RubyGems - railroader - Versions diffs - 4.3.4 - Mend

railroader 4.3.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (165) hide show

checksums.yaml +7 -0
data/CHANGES.md +1091 -0
data/FEATURES +16 -0
data/README.md +174 -0
data/bin/railroader +8 -0
data/lib/railroader/app_tree.rb +191 -0
data/lib/railroader/call_index.rb +219 -0
data/lib/railroader/checks/base_check.rb +505 -0
data/lib/railroader/checks/check_basic_auth.rb +88 -0
data/lib/railroader/checks/check_basic_auth_timing_attack.rb +33 -0
data/lib/railroader/checks/check_content_tag.rb +200 -0
data/lib/railroader/checks/check_create_with.rb +74 -0
data/lib/railroader/checks/check_cross_site_scripting.rb +381 -0
data/lib/railroader/checks/check_default_routes.rb +86 -0
data/lib/railroader/checks/check_deserialize.rb +56 -0
data/lib/railroader/checks/check_detailed_exceptions.rb +55 -0
data/lib/railroader/checks/check_digest_dos.rb +38 -0
data/lib/railroader/checks/check_divide_by_zero.rb +42 -0
data/lib/railroader/checks/check_dynamic_finders.rb +48 -0
data/lib/railroader/checks/check_escape_function.rb +21 -0
data/lib/railroader/checks/check_evaluation.rb +35 -0
data/lib/railroader/checks/check_execute.rb +189 -0
data/lib/railroader/checks/check_file_access.rb +71 -0
data/lib/railroader/checks/check_file_disclosure.rb +35 -0
data/lib/railroader/checks/check_filter_skipping.rb +31 -0
data/lib/railroader/checks/check_forgery_setting.rb +81 -0
data/lib/railroader/checks/check_header_dos.rb +31 -0
data/lib/railroader/checks/check_i18n_xss.rb +48 -0
data/lib/railroader/checks/check_jruby_xml.rb +36 -0
data/lib/railroader/checks/check_json_encoding.rb +47 -0
data/lib/railroader/checks/check_json_parsing.rb +107 -0
data/lib/railroader/checks/check_link_to.rb +132 -0
data/lib/railroader/checks/check_link_to_href.rb +146 -0
data/lib/railroader/checks/check_mail_to.rb +49 -0
data/lib/railroader/checks/check_mass_assignment.rb +196 -0
data/lib/railroader/checks/check_mime_type_dos.rb +39 -0
data/lib/railroader/checks/check_model_attr_accessible.rb +55 -0
data/lib/railroader/checks/check_model_attributes.rb +119 -0
data/lib/railroader/checks/check_model_serialize.rb +67 -0
data/lib/railroader/checks/check_nested_attributes.rb +38 -0
data/lib/railroader/checks/check_nested_attributes_bypass.rb +58 -0
data/lib/railroader/checks/check_number_to_currency.rb +74 -0
data/lib/railroader/checks/check_permit_attributes.rb +43 -0
data/lib/railroader/checks/check_quote_table_name.rb +40 -0
data/lib/railroader/checks/check_redirect.rb +256 -0
data/lib/railroader/checks/check_regex_dos.rb +68 -0
data/lib/railroader/checks/check_render.rb +97 -0
data/lib/railroader/checks/check_render_dos.rb +37 -0
data/lib/railroader/checks/check_render_inline.rb +53 -0
data/lib/railroader/checks/check_response_splitting.rb +21 -0
data/lib/railroader/checks/check_route_dos.rb +42 -0
data/lib/railroader/checks/check_safe_buffer_manipulation.rb +31 -0
data/lib/railroader/checks/check_sanitize_methods.rb +112 -0
data/lib/railroader/checks/check_secrets.rb +40 -0
