brakeman 1.7.1 → 1.8.0

data/bin/brakeman

@@ -55,6 +55,9 @@ end
 if options[:previous_results_json]
   vulns = Brakeman.compare options.merge(:quiet => options[:quiet])
   puts JSON.pretty_generate(vulns)
+  if options[:exit_on_warn] and (vulns[:new].count + vulns[:fixed].count > 0)
+    exit Brakeman::Warnings_Found_Exit_Code
+  end
 else
   #Run scan and output a report
   tracker = Brakeman.run options.merge(:print_report => true, :quiet => options[:quiet])

data/lib/brakeman.rb

@@ -39,6 +39,7 @@ module Brakeman
   #  * :safe_methods - array of methods to consider safe
   #  * :skip_libs - do not process lib/ directory (default: false)
   #  * :skip_checks - checks not to run (run all if not specified)
+  #  * :relative_path - show relative path of each file(default: false)
   #  * :summary_only - only output summary section of report 
   #                    (does not apply to tabs format)
   #
@@ -119,6 +120,7 @@ module Brakeman
       :ignore_model_output => false,
       :message_limit => 100,
       :parallel_checks => true,
+      :relative_path => false,
       :quiet => true,
       :report_progress => true,
       :html_style => "#{File.expand_path(File.dirname(__FILE__))}/brakeman/format/style.css" 

data/lib/brakeman/brakeman.rake

@@ -1,9 +1,10 @@
 namespace :brakeman do
 
   desc "Run Brakeman"
-  task :run, :output_file do |t, args|
+  task :run, :output_files do |t, args|
     require 'brakeman'
-    
-    Brakeman.run :app_path => ".", :output_file => args[:output_file], :print_report => true
+
+    files = args[:output_files].split(' ') if args[:output_files]
+    Brakeman.run :app_path => ".", :output_files => files, :print_report => true
   end
 end

data/lib/brakeman/checks/base_check.rb

@@ -58,16 +58,18 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
 
   #Process calls and check if they include user input
   def process_call exp
-    process exp[1] if sexp? exp[1]
-    process exp[3]
+    process exp.target if sexp? exp.target
+    process_all exp.args
 
-    if params? exp[1]
+    target = exp.target
+
+    if params? target
       @has_user_input = Match.new(:params, exp)
-    elsif cookies? exp[1]
+    elsif cookies? target
       @has_user_input = Match.new(:cookies, exp)
-    elsif request_env? exp[1]
+    elsif request_env? target
       @has_user_input = Match.new(:request, exp)
-    elsif sexp? exp[1] and model_name? exp[1][1]
+    elsif sexp? target and model_name? target[1]
       @has_user_input = Match.new(:model, exp)
     end
 
@@ -77,11 +79,11 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   def process_if exp
     #This is to ignore user input in condition
     current_user_input = @has_user_input
-    process exp[1]
+    process exp.condition
     @has_user_input = current_user_input
 
-    process exp[2] if sexp? exp[2]
-    process exp[3] if sexp? exp[3]
+    process exp.then_clause if sexp? exp.then_clause
+    process exp.else_clause if sexp? exp.else_clause
 
     exp
   end
@@ -258,11 +260,11 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     elsif cookies? exp
       return Match.new(:cookies, exp)
     elsif call? exp
-      if params? exp[1]
+      if params? exp.target
         return Match.new(:params, exp)
-      elsif cookies? exp[1]
+      elsif cookies? exp.target
         return Match.new(:cookies, exp)
-      elsif request_env? exp[1]
+      elsif request_env? exp.target
         return Match.new(:request, exp)
       else
         false
@@ -278,27 +280,25 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
         end
         false
       when :string_eval
-        if sexp? exp[1]
-          if exp[1].node_type == :rlist
-            exp[1].each do |e|
-              if sexp? e
-                match = has_immediate_user_input?(e)
-                return match if match
-              end
+        if sexp? exp.value
+          if exp.value.node_type == :rlist
+            exp.value.each_sexp do |e|
+              match = has_immediate_user_input?(e)
+              return match if match
             end
             false
           else
-            has_immediate_user_input? exp[1]
+            has_immediate_user_input? exp.value
           end
         end
       when :format
-        has_immediate_user_input? exp[1]
+        has_immediate_user_input? exp.value
       when :if
-        (sexp? exp[2] and has_immediate_user_input? exp[2]) or 
-        (sexp? exp[3] and has_immediate_user_input? exp[3])
+        (sexp? exp.then_clause and has_immediate_user_input? exp.then_clause) or
+        (sexp? exp.else_clause and has_immediate_user_input? exp.else_clause)
       when :or
-        has_immediate_user_input? exp[1] or
-        has_immediate_user_input? exp[2]
+        has_immediate_user_input? exp.lhs or
+        has_immediate_user_input? exp.rhs
       else
         false
       end
@@ -311,12 +311,12 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     out = exp if out.nil?
 
