railroader 4.3.4

data/lib/railroader/checks/check_sql_cves.rb

@@ -0,0 +1,106 @@
+require 'railroader/checks/base_check'
+
+class Railroader::CheckSQLCVEs < Railroader::BaseCheck
+  Railroader::Checks.add self
+
+  @description = "Checks for several SQL CVEs"
+
+  def run_check
+    check_rails_versions_against_cve_issues
+    check_cve_2014_0080
+  end
+
+  def check_rails_versions_against_cve_issues
+    issues = [
+      {
+        :cve => "CVE-2012-2660",
+        :versions => [%w[2.0.0 2.3.14 2.3.17], %w[3.0.0 3.0.12 3.0.13], %w[3.1.0 3.1.4 3.1.5], %w[3.2.0 3.2.3 3.2.4]],
+        :url => "https://groups.google.com/d/topic/rubyonrails-security/8SA-M3as7A8/discussion"
+      },
+      {
+        :cve => "CVE-2012-2661",
+        :versions => [%w[3.0.0 3.0.12 3.0.13], %w[3.1.0 3.1.4 3.1.5], %w[3.2.0 3.2.3 3.2.5]],
+        :url => "https://groups.google.com/d/topic/rubyonrails-security/dUaiOOGWL1k/discussion"
+      },
+      {
+        :cve => "CVE-2012-2695",
+        :versions => [%w[2.0.0 2.3.14 2.3.15], %w[3.0.0 3.0.13 3.0.14], %w[3.1.0 3.1.5 3.1.6], %w[3.2.0 3.2.5 3.2.6]],
+        :url => "https://groups.google.com/d/topic/rubyonrails-security/l4L0TEVAz1k/discussion"
+      },
+      {
+        :cve => "CVE-2012-5664",
+        :versions => [%w[2.0.0 2.3.14 2.3.15], %w[3.0.0 3.0.17 3.0.18], %w[3.1.0 3.1.8 3.1.9], %w[3.2.0 3.2.9 3.2.18]],
+        :url => "https://groups.google.com/d/topic/rubyonrails-security/DCNTNp_qjFM/discussion"
+      },
+      {
+        :cve => "CVE-2013-0155",
+        :versions => [%w[2.0.0 2.3.15 2.3.16], %w[3.0.0 3.0.18 3.0.19], %w[3.1.0 3.1.9 3.1.10], %w[3.2.0 3.2.10 3.2.11]],
+        :url => "https://groups.google.com/d/topic/rubyonrails-security/c7jT-EeN9eI/discussion"
+      },
+      {
+        :cve => "CVE-2016-6317",
+        :versions => [%w[4.2.0 4.2.7.0 4.2.7.1]],
+        :url => "https://groups.google.com/d/msg/ruby-security-ann/WccgKSKiPZA/9DrsDVSoCgAJ"
+      },
+
+    ]
+
+    unless lts_version? '2.3.18.6'
+     issues << {
+        :cve => "CVE-2013-6417",
+        :versions => [%w[2.0.0 3.2.15 3.2.16], %w[4.0.0 4.0.1 4.0.2]],
+        :url => "https://groups.google.com/d/msg/ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ"
+      }
+    end
+
+    if tracker.config.has_gem? :pg
+      issues << {
+        :cve => "CVE-2014-3482",
+        :versions => [%w[2.0.0 2.9.9 3.2.19], %w[3.0.0 3.2.18 3.2.19], %w[4.0.0 4.0.6 4.0.7], %w[4.1.0 4.1.2 4.1.3]],
+        :url => "https://groups.google.com/d/msg/rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J"
+      } <<
+      {
+        :cve => "CVE-2014-3483",
+        :versions => [%w[2.0.0 2.9.9 3.2.19], %w[3.0.0 3.2.18 3.2.19], %w[4.0.0 4.0.6 4.0.7], %w[4.1.0 4.1.2 4.1.3]],
+        :url => "https://groups.google.com/d/msg/rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J" }
+    end
+
+    issues.each do |cve_issue|
+      cve_warning_for cve_issue[:versions], cve_issue[:cve], cve_issue[:url]
+    end
+  end
+
+  def cve_warning_for versions, cve, link
+    upgrade_version = upgrade_version? versions
+    return unless upgrade_version
+
+    code = cve.tr('-', '_').to_sym
+
+    warn :warning_type => 'SQL Injection',
+      :warning_code => code,
+      :message => "Rails #{rails_version} contains a SQL injection vulnerability (#{cve}). Upgrade to #{upgrade_version}",
+      :confidence => :high,
+      :gem_info => gemfile_or_environment,
+      :link_path => link
+  end
+
+  def upgrade_version? versions
+    versions.each do |low, high, upgrade|
+      return upgrade if version_between? low, high
+    end
+
+    false
+  end
+
+  def check_cve_2014_0080
+    return unless version_between? "4.0.0", "4.0.2" and
+                  @tracker.config.has_gem? :pg
+
+    warn :warning_type => 'SQL Injection',
+      :warning_code => :CVE_2014_0080,
+      :message => "Rails #{rails_version} contains a SQL injection vulnerability (CVE-2014-0080) with PostgreSQL. Upgrade to 4.0.3",
+      :confidence => :high,
+      :gem_info => gemfile_or_environment(:pg),
+      :link_path => "https://groups.google.com/d/msg/rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ"
+  end
+end

