brakeman 3.1.0 → 3.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5db4cee0910ab76ab868345145436bbf8817ab04
-  data.tar.gz: 7633c66f5638aadb0ee5a1619755ee17e5a92ad0
+  metadata.gz: 7a5cc8e49df767622714791bc13b5d32717b23e9
+  data.tar.gz: 433d3fccd753f8f51795e34b2a7d1b6e54387023
 SHA512:
-  metadata.gz: 28a4089b017d8ee189a47b0597b18fa567637eb14d79caeea1beb1963ca17aa6761353d9ce557927516a5ec1d07b7e362c375b24e5893d84b1de5bc9041595cf
-  data.tar.gz: ea2a2b35fc4c7b6777cea07a9297bfcd32abe5ceaf476f7872efd845e8fcedb713ca91a128c31452ef148965945d1412d78c09c9c78cfe4e95aa24a5f07048c0
+  metadata.gz: 07264b78f6664f20e8a989998b1bac98d2235ab5324d69ba490ca0a49cafd7acf5f999f2a472eaa026a6dc0879059955302a08cb03338f5967acf13a6deebe5d
+  data.tar.gz: 0c591fe4bc92ec53608dd11dd62592f1ab3f37de5b65c8d76020f6412c19ff816d5f526a74ef4bfe4edabd197c39ababb8824739127c1b1f39db3a4c3a0d359b

data/CHANGES

@@ -1,3 +1,17 @@
+# 3.1.1
+
+* Add optional check for use of MD5 and SHA1
+* Avoid warning when linking to decorated models
+* Add check for user input in session keys
+* Fix chained assignment
+* Treat a.try(&:b) like a.b()
+* Consider j/escape_javascript safe inside HAML JavaScript blocks
+* Better HAML processing of find_and_preserve calls
+* Add more Arel methods to be ignored in SQL
+* Fix absolute paths for Windows (Cody Frederick)
+* Support newer terminal-table releases
+* Allow searching call index methods by regex (Alex Ianus)
+
 # 3.1.0
 
 * Add support for gems.rb/gems.locked

data/lib/brakeman/call_index.rb

@@ -98,9 +98,12 @@ class Brakeman::CallIndex
       @calls_by_method[call[:method]] ||= []
       @calls_by_method[call[:method]] << call
 
-      unless call[:target].is_a? Sexp
+      if not call[:target].is_a? Sexp
         @calls_by_target[call[:target]] ||= []
         @calls_by_target[call[:target]] << call
+      elsif call[:target].node_type == :params or call[:target].node_type == :session
+        @calls_by_target[call[:target].node_type] ||= []
+        @calls_by_target[call[:target].node_type] << call
       end
     end
   end
@@ -139,6 +142,8 @@ class Brakeman::CallIndex
   def calls_by_method method
     if method.is_a? Array
       calls_by_methods method
+    elsif method.is_a? Regexp
+      calls_by_methods_regex method
     else
       @calls_by_method[method.to_sym] || []
     end
@@ -155,6 +160,14 @@ class Brakeman::CallIndex
     calls
   end
 
+  def calls_by_methods_regex methods_regex
+    calls = []
+    @calls_by_method.each do |key, value|
+      calls.concat value if key.to_s.match methods_regex
+    end
+    calls
+  end
+
   def calls_with_no_target
     @calls_by_target[nil] || []
   end

data/lib/brakeman/checks/check_link_to_href.rb

@@ -91,6 +91,15 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
     end
   end
 
