railroader 4.3.4

data/lib/railroader/checks/check_sanitize_methods.rb

@@ -0,0 +1,112 @@
+require 'railroader/checks/base_check'
+
+#sanitize and sanitize_css are vulnerable:
+#CVE-2013-1855 and CVE-2013-1857
+class Railroader::CheckSanitizeMethods < Railroader::BaseCheck
+  Railroader::Checks.add self
+
+  @description = "Checks for versions with vulnerable sanitize and sanitize_css"
+
+  def run_check
+    @fix_version = case
+      when version_between?('2.0.0', '2.3.17')
+        '2.3.18'
+      when version_between?('3.0.0', '3.0.99')
+        '3.2.13'
+      when version_between?('3.1.0', '3.1.11')
+        '3.1.12'
+      when version_between?('3.2.0', '3.2.12')
+        '3.2.13'
+      end
+
+    if @fix_version
+      check_cve_2013_1855
+      check_cve_2013_1857
+    end
+
+    if tracker.config.has_gem? :'rails-html-sanitizer'
+      check_rails_html_sanitizer
+    end
+
+    check_cve_2018_8048
+  end
+
+  def check_cve_2013_1855
+    check_for_cve :sanitize_css, :CVE_2013_1855, "https://groups.google.com/d/msg/rubyonrails-security/4_QHo4BqnN8/_RrdfKk12I4J"
+  end
+
+  def check_cve_2013_1857
+    check_for_cve :sanitize, :CVE_2013_1857, "https://groups.google.com/d/msg/rubyonrails-security/zAAU7vGTPvI/1vZDWXqBuXgJ"
+  end
+
+  def check_for_cve method, code, link
+    tracker.find_call(:target => false, :method => method).each do |result|
+      next if duplicate? result
+      add_result result
+
+      message = "Rails #{rails_version} has a vulnerability in #{method}: upgrade to #{@fix_version} or patch"
+
+      warn :result => result,
+        :warning_type => "Cross-Site Scripting",
+        :warning_code => code,
+        :message => message,
+        :confidence => :high,
+        :link_path => link
+    end
+  end
+
+  def check_rails_html_sanitizer
+    rhs_version = tracker.config.gem_version(:'rails-html-sanitizer')
+
+    if version_between? "1.0.0", "1.0.2", rhs_version
+      warn_sanitizer_cve "CVE-2015-7578", "https://groups.google.com/d/msg/rubyonrails-security/uh--W4TDwmI/JbvSRpdbFQAJ", "1.0.3"
+      warn_sanitizer_cve "CVE-2015-7580", "https://groups.google.com/d/msg/rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ", "1.0.3"
+    end
+
+    if version_between? "1.0.0", "1.0.3", rhs_version
+      warn_sanitizer_cve "CVE-2018-3741", "https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ", "1.0.4"
+    end
+  end
+
+  def check_cve_2018_8048
+    if loofah_vulnerable_cve_2018_8048?
+      message = "Loofah #{tracker.config.gem_version(:loofah)} is vulnerable (CVE-2018-8048). Upgrade to 2.1.2"
+
+      if tracker.find_call(:target => false, :method => :sanitize).any?
+        confidence = :high
+      else
+        confidence = :medium
+      end
+
+      warn :warning_type => "Cross-Site Scripting",
+        :warning_code => :CVE_2018_8048,
+        :message => message,
+        :gem_info => gemfile_or_environment(:loofah),
+        :confidence => confidence,
+        :link_path => "https://github.com/flavorjones/loofah/issues/144"
+    end
+  end
+
+  def loofah_vulnerable_cve_2018_8048?
+    loofah_version = tracker.config.gem_version(:loofah)
+
+    loofah_version and loofah_version < "2.1.2"
+  end
+
+  def warn_sanitizer_cve cve, link, upgrade_version
+    message = "rails-html-sanitizer #{tracker.config.gem_version(:'rails-html-sanitizer')} is vulnerable (#{cve}). Upgrade to #{upgrade_version}"
+
+    if tracker.find_call(:target => false, :method => :sanitize).any?
+      confidence = :high
+    else
+      confidence = :medium
+    end
+
+    warn :warning_type => "Cross-Site Scripting",
+      :warning_code => cve.tr('-', '_').to_sym,
+      :message => message,
+      :gem_info => gemfile_or_environment(:'rails-html-sanitizer'),
+      :confidence => confidence,
+      :link_path => link
+  end
+end

