railroader 4.3.4

data/lib/railroader/checks/check_single_quotes.rb

@@ -0,0 +1,101 @@
+require 'railroader/checks/base_check'
+
+#Checks for versions which do not escape single quotes.
+#https://groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion
+class Railroader::CheckSingleQuotes < Railroader::BaseCheck
+  Railroader::Checks.add self
+  RACK_UTILS = Sexp.new(:colon2, Sexp.new(:const, :Rack), :Utils)
+
+  @description = "Check for versions which do not escape single quotes (CVE-2012-3464)"
+
+  def initialize *args
+    super
+    @inside_erb = @inside_util = @inside_html_escape = @uses_rack_escape = false
+  end
+
+  def run_check
+    return if uses_rack_escape?
+
+    case
+    when version_between?('2.0.0', '2.3.14')
+      message = "All Rails 2.x versions do not escape single quotes (CVE-2012-3464)"
+    when version_between?('3.0.0', '3.0.16')
+      message = "Rails #{rails_version} does not escape single quotes (CVE-2012-3464). Upgrade to 3.0.17"
+    when version_between?('3.1.0', '3.1.7')
+      message = "Rails #{rails_version} does not escape single quotes (CVE-2012-3464). Upgrade to 3.1.8"
+    when version_between?('3.2.0', '3.2.7')
+      message = "Rails #{rails_version} does not escape single quotes (CVE-2012-3464). Upgrade to 3.2.8"
+    else
+      return
+    end
+
+    warn :warning_type => "Cross-Site Scripting",
+      :warning_code => :CVE_2012_3464,
+      :message => message,
+      :confidence => :medium,
+      :gem_info => gemfile_or_environment,
+      :link_path => "https://groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion"
+  end
+
+  #Process initializers to see if they use workaround
+  #by replacing Erb::Util.html_escape
+  def uses_rack_escape?
+    @tracker.initializers.each do |_name, src|
+      process src
+    end
+
+    @uses_rack_escape
+  end
+
+  #Look for
+  #
+  #    class ERB
+  def process_class exp
+    if exp.class_name == :ERB
+      @inside_erb = true
+      process_all exp.body
+      @inside_erb = false
+    end
+
+    exp
+  end
+
+  #Look for
+  #
+  #    module Util
+  def process_module exp
+    if @inside_erb and exp.module_name == :Util
+      @inside_util = true
+      process_all exp.body
+      @inside_util = false
+    end
+
+    exp
+  end
+
+  #Look for
+  #
+  #    def html_escape
+  def process_defn exp
+    if @inside_util and exp.method_name == :html_escape
+      @inside_html_escape = true
+      process_all exp.body
+      @inside_html_escape = false
+    end
+
+    exp
+  end
+
+  #Look for
+  #
+  #    Rack::Utils.escape_html
+  def process_call exp
+    if @inside_html_escape and exp.target == RACK_UTILS and exp.method == :escape_html
+      @uses_rack_escape = true
+    else
+      process exp.target if exp.target
+    end
+
+    exp
+  end
+end

data/lib/railroader/checks/check_skip_before_filter.rb

@@ -0,0 +1,60 @@
+require 'railroader/checks/base_check'
+
+#At the moment, this looks for
+#
+#  skip_before_filter :verify_authenticity_token, :except => [...]
+#
+#which is essentially a blacklist approach (no actions are checked EXCEPT the
+#ones listed) versus a whitelist approach (ONLY the actions listed will skip
+#the check)
+class Railroader::CheckSkipBeforeFilter < Railroader::BaseCheck
+  Railroader::Checks.add self
+
+  @description = "Warn when skipping CSRF or authentication checks by default"
+
+  def run_check
+    tracker.controllers.each do |_name, controller|
+      controller.skip_filters.each do |filter|
+        process_skip_filter filter, controller
+      end
+    end
+  end
+
+  def process_skip_filter filter, controller
+    case skip_except_value filter
+    when :verify_authenticity_token
+      warn :class => controller.name, #ugh this should be a controller warning, too
+        :warning_type => "Cross-Site Request Forgery",
+        :warning_code => :csrf_blacklist,
+        :message => "Use whitelist (:only => [..]) when skipping CSRF check",
+        :code => filter,
+        :confidence => :medium,
+        :file => controller.file
+
+    when :login_required, :authenticate_user!, :require_user
+      warn :controller => controller.name,
+        :warning_code => :auth_blacklist,
+        :warning_type => "Authentication",
+        :message => "Use whitelist (:only => [..]) when skipping authentication",
+        :code => filter,
+        :confidence => :medium,
+        :link => "authentication_whitelist",
+        :file => controller.file
+    end
+  end
+
+  def skip_except_value filter
+    return false unless call? filter
+
+    first_arg = filter.first_arg
+    last_arg = filter.last_arg
+
+    if symbol? first_arg and hash? last_arg
+      if hash_access(last_arg, :except)
+        return first_arg.value
+      end
+    end
+
+    false
+  end
+end