data/lib/railroader/checks/check_select_tag.rb +59 -0
data/lib/railroader/checks/check_select_vulnerability.rb +60 -0
data/lib/railroader/checks/check_send.rb +47 -0
data/lib/railroader/checks/check_send_file.rb +19 -0
data/lib/railroader/checks/check_session_manipulation.rb +35 -0
data/lib/railroader/checks/check_session_settings.rb +176 -0
data/lib/railroader/checks/check_simple_format.rb +58 -0
data/lib/railroader/checks/check_single_quotes.rb +101 -0
data/lib/railroader/checks/check_skip_before_filter.rb +60 -0
data/lib/railroader/checks/check_sql.rb +700 -0
data/lib/railroader/checks/check_sql_cves.rb +106 -0
data/lib/railroader/checks/check_ssl_verify.rb +48 -0
data/lib/railroader/checks/check_strip_tags.rb +89 -0
data/lib/railroader/checks/check_symbol_dos.rb +71 -0
data/lib/railroader/checks/check_symbol_dos_cve.rb +30 -0
data/lib/railroader/checks/check_translate_bug.rb +45 -0
data/lib/railroader/checks/check_unsafe_reflection.rb +50 -0
data/lib/railroader/checks/check_unscoped_find.rb +57 -0
data/lib/railroader/checks/check_validation_regex.rb +116 -0
data/lib/railroader/checks/check_weak_hash.rb +148 -0
data/lib/railroader/checks/check_without_protection.rb +80 -0
data/lib/railroader/checks/check_xml_dos.rb +45 -0
data/lib/railroader/checks/check_yaml_parsing.rb +121 -0
data/lib/railroader/checks.rb +209 -0
data/lib/railroader/codeclimate/engine_configuration.rb +97 -0
data/lib/railroader/commandline.rb +179 -0
data/lib/railroader/differ.rb +66 -0
data/lib/railroader/file_parser.rb +54 -0
data/lib/railroader/format/style.css +133 -0
data/lib/railroader/options.rb +339 -0
data/lib/railroader/parsers/rails2_erubis.rb +6 -0
data/lib/railroader/parsers/rails2_xss_plugin_erubis.rb +48 -0
data/lib/railroader/parsers/rails3_erubis.rb +81 -0
data/lib/railroader/parsers/template_parser.rb +108 -0
data/lib/railroader/processor.rb +102 -0
data/lib/railroader/processors/alias_processor.rb +1229 -0
data/lib/railroader/processors/base_processor.rb +295 -0
data/lib/railroader/processors/config_processor.rb +14 -0
data/lib/railroader/processors/controller_alias_processor.rb +278 -0
data/lib/railroader/processors/controller_processor.rb +249 -0
data/lib/railroader/processors/erb_template_processor.rb +77 -0
data/lib/railroader/processors/erubis_template_processor.rb +92 -0
data/lib/railroader/processors/gem_processor.rb +64 -0
data/lib/railroader/processors/haml_template_processor.rb +191 -0
data/lib/railroader/processors/lib/basic_processor.rb +37 -0
data/lib/railroader/processors/lib/call_conversion_helper.rb +90 -0
data/lib/railroader/processors/lib/find_all_calls.rb +224 -0
data/lib/railroader/processors/lib/find_call.rb +183 -0
data/lib/railroader/processors/lib/find_return_value.rb +166 -0
data/lib/railroader/processors/lib/module_helper.rb +111 -0
data/lib/railroader/processors/lib/processor_helper.rb +88 -0
data/lib/railroader/processors/lib/rails2_config_processor.rb +145 -0
data/lib/railroader/processors/lib/rails2_route_processor.rb +313 -0
data/lib/railroader/processors/lib/rails3_config_processor.rb +132 -0