data/lib/railroader/checks/check_ssl_verify.rb

@@ -0,0 +1,48 @@
+require 'railroader/checks/base_check'
+
+# Checks if verify_mode= is called with OpenSSL::SSL::VERIFY_NONE
+
+class Railroader::CheckSSLVerify < Railroader::BaseCheck
+  Railroader::Checks.add self
+
+  SSL_VERIFY_NONE = s(:colon2, s(:colon2, s(:const, :OpenSSL), :SSL), :VERIFY_NONE)
+
+  @description = "Checks for OpenSSL::SSL::VERIFY_NONE"
+
+  def run_check
+    check_open_ssl_verify_none
+    check_http_start
+  end
+
+  def check_open_ssl_verify_none
+    tracker.find_call(:method => :verify_mode=).each {|call| process_verify_mode_result(call) }
+  end
+
+  def process_verify_mode_result result
+    if result[:call].last_arg == SSL_VERIFY_NONE
+      warn_about_ssl_verification_bypass result
+    end
+  end
+
+  def check_http_start
+    tracker.find_call(:target => :'Net::HTTP', :method => :start).each { |call| process_http_start_result call }
+  end
+
+  def process_http_start_result result
+    arg = result[:call].last_arg
+
+    if hash? arg and hash_access(arg, :verify_mode) == SSL_VERIFY_NONE
+      warn_about_ssl_verification_bypass result
+    end
+  end
+
+  def warn_about_ssl_verification_bypass result
+    return unless original? result
+
+    warn :result => result,
+      :warning_type => "SSL Verification Bypass",
+      :warning_code => :ssl_verification_bypass,
+      :message => "SSL certificate verification was bypassed",
+      :confidence => :high
+  end
+end

