brakeman 1.6.1 → 1.6.2

data/bin/brakeman

@@ -53,7 +53,7 @@ trap("INT") do
 end
 
 if options[:previous_results_json]
-  vulns = Brakeman.compare options
+  vulns = Brakeman.compare options.merge(:quiet => options[:quiet])
   puts JSON.pretty_generate(vulns)
 else
   #Run scan and output a report

data/lib/brakeman/checks/check_redirect.rb

@@ -13,6 +13,12 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
   def run_check
     Brakeman.debug "Finding calls to redirect_to()"
 
+    @model_find_calls = Set[:all, :find, :find_by_sql, :first, :last, :new]
+
+    if tracker.options[:rails3]
+      @model_find_calls.merge [:from, :group, :having, :joins, :lock, :order, :reorder, :select, :where]
+    end
+
     @tracker.find_call(:target => false, :method => :redirect_to).each do |res|
       process_result res
     end
@@ -50,20 +56,19 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
   def include_user_input? call
     Brakeman.debug "Checking if call includes user input"
 
-    if tracker.options[:ignore_redirect_to_model] and call? call[3][1] and 
-      call[3][1][2] == :new and call[3][1][1]
+    args = call[3]
 
-      begin
-        target = class_name call[3][1][1]
-        if @tracker.models.include? target
-          return false
-        end
-      rescue
-      end
+    if tracker.options[:ignore_redirect_to_model] and call? args[1] and
+      (@model_find_calls.include? args[1][2] or args[1][2].to_s.match(/^find_by_/)) and
+      model_name? args[1][1]
+
+      return false
     end
 
-    call[3].each do |arg|
-      if call? arg 
+    args.each do |arg|
+      if res = has_immediate_model?(arg)
+        return Match.new(:immediate, res)
+      elsif call? arg
         if request_value? arg
           return Match.new(:immediate, arg)
         elsif request_value? arg[1]

data/lib/brakeman/checks/check_sql.rb

@@ -37,6 +37,15 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     Brakeman.debug "Finding calls to named_scope or scope"
     calls.concat find_scope_calls
 
+    Brakeman.debug "Checking version of Rails for CVE-2012-2660"
+    check_rails_version_for_cve_2012_2660
+
+    Brakeman.debug "Checking version of Rails for CVE-2012-2661"
+    check_rails_version_for_cve_2012_2661
+
+    Brakeman.debug "Checking version of Rails for CVE-2012-2695"
+    check_rails_version_for_cve_2012_2695
+
     Brakeman.debug "Processing possible SQL calls"
     calls.each do |c|
       process_result c
@@ -80,6 +89,33 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     scope_calls
   end
 
+  def check_rails_version_for_cve_2012_2660
+    if version_between?("2.0.0", "3.0.0") || version_between?("3.0.0", "3.0.12") || version_between?("3.1.0", "3.1.4") || version_between?("3.2.0", "3.2.3")
+      warn :warning_type => 'SQL Injection',
+        :message => 'All versions of Rails before 3.0.13, 3.1.5, and 3.2.5 contain a SQL Query Generation Vulnerability: CVE-2012-2660; Upgrade to 3.2.5, 3.1.5, 3.0.13',
+        :confidence => CONFIDENCE[:high],
+        :file => gemfile_or_environment
+    end
+  end
+
+  def check_rails_version_for_cve_2012_2661
+    if version_between?("3.0.0", "3.0.12") || version_between?("3.1.0", "3.1.4") || version_between?("3.2.0", "3.2.3")
+      warn :warning_type => 'SQL Injection',
+        :message => 'All versions of Rails before 3.0.13, 3.1.5, and 3.2.5 contain a SQL Injection Vulnerability: CVE-2012-2661; Upgrade to 3.2.5, 3.1.5, 3.0.13',
+        :confidence => CONFIDENCE[:high],
+        :file => gemfile_or_environment
+    end
+  end
+
+  def check_rails_version_for_cve_2012_2695
+    if version_between?("2.0.0", "3.0.0") || version_between?("3.0.0", "3.0.13") || version_between?("3.1.0", "3.1.5") || version_between?("3.2.0", "3.2.5")
+      warn :warning_type => 'SQL Injection',
+        :message => 'All versions of Rails before 3.0.14, 3.1.6, and 3.2.6 contain SQL Injection Vulnerabilities: CVE-2012-2694 and CVE-2012-2695; Upgrade to 3.2.6, 3.1.6, 3.0.14',
+        :confidence => CONFIDENCE[:high],
+        :file => gemfile_or_environment
+    end
+  end
+
   def process_scope_with_block model_name, args
     scope_name = args[1][1]
     block = args[-1][-1]

data/lib/brakeman/processors/controller_alias_processor.rb

@@ -219,17 +219,25 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
 
   #Returns an array of filter names
   def get_before_filters method, controller
+    return [] unless controller[:options] and controller[:options][:before_filters]
+
     filters = []
-    return filters unless controller[:options]
-    filter_list = controller[:options][:before_filters]
-    return filters unless filter_list
 
