brakeman 0.5.2 → 0.6.0

data/README.md

@@ -4,6 +4,8 @@ Brakeman is a static analysis tool which checks Ruby on Rails applications for s
 
 It targets Rails versions > 2.0 with experimental support for Rails 3.x
 
+There is also a [plugin available](https://github.com/presidentbeef/brakeman-jenkins-plugin) for Jenkins/Hudson.
+
 # Installation
 
 Using RubyGems:
@@ -19,7 +21,7 @@ From source:
 
     brakeman [app_path]
 
-It is simplest to run brakeman from the root directory of the Rails application. A path may also be supplied.
+It is simplest to run Brakeman from the root directory of the Rails application. A path may also be supplied.
 
 # Options
 

data/lib/checks/base_check.rb

@@ -172,7 +172,9 @@ class BaseCheck < SexpProcessor
   #(either :params or :cookies) and the second element is the matching 
   #expression
   def has_immediate_user_input? exp
-    if params? exp
+    if exp.nil?
+      return false
+    elsif params? exp
       return :params, exp
     elsif cookies? exp
       return :cookies, exp
@@ -180,7 +182,7 @@ class BaseCheck < SexpProcessor
       if sexp? exp[1]
         if ALL_PARAMETERS.include? exp[1] or params? exp[1]
           return :params, exp
-        elsif exp[1] == COOKIES
+        elsif exp[1] == COOKIES or cookies? exp[1]
           return :cookies, exp
         else
           false

data/lib/checks/check_cross_site_scripting.rb

@@ -22,8 +22,12 @@ class CheckCrossSiteScripting < BaseCheck
                            :fields_for, :label, :text_area, :text_field, :hidden_field, :check_box,
                            :field_field]) 
 
+  #Model methods which are known to be harmless
   IGNORE_MODEL_METHODS = Set.new([:average, :count, :maximum, :minimum, :sum])
 
+  #Methods known to not escape their input
+  KNOWN_DANGEROUS = Set.new([:auto_link, :truncate, :concat])
+
   MODEL_METHODS = Set.new([:all, :find, :first, :last, :new])
 
   IGNORE_LIKE = /^link_to_|(_path|_tag|_url)$/
@@ -50,47 +54,7 @@ class CheckCrossSiteScripting < BaseCheck
       @current_template = template
 
       template[:outputs].each do |out|
-        type, match = (out[0] == :output and has_immediate_user_input?(out[1]))
-        if type and not duplicate? out
-            add_result out
-            case type
-            when :params
-              message = "Unescaped parameter value"
-            when :cookies
-              message = "Unescaped cookie value"
-            else
-              message = "Unescaped user input value"
-            end
-
-            warn :template => @current_template, 
-              :warning_type => "Cross Site Scripting",
-              :message => message,
-              :line => match.line,
-              :code => match,
-              :confidence => CONFIDENCE[:high]
-
-        elsif not OPTIONS[:ignore_model_output] and match = has_immediate_model?(out[1])
-          method = match[2]
-
-          unless duplicate? out or IGNORE_MODEL_METHODS.include? method
-            add_result out
-
-            if MODEL_METHODS.include? method or method.to_s =~ /^find_by/
-              confidence = CONFIDENCE[:high]
-            else
-              confidence = CONFIDENCE[:med]
-            end
-
-            code = find_chain out, match
-            warn :template => @current_template,
-              :warning_type => "Cross Site Scripting", 
-              :message => "Unescaped model attribute",
-              :line => code.line,
-              :code => code,
-              :confidence => confidence
-          end
-
-        else
+        unless check_for_immediate_xss out
           @matched = false
           @mark = false
           process out
@@ -99,6 +63,59 @@ class CheckCrossSiteScripting < BaseCheck
     end
   end
 
+  def check_for_immediate_xss exp
+    if exp[0] == :output
+      out = exp[1]
+    elsif exp[0] == :escaped_output and raw_call? exp
+      out = exp[1][3][1]
+    end
+
+    type, match = has_immediate_user_input? out
+
+    if type and not duplicate? exp
+      add_result exp
+      case type
+      when :params
+        message = "Unescaped parameter value"
+      when :cookies
+        message = "Unescaped cookie value"
+      else
+        message = "Unescaped user input value"
+      end
+
+      warn :template => @current_template, 
+        :warning_type => "Cross Site Scripting",
+        :message => message,
+        :line => match.line,
+        :code => match,
+        :confidence => CONFIDENCE[:high]
+
+    elsif not OPTIONS[:ignore_model_output] and match = has_immediate_model?(out)
+      method = match[2]
+
+      unless duplicate? out or IGNORE_MODEL_METHODS.include? method
+        add_result out
+
+        if MODEL_METHODS.include? method or method.to_s =~ /^find_by/
+          confidence = CONFIDENCE[:high]
+        else
+          confidence = CONFIDENCE[:med]
+        end
+
+        code = find_chain out, match
+        warn :template => @current_template,
+          :warning_type => "Cross Site Scripting", 
+          :message => "Unescaped model attribute",
+          :line => code.line,
+          :code => code,
+          :confidence => confidence
+      end
+
+    else
+      false
+    end
+  end
+
   #Process an output Sexp
   def process_output exp
     process exp[1].dup
@@ -107,11 +124,12 @@ class CheckCrossSiteScripting < BaseCheck
   #Look for calls to raw()
   #Otherwise, ignore
   def process_escaped_output exp
-    if exp[1].node_type == :call and exp[1][2] == :raw
-      process_output exp
-    else
-      exp
+    unless check_for_immediate_xss exp
+      if raw_call? exp
+        process exp[1][3][1]
+      end
     end
+    exp
   end
 
