brakeman 2.6.3 → 3.0.0

checksums.yaml

@@ -1,15 +1,7 @@
 ---
-!binary "U0hBMQ==":
-  metadata.gz: !binary |-
-    NDU2OGUzNjFlZDYyMzU3NGNjODNhOGQxNzczYThmN2Y5NGUxZDYxOQ==
-  data.tar.gz: !binary |-
-    MzNiNzA0ZjBmNjZmOGNkOWYxNDgzMTg3YjY2MzIxYTlmNzIxODYzNA==
+SHA1:
+  metadata.gz: 8e036c60e03551ca1b437c9c0ba69ba388ec0bf1
+  data.tar.gz: 1b2cd12bd7417aa8409dc36d978d40557363c6d6
 SHA512:
-  metadata.gz: !binary |-
-    ZDUyOWJkNzA0NDUzZmZiNTBjZWJlZjZjZWIzYjI2MzJmMDk4NTk5NDBjNjZm
-    OGUxN2UyNGE3MTA5MDlkMjI2MDg1NjlmNzE1ZGIwZDYwOWExNzFkYzQ0MzBl
-    ZTExMjIyZGQ4YjRkZTMwMDk1NzAwMjg3Y2RiNGM3NWJiYzFjNWE=
-  data.tar.gz: !binary |-
-    YTFlM2JlMmJhN2E4OGJhNzU3N2QzNzcxYWFkMDhlZDhhNTMzM2EyMmI3MGVj
-    NjBhZGQyN2ViYTAzYzQzOTY3OTcxZGNkNWM3OTljY2YzM2NlYmVkNzRhZTk5
-    M2IzMDAwOGE4MzM1Y2U0ZTE4MjhkZDY4MzdkNzI3NzE2YWE1MjA=
+  metadata.gz: cf9478f1fa9747f397f1c614ee4058f1de4b0c99dc0c444d2ac169ec0d1aa5adf895ea0e804761d148cd7779fcb2f1a9fd6bc1dec73c99beaf005aa5c45ad1c7
+  data.tar.gz: 4b71efa6cf9e69e771d4698364d4ec2a7b19c05a1f3d24d8cd72a9e8e8bcb384143c5e06f8b7865d66bfa96ef52ae8a0dc7e302ddd7a65cdb15c8f0ffa21ee7b

data/CHANGES

@@ -1,3 +1,22 @@
+# 3.0.0
+
+* Add check for CVE-2014-7829
+* Add check for cross site scripting via inline renders
+* Fix formatting of command interpolation
+* Local variables are no longer formatted as `(local var)`
+* Actually skip skipped before filters
+* `--exit-on-warn --compare` only returns error code on new warnings (Jeff Yip)
+* Fix parsing of `<%==` in ERB
+* Sort warnings by fingerprint in JSON report (Jeff Yip)
+* Handle symmetric multiple assignment
+* Do not branch for self attribute assignment `x = x.y`
+* Fix CVE for CVE-2011-2932
+* Remove "fake filters" from warning fingerpints
+* Index calls in `lib/` files
+* Move Symbol DoS to optional checks
+* CVEs report correct line and file name (Gemfile/Gemfile.lock) (Rob Fletcher)
+* Change `--separate-models` to be the default
+
 # 2.6.3
 
 * Whitelist `exists` arel method from SQL injection check

data/bin/brakeman

@@ -70,7 +70,7 @@ begin
       puts MultiJson.dump(vulns, :pretty => true)
     end
 
