brakeman 3.0.3 → 3.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e55f96d8f4f9e61787c157081f95ce9a7d184e28
-  data.tar.gz: b39b72c6ae5a2216355c6e894bffd4fb2728bc75
+  metadata.gz: 671edf90c9a6617a03edf1680468156fae6669c8
+  data.tar.gz: bcf565963e0fb72c20abcafd66354080ebba9f12
 SHA512:
-  metadata.gz: 29fdaef9d8895acd4ba3a375f3c0bf2f8347d68d0e635cdf9f5e8d3e8757d7595f48abaa33fcfee6d8603c5f805900c23b6f99435fa8c04c7d143dedbe319de5
-  data.tar.gz: f260fb5a25e2c72ef69dbdc2dc6bacc0b11e68810233c4f51e168af4264d4bfa8d958633a684f69a6c3fe4ceb3fcceefdc390f8b5339fc616b39f00d44a7a716
+  metadata.gz: 7b692920e4a22fd864319fb72c91aa4f44fb5c7d64744844f733ca242e927eb6c2495f6e66a901f6b7244830cdcb30dfb51b04a13fe17475c2ac66c74a40dd7d
+  data.tar.gz: a94d30896765f99e633b6be8e2897bee0046daf07135a6d2099a3e8476a8d925973278efc7266e1ed241a8d630f5002a60ee01de0c77c11d141859cba66a83bf

data/CHANGES

@@ -1,3 +1,10 @@
+# 3.0.4
+
+* Add check for CVE-2015-3226 (XSS via JSON keys)
+* Add check for CVE-2015-3227 (XML DoS)
+* Treat `<%==` as unescaped output
+* Update `ruby_parser` dependency to 3.7.0
+
 # 3.0.3
 
 * Ignore more Arel methods in SQL

data/README.md

@@ -1,4 +1,4 @@
-![Brakeman Logo](http://brakemanscanner.org/images/logo_medium.png)
+[![Brakeman Logo](http://brakemanscanner.org/images/logo_medium.png)](http://brakemanscanner.org/)
 
 [![Travis CI
 Status](https://secure.travis-ci.org/presidentbeef/brakeman.png)](https://travis-ci.org/presidentbeef/brakeman)
@@ -9,55 +9,35 @@ Climate](https://codeclimate.com/github/presidentbeef/brakeman.png)](https://cod
 
 Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
 
-It works with Rails 2.x, 3.x, and 4.x.
-
-There is also a [plugin available](http://brakemanscanner.org/docs/jenkins/) for Jenkins/Hudson.
-
-For even more continuous testing, try the [Guard plugin](https://github.com/guard/guard-brakeman).
-
-# Homepage/News
-
-Website: http://brakemanscanner.org/
-
-Twitter: http://twitter.com/brakeman
-
-Mailing list: brakeman@librelist.com
-
 # Installation
 
 Using RubyGems:
 
     gem install brakeman
 
-Using Bundler, add to development group in Gemfile and set to not be required automatically:
+Using Bundler:
 
     group :development do
       gem 'brakeman', :require => false
     end
 
-From source:
+# Usage
 
-    gem build brakeman.gemspec
-    gem install brakeman*.gem
+From a Rails application's root directory:
 
-## For Slim Users
+    brakeman
 
-[Slim v3.0.0](https://github.com/slim-template/slim/blob/master/CHANGES#L12) dropped support for Ruby 1.8.7. Install a version of [`slim`](http://slim-lang.com/) compatible with your Ruby.
+Outside of Rails root:
 
-| Ruby Version |       `Gemfile`       |              Command Line              |
-|--------------|-----------------------|----------------------------------------|
-| Ruby 1.8.7   | `gem 'slim', '< 3.0'` | `$ gem install slim --version '< 3.0'` |
-| Ruby 1.9+    | `gem 'slim'`          | `$ gem install slim`                   |
+    brakeman /path/to/rails/application
 
-# Usage
+# Compatibility
 
-    brakeman [app_path]
-
-It is simplest to run Brakeman from the root directory of the Rails application. A path may also be supplied.
+Brakeman works with Rails 2.x, 3.x, and 4.x.
 
 # Basic Options
 
-For a full list of options, use `brakeman --help` or see the OPTIONS.md file.
+For a full list of options, use `brakeman --help` or see the [OPTIONS.md](OPTIONS.md) file.
 
