brakeman 2.5.0 → 2.6.0

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    NzVjZjYxZWMzOTRhYzI0YTA0M2ZlYjkxNDQyZjFkZTNlYzYxZTk4ZA==
+    MTMyMjhjZTg2NjUzNjM4Zjg4MjkxMDY3YjljM2RlMzYxNDE1MTcwMg==
   data.tar.gz: !binary |-
-    MjY3ZGNkNGJkYzZlOWJmNjI2MGVkMmYxNDMzMDVkOTBkMzZlN2JkYg==
+    ODU3OTE0NjFjODgzZWRlODMyZDViZTQwNjUzYTQ0MzNhZjEzNjMyYQ==
 SHA512:
   metadata.gz: !binary |-
-    YzZiNTlkMmU2OGRjOTdiZDA1ZWFhMmEwNzUyNzcwMmI5ZmNmOTRmOGRjMjc2
-    NTkzZTZmOTc0MzIyYTRjN2Y2ZDBjZjJiZDJlNmQ3NDhlM2E5YTZjNTA2ZDI1
-    MGM2NjNkY2YxYjNhZTVmNWJjZDZmNmE4ZGViNGJkNjc2ODdlNWU=
+    YTAzY2FlZWRiZTYwODMwZmQ5YmQ2YTI3M2VjMmJjMTM3Y2YxNDM5NDU3MDYw
+    ODJlMGNiYWM0ZDExYzU3NjI1NzY4ZWE2ZDg1MTQ2NzBiYTJkM2E4YzMwNWUw
+    OGVhYjU5ZDk0MzY4Njk2MzhmYzk0NGQ1YWEzNWFmMzUzMGY5MzA=
   data.tar.gz: !binary |-
-    MTY0ZjY2ZjIyM2VkMTUxYWNhZjFiOGI0YTAzNTUzODhjZTI5MjMyNmNkNGE5
-    MTI1ZmM2MGIwMTg3ZjJkNmFjZjY3Zjk5NzNlNTQzNjk2NTc1ZmNhNDU3Nzhl
-    NmI1NTBkZDAwNjkzNjFiMGRiMzg0ODRmMjA4MGZlN2VhOGEyM2I=
+    YmVmZTkxZTQxZDNmODJkNGMyYmE2NDdkNDI1Yjk1NmRlNjlhZGRmYjgzZjY0
+    NGVhZDYwZGM1MWQ5MGYxMDQ4MWNmNWIxOTkwMDgxNWI3YTIzYjQ0OTQ3ODZk
+    MmU2ZTI5YWE3YjQ2OTczMTg3M2NiZWUxYjIxMjhiZWM4NjhhMWY=

data/CHANGES

@@ -1,3 +1,17 @@
+# 2.6.0
+
+* Fix detection of `:host` setting in redirects with chained calls
+* Add check for CVE-2014-0130
+* Add `find_by`/`find_by!` to SQLi check for Rails 4
+* Parse most files upfront instead of on demand
+* Do not branch values for `+=`
+* Update to use RubyParser 3.5.0 (Patrick Toomey)
+* Improve default route detection in Rails 3/4 (Jeff Jarmoc)
+* Handle controllers and models split across files (Patrick Toomey)
+* Fix handling of `protected_attributes` gem in Rails 4 (Geoffrey Hichborn)
+* Ignore more model methods in redirects
+* Fix CheckRender with nested render calls
+
 # 2.5.0
 
  * Add support for RailsLTS 2.3.18.7 and 2.3.18.8

data/README.md

@@ -46,13 +46,15 @@ From source:
 
 It is simplest to run Brakeman from the root directory of the Rails application. A path may also be supplied.
 
-# Options
+# Basic Options
+
+For a full list of options, use `brakeman --help` or see the OPTIONS.md file.
 
 To specify an output file for the results:
 
     brakeman -o output_file
 
-The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json` and `csv`.
+The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `markdown`, and `csv`.
 
 Multiple output files can be specified:
 
