brakeman 1.9.3 → 1.9.4

checksums.yaml

@@ -1,7 +1,7 @@
 --- 
 SHA512: 
-  data.tar.gz: 957ae180d1a90244c7a6ce075c6453b9cbff5e2c9be1dd3504c87c0fc30aaa1de9fab3ca841714ac759cc9a301fe3546cb634b16d96507c5e4abbd4966ed949a
-  metadata.gz: 7e9d7f6e4d410fee09a739fb37508988401c6e5ee976ffdf542d2048df3366b2f2874f8e5bbd739181a8a5f64b93e4153db12c0fd4678b5140903a337197e945
+  metadata.gz: b29913808e5de71c6f0e13ab91142f730fdce339829e8fbfc91deca3eb0ce95eb24ce2e58e9fe576f121bce7f63a2015aa84866ac2bb41d07a266081c8e76293
+  data.tar.gz: 81669ba7654b7ced4214430613064484ba5fc7ea6a331ee31dd8aeea294621fda75b23b3caee0d1effec0b3fd67c7f636ee5e0868e17d337b6ac4a180e305db6
 SHA1: 
-  data.tar.gz: a7db08aa0eeedcfc56a2d282f5fd27dd0a2444a7
-  metadata.gz: 553b8352332aa17f233cb13368bfd85a2a2ff9f8
+  metadata.gz: 1f0ed0d4abb525abf8c95b72133ea5c304325075
+  data.tar.gz: 48837c8bdab262f44bf27c8962e13d4c9808589d

data/CHANGES

@@ -1,3 +1,15 @@
+# 1.9.4
+ 
+ * Add check for CVE-2013-1854
+ * Add check for CVE-2013-1855
+ * Add check for CVE-2013-1856
+ * Add check for CVE-2013-1857
+ * Fix `--compare` to work with older versions
+ * Add "no-referrer' to HTML report links
+ * Don't warn when invoking `send` on user input
+ * Slightly faster cloning of Sexps
+ * Detect another way to add `strong_parameters`
+
 # 1.9.3
  
  * Add render path to JSON report

data/lib/brakeman/checks/base_check.rb

@@ -211,11 +211,19 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     #ActiveRecord::Base in an initializer.
     if not @mass_assign_disabled and version_between?("3.1.0", "3.9.9") and tracker.config[:gems][:strong_parameters]
       matches = tracker.check_initializers([], :include)
+      forbidden_protection = Sexp.new(:colon2, Sexp.new(:const, :ActiveModel), :ForbiddenAttributesProtection)
 
       matches.each do |result|
-        call = result.call
-        if call? call
-          if call.first_arg == Sexp.new(:colon2, Sexp.new(:const, :ActiveModel), :ForbiddenAttributesProtection)
+        if call? result.call and result.call.first_arg == forbidden_protection
+          @mass_assign_disabled = true
+        end
+      end
+
+      unless @mass_assign_disabled
+        matches = tracker.check_initializers(:"ActiveRecord::Base", :send)
+
+        matches.each do |result|
+          if call? result.call and result.call.second_arg == forbidden_protection
             @mass_assign_disabled = true
           end
         end

data/lib/brakeman/checks/check_jruby_xml.rb

@@ -0,0 +1,38 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckJRubyXML < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for versions with JRuby XML parsing backend"
+
+  def run_check
+    return unless RUBY_PLATFORM == "java"
+
+    fix_version = case
+      when version_between?('3.0.0', '3.0.99')
+        '3.2.13'
+      when version_between?('3.1.0', '3.1.11')
+        '3.1.12'
+      when version_between?('3.2.0', '3.2.12')
+        '3.2.13'
+      else
+        return
+      end
+
+    #Check for workaround
+    tracker.check_initializers(:"ActiveSupport::XmlMini", :backend=).each do |result|
+      arg = result.call.first_arg
+
+      if string? arg and arg.value == "REXML"
+        return
+      end
+    end
+
+    warn :warning_type => "File Access",
+      :warning_code => :CVE_2013_1856,
+      :message => "Rails #{tracker.config[:rails_version]} with JRuby has a vulnerability in XML parser: upgrade to #{fix_version} or patch",
+      :confidence => CONFIDENCE[:high],
+      :file => gemfile_or_environment,
+      :link => "https://groups.google.com/d/msg/rubyonrails-security/KZwsQbYsOiI/5kUV7dSCJGwJ"
+  end
+end