+  def ignore_call? target, method
+    decorated_model? method or super
+  end
+
+  def decorated_model? method
+    tracker.config.has_gem? :draper and
+      method == :decorate
+  end
+
   def ignored_method? target, method
     @ignore_methods.include? method or
       method.to_s =~ /_path$/ or

data/lib/brakeman/checks/check_session_manipulation.rb

@@ -0,0 +1,36 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckSessionManipulation < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Check for user input in session keys"
+
+  def run_check
+    tracker.find_call(:method => :[]=, :target => :session).each do |result|
+      process_result result
+    end
+  end
+
+  def process_result result
+    return if duplicate? result or result[:call].original_line
+    add_result result
+
+    index = result[:call].first_arg
+
+    if input = has_immediate_user_input?(index)
+      if params? index
+        confidence = CONFIDENCE[:high]
+      else
+        confidence = CONFIDENCE[:med]
+      end
+
+      warn :result => result,
+        :warning_type => "Session Manipulation",
+        :warning_code => :session_key_manipulation,
+        :message => "#{friendly_type_of(input).capitalize} used as key in session hash",
+        :code => result[:call],
+        :user_input => input.match,
+        :confidence => confidence
+    end
+  end
+end

data/lib/brakeman/checks/check_sql.rb

@@ -585,7 +585,9 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     end
   end
 
-  AREL_METHODS = [:not, :and, :or, :exists, :join_sources, :arel_table, :gt, :lt, :on, :eq, :eq_any, :where]
+  AREL_METHODS = [:all, :and, :arel_table, :as, :eq, :eq_any, :exists, :group,
+                  :gt, :gteq, :having, :in, :join_sources, :limit, :lt, :lteq, :not,
+                  :not_eq, :on, :or, :order, :project, :skip, :take, :where, :with]
 
   def arel? exp
     call? exp and (AREL_METHODS.include? exp.method or arel? exp.target)

data/lib/brakeman/checks/check_weak_hash.rb

@@ -0,0 +1,152 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckWeakHash < Brakeman::BaseCheck
+  Brakeman::Checks.add_optional self
+
+  @description = "Checks for use of weak hashes like MD5"
+
+  DIGEST_CALLS = [:base64digest, :digest, :hexdigest, :new]
+
+  def run_check
+    tracker.find_call(:targets => [:'Digest::MD5', :'Digest::SHA1', :'OpenSSL::Digest::MD5', :'OpenSSL::Digest::SHA1'], :nested => true).each do |result|
+      process_hash_result result
+    end
+
+    tracker.find_call(:target => :'Digest::HMAC', :methods => [:new, :hexdigest], :nested => true).each do |result|
+      process_hmac_result result
+    end
+
+    tracker.find_call(:targets => [:'OpenSSL::Digest::Digest', :'OpenSSL::Digest'], :method => :new).each do |result|
+      process_openssl_result result
+    end
+  end
+
+  def process_hash_result result
+    return if duplicate? result
+    add_result result
+
+    input = nil
+    call = result[:call]
+
+    if DIGEST_CALLS.include? call.method
+      if input = user_input_as_arg?(call)
+        input = input.match
+        confidence = CONFIDENCE[:high]
+      elsif input = hashing_password?(call)
+        confidence = CONFIDENCE[:high]
+      else
+        confidence = CONFIDENCE[:med]
+      end
+    else
+      confidence = CONFIDENCE[:med]
+    end
+
+
+    alg = case call.target.last
+          when :MD5
+           " (MD5)"
+           when :SHA1
+            " (SHA1)"
+          else
+            ""
+          end
+
+    warn :result => result,
+      :warning_type => "Weak Hash",
+      :warning_code => :weak_hash_digest,
+      :message => "Weak hashing algorithm#{alg} used",
+      :confidence => confidence,
+      :user_input => input
+  end
+
+  def process_hmac_result result
+    return if duplicate? result
+    add_result result
+
+    call = result[:call]
+
+    alg = case call.third_arg.last
+           when :MD5
+             'MD5'
+           when :SHA1
+             'SHA1'
+           else
+             return
+           end
+
+    warn :result => result,
+      :warning_type => "Weak Hash",
+      :warning_code => :weak_hash_hmac,
+      :message => "Weak hashing algorithm (#{alg}) used in HMAC",
+      :confidence => CONFIDENCE[:med]
+  end
+
+  def process_openssl_result result
+    return if duplicate? result
+    add_result result
+
+    arg = result[:call].first_arg
+
+    if string? arg
+      alg = arg.value.upcase
+
+      if alg == 'MD5' or alg == 'SHA1'
+        warn :result => result,
+          :warning_type => "Weak Hash",
+          :warning_code => :weak_hash_digest,
+          :message => "Weak hashing algorithm (#{alg}) used",
+          :confidence => CONFIDENCE[:med]
+      end
+    end
+  end
+
+  def user_input_as_arg? call
+    call.each_arg do |arg|
+      if input = include_user_input?(arg)
+        return input
+      end
+    end
+
+    nil
+  end
+
+  def hashing_password? call
+    call.each_arg do |arg|
+      @has_password = false
+
+      process arg
+
+      if @has_password
+        return @has_password
+      end
+    end
+
+    nil
+  end
+
+  def process_call exp
+    if exp.method == :password
+      @has_password = exp
+    else
+      process_default exp
+    end
+
+    exp
+  end
+
+  def process_ivar exp
+    if exp.value == :@password
+      @has_password = exp
+    end
+
+    exp
+  end
+
+  def process_lvar exp
+    if exp.value == :password
+      @has_password = exp
+    end
+
+    exp
+  end
+end

