RubyGems - railroader - Versions diffs - 4.3.4 - Mend

railroader 4.3.4

Files changed (165) hide show

checksums.yaml +7 -0
data/CHANGES.md +1091 -0
data/FEATURES +16 -0
data/README.md +174 -0
data/bin/railroader +8 -0
data/lib/railroader/app_tree.rb +191 -0
data/lib/railroader/call_index.rb +219 -0
data/lib/railroader/checks/base_check.rb +505 -0
data/lib/railroader/checks/check_basic_auth.rb +88 -0
data/lib/railroader/checks/check_basic_auth_timing_attack.rb +33 -0
data/lib/railroader/checks/check_content_tag.rb +200 -0
data/lib/railroader/checks/check_create_with.rb +74 -0
data/lib/railroader/checks/check_cross_site_scripting.rb +381 -0
data/lib/railroader/checks/check_default_routes.rb +86 -0
data/lib/railroader/checks/check_deserialize.rb +56 -0
data/lib/railroader/checks/check_detailed_exceptions.rb +55 -0
data/lib/railroader/checks/check_digest_dos.rb +38 -0
data/lib/railroader/checks/check_divide_by_zero.rb +42 -0
data/lib/railroader/checks/check_dynamic_finders.rb +48 -0
data/lib/railroader/checks/check_escape_function.rb +21 -0
data/lib/railroader/checks/check_evaluation.rb +35 -0
data/lib/railroader/checks/check_execute.rb +189 -0
data/lib/railroader/checks/check_file_access.rb +71 -0
data/lib/railroader/checks/check_file_disclosure.rb +35 -0
data/lib/railroader/checks/check_filter_skipping.rb +31 -0
data/lib/railroader/checks/check_forgery_setting.rb +81 -0
data/lib/railroader/checks/check_header_dos.rb +31 -0
data/lib/railroader/checks/check_i18n_xss.rb +48 -0
data/lib/railroader/checks/check_jruby_xml.rb +36 -0
data/lib/railroader/checks/check_json_encoding.rb +47 -0
data/lib/railroader/checks/check_json_parsing.rb +107 -0
data/lib/railroader/checks/check_link_to.rb +132 -0
data/lib/railroader/checks/check_link_to_href.rb +146 -0
data/lib/railroader/checks/check_mail_to.rb +49 -0
data/lib/railroader/checks/check_mass_assignment.rb +196 -0
data/lib/railroader/checks/check_mime_type_dos.rb +39 -0
data/lib/railroader/checks/check_model_attr_accessible.rb +55 -0
data/lib/railroader/checks/check_model_attributes.rb +119 -0
data/lib/railroader/checks/check_model_serialize.rb +67 -0
data/lib/railroader/checks/check_nested_attributes.rb +38 -0
data/lib/railroader/checks/check_nested_attributes_bypass.rb +58 -0
data/lib/railroader/checks/check_number_to_currency.rb +74 -0
data/lib/railroader/checks/check_permit_attributes.rb +43 -0
data/lib/railroader/checks/check_quote_table_name.rb +40 -0
data/lib/railroader/checks/check_redirect.rb +256 -0
data/lib/railroader/checks/check_regex_dos.rb +68 -0
data/lib/railroader/checks/check_render.rb +97 -0
data/lib/railroader/checks/check_render_dos.rb +37 -0
data/lib/railroader/checks/check_render_inline.rb +53 -0
data/lib/railroader/checks/check_response_splitting.rb +21 -0
data/lib/railroader/checks/check_route_dos.rb +42 -0
data/lib/railroader/checks/check_safe_buffer_manipulation.rb +31 -0
data/lib/railroader/checks/check_sanitize_methods.rb +112 -0
data/lib/railroader/checks/check_secrets.rb +40 -0
data/lib/railroader/checks/check_select_tag.rb +59 -0
