brakeman 1.9.1 → 1.9.2

data/CHANGES

@@ -1,3 +1,14 @@
+# 1.9.2
+
+ * Add check for CVE-2013-0269
+ * Add check for CVE-2013-0276
+ * Add check for CVE-2013-0277
+ * Add check for CVE-2013-0333
+ * Check for more send-like methods
+ * Check for more SQL injection locations
+ * Check for more dangerous YAML methods
+ * Support MultiJSON 1.2 for Rails 3.0 and 3.1
+
 # 1.9.1
 
  * Update to RubyParser 3.1.1 (neersighted)

data/lib/brakeman/checks/base_check.rb

@@ -23,7 +23,9 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     @string_interp = false
     @current_set = nil
     @current_template = @current_module = @current_class = @current_method = nil
+    @active_record_models = nil
     @mass_assign_disabled = nil
+    @has_user_input = nil
     @safe_input_attributes = Set[:to_i, :to_f, :arel_table]
   end
 

data/lib/brakeman/checks/check_content_tag.rb

@@ -32,6 +32,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
 
     @models = tracker.models.keys
     @inspect_arguments = tracker.options[:check_arguments]
+    @mark = nil
 
     Brakeman.debug "Checking for XSS in content_tag"
     methods.each do |call|
@@ -158,7 +159,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
         :user_input => @matched.match,
         :confidence => CONFIDENCE[:med],
         :link_path => "content_tag"
-      end
+    end
   end
 
   def process_call exp

data/lib/brakeman/checks/check_json_parsing.rb

@@ -0,0 +1,100 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for JSON parsing vulnerabilities CVE-2013-0333 and CVE-2013-0269"
+
+  def run_check
+    check_cve_2013_0333
+    check_cve_2013_0269
+  end
+
+  def check_cve_2013_0333
+    return unless version_between? "0.0.0", "2.3.15" or version_between? "3.0.0", "3.0.19"
+
+    unless uses_yajl? or uses_gem_backend?
+      new_version = if version_between? "0.0.0", "2.3.14"
+                      "2.3.16"
+                    elsif version_between? "3.0.0", "3.0.19"
+                      "3.0.20"
+                    end
+
+      message = "Rails #{tracker.config[:rails_version]} has a serious JSON parsing vulnerability: upgrade to #{new_version} or patch"
+
+      warn :warning_type => "Remote Code Execution",
+        :message => message,
+        :confidence => CONFIDENCE[:high],
+        :file => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/1h2DR63ViGo/discussion"
+    end
+  end
+
+  #Check if `yajl` is included in Gemfile
+  def uses_yajl?
+    tracker.config[:gems] and tracker.config[:gems][:yajl]
+  end
+
+  #Check for `ActiveSupport::JSON.backend = "JSONGem"`
+  def uses_gem_backend?
+    matches = tracker.check_initializers(:'ActiveSupport::JSON', :backend=)
+
+    unless matches.empty?
+      json_gem = s(:str, "JSONGem")
+
+      matches.each do |result|
+        if result.call.first_arg == json_gem
+          return true
+        end
+      end
+    end
+
+    false
+  end
+
+  def check_cve_2013_0269
+    [:json, :json_pure].each do |name|
+      version = tracker.config[:gems] && tracker.config[:gems][name]
+      check_json_version name, version if version
+    end
+  end
+
+  def check_json_version name, version
+    return if version >= "1.7.7" or
+              (version >= "1.6.8" and version < "1.7.0") or
+              (version >= "1.5.5" and version < "1.6.0")
+
+    warning_type = "Denial of Service"
+    confidence = CONFIDENCE[:med]
+    message = "#{name} gem version #{version} has a symbol creation vulnerablity: upgrade to "
+
+    if version >= "1.7.0"
+      confidence = CONFIDENCE[:high]
+      warning_type = "Remote Code Execution"
+      message = "#{name} gem version #{version} has a remote code vulnerablity: upgrade to 1.7.7"
+    elsif version >= "1.6.0"
+      message << "1.6.8"
+    elsif version >= "1.5.0"
+      message << "1.5.5"
+    else
+      confidence = CONFIDENCE[:low]
+      message << "1.5.5"
+    end
+
+    if confidence == CONFIDENCE[:med] and uses_json_parse?
+      confidence = CONFIDENCE[:high]
+    end
+
+    warn :warning_type => warning_type,
+      :message => message,
+      :confidence => confidence,
+      :file => gemfile_or_environment,
+      :link => "https://groups.google.com/d/topic/rubyonrails-security/4_YvCpLzL58/discussion"
+  end
+
+  def uses_json_parse?
+    return @uses_json_parse unless @uses_json_parse.nil?
+
+    not tracker.find_call(:target => :JSON, :method => :parse).empty?
+  end
+end