data/lib/brakeman/processors/alias_processor.rb

@@ -274,6 +274,15 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     exp
   end
 
+  # Handles x = y = z = 1
+  def get_rhs exp
+    if node_type? exp, :lasgn, :iasgn, :gasgn, :attrasgn, :cvdecl, :cdecl
+      get_rhs(exp.rhs)
+    else
+      exp
+    end
+  end
+
   #Local assignment
   # x = 1
   def process_lasgn exp
@@ -285,9 +294,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
 
     if self_assign
       # Skip branching
-      env[local] = exp.rhs
+      env[local] = get_rhs(exp)
     else
-      set_value local, exp.rhs
+      set_value local, get_rhs(exp)
     end
 
     exp
@@ -302,12 +311,12 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
 
     if self_assign
       if env[ivar].nil? and @meth_env
-        @meth_env[ivar] = exp.rhs
+        @meth_env[ivar] = get_rhs(exp)
       else
-        env[ivar] = exp.rhs
+        env[ivar] = get_rhs(exp)
       end
     else
-      set_value ivar, exp.rhs
+      set_value ivar, get_rhs(exp)
     end
 
     exp
@@ -317,7 +326,8 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   # $x = 1
   def process_gasgn exp
     match = Sexp.new(:gvar, exp.lhs)
-    value = exp.rhs = process(exp.rhs)
+    exp.rhs = process(exp.rhs)
+    value = get_rhs(exp)
     value.line = exp.line
 
     set_value match, value
@@ -329,7 +339,8 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   # @@x = 1
   def process_cvdecl exp
     match = Sexp.new(:cvar, exp.lhs)
-    value = exp.rhs = process(exp.rhs)
+    exp.rhs = process(exp.rhs)
+    value = get_rhs(exp)
 
     set_value match, value
 
@@ -358,7 +369,8 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         env[tar_variable] = hash_insert target.deep_clone, index, value
       end
     elsif method.to_s[-1,1] == "="
-      value = exp.first_arg = process(index_arg)
+      exp.first_arg = process(index_arg)
+      value = get_rhs(exp)
       #This is what we'll replace with the value
       match = Sexp.new(:call, target, method.to_s[0..-2].to_sym)
 
@@ -478,7 +490,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       match = exp.lhs
     end
 