data/lib/railroader/checks/check_select_vulnerability.rb +60 -0
data/lib/railroader/checks/check_send.rb +47 -0
data/lib/railroader/checks/check_send_file.rb +19 -0
data/lib/railroader/checks/check_session_manipulation.rb +35 -0
data/lib/railroader/checks/check_session_settings.rb +176 -0
data/lib/railroader/checks/check_simple_format.rb +58 -0
data/lib/railroader/checks/check_single_quotes.rb +101 -0
data/lib/railroader/checks/check_skip_before_filter.rb +60 -0
data/lib/railroader/checks/check_sql.rb +700 -0
data/lib/railroader/checks/check_sql_cves.rb +106 -0
data/lib/railroader/checks/check_ssl_verify.rb +48 -0
data/lib/railroader/checks/check_strip_tags.rb +89 -0
data/lib/railroader/checks/check_symbol_dos.rb +71 -0
data/lib/railroader/checks/check_symbol_dos_cve.rb +30 -0
data/lib/railroader/checks/check_translate_bug.rb +45 -0
data/lib/railroader/checks/check_unsafe_reflection.rb +50 -0
data/lib/railroader/checks/check_unscoped_find.rb +57 -0
data/lib/railroader/checks/check_validation_regex.rb +116 -0
data/lib/railroader/checks/check_weak_hash.rb +148 -0
data/lib/railroader/checks/check_without_protection.rb +80 -0
data/lib/railroader/checks/check_xml_dos.rb +45 -0
data/lib/railroader/checks/check_yaml_parsing.rb +121 -0
data/lib/railroader/checks.rb +209 -0
data/lib/railroader/codeclimate/engine_configuration.rb +97 -0
data/lib/railroader/commandline.rb +179 -0
data/lib/railroader/differ.rb +66 -0
data/lib/railroader/file_parser.rb +54 -0
data/lib/railroader/format/style.css +133 -0
data/lib/railroader/options.rb +339 -0
data/lib/railroader/parsers/rails2_erubis.rb +6 -0
data/lib/railroader/parsers/rails2_xss_plugin_erubis.rb +48 -0
data/lib/railroader/parsers/rails3_erubis.rb +81 -0
data/lib/railroader/parsers/template_parser.rb +108 -0
data/lib/railroader/processor.rb +102 -0
data/lib/railroader/processors/alias_processor.rb +1229 -0
data/lib/railroader/processors/base_processor.rb +295 -0
data/lib/railroader/processors/config_processor.rb +14 -0
data/lib/railroader/processors/controller_alias_processor.rb +278 -0
data/lib/railroader/processors/controller_processor.rb +249 -0
data/lib/railroader/processors/erb_template_processor.rb +77 -0
data/lib/railroader/processors/erubis_template_processor.rb +92 -0
data/lib/railroader/processors/gem_processor.rb +64 -0
data/lib/railroader/processors/haml_template_processor.rb +191 -0
data/lib/railroader/processors/lib/basic_processor.rb +37 -0
data/lib/railroader/processors/lib/call_conversion_helper.rb +90 -0
data/lib/railroader/processors/lib/find_all_calls.rb +224 -0
data/lib/railroader/processors/lib/find_call.rb +183 -0
data/lib/railroader/processors/lib/find_return_value.rb +166 -0
data/lib/railroader/processors/lib/module_helper.rb +111 -0
data/lib/railroader/processors/lib/processor_helper.rb +88 -0
data/lib/railroader/processors/lib/rails2_config_processor.rb +145 -0
data/lib/railroader/processors/lib/rails2_route_processor.rb +313 -0
data/lib/railroader/processors/lib/rails3_config_processor.rb +132 -0