data/lib/railroader/processors/lib/rails3_route_processor.rb +308 -0
data/lib/railroader/processors/lib/render_helper.rb +181 -0
data/lib/railroader/processors/lib/render_path.rb +107 -0
data/lib/railroader/processors/lib/route_helper.rb +68 -0
data/lib/railroader/processors/lib/safe_call_helper.rb +16 -0
data/lib/railroader/processors/library_processor.rb +74 -0
data/lib/railroader/processors/model_processor.rb +91 -0
data/lib/railroader/processors/output_processor.rb +144 -0
data/lib/railroader/processors/route_processor.rb +17 -0
data/lib/railroader/processors/slim_template_processor.rb +111 -0
data/lib/railroader/processors/template_alias_processor.rb +118 -0
data/lib/railroader/processors/template_processor.rb +85 -0
data/lib/railroader/report/config/remediation.yml +71 -0
data/lib/railroader/report/ignore/config.rb +153 -0
data/lib/railroader/report/ignore/interactive.rb +362 -0
data/lib/railroader/report/pager.rb +112 -0
data/lib/railroader/report/renderer.rb +24 -0
data/lib/railroader/report/report_base.rb +292 -0
data/lib/railroader/report/report_codeclimate.rb +79 -0
data/lib/railroader/report/report_csv.rb +55 -0
data/lib/railroader/report/report_hash.rb +23 -0
data/lib/railroader/report/report_html.rb +216 -0
data/lib/railroader/report/report_json.rb +45 -0
data/lib/railroader/report/report_markdown.rb +107 -0
data/lib/railroader/report/report_table.rb +117 -0
data/lib/railroader/report/report_tabs.rb +17 -0
data/lib/railroader/report/report_text.rb +198 -0
data/lib/railroader/report/templates/controller_overview.html.erb +22 -0
data/lib/railroader/report/templates/controller_warnings.html.erb +21 -0
data/lib/railroader/report/templates/error_overview.html.erb +29 -0
data/lib/railroader/report/templates/header.html.erb +58 -0
data/lib/railroader/report/templates/ignored_warnings.html.erb +25 -0
data/lib/railroader/report/templates/model_warnings.html.erb +21 -0
data/lib/railroader/report/templates/overview.html.erb +38 -0
data/lib/railroader/report/templates/security_warnings.html.erb +23 -0
data/lib/railroader/report/templates/template_overview.html.erb +21 -0
data/lib/railroader/report/templates/view_warnings.html.erb +34 -0
data/lib/railroader/report/templates/warning_overview.html.erb +17 -0
data/lib/railroader/report.rb +88 -0
data/lib/railroader/rescanner.rb +483 -0
data/lib/railroader/scanner.rb +321 -0
data/lib/railroader/tracker/collection.rb +93 -0
data/lib/railroader/tracker/config.rb +154 -0
data/lib/railroader/tracker/constants.rb +171 -0
data/lib/railroader/tracker/controller.rb +161 -0
data/lib/railroader/tracker/library.rb +17 -0
data/lib/railroader/tracker/model.rb +90 -0
data/lib/railroader/tracker/template.rb +33 -0
data/lib/railroader/tracker.rb +362 -0
data/lib/railroader/util.rb +503 -0
data/lib/railroader/version.rb +3 -0
data/lib/railroader/warning.rb +294 -0
data/lib/railroader/warning_codes.rb +117 -0
data/lib/railroader.rb +544 -0
data/lib/ruby_parser/bm_sexp.rb +626 -0
data/lib/ruby_parser/bm_sexp_processor.rb +116 -0
metadata +386 -0

