brakeman 5.2.2 → 5.3.1

Files changed (153) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGES.md +17 -0
  3. data/bundle/load.rb +2 -2
  4. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/History.rdoc +6 -0
  5. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/Manifest.txt +0 -0
  6. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/README.rdoc +0 -0
  7. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/composite_sexp_processor.rb +0 -0
  8. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/pt_testcase.rb +7 -3
  9. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/sexp.rb +0 -0
  10. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/sexp_matcher.rb +0 -0
  11. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/sexp_processor.rb +1 -1
  12. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/strict_sexp.rb +0 -0
  13. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/unique.rb +0 -0
  14. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/COPYING +0 -0
  15. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/asciidoc.rb +0 -0
  16. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/babel.rb +0 -0
  17. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/bluecloth.rb +0 -0
  18. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/builder.rb +0 -0
  19. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/coffee.rb +0 -0
  20. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/commonmarker.rb +11 -1
  21. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/creole.rb +0 -0
  22. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/csv.rb +1 -1
  23. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/dummy.rb +0 -0
  24. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/erb.rb +0 -0
  25. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/erubi.rb +0 -0
  26. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/erubis.rb +0 -0
  27. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/etanni.rb +0 -0
  28. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/haml.rb +0 -0
  29. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/kramdown.rb +0 -0
  30. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/less.rb +0 -0
  31. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/liquid.rb +0 -0
  32. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/livescript.rb +0 -0
  33. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/mapping.rb +0 -0
  34. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/markaby.rb +0 -0
  35. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/maruku.rb +0 -0
  36. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/nokogiri.rb +0 -0
  37. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/pandoc.rb +23 -15
  38. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/plain.rb +0 -0
  39. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/prawn.rb +0 -0
  40. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/radius.rb +0 -0
  41. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/rdiscount.rb +0 -0
  42. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/rdoc.rb +0 -0
  43. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/redcarpet.rb +5 -2
  44. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/redcloth.rb +0 -0
  45. data/bundle/ruby/2.7.0/gems/tilt-2.0.11/lib/tilt/rst-pandoc.rb +23 -0
  46. data/bundle/ruby/2.7.0/gems/tilt-2.0.11/lib/tilt/sass.rb +78 -0
  47. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/sigil.rb +0 -0
  48. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/string.rb +0 -0
  49. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/template.rb +12 -1
  50. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/typescript.rb +0 -0
  51. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/wikicloth.rb +0 -0
  52. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/yajl.rb +0 -0
  53. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt.rb +2 -1
  54. data/lib/brakeman/app_tree.rb +9 -1
  55. data/lib/brakeman/checks/check_basic_auth.rb +4 -2
  56. data/lib/brakeman/checks/check_basic_auth_timing_attack.rb +2 -1
  57. data/lib/brakeman/checks/check_content_tag.rb +8 -4
  58. data/lib/brakeman/checks/check_cookie_serialization.rb +2 -1
  59. data/lib/brakeman/checks/check_create_with.rb +4 -2
  60. data/lib/brakeman/checks/check_cross_site_scripting.rb +6 -3
  61. data/lib/brakeman/checks/check_csrf_token_forgery_cve.rb +2 -1
  62. data/lib/brakeman/checks/check_default_routes.rb +6 -3
  63. data/lib/brakeman/checks/check_deserialize.rb +2 -1
  64. data/lib/brakeman/checks/check_detailed_exceptions.rb +4 -2
  65. data/lib/brakeman/checks/check_digest_dos.rb +2 -1
  66. data/lib/brakeman/checks/check_divide_by_zero.rb +2 -1
  67. data/lib/brakeman/checks/check_dynamic_finders.rb +2 -1
  68. data/lib/brakeman/checks/check_escape_function.rb +2 -1
  69. data/lib/brakeman/checks/check_evaluation.rb +2 -1
  70. data/lib/brakeman/checks/check_execute.rb +6 -3
  71. data/lib/brakeman/checks/check_file_access.rb +2 -1
  72. data/lib/brakeman/checks/check_file_disclosure.rb +2 -1
  73. data/lib/brakeman/checks/check_filter_skipping.rb +2 -1
  74. data/lib/brakeman/checks/check_force_ssl.rb +2 -1
  75. data/lib/brakeman/checks/check_forgery_setting.rb +4 -2
  76. data/lib/brakeman/checks/check_header_dos.rb +2 -1
  77. data/lib/brakeman/checks/check_i18n_xss.rb +2 -1
  78. data/lib/brakeman/checks/check_jruby_xml.rb +2 -1
  79. data/lib/brakeman/checks/check_json_encoding.rb +2 -1
  80. data/lib/brakeman/checks/check_json_entity_escape.rb +4 -2
  81. data/lib/brakeman/checks/check_json_parsing.rb +4 -2
  82. data/lib/brakeman/checks/check_link_to.rb +2 -1
  83. data/lib/brakeman/checks/check_link_to_href.rb +4 -2
  84. data/lib/brakeman/checks/check_mail_to.rb +2 -1
  85. data/lib/brakeman/checks/check_mass_assignment.rb +6 -3
  86. data/lib/brakeman/checks/check_mime_type_dos.rb +2 -1
  87. data/lib/brakeman/checks/check_model_attr_accessible.rb +2 -1
  88. data/lib/brakeman/checks/check_model_attributes.rb +4 -2
  89. data/lib/brakeman/checks/check_model_serialize.rb +2 -1
  90. data/lib/brakeman/checks/check_nested_attributes.rb +2 -1
  91. data/lib/brakeman/checks/check_nested_attributes_bypass.rb +2 -1
  92. data/lib/brakeman/checks/check_number_to_currency.rb +4 -2
  93. data/lib/brakeman/checks/check_page_caching_cve.rb +2 -1
  94. data/lib/brakeman/checks/check_permit_attributes.rb +2 -1
  95. data/lib/brakeman/checks/check_quote_table_name.rb +2 -1
  96. data/lib/brakeman/checks/check_redirect.rb +2 -1
  97. data/lib/brakeman/checks/check_regex_dos.rb +2 -1
  98. data/lib/brakeman/checks/check_render.rb +4 -2
  99. data/lib/brakeman/checks/check_render_dos.rb +2 -1
  100. data/lib/brakeman/checks/check_render_inline.rb +4 -2
  101. data/lib/brakeman/checks/check_response_splitting.rb +2 -1
  102. data/lib/brakeman/checks/check_reverse_tabnabbing.rb +2 -1
  103. data/lib/brakeman/checks/check_route_dos.rb +2 -1
  104. data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +2 -1
  105. data/lib/brakeman/checks/check_sanitize_config_cve.rb +120 -0
  106. data/lib/brakeman/checks/check_sanitize_methods.rb +6 -3
  107. data/lib/brakeman/checks/check_secrets.rb +2 -1
  108. data/lib/brakeman/checks/check_select_tag.rb +2 -1
  109. data/lib/brakeman/checks/check_select_vulnerability.rb +2 -1
  110. data/lib/brakeman/checks/check_send.rb +2 -1
  111. data/lib/brakeman/checks/check_session_manipulation.rb +2 -1
  112. data/lib/brakeman/checks/check_session_settings.rb +6 -3
  113. data/lib/brakeman/checks/check_simple_format.rb +4 -2
  114. data/lib/brakeman/checks/check_single_quotes.rb +2 -1
  115. data/lib/brakeman/checks/check_skip_before_filter.rb +4 -2
  116. data/lib/brakeman/checks/check_sprockets_path_traversal.rb +2 -1
  117. data/lib/brakeman/checks/check_sql.rb +4 -2
  118. data/lib/brakeman/checks/check_sql_cves.rb +4 -2
  119. data/lib/brakeman/checks/check_ssl_verify.rb +2 -1
  120. data/lib/brakeman/checks/check_strip_tags.rb +6 -3
  121. data/lib/brakeman/checks/check_symbol_dos.rb +2 -1
  122. data/lib/brakeman/checks/check_symbol_dos_cve.rb +2 -1
  123. data/lib/brakeman/checks/check_template_injection.rb +2 -1
  124. data/lib/brakeman/checks/check_translate_bug.rb +2 -1
  125. data/lib/brakeman/checks/check_unsafe_reflection.rb +2 -1
  126. data/lib/brakeman/checks/check_unsafe_reflection_methods.rb +2 -1
  127. data/lib/brakeman/checks/check_unscoped_find.rb +2 -1
  128. data/lib/brakeman/checks/check_validation_regex.rb +2 -1
  129. data/lib/brakeman/checks/check_verb_confusion.rb +2 -1
  130. data/lib/brakeman/checks/check_weak_hash.rb +6 -3
  131. data/lib/brakeman/checks/check_without_protection.rb +2 -1
  132. data/lib/brakeman/checks/check_xml_dos.rb +2 -1
  133. data/lib/brakeman/checks/check_yaml_parsing.rb +4 -2
  134. data/lib/brakeman/checks/eol_check.rb +4 -2
  135. data/lib/brakeman/options.rb +1 -1
  136. data/lib/brakeman/processors/alias_processor.rb +24 -1
  137. data/lib/brakeman/processors/lib/find_all_calls.rb +1 -0
  138. data/lib/brakeman/report/ignore/interactive.rb +2 -2
  139. data/lib/brakeman/report/report_csv.rb +2 -0
  140. data/lib/brakeman/report/report_junit.rb +2 -2
  141. data/lib/brakeman/report/report_table.rb +5 -5
  142. data/lib/brakeman/report/report_text.rb +2 -0
  143. data/lib/brakeman/report/templates/controller_warnings.html.erb +2 -0
  144. data/lib/brakeman/report/templates/ignored_warnings.html.erb +2 -0
  145. data/lib/brakeman/report/templates/model_warnings.html.erb +2 -0
  146. data/lib/brakeman/report/templates/security_warnings.html.erb +2 -0
  147. data/lib/brakeman/report/templates/view_warnings.html.erb +2 -0
  148. data/lib/brakeman/version.rb +1 -1
  149. data/lib/brakeman/warning.rb +5 -2
  150. data/lib/brakeman/warning_codes.rb +1 -0
  151. metadata +53 -52
  152. data/bundle/ruby/2.7.0/gems/tilt-2.0.10/lib/tilt/rst-pandoc.rb +0 -18
  153. data/bundle/ruby/2.7.0/gems/tilt-2.0.10/lib/tilt/sass.rb +0 -52
@@ -0,0 +1,120 @@
1
+ require 'brakeman/checks/base_check'
2
+
3
+ class Brakeman::CheckSanitizeConfigCve < Brakeman::BaseCheck
4
+ Brakeman::Checks.add self
5
+
6
+ @description = "Checks for vunerable uses of sanitize (CVE-2022-32209)"
7
+
8
+ def run_check
9
+ @specific_warning = false
10
+
11
+ @gem_version = tracker.config.gem_version :'rails-html-sanitizer'
12
+ if version_between? "0.0.0", "1.4.2", @gem_version
13
+ check_config
14
+ check_sanitize_calls
15
+ check_safe_list_allowed_tags
16
+
17
+ unless @specific_warning
18
+ # General warning about the vulnerable version
19
+ cve_warning
20
+ end
21
+ end
22
+ end
23
+
24
+ def cve_warning confidence: :weak, result: nil
25
+ return if result and not original? result
26
+
27
+ message = msg(msg_version(@gem_version, 'rails-html-sanitizer'),
28
+ " is vulnerable to cross-site scripting when ",
29
+ msg_code('select'),
30
+ " and ",
31
+ msg_code("style"),
32
+ " tags are allowed ",
33
+ msg_cve("CVE-2022-32209")
34
+ )
35
+
36
+ unless result
37
+ message << ". Upgrade to 1.4.3 or newer"
38
+ end
39
+
40
+ warn :warning_type => "Cross-Site Scripting",
41
+ :warning_code => :CVE_2022_32209,
42
+ :message => message,
43
+ :confidence => confidence,
44
+ :gem_info => gemfile_or_environment(:'rails-html-sanitizer'),
45
+ :link_path => "https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s/m/S0fJfnkmBAAJ",
46
+ :cwe_id => [79],
47
+ :result => result
48
+ end
49
+
50
+ # Look for
51
+ # config.action_view.sanitized_allowed_tags = ["select", "style"]
52
+ def check_config
53
+ sanitizer_config = tracker.config.rails.dig(:action_view, :sanitized_allowed_tags)
54
+
55
+ if sanitizer_config and include_both_tags? sanitizer_config
56
+ @specific_warning = true
57
+ cve_warning confidence: :high
58
+ end
59
+ end
60
+
61
+ # Look for
62
+ # sanitize ..., tags: ["select", "style"]
63
+ # and
64
+ # Rails::Html::SafeListSanitizer.new.sanitize(..., tags: ["select", "style"])
65
+ def check_sanitize_calls
66
+ tracker.find_call(method: :sanitize, target: nil).each do |result|
67
+ check_tags_option result
68
+ end
69
+
70
+ tracker.find_call(method: :sanitize, target: :'Rails::Html::SafeListSanitizer.new').each do |result|
71
+ check_tags_option result
72
+ end
73
+ end
74
+
75
+ # Look for
76
+ # Rails::Html::SafeListSanitizer.allowed_tags = ["select", "style"]
77
+ def check_safe_list_allowed_tags
78
+ tracker.find_call(target: :'Rails::Html::SafeListSanitizer', method: :allowed_tags=).each do |result|
79
+ check_result result, result[:call].first_arg
80
+ end
81
+ end
82
+
83
+ private
84
+
85
+ def check_tags_option result
86
+ options = result[:call].last_arg
87
+
88
+ if options
89
+ check_result result, hash_access(options, :tags)
90
+ end
91
+ end
92
+
93
+ def check_result result, arg
94
+ if include_both_tags? arg
95
+ @specific_warning = true
96
+ cve_warning confidence: :high, result: result
97
+ end
98
+ end
99
+
100
+ def include_both_tags? exp
101
+ return unless sexp? exp
102
+
103
+ has_tag? exp, 'select' and
104
+ has_tag? exp, 'style'
105
+ end
106
+
107
+ def has_tag? exp, tag
108
+ tag_sym = tag.to_sym
109
+
110
+ exp.each_sexp do |e|
111
+ if string? e and e.value == tag
112
+ return true
113
+ elsif symbol? e and e.value == tag_sym
114
+ return true
115
+ end
116
+ end
117
+
118
+ false
119
+ end
120
+ end
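Review bot: `has_tag?` only inspects the direct children of the expression it is given (as far as I know `each_sexp` is not recursive), so `include_both_tags?` matches a literal list such as `["select", "style"]` but probably not a tag list produced by an expression, for example one concatenated onto an existing list. In that case `@specific_warning` stays false and the application gets only the weak-confidence generic warning from `run_check`, which is easy to dismiss during triage. A comment above `has_tag?` stating the limit would help, e.g. `# Only matches literal tag lists; computed lists fall back to the generic version warning`. Separately, the `@description` string has a typo and should read `"Checks for vulnerable uses of sanitize (CVE-2022-32209)"`.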
@@ -51,7 +51,8 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
51
51
  :warning_code => code,
52
52
  :message => message,
53
53
  :confidence => :high,
54
- :link_path => link
54
+ :link_path => link,
55
+ :cwe_id => [79]
55
56
  end
56
57
  end
57
58
 
@@ -83,7 +84,8 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
83
84
  :message => message,
84
85
  :gem_info => gemfile_or_environment(:loofah),
85
86
  :confidence => confidence,
86
- :link_path => "https://github.com/flavorjones/loofah/issues/144"
87
+ :link_path => "https://github.com/flavorjones/loofah/issues/144",
88
+ :cwe_id => [79]
87
89
  end
88
90
  end
89
91
 
@@ -108,6 +110,7 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
108
110
  :message => message,
109
111
  :gem_info => gemfile_or_environment(:'rails-html-sanitizer'),
110
112
  :confidence => confidence,
111
- :link_path => link
113
+ :link_path => link,
114
+ :cwe_id => [79]
112
115
  end
113
116
  end
@@ -27,7 +27,8 @@ class Brakeman::CheckSecrets < Brakeman::BaseCheck
27
27
  :message => msg("Hardcoded value for ", msg_code(name), " in source code"),
28
28
  :confidence => :medium,
29
29
  :file => constant.file,
30
- :line => constant.line
30
+ :line => constant.line,
31
+ :cwe_id => [798]
31
32
  end
32
33
  end
33
34
  end
@@ -52,7 +52,8 @@ class Brakeman::CheckSelectTag < Brakeman::BaseCheck
52
52
  :message => @message,
53
53
  :confidence => :high,
54
54
  :user_input => input,
55
- :link_path => "https://groups.google.com/d/topic/rubyonrails-security/fV3QUToSMSw/discussion"
55
+ :link_path => "https://groups.google.com/d/topic/rubyonrails-security/fV3QUToSMSw/discussion",
56
+ :cwe_id => [79]
56
57
  end
57
58
  end
58
59
  end
@@ -54,7 +54,8 @@ class Brakeman::CheckSelectVulnerability < Brakeman::BaseCheck
54
54
  :warning_code => :select_options_vuln,
55
55
  :result => result,
56
56
  :message => @message,
57
- :confidence => confidence
57
+ :confidence => confidence,
58
+ :cwe_id => [79]
58
59
  end
59
60
  end
60
61
  end
@@ -29,7 +29,8 @@ class Brakeman::CheckSend < Brakeman::BaseCheck
29
29
  :warning_code => :dangerous_send,
30
30
  :message => "User controlled method execution",
31
31
  :user_input => input,
32
- :confidence => :high
32
+ :confidence => :high,
33
+ :cwe_id => [77]
33
34
  end
34
35
  end
35
36
 
@@ -28,7 +28,8 @@ class Brakeman::CheckSessionManipulation < Brakeman::BaseCheck
28
28
  :warning_code => :session_key_manipulation,
29
29
  :message => msg(msg_input(input), " used as key in session hash"),
30
30
  :user_input => input,
31
- :confidence => confidence
31
+ :confidence => confidence,
32
+ :cwe_id => [20] # TODO: what cwe should this be? it seems like it's looking for authz bypass
32
33
  end
33
34
  end
34
35
  end
@@ -142,7 +142,8 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
142
142
  :message => "Session cookies should be set to HTTP only",
143
143
  :confidence => :high,
144
144
  :line => line,
145
- :file => file
145
+ :file => file,
146
+ :cwe_id => [1004]
146
147
 
147
148
  end
148
149
 
@@ -152,7 +153,8 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
152
153
  :message => "Session secret should not be included in version control",
153
154
  :confidence => :high,
154
155
  :line => line,
155
- :file => file
156
+ :file => file,
157
+ :cwe_id => [798]
156
158
  end
157
159
 
158
160
  def warn_about_secure_only line, file
@@ -161,7 +163,8 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
161
163
  :message => "Session cookie should be set to secure only",
162
164
  :confidence => :high,
163
165
  :line => line,
164
- :file => file
166
+ :file => file,
167
+ :cwe_id => [614]
165
168
  end
166
169
 
167
170
  def ignored? file
@@ -28,7 +28,8 @@ class Brakeman::CheckSimpleFormat < Brakeman::CheckCrossSiteScripting
28
28
  :message => message,
29
29
  :confidence => :medium,
30
30
  :gem_info => gemfile_or_environment,
31
- :link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ"
31
+ :link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ",
32
+ :cwe_id => [79]
32
33
  end
33
34
 
34
35
  def check_simple_format_usage
@@ -58,6 +59,7 @@ class Brakeman::CheckSimpleFormat < Brakeman::CheckCrossSiteScripting
58
59
  :message => msg("Values passed to ", msg_code("simple_format"), " are not safe in ", msg_version(rails_version)),
59
60
  :confidence => :high,
60
61
  :link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ",
61
- :user_input => match
62
+ :user_input => match,
63
+ :cwe_id => [79]
62
64
  end
63
65
  end
@@ -38,7 +38,8 @@ class Brakeman::CheckSingleQuotes < Brakeman::BaseCheck
38
38
  :message => message,
39
39
  :confidence => :medium,
40
40
  :gem_info => gemfile_or_environment,
41
- :link_path => "https://groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion"
41
+ :link_path => "https://groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion",
42
+ :cwe_id => [79]
42
43
  end
43
44
 
44
45
  #Process initializers to see if they use workaround
@@ -29,7 +29,8 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
29
29
  :message => msg("List specific actions (", msg_code(":only => [..]"), ") when skipping CSRF check"),
30
30
  :code => filter,
31
31
  :confidence => :medium,
32
- :file => controller.file
32
+ :file => controller.file,
33
+ :cwe_id => [352]
33
34
 
34
35
  when :login_required, :authenticate_user!, :require_user
35
36
  warn :controller => controller.name,
@@ -39,7 +40,8 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
39
40
  :code => filter,
40
41
  :confidence => :medium,
41
42
  :link_path => "authentication_whitelist",
42
- :file => controller.file
43
+ :file => controller.file,
44
+ :cwe_id => [287]
43
45
  end
44
46
  end
45
47
 
@@ -30,7 +30,8 @@ class Brakeman::CheckSprocketsPathTraversal < Brakeman::BaseCheck
30
30
  :message => message,
31
31
  :confidence => confidence,
32
32
  :gem_info => gemfile_or_environment(:sprockets),
33
- :link_path => "https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ"
33
+ :link_path => "https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ",
34
+ :cwe_id => [22, 200]
34
35
  end
35
36
 
36
37
  def has_workaround?
@@ -247,7 +247,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
247
247
  :warning_code => :sql_injection,
248
248
  :message => "Possible SQL injection",
249
249
  :user_input => user_input,
250
- :confidence => confidence
250
+ :confidence => confidence,
251
+ :cwe_id => [89]
251
252
  end
252
253
 
253
254
  if check_for_limit_or_offset_vulnerability call.last_arg
@@ -261,7 +262,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
261
262
  :warning_type => "SQL Injection",
262
263
  :warning_code => :sql_injection_limit_offset,
263
264
  :message => msg("Upgrade to Rails >= 2.1.2 to escape ", msg_code(":limit"), " and ", msg_code("offset"), ". Possible SQL injection"),
264
- :confidence => confidence
265
+ :confidence => confidence,
266
+ :cwe_id => [89]
265
267
  end
266
268
  end
267
269
 
@@ -81,7 +81,8 @@ class Brakeman::CheckSQLCVEs < Brakeman::BaseCheck
81
81
  :message => msg(msg_version(rails_version), " contains a SQL injection vulnerability ", msg_cve(cve), ". Upgrade to ", msg_version(upgrade_version)),
82
82
  :confidence => :high,
83
83
  :gem_info => gemfile_or_environment,
84
- :link_path => link
84
+ :link_path => link,
85
+ :cwe_id => [89]
85
86
  end
86
87
 
87
88
  def upgrade_version? versions
@@ -101,6 +102,7 @@ class Brakeman::CheckSQLCVEs < Brakeman::BaseCheck
101
102
  :message => msg(msg_version(rails_version), " contains a SQL injection vulnerability ", msg_cve("CVE-2014-0080"), " with PostgreSQL. Upgrade to ", msg_version("4.0.3")),
102
103
  :confidence => :high,
103
104
  :gem_info => gemfile_or_environment(:pg),
104
- :link_path => "https://groups.google.com/d/msg/rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ"
105
+ :link_path => "https://groups.google.com/d/msg/rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ",
106
+ :cwe_id => [89]
105
107
  end
106
108
  end
@@ -43,6 +43,7 @@ class Brakeman::CheckSSLVerify < Brakeman::BaseCheck
43
43
  :warning_type => "SSL Verification Bypass",
44
44
  :warning_code => :ssl_verification_bypass,
45
45
  :message => "SSL certificate verification was bypassed",
46
- :confidence => :high
46
+ :confidence => :high,
47
+ :cwe_id => [295]
47
48
  end
48
49
  end
@@ -35,7 +35,8 @@ class Brakeman::CheckStripTags < Brakeman::BaseCheck
35
35
  :message => message,
36
36
  :gem_info => gemfile_or_environment,
37
37
  :confidence => :high,
38
- :link_path => "https://groups.google.com/d/topic/rubyonrails-security/K5EwdJt06hI/discussion"
38
+ :link_path => "https://groups.google.com/d/topic/rubyonrails-security/K5EwdJt06hI/discussion",
39
+ :cwe_id => [79]
39
40
  end
40
41
  end
41
42
 
@@ -60,7 +61,8 @@ class Brakeman::CheckStripTags < Brakeman::BaseCheck
60
61
  :message => message,
61
62
  :confidence => :high,
62
63
  :gem_info => gemfile_or_environment,
63
- :link_path => "https://groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion"
64
+ :link_path => "https://groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion",
65
+ :cwe_id => [79]
64
66
  end
65
67
 
66
68
  def cve_2015_7579
@@ -78,7 +80,8 @@ class Brakeman::CheckStripTags < Brakeman::BaseCheck
78
80
  :message => message,
79
81
  :confidence => confidence,
80
82
  :gem_info => gemfile_or_environment(:"rails-html-sanitizer"),
81
- :link_path => "https://groups.google.com/d/msg/rubyonrails-security/OU9ugTZcbjc/PjEP46pbFQAJ"
83
+ :link_path => "https://groups.google.com/d/msg/rubyonrails-security/OU9ugTZcbjc/PjEP46pbFQAJ",
84
+ :cwe_id => [79]
82
85
 
83
86
  end
84
87
  end
@@ -45,7 +45,8 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
45
45
  :warning_code => :unsafe_symbol_creation,
46
46
  :message => message,
47
47
  :user_input => input,
48
- :confidence => confidence
48
+ :confidence => confidence,
49
+ :cwe_id => [20]
49
50
  end
50
51
  end
51
52
 
@@ -23,7 +23,8 @@ class Brakeman::CheckSymbolDoSCVE < Brakeman::BaseCheck
23
23
  :message => msg(msg_version(rails_version), " has a denial of service vulnerability in ActiveRecord. Upgrade to ", msg_version(fix_version), " or patch"),
24
24
  :confidence => :medium,
25
25
  :gem_info => gemfile_or_environment,
26
- :link => "https://groups.google.com/d/msg/rubyonrails-security/jgJ4cjjS8FE/BGbHRxnDRTIJ"
26
+ :link => "https://groups.google.com/d/msg/rubyonrails-security/jgJ4cjjS8FE/BGbHRxnDRTIJ",
27
+ :cwe_id => [20]
27
28
  end
28
29
  end
29
30
  end
@@ -26,7 +26,8 @@ class Brakeman::CheckTemplateInjection < Brakeman::BaseCheck
26
26
  :warning_code => :erb_template_injection,
27
27
  :message => msg(msg_input(input), " used directly in ", msg_code("ERB"), " template, which might enable remote code execution"),
28
28
  :user_input => input,
29
- :confidence => :high
29
+ :confidence => :high,
30
+ :cwe_id => [1336]
30
31
  end
31
32
  end
32
33
  end
@@ -33,7 +33,8 @@ class Brakeman::CheckTranslateBug < Brakeman::BaseCheck
33
33
  :message => message,
34
34
  :confidence => confidence,
35
35
  :gem_info => gemfile_or_environment,
36
- :link_path => "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5"
36
+ :link_path => "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5",
37
+ :cwe_id => [79]
37
38
  end
38
39
  end
39
40
 
@@ -49,7 +49,8 @@ class Brakeman::CheckUnsafeReflection < Brakeman::BaseCheck
49
49
  :warning_code => :unsafe_constantize,
50
50
  :message => message,
51
51
  :user_input => input,
52
- :confidence => confidence
52
+ :confidence => confidence,
53
+ :cwe_id => [470]
53
54
  end
54
55
  end
55
56
  end
@@ -63,6 +63,7 @@ class Brakeman::CheckUnsafeReflectionMethods < Brakeman::BaseCheck
63
63
  :warning_code => :unsafe_method_reflection,
64
64
  :message => message,
65
65
  :user_input => input,
66
- :confidence => confidence
66
+ :confidence => confidence,
67
+ :cwe_id => [470]
67
68
  end
68
69
  end
@@ -40,7 +40,8 @@ class Brakeman::CheckUnscopedFind < Brakeman::BaseCheck
40
40
  :message => msg("Unscoped call to ", msg_code("#{result[:target]}##{result[:method]}")),
41
41
  :code => result[:call],
42
42
  :confidence => :weak,
43
- :user_input => input
43
+ :user_input => input,
44
+ :cwe_id => [285]
44
45
  end
45
46
 
46
47
  def optional_belongs_to? exp
@@ -91,7 +91,8 @@ class Brakeman::CheckValidationRegex < Brakeman::BaseCheck
91
91
  :warning_code => :validation_regex,
92
92
  :message => msg("Insufficient validation for ", msg_code(get_name validator), " using ", msg_code(regex.inspect), ". Use ", msg_code("\\A"), " and ", msg_code("\\z"), " as anchors"),
93
93
  :line => value.line,
94
- :confidence => :high
94
+ :confidence => :high,
95
+ :cwe_id => [777]
95
96
  end
96
97
  end
97
98
 
@@ -70,6 +70,7 @@ class Brakeman::CheckVerbConfusion < Brakeman::BaseCheck
70
70
  :message => message,
71
71
  :code => code,
72
72
  :user_input => result[:call],
73
- :confidence => confidence
73
+ :confidence => confidence,
74
+ :cwe_id => [352]
74
75
  end
75
76
  end
@@ -53,7 +53,8 @@ class Brakeman::CheckWeakHash < Brakeman::BaseCheck
53
53
  :warning_code => :weak_hash_digest,
54
54
  :message => message,
55
55
  :confidence => confidence,
56
- :user_input => input
56
+ :user_input => input,
57
+ :cwe_id => [328]
57
58
  end
58
59
 
59
60
  def process_hmac_result result
@@ -74,7 +75,8 @@ class Brakeman::CheckWeakHash < Brakeman::BaseCheck
74
75
  :warning_type => "Weak Hash",
75
76
  :warning_code => :weak_hash_hmac,
76
77
  :message => message,
77
- :confidence => :medium
78
+ :confidence => :medium,
79
+ :cwe_id => [328]
78
80
  end
79
81
 
80
82
  def process_openssl_result result
@@ -90,7 +92,8 @@ class Brakeman::CheckWeakHash < Brakeman::BaseCheck
90
92
  :warning_type => "Weak Hash",
91
93
  :warning_code => :weak_hash_digest,
92
94
  :message => msg("Weak hashing algorithm used: ", msg_lit(alg)),
93
- :confidence => :medium
95
+ :confidence => :medium,
96
+ :cwe_id => [328]
94
97
  end
95
98
  end
96
99
  end
@@ -55,7 +55,8 @@ class Brakeman::CheckWithoutProtection < Brakeman::BaseCheck
55
55
  :message => "Unprotected mass assignment",
56
56
  :code => call,
57
57
  :user_input => input,
58
- :confidence => confidence
58
+ :confidence => confidence,
59
+ :cwe_id => [915]
59
60
 
60
61
  end
61
62
  end
@@ -30,7 +30,8 @@ class Brakeman::CheckXMLDoS < Brakeman::BaseCheck
30
30
  :message => message,
31
31
  :confidence => :medium,
32
32
  :gem_info => gemfile_or_environment,
33
- :link_path => "https://groups.google.com/d/msg/rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J"
33
+ :link_path => "https://groups.google.com/d/msg/rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J",
34
+ :cwe_id => [125]
34
35
  end
35
36
 
36
37
  def has_workaround?
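Review bot: `:cwe_id => [125]` labels this denial-of-service check as CWE-125 (Out-of-bounds Read), which does not obviously describe what a check named CheckXMLDoS reports. If the underlying advisory is about resource exhaustion during XML parsing, CWE-400 (Uncontrolled Resource Consumption) would be the expected mapping; please confirm against the linked advisory, since report consumers filter and triage on this value. The `warn` call starts above the hunk, so the warning type and message are not visible here.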
@@ -29,7 +29,8 @@ class Brakeman::CheckYAMLParsing < Brakeman::BaseCheck
29
29
  :message => message,
30
30
  :confidence => :high,
31
31
  :gem_info => gemfile_or_environment,
32
- :link_path => "https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/discussion"
32
+ :link_path => "https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/discussion",
33
+ :cwe_id => [20]
33
34
  end
34
35
 
35
36
  #Warn if app accepts YAML
@@ -41,7 +42,8 @@ class Brakeman::CheckYAMLParsing < Brakeman::BaseCheck
41
42
  :message => message,
42
43
  :confidence => :high,
43
44
  :gem_info => gemfile_or_environment,
44
- :link_path => "https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/discussion"
45
+ :link_path => "https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/discussion",
46
+ :cwe_id => [20]
45
47
  end
46
48
  end
47
49
 
@@ -34,7 +34,8 @@ class Brakeman::EOLCheck < Brakeman::BaseCheck
34
34
  warning_code: :"pending_eol_#{library}",
35
35
  message: msg("Support for ", msg_version(version, library.capitalize), " ends on #{eol_date}"),
36
36
  confidence: confidence,
37
- gem_info: gemfile_or_environment
37
+ gem_info: gemfile_or_environment,
38
+ :cwe_id => [1104]
38
39
  end
39
40
 
40
41
  def warn_about_unsupported_version library, eol_date, version
@@ -42,6 +43,7 @@ class Brakeman::EOLCheck < Brakeman::BaseCheck
42
43
  warning_code: :"eol_#{library}",
43
44
  message: msg("Support for ", msg_version(version, library.capitalize), " ended on #{eol_date}"),
44
45
  confidence: :high,
45
- gem_info: gemfile_or_environment
46
+ gem_info: gemfile_or_environment,
47
+ :cwe_id => [1104]
46
48
  end
47
49
  end
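Review bot: The added `:cwe_id => [1104]` line puts hash-rocket syntax into a `warn` call whose other keys are all keyword-style (`warning_code:`, `confidence:`, `gem_info:`). `cwe_id: [1104]` would keep the argument list in one style; the same applies to the second hunk in this file, in `warn_about_unsupported_version`. The value itself (CWE-1104, use of unmaintained third-party components) fits an end-of-life warning.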
@@ -323,7 +323,7 @@ module Brakeman::Options
323
323
  end
324
324
 
325
325
  opts.on "--text-fields field1,field2,etc.", Array, "Specify fields for text report format" do |format|
326
- valid_options = [:category, :category_id, :check, :code, :confidence, :file, :fingerprint, :line, :link, :message, :render_path]
326
+ valid_options = [:category, :category_id, :check, :code, :confidence, :cwe, :file, :fingerprint, :line, :link, :message, :render_path]
327
327
 
328
328
  options[:text_fields] = format.map(&:to_sym)
329
329
 
@@ -703,7 +703,30 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
703
703
  end
704
704
  end
705
705
 
706
- exp
706
+ # Return early unless there might be short-hand syntax,
707
+ # since handling it is kind of expensive.
708
+ return exp unless exp.any? { |e| e.nil? }
709
+
710
+ # Need to handle short-hand hash syntax
711
+ new_hash = [:hash]
712
+ hash_iterate(exp) do |key, value|
713
+ # e.g. { a: }
714
+ if value.nil? and symbol? key
715
+ # Only handling local variables for now, not calls
716
+ lvar = s(:lvar, key.value)
717
+ if var_value = env[lvar]
718
+ new_hash << key << var_value.deep_clone(key.line || 0)
719
+ else
720
+ # If the value is unknown, assume it was a call
721
+ # and set the value to a call
722
+ new_hash.concat << key << s(:call, nil, key.value).line(key.line || 0)
723
+ end
724
+ else
725
+ new_hash.concat << key << value
726
+ end
727
+ end
728
+
729
+ Sexp.from_array(new_hash).line(exp.line || 0)
707
730
  end
708
731
 
709
732
  #Merge values into hash when processing
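Review bot: The `.concat` in `new_hash.concat << key << value` and in the `s(:call, nil, key.value)` branch is called with no arguments, so it appends nothing and the lines work only because `<<` does the appending; the first branch already writes `new_hash << key << ...`. Dropping it (`new_hash << key << value`) makes the three branches consistent and, as far as I know, avoids an ArgumentError on older Ruby versions where `Array#concat` requires an argument. The enclosing method starts above the hunk, so how `exp` and `env` are populated is not visible here.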
@@ -233,6 +233,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
233
233
 
234
234
  unless @in_target
235
235
  @full_call = call_hash
236
+ call_hash[:full_call] = call_hash
236
237
  end
237
238
 
238
239
  # Process up the call chain
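Review bot: `call_hash[:full_call] = call_hash` makes the outermost call's hash hold a reference to itself, and nothing next to the line says this is intended. Code that walks, deep-copies or serializes these hashes has to cope with the cycle, so a comment would help: `# The outermost call in a chain is its own :full_call; the self-reference is intentional`. Whether nested calls get `:full_call` from `@full_call` elsewhere in the method is not visible in this hunk.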
@@ -88,10 +88,10 @@ module Brakeman
88
88
 
89
89
  m.choice "i"
90
90
  m.choice "n"
91
- m.choice "k"
91
+ m.choice "s"
92
92
  m.choice "u"
93
93
  m.choice "a"
94
- m.choice "s"
94
+ m.choice "k"
95
95
  m.choice "q"
96
96
  m.choice "?" do
97
97
  show_help
@@ -5,6 +5,7 @@ class Brakeman::Report::CSV < Brakeman::Report::Base
5
5
  headers = [
6
6
  "Confidence",
7
7
  "Warning Type",
8
+ "CWE",
8
9
  "File",
9
10
  "Line",
10
11
  "Message",
@@ -35,6 +36,7 @@ class Brakeman::Report::CSV < Brakeman::Report::Base
35
36
  [
36
37
  warning.confidence_name,
37
38
  warning.warning_type,
39
+ warning.cwe_id.first,
38
40
  warning_file(warning),
39
41
  warning.line,
40
42
  warning.message,
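Review bot: `warning.cwe_id.first` writes only the first CWE to the CSV, while at least one check in this release sets two (`:cwe_id => [22, 200]` in CheckSprocketsPathTraversal), so the second value never reaches this report. It would also raise NoMethodError for a warning created without a `cwe_id`, which may happen for checks that were not updated, such as externally maintained ones; the Warning class is not visible here, so that depends on whether it supplies a default. `Array(warning.cwe_id).join(" ")` would cover both cases, provided a multi-value column is acceptable to CSV consumers.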