brakeman 3.1.1 → 3.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7a5cc8e49df767622714791bc13b5d32717b23e9
-  data.tar.gz: 433d3fccd753f8f51795e34b2a7d1b6e54387023
+  metadata.gz: 4d7d20b349b33016522595eb63c5ef4cc0e257fa
+  data.tar.gz: 9dd081fae534c5ffb2f42f63178cdba9b912a27d
 SHA512:
-  metadata.gz: 07264b78f6664f20e8a989998b1bac98d2235ab5324d69ba490ca0a49cafd7acf5f999f2a472eaa026a6dc0879059955302a08cb03338f5967acf13a6deebe5d
-  data.tar.gz: 0c591fe4bc92ec53608dd11dd62592f1ab3f37de5b65c8d76020f6412c19ff816d5f526a74ef4bfe4edabd197c39ababb8824739127c1b1f39db3a4c3a0d359b
+  metadata.gz: 889ad360ae4655bfff280157ca45ff548945fa8f3cf6f6d03333f0e04ac107d3489015cd0d837ecb0b0f8ea55fd985243f7d57e87d99d15c0ca76f8d0647ac81
+  data.tar.gz: a45beea309a50f727dc2a3d25628b89f5344126d8fc5231ca219fab4e4d601dbaee871bc8008aad006895a221415715ea5b5063bc00c01dedcb65ab012fb14b1

data/CHANGES

@@ -1,3 +1,21 @@
+# 3.1.2
+
+* Treat `current_user` like a model
+* Set user input value for inline renders
+* Avoid warning on inline renders with safe content types
+* Handle empty interpolation in HAML filters
+* Ignore filters that are not method names
+* Avoid warning about model find/find_by* in hrefs
+* Use SafeYAML to load configuration files
+* Warn on SQL query keys, not values in hashes
+* Allow inspection of recursive Sexps
+* Add line numbers to class-level warnings
+* Handle `private def ...`
+* Catch divide-by-zero in alias processing
+* Reduce string allocations in Warning#initialize
+* Sortable tables in HTML report (David Lanner)
+* Search for config file relative to application root
+
 # 3.1.1
 
 * Add optional check for use of MD5 and SHA1

data/lib/brakeman.rb

@@ -1,5 +1,5 @@
 require 'rubygems'
-require 'yaml'
+require 'safe_yaml/load'
 require 'set'
 
 module Brakeman
@@ -73,7 +73,7 @@ module Brakeman
       options.delete :quiet
     end
 
-    options = default_options.merge(load_options(options[:config_file], options[:quiet])).merge(options)
+    options = default_options.merge(load_options(options)).merge(options)
 
     if options[:quiet].nil? and not command_line
       options[:quiet] = true
@@ -85,17 +85,15 @@ module Brakeman
     options
   end
 
-  CONFIG_FILES = [
-    File.expand_path("./config/brakeman.yml"),
-    File.expand_path("~/.brakeman/config.yml"),
-    File.expand_path("/etc/brakeman/config.yml")
-  ]
-
   #Load options from YAML file
-  def self.load_options custom_location, quiet
+  def self.load_options line_options
+    custom_location = line_options[:config_file]
+    quiet = line_options[:quiet]
+    app_path = line_options[:app_path]
+
     #Load configuration file
-    if config = config_file(custom_location)
-      options = YAML.load_file config
+    if config = config_file(custom_location, app_path)
+      options = SafeYAML.load_file config, :deserialize_symbols => true
 
       if options
         options.each { |k, v| options[k] = Set.new v if v.is_a? Array }
@@ -115,8 +113,14 @@ module Brakeman
     end
   end
 
