brakeman 1.9.0 → 1.9.1

data/CHANGES

@@ -1,3 +1,15 @@
+# 1.9.1
+
+ * Update to RubyParser 3.1.1 (neersighted)
+ * Remove ActiveSupport dependency (Neil Matatall)
+ * Do not warn on arrays passed to `link_to` (Neil Matatall)
+ * Warn on secret tokens
+ * Warn on more mass assignment methods
+ * Add check for CVE-2012-5664
+ * Add check for CVE-2013-0155
+ * Add check for CVE-2013-0156
+ * Add check for unsafe `YAML.load`
+
 # 1.9.0
 
  * Update to RubyParser 3

data/lib/brakeman/checks/check_link_to_href.rb

@@ -65,6 +65,10 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
       # Decided NOT warn on models.  polymorphic_path is called it a model is 
       # passed to link_to (which passes it to url_for)
 
+    elsif array? url_arg
+      # Just like models, polymorphic path/url is called if the argument is 
+      # an array      
+
     elsif hash? url_arg
 
       # url_for uses the key/values pretty carefully and I don't see a risk.

data/lib/brakeman/checks/check_mass_assignment.rb

@@ -29,7 +29,13 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
       :update_attributes!,
       :create,
       :create!,
-      :build]
+      :build,
+      :first_or_create,
+      :first_or_create!,
+      :first_or_initialize!,
+      :assign_attributes,
+      :update
+    ]
 
     Brakeman.debug "Processing possible mass assignment calls"
     calls.each do |result|
@@ -79,11 +85,16 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
   #Want to ignore calls to Model.new that have no arguments
   def check_call call
     process_call_args call
-    first_arg = call.first_arg
 
-    if first_arg.nil? #empty new()
+    if call.method == :update
+      arg = call.second_arg
+    else
+      arg = call.first_arg
+    end
+
+    if arg.nil? #empty new()
       false
-    elsif hash? first_arg and not include_user_input? first_arg
+    elsif hash? arg and not include_user_input? arg
       false
     elsif all_literal_args? call
       false

data/lib/brakeman/checks/check_session_settings.rb

@@ -26,14 +26,27 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
     if tracker.initializers["session_store.rb"]
       process tracker.initializers["session_store.rb"]
     end
+
+    if tracker.initializers["secret_token.rb"]
+      process tracker.initializers["secret_token.rb"]
+    end
   end
 
   #Looks for ActionController::Base.session = { ... }
   #in Rails 2.x apps
+  #
+  #and App::Application.config.secret_token =
+  #in Rails 3.x apps
   def process_attrasgn exp
     if not tracker.options[:rails3] and exp.target == @session_settings and exp.method == :session=
       check_for_issues exp.first_arg, "#{tracker.options[:app_path]}/config/initializers/session_store.rb"
     end
+
+    if tracker.options[:rails3] and settings_target?(exp.target) and
+      exp.method == :secret_token= and string? exp.first_arg
+
+      warn_about_secret_token exp, "#{tracker.options[:app_path]}/config/initializers/secret_token.rb"
+    end
       
     exp
   end
@@ -69,8 +82,8 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
       end
 
       if value = hash_access(settings, :secret)
-        if string? value and value.value.length < 30
-          warn_about_secret_length value, file
+        if string? value
+          warn_about_secret_token value, file
         end
       end
     end
@@ -101,9 +114,9 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
 
   end
 
-  def warn_about_secret_length value, file
+  def warn_about_secret_token value, file
     warn :warning_type => "Session Setting",
-      :message => "Session secret should be at least 30 characters long",
+      :message => "Session secret should not be included in version control",
       :confidence => CONFIDENCE[:high],
       :line => value.line,
       :file => file

data/lib/brakeman/checks/check_sql.rb

@@ -46,6 +46,12 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     Brakeman.debug "Checking version of Rails for CVE-2012-2695"
     check_rails_version_for_cve_2012_2695
 
+    Brakeman.debug "Checking version of Rails for CVE-2012-5664"
+    check_rails_version_for_cve_2012_5664
+
+    Brakeman.debug "Checking version of Rails for CVE-2013-0155"
+    check_rails_version_for_cve_2013_0155
+
     Brakeman.debug "Processing possible SQL calls"
     calls.each do |c|
       process_result c
@@ -121,6 +127,26 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     end
   end
 
