RubyGems - railroader - Versions diffs - 4.3.4 - Mend

railroader 4.3.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (165) hide show

checksums.yaml +7 -0
data/CHANGES.md +1091 -0
data/FEATURES +16 -0
data/README.md +174 -0
data/bin/railroader +8 -0
data/lib/railroader/app_tree.rb +191 -0
data/lib/railroader/call_index.rb +219 -0
data/lib/railroader/checks/base_check.rb +505 -0
data/lib/railroader/checks/check_basic_auth.rb +88 -0
data/lib/railroader/checks/check_basic_auth_timing_attack.rb +33 -0
data/lib/railroader/checks/check_content_tag.rb +200 -0
data/lib/railroader/checks/check_create_with.rb +74 -0
data/lib/railroader/checks/check_cross_site_scripting.rb +381 -0
data/lib/railroader/checks/check_default_routes.rb +86 -0
data/lib/railroader/checks/check_deserialize.rb +56 -0
data/lib/railroader/checks/check_detailed_exceptions.rb +55 -0
data/lib/railroader/checks/check_digest_dos.rb +38 -0
data/lib/railroader/checks/check_divide_by_zero.rb +42 -0
data/lib/railroader/checks/check_dynamic_finders.rb +48 -0
data/lib/railroader/checks/check_escape_function.rb +21 -0
data/lib/railroader/checks/check_evaluation.rb +35 -0
data/lib/railroader/checks/check_execute.rb +189 -0
data/lib/railroader/checks/check_file_access.rb +71 -0
data/lib/railroader/checks/check_file_disclosure.rb +35 -0
data/lib/railroader/checks/check_filter_skipping.rb +31 -0
data/lib/railroader/checks/check_forgery_setting.rb +81 -0
data/lib/railroader/checks/check_header_dos.rb +31 -0
data/lib/railroader/checks/check_i18n_xss.rb +48 -0
data/lib/railroader/checks/check_jruby_xml.rb +36 -0
data/lib/railroader/checks/check_json_encoding.rb +47 -0
data/lib/railroader/checks/check_json_parsing.rb +107 -0
data/lib/railroader/checks/check_link_to.rb +132 -0
data/lib/railroader/checks/check_link_to_href.rb +146 -0
data/lib/railroader/checks/check_mail_to.rb +49 -0
data/lib/railroader/checks/check_mass_assignment.rb +196 -0
data/lib/railroader/checks/check_mime_type_dos.rb +39 -0
data/lib/railroader/checks/check_model_attr_accessible.rb +55 -0
data/lib/railroader/checks/check_model_attributes.rb +119 -0
data/lib/railroader/checks/check_model_serialize.rb +67 -0
data/lib/railroader/checks/check_nested_attributes.rb +38 -0
data/lib/railroader/checks/check_nested_attributes_bypass.rb +58 -0
data/lib/railroader/checks/check_number_to_currency.rb +74 -0
data/lib/railroader/checks/check_permit_attributes.rb +43 -0
data/lib/railroader/checks/check_quote_table_name.rb +40 -0
data/lib/railroader/checks/check_redirect.rb +256 -0
data/lib/railroader/checks/check_regex_dos.rb +68 -0
data/lib/railroader/checks/check_render.rb +97 -0
data/lib/railroader/checks/check_render_dos.rb +37 -0
data/lib/railroader/checks/check_render_inline.rb +53 -0
data/lib/railroader/checks/check_response_splitting.rb +21 -0
data/lib/railroader/checks/check_route_dos.rb +42 -0
data/lib/railroader/checks/check_safe_buffer_manipulation.rb +31 -0
data/lib/railroader/checks/check_sanitize_methods.rb +112 -0
data/lib/railroader/checks/check_secrets.rb +40 -0
data/lib/railroader/checks/check_select_tag.rb +59 -0
data/lib/railroader/checks/check_select_vulnerability.rb +60 -0
data/lib/railroader/checks/check_send.rb +47 -0
data/lib/railroader/checks/check_send_file.rb +19 -0
data/lib/railroader/checks/check_session_manipulation.rb +35 -0
data/lib/railroader/checks/check_session_settings.rb +176 -0
data/lib/railroader/checks/check_simple_format.rb +58 -0
data/lib/railroader/checks/check_single_quotes.rb +101 -0
data/lib/railroader/checks/check_skip_before_filter.rb +60 -0
data/lib/railroader/checks/check_sql.rb +700 -0
data/lib/railroader/checks/check_sql_cves.rb +106 -0
data/lib/railroader/checks/check_ssl_verify.rb +48 -0
data/lib/railroader/checks/check_strip_tags.rb +89 -0
data/lib/railroader/checks/check_symbol_dos.rb +71 -0
data/lib/railroader/checks/check_symbol_dos_cve.rb +30 -0
data/lib/railroader/checks/check_translate_bug.rb +45 -0
data/lib/railroader/checks/check_unsafe_reflection.rb +50 -0
data/lib/railroader/checks/check_unscoped_find.rb +57 -0
data/lib/railroader/checks/check_validation_regex.rb +116 -0
data/lib/railroader/checks/check_weak_hash.rb +148 -0
data/lib/railroader/checks/check_without_protection.rb +80 -0
data/lib/railroader/checks/check_xml_dos.rb +45 -0
data/lib/railroader/checks/check_yaml_parsing.rb +121 -0
data/lib/railroader/checks.rb +209 -0
data/lib/railroader/codeclimate/engine_configuration.rb +97 -0
data/lib/railroader/commandline.rb +179 -0
data/lib/railroader/differ.rb +66 -0
data/lib/railroader/file_parser.rb +54 -0