data/lib/railroader/checks/check_filter_skipping.rb ADDED Viewed

@@ -0,0 +1,31 @@
+require 'railroader/checks/base_check'
+#Check for filter skipping vulnerability
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/3420ac71aed312d6
+class Railroader::CheckFilterSkipping < Railroader::BaseCheck
+  Railroader::Checks.add self
+  @description = "Checks for versions 3.0-3.0.9 which had a vulnerability in filters"
+  def run_check
+    if version_between?('3.0.0', '3.0.9') and uses_arbitrary_actions?
+      warn :warning_type => "Default Routes",
+        :warning_code => :CVE_2011_2929,
+        :message => "Versions before 3.0.10 have a vulnerability which allows filters to be bypassed: CVE-2011-2929",
+        :confidence => :high,
+        :gem_info => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/NCCsca7TEtY/discussion"
+    end
+  end
+  def uses_arbitrary_actions?
+    tracker.routes.each do |_name, actions|
+      if actions.include? :allow_all_actions
+        return true
+      end
+    end
+    false
+  end
+end

data/lib/railroader/checks/check_forgery_setting.rb ADDED Viewed

@@ -0,0 +1,81 @@
+require 'railroader/checks/base_check'
+#Checks that +protect_from_forgery+ is set in the ApplicationController.
+#
+#Also warns for CSRF weakness in certain versions of Rails:
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2d95a3cc23e03665
+class Railroader::CheckForgerySetting < Railroader::BaseCheck
+  Railroader::Checks.add self
+  @description = "Verifies that protect_from_forgery is enabled in direct subclasses of ActionController::Base"
+  def run_check
+    return if tracker.config.default_protect_from_forgery?
+    tracker.controllers
+    .select { |_, controller| controller.parent == :"ActionController::Base" }
+    .each do |name, controller|
+      if controller and not controller.protect_from_forgery?
+        csrf_warning :controller => name,
+          :warning_code => :csrf_protection_missing,
+          :message => "'protect_from_forgery' should be called in #{name}",
+          :file => controller.file,
+          :line => controller.top_line
+      elsif version_between? "4.0.0", "100.0.0" and forgery_opts = controller.options[:protect_from_forgery]
+        unless forgery_opts.is_a?(Array) and sexp?(forgery_opts.first) and
+          access_arg = hash_access(forgery_opts.first.first_arg, :with) and symbol? access_arg and
+          access_arg.value == :exception
+          args = {
+            :controller => name,
+            :warning_type => "Cross-Site Request Forgery",
+            :warning_code => :csrf_not_protected_by_raising_exception,
+            :message => "protect_from_forgery should be configured with 'with: :exception'",
+            :confidence => :medium,
+            :file => controller.file
+          }
+          args.merge!(:code => forgery_opts.first) if forgery_opts.is_a?(Array)
+          csrf_warning args
+        end
+      end
+      if controller.options[:protect_from_forgery]
+        check_cve_2011_0447
+      end
+    end
+  end
+  def csrf_warning opts
+    opts = {
+      :controller => :ApplicationController,
+      :warning_type => "Cross-Site Request Forgery",
+      :confidence => :high
+    }.merge opts
+    warn opts
+  end
+  def check_cve_2011_0447
+    @warned_cve_2011_0447 ||= false
+    return if @warned_cve_2011_0447
+    if version_between? "2.1.0", "2.3.10"
+      new_version = "2.3.11"
+    elsif version_between? "3.0.0", "3.0.3"
+      new_version = "3.0.4"
+    else
+      return
+    end
+    @warned_cve_2011_0447 = true # only warn once
+    csrf_warning :warning_code => :CVE_2011_0447,
+      :message => "CSRF protection is flawed in unpatched versions of Rails #{rails_version} (CVE-2011-0447). Upgrade to #{new_version} or apply patches as needed",
+      :gem_info => gemfile_or_environment,
+      :file => nil,
+      :link_path => "https://groups.google.com/d/topic/rubyonrails-security/LZWjzCPgNmU/discussion"
+  end
+end

data/lib/railroader/checks/check_header_dos.rb ADDED Viewed

@@ -0,0 +1,31 @@
+require 'railroader/checks/base_check'
+class Railroader::CheckHeaderDoS < Railroader::BaseCheck
+  Railroader::Checks.add self
+  @description = "Checks for header DoS (CVE-2013-6414)"
+  def run_check
+    if (version_between? "3.0.0", "3.2.15" or version_between? "4.0.0", "4.0.1") and not has_workaround?
+      message = "Rails #{rails_version} has a denial of service vulnerability (CVE-2013-6414). Upgrade to Rails version "
+      if version_between? "3.0.0", "3.2.15"
+        message << "3.2.16"
+      else
+        message << "4.0.2"
+      end
+      warn :warning_type => "Denial of Service",
+        :warning_code => :CVE_2013_6414,
+        :message => message,
+        :confidence => :medium,
+        :gem_info => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/msg/ruby-security-ann/A-ebV4WxzKg/KNPTbX8XAQUJ"
+    end
+  end
+  def has_workaround?
+    tracker.check_initializers(:ActiveSupport, :on_load).any? and
+    tracker.check_initializers(:"ActionView::LookupContext::DetailsKey", :class_eval).any?
+  end
+end

