brakeman 1.4.0 → 1.5.0

data/README.md

@@ -140,6 +140,7 @@ The `-c` option can be used to specify a configuration file to use.
 The MIT License
 
 Copyright (c) 2010-2012, YELLOWPAGES.COM, LLC
+Copyright (c) 2012, Twitter, Inc.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

data/lib/brakeman.rb

@@ -138,6 +138,8 @@ module Brakeman
         :to_pdf
       when :tabs, :to_tabs
         :to_tabs
+      when :json, :to_json
+        :to_json
       else
         :to_s
       end
@@ -151,6 +153,8 @@ module Brakeman
         :to_pdf
       when /\.tabs$/i
         :to_tabs
+      when /\.json$/i
+        :to_json
       else
         :to_s
       end

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -17,9 +17,9 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
   @description = "Checks for unescaped output in views"
 
   #Model methods which are known to be harmless
-  IGNORE_MODEL_METHODS = Set.new([:average, :count, :maximum, :minimum, :sum])
+  IGNORE_MODEL_METHODS = Set[:average, :count, :maximum, :minimum, :sum, :id]
 
-  MODEL_METHODS = Set.new([:all, :find, :first, :last, :new])
+  MODEL_METHODS = Set[:all, :find, :first, :last, :new]
 
   IGNORE_LIKE = /^link_to_|(_path|_tag|_url)$/
 
@@ -35,18 +35,18 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
 
   #Run check
   def run_check 
-    @ignore_methods = Set.new([:button_to, :check_box, :escapeHTML, :escape_once,
+    @ignore_methods = Set[:button_to, :check_box, :content_tag, :escapeHTML, :escape_once,
                            :field_field, :fields_for, :h, :hidden_field,
                            :hidden_field, :hidden_field_tag, :image_tag, :label,
-                           :link_to, :mail_to, :radio_button, :select,
+                           :link_to, :mail_to, :radio_button,
                            :submit_tag, :text_area, :text_field,
                            :text_field_tag, :url_encode, :url_for,
-                           :will_paginate] ).merge tracker.options[:safe_methods]
+                           :will_paginate].merge tracker.options[:safe_methods]
 
     @models = tracker.models.keys
     @inspect_arguments = tracker.options[:check_arguments]
 
-    @known_dangerous = Set.new([:truncate, :concat])
+    @known_dangerous = Set[:truncate, :concat]
 
     if version_between? "2.0.0", "3.0.5"
       @known_dangerous << :auto_link
@@ -54,6 +54,10 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
       @ignore_methods << :auto_link
     end
 
+    if tracker.config[:rails3]
+      @ignore_methods << :select
+    end
+
     tracker.each_template do |name, template|
       @current_template = template
       template[:outputs].each do |out|

data/lib/brakeman/checks/check_link_to.rb

@@ -12,13 +12,13 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
   def run_check
     return unless version_between?("2.0.0", "2.9.9") and not tracker.config[:escape_html]
 
-    @ignore_methods = Set.new([:button_to, :check_box, :escapeHTML, :escape_once,
+    @ignore_methods = Set[:button_to, :check_box, :escapeHTML, :escape_once,
                            :field_field, :fields_for, :h, :hidden_field,
                            :hidden_field, :hidden_field_tag, :image_tag, :label,
                            :mail_to, :radio_button, :select,
                            :submit_tag, :text_area, :text_field,
                            :text_field_tag, :url_encode, :url_for,
-                           :will_paginate] ).merge tracker.options[:safe_methods]
+                           :will_paginate].merge tracker.options[:safe_methods]
 
     @known_dangerous = []
     #Ideally, I think this should also check to see if people are setting

data/lib/brakeman/checks/check_link_to_href.rb

@@ -12,13 +12,13 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
   @description = "Checks to see if values used for hrefs are sanitized using a :url_safe_method to protect against javascript:/data: XSS"
 
   def run_check
-    @ignore_methods = Set.new([:button_to, :check_box,
+    @ignore_methods = Set[:button_to, :check_box,
                            :field_field, :fields_for, :hidden_field,
                            :hidden_field, :hidden_field_tag, :image_tag, :label,
                            :mail_to, :radio_button, :select,
                            :submit_tag, :text_area, :text_field,
                            :text_field_tag, :url_encode, :url_for,
-                           :will_paginate] ).merge(tracker.options[:url_safe_methods] || [])
+                           :will_paginate].merge(tracker.options[:url_safe_methods] || [])
 
