brakeman 2.6.2 → 2.6.3

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    NTdlNDlhNGRkMDhlNWQ5NGNlYWZlOWI2NTI5ZWI4NjBlZGU4YzBmNg==
+    NDU2OGUzNjFlZDYyMzU3NGNjODNhOGQxNzczYThmN2Y5NGUxZDYxOQ==
   data.tar.gz: !binary |-
-    YTliNDliZjhkYmZjNzNkNmY0M2QxY2UxOGNiMGQ3NTQ1YWVkMjg5ZA==
+    MzNiNzA0ZjBmNjZmOGNkOWYxNDgzMTg3YjY2MzIxYTlmNzIxODYzNA==
 SHA512:
   metadata.gz: !binary |-
-    NmU3Yzc2NmQxYTM2NzZlZDA2YWZmYjExYTczOTZkYjdiMmI2ZDFiN2FjNDUy
-    NjVmMjYyODk0ZmRhNmIxNzEzNTZmNjE1MmFjNjE2ZTA5N2VkZjEwNDA3OTQ3
-    OGE1YWQ4MjE5MzFhMzIxZGVjNjMyODc3NDgxY2IxYzhhOWRkMTM=
+    ZDUyOWJkNzA0NDUzZmZiNTBjZWJlZjZjZWIzYjI2MzJmMDk4NTk5NDBjNjZm
+    OGUxN2UyNGE3MTA5MDlkMjI2MDg1NjlmNzE1ZGIwZDYwOWExNzFkYzQ0MzBl
+    ZTExMjIyZGQ4YjRkZTMwMDk1NzAwMjg3Y2RiNGM3NWJiYzFjNWE=
   data.tar.gz: !binary |-
-    YjgwZmI1N2NiOGIxNGJiODgyZTU2NjJhZDRlN2QzOWZhN2JhZDU1NTE1ZGY2
-    ZTE2MDY1MDU3M2MzY2M0MzM1MTM5NWM4NmM3YjZiZDQzNjg4OGUyYTVlYjM3
-    N2E2MjI1MGViNjY3MjkwYzZiYWUyODYwZGYyMzljODkzZjExMmE=
+    YTFlM2JlMmJhN2E4OGJhNzU3N2QzNzcxYWFkMDhlZDhhNTMzM2EyMmI3MGVj
+    NjBhZGQyN2ViYTAzYzQzOTY3OTcxZGNkNWM3OTljY2YzM2NlYmVkNzRhZTk5
+    M2IzMDAwOGE4MzM1Y2U0ZTE4MjhkZDY4MzdkNzI3NzE2YWE1MjA=

data/CHANGES

@@ -1,3 +1,12 @@
+# 2.6.3
+
+* Whitelist `exists` arel method from SQL injection check
+* Avoid warning about Symbol DoS on safe parameters as method targets
+* Fix stack overflow in ProcessHelper#class_name
+* Add optional check for unscoped find queries (Ben Toews)
+* Add framework for optional checks
+* Fix stack overflow for cycles in class ancestors (Jeff Rafter)
+
 # 2.6.2 
 
 * Add check for CVE-2014-3415

data/WARNING_TYPES

@@ -1,16 +1,16 @@
 This file describes the various warning types reported by this tool.
 
-# Cross Site Scripting
+# Attribute Restriction
 
-Cross site scripting warnings are raised when a parameter or model attribute is output through a view without being escaped.
+This warning comes up if a model does not limit what attributes can be set through mass assignment.
 
-See http://guides.rubyonrails.org/security.html#cross-site-scripting-xss for details.
+In particular, this check looks for `attr_accessible` inside model definitions. If it is not found, this warning will be issued.
 
-# SQL Injection
+Note that disabling mass assignment globally will suppress these warnings.
 
-String interpolation or concatenation has been detected in an SQL query. Use parameterized queries instead.
+# Authentication
 
-See http://guides.rubyonrails.org/security.html#sql-injection for details.
+# Basic Auth
 
 # Command Injection
 
@@ -18,21 +18,11 @@ Request parameters or string interpolation has been detected in a `system` call.
 
 See http://guides.rubyonrails.org/security.html#command-line-injection for details.
 