data/lib/railroader/checks/check_i18n_xss.rb ADDED Viewed

@@ -0,0 +1,48 @@
+require 'railroader/checks/base_check'
+class Railroader::CheckI18nXSS < Railroader::BaseCheck
+  Railroader::Checks.add self
+  @description = "Checks for i18n XSS (CVE-2013-4491)"
+  def run_check
+    if (version_between? "3.0.6", "3.2.15" or version_between? "4.0.0", "4.0.1") and not has_workaround?
+      message = "Rails #{rails_version} has an XSS vulnerability in i18n (CVE-2013-4491). Upgrade to Rails version "
+      i18n_gem = tracker.config.gem_version :i18n
+      if version_between? "3.0.6", "3.1.99" and version_before i18n_gem, "0.5.1"
+        message << "3.2.16 or i18n 0.5.1"
+      elsif version_between? "3.2.0", "4.0.1" and version_before i18n_gem, "0.6.6"
+        message << "4.0.2 or i18n 0.6.6"
+      else
+        return
+      end
+      warn :warning_type => "Cross-Site Scripting",
+        :warning_code => :CVE_2013_4491,
+        :message => message,
+        :confidence => :medium,
+        :gem_info => gemfile_or_environment(:i18n),
+        :link_path => "https://groups.google.com/d/msg/ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ"
+    end
+  end
+  def version_before gem_version, target
+    return true unless gem_version
+    gem_version.split('.').map(&:to_i).zip(target.split('.').map(&:to_i)).each do |gv, t|
+      if gv < t
+        return true
+      elsif gv > t
+        return false
+      end
+    end
+    false
+  end
+  def has_workaround?
+    tracker.check_initializers(:I18n, :const_defined?).any? do |match|
+      match.last.first_arg == s(:lit, :MissingTranslation)
+    end
+  end
+end

data/lib/railroader/checks/check_jruby_xml.rb ADDED Viewed

@@ -0,0 +1,36 @@
+require 'railroader/checks/base_check'
+class Railroader::CheckJRubyXML < Railroader::BaseCheck
+  Railroader::Checks.add self
+  @description = "Checks for versions with JRuby XML parsing backend"
+  def run_check
+    return unless RUBY_PLATFORM == "java"
+    fix_version = case
+      when version_between?('3.0.0', '3.0.99')
+        '3.2.13'
+      when version_between?('3.1.0', '3.1.11')
+        '3.1.12'
+      when version_between?('3.2.0', '3.2.12')
+        '3.2.13'
+      else
+        return
+      end
+    #Check for workaround
+    tracker.check_initializers(:"ActiveSupport::XmlMini", :backend=).each do |result|
+      arg = result.call.first_arg
+      return if string? arg and arg.value == "REXML"
+    end
+    warn :warning_type => "File Access",
+      :warning_code => :CVE_2013_1856,
+      :message => "Rails #{rails_version} with JRuby has a vulnerability in XML parser: upgrade to #{fix_version} or patch",
+      :confidence => :high,
+      :gem_info => gemfile_or_environment,
+      :link => "https://groups.google.com/d/msg/rubyonrails-security/KZwsQbYsOiI/5kUV7dSCJGwJ"
+  end
+end

data/lib/railroader/checks/check_json_encoding.rb ADDED Viewed

@@ -0,0 +1,47 @@
+require 'railroader/checks/base_check'
+class Railroader::CheckJSONEncoding < Railroader::BaseCheck
+  Railroader::Checks.add self
+  @description = "Checks for missing JSON encoding (CVE-2015-3226)"
+  def run_check
+    if (version_between? "4.1.0", "4.1.10" or version_between? "4.2.0", "4.2.1") and not has_workaround?
+      message = "Rails #{rails_version} does not encode JSON keys (CVE-2015-3226). Upgrade to Rails version "
+      if version_between? "4.1.0", "4.1.10"
+        message << "4.1.11"
+      else
+        message << "4.2.2"
+      end
+      if tracker.find_call(:methods => [:to_json, :encode]).any?
+        confidence = :high
+      else
+        confidence = :medium
+      end
+      warn :warning_type => "Cross-Site Scripting",
+        :warning_code => :CVE_2015_3226,
+        :message => message,
+        :confidence => confidence,
+        :gem_info => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/msg/rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ"
+    end
+  end
+  def has_workaround?
+    workaround = s(:module, :ActiveSupport,
+                   s(:module, :JSON,
+                     s(:module, :Encoding,
+                       s(:call, nil, :private),
+                       s(:class, :EscapedString, nil,
+                         s(:defn, :to_s,
+                           s(:args),
+                           s(:self))))))
+    tracker.initializers.any? do |_name, initializer|
+      initializer == workaround
+    end
+  end
+end