     @models = tracker.models.keys
     @inspect_arguments = tracker.options[:check_arguments]

data/lib/brakeman/checks/check_mass_assignment.rb

@@ -85,7 +85,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
     end
   end
 
-  LITERALS = Set.new([:lit, :true, :false, :nil, :string]) 
+  LITERALS = Set[:lit, :true, :false, :nil, :string]
 
   def all_literals? args
     args.all? do |arg|

data/lib/brakeman/checks/check_safe_buffer_manipulation.rb

@@ -0,0 +1,30 @@
+require 'brakeman/checks/base_check'
+
+#Check for unsafe manipulation of strings
+#Right now this is just a version check for
+#https://groups.google.com/group/rubyonrails-security/browse_thread/thread/edd28f1e3d04e913?pli=1
+class Brakeman::CheckSafeBufferManipulation < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Check for Rails versions with SafeBuffer bug"
+
+  def run_check
+
+    if version_between? "3.0.0", "3.0.11"
+      suggested_version = "3.0.12"
+    elsif version_between? "3.1.0", "3.1.3"
+      suggested_version = "3.1.4"
+    elsif version_between? "3.2.0", "3.2.1"
+      suggested_version = "3.2.2"
+    else
+      return
+    end
+
+    message = "Rails #{tracker.config[:rails_version]} has a vulnerabilty in SafeBuffer. Upgrade to #{suggested_version} or apply patches."
+
+    warn :warning_type => "Cross Site Scripting",
+      :message => message,
+      :confidence => CONFIDENCE[:med],
+      :file => gemfile_or_environment
+  end
+end

data/lib/brakeman/checks/check_select_vulnerability.rb

@@ -0,0 +1,55 @@
+require 'brakeman/checks/base_check'
+
+#Checks for select() helper vulnerability in some versions of Rails 3
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/9da0c515a6c4664
+class Brakeman::CheckSelectVulnerability < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Looks for unsafe uses of select() helper in some versions of Rails 3.x"
+
+  def run_check
+
+    if version_between? "3.0.0", "3.0.11"
+      suggested_version = "3.0.12"
+    elsif version_between? "3.1.0", "3.1.3"
+      suggested_version = "3.1.4"
+    elsif version_between? "3.2.0", "3.2.1"
+      suggested_version = "3.2.2"
+    else
+      return
+    end
+
+    @message = "Upgrade to Rails #{suggested_version}, #{tracker.config[:rails_version]} select() helper is vulnerable"
+
+    calls = tracker.find_call(:target => nil, :method => :select).select do |result|
+      result[:location][0] == :template
+    end
+
+    calls.each do |result|
+      process_result result
+    end
+  end
+
+  def process_result result
+    return if duplicate? result
+
+    args = result[:call][3]
+
+    #Check for user input in options parameter
+    if sexp? args[3] and include_user_input? args[3]
+      add_result result
+
+      if node_type? args[3], :string_interp, :dstr
+        confidence = CONFIDENCE[:med]
+      else
+        confidence = CONFIDENCE[:low]
+      end
+
+      warn :template => result[:location][1],
+          :warning_type => "Cross Site Scripting",
+          :result => result,
+          :message => @message,
+          :confidence => confidence
+    end
+  end
+end

