {|result| json_escape_on = true?(result[:call].first_arg) }
     if tracker.config.escape_html_entities_in_json?
-        json_escape_on = true
+      json_escape_on = true
     elsif version_between? "4.0.0", "9.9.9"
       json_escape_on = true
     end

data/lib/brakeman/checks/check_deserialize.rb CHANGED Viewed

@@ -80,13 +80,10 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
   def oj_safe_default?
     safe_default = false
-    # TODO: Can we just index initializers already??
-    if tracker.check_initializers(:Oj, :mimic_JSON).any?
+    if tracker.find_call(target: :Oj, method: :mimic_JSON).any?
       safe_default = true
-    end
-    if result = tracker.check_initializers(:Oj, :default_options=).first
-      options = result.call.first_arg
+    elsif result = tracker.find_call(target: :Oj, method: :default_options=).first
+      options = result[:call].first_arg
       if oj_safe_mode? options
         safe_default = true

data/lib/brakeman/checks/check_execute.rb CHANGED Viewed

@@ -21,6 +21,10 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
   SHELL_ESCAPE_MODULE_METHODS = Set[:escape, :join, :shellescape, :shelljoin]
   SHELL_ESCAPE_MIXIN_METHODS = Set[:shellescape, :shelljoin]
+  # These are common shells that are known to allow the execution of commands
+  # via a -c flag. See dash_c_shell_command? for more info.
+  KNOWN_SHELL_COMMANDS = Set["sh", "bash", "ksh", "csh", "tcsh", "zsh"]
   SHELLWORDS = s(:const, :Shellwords)
   #Check models, controllers, and views for command injection.
@@ -42,6 +46,8 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
     end
   end
+  private
   #Processes results from Tracker#find_call.
   def process_result result
     call = result[:call]
@@ -54,7 +60,17 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
         failure = include_user_input?(args) || dangerous_interp?(args)
       end
     when :system, :exec
-      failure = include_user_input?(first_arg) || dangerous_interp?(first_arg)
+      # Normally, if we're in a `system` or `exec` call, we only are worried
+      # about shell injection when there's a single argument, because comma-
+      # separated arguments are always escaped by Ruby. However, an exception is
+      # when the first two arguments are something like "bash -c" because then
+      # the third argument is effectively the command being run and might be
+      # a malicious executable if it comes (partially or fully) from user input.
+      if dash_c_shell_command?(first_arg, call.second_arg)
+        failure = include_user_input?(args[3]) || dangerous_interp?(args[3])
+      else
+        failure = include_user_input?(first_arg) || dangerous_interp?(first_arg)
+      end
     else
       failure = include_user_input?(args) || dangerous_interp?(args)
     end
@@ -77,6 +93,15 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
     end
   end
+  # @return [Boolean] true iff the command given by `first_arg`, `second_arg`
+  #   invokes a new shell process via `<shell_command> -c` (like `bash -c`)
+  def dash_c_shell_command?(first_arg, second_arg)
+    string?(first_arg) &&
+    KNOWN_SHELL_COMMANDS.include?(first_arg.value) &&
+    string?(second_arg) &&
+    second_arg.value == "-c"
+  end
   def check_open_calls
     tracker.find_call(:targets => [nil, :Kernel], :method => :open).each do |result|
       if match = dangerous_open_arg?(result[:call].first_arg)