brakeman 1.9.3 → 1.9.4
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGES +12 -0
- data/lib/brakeman/checks/base_check.rb +11 -3
- data/lib/brakeman/checks/check_jruby_xml.rb +38 -0
- data/lib/brakeman/checks/check_sanitize_methods.rb +54 -0
- data/lib/brakeman/checks/check_send.rb +0 -10
- data/lib/brakeman/checks/check_symbol_dos.rb +29 -0
- data/lib/brakeman/differ.rb +10 -1
- data/lib/brakeman/processors/alias_processor.rb +1 -15
- data/lib/brakeman/report.rb +1 -1
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning_codes.rb +5 -1
- data/lib/ruby_parser/bm_sexp.rb +24 -0
- metadata +5 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA512:
|
3
|
-
|
4
|
-
|
3
|
+
metadata.gz: b29913808e5de71c6f0e13ab91142f730fdce339829e8fbfc91deca3eb0ce95eb24ce2e58e9fe576f121bce7f63a2015aa84866ac2bb41d07a266081c8e76293
|
4
|
+
data.tar.gz: 81669ba7654b7ced4214430613064484ba5fc7ea6a331ee31dd8aeea294621fda75b23b3caee0d1effec0b3fd67c7f636ee5e0868e17d337b6ac4a180e305db6
|
5
5
|
SHA1:
|
6
|
-
|
7
|
-
|
6
|
+
metadata.gz: 1f0ed0d4abb525abf8c95b72133ea5c304325075
|
7
|
+
data.tar.gz: 48837c8bdab262f44bf27c8962e13d4c9808589d
|
data/CHANGES
CHANGED
@@ -1,3 +1,15 @@
|
|
1
|
+
# 1.9.4
|
2
|
+
|
3
|
+
* Add check for CVE-2013-1854
|
4
|
+
* Add check for CVE-2013-1855
|
5
|
+
* Add check for CVE-2013-1856
|
6
|
+
* Add check for CVE-2013-1857
|
7
|
+
* Fix `--compare` to work with older versions
|
8
|
+
* Add "no-referrer' to HTML report links
|
9
|
+
* Don't warn when invoking `send` on user input
|
10
|
+
* Slightly faster cloning of Sexps
|
11
|
+
* Detect another way to add `strong_parameters`
|
12
|
+
|
1
13
|
# 1.9.3
|
2
14
|
|
3
15
|
* Add render path to JSON report
|
@@ -211,11 +211,19 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
|
|
211
211
|
#ActiveRecord::Base in an initializer.
|
212
212
|
if not @mass_assign_disabled and version_between?("3.1.0", "3.9.9") and tracker.config[:gems][:strong_parameters]
|
213
213
|
matches = tracker.check_initializers([], :include)
|
214
|
+
forbidden_protection = Sexp.new(:colon2, Sexp.new(:const, :ActiveModel), :ForbiddenAttributesProtection)
|
214
215
|
|
215
216
|
matches.each do |result|
|
216
|
-
call
|
217
|
-
|
218
|
-
|
217
|
+
if call? result.call and result.call.first_arg == forbidden_protection
|
218
|
+
@mass_assign_disabled = true
|
219
|
+
end
|
220
|
+
end
|
221
|
+
|
222
|
+
unless @mass_assign_disabled
|
223
|
+
matches = tracker.check_initializers(:"ActiveRecord::Base", :send)
|
224
|
+
|
225
|
+
matches.each do |result|
|
226
|
+
if call? result.call and result.call.second_arg == forbidden_protection
|
219
227
|
@mass_assign_disabled = true
|
220
228
|
end
|
221
229
|
end
|
@@ -0,0 +1,38 @@
|
|
1
|
+
require 'brakeman/checks/base_check'
|
2
|
+
|
3
|
+
class Brakeman::CheckJRubyXML < Brakeman::BaseCheck
|
4
|
+
Brakeman::Checks.add self
|
5
|
+
|
6
|
+
@description = "Checks for versions with JRuby XML parsing backend"
|
7
|
+
|
8
|
+
def run_check
|
9
|
+
return unless RUBY_PLATFORM == "java"
|