-  def self.config_file custom_location = nil
-    supported_locations = [File.expand_path(custom_location || "")] + CONFIG_FILES
+  CONFIG_FILES = [
+    File.expand_path("~/.brakeman/config.yml"),
+    File.expand_path("/etc/brakeman/config.yml")
+  ]
+
+  def self.config_file custom_location, app_path
+    app_config = File.expand_path(File.join(app_path, "config", "brakeman.yml"))
+    supported_locations = [File.expand_path(custom_location || ""), app_config] + CONFIG_FILES
     supported_locations.detect {|f| File.file?(f) }
   end
 

data/lib/brakeman/checks/base_check.rb

@@ -404,6 +404,8 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
 
     if exp.is_a? Symbol
       @models.include? exp
+    elsif call? exp and exp.target.nil? and exp.method == :current_user
+      true
     elsif sexp? exp
       @models.include? class_name(exp)
     else

data/lib/brakeman/checks/check_content_tag.rb

@@ -102,7 +102,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
         :warning_type => "Cross Site Scripting",
         :warning_code => :xss_content_tag,
         :message => message,
-        :user_input => input.match,
+        :user_input => input,
         :confidence => CONFIDENCE[:high],
         :link_path => "content_tag"
 
@@ -136,7 +136,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
         :warning_type => "Cross Site Scripting",
         :warning_code => :xss_content_tag,
         :message => message,
-        :user_input => @matched.match,
+        :user_input => @matched,
         :confidence => CONFIDENCE[:med],
         :link_path => "content_tag"
     end

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -199,7 +199,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
             :warning_code => warning_code,
             :message => message,
             :code => exp,
-            :user_input => @matched.match,
+            :user_input => @matched,
             :confidence => confidence,
             :link_path => link_path
         end
@@ -340,7 +340,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
   def ignore_call? target, method
     ignored_method?(target, method) or
     safe_input_attribute?(target, method) or
-    ignored_model_method?(method) or
+    ignored_model_method?(target, method) or
     form_builder_method?(target, method) or
     haml_escaped?(target, method) or
     boolean_method?(method) or
@@ -348,10 +348,10 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
     xml_escaped?(target, method)
   end
 
-  def ignored_model_method? method
-    @matched and
-    @matched.type == :model and
-    IGNORE_MODEL_METHODS.include? method
+  def ignored_model_method? target, method
+    ((@matched and @matched.type == :model) or
+       model_name? target) and
+       IGNORE_MODEL_METHODS.include? method
   end
 
   def ignored_method? target, method

data/lib/brakeman/checks/check_deserialize.rb

@@ -49,7 +49,7 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
         :warning_type => "Remote Code Execution",
         :warning_code => :unsafe_deserialize,
         :message => message,
-        :user_input => input.match,
+        :user_input => input,
         :confidence => confidence,
         :link_path => "unsafe_deserialization"
     end

data/lib/brakeman/checks/check_evaluation.rb

@@ -29,7 +29,7 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
         :warning_code => :code_eval,
         :message => "User input in eval",
         :code => result[:call],
-        :user_input => input.match,
+        :user_input => input,
         :confidence => CONFIDENCE[:high]
     end
   end

data/lib/brakeman/checks/check_execute.rb

@@ -63,7 +63,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
         :warning_code => :command_injection,
         :message => "Possible command injection",
         :code => call,
-        :user_input => failure.match,
+        :user_input => failure,
         :confidence => confidence
     end
   end
@@ -75,7 +75,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
           :warning_type => "Command Injection",
           :warning_code => :command_injection,
           :message => "Possible command injection in open()",
-          :user_input => match.match,
+          :user_input => match,
           :confidence => CONFIDENCE[:high]
       end
     end
@@ -111,10 +111,8 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
 
     if input = include_user_input?(exp)
       confidence = CONFIDENCE[:high]
-      user_input = input.match
     elsif input = dangerous?(exp)
       confidence = CONFIDENCE[:med]
-      user_input = input
     else
       return
     end
@@ -124,7 +122,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
       :warning_code => :command_injection,
       :message => "Possible command injection",
       :code => exp,
-      :user_input => user_input,
+      :user_input => input,
       :confidence => confidence
   end
 

data/lib/brakeman/checks/check_file_access.rb

@@ -57,7 +57,7 @@ class Brakeman::CheckFileAccess < Brakeman::BaseCheck
         :message => message,
         :confidence => confidence,
         :code => call,
-        :user_input => match.match
+        :user_input => match
     end
   end
 end

data/lib/brakeman/checks/check_forgery_setting.rb

@@ -28,7 +28,8 @@ class Brakeman::CheckForgerySetting < Brakeman::BaseCheck
         :warning_code => :csrf_protection_missing,
         :message => "'protect_from_forgery' should be called in ApplicationController",
         :confidence => CONFIDENCE[:high],
-        :file => app_controller.file
+        :file => app_controller.file,
+        :line => app_controller.top_line
 
     elsif version_between? "2.1.0", "2.3.10"
 

data/lib/brakeman/checks/check_link_to.rb

@@ -70,7 +70,7 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
 
     message = "Unescaped #{friendly_type_of input} in link_to"
 