data/lib/railroader/checks/check_secrets.rb

@@ -0,0 +1,40 @@
+require 'railroader/checks/base_check'
+
+class Railroader::CheckSecrets < Railroader::BaseCheck
+  Railroader::Checks.add_optional self
+
+  @description = "Checks for secrets stored in source code"
+
+  def run_check
+    check_constants
+  end
+
+  def check_constants
+    @warned = Set.new
+
+    @tracker.constants.each do |constant|
+      name = constant.name_array.last
+      value = constant.value
+
+      if string? value and not value.value.empty? and looks_like_secret? name
+        match = [name, value, value.line]
+
+        unless @warned.include? match
+          @warned << match
+
+          warn :warning_code => :secret_in_source,
+            :warning_type => "Authentication",
+            :message => "Hardcoded value for #{name} in source code",
+            :confidence => :medium,
+            :file => constant.file,
+            :line => constant.line
+        end
+      end
+    end
+  end
+
+  def looks_like_secret? name
+    # REST_AUTH_SITE_KEY is the pepper in Devise
+    name.match /password|secret|(rest_auth_site|api)_key$/i
+  end
+end

data/lib/railroader/checks/check_select_tag.rb

@@ -0,0 +1,59 @@
+require 'railroader/checks/base_check'
+
+#Checks for CVE-2012-3463, unescaped input in :prompt option of select_tag:
+#https://groups.google.com/d/topic/rubyonrails-security/fV3QUToSMSw/discussion
+class Railroader::CheckSelectTag < Railroader::BaseCheck
+  Railroader::Checks.add self
+
+  @description = "Looks for unsafe uses of select_tag() in some versions of Rails 3.x"
+
+  def run_check
+
+    if version_between? "3.0.0", "3.0.16"
+      suggested_version = "3.0.17"
+    elsif version_between? "3.1.0", "3.1.7"
+      suggested_version = "3.1.8"
+    elsif version_between? "3.2.0", "3.2.7"
+      suggested_version = "3.2.8"
+    else
+      return
+    end
+
+    @ignore_methods = Set[:escapeHTML, :escape_once, :h].merge tracker.options[:safe_methods]
+
+    @message = "Upgrade to Rails #{suggested_version}, #{rails_version} select_tag is vulnerable (CVE-2012-3463)"
+
+    calls = tracker.find_call(:target => nil, :method => :select_tag).select do |result|
+      result[:location][:type] == :template
+    end
+
+    calls.each do |result|
+      process_result result
+    end
+  end
+
+  #Check if select_tag is called with user input in :prompt option
+  def process_result result
+    return unless original? result
+
+    #Only concerned if user input is supplied for :prompt option
+    last_arg = result[:call].last_arg
+
+    if hash? last_arg
+      prompt_option = hash_access last_arg, :prompt
+
+      if call? prompt_option and @ignore_methods.include? prompt_option.method
+        return
+      elsif sexp? prompt_option and input = include_user_input?(prompt_option)
+
+        warn :warning_type => "Cross-Site Scripting",
+          :warning_code => :CVE_2012_3463,
+          :result => result,
+          :message => @message,
+          :confidence => :high,
+          :user_input => input,
+          :link_path => "https://groups.google.com/d/topic/rubyonrails-security/fV3QUToSMSw/discussion"
+      end
+    end
+  end
+end