     if sexp? exp and exp.node_type == :output
-      exp = exp[1]
+      exp = exp.value
     end
 
     if call? exp
-      target = exp[1]
-      method = exp[2]
+      target = exp.target
+      method = exp.method
 
       if call? target and not method.to_s[-1,1] == "?"
         has_immediate_model? target, out
@@ -335,23 +335,26 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
         end
         false
       when :string_eval
-        if sexp? exp[1]
-          if exp[1].node_type == :rlist
-            exp[1].each do |e|
-              if sexp? e and match = has_immediate_model?(e, out)
+        if sexp? exp.value
+          if exp.value.node_type == :rlist
+            exp.value.each_sexp do |e|
+              if match = has_immediate_model?(e, out)
                 return match
               end
             end
             false
           else
-            has_immediate_model? exp[1], out
+            has_immediate_model? exp.value, out
           end
         end
       when :format
-        has_immediate_model? exp[1], out
+        has_immediate_model? exp.value, out
       when :if
-        ((sexp? exp[2] and has_immediate_model? exp[2], out) or 
-         (sexp? exp[3] and has_immediate_model? exp[3], out))
+        ((sexp? exp.then_clause and has_immediate_model? exp.then_clause, out) or
+         (sexp? exp.else_clause and has_immediate_model? exp.else_clause, out))
+      when :or
+        has_immediate_model? exp.lhs or
+        has_immediate_model? exp.rhs
       else
         false
       end
@@ -387,7 +390,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
 
     case exp.node_type
     when :output, :format
-      find_chain exp[1], target
+      find_chain exp.value, target
     when :call
       if exp == target or include_target? exp, target
         return exp 

data/lib/brakeman/checks/check_basic_auth.rb

@@ -33,10 +33,10 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
   end
 
   def get_password call
-    args = call[3][1]
+    arg = call.first_arg
 
-    return false if args.nil? or not hash? args
+    return false if arg.nil? or not hash? arg
 