data/lib/railroader/format/style.css +133 -0
data/lib/railroader/options.rb +339 -0
data/lib/railroader/parsers/rails2_erubis.rb +6 -0
data/lib/railroader/parsers/rails2_xss_plugin_erubis.rb +48 -0
data/lib/railroader/parsers/rails3_erubis.rb +81 -0
data/lib/railroader/parsers/template_parser.rb +108 -0
data/lib/railroader/processor.rb +102 -0
data/lib/railroader/processors/alias_processor.rb +1229 -0
data/lib/railroader/processors/base_processor.rb +295 -0
data/lib/railroader/processors/config_processor.rb +14 -0
data/lib/railroader/processors/controller_alias_processor.rb +278 -0
data/lib/railroader/processors/controller_processor.rb +249 -0
data/lib/railroader/processors/erb_template_processor.rb +77 -0
data/lib/railroader/processors/erubis_template_processor.rb +92 -0
data/lib/railroader/processors/gem_processor.rb +64 -0
data/lib/railroader/processors/haml_template_processor.rb +191 -0
data/lib/railroader/processors/lib/basic_processor.rb +37 -0
data/lib/railroader/processors/lib/call_conversion_helper.rb +90 -0
data/lib/railroader/processors/lib/find_all_calls.rb +224 -0
data/lib/railroader/processors/lib/find_call.rb +183 -0
data/lib/railroader/processors/lib/find_return_value.rb +166 -0
data/lib/railroader/processors/lib/module_helper.rb +111 -0
data/lib/railroader/processors/lib/processor_helper.rb +88 -0
data/lib/railroader/processors/lib/rails2_config_processor.rb +145 -0
data/lib/railroader/processors/lib/rails2_route_processor.rb +313 -0
data/lib/railroader/processors/lib/rails3_config_processor.rb +132 -0
data/lib/railroader/processors/lib/rails3_route_processor.rb +308 -0
data/lib/railroader/processors/lib/render_helper.rb +181 -0
data/lib/railroader/processors/lib/render_path.rb +107 -0
data/lib/railroader/processors/lib/route_helper.rb +68 -0
data/lib/railroader/processors/lib/safe_call_helper.rb +16 -0
data/lib/railroader/processors/library_processor.rb +74 -0
data/lib/railroader/processors/model_processor.rb +91 -0
data/lib/railroader/processors/output_processor.rb +144 -0
data/lib/railroader/processors/route_processor.rb +17 -0
data/lib/railroader/processors/slim_template_processor.rb +111 -0
data/lib/railroader/processors/template_alias_processor.rb +118 -0
data/lib/railroader/processors/template_processor.rb +85 -0
data/lib/railroader/report/config/remediation.yml +71 -0
data/lib/railroader/report/ignore/config.rb +153 -0
data/lib/railroader/report/ignore/interactive.rb +362 -0
data/lib/railroader/report/pager.rb +112 -0
data/lib/railroader/report/renderer.rb +24 -0
data/lib/railroader/report/report_base.rb +292 -0
data/lib/railroader/report/report_codeclimate.rb +79 -0
data/lib/railroader/report/report_csv.rb +55 -0
data/lib/railroader/report/report_hash.rb +23 -0
data/lib/railroader/report/report_html.rb +216 -0
data/lib/railroader/report/report_json.rb +45 -0
data/lib/railroader/report/report_markdown.rb +107 -0
data/lib/railroader/report/report_table.rb +117 -0
data/lib/railroader/report/report_tabs.rb +17 -0
data/lib/railroader/report/report_text.rb +198 -0
data/lib/railroader/report/templates/controller_overview.html.erb +22 -0
data/lib/railroader/report/templates/controller_warnings.html.erb +21 -0
data/lib/railroader/report/templates/error_overview.html.erb +29 -0
data/lib/railroader/report/templates/header.html.erb +58 -0
data/lib/railroader/report/templates/ignored_warnings.html.erb +25 -0
data/lib/railroader/report/templates/model_warnings.html.erb +21 -0
data/lib/railroader/report/templates/overview.html.erb +38 -0
data/lib/railroader/report/templates/security_warnings.html.erb +23 -0
data/lib/railroader/report/templates/template_overview.html.erb +21 -0
data/lib/railroader/report/templates/view_warnings.html.erb +34 -0
data/lib/railroader/report/templates/warning_overview.html.erb +17 -0
data/lib/railroader/report.rb +88 -0
data/lib/railroader/rescanner.rb +483 -0
data/lib/railroader/scanner.rb +321 -0
data/lib/railroader/tracker/collection.rb +93 -0
data/lib/railroader/tracker/config.rb +154 -0
data/lib/railroader/tracker/constants.rb +171 -0
data/lib/railroader/tracker/controller.rb +161 -0
data/lib/railroader/tracker/library.rb +17 -0
data/lib/railroader/tracker/model.rb +90 -0
data/lib/railroader/tracker/template.rb +33 -0
data/lib/railroader/tracker.rb +362 -0
data/lib/railroader/util.rb +503 -0
data/lib/railroader/version.rb +3 -0
data/lib/railroader/warning.rb +294 -0
data/lib/railroader/warning_codes.rb +117 -0
data/lib/railroader.rb +544 -0
data/lib/ruby_parser/bm_sexp.rb +626 -0
data/lib/ruby_parser/bm_sexp_processor.rb +116 -0
metadata +386 -0

