RubyGems - brakeman - Versions diffs - 4.5.1 → 4.7.1 - Mend

brakeman 4.5.1 → 4.7.1

Files changed (417) hide show

data/lib/brakeman/checks/check_file_access.rb CHANGED Viewed

@@ -32,7 +32,7 @@ class Brakeman::CheckFileAccess < Brakeman::BaseCheck
     file_name = call.first_arg
-    return if called_on_tempfile?(file_name)
+    return if called_on_tempfile?(file_name) || sanitized?(file_name)
     if match = has_immediate_user_input?(file_name)
       confidence = :high
@@ -71,6 +71,12 @@ class Brakeman::CheckFileAccess < Brakeman::BaseCheck
     call?(file_name) && file_name.target == s(:const, :Tempfile)
   end
+  def sanitized? file
+    call?(file) &&
+      call?(file.target) &&
+      class_name(file.target.target) == :"ActiveStorage::Filename"
+  end
   def temp_file_method? exp
     if call? exp
       return true if exp.call_chain.include? :tempfile

data/lib/brakeman/checks/check_header_dos.rb CHANGED Viewed

@@ -25,7 +25,7 @@ class Brakeman::CheckHeaderDoS < Brakeman::BaseCheck
   end
   def has_workaround?
-    tracker.check_initializers(:ActiveSupport, :on_load).any? and
-    tracker.check_initializers(:"ActionView::LookupContext::DetailsKey", :class_eval).any?
+    tracker.find_call(target: :ActiveSupport, method: :on_load).any? and
+      tracker.find_call(target: :"ActionView::LookupContext::DetailsKey", method: :class_eval).any?
   end
 end

data/lib/brakeman/checks/check_i18n_xss.rb CHANGED Viewed

@@ -41,8 +41,8 @@ class Brakeman::CheckI18nXSS < Brakeman::BaseCheck
   end
   def has_workaround?
-    tracker.check_initializers(:I18n, :const_defined?).any? do |match|
-      match.last.first_arg == s(:lit, :MissingTranslation)
+    tracker.find_call(target: :I18n, method: :const_defined?, chained: true).any? do |match|
+      match[:call].first_arg == s(:lit, :MissingTranslation)
     end
   end
 end

data/lib/brakeman/checks/check_jruby_xml.rb CHANGED Viewed

@@ -20,8 +20,8 @@ class Brakeman::CheckJRubyXML < Brakeman::BaseCheck
       end
     #Check for workaround
-    tracker.check_initializers(:"ActiveSupport::XmlMini", :backend=).each do |result|
-      arg = result.call.first_arg
+    tracker.find_call(target: :"ActiveSupport::XmlMini", method: :backend=, chained: true).each do |result|
+      arg = result[:call].first_arg
       return if string? arg and arg.value == "REXML"
     end

data/lib/brakeman/checks/check_json_parsing.rb CHANGED Viewed

@@ -44,13 +44,13 @@ class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
   #Check for `ActiveSupport::JSON.backend = "JSONGem"`
   def uses_gem_backend?
-    matches = tracker.check_initializers(:'ActiveSupport::JSON', :backend=)
+    matches = tracker.find_call(target: :'ActiveSupport::JSON', method: :backend=, chained: true)
     unless matches.empty?
       json_gem = s(:str, "JSONGem")
       matches.each do |result|
-        if result.call.first_arg == json_gem
+        if result[:call].first_arg == json_gem
           return true
         end
       end

data/lib/brakeman/checks/check_mime_type_dos.rb CHANGED Viewed

@@ -30,8 +30,8 @@ class Brakeman::CheckMimeTypeDoS < Brakeman::BaseCheck
   end
   def has_workaround?
-    tracker.check_initializers(:Mime, :const_set).any? do |match|
-      arg = match.call.first_arg
+    tracker.find_call(target: :Mime, method: :const_set).any? do |match|
+      arg = match[:call].first_arg
       symbol? arg and arg.value == :LOOKUP
     end

data/lib/brakeman/checks/check_nested_attributes_bypass.rb CHANGED Viewed

@@ -53,6 +53,6 @@ class Brakeman::CheckNestedAttributesBypass < Brakeman::BaseCheck
   end
   def workaround?
-    tracker.check_initializers([], :will_be_destroyed?).any?
+    tracker.find_call(method: :will_be_destroyed?).any?
   end
 end