   #Check a call for user input
@@ -137,12 +155,18 @@ class CheckCrossSiteScripting < BaseCheck
       if message and not duplicate? exp
         add_result exp
 
+        if exp[1].nil? and KNOWN_DANGEROUS.include? exp[2]
+          confidence = CONFIDENCE[:high]
+        else
+          confidence = CONFIDENCE[:low]
+        end
+
         warn :template => @current_template, 
           :warning_type => "Cross Site Scripting", 
           :message => message,
           :line => exp.line,
           :code => exp,
-          :confidence => CONFIDENCE[:low]
+          :confidence => confidence
       end
 
       @mark = @matched = false
@@ -221,6 +245,10 @@ class CheckCrossSiteScripting < BaseCheck
     end
     exp
   end
+
+  def raw_call? exp
+    exp[1].node_type == :call and exp[1][2] == :raw
+  end
 end
 
 #This _only_ checks calls to link_to
@@ -316,7 +344,6 @@ class CheckLinkTo < CheckCrossSiteScripting
     exp
   end
 
-
   def actually_process_call exp
     return if @matched
 

data/lib/checks/check_file_access.rb

@@ -6,7 +6,9 @@ class CheckFileAccess < BaseCheck
   Checks.add self
 
   def run_check
-    methods = tracker.find_call [[:Dir, :File, :IO, :Kernel, :"Net::FTP", :"Net::HTTP", :PStore, :Pathname, :Shell, :YAML], []], [:[], :chdir, :chroot, :delete, :entries, :foreach, :glob, :install, :lchmod, :lchown, :link, :load, :load_file, :makedirs, :move, :new, :open, :read, :read_lines, :rename, :rmdir, :safe_unlink, :symlink, :syscopy, :sysopen, :truncate, :unlink]
+    methods = tracker.find_call [:Dir, :File, :IO, :Kernel, :"Net::FTP", :"Net::HTTP", :PStore, :Pathname, :Shell, :YAML], [:[], :chdir, :chroot, :delete, :entries, :foreach, :glob, :install, :lchmod, :lchown, :link, :load, :load_file, :makedirs, :move, :new, :open, :read, :read_lines, :rename, :rmdir, :safe_unlink, :symlink, :syscopy, :sysopen, :truncate, :unlink]
+
+    methods.concat tracker.find_call [], [:load]
 
     methods.concat tracker.find_call(:FileUtils, nil)
 

data/lib/checks/check_forgery_setting.rb

@@ -28,14 +28,14 @@ class CheckForgerySetting < BaseCheck
       
       warn :controller => :ApplicationController, 
         :warning_type => "Cross-Site Request Forgery",
-        :message => "CSRF protection is flawed in #{tracker.config[:rails_version]} (CVE-2011-0447). Upgrade to 2.3.11 or apply patches",
+        :message => "CSRF protection is flawed in unpatched versions of Rails #{tracker.config[:rails_version]} (CVE-2011-0447). Upgrade to 2.3.11 or apply patches as needed",
         :confidence => CONFIDENCE[:high]
 
     elsif version_between? "3.0.0", "3.0.3"
 
       warn :controller => :ApplicationController, 
         :warning_type => "Cross-Site Request Forgery",
-        :message => "CSRF protection is flawed in #{tracker.config[:rails_version]} (CVE-2011-0447). Upgrade to 3.0.4",
+        :message => "CSRF protection is flawed in unpatched versions of Rails #{tracker.config[:rails_version]} (CVE-2011-0447). Upgrade to 3.0.4 or apply patches as needed",
         :confidence => CONFIDENCE[:high]
     end
   end

data/lib/processors/erubis_template_processor.rb

@@ -61,7 +61,9 @@ class ErubisTemplateProcessor < TemplateProcessor
     block
   end
 