-    warn_xss(result, message, input.match, CONFIDENCE[:high])
+    warn_xss(result, message, input, CONFIDENCE[:high])
   end
 
   # Check if we should warn about the specified method
@@ -93,7 +93,7 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
 
     message = "Unescaped #{friendly_type_of matched} in link_to"
 
-    warn_xss(result, message, @matched.match, CONFIDENCE[:med])
+    warn_xss(result, message, @matched, CONFIDENCE[:med])
   end
 
   # Create a warn for this xss

data/lib/brakeman/checks/check_link_to_href.rb

@@ -51,11 +51,11 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
           :warning_type => "Cross Site Scripting", 
           :warning_code => :xss_link_to_href,
           :message => message,
-          :user_input => input.match,
+          :user_input => input,
           :confidence => CONFIDENCE[:high],
           :link_path => "link_to_href"
       end
-    elsif has_immediate_model? url_arg
+    elsif has_immediate_model? url_arg or model_find_call? url_arg
 
       # Decided NOT warn on models.  polymorphic_path is called it a model is 
       # passed to link_to (which passes it to url_for)
@@ -84,7 +84,7 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
           :warning_type => "Cross Site Scripting", 
           :warning_code => :xss_link_to_href,
           :message => message,
-          :user_input => @matched.match,
+          :user_input => @matched,
           :confidence => CONFIDENCE[:med],
           :link_path => "link_to_href"
       end
@@ -105,4 +105,11 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
       method.to_s =~ /_path$/ or
       (target.nil? and method.to_s =~ /_url$/)
   end
+
+  def model_find_call? exp
+    return unless call? exp
+
+    MODEL_METHODS.include? exp.method or
+      exp.method.to_s =~ /^find_by_/
+  end
 end

data/lib/brakeman/checks/check_mass_assignment.rb

@@ -80,16 +80,14 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
           else
             confidence = CONFIDENCE[:high]
           end
-          user_input = input.match
         else
           confidence = CONFIDENCE[:low]
-          user_input = input.match
         end
       elsif node_type? call.first_arg, :lit, :str
         return
       else
         confidence = CONFIDENCE[:low]
-        user_input = nil
+        input = nil
       end
 
       warn :result => res,
@@ -97,7 +95,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
         :warning_code => :mass_assign_call,
         :message => "Unprotected mass assignment",
         :code => call,
-        :user_input => user_input,
+        :user_input => input,
         :confidence => confidence
     end
 

data/lib/brakeman/checks/check_model_attributes.rb

@@ -56,6 +56,7 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
         if model.attr_protected.nil?
           warn :model => name,
             :file => model.file,
+            :line => model.top_line,
             :warning_type => "Attribute Restriction",
             :warning_code => :no_attr_accessible,
             :message => "Mass assignment is not restricted using attr_accessible",

data/lib/brakeman/checks/check_model_serialize.rb

@@ -60,7 +60,8 @@ class Brakeman::CheckModelSerialize < Brakeman::BaseCheck
         :message => "Serialized attributes are vulnerable in Rails #{rails_version}, upgrade to #{@upgrade_version} or patch.",
         :confidence => confidence,
         :link => "https://groups.google.com/d/topic/rubyonrails-security/KtmwSbEpzrU/discussion",
-        :file => model.file
+        :file => model.file,
+        :line => model.top_line
     end
   end
 end

data/lib/brakeman/checks/check_number_to_currency.rb

@@ -50,7 +50,6 @@ class Brakeman::CheckNumberToCurrency < Brakeman::BaseCheck
 
   def check_helper_option result, exp
     if match = (has_immediate_user_input? exp or has_immediate_model? exp)
-      match = match.match if match.is_a? Match
       warn_on_number_helper result, match
       @found_any = true
     else