data/lib/brakeman/checks/check_skip_before_filter.rb

@@ -0,0 +1,51 @@
+require 'brakeman/checks/base_check'
+
+#At the moment, this looks for
+#
+#  skip_before_filter :verify_authenticity_token, :except => [...]
+#
+#which is essentially a blacklist approach (no actions are checked EXCEPT the
+#ones listed) versus a whitelist approach (ONLY the actions listed will skip
+#the check)
+class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Warn when skipping CSRF check by default"
+
+  def run_check
+    tracker.controllers.each do |name, controller|
+      if filter_skips = (controller[:options][:skip_before_filter] or controller[:options][:skip_filter])
+        filter_skips.each do |filter|
+          process_skip_filter filter, controller
+        end
+      end
+    end
+  end
+
+  def process_skip_filter filter, controller
+    if skip_verify_except? filter
+      warn :class => controller[:name],
+        :warning_type => "Cross-Site Request Forgery",
+        :message => "Use whitelist (:only => [..]) when skipping CSRF check",
+        :line => filter.line,
+        :code => filter,
+        :confidence => CONFIDENCE[:med]
+    end
+  end
+
+  def skip_verify_except? filter
+    return false unless call? filter
+
+    args = filter[3]
+
+    if symbol? args[1] and args[1][1] == :verify_authenticity_token and hash? args.last
+      hash_iterate args.last do |k, v|
+        if symbol? k and k[1] == :except
+          return true
+        end
+      end
+    end
+
+    false
+  end
+end

data/lib/brakeman/checks/check_sql.rb

@@ -16,22 +16,22 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   def run_check
     @rails_version = tracker.config[:rails_version]
 
-    Brakeman.debug "Finding possible SQL calls on models"
     if tracker.options[:rails3]
-      calls = tracker.find_call :targets => tracker.models.keys,
-        :methods => /^(find.*|first|last|all|where|order|group|having)$/,
-        :chained => true
+      @sql_targets = /^(find.*|last|first|all|count|sum|average|minumum|maximum|count_by_sql|where|order|group|having)$/
     else
-      calls = tracker.find_call :targets => tracker.models.keys,
-        :methods => /^(find.*|first|last|all)$/,
-        :chained => true
+      @sql_targets = /^(find.*|last|first|all|count|sum|average|minumum|maximum|count_by_sql)$/
     end
 
+    Brakeman.debug "Finding possible SQL calls on models"
+    calls = tracker.find_call :targets => tracker.models.keys,
+      :methods => @sql_targets,
+      :chained => true
+
     Brakeman.debug "Finding possible SQL calls with no target"
-    calls.concat tracker.find_call(:target => nil, :method => /^(find.*|last|first|all|count|sum|average|minumum|maximum|count_by_sql)$/)
+    calls.concat tracker.find_call(:target => nil, :method => @sql_targets)
 
     Brakeman.debug "Finding possible SQL calls using constantized()"
-    calls.concat tracker.find_call(:method => /^(find.*|last|first|all|count|sum|average|minumum|maximum|count_by_sql)$/).select { |result| constantize_call? result }
+    calls.concat tracker.find_call(:method => @sql_targets).select { |result| constantize_call? result }
 
     Brakeman.debug "Finding calls to named_scope or scope"
     calls.concat find_scope_calls
@@ -90,8 +90,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       find_calls.process_source block, model_name, scope_name
 
       find_calls.calls.each do |call|
-        if call[:method].to_s =~ /^(find.*|first|last|all|where|order|group|having)$/
-          puts "Looks like #{call.inspect}"
+        if call[:method].to_s =~ @sql_targets
           process_result call
         end
       end

data/lib/brakeman/options.rb

@@ -129,7 +129,7 @@ module Brakeman::Options
 
         opts.on "-f", 
           "--format TYPE", 
-          [:pdf, :text, :html, :csv, :tabs], 
+          [:pdf, :text, :html, :csv, :tabs, :json],
           "Specify output format. Default is text" do |type|
 
           type = "s" if type == :text

data/lib/brakeman/processors/lib/rails2_route_processor.rb

@@ -30,9 +30,8 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BaseProcessor
   def process_call exp
     target = exp[1]
 
-    if target == map or target == nested
+    if target == map or (not target.nil? and target == nested)
       process_map exp
-
     else
       process_default exp
     end
@@ -193,7 +192,7 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BaseProcessor
     #This -seems- redundant, but people might connect actions
     #to a controller which already allows them all
     return if @tracker.routes[@current_controller].is_a? Array and @tracker.routes[@current_controller][0] == :allow_all_actions
-  
+
     exp[-1].each_with_index do |e,i|
       if symbol? e and e[1] == :action
         @tracker.routes[@current_controller] << exp[-1][i + 1][1].to_sym

data/lib/brakeman/processors/lib/route_helper.rb

@@ -23,12 +23,19 @@ module Brakeman::RouteHelper
 
   #Add default routes
   def add_resources_routes
-    @tracker.routes[@current_controller].merge [:index, :new, :create, :show, :edit, :update, :destroy]
-  end
+    existing_routes = @tracker.routes[@current_controller]
 
