brakeman 2.4.0 → 2.4.1

data/CHANGES

@@ -1,3 +1,9 @@
+# 2.4.1
+
+ * Add check for CVE-2014-0082
+ * Add check for CVE-2014-0081, replaces CVE-2013-6415
+ * Add check for CVE-2014-0080
+
 # 2.4.0 
 
  * Detect Rails LTS versions

data/lib/brakeman/checks/check_number_to_currency.rb

@@ -3,53 +3,64 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckNumberToCurrency < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
-  @description = "Checks for number_to_currency XSS vulnerability in certain versions"
+  @description = "Checks for number helpers XSS vulnerabilities in certain versions"
 
   def run_check
-    return if lts_version? '2.3.18.6'
-
-    if (version_between? "2.0.0", "3.2.15" or version_between? "4.0.0", "4.0.1")
-      check_number_to_currency_usage
+    if version_between? "2.0.0", "2.3.18" or
+      version_between? "3.0.0", "3.2.16" or
+      version_between? "4.0.0", "4.0.2"
 
+      check_number_helper_usage
       generic_warning unless @found_any
     end
   end
 
   def generic_warning
-    message = "Rails #{tracker.config[:rails_version]} has a vulnerability in number_to_currency (CVE-2013-6415). Upgrade to Rails version "
+    message = "Rails #{tracker.config[:rails_version]} has a vulnerability in number helpers (CVE-2014-0081). Upgrade to Rails version "
 
-    if version_between? "2.3.0", "3.2.15"
-      message << "3.2.16"
+    if version_between? "2.3.0", "3.2.16"
+      message << "3.2.17"
     else
-      message << "4.0.2"
+      message << "4.0.3"
     end
 
     warn :warning_type => "Cross Site Scripting",
-      :warning_code => :CVE_2013_6415,
+      :warning_code => :CVE_2014_0081,
       :message => message,
       :confidence => CONFIDENCE[:med],
       :file => gemfile_or_environment,
       :link_path => "https://groups.google.com/d/msg/ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ"
   end
 
-  def check_number_to_currency_usage
-    tracker.find_call(:target => false, :method => :number_to_currency).each do |result|
+  def check_number_helper_usage
+    number_methods = [:number_to_currency, :number_to_percentage, :number_to_human] 
+    tracker.find_call(:target => false, :methods => number_methods).each do |result|
       arg = result[:call].second_arg
       next unless arg
 
-      if match = (has_immediate_user_input? arg or has_immediate_model? arg)
-        match = match.match if match.is_a? Match
-        @found_any = true
-        warn_on_number_to_currency result, match
+      if not check_helper_option(result, arg) and hash? arg
+        hash_iterate(arg) do |key, value|
+          break if check_helper_option(result, value)
+        end
       end
     end
   end
 
-  def warn_on_number_to_currency result, match
+  def check_helper_option result, exp
+    if match = (has_immediate_user_input? exp or has_immediate_model? exp)
+      match = match.match if match.is_a? Match
+      warn_on_number_helper result, match
+      @found_any = true
+    else
+      false
+    end
+  end
+
+  def warn_on_number_helper result, match
     warn :result => result,
       :warning_type => "Cross Site Scripting",
-      :warning_code => :CVE_2013_6415_call,
-      :message => "Currency value in number_to_currency is not safe in Rails #{@tracker.config[:rails_version]}",
+      :warning_code => :CVE_2014_0081_call,
+      :message => "Format options in #{result[:call].method} are not safe in Rails #{@tracker.config[:rails_version]}",
       :confidence => CONFIDENCE[:high],
       :link_path => "https://groups.google.com/d/msg/ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ",
       :user_input => match

data/lib/brakeman/checks/check_render_dos.rb

@@ -0,0 +1,37 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckRenderDoS < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Warn about denial of service with render :text (CVE-2014-0082)"
+
+  def run_check
+    if version_between? "3.0.0", "3.0.20" or
+       version_between? "3.1.0", "3.1.12" or
+       version_between? "3.2.0", "3.2.16"
+
+      tracker.find_call(:target => nil, :method => :render).each do |result|
+        if text_render? result
+          warn_about_text_render
+          break
+        end
+      end
+    end
+  end
+
+  def text_render? result
+    node_type? result[:call], :render and
+    result[:call].render_type == :text
+  end
+
+  def warn_about_text_render
+    message = "Rails #{tracker.config[:rails_version]} has a denial of service vulnerability (CVE-2014-0082). Upgrade to Rails version 3.2.17"
+
+    warn :warning_type => "Denial of Service",
+      :warning_code => :CVE_2014_0082,
+      :message => message,
+      :confidence => CONFIDENCE[:high],
+      :link_path => "https://groups.google.com/d/msg/rubyonrails-security/LMxO_3_eCuc/ozGBEhKaJbIJ",
+      :file => gemfile_or_environment
+  end
+end

data/lib/brakeman/checks/check_sql.rb

@@ -51,6 +51,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
 
     Brakeman.debug "Processing possible SQL calls"
     calls.each { |call| process_result call }
+
+    check_CVE_2014_0080
   end
 
   #Find calls to named_scope() or scope() in models
@@ -638,6 +640,19 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     end
   end
 
+  # TODO: Move all SQL CVE checks to separate class
+  def check_CVE_2014_0080
+    return unless version_between? "4.0.0", "4.0.2" and
+                  @tracker.config[:gems].include? :pg
+
+    warn :warning_type => 'SQL Injection',
+      :warning_code => :CVE_2014_0080,
+      :message => "Rails #{tracker.config[:rails_version]} contains a SQL injection vulnerability (CVE-2014-0080) with PostgreSQL. Upgrade to 4.0.3",
+      :confidence => CONFIDENCE[:high],
+      :file => gemfile_or_environment,
+      :link_path => "https://groups.google.com/d/msg/rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ"
+  end
+
   def upgrade_version? versions
     versions.each do |low, high, upgrade|
       return upgrade if version_between? low, high

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "2.4.0"
+  Version = "2.4.1"
 end

data/lib/brakeman/warning_codes.rb

@@ -71,7 +71,11 @@ module Brakeman::WarningCodes
     :CVE_2013_6416_call => 68,
     :CVE_2013_6417 => 69,
     :mass_assign_permit! => 70,
-    :ssl_verification_bypass => 71
+    :ssl_verification_bypass => 71,
+    :CVE_2014_0080 => 72,
+    :CVE_2014_0081 => 73,
+    :CVE_2014_0081_call => 74,
+    :CVE_2014_0082 => 75,
   }
 
   def self.code name

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: brakeman
 version: !ruby/object:Gem::Version 
-  hash: 31
+  hash: 29
   prerelease: 
   segments: 
   - 2
   - 4
-  - 0
-  version: 2.4.0
+  - 1
+  version: 2.4.1
 platform: ruby
 authors: 
 - Justin Collins
@@ -36,7 +36,7 @@ cert_chain:
   bdw=
   -----END CERTIFICATE-----
 
-date: 2014-02-05 00:00:00 Z
+date: 2014-02-19 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: ruby_parser
@@ -253,6 +253,7 @@ files:
 - lib/brakeman/checks/check_quote_table_name.rb
 - lib/brakeman/checks/check_redirect.rb
 - lib/brakeman/checks/check_render.rb
+- lib/brakeman/checks/check_render_dos.rb
 - lib/brakeman/checks/check_response_splitting.rb
 - lib/brakeman/checks/check_safe_buffer_manipulation.rb
 - lib/brakeman/checks/check_sanitize_methods.rb