brakeman 0.6.1 → 0.7.0

data/lib/checks/check_escape_function.rb

@@ -0,0 +1,17 @@
+require 'checks/base_check'
+require 'processors/lib/find_call'
+
+#Check for versions with vulnerable html escape method
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195
+class CheckEscapeFunction < BaseCheck
+  Checks.add self
+
+  def run_check
+    if version_between?('2.0.0', '2.3.13') and RUBY_VERSION < '1.9.0' 
+
+      warn :warning_type => 'Cross Site Scripting',
+        :message => 'Versions before 2.3.14 have a vulnerability in escape method when used with Ruby 1.8. Upgrade or apply patches as needed.',
+        :confidence => CONFIDENCE[:high]
+    end
+  end
+end

data/lib/checks/check_filter_skipping.rb

@@ -0,0 +1,27 @@
+require 'checks/base_check'
+require 'processors/lib/find_call'
+
+#Check for filter skipping vulnerability
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/3420ac71aed312d6
+class CheckFilterSkipping < BaseCheck
+  Checks.add self
+
+  def run_check
+    if version_between?('3.0.0', '3.0.9') and uses_arbitrary_actions?
+
+      warn :warning_type => "Default Routes",
+        :message => "Versions before 3.0.10 have a vulnerability which allows filters to be bypassed. Upgrade or apply patches as needed.",
+        :confidence => CONFIDENCE[:high]
+    end
+  end
+
+  def uses_arbitrary_actions?
+    tracker.routes.each do |name, actions|
+      if actions == :allow_all_actions
+        return true
+      end
+    end
+
+    false
+  end
+end

data/lib/checks/check_quote_table_name.rb

@@ -0,0 +1,34 @@
+require 'checks/base_check'
+require 'processors/lib/find_call'
+
+#Check for uses of quote_table_name in Rails versions before 2.3.13 and 3.0.10
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6a1e473744bc389b
+class CheckQuoteTableName < BaseCheck
+  Checks.add self
+
+  def run_check
+    if (version_between?('2.0.0', '2.3.13') or 
+        version_between?('3.0.0', '3.0.9'))
+
+      if uses_quote_table_name?
+        confidence = CONFIDENCE[:high]
+      else
+        confidence = CONFIDENCE[:med]
+      end
+
+      if tracker.config[:rails_version] =~ /^3/
+        message = "Versions before 3.0.10 have a vulnerability in quote_table_name. Upgrade or apply patches as needed."
+      else
+        message = "Versions before 2.3.14 have a vulnerability in quote_table_name. Upgrade or apply patches as needed."
+      end
+
+      warn :warning_type => "SQL Injection",
+        :message => message,
+        :confidence => confidence
+    end
+  end
+
+  def uses_quote_table_name?
+    not tracker.find_call([], :quote_table_name).empty?
+  end
+end

data/lib/checks/check_response_splitting.rb

@@ -0,0 +1,18 @@
+require 'checks/base_check'
+require 'processors/lib/find_call'
+
+#Warn about response splitting in Rails versions before 2.3.13
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6ffc93bde0298768
+class CheckResponseSplitting < BaseCheck
+  Checks.add self
+
+  def run_check
+    if version_between?('2.3.0', '2.3.13')
+
+      warn :warning_type => "Response Splitting",
+        :message => "Versions before 2.3.14 have a vulnerability content type handling allowing injection of headers. Upgrade or apply patches as needed.",
+        :confidence => CONFIDENCE[:med]
+
+    end
+  end
+end

data/lib/checks/check_strip_tags.rb

@@ -0,0 +1,28 @@
+require 'checks/base_check'
+require 'processors/lib/find_call'
+
+#Checks for uses of strip_tags in Rails versions before 2.3.13 and 3.0.10
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12
+class CheckStripTags < BaseCheck
+  Checks.add self
+
+  def run_check
+    if (version_between?('2.0.0', '2.3.12') or 
+        version_between?('3.0.0', '3.0.9')) and uses_strip_tags?
+
+      if tracker.config[:rails_version] =~ /^3/
+        message = "Versions before 3.0.10 have a vulnerability in strip_tags. Upgrade or apply patches as needed."
+      else
+        message = "Versions before 2.3.13 have a vulnerability in strip_tags. Upgrade or apply patches as needed."
+      end
+
+      warn :warning_type => "Cross Site Scripting",
+        :message => message,
+        :confidence => CONFIDENCE[:high]
+    end
+  end
+
+  def uses_strip_tags?
+    not tracker.find_call([], :strip_tags).empty?
+  end
+end

data/lib/processor.rb

@@ -22,6 +22,11 @@ class Processor
     ConfigProcessor.new(@tracker).process_config src
   end
 