+  def check_rails_version_for_cve_2012_5664
+    if version_between?("2.0.0", "2.3.14") || version_between?("3.0.0", "3.0.17") || version_between?("3.1.0", "3.1.8") || version_between?("3.2.0", "3.2.9")
+      warn :warning_type => 'SQL Injection',
+        :message => 'All versions of Rails before 3.0.18, 3.1.9, and 3.2.10 contain a SQL Injection Vulnerability: CVE-2012-5664; Upgrade to 3.2.10, 3.1.9, 3.0.18',
+        :confidence => CONFIDENCE[:high],
+        :file => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/DCNTNp_qjFM/discussion"
+    end
+  end
+
+  def check_rails_version_for_cve_2013_0155
+    if version_between?("2.0.0", "2.3.15") || version_between?("3.0.0", "3.0.18") || version_between?("3.1.0", "3.1.9") || version_between?("3.2.0", "3.2.10")
+      warn :warning_type => 'SQL Injection',
+        :message => 'All versions of Rails before 3.0.19, 3.1.10, and 3.2.11 contain a SQL Injection Vulnerability: CVE-2013-0155; Upgrade to 3.2.11, 3.1.10, 3.0.19',
+        :confidence => CONFIDENCE[:high],
+        :file => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/c7jT-EeN9eI/discussion"
+    end
+  end
+
   def process_scope_with_block model_name, args
     scope_name = args[1][1]
     block = args[-1][-1]

data/lib/brakeman/checks/check_yaml_load.rb

@@ -0,0 +1,51 @@
+require 'brakeman/checks/base_check'
+
+#YAML.load can be used for remote code execution
+class Brakeman::CheckYAMLLoad < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for uses of YAML.load"
+
+  def run_check
+    tracker.find_call(:target => :YAML, :method => :load).each do |result|
+      check_yaml_load result
+    end
+  end
+
+  def check_yaml_load result
+    return if duplicate? result
+    add_result result
+
+    arg = result[:call].first_arg
+
+    if input = has_immediate_user_input?(arg)
+      confidence = CONFIDENCE[:high]
+    elsif input = include_user_input?(arg)
+      confidence = CONFIDENCE[:med]
+    end
+
+    if confidence
+      input_type = case input.type
+                   when :params
+                     "parameter value"
+                   when :cookies
+                     "cookies value"
+                   when :request
+                     "request value"
+                   when :model
+                     "model attribute"
+                   else
+                     "user input"
+                   end
+
+      message = "YAML.load called with #{input_type}"
+
+      warn :result => result,
+        :warning_type => "Remote Code Execution",
+        :message => message,
+        :user_input => input.match,
+        :confidence => confidence,
+        :link_path => "remote_code_execution_yaml_load"
+    end
+  end
+end