data/lib/railroader/checks/check_mail_to.rb ADDED Viewed

@@ -0,0 +1,49 @@
+require 'railroader/checks/base_check'
+#Check for cross-site scripting vulnerability in mail_to :encode => :javascript
+#with certain versions of Rails (< 2.3.11 or < 3.0.4).
+#
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/f02a48ede8315f81
+class Railroader::CheckMailTo < Railroader::BaseCheck
+  Railroader::Checks.add self
+  @description = "Checks for mail_to XSS vulnerability in certain versions"
+  def run_check
+    if (version_between? "2.3.0", "2.3.10" or version_between? "3.0.0", "3.0.3") and result = mail_to_javascript?
+      message = "Vulnerability in mail_to using javascript encoding (CVE-2011-0446). Upgrade to Rails version "
+      if version_between? "2.3.0", "2.3.10"
+        message << "2.3.11"
+      else
+        message << "3.0.4"
+      end
+      warn :result => result,
+        :warning_type => "Mail Link",
+        :warning_code => :CVE_2011_0446,
+        :message => message,
+        :confidence => :high,
+        :gem_info => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/8CpI7egxX4E/discussion"
+    end
+  end
+  #Check for javascript encoding of mail_to address
+  #    mail_to email, name, :encode => :javascript
+  def mail_to_javascript?
+    Railroader.debug "Checking calls to mail_to for javascript encoding"
+    tracker.find_call(:target => false, :method => :mail_to).each do |result|
+      result[:call].each_arg do |arg|
+        if hash? arg
+          if option = hash_access(arg, :encode)
+            return result if symbol? option and option.value == :javascript
+          end
+        end
+      end
+    end
+    false
+  end
+end