-# Mass Assignment
-
-Mass assignment is a method for initializing models. If the attributes which are set is not restricted, someone may set the attributes to any value they wish.
-
-Mass assignment can be disabled globally.
-
-Please see http://railspikes.com/2008/9/22/is-your-rails-application-safe-from-mass-assignment for more details.
-
-# Attribute Restriction
-
-This warning comes up if a model does not limit what attributes can be set through mass assignment.
+# Cross Site Scripting
 
-In particular, this check looks for `attr_accessible` inside model definitions. If it is not found, this warning will be issued.
+Cross site scripting warnings are raised when a parameter or model attribute is output through a view without being escaped.
 
-Note that disabling mass assignment globally will suppress these warnings.
+See http://guides.rubyonrails.org/security.html#cross-site-scripting-xss for details.
 
 # Cross-Site Request Forgery
 
@@ -40,13 +30,9 @@ No call to `protect_from_forgery` was found in `ApplicationController`. This met
 
 See http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf for details.
 
-# Redirect
+# Dangerous Eval
 
-Redirects which rely on user-supplied values can be used to "spoof" websites or hide malicious links in otherwise harmless-looking URLs. They can also allow access to restricted areas of a site if the destination is not validated.
-
-This warning is shown when request parameters are used inside a call to `redirect_to`.
-
-See http://www.owasp.org/index.php/Top_10_2010-A10 for more information.
+# Dangerous Send
 
 # Default Routes
 
@@ -56,14 +42,54 @@ If this warning is reported for a particular controller, it means there is a rou
 
 Default routes can be dangerous if methods are made public which are not intended to be used as URLs or actions.
 
+# Denial of Service
+
+# Dynamic Render Path
+
+When a call to `render` uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted. The issue may be worse if those templates execute code or modify the database.
+
+This warning is shown whenever the path to be rendered is not a static string or symbol.
+
+# File Access
+
 # Format Validation
 
 Calls to `validates_format_of ..., :with => //` which do not use `\A` and `\z` as anchors will cause this warning. Using `^` and `$` is not sufficient, as `$` will only match up to a new line. This allows an attacker to put whatever malicious input they would like after a new line character.
 
 See http://guides.rubyonrails.org/security.html#regular-expressions for details.
 
-# Dynamic Render Path
+# Information Disclosure
 
-When a call to `render` uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted. The issue may be worse if those templates execute code or modify the database.
+# Mail Link
 
-This warning is shown whenever the path to be rendered is not a static string or symbol.
+# Mass Assignment
+
+Mass assignment is a method for initializing models. If the attributes which are set is not restricted, someone may set the attributes to any value they wish.
+
+Mass assignment can be disabled globally.
+
+Please see http://railspikes.com/2008/9/22/is-your-rails-application-safe-from-mass-assignment for more details.
+
+# Nested Attributes
+
+# Redirect
+
+Redirects which rely on user-supplied values can be used to "spoof" websites or hide malicious links in otherwise harmless-looking URLs. They can also allow access to restricted areas of a site if the destination is not validated.
+
+This warning is shown when request parameters are used inside a call to `redirect_to`.
+
+See http://www.owasp.org/index.php/Top_10_2010-A10 for more information.
+
+# Remote Code Execution
+
+# Response Splitting
+
+# Session Setting
+
+# SQL Injection
+
+String interpolation or concatenation has been detected in an SQL query. Use parameterized queries instead.
+
+See http://guides.rubyonrails.org/security.html#sql-injection for details.
+
+# SSL Verification Bypass

data/bin/brakeman

@@ -16,7 +16,7 @@ rescue OptionParser::ParseError => e
 end
 
 #Exit early for these options
-if options[:list_checks]
+if options[:list_checks] or options[:list_optional_checks]
   Brakeman.list_checks options
   exit
 elsif options[:create_config]

data/lib/brakeman.rb

@@ -219,11 +219,18 @@ module Brakeman
 
     add_external_checks options
 
+    if options[:list_optional_checks]
+      $stderr.puts "Optional Checks:"
+      checks = Checks.optional_checks
+    else
+      $stderr.puts "Available Checks:"
+      checks = Checks.checks
+    end
+
     format_length = 30
 