10
|
+
|
11
|
+
fix_version = case
|
12
|
+
when version_between?('3.0.0', '3.0.99')
|
13
|
+
'3.2.13'
|
14
|
+
when version_between?('3.1.0', '3.1.11')
|
15
|
+
'3.1.12'
|
16
|
+
when version_between?('3.2.0', '3.2.12')
|
17
|
+
'3.2.13'
|
18
|
+
else
|
19
|
+
return
|
20
|
+
end
|
21
|
+
|
22
|
+
#Check for workaround
|
23
|
+
tracker.check_initializers(:"ActiveSupport::XmlMini", :backend=).each do |result|
|
24
|
+
arg = result.call.first_arg
|
25
|
+
|
26
|
+
if string? arg and arg.value == "REXML"
|
27
|
+
return
|
28
|
+
end
|
29
|
+
end
|
30
|
+
|
31
|
+
warn :warning_type => "File Access",
|
32
|
+
:warning_code => :CVE_2013_1856,
|
33
|
+
:message => "Rails #{tracker.config[:rails_version]} with JRuby has a vulnerability in XML parser: upgrade to #{fix_version} or patch",
|
34
|
+
:confidence => CONFIDENCE[:high],
|
35
|
+
:file => gemfile_or_environment,
|
36
|
+
:link => "https://groups.google.com/d/msg/rubyonrails-security/KZwsQbYsOiI/5kUV7dSCJGwJ"
|
37
|
+
end
|
38
|
+
end
|
@@ -0,0 +1,54 @@
|
|
1
|
+
require 'brakeman/checks/base_check'
|
2
|
+
|
3
|
+
#sanitize and sanitize_css are vulnerable:
|
4
|
+
#CVE-2013-1855 and CVE-2013-1857
|
5
|
+
class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
|
6
|
+
Brakeman::Checks.add self
|
7
|
+
|
8
|
+
@description = "Checks for versions with vulnerable sanitize and sanitize_css"
|
9
|
+
|
10
|
+
def run_check
|
11
|
+
@fix_version = case
|
12
|
+
when version_between?('2.0.0', '2.3.17')
|
13
|
+
'2.3.18'
|
14
|
+
when version_between?('3.0.0', '3.0.99')
|
15
|
+
'3.2.13'
|
16
|
+
when version_between?('3.1.0', '3.1.11')
|
17
|
+
'3.1.12'
|
18
|
+
when version_between?('3.2.0', '3.2.12')
|
19
|
+
'3.2.13'
|
20
|
+
else
|
21
|
+
return
|
22
|
+
end
|
23
|
+
|
24
|
+
check_cve_2013_1855
|
25
|
+
check_cve_2013_1857
|
26
|
+
end
|
27
|
+
|
28
|
+
def check_cve_2013_1855
|
29
|
+
check_for_cve :sanitize_css, :CVE_2013_1855, "https://groups.google.com/d/msg/rubyonrails-security/4_QHo4BqnN8/_RrdfKk12I4J"
|
30
|
+
end
|
31
|
+
|
32
|
+
def check_cve_2013_1857
|
33
|
+
check_for_cve :sanitize, :CVE_2013_1857, "https://groups.google.com/d/msg/rubyonrails-security/zAAU7vGTPvI/1vZDWXqBuXgJ"
|
34
|
+
end
|
35
|
+
|
36
|
+
def check_for_cve method, code, link
|
37
|
+
tracker.find_call(:target => false, :method => method).each do |result|
|
38
|
+
message = "Rails #{tracker.config[:rails_version]} has a vulnerability in #{method}: upgrade to #{@fix_version} or patch"
|
39
|
+
|
40
|
+
if include_user_input? result[:call]
|
41
|
+
confidence = CONFIDENCE[:high]
|
42
|
+
else
|
43
|
+
confidence = CONFIDENCE[:medium]
|
44
|
+
end
|
45
|
+
|
46
|
+
warn :result => result,
|
47
|
+
:warning_type => "Cross Site Scripting",
|
48
|
+
:warning_code => code,
|
49
|
+
:message => message,
|
50
|
+
:confidence => CONFIDENCE[:high],
|
51
|
+
:link_path => link
|
52
|
+
end
|
53
|
+
end
|
54
|
+
end
|
@@ -28,15 +28,5 @@ class Brakeman::CheckSend < Brakeman::BaseCheck
|
|
28
28
|
:user_input => input.match,
|
29
29
|