data/lib/railroader/checks/check_select_vulnerability.rb

@@ -0,0 +1,60 @@
+require 'railroader/checks/base_check'
+
+#Checks for select() helper vulnerability in some versions of Rails 3
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/9da0c515a6c4664
+class Railroader::CheckSelectVulnerability < Railroader::BaseCheck
+  Railroader::Checks.add self
+
+  @description = "Looks for unsafe uses of select() helper"
+
+  def run_check
+
+    if lts_version? "2.3.18.7"
+      return
+    elsif version_between? "3.0.0", "3.0.11"
+      suggested_version = "3.0.12"
+    elsif version_between? "3.1.0", "3.1.3"
+      suggested_version = "3.1.4"
+    elsif version_between? "3.2.0", "3.2.1"
+      suggested_version = "3.2.2"
+    elsif version_between? "2.0.0", "2.3.14"
+      suggested_version = "3 or use options_for_select"
+    else
+      return
+    end
+
+    @message = "Upgrade to Rails #{suggested_version}, #{rails_version} select() helper is vulnerable"
+
+    calls = tracker.find_call(:target => nil, :method => :select).select do |result|
+      result[:location][:type] == :template
+    end
+
+    calls.each do |result|
+      process_result result
+    end
+  end
+
+  def process_result result
+    return if duplicate? result
+
+    third_arg = result[:call].third_arg
+
+    #Check for user input in options parameter
+    if sexp? third_arg and include_user_input? third_arg
+      add_result result
+
+      if string_interp? third_arg
+        confidence = :medium
+      else
+        confidence = :weak
+      end
+
+      warn :template => result[:location][:template],
+          :warning_type => "Cross-Site Scripting",
+          :warning_code => :select_options_vuln,
+          :result => result,
+          :message => @message,
+          :confidence => confidence
+    end
+  end
+end

data/lib/railroader/checks/check_send.rb

@@ -0,0 +1,47 @@
+require 'railroader/checks/base_check'
+
+#Checks if user supplied data is passed to send
+class Railroader::CheckSend < Railroader::BaseCheck
+  Railroader::Checks.add self
+
+  @description = "Check for unsafe use of Object#send"
+
+  def run_check
+    @send_methods = [:send, :try, :__send__, :public_send]
+    Railroader.debug("Finding instances of #send")
+    calls = tracker.find_call :methods => @send_methods, :nested => true
+
+    calls.each do |call|
+      process_result call
+    end
+  end
+
+  def process_result result
+    return unless original? result
+
+    send_call = get_send result[:call]
+    process_call_args send_call
+    process send_call.target
+
+    if input = has_immediate_user_input?(send_call.first_arg)
+      warn :result => result,
+        :warning_type => "Dangerous Send",
+        :warning_code => :dangerous_send,
+        :message => "User controlled method execution",
+        :code => result[:call],
+        :user_input => input,
+        :confidence => :high
+    end
+  end
+
+  # Recursively check call chain for send call
+  def get_send exp
+    if call? exp
+      if @send_methods.include? exp.method
+        return exp
+      else
+        get_send exp.target
+      end
+    end
+  end
+end

data/lib/railroader/checks/check_send_file.rb

@@ -0,0 +1,19 @@
+require 'railroader/checks/check_file_access'
+require 'railroader/processors/lib/processor_helper'
+
+#Checks for user input in send_file()
+class Railroader::CheckSendFile < Railroader::CheckFileAccess
+  Railroader::Checks.add self
+
+  @description = "Check for user input in uses of send_file"
+
+  def run_check
+    Railroader.debug "Finding all calls to send_file()"
+
+    methods = tracker.find_call :target => false, :method => :send_file
+
+    methods.each do |call|
+      process_result call
+    end
+  end
+end

