brakeman 2.0.0 → 2.1.0

data/CHANGES

@@ -1,3 +1,23 @@
+# 2.1.0
+
+ * Support non-native line endings in Gemfile.lock (Paul Deardorff)
+ * Support for ignoring warnings
+ * Check for dangerous model attributes defined in attr_accessible (Paul Deardorff)
+ * Update to ruby_parser 3.2.2
+ * Add brakeman-min gemspec
+ * Load gem dependencies on-demand 
+ * Output JSON diff to file if -o option is used 
+ * Add check for authenticate_or_request_with_http_basic
+ * Refactor of SQL injection check code (Bart ten Brinke)
+ * Fix detection of duplicate XSS warnings
+ * Refactor reports into separate classes 
+ * Allow use of Slim 2.x (Ian Zabel) 
+ * Return error exit code when application path is not found
+ * Add `--branch-limit` option, limit to 5 by default
+ * Add more methods to check for command injection
+ * Fix output format detection to be more strict again
+ * Allow empty Brakeman configuration file
+
 # 2.0.0
   
  * Add `--only-files` option to specify files/paths to scan (Ian Ehlert)

data/README.md

@@ -9,7 +9,7 @@ Climate](https://codeclimate.com/github/presidentbeef/brakeman.png)](https://cod
 
 Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
 
-It targets Rails versions 2.x and 3.x.
+It works with Rails 2.x, 3.x, and 4.x.
 
 There is also a [plugin available](http://brakemanscanner.org/docs/jenkins/) for Jenkins/Hudson.
 
@@ -124,6 +124,11 @@ To compare results of a scan with a previous scan, use the JSON output option an
 
 This will output JSON with two lists: one of fixed warnings and one of new warnings.
 
+Brakeman will ignore warnings if configured to do so. By default, it looks for a configuration file in `config/brakeman.ignore`.
+To create and manage this file, use:
+
+    brakeman -I
+
 # Warning information
 
 See WARNING\_TYPES for more information on the warnings reported by this tool.

data/bin/brakeman

@@ -59,7 +59,16 @@ end
 begin
   if options[:previous_results_json]
     vulns = Brakeman.compare options.merge(:quiet => options[:quiet])
-    puts MultiJson.dump(vulns, :pretty => true)
+
+    if options[:comparison_output_file]
+      File.open options[:comparison_output_file], "w" do |f|
+        f.puts MultiJson.dump(vulns, :pretty => true)
+      end
+
+      Brakeman.notify "Comparison saved in '#{options[:comparison_output_file]}'"
+    else
+      puts MultiJson.dump(vulns, :pretty => true)
+    end
 
     if options[:exit_on_warn] and (vulns[:new].count + vulns[:fixed].count > 0)
       exit Brakeman::Warnings_Found_Exit_Code
@@ -69,10 +78,11 @@ begin
     tracker = Brakeman.run options.merge(:print_report => true, :quiet => options[:quiet])
 
     #Return error code if --exit-on-warn is used and warnings were found
-    if options[:exit_on_warn] and not tracker.checks.all_warnings.empty?
+    if options[:exit_on_warn] and not tracker.warnings.empty?
       exit Brakeman::Warnings_Found_Exit_Code
     end
   end
-rescue Brakeman::Scanner::NoApplication => e
+rescue Brakeman::NoApplication => e
   $stderr.puts e.message
+  exit 1
 end

data/lib/brakeman.rb

@@ -10,6 +10,7 @@ module Brakeman
 
   @debug = false
   @quiet = false
+  @loaded_dependencies = []
 
   #Run Brakeman scan. Returns Tracker object.
   #
@@ -91,11 +92,17 @@ module Brakeman
     #Load configuration file
     if config = config_file(custom_location)
       options = YAML.load_file config
-      options.each { |k, v| options[k] = Set.new v if v.is_a? Array }
-      
-      # notify if options[:quiet] and quiet is nil||false
-      notify "[Notice] Using configuration in #{config}" unless (options[:quiet] || quiet)
-      options
+
+      if options
+        options.each { |k, v| options[k] = Set.new v if v.is_a? Array }
+
+        # notify if options[:quiet] and quiet is nil||false
+        notify "[Notice] Using configuration in #{config}" unless (options[:quiet] || quiet)
+        options
+      else
+        notify "[Notice] Empty configuration file: #{config}" unless quiet
+        {}
+      end
     else
       {}
     end
@@ -138,7 +145,12 @@ module Brakeman
     elsif options[:output_files]
       get_formats_from_output_files options[:output_files]
     else
-      return [:to_s]
+      begin
+        require 'terminal-table'
+        return [:to_s]
+      rescue LoadError
+        return [:to_json]
+      end
     end
   end
   
@@ -278,8 +290,11 @@ module Brakeman
     else
       notify "Runnning checks..."
     end
+
     tracker.run_checks
 
+    self.filter_warnings tracker, options
+
     if options[:output_files]
       notify "Generating report..."
 