-    if options[:exit_on_warn] and (vulns[:new].count + vulns[:fixed].count > 0)
+    if options[:exit_on_warn] && vulns[:new].count > 0
       exit Brakeman::Warnings_Found_Exit_Code
     end
   else

data/lib/brakeman.rb

@@ -19,7 +19,7 @@ module Brakeman
   #  * :app_path - path to root of Rails app (required)
   #  * :assume_all_routes - assume all methods are routes (default: true)
   #  * :check_arguments - check arguments of methods (default: true)
-  #  * :collapse_mass_assignment - report unprotected models in single warning (default: true)
+  #  * :collapse_mass_assignment - report unprotected models in single warning (default: false)
   #  * :combine_locations - combine warning locations (default: true)
   #  * :config_file - configuration file
   #  * :escape_html - escape HTML by default (automatic)
@@ -28,6 +28,7 @@ module Brakeman
   #  * :highlight_user_input - highlight user input in reported warnings (default: true)
   #  * :html_style - path to CSS file
   #  * :ignore_model_output - consider models safe (default: false)
+  #  * :index_libs - add libraries to call index (default: true)
   #  * :interprocedural - limited interprocedural processing of method calls (default: false)
   #  * :message_limit - limit length of messages
   #  * :min_confidence - minimum confidence (0-2, 0 is highest)
@@ -122,10 +123,11 @@ module Brakeman
       :safe_methods => Set.new,
       :min_confidence => 2,
       :combine_locations => true,
-      :collapse_mass_assignment => true,
+      :collapse_mass_assignment => false,
       :highlight_user_input => true,
       :ignore_redirect_to_model => true,
       :ignore_model_output => false,
+      :index_libs => true,
       :message_limit => 100,
       :parallel_checks => true,
       :relative_path => false,

data/lib/brakeman/app_tree.rb

@@ -71,7 +71,7 @@ module Brakeman
     end
 
     def lib_paths
-      @lib_files ||= find_paths("lib").reject { |path| path.include? "/generators/" }
+      @lib_files ||= find_paths("lib").reject { |path| path.include? "/generators/" or path.include? "lib/tasks/" }
     end
 
   private

data/lib/brakeman/checks/base_check.rb

@@ -328,7 +328,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       end
     elsif sexp? exp
       case exp.node_type
-      when :string_interp
+      when :string_interp, :dstr
         exp.each do |e|
           if sexp? e
             match = has_immediate_user_input?(e)
@@ -336,7 +336,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
           end
         end
         false
-      when :string_eval
+      when :string_eval, :evstr
         if sexp? exp.value
           if exp.value.node_type == :rlist
             exp.value.each_sexp do |e|
@@ -390,14 +390,14 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       end
     elsif sexp? exp
       case exp.node_type
-      when :string_interp
+      when :string_interp, :dstr
         exp.each do |e|
           if sexp? e and match = has_immediate_model?(e, out)
             return match
           end
         end
         false
-      when :string_eval
+      when :string_eval, :evstr
         if sexp? exp.value
           if exp.value.node_type == :rlist
             exp.value.each_sexp do |e|
@@ -484,11 +484,13 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
 
   def lts_version? version
     tracker.config[:gems][:'railslts-version'] and
-    version_between? version, "2.3.18.99", tracker.config[:gems][:'railslts-version']
+    version_between? version, "2.3.18.99", tracker.config[:gems][:'railslts-version'][:version]
   end
 
-  def gemfile_or_environment
-    if @app_tree.exists?("Gemfile")
+  def gemfile_or_environment gem_name = :rails
+    if gem_name and info = tracker.config[:gems][gem_name]
+      info
+    elsif @app_tree.exists?("Gemfile")
       "Gemfile"
     else
       "config/environment.rb"

data/lib/brakeman/checks/check_create_with.rb

@@ -68,7 +68,7 @@ class Brakeman::CheckCreateWith < Brakeman::BaseCheck
       warn :warning_type => "Mass Assignment",
         :warning_code => :CVE_2014_3514,
         :message => @message,
-        :file => gemfile_or_environment,
+        :gem_info => gemfile_or_environment,
         :confidence => CONFIDENCE[:med],
         :link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"
   end

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -35,48 +35,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
 