data/lib/brakeman/checks/check_yaml_parsing.rb

@@ -0,0 +1,118 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckYAMLParsing < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for YAML parsing vulnerabilities (CVE-2013-0156)"
+
+  def run_check
+    return unless version_between? "0.0.0", "2.3.14" or
+                  version_between? "3.0.0", "3.0.18" or
+                  version_between? "3.1.0", "3.1.9" or
+                  version_between? "3.2.0", "3.2.10"
+
+    unless disabled_xml_parser? or disabled_xml_dangerous_types?
+      new_version = if version_between? "0.0.0", "2.3.14"
+                      "2.3.15"
+                    elsif version_between? "3.0.0", "3.0.18"
+                      "3.0.19"
+                    elsif version_between? "3.1.0", "3.1.9"
+                      "3.1.10"
+                    elsif version_between? "3.2.0", "3.2.10"
+                      "3.2.11"
+                    end
+
+      message = "Rails #{tracker.config[:rails_version]} has a remote code execution vulnerability: upgrade to #{new_version} or disable XML parsing"
+
+      warn :warning_type => "Remote Code Execution",
+        :message => message,
+        :confidence => CONFIDENCE[:high],
+        :file => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/discussion"
+    end
+
+    #Warn if app accepts YAML
+    if version_between?("0.0.0", "2.3.14") and enabled_yaml_parser?
+      message = "Parsing YAML request parameters enables remote code execution: disable YAML parser"
+
+      warn :warning_type => "Remote Code Execution",
+        :message => message,
+        :confidence => CONFIDENCE[:high],
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/discussion"
+    end
+  end
+
+  def disabled_xml_parser?
+    if version_between? "0.0.0", "2.3.14"
+      #Look for ActionController::Base.param_parsers.delete(Mime::XML)
+      params_parser = s(:call,
+                        s(:colon2, s(:const, :ActionController), :Base),
+                        :param_parsers)
+
+      matches = tracker.check_initializers(params_parser, :delete)
+    else
+      #Look for ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML)
+      matches = tracker.check_initializers(:"ActionDispatch::ParamsParser::DEFAULT_PARSERS", :delete)
+    end
+
+    unless matches.empty?
+      mime_xml = s(:colon2, s(:const, :Mime), :XML)
+
+      matches.each do |result|
+        if result.call.first_arg == mime_xml
+          return true
+        end
+      end
+    end
+
+    false
+  end
+
+  #Look for ActionController::Base.param_parsers[Mime::YAML] = :yaml
+  #in Rails 2.x apps
+  def enabled_yaml_parser?
+    param_parsers = s(:call,
+                      s(:colon2, s(:const, :ActionController), :Base),
+                      :param_parsers)
+
+    matches = tracker.check_initializers(param_parsers, :[]=)
+
+    mime_yaml = s(:colon2, s(:const, :Mime), :YAML)
+
+    matches.each do |result|
+      if result.call.first_arg == mime_yaml and
+        symbol? result.call.second_arg and
+        result.call.second_arg.value == :yaml
+
+        return true
+      end
+    end
+
+    false
+  end
+
+  def disabled_xml_dangerous_types?
+    if version_between? "0.0.0", "2.3.14"
+      matches = tracker.check_initializers(:"ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING", :delete)
+    else
+      matches = tracker.check_initializers(:"ActiveSupport::XmlMini::PARSING", :delete)
+    end
+
+    symbols_off = false
+    yaml_off = false
+
+    matches.each do |result|
+      arg = result.call.first_arg
+
+      if string? arg
+        if arg.value == "yaml"
+          yaml_off = true
+        elsif arg.value == "symbol"
+          symbols_off = true
+        end
+      end
+    end
+
+    symbols_off and yaml_off
+  end
+end

data/lib/brakeman/processors/lib/find_call.rb

@@ -146,6 +146,8 @@ class Brakeman::FindCall < Brakeman::BaseProcessor
       else
         false
       end
+    when Sexp
+      search_terms == item
     when Enumerable
       if search_terms.empty?
         item == nil

data/lib/brakeman/util.rb

@@ -1,5 +1,4 @@
 require 'set'
-require 'active_support/inflector'
 
 #This is a mixin containing utility methods.
 module Brakeman::Util
@@ -40,11 +39,12 @@ module Brakeman::Util
       downcase
   end
 
-  #Use ActiveSupport::Inflector to pluralize a word.
+  # stupid simple, used to delegate to ActiveSupport
   def pluralize word
-    ActiveSupport::Inflector.pluralize word
+    word + "s"
   end
 
+
   #Takes an Sexp like
   # (:hash, (:lit, :key), (:str, "value"))
   #and yields the key and value pairs to the given block.

