brakeman 3.0.2 → 3.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d05a06e338f3309b5430c67decda380b5bccd1e9
-  data.tar.gz: 79f70db112bdbcfa605b841f8375adeff1480220
+  metadata.gz: e55f96d8f4f9e61787c157081f95ce9a7d184e28
+  data.tar.gz: b39b72c6ae5a2216355c6e894bffd4fb2728bc75
 SHA512:
-  metadata.gz: 2b2d46615e3e2c2510db8d14eebea2c9da264eb2580e3307f2b7a176d4718447a637ba30898d009871df313dc775d9f0d0c0a17c8993db08b0cd1d947f8fb490
-  data.tar.gz: f046fd2458e86d5986149e3b6af15b611e992cae6c9cb5b65624a56ea1ead3faddc55b04e989f0060cf6445e1f1cf2b2a912dc00172faf207f3ea4a88bf7f6ab
+  metadata.gz: 29fdaef9d8895acd4ba3a375f3c0bf2f8347d68d0e635cdf9f5e8d3e8757d7595f48abaa33fcfee6d8603c5f805900c23b6f99435fa8c04c7d143dedbe319de5
+  data.tar.gz: f260fb5a25e2c72ef69dbdc2dc6bacc0b11e68810233c4f51e168af4264d4bfa8d958633a684f69a6c3fe4ceb3fcceefdc390f8b5339fc616b39f00d44a7a716

data/CHANGES

@@ -1,3 +1,14 @@
+# 3.0.3
+
+* Ignore more Arel methods in SQL
+* Warn about protect_from_forgery without exceptions (Neil Matatall)
+* Handle lambdas as filters
+* Ignore quoted_table_name in SQL (Gabriel Sobrinho)
+* Warn about RCE and file access with `open`
+* Handle array include? guard conditionals
+* Do not ignore targets of `to_s` in SQL
+* Add Rake task to exit with error code on warnings (masarakki)
+
 # 3.0.2
 
 * Alias process methods called in class scope on models

data/lib/brakeman/brakeman.rake

@@ -7,4 +7,11 @@ namespace :brakeman do
     files = args[:output_files].split(' ') if args[:output_files]
     Brakeman.run :app_path => ".", :output_files => files, :print_report => true
   end
+
+  desc "Check your code with Brakeman"
+  task :check do
+    require 'brakeman'
+    result = Brakeman.run app_path: '.', print_report: true
+    exit Brakeman::Warnings_Found_Exit_Code unless result.filtered_warnings.empty?
+  end
 end

data/lib/brakeman/checks/check_execute.rb

@@ -22,10 +22,12 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
     Brakeman.debug "Finding system calls using ``"
     check_for_backticks tracker
 
+    check_open_calls
+
     Brakeman.debug "Finding other system calls"
     calls = tracker.find_call :targets => [:IO, :Open3, :Kernel, :'POSIX::Spawn', :Process, nil],
       :methods => [:capture2, :capture2e, :capture3, :exec, :pipeline, :pipeline_r,
-        :pipeline_rw, :pipeline_start, :pipeline_w, :popen, :popen2, :popen2e, 
+        :pipeline_rw, :pipeline_start, :pipeline_w, :popen, :popen2, :popen2e,
         :popen3, :spawn, :syscall, :system]
 
     Brakeman.debug "Processing system calls"
@@ -57,7 +59,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
       end
 
       warn :result => result,
-        :warning_type => "Command Injection", 
+        :warning_type => "Command Injection",
         :warning_code => :command_injection,
         :message => "Possible command injection",
         :code => call,
@@ -66,6 +68,30 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
     end
   end
 
+  def check_open_calls
+    tracker.find_call(:targets => [nil, :Kernel], :method => :open).each do |result|
+      if match = dangerous_open_arg?(result[:call].first_arg)
+        warn :result => result,
+          :warning_type => "Command Injection",
+          :warning_code => :command_injection,
+          :message => "Possible command injection in open()",
+          :user_input => match.match,
+          :confidence => CONFIDENCE[:high]
+      end
+    end
+  end
+
+  def dangerous_open_arg? exp
+    if node_type? exp, :string_interp, :dstr
+      # Check for input at start of string
+      exp[1] == "" and
+        node_type? exp[2], :evstr, :string_eval and
+        has_immediate_user_input? exp[2]
+    else
+      has_immediate_user_input? exp
+    end
+  end
+
   #Looks for calls using backticks such as
   #
   # `rm -rf #{params[:file]}`

