brakeman 0.3.2 → 0.4.0

data/bin/brakeman

@@ -38,6 +38,10 @@ OptionParser.new do |opts|
     options[:ignore_model_output] = true
   end
 
+  opts.on "-e", "--escape-html", "Escape HTML by default" do
+    options[:escape_html] = true
+  end
+
   opts.on "-r", "--report-direct", "Only report direct use of untrusted data" do |option|
     options[:check_arguments] = !option
   end

data/lib/checks/check_cross_site_scripting.rb

@@ -30,6 +30,8 @@ class CheckCrossSiteScripting < BaseCheck
 
   HAML_HELPERS = Sexp.new(:colon2, Sexp.new(:const, :Haml), :Helpers)
 
+  XML_HELPER = Sexp.new(:colon2, Sexp.new(:const, :Erubis), :XmlHelper)
+
   URI = Sexp.new(:const, :URI)
 
   CGI = Sexp.new(:const, :CGI)
@@ -48,7 +50,7 @@ class CheckCrossSiteScripting < BaseCheck
       @current_template = template
 
       template[:outputs].each do |out|
-        type, match = has_immediate_user_input?(out[1])
+        type, match = (out[0] == :output and has_immediate_user_input?(out[1]))
         if type and not duplicate? out
             add_result out
             case type
@@ -102,6 +104,16 @@ class CheckCrossSiteScripting < BaseCheck
     process exp[1].dup
   end
 
+  #Look for calls to raw()
+  #Otherwise, ignore
+  def process_escaped_output exp
+    if exp[1].node_type == :call and exp[1][2] == :raw
+      process_output exp
+    else
+      exp
+    end
+  end
+
   #Check a call for user input
   #
   #
@@ -154,6 +166,7 @@ class CheckCrossSiteScripting < BaseCheck
       (@matched == :model and IGNORE_MODEL_METHODS.include? method) or
       (target == HAML_HELPERS and method == :html_escape) or
       ((target == URI or target == CGI) and method == :escape) or
+      (target == XML_HELPER and method == :escape_xml) or
       (target == FORM_BUILDER and IGNORE_METHODS.include? method) or
       (method.to_s[-1,1] == "?")
 
@@ -163,7 +176,6 @@ class CheckCrossSiteScripting < BaseCheck
 
       @matched = :model
     elsif @inspect_arguments and (ALL_PARAMETERS.include?(exp) or params? exp)
-
       @matched = :params
     elsif @inspect_arguments
       process args

data/lib/processor.rb

@@ -50,6 +50,8 @@ class Processor
       result = ErbTemplateProcessor.new(@tracker, name, called_from, file_name).process src
     when :haml
       result = HamlTemplateProcessor.new(@tracker, name, called_from, file_name).process src
+    when :erubis
+      result = ErubisTemplateProcessor.new(@tracker, name, called_from, file_name).process src
     else
       abort "Unknown template type: #{type} (#{name})"
     end

data/lib/processors/erubis_template_processor.rb

@@ -2,6 +2,7 @@ require 'processors/template_processor'
 
 #Processes ERB templates using Erubis instead of erb.
 class ErubisTemplateProcessor < TemplateProcessor
+
   
   #s(:call, TARGET, :method, s(:arglist))
   def process_call exp
@@ -10,10 +11,10 @@ class ErubisTemplateProcessor < TemplateProcessor
       target = process target
     end
     method = exp[2]
-    
+
     #_buf is the default output variable for Erubis
-    if target and target[1] == :_buf
-      if method == :<<
+    if target and (target[1] == :_buf or target[1] == :output_buffer)
+      if method == :<< or method == :safe_concat
         args = exp[3][1] = process(exp[3][1])
 
         if args.node_type == :call and args[2] == :to_s #just calling to_s on inner code 
@@ -59,4 +60,26 @@ class ErubisTemplateProcessor < TemplateProcessor
     block.line(exp.line)
     block
   end
+
+  #Look for assignments to output buffer
+  def process_attrasgn exp
+    if exp[1].node_type == :ivar and exp[1][1] == :@output_buffer
+      if exp[2] == :append= or exp[2] == :safe_append=
+        args = exp[3][1] = process(exp[3][1])
+
+        if args.node_type == :str
+          ignore
+        else
+          s = Sexp.new :escaped_output, args
+          s.line(exp.line)
+          @current_template[:outputs] << s
+          s
+        end
+      else
+        ignore
+      end
+    else
+      super
+    end
+  end
 end

data/lib/processors/output_processor.rb

@@ -153,6 +153,23 @@ class OutputProcessor < Ruby2Ruby
     out
   end
 
+def process_escaped_output exp
+    out = if exp[0].node_type == :str
+            ""
+          else
+            res = process exp[0]
+
+            if res == ""
+              ""
+            else
+              "[Escaped Output] #{res}"
+            end
+          end
+    exp.clear
+    out
+  end
+
+
   def process_format exp
     out = if exp[0].node_type == :str or exp[0].node_type == :ignore
             ""

data/lib/scanner.rb

@@ -17,6 +17,10 @@ class ScannerErubis < Erubis::Eruby
   include Erubis::NoTextEnhancer
 end
 
