brakeman 0.1.1 → 0.2.0
- data/bin/brakeman +3 -9
- data/lib/checks/base_check.rb +15 -0
- data/lib/checks/check_cross_site_scripting.rb +1 -1
- data/lib/checks/check_forgery_setting.rb +18 -1
- data/lib/checks/check_mail_to.rb +48 -0
- data/lib/checks/check_nested_attributes.rb +34 -0
- data/lib/version.rb +1 -0
- metadata +9 -14
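--- a/data/bin/brakeman
+++ b/data/bin/brakeman
@@ -3,8 +3,9 @@ require "optparse"
 require 'set'
 require 'yaml'
 
+$:.unshift "#{File.expand_path(File.dirname(__FILE__))}/../lib"
 
-
+require 'version'
 
 trap("INT") do
 $stderr.puts "\nInterrupted - exiting."
@@ -242,14 +243,7 @@ warn "[Notice] Using Ruby #{RUBY_VERSION}. Please make sure this matches the one
 begin
 require 'scanner'
 rescue LoadError
-
-$:.unshift "#{File.expand_path(File.dirname(__FILE__))}/../lib"
-
-begin
-require 'scanner'
-rescue LoadError
-abort "Cannot find lib/ directory."
-end
+abort "Cannot find lib/ directory."
 end
 
 #Start scanning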
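--- a/data/lib/checks/base_check.rb
+++ b/data/lib/checks/base_check.rb
@@ -335,4 +335,19 @@ class BaseCheck < SexpProcessor
 
 false
 end
+
+#Returns true if low_version <= RAILS_VERSION <= high_version
+def version_between? low_version, high_version
+version = tracker.config[:rails_version].split(".").map! { |n| n.to_i }
+low_version = low_version.split(".").map! { |n| n.to_i }
+high_version = high_version.split(".").map! { |n| n.to_i }
+
+version.each_with_index do |n, i|
+if n < low_version[i] or n > high_version[i]
+return false
+end
+end
+
+return true
+end
 end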
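--- a/data/lib/checks/check_forgery_setting.rb
+++ b/data/lib/checks/check_forgery_setting.rb
@@ -1,6 +1,9 @@
 require 'checks/base_check'
 
-#Checks that +protect_from_forgery+ is set in the ApplicationController
+#Checks that +protect_from_forgery+ is set in the ApplicationController.
+#
+#Also warns for CSRF weakness in certain versions of Rails:
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2d95a3cc23e03665
 class CheckForgerySetting < BaseCheck
 Checks.add self
 
@@ -20,6 +23,20 @@ class CheckForgerySetting < BaseCheck
 :warning_type => "Cross-Site Request Forgery",
 :message => "'protect_from_forgery' should be called in ApplicationController",
 :confidence => CONFIDENCE[:high]
+
+elsif version_between? "2.1.0", "2.3.10"
+
+warn :controller => :ApplicationController,
+:warning_type => "Cross-Site Request Forgery",
+:message => "CSRF protection is flawed in #{tracker.config[:rails_version]} (CVE-2011-0447). Upgrade to 2.3.11 or apply patches",
+:confidence => CONFIDENCE[:high]
+
+elsif version_between? "3.0.0", "3.0.3"
+
+warn :controller => :ApplicationController,
+:warning_type => "Cross-Site Request Forgery",
+:message => "CSRF protection is flawed in #{tracker.config[:rails_version]} (CVE-2011-0447). Upgrade to 3.0.4",
+:confidence => CONFIDENCE[:high]
 end
 end
 end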
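--- /dev/null
+++ b/data/lib/checks/check_mail_to.rb
@@ -0,0 +1,48 @@
+require 'checks/base_check'
+require 'processors/lib/find_call'
+
+#Check for cross site scripting vulnerability in mail_to :encode => :javascript
+#with certain versions of Rails (< 2.3.11 or < 3.0.4).
+#
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/f02a48ede8315f81
+class CheckMailTo < BaseCheck
+Checks.add self
+
+def run_check
+if (version_between? "2.3.0", "2.3.10" or version_between? "3.0.0", "3.0.3") and result = mail_to_javascript?
+message = "Vulnerability in mail_to using javascript encoding (CVE-2011-0446). Upgrade to Rails version "
+
+if version_between? "2.3.0", "2.3.10"
+message << "2.3.11"
+else
+message << "3.0.4"
+end
+
+warn :result => result,
+:warning_type => "Mail Link",
+:message => message,
+:confidence => CONFIDENCE[:high]
+end
+end
+
+#Check for javascript encoding of mail_to address
+# mail_to email, name, :encode => :javascript
+def mail_to_javascript?
+tracker.find_call([], :mail_to).each do |result|
+call = result[-1]
+args = call[-1]
+
+args.each do |arg|
+if hash? arg
+hash_iterate arg do |k, v|
+if symbol? v and v[-1] == :javascript
+return result
+end
+end
+end
+end
+end
+
+false
+end
+end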
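--- /dev/null
+++ b/data/lib/checks/check_nested_attributes.rb
@@ -0,0 +1,34 @@
+require 'checks/base_check'
+require 'processors/lib/find_call'
+
+#Check for vulnerability in nested attributes in Rails 2.3.9 and 3.0.0
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/f9f913d328dafe0c
+class CheckNestedAttributes < BaseCheck
+Checks.add self
+
+def run_check
+version = tracker.config[:rails_version]
+
+if (version == "2.3.9" or version == "3.0.0") and uses_nested_attributes?
+message = "Vulnerability in nested attributes (CVE-2010-3933). Upgrade to Rails version "
+
+if version == "2.3.9"
+message << "2.3.10"
+else
+message << "3.0.1"
+end
+
+warn :warning_type => "Nested Attributes",
+:message => message,
+:confidence => CONFIDENCE[:high]
+end
+end
+
+def uses_nested_attributes?
+tracker.models.each do |name, model|
+return true if model[:options][:accepts_nested_attributes_for]
+end
+
+false
+end
+end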
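--- /dev/null
+++ b/data/lib/version.rb
@@ -0,0 +1 @@
+Version = "0.2.0"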
metadata
CHANGED
@@ -1,13 +1,12 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: brakeman
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
|
5
|
-
prerelease:
|
4
|
+
prerelease: false
|
6
5
|
segments:
|
7
6
|
- 0
|
8
|
-
-
|
9
|
-
-
|
10
|
-
version: 0.
|
7
|
+
- 2
|
8
|
+
- 0
|
9
|
+
version: 0.2.0
|
11
10
|
platform: ruby
|
12
11
|
authors:
|
13
12
|
- Justin Collins
|
@@ -15,7 +14,7 @@ autorequire:
|
|
15
14
|
bindir: bin
|
16
15
|
cert_chain: []
|
17
16
|
|
18
|
-
date: 2011-
|
17
|
+
date: 2011-02-16 00:00:00 -08:00
|
19
18
|
default_executable:
|
20
19
|
dependencies:
|
21
20
|
- !ruby/object:Gem::Dependency
|
@@ -26,7 +25,6 @@ dependencies:
|
|
26
25
|
requirements:
|
27
26
|
- - ~>
|
28
27
|
- !ruby/object:Gem::Version
|
29
|
-
hash: 7
|
30
28
|
segments:
|
31
29
|
- 2
|
32
30
|
- 2
|
@@ -41,7 +39,6 @@ dependencies:
|
|
41
39
|
requirements:
|
42
40
|
- - ~>
|
43
41
|
- !ruby/object:Gem::Version
|
44
|
-
hash: 23
|
45
42
|
segments:
|
46
43
|
- 1
|
47
44
|
- 2
|
@@ -57,7 +54,6 @@ dependencies:
|
|
57
54
|
requirements:
|
58
55
|
- - ~>
|
59
56
|
- !ruby/object:Gem::Version
|
60
|
-
hash: 9
|
61
57
|
segments:
|
62
58
|
- 1
|
63
59
|
- 6
|
@@ -73,7 +69,6 @@ dependencies:
|
|
73
69
|
requirements:
|
74
70
|
- - ~>
|
75
71
|
- !ruby/object:Gem::Version
|
76
|
-
hash: 29
|
77
72
|
segments:
|
78
73
|
- 2
|
79
74
|
- 6
|
@@ -89,7 +84,6 @@ dependencies:
|
|
89
84
|
requirements:
|
90
85
|
- - ~>
|
91
86
|
- !ruby/object:Gem::Version
|
92
|
-
hash: 31
|
93
87
|
segments:
|
94
88
|
- 3
|
95
89
|
- 0
|
@@ -137,6 +131,7 @@ files:
|
|
137
131
|
- lib/checks/check_execute.rb
|
138
132
|
- lib/checks/check_mass_assignment.rb
|
139
133
|
- lib/checks/check_sql.rb
|
134
|
+
- lib/checks/check_mail_to.rb
|
140
135
|
- lib/checks/check_validation_regex.rb
|
141
136
|
- lib/checks/check_cross_site_scripting.rb
|
142
137
|
- lib/checks/check_redirect.rb
|
@@ -144,12 +139,14 @@ files:
|
|
144
139
|
- lib/checks/check_forgery_setting.rb
|
145
140
|
- lib/checks/base_check.rb
|
146
141
|
- lib/checks/check_model_attributes.rb
|
142
|
+
- lib/checks/check_nested_attributes.rb
|
147
143
|
- lib/checks/check_evaluation.rb
|
148
144
|
- lib/checks/check_file_access.rb
|
149
145
|
- lib/processor.rb
|
150
146
|
- lib/scanner.rb
|
151
147
|
- lib/tracker.rb
|
152
148
|
- lib/checks.rb
|
149
|
+
- lib/version.rb
|
153
150
|
- lib/warning.rb
|
154
151
|
- lib/format/style.css
|
155
152
|
has_rdoc: true
|
@@ -166,7 +163,6 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
166
163
|
requirements:
|
167
164
|
- - ">="
|
168
165
|
- !ruby/object:Gem::Version
|
169
|
-
hash: 3
|
170
166
|
segments:
|
171
167
|
- 0
|
172
168
|
version: "0"
|
@@ -175,14 +171,13 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
175
171
|
requirements:
|
176
172
|
- - ">="
|
177
173
|
- !ruby/object:Gem::Version
|
178
|
-
hash: 3
|
179
174
|
segments:
|
180
175
|
- 0
|
181
176
|
version: "0"
|
182
177
|
requirements: []
|
183
178
|
|
184
179
|
rubyforge_project:
|
185
|
-
rubygems_version: 1.
|
180
|
+
rubygems_version: 1.3.7
|
186
181
|
signing_key:
|
187
182
|
specification_version: 3
|
188
183
|
summary: Security vulnerability scanner for Ruby on Rails.
|