data/lib/railroader/checks/check_mass_assignment.rb ADDED Viewed

@@ -0,0 +1,196 @@
+require 'railroader/checks/base_check'
+require 'set'
+#Checks for mass assignments to models.
+#
+#See http://guides.rubyonrails.org/security.html#mass-assignment for details
+class Railroader::CheckMassAssignment < Railroader::BaseCheck
+  Railroader::Checks.add self
+  @description = "Finds instances of mass assignment"
+  def initialize(*)
+    super
+    @mass_assign_calls = nil
+  end
+  def run_check
+    check_mass_assignment
+    check_permit!
+  end
+  def find_mass_assign_calls
+    return @mass_assign_calls if @mass_assign_calls
+    models = []
+    tracker.models.each do |name, m|
+      if m.is_a? Hash
+        p m
+      end
+      if m.unprotected_model?
+        models << name
+      end
+    end
+    return [] if models.empty?
+    Railroader.debug "Finding possible mass assignment calls on #{models.length} models"
+    @mass_assign_calls = tracker.find_call :chained => true, :targets => models, :methods => [:new,
+      :attributes=,
+      :update_attributes,
+      :update_attributes!,
+      :create,
+      :create!,
+      :build,
+      :first_or_create,
+      :first_or_create!,
+      :first_or_initialize!,
+      :assign_attributes,
+      :update
+    ]
+  end
+  def check_mass_assignment
+    return if mass_assign_disabled?
+    Railroader.debug "Processing possible mass assignment calls"
+    find_mass_assign_calls.each do |result|
+      process_result result
+    end
+  end
+  #All results should be Model.new(...) or Model.attributes=() calls
+  def process_result res
+    call = res[:call]
+    check = check_call call
+    if check and original? res
+      model = tracker.models[res[:chain].first]
+      attr_protected = (model and model.attr_protected)
+      if attr_protected and tracker.options[:ignore_attr_protected]
+        return
+      elsif input = include_user_input?(call.arglist)
+        first_arg = call.first_arg
+        if call? first_arg and (first_arg.method == :slice or first_arg.method == :only)
+          return
+        elsif not node_type? first_arg, :hash
+          if attr_protected
+            confidence = :medium
+          else
+            confidence = :high
+          end
+        else
+          return
+        end
+      elsif node_type? call.first_arg, :lit, :str
+        return
+      else
+        confidence = :weak
+        input = nil
+      end
+      warn :result => res,
+        :warning_type => "Mass Assignment",
+        :warning_code => :mass_assign_call,
+        :message => "Unprotected mass assignment",
+        :code => call,
+        :user_input => input,
+        :confidence => confidence
+    end
+    res
+  end
+  #Want to ignore calls to Model.new that have no arguments
+  def check_call call
+    process_call_args call
+    if call.method == :update
+      arg = call.second_arg
+    else
+      arg = call.first_arg
+    end
+    if arg.nil? #empty new()
+      false
+    elsif hash? arg and not include_user_input? arg
+      false
+    elsif all_literal_args? call
+      false
+    else
+      true
+    end
+  end
+  LITERALS = Set[:lit, :true, :false, :nil, :string]
+  def all_literal_args? exp
+    if call? exp
+      exp.each_arg do |arg|
+        return false unless literal? arg
+      end
+      true
+    else
+      exp.all? do |arg|
+        literal? arg
+      end
+    end
+  end
+  def literal? exp
+    if sexp? exp
+      if exp.node_type == :hash
+        all_literal_args? exp
+      else
+        LITERALS.include? exp.node_type
+      end
+    else
+      true
+    end
+  end
+  # Look for and warn about uses of Parameters#permit! for mass assignment
+  def check_permit!
+    tracker.find_call(:method => :permit!).each do |result|
+      if params? result[:call].target and not result[:chain].include? :slice
+        warn_on_permit! result
+      end
+    end
+  end
+  # Look for actual use of params in mass assignment to avoid
+  # warning about uses of Parameters#permit! without any mass assignment
+  # or when mass assignment is restricted by model instead.
+  def subsequent_mass_assignment? result
+    location = result[:location]
+    line = result[:call].line
+    find_mass_assign_calls.any? do |call|
+      call[:location] == location and
+      params? call[:call].first_arg and
+      call[:call].line >= line
+    end
+  end
+  def warn_on_permit! result
+    return unless original? result
+    confidence = if subsequent_mass_assignment? result
+                   :high
+                 else
+                   :medium
+                 end
+    warn :result => result,
+      :warning_type => "Mass Assignment",
+      :warning_code => :mass_assign_permit!,
+      :message => "Parameters should be whitelisted for mass assignment",
+      :confidence => confidence
+  end
+end