data/lib/railroader/checks/check_json_parsing.rb ADDED Viewed

@@ -0,0 +1,107 @@
+require 'railroader/checks/base_check'
+class Railroader::CheckJSONParsing < Railroader::BaseCheck
+  Railroader::Checks.add self
+  @description = "Checks for JSON parsing vulnerabilities CVE-2013-0333 and CVE-2013-0269"
+  def run_check
+    check_cve_2013_0333
+    check_cve_2013_0269
+  end
+  def check_cve_2013_0333
+    return unless version_between? "0.0.0", "2.3.15" or version_between? "3.0.0", "3.0.19"
+    unless uses_yajl? or uses_gem_backend?
+      new_version = if version_between? "0.0.0", "2.3.14"
+                      "2.3.16"
+                    elsif version_between? "3.0.0", "3.0.19"
+                      "3.0.20"
+                    end
+      message = "Rails #{rails_version} has a serious JSON parsing vulnerability: upgrade to #{new_version} or patch"
+      if uses_yajl?
+        gem_info = gemfile_or_environment(:yajl)
+      else
+        gem_info = gemfile_or_environment
+      end
+      warn :warning_type => "Remote Code Execution",
+        :warning_code => :CVE_2013_0333,
+        :message => message,
+        :confidence => :high,
+        :gem_info => gem_info,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/1h2DR63ViGo/discussion"
+    end
+  end
+  #Check if `yajl` is included in Gemfile
+  def uses_yajl?
+    tracker.config.has_gem? :yajl
+  end
+  #Check for `ActiveSupport::JSON.backend = "JSONGem"`
+  def uses_gem_backend?
+    matches = tracker.check_initializers(:'ActiveSupport::JSON', :backend=)
+    unless matches.empty?
+      json_gem = s(:str, "JSONGem")
+      matches.each do |result|
+        if result.call.first_arg == json_gem
+          return true
+        end
+      end
+    end
+    false
+  end
+  def check_cve_2013_0269
+    [:json, :json_pure].each do |name|
+      gem_hash = tracker.config.get_gem name
+      check_json_version name, gem_hash[:version] if gem_hash and gem_hash[:version]
+    end
+  end
+  def check_json_version name, version
+    return if version >= "1.7.7" or
+              (version >= "1.6.8" and version < "1.7.0") or
+              (version >= "1.5.5" and version < "1.6.0")
+    warning_type = "Denial of Service"
+    confidence = :medium
+    message = "#{name} gem version #{version} has a symbol creation vulnerablity: upgrade to "
+    if version >= "1.7.0"
+      confidence = :high
+      warning_type = "Remote Code Execution"
+      message = "#{name} gem version #{version} has a remote code vulnerablity: upgrade to 1.7.7"
+    elsif version >= "1.6.0"
+      message << "1.6.8"
+    elsif version >= "1.5.0"
+      message << "1.5.5"
+    else
+      confidence = :weak
+      message << "1.5.5"
+    end
+    if confidence == :medium and uses_json_parse?
+      confidence = :high
+    end
+    warn :warning_type => warning_type,
+      :warning_code => :CVE_2013_0269,
+      :message => message,
+      :confidence => confidence,
+      :gem_info => gemfile_or_environment(name),
+      :link => "https://groups.google.com/d/topic/rubyonrails-security/4_YvCpLzL58/discussion"
+  end
+  def uses_json_parse?
+    return @uses_json_parse unless @uses_json_parse.nil?
+    not tracker.find_call(:target => :JSON, :method => :parse).empty?
+  end
+end

