brakeman 3.1.4 → 3.1.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e2f73f15176bd0a6f4d9dfcc629f2c058b30d837
-  data.tar.gz: b3eb152ea1d579034ccae53d8c0ae2a5765533af
+  metadata.gz: 449a20c68813d646031a349e4ef3144c387462f1
+  data.tar.gz: 65f2ed189a51bfc5e9b3d7bbe0d04d7fdfc8ae39
 SHA512:
-  metadata.gz: 9b576a52670e2fe3b3ae035d6f4da88c94635da2c20bab6214fdec4301ae19b30d056a8541742e6ef4abaac801214c65a6438ca94588c44d8cf5b3546602125b
-  data.tar.gz: 1d807d4acc2b35e8aaa6d938a669d953347be9aace422fdd5ce2c9fb4e6b840665b916d34cc52dee2c37d25caab0b6642e1de26b6c37cead2619f14e4cc665a0
+  metadata.gz: fe400de4fdfe2d81dc1dfab9e5ff9f0b6f8c53f4c30f868b8e605185e74a907b2932ab3dbe5b793425fd90c5e55fb3f34efdd7d755f04223939ba38d4e5bb3ef
+  data.tar.gz: 1a7e2f419f4c8a2fdfc438406700220b2aba13409a5371db909a571d7a51bde96b1a231fbcd12d19fce49b463288b4d65100d35ba7e4879ed8fd04b729a037a7

data/CHANGES

@@ -1,3 +1,22 @@
+# 3.1.5
+
+* Fix CodeClimate construction of --only-files (Will Fleming)
+* Add check for denial of service via routes (CVE-2015-7581)
+* Warn about RCE with `render params` (CVE-2016-0752)
+* Add check for `strip_tags` XSS (CVE-2015-7579)
+* Add check for `sanitize` XSS (CVE-2015-7578/80)
+* Add check for `reject_if` proc bypass (CVE-2015-7577)
+* Add check for mime-type denial of service (CVE-2016-0751)
+* Add check for basic auth timing attack (CVE-2015-7576)
+* Add initial Rails 5 support
+* Check for implict integer comparison in dynamic finders
+* Support directories better in --only-files and --skip-files (Patrick Toomey)
+* Avoid warning about `permit` in SQL
+* Handle guards using `detect`
+* Avoid warning on user input in comparisons
+* Handle module names with self methods
+* Add session manipulation documentation
+
 # 3.1.4
 
 * Emit brakeman's native fingerprints for Code Climate engine (Noah Davis)

data/README.md

@@ -3,6 +3,7 @@
 [![Build Status](https://travis-ci.org/presidentbeef/brakeman.svg?branch=master)](https://travis-ci.org/presidentbeef/brakeman)
 [![Code Climate](https://codeclimate.com/github/presidentbeef/brakeman/badges/gpa.svg)](https://codeclimate.com/github/presidentbeef/brakeman)
 [![Test Coverage](https://codeclimate.com/github/presidentbeef/brakeman/badges/coverage.svg)](https://codeclimate.com/github/presidentbeef/brakeman/coverage)
+[![Gitter](https://badges.gitter.im/presidentbeef/brakeman.svg)](https://gitter.im/presidentbeef/brakeman)
 
 # Brakeman
 
@@ -82,9 +83,9 @@ By default, Brakeman will return 0 as an exit code unless something went very wr
 
     brakeman -z
 
-To skip certain files that Brakeman may have trouble parsing, use:
+To skip certain files or directories that Brakeman may have trouble parsing, use:
 
-    brakeman --skip-files file1,file2,etc
+    brakeman --skip-files file1,/path1/,path2/
 