+    unless existing_routes.is_a? Array and existing_routes.first == :allow_all_actions
+      existing_routes.merge [:index, :new, :create, :show, :edit, :update, :destroy]
+    end
+  end
 
   #Add default routes minus :index
   def add_resource_routes
-    @tracker.routes[@current_controller].merge [:new, :create, :show, :edit, :update, :destroy]
+    existing_routes = @tracker.routes[@current_controller]
+
+    unless existing_routes.is_a? Array and existing_routes.first == :allow_all_actions
+      existing_routes.merge [:new, :create, :show, :edit, :update, :destroy]
+    end
   end
 end

data/lib/brakeman/processors/params_processor.rb

@@ -15,7 +15,7 @@ class Brakeman::ParamsProcessor < SexpProcessor
     @result = []
     @matched = false
     @mark = false
-    @watch_nodes = Set.new([:call, :iasgn, :lasgn, :gasgn, :cvasgn, :return, :attrasgn])
+    @watch_nodes = Set[:call, :iasgn, :lasgn, :gasgn, :cvasgn, :return, :attrasgn]
     @params = Sexp.new(:call, nil, :params, Sexp.new(:arglist))
   end
 

data/lib/brakeman/processors/template_alias_processor.rb

@@ -7,7 +7,7 @@ require 'brakeman/processors/lib/render_helper'
 class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
   include Brakeman::RenderHelper
 
-  FORM_METHODS = Set.new([:form_for, :remote_form_for, :form_remote_for])
+  FORM_METHODS = Set[:form_for, :remote_form_for, :form_remote_for]
 
   def initialize tracker, template
     super()

data/lib/brakeman/util.rb

@@ -19,7 +19,7 @@ module Brakeman::Util
 
   SESSION = Sexp.new(:call, nil, :session, Sexp.new(:arglist))
 
-  ALL_PARAMETERS = Set.new([PARAMETERS, QUERY_PARAMETERS, PATH_PARAMETERS, REQUEST_PARAMETERS])
+  ALL_PARAMETERS = Set[PARAMETERS, QUERY_PARAMETERS, PATH_PARAMETERS, REQUEST_PARAMETERS]
 
   #Convert a string from "something_like_this" to "SomethingLikeThis"
   #

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "1.4.0"
+  Version = "1.5.0"
 end