-    filter_list.each do |filter|
-      f = before_filter_to_hash filter
+    if controller[:before_filter_cache].nil?
+      filter_cache = []
+
+      controller[:options][:before_filters].each do |filter|
+        filter_cache << before_filter_to_hash(filter)
+      end
+
+      controller[:before_filter_cache] = filter_cache
+    end
+
+    controller[:before_filter_cache].each do |f|
       if f[:all] or 
         (f[:only] == method) or
         (f[:only].is_a? Array and f[:only].include? method) or 
-        (f[:except] == method) or
+        (f[:except].is_a? Symbol and f[:except] != method) or
         (f[:except].is_a? Array and not f[:except].include? method)
 
         filters.concat f[:methods]
@@ -254,7 +262,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
     filter[:methods] = [args[0][1]]
 
     args[1..-1].each do |a|
-      filter[:methods] << a[1] unless a.node_type == :hash
+      filter[:methods] << a[1] if a.node_type == :lit
     end
 
     if args[-1].node_type == :hash

data/lib/brakeman/scanner.rb

@@ -19,7 +19,7 @@ begin
 rescue LoadError => e
   $stderr.puts e.message
   $stderr.puts "Please install the appropriate dependency."
-  exit
+  exit -1
 end
 
 #Scans the Rails application.

data/lib/brakeman/util.rb

@@ -11,6 +11,8 @@ module Brakeman::Util
 
   REQUEST_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request, Sexp.new(:arglist)), :request_parameters, Sexp.new(:arglist))
 
+  REQUEST_PARAMS = Sexp.new(:call, Sexp.new(:call, nil, :request, Sexp.new(:arglist)), :parameters, Sexp.new(:arglist))
+
   REQUEST_ENV = Sexp.new(:call, Sexp.new(:call, nil, :request, Sexp.new(:arglist)), :env, Sexp.new(:arglist))
 
   PARAMETERS = Sexp.new(:call, nil, :params, Sexp.new(:arglist))
@@ -19,7 +21,7 @@ module Brakeman::Util
 
   SESSION = Sexp.new(:call, nil, :session, Sexp.new(:arglist))
 
-  ALL_PARAMETERS = Set[PARAMETERS, QUERY_PARAMETERS, PATH_PARAMETERS, REQUEST_PARAMETERS]
+  ALL_PARAMETERS = Set[PARAMETERS, QUERY_PARAMETERS, PATH_PARAMETERS, REQUEST_PARAMETERS, REQUEST_PARAMS]
 
   #Convert a string from "something_like_this" to "SomethingLikeThis"
   #

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "1.6.1"
+  Version = "1.6.2"
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: brakeman
 version: !ruby/object:Gem::Version 
-  hash: 13
+  hash: 11
   prerelease: 
   segments: 
   - 1
   - 6
-  - 1
-  version: 1.6.1
+  - 2
+  version: 1.6.2
 platform: ruby
 authors: 
 - Justin Collins
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2012-05-23 00:00:00 Z
+date: 2012-06-13 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: activesupport
@@ -202,7 +202,6 @@ files:
 - lib/brakeman/warning.rb
 - lib/brakeman/differ.rb
 - lib/brakeman/processors/gem_processor.rb
-- lib/brakeman/processors/params_processor.rb
 - lib/brakeman/processors/controller_alias_processor.rb
 - lib/brakeman/processors/base_processor.rb
 - lib/brakeman/processors/controller_processor.rb

data/lib/brakeman/processors/params_processor.rb

@@ -1,76 +0,0 @@
-require 'sexp_processor'
-require 'set'
-
-#Looks for request parameters. Not used currently.
-class Brakeman::ParamsProcessor < SexpProcessor
-  attr_reader :result
-
-  def initialize
-    super()
-    self.strict = false
-    self.auto_shift_type = false
-    self.require_empty = false
-    self.default_method = :process_default
-    self.warn_on_default = false
-    @result = []
-    @matched = false
-    @mark = false
-    @watch_nodes = Set[:call, :iasgn, :lasgn, :gasgn, :cvasgn, :return, :attrasgn]
-    @params = Sexp.new(:call, nil, :params, Sexp.new(:arglist))
-  end
-
-  def process_default exp
-    if @watch_nodes.include?(exp.node_type) and not @mark
-      @mark = true
-      @matched = false
-      process_these exp[1..-1]
-      if @matched
-        @result << exp
-        @matched = false
-      end
-      @mark = false
-    else
-      process_these exp[1..-1]
-    end
-
-    exp
-  end
-
-  def process_these exp
-    exp.each do |e|
-      if sexp? e and not e.empty?
-        process e
-      end
-    end
-  end
-
-  def process_call exp
-    if @mark
-      actually_process_call exp
-    else
-      @mark = true
-      actually_process_call exp
-      if @matched
-        @result << exp
-      end
-      @mark = @matched = false
-    end
-      
-    exp
-  end 
-
-  def actually_process_call exp
-    process exp[1]
-    process exp[3]
-    if exp[1] == @params or exp == @params
-      @matched = true
-    end
-  end
-
-  #Don't really care about condition
-  def process_if exp
-    process_these exp[2..-1]
-    exp
-  end
-
-end