+  #Process Gemfile
+  def process_gems src, gem_lock = nil
+    GemProcessor.new(@tracker).process_gems src, gem_lock
+  end
+
   #Process route file source
   def process_routes src
     RoutesProcessor.new(@tracker).process_routes src

data/lib/processors/gem_processor.rb

@@ -0,0 +1,36 @@
+#Processes Gemfile.lock
+class GemProcessor < BaseProcessor
+  def initialize *args
+    super
+
+    @tracker.config[:gems] ||= {}
+  end
+
+  def process_gems src, gem_lock = nil
+    process src
+
+    if gem_lock
+      get_rails_version gem_lock
+    elsif @tracker.config[:gems][:rails] =~ /(\d+.\d+.\d+)/
+      @tracker.config[:rails_version] = $1
+    end
+  end
+
+  def process_call exp
+    if exp[1] == nil and exp[2] == :gem
+      args = exp[3][1..-1]
+
+      if sexp? args[1]
+        @tracker.config[:gems][args[0][1].to_sym] = args[1][1]
+      end
+    end
+
+    exp
+  end
+
+  def get_rails_version gem_lock
+    if gem_lock =~ /\srails \((\d+.\d+.\d+)\)$/
+      @tracker.config[:rails_version] = $1
+    end
+  end
+end

data/lib/processors/lib/processor_helper.rb

@@ -16,6 +16,8 @@ module ProcessorHelper
       case exp.node_type
       when :const
         exp[1]
+      when :lvar
+        exp[1].to_sym
       when :colon2
         "#{class_name(exp[1])}::#{exp[2]}".to_sym
       when :colon3

data/lib/processors/lib/rails3_route_processor.rb

@@ -87,17 +87,39 @@ class RoutesProcessor < BaseProcessor
   def process_match exp
     args = exp[3][1..-1]
 
-    hash_iterate args[0] do |k, v|
-      if string? k and string? v
-        controller, action = extract_action v[1]
+    #Check if there is an unrestricted action parameter
+    action_variable = false
+
+    if string? args[0]
+      matcher = args[0][1]
+
+      if matcher == ':controller(/:action(/:id(.:format)))' or
+        matcher.include? ':controller' and matcher.include? ':action' #Default routes
+        @tracker.routes[:allow_all_actions] = args[0]
+        return exp
+      elsif matcher.include? ':action'
+        action_variable = true
+      end
+    end
 
-        self.current_controller = controller
-        @tracker.routes[@current_controller] << action.to_sym if action
-      elsif symbol? k and k[1] == :action
-        @tracker.routes[@current_controller] << v[1].to_sym
+    if hash? args[-1]
+      hash_iterate args[-1] do |k, v|
+        if string? k and string? v
+          controller, action = extract_action v[1]
+
+          self.current_controller = controller
+          @tracker.routes[@current_controller] << action.to_sym if action
+        elsif symbol? k and k[1] == :action
+          @tracker.routes[@current_controller] << v[1].to_sym
+          action_variable = false
+        end
       end
     end
 
+    if action_variable
+      @tracker.routes[@current_controller] = :allow_all_actions
+    end
+
     exp
   end
 

data/lib/report.rb

@@ -636,7 +636,7 @@ class Report
 
       checks.send(meth).map do |w|
         line = w.line || 0
-        w.warning_type.gsub! /[^\w\s]/, ' '
+        w.warning_type.gsub!(/[^\w\s]/, ' ')
         "#{file_for w}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{TEXT_CONFIDENCE[w.confidence]}"
       end.join "\n"
 

data/lib/scanner.rb

@@ -41,6 +41,8 @@ class Scanner
   def process
     warn "Processing configuration..."
     process_config
+    warn "Processing gems..."
+    process_gems
     warn "Processing initializers..."
     process_initializers
     warn "Processing libs..."
@@ -74,6 +76,17 @@ class Scanner
     end
   end
 
+  #Process Gemfile
+  def process_gems
+    if File.exists? "#@path/Gemfile"
+      if File.exists? "#@path/Gemfile.lock"
+        @processor.process_gems(RubyParser.new.parse(File.read("#@path/Gemfile")), File.read("#@path/Gemfile.lock"))
+      else
+        @processor.process_gems(RubyParser.new.parse(File.read("#@path/Gemfile")))
+      end
+    end
+  end
+
   #Process all the .rb files in config/initializers/
   #
   #Adds parsed information to tracker.initializers

data/lib/version.rb

@@ -1 +1 @@
-Version = "0.6.1"
+Version = "0.7.0"

metadata

@@ -4,9 +4,9 @@ version: !ruby/object:Gem::Version
   prerelease: false
   segments: 
   - 0
-  - 6
-  - 1
-  version: 0.6.1
+  - 7
+  - 0
+  version: 0.7.0
 platform: ruby
 authors: 
 - Justin Collins
@@ -14,7 +14,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-07-29 00:00:00 -07:00
+date: 2011-08-17 00:00:00 -07:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -105,6 +105,7 @@ files:
 - FEATURES
 - README.md
 - lib/warning.rb
+- lib/processors/gem_processor.rb
 - lib/processors/params_processor.rb
 - lib/processors/controller_alias_processor.rb
 - lib/processors/base_processor.rb
@@ -130,17 +131,22 @@ files:
 - lib/checks/check_send_file.rb
 - lib/checks/check_session_settings.rb
 - lib/checks/check_nested_attributes.rb
+- lib/checks/check_strip_tags.rb
 - lib/checks/check_sql.rb
 - lib/checks/check_mass_assignment.rb
+- lib/checks/check_escape_function.rb
 - lib/checks/check_cross_site_scripting.rb
 - lib/checks/check_model_attributes.rb
 - lib/checks/check_default_routes.rb
 - lib/checks/check_evaluation.rb
+- lib/checks/check_quote_table_name.rb
 - lib/checks/check_validation_regex.rb
 - lib/checks/check_execute.rb
+- lib/checks/check_filter_skipping.rb
 - lib/checks/check_mail_to.rb
 - lib/checks/base_check.rb
 - lib/checks/check_file_access.rb
+- lib/checks/check_response_splitting.rb
 - lib/checks/check_redirect.rb
 - lib/checks/check_forgery_setting.rb
 - lib/checks/check_render.rb