brakeman 1.6.2 → 1.7.0

data/lib/brakeman/checks.rb

@@ -97,7 +97,12 @@ class Brakeman::Checks
         Brakeman.notify " - #{check_name}"
 
         check = c.new(tracker)
-        check.run_check
+
+        begin
+          check.run_check
+        rescue Exception => e
+          tracker.error e
+        end
 
         check.warnings.each do |w|
           check_runner.add_warning w
@@ -115,6 +120,7 @@ class Brakeman::Checks
   #Run checks in parallel threads
   def self.run_checks_parallel tracker
     threads = []
+    error_mutex = Mutex.new
     
     check_runner = self.new :min_confidence => tracker.options[:min_confidence]
 
@@ -128,14 +134,17 @@ class Brakeman::Checks
         Brakeman.notify " - #{check_name}"
 
         threads << Thread.new do
+          check = c.new(tracker)
+
           begin
-            check = c.new(tracker)
             check.run_check
-            check.warnings
           rescue Exception => e
-            Brakeman.notify "[#{check_name}] #{e}"
-            []
+            error_mutex.synchronize do
+              tracker.error e
+            end
           end
+
+          check.warnings
         end
 
         #Maintain list of which checks were run

data/lib/brakeman/checks/base_check.rb

@@ -1,11 +1,10 @@
-require 'sexp_processor'
 require 'brakeman/processors/output_processor'
 require 'brakeman/processors/lib/processor_helper'
 require 'brakeman/warning'
 require 'brakeman/util'
 
 #Basis of vulnerability checks.
-class Brakeman::BaseCheck < SexpProcessor
+class Brakeman::BaseCheck < Brakeman::SexpProcessor
   include Brakeman::ProcessorHelper
   include Brakeman::Util
   attr_reader :tracker, :warnings
@@ -24,11 +23,6 @@ class Brakeman::BaseCheck < SexpProcessor
     @current_set = nil
     @current_template = @current_module = @current_class = @current_method = nil
     @mass_assign_disabled = nil
-    self.strict = false
-    self.auto_shift_type = false
-    self.require_empty = false
-    self.default_method = :process_default
-    self.warn_on_default = false
   end
 
   #Add result to result list, which is used to check for duplicates
@@ -154,6 +148,7 @@ class Brakeman::BaseCheck < SexpProcessor
     @mass_assign_disabled = false
 
     if version_between?("3.1.0", "4.0.0") and 
+      tracker.config[:rails] and
       tracker.config[:rails][:active_record] and 
       tracker.config[:rails][:active_record][:whitelist_attributes] == Sexp.new(:true)
 
@@ -301,6 +296,9 @@ class Brakeman::BaseCheck < SexpProcessor
       when :if
         (sexp? exp[2] and has_immediate_user_input? exp[2]) or 
         (sexp? exp[3] and has_immediate_user_input? exp[3])
+      when :or
+        has_immediate_user_input? exp[1] or
+        has_immediate_user_input? exp[2]
       else
         false
       end
@@ -456,4 +454,18 @@ class Brakeman::BaseCheck < SexpProcessor
   def self.description
     @description
   end
+
+  def active_record_models
+    return @active_record_models if @active_record_models
+
+    @active_record_models = {}
+
+    tracker.models.each do |name, model|
+      if ancestor? model, :"ActiveRecord::Base"
+        @active_record_models[name] = model
+      end
+    end
+
+    @active_record_models
+  end
 end

data/lib/brakeman/checks/check_digest_dos.rb

@@ -0,0 +1,37 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckDigestDoS < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for digest authentication DoS vulnerability"
+
+  def run_check
+    message = "Vulnerability in digest authentication (CVE-2012-3424). Upgrade to Rails version "
+
+    if version_between? "3.0.0", "3.0.15"
+      message << "3.0.16"
+    elsif version_between? "3.1.0", "3.1.6"
+      message << "3.1.7"
+    elsif version_between? "3.2.0", "3.2.5"
+      message << "3.2.7"
+    else
+      return
+    end
+
+    if with_http_digest?
+      confidence = CONFIDENCE[:high]
+    else
+      confidence = CONFIDENCE[:low]
+    end
+
+    warn :warning_type => "Denial of Service",
+      :message => message,
+      :confidence => confidence,
+      :link_path => "https://groups.google.com/d/topic/rubyonrails-security/vxJjrc15qYM/discussion",
+      :file => gemfile_or_environment
+  end
+
+  def with_http_digest?
+    not tracker.find_call(:target => false, :method => [:authenticate_or_request_with_http_digest, :authenticate_with_http_digest]).empty?
+  end
+end