:confidence => CONFIDENCE[:high]
|
30
30
|
end
|
31
|
-
|
32
|
-
if input = has_immediate_user_input?(target)
|
33
|
-
warn :result => result,
|
34
|
-
:warning_type => "Dangerous Send",
|
35
|
-
:warning_code => :dangerous_send,
|
36
|
-
:message => "User defined target of method invocation",
|
37
|
-
:code => result[:call],
|
38
|
-
:user_input => input.match,
|
39
|
-
:confidence => CONFIDENCE[:med]
|
40
|
-
end
|
41
31
|
end
|
42
32
|
end
|
@@ -0,0 +1,29 @@
|
|
1
|
+
require 'brakeman/checks/base_check'
|
2
|
+
|
3
|
+
class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
|
4
|
+
Brakeman::Checks.add self
|
5
|
+
|
6
|
+
@description = "Checks for versions with ActiveRecord symbol denial of service"
|
7
|
+
|
8
|
+
def run_check
|
9
|
+
fix_version = case
|
10
|
+
when version_between?('2.0.0', '2.3.17')
|
11
|
+
'2.3.18'
|
12
|
+
when version_between?('3.1.0', '3.1.11')
|
13
|
+
'3.1.12'
|
14
|
+
when version_between?('3.2.0', '3.2.12')
|
15
|
+
'3.2.13'
|
16
|
+
else
|
17
|
+
return
|
18
|
+
end
|
19
|
+
|
20
|
+
unless active_record_models.empty?
|
21
|
+
warn :warning_type => "Denial of Service",
|
22
|
+
:warning_code => :CVE_2013_1854,
|
23
|
+
:message => "Rails #{tracker.config[:rails_version]} has a denial of service vulnerability in ActiveRecord: upgrade to #{fix_version} or patch",
|
24
|
+
:confidence => CONFIDENCE[:med],
|
25
|
+
:file => gemfile_or_environment,
|
26
|
+
:link => "https://groups.google.com/d/msg/rubyonrails-security/jgJ4cjjS8FE/BGbHRxnDRTIJ"
|
27
|
+
end
|
28
|
+
end
|
29
|
+
end
|
data/lib/brakeman/differ.rb
CHANGED
@@ -2,6 +2,7 @@
|
|
2
2
|
# an array of Brakeman::Warnings or plain hash representations.
|
3
3
|
class Brakeman::Differ
|
4
4
|
DEFAULT_HASH = {:new => [], :fixed => []}
|
5
|
+
OLD_WARNING_KEYS = [:warning_type, :location, :code, :message, :file, :link, :confidence, :user_input]
|
5
6
|
attr_reader :old_warnings, :new_warnings
|
6
7
|
|
7
8
|
def initialize new_warnings, old_warnings
|
@@ -52,6 +53,14 @@ class Brakeman::Differ
|
|
52
53
|
fixed_warning = fixed_warning.to_hash
|
53
54
|
end
|
54
55
|
|
55
|
-
new_warning[:fingerprint]
|
56
|
+
if new_warning[:fingerprint] and fixed_warning[:fingerprint]
|
57
|
+
new_warning[:fingerprint] == fixed_warning[:fingerprint]
|
58
|
+
else
|
59
|
+
OLD_WARNING_KEYS.each do |attr|
|
60
|
+
return false if new_warning[attr] != fixed_warning[attr]
|
61
|
+
end
|
62
|
+
|
63
|
+
true
|
64
|
+
end
|
56
65
|
end
|
57
66
|
end
|
@@ -63,7 +63,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
63
63
|
|
64
64
|
#Generic replace
|
65
65
|
if replacement = env[exp] and not duplicate? replacement
|
66
|
-
result =
|
66
|
+
result = replacement.deep_clone(exp.line)
|
67
67
|
else
|
68
68
|
result = exp
|
69
69
|
end
|
@@ -580,20 +580,6 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
580
580
|
meth_env
|
581
581
|
end
|
582
582
|
|
583
|
-
#Set line nunber for +exp+ and every Sexp it contains. Used when replacing
|
584
|
-
#expressions, so warnings indicate the correct line.