data/lib/brakeman/checks/check_reverse_tabnabbing.rb ADDED Viewed

@@ -0,0 +1,58 @@
+require 'brakeman/checks/base_check'
+class Brakeman::CheckReverseTabnabbing < Brakeman::BaseCheck
+  Brakeman::Checks.add_optional self
+  @description = "Checks for reverse tabnabbing cases on 'link_to' calls"
+  def run_check
+    calls = tracker.find_call :methods => :link_to
+    calls.each do |call|
+      process_result call
+    end
+  end
+  def process_result result
+    return unless original? result and result[:call].last_arg
+    html_opts = result[:call].last_arg
+    return unless hash? html_opts
+    target = hash_access html_opts, :target
+    unless target &&
+          (string?(target) && target.value == "_blank" ||
+          symbol?(target) && target.value == :_blank)
+      return
+    end
+    target_url = result[:block] ? result[:call].first_arg : result[:call].second_arg
+    # `url_for` and `_path` calls lead to urls on to the same origin.
+    # That means that an adversary would need to run javascript on
+    # the victim application's domain. If that is the case, the adversary
+    # already has the ability to redirect the victim user anywhere.
+    # Also statically provided URLs (interpolated or otherwise) are also
+    # ignored as they produce many false positives.
+    return if !call?(target_url) || target_url.method.match(/^url_for$|_path$/)
+    rel = hash_access html_opts, :rel
+    confidence = :medium
+    if rel && string?(rel) then
+      rel_opt = rel.value
+      return if rel_opt.include?("noopener") && rel_opt.include?("noreferrer")
+      if rel_opt.include?("noopener") ^ rel_opt.include?("noreferrer") then
+        confidence = :weak
+      end
+    end
+    warn :result => result,
+      :warning_type => "Reverse Tabnabbing",
+      :warning_code => :reverse_tabnabbing,
+      :message => msg("When opening a link in a new tab without setting ", msg_code('rel: "noopener noreferrer"'),
+                      ", the new tab can control the parent tab's location. For example, an attacker could redirect to a phishing page."),
+      :confidence => confidence,
+      :user_input => rel
+  end
+end

data/lib/brakeman/checks/check_sanitize_methods.rb CHANGED Viewed

@@ -70,7 +70,7 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
   def check_cve_2018_8048
     if loofah_vulnerable_cve_2018_8048?
-      message = msg(msg_version(tracker.config.gem_version(:loofah), "loofah gem"), " is vulnerable (CVE-2018-8048). Upgrade to 2.1.2")
+      message = msg(msg_version(tracker.config.gem_version(:loofah), "loofah gem"), " is vulnerable (CVE-2018-8048). Upgrade to 2.2.1")
       if tracker.find_call(:target => false, :method => :sanitize).any?
         confidence = :high
@@ -90,7 +90,7 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
   def loofah_vulnerable_cve_2018_8048?
     loofah_version = tracker.config.gem_version(:loofah)
-    loofah_version and loofah_version < "2.1.2"
+    loofah_version and loofah_version < "2.2.1"
   end
   def warn_sanitizer_cve cve, link, upgrade_version

data/lib/brakeman/checks/check_session_settings.rb CHANGED Viewed

@@ -21,8 +21,11 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
     check_for_issues settings, @app_tree.file_path("config/environment.rb")
-    ["session_store.rb", "secret_token.rb"].each do |file|
-      if tracker.initializers[file] and not ignored? file
+    session_store = @app_tree.file_path("config/initializers/session_store.rb")
+    secret_token = @app_tree.file_path("config/initializers/secret_token.rb")
+    [session_store, secret_token].each do |file|
+      if tracker.initializers[file] and not ignored? file.basename
         process tracker.initializers[file]
       end
     end

data/lib/brakeman/checks/check_xml_dos.rb CHANGED Viewed

@@ -34,8 +34,8 @@ class Brakeman::CheckXMLDoS < Brakeman::BaseCheck
   end
   def has_workaround?
-    tracker.check_initializers(:"ActiveSupport::XmlMini", :backend=).any? do |match|
-      arg = match.call.first_arg
+    tracker.find_call(target: :"ActiveSupport::XmlMini", method: :backend=).any? do |match|
+      arg = match[:call].first_arg
       if string? arg
         value = arg.value
         value == 'Nokogiri' or value == 'LibXML'