data/lib/brakeman/checks/check_redirect.rb

@@ -53,7 +53,7 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
         :warning_code => :open_redirect,
         :message => "Possible unprotected redirect",
         :code => call,
-        :user_input => res.match,
+        :user_input => res,
         :confidence => confidence
     end
   end

data/lib/brakeman/checks/check_regex_dos.rb

@@ -52,7 +52,7 @@ class Brakeman::CheckRegexDoS < Brakeman::BaseCheck
           :warning_code => :regex_dos,
           :message => message,
           :confidence => confidence,
-          :user_input => match.match
+          :user_input => match
       end
     end
   end

data/lib/brakeman/checks/check_render.rb

@@ -55,7 +55,7 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
         :warning_type => "Dynamic Render Path",
         :warning_code => :dynamic_render_path,
         :message => message,
-        :user_input => input.match,
+        :user_input => input,
         :confidence => confidence
     end
   end

data/lib/brakeman/checks/check_render_inline.rb

@@ -20,23 +20,35 @@ class Brakeman::CheckRenderInline < Brakeman::CheckCrossSiteScripting
     if node_type? call, :render and
       (call.render_type == :text or call.render_type == :inline)
 
-      render_value = call[2]
-
-      if input = has_immediate_user_input?(render_value)
-        warn :result => result,
-          :warning_type => "Cross Site Scripting",
-          :warning_code => :cross_site_scripting_inline,
-          :message => "Unescaped #{friendly_type_of input} rendered inline",
-          :code => input.match,
-          :confidence => CONFIDENCE[:high]
-      elsif input = has_immediate_model?(render_value)
-        warn :result => result,
-          :warning_type => "Cross Site Scripting",
-          :warning_code => :cross_site_scripting_inline,
-          :message => "Unescaped model attribute rendered inline",
-          :code => input,
-          :confidence => CONFIDENCE[:med]
+      unless call.render_type == :text and content_type_set? call[3]
+        render_value = call[2]
+
+        if input = has_immediate_user_input?(render_value)
+          warn :result => result,
+            :warning_type => "Cross Site Scripting",
+            :warning_code => :cross_site_scripting_inline,
+            :message => "Unescaped #{friendly_type_of input} rendered inline",
+            :user_input => input,
+            :confidence => CONFIDENCE[:high]
+        elsif input = has_immediate_model?(render_value)
+          warn :result => result,
+            :warning_type => "Cross Site Scripting",
+            :warning_code => :cross_site_scripting_inline,
+            :message => "Unescaped model attribute rendered inline",
+            :user_input => input,
+            :confidence => CONFIDENCE[:med]
+        end
       end
     end
   end
+
+  CONTENT_TYPES = ["text/html", "text/javascript", "application/javascript"]
+
+  def content_type_set? opts
+    if hash? opts
+      content_type = hash_access(opts, :content_type)
+
+      string? content_type and not CONTENT_TYPES.include? content_type.value
+    end
+  end
 end

data/lib/brakeman/checks/check_select_tag.rb

@@ -52,7 +52,7 @@ class Brakeman::CheckSelectTag < Brakeman::BaseCheck
           :result => result,
           :message => @message,
           :confidence => CONFIDENCE[:high],
-          :user_input => input.match,
+          :user_input => input,
           :link_path => "https://groups.google.com/d/topic/rubyonrails-security/fV3QUToSMSw/discussion"
       end
     end

data/lib/brakeman/checks/check_send.rb

@@ -30,7 +30,7 @@ class Brakeman::CheckSend < Brakeman::BaseCheck
         :warning_code => :dangerous_send,
         :message => "User controlled method execution",
         :code => result[:call],
-        :user_input => input.match,
+        :user_input => input,
         :confidence => CONFIDENCE[:high]
     end
   end

data/lib/brakeman/checks/check_session_manipulation.rb

@@ -29,7 +29,7 @@ class Brakeman::CheckSessionManipulation < Brakeman::BaseCheck
         :warning_code => :session_key_manipulation,
         :message => "#{friendly_type_of(input).capitalize} used as key in session hash",
         :code => result[:call],
-        :user_input => input.match,
+        :user_input => input,
         :confidence => confidence
     end
   end