|
585
|
-
def set_line exp, line_number
|
586
|
-
if sexp? exp
|
587
|
-
exp.original_line(exp.original_line || exp.line)
|
588
|
-
exp.line line_number
|
589
|
-
exp.each do |e|
|
590
|
-
set_line e, line_number
|
591
|
-
end
|
592
|
-
end
|
593
|
-
|
594
|
-
exp
|
595
|
-
end
|
596
|
-
|
597
583
|
#Finds the inner most call target which is not the target of a call to <<
|
598
584
|
def find_push_target exp
|
599
585
|
if call? exp and exp.method == :<<
|
data/lib/brakeman/report.rb
CHANGED
@@ -639,7 +639,7 @@ HEADER
|
|
639
639
|
end
|
640
640
|
|
641
641
|
def with_link warning, message
|
642
|
-
"<a href=\"#{warning.link}\">#{message}</a>"
|
642
|
+
"<a rel=\"no-referrer\" href=\"#{warning.link}\">#{message}</a>"
|
643
643
|
end
|
644
644
|
|
645
645
|
#Generated tab-separated output suitable for the Jenkins Brakeman Plugin:
|
data/lib/brakeman/version.rb
CHANGED
@@ -54,7 +54,11 @@ module Brakeman::WarningCodes
|
|
54
54
|
:CVE_2013_0276 => 51,
|
55
55
|
:CVE_2013_0333 => 52,
|
56
56
|
:xss_content_tag => 53,
|
57
|
-
:mass_assign_without_protection => 54
|
57
|
+
:mass_assign_without_protection => 54,
|
58
|
+
:CVE_2013_1854 => 55,
|
59
|
+
:CVE_2013_1855 => 56,
|
60
|
+
:CVE_2013_1856 => 57,
|
61
|
+
:CVE_2013_1857 => 58,
|
58
62
|
}
|
59
63
|
|
60
64
|
def self.code name
|
data/lib/ruby_parser/bm_sexp.rb
CHANGED
@@ -14,6 +14,30 @@ class Sexp
|
|
14
14
|
raise NoMethodError.new("No method '#{name}' for Sexp", name, args)
|
15
15
|
end
|
16
16
|
|
17
|
+
#Create clone of Sexp and nested Sexps but not their non-Sexp contents.
|
18
|
+
#If a line number is provided, also sets line/original_line on all Sexps.
|
19
|
+
def deep_clone line = nil
|
20
|
+
s = Sexp.new
|
21
|
+
|
22
|
+
self.each do |e|
|
23
|
+
if e.is_a? Sexp
|
24
|
+
s << e.deep_clone(line)
|
25
|
+
else
|
26
|
+
s << e
|
27
|
+
end
|
28
|
+
end
|
29
|
+
|
30
|
+
if line
|
31
|
+
s.original_line(self.original_line || self.line)
|
32
|
+
s.line(line)
|
33
|
+
else
|
34
|
+
s.original_line(self.original_line)
|
35
|
+
s.line(self.line)
|
36
|
+
end
|
37
|
+
|
38
|
+
s
|
39
|
+
end
|
40
|
+
|
17
41
|
def paren
|
18
42
|
@paren ||= false
|
19
43
|
end
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: brakeman
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.9.
|
4
|
+
version: 1.9.4
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Justin Collins
|
@@ -9,7 +9,7 @@ autorequire:
|
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
11
|
|
12
|
-
date: 2013-03-
|
12
|
+
date: 2013-03-19 00:00:00 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: ruby_parser
|
@@ -161,6 +161,8 @@ files:
|
|
161
161
|
- lib/brakeman/checks/check_mass_assignment.rb
|
162
162
|
- lib/brakeman/checks/check_link_to_href.rb
|
163
163
|
- lib/brakeman/checks/check_filter_skipping.rb
|
164
|
+
- lib/brakeman/checks/check_symbol_dos.rb
|
165
|
+
- lib/brakeman/checks/check_sanitize_methods.rb
|
164
166
|
- lib/brakeman/checks/check_file_access.rb
|
165
167
|
- lib/brakeman/checks/base_check.rb
|
166
168
|
- lib/brakeman/checks/check_validation_regex.rb
|
@@ -171,6 +173,7 @@ files:
|
|
171
173
|
- lib/brakeman/checks/check_json_parsing.rb
|
172
174
|
- lib/brakeman/checks/check_execute.rb
|
173
175
|
- lib/brakeman/checks/check_translate_bug.rb
|
176
|
+
- lib/brakeman/checks/check_jruby_xml.rb
|
174
177
|
- lib/brakeman/checks/check_default_routes.rb
|
175
178
|
- lib/brakeman/checks/check_yaml_load.rb
|
176
179
|
- lib/brakeman/checks/check_link_to.rb
|