-    $stderr.puts "Available Checks:"
     $stderr.puts "-" * format_length
-    Checks.checks.each do |check|
+    checks.each do |check|
       $stderr.printf("%-#{format_length}s%s\n", check.name, check.description)
     end
   end

data/lib/brakeman/checks.rb

@@ -8,6 +8,7 @@ require 'brakeman/differ'
 #All .rb files in checks/ will be loaded.
 class Brakeman::Checks
   @checks = []
+  @optional_checks = []
 
   attr_reader :warnings, :controller_warnings, :model_warnings, :template_warnings, :checks_run
 
@@ -16,8 +17,17 @@ class Brakeman::Checks
     @checks << klass unless @checks.include? klass
   end
 
+  #Add an optional check
+  def self.add_optional klass
+    @optional_checks << klass unless @checks.include? klass
+  end
+
   def self.checks
-    @checks
+    @checks + @optional_checks
+  end
+
+  def self.optional_checks
+    @optional_checks
   end
 
   def self.initialize_checks check_directory = ""
@@ -94,7 +104,7 @@ class Brakeman::Checks
   def self.run_checks_sequential(app_tree, tracker)
     check_runner = self.new :min_confidence => tracker.options[:min_confidence]
 
-    @checks.each do |c|
+    self.checks_to_run(tracker).each do |c|
       check_name = get_check_name c
 
       #Run or don't run check based on options
@@ -131,7 +141,7 @@ class Brakeman::Checks
 
     check_runner = self.new :min_confidence => tracker.options[:min_confidence]
 
-    @checks.each do |c|
+    self.checks_to_run(tracker).each do |c|
       check_name = get_check_name c
 
       #Run or don't run check based on options
@@ -179,6 +189,14 @@ class Brakeman::Checks
   def self.get_check_name check_class
     check_class.to_s.split("::").last
   end
+
+  def self.checks_to_run tracker
+    if tracker.options[:run_all_checks] or tracker.options[:run_checks]
+      @checks + @optional_checks
+    else
+      @checks
+    end
+  end
 end
 
 #Load all files in checks/ directory

data/lib/brakeman/checks/base_check.rb

@@ -139,13 +139,14 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   end
 
   #Checks if the model inherits from parent,
-  def ancestor? model, parent
-    if model == nil
-      false
-    elsif model[:parent] == parent
+  def ancestor? model, parent, seen={}
+    return false unless model
+
+    seen[model[:name]] = true
+    if model[:parent] == parent || seen[model[:parent]]
       true
     elsif model[:parent]
-      ancestor? tracker.models[model[:parent]], parent
+      ancestor? tracker.models[model[:parent]], parent, seen
     else
       false
     end
@@ -156,11 +157,12 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   end
 
   # go up the chain of parent classes to see if any have attr_accessible
-  def parent_classes_protected? model
+  def parent_classes_protected? model, seen={}
+    seen[model] = true
     if model[:attr_accessible] or model[:includes].include? :"ActiveModel::ForbiddenAttributesProtection"
       true
-    elsif parent = tracker.models[model[:parent]]
-      parent_classes_protected? parent
+    elsif parent = tracker.models[model[:parent]] and !seen[parent]
+      parent_classes_protected? parent, seen
     else
       false
     end

data/lib/brakeman/checks/check_sql.rb

@@ -549,7 +549,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     :sanitize_sql, :sanitize_sql_array, :sanitize_sql_for_assignment,
     :sanitize_sql_for_conditions, :sanitize_sql_hash,
     :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
-    :to_sql, :sanitize]
+    :to_sql, :sanitize, :exists]
 
   def safe_value? exp
     return true unless sexp? exp

data/lib/brakeman/checks/check_symbol_dos.rb

@@ -68,11 +68,16 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
   end
 
   def safe_parameter? input
-    return unless params? input
-
-    call? input and
-    input.method == :[] and
-    symbol? input.first_arg and
-    [:controller, :action].include? input.first_arg.value
+    if call? input
+      if node_type? input.target, :params
+        input.method == :[] and
+        symbol? input.first_arg and
+        [:controller, :action].include? input.first_arg.value
+      else
+        safe_parameter? input.target
+      end
+    else
+      false
+    end
   end
 end