data/lib/brakeman/checks/check_model_attributes.rb

@@ -34,10 +34,13 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
       end
 
       unless protected_names.empty?
+        message, confidence, link = check_for_attr_protected_bypass
+
         warn :model => protected_names.sort.join(", "),
           :warning_type => "Attribute Restriction",
-          :message => "attr_accessible is recommended over attr_protected",
-          :confidence => CONFIDENCE[:low]
+          :message => message,
+          :confidence => confidence,
+          :link => link
       end
     else #Output one warning per model
 
@@ -49,12 +52,14 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
             :message => "Mass assignment is not restricted using attr_accessible",
             :confidence => CONFIDENCE[:high]
         elsif not tracker.options[:ignore_attr_protected]
+          message, confidence, link = check_for_attr_protected_bypass
+
           warn :model => name,
             :file => model[:file],
             :line => model[:options][:attr_protected].first.line,
             :warning_type => "Attribute Restriction",
-            :message => "attr_accessible is recommended over attr_protected",
-            :confidence => CONFIDENCE[:low]
+            :message => message,
+            :confidence => confidence
         end
       end
     end
@@ -67,4 +72,31 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
       end
     end
   end
+
+  def check_for_attr_protected_bypass
+    upgrade_version = case
+                      when version_between?("2.0.0", "2.3.16")
+                        "2.3.17"
+                      when version_between?("3.0.0", "3.0.99")
+                        "3.2.11"
+                      when version_between?("3.1.0", "3.1.10")
+                        "3.1.11"
+                      when version_between?("3.2.0", "3.2.11")
+                        "3.2.12"
+                      else
+                        nil
+                      end
+
+    if upgrade_version
+      message = "attr_protected is bypassable in #{tracker.config[:rails_version]}, use attr_accessible or upgrade to #{upgrade_version}"
+      confidence = CONFIDENCE[:high]
+      link = "https://groups.google.com/d/topic/rubyonrails-security/AFBKNY7VSH8/discussion"
+    else
+      message = "attr_accessible is recommended over attr_protected"
+      confidence = CONFIDENCE[:med]
+      link = nil
+    end
+
+    return message, confidence, link
+  end
 end

data/lib/brakeman/checks/check_model_serialize.rb

@@ -0,0 +1,64 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckModelSerialize < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Report uses of serialize in versions vulnerable to CVE-2013-0277"
+
+  def run_check
+    @upgrade_version = case
+                      when version_between?("2.0.0", "2.3.16")
+                        "2.3.17"
+                      when version_between?("3.0.0", "3.0.99")
+                        "3.2.11"
+                      else
+                        nil
+                      end
+
+    return unless @upgrade_version
+
+    tracker.models.each do |name, model|
+      check_for_serialize model
+    end
+  end
+
+  #High confidence warning on serialized, unprotected attributes.
+  #Medium confidence warning for serialized, protected attributes.
+  def check_for_serialize model
+    if serialized_attrs = model[:options] && model[:options][:serialize]
+      attrs = Set.new
+
+      serialized_attrs.each do |arglist|
+        arglist.each do |arg|
+          attrs << arg if symbol? arg
+        end
+      end
+
+      if unsafe_attrs = model[:attr_accessible]
+        attrs.delete_if { |attr| not unsafe_attrs.include? attr.value }
+      elsif protected_attrs = model[:options][:attr_protected]
+        safe_attrs = Set.new
+
+        protected_attrs.each do |arglist|
+          arglist.each do |arg|
+            safe_attrs << arg if symbol? arg
+          end
+        end
+
+        attrs.delete_if { |attr| safe_attrs.include? attr }
+      end
+
+      if attrs.empty?
+        confidence = CONFIDENCE[:med]
+      else
+        confidence = CONFIDENCE[:high]
+      end
+
+      warn :model => model[:name],
+        :warning_type => "Remote Code Execution",
+        :message => "Serialized attributes are vulnerable in Rails #{tracker.config[:rails_version]}, upgrade to #{@upgrade_version} or patch.",
+        :confidence => confidence,
+        :link => "https://groups.google.com/d/topic/rubyonrails-security/KtmwSbEpzrU/discussion"
+    end
+  end
+end

data/lib/brakeman/checks/check_send.rb

@@ -8,7 +8,7 @@ class Brakeman::CheckSend < Brakeman::BaseCheck
 
   def run_check
     Brakeman.debug("Finding instances of #send")
-    calls = tracker.find_call :method => :send
+    calls = tracker.find_call :methods => [:send, :try, :__send__, :public_send]
 
     calls.each do |call|
       process_result call

data/lib/brakeman/checks/check_sql.rb

@@ -17,7 +17,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     @rails_version = tracker.config[:rails_version]
 