@@ -296,7 +311,7 @@ module Brakeman
   def self.write_report_to_files tracker, output_files
     output_files.each_with_index do |output_file, idx|
       File.open output_file, "w" do |f|
-        f.write tracker.report.format(output_file)
+        f.write tracker.report.format(tracker.options[:output_formats][idx])
       end
       notify "Report saved in '#{output_file}'"
     end
@@ -360,6 +375,48 @@ module Brakeman
     Brakeman::Differ.new(new_results, previous_results).diff
   end
 
+  def self.load_dependency name
+    return if @loaded_dependencies.include? name
+
+    begin
+      require name
+    rescue LoadError => e
+      $stderr.puts e.message
+      $stderr.puts "Please install the appropriate dependency."
+      exit! -1
+    end
+  end
+
+  def self.filter_warnings tracker, options
+    require 'brakeman/report/ignore/config'
+
+    app_tree = Brakeman::AppTree.from_options(options)
+
+    if options[:ignore_file]
+      file = options[:ignore_file]
+    elsif app_tree.exists? "config/brakeman.ignore"
+      file = app_tree.expand_path("config/brakeman.ignore")
+    elsif not options[:interactive_ignore]
+      return
+    end
+
+    notify "Filtering warnings..."
+
+    if options[:interactive_ignore]
+      require 'brakeman/report/ignore/interactive'
+      config = InteractiveIgnorer.new(file, tracker.warnings).start
+    else
+      notify "[Notice] Using '#{file}' to filter warnings"
+      config = IgnoreConfig.new(file, tracker.warnings)
+      config.read_from_file
+      config.filter_ignored
+    end
+
+    tracker.ignored_filter = config
+  end
+
+  class DependencyError < RuntimeError; end
   class RakeInstallError < RuntimeError; end
   class NoBrakemanError < RuntimeError; end
+  class NoApplication < RuntimeError; end
 end

data/lib/brakeman/call_index.rb

@@ -5,8 +5,8 @@ class Brakeman::CallIndex
 
   #Initialize index with calls from FindAllCalls
   def initialize calls
-    @calls_by_method = Hash.new { |h,k| h[k] = [] }
-    @calls_by_target = Hash.new { |h,k| h[k] = [] }
+    @calls_by_method = Hash.new
+    @calls_by_target = Hash.new
 
     index_calls calls
   end
@@ -95,9 +95,11 @@ class Brakeman::CallIndex
 
   def index_calls calls
     calls.each do |call|
+      @calls_by_method[call[:method]] ||= []
       @calls_by_method[call[:method]] << call
 
       unless call[:target].is_a? Sexp
+        @calls_by_target[call[:target]] ||= []
         @calls_by_target[call[:target]] << call
       end
     end
@@ -138,7 +140,7 @@ class Brakeman::CallIndex
     if method.is_a? Array
       calls_by_methods method
     else
-      @calls_by_method[method.to_sym]
+      @calls_by_method[method.to_sym] || []
     end
   end
 
@@ -154,7 +156,7 @@ class Brakeman::CallIndex
   end
 
   def calls_with_no_target
-    @calls_by_target[nil]
+    @calls_by_target[nil] || []
   end
 
   def filter calls, key, value

data/lib/brakeman/checks/check_basic_auth.rb

@@ -12,6 +12,11 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
   def run_check
     return if version_between? "0.0.0", "3.0.99"
 
+    check_basic_auth_filter
+    check_basic_auth_request
+  end
+
+  def check_basic_auth_filter
     controllers = tracker.controllers.select do |name, c|
       c[:options][:http_basic_authenticate_with]
     end
@@ -21,10 +26,10 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
 
         if pass = get_password(call) and string? pass
           warn :controller => name,
-              :warning_type => "Basic Auth", 
+              :warning_type => "Basic Auth",
               :warning_code => :basic_auth_password,
               :message => "Basic authentication password stored in source code",
-              :code => call, 
+              :code => call,
               :confidence => 0,
               :file => controller[:file]
 
@@ -34,6 +39,46 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
     end
   end
 
+  # Look for
+  #  authenticate_or_request_with_http_basic do |username, password|
+  #    username == "foo" && password == "bar"
+  #  end
+  def check_basic_auth_request
+    tracker.find_call(:target => nil, :method => :authenticate_or_request_with_http_basic).each do |result|
+      if include_password_literal? result
+          warn :result => result,
+              :code => @include_password,
+              :warning_type => "Basic Auth",
+              :warning_code => :basic_auth_password,
+              :message => "Basic authentication password stored in source code",
+              :confidence => 0
+      end
+    end
+  end
+
+  # Check if the block of a result contains a comparison of password to string
+  def include_password_literal? result
+    @password_var = result[:block_args].last
+    @include_password = false
+    process result[:block]
+    @include_password
+  end
+
+  # Looks for :== calls on password var
+  def process_call exp
+    target = exp.target
+
+    if node_type?(target, :lvar) and
+      target.value == @password_var and
+      exp.method == :== and
+      string? exp.first_arg
+
+      @include_password = exp
+    end
+
+    exp
+  end
+
   def get_password call
     arg = call.first_arg
 