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "1.9.0"
+  Version = "1.9.1"
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: brakeman
 version: !ruby/object:Gem::Version 
-  hash: 51
+  hash: 49
   prerelease: 
   segments: 
   - 1
   - 9
-  - 0
-  version: 1.9.0
+  - 1
+  version: 1.9.1
 platform: ruby
 authors: 
 - Justin Collins
@@ -15,56 +15,28 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2012-12-25 00:00:00 Z
+date: 2013-01-19 00:00:00 Z
 dependencies: 
-- !ruby/object:Gem::Dependency 
-  name: activesupport
-  prerelease: false
-  requirement: &id001 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
-  type: :runtime
-  version_requirements: *id001
-- !ruby/object:Gem::Dependency 
-  name: i18n
-  prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
-  type: :runtime
-  version_requirements: *id002
 - !ruby/object:Gem::Dependency 
   name: ruby_parser
   prerelease: false
-  requirement: &id003 !ruby/object:Gem::Requirement 
+  requirement: &id001 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
-        hash: 15
+        hash: 1
         segments: 
         - 3
-        - 0
-        - 4
-        version: 3.0.4
+        - 1
+        - 1
+        version: 3.1.1
   type: :runtime
-  version_requirements: *id003
+  version_requirements: *id001
 - !ruby/object:Gem::Dependency 
   name: ruby2ruby
   prerelease: false
-  requirement: &id004 !ruby/object:Gem::Requirement 
+  requirement: &id002 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
@@ -75,11 +47,11 @@ dependencies:
         - 0
         version: "2.0"
   type: :runtime
-  version_requirements: *id004
+  version_requirements: *id002
 - !ruby/object:Gem::Dependency 
   name: terminal-table
   prerelease: false
-  requirement: &id005 !ruby/object:Gem::Requirement 
+  requirement: &id003 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
@@ -90,11 +62,11 @@ dependencies:
         - 4
         version: "1.4"
   type: :runtime
-  version_requirements: *id005
+  version_requirements: *id003
 - !ruby/object:Gem::Dependency 
   name: fastercsv
   prerelease: false
-  requirement: &id006 !ruby/object:Gem::Requirement 
+  requirement: &id004 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
@@ -105,11 +77,11 @@ dependencies:
         - 5
         version: "1.5"
   type: :runtime
-  version_requirements: *id006
+  version_requirements: *id004
 - !ruby/object:Gem::Dependency 
   name: highline
   prerelease: false
-  requirement: &id007 !ruby/object:Gem::Requirement 
+  requirement: &id005 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
@@ -120,11 +92,11 @@ dependencies:
         - 6
         version: "1.6"
   type: :runtime
-  version_requirements: *id007
+  version_requirements: *id005
 - !ruby/object:Gem::Dependency 
   name: erubis
   prerelease: false
-  requirement: &id008 !ruby/object:Gem::Requirement 
+  requirement: &id006 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
@@ -135,11 +107,11 @@ dependencies:
         - 6
         version: "2.6"
   type: :runtime
-  version_requirements: *id008
+  version_requirements: *id006
 - !ruby/object:Gem::Dependency 
   name: haml
   prerelease: false
-  requirement: &id009 !ruby/object:Gem::Requirement 
+  requirement: &id007 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
@@ -150,11 +122,11 @@ dependencies:
         - 0
         version: "3.0"
   type: :runtime
-  version_requirements: *id009
+  version_requirements: *id007
 - !ruby/object:Gem::Dependency 
   name: sass
   prerelease: false
-  requirement: &id010 !ruby/object:Gem::Requirement 
+  requirement: &id008 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
@@ -165,11 +137,11 @@ dependencies:
         - 0
         version: "3.0"
   type: :runtime
-  version_requirements: *id010
+  version_requirements: *id008
 - !ruby/object:Gem::Dependency 
   name: multi_json
   prerelease: false
-  requirement: &id011 !ruby/object:Gem::Requirement 
+  requirement: &id009 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
@@ -180,7 +152,7 @@ dependencies:
         - 3
         version: "1.3"
   type: :runtime
-  version_requirements: *id011
+  version_requirements: *id009
 description: Brakeman detects security vulnerabilities in Ruby on Rails applications via static analysis.
 email: 
 executables: 
@@ -215,6 +187,7 @@ files:
 - lib/brakeman/checks/check_session_settings.rb
 - lib/brakeman/checks/check_model_attributes.rb
 - lib/brakeman/checks/check_redirect.rb
+- lib/brakeman/checks/check_yaml_parsing.rb
 - lib/brakeman/checks/check_skip_before_filter.rb
 - lib/brakeman/checks/check_response_splitting.rb
 - lib/brakeman/checks/check_mail_to.rb
@@ -234,6 +207,7 @@ files:
 - lib/brakeman/checks/check_execute.rb
 - lib/brakeman/checks/check_translate_bug.rb
 - lib/brakeman/checks/check_default_routes.rb
+- lib/brakeman/checks/check_yaml_load.rb
 - lib/brakeman/checks/check_link_to.rb
 - lib/brakeman/checks/check_quote_table_name.rb
 - lib/brakeman/checks/check_send.rb