data/lib/brakeman/checks/check_escape_function.rb

@@ -13,7 +13,8 @@ class Brakeman::CheckEscapeFunction < Brakeman::BaseCheck
       warn :warning_type => 'Cross Site Scripting',
         :message => 'Versions before 2.3.14 have a vulnerability in escape method when used with Ruby 1.8: CVE-2011-2931',
         :confidence => CONFIDENCE[:high],
-        :file => gemfile_or_environment
+        :file => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/Vr_7WSOrEZU/discussion"
     end
   end
 end

data/lib/brakeman/checks/check_file_access.rb

@@ -9,7 +9,7 @@ class Brakeman::CheckFileAccess < Brakeman::BaseCheck
 
   def run_check
     Brakeman.debug "Finding possible file access"
-    methods = tracker.find_call :targets => [:Dir, :File, :IO, :Kernel, :"Net::FTP", :"Net::HTTP", :PStore, :Pathname, :Shell, :YAML], :methods => [:[], :chdir, :chroot, :delete, :entries, :foreach, :glob, :install, :lchmod, :lchown, :link, :load, :load_file, :makedirs, :move, :new, :open, :read, :read_lines, :rename, :rmdir, :safe_unlink, :symlink, :syscopy, :sysopen, :truncate, :unlink]
+    methods = tracker.find_call :targets => [:Dir, :File, :IO, :Kernel, :"Net::FTP", :"Net::HTTP", :PStore, :Pathname, :Shell, :YAML], :methods => [:[], :chdir, :chroot, :delete, :entries, :foreach, :glob, :install, :lchmod, :lchown, :link, :load, :load_file, :makedirs, :move, :new, :open, :read, :readlines, :rename, :rmdir, :safe_unlink, :symlink, :syscopy, :sysopen, :truncate, :unlink]
 
     Brakeman.debug "Finding calls to load()"
     methods.concat tracker.find_call :target => false, :method => :load
@@ -24,32 +24,49 @@ class Brakeman::CheckFileAccess < Brakeman::BaseCheck
   end
 
   def process_result result
+    return if duplicate? result
+    add_result result
     call = result[:call]
-
     file_name = call[3][1]
 
-    if input = include_user_input?(file_name)
-      unless duplicate? result
-        add_result result
-
-        case input.type
-        when :params
-          message = "Parameter"
-        when :cookies
-          message = "Cookie"
-        else
-          message = "User input"
-        end
-
-        message << " value used in file name"
-
-        warn :result => result,
-          :warning_type => "File Access",
-          :message => message, 
-          :confidence => CONFIDENCE[:high],
-          :code => call,
-          :user_input => input.match
+    if match = has_immediate_user_input?(file_name)
+      confidence = CONFIDENCE[:high]
+    elsif match = has_immediate_model?(file_name)
+      match = Match.new(:model, match)
+      confidence = CONFIDENCE[:med]
+    elsif tracker.options[:check_arguments] and
+      match = include_user_input?(file_name)
+
+      #Check for string building in file name
+      if call?(file_name) and (file_name[2] == :+ or file_name[2] == :<<)
+        confidence = CONFIDENCE[:high]
+      else
+        confidence = CONFIDENCE[:low]
       end
     end
+
+    if match
+      case match.type
+      when :params
+        message = "Parameter"
+      when :cookies
+        message = "Cookie"
+      when :request
+        message = "Request"
+      when :model
+        message = "Model attribute"
+      else
+        message = "User input"
+      end
+
+      message << " value used in file name"
+
+      warn :result => result,
+        :warning_type => "File Access",
+        :message => message,
+        :confidence => confidence,
+        :code => call,
+        :user_input => match.match
+    end
   end
 end

data/lib/brakeman/checks/check_filter_skipping.rb

@@ -13,7 +13,8 @@ class Brakeman::CheckFilterSkipping < Brakeman::BaseCheck
       warn :warning_type => "Default Routes",
         :message => "Versions before 3.0.10 have a vulnerability which allows filters to be bypassed: CVE-2011-2929",
         :confidence => CONFIDENCE[:high],
-        :file => gemfile_or_environment
+        :file => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/NCCsca7TEtY/discussion"
     end
   end
 