data/lib/railroader/processors/lib/rails3_route_processor.rb +308 -0
data/lib/railroader/processors/lib/render_helper.rb +181 -0
data/lib/railroader/processors/lib/render_path.rb +107 -0
data/lib/railroader/processors/lib/route_helper.rb +68 -0
data/lib/railroader/processors/lib/safe_call_helper.rb +16 -0
data/lib/railroader/processors/library_processor.rb +74 -0
data/lib/railroader/processors/model_processor.rb +91 -0
data/lib/railroader/processors/output_processor.rb +144 -0
data/lib/railroader/processors/route_processor.rb +17 -0
data/lib/railroader/processors/slim_template_processor.rb +111 -0
data/lib/railroader/processors/template_alias_processor.rb +118 -0
data/lib/railroader/processors/template_processor.rb +85 -0
data/lib/railroader/report/config/remediation.yml +71 -0
data/lib/railroader/report/ignore/config.rb +153 -0
data/lib/railroader/report/ignore/interactive.rb +362 -0
data/lib/railroader/report/pager.rb +112 -0
data/lib/railroader/report/renderer.rb +24 -0
data/lib/railroader/report/report_base.rb +292 -0
data/lib/railroader/report/report_codeclimate.rb +79 -0
data/lib/railroader/report/report_csv.rb +55 -0
data/lib/railroader/report/report_hash.rb +23 -0
data/lib/railroader/report/report_html.rb +216 -0
data/lib/railroader/report/report_json.rb +45 -0
data/lib/railroader/report/report_markdown.rb +107 -0
data/lib/railroader/report/report_table.rb +117 -0
data/lib/railroader/report/report_tabs.rb +17 -0
data/lib/railroader/report/report_text.rb +198 -0
data/lib/railroader/report/templates/controller_overview.html.erb +22 -0
data/lib/railroader/report/templates/controller_warnings.html.erb +21 -0
data/lib/railroader/report/templates/error_overview.html.erb +29 -0
data/lib/railroader/report/templates/header.html.erb +58 -0
data/lib/railroader/report/templates/ignored_warnings.html.erb +25 -0
data/lib/railroader/report/templates/model_warnings.html.erb +21 -0
data/lib/railroader/report/templates/overview.html.erb +38 -0
data/lib/railroader/report/templates/security_warnings.html.erb +23 -0
data/lib/railroader/report/templates/template_overview.html.erb +21 -0
data/lib/railroader/report/templates/view_warnings.html.erb +34 -0
data/lib/railroader/report/templates/warning_overview.html.erb +17 -0
data/lib/railroader/report.rb +88 -0
data/lib/railroader/rescanner.rb +483 -0
data/lib/railroader/scanner.rb +321 -0
data/lib/railroader/tracker/collection.rb +93 -0
data/lib/railroader/tracker/config.rb +154 -0
data/lib/railroader/tracker/constants.rb +171 -0
data/lib/railroader/tracker/controller.rb +161 -0
data/lib/railroader/tracker/library.rb +17 -0
data/lib/railroader/tracker/model.rb +90 -0
data/lib/railroader/tracker/template.rb +33 -0
data/lib/railroader/tracker.rb +362 -0
data/lib/railroader/util.rb +503 -0
data/lib/railroader/version.rb +3 -0
data/lib/railroader/warning.rb +294 -0
data/lib/railroader/warning_codes.rb +117 -0
data/lib/railroader.rb +544 -0
data/lib/ruby_parser/bm_sexp.rb +626 -0
data/lib/ruby_parser/bm_sexp_processor.rb +116 -0
metadata +386 -0