   #Run check
   def run_check
-    @ignore_methods = Set[:button_to, :check_box, :content_tag, :escapeHTML, :escape_once,
-                           :field_field, :fields_for, :h, :hidden_field,
-                           :hidden_field, :hidden_field_tag, :image_tag, :label,
-                           :link_to, :mail_to, :radio_button, :select,
-                           :submit_tag, :text_area, :text_field,
-                           :text_field_tag, :url_encode, :url_for,
-                           :will_paginate].merge tracker.options[:safe_methods]
-
-    @models = tracker.models.keys
-    @inspect_arguments = tracker.options[:check_arguments]
-
-    @known_dangerous = Set[:truncate, :concat]
-
-    if version_between? "2.0.0", "3.0.5"
-      @known_dangerous << :auto_link
-    elsif version_between? "3.0.6", "3.0.99"
-      @ignore_methods << :auto_link
-    end
-
-    if version_between? "2.0.0", "2.3.14"
-      @known_dangerous << :strip_tags
-    end
-
-    json_escape_on = false
-    initializers = tracker.check_initializers :ActiveSupport, :escape_html_entities_in_json=
-    initializers.each {|result| json_escape_on = true?(result.call.first_arg) }
-
-    if tracker.config[:rails][:active_support] and
-      true? tracker.config[:rails][:active_support][:escape_html_entities_in_json]
-
-        json_escape_on = true
-    elsif version_between? "4.0.0", "5.0.0"
-      json_escape_on = true
-    end
-
-    if !json_escape_on or version_between? "0.0.0", "2.0.99"
-      @known_dangerous << :to_json
-      Brakeman.debug("Automatic to_json escaping not enabled, consider to_json dangerous")
-    else
-      @safe_input_attributes << :to_json
-      Brakeman.debug("Automatic to_json escaping is enabled.")
-    end
+    setup
 
     tracker.each_template do |name, template|
       Brakeman.debug "Checking #{name} for XSS"
@@ -301,6 +260,51 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
     exp
   end
 
+  def setup
+    @ignore_methods = Set[:button_to, :check_box, :content_tag, :escapeHTML, :escape_once,
+                           :field_field, :fields_for, :h, :hidden_field,
+                           :hidden_field, :hidden_field_tag, :image_tag, :label,
+                           :link_to, :mail_to, :radio_button, :select,
+                           :submit_tag, :text_area, :text_field,
+                           :text_field_tag, :url_encode, :url_for,
+                           :will_paginate].merge tracker.options[:safe_methods]
+
+    @models = tracker.models.keys
+    @inspect_arguments = tracker.options[:check_arguments]
+
+    @known_dangerous = Set[:truncate, :concat]
+
+    if version_between? "2.0.0", "3.0.5"
+      @known_dangerous << :auto_link
+    elsif version_between? "3.0.6", "3.0.99"
+      @ignore_methods << :auto_link
+    end
+
+    if version_between? "2.0.0", "2.3.14"
+      @known_dangerous << :strip_tags
+    end
+
+    json_escape_on = false
+    initializers = tracker.check_initializers :ActiveSupport, :escape_html_entities_in_json=
+    initializers.each {|result| json_escape_on = true?(result.call.first_arg) }
+
+    if tracker.config[:rails][:active_support] and
+      true? tracker.config[:rails][:active_support][:escape_html_entities_in_json]
+
+        json_escape_on = true
+    elsif version_between? "4.0.0", "5.0.0"
+      json_escape_on = true
+    end
+
+    if !json_escape_on or version_between? "0.0.0", "2.0.99"
+      @known_dangerous << :to_json
+      Brakeman.debug("Automatic to_json escaping not enabled, consider to_json dangerous")
+    else
+      @safe_input_attributes << :to_json
+      Brakeman.debug("Automatic to_json escaping is enabled.")
+    end
+  end
+
   def raw_call? exp
     exp.value.node_type == :call and exp.value.method == :raw
   end

data/lib/brakeman/checks/check_digest_dos.rb

@@ -29,7 +29,7 @@ class Brakeman::CheckDigestDoS < Brakeman::BaseCheck
       :message => message,
       :confidence => confidence,
       :link_path => "https://groups.google.com/d/topic/rubyonrails-security/vxJjrc15qYM/discussion",
-      :file => gemfile_or_environment
+      :gem_info => gemfile_or_environment
   end
 
   def with_http_digest?