data/lib/railroader/checks/check_link_to.rb ADDED Viewed

@@ -0,0 +1,132 @@
+require 'railroader/checks/check_cross_site_scripting'
+#Checks for calls to link_to in versions of Ruby where link_to did not
+#escape the first argument.
+#
+#See https://rails.lighthouseapp.com/projects/8994/tickets/3518-link_to-doesnt-escape-its-input
+class Railroader::CheckLinkTo < Railroader::CheckCrossSiteScripting
+  Railroader::Checks.add self
+  @description = "Checks for XSS in link_to in versions before 3.0"
+  def run_check
+    return unless version_between?("2.0.0", "2.9.9") and not tracker.config.escape_html?
+    @ignore_methods = Set[:button_to, :check_box, :escapeHTML, :escape_once,
+                           :field_field, :fields_for, :h, :hidden_field,
+                           :hidden_field, :hidden_field_tag, :image_tag, :label,
+                           :mail_to, :radio_button, :select,
+                           :submit_tag, :text_area, :text_field,
+                           :text_field_tag, :url_encode, :u, :url_for,
+                           :will_paginate].merge tracker.options[:safe_methods]
+    @known_dangerous = []
+    #Ideally, I think this should also check to see if people are setting
+    #:escape => false
+    @models = tracker.models.keys
+    @inspect_arguments = tracker.options[:check_arguments]
+    tracker.find_call(:target => false, :method => :link_to).each {|call| process_result call}
+  end
+  def process_result result
+    return if duplicate? result
+    #Have to make a copy of this, otherwise it will be changed to
+    #an ignored method call by the code above.
+    call = result[:call] = result[:call].dup
+    first_arg = call.first_arg
+    second_arg = call.second_arg
+    @matched = false
+    #Skip if no arguments(?) or first argument is a hash
+    return if first_arg.nil? or hash? first_arg
+    if version_between? "2.0.0", "2.2.99"
+      check_argument result, first_arg
+      if second_arg and not hash? second_arg
+        check_argument result, second_arg
+      end
+    elsif second_arg
+      #Only check first argument if there is a second argument
+      #in Rails 2.3.x
+      check_argument result, first_arg
+    end
+  end
+  # Check the argument for possible xss exploits
+  def check_argument result, exp
+    argument = process(exp)
+    !check_user_input(result, argument) && !check_method(result, argument) && !check_matched(result, @matched)
+  end
+  # Check we should warn about the user input
+  def check_user_input(result, argument)
+    input = has_immediate_user_input?(argument)
+    return false unless input
+    message = "Unescaped #{friendly_type_of input} in link_to"
+    warn_xss(result, message, input, :high)
+  end
+  # Check if we should warn about the specified method
+  def check_method(result, argument)
+    return false if tracker.options[:ignore_model_output]
+    match = has_immediate_model?(argument)
+    return false unless match
+    method = match.method
+    return false if IGNORE_MODEL_METHODS.include? method
+    confidence = :medium
+    confidence = :high if likely_model_attribute? match
+    warn_xss(result, "Unescaped model attribute in link_to", match, confidence)
+  end
+  # Check if we should warn about the matched result
+  def check_matched(result, matched = nil)
+    return false unless matched
+    return false if matched.type == :model and tracker.options[:ignore_model_output]
+    message = "Unescaped #{friendly_type_of matched} in link_to"
+    warn_xss(result, message, @matched, :medium)
+  end
+  # Create a warn for this xss
+  def warn_xss(result, message, user_input, confidence)
+    add_result(result)
+    warn :result => result,
+      :warning_type => "Cross-Site Scripting",
+      :warning_code => :xss_link_to,
+      :message => message,
+      :user_input => user_input,
+      :confidence => confidence,
+      :link_path => "link_to"
+    true
+  end
+  def process_call exp
+    @mark = true
+    actually_process_call exp
+    exp
+  end
+  def actually_process_call exp
+    return if @matched
+    target = exp.target
+    target = process target.dup if sexp? target
+    #Bare records create links to the model resource,
+    #not a string that could have injection
+    #TODO: Needs test? I think this is broken?
+    return exp if model_name? target and context == [:call, :arglist]
+    super
+  end
+end