     @sql_targets = [:all, :average, :calculate, :count, :count_by_sql, :exists?,
-      :find, :find_by_sql, :first, :last, :maximum, :minimum, :sum]
+      :find, :find_by_sql, :first, :last, :maximum, :minimum, :pluck, :sum, :update_all]
 
     if tracker.options[:rails3]
       @sql_targets.concat [:from, :group, :having, :joins, :lock, :order, :reorder, :select, :where]
@@ -138,9 +138,15 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   end
 
   def check_rails_version_for_cve_2013_0155
-    if version_between?("2.0.0", "2.3.15") || version_between?("3.0.0", "3.0.18") || version_between?("3.1.0", "3.1.9") || version_between?("3.2.0", "3.2.10")
+    if version_between?("3.0.0", "3.0.18") || version_between?("3.1.0", "3.1.9") || version_between?("3.2.0", "3.2.10")
+      message = 'All versions of Rails before 3.0.19, 3.1.10, and 3.2.11 contain a SQL Injection Vulnerability: CVE-2013-0155; Upgrade to 3.2.11, 3.1.10, 3.0.19'
+    elsif version_between?("2.0.0", "2.3.15")
+      message = "Rails #{@rails_version} contains a SQL Injection Vulnerability: CVE-2013-0155; Upgrade to 2.3.16"
+    end
+
+    if message
       warn :warning_type => 'SQL Injection',
-        :message => 'All versions of Rails before 3.0.19, 3.1.10, and 3.2.11 contain a SQL Injection Vulnerability: CVE-2013-0155; Upgrade to 3.2.11, 3.1.10, 3.0.19',
+        :message => message,
         :confidence => CONFIDENCE[:high],
         :file => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/c7jT-EeN9eI/discussion"
@@ -229,6 +235,10 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
                         unsafe_sql? call.first_arg
                       when :lock
                         check_lock_arguments call.first_arg
+                      when :pluck
+                        unsafe_sql? call.first_arg
+                      when :update_all
+                        check_update_all_arguments call.args
                       else
                         Brakeman.debug "Unhandled SQL method: #{method}"
                       end
@@ -372,6 +382,15 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     end
   end
 
+  def check_update_all_arguments args
+    args.each do |arg|
+      res = unsafe_sql? arg
+      return res if res
+    end
+
+    nil
+  end
+
   #Model#lock essentially only cares about strings. But those strings can be
   #any SQL fragment. This does not apply to all databases. (For those who do not
   #support it, the lock method does nothing).

data/lib/brakeman/checks/check_yaml_load.rb

@@ -7,7 +7,9 @@ class Brakeman::CheckYAMLLoad < Brakeman::BaseCheck
   @description = "Checks for uses of YAML.load"
 
   def run_check
-    tracker.find_call(:target => :YAML, :method => :load).each do |result|
+    yaml_methods = [:load, :load_documents, :load_stream, :parse_documents, :parse_stream]
+
+    tracker.find_call(:target => :YAML, :methods => yaml_methods ).each do |result|
       check_yaml_load result
     end
   end
@@ -17,6 +19,7 @@ class Brakeman::CheckYAMLLoad < Brakeman::BaseCheck
     add_result result
 
     arg = result[:call].first_arg
+    method = result[:call].method
 
     if input = has_immediate_user_input?(arg)
       confidence = CONFIDENCE[:high]
@@ -38,7 +41,7 @@ class Brakeman::CheckYAMLLoad < Brakeman::BaseCheck
                      "user input"
                    end
 