@@ -62,6 +64,8 @@ To suppress informational warnings and just output the report:
 
     brakeman -q
 
+Note all Brakeman output except reports are sent to stderr, making it simple to redirect stdout to a file and just get the report.
+
 To see all kinds of debugging information:
 
     brakeman -d
@@ -78,28 +82,6 @@ To do the opposite and only run a certain set of tests:
 
     brakeman -t SQL,ValidationRegex
 
-To indicate certain methods are "safe":
-
-    brakeman -s benign_method,totally_safe
-
-By default, brakeman will assume that unknown methods involving untrusted data are dangerous. For example, this would cause a warning (Rails 2):
-
-    <%= some_method(:option => params[:input]) %>
-
-To only raise warnings only when untrusted data is being directly used:
-
-    brakeman -r
-
-By default, each check will be run in a separate thread. To disable this behavior:
-
-    brakeman -n
-
-Normally Brakeman will parse `routes.rb` and attempt to infer which controller methods are used as actions. However, this is not perfect (especially for Rails 3). To ignore the automatically inferred routes and assume all methods are actions:
-
-    brakeman -a
-
-Note that this will be enabled automatically if Brakeman runs into an error while parsing the routes.
-
 If Brakeman is running a bit slow, try
 
     brakeman --faster
@@ -114,10 +96,6 @@ To skip certain files that Brakeman may have trouble parsing, use:
 
     brakeman --skip-files file1,file2,etc
 
-Brakeman will raise warnings on models that use `attr_protected`. To suppress these warnings:
-
-    brakeman --ignore-protected
-
 To compare results of a scan with a previous scan, use the JSON output option and then:
 
     brakeman --compare old_report.json

data/lib/brakeman/checks/base_check.rb

@@ -12,10 +12,10 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   CONFIDENCE = { :high => 0, :med => 1, :low => 2 }
 
   Match = Struct.new(:type, :match)
-  
+
   class << self
     attr_accessor :name
-  
+
     def inherited(subclass)
       subclass.name = subclass.to_s.match(/^Brakeman::(.*)$/)[1]
     end
@@ -177,8 +177,9 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       tracker.config[:rails][:active_record][:whitelist_attributes] == Sexp.new(:true)
 
       @mass_assign_disabled = true
-    elsif version_between?("4.0.0", "4.9.9") and not tracker.config[:gems][:protected_attributes]
-      #May need to revisit dependng on what Rails 4 actually does/has
+    elsif version_between?("4.0.0", "4.9.9") && (!tracker.config[:gems][:protected_attributes] || (tracker.config[:rails][:active_record] &&
+            tracker.config[:rails][:active_record][:whitelist_attributes] == Sexp.new(:true)))
+
       @mass_assign_disabled = true
     else
       #Check for ActiveRecord::Base.send(:attr_accessible, nil)

data/lib/brakeman/checks/check_basic_auth.rb

@@ -31,8 +31,7 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
               :message => "Basic authentication password stored in source code",
               :code => call,
               :confidence => 0,
-              :file => controller[:file]
-
+              :file => controller[:files].first
           break
         end
       end

data/lib/brakeman/checks/check_default_routes.rb

@@ -9,28 +9,78 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
   #Checks for :allow_all_actions globally and for individual routes
   #if it is not enabled globally.
   def run_check
-    if tracker.routes[:allow_all_actions]
+    check_for_default_routes
+    check_for_action_globs
+    check_for_cve_2014_0130
+  end
+
+  def check_for_default_routes
+    if allow_all_actions?
       #Default routes are enabled globally
-      warn :warning_type => "Default Routes", 
+      warn :warning_type => "Default Routes",
         :warning_code => :all_default_routes,
         :message => "All public methods in controllers are available as actions in routes.rb",
-        :line => tracker.routes[:allow_all_actions].line, 
+        :line => tracker.routes[:allow_all_actions].line,
         :confidence => CONFIDENCE[:high],
         :file => "#{tracker.options[:app_path]}/config/routes.rb"
-    else #Report each controller separately
-      Brakeman.debug "Checking each controller for default routes"
-
-      tracker.routes.each do |name, actions|
-        if actions.is_a? Array and actions[0] == :allow_all_actions
-          warn :controller => name,
-            :warning_type => "Default Routes", 
-            :warning_code => :controller_default_routes,
-            :message => "Any public method in #{name} can be used as an action.",
-            :line => actions[1],
-            :confidence => CONFIDENCE[:med],
-            :file => "#{tracker.options[:app_path]}/config/routes.rb"
+    end
+  end
+
+  def check_for_action_globs
+    return if allow_all_actions?
+    Brakeman.debug "Checking each controller for default routes"
+
+    tracker.routes.each do |name, actions|
+      if actions.is_a? Array and actions[0] == :allow_all_actions
+        @actions_allowed_on_controller = true
+        if actions[1].is_a? Hash and actions[1][:allow_verb]
+          verb = actions[1][:allow_verb]
+        else
+          verb = "any"
         end
+        warn :controller => name,
+          :warning_type => "Default Routes",
+          :warning_code => :controller_default_routes,
+          :message => "Any public method in #{name} can be used as an action for #{verb} requests.",
+          :line => actions[2],
+          :confidence => CONFIDENCE[:med],
+          :file => "#{tracker.options[:app_path]}/config/routes.rb"
       end
     end
   end
+
+  def check_for_cve_2014_0130
+    case
+    when lts_version?("2.3.18.9")
+      #TODO: Should support LTS 3.0.20 too
+      return
+    when version_between?("2.0.0", "2.3.18")
+      upgrade = "3.2.18"
+    when version_between?("3.0.0", "3.2.17")
+      upgrade = "3.2.18"
+    when version_between?("4.0.0", "4.0.4")
+      upgrade = "4.0.5"
+    when version_between?("4.1.0", "4.1.0")
+      upgrade = "4.1.1"
+    else
+      return
+    end
+
+    if allow_all_actions? or @actions_allowed_on_controller
+      confidence = CONFIDENCE[:high]
+    else
+      confidence = CONFIDENCE[:med]
+    end
+
+    warn :warning_type => "Remote Code Execution",
+      :warning_code => :CVE_2014_0130,
+      :message => "Rails #{tracker.config[:rails_version]} with globbing routes is vulnerable to directory traversal and remote code execution. Patch or upgrade to #{upgrade}",
+      :confidence => confidence,
+      :file => "#{tracker.options[:app_path]}/config/routes.rb",
+      :link => "http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf"
+  end
+
+  def allow_all_actions?
+    tracker.routes[:allow_all_actions]
+  end
 end