data/lib/brakeman/checks/check_unscoped_find.rb

@@ -0,0 +1,41 @@
+require 'brakeman/checks/base_check'
+
+# Checks for unscoped calls to models' #find and #find_by_id methods.
+class Brakeman::CheckUnscopedFind < Brakeman::BaseCheck
+  Brakeman::Checks.add_optional self
+
+  @description = "Check for unscoped ActiveRecord queries"
+
+  def run_check
+    Brakeman.debug("Finding instances of #find on models with associations")
+
+    associated_model_names = active_record_models.keys.select do |name|
+      active_record_models[name][:associations][:belongs_to]
+    end
+
+    calls = tracker.find_call :method => [:find, :find_by_id, :find_by_id!],
+                              :targets => associated_model_names
+
+    calls.each do |call|
+      process_result call
+    end
+  end
+
+  def process_result result
+    return if duplicate? result or result[:call].original_line
+
+    # Not interested unless argument is user controlled.
+    inputs = result[:call].args.map { |arg| include_user_input?(arg) }
+    return unless input = inputs.compact.first
+
+    add_result result
+
+    warn :result => result,
+      :warning_type => "Unscoped Find",
+      :warning_code => :unscoped_find,
+      :message      => "Unscoped call to #{result[:target]}##{result[:method]}",
+      :code         => result[:call],
+      :confidence   => CONFIDENCE[:low],
+      :user_input   => input.match
+  end
+end

data/lib/brakeman/options.rb

@@ -55,6 +55,10 @@ module Brakeman::Options
         opts.separator ""
         opts.separator "Scanning options:"
 
+        opts.on "-A", "--run-all-checks", "Run all default and optional checks" do
+          options[:run_all_checks] = true
+        end
+
         opts.on "-a", "--[no-]assume-routes", "Assume all controller methods are actions (default)" do |assume|
           options[:assume_all_routes] = assume
         end
@@ -245,6 +249,10 @@ module Brakeman::Options
           options[:list_checks] = true
         end
 
+        opts.on "--optional-checks", "List optional checks" do
+          options[:list_optional_checks] = true
+        end
+
         opts.on "--rake", "Create rake task to run Brakeman" do
           options[:install_rake_task] = true
         end

data/lib/brakeman/processors/lib/processor_helper.rb

@@ -65,8 +65,6 @@ module Brakeman::ProcessorHelper
         "#{class_name(exp.lhs)}::#{exp.rhs}".to_sym
       when :colon3
         "::#{exp.value}".to_sym
-      when :call
-        process exp
       when :self
         @current_class || @current_module || nil
       else

data/lib/brakeman/processors/template_alias_processor.rb

@@ -32,7 +32,7 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
 
   #Determine template name
   def template_name name
-    unless name.to_s.include? "/"
+    if !name.to_s.include?('/') && @template[:name].to_s.include?('/')
       name = "#{@template[:name].to_s.match(/^(.*\/).*$/)[1]}#{name}"
     end
     name

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "2.6.2"
+  Version = "2.6.3"
 end

data/lib/brakeman/warning_codes.rb

@@ -83,6 +83,7 @@ module Brakeman::WarningCodes
     :CVE_2014_3483 => 79,
     :CVE_2014_3514 => 80,
     :CVE_2014_3514_call => 81,
+    :unscoped_find => 82,
   }
 
   def self.code name

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-  version: 2.6.2
+  version: 2.6.3
 platform: ruby
 authors:
 - Justin Collins
@@ -35,7 +35,7 @@ cert_chain:
   Q0c3bUZaNnhnaDAxZXFuWlVzTmQ4dk0rNlY2djIzVnUKamsydE1qRlQ0TDFk
   QTNNRXN6MytNUDE0NFBEaFBDaDd0UGU2eXk4MUJPdnlZVFZrS3pyQWtnS3dI
   RDFDdXZzSApiZHc9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
-date: 2014-08-18 00:00:00.000000000 Z
+date: 2014-10-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ruby_parser
@@ -258,6 +258,7 @@ files:
 - lib/brakeman/checks/check_symbol_dos.rb
 - lib/brakeman/checks/check_translate_bug.rb
 - lib/brakeman/checks/check_unsafe_reflection.rb
+- lib/brakeman/checks/check_unscoped_find.rb
 - lib/brakeman/checks/check_validation_regex.rb
 - lib/brakeman/checks/check_without_protection.rb
 - lib/brakeman/checks/check_yaml_parsing.rb