data/lib/brakeman/checks/check_forgery_setting.rb

@@ -11,11 +11,12 @@ class Brakeman::CheckForgerySetting < Brakeman::BaseCheck
 
   def run_check
     app_controller = tracker.controllers[:ApplicationController]
-    if tracker.config[:rails][:action_controller] and
+    if tracker.config[:rails] and
+      tracker.config[:rails][:action_controller] and
       tracker.config[:rails][:action_controller][:allow_forgery_protection] == Sexp.new(:false)
 
       warn :controller => :ApplicationController,
-        :warning_type => "Cross Site Request Forgery",
+        :warning_type => "Cross-Site Request Forgery",
         :message => "Forgery protection is disabled", 
         :confidence => CONFIDENCE[:high]
 
@@ -32,7 +33,8 @@ class Brakeman::CheckForgerySetting < Brakeman::BaseCheck
         :warning_type => "Cross-Site Request Forgery",
         :message => "CSRF protection is flawed in unpatched versions of Rails #{tracker.config[:rails_version]} (CVE-2011-0447). Upgrade to 2.3.11 or apply patches as needed",
         :confidence => CONFIDENCE[:high],
-        :file => gemfile_or_environment
+        :file => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/LZWjzCPgNmU/discussion"
 
     elsif version_between? "3.0.0", "3.0.3"
 
@@ -40,7 +42,8 @@ class Brakeman::CheckForgerySetting < Brakeman::BaseCheck
         :warning_type => "Cross-Site Request Forgery",
         :message => "CSRF protection is flawed in unpatched versions of Rails #{tracker.config[:rails_version]} (CVE-2011-0447). Upgrade to 3.0.4 or apply patches as needed",
         :confidence => CONFIDENCE[:high],
-        :file => gemfile_or_environment
+        :file => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/LZWjzCPgNmU/discussion"
     end
   end
 end

data/lib/brakeman/checks/check_link_to.rb

@@ -76,7 +76,8 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
         :warning_type => "Cross Site Scripting", 
         :message => message,
         :user_input => input.match,
-        :confidence => CONFIDENCE[:high]
+        :confidence => CONFIDENCE[:high],
+        :link_path => "link_to"
 
     elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(arg)
       method = match[2]
@@ -94,7 +95,8 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
           :warning_type => "Cross Site Scripting", 
           :message => "Unescaped model attribute in link_to",
           :user_input => match,
-          :confidence => confidence
+          :confidence => confidence,
+          :link_path => "link_to"
       end
 
     elsif @matched
@@ -111,7 +113,8 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
           :warning_type => "Cross Site Scripting", 
           :message => message,
           :user_input => @matched.match,
-          :confidence => CONFIDENCE[:med]
+          :confidence => CONFIDENCE[:med],
+          :link_path => "link_to"
       end
     end
   end

data/lib/brakeman/checks/check_link_to_href.rb

@@ -57,7 +57,8 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
           :warning_type => "Cross Site Scripting", 
           :message => message,
           :user_input => input.match,
-          :confidence => CONFIDENCE[:high]
+          :confidence => CONFIDENCE[:high],
+          :link_path => "link_to_href"
       end
     elsif has_immediate_model? url_arg
 
@@ -84,7 +85,8 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
           :warning_type => "Cross Site Scripting", 
           :message => message,
           :user_input => @matched.match,
-          :confidence => CONFIDENCE[:med]
+          :confidence => CONFIDENCE[:med],
+          :link_path => "link_to_href"
       end
     end
   end

data/lib/brakeman/checks/check_nested_attributes.rb

@@ -22,12 +22,13 @@ class Brakeman::CheckNestedAttributes < Brakeman::BaseCheck
       warn :warning_type => "Nested Attributes",
         :message => message,
         :confidence => CONFIDENCE[:high],
-        :file => gemfile_or_environment
+        :file => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/-fkT0yja_gw/discussion"
     end
   end
 
   def uses_nested_attributes?
-    tracker.models.each do |name, model|
+    active_record_models.each do |name, model|
       return true if model[:options][:accepts_nested_attributes_for]
     end
 