data/lib/brakeman/checks/check_yaml_parsing.rb CHANGED Viewed

@@ -48,21 +48,17 @@ class Brakeman::CheckYAMLParsing < Brakeman::BaseCheck
   def disabled_xml_parser?
     if version_between? "0.0.0", "2.3.14"
       #Look for ActionController::Base.param_parsers.delete(Mime::XML)
-      params_parser = s(:call,
-                        s(:colon2, s(:const, :ActionController), :Base),
-                        :param_parsers)
-      matches = tracker.check_initializers(params_parser, :delete)
+      matches = tracker.find_call(target: :"ActionController::Base.param_parsers", method: :delete)
     else
       #Look for ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML)
-      matches = tracker.check_initializers(:"ActionDispatch::ParamsParser::DEFAULT_PARSERS", :delete)
+      matches = tracker.find_call(target: :"ActionDispatch::ParamsParser::DEFAULT_PARSERS", method: :delete)
     end
     unless matches.empty?
       mime_xml = s(:colon2, s(:const, :Mime), :XML)
       matches.each do |result|
-        if result.call.first_arg == mime_xml
+        if result[:call].first_arg == mime_xml
           return true
         end
       end
@@ -74,18 +70,14 @@ class Brakeman::CheckYAMLParsing < Brakeman::BaseCheck
   #Look for ActionController::Base.param_parsers[Mime::YAML] = :yaml
   #in Rails 2.x apps
   def enabled_yaml_parser?
-    param_parsers = s(:call,
-                      s(:colon2, s(:const, :ActionController), :Base),
-                      :param_parsers)
-    matches = tracker.check_initializers(param_parsers, :[]=)
+    matches = tracker.find_call(target: :'ActionController::Base.param_parsers', method: :[]=)
     mime_yaml = s(:colon2, s(:const, :Mime), :YAML)
     matches.each do |result|
-      if result.call.first_arg == mime_yaml and
-        symbol? result.call.second_arg and
-        result.call.second_arg.value == :yaml
+      if result[:call].first_arg == mime_yaml and
+        symbol? result[:call].second_arg and
+        result[:call].second_arg.value == :yaml
         return true
       end
@@ -96,16 +88,16 @@ class Brakeman::CheckYAMLParsing < Brakeman::BaseCheck
   def disabled_xml_dangerous_types?
     if version_between? "0.0.0", "2.3.14"
-      matches = tracker.check_initializers(:"ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING", :delete)
+      matches = tracker.find_call(target: :"ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING", method: :delete)
     else
-      matches = tracker.check_initializers(:"ActiveSupport::XmlMini::PARSING", :delete)
+      matches = tracker.find_call(target: :"ActiveSupport::XmlMini::PARSING", method: :delete)
     end
     symbols_off = false
     yaml_off = false
     matches.each do |result|
-      arg = result.call.first_arg
+      arg = result[:call].first_arg
       if string? arg
         if arg.value == "yaml"

data/lib/brakeman/differ.rb CHANGED Viewed

@@ -24,43 +24,31 @@ class Brakeman::Differ
   # second pass to cleanup any vulns which have changed in line number only.
   # Given a list of new warnings, delete pairs of new/fixed vulns that differ
   # only by line number.
-  # Horrible O(n^2) performance.  Keep n small :-/
   def second_pass(warnings)
-    # keep track of the number of elements deleted because the index numbers
-    # won't update as the list is modified
-    elements_deleted_offset = 0
+    new_fingerprints = Set.new(warnings[:new].map(&method(:fingerprint)))
+    fixed_fingerprints = Set.new(warnings[:fixed].map(&method(:fingerprint)))
-    # dup this list since we will be deleting from it and the iterator gets confused.
-    # use _with_index for fast deletion as opposed to .reject!{|obj| obj == *_warning}
-    warnings[:new].dup.each_with_index do |new_warning, new_warning_id|
-      warnings[:fixed].each_with_index do |fixed_warning, fixed_warning_id|
-        if eql_except_line_number new_warning, fixed_warning
-          warnings[:new].delete_at(new_warning_id - elements_deleted_offset)
-          elements_deleted_offset += 1
-          warnings[:fixed].delete_at(fixed_warning_id)
-          break
-        end
+    # Remove warnings which fingerprints are both in :new and :fixed
+    shared_fingerprints = new_fingerprints.intersection(fixed_fingerprints)
+    unless shared_fingerprints.empty?
+      warnings[:new].delete_if do |warning|
+        shared_fingerprints.include?(fingerprint(warning))
+      end
+      warnings[:fixed].delete_if do |warning|
+        shared_fingerprints.include?(fingerprint(warning))
       end
     end
     warnings
   end
-  def eql_except_line_number new_warning, fixed_warning
-    # can't do this ahead of time, as callers may be expecting a Brakeman::Warning
-    if new_warning.is_a? Brakeman::Warning
-      new_warning = new_warning.to_hash
-      fixed_warning = fixed_warning.to_hash
-    end
-    if new_warning[:fingerprint] and fixed_warning[:fingerprint]
-      new_warning[:fingerprint] == fixed_warning[:fingerprint]
+  def fingerprint(warning)
+    if warning.is_a?(Brakeman::Warning)
+      warning.fingerprint
     else
-     OLD_WARNING_KEYS.each do |attr|
-        return false if new_warning[attr] != fixed_warning[attr]
-      end
-      true
+      warning[:fingerprint]
     end
   end
 end