 To specify an output file for the results:
 
@@ -118,7 +98,7 @@ To create and manage this file, use:
 
 # Warning information
 
-See WARNING\_TYPES for more information on the warnings reported by this tool.
+See [WARNING\_TYPES](WARNING_TYPES) for more information on the warnings reported by this tool.
 
 # Warning context
 
@@ -150,6 +130,28 @@ The default config locations are `./config/brakeman.yml`, `~/.brakeman/config.ym
 
 The `-c` option can be used to specify a configuration file to use.
 
+# For Slim Users
+
+[Slim v3.0.0](https://github.com/slim-template/slim/blob/master/CHANGES#L12) dropped support for Ruby 1.8.7. Install a version of [`slim`](http://slim-lang.com/) compatible with your Ruby.
+
+| Ruby Version |       `Gemfile`       |              Command Line              |
+|--------------|-----------------------|----------------------------------------|
+| Ruby 1.8.7   | `gem 'slim', '< 3.0'` | `$ gem install slim --version '< 3.0'` |
+| Ruby 1.9+    | `gem 'slim'`          | `$ gem install slim`                   |
+
+# Continuous Integration
+
+There is a [plugin available](http://brakemanscanner.org/docs/jenkins/) for Jenkins/Hudson.
+
+For even more continuous testing, try the [Guard plugin](https://github.com/guard/guard-brakeman).
+
+# Building
+
+    git clone git://github.com/presidentbeef/brakeman.git
+    cd brakeman
+    gem build brakeman.gemspec
+    gem install brakeman*.gem
+
 # Who is Using Brakeman?
 
 * [Code Climate](https://codeclimate.com/)
@@ -160,6 +162,14 @@ The `-c` option can be used to specify a configuration file to use.
 
 [..and more!](http://brakemanscanner.org/brakeman_users)
 
+# Homepage/News
+
+Website: http://brakemanscanner.org/
+
+Twitter: http://twitter.com/brakeman
+
+Mailing list: brakeman@librelist.com
+
 # License
 
-see MIT-LICENSE
+see [MIT-LICENSE](MIT-LICENSE)

data/lib/brakeman/checks/check_json_encoding.rb

@@ -0,0 +1,47 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckJSONEncoding < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for missing JSON encoding (CVE-2015-3226)"
+
+  def run_check
+    if (version_between? "4.1.0", "4.1.10" or version_between? "4.2.0", "4.2.1") and not has_workaround?
+      message = "Rails #{tracker.config[:rails_version]} does not encode JSON keys (CVE-2015-3226). Upgrade to Rails version "
+
+      if version_between? "4.1.0", "4.1.10"
+        message << "4.1.11"
+      else
+        message << "4.2.2"
+      end
+
+      if tracker.find_call(:methods => [:to_json, :encode]).any?
+        confidence = CONFIDENCE[:high]
+      else
+        confidence = CONFIDENCE[:med]
+      end
+
+      warn :warning_type => "Cross Site Scripting",
+        :warning_code => :CVE_2015_3226,
+        :message => message,
+        :confidence => confidence,
+        :gem_info => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/msg/rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ"
+    end
+  end
+
+  def has_workaround?
+    workaround = s(:module, :ActiveSupport,
+                   s(:module, :JSON,
+                     s(:module, :Encoding,
+                       s(:call, nil, :private),
+                       s(:class, :EscapedString, nil,
+                         s(:defn, :to_s,
+                           s(:args),
+                           s(:self))))))
+
+    tracker.initializers.any? do |name, initializer|
+      initializer == workaround
+    end
+  end
+end

data/lib/brakeman/checks/check_sql.rb

@@ -41,7 +41,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     Brakeman.debug "Finding possible SQL calls using constantized()"
     calls.concat tracker.find_call(:methods => @sql_targets).select { |result| constantize_call? result }
 
-    connect_targets = active_record_models.keys + [nil, :"ActiveRecord::Base"]
+    connect_targets = active_record_models.keys + [:connection, :"ActiveRecord::Base"]
     calls.concat tracker.find_call(:targets => connect_targets, :methods => @connection_calls, :chained => true).select { |result| connect_call? result }
 