-      message = "YAML.load called with #{input_type}"
+      message = "YAML.#{method} called with #{input_type}"
 
       warn :result => result,
         :warning_type => "Remote Code Execution",

data/lib/brakeman/checks/check_yaml_parsing.rb

@@ -38,6 +38,7 @@ class Brakeman::CheckYAMLParsing < Brakeman::BaseCheck
       warn :warning_type => "Remote Code Execution",
         :message => message,
         :confidence => CONFIDENCE[:high],
+        :file => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/discussion"
     end
   end

data/lib/brakeman/processors/gem_processor.rb

@@ -14,6 +14,7 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
 
     if gem_lock
       get_rails_version gem_lock
+      get_json_version gem_lock
     elsif @tracker.config[:gems][:rails] =~ /(\d+.\d+.\d+)/
       @tracker.config[:rails_version] = $1
     end
@@ -40,9 +41,18 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
     exp
   end
 
+  #Need to implement generic gem version check
+  def get_version name, gem_lock
+    match = gem_lock.match(/\s#{name} \((\d+.\d+.\d+.*)\)$/)
+    match[1] if match
+  end
+
   def get_rails_version gem_lock
-    if gem_lock =~ /\srails \((\d+.\d+.\d+.*)\)$/
-      @tracker.config[:rails_version] = $1
-    end
+    @tracker.config[:rails_version] = get_version("rails", gem_lock)
+  end
+
+  def get_json_version gem_lock
+    @tracker.config[:gems][:json] = get_version("json", gem_lock)
+    @tracker.config[:gems][:json_pure] = get_version("json_pure", gem_lock)
   end
 end

data/lib/brakeman/processors/lib/render_helper.rb

@@ -13,7 +13,7 @@ module Brakeman::RenderHelper
     when :default
       begin
         process_template template_name, exp[3]
-      rescue ArgumentError => e
+      rescue ArgumentError
         Brakeman.debug "Problem processing render: #{exp}"
       end
     when :partial, :layout

data/lib/brakeman/report.rb

@@ -18,8 +18,26 @@ else
   # CSV is now FasterCSV in ruby 1.9
 end
 
+#MultiJson interface changed in 1.3.0, but need
+#to support older MultiJson for Rails 3.1.
+if MultiJson.respond_to? :default_adapter
+  mj_engine = MultiJson.default_adapter
+else
+  mj_engine = MultiJson.default_engine
+
+  module MultiJson
+    def self.dump *args
+      encode *args
+    end
+
+    def self.load *args
+      decode *args
+    end
+  end
+end
+
 #This is so OkJson will work with symbol values
-if MultiJson.default_adapter == :ok_json
+if mj_engine == :ok_json
   class Symbol
     def to_json
       self.to_s.inspect
@@ -694,11 +712,13 @@ HEADER
       :brakeman_version => Brakeman::Version
     }
 
-    MultiJson.dump({
+    report_info = {
       :scan_info => scan_info,
       :warnings => warnings,
       :errors => errors
-    }, :pretty => true)
+    }
+
+    MultiJson.dump(report_info, :pretty => true)
   end
 
   def all_warnings

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "1.9.1"
+  Version = "1.9.2"
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: brakeman
 version: !ruby/object:Gem::Version 
-  hash: 49
+  hash: 55
   prerelease: 
   segments: 
   - 1
   - 9
-  - 1
-  version: 1.9.1
+  - 2
+  version: 1.9.2
 platform: ruby
 authors: 
 - Justin Collins
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2013-01-19 00:00:00 Z
+date: 2013-02-14 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: ruby_parser
@@ -146,11 +146,11 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
-        hash: 9
+        hash: 11
         segments: 
         - 1
-        - 3
-        version: "1.3"
+        - 2
+        version: "1.2"
   type: :runtime
   version_requirements: *id009
 description: Brakeman detects security vulnerabilities in Ruby on Rails applications via static analysis.
@@ -181,6 +181,7 @@ files:
 - lib/brakeman/checks/check_select_vulnerability.rb
 - lib/brakeman/checks/check_escape_function.rb
 - lib/brakeman/checks/check_single_quotes.rb
+- lib/brakeman/checks/check_model_serialize.rb
 - lib/brakeman/checks/check_basic_auth.rb
 - lib/brakeman/checks/check_safe_buffer_manipulation.rb
 - lib/brakeman/checks/check_forgery_setting.rb
@@ -204,6 +205,7 @@ files:
 - lib/brakeman/checks/check_digest_dos.rb
 - lib/brakeman/checks/check_render.rb
 - lib/brakeman/checks/check_send_file.rb
+- lib/brakeman/checks/check_json_parsing.rb
 - lib/brakeman/checks/check_execute.rb
 - lib/brakeman/checks/check_translate_bug.rb
 - lib/brakeman/checks/check_default_routes.rb