data/lib/brakeman/checks/check_sanitize_methods.rb

@@ -0,0 +1,54 @@
+require 'brakeman/checks/base_check'
+
+#sanitize and sanitize_css are vulnerable:
+#CVE-2013-1855 and CVE-2013-1857
+class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for versions with vulnerable sanitize and sanitize_css"
+
+  def run_check
+    @fix_version = case
+      when version_between?('2.0.0', '2.3.17')
+        '2.3.18'
+      when version_between?('3.0.0', '3.0.99')
+        '3.2.13'
+      when version_between?('3.1.0', '3.1.11')
+        '3.1.12'
+      when version_between?('3.2.0', '3.2.12')
+        '3.2.13'
+      else
+        return
+      end
+
+    check_cve_2013_1855
+    check_cve_2013_1857
+  end
+
+  def check_cve_2013_1855
+    check_for_cve :sanitize_css, :CVE_2013_1855, "https://groups.google.com/d/msg/rubyonrails-security/4_QHo4BqnN8/_RrdfKk12I4J"
+  end
+
+  def check_cve_2013_1857
+    check_for_cve :sanitize, :CVE_2013_1857, "https://groups.google.com/d/msg/rubyonrails-security/zAAU7vGTPvI/1vZDWXqBuXgJ"
+  end
+
+  def check_for_cve method, code, link
+    tracker.find_call(:target => false, :method => method).each do |result|
+      message = "Rails #{tracker.config[:rails_version]} has a vulnerability in #{method}: upgrade to #{@fix_version} or patch"
+
+      if include_user_input? result[:call]
+        confidence = CONFIDENCE[:high]
+      else
+        confidence = CONFIDENCE[:medium]
+      end
+
+      warn :result => result,
+        :warning_type => "Cross Site Scripting",
+        :warning_code => code,
+        :message => message,
+        :confidence => CONFIDENCE[:high],
+        :link_path => link
+    end
+  end
+end

data/lib/brakeman/checks/check_send.rb

@@ -28,15 +28,5 @@ class Brakeman::CheckSend < Brakeman::BaseCheck
         :user_input => input.match,
         :confidence => CONFIDENCE[:high]
     end
-
-    if input = has_immediate_user_input?(target)
-      warn :result => result,
-        :warning_type => "Dangerous Send",
-        :warning_code => :dangerous_send,
-        :message => "User defined target of method invocation",
-        :code => result[:call],
-        :user_input => input.match,
-        :confidence => CONFIDENCE[:med]
-    end
   end
 end

data/lib/brakeman/checks/check_symbol_dos.rb

@@ -0,0 +1,29 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for versions with ActiveRecord symbol denial of service" 
+
+  def run_check
+    fix_version = case
+      when version_between?('2.0.0', '2.3.17')
+        '2.3.18'
+      when version_between?('3.1.0', '3.1.11')
+        '3.1.12'
+      when version_between?('3.2.0', '3.2.12')
+        '3.2.13'
+      else
+        return
+      end
+
+    unless active_record_models.empty?
+      warn :warning_type => "Denial of Service",
+        :warning_code => :CVE_2013_1854,
+        :message => "Rails #{tracker.config[:rails_version]} has a denial of service vulnerability in ActiveRecord: upgrade to #{fix_version} or patch",
+        :confidence => CONFIDENCE[:med],
+        :file => gemfile_or_environment,
+        :link => "https://groups.google.com/d/msg/rubyonrails-security/jgJ4cjjS8FE/BGbHRxnDRTIJ"
+    end
+  end
+end

data/lib/brakeman/differ.rb

@@ -2,6 +2,7 @@
 # an array of Brakeman::Warnings or plain hash representations.  
 class Brakeman::Differ
   DEFAULT_HASH = {:new => [], :fixed => []}
+  OLD_WARNING_KEYS = [:warning_type, :location, :code, :message, :file, :link, :confidence, :user_input]
   attr_reader :old_warnings, :new_warnings
 
   def initialize new_warnings, old_warnings
@@ -52,6 +53,14 @@ class Brakeman::Differ
       fixed_warning = fixed_warning.to_hash
     end
 