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -92,7 +92,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
   end
 
   def check_for_immediate_xss exp
-    return if duplicate? exp
+    return :duplicate if duplicate? exp
 
     if exp.node_type == :output
       out = exp.value
@@ -120,7 +120,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
                end
 
       unless IGNORE_MODEL_METHODS.include? method
-        add_result out
+        add_result exp
 
         if MODEL_METHODS.include? method or method.to_s =~ /^find_by/
           confidence = CONFIDENCE[:high]
@@ -229,16 +229,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
     method = exp.method
 
     #Ignore safe items
-    if (target.nil? and (@ignore_methods.include? method or method.to_s =~ IGNORE_LIKE)) or
-      (@matched and @matched.type == :model and IGNORE_MODEL_METHODS.include? method) or
-      (target == HAML_HELPERS and method == :html_escape) or
-      ((target == URI or target == CGI) and method == :escape) or
-      (target == XML_HELPER and method == :escape_xml) or
-      (target == FORM_BUILDER and @ignore_methods.include? method) or
-      (target and @safe_input_attributes.include? method) or
-      (method.to_s[-1,1] == "?")
-
-      #exp[0] = :ignore #should not be necessary
+    if ignore_call? target, method
       @matched = false
     elsif sexp? target and model_name? target[1] #TODO: use method call?
       @matched = Match.new(:model, exp)
@@ -293,4 +284,51 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
   def raw_call? exp
     exp.value.node_type == :call and exp.value.method == :raw
   end
+
+  def ignore_call? target, method
+    ignored_method?(target, method) or
+    safe_input_attribute?(target, method) or
+    ignored_model_method?(method) or
+    form_builder_method?(target, method) or
+    haml_escaped?(target, method) or
+    boolean_method?(method) or
+    cgi_escaped?(target, method) or
+    xml_escaped?(target, method)
+  end
+
+  def ignored_model_method? method
+    @matched and
+    @matched.type == :model and
+    IGNORE_MODEL_METHODS.include? method
+  end
+
+  def ignored_method? target, method
+    target.nil? and
+    (@ignore_methods.include? method or method.to_s =~ IGNORE_LIKE)
+  end
+
+  def cgi_escaped? target, method
+    method == :escape and
+    (target == URI or target == CGI)
+  end
+
+  def haml_escaped? target, method
+    method == :html_escape and target == HAML_HELPERS
+  end
+
+  def xml_escaped? target, method
+    method == :escape_xml and target == XML_HELPER
+  end
+
+  def form_builder_method? target, method
+    target == FORM_BUILDER and @ignore_methods.include? method
+  end
+
+  def safe_input_attribute? target, method
+    target and @safe_input_attributes.include? method
+  end
+
+  def boolean_method? method
+    method.to_s.end_with? "?"
+  end
 end

data/lib/brakeman/checks/check_execute.rb

@@ -19,7 +19,10 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
     check_for_backticks tracker
 
     Brakeman.debug "Finding other system calls"
-    calls = tracker.find_call :targets => [:IO, :Open3, :Kernel, nil], :methods => [:exec, :popen, :popen3, :syscall, :system]
+    calls = tracker.find_call :targets => [:IO, :Open3, :Kernel, :'POSIX::Spawn', :Process, nil],
+      :methods => [:capture2, :capture2e, :capture3, :exec, :pipeline, :pipeline_r,
+        :pipeline_rw, :pipeline_start, :pipeline_w, :popen, :popen2, :popen2e, 
+        :popen3, :spawn, :syscall, :system]
 
     Brakeman.debug "Processing system calls"
     calls.each do |result|

data/lib/brakeman/checks/check_model_attr_accessible.rb

@@ -0,0 +1,48 @@
+require 'brakeman/checks/base_check'
+
+# Author: Paul Deardorff (themetric) 
+# Checks models to see if important foreign keys 
+# or attributes are exposed as attr_accessible when 
+# they probably shouldn't be. 
+
+class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Reports models which have dangerous attributes defined under the attr_accessible whitelist."
+
+  SUSP_ATTRS = {
+    /admin/ => CONFIDENCE[:high], # Very dangerous unless some Rails authorization used 
+    /role/ => CONFIDENCE[:med],   
+    /banned/ => CONFIDENCE[:med], 
+    :account_id => CONFIDENCE[:high], 
+    /\S*_id(s?)\z/ => CONFIDENCE[:low] # All other foreign keys have weak/low confidence 
+  }
+
+  def run_check
+    check_models do |name, model|
+      accessible_attrs = model[:attr_accessible]
+      accessible_attrs.each do |attribute|
+        SUSP_ATTRS.each do |susp_attr, confidence|
+            if susp_attr.is_a?(Regexp) and susp_attr =~ attribute.to_s or susp_attr == attribute 
+              warn :model => name,    
+                :file => model[:file],                          
+                :warning_type => "Mass Assignment", 
+                :warning_code => :mass_assign_call,
+                :message => "Potentially dangerous attribute #{attribute} available for mass assignment.", 
+                :confidence => confidence 
+              break # Prevent from matching single attr multiple times
+            end 
+        end         
+      end 
+    end
+  end
+
+  def check_models
+    tracker.models.each do |name, model|
+      if !model[:attr_accessible].nil?
+        yield name, model
+      end
+    end
+  end
+ 
+end