data/lib/brakeman/checks/check_detailed_exceptions.rb

@@ -25,8 +25,9 @@ class Brakeman::CheckDetailedExceptions < Brakeman::BaseCheck
 
   def check_detailed_exceptions
     tracker.controllers.each do |name, controller|
-      controller[:public].each do |name, method|
-        body = method.body.last
+      controller[:public].each do |name, definition|
+        src = definition[:src]
+        body = src.body.last
         next unless body
 
         if name == :show_detailed_exceptions? and not safe? body
@@ -40,8 +41,8 @@ class Brakeman::CheckDetailedExceptions < Brakeman::BaseCheck
                :warning_code => :detailed_exceptions,
                :message => "Detailed exceptions may be enabled in 'show_detailed_exceptions?'",
                :confidence => confidence,
-               :code => method,
-               :file => controller[:file]
+               :code => src,
+               :file => definition[:file]
         end
       end
     end

data/lib/brakeman/checks/check_filter_skipping.rb

@@ -21,7 +21,7 @@ class Brakeman::CheckFilterSkipping < Brakeman::BaseCheck
 
   def uses_arbitrary_actions?
     tracker.routes.each do |name, actions|
-      if actions == :allow_all_actions
+      if actions.include? :allow_all_actions
         return true
       end
     end

data/lib/brakeman/checks/check_forgery_setting.rb

@@ -17,22 +17,22 @@ class Brakeman::CheckForgerySetting < Brakeman::BaseCheck
       warn :controller => :ApplicationController,
         :warning_type => "Cross-Site Request Forgery",
         :warning_code => :csrf_protection_disabled,
-        :message => "Forgery protection is disabled", 
+        :message => "Forgery protection is disabled",
         :confidence => CONFIDENCE[:high],
-        :file => app_controller[:file]
+        :file => app_controller[:files].first
 
     elsif app_controller and not app_controller[:options][:protect_from_forgery]
 
-      warn :controller => :ApplicationController, 
-        :warning_type => "Cross-Site Request Forgery", 
+      warn :controller => :ApplicationController,
+        :warning_type => "Cross-Site Request Forgery",
         :warning_code => :csrf_protection_missing,
-        :message => "'protect_from_forgery' should be called in ApplicationController", 
+        :message => "'protect_from_forgery' should be called in ApplicationController",
         :confidence => CONFIDENCE[:high],
-        :file => app_controller[:file]
+        :file => app_controller[:files].first
 
     elsif version_between? "2.1.0", "2.3.10"
-      
-      warn :controller => :ApplicationController, 
+
+      warn :controller => :ApplicationController,
         :warning_type => "Cross-Site Request Forgery",
         :warning_code => :CVE_2011_0447,
         :message => "CSRF protection is flawed in unpatched versions of Rails #{tracker.config[:rails_version]} (CVE-2011-0447). Upgrade to 2.3.11 or apply patches as needed",
@@ -42,7 +42,7 @@ class Brakeman::CheckForgerySetting < Brakeman::BaseCheck
 
     elsif version_between? "3.0.0", "3.0.3"
 