+class ErubisEscape < ScannerErubis
+  include Erubis::EscapeEnhancer
+end
+
 #Scans the Rails application.
 class Scanner
 
@@ -61,7 +65,9 @@ class Scanner
       @processor.process_config(RubyParser.new.parse(File.read("#@path/config/gems.rb")))
     end
 
-    if File.exists? "#@path/vendor/plugins/rails_xss" or OPTIONS[:rails3]
+    if File.exists? "#@path/vendor/plugins/rails_xss" or 
+      OPTIONS[:rails3] or OPTIONS[:escape_html] or
+      (File.exists? "#@path/Gemfile" and File.read("#@path/Gemfile").include? "rails_xss")
       tracker.config[:escape_html] = true
       warn "[Notice] Escaping HTML by default"
     end
@@ -143,8 +149,14 @@ class Scanner
       begin
         if type == :erb
           if tracker.config[:escape_html]
-            src = RailsXSSErubis.new(File.read(f)).src
+            type = :erubis
+            if OPTIONS[:rails3]
+              src = RailsXSSErubis.new(File.read(f)).src
+            else
+              src = ErubisEscape.new(File.read(f)).src
+            end
           elsif tracker.config[:erubis]
+            type = :erubis
             src = ScannerErubis.new(File.read(f)).src
           else
             src = ERB.new(File.read(f), nil, "-").src
@@ -200,34 +212,49 @@ class Scanner
   end
 end
 
-#This is from the rails_xss plugin,
-#except we don't care about plain text.
+#This is from Rails 3 version of the Erubis handler
 class RailsXSSErubis < ::Erubis::Eruby
   include Erubis::NoTextEnhancer
 
   #Initializes output buffer.
   def add_preamble(src)
-    src << "@output_buffer = ActionView::SafeBuffer.new;\n"
+    # src << "_buf = ActionView::SafeBuffer.new;\n"
   end
 
   #This does nothing.
   def add_text(src, text)
-    #    src << "@output_buffer << ('" << escape_text(text) << "'.html_safe!);"
+    # src << "@output_buffer << ('" << escape_text(text) << "'.html_safe!);"
   end
 
-  #Add an expression to the output buffer _without_ escaping.
+  BLOCK_EXPR = /\s+(do|\{)(\s*\|[^|]*\|)?\s*\Z/
+
   def add_expr_literal(src, code)
-    src << '@output_buffer << ((' << code << ').to_s);'
+    if code =~ BLOCK_EXPR
+      src << '@output_buffer.append= ' << code
+    else
+      src << '@output_buffer.append= (' << code << ');'
+    end
+  end
+
+  def add_stmt(src, code)
+    if code =~ BLOCK_EXPR
+      src << '@output_buffer.append_if_string= ' << code
+    else
+      super
+    end
   end
 
-  #Add an expression to the output buffer after escaping it.
   def add_expr_escaped(src, code)
-    src << '@output_buffer << ' << escaped_expr(code) << ';'
+    if code =~ BLOCK_EXPR
+      src << "@output_buffer.safe_append= " << code
+    else
+      src << "@output_buffer.safe_concat(" << code << ");"
+    end
   end
 
   #Add code to output buffer.
   def add_postamble(src)
-    src << '@output_buffer.to_s'
+    # src << '_buf.to_s'
   end
 end
 

data/lib/version.rb

@@ -1 +1 @@
-Version = "0.3.2"
+Version = "0.4.0"

metadata

@@ -4,9 +4,9 @@ version: !ruby/object:Gem::Version
   prerelease: false
   segments: 
   - 0
-  - 3
-  - 2
-  version: 0.3.2
+  - 4
+  - 0
+  version: 0.4.0
 platform: ruby
 authors: 
 - Justin Collins
@@ -14,7 +14,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-05-12 00:00:00 -07:00
+date: 2011-05-18 00:00:00 -07:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency