brakeman 5.2.2 → 5.3.1
- checksums.yaml +4 -4
- data/CHANGES.md +17 -0
- data/bundle/load.rb +2 -2
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/History.rdoc +6 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/Manifest.txt +0 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/README.rdoc +0 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/composite_sexp_processor.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/pt_testcase.rb +7 -3
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/sexp.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/sexp_matcher.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/sexp_processor.rb +1 -1
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/strict_sexp.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/unique.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/COPYING +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/asciidoc.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/babel.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/bluecloth.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/builder.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/coffee.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/commonmarker.rb +11 -1
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/creole.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/csv.rb +1 -1
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/dummy.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/erb.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/erubi.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/erubis.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/etanni.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/haml.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/kramdown.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/less.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/liquid.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/livescript.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/mapping.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/markaby.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/maruku.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/nokogiri.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/pandoc.rb +23 -15
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/plain.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/prawn.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/radius.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/rdiscount.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/rdoc.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/redcarpet.rb +5 -2
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/redcloth.rb +0 -0
- data/bundle/ruby/2.7.0/gems/tilt-2.0.11/lib/tilt/rst-pandoc.rb +23 -0
- data/bundle/ruby/2.7.0/gems/tilt-2.0.11/lib/tilt/sass.rb +78 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/sigil.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/string.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/template.rb +12 -1
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/typescript.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/wikicloth.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/yajl.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt.rb +2 -1
- data/lib/brakeman/app_tree.rb +9 -1
- data/lib/brakeman/checks/check_basic_auth.rb +4 -2
- data/lib/brakeman/checks/check_basic_auth_timing_attack.rb +2 -1
- data/lib/brakeman/checks/check_content_tag.rb +8 -4
- data/lib/brakeman/checks/check_cookie_serialization.rb +2 -1
- data/lib/brakeman/checks/check_create_with.rb +4 -2
- data/lib/brakeman/checks/check_cross_site_scripting.rb +6 -3
- data/lib/brakeman/checks/check_csrf_token_forgery_cve.rb +2 -1
- data/lib/brakeman/checks/check_default_routes.rb +6 -3
- data/lib/brakeman/checks/check_deserialize.rb +2 -1
- data/lib/brakeman/checks/check_detailed_exceptions.rb +4 -2
- data/lib/brakeman/checks/check_digest_dos.rb +2 -1
- data/lib/brakeman/checks/check_divide_by_zero.rb +2 -1
- data/lib/brakeman/checks/check_dynamic_finders.rb +2 -1
- data/lib/brakeman/checks/check_escape_function.rb +2 -1
- data/lib/brakeman/checks/check_evaluation.rb +2 -1
- data/lib/brakeman/checks/check_execute.rb +6 -3
- data/lib/brakeman/checks/check_file_access.rb +2 -1
- data/lib/brakeman/checks/check_file_disclosure.rb +2 -1
- data/lib/brakeman/checks/check_filter_skipping.rb +2 -1
- data/lib/brakeman/checks/check_force_ssl.rb +2 -1
- data/lib/brakeman/checks/check_forgery_setting.rb +4 -2
- data/lib/brakeman/checks/check_header_dos.rb +2 -1
- data/lib/brakeman/checks/check_i18n_xss.rb +2 -1
- data/lib/brakeman/checks/check_jruby_xml.rb +2 -1
- data/lib/brakeman/checks/check_json_encoding.rb +2 -1
- data/lib/brakeman/checks/check_json_entity_escape.rb +4 -2
- data/lib/brakeman/checks/check_json_parsing.rb +4 -2
- data/lib/brakeman/checks/check_link_to.rb +2 -1
- data/lib/brakeman/checks/check_link_to_href.rb +4 -2
- data/lib/brakeman/checks/check_mail_to.rb +2 -1
- data/lib/brakeman/checks/check_mass_assignment.rb +6 -3
- data/lib/brakeman/checks/check_mime_type_dos.rb +2 -1
- data/lib/brakeman/checks/check_model_attr_accessible.rb +2 -1
- data/lib/brakeman/checks/check_model_attributes.rb +4 -2
- data/lib/brakeman/checks/check_model_serialize.rb +2 -1
- data/lib/brakeman/checks/check_nested_attributes.rb +2 -1
- data/lib/brakeman/checks/check_nested_attributes_bypass.rb +2 -1
- data/lib/brakeman/checks/check_number_to_currency.rb +4 -2
- data/lib/brakeman/checks/check_page_caching_cve.rb +2 -1
- data/lib/brakeman/checks/check_permit_attributes.rb +2 -1
- data/lib/brakeman/checks/check_quote_table_name.rb +2 -1
- data/lib/brakeman/checks/check_redirect.rb +2 -1
- data/lib/brakeman/checks/check_regex_dos.rb +2 -1
- data/lib/brakeman/checks/check_render.rb +4 -2
- data/lib/brakeman/checks/check_render_dos.rb +2 -1
- data/lib/brakeman/checks/check_render_inline.rb +4 -2
- data/lib/brakeman/checks/check_response_splitting.rb +2 -1
- data/lib/brakeman/checks/check_reverse_tabnabbing.rb +2 -1
- data/lib/brakeman/checks/check_route_dos.rb +2 -1
- data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +2 -1
- data/lib/brakeman/checks/check_sanitize_config_cve.rb +120 -0
- data/lib/brakeman/checks/check_sanitize_methods.rb +6 -3
- data/lib/brakeman/checks/check_secrets.rb +2 -1
- data/lib/brakeman/checks/check_select_tag.rb +2 -1
- data/lib/brakeman/checks/check_select_vulnerability.rb +2 -1
- data/lib/brakeman/checks/check_send.rb +2 -1
- data/lib/brakeman/checks/check_session_manipulation.rb +2 -1
- data/lib/brakeman/checks/check_session_settings.rb +6 -3
- data/lib/brakeman/checks/check_simple_format.rb +4 -2
- data/lib/brakeman/checks/check_single_quotes.rb +2 -1
- data/lib/brakeman/checks/check_skip_before_filter.rb +4 -2
- data/lib/brakeman/checks/check_sprockets_path_traversal.rb +2 -1
- data/lib/brakeman/checks/check_sql.rb +4 -2
- data/lib/brakeman/checks/check_sql_cves.rb +4 -2
- data/lib/brakeman/checks/check_ssl_verify.rb +2 -1
- data/lib/brakeman/checks/check_strip_tags.rb +6 -3
- data/lib/brakeman/checks/check_symbol_dos.rb +2 -1
- data/lib/brakeman/checks/check_symbol_dos_cve.rb +2 -1
- data/lib/brakeman/checks/check_template_injection.rb +2 -1
- data/lib/brakeman/checks/check_translate_bug.rb +2 -1
- data/lib/brakeman/checks/check_unsafe_reflection.rb +2 -1
- data/lib/brakeman/checks/check_unsafe_reflection_methods.rb +2 -1
- data/lib/brakeman/checks/check_unscoped_find.rb +2 -1
- data/lib/brakeman/checks/check_validation_regex.rb +2 -1
- data/lib/brakeman/checks/check_verb_confusion.rb +2 -1
- data/lib/brakeman/checks/check_weak_hash.rb +6 -3
- data/lib/brakeman/checks/check_without_protection.rb +2 -1
- data/lib/brakeman/checks/check_xml_dos.rb +2 -1
- data/lib/brakeman/checks/check_yaml_parsing.rb +4 -2
- data/lib/brakeman/checks/eol_check.rb +4 -2
- data/lib/brakeman/options.rb +1 -1
- data/lib/brakeman/processors/alias_processor.rb +24 -1
- data/lib/brakeman/processors/lib/find_all_calls.rb +1 -0
- data/lib/brakeman/report/ignore/interactive.rb +2 -2
- data/lib/brakeman/report/report_csv.rb +2 -0
- data/lib/brakeman/report/report_junit.rb +2 -2
- data/lib/brakeman/report/report_table.rb +5 -5
- data/lib/brakeman/report/report_text.rb +2 -0
- data/lib/brakeman/report/templates/controller_warnings.html.erb +2 -0
- data/lib/brakeman/report/templates/ignored_warnings.html.erb +2 -0
- data/lib/brakeman/report/templates/model_warnings.html.erb +2 -0
- data/lib/brakeman/report/templates/security_warnings.html.erb +2 -0
- data/lib/brakeman/report/templates/view_warnings.html.erb +2 -0
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning.rb +5 -2
- data/lib/brakeman/warning_codes.rb +1 -0
- metadata +53 -52
- data/bundle/ruby/2.7.0/gems/tilt-2.0.10/lib/tilt/rst-pandoc.rb +0 -18
- data/bundle/ruby/2.7.0/gems/tilt-2.0.10/lib/tilt/sass.rb +0 -52
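--- /dev/null
+++ b/data/lib/brakeman/checks/check_sanitize_config_cve.rb
@@ -0,0 +1,120 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckSanitizeConfigCve < Brakeman::BaseCheck
+Brakeman::Checks.add self
+
+@description = "Checks for vunerable uses of sanitize (CVE-2022-32209)"
+
+def run_check
+@specific_warning = false
+
+@gem_version = tracker.config.gem_version :'rails-html-sanitizer'
+if version_between? "0.0.0", "1.4.2", @gem_version
+check_config
+check_sanitize_calls
+check_safe_list_allowed_tags
+
+unless @specific_warning
+# General warning about the vulnerable version
+cve_warning
+end
+end
+end
+
+def cve_warning confidence: :weak, result: nil
+return if result and not original? result
+
+message = msg(msg_version(@gem_version, 'rails-html-sanitizer'),
+" is vulnerable to cross-site scripting when ",
+msg_code('select'),
+" and ",
+msg_code("style"),
+" tags are allowed ",
+msg_cve("CVE-2022-32209")
+)
+
+unless result
+message << ". Upgrade to 1.4.3 or newer"
+end
+
+warn :warning_type => "Cross-Site Scripting",
+:warning_code => :CVE_2022_32209,
+:message => message,
+:confidence => confidence,
+:gem_info => gemfile_or_environment(:'rails-html-sanitizer'),
+:link_path => "https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s/m/S0fJfnkmBAAJ",
+:cwe_id => [79],
+:result => result
+end
+
+# Look for
+# config.action_view.sanitized_allowed_tags = ["select", "style"]
+def check_config
+sanitizer_config = tracker.config.rails.dig(:action_view, :sanitized_allowed_tags)
+
+if sanitizer_config and include_both_tags? sanitizer_config
+@specific_warning = true
+cve_warning confidence: :high
+end
+end
+
+# Look for
+# sanitize ..., tags: ["select", "style"]
+# and
+# Rails::Html::SafeListSanitizer.new.sanitize(..., tags: ["select", "style"])
+def check_sanitize_calls
+tracker.find_call(method: :sanitize, target: nil).each do |result|
+check_tags_option result
+end
+
+tracker.find_call(method: :sanitize, target: :'Rails::Html::SafeListSanitizer.new').each do |result|
+check_tags_option result
+end
+end
+
+# Look for
+# Rails::Html::SafeListSanitizer.allowed_tags = ["select", "style"]
+def check_safe_list_allowed_tags
+tracker.find_call(target: :'Rails::Html::SafeListSanitizer', method: :allowed_tags=).each do |result|
+check_result result, result[:call].first_arg
+end
+end
+
+private
+
+def check_tags_option result
+options = result[:call].last_arg
+
+if options
+check_result result, hash_access(options, :tags)
+end
+end
+
+def check_result result, arg
+if include_both_tags? arg
+@specific_warning = true
+cve_warning confidence: :high, result: result
+end
+end
+
+def include_both_tags? exp
+return unless sexp? exp
+
+has_tag? exp, 'select' and
+has_tag? exp, 'style'
+end
+
+def has_tag? exp, tag
+tag_sym = tag.to_sym
+
+exp.each_sexp do |e|
+if string? e and e.value == tag
+return true
+elsif symbol? e and e.value == tag_sym
+return true
+end
+end
+
+false
+end
+end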
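--- a/data/lib/brakeman/checks/check_sanitize_methods.rb
+++ b/data/lib/brakeman/checks/check_sanitize_methods.rb
@@ -51,7 +51,8 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
 :warning_code => code,
 :message => message,
 :confidence => :high,
-:link_path => link
+:link_path => link,
+:cwe_id => [79]
 end
 end
 
@@ -83,7 +84,8 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
 :message => message,
 :gem_info => gemfile_or_environment(:loofah),
 :confidence => confidence,
-:link_path => "https://github.com/flavorjones/loofah/issues/144"
+:link_path => "https://github.com/flavorjones/loofah/issues/144",
+:cwe_id => [79]
 end
 end
 
@@ -108,6 +110,7 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
 :message => message,
 :gem_info => gemfile_or_environment(:'rails-html-sanitizer'),
 :confidence => confidence,
-:link_path => link
+:link_path => link,
+:cwe_id => [79]
 end
 end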
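--- a/data/lib/brakeman/checks/check_secrets.rb
+++ b/data/lib/brakeman/checks/check_secrets.rb
@@ -27,7 +27,8 @@ class Brakeman::CheckSecrets < Brakeman::BaseCheck
 :message => msg("Hardcoded value for ", msg_code(name), " in source code"),
 :confidence => :medium,
 :file => constant.file,
-:line => constant.line
+:line => constant.line,
+:cwe_id => [798]
 end
 end
 end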
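--- a/data/lib/brakeman/checks/check_select_tag.rb
+++ b/data/lib/brakeman/checks/check_select_tag.rb
@@ -52,7 +52,8 @@ class Brakeman::CheckSelectTag < Brakeman::BaseCheck
 :message => @message,
 :confidence => :high,
 :user_input => input,
-:link_path => "https://groups.google.com/d/topic/rubyonrails-security/fV3QUToSMSw/discussion"
+:link_path => "https://groups.google.com/d/topic/rubyonrails-security/fV3QUToSMSw/discussion",
+:cwe_id => [79]
 end
 end
 end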
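--- a/data/lib/brakeman/checks/check_session_manipulation.rb
+++ b/data/lib/brakeman/checks/check_session_manipulation.rb
@@ -28,7 +28,8 @@ class Brakeman::CheckSessionManipulation < Brakeman::BaseCheck
 :warning_code => :session_key_manipulation,
 :message => msg(msg_input(input), " used as key in session hash"),
 :user_input => input,
-:confidence => confidence
+:confidence => confidence,
+:cwe_id => [20] # TODO: what cwe should this be? it seems like it's looking for authz bypass
 end
 end
 end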
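--- a/data/lib/brakeman/checks/check_session_settings.rb
+++ b/data/lib/brakeman/checks/check_session_settings.rb
@@ -142,7 +142,8 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
 :message => "Session cookies should be set to HTTP only",
 :confidence => :high,
 :line => line,
-:file => file
+:file => file,
+:cwe_id => [1004]
 
 end
 
@@ -152,7 +153,8 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
 :message => "Session secret should not be included in version control",
 :confidence => :high,
 :line => line,
-:file => file
+:file => file,
+:cwe_id => [798]
 end
 
 def warn_about_secure_only line, file
@@ -161,7 +163,8 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
 :message => "Session cookie should be set to secure only",
 :confidence => :high,
 :line => line,
-:file => file
+:file => file,
+:cwe_id => [614]
 end
 
 def ignored? file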
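--- a/data/lib/brakeman/checks/check_simple_format.rb
+++ b/data/lib/brakeman/checks/check_simple_format.rb
@@ -28,7 +28,8 @@ class Brakeman::CheckSimpleFormat < Brakeman::CheckCrossSiteScripting
 :message => message,
 :confidence => :medium,
 :gem_info => gemfile_or_environment,
-:link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ"
+:link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ",
+:cwe_id => [79]
 end
 
 def check_simple_format_usage
@@ -58,6 +59,7 @@ class Brakeman::CheckSimpleFormat < Brakeman::CheckCrossSiteScripting
 :message => msg("Values passed to ", msg_code("simple_format"), " are not safe in ", msg_version(rails_version)),
 :confidence => :high,
 :link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ",
-:user_input => match
+:user_input => match,
+:cwe_id => [79]
 end
 end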
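--- a/data/lib/brakeman/checks/check_single_quotes.rb
+++ b/data/lib/brakeman/checks/check_single_quotes.rb
@@ -38,7 +38,8 @@ class Brakeman::CheckSingleQuotes < Brakeman::BaseCheck
 :message => message,
 :confidence => :medium,
 :gem_info => gemfile_or_environment,
-:link_path => "https://groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion"
+:link_path => "https://groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion",
+:cwe_id => [79]
 end
 
 #Process initializers to see if they use workaround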
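--- a/data/lib/brakeman/checks/check_skip_before_filter.rb
+++ b/data/lib/brakeman/checks/check_skip_before_filter.rb
@@ -29,7 +29,8 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
 :message => msg("List specific actions (", msg_code(":only => [..]"), ") when skipping CSRF check"),
 :code => filter,
 :confidence => :medium,
-:file => controller.file
+:file => controller.file,
+:cwe_id => [352]
 
 when :login_required, :authenticate_user!, :require_user
 warn :controller => controller.name,
@@ -39,7 +40,8 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
 :code => filter,
 :confidence => :medium,
 :link_path => "authentication_whitelist",
-:file => controller.file
+:file => controller.file,
+:cwe_id => [287]
 end
 end
 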
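--- a/data/lib/brakeman/checks/check_sprockets_path_traversal.rb
+++ b/data/lib/brakeman/checks/check_sprockets_path_traversal.rb
@@ -30,7 +30,8 @@ class Brakeman::CheckSprocketsPathTraversal < Brakeman::BaseCheck
 :message => message,
 :confidence => confidence,
 :gem_info => gemfile_or_environment(:sprockets),
-:link_path => "https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ"
+:link_path => "https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ",
+:cwe_id => [22, 200]
 end
 
 def has_workaround?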
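--- a/data/lib/brakeman/checks/check_sql.rb
+++ b/data/lib/brakeman/checks/check_sql.rb
@@ -247,7 +247,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
 :warning_code => :sql_injection,
 :message => "Possible SQL injection",
 :user_input => user_input,
-:confidence => confidence
+:confidence => confidence,
+:cwe_id => [89]
 end
 
 if check_for_limit_or_offset_vulnerability call.last_arg
@@ -261,7 +262,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
 :warning_type => "SQL Injection",
 :warning_code => :sql_injection_limit_offset,
 :message => msg("Upgrade to Rails >= 2.1.2 to escape ", msg_code(":limit"), " and ", msg_code("offset"), ". Possible SQL injection"),
-:confidence => confidence
+:confidence => confidence,
+:cwe_id => [89]
 end
 end
 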
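--- a/data/lib/brakeman/checks/check_sql_cves.rb
+++ b/data/lib/brakeman/checks/check_sql_cves.rb
@@ -81,7 +81,8 @@ class Brakeman::CheckSQLCVEs < Brakeman::BaseCheck
 :message => msg(msg_version(rails_version), " contains a SQL injection vulnerability ", msg_cve(cve), ". Upgrade to ", msg_version(upgrade_version)),
 :confidence => :high,
 :gem_info => gemfile_or_environment,
-:link_path => link
+:link_path => link,
+:cwe_id => [89]
 end
 
 def upgrade_version? versions
@@ -101,6 +102,7 @@ class Brakeman::CheckSQLCVEs < Brakeman::BaseCheck
 :message => msg(msg_version(rails_version), " contains a SQL injection vulnerability ", msg_cve("CVE-2014-0080"), " with PostgreSQL. Upgrade to ", msg_version("4.0.3")),
 :confidence => :high,
 :gem_info => gemfile_or_environment(:pg),
-:link_path => "https://groups.google.com/d/msg/rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ"
+:link_path => "https://groups.google.com/d/msg/rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ",
+:cwe_id => [89]
 end
 end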
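--- a/data/lib/brakeman/checks/check_ssl_verify.rb
+++ b/data/lib/brakeman/checks/check_ssl_verify.rb
@@ -43,6 +43,7 @@ class Brakeman::CheckSSLVerify < Brakeman::BaseCheck
 :warning_type => "SSL Verification Bypass",
 :warning_code => :ssl_verification_bypass,
 :message => "SSL certificate verification was bypassed",
-:confidence => :high
+:confidence => :high,
+:cwe_id => [295]
 end
 end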
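--- a/data/lib/brakeman/checks/check_strip_tags.rb
+++ b/data/lib/brakeman/checks/check_strip_tags.rb
@@ -35,7 +35,8 @@ class Brakeman::CheckStripTags < Brakeman::BaseCheck
 :message => message,
 :gem_info => gemfile_or_environment,
 :confidence => :high,
-:link_path => "https://groups.google.com/d/topic/rubyonrails-security/K5EwdJt06hI/discussion"
+:link_path => "https://groups.google.com/d/topic/rubyonrails-security/K5EwdJt06hI/discussion",
+:cwe_id => [79]
 end
 end
 
@@ -60,7 +61,8 @@ class Brakeman::CheckStripTags < Brakeman::BaseCheck
 :message => message,
 :confidence => :high,
 :gem_info => gemfile_or_environment,
-:link_path => "https://groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion"
+:link_path => "https://groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion",
+:cwe_id => [79]
 end
 
 def cve_2015_7579
@@ -78,7 +80,8 @@ class Brakeman::CheckStripTags < Brakeman::BaseCheck
 :message => message,
 :confidence => confidence,
 :gem_info => gemfile_or_environment(:"rails-html-sanitizer"),
-:link_path => "https://groups.google.com/d/msg/rubyonrails-security/OU9ugTZcbjc/PjEP46pbFQAJ"
+:link_path => "https://groups.google.com/d/msg/rubyonrails-security/OU9ugTZcbjc/PjEP46pbFQAJ",
+:cwe_id => [79]
 
 end
 end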
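--- a/data/lib/brakeman/checks/check_symbol_dos_cve.rb
+++ b/data/lib/brakeman/checks/check_symbol_dos_cve.rb
@@ -23,7 +23,8 @@ class Brakeman::CheckSymbolDoSCVE < Brakeman::BaseCheck
 :message => msg(msg_version(rails_version), " has a denial of service vulnerability in ActiveRecord. Upgrade to ", msg_version(fix_version), " or patch"),
 :confidence => :medium,
 :gem_info => gemfile_or_environment,
-:link => "https://groups.google.com/d/msg/rubyonrails-security/jgJ4cjjS8FE/BGbHRxnDRTIJ"
+:link => "https://groups.google.com/d/msg/rubyonrails-security/jgJ4cjjS8FE/BGbHRxnDRTIJ",
+:cwe_id => [20]
 end
 end
 end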
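--- a/data/lib/brakeman/checks/check_template_injection.rb
+++ b/data/lib/brakeman/checks/check_template_injection.rb
@@ -26,7 +26,8 @@ class Brakeman::CheckTemplateInjection < Brakeman::BaseCheck
 :warning_code => :erb_template_injection,
 :message => msg(msg_input(input), " used directly in ", msg_code("ERB"), " template, which might enable remote code execution"),
 :user_input => input,
-:confidence => :high
+:confidence => :high,
+:cwe_id => [1336]
 end
 end
 end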
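--- a/data/lib/brakeman/checks/check_translate_bug.rb
+++ b/data/lib/brakeman/checks/check_translate_bug.rb
@@ -33,7 +33,8 @@ class Brakeman::CheckTranslateBug < Brakeman::BaseCheck
 :message => message,
 :confidence => confidence,
 :gem_info => gemfile_or_environment,
-:link_path => "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5"
+:link_path => "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5",
+:cwe_id => [79]
 end
 end
 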
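--- a/data/lib/brakeman/checks/check_unscoped_find.rb
+++ b/data/lib/brakeman/checks/check_unscoped_find.rb
@@ -40,7 +40,8 @@ class Brakeman::CheckUnscopedFind < Brakeman::BaseCheck
 :message => msg("Unscoped call to ", msg_code("#{result[:target]}##{result[:method]}")),
 :code => result[:call],
 :confidence => :weak,
-:user_input => input
+:user_input => input,
+:cwe_id => [285]
 end
 
 def optional_belongs_to? exp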
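--- a/data/lib/brakeman/checks/check_validation_regex.rb
+++ b/data/lib/brakeman/checks/check_validation_regex.rb
@@ -91,7 +91,8 @@ class Brakeman::CheckValidationRegex < Brakeman::BaseCheck
 :warning_code => :validation_regex,
 :message => msg("Insufficient validation for ", msg_code(get_name validator), " using ", msg_code(regex.inspect), ". Use ", msg_code("\\A"), " and ", msg_code("\\z"), " as anchors"),
 :line => value.line,
-:confidence => :high
+:confidence => :high,
+:cwe_id => [777]
 end
 end
 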
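--- a/data/lib/brakeman/checks/check_weak_hash.rb
+++ b/data/lib/brakeman/checks/check_weak_hash.rb
@@ -53,7 +53,8 @@ class Brakeman::CheckWeakHash < Brakeman::BaseCheck
 :warning_code => :weak_hash_digest,
 :message => message,
 :confidence => confidence,
-:user_input => input
+:user_input => input,
+:cwe_id => [328]
 end
 
 def process_hmac_result result
@@ -74,7 +75,8 @@ class Brakeman::CheckWeakHash < Brakeman::BaseCheck
 :warning_type => "Weak Hash",
 :warning_code => :weak_hash_hmac,
 :message => message,
-:confidence => :medium
+:confidence => :medium,
+:cwe_id => [328]
 end
 
 def process_openssl_result result
@@ -90,7 +92,8 @@ class Brakeman::CheckWeakHash < Brakeman::BaseCheck
 :warning_type => "Weak Hash",
 :warning_code => :weak_hash_digest,
 :message => msg("Weak hashing algorithm used: ", msg_lit(alg)),
-:confidence => :medium
+:confidence => :medium,
+:cwe_id => [328]
 end
 end
 end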
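--- a/data/lib/brakeman/checks/check_xml_dos.rb
+++ b/data/lib/brakeman/checks/check_xml_dos.rb
@@ -30,7 +30,8 @@ class Brakeman::CheckXMLDoS < Brakeman::BaseCheck
 :message => message,
 :confidence => :medium,
 :gem_info => gemfile_or_environment,
-:link_path => "https://groups.google.com/d/msg/rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J"
+:link_path => "https://groups.google.com/d/msg/rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J",
+:cwe_id => [125]
 end
 
 def has_workaround?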
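--- a/data/lib/brakeman/checks/check_yaml_parsing.rb
+++ b/data/lib/brakeman/checks/check_yaml_parsing.rb
@@ -29,7 +29,8 @@ class Brakeman::CheckYAMLParsing < Brakeman::BaseCheck
 :message => message,
 :confidence => :high,
 :gem_info => gemfile_or_environment,
-:link_path => "https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/discussion"
+:link_path => "https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/discussion",
+:cwe_id => [20]
 end
 
 #Warn if app accepts YAML
@@ -41,7 +42,8 @@ class Brakeman::CheckYAMLParsing < Brakeman::BaseCheck
 :message => message,
 :confidence => :high,
 :gem_info => gemfile_or_environment,
-:link_path => "https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/discussion"
+:link_path => "https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/discussion",
+:cwe_id => [20]
 end
 end
 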
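Review bot: Both new `:cwe_id => [20]` lines tag the YAML-parsing warnings as generic input validation, but what this check reports (the second hunk's own comment says "Warn if app accepts YAML") is the application handing attacker-supplied YAML to a parser that instantiates arbitrary objects; CWE-502 (Deserialization of Untrusted Data) is the specific weakness and the one downstream tooling keys on. Consider `:cwe_id => [502]` — or `[502, 20]` if the generic tag is to be retained — on both hunks. The enclosing methods start outside these hunks.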
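--- a/data/lib/brakeman/checks/eol_check.rb
+++ b/data/lib/brakeman/checks/eol_check.rb
@@ -34,7 +34,8 @@ class Brakeman::EOLCheck < Brakeman::BaseCheck
 warning_code: :"pending_eol_#{library}",
 message: msg("Support for ", msg_version(version, library.capitalize), " ends on #{eol_date}"),
 confidence: confidence,
-gem_info: gemfile_or_environment
+gem_info: gemfile_or_environment,
+:cwe_id => [1104]
 end
 
 def warn_about_unsupported_version library, eol_date, version
@@ -42,6 +43,7 @@ class Brakeman::EOLCheck < Brakeman::BaseCheck
 warning_code: :"eol_#{library}",
 message: msg("Support for ", msg_version(version, library.capitalize), " ended on #{eol_date}"),
 confidence: :high,
-gem_info: gemfile_or_environment
+gem_info: gemfile_or_environment,
+:cwe_id => [1104]
 end
 end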
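--- a/data/lib/brakeman/options.rb
+++ b/data/lib/brakeman/options.rb
@@ -323,7 +323,7 @@ module Brakeman::Options
 end
 
 opts.on "--text-fields field1,field2,etc.", Array, "Specify fields for text report format" do |format|
-valid_options = [:category, :category_id, :check, :code, :confidence, :file, :fingerprint, :line, :link, :message, :render_path]
+valid_options = [:category, :category_id, :check, :code, :confidence, :cwe, :file, :fingerprint, :line, :link, :message, :render_path]
 
 options[:text_fields] = format.map(&:to_sym)
 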
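--- a/data/lib/brakeman/processors/alias_processor.rb
+++ b/data/lib/brakeman/processors/alias_processor.rb
@@ -703,7 +703,30 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
 end
 end
 
-
+# Return early unless there might be short-hand syntax,
+# since handling it is kind of expensive.
+return exp unless exp.any? { |e| e.nil? }
+
+# Need to handle short-hand hash syntax
+new_hash = [:hash]
+hash_iterate(exp) do |key, value|
+# e.g. { a: }
+if value.nil? and symbol? key
+# Only handling local variables for now, not calls
+lvar = s(:lvar, key.value)
+if var_value = env[lvar]
+new_hash << key << var_value.deep_clone(key.line || 0)
+else
+# If the value is unknown, assume it was a call
+# and set the value to a call
+new_hash.concat << key << s(:call, nil, key.value).line(key.line || 0)
+end
+else
+new_hash.concat << key << value
+end
+end
+
+Sexp.from_array(new_hash).line(exp.line || 0)
 end
 
 #Merge values into hash when processing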
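--- a/data/lib/brakeman/report/report_csv.rb
+++ b/data/lib/brakeman/report/report_csv.rb
@@ -5,6 +5,7 @@ class Brakeman::Report::CSV < Brakeman::Report::Base
 headers = [
 "Confidence",
 "Warning Type",
+"CWE",
 "File",
 "Line",
 "Message",
@@ -35,6 +36,7 @@ class Brakeman::Report::CSV < Brakeman::Report::Base
 [
 warning.confidence_name,
 warning.warning_type,
+warning.cwe_id.first,
 warning_file(warning),
 warning.line,
 warning.message,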
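Review bot: `warning.cwe_id.first` on new line 39 raises NoMethodError when `cwe_id` is nil, which any check that does not pass `:cwe_id` — third-party or user-written checks in particular — would trigger, unless `Warning#cwe_id` defaults to an array; warning.rb is changed in this release but not shown here, so confirm. The `.first` also silently discards every CWE after the first, e.g. the `[22, 200]` pair on the Sprockets path-traversal check, so a CSV consumer never sees the second ID. `Array(warning.cwe_id).join(" ")` handles both cases (or `Array(warning.cwe_id).first` if one value per cell is the intent). The enclosing methods start outside these hunks.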