data/lib/brakeman/file_parser.rb CHANGED Viewed

@@ -33,17 +33,13 @@ module Brakeman
       end
     end
-    def parse_ruby input, path, parser = RubyParser.new
+    def parse_ruby input, path
       begin
         Brakeman.debug "Parsing #{path}"
-        parser.parse input, path, @timeout
+        RubyParser.new.parse input, path, @timeout
       rescue Racc::ParseError => e
-        if parser.class == RubyParser
-          return parse_ruby(input, path, RubyParser.latest)
-        else
-          @tracker.error e, "Could not parse #{path}"
-          nil
-        end
+        @tracker.error e, "Could not parse #{path}"
+        nil
       rescue Timeout::Error => e
         @tracker.error Exception.new("Parsing #{path} took too long (> #{@timeout} seconds). Try increasing the limit with --parser-timeout"), caller
         nil

data/lib/brakeman/file_path.rb CHANGED Viewed

@@ -35,6 +35,11 @@ module Brakeman
       @relative = relative_path
     end
+    # Just the file name, no path
+    def basename
+      @basename ||= File.basename(self.relative)
+    end
     # Read file from absolute path.
     def read
       File.read self.absolute
@@ -67,5 +72,14 @@ module Brakeman
     def to_s
       self.to_str
     end
+    def hash
+      @hash ||= [@absolute, @relative].hash
+    end
+    def eql? rhs
+      @absolute == rhs.absolute and
+        @relative == rhs.relative
+    end
   end
 end

data/lib/brakeman/parsers/haml_embedded.rb CHANGED Viewed

@@ -1,6 +1,6 @@
 module Brakeman
   module FakeHamlFilter
-    # Copied from Haml - force delayed compilation
+    # Copied from Haml 4 - force delayed compilation
     def compile(compiler, text)
       filter = self
       compiler.instance_eval do

data/lib/brakeman/parsers/template_parser.rb CHANGED Viewed

@@ -79,7 +79,9 @@ module Brakeman
       Haml::Engine.new(text,
                        :filename => path,
-                       :escape_html => tracker.config.escape_html?).precompiled.gsub(/([^\\])\\n/, '\1')
+                       :escape_html => tracker.config.escape_html?,
+                       :escape_filter_interpolations => tracker.config.escape_filter_interpolations?
+                      ).precompiled.gsub(/([^\\])\\n/, '\1')
     rescue Haml::Error => e
       tracker.error e, ["While compiling HAML in #{path}"] << e.backtrace
       nil

data/lib/brakeman/processor.rb CHANGED Viewed

@@ -90,7 +90,7 @@ module Brakeman
     def process_initializer file_name, src
       res = BaseProcessor.new(@tracker).process_file src, file_name
       res = AliasProcessor.new(@tracker).process_safely res, nil, file_name
-      @tracker.initializers[Pathname.new(file_name).basename.to_s] = res
+      @tracker.initializers[file_name] = res
     end
     #Process source for a library file

data/lib/brakeman/processors/alias_processor.rb CHANGED Viewed

@@ -249,6 +249,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         end
         env[target_var] = target
         return first_arg
+      elsif new_string? target
+        env[target_var] = first_arg
+        return first_arg
       elsif array? target
         target << first_arg
         env[target_var] = target
@@ -265,6 +268,10 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       unless target.nil?
         exp = target
       end
+    when :dup
+      unless target.nil?
+        exp = target
+      end
     when :join
       if array? target and target.length > 2 and (string? first_arg or first_arg.nil?)
         exp = process_array_join(target, first_arg)
@@ -602,7 +609,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     if node_type? exp, :hash
       if exp.any? { |e| node_type? e, :kwsplat and node_type? e.value, :hash }
         kwsplats, rest = exp.partition { |e| node_type? e, :kwsplat and node_type? e.value, :hash }
-        exp = Sexp.new.concat(rest).line(exp)
+        exp = Sexp.new.concat(rest).line(exp.line)
         kwsplats.each do |e|
           exp = process_hash_merge! exp, e.value
@@ -1194,6 +1201,13 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     call? exp and exp.method == :raise
   end
+  STRING_NEW = s(:call, s(:const, :String), :new)
+  # String.new ?
+  def new_string? exp
+    exp == STRING_NEW
+  end
   #Set variable to given value.
   #Creates "branched" versions of values when appropriate.
   #Avoids creating multiple branched versions inside same