data/lib/brakeman/checks/check_escape_function.rb

@@ -11,10 +11,10 @@ class Brakeman::CheckEscapeFunction < Brakeman::BaseCheck
     if version_between?('2.0.0', '2.3.13') and RUBY_VERSION < '1.9.0' 
 
       warn :warning_type => 'Cross Site Scripting',
-        :warning_code => :CVE_2011_2931,
-        :message => 'Versions before 2.3.14 have a vulnerability in escape method when used with Ruby 1.8: CVE-2011-2931',
+        :warning_code => :CVE_2011_2932,
+        :message => 'Versions before 2.3.14 have a vulnerability in escape method when used with Ruby 1.8: CVE-2011-2932',
         :confidence => CONFIDENCE[:high],
-        :file => gemfile_or_environment,
+        :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/Vr_7WSOrEZU/discussion"
     end
   end

data/lib/brakeman/checks/check_file_disclosure.rb

@@ -0,0 +1,35 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckFileDisclosure < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for versions with file existence disclosure vulnerability"
+
+  def run_check
+    fix_version = case
+      when version_between?('2.0.0', '2.3.18')
+        '3.2.21'
+      when version_between?('3.0.0', '3.2.20')
+        '3.2.21'
+      when version_between?('4.0.0', '4.0.11')
+        '4.0.12'
+      when version_between?('4.1.0', '4.1.7')
+        '4.1.8'
+      else
+        nil
+      end
+
+    if fix_version and serves_static_assets?
+      warn :warning_type => "File Access",
+        :warning_code => :CVE_2014_7829,
+        :message => "Rails #{tracker.config[:rails_version]} has a file existence disclosure. Upgrade to #{fix_version} or disable serving static assets",
+        :confidence => CONFIDENCE[:high],
+        :gem_info => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/msg/rubyonrails-security/23fiuwb1NBA/MQVM1-5GkPMJ"
+    end
+  end
+
+  def serves_static_assets?
+    true? tracker.config[:rails][:serve_static_assets]
+  end
+end

data/lib/brakeman/checks/check_filter_skipping.rb

@@ -14,7 +14,7 @@ class Brakeman::CheckFilterSkipping < Brakeman::BaseCheck
         :warning_code => :CVE_2011_2929,
         :message => "Versions before 3.0.10 have a vulnerability which allows filters to be bypassed: CVE-2011-2929",
         :confidence => CONFIDENCE[:high],
-        :file => gemfile_or_environment,
+        :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/NCCsca7TEtY/discussion"
     end
   end

data/lib/brakeman/checks/check_forgery_setting.rb

@@ -37,7 +37,7 @@ class Brakeman::CheckForgerySetting < Brakeman::BaseCheck
         :warning_code => :CVE_2011_0447,
         :message => "CSRF protection is flawed in unpatched versions of Rails #{tracker.config[:rails_version]} (CVE-2011-0447). Upgrade to 2.3.11 or apply patches as needed",
         :confidence => CONFIDENCE[:high],
-        :file => gemfile_or_environment,
+        :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/LZWjzCPgNmU/discussion"
 
     elsif version_between? "3.0.0", "3.0.3"
@@ -47,7 +47,7 @@ class Brakeman::CheckForgerySetting < Brakeman::BaseCheck
         :warning_code => :CVE_2011_0447,
         :message => "CSRF protection is flawed in unpatched versions of Rails #{tracker.config[:rails_version]} (CVE-2011-0447). Upgrade to 3.0.4 or apply patches as needed",
         :confidence => CONFIDENCE[:high],
-        :file => gemfile_or_environment,
+        :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/LZWjzCPgNmU/discussion"
     end
   end

data/lib/brakeman/checks/check_header_dos.rb

@@ -19,7 +19,7 @@ class Brakeman::CheckHeaderDoS < Brakeman::BaseCheck
         :warning_code => :CVE_2013_6414,
         :message => message,
         :confidence => CONFIDENCE[:med],
-        :file => gemfile_or_environment,
+        :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/msg/ruby-security-ann/A-ebV4WxzKg/KNPTbX8XAQUJ"
     end
   end