data/lib/railroader/checks/check_mime_type_dos.rb ADDED Viewed

@@ -0,0 +1,39 @@
+require 'railroader/checks/base_check'
+class Railroader::CheckMimeTypeDoS < Railroader::BaseCheck
+  Railroader::Checks.add self
+  @description = "Checks for mime type denial of service (CVE-2016-0751)"
+  def run_check
+    fix_version = case
+               when version_between?("3.0.0", "3.2.22")
+                 "3.2.22.1"
+               when version_between?("4.0.0", "4.1.14")
+                 "4.1.14.1"
+               when version_between?("4.2.0", "4.2.5")
+                 "4.2.5.1"
+               else
+                 return
+               end
+    return if has_workaround?
+    message = "Rails #{rails_version} is vulnerable to denial of service via mime type caching (CVE-2016-0751). Upgrade to Rails version #{fix_version}"
+    warn :warning_type => "Denial of Service",
+      :warning_code => :CVE_2016_0751,
+      :message => message,
+      :confidence => :medium,
+      :gem_info => gemfile_or_environment,
+      :link_path => "https://groups.google.com/d/msg/rubyonrails-security/9oLY_FCzvoc/w9oI9XxbFQAJ"
+  end
+  def has_workaround?
+    tracker.check_initializers(:Mime, :const_set).any? do |match|
+      arg = match.call.first_arg
+      symbol? arg and arg.value == :LOOKUP
+    end
+  end
+end

data/lib/railroader/checks/check_model_attr_accessible.rb ADDED Viewed

@@ -0,0 +1,55 @@
+require 'railroader/checks/base_check'
+# Author: Paul Deardorff (themetric)
+# Checks models to see if important foreign keys
+# or attributes are exposed as attr_accessible when
+# they probably shouldn't be.
+class Railroader::CheckModelAttrAccessible < Railroader::BaseCheck
+  Railroader::Checks.add self
+  @description = "Reports models which have dangerous attributes defined under the attr_accessible whitelist."
+  SUSP_ATTRS = [
+    [:admin, :high], # Very dangerous unless some Rails authorization used
+    [:role, :medium],
+    [:banned, :medium],
+    [:account_id, :high],
+    [/\S*_id(s?)\z/, :weak] # All other foreign keys have weak/low confidence
+  ]
+  def run_check
+    check_models do |name, model|
+      model.attr_accessible.each do |attribute|
+        next if role_limited? model, attribute
+        SUSP_ATTRS.each do |susp_attr, confidence|
+          if susp_attr.is_a?(Regexp) and susp_attr =~ attribute.to_s or susp_attr == attribute
+            warn :model => name,
+              :file => model.file,
+              :warning_type => "Mass Assignment",
+              :warning_code => :dangerous_attr_accessible,
+              :message => "Potentially dangerous attribute available for mass assignment",
+              :confidence => confidence,
+              :code => Sexp.new(:lit, attribute)
+            break # Prevent from matching single attr multiple times
+          end
+        end
+      end
+    end
+  end
+  def role_limited? model, attribute
+    role_accessible = model.role_accessible
+    return if role_accessible.nil?
+    role_accessible.include? attribute
+  end
+  def check_models
+    tracker.models.each do |name, model|
+      if !model.attr_accessible.nil?
+        yield name, model
+      end
+    end
+  end
+end