-    env[match] = exp.rhs
+    env[match] = get_rhs(exp)
 
     exp
   end
@@ -634,6 +646,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
 
   # Change x.send(:y, 1) to x.y(1)
   def collapse_send_call exp, first_arg
+    # Handle try(&:id)
+    if node_type? first_arg, :block_pass
+      first_arg = first_arg[1]
+    end
+
     return unless symbol? first_arg or string? first_arg
     exp.method = first_arg.value.to_sym
     args = exp.args

data/lib/brakeman/processors/haml_template_processor.rb

@@ -4,7 +4,8 @@ require 'brakeman/processors/template_processor'
 class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
   HAML_FORMAT_METHOD = /format_script_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)/
   HAML_HELPERS = s(:colon2, s(:const, :Haml), :Helpers)
-  
+  JAVASCRIPT_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Javascript)
+
   #Processes call, looking for template output
   def process_call exp
     target = exp.target
@@ -36,20 +37,31 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
               if string? out
                 ignore
               else
-                case method.to_s
-                when "push_text"
-                  build_output_from_push_text(out)
-                when HAML_FORMAT_METHOD
-                  if $4 == "true"
-                    Sexp.new :format_escaped, out
-                  else
-                    Sexp.new :format, out
-                  end
-                else
-                  raise "Unrecognized action on _hamlout: #{method}"
-                end
-              end
+                r = case method.to_s
+                    when "push_text"
+                      build_output_from_push_text(out)
+                    when HAML_FORMAT_METHOD
+                      if $4 == "true"
+                        if string_interp? out
+                          build_output_from_push_text(out, :escaped_output)
+                        else
+                          Sexp.new :format_escaped, out
+                        end
+                      else
+                        if string_interp? out
+                          build_output_from_push_text(out)
+                        else
+                          Sexp.new :format, out
+                        end
+                      end
 
+                    else
+                      raise "Unrecognized action on _hamlout: #{method}"
+                    end
+
+                @javascript = false
+                r
+              end
             end
 
       res.line(exp.line)
@@ -75,6 +87,14 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
       #Process call to render()
       exp.arglist = process exp.arglist
       make_render_in_view exp
+    elsif target == nil and method == :find_and_preserve
+      process exp.first_arg
+    elsif method == :render_with_options
+      if target == JAVASCRIPT_FILTER
+        @javascript = true
+      end
+
+      process exp.first_arg
     else
       exp.target = target
       exp.arglist = process exp.arglist
@@ -117,7 +137,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
 
   #HAML likes to put interpolated values into _hamlout.push_text
   #but we want to handle those individually
-  def build_output_from_push_text exp
+  def build_output_from_push_text exp, default = :output
     if string_interp? exp
       exp.map! do |e|
         if sexp? e
@@ -125,7 +145,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
             e = e.value
           end
 
-          get_pushed_value e
+          get_pushed_value e, default
         else
           e
         end
@@ -134,9 +154,9 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
   end
 
   #Gets outputs from values interpolated into _hamlout.push_text
-  def get_pushed_value exp
+  def get_pushed_value exp, default = :output
     return exp unless sexp? exp
-    
+
     case exp.node_type
     when :format
       exp.node_type = :output
@@ -153,8 +173,10 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     else
       if call? exp and exp.target == HAML_HELPERS and exp.method == :html_escape
         s = Sexp.new(:escaped_output, exp.first_arg)
+      elsif @javascript and call? exp and (exp.method == :j or exp.method == :escape_javascript)
+        s = Sexp.new(:escaped_output, exp.first_arg)
       else
-        s = Sexp.new(:output, exp)
+        s = Sexp.new(default, exp)
       end
 
       s.line(exp.line)

data/lib/brakeman/processors/lib/processor_helper.rb

@@ -59,32 +59,4 @@ module Brakeman::ProcessorHelper
 
     exp
   end
-
-  #Returns a class name as a Symbol.
-  #If class name cannot be determined, returns _exp_.
-  def class_name exp
-    case exp
-    when Sexp
-      case exp.node_type
-      when :const
-        exp.value
-      when :lvar
-        exp.value.to_sym
-      when :colon2
-        "#{class_name(exp.lhs)}::#{exp.rhs}".to_sym
-      when :colon3
-        "::#{exp.value}".to_sym
-      when :self
-        @current_class || @current_module || nil
-      else
-        exp
-      end
-    when Symbol
-      exp
-    when nil
-      nil
-    else
-      exp
-    end
-  end
 end