-    hash_access(args, :password)
+    hash_access(arg, :password)
   end
 end

data/lib/brakeman/checks/check_content_tag.rb

@@ -0,0 +1,179 @@
+require 'brakeman/checks/check_cross_site_scripting'
+
+#Checks for unescaped values in `content_tag`
+#
+#    content_tag :tag, body
+#                       ^-- Unescaped in Rails 2.x
+#
+#    content_tag, :tag, body, attribute => value
+#                                ^-- Unescaped in all versions
+#
+#    content_tag, :tag, body, attribute => value
+#                                            ^
+#                                            |
+#            Escaped by default, can be explicitly escaped
+#            or not by passing in (true|false) as fourth argument
+class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
+  Brakeman::Checks.add self
+
+  @description = "Checks for XSS in calls to content_tag"
+
+  def run_check
+    @ignore_methods = Set[:button_to, :check_box, :escapeHTML, :escape_once,
+                           :field_field, :fields_for, :h, :hidden_field,
+                           :hidden_field, :hidden_field_tag, :image_tag, :label,
+                           :mail_to, :radio_button, :select,
+                           :submit_tag, :text_area, :text_field,
+                           :text_field_tag, :url_encode, :url_for,
+                           :will_paginate].merge tracker.options[:safe_methods]
+
+    @known_dangerous = []
+    methods = tracker.find_call :target => false, :method => :content_tag
+
+    @models = tracker.models.keys
+    @inspect_arguments = tracker.options[:check_arguments]
+
+    Brakeman.debug "Checking for XSS in content_tag"
+    methods.each do |call|
+      process_result call
+    end
+  end
+
+  def process_result result
+    return if duplicate? result
+
+    call = result[:call] = result[:call].dup
+
+    args = call.arglist 
+
+    tag_name = args[1]
+    content = args[2]
+    attributes = args[3]
+    escape_attr = args[4]
+
+    @matched = false
+
+    #Silly, but still dangerous if someone uses user input in the tag type
+    check_argument result, tag_name
+
+    #Versions before 3.x do not escape body of tag, nor does the rails_xss gem
+    unless @matched or (tracker.options[:rails3] and not raw? content)
+      check_argument result, content
+    end
+
+    #Attribute keys are never escaped, so check them for user input
+    if not @matched and hash? attributes and not request_value? attributes
+      hash_iterate(attributes) do |k, v|
+        check_argument result, k
+        return if @matched
+      end
+    end
+
+    #By default, content_tag escapes attribute values passed in as a hash.
+    #But this behavior can be disabled. So only check attributes hash
+    #if they are explicitly not escaped.
+    if not @matched and attributes and false? escape_attr
+      if request_value? attributes or not hash? attributes
+        check_argument result, attributes
+      else #check hash values
+        hash_iterate(attributes) do |k, v|
+          check_argument result, v
+          return if @matched
+        end
+      end
+    end
+  end
+
+  def check_argument result, exp
+    #Check contents of raw() calls directly
+    if call? exp and exp.method == :raw
+      arg = process exp.first_arg
+    else
+      arg = process exp
+    end
+
+    if input = has_immediate_user_input?(arg)
+      case input.type
+      when :params
+        message = "Unescaped parameter value in content_tag"
+      when :cookies
+        message = "Unescaped cookie value in content_tag"
+      else
+        message = "Unescaped user input value in content_tag"
+      end
+
+      add_result result
+
+      warn :result => result,
+        :warning_type => "Cross Site Scripting", 
+        :message => message,
+        :user_input => input.match,
+        :confidence => CONFIDENCE[:high],
+        :link_path => "content_tag"
+
+    elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(arg)
+      method = match[2]
+
+      unless IGNORE_MODEL_METHODS.include? method
+        add_result result
+
+        if MODEL_METHODS.include? method or method.to_s =~ /^find_by/
+          confidence = CONFIDENCE[:high]
+        else
+          confidence = CONFIDENCE[:med]
+        end
+
+        warn :result => result,
+          :warning_type => "Cross Site Scripting", 
+          :message => "Unescaped model attribute in content_tag",
+          :user_input => match,
+          :confidence => confidence,
+          :link_path => "content_tag"
+      end
+
+    elsif @matched
+      message = "Unescaped "
+
+      case @matched.type
+      when :model
+        return if tracker.options[:ignore_model_output]
+        message << "model attribute"
+      when :params
+        message << "parameter"
+      when :cookies
+        message << "cookie"
+      when :session
+        message << "session"
+      else
+        message << "user input"
+      end
+
+      message << " value in content_tag"
+
+      add_result result
+
+      warn :result => result, 
+        :warning_type => "Cross Site Scripting", 
+        :message => message,
+        :user_input => @matched.match,
+        :confidence => CONFIDENCE[:med],
+        :link_path => "content_tag"
+      end
+  end
+
+  def process_call exp
+    if @mark
+      actually_process_call exp
+    else
+      @mark = true
+      actually_process_call exp
+      @mark = false
+    end
+
+    exp
+  end
+
+  def raw? exp
+    call? exp and exp.method == :raw
+  end
+end

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -34,7 +34,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
   FORM_BUILDER = Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new, Sexp.new(:arglist)) 
 