data/lib/railroader/checks/check_permit_attributes.rb ADDED Viewed

@@ -0,0 +1,43 @@
+require 'railroader/checks/base_check'
+class Railroader::CheckPermitAttributes < Railroader::BaseCheck
+  Railroader::Checks.add self
+  @description = "Warn on potentially dangerous attributes whitelisted via permit"
+  SUSPICIOUS_KEYS = {
+    admin: :high,
+    account_id: :high,
+    role: :medium,
+    banned: :medium,
+  }
+  def run_check
+    tracker.find_call(:method => :permit).each do |result|
+      check_permit result
+    end
+  end
+  def check_permit result
+    return unless original? result
+    call = result[:call]
+    call.each_arg do |arg|
+      if symbol? arg
+        if SUSPICIOUS_KEYS.key? arg.value
+          warn_on_permit_key result, arg
+        end
+      end
+    end
+  end
+  def warn_on_permit_key result, key, confidence = nil
+    warn :result => result,
+      :warning_type => "Mass Assignment",
+      :warning_code => :dangerous_permit_key,
+      :message => "Potentially dangerous key allowed for mass assignment",
+      :confidence => (confidence || SUSPICIOUS_KEYS[key.value]),
+      :user_input => key
+  end
+end

data/lib/railroader/checks/check_quote_table_name.rb ADDED Viewed

@@ -0,0 +1,40 @@
+require 'railroader/checks/base_check'
+#Check for uses of quote_table_name in Rails versions before 2.3.13 and 3.0.10
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6a1e473744bc389b
+class Railroader::CheckQuoteTableName < Railroader::BaseCheck
+  Railroader::Checks.add self
+  @description = "Checks for quote_table_name vulnerability in versions before 2.3.14 and 3.0.10"
+  def run_check
+    if (version_between?('2.0.0', '2.3.13') or
+        version_between?('3.0.0', '3.0.9'))
+      if uses_quote_table_name?
+        confidence = :high
+      else
+        confidence = :medium
+      end
+      if rails_version =~ /^3/
+        message = "Versions before 3.0.10 have a vulnerability in quote_table_name: CVE-2011-2930"
+      else
+        message = "Versions before 2.3.14 have a vulnerability in quote_table_name: CVE-2011-2930"
+      end
+      warn :warning_type => "SQL Injection",
+        :warning_code => :CVE_2011_2930,
+        :message => message,
+        :confidence => confidence,
+        :gem_info => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/ah5HN0S8OJs/discussion"
+    end
+  end
+  def uses_quote_table_name?
+    Railroader.debug "Finding calls to quote_table_name()"
+    not tracker.find_call(:target => false, :method => :quote_table_name).empty?
+  end
+end