data/lib/brakeman/util.rb

@@ -45,6 +45,33 @@ module Brakeman::Util
     word + "s"
   end
 
+  #Returns a class name as a Symbol.
+  #If class name cannot be determined, returns _exp_.
+  def class_name exp
+    case exp
+    when Sexp
+      case exp.node_type
+      when :const
+        exp.value
+      when :lvar
+        exp.value.to_sym
+      when :colon2
+        "#{class_name(exp.lhs)}::#{exp.rhs}".to_sym
+      when :colon3
+        "::#{exp.value}".to_sym
+      when :self
+        @current_class || @current_module || nil
+      else
+        exp
+      end
+    when Symbol
+      exp
+    when nil
+      nil
+    else
+      exp
+    end
+  end
 
   #Takes an Sexp like
   # (:hash, (:lit, :key), (:str, "value"))
@@ -384,8 +411,9 @@ module Brakeman::Util
   end
 
   def relative_path file
-    if file and not file.empty? and file.start_with? '/'
-      Pathname.new(file).relative_path_from(Pathname.new(@tracker.app_path)).to_s
+    pname = Pathname.new file
+    if file and not file.empty? and pname.absolute?
+      pname.relative_path_from(Pathname.new(@tracker.app_path)).to_s
     else
       file
     end
@@ -434,7 +462,12 @@ module Brakeman::Util
     return "" unless table
 
     Brakeman.load_brakeman_dependency 'terminal-table'
-    output = CSV.generate_line(table.headings.cells.map{|cell| cell.to_s.strip})
+    headings = table.headings
+    if headings.is_a? Array
+      headings = headings.first
+    end
+
+    output = CSV.generate_line(headings.cells.map{|cell| cell.to_s.strip})
     table.rows.each do |row|
       output << CSV.generate_line(row.cells.map{|cell| cell.to_s.strip})
     end

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "3.1.0"
+  Version = "3.1.1"
 end

data/lib/brakeman/warning_codes.rb

@@ -90,6 +90,9 @@ module Brakeman::WarningCodes
     :csrf_not_protected_by_raising_exception => 86,
     :CVE_2015_3226 => 87,
     :CVE_2015_3227 => 88,
+    :session_key_manipulation => 89,
+    :weak_hash_digest => 90,
+    :weak_hash_hmac => 91,
   }
 
   def self.code name

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-  version: 3.1.0
+  version: 3.1.1
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2015-08-31 00:00:00.000000000 Z
+date: 2015-09-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: test-unit
@@ -65,14 +65,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.4.5
+        version: '1.4'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.4.5
+        version: '1.4'
 - !ruby/object:Gem::Dependency
   name: fastercsv
   requirement: !ruby/object:Gem::Requirement
@@ -244,6 +244,7 @@ files:
 - lib/brakeman/checks/check_select_vulnerability.rb
 - lib/brakeman/checks/check_send.rb
 - lib/brakeman/checks/check_send_file.rb
+- lib/brakeman/checks/check_session_manipulation.rb
 - lib/brakeman/checks/check_session_settings.rb
 - lib/brakeman/checks/check_simple_format.rb
 - lib/brakeman/checks/check_single_quotes.rb
@@ -258,6 +259,7 @@ files:
 - lib/brakeman/checks/check_unsafe_reflection.rb
 - lib/brakeman/checks/check_unscoped_find.rb
 - lib/brakeman/checks/check_validation_regex.rb
+- lib/brakeman/checks/check_weak_hash.rb
 - lib/brakeman/checks/check_without_protection.rb
 - lib/brakeman/checks/check_xml_dos.rb
 - lib/brakeman/checks/check_yaml_parsing.rb