 To compare results of a scan with a previous scan, use the JSON output option and then:
 

data/lib/brakeman/app_tree.rb

@@ -1,3 +1,5 @@
+require 'pathname'
+
 module Brakeman
   class AppTree
     VIEW_EXTENSIONS = %w[html.erb html.haml rhtml js.erb html.slim].join(",")
@@ -10,15 +12,45 @@ module Brakeman
       # Convert files into Regexp for matching
       init_options = {}
       if options[:skip_files]
-        init_options[:skip_files] = Regexp.new("(?:" << options[:skip_files].map { |f| Regexp.escape f }.join("|") << ")$")
+        init_options[:skip_files] = regex_for_paths(options[:skip_files])
       end
+
       if options[:only_files]
-        init_options[:only_files] = Regexp.new("(?:" << options[:only_files].map { |f| Regexp.escape f }.join("|") << ")")
+        init_options[:only_files] = regex_for_paths(options[:only_files])
       end
       init_options[:additional_libs_path] = options[:additional_libs_path]
       new(root, init_options)
     end
 
+    # Accepts an array of filenames and paths with the following format and
+    # returns a Regexp to match them:
+    #   * "path1/file1.rb" - Matches a specific filename in the project directory.
+    #   * "path1/" - Matches any path that conatains "path1" in the project directory.
+    #   * "/path1/ - Matches any path that is rooted at "path1" in the project directory.
+    #
+    def self.regex_for_paths(paths)
+      path_regexes = paths.map do |f|
+        # If path ends in a file separator then we assume it is a path rather
+        # than a filename.
+        if f.end_with?(File::SEPARATOR)
+          # If path starts with a file separator then we assume that they
+          # want the project relative path to start with this path prefix.
+          if f.start_with?(File::SEPARATOR)
+            "\\A#{Regexp.escape f}"
+          # If it ends in a file separator, but does not begin with a file
+          # separator then we assume the path can match any path component in
+          # the project.
+          else
+            Regexp.escape f
+          end
+        else
+          "#{Regexp.escape f}\\z"
+        end
+      end
+      Regexp.new("(?:" << path_regexes.join("|") << ")")
+    end
+    private_class_method(:regex_for_paths)
+
     def initialize(root, init_options = {})
       @root = root
       @skip_files = init_options[:skip_files]
@@ -96,13 +128,34 @@ module Brakeman
 
     def select_only_files(paths)
       return paths unless @only_files
-      paths.select { |f| @only_files.match f }
+      project_root  = Pathname.new(@root)
+      paths.select do |path|
+        absolute_path = Pathname.new(path)
+        # relative root never has a leading separator. But, we use a leading
+        # separator in a @skip_files entry to imply that a directory is
+        # "absolute" with respect to the project directory.
+        project_relative_path = File.join(
+          File::SEPARATOR,
+          absolute_path.relative_path_from(project_root).to_s
+        )
+        @only_files.match(project_relative_path)
+      end
     end
 
     def reject_skipped_files(paths)
       return paths unless @skip_files
-      paths.reject { |f| @skip_files.match f }
+      project_root  = Pathname.new(@root)
+      paths.reject do |path|
+        absolute_path = Pathname.new(path)
+        # relative root never has a leading separator. But, we use a leading
+        # separator in a @skip_files entry to imply that a directory is
+        # "absolute" with respect to the project directory.
+        project_relative_path = File.join(
+          File::SEPARATOR,
+          absolute_path.relative_path_from(project_root).to_s
+        )
+        @skip_files.match(project_relative_path)
+      end
     end
-
   end
 end

data/lib/brakeman/checks/base_check.rb

@@ -35,6 +35,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     @mass_assign_disabled = nil
     @has_user_input = nil
     @safe_input_attributes = Set[:to_i, :to_f, :arel_table, :id]
+    @comparison_ops  = Set[:==, :!=, :>, :<, :>=, :<=]
   end
 
   #Add result to result list, which is used to check for duplicates
@@ -71,12 +72,14 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
 
   #Process calls and check if they include user input
   def process_call exp
-    process exp.target if sexp? exp.target
-    process_call_args exp
+    unless @comparison_ops.include? exp.method
+      process exp.target if sexp? exp.target
+      process_call_args exp
+    end
 
     target = exp.target
 
-    unless @safe_input_attributes.include? exp.method
+    unless always_safe_method? exp.method
       if params? target
         @has_user_input = Match.new(:params, exp)
       elsif cookies? target
@@ -123,6 +126,11 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
 
   private
 
+  def always_safe_method? meth
+    @safe_input_attributes.include? meth or
+      @comparison_ops.include? meth
+  end
+
   #Report a warning
   def warn options
     extra_opts = { :check => self.class.to_s }
@@ -286,7 +294,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   def has_immediate_user_input? exp
     if exp.nil?
       false
-    elsif call? exp and not @safe_input_attributes.include? exp.method
+    elsif call? exp and not always_safe_method? exp.method
       if params? exp
         return Match.new(:params, exp)
       elsif cookies? exp
@@ -345,7 +353,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       target = exp.target
       method = exp.method
 
-      if @safe_input_attributes.include? method
+      if always_safe_method? method
         false
       elsif call? target and not method.to_s[-1,1] == "?"
         if has_immediate_model?(target, out)

data/lib/brakeman/checks/check_basic_auth_timing_attack.rb

@@ -0,0 +1,54 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckBasicAuthTimingAttack < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Check for timing attack in basic auth (CVE-2015-7576)"
+
+  def run_check
+    @upgrade = case
+               when version_between?("0.0.0", "3.2.22")
+                 "3.2.22.1"
+               when version_between?("4.0.0", "4.1.14")
+                 "4.1.14.1"
+               when version_between?("4.2.0", "4.2.5")
+                 "4.2.5.1"
+               else
+                 return
+               end
+
+    check_basic_auth_filter
+    check_basic_auth_call
+  end
+
+  def check_basic_auth_filter
+    controllers = tracker.controllers.select do |name, c|
+      c.options[:http_basic_authenticate_with]
+    end
+
+    Hash[controllers].each do |name, controller|
+      controller.options[:http_basic_authenticate_with].each do |call|
+        warn :controller => name,
+          :warning_type => "Timing Attack",
+          :warning_code => :CVE_2015_7576,
+          :message => "Basic authentication in Rails #{rails_version} is vulnerable to timing attacks. Upgrade to #@upgrade",
+          :code => call,
+          :confidence => CONFIDENCE[:high],
+          :file => controller.file,
+          :link => "https://groups.google.com/d/msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ"
+      end
+    end
+  end
+
+  def check_basic_auth_call
+    # This is relatively unusual, but found in the wild
+    tracker.find_call(target: nil, method: :http_basic_authenticate_with).each do |result|
+      warn :result => result,
+        :warning_type => "Timing Attack",
+        :warning_code => :CVE_2015_7576,
+        :message => "Basic authentication in Rails #{rails_version} is vulnerable to timing attacks. Upgrade to #@upgrade",
+        :confidence => CONFIDENCE[:high],
+        :link => "https://groups.google.com/d/msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ"
+    end
+  end
+end

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -281,7 +281,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
   end
 
   def setup
-    @ignore_methods = Set[:button_to, :check_box, :content_tag, :escapeHTML, :escape_once,
+    @ignore_methods = Set[:==, :!=, :button_to, :check_box, :content_tag, :escapeHTML, :escape_once,
                            :field_field, :fields_for, :h, :hidden_field,
                            :hidden_field, :hidden_field_tag, :image_tag, :label,
                            :link_to, :mail_to, :radio_button, :select,
@@ -300,17 +300,23 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
       @ignore_methods << :auto_link
     end
 
-    if version_between? "2.0.0", "2.3.14"
+    if version_between? "2.0.0", "2.3.14" or tracker.config.gem_version(:'rails-html-sanitizer') == '1.0.2'
       @known_dangerous << :strip_tags
     end
 
+    if tracker.config.has_gem? :'rails-html-sanitizer' and
+       version_between? "1.0.0", "1.0.2", tracker.config.gem_version(:'rails-html-sanitizer')
+
+      @known_dangerous << :sanitize
+    end
+
     json_escape_on = false
     initializers = tracker.check_initializers :ActiveSupport, :escape_html_entities_in_json=
     initializers.each {|result| json_escape_on = true?(result.call.first_arg) }
 
     if tracker.config.escape_html_entities_in_json?
         json_escape_on = true
-    elsif version_between? "4.0.0", "5.0.0"
+    elsif version_between? "4.0.0", "9.9.9"
       json_escape_on = true
     end
 
@@ -370,7 +376,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
   end
 
   def safe_input_attribute? target, method
-    target and @safe_input_attributes.include? method
+    target and always_safe_method? method
   end
 
   def boolean_method? method

data/lib/brakeman/checks/check_dynamic_finders.rb

@@ -0,0 +1,49 @@
+require 'brakeman/checks/base_check'
+
+#This check looks for regexes that include user input.
+class Brakeman::CheckDynamicFinders < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Check unsafe usage of find_by_*"
+
+  def run_check
+    if tracker.config.has_gem? :mysql and version_between? '2.0.0', '4.1.99'
+      tracker.find_call(:method => /^find_by_/).each do |result|
+        process_result result
+      end
+    end
+  end
+
+  def process_result result
+    return if duplicate? result or result[:call].original_line
+    add_result result
+
+    call = result[:call]
+
+    if potentially_dangerous? call.method
+      call.each_arg do |arg|
+        if params? arg and not safe_call? arg
+          warn :result => result,
+            :warning_type => "SQL Injection",
+            :warning_code => :sql_injection_dynamic_finder,
+            :message => "MySQL integer conversion may cause 0 to match any string",
+            :confidence => CONFIDENCE[:med],
+            :user_input => arg
+
+          break
+        end
+      end
+    end
+  end
+
+  def safe_call? arg
+    return false unless call? arg
+
+    meth = arg.method
+    meth == :to_s or meth == :to_i
+  end
+
+  def potentially_dangerous? method_name
+    method_name.match /^find_by_.*(token|guid|password|api_key|activation|code|private|reset)/
+  end
+end

data/lib/brakeman/checks/check_mime_type_dos.rb

@@ -0,0 +1,39 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckMimeTypeDoS < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for mime type denial of service (CVE-2016-0751)"
+
+  def run_check
+    fix_version = case
+               when version_between?("3.0.0", "3.2.22")
+                 "3.2.22.1"
+               when version_between?("4.0.0", "4.1.14")
+                 "4.1.14.1"
+               when version_between?("4.2.0", "4.2.5")
+                 "4.2.5.1"
+               else
+                 return
+               end
+
+    return if has_workaround?
+
+    message = "Rails #{rails_version} is vulnerable to denial of service via mime type caching (CVE-2016-0751). Upgrade to Rails version #{fix_version}"
+
+    warn :warning_type => "Denial of Service",
+      :warning_code => :CVE_2016_0751,
+      :message => message,
+      :confidence => CONFIDENCE[:med],
+      :gem_info => gemfile_or_environment,
+      :link_path => "https://groups.google.com/d/msg/rubyonrails-security/9oLY_FCzvoc/w9oI9XxbFQAJ"
+  end
+
+  def has_workaround?
+    tracker.check_initializers(:Mime, :const_set).any? do |match|
+      arg = match.call.first_arg
+
+      symbol? arg and arg.value == :LOOKUP
+    end
+  end
+end

data/lib/brakeman/checks/check_nested_attributes_bypass.rb

@@ -0,0 +1,58 @@
+require 'brakeman/checks/base_check'
+
+#https://groups.google.com/d/msg/rubyonrails-security/cawsWcQ6c8g/tegZtYdbFQAJ
+class Brakeman::CheckNestedAttributesBypass < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for nested attributes vulnerability (CVE-2015-7577)"
+
+  def run_check
+    if version_between? "3.1.0", "3.2.22" or
+       version_between? "4.0.0", "4.1.14" or
+       version_between? "4.2.0", "4.2.5"
+
+      unless workaround?
+        check_nested_attributes
+      end
+    end
+  end
+
+  def check_nested_attributes
+    active_record_models.each do |name, model|
+      if opts = model.options[:accepts_nested_attributes_for]
+        opts.each do |args|
+          if args.any? { |a| allow_destroy? a } and args.any? { |a| reject_if? a }
+            warn_about_nested_attributes name, model, args
+          end
+        end
+      end
+    end
+  end
+
+  def warn_about_nested_attributes name, model, args
+    message = "Rails #{rails_version} does not call :reject_if option when :allow_destroy is false (CVE-2015-7577)"
+
+    warn :model => name,
+      :warning_type => "Nested Attributes",
+      :warning_code => :CVE_2015_7577,
+      :message => message,
+      :file => model.file,
+      :line => args.line,
+      :confidence => CONFIDENCE[:med],
+      :link_path => "https://groups.google.com/d/msg/rubyonrails-security/cawsWcQ6c8g/tegZtYdbFQAJ"
+  end
+
+  def allow_destroy? arg
+    hash? arg and
+      false? hash_access(arg, :allow_destroy)
+  end
+
+  def reject_if? arg
+    hash? arg and
+      hash_access(arg, :reject_if)
+  end
+
+  def workaround?
+    tracker.check_initializers([], :will_be_destroyed?).any?
+  end
+end

data/lib/brakeman/checks/check_render.rb

@@ -4,7 +4,7 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckRender < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
-  @description = "Finds calls to render that might allow file access"
+  @description = "Finds calls to render that might allow file access or code execution"
 
   def run_check
     tracker.find_call(:target => nil, :method => :render).each do |result|
@@ -17,7 +17,8 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
 
     case result[:call].render_type
     when :partial, :template, :action, :file
-      check_for_dynamic_path result
+      check_for_rce(result) or
+        check_for_dynamic_path(result)
     when :inline
     when :js
     when :json
@@ -59,4 +60,25 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
         :confidence => confidence
     end
   end
+
+  def check_for_rce result
+    return unless version_between? "0.0.0", "3.2.22" or
+                  version_between? "4.0.0", "4.1.14" or
+                  version_between? "4.2.0", "4.2.5"
+
+
+    view = result[:call][2]
+    if sexp? view and not duplicate? result
+      if params? view
+        add_result result
+
+        warn :result => result,
+          :warning_type => "Remote Code Execution",
+          :warning_code => :dynamic_render_path_rce,
+          :message => "Passing query parameters to render() is vulnerable in Rails #{rails_version} (CVE-2016-0752)",
+          :user_input => view,
+          :confidence => CONFIDENCE[:high]
+      end
+    end
+  end
 end 

data/lib/brakeman/checks/check_route_dos.rb

@@ -0,0 +1,42 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckRouteDoS < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for route DoS (CVE-2015-7581)"
+
+  def run_check
+    fix_version = case
+                  when version_between?("4.0.0", "4.1.14")
+                    "4.1.14.1"
+                  when version_between?("4.2.0", "4.2.5")
+                    "4.2.5.1"
+                  else
+                    return
+                  end
+
+    if controller_wildcards?
+      message = "Rails #{rails_version} has a denial of service vulnerability with :controller routes (CVE-2015-7581). Upgrade to Rails #{fix_version}"
+
+      warn :warning_type => "Denial of Service",
+        :warning_code => :CVE_2015_7581,
+        :message => message,
+        :confidence => CONFIDENCE[:med],
+        :gem_info => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/msg/rubyonrails-security/dthJ5wL69JE/YzPnFelbFQAJ"
+    end
+  end
+
+  def controller_wildcards?
+    tracker.routes.each do |name, actions|
+      if name == :':controllerController'
+        # awful hack for routes with :controller in them
+        return true
+      elsif string? actions and actions.value.include? ":controller"
+        return true
+      end
+    end
+
+    false
+  end
+end

data/lib/brakeman/checks/check_sanitize_methods.rb

@@ -17,12 +17,17 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
         '3.1.12'
       when version_between?('3.2.0', '3.2.12')
         '3.2.13'
-      else
-        return
       end
 
-    check_cve_2013_1855
-    check_cve_2013_1857
+    if @fix_version
+      check_cve_2013_1855
+      check_cve_2013_1857
+    elsif tracker.config.has_gem? :'rails-html-sanitizer' and
+          version_between? "1.0.0", "1.0.2", tracker.config.gem_version(:'rails-html-sanitizer')
+
+      warn_sanitizer_cve "CVE-2015-7578", "https://groups.google.com/d/msg/rubyonrails-security/uh--W4TDwmI/JbvSRpdbFQAJ"
+      warn_sanitizer_cve "CVE-2015-7580", "https://groups.google.com/d/msg/rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ"
+    end
   end
 
   def check_cve_2013_1855
@@ -54,4 +59,21 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
         :link_path => link
     end
   end
+
+  def warn_sanitizer_cve cve, link
+    message = "rails-html-sanitizer #{tracker.config.gem_version(:'rails-html-sanitizer')} is vulnerable (#{cve}). Upgrade to 1.0.3"
+
+    if tracker.find_call(:target => false, :method => :sanitize).any?
+      confidence = CONFIDENCE[:high]
+    else
+      confidence = CONFIDENCE[:med]
+    end
+
+    warn :warning_type => "Cross Site Scripting",
+      :warning_code => cve.tr('-', '_').to_sym,
+      :message => message,
+      :gem_info => gemfile_or_environment,
+      :confidence => confidence,
+      :link_path => link
+  end
 end

data/lib/brakeman/checks/check_sql.rb

@@ -59,7 +59,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
         call = make_call(nil, :named_scope, args).line(args.line)
         scope_calls << scope_call_hash(call, name, :named_scope)
       end
-    elsif version_between?("3.1.0", "4.9.9")
+    elsif version_between?("3.1.0", "9.9.9")
       ar_scope_calls(:scope) do |name, args|
         second_arg = args[2]
         next unless sexp? second_arg
@@ -264,8 +264,10 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     end
 
     if request_value? arg
-      # Model.where(params[:where])
-      arg
+      unless call? arg and params? arg.target and arg.method == :permit
+        # Model.where(params[:where])
+        arg
+      end
     elsif hash? arg
       #This is generally going to be a hash of column names and values, which
       #would escape the values. But the keys _could_ be user input.

data/lib/brakeman/checks/check_strip_tags.rb

@@ -5,16 +5,21 @@ require 'brakeman/checks/base_check'
 #
 #Check for uses of strip_tags in Rails versions before 2.3.13 and 3.0.10:
 #http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12
+#
+#Check for user of strip_tags with rails-html-sanitizer 1.0.2:
+#https://groups.google.com/d/msg/rubyonrails-security/OU9ugTZcbjc/PjEP46pbFQAJ
 class Brakeman::CheckStripTags < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
-  @description = "Report strip_tags vulnerabilities CVE-2011-2931 and CVE-2012-3465"
+  @description = "Report strip_tags vulnerabilities"
 
   def run_check
     if uses_strip_tags?
       cve_2011_2931
       cve_2012_3465
     end
+
+    cve_2015_7579
   end
 
   def cve_2011_2931
@@ -56,9 +61,29 @@ class Brakeman::CheckStripTags < Brakeman::BaseCheck
       :link_path => "https://groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion"
   end
 
+  def cve_2015_7579
+    if tracker.config.gem_version(:'rails-html-sanitizer') == '1.0.2'
+      if uses_strip_tags?
+        confidence = CONFIDENCE[:high]
+      else
+        confidence = CONFIDENCE[:med]
+      end
+
+      message = "rails-html-sanitizer 1.0.2 is vulnerable (CVE-2015-7579). Upgrade to 1.0.3"
+
+      warn :warning_type => "Cross Site Scripting",
+        :warning_code => :CVE_2015_7579,
+        :message => message,
+        :confidence => confidence,
+        :gem_info => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/msg/rubyonrails-security/OU9ugTZcbjc/PjEP46pbFQAJ"
+
+    end
+  end
+
   def uses_strip_tags?
     Brakeman.debug "Finding calls to strip_tags()"
 
-    not tracker.find_call(:target => false, :method => :strip_tags).empty?
+    not tracker.find_call(:target => false, :method => :strip_tags, :nested => true).empty?
   end
 end

data/lib/brakeman/options.rb

@@ -52,6 +52,12 @@ module Brakeman::Options
           options[:rails4] = true
         end
 
+        opts.on "-5", "--rails5", "Force Rails 5 mode" do
+          options[:rails3] = true
+          options[:rails4] = true
+          options[:rails5] = true
+        end
+
         opts.separator ""
         opts.separator "Scanning options:"
 
@@ -110,12 +116,12 @@ module Brakeman::Options
           options[:url_safe_methods].merge methods.map {|e| e.to_sym }
         end
 
-        opts.on "--skip-files file1,file2,etc", Array, "Skip processing of these files" do |files|
+        opts.on "--skip-files file1,path2,etc", Array, "Skip processing of these files/directories. Directories are application relative and must end in \"#{File::SEPARATOR}\"" do |files|
           options[:skip_files] ||= Set.new
           options[:skip_files].merge files
         end
 
-        opts.on "--only-files file1,file2,etc", Array, "Process only these files" do |files|
+        opts.on "--only-files file1,path2,etc", Array, "Process only these files/directories. Directories are application relative and must end in \"#{File::SEPARATOR}\"" do |files|
           options[:only_files] ||= Set.new
           options[:only_files].merge files
         end

data/lib/brakeman/processors/alias_processor.rb

@@ -212,6 +212,10 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   def process_iter exp
     @exp_context.push exp
     exp[1] = process exp.block_call
+    if array_detect_all_literals? exp[1]
+      return exp.block_call.target[1]
+    end
+
     @exp_context.pop
 
     env.scope do
@@ -524,6 +528,15 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     exp.target.all? { |e| e.is_a? Symbol or node_type? e, :lit, :str }
   end
 
+  def array_detect_all_literals? exp
+    call? exp and
+    [:detect, :find].include? exp.method and
+    node_type? exp.target, :array and
+    exp.target.length > 1 and
+    exp.first_arg.nil? and
+    exp.target.all? { |e| e.is_a? Symbol or node_type? e, :lit, :str }
+  end
+
   #Sets @inside_if = true
   def process_if exp
     if @ignore_ifs.nil?

data/lib/brakeman/processors/controller_processor.rb

@@ -208,11 +208,11 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
   def process_defs exp
     name = exp.method_name
 
-    if exp[1].node_type == :self
+    if node_type? exp[1], :self
       if @current_class
         target = @current_class.name
       elsif @current_module
-        target = @current_module
+        target = @current_module.name
       else
         target = nil
       end

data/lib/brakeman/processors/lib/route_helper.rb

@@ -31,6 +31,10 @@ module Brakeman::RouteHelper
 
     return unless route.is_a? String or route.is_a? Symbol
 
+    if route.is_a? String and controller.nil? and route.include? ":controller"
+      controller = ":controller"
+    end
+
     route = route.to_sym
 
     if controller

data/lib/brakeman/processors/model_processor.rb

@@ -163,11 +163,11 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
     return exp unless @current_class
     name = exp.method_name
 
-    if exp[1].node_type == :self
+    if node_type? exp[1], :self
       if @current_class
         target = @current_class.name
       elsif @current_module
-        target = @current_module
+        target = @current_module.name
       else
         target = nil
       end

data/lib/brakeman/scanner.rb

@@ -96,7 +96,7 @@ class Brakeman::Scanner
   #
   #Stores parsed information in tracker.config
   def process_config
-    if options[:rails3]
+    if options[:rails3] or options[:rails4] or options[:rails5]
       process_config_file "application.rb"
       process_config_file "environments/production.rb"
     else
@@ -155,8 +155,13 @@ class Brakeman::Scanner
       if @app_tree.exists?("script/rails")
         tracker.options[:rails3] = true
         Brakeman.notify "[Notice] Detected Rails 3 application"
+      elsif @app_tree.exists?("app/channels")
+        tracker.options[:rails3] = true
+        tracker.options[:rails4] = true
+        tracker.options[:rails5] = true
+        Brakeman.notify "[Notice] Detected Rails 5 application"
       elsif not @app_tree.exists?("script")
-        tracker.options[:rails3] = true # Probably need to do some refactoring
+        tracker.options[:rails3] = true
         tracker.options[:rails4] = true
         Brakeman.notify "[Notice] Detected Rails 4 application"
       end

data/lib/brakeman/tracker/config.rb

@@ -7,6 +7,7 @@ module Brakeman
     attr_reader :rails, :tracker
     attr_accessor :rails_version
     attr_writer :erubis, :escape_html
+    attr_reader :gems
 
     def initialize tracker
       @tracker = tracker
@@ -76,6 +77,11 @@ module Brakeman
             tracker.options[:rails3] = true
             tracker.options[:rails4] = true
             Brakeman.notify "[Notice] Detected Rails 4 application"
+          elsif @rails_version.start_with? "5"
+            tracker.options[:rails3] = true
+            tracker.options[:rails4] = true
+            tracker.options[:rails5] = true
+            Brakeman.notify "[Notice] Detected Rails 5 application"
           end
         end
       end

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "3.1.4"
+  Version = "3.1.5"
 end

data/lib/brakeman/warning_codes.rb

@@ -93,6 +93,15 @@ module Brakeman::WarningCodes
     :session_key_manipulation => 89,
     :weak_hash_digest => 90,
     :weak_hash_hmac => 91,
+    :sql_injection_dynamic_finder => 92,
+    :CVE_2015_7576 => 93,
+    :CVE_2016_0751 => 94,
+    :CVE_2015_7577 => 95,
+    :CVE_2015_7578 => 96,
+    :CVE_2015_7580 => 97,
+    :CVE_2015_7579 => 98,
+    :dynamic_render_path_rce => 99,
+    :CVE_2015_7581 => 100,
   }
 
   def self.code name

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-  version: 3.1.4
+  version: 3.1.5
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2015-12-22 00:00:00.000000000 Z
+date: 2016-01-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: test-unit
@@ -223,6 +223,7 @@ files:
 - lib/brakeman/checks.rb
 - lib/brakeman/checks/base_check.rb
 - lib/brakeman/checks/check_basic_auth.rb
+- lib/brakeman/checks/check_basic_auth_timing_attack.rb
 - lib/brakeman/checks/check_content_tag.rb
 - lib/brakeman/checks/check_create_with.rb
 - lib/brakeman/checks/check_cross_site_scripting.rb
@@ -230,6 +231,7 @@ files:
 - lib/brakeman/checks/check_deserialize.rb
 - lib/brakeman/checks/check_detailed_exceptions.rb
 - lib/brakeman/checks/check_digest_dos.rb
+- lib/brakeman/checks/check_dynamic_finders.rb
 - lib/brakeman/checks/check_escape_function.rb
 - lib/brakeman/checks/check_evaluation.rb
 - lib/brakeman/checks/check_execute.rb
@@ -246,10 +248,12 @@ files:
 - lib/brakeman/checks/check_link_to_href.rb
 - lib/brakeman/checks/check_mail_to.rb
 - lib/brakeman/checks/check_mass_assignment.rb
+- lib/brakeman/checks/check_mime_type_dos.rb
 - lib/brakeman/checks/check_model_attr_accessible.rb
 - lib/brakeman/checks/check_model_attributes.rb
 - lib/brakeman/checks/check_model_serialize.rb
 - lib/brakeman/checks/check_nested_attributes.rb
+- lib/brakeman/checks/check_nested_attributes_bypass.rb
 - lib/brakeman/checks/check_number_to_currency.rb
 - lib/brakeman/checks/check_quote_table_name.rb
 - lib/brakeman/checks/check_redirect.rb
@@ -258,6 +262,7 @@ files:
 - lib/brakeman/checks/check_render_dos.rb
 - lib/brakeman/checks/check_render_inline.rb
 - lib/brakeman/checks/check_response_splitting.rb
+- lib/brakeman/checks/check_route_dos.rb
 - lib/brakeman/checks/check_safe_buffer_manipulation.rb
 - lib/brakeman/checks/check_sanitize_methods.rb
 - lib/brakeman/checks/check_select_tag.rb