brakeman 0.1.1 → 0.2.0

data/bin/brakeman

@@ -3,8 +3,9 @@ require "optparse"
 require 'set'
 require 'yaml'
 
+$:.unshift "#{File.expand_path(File.dirname(__FILE__))}/../lib"
 
-Version = "0.1.0"
+require 'version'
 
 trap("INT") do
   $stderr.puts "\nInterrupted - exiting."
@@ -242,14 +243,7 @@ warn "[Notice] Using Ruby #{RUBY_VERSION}. Please make sure this matches the one
 begin
   require 'scanner'
 rescue LoadError
-  #Try to find lib directory locally
-  $:.unshift "#{File.expand_path(File.dirname(__FILE__))}/../lib"
-
-  begin
-    require 'scanner'
-  rescue LoadError
-    abort "Cannot find lib/ directory."
-  end
+  abort "Cannot find lib/ directory."
 end
 
 #Start scanning

data/lib/checks/base_check.rb

@@ -335,4 +335,19 @@ class BaseCheck < SexpProcessor
 
     false
   end
+
+  #Returns true if low_version <= RAILS_VERSION <= high_version
+  def version_between? low_version, high_version
+    version = tracker.config[:rails_version].split(".").map! { |n| n.to_i }
+    low_version = low_version.split(".").map! { |n| n.to_i }
+    high_version = high_version.split(".").map! { |n| n.to_i }
+
+    version.each_with_index do |n, i|
+      if n < low_version[i] or n > high_version[i]
+        return false
+      end
+    end
+
+    return true
+  end
 end

data/lib/checks/check_cross_site_scripting.rb

@@ -99,7 +99,7 @@ class CheckCrossSiteScripting < BaseCheck
 
   #Process an output Sexp
   def process_output exp
-    process exp[1]
+    process exp[1].dup
   end
 
   #Check a call for user input

data/lib/checks/check_forgery_setting.rb

@@ -1,6 +1,9 @@
 require 'checks/base_check'
 
-#Checks that +protect_from_forgery+ is set in the ApplicationController
+#Checks that +protect_from_forgery+ is set in the ApplicationController.
+#
+#Also warns for CSRF weakness in certain versions of Rails:
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2d95a3cc23e03665
 class CheckForgerySetting < BaseCheck
   Checks.add self
 
@@ -20,6 +23,20 @@ class CheckForgerySetting < BaseCheck
         :warning_type => "Cross-Site Request Forgery", 
         :message => "'protect_from_forgery' should be called in ApplicationController", 
         :confidence => CONFIDENCE[:high]
+
+    elsif version_between? "2.1.0", "2.3.10"
+      
+      warn :controller => :ApplicationController, 
+        :warning_type => "Cross-Site Request Forgery",
+        :message => "CSRF protection is flawed in #{tracker.config[:rails_version]} (CVE-2011-0447). Upgrade to 2.3.11 or apply patches",
+        :confidence => CONFIDENCE[:high]
+
+    elsif version_between? "3.0.0", "3.0.3"
+
+      warn :controller => :ApplicationController, 
+        :warning_type => "Cross-Site Request Forgery",
+        :message => "CSRF protection is flawed in #{tracker.config[:rails_version]} (CVE-2011-0447). Upgrade to 3.0.4",
+        :confidence => CONFIDENCE[:high]
     end
   end
 end

data/lib/checks/check_mail_to.rb

@@ -0,0 +1,48 @@
+require 'checks/base_check'
+require 'processors/lib/find_call'
+
+#Check for cross site scripting vulnerability in mail_to :encode => :javascript
+#with certain versions of Rails (< 2.3.11 or < 3.0.4).
+#
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/f02a48ede8315f81
+class CheckMailTo < BaseCheck
+  Checks.add self
+
+  def run_check
+    if (version_between? "2.3.0", "2.3.10" or version_between? "3.0.0", "3.0.3") and result = mail_to_javascript?
+      message = "Vulnerability in mail_to using javascript encoding (CVE-2011-0446). Upgrade to Rails version "
+
+      if version_between? "2.3.0", "2.3.10"
+        message << "2.3.11"
+      else
+        message << "3.0.4"
+      end
+
+      warn :result => result,
+        :warning_type => "Mail Link",
+        :message => message,
+        :confidence => CONFIDENCE[:high]
+    end
+  end
+
+  #Check for javascript encoding of mail_to address
+  #    mail_to email, name, :encode => :javascript
+  def mail_to_javascript?
+    tracker.find_call([], :mail_to).each do |result|
+      call = result[-1]
+      args = call[-1]
+
+      args.each do |arg|
+        if hash? arg
+          hash_iterate arg do |k, v|
+            if symbol? v and v[-1] == :javascript
+              return result
+            end
+          end
+        end
+      end
+    end
+
+    false
+  end
+end