data/lib/brakeman/checks/check_file_access.rb

@@ -12,6 +12,7 @@ class Brakeman::CheckFileAccess < Brakeman::BaseCheck
     methods = tracker.find_call :targets => [:Dir, :File, :IO, :Kernel, :"Net::FTP", :"Net::HTTP", :PStore, :Pathname, :Shell], :methods => [:[], :chdir, :chroot, :delete, :entries, :foreach, :glob, :install, :lchmod, :lchown, :link, :load, :load_file, :makedirs, :move, :new, :open, :read, :readlines, :rename, :rmdir, :safe_unlink, :symlink, :syscopy, :sysopen, :truncate, :unlink]
 
     methods.concat tracker.find_call :target => :YAML, :methods => [:load_file, :parse_file]
+    methods.concat tracker.find_call :target => nil, :method => [:open]
 
     Brakeman.debug "Finding calls to load()"
     methods.concat tracker.find_call :target => false, :method => :load

data/lib/brakeman/checks/check_forgery_setting.rb

@@ -52,6 +52,24 @@ class Brakeman::CheckForgerySetting < Brakeman::BaseCheck
         :confidence => CONFIDENCE[:high],
         :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/LZWjzCPgNmU/discussion"
+    elsif version_between? "4.0.0", "100.0.0" and forgery_opts = app_controller[:options][:protect_from_forgery]
+
+      unless forgery_opts.is_a?(Array) and sexp?(forgery_opts.first) and
+          access_arg = hash_access(forgery_opts.first.first_arg, :with) and access_arg.value == :exception
+
+        args = {
+          :controller => :ApplicationController,
+          :warning_type => "Cross-Site Request Forgery",
+          :warning_code => :csrf_not_protected_by_raising_exception,
+          :message => "protect_from_forgery should be configured with 'with: :exception'",
+          :confidence => CONFIDENCE[:med],
+          :file => app_controller[:files].first
+        }
+
+        args.merge!(:code => forgery_opts.first) if forgery_opts.is_a?(Array)
+
+        warn args
+      end
     end
   end
 end

data/lib/brakeman/checks/check_sql.rb

@@ -431,6 +431,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       unless IGNORE_METHODS_IN_SQL.include? exp.method
         if has_immediate_user_input? exp or has_immediate_model? exp
           exp
+        elsif exp.method == :to_s
+          find_dangerous_value exp.target, ignore_hash
         else
           check_call exp
         end
@@ -545,11 +547,11 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     string_building? exp.first_arg
   end
 
-  IGNORE_METHODS_IN_SQL = Set[:id, :merge_conditions, :table_name, :to_i, :to_f,
+  IGNORE_METHODS_IN_SQL = Set[:id, :merge_conditions, :table_name, :quoted_table_name, :to_i, :to_f,
     :sanitize_sql, :sanitize_sql_array, :sanitize_sql_for_assignment,
     :sanitize_sql_for_conditions, :sanitize_sql_hash,
     :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
-    :to_sql, :sanitize, :exists, :primary_key, :table_name_prefix, :table_name_suffix]
+    :to_sql, :sanitize, :primary_key, :table_name_prefix, :table_name_suffix]
 
   def safe_value? exp
     return true unless sexp? exp
@@ -563,6 +565,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       else
         IGNORE_METHODS_IN_SQL.include? exp.method or
         quote_call? exp or
+        arel? exp or
         exp.method.to_s.end_with? "_id"
       end
     when :if
@@ -586,6 +589,12 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     end
   end
 
+  AREL_METHODS = [:not, :and, :or, :exists, :join_sources, :arel_table, :gt, :lt, :on, :eq, :eq_any, :where]
+
+  def arel? exp
+    call? exp and (AREL_METHODS.include? exp.method or arel? exp.target)
+  end
+
   #Check call for string building
   def check_call exp
     return unless call? exp

data/lib/brakeman/processors/alias_processor.rb

@@ -465,6 +465,19 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     exp
   end
 