-  #Look for assignments to output buffer
+  #Look for assignments to output buffer that look like this:
+  #  @output_buffer.append = some_output
+  #  @output_buffer.safe_append = some_output
   def process_attrasgn exp
     if exp[1].node_type == :ivar and exp[1][1] == :@output_buffer
       if exp[2] == :append= or exp[2] == :safe_append=
@@ -76,7 +78,7 @@ class ErubisTemplateProcessor < TemplateProcessor
           s
         end
       else
-        ignore
+        super
       end
     else
       super

data/lib/processors/output_processor.rb

@@ -153,7 +153,7 @@ class OutputProcessor < Ruby2Ruby
     out
   end
 
-def process_escaped_output exp
+  def process_escaped_output exp
     out = if exp[0].node_type == :str
             ""
           else

data/lib/processors/template_processor.rb

@@ -52,4 +52,8 @@ class TemplateProcessor < BaseProcessor
     @current_template[:outputs] << exp
     exp
   end
+
+  def process_escaped_output exp
+    process_output exp
+  end
 end

data/lib/report.rb

@@ -274,7 +274,9 @@ class Report
     end
 
     res = generate_errors
-    out << "<h2>Errors</h2>" << res.to_html if res
+    if res
+        out << "<div onClick=\"toggle('errors_table');\">  <h2>Exceptions raised during the analysis (click to see them)</h2 ></div> <div id='errors_table' style='display:none'>" << res.to_html<< '</div>'
+    end
 
     res = generate_warnings
     out << "<h2>Security Warnings</h2>" << res.to_html if res

data/lib/scanner.rb

@@ -28,7 +28,7 @@ class Scanner
   #Pass in path to the root of the Rails application
   def initialize path
     @path = path
-    @app_path = path + "/app/"
+    @app_path = File.join(path, "app")
     @processor = Processor.new
   end
 
@@ -82,7 +82,7 @@ class Scanner
       begin
         @processor.process_initializer(f, RubyParser.new.parse(File.read(f)))
       rescue Racc::ParseError => e
-        tracker.error e, "could not parse #{f}"
+        tracker.error e, "could not parse #{f}. There is probably a typo in the file. Test it with 'ruby_parse #{f}'"
       rescue Exception => e
         tracker.error e.exception(e.message + "\nWhile processing #{f}"), e.backtrace
       end
@@ -97,7 +97,7 @@ class Scanner
       begin
         @processor.process_lib RubyParser.new.parse(File.read(f)), f
       rescue Racc::ParseError => e
-        tracker.error e, "could not parse #{f}"
+        tracker.error e, "could not parse #{f}. There is probably a typo in the file. Test it with 'ruby_parse #{f}'"
       rescue Exception => e
         tracker.error e.exception(e.message + "\nWhile processing #{f}"), e.backtrace
       end
@@ -110,6 +110,8 @@ class Scanner
   def process_routes
     if File.exists? "#@path/config/routes.rb"
       @processor.process_routes RubyParser.new.parse(File.read("#@path/config/routes.rb"))
+    else
+      warn "[Notice] No route information found"
     end
   end
 
@@ -121,7 +123,7 @@ class Scanner
       begin
         @processor.process_controller(RubyParser.new.parse(File.read(f)), f)
       rescue Racc::ParseError => e
-        tracker.error e, "could not parse #{f}"
+        tracker.error e, "could not parse #{f}. There is probably a typo in the file. Test it with 'ruby_parse #{f}'"
       rescue Exception => e
         tracker.error e.exception(e.message + "\nWhile processing #{f}"), e.backtrace
       end
@@ -224,9 +226,11 @@ class RailsXSSErubis < ::Erubis::Eruby
   end
 
   def add_text(src, text)
-    if text.include? "\n"
+    if text == "\n"
+      src << "\n"
+    elsif text.include? "\n"
       lines = text.split("\n")
-      if text.match /\n\z/
+      if text.match(/\n\z/)
         lines.each do |line|
           src << "@output_buffer << ('" << escape_text(line) << "'.html_safe!);\n"
         end

data/lib/tracker.rb

@@ -38,6 +38,7 @@ class Tracker
     @errors = []
     @libs = {}
     @checks = nil
+    @processed = nil
     @template_cache = Set.new
   end
 

data/lib/version.rb

@@ -1 +1 @@
-Version = "0.5.2"
+Version = "0.6.0"

metadata

@@ -4,9 +4,9 @@ version: !ruby/object:Gem::Version
   prerelease: false
   segments: 
   - 0
-  - 5
-  - 2
-  version: 0.5.2
+  - 6
+  - 0
+  version: 0.6.0
 platform: ruby
 authors: 
 - Justin Collins
@@ -14,7 +14,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-06-29 00:00:00 -07:00
+date: 2011-07-20 00:00:00 -07:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency