brakeman 5.3.1 → 5.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 828d560cb256d564c8e79fc7222e7c7edea911639a6c4b45699901371d0c750b
-  data.tar.gz: c9e8791df7f77b1e6a8d3bfe9cf0f5b753325171021fdafac3531f96edd3b7e1
+  metadata.gz: af17bb029ba552f60e4ec332399b3557ed24720b42fe005bd3ae057ff35c69ef
+  data.tar.gz: 0b1462edf2d398d503109a5bbb5fd05727bfb6d31af7b052a0eb7b463f31c8ce
 SHA512:
-  metadata.gz: 8d29d985cdba9407830c4881372dc4c8ba4cd635c1c48c6cfb16c6fc6b0ef7993816460af301cdf5ca51b096bfdf30699286d6d9fffaae79fff042160b481a87
-  data.tar.gz: 5d1824dba9dfd9661eccc7ed2a2bb9d2fd1c8d80e131bf0f97ab31cebc738f920682fe7204a8b84ee49c884c8730c2425ef20bd15f2b53c3ada1a2332d75779e
+  metadata.gz: 4ca3b2e7a76d69ef82bc451dba3383da830e89700565aaa38d0955a2566a15ee1a5e94e5d4e8c98dbb95a5083c97a000030361c2628ad6d39a02f178491eeeff
+  data.tar.gz: 6f0b414997abd0aed5bf511680cfc4e33916d18eca44b1505dec0b4d61c8b3ff566564b3c61f2c6952cd619f20f6d5069e268229394db3afd6c731350fdd26a2

data/CHANGES.md

@@ -1,3 +1,12 @@
+# 5.4.0 - 2022-11-17
+
+* Use relative paths for CodeClimate report format (Mike Poage)
+* Add check for weak RSA key sizes and padding modes
+* Handle multiple values and splats in case/when
+* Ignore more model methods in redirects
+* Add check for absolute paths issue with Pathname
+* Fix `load_rails_defaults` overwriting settings in the Rails application (James Gregory-Monk)
+
 # 5.3.1 - 2022-08-09
 
 * Fix version range for CVE-2022-32209

data/lib/brakeman/checks/check_pathname.rb

@@ -0,0 +1,48 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckPathname < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Check for unexpected Pathname behavior"
+
+  def run_check
+    check_rails_root_join
+    check_pathname_join
+
+  end
+
+  def check_rails_root_join
+    tracker.find_call(target: :'Rails.root', method: :join, nested: true).each do |result|
+      check_result result
+    end
+  end
+
+  def check_pathname_join
+    pathname_methods = [
+      :'Pathname.new',
+      :'Pathname.getwd',
+      :'Pathname.glob',
+      :'Pathname.pwd',
+    ]
+
+    tracker.find_call(targets: pathname_methods, method: :join, nested: true).each do |result|
+      check_result result
+    end
+  end
+
+  def check_result result
+    return unless original? result
+
+    result[:call].each_arg do |arg|
+      if match = has_immediate_user_input?(arg)
+        warn :result => result,
+          :warning_type => "Path Traversal",
+          :warning_code => :pathname_traversal,
+          :message => "Absolute paths in `Pathname#join` cause the entire path to be relative to the absolute path, ignoring any prior values",
+          :user_input => match,
+          :confidence => :high,
+          :cwe_id => [22]
+      end
+    end
+  end
+end

data/lib/brakeman/checks/check_redirect.rb

@@ -13,7 +13,7 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
   def run_check
     Brakeman.debug "Finding calls to redirect_to()"
 
-    @model_find_calls = Set[:all, :create, :create!, :find, :find_by_sql, :first, :last, :new]
+    @model_find_calls = Set[:all, :create, :create!, :find, :find_by_sql, :first, :first!, :last, :last!, :new, :sole]
 
     if tracker.options[:rails3]
       @model_find_calls.merge [:from, :group, :having, :joins, :lock, :order, :reorder, :select, :where]
@@ -23,6 +23,10 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
       @model_find_calls.merge [:find_by, :find_by!, :take]
     end
 
+    if version_between? "7.0.0", "9.9.9"
+      @model_find_calls << :find_sole_by
+    end
+
     @tracker.find_call(:target => false, :method => :redirect_to).each do |res|
       process_result res
     end

data/lib/brakeman/checks/check_weak_rsa_key.rb

@@ -0,0 +1,112 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckWeakRSAKey < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for weak uses RSA keys"
+
+  def run_check
+    check_rsa_key_creation
+    check_rsa_operations
+  end
+
+  def check_rsa_key_creation
+    tracker.find_call(targets: [:'OpenSSL::PKey::RSA'], method: [:new, :generate], nested: true).each do |result|
+      key_size_arg = result[:call].first_arg
+      check_key_size(result, key_size_arg)
+    end
+
+    tracker.find_call(targets: [:'OpenSSL::PKey'], method: [:generate_key], nested: true).each do |result|
+      call = result[:call]
+      key_type = call.first_arg
+      options_arg = call.second_arg
+
+      next unless options_arg and hash? options_arg
+
+      if string? key_type and key_type.value.upcase == 'RSA'
+        key_size_arg = (hash_access(options_arg, :rsa_keygen_bits) || hash_access(options_arg, s(:str, 'rsa_key_gen_bits')))
+        check_key_size(result, key_size_arg)
+      end
+    end
+  end
+
+  def check_rsa_operations
+    tracker.find_call(targets: [:'OpenSSL::PKey::RSA.new'], methods: [:public_encrypt, :public_decrypt, :private_encrypt, :private_decrypt], nested: true).each do |result|
+      padding_arg = result[:call].second_arg
+      check_padding(result, padding_arg)
+    end
+
+    tracker.find_call(targets: [:'OpenSSL::PKey.generate_key'], methods: [:encrypt, :decrypt, :sign, :verify, :sign_raw, :verify_raw], nested: true).each do |result|
+      call = result[:call]
+      options_arg = call.last_arg
+
+      if options_arg and hash? options_arg
+        padding_arg = (hash_access(options_arg, :rsa_padding_mode) || hash_access(options_arg, s(:str, 'rsa_padding_mode')))
+      else
+        padding_arg = nil
+      end
+
+      check_padding(result, padding_arg)
+    end
+  end
+
+  def check_key_size result, key_size_arg
+    return unless number? key_size_arg
+    return unless original? result
+
+    key_size = key_size_arg.value
+
+    if key_size < 1024
+      confidence = :high
+      message = msg("RSA key with size ", msg_code(key_size.to_s), " is considered very weak. Use at least 2048 bit key size")
+    elsif key_size < 2048
+      confidence = :medium
+      message = msg("RSA key with size ", msg_code(key_size.to_s), " is considered weak. Use at least 2048 bit key size")
+    else
+      return
+    end
+
+    warn result: result,
+      warning_type: "Weak Cryptography",
+      warning_code: :small_rsa_key_size,
+      message: message,
+      confidence: confidence,
+      user_input: key_size_arg,
+      cwe_id: [326]
+  end
+
+  PKCS1_PADDING = s(:colon2, s(:colon2, s(:colon2, s(:const, :OpenSSL), :PKey), :RSA), :PKCS1_PADDING).freeze
+  PKCS1_PADDING_STR = s(:str, 'pkcs1').freeze
+  SSLV23_PADDING = s(:colon2, s(:colon2, s(:colon2, s(:const, :OpenSSL), :PKey), :RSA), :SSLV23_PADDING).freeze
+  SSLV23_PADDING_STR = s(:str, 'sslv23').freeze
+  NO_PADDING = s(:colon2, s(:colon2, s(:colon2, s(:const, :OpenSSL), :PKey), :RSA), :NO_PADDING).freeze
+  NO_PADDING_STR = s(:str, 'none').freeze
+
+  def check_padding result, padding_arg
+    return unless original? result
+
+    if string? padding_arg
+      padding_arg = padding_arg.deep_clone(padding_arg.line)
+      padding_arg.value.downcase!
+    end
+
+    case padding_arg
+    when PKCS1_PADDING, PKCS1_PADDING_STR, nil
+      message = "Use of padding mode PKCS1 (default if not specified), which is known to be insecure. Use OAEP instead"
+    when SSLV23_PADDING, SSLV23_PADDING_STR
+      message = "Use of padding mode SSLV23 for RSA key, which is only useful for outdated versions of SSL. Use OAEP instead"
+    when NO_PADDING, NO_PADDING_STR
+      message = "No padding mode used for RSA key. A safe padding mode (OAEP) should be specified for RSA keys"
+    else
+      return
+    end
+
+    warn result: result,
+      warning_type: "Weak Cryptography",
+      warning_code: :insecure_rsa_padding_mode,
+      message: message,
+      confidence: :high,
+      user_input: padding_arg,
+      cwe_id: [780]
+  end
+end

data/lib/brakeman/processors/alias_processor.rb

@@ -970,11 +970,27 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       exp.method == :==
   end
 
+  # Not a list of values
+  #   when :example
   def simple_when? exp
     node_type? exp[1], :array and
-      not node_type? exp[1][1], :splat, :array and
-      (exp[1].length == 2 or
-       exp[1].all? { |e| e.is_a? Symbol or node_type? e, :lit, :str })
+      exp[1].length == 2 and # only one element in the array
+      not node_type? exp[1][1], :splat, :array
+  end
+
+  # A list of literal values
+  #
+  #   when 1,2,3
+  #
+  # or
+  #
+  #   when *[:a, :b]
+  def all_literals_when? exp
+    if array? exp[1] # pretty sure this is always true
+      all_literals? exp[1] or # simple list, not actually array
+        (splat_array? exp[1][1] and
+         all_literals? exp[1][1][1])
+    end
   end
 
   def process_case exp
@@ -1002,9 +1018,16 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         scope do
           @branch_env = env.current
 
+          # Process the when value for matching
+          process_default e[1]
+
           # set value of case var if possible
-          if case_value and simple_when? e
-            @branch_env[case_value] = e[1][1]
+          if case_value
+            if simple_when? e
+              @branch_env[case_value] = e[1][1]
+            elsif all_literals_when? e
+              @branch_env[case_value] = safe_literal(e.line + 1)
+            end
           end
 
           # when blocks aren't blocks, they are lists of expressions

data/lib/brakeman/processors/lib/rails3_config_processor.rb

@@ -86,7 +86,7 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
       end
     elsif include_rails_config? exp
       options_path = get_rails_config exp
-      @tracker.config.set_rails_config(exp.first_arg, *options_path)
+      @tracker.config.set_rails_config(value: exp.first_arg, path: options_path, overwrite: true)
     end
 
     exp

data/lib/brakeman/report/report_codeclimate.rb

@@ -73,7 +73,7 @@ class Brakeman::Report::CodeClimate < Brakeman::Report::Base
     if tracker.options[:path_prefix]
       (Pathname.new(tracker.options[:path_prefix]) + Pathname.new(warning.file.relative)).to_s
     else
-      warning.file
+      warning.relative_path
     end
   end
 end

data/lib/brakeman/tracker/config.rb

@@ -166,7 +166,7 @@ module Brakeman
     # then this will set
     #
     #   rails[:action_controller][:perform_caching] = value
-    def set_rails_config value, *path
+    def set_rails_config value:, path:, overwrite: false
       config = self.rails
 
       path[0..-2].each do |o|
@@ -182,7 +182,9 @@ module Brakeman
         config = option
       end
 
-      config[path.last] = value
+      if overwrite || config[path.last].nil?
+        config[path.last] = value
+      end
     end
 
     # Load defaults based on config.load_defaults value
@@ -195,38 +197,38 @@ module Brakeman
       false_value = Sexp.new(:false)
 
       if version >= 5.0
-        set_rails_config(true_value, :action_controller, :per_form_csrf_tokens)
-        set_rails_config(true_value, :action_controller, :forgery_protection_origin_check)
-        set_rails_config(true_value, :active_record, :belongs_to_required_by_default)
+        set_rails_config(value: true_value, path: [:action_controller, :per_form_csrf_tokens])
+        set_rails_config(value: true_value, path: [:action_controller, :forgery_protection_origin_check])
+        set_rails_config(value: true_value, path: [:active_record, :belongs_to_required_by_default])
         # Note: this may need to be changed, because ssl_options is a Hash
-        set_rails_config(true_value, :ssl_options, :hsts, :subdomains)
+        set_rails_config(value: true_value, path: [:ssl_options, :hsts, :subdomains])
       end
 
       if version >= 5.1
-        set_rails_config(false_value, :assets, :unknown_asset_fallback)
-        set_rails_config(true_value, :action_view, :form_with_generates_remote_forms)
+        set_rails_config(value: false_value, path: [:assets, :unknown_asset_fallback])
+        set_rails_config(value: true_value, path: [:action_view, :form_with_generates_remote_forms])
       end
 
       if version >= 5.2
-        set_rails_config(true_value, :active_record, :cache_versioning)
-        set_rails_config(true_value, :action_dispatch, :use_authenticated_cookie_encryption)
-        set_rails_config(true_value, :active_support, :use_authenticated_message_encryption)
-        set_rails_config(true_value, :active_support, :use_sha1_digests)
-        set_rails_config(true_value, :action_controller, :default_protect_from_forgery)
-        set_rails_config(true_value, :action_view, :form_with_generates_ids)
+        set_rails_config(value: true_value, path: [:active_record, :cache_versioning])
+        set_rails_config(value: true_value, path: [:action_dispatch, :use_authenticated_cookie_encryption])
+        set_rails_config(value: true_value, path: [:active_support, :use_authenticated_message_encryption])
+        set_rails_config(value: true_value, path: [:active_support, :use_sha1_digests])
+        set_rails_config(value: true_value, path: [:action_controller, :default_protect_from_forgery])
+        set_rails_config(value: true_value, path: [:action_view, :form_with_generates_ids])
       end
 
       if version >= 6.0
-        set_rails_config(Sexp.new(:lit, :zeitwerk), :autoloader)
-        set_rails_config(false_value, :action_view, :default_enforce_utf8)
-        set_rails_config(true_value, :action_dispatch, :use_cookies_with_metadata)
-        set_rails_config(false_value, :action_dispatch, :return_only_media_type_on_content_type)
-        set_rails_config(Sexp.new(:str, 'ActionMailer::MailDeliveryJob'), :action_mailer, :delivery_job)
-        set_rails_config(true_value, :active_job, :return_false_on_aborted_enqueue)
-        set_rails_config(Sexp.new(:lit, :active_storage_analysis), :active_storage, :queues, :analysis)
-        set_rails_config(Sexp.new(:lit, :active_storage_purge), :active_storage, :queues, :purge)
-        set_rails_config(true_value, :active_storage, :replace_on_assign_to_many)
-        set_rails_config(true_value, :active_record, :collection_cache_versioning)
+        set_rails_config(value: Sexp.new(:lit, :zeitwerk), path: [:autoloader])
+        set_rails_config(value: false_value, path: [:action_view, :default_enforce_utf8])
+        set_rails_config(value: true_value, path: [:action_dispatch, :use_cookies_with_metadata])
+        set_rails_config(value: false_value, path: [:action_dispatch, :return_only_media_type_on_content_type])
+        set_rails_config(value: Sexp.new(:str, 'ActionMailer::MailDeliveryJob'), path: [:action_mailer, :delivery_job])
+        set_rails_config(value: true_value, path: [:active_job, :return_false_on_aborted_enqueue])
+        set_rails_config(value: Sexp.new(:lit, :active_storage_analysis), path: [:active_storage, :queues, :analysis])
+        set_rails_config(value: Sexp.new(:lit, :active_storage_purge), path: [:active_storage, :queues, :purge])
+        set_rails_config(value: true_value, path: [:active_storage, :replace_on_assign_to_many])
+        set_rails_config(value: true_value, path: [:active_record, :collection_cache_versioning])
       end
     end
   end

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "5.3.1"
+  Version = "5.4.0"
 end

data/lib/brakeman/warning_codes.rb

@@ -126,6 +126,10 @@ module Brakeman::WarningCodes
     :pending_eol_rails => 122,
     :pending_eol_ruby => 123,
     :CVE_2022_32209 => 124,
+    :pathname_traversal => 125,
+    :insecure_rsa_padding_mode => 126,
+    :missing_rsa_padding_mode => 127,
+    :small_rsa_key_size => 128,
 
     :custom_check => 9090,
   }

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-  version: 5.3.1
+  version: 5.4.0
 platform: ruby
 authors:
 - Justin Collins
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-08-10 00:00:00.000000000 Z
+date: 2022-11-18 00:00:00.000000000 Z
 dependencies: []
 description: Brakeman detects security vulnerabilities in Ruby on Rails applications
   via static analysis.
@@ -482,6 +482,7 @@ files:
 - lib/brakeman/checks/check_nested_attributes_bypass.rb
 - lib/brakeman/checks/check_number_to_currency.rb
 - lib/brakeman/checks/check_page_caching_cve.rb
+- lib/brakeman/checks/check_pathname.rb
 - lib/brakeman/checks/check_permit_attributes.rb
 - lib/brakeman/checks/check_quote_table_name.rb
 - lib/brakeman/checks/check_redirect.rb
@@ -520,6 +521,7 @@ files:
 - lib/brakeman/checks/check_validation_regex.rb
 - lib/brakeman/checks/check_verb_confusion.rb
 - lib/brakeman/checks/check_weak_hash.rb
+- lib/brakeman/checks/check_weak_rsa_key.rb
 - lib/brakeman/checks/check_without_protection.rb
 - lib/brakeman/checks/check_xml_dos.rb
 - lib/brakeman/checks/check_yaml_parsing.rb
@@ -646,7 +648,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.1.6
 signing_key: 
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.