data/lib/railroader/checks/check_redirect.rb ADDED Viewed

@@ -0,0 +1,256 @@
+require 'railroader/checks/base_check'
+#Reports any calls to +redirect_to+ which include parameters in the arguments.
+#
+#For example:
+#
+# redirect_to params.merge(:action => :elsewhere)
+class Railroader::CheckRedirect < Railroader::BaseCheck
+  Railroader::Checks.add self
+  @description = "Looks for calls to redirect_to with user input as arguments"
+  def run_check
+    Railroader.debug "Finding calls to redirect_to()"
+    @model_find_calls = Set[:all, :create, :create!, :find, :find_by_sql, :first, :last, :new]
+    if tracker.options[:rails3]
+      @model_find_calls.merge [:from, :group, :having, :joins, :lock, :order, :reorder, :select, :where]
+    end
+    if version_between? "4.0.0", "9.9.9"
+      @model_find_calls.merge [:find_by, :find_by!, :take]
+    end
+    @tracker.find_call(:target => false, :method => :redirect_to).each do |res|
+      process_result res
+    end
+  end
+  def process_result result
+    return unless original? result
+    call = result[:call]
+    method = call.method
+    opt = call.first_arg
+    if method == :redirect_to and
+        not only_path?(call) and
+        not explicit_host?(opt) and
+        not slice_call?(opt) and
+        not safe_permit?(opt) and
+        res = include_user_input?(call)
+      if res.type == :immediate
+        confidence = :high
+      else
+        confidence = :weak
+      end
+      warn :result => result,
+        :warning_type => "Redirect",
+        :warning_code => :open_redirect,
+        :message => "Possible unprotected redirect",
+        :code => call,
+        :user_input => res,
+        :confidence => confidence
+    end
+  end
+  #Custom check for user input. First looks to see if the user input
+  #is being output directly. This is necessary because of tracker.options[:check_arguments]
+  #which can be used to enable/disable reporting output of method calls which use
+  #user input as arguments.
+  def include_user_input? call, immediate = :immediate
+    Railroader.debug "Checking if call includes user input"
+    arg = call.first_arg
+    # if the first argument is an array, rails assumes you are building a
+    # polymorphic route, which will never jump off-host
+    return false if array? arg
+    if tracker.options[:ignore_redirect_to_model]
+      if model_instance?(arg) or decorated_model?(arg)
+        return false
+      end
+    end
+    if res = has_immediate_model?(arg)
+      unless call? arg and arg.method.to_s =~ /_path/
+        return Match.new(immediate, res)
+      end
+    elsif call? arg
+      if request_value? arg
+        return Match.new(immediate, arg)
+      elsif request_value? arg.target
+        return Match.new(immediate, arg.target)
+      elsif arg.method == :url_for and include_user_input? arg
+        return Match.new(immediate, arg)
+        #Ignore helpers like some_model_url?
+      elsif arg.method.to_s =~ /_(url|path)\z/
+        return false
+      end
+    elsif request_value? arg
+      return Match.new(immediate, arg)
+    end
+    if tracker.options[:check_arguments] and call? arg
+      include_user_input? arg, false  #I'm doubting if this is really necessary...
+    else
+      false
+    end
+  end
+  #Checks +redirect_to+ arguments for +only_path => true+ which essentially
+  #nullifies the danger posed by redirecting with user input
+  def only_path? call
+    arg = call.first_arg
+    if hash? arg
+      return has_only_path? arg
+    elsif call? arg and arg.method == :url_for
+      return check_url_for(arg)
+    elsif call? arg and hash? arg.first_arg and use_unsafe_hash_method? arg
+      return has_only_path? arg.first_arg
+    end
+    false
+  end
+  def use_unsafe_hash_method? arg
+    return call_has_param(arg, :to_unsafe_hash) || call_has_param(arg, :to_unsafe_h)
+  end
+  def call_has_param arg, key
+    if call? arg and call? arg.target
+      target = arg.target
+      method = target.method
+      node_type? target.target, :params and method == key
+    else
+      false
+    end
+  end
+  def has_only_path? arg
+    if value = hash_access(arg, :only_path)
+      return true if true?(value)
+    end
+    false
+  end
+  def explicit_host? arg
+    return unless sexp? arg
+    if hash? arg
+      if value = hash_access(arg, :host)
+        return !has_immediate_user_input?(value)
+      end
+    elsif call? arg
+      target = arg.target
+      if hash? target and value = hash_access(target, :host)
+        return !has_immediate_user_input?(value)
+      elsif call? arg
+        return explicit_host? target
+      end
+    end
+    false
+  end
+  #+url_for+ is only_path => true by default. This checks to see if it is
+  #set to false for some reason.
+  def check_url_for call
+    arg = call.first_arg
+    if hash? arg
+      if value = hash_access(arg, :only_path)
+        return false if false?(value)
+      end
+    end
+    true
+  end
+  #Returns true if exp is (probably) a model instance
+  def model_instance? exp
+    if node_type? exp, :or
+      model_instance? exp.lhs or model_instance? exp.rhs
+    elsif call? exp
+      if model_target? exp and
+        (@model_find_calls.include? exp.method or exp.method.to_s.match(/^find_by_/))
+        true
+      else
+        association?(exp.target, exp.method)
+      end
+    end
+  end
+  def model_target? exp
+    return false unless call? exp
+    model_name? exp.target or
+    friendly_model? exp.target or
+    model_target? exp.target
+  end
+  #Returns true if exp is (probably) a friendly model instance
+  #using the FriendlyId gem
+  def friendly_model? exp
+    call? exp and model_name? exp.target and exp.method == :friendly
+  end
+  #Returns true if exp is (probably) a decorated model instance
+  #using the Draper gem
+  def decorated_model? exp
+    if node_type? exp, :or
+      decorated_model? exp.lhs or decorated_model? exp.rhs
+    else
+      tracker.config.has_gem? :draper and
+      call? exp and
+      node_type?(exp.target, :const) and
+      exp.target.value.to_s.match(/Decorator$/) and
+      exp.method == :decorate
+    end
+  end
+  #Check if method is actually an association in a Model
+  def association? model_name, meth
+    if call? model_name
+      return association? model_name.target, meth
+    elsif model_name? model_name
+      model = tracker.models[class_name(model_name)]
+    else
+      return false
+    end
+    return false unless model
+    model.association? meth
+  end
+  def slice_call? exp
+    return unless call? exp
+    exp.method == :slice
+  end
+  DANGEROUS_KEYS = [:host, :subdomain, :domain, :port]
+  def safe_permit? exp
+    if call? exp and params? exp.target and exp.method == :permit
+      exp.each_arg do |opt|
+        if symbol? opt and DANGEROUS_KEYS.include? opt.value
+          return false
+        end
+      end
+      return true
+    end
+    false
+  end
+end