data/lib/railroader/checks/check_model_attributes.rb ADDED Viewed

@@ -0,0 +1,119 @@
+require 'railroader/checks/base_check'
+#Check if mass assignment is used with models
+#which inherit from ActiveRecord::Base.
+#
+#If tracker.options[:collapse_mass_assignment] is +true+ (default), all models
+#which do not use attr_accessible will be reported in a single warning
+class Railroader::CheckModelAttributes < Railroader::BaseCheck
+  Railroader::Checks.add self
+  @description = "Reports models which do not use attr_restricted and warns on models that use attr_protected"
+  def run_check
+    return if mass_assign_disabled?
+    #Roll warnings into one warning for all models
+    if tracker.options[:collapse_mass_assignment]
+      no_accessible_names = []
+      protected_names = []
+      check_models do |name, model|
+        if model.attr_protected.nil?
+          no_accessible_names << name.to_s
+        elsif not tracker.options[:ignore_attr_protected]
+          protected_names << name.to_s
+        end
+      end
+      unless no_accessible_names.empty?
+        warn :model => no_accessible_names.sort.join(", "),
+          :warning_type => "Attribute Restriction",
+          :warning_code => :no_attr_accessible,
+          :message => "Mass assignment is not restricted using attr_accessible",
+          :confidence => :high
+      end
+      unless protected_names.empty?
+        message, confidence, link = check_for_attr_protected_bypass
+        if link
+          warning_code = :CVE_2013_0276
+        else
+          warning_code = :attr_protected_used
+        end
+        warn :model => protected_names.sort.join(", "),
+          :warning_type => "Attribute Restriction",
+          :warning_code => warning_code,
+          :message => message,
+          :confidence => confidence,
+          :link => link
+      end
+    else #Output one warning per model
+      check_models do |name, model|
+        if model.attr_protected.nil?
+          warn :model => name,
+            :file => model.file,
+            :line => model.top_line,
+            :warning_type => "Attribute Restriction",
+            :warning_code => :no_attr_accessible,
+            :message => "Mass assignment is not restricted using attr_accessible",
+            :confidence => :high
+        elsif not tracker.options[:ignore_attr_protected]
+          message, confidence, link = check_for_attr_protected_bypass
+          if link
+            warning_code = :CVE_2013_0276
+          else
+            warning_code = :attr_protected_used
+          end
+          warn :model => name,
+            :file => model.file,
+            :line => model.attr_protected.first.line,
+            :warning_type => "Attribute Restriction",
+            :warning_code => warning_code,
+            :message => message,
+            :confidence => confidence
+        end
+      end
+    end
+  end
+  def check_models
+    tracker.models.each do |name, model|
+      if model.unprotected_model?
+        yield name, model
+      end
+    end
+  end
+  def check_for_attr_protected_bypass
+    upgrade_version = case
+                      when version_between?("2.0.0", "2.3.16")
+                        "2.3.17"
+                      when version_between?("3.0.0", "3.0.99")
+                        "3.2.11"
+                      when version_between?("3.1.0", "3.1.10")
+                        "3.1.11"
+                      when version_between?("3.2.0", "3.2.11")
+                        "3.2.12"
+                      else
+                        nil
+                      end
+    if upgrade_version
+      message = "attr_protected is bypassable in #{rails_version}, use attr_accessible or upgrade to #{upgrade_version}"
+      confidence = :high
+      link = "https://groups.google.com/d/topic/rubyonrails-security/AFBKNY7VSH8/discussion"
+    else
+      message = "attr_accessible is recommended over attr_protected"
+      confidence = :medium
+      link = nil
+    end
+    return message, confidence, link
+  end
+end