data/lib/railroader/checks/check_session_manipulation.rb

@@ -0,0 +1,35 @@
+require 'railroader/checks/base_check'
+
+class Railroader::CheckSessionManipulation < Railroader::BaseCheck
+  Railroader::Checks.add self
+
+  @description = "Check for user input in session keys"
+
+  def run_check
+    tracker.find_call(:method => :[]=, :target => :session).each do |result|
+      process_result result
+    end
+  end
+
+  def process_result result
+    return unless original? result
+
+    index = result[:call].first_arg
+
+    if input = has_immediate_user_input?(index)
+      if params? index
+        confidence = :high
+      else
+        confidence = :medium
+      end
+
+      warn :result => result,
+        :warning_type => "Session Manipulation",
+        :warning_code => :session_key_manipulation,
+        :message => "#{friendly_type_of(input).capitalize} used as key in session hash",
+        :code => result[:call],
+        :user_input => input,
+        :confidence => confidence
+    end
+  end
+end

data/lib/railroader/checks/check_session_settings.rb

@@ -0,0 +1,176 @@
+require 'railroader/checks/base_check'
+
+#Checks for session key length and http_only settings
+class Railroader::CheckSessionSettings < Railroader::BaseCheck
+  Railroader::Checks.add self
+
+  @description = "Checks for session key length and http_only settings"
+
+  def initialize *args
+    super
+
+    unless tracker.options[:rails3]
+      @session_settings = Sexp.new(:colon2, Sexp.new(:const, :ActionController), :Base)
+    else
+      @session_settings = nil
+    end
+  end
+
+  def run_check
+    settings = tracker.config.session_settings 
+
+    check_for_issues settings, @app_tree.expand_path("config/environment.rb")
+
+    ["session_store.rb", "secret_token.rb"].each do |file|
+      if tracker.initializers[file] and not ignored? file
+        process tracker.initializers[file]
+      end
+    end
+
+    if tracker.options[:rails4]
+      check_secrets_yaml
+    end
+  end
+
+  #Looks for ActionController::Base.session = { ... }
+  #in Rails 2.x apps
+  #
+  #and App::Application.config.secret_token =
+  #in Rails 3.x apps
+  #
+  #and App::Application.config.secret_key_base =
+  #in Rails 4.x apps
+  def process_attrasgn exp
+    if not tracker.options[:rails3] and exp.target == @session_settings and exp.method == :session=
+      check_for_issues exp.first_arg, @app_tree.expand_path("config/initializers/session_store.rb")
+    end
+
+    if tracker.options[:rails3] and settings_target?(exp.target) and
+      (exp.method == :secret_token= or exp.method == :secret_key_base=) and string? exp.first_arg
+
+      warn_about_secret_token exp.line, @app_tree.expand_path("config/initializers/secret_token.rb")
+    end
+
+    exp
+  end
+
+  #Looks for Rails3::Application.config.session_store :cookie_store, { ... }
+  #in Rails 3.x apps
+  def process_call exp
+    if tracker.options[:rails3] and settings_target?(exp.target) and exp.method == :session_store
+      check_for_rails3_issues exp.second_arg, @app_tree.expand_path("config/initializers/session_store.rb")
+    end
+
+    exp
+  end
+
+  private
+
+  def settings_target? exp
+    call? exp and
+    exp.method == :config and
+    node_type? exp.target, :colon2 and
+    exp.target.rhs == :Application
+  end
+
+  def check_for_issues settings, file
+    if settings and hash? settings
+      if value = (hash_access(settings, :session_http_only) ||
+                  hash_access(settings, :http_only) ||
+                  hash_access(settings, :httponly))
+
+        if false? value
+          warn_about_http_only value.line, file
+        end
+      end
+
+      if value = hash_access(settings, :secret)
+        if string? value
+          warn_about_secret_token value.line, file
+        end
+      end
+    end
+  end
+
+  def check_for_rails3_issues settings, file
+    if settings and hash? settings
+      if value = hash_access(settings, :httponly)
+        if false? value
+          warn_about_http_only value.line, file
+        end
+      end
+
+      if value = hash_access(settings, :secure)
+        if false? value
+          warn_about_secure_only value.line, file
+        end
+      end
+    end
+  end
+
+  def check_secrets_yaml
+    secrets_file = "config/secrets.yml"
+
+    if @app_tree.exists? secrets_file and not ignored? "secrets.yml" and not ignored? "config/*.yml"
+      yaml = @app_tree.read secrets_file
+      require 'date' # https://github.com/dtao/safe_yaml/issues/80
+      require 'safe_yaml/load'
+      begin
+        secrets = SafeYAML.load yaml
+      rescue Psych::SyntaxError, RuntimeError => e
+        Railroader.notify "[Notice] #{self.class}: Unable to parse `#{secrets_file}`"
+        Railroader.debug "Failed to parse #{secrets_file}: #{e.inspect}"
+        return
+      end
+
+      if secrets["production"] and secret = secrets["production"]["secret_key_base"]
+        unless secret.include? "<%="
+          line = yaml.lines.find_index { |l| l.include? secret } + 1
+
+          warn_about_secret_token line, @app_tree.expand_path(secrets_file)
+        end
+      end
+    end
+  end
+
+  def warn_about_http_only line, file
+    warn :warning_type => "Session Setting",
+      :warning_code => :http_cookies,
+      :message => "Session cookies should be set to HTTP only",
+      :confidence => :high,
+      :line => line,
+      :file => file
+
+  end
+
+  def warn_about_secret_token line, file
+    warn :warning_type => "Session Setting",
+      :warning_code => :session_secret,
+      :message => "Session secret should not be included in version control",
+      :confidence => :high,
+      :line => line,
+      :file => file
+  end
+
+  def warn_about_secure_only line, file
+    warn :warning_type => "Session Setting",
+      :warning_code => :secure_cookies,
+      :message => "Session cookie should be set to secure only",
+      :confidence => :high,
+      :line => line,
+      :file => file
+  end
+
+  def ignored? file
+    [".", "config", "config/initializers"].each do |dir|
+      ignore_file = "#{dir}/.gitignore"
+      if @app_tree.exists? ignore_file
+        input = @app_tree.read(ignore_file)
+
+        return true if input.include? file
+      end
+    end
+
+    false
+  end
+end