metadata

@@ -1,101 +1,134 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification 
 name: brakeman
-version: !ruby/object:Gem::Version
-  version: 1.4.0
+version: !ruby/object:Gem::Version 
+  hash: 3
   prerelease: 
+  segments: 
+  - 1
+  - 5
+  - 0
+  version: 1.5.0
 platform: ruby
-authors:
+authors: 
 - Justin Collins
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-02-24 00:00:00.000000000 Z
-dependencies:
-- !ruby/object:Gem::Dependency
+
+date: 2012-03-02 00:00:00 Z
+dependencies: 
+- !ruby/object:Gem::Dependency 
   name: activesupport
-  requirement: &78318730 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
   type: :runtime
-  prerelease: false
-  version_requirements: *78318730
-- !ruby/object:Gem::Dependency
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
   name: i18n
-  requirement: &78318500 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
   type: :runtime
-  prerelease: false
-  version_requirements: *78318500
-- !ruby/object:Gem::Dependency
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
   name: ruby2ruby
-  requirement: &78318250 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
+    requirements: 
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '1.2'
+      - !ruby/object:Gem::Version 
+        hash: 11
+        segments: 
+        - 1
+        - 2
+        version: "1.2"
   type: :runtime
-  prerelease: false
-  version_requirements: *78318250
-- !ruby/object:Gem::Dependency
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency 
   name: ruport
-  requirement: &78318000 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
+    requirements: 
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '1.6'
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 1
+        - 6
+        version: "1.6"
   type: :runtime
-  prerelease: false
-  version_requirements: *78318000
-- !ruby/object:Gem::Dependency
+  version_requirements: *id004
+- !ruby/object:Gem::Dependency 
   name: erubis
-  requirement: &78317770 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id005 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
+    requirements: 
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '2.6'
+      - !ruby/object:Gem::Version 
+        hash: 15
+        segments: 
+        - 2
+        - 6
+        version: "2.6"
   type: :runtime
-  prerelease: false
-  version_requirements: *78317770
-- !ruby/object:Gem::Dependency
+  version_requirements: *id005
+- !ruby/object:Gem::Dependency 
   name: haml
-  requirement: &78317540 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id006 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
+    requirements: 
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '3.0'
+      - !ruby/object:Gem::Version 
+        hash: 7
+        segments: 
+        - 3
+        - 0
+        version: "3.0"
   type: :runtime
-  prerelease: false
-  version_requirements: *78317540
-- !ruby/object:Gem::Dependency
+  version_requirements: *id006
+- !ruby/object:Gem::Dependency 
   name: sass
-  requirement: &78317310 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id007 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
+    requirements: 
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '3.0'
+      - !ruby/object:Gem::Version 
+        hash: 7
+        segments: 
+        - 3
+        - 0
+        version: "3.0"
   type: :runtime
-  prerelease: false
-  version_requirements: *78317310
-description: Brakeman detects security vulnerabilities in Ruby on Rails applications
-  via static analysis.
+  version_requirements: *id007
+description: Brakeman detects security vulnerabilities in Ruby on Rails applications via static analysis.
 email: 
-executables:
+executables: 
 - brakeman
 extensions: []
+
 extra_rdoc_files: []
-files:
+
+files: 
 - bin/brakeman
 - WARNING_TYPES
 - FEATURES
@@ -137,6 +170,7 @@ files:
 - lib/brakeman/checks/check_session_settings.rb
 - lib/brakeman/checks/check_nested_attributes.rb
 - lib/brakeman/checks/check_strip_tags.rb
+- lib/brakeman/checks/check_safe_buffer_manipulation.rb
 - lib/brakeman/checks/check_sql.rb
 - lib/brakeman/checks/check_without_protection.rb
 - lib/brakeman/checks/check_mass_assignment.rb
@@ -144,6 +178,7 @@ files:
 - lib/brakeman/checks/check_cross_site_scripting.rb
 - lib/brakeman/checks/check_model_attributes.rb
 - lib/brakeman/checks/check_default_routes.rb
+- lib/brakeman/checks/check_select_vulnerability.rb
 - lib/brakeman/checks/check_evaluation.rb
 - lib/brakeman/checks/check_quote_table_name.rb
 - lib/brakeman/checks/check_validation_regex.rb
@@ -152,6 +187,7 @@ files:
 - lib/brakeman/checks/check_filter_skipping.rb
 - lib/brakeman/checks/check_mail_to.rb
 - lib/brakeman/checks/check_link_to_href.rb
+- lib/brakeman/checks/check_skip_before_filter.rb
 - lib/brakeman/checks/base_check.rb
 - lib/brakeman/checks/check_file_access.rb
 - lib/brakeman/checks/check_response_splitting.rb
@@ -172,26 +208,36 @@ files:
 - lib/brakeman/format/style.css
 homepage: http://brakemanscanner.org
 licenses: []
+
 post_install_message: 
 rdoc_options: []
-require_paths:
+
+require_paths: 
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
+required_ruby_version: !ruby/object:Gem::Requirement 
   none: false
-  requirements:
-  - - ! '>='
-    - !ruby/object:Gem::Version
-      version: '0'
-required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
   none: false
-  requirements:
-  - - ! '>='
-    - !ruby/object:Gem::Version
-      version: '0'
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
 requirements: []
+
 rubyforge_project: 
 rubygems_version: 1.8.15
 signing_key: 
 specification_version: 3
 summary: Security vulnerability scanner for Ruby on Rails.
 test_files: []
+