data/lib/railroader/checks/check_model_serialize.rb ADDED Viewed

@@ -0,0 +1,67 @@
+require 'railroader/checks/base_check'
+class Railroader::CheckModelSerialize < Railroader::BaseCheck
+  Railroader::Checks.add self
+  @description = "Report uses of serialize in versions vulnerable to CVE-2013-0277"
+  def run_check
+    @upgrade_version = case
+                      when version_between?("2.0.0", "2.3.16")
+                        "2.3.17"
+                      when version_between?("3.0.0", "3.0.99")
+                        "3.2.11"
+                      else
+                        nil
+                      end
+    return unless @upgrade_version
+    tracker.models.each do |_name, model|
+      check_for_serialize model
+    end
+  end
+  #High confidence warning on serialized, unprotected attributes.
+  #Medium confidence warning for serialized, protected attributes.
+  def check_for_serialize model
+    if serialized_attrs = model.options[:serialize]
+      attrs = Set.new
+      serialized_attrs.each do |arglist|
+        arglist.each do |arg|
+          attrs << arg if symbol? arg
+        end
+      end
+      if unsafe_attrs = model.attr_accessible
+        attrs.delete_if { |attr| not unsafe_attrs.include? attr.value }
+      elsif protected_attrs = model.attr_protected
+        safe_attrs = Set.new
+        protected_attrs.each do |arglist|
+          arglist.each do |arg|
+            safe_attrs << arg if symbol? arg
+          end
+        end
+        attrs.delete_if { |attr| safe_attrs.include? attr }
+      end
+      if attrs.empty?
+        confidence = :medium
+      else
+        confidence = :high
+      end
+      warn :model => model.name,
+        :warning_type => "Remote Code Execution",
+        :warning_code => :CVE_2013_0277,
+        :message => "Serialized attributes are vulnerable in Rails #{rails_version}, upgrade to #{@upgrade_version} or patch.",
+        :confidence => confidence,
+        :link => "https://groups.google.com/d/topic/rubyonrails-security/KtmwSbEpzrU/discussion",
+        :file => model.file,
+        :line => model.top_line
+    end
+  end
+end

data/lib/railroader/checks/check_nested_attributes.rb ADDED Viewed

@@ -0,0 +1,38 @@
+require 'railroader/checks/base_check'
+#Check for vulnerability in nested attributes in Rails 2.3.9 and 3.0.0
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/f9f913d328dafe0c
+class Railroader::CheckNestedAttributes < Railroader::BaseCheck
+  Railroader::Checks.add self
+  @description = "Checks for nested attributes vulnerability in Rails 2.3.9 and 3.0.0"
+  def run_check
+    version = rails_version
+    if (version == "2.3.9" or version == "3.0.0") and uses_nested_attributes?
+      message = "Vulnerability in nested attributes (CVE-2010-3933). Upgrade to Rails version "
+      if version == "2.3.9"
+        message << "2.3.10"
+      else
+        message << "3.0.1"
+      end
+      warn :warning_type => "Nested Attributes",
+        :warning_code => :CVE_2010_3933,
+        :message => message,
+        :confidence => :high,
+        :gem_info => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/-fkT0yja_gw/discussion"
+    end
+  end
+  def uses_nested_attributes?
+    active_record_models.each do |_name, model|
+      return true if model.options[:accepts_nested_attributes_for]
+    end
+    false
+  end
+end