data/lib/railroader/checks/check_strip_tags.rb

@@ -0,0 +1,89 @@
+require 'railroader/checks/base_check'
+
+#Check for uses of strip_tags in Rails versions before 3.0.17, 3.1.8, 3.2.8 (including 2.3.x):
+#https://groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion
+#
+#Check for uses of strip_tags in Rails versions before 2.3.13 and 3.0.10:
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12
+#
+#Check for user of strip_tags with rails-html-sanitizer 1.0.2:
+#https://groups.google.com/d/msg/rubyonrails-security/OU9ugTZcbjc/PjEP46pbFQAJ
+class Railroader::CheckStripTags < Railroader::BaseCheck
+  Railroader::Checks.add self
+
+  @description = "Report strip_tags vulnerabilities"
+
+  def run_check
+    if uses_strip_tags?
+      cve_2011_2931
+      cve_2012_3465
+    end
+
+    cve_2015_7579
+  end
+
+  def cve_2011_2931
+    if version_between?('2.0.0', '2.3.12') or version_between?('3.0.0', '3.0.9')
+      if rails_version =~ /^3/
+        message = "Versions before 3.0.10 have a vulnerability in strip_tags (CVE-2011-2931)"
+      else
+        message = "Versions before 2.3.13 have a vulnerability in strip_tags (CVE-2011-2931)"
+      end
+
+      warn :warning_type => "Cross-Site Scripting",
+        :warning_code => :CVE_2011_2931,
+        :message => message,
+        :gem_info => gemfile_or_environment,
+        :confidence => :high,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/K5EwdJt06hI/discussion"
+    end
+  end
+
+  def cve_2012_3465
+    case
+    when (version_between?('2.0.0', '2.3.14') and tracker.config.escape_html?)
+      message = "All Rails 2.x versions have a vulnerability in strip_tags (CVE-2012-3465)"
+    when version_between?('3.0.10', '3.0.16')
+      message = "Rails #{rails_version} has a vulnerability in strip_tags (CVE-2012-3465). Upgrade to 3.0.17"
+    when version_between?('3.1.0', '3.1.7')
+      message = "Rails #{rails_version} has a vulnerability in strip_tags (CVE-2012-3465). Upgrade to 3.1.8"
+    when version_between?('3.2.0', '3.2.7')
+      message = "Rails #{rails_version} has a vulnerability in strip_tags (CVE-2012-3465). Upgrade to 3.2.8"
+    else
+      return
+    end
+
+    warn :warning_type => "Cross-Site Scripting",
+      :warning_code => :CVE_2012_3465,
+      :message => message,
+      :confidence => :high,
+      :gem_info => gemfile_or_environment,
+      :link_path => "https://groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion"
+  end
+
+  def cve_2015_7579
+    if tracker.config.gem_version(:'rails-html-sanitizer') == '1.0.2'
+      if uses_strip_tags?
+        confidence = :high
+      else
+        confidence = :medium
+      end
+
+      message = "rails-html-sanitizer 1.0.2 is vulnerable (CVE-2015-7579). Upgrade to 1.0.3"
+
+      warn :warning_type => "Cross-Site Scripting",
+        :warning_code => :CVE_2015_7579,
+        :message => message,
+        :confidence => confidence,
+        :gem_info => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/msg/rubyonrails-security/OU9ugTZcbjc/PjEP46pbFQAJ"
+
+    end
+  end
+
+  def uses_strip_tags?
+    Railroader.debug "Finding calls to strip_tags()"
+
+    not tracker.find_call(:target => false, :method => :strip_tags, :nested => true).empty?
+  end
+end

data/lib/railroader/checks/check_symbol_dos.rb

@@ -0,0 +1,71 @@
+require 'railroader/checks/base_check'
+
+class Railroader::CheckSymbolDoS < Railroader::BaseCheck
+  Railroader::Checks.add_optional self
+
+  UNSAFE_METHODS = [:to_sym, :literal_to_sym, :intern, :symbolize_keys, :symbolize_keys!]
+
+  @description = "Checks for symbol denial of service"
+
+  def run_check
+    return if rails_version and rails_version >= "5.0.0"
+    return if tracker.config.ruby_version >= "2.2"
+
+    tracker.find_call(:methods => UNSAFE_METHODS, :nested => true).each do |result|
+      check_unsafe_symbol_creation(result)
+    end
+  end
+
+  def check_unsafe_symbol_creation result
+    return unless original? result
+
+    call = result[:call]
+
+    if result[:method] == :literal_to_sym
+      args = call.select { |e| sexp? e }
+    else
+      args = [call.target]
+    end
+
+    if input = args.map{ |arg| has_immediate_user_input?(arg) }.compact.first
+      confidence = :high
+    elsif input = args.map{ |arg| include_user_input?(arg) }.compact.first
+      confidence = :medium
+    end
+
+
+    if confidence
+      return if safe_parameter? input.match
+      return if symbolizing_attributes? input
+
+      message = "Symbol conversion from unsafe string (#{friendly_type_of input})"
+
+      warn :result => result,
+        :warning_type => "Denial of Service",
+        :warning_code => :unsafe_symbol_creation,
+        :message => message,
+        :user_input => input,
+        :confidence => confidence
+    end
+  end
+
+  def safe_parameter? input
+    if call? input
+      if node_type? input.target, :params
+        input.method == :[] and
+        symbol? input.first_arg and
+        [:controller, :action].include? input.first_arg.value
+      else
+        safe_parameter? input.target
+      end
+    else
+      false
+    end
+  end
+
+  def symbolizing_attributes? input
+    input.type == :model and
+      call? input.match and
+      input.match.method == :attributes
+  end
+end