data/lib/checks/check_nested_attributes.rb

@@ -0,0 +1,34 @@
+require 'checks/base_check'
+require 'processors/lib/find_call'
+
+#Check for vulnerability in nested attributes in Rails 2.3.9 and 3.0.0
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/f9f913d328dafe0c
+class CheckNestedAttributes < BaseCheck
+  Checks.add self
+
+  def run_check
+    version = tracker.config[:rails_version]
+
+    if (version == "2.3.9" or version == "3.0.0") and uses_nested_attributes?
+      message = "Vulnerability in nested attributes (CVE-2010-3933). Upgrade to Rails version "
+
+      if version == "2.3.9"
+        message << "2.3.10"
+      else
+        message << "3.0.1"
+      end
+
+      warn :warning_type => "Nested Attributes",
+        :message => message,
+        :confidence => CONFIDENCE[:high]
+    end
+  end
+
+  def uses_nested_attributes?
+    tracker.models.each do |name, model|
+      return true if model[:options][:accepts_nested_attributes_for]
+    end
+
+    false
+  end
+end

data/lib/version.rb

@@ -0,0 +1 @@
+Version = "0.2.0"

metadata

@@ -1,13 +1,12 @@
 --- !ruby/object:Gem::Specification 
 name: brakeman
 version: !ruby/object:Gem::Version 
-  hash: 25
-  prerelease: 
+  prerelease: false
   segments: 
   - 0
-  - 1
-  - 1
-  version: 0.1.1
+  - 2
+  - 0
+  version: 0.2.0
 platform: ruby
 authors: 
 - Justin Collins
@@ -15,7 +14,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-01-24 00:00:00 -08:00
+date: 2011-02-16 00:00:00 -08:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -26,7 +25,6 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
-        hash: 7
         segments: 
         - 2
         - 2
@@ -41,7 +39,6 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
-        hash: 23
         segments: 
         - 1
         - 2
@@ -57,7 +54,6 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
-        hash: 9
         segments: 
         - 1
         - 6
@@ -73,7 +69,6 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
-        hash: 29
         segments: 
         - 2
         - 6
@@ -89,7 +84,6 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
-        hash: 31
         segments: 
         - 3
         - 0
@@ -137,6 +131,7 @@ files:
 - lib/checks/check_execute.rb
 - lib/checks/check_mass_assignment.rb
 - lib/checks/check_sql.rb
+- lib/checks/check_mail_to.rb
 - lib/checks/check_validation_regex.rb
 - lib/checks/check_cross_site_scripting.rb
 - lib/checks/check_redirect.rb
@@ -144,12 +139,14 @@ files:
 - lib/checks/check_forgery_setting.rb
 - lib/checks/base_check.rb
 - lib/checks/check_model_attributes.rb
+- lib/checks/check_nested_attributes.rb
 - lib/checks/check_evaluation.rb
 - lib/checks/check_file_access.rb
 - lib/processor.rb
 - lib/scanner.rb
 - lib/tracker.rb
 - lib/checks.rb
+- lib/version.rb
 - lib/warning.rb
 - lib/format/style.css
 has_rdoc: true
@@ -166,7 +163,6 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
-      hash: 3
       segments: 
       - 0
       version: "0"
@@ -175,14 +171,13 @@ required_rubygems_version: !ruby/object:Gem::Requirement
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
-      hash: 3
       segments: 
       - 0
       version: "0"
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 1.4.1
+rubygems_version: 1.3.7
 signing_key: 
 specification_version: 3
 summary: Security vulnerability scanner for Ruby on Rails.