brakeman 2.6.2 → 2.6.3
- checksums.yaml +8 -8
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/CHANGES +9 -0
- data/WARNING_TYPES +54 -28
- data/bin/brakeman +1 -1
- data/lib/brakeman.rb +9 -2
- data/lib/brakeman/checks.rb +21 -3
- data/lib/brakeman/checks/base_check.rb +10 -8
- data/lib/brakeman/checks/check_sql.rb +1 -1
- data/lib/brakeman/checks/check_symbol_dos.rb +11 -6
- data/lib/brakeman/checks/check_unscoped_find.rb +41 -0
- data/lib/brakeman/options.rb +8 -0
- data/lib/brakeman/processors/lib/processor_helper.rb +0 -2
- data/lib/brakeman/processors/template_alias_processor.rb +1 -1
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning_codes.rb +1 -0
- metadata +3 -2
- metadata.gz.sig +0 -0
checksums.yaml
CHANGED
@@ -1,15 +1,15 @@
|
|
1
1
|
---
|
2
2
|
!binary "U0hBMQ==":
|
3
3
|
metadata.gz: !binary |-
|
4
|
-
|
4
|
+
NDU2OGUzNjFlZDYyMzU3NGNjODNhOGQxNzczYThmN2Y5NGUxZDYxOQ==
|
5
5
|
data.tar.gz: !binary |-
|
6
|
-
|
6
|
+
MzNiNzA0ZjBmNjZmOGNkOWYxNDgzMTg3YjY2MzIxYTlmNzIxODYzNA==
|
7
7
|
SHA512:
|
8
8
|
metadata.gz: !binary |-
|
9
|
-
|
10
|
-
|
11
|
-
|
9
|
+
ZDUyOWJkNzA0NDUzZmZiNTBjZWJlZjZjZWIzYjI2MzJmMDk4NTk5NDBjNjZm
|
10
|
+
OGUxN2UyNGE3MTA5MDlkMjI2MDg1NjlmNzE1ZGIwZDYwOWExNzFkYzQ0MzBl
|
11
|
+
ZTExMjIyZGQ4YjRkZTMwMDk1NzAwMjg3Y2RiNGM3NWJiYzFjNWE=
|
12
12
|
data.tar.gz: !binary |-
|
13
|
-
|
14
|
-
|
15
|
-
|
13
|
+
YTFlM2JlMmJhN2E4OGJhNzU3N2QzNzcxYWFkMDhlZDhhNTMzM2EyMmI3MGVj
|
14
|
+
NjBhZGQyN2ViYTAzYzQzOTY3OTcxZGNkNWM3OTljY2YzM2NlYmVkNzRhZTk5
|
15
|
+
M2IzMDAwOGE4MzM1Y2U0ZTE4MjhkZDY4MzdkNzI3NzE2YWE1MjA=
|
checksums.yaml.gz.sig
CHANGED
Binary file
|
data.tar.gz.sig
CHANGED
Binary file
|
data/CHANGES
CHANGED
@@ -1,3 +1,12 @@
|
|
1
|
+
# 2.6.3
|
2
|
+
|
3
|
+
* Whitelist `exists` arel method from SQL injection check
|
4
|
+
* Avoid warning about Symbol DoS on safe parameters as method targets
|
5
|
+
* Fix stack overflow in ProcessHelper#class_name
|
6
|
+
* Add optional check for unscoped find queries (Ben Toews)
|
7
|
+
* Add framework for optional checks
|
8
|
+
* Fix stack overflow for cycles in class ancestors (Jeff Rafter)
|
9
|
+
|
1
10
|
# 2.6.2
|
2
11
|
|
3
12
|
* Add check for CVE-2014-3415
|
data/WARNING_TYPES
CHANGED
@@ -1,16 +1,16 @@
|
|
1
1
|
This file describes the various warning types reported by this tool.
|
2
2
|
|
3
|
-
#
|
3
|
+
# Attribute Restriction
|
4
4
|
|
5
|
-
|
5
|
+
This warning comes up if a model does not limit what attributes can be set through mass assignment.
|
6
6
|
|
7
|
-
|
7
|
+
In particular, this check looks for `attr_accessible` inside model definitions. If it is not found, this warning will be issued.
|
8
8
|
|
9
|
-
|
9
|
+
Note that disabling mass assignment globally will suppress these warnings.
|
10
10
|
|
11
|
-
|
11
|
+
# Authentication
|
12
12
|
|
13
|
-
|
13
|
+
# Basic Auth
|
14
14
|
|
15
15
|
# Command Injection
|
16
16
|
|
@@ -18,21 +18,11 @@ Request parameters or string interpolation has been detected in a `system` call.
|
|
18
18
|
|
19
19
|
See http://guides.rubyonrails.org/security.html#command-line-injection for details.
|
20
20
|
|
21
|
-
#
|
22
|
-
|
23
|
-
Mass assignment is a method for initializing models. If the attributes which are set is not restricted, someone may set the attributes to any value they wish.
|
24
|
-
|
25
|
-
Mass assignment can be disabled globally.
|
26
|
-
|
27
|
-
Please see http://railspikes.com/2008/9/22/is-your-rails-application-safe-from-mass-assignment for more details.
|
28
|
-
|
29
|
-
# Attribute Restriction
|
30
|
-
|
31
|
-
This warning comes up if a model does not limit what attributes can be set through mass assignment.
|
21
|
+
# Cross Site Scripting
|
32
22
|
|
33
|
-
|
23
|
+
Cross site scripting warnings are raised when a parameter or model attribute is output through a view without being escaped.
|
34
24
|
|
35
|
-
|
25
|
+
See http://guides.rubyonrails.org/security.html#cross-site-scripting-xss for details.
|
36
26
|
|
37
27
|
# Cross-Site Request Forgery
|
38
28
|
|
@@ -40,13 +30,9 @@ No call to `protect_from_forgery` was found in `ApplicationController`. This met
|
|
40
30
|
|
41
31
|
See http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf for details.
|
42
32
|
|
43
|
-
#
|
33
|
+
# Dangerous Eval
|
44
34
|
|
45
|
-
|
46
|
-
|
47
|
-
This warning is shown when request parameters are used inside a call to `redirect_to`.
|
48
|
-
|
49
|
-
See http://www.owasp.org/index.php/Top_10_2010-A10 for more information.
|
35
|
+
# Dangerous Send
|
50
36
|
|
51
37
|
# Default Routes
|
52
38
|
|
@@ -56,14 +42,54 @@ If this warning is reported for a particular controller, it means there is a rou
|
|
56
42
|
|
57
43
|
Default routes can be dangerous if methods are made public which are not intended to be used as URLs or actions.
|
58
44
|
|
45
|
+
# Denial of Service
|
46
|
+
|
47
|
+
# Dynamic Render Path
|
48
|
+
|
49
|
+
When a call to `render` uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted. The issue may be worse if those templates execute code or modify the database.
|
50
|
+
|
51
|
+
This warning is shown whenever the path to be rendered is not a static string or symbol.
|
52
|
+
|
53
|
+
# File Access
|
54
|
+
|
59
55
|
# Format Validation
|
60
56
|
|
61
57
|
Calls to `validates_format_of ..., :with => //` which do not use `\A` and `\z` as anchors will cause this warning. Using `^` and `$` is not sufficient, as `$` will only match up to a new line. This allows an attacker to put whatever malicious input they would like after a new line character.
|
62
58
|
|
63
59
|
See http://guides.rubyonrails.org/security.html#regular-expressions for details.
|
64
60
|
|
65
|
-
#
|
61
|
+
# Information Disclosure
|
66
62
|
|
67
|
-
|
63
|
+
# Mail Link
|
68
64
|
|
69
|
-
|
65
|
+
# Mass Assignment
|
66
|
+
|
67
|
+
Mass assignment is a method for initializing models. If the attributes which are set is not restricted, someone may set the attributes to any value they wish.
|
68
|
+
|
69
|
+
Mass assignment can be disabled globally.
|
70
|
+
|
71
|
+
Please see http://railspikes.com/2008/9/22/is-your-rails-application-safe-from-mass-assignment for more details.
|
72
|
+
|
73
|
+
# Nested Attributes
|
74
|
+
|
75
|
+
# Redirect
|
76
|
+
|
77
|
+
Redirects which rely on user-supplied values can be used to "spoof" websites or hide malicious links in otherwise harmless-looking URLs. They can also allow access to restricted areas of a site if the destination is not validated.
|
78
|
+
|
79
|
+
This warning is shown when request parameters are used inside a call to `redirect_to`.
|
80
|
+
|
81
|
+
See http://www.owasp.org/index.php/Top_10_2010-A10 for more information.
|
82
|
+
|
83
|
+
# Remote Code Execution
|
84
|
+
|
85
|
+
# Response Splitting
|
86
|
+
|
87
|
+
# Session Setting
|
88
|
+
|
89
|
+
# SQL Injection
|
90
|
+
|
91
|
+
String interpolation or concatenation has been detected in an SQL query. Use parameterized queries instead.
|
92
|
+
|
93
|
+
See http://guides.rubyonrails.org/security.html#sql-injection for details.
|
94
|
+
|
95
|
+
# SSL Verification Bypass
|
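Review bot: the new `Unscoped Find` warning type introduced by `check_unscoped_find.rb` in this same release has no entry in WARNING_TYPES, and the alphabetised rewrite leaves `Authentication`, `Basic Auth`, `Dangerous Eval`, `Dangerous Send`, `Denial of Service`, `File Access`, `Information Disclosure`, `Mail Link`, `Nested Attributes`, `Remote Code Execution`, `Response Splitting` and `Session Setting` as bare headings with no description in the visible hunks. Suggest at least a short entry after `# SSL Verification Bypass` saying what `Unscoped Find` flags (a `find`/`find_by_id` on a model with `belongs_to` associations whose argument comes from user input) and that it is an optional check enabled with `-A`.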
data/bin/brakeman
CHANGED
data/lib/brakeman.rb
CHANGED
@@ -219,11 +219,18 @@ module Brakeman
|
|
219
219
|
|
220
220
|
add_external_checks options
|
221
221
|
|
222
|
+
if options[:list_optional_checks]
|
223
|
+
$stderr.puts "Optional Checks:"
|
224
|
+
checks = Checks.optional_checks
|
225
|
+
else
|
226
|
+
$stderr.puts "Available Checks:"
|
227
|
+
checks = Checks.checks
|
228
|
+
end
|
229
|
+
|
222
230
|
format_length = 30
|
223
231
|
|
224
|
-
$stderr.puts "Available Checks:"
|
225
232
|
$stderr.puts "-" * format_length
|
226
|
-
|
233
|
+
checks.each do |check|
|
227
234
|
$stderr.printf("%-#{format_length}s%s\n", check.name, check.description)
|
228
235
|
end
|
229
236
|
end
|
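Review bot: the `else` branch still labels the output "Available Checks:" but now reads `Checks.checks`, which in the checks.rb hunk of this same diff becomes `@checks + @optional_checks`, so checks that do not run by default are listed with nothing marking them optional. Suggest listing only the default set here, or appending a marker such as "(optional)" for entries from `Checks.optional_checks`, so the `--checks` listing matches what a plain run executes.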
data/lib/brakeman/checks.rb
CHANGED
@@ -8,6 +8,7 @@ require 'brakeman/differ'
|
|
8
8
|
#All .rb files in checks/ will be loaded.
|
9
9
|
class Brakeman::Checks
|
10
10
|
@checks = []
|
11
|
+
@optional_checks = []
|
11
12
|
|
12
13
|
attr_reader :warnings, :controller_warnings, :model_warnings, :template_warnings, :checks_run
|
13
14
|
|
@@ -16,8 +17,17 @@ class Brakeman::Checks
|
|
16
17
|
@checks << klass unless @checks.include? klass
|
17
18
|
end
|
18
19
|
|
20
|
+
#Add an optional check
|
21
|
+
def self.add_optional klass
|
22
|
+
@optional_checks << klass unless @checks.include? klass
|
23
|
+
end
|
24
|
+
|
19
25
|
def self.checks
|
20
|
-
@checks
|
26
|
+
@checks + @optional_checks
|
27
|
+
end
|
28
|
+
|
29
|
+
def self.optional_checks
|
30
|
+
@optional_checks
|
21
31
|
end
|
22
32
|
|
23
33
|
def self.initialize_checks check_directory = ""
|
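Review bot: `add_optional` guards against duplicates with `@checks.include? klass` but appends to `@optional_checks`, so the membership test is against the wrong array and a class registered twice (for example if its file is loaded twice) lands in `@optional_checks` twice and runs twice. Suggest `@optional_checks << klass unless @optional_checks.include? klass`, mirroring `add` just above.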
@@ -94,7 +104,7 @@ class Brakeman::Checks
|
|
94
104
|
def self.run_checks_sequential(app_tree, tracker)
|
95
105
|
check_runner = self.new :min_confidence => tracker.options[:min_confidence]
|
96
106
|
|
97
|
-
|
107
|
+
self.checks_to_run(tracker).each do |c|
|
98
108
|
check_name = get_check_name c
|
99
109
|
|
100
110
|
#Run or don't run check based on options
|
@@ -131,7 +141,7 @@ class Brakeman::Checks
|
|
131
141
|
|
132
142
|
check_runner = self.new :min_confidence => tracker.options[:min_confidence]
|
133
143
|
|
134
|
-
|
144
|
+
self.checks_to_run(tracker).each do |c|
|
135
145
|
check_name = get_check_name c
|
136
146
|
|
137
147
|
#Run or don't run check based on options
|
@@ -179,6 +189,14 @@ class Brakeman::Checks
|
|
179
189
|
def self.get_check_name check_class
|
180
190
|
check_class.to_s.split("::").last
|
181
191
|
end
|
192
|
+
|
193
|
+
def self.checks_to_run tracker
|
194
|
+
if tracker.options[:run_all_checks] or tracker.options[:run_checks]
|
195
|
+
@checks + @optional_checks
|
196
|
+
else
|
197
|
+
@checks
|
198
|
+
end
|
199
|
+
end
|
182
200
|
end
|
183
201
|
|
184
202
|
#Load all files in checks/ directory
|
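Review bot: `checks_to_run` repeats the `@checks + @optional_checks` expression that `self.checks` now returns; calling `self.checks` here keeps a single definition of "all checks". A one-line comment that the optional set is only a candidate pool when `:run_checks` is given, with the per-check filtering done below under `#Run or don't run check based on options`, would also make the intent clearer to the next reader.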
@@ -139,13 +139,14 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
|
|
139
139
|
end
|
140
140
|
|
141
141
|
#Checks if the model inherits from parent,
|
142
|
-
def ancestor? model, parent
|
143
|
-
|
144
|
-
|
145
|
-
|
142
|
+
def ancestor? model, parent, seen={}
|
143
|
+
return false unless model
|
144
|
+
|
145
|
+
seen[model[:name]] = true
|
146
|
+
if model[:parent] == parent || seen[model[:parent]]
|
146
147
|
true
|
147
148
|
elsif model[:parent]
|
148
|
-
ancestor? tracker.models[model[:parent]], parent
|
149
|
+
ancestor? tracker.models[model[:parent]], parent, seen
|
149
150
|
else
|
150
151
|
false
|
151
152
|
end
|
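Review bot: when the cycle guard fires (`seen[model[:parent]]` is true), `ancestor?` returns `true`, reporting `model` as a descendant of `parent` even though `parent` may never appear in the chain; the stack overflow is fixed but the answer in the cyclic case is wrong, and callers that gate a warning on this will be affected. Suggest keeping `true` only for `model[:parent] == parent` and treating a revisited ancestor as `false`, e.g. `elsif model[:parent] and !seen[model[:parent]]` before the recursive call, with a comment that a cycle means "not found".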
@@ -156,11 +157,12 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
|
|
156
157
|
end
|
157
158
|
|
158
159
|
# go up the chain of parent classes to see if any have attr_accessible
|
159
|
-
def parent_classes_protected? model
|
160
|
+
def parent_classes_protected? model, seen={}
|
161
|
+
seen[model] = true
|
160
162
|
if model[:attr_accessible] or model[:includes].include? :"ActiveModel::ForbiddenAttributesProtection"
|
161
163
|
true
|
162
|
-
elsif parent = tracker.models[model[:parent]]
|
163
|
-
parent_classes_protected? parent
|
164
|
+
elsif parent = tracker.models[model[:parent]] and !seen[parent]
|
165
|
+
parent_classes_protected? parent, seen
|
164
166
|
else
|
165
167
|
false
|
166
168
|
end
|
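Review bot: `seen` is keyed on the whole model hash here (`seen[model] = true`) while `ancestor?` above keys on `model[:name]`; both work, but hashing the full model on every recursion is costlier and the two helpers are easier to reason about with the same key. The guard `elsif parent = tracker.models[model[:parent]] and !seen[parent]` relies on `and` binding looser than `=`, which is correct but surprising enough to deserve a short comment or parentheses.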
@@ -549,7 +549,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
549
549
|
:sanitize_sql, :sanitize_sql_array, :sanitize_sql_for_assignment,
|
550
550
|
:sanitize_sql_for_conditions, :sanitize_sql_hash,
|
551
551
|
:sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
|
552
|
-
:to_sql, :sanitize]
|
552
|
+
:to_sql, :sanitize, :exists]
|
553
553
|
|
554
554
|
def safe_value? exp
|
555
555
|
return true unless sexp? exp
|
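Review bot: the added symbol is `:exists` (the Arel node builder referenced in CHANGES), not ActiveRecord's `exists?`, which accepts a conditions string and must stay outside this safe list. A brief comment beside the entry stating that the `?`-less form is intentional would stop a later edit from "correcting" it to `:exists?` and silently suppressing real string-interpolation findings.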
@@ -68,11 +68,16 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
|
|
68
68
|
end
|
69
69
|
|
70
70
|
def safe_parameter? input
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
71
|
+
if call? input
|
72
|
+
if node_type? input.target, :params
|
73
|
+
input.method == :[] and
|
74
|
+
symbol? input.first_arg and
|
75
|
+
[:controller, :action].include? input.first_arg.value
|
76
|
+
else
|
77
|
+
safe_parameter? input.target
|
78
|
+
end
|
79
|
+
else
|
80
|
+
false
|
81
|
+
end
|
77
82
|
end
|
78
83
|
end
|
@@ -0,0 +1,41 @@
|
|
1
|
+
require 'brakeman/checks/base_check'
|
2
|
+
|
3
|
+
# Checks for unscoped calls to models' #find and #find_by_id methods.
|
4
|
+
class Brakeman::CheckUnscopedFind < Brakeman::BaseCheck
|
5
|
+
Brakeman::Checks.add_optional self
|
6
|
+
|
7
|
+
@description = "Check for unscoped ActiveRecord queries"
|
8
|
+
|
9
|
+
def run_check
|
10
|
+
Brakeman.debug("Finding instances of #find on models with associations")
|
11
|
+
|
12
|
+
associated_model_names = active_record_models.keys.select do |name|
|
13
|
+
active_record_models[name][:associations][:belongs_to]
|
14
|
+
end
|
15
|
+
|
16
|
+
calls = tracker.find_call :method => [:find, :find_by_id, :find_by_id!],
|
17
|
+
:targets => associated_model_names
|
18
|
+
|
19
|
+
calls.each do |call|
|
20
|
+
process_result call
|
21
|
+
end
|
22
|
+
end
|
23
|
+
|
24
|
+
def process_result result
|
25
|
+
return if duplicate? result or result[:call].original_line
|
26
|
+
|
27
|
+
# Not interested unless argument is user controlled.
|
28
|
+
inputs = result[:call].args.map { |arg| include_user_input?(arg) }
|
29
|
+
return unless input = inputs.compact.first
|
30
|
+
|
31
|
+
add_result result
|
32
|
+
|
33
|
+
warn :result => result,
|
34
|
+
:warning_type => "Unscoped Find",
|
35
|
+
:warning_code => :unscoped_find,
|
36
|
+
:message => "Unscoped call to #{result[:target]}##{result[:method]}",
|
37
|
+
:code => result[:call],
|
38
|
+
:confidence => CONFIDENCE[:low],
|
39
|
+
:user_input => input.match
|
40
|
+
end
|
41
|
+
end
|
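Review bot: in `process_result`, `inputs.compact.first` only drops `nil`; if `include_user_input?` returns `false` for an argument without user input (as `BaseCheck#include_user_input?` does when nothing matches), a call whose first argument is clean but whose second carries `params` yields `[false, match]`, `compact` keeps the `false`, and the check returns without warning. Suggest `input = inputs.find { |i| i }` (or `detect`). Also the header comment mentions only `#find` and `#find_by_id`, while `find_call` also matches `:find_by_id!`; update the comment to list all three.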
data/lib/brakeman/options.rb
CHANGED
@@ -55,6 +55,10 @@ module Brakeman::Options
|
|
55
55
|
opts.separator ""
|
56
56
|
opts.separator "Scanning options:"
|
57
57
|
|
58
|
+
opts.on "-A", "--run-all-checks", "Run all default and optional checks" do
|
59
|
+
options[:run_all_checks] = true
|
60
|
+
end
|
61
|
+
|
58
62
|
opts.on "-a", "--[no-]assume-routes", "Assume all controller methods are actions (default)" do |assume|
|
59
63
|
options[:assume_all_routes] = assume
|
60
64
|
end
|
@@ -245,6 +249,10 @@ module Brakeman::Options
|
|
245
249
|
options[:list_checks] = true
|
246
250
|
end
|
247
251
|
|
252
|
+
opts.on "--optional-checks", "List optional checks" do
|
253
|
+
options[:list_optional_checks] = true
|
254
|
+
end
|
255
|
+
|
248
256
|
opts.on "--rake", "Create rake task to run Brakeman" do
|
249
257
|
options[:install_rake_task] = true
|
250
258
|
end
|
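Review bot: `--optional-checks` reads like a switch that enables optional checks, while it only lists them (it sets `options[:list_optional_checks]`); placed near `-A/--run-all-checks` this is easy to misread. Suggest `--list-optional-checks`, matching the option key it sets, or a help string such as "List optional checks (run them with -A)".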
@@ -32,7 +32,7 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
|
|
32
32
|
|
33
33
|
#Determine template name
|
34
34
|
def template_name name
|
35
|
-
|
35
|
+
if !name.to_s.include?('/') && @template[:name].to_s.include?('/')
|
36
36
|
name = "#{@template[:name].to_s.match(/^(.*\/).*$/)[1]}#{name}"
|
37
37
|
end
|
38
38
|
name
|
data/lib/brakeman/version.rb
CHANGED
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: brakeman
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 2.6.
|
4
|
+
version: 2.6.3
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Justin Collins
|
@@ -35,7 +35,7 @@ cert_chain:
|
|
35
35
|
Q0c3bUZaNnhnaDAxZXFuWlVzTmQ4dk0rNlY2djIzVnUKamsydE1qRlQ0TDFk
|
36
36
|
QTNNRXN6MytNUDE0NFBEaFBDaDd0UGU2eXk4MUJPdnlZVFZrS3pyQWtnS3dI
|
37
37
|
RDFDdXZzSApiZHc9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
|
38
|
-
date: 2014-
|
38
|
+
date: 2014-10-14 00:00:00.000000000 Z
|
39
39
|
dependencies:
|
40
40
|
- !ruby/object:Gem::Dependency
|
41
41
|
name: ruby_parser
|
@@ -258,6 +258,7 @@ files:
|
|
258
258
|
- lib/brakeman/checks/check_symbol_dos.rb
|
259
259
|
- lib/brakeman/checks/check_translate_bug.rb
|
260
260
|
- lib/brakeman/checks/check_unsafe_reflection.rb
|
261
|
+
- lib/brakeman/checks/check_unscoped_find.rb
|
261
262
|
- lib/brakeman/checks/check_validation_regex.rb
|
262
263
|
- lib/brakeman/checks/check_without_protection.rb
|
263
264
|
- lib/brakeman/checks/check_yaml_parsing.rb
|
metadata.gz.sig
CHANGED
Binary file
|