data/lib/brakeman/checks/check_i18n_xss.rb

@@ -8,8 +8,7 @@ class Brakeman::CheckI18nXSS < Brakeman::BaseCheck
   def run_check
     if (version_between? "3.0.6", "3.2.15" or version_between? "4.0.0", "4.0.1") and not has_workaround?
       message = "Rails #{tracker.config[:rails_version]} has an XSS vulnerability in i18n (CVE-2013-4491). Upgrade to Rails version "
-
-      i18n_gem = tracker.config[:gems][:i18n]
+      i18n_gem = tracker.config[:gems][:i18n][:version] if tracker.config[:gems][:i18n]
 
       if version_between? "3.0.6", "3.1.99" and version_before i18n_gem, "0.5.1"
         message << "3.2.16 or i18n 0.5.1"
@@ -23,7 +22,7 @@ class Brakeman::CheckI18nXSS < Brakeman::BaseCheck
         :warning_code => :CVE_2013_4491,
         :message => message,
         :confidence => CONFIDENCE[:med],
-        :file => gemfile_or_environment,
+        :gem_info => gemfile_or_environment(:i18n),
         :link_path => "https://groups.google.com/d/msg/ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ"
     end
   end

data/lib/brakeman/checks/check_jruby_xml.rb

@@ -32,7 +32,7 @@ class Brakeman::CheckJRubyXML < Brakeman::BaseCheck
       :warning_code => :CVE_2013_1856,
       :message => "Rails #{tracker.config[:rails_version]} with JRuby has a vulnerability in XML parser: upgrade to #{fix_version} or patch",
       :confidence => CONFIDENCE[:high],
-      :file => gemfile_or_environment,
+      :gem_info => gemfile_or_environment,
       :link => "https://groups.google.com/d/msg/rubyonrails-security/KZwsQbYsOiI/5kUV7dSCJGwJ"
   end
 end

data/lib/brakeman/checks/check_json_parsing.rb

@@ -21,12 +21,17 @@ class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
                     end
 
       message = "Rails #{tracker.config[:rails_version]} has a serious JSON parsing vulnerability: upgrade to #{new_version} or patch"
+      if uses_yajl?
+        gem_info = gemfile_or_environment(:yajl)
+      else
+        gem_info = gemfile_or_environment
+      end
 
       warn :warning_type => "Remote Code Execution",
         :warning_code => :CVE_2013_0333,
         :message => message,
         :confidence => CONFIDENCE[:high],
-        :file => gemfile_or_environment,
+        :gem_info => gem_info,
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/1h2DR63ViGo/discussion"
     end
   end
@@ -55,8 +60,8 @@ class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
 
   def check_cve_2013_0269
     [:json, :json_pure].each do |name|
-      version = tracker.config[:gems] && tracker.config[:gems][name]
-      check_json_version name, version if version
+      gem_hash = tracker.config[:gems][name] if tracker.config[:gems]
+      check_json_version name, gem_hash[:version] if gem_hash and gem_hash[:version]
     end
   end
 
@@ -90,7 +95,7 @@ class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
       :warning_code => :CVE_2013_0269,
       :message => message,
       :confidence => confidence,
-      :file => gemfile_or_environment,
+      :gem_info => gemfile_or_environment(name),
       :link => "https://groups.google.com/d/topic/rubyonrails-security/4_YvCpLzL58/discussion"
   end
 

data/lib/brakeman/checks/check_mail_to.rb

@@ -24,7 +24,7 @@ class Brakeman::CheckMailTo < Brakeman::BaseCheck
         :warning_code => :CVE_2011_0446,
         :message => message,
         :confidence => CONFIDENCE[:high],
-        :file => gemfile_or_environment,
+        :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/8CpI7egxX4E/discussion"
     end
   end

data/lib/brakeman/checks/check_nested_attributes.rb

@@ -23,7 +23,7 @@ class Brakeman::CheckNestedAttributes < Brakeman::BaseCheck
         :warning_code => :CVE_2010_3933,
         :message => message,
         :confidence => CONFIDENCE[:high],
-        :file => gemfile_or_environment,
+        :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/-fkT0yja_gw/discussion"
     end
   end