brakeman 2.4.0 → 2.4.1
- data.tar.gz.sig +0 -0
- data/CHANGES +6 -0
- data/lib/brakeman/checks/check_number_to_currency.rb +30 -19
- data/lib/brakeman/checks/check_render_dos.rb +37 -0
- data/lib/brakeman/checks/check_sql.rb +15 -0
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning_codes.rb +5 -1
- metadata +5 -4
- metadata.gz.sig +0 -0
data.tar.gz.sig
CHANGED
Binary file
|
data/CHANGES
CHANGED
@@ -3,53 +3,64 @@ require 'brakeman/checks/base_check'
|
|
3
3
|
class Brakeman::CheckNumberToCurrency < Brakeman::BaseCheck
|
4
4
|
Brakeman::Checks.add self
|
5
5
|
|
6
|
-
@description = "Checks for
|
6
|
+
@description = "Checks for number helpers XSS vulnerabilities in certain versions"
|
7
7
|
|
8
8
|
def run_check
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
check_number_to_currency_usage
|
9
|
+
if version_between? "2.0.0", "2.3.18" or
|
10
|
+
version_between? "3.0.0", "3.2.16" or
|
11
|
+
version_between? "4.0.0", "4.0.2"
|
13
12
|
|
13
|
+
check_number_helper_usage
|
14
14
|
generic_warning unless @found_any
|
15
15
|
end
|
16
16
|
end
|
17
17
|
|
18
18
|
def generic_warning
|
19
|
-
message = "Rails #{tracker.config[:rails_version]} has a vulnerability in
|
19
|
+
message = "Rails #{tracker.config[:rails_version]} has a vulnerability in number helpers (CVE-2014-0081). Upgrade to Rails version "
|
20
20
|
|
21
|
-
if version_between? "2.3.0", "3.2.
|
22
|
-
message << "3.2.
|
21
|
+
if version_between? "2.3.0", "3.2.16"
|
22
|
+
message << "3.2.17"
|
23
23
|
else
|
24
|
-
message << "4.0.
|
24
|
+
message << "4.0.3"
|
25
25
|
end
|
26
26
|
|
27
27
|
warn :warning_type => "Cross Site Scripting",
|
28
|
-
:warning_code => :
|
28
|
+
:warning_code => :CVE_2014_0081,
|
29
29
|
:message => message,
|
30
30
|
:confidence => CONFIDENCE[:med],
|
31
31
|
:file => gemfile_or_environment,
|
32
32
|
:link_path => "https://groups.google.com/d/msg/ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ"
|
33
33
|
end
|
34
34
|
|
35
|
-
def
|
36
|
-
|
35
|
+
def check_number_helper_usage
|
36
|
+
number_methods = [:number_to_currency, :number_to_percentage, :number_to_human]
|
37
|
+
tracker.find_call(:target => false, :methods => number_methods).each do |result|
|
37
38
|
arg = result[:call].second_arg
|
38
39
|
next unless arg
|
39
40
|
|
40
|
-
if
|
41
|
-
|
42
|
-
|
43
|
-
|
41
|
+
if not check_helper_option(result, arg) and hash? arg
|
42
|
+
hash_iterate(arg) do |key, value|
|
43
|
+
break if check_helper_option(result, value)
|
44
|
+
end
|
44
45
|
end
|
45
46
|
end
|
46
47
|
end
|
47
48
|
|
48
|
-
def
|
49
|
+
def check_helper_option result, exp
|
50
|
+
if match = (has_immediate_user_input? exp or has_immediate_model? exp)
|
51
|
+
match = match.match if match.is_a? Match
|
52
|
+
warn_on_number_helper result, match
|
53
|
+
@found_any = true
|
54
|
+
else
|
55
|
+
false
|
56
|
+
end
|
57
|
+
end
|
58
|
+
|
59
|
+
def warn_on_number_helper result, match
|
49
60
|
warn :result => result,
|
50
61
|
:warning_type => "Cross Site Scripting",
|
51
|
-
:warning_code => :
|
52
|
-
:message => "
|
62
|
+
:warning_code => :CVE_2014_0081_call,
|
63
|
+
:message => "Format options in #{result[:call].method} are not safe in Rails #{@tracker.config[:rails_version]}",
|
53
64
|
:confidence => CONFIDENCE[:high],
|
54
65
|
:link_path => "https://groups.google.com/d/msg/ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ",
|
55
66
|
:user_input => match
|
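Review bot: `warn_on_number_helper` builds its message from `@tracker.config[:rails_version]` while `generic_warning` and `check_number_helper_usage` in the same hunk go through the `tracker` reader; use `tracker.config[:rails_version]` there too so the class reads the tracker one way. In `check_number_helper_usage` the block parameter `key` in `hash_iterate(arg) do |key, value|` is never used and should be written `_key`. `check_helper_option` is both the place the warning is emitted and a predicate (`break if check_helper_option(result, value)` relies on it returning `@found_any = true` or `false`), so a comment such as `# Warns and returns true when exp is flagged by has_immediate_user_input? or has_immediate_model?; returns false otherwise` would make that contract explicit. Note also that `generic_warning` picks the 3.2.17 advice only from "2.3.0", whereas `run_check` fires from "2.0.0", so a 2.0–2.2 app is told to upgrade to 4.0.3; if that is intended, a one-line comment saying so would stop the next reader from treating it as a bound mismatch. The body of `warn_on_number_helper` continues past the end of the hunk.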
@@ -0,0 +1,37 @@
|
|
1
|
+
require 'brakeman/checks/base_check'
|
2
|
+
|
3
|
+
class Brakeman::CheckRenderDoS < Brakeman::BaseCheck
|
4
|
+
Brakeman::Checks.add self
|
5
|
+
|
6
|
+
@description = "Warn about denial of service with render :text (CVE-2014-0082)"
|
7
|
+
|
8
|
+
def run_check
|
9
|
+
if version_between? "3.0.0", "3.0.20" or
|
10
|
+
version_between? "3.1.0", "3.1.12" or
|
11
|
+
version_between? "3.2.0", "3.2.16"
|
12
|
+
|
13
|
+
tracker.find_call(:target => nil, :method => :render).each do |result|
|
14
|
+
if text_render? result
|
15
|
+
warn_about_text_render
|
16
|
+
break
|
17
|
+
end
|
18
|
+
end
|
19
|
+
end
|
20
|
+
end
|
21
|
+
|
22
|
+
def text_render? result
|
23
|
+
node_type? result[:call], :render and
|
24
|
+
result[:call].render_type == :text
|
25
|
+
end
|
26
|
+
|
27
|
+
def warn_about_text_render
|
28
|
+
message = "Rails #{tracker.config[:rails_version]} has a denial of service vulnerability (CVE-2014-0082). Upgrade to Rails version 3.2.17"
|
29
|
+
|
30
|
+
warn :warning_type => "Denial of Service",
|
31
|
+
:warning_code => :CVE_2014_0082,
|
32
|
+
:message => message,
|
33
|
+
:confidence => CONFIDENCE[:high],
|
34
|
+
:link_path => "https://groups.google.com/d/msg/rubyonrails-security/LMxO_3_eCuc/ozGBEhKaJbIJ",
|
35
|
+
:file => gemfile_or_environment
|
36
|
+
end
|
37
|
+
end
|
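Review bot: `warn_about_text_render` is called without the `result` that `run_check` just found and warns on `:file => gemfile_or_environment`, so the report cannot show which `render :text` call made the version-only finding applicable, unlike the sibling check in this commit that passes `:result => result`. If the Gemfile placement is deliberate because the remedy is an upgrade rather than a code change, a comment on the loop such as `# One file-level warning is enough; the first render :text only confirms the app is exposed` would make the `break` self-explanatory, otherwise pass `result` through and add `:result => result` to the `warn` call. `text_render?` depends on `and` binding below the parenthesis-less `node_type? result[:call], :render`; `node_type?(result[:call], :render) && result[:call].render_type == :text` expresses the same condition without leaning on operator precedence.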
@@ -51,6 +51,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
51
51
|
|
52
52
|
Brakeman.debug "Processing possible SQL calls"
|
53
53
|
calls.each { |call| process_result call }
|
54
|
+
|
55
|
+
check_CVE_2014_0080
|
54
56
|
end
|
55
57
|
|
56
58
|
#Find calls to named_scope() or scope() in models
|
@@ -638,6 +640,19 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
638
640
|
end
|
639
641
|
end
|
640
642
|
|
643
|
+
# TODO: Move all SQL CVE checks to separate class
|
644
|
+
def check_CVE_2014_0080
|
645
|
+
return unless version_between? "4.0.0", "4.0.2" and
|
646
|
+
@tracker.config[:gems].include? :pg
|
647
|
+
|
648
|
+
warn :warning_type => 'SQL Injection',
|
649
|
+
:warning_code => :CVE_2014_0080,
|
650
|
+
:message => "Rails #{tracker.config[:rails_version]} contains a SQL injection vulnerability (CVE-2014-0080) with PostgreSQL. Upgrade to 4.0.3",
|
651
|
+
:confidence => CONFIDENCE[:high],
|
652
|
+
:file => gemfile_or_environment,
|
653
|
+
:link_path => "https://groups.google.com/d/msg/rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ"
|
654
|
+
end
|
655
|
+
|
641
656
|
def upgrade_version? versions
|
642
657
|
versions.each do |low, high, upgrade|
|
643
658
|
return upgrade if version_between? low, high
|
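Review bot: `check_CVE_2014_0080` reads `@tracker.config[:gems]` in its guard but `tracker.config[:rails_version]` in the `warn` call a few lines below; settle on one form within the method. If `config[:gems]` can be absent for an app without a Gemfile, `.include? :pg` raises `NoMethodError` instead of skipping the check — worth confirming against how the config is populated, and if it can be nil the guard should become `return unless version_between? "4.0.0", "4.0.2" and (gems = @tracker.config[:gems]) and gems.include? :pg`. The `# TODO` above the method says where it should live but not what it does; a line like `# Version-only advisory: Rails 4.0.0-4.0.2 together with the pg gem (CVE-2014-0080)` would document the actual condition. The enclosing `Brakeman::CheckSQL` class starts and ends outside the hunk.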
data/lib/brakeman/version.rb
CHANGED
@@ -71,7 +71,11 @@ module Brakeman::WarningCodes
|
|
71
71
|
:CVE_2013_6416_call => 68,
|
72
72
|
:CVE_2013_6417 => 69,
|
73
73
|
:mass_assign_permit! => 70,
|
74
|
-
:ssl_verification_bypass => 71
|
74
|
+
:ssl_verification_bypass => 71,
|
75
|
+
:CVE_2014_0080 => 72,
|
76
|
+
:CVE_2014_0081 => 73,
|
77
|
+
:CVE_2014_0081_call => 74,
|
78
|
+
:CVE_2014_0082 => 75,
|
75
79
|
}
|
76
80
|
|
77
81
|
def self.code name
|
metadata
CHANGED
@@ -1,13 +1,13 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: brakeman
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
hash:
|
4
|
+
hash: 29
|
5
5
|
prerelease:
|
6
6
|
segments:
|
7
7
|
- 2
|
8
8
|
- 4
|
9
|
-
-
|
10
|
-
version: 2.4.
|
9
|
+
- 1
|
10
|
+
version: 2.4.1
|
11
11
|
platform: ruby
|
12
12
|
authors:
|
13
13
|
- Justin Collins
|
@@ -36,7 +36,7 @@ cert_chain:
|
|
36
36
|
bdw=
|
37
37
|
-----END CERTIFICATE-----
|
38
38
|
|
39
|
-
date: 2014-02-
|
39
|
+
date: 2014-02-19 00:00:00 Z
|
40
40
|
dependencies:
|
41
41
|
- !ruby/object:Gem::Dependency
|
42
42
|
name: ruby_parser
|
@@ -253,6 +253,7 @@ files:
|
|
253
253
|
- lib/brakeman/checks/check_quote_table_name.rb
|
254
254
|
- lib/brakeman/checks/check_redirect.rb
|
255
255
|
- lib/brakeman/checks/check_render.rb
|
256
|
+
- lib/brakeman/checks/check_render_dos.rb
|
256
257
|
- lib/brakeman/checks/check_response_splitting.rb
|
257
258
|
- lib/brakeman/checks/check_safe_buffer_manipulation.rb
|
258
259
|
- lib/brakeman/checks/check_sanitize_methods.rb
|
metadata.gz.sig
CHANGED
Binary file
|