-      warn :controller => :ApplicationController, 
+      warn :controller => :ApplicationController,
         :warning_type => "Cross-Site Request Forgery",
         :warning_code => :CVE_2011_0447,
         :message => "CSRF protection is flawed in unpatched versions of Rails #{tracker.config[:rails_version]} (CVE-2011-0447). Upgrade to 3.0.4 or apply patches as needed",

data/lib/brakeman/checks/check_model_attr_accessible.rb

@@ -26,7 +26,7 @@ class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
         SUSP_ATTRS.each do |susp_attr, confidence|
           if susp_attr.is_a?(Regexp) and susp_attr =~ attribute.to_s or susp_attr == attribute
             warn :model => name,
-              :file => model[:file],
+              :file => model[:files].first,
               :warning_type => "Mass Assignment",
               :warning_code => :dangerous_attr_accessible,
               :message => "Potentially dangerous attribute available for mass assignment",

data/lib/brakeman/checks/check_model_attributes.rb

@@ -3,7 +3,7 @@ require 'brakeman/checks/base_check'
 #Check if mass assignment is used with models
 #which inherit from ActiveRecord::Base.
 #
-#If tracker.options[:collapse_mass_assignment] is +true+ (default), all models 
+#If tracker.options[:collapse_mass_assignment] is +true+ (default), all models
 #which do not use attr_accessible will be reported in a single warning
 class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
   Brakeman::Checks.add self
@@ -55,7 +55,7 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
       check_models do |name, model|
         if model[:options][:attr_protected].nil?
           warn :model => name,
-            :file => model[:file],
+            :file => model[:files].first,
             :warning_type => "Attribute Restriction",
             :warning_code => :no_attr_accessible,
             :message => "Mass assignment is not restricted using attr_accessible",
@@ -70,7 +70,7 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
           end
 
           warn :model => name,
-            :file => model[:file],
+            :file => model[:files].first,
             :line => model[:options][:attr_protected].first.line,
             :warning_type => "Attribute Restriction",
             :warning_code => warning_code,

data/lib/brakeman/checks/check_model_serialize.rb

@@ -60,7 +60,7 @@ class Brakeman::CheckModelSerialize < Brakeman::BaseCheck
         :message => "Serialized attributes are vulnerable in Rails #{tracker.config[:rails_version]}, upgrade to #{@upgrade_version} or patch.",
         :confidence => confidence,
         :link => "https://groups.google.com/d/topic/rubyonrails-security/KtmwSbEpzrU/discussion",
-        :file => model[:file]
+        :file => model[:files].first
     end
   end
 end

data/lib/brakeman/checks/check_redirect.rb

@@ -19,6 +19,10 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
       @model_find_calls.merge [:from, :group, :having, :joins, :lock, :order, :reorder, :select, :where]
     end
 
+    if version_between? "4.0.0", "9.9.9"
+      @model_find_calls.merge [:find_by, :find_by!, :take]
+    end
+
     @tracker.find_call(:target => false, :method => :redirect_to).each do |res|
       process_result res
     end
@@ -33,7 +37,7 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
 
     if method == :redirect_to and
         not only_path?(call) and
-        not explicit_host?(call) and
+        not explicit_host?(call.first_arg) and
         res = include_user_input?(call)
 
       add_result result
@@ -113,11 +117,21 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
     false
   end
 
-  def explicit_host? call
-    arg = call.first_arg
+  def explicit_host? arg
+    return unless sexp? arg
+
+    if hash? arg
+      if value = hash_access(arg, :host)
+        return !has_immediate_user_input?(value)
+      end
+    elsif call? arg
+      target = arg.target
 
-    if hash? arg and value = hash_access(arg, :host)
-      return !has_immediate_user_input?(value)
+      if hash? target and value = hash_access(target, :host)
+        return !has_immediate_user_input?(value)
+      elsif call? arg
+        return explicit_host? target
+      end
     end
 
     false
@@ -142,7 +156,7 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
     if node_type? exp, :or
       model_instance? exp.lhs or model_instance? exp.rhs
     elsif call? exp
-      if model_name? exp.target or friendly_model? exp.target and
+      if model_target? exp and
         (@model_find_calls.include? exp.method or exp.method.to_s.match(/^find_by_/))
         true
       else
@@ -151,6 +165,13 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
     end
   end
 
+  def model_target? exp
+    return false unless call? exp
+    model_name? exp.target or
+    friendly_model? exp.target or
+    model_target? exp.target
+  end
+
   #Returns true if exp is (probably) a friendly model instance
   #using the FriendlyId gem
   def friendly_model? exp

data/lib/brakeman/checks/check_render.rb

@@ -8,11 +8,11 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
 
   def run_check
     tracker.find_call(:target => nil, :method => :render).each do |result|
-      process_render result
+      process_render_result result
     end
   end
 
-  def process_render result
+  def process_render_result result
     return unless node_type? result[:call], :render
 
     case result[:call].render_type