+  # Check if exp is a call to Array#include? on an array literal
+  # that contains all literal values. For example:
+  #
+  #    [1, 2, "a"].include? x
+  #
+  def array_include_all_literals? exp
+    call? exp and
+    exp.method == :include? and
+    node_type? exp.target, :array and
+    exp.target.length > 1 and
+    exp.target.all? { |e| e.is_a? Symbol or node_type? e, :lit, :str }
+  end
+
   #Sets @inside_if = true
   def process_if exp
     if @ignore_ifs.nil?
@@ -498,7 +511,17 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         scope do
           @branch_env = env.current
           branch_index = 2 + i # s(:if, condition, then_branch, else_branch)
-          exp[branch_index] = process_if_branch branch
+          if i == 0 and array_include_all_literals? condition
+            # If the condition is ["a", "b"].include? x
+            # set x to "a" inside the true branch
+            var = condition.first_arg
+            previous_value = env.current[var]
+            env.current[var] = condition.target[1]
+            exp[branch_index] = process_if_branch branch
+            env.current[var] = previous_value
+          else
+            exp[branch_index] = process_if_branch branch
+          end
           branch_scopes << env.current
           @branch_env = nil
         end

data/lib/brakeman/processors/controller_processor.rb

@@ -158,9 +158,17 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
         when :include
           @current_class[:includes] << class_name(first_arg) if @current_class
         when :before_filter, :append_before_filter, :before_action, :append_before_action
-          @current_class[:options][:before_filters] << exp
+          if node_type? exp.first_arg, :iter
+            add_lambda_filter exp
+          else
+            @current_class[:options][:before_filters] << exp
+          end
         when :prepend_before_filter, :prepend_before_action
-          @current_class[:options][:before_filters].unshift exp
+          if node_type? exp.first_arg, :iter
+            add_lambda_filter exp
+          else
+            @current_class[:options][:before_filters].unshift exp
+          end
         when :skip_before_filter, :skip_filter, :skip_before_action, :skip_action_callback
           @current_class[:options][:skip_filters] << exp
         when :layout
@@ -311,4 +319,25 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     process before_filter_call
     exp
   end
+
+  def add_lambda_filter exp
+    # Convert into regular block call
+    e = exp.dup
+    lambda_node = e.delete_at(3)
+    result = Sexp.new(:iter, e).line(e.line)
+
+    # Add block arguments
+    if node_type? lambda_node[2], :args
+      result << lambda_node[2].last
+    else
+      result << s(:args)
+    end
+
+    # Add block contents
+    if sexp? lambda_node[3]
+      result << lambda_node[3]
+    end
+
+    add_fake_filter result
+  end
 end

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "3.0.2"
+  Version = "3.0.3"
 end

data/lib/brakeman/warning_codes.rb

@@ -87,6 +87,7 @@ module Brakeman::WarningCodes
     :CVE_2011_2932 => 83,
     :cross_site_scripting_inline => 84,
     :CVE_2014_7829 => 85,
+    :csrf_not_protected_by_raising_exception => 86,
   }
 
   def self.code name

data/lib/ruby_parser/bm_sexp_processor.rb

@@ -29,6 +29,12 @@ class Brakeman::SexpProcessor
 
   attr_reader :env
 
+  # Cache process methods per class
+
+  def self.processors
+    @processors ||= {}
+  end
+
   ##
   # Creates a new SexpProcessor.  Use super to invoke this
   # initializer from SexpProcessor subclasses, then use the
@@ -37,15 +43,14 @@ class Brakeman::SexpProcessor
 
   def initialize
     @expected            = Sexp
-
-    # we do this on an instance basis so we can subclass it for
-    # different processors.
-    @processors = {}
+    @processors = self.class.processors
     @context    = []
 
-    public_methods.each do |name|
-      if name.to_s.start_with? "process_" then
-        @processors[name[8..-1].to_sym] = name.to_sym
+    if @processors.empty?
+      public_methods.each do |name|
+        if name.to_s.start_with? "process_" then
+          @processors[name[8..-1].to_sym] = name.to_sym
+        end
       end
     end
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-  version: 3.0.2
+  version: 3.0.3
 platform: ruby
 authors:
 - Justin Collins
@@ -30,7 +30,7 @@ cert_chain:
   bxoxp9KNxkO+709YwLO1rYfmcGghg8WV6MYz3PSHdlgWF4KrjRFc/00hXHqVk0Sf
   mREEv2LPwHH2SgpSSab+iawnX4l6lV8XcIrmp/HSMySsPVFBeOmB0c05LpEN8w==
   -----END CERTIFICATE-----
-date: 2015-03-09 00:00:00.000000000 Z
+date: 2015-04-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: test-unit
@@ -345,7 +345,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 2.4.5
 signing_key: 
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.