data/lib/railroader/checks/check_link_to_href.rb ADDED Viewed

@@ -0,0 +1,146 @@
+require 'railroader/checks/check_cross_site_scripting'
+#Checks for calls to link_to which pass in potentially hazardous data
+#to the second argument.  While this argument must be html_safe to not break
+#the html, it must also be url safe as determined by calling a
+#:url_safe_method.  This prevents attacks such as javascript:evil() or
+#data:<encoded XSS> which is html_safe, but not safe as an href
+#Props to Nick Green for the idea.
+class Railroader::CheckLinkToHref < Railroader::CheckLinkTo
+  Railroader::Checks.add self
+  @description = "Checks to see if values used for hrefs are sanitized using a :url_safe_method to protect against javascript:/data: XSS"
+  def run_check
+    @ignore_methods = Set[:button_to, :check_box,
+                           :field_field, :fields_for, :hidden_field,
+                           :hidden_field, :hidden_field_tag, :image_tag, :label,
+                           :mail_to, :polymorphic_url, :radio_button, :select, :slice,
+                           :submit_tag, :text_area, :text_field,
+                           :text_field_tag, :url_encode, :u,
+                           :will_paginate].merge(tracker.options[:url_safe_methods] || [])
+    @models = tracker.models.keys
+    @inspect_arguments = tracker.options[:check_arguments]
+    methods = tracker.find_call :target => false, :method => :link_to
+    methods.each do |call|
+      process_result call
+    end
+  end
+  def process_result result
+    #Have to make a copy of this, otherwise it will be changed to
+    #an ignored method call by the code above.
+    call = result[:call] = result[:call].dup
+    @matched = false
+    url_arg = process call.second_arg
+    if check_argument? url_arg
+      url_arg = url_arg.first_arg
+    end
+    return if call? url_arg and ignore_call? url_arg.target, url_arg.method
+    if input = has_immediate_user_input?(url_arg)
+      message = "Unsafe #{friendly_type_of input} in link_to href"
+      unless duplicate? result or call_on_params? url_arg or ignore_interpolation? url_arg, input.match
+        add_result result
+        warn :result => result,
+          :warning_type => "Cross-Site Scripting",
+          :warning_code => :xss_link_to_href,
+          :message => message,
+          :user_input => input,
+          :confidence => :high,
+          :link_path => "link_to_href"
+      end
+    elsif not tracker.options[:ignore_model_output] and input = has_immediate_model?(url_arg)
+      return if ignore_model_call? url_arg, input or duplicate? result
+      add_result result
+      message = "Potentially unsafe model attribute in link_to href"
+      warn :result => result,
+        :warning_type => "Cross-Site Scripting",
+        :warning_code => :xss_link_to_href,
+        :message => message,
+        :user_input => input,
+        :confidence => :weak,
+        :link_path => "link_to_href"
+    end
+  end
+  CHECK_INSIDE_METHODS = [:url_for, :h, :sanitize]
+  def check_argument? url_arg
+    return unless call? url_arg
+    target = url_arg.target
+    method = url_arg.method
+    CHECK_INSIDE_METHODS.include? method or
+      cgi_escaped? target, method
+  end
+  def ignore_model_call? url_arg, exp
+    return true unless call? exp
+    target = exp.target
+    method = exp.method
+    return true unless model_find_call? target
+    return true unless method.to_s =~ /url|uri|link|page|site/
+    ignore_call? target, method or
+      IGNORE_MODEL_METHODS.include? method or
+      ignore_interpolation? url_arg, exp
+  end
+  #Ignore situations where the href is an interpolated string
+  #with something before the user input
+  def ignore_interpolation? arg, suspect
+    return unless string_interp? arg
+    return true unless arg[1].chomp.empty? # plain string before interpolation
+    first_interp = arg.find_nodes(:evstr).first
+    return unless first_interp
+    first_interp[1].deep_each do |e|
+      if suspect == e
+        return false
+      end
+    end
+    true
+  end
+  def ignore_call? target, method
+    decorated_model? method or super
+  end
+  def decorated_model? method
+    tracker.config.has_gem? :draper and
+      method == :decorate
+  end
+  def ignored_method? target, method
+    @ignore_methods.include? method or
+      method.to_s =~ /_path$/ or
+      (target.nil? and method.to_s =~ /_url$/)
+  end
+  def model_find_call? exp
+    return unless call? exp
+    MODEL_METHODS.include? exp.method or
+      exp.method.to_s =~ /^find_by_/
+  end
+  def call_on_params? exp
+    call? exp and
+    params? exp.target and
+    exp.method != :[]
+  end
+end