brakeman 3.0.3 → 3.0.4

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: e55f96d8f4f9e61787c157081f95ce9a7d184e28
4
- data.tar.gz: b39b72c6ae5a2216355c6e894bffd4fb2728bc75
3
+ metadata.gz: 671edf90c9a6617a03edf1680468156fae6669c8
4
+ data.tar.gz: bcf565963e0fb72c20abcafd66354080ebba9f12
5
5
  SHA512:
6
- metadata.gz: 29fdaef9d8895acd4ba3a375f3c0bf2f8347d68d0e635cdf9f5e8d3e8757d7595f48abaa33fcfee6d8603c5f805900c23b6f99435fa8c04c7d143dedbe319de5
7
- data.tar.gz: f260fb5a25e2c72ef69dbdc2dc6bacc0b11e68810233c4f51e168af4264d4bfa8d958633a684f69a6c3fe4ceb3fcceefdc390f8b5339fc616b39f00d44a7a716
6
+ metadata.gz: 7b692920e4a22fd864319fb72c91aa4f44fb5c7d64744844f733ca242e927eb6c2495f6e66a901f6b7244830cdcb30dfb51b04a13fe17475c2ac66c74a40dd7d
7
+ data.tar.gz: a94d30896765f99e633b6be8e2897bee0046daf07135a6d2099a3e8476a8d925973278efc7266e1ed241a8d630f5002a60ee01de0c77c11d141859cba66a83bf
checksums.yaml.gz.sig CHANGED
Binary file
data.tar.gz.sig CHANGED
Binary file
data/CHANGES CHANGED
@@ -1,3 +1,10 @@
1
+ # 3.0.4
2
+
3
+ * Add check for CVE-2015-3226 (XSS via JSON keys)
4
+ * Add check for CVE-2015-3227 (XML DoS)
5
+ * Treat `<%==` as unescaped output
6
+ * Update `ruby_parser` dependency to 3.7.0
7
+
1
8
  # 3.0.3
2
9
 
3
10
  * Ignore more Arel methods in SQL
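Review bot: the changelog omits the behaviour change in `check_sql.rb`, where the `nil` entry in `connect_targets` is replaced by `:connection`, and the related `get_chain` change in `find_all_calls.rb` that makes a nil receiver yield an empty chain. Both alter which SQL calls are collected and can change the set of warnings reported between 3.0.3 and 3.0.4, so a bullet describing the revised matching of `connection` receivers would help users diagnose differences in their results after upgrading.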
data/README.md CHANGED
@@ -1,4 +1,4 @@
1
- ![Brakeman Logo](http://brakemanscanner.org/images/logo_medium.png)
1
+ [![Brakeman Logo](http://brakemanscanner.org/images/logo_medium.png)](http://brakemanscanner.org/)
2
2
 
3
3
  [![Travis CI
4
4
  Status](https://secure.travis-ci.org/presidentbeef/brakeman.png)](https://travis-ci.org/presidentbeef/brakeman)
@@ -9,55 +9,35 @@ Climate](https://codeclimate.com/github/presidentbeef/brakeman.png)](https://cod
9
9
 
10
10
  Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
11
11
 
12
- It works with Rails 2.x, 3.x, and 4.x.
13
-
14
- There is also a [plugin available](http://brakemanscanner.org/docs/jenkins/) for Jenkins/Hudson.
15
-
16
- For even more continuous testing, try the [Guard plugin](https://github.com/guard/guard-brakeman).
17
-
18
- # Homepage/News
19
-
20
- Website: http://brakemanscanner.org/
21
-
22
- Twitter: http://twitter.com/brakeman
23
-
24
- Mailing list: brakeman@librelist.com
25
-
26
12
  # Installation
27
13
 
28
14
  Using RubyGems:
29
15
 
30
16
  gem install brakeman
31
17
 
32
- Using Bundler, add to development group in Gemfile and set to not be required automatically:
18
+ Using Bundler:
33
19
 
34
20
  group :development do
35
21
  gem 'brakeman', :require => false
36
22
  end
37
23
 
38
- From source:
24
+ # Usage
39
25
 
40
- gem build brakeman.gemspec
41
- gem install brakeman*.gem
26
+ From a Rails application's root directory:
42
27
 
43
- ## For Slim Users
28
+ brakeman
44
29
 
45
- [Slim v3.0.0](https://github.com/slim-template/slim/blob/master/CHANGES#L12) dropped support for Ruby 1.8.7. Install a version of [`slim`](http://slim-lang.com/) compatible with your Ruby.
30
+ Outside of Rails root:
46
31
 
47
- | Ruby Version | `Gemfile` | Command Line |
48
- |--------------|-----------------------|----------------------------------------|
49
- | Ruby 1.8.7 | `gem 'slim', '< 3.0'` | `$ gem install slim --version '< 3.0'` |
50
- | Ruby 1.9+ | `gem 'slim'` | `$ gem install slim` |
32
+ brakeman /path/to/rails/application
51
33
 
52
- # Usage
34
+ # Compatibility
53
35
 
54
- brakeman [app_path]
55
-
56
- It is simplest to run Brakeman from the root directory of the Rails application. A path may also be supplied.
36
+ Brakeman works with Rails 2.x, 3.x, and 4.x.
57
37
 
58
38
  # Basic Options
59
39
 
60
- For a full list of options, use `brakeman --help` or see the OPTIONS.md file.
40
+ For a full list of options, use `brakeman --help` or see the [OPTIONS.md](OPTIONS.md) file.
61
41
 
62
42
  To specify an output file for the results:
63
43
 
@@ -118,7 +98,7 @@ To create and manage this file, use:
118
98
 
119
99
  # Warning information
120
100
 
121
- See WARNING\_TYPES for more information on the warnings reported by this tool.
101
+ See [WARNING\_TYPES](WARNING_TYPES) for more information on the warnings reported by this tool.
122
102
 
123
103
  # Warning context
124
104
 
@@ -150,6 +130,28 @@ The default config locations are `./config/brakeman.yml`, `~/.brakeman/config.ym
150
130
 
151
131
  The `-c` option can be used to specify a configuration file to use.
152
132
 
133
+ # For Slim Users
134
+
135
+ [Slim v3.0.0](https://github.com/slim-template/slim/blob/master/CHANGES#L12) dropped support for Ruby 1.8.7. Install a version of [`slim`](http://slim-lang.com/) compatible with your Ruby.
136
+
137
+ | Ruby Version | `Gemfile` | Command Line |
138
+ |--------------|-----------------------|----------------------------------------|
139
+ | Ruby 1.8.7 | `gem 'slim', '< 3.0'` | `$ gem install slim --version '< 3.0'` |
140
+ | Ruby 1.9+ | `gem 'slim'` | `$ gem install slim` |
141
+
142
+ # Continuous Integration
143
+
144
+ There is a [plugin available](http://brakemanscanner.org/docs/jenkins/) for Jenkins/Hudson.
145
+
146
+ For even more continuous testing, try the [Guard plugin](https://github.com/guard/guard-brakeman).
147
+
148
+ # Building
149
+
150
+ git clone git://github.com/presidentbeef/brakeman.git
151
+ cd brakeman
152
+ gem build brakeman.gemspec
153
+ gem install brakeman*.gem
154
+
153
155
  # Who is Using Brakeman?
154
156
 
155
157
  * [Code Climate](https://codeclimate.com/)
@@ -160,6 +162,14 @@ The `-c` option can be used to specify a configuration file to use.
160
162
 
161
163
  [..and more!](http://brakemanscanner.org/brakeman_users)
162
164
 
165
+ # Homepage/News
166
+
167
+ Website: http://brakemanscanner.org/
168
+
169
+ Twitter: http://twitter.com/brakeman
170
+
171
+ Mailing list: brakeman@librelist.com
172
+
163
173
  # License
164
174
 
165
- see MIT-LICENSE
175
+ see [MIT-LICENSE](MIT-LICENSE)
@@ -0,0 +1,47 @@
1
+ require 'brakeman/checks/base_check'
2
+
3
+ class Brakeman::CheckJSONEncoding < Brakeman::BaseCheck
4
+ Brakeman::Checks.add self
5
+
6
+ @description = "Checks for missing JSON encoding (CVE-2015-3226)"
7
+
8
+ def run_check
9
+ if (version_between? "4.1.0", "4.1.10" or version_between? "4.2.0", "4.2.1") and not has_workaround?
10
+ message = "Rails #{tracker.config[:rails_version]} does not encode JSON keys (CVE-2015-3226). Upgrade to Rails version "
11
+
12
+ if version_between? "4.1.0", "4.1.10"
13
+ message << "4.1.11"
14
+ else
15
+ message << "4.2.2"
16
+ end
17
+
18
+ if tracker.find_call(:methods => [:to_json, :encode]).any?
19
+ confidence = CONFIDENCE[:high]
20
+ else
21
+ confidence = CONFIDENCE[:med]
22
+ end
23
+
24
+ warn :warning_type => "Cross Site Scripting",
25
+ :warning_code => :CVE_2015_3226,
26
+ :message => message,
27
+ :confidence => confidence,
28
+ :gem_info => gemfile_or_environment,
29
+ :link_path => "https://groups.google.com/d/msg/rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ"
30
+ end
31
+ end
32
+
33
+ def has_workaround?
34
+ workaround = s(:module, :ActiveSupport,
35
+ s(:module, :JSON,
36
+ s(:module, :Encoding,
37
+ s(:call, nil, :private),
38
+ s(:class, :EscapedString, nil,
39
+ s(:defn, :to_s,
40
+ s(:args),
41
+ s(:self))))))
42
+
43
+ tracker.initializers.any? do |name, initializer|
44
+ initializer == workaround
45
+ end
46
+ end
47
+ end
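Review bot: `has_workaround?` only recognises the workaround when an entire initializer file is structurally equal to the hard-coded `workaround` Sexp, because the test is `initializer == workaround`. An initializer that also contains anything else, that nests the modules differently (for example `module ActiveSupport::JSON::Encoding`), or that omits the `private` call will not match, and the application is then reported as unpatched with the CVE-2015-3226 warning even though it is patched. Consider searching each initializer for a `:class` node named `EscapedString` whose `to_s` body is `s(:self)` rather than requiring whole-file equality, and add a fixture with the workaround placed alongside unrelated code. A second, smaller point: `message` is built with `<<` on a string literal, which works here but would raise if the file is ever run with frozen string literals; `+` or interpolation avoids that.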
@@ -41,7 +41,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
41
41
  Brakeman.debug "Finding possible SQL calls using constantized()"
42
42
  calls.concat tracker.find_call(:methods => @sql_targets).select { |result| constantize_call? result }
43
43
 
44
- connect_targets = active_record_models.keys + [nil, :"ActiveRecord::Base"]
44
+ connect_targets = active_record_models.keys + [:connection, :"ActiveRecord::Base"]
45
45
  calls.concat tracker.find_call(:targets => connect_targets, :methods => @connection_calls, :chained => true).select { |result| connect_call? result }
46
46
 
47
47
  Brakeman.debug "Finding calls to named_scope or scope"
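Review bot: dropping `nil` from `connect_targets` means calls with no receiver at all are no longer collected by this `find_call`, while adding `:connection` (with `:chained => true`) picks up chains that end in `connection`. That narrowing looks intentional, but it silently changes which `execute`-style calls the SQL check inspects, and it depends on the `get_chain` change in `find_all_calls.rb` below returning `[]` for a nil receiver. The two hunks should be landed and tested together, with one test for `connection.execute(...)` inside a model and one for a bare `execute(...)`, so the intended outcome for each form is documented.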
@@ -0,0 +1,43 @@
1
+ require 'brakeman/checks/base_check'
2
+
3
+ class Brakeman::CheckXMLDoS < Brakeman::BaseCheck
4
+ Brakeman::Checks.add self
5
+
6
+ @description = "Checks for XML denial of service (CVE-2015-3227)"
7
+
8
+ def run_check
9
+ fix_version = case
10
+ when version_between?("4.1.0", "4.1.10")
11
+ "4.1.11"
12
+ when version_between?("4.2.0", "4.2.1")
13
+ "4.2.2"
14
+ when version_between?("4.1.11", "4.1.99")
15
+ return
16
+ when version_between?("4.2.2", "9.9.9")
17
+ return
18
+ when has_workaround?
19
+ return
20
+ else
21
+ "4.2.2"
22
+ end
23
+
24
+ message = "Rails #{tracker.config[:rails_version]} is vulnerable to denial of service via XML parsing (CVE-2015-3227). Upgrade to Rails version #{fix_version}"
25
+
26
+ warn :warning_type => "Denial of Service",
27
+ :warning_code => :CVE_2015_3227,
28
+ :message => message,
29
+ :confidence => CONFIDENCE[:med],
30
+ :gem_info => gemfile_or_environment,
31
+ :link_path => "repos/canvas-lms/config/application.rb"
32
+ end
33
+
34
+ def has_workaround?
35
+ tracker.check_initializers(:"ActiveSupport::XmlMini", :backend=).any? do |match|
36
+ arg = match.call.first_arg
37
+ if string? arg
38
+ value = arg.value
39
+ value == 'Nokogiri' or value == 'LibXML'
40
+ end
41
+ end
42
+ end
43
+ end
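Review bot: `:link_path` in `run_check` is set to `"repos/canvas-lms/config/application.rb"`, which looks like a path left over from local testing rather than a reference for CVE-2015-3227; it should point at the advisory, as `CheckJSONEncoding` does with its Google Groups link. Second, the `else` branch of the `case` assigns `"4.2.2"` for every version outside the 4.1 and 4.2 ranges, so a Rails 3.x or 4.0.x application without the `XmlMini` backend workaround is told to upgrade to 4.2.2 at medium confidence; if those lines are meant to be covered, the message should name the fix appropriate to them, and if not, they should `return` like the patched ranges do. The `"4.1.99"` and `"9.9.9"` sentinels are also fragile upper bounds; an open-ended comparison, if `version_between?` or the base check supports one, would be clearer than a made-up ceiling.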
@@ -80,6 +80,11 @@ class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
80
80
 
81
81
  if arg.node_type == :str
82
82
  ignore
83
+ elsif exp.method == :safe_append=
84
+ s = Sexp.new :output, arg
85
+ s.line(exp.line)
86
+ @current_template[:outputs] << s
87
+ s
83
88
  else
84
89
  s = Sexp.new :escaped_output, arg
85
90
  s.line(exp.line)
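Review bot: the new `safe_append=` branch duplicates the body of the `else` branch that follows it, differing only in the node type (`:output` versus `:escaped_output`); computing the node type first and sharing the `Sexp.new`, `line` and `<<` sequence, or extracting a small helper that takes the type, would keep the two paths from drifting. The ordering is correct: the `:str` check still comes first, so literal strings emitted through `<%==` continue to be ignored rather than reported as unescaped output.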
@@ -152,6 +152,8 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
152
152
  def get_chain call
153
153
  if node_type? call, :call, :attrasgn
154
154
  get_chain(call.target) + [call.method]
155
+ elsif call.nil?
156
+ []
155
157
  else
156
158
  [get_target(call)]
157
159
  end
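Review bot: the `elsif call.nil?` branch changes `get_chain` so that a receiverless call now yields `[]` instead of `[get_target(nil)]`, which affects every caller that matches on `:targets` with `:chained => true`, not only the SQL check. Testing `call.nil?` first, before `node_type?`, would make the intent (nil marks the end of the chain) explicit and avoid relying on `node_type?` tolerating a nil argument; a unit test for `get_chain` on `s(:call, nil, :connection)` expecting `[:connection]` would pin the new behaviour.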
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "3.0.3"
2
+ Version = "3.0.4"
3
3
  end
@@ -88,6 +88,8 @@ module Brakeman::WarningCodes
88
88
  :cross_site_scripting_inline => 84,
89
89
  :CVE_2014_7829 => 85,
90
90
  :csrf_not_protected_by_raising_exception => 86,
91
+ :CVE_2015_3226 => 87,
92
+ :CVE_2015_3227 => 88,
91
93
  }
92
94
 
93
95
  def self.code name
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: brakeman
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.0.3
4
+ version: 3.0.4
5
5
  platform: ruby
6
6
  authors:
7
7
  - Justin Collins
@@ -30,7 +30,7 @@ cert_chain:
30
30
  bxoxp9KNxkO+709YwLO1rYfmcGghg8WV6MYz3PSHdlgWF4KrjRFc/00hXHqVk0Sf
31
31
  mREEv2LPwHH2SgpSSab+iawnX4l6lV8XcIrmp/HSMySsPVFBeOmB0c05LpEN8w==
32
32
  -----END CERTIFICATE-----
33
- date: 2015-04-30 00:00:00.000000000 Z
33
+ date: 2015-06-18 00:00:00.000000000 Z
34
34
  dependencies:
35
35
  - !ruby/object:Gem::Dependency
36
36
  name: test-unit
@@ -52,14 +52,14 @@ dependencies:
52
52
  requirements:
53
53
  - - "~>"
54
54
  - !ruby/object:Gem::Version
55
- version: 3.6.2
55
+ version: 3.7.0
56
56
  type: :runtime
57
57
  prerelease: false
58
58
  version_requirements: !ruby/object:Gem::Requirement
59
59
  requirements:
60
60
  - - "~>"
61
61
  - !ruby/object:Gem::Version
62
- version: 3.6.2
62
+ version: 3.7.0
63
63
  - !ruby/object:Gem::Dependency
64
64
  name: ruby2ruby
65
65
  requirement: !ruby/object:Gem::Requirement
@@ -215,6 +215,7 @@ files:
215
215
  - lib/brakeman/checks/check_header_dos.rb
216
216
  - lib/brakeman/checks/check_i18n_xss.rb
217
217
  - lib/brakeman/checks/check_jruby_xml.rb
218
+ - lib/brakeman/checks/check_json_encoding.rb
218
219
  - lib/brakeman/checks/check_json_parsing.rb
219
220
  - lib/brakeman/checks/check_link_to.rb
220
221
  - lib/brakeman/checks/check_link_to_href.rb
@@ -253,6 +254,7 @@ files:
253
254
  - lib/brakeman/checks/check_unscoped_find.rb
254
255
  - lib/brakeman/checks/check_validation_regex.rb
255
256
  - lib/brakeman/checks/check_without_protection.rb
257
+ - lib/brakeman/checks/check_xml_dos.rb
256
258
  - lib/brakeman/checks/check_yaml_parsing.rb
257
259
  - lib/brakeman/differ.rb
258
260
  - lib/brakeman/file_parser.rb
metadata.gz.sig CHANGED
Binary file