data/lib/railroader/checks/check_simple_format.rb

@@ -0,0 +1,58 @@
+require 'railroader/checks/base_check'
+
+class Railroader::CheckSimpleFormat < Railroader::CheckCrossSiteScripting
+  Railroader::Checks.add self
+
+  @description = "Checks for simple_format XSS vulnerability (CVE-2013-6416) in certain versions"
+
+  def run_check
+    if version_between? "4.0.0", "4.0.1"
+      @inspect_arguments = true
+      @ignore_methods = Set[:h, :escapeHTML]
+
+      check_simple_format_usage
+      generic_warning unless @found_any
+    end
+  end
+
+  def generic_warning
+    message = "Rails #{rails_version} has a vulnerability in simple_format (CVE-2013-6416). Upgrade to Rails version 4.0.2"
+
+    warn :warning_type => "Cross-Site Scripting",
+      :warning_code => :CVE_2013_6416,
+      :message => message,
+      :confidence => :medium,
+      :gem_info => gemfile_or_environment,
+      :link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ"
+  end
+
+  def check_simple_format_usage
+    tracker.find_call(:target => false, :method => :simple_format).each do |result|
+      @matched = false
+      process_call result[:call]
+      if @matched
+        warn_on_simple_format result, @matched
+      end
+    end
+  end
+
+  def process_call exp
+    @mark = true
+    actually_process_call exp
+    exp
+  end
+
+  def warn_on_simple_format result, match
+    return unless original? result
+
+    @found_any = true
+
+    warn :result => result,
+      :warning_type => "Cross-Site Scripting",
+      :warning_code => :CVE_2013_6416_call,
+      :message => "Values passed to simple_format are not safe in Rails #{rails_version}",
+      :confidence => :high,
+      :link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ",
+      :user_input => match
+  end
+end