   #Run check
-  def run_check 
+  def run_check
     @ignore_methods = Set[:button_to, :check_box, :content_tag, :escapeHTML, :escape_once,
                            :field_field, :fields_for, :h, :hidden_field,
                            :hidden_field, :hidden_field_tag, :image_tag, :label,
@@ -58,6 +58,16 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
       @known_dangerous << :strip_tags
     end
 
+    matches = tracker.check_initializers :ActiveSupport, :escape_html_entities_in_json=
+    json_escape_on = matches.detect {|result| true? result[-1].first_arg}
+
+    if !json_escape_on or version_between? "0.0.0", "2.0.99"
+      @known_dangerous << :to_json
+      Brakeman.debug("Automatic to_json escaping not enabled, consider to_json dangerous")
+    else
+      Brakeman.debug("Automatic to_json escaping is enabled.")
+    end
+
     tracker.each_template do |name, template|
       @current_template = template
       template[:outputs].each do |out|
@@ -77,10 +87,10 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
   def check_for_immediate_xss exp
     return if duplicate? exp
 
-    if exp[0] == :output
-      out = exp[1]
-    elsif exp[0] == :escaped_output and raw_call? exp
-      out = exp[1][3][1]
+    if exp.node_type == :output
+      out = exp.value
+    elsif exp.node_type == :escaped_output and raw_call? exp
+      out = exp.value.first_arg
     end
 
     if input = has_immediate_user_input?(out)
@@ -115,12 +125,20 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
           confidence = CONFIDENCE[:med]
         end
 
+        message = "Unescaped model attribute"
+        link_path = "cross_site_scripting"
+        if node_type?(out, :call, :attrasgn) && out.method == :to_json
+          message += " in JSON hash" 
+          link_path += "_to_json"
+        end
+
         code = find_chain out, match
         warn :template => @current_template,
           :warning_type => "Cross Site Scripting", 
-          :message => "Unescaped model attribute",
+          :message => message,
           :code => code,
-          :confidence => confidence
+          :confidence => confidence,
+          :link_path => link_path
       end
 
     else
@@ -130,15 +148,15 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
 
   #Process an output Sexp
   def process_output exp
-    process exp[1].dup
+    process exp.value.dup
   end
 
   #Look for calls to raw()
   #Otherwise, ignore
   def process_escaped_output exp
     unless check_for_immediate_xss exp
-      if raw_call? exp
-        process exp[1][3][1]
+      if raw_call? exp and not duplicate? exp
+        process exp.value.first_arg
       end
     end
     exp
@@ -173,8 +191,13 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
         if message and not duplicate? exp
           add_result exp
 
-          if exp[1].nil? and @known_dangerous.include? exp[2]
+          link_path = "cross_site_scripting"
+          if @known_dangerous.include? exp.method
             confidence = CONFIDENCE[:high]
+            if exp.method == :to_json
+              message += " in JSON hash"
+              link_path += "_to_json"
+            end
           else
             confidence = CONFIDENCE[:low]
           end
@@ -184,7 +207,8 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
             :message => message,
             :code => exp,
             :user_input => @matched.match,
-            :confidence => confidence
+            :confidence => confidence,
+            :link_path => link_path
         end
       end
 
@@ -196,13 +220,13 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
 
   def actually_process_call exp
     return if @matched
-    target = exp[1]
+    target = exp.target
     if sexp? target
       target = process target
     end
 
-    method = exp[2]
-    args = exp[3]
+    method = exp.method
+    args = exp.arglist
 
     #Ignore safe items
     if (target.nil? and (@ignore_methods.include? method or method.to_s =~ IGNORE_LIKE)) or
@@ -215,7 +239,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
 
       #exp[0] = :ignore #should not be necessary
       @matched = false
-    elsif sexp? exp[1] and model_name? exp[1][1]
+    elsif sexp? target and model_name? target[1]
       @matched = Match.new(:model, exp)
     elsif cookies? exp
       @matched = Match.new(:cookies, exp)
@@ -267,6 +291,6 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
   end
 
   def raw_call? exp
-    exp[1].node_type == :call and exp[1][2] == :raw
+    exp.value.node_type == :call and exp.value.method == :raw
   end
 end