data/lib/railroader/checks/check_symbol_dos_cve.rb

@@ -0,0 +1,30 @@
+require 'railroader/checks/base_check'
+
+class Railroader::CheckSymbolDoSCVE < Railroader::BaseCheck
+  Railroader::Checks.add self
+
+  @description = "Checks for versions with ActiveRecord symbol denial of service vulnerability"
+
+  def run_check
+    fix_version = case
+      when version_between?('2.0.0', '2.3.17')
+        '2.3.18'
+      when version_between?('3.1.0', '3.1.11')
+        '3.1.12'
+      when version_between?('3.2.0', '3.2.12')
+        '3.2.13'
+      else
+        nil
+      end
+
+    if fix_version && active_record_models.any?
+      warn :warning_type => "Denial of Service",
+        :warning_code => :CVE_2013_1854,
+        :message => "Rails #{rails_version} has a denial of service vulnerability in ActiveRecord: upgrade to #{fix_version} or patch",
+        :confidence => :medium,
+        :gem_info => gemfile_or_environment,
+        :link => "https://groups.google.com/d/msg/rubyonrails-security/jgJ4cjjS8FE/BGbHRxnDRTIJ"
+    end
+  end
+end
+

data/lib/railroader/checks/check_translate_bug.rb

@@ -0,0 +1,45 @@
+require 'railroader/checks/base_check'
+
+#Check for vulnerability in translate() helper that allows cross-site scripting
+class Railroader::CheckTranslateBug < Railroader::BaseCheck
+  Railroader::Checks.add self
+
+  @description = "Report XSS vulnerability in translate helper"
+
+  def run_check
+    return if lts_version? '2.3.18.6'
+    if (version_between?('2.3.0', '2.3.99') and tracker.config.escape_html?) or
+        version_between?('3.0.0', '3.0.10') or
+        version_between?('3.1.0', '3.1.1')
+
+      confidence = if uses_translate?
+        :high
+      else
+        :medium
+      end
+
+      description = "have a vulnerability in the translate helper with keys ending in _html"
+
+      message = if rails_version =~ /^3\.1/
+        "Versions before 3.1.2 #{description}."
+      elsif rails_version =~ /^3\.0/
+        "Versions before 3.0.11 #{description}."
+      else
+        "Rails 2.3.x using the rails_xss plugin #{description}."
+      end
+
+      warn :warning_type => "Cross-Site Scripting",
+        :warning_code => :translate_vuln,
+        :message => message,
+        :confidence => confidence,
+        :gem_info => gemfile_or_environment,
+        :link_path => "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5"
+    end
+  end
+
+  def uses_translate?
+    Railroader.debug "Finding calls to translate() or t()"
+
+    tracker.find_call(:target => nil, :methods => [:t, :translate]).any?
+  end
+end

data/lib/railroader/checks/check_unsafe_reflection.rb

@@ -0,0 +1,50 @@
+require 'railroader/checks/base_check'
+
+# Checks for string interpolation and parameters in calls to
+# String#constantize, String#safe_constantize, Module#const_get and Module#qualified_const_get.
+#
+# Exploit examples at: http://blog.conviso.com.br/exploiting-unsafe-reflection-in-rubyrails-applications/
+class Railroader::CheckUnsafeReflection < Railroader::BaseCheck
+  Railroader::Checks.add self
+
+  @description = "Checks for unsafe reflection"
+
+  def run_check
+    reflection_methods = [:constantize, :safe_constantize, :const_get, :qualified_const_get]
+
+    tracker.find_call(:methods => reflection_methods, :nested => true).each do |result|
+      check_unsafe_reflection result
+    end
+  end
+
+  def check_unsafe_reflection result
+    return unless original? result
+
+    call = result[:call] 
+    method = call.method
+
+    case method
+    when :constantize, :safe_constantize
+      arg = call.target
+    else
+      arg = call.first_arg
+    end
+
+    if input = has_immediate_user_input?(arg)
+      confidence = :high
+    elsif input = include_user_input?(arg)
+      confidence = :medium
+    end
+
+    if confidence
+      message = "Unsafe reflection method #{method} called with #{friendly_type_of input}"
+
+      warn :result => result,
+        :warning_type => "Remote Code Execution",
+        :warning_code => :unsafe_constantize,
+        :message => message,
+        :user_input => input,
+        :confidence => confidence
+    end
+  end
+end