     Brakeman.debug "Finding calls to named_scope or scope"

data/lib/brakeman/checks/check_xml_dos.rb

@@ -0,0 +1,43 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckXMLDoS < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for XML denial of service (CVE-2015-3227)"
+
+  def run_check
+    fix_version = case
+                  when version_between?("4.1.0", "4.1.10")
+                    "4.1.11"
+                  when version_between?("4.2.0", "4.2.1")
+                    "4.2.2"
+                  when version_between?("4.1.11", "4.1.99")
+                    return
+                  when version_between?("4.2.2", "9.9.9")
+                    return
+                  when has_workaround?
+                    return
+                  else
+                    "4.2.2"
+                  end
+
+    message = "Rails #{tracker.config[:rails_version]} is vulnerable to denial of service via XML parsing (CVE-2015-3227). Upgrade to Rails version #{fix_version}"
+
+    warn :warning_type => "Denial of Service",
+      :warning_code => :CVE_2015_3227,
+      :message => message,
+      :confidence => CONFIDENCE[:med],
+      :gem_info => gemfile_or_environment,
+      :link_path => "repos/canvas-lms/config/application.rb"
+  end
+
+  def has_workaround?
+    tracker.check_initializers(:"ActiveSupport::XmlMini", :backend=).any? do |match|
+      arg = match.call.first_arg
+      if string? arg
+        value = arg.value
+        value == 'Nokogiri' or value == 'LibXML'
+      end
+    end
+  end
+end

data/lib/brakeman/processors/erubis_template_processor.rb

@@ -80,6 +80,11 @@ class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
 
         if arg.node_type == :str
           ignore
+        elsif exp.method == :safe_append=
+          s = Sexp.new :output, arg
+          s.line(exp.line)
+          @current_template[:outputs] << s
+          s
         else
           s = Sexp.new :escaped_output, arg
           s.line(exp.line)

data/lib/brakeman/processors/lib/find_all_calls.rb

@@ -152,6 +152,8 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
   def get_chain call
     if node_type? call, :call, :attrasgn
       get_chain(call.target) + [call.method]
+    elsif call.nil?
+      []
     else
       [get_target(call)]
     end

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "3.0.3"
+  Version = "3.0.4"
 end

data/lib/brakeman/warning_codes.rb

@@ -88,6 +88,8 @@ module Brakeman::WarningCodes
     :cross_site_scripting_inline => 84,
     :CVE_2014_7829 => 85,
     :csrf_not_protected_by_raising_exception => 86,
+    :CVE_2015_3226 => 87,
+    :CVE_2015_3227 => 88,
   }
 
   def self.code name

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-  version: 3.0.3
+  version: 3.0.4
 platform: ruby
 authors:
 - Justin Collins
@@ -30,7 +30,7 @@ cert_chain:
   bxoxp9KNxkO+709YwLO1rYfmcGghg8WV6MYz3PSHdlgWF4KrjRFc/00hXHqVk0Sf
   mREEv2LPwHH2SgpSSab+iawnX4l6lV8XcIrmp/HSMySsPVFBeOmB0c05LpEN8w==
   -----END CERTIFICATE-----
-date: 2015-04-30 00:00:00.000000000 Z
+date: 2015-06-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: test-unit
@@ -52,14 +52,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.6.2
+        version: 3.7.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.6.2
+        version: 3.7.0
 - !ruby/object:Gem::Dependency
   name: ruby2ruby
   requirement: !ruby/object:Gem::Requirement
@@ -215,6 +215,7 @@ files:
 - lib/brakeman/checks/check_header_dos.rb
 - lib/brakeman/checks/check_i18n_xss.rb
 - lib/brakeman/checks/check_jruby_xml.rb
+- lib/brakeman/checks/check_json_encoding.rb
 - lib/brakeman/checks/check_json_parsing.rb
 - lib/brakeman/checks/check_link_to.rb
 - lib/brakeman/checks/check_link_to_href.rb
@@ -253,6 +254,7 @@ files:
 - lib/brakeman/checks/check_unscoped_find.rb
 - lib/brakeman/checks/check_validation_regex.rb
 - lib/brakeman/checks/check_without_protection.rb
+- lib/brakeman/checks/check_xml_dos.rb
 - lib/brakeman/checks/check_yaml_parsing.rb
 - lib/brakeman/differ.rb
 - lib/brakeman/file_parser.rb