data/lib/brakeman/checks/check_quote_table_name.rb

@@ -26,7 +26,8 @@ class Brakeman::CheckQuoteTableName < Brakeman::BaseCheck
       warn :warning_type => "SQL Injection",
         :message => message,
         :confidence => confidence,
-        :file => gemfile_or_environment
+        :file => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/ah5HN0S8OJs/discussion"
     end
   end
 

data/lib/brakeman/checks/check_response_splitting.rb

@@ -13,7 +13,8 @@ class Brakeman::CheckResponseSplitting < Brakeman::BaseCheck
       warn :warning_type => "Response Splitting",
         :message => "Versions before 2.3.14 have a vulnerability content type handling allowing injection of headers: CVE-2011-3186",
         :confidence => CONFIDENCE[:med],
-        :file => gemfile_or_environment
+        :file => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/b_yTveAph2g/discussion"
     end
   end
 end

data/lib/brakeman/checks/check_sql.rb

@@ -24,7 +24,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     end
 
     Brakeman.debug "Finding possible SQL calls on models"
-    calls = tracker.find_call :targets => tracker.models.keys,
+    calls = tracker.find_call :targets => active_record_models.keys,
       :methods => @sql_targets,
       :chained => true
 
@@ -57,7 +57,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     scope_calls = []
 
     if version_between? "2.1.0", "3.0.9"
-      tracker.models.each do |name, model|
+      active_record_models.each do |name, model|
         if model[:options][:named_scope]
           model[:options][:named_scope].each do |args|
             call = Sexp.new(:call, nil, :named_scope, args).line(args.line)
@@ -66,7 +66,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
         end
        end
     elsif version_between? "3.1.0", "3.9.9"
-      tracker.models.each do |name, model|
+      active_record_models.each do |name, model|
         if model[:options][:scope]
           model[:options][:scope].each do |args|
             second_arg = args[2]
@@ -94,7 +94,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       warn :warning_type => 'SQL Injection',
         :message => 'All versions of Rails before 3.0.13, 3.1.5, and 3.2.5 contain a SQL Query Generation Vulnerability: CVE-2012-2660; Upgrade to 3.2.5, 3.1.5, 3.0.13',
         :confidence => CONFIDENCE[:high],
-        :file => gemfile_or_environment
+        :file => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/8SA-M3as7A8/discussion"
     end
   end
 
@@ -103,7 +104,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       warn :warning_type => 'SQL Injection',
         :message => 'All versions of Rails before 3.0.13, 3.1.5, and 3.2.5 contain a SQL Injection Vulnerability: CVE-2012-2661; Upgrade to 3.2.5, 3.1.5, 3.0.13',
         :confidence => CONFIDENCE[:high],
-        :file => gemfile_or_environment
+        :file => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/dUaiOOGWL1k/discussion"
     end
   end
 
@@ -112,7 +114,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       warn :warning_type => 'SQL Injection',
         :message => 'All versions of Rails before 3.0.14, 3.1.6, and 3.2.6 contain SQL Injection Vulnerabilities: CVE-2012-2694 and CVE-2012-2695; Upgrade to 3.2.6, 3.1.6, 3.0.14',
         :confidence => CONFIDENCE[:high],
-        :file => gemfile_or_environment
+        :file => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/l4L0TEVAz1k/discussion"
     end
   end
 
@@ -270,7 +273,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     if node_type? arg, :arglist
       if arg.length > 2 and node_type? arg[1], :string_interp, :dstr
         # Model.where("blah = ?", blah)
-        return string_interp arg[1]
+        return check_string_interp arg[1]
       else
         arg = arg[1]
       end

data/lib/brakeman/checks/check_strip_tags.rb

@@ -20,7 +20,8 @@ class Brakeman::CheckStripTags < Brakeman::BaseCheck
       warn :warning_type => "Cross Site Scripting",
         :message => message,
         :confidence => CONFIDENCE[:high],
-        :file => gemfile_or_environment
+        :file => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/K5EwdJt06hI/discussion"
     end
   end
 

data/lib/brakeman/checks/check_validation_regex.rb

@@ -15,7 +15,7 @@ class Brakeman::CheckValidationRegex < Brakeman::BaseCheck
   WITH = Sexp.new(:lit, :with)
 
   def run_check
-    tracker.models.each do |name, model|
+    active_record_models.each do |name, model|
       @current_model = name
       format_validations = model[:options][:validates_format_of]
       if format_validations