data/lib/railroader/checks/check_unscoped_find.rb

@@ -0,0 +1,57 @@
+require 'railroader/checks/base_check'
+
+# Checks for unscoped calls to models' #find and #find_by_id methods.
+class Railroader::CheckUnscopedFind < Railroader::BaseCheck
+  Railroader::Checks.add_optional self
+
+  @description = "Check for unscoped ActiveRecord queries"
+
+  def run_check
+    Railroader.debug("Finding instances of #find on models with associations")
+
+    associated_model_names = active_record_models.keys.select do |name|
+      if belongs_to = active_record_models[name].associations[:belongs_to]
+        not optional_belongs_to? belongs_to
+      else
+        false
+      end
+    end
+
+    calls = tracker.find_call :method => [:find, :find_by_id, :find_by_id!],
+                              :targets => associated_model_names
+
+    calls.each do |call|
+      process_result call
+    end
+  end
+
+  def process_result result
+    return if duplicate? result or result[:call].original_line
+
+    # Not interested unless argument is user controlled.
+    inputs = result[:call].args.map { |arg| include_user_input?(arg) }
+    return unless input = inputs.compact.first
+
+    add_result result
+
+    warn :result => result,
+      :warning_type => "Unscoped Find",
+      :warning_code => :unscoped_find,
+      :message      => "Unscoped call to #{result[:target]}##{result[:method]}",
+      :code         => result[:call],
+      :confidence   => :weak,
+      :user_input   => input
+  end
+
+  def optional_belongs_to? exp
+    return false unless exp.is_a? Array
+
+    exp.each do |e|
+      if hash? e and true? hash_access(e, :optional)
+        return true
+      end
+    end
+
+    false
+  end
+end

data/lib/railroader/checks/check_validation_regex.rb

@@ -0,0 +1,116 @@
+require 'railroader/checks/base_check'
+
+#Reports any calls to +validates_format_of+ which do not use +\A+ and +\z+
+#as anchors in the given regular expression.
+#
+#For example:
+#
+# #Allows anything after new line
+# validates_format_of :user_name, :with => /^\w+$/
+class Railroader::CheckValidationRegex < Railroader::BaseCheck
+  Railroader::Checks.add self
+
+  @description = "Report uses of validates_format_of with improper anchors"
+
+  WITH = Sexp.new(:lit, :with)
+  FORMAT = Sexp.new(:lit, :format)
+
+  def run_check
+    active_record_models.each do |name, model|
+      @current_model = name
+      format_validations = model.options[:validates_format_of]
+
+      if format_validations
+        format_validations.each do |v|
+          process_validates_format_of v
+        end
+      end
+
+      validates = model.options[:validates]
+
+      if validates
+        validates.each do |v|
+          process_validates v
+        end
+      end
+    end
+  end
+
+  #Check validates_format_of
+  def process_validates_format_of validator
+    if value = hash_access(validator.last, WITH)
+      check_regex value, validator
+    end
+  end
+
+  #Check validates ..., :format => ...
+  def process_validates validator
+    hash_arg = validator.last
+    return unless hash? hash_arg
+
+    value = hash_access(hash_arg, FORMAT)
+
+    if hash? value
+      value = hash_access(value, WITH)
+    end
+
+    if value
+      check_regex value, validator
+    end
+  end
+
+  # Match secure regexp without extended option
+  SECURE_REGEXP_PATTERN = %r{
+    \A
+    \\A
+    .*
+    \\[zZ]
+    \z
+  }x
+
+  # Match secure of regexp with extended option
+  EXTENDED_SECURE_REGEXP_PATTERN = %r{
+    \A
+    \s*
+    \\A
+    .*
+    \\[zZ]
+    \s*
+    \z
+  }mx
+
+  #Issue warning if the regular expression does not use
+  #+\A+ and +\z+
+  def check_regex value, validator
+    return unless regexp? value
+
+    regex = value.value
+    unless secure_regex?(regex)
+      warn :model => @current_model,
+      :warning_type => "Format Validation",
+      :warning_code => :validation_regex,
+      :message => "Insufficient validation for '#{get_name validator}' using #{regex.inspect}. Use \\A and \\z as anchors",
+      :line => value.line,
+      :confidence => :high
+    end
+  end
+
+  #Get the name of the attribute being validated.
+  def get_name validator
+    name = validator[1]
+
+    if sexp? name
+      name.value
+    else
+      name
+    end
+  end
+
+  private
+
+  def secure_regex?(regex)
+    extended_regex = Regexp::EXTENDED == regex.options & Regexp::EXTENDED
+    regex_pattern = extended_regex ? EXTENDED_SECURE_REGEXP_PATTERN : SECURE_REGEXP_PATTERN
+    regex_pattern =~ regex.source
+  end
+end