data/lib/railroader/checks/check_nested_attributes_bypass.rb ADDED Viewed

@@ -0,0 +1,58 @@
+require 'railroader/checks/base_check'
+#https://groups.google.com/d/msg/rubyonrails-security/cawsWcQ6c8g/tegZtYdbFQAJ
+class Railroader::CheckNestedAttributesBypass < Railroader::BaseCheck
+  Railroader::Checks.add self
+  @description = "Checks for nested attributes vulnerability (CVE-2015-7577)"
+  def run_check
+    if version_between? "3.1.0", "3.2.22" or
+       version_between? "4.0.0", "4.1.14" or
+       version_between? "4.2.0", "4.2.5"
+      unless workaround?
+        check_nested_attributes
+      end
+    end
+  end
+  def check_nested_attributes
+    active_record_models.each do |name, model|
+      if opts = model.options[:accepts_nested_attributes_for]
+        opts.each do |args|
+          if args.any? { |a| allow_destroy? a } and args.any? { |a| reject_if? a }
+            warn_about_nested_attributes name, model, args
+          end
+        end
+      end
+    end
+  end
+  def warn_about_nested_attributes name, model, args
+    message = "Rails #{rails_version} does not call :reject_if option when :allow_destroy is false (CVE-2015-7577)"
+    warn :model => name,
+      :warning_type => "Nested Attributes",
+      :warning_code => :CVE_2015_7577,
+      :message => message,
+      :file => model.file,
+      :line => args.line,
+      :confidence => :medium,
+      :link_path => "https://groups.google.com/d/msg/rubyonrails-security/cawsWcQ6c8g/tegZtYdbFQAJ"
+  end
+  def allow_destroy? arg
+    hash? arg and
+      false? hash_access(arg, :allow_destroy)
+  end
+  def reject_if? arg
+    hash? arg and
+      hash_access(arg, :reject_if)
+  end
+  def workaround?
+    tracker.check_initializers([], :will_be_destroyed?).any?
+  end
+end

data/lib/railroader/checks/check_number_to_currency.rb ADDED Viewed

@@ -0,0 +1,74 @@
+require 'railroader/checks/base_check'
+class Railroader::CheckNumberToCurrency < Railroader::BaseCheck
+  Railroader::Checks.add self
+  @description = "Checks for number helpers XSS vulnerabilities in certain versions"
+  def initialize(*)
+    super
+    @found_any = false
+  end
+  def run_check
+    if version_between? "2.0.0", "2.3.18" or
+      version_between? "3.0.0", "3.2.16" or
+      version_between? "4.0.0", "4.0.2"
+      return if lts_version? "2.3.18.8"
+      check_number_helper_usage
+      generic_warning unless @found_any
+    end
+  end
+  def generic_warning
+    message = "Rails #{rails_version} has a vulnerability in number helpers (CVE-2014-0081). Upgrade to Rails version "
+    if version_between? "2.3.0", "3.2.16"
+      message << "3.2.17"
+    else
+      message << "4.0.3"
+    end
+    warn :warning_type => "Cross-Site Scripting",
+      :warning_code => :CVE_2014_0081,
+      :message => message,
+      :confidence => :medium,
+      :gem_info => gemfile_or_environment,
+      :link_path => "https://groups.google.com/d/msg/ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ"
+  end
+  def check_number_helper_usage
+    number_methods = [:number_to_currency, :number_to_percentage, :number_to_human]
+    tracker.find_call(:target => false, :methods => number_methods).each do |result|
+      arg = result[:call].second_arg
+      next unless arg
+      if not check_helper_option(result, arg) and hash? arg
+        hash_iterate(arg) do |_key, value|
+          break if check_helper_option(result, value)
+        end
+      end
+    end
+  end
+  def check_helper_option result, exp
+    if match = (has_immediate_user_input? exp or has_immediate_model? exp)
+      warn_on_number_helper result, match
+      @found_any = true
+    else
+      false
+    end
+  end
+  def warn_on_number_helper result, match
+    warn :result => result,
+      :warning_type => "Cross-Site Scripting",
+      :warning_code => :CVE_2014_0081_call,
+      :message => "Format options in #{result[:call].method} are not safe in Rails #{rails_version}",
+      :confidence => :high,
+      :link_path => "https://groups.google.com/d/msg/ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ",
+      :user_input => match
+  end
+end