-    new_warning[:fingerprint] == fixed_warning[:fingerprint]
+    if new_warning[:fingerprint] and fixed_warning[:fingerprint]
+      new_warning[:fingerprint] == fixed_warning[:fingerprint]
+    else
+     OLD_WARNING_KEYS.each do |attr|
+        return false if new_warning[attr] != fixed_warning[attr]
+      end
+
+      true
+    end
   end
 end

data/lib/brakeman/processors/alias_processor.rb

@@ -63,7 +63,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
 
     #Generic replace
     if replacement = env[exp] and not duplicate? replacement
-      result = set_line replacement.deep_clone, exp.line
+      result = replacement.deep_clone(exp.line)
     else
       result = exp
     end
@@ -580,20 +580,6 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     meth_env
   end
 
-  #Set line nunber for +exp+ and every Sexp it contains. Used when replacing
-  #expressions, so warnings indicate the correct line.
-  def set_line exp, line_number
-    if sexp? exp
-      exp.original_line(exp.original_line || exp.line)
-      exp.line line_number
-      exp.each do |e|
-        set_line e, line_number
-      end
-    end
-
-    exp
-  end
-
   #Finds the inner most call target which is not the target of a call to <<
   def find_push_target exp
     if call? exp and exp.method == :<<

data/lib/brakeman/report.rb

@@ -639,7 +639,7 @@ HEADER
   end
 
   def with_link warning, message
-    "<a href=\"#{warning.link}\">#{message}</a>"
+    "<a rel=\"no-referrer\" href=\"#{warning.link}\">#{message}</a>"
   end
 
   #Generated tab-separated output suitable for the Jenkins Brakeman Plugin:

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "1.9.3"
+  Version = "1.9.4"
 end

data/lib/brakeman/warning_codes.rb

@@ -54,7 +54,11 @@ module Brakeman::WarningCodes
     :CVE_2013_0276 => 51,
     :CVE_2013_0333 => 52,
     :xss_content_tag => 53,
-    :mass_assign_without_protection => 54
+    :mass_assign_without_protection => 54,
+    :CVE_2013_1854 => 55,
+    :CVE_2013_1855 => 56,
+    :CVE_2013_1856 => 57,
+    :CVE_2013_1857 => 58,
   }
 
   def self.code name

data/lib/ruby_parser/bm_sexp.rb

@@ -14,6 +14,30 @@ class Sexp
     raise NoMethodError.new("No method '#{name}' for Sexp", name, args)
   end
 
+  #Create clone of Sexp and nested Sexps but not their non-Sexp contents.
+  #If a line number is provided, also sets line/original_line on all Sexps.
+  def deep_clone line = nil
+    s = Sexp.new
+
+    self.each do |e|
+      if e.is_a? Sexp
+        s << e.deep_clone(line)
+      else
+        s << e
+      end
+    end
+
+    if line
+      s.original_line(self.original_line || self.line)
+      s.line(line)
+    else
+      s.original_line(self.original_line)
+      s.line(self.line)
+    end
+
+    s
+  end
+
   def paren
     @paren ||= false
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: brakeman
 version: !ruby/object:Gem::Version 
-  version: 1.9.3
+  version: 1.9.4
 platform: ruby
 authors: 
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2013-03-01 00:00:00 Z
+date: 2013-03-19 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: ruby_parser
@@ -161,6 +161,8 @@ files:
 - lib/brakeman/checks/check_mass_assignment.rb
 - lib/brakeman/checks/check_link_to_href.rb
 - lib/brakeman/checks/check_filter_skipping.rb
+- lib/brakeman/checks/check_symbol_dos.rb
+- lib/brakeman/checks/check_sanitize_methods.rb
 - lib/brakeman/checks/check_file_access.rb
 - lib/brakeman/checks/base_check.rb
 - lib/brakeman/checks/check_validation_regex.rb
@@ -171,6 +173,7 @@ files:
 - lib/brakeman/checks/check_json_parsing.rb
 - lib/brakeman/checks/check_execute.rb
 - lib/brakeman/checks/check_translate_bug.rb
+- lib/brakeman/checks/check_jruby_xml.rb
 - lib/brakeman/checks/check_default_routes.rb
 - lib/brakeman/checks/check_yaml_load.rb
 - lib/brakeman/checks/check_link_to.rb