data/lib/railroader/checks/check_regex_dos.rb ADDED Viewed

@@ -0,0 +1,68 @@
+require 'railroader/checks/base_check'
+#This check looks for regexes that include user input.
+class Railroader::CheckRegexDoS < Railroader::BaseCheck
+  Railroader::Checks.add self
+  ESCAPES = {
+    s(:const, :Regexp) => [
+      :escape,
+      :quote
+    ]
+  }
+  @description = "Searches regexes including user input"
+  #Process calls
+  def run_check
+    Railroader.debug "Finding dynamic regexes"
+    calls = tracker.find_call :method => [:railroader_regex_interp]
+    Railroader.debug "Processing dynamic regexes"
+    calls.each do |call|
+      process_result call
+    end
+  end
+  #Warns if regex includes user input
+  def process_result result
+    return unless original? result
+    call = result[:call]
+    components = call[1..-1]
+    components.any? do |component|
+      next unless sexp? component
+      if match = has_immediate_user_input?(component)
+        confidence = :high
+      elsif match = has_immediate_model?(component)
+        match = Match.new(:model, match)
+        confidence = :medium
+      elsif match = include_user_input?(component)
+        confidence = :weak
+      end
+      if match
+        message = "#{friendly_type_of(match).capitalize} used in regex"
+        warn :result => result,
+          :warning_type => "Denial of Service",
+          :warning_code => :regex_dos,
+          :message => message,
+          :confidence => confidence,
+          :user_input => match
+      end
+    end
+  end
+  def process_call(exp)
+    if escape_methods = ESCAPES[exp.target]
+      if escape_methods.include? exp.method
+        return exp
+      end
+    end
+    super
+  end
+end

data/lib/railroader/checks/check_render.rb ADDED Viewed

@@ -0,0 +1,97 @@
+require 'railroader/checks/base_check'
+#Check calls to +render()+ for dangerous values
+class Railroader::CheckRender < Railroader::BaseCheck
+  Railroader::Checks.add self
+  @description = "Finds calls to render that might allow file access or code execution"
+  def run_check
+    tracker.find_call(:target => nil, :method => :render).each do |result|
+      process_render_result result
+    end
+  end
+  def process_render_result result
+    return unless node_type? result[:call], :render
+    case result[:call].render_type
+    when :partial, :template, :action, :file
+      check_for_rce(result) or
+        check_for_dynamic_path(result)
+    when :inline
+    when :js
+    when :json
+    when :text
+    when :update
+    when :xml
+    end
+  end
+  #Check if path to action or file is determined dynamically
+  def check_for_dynamic_path result
+    view = result[:call][2]
+    if sexp? view and original? result
+      if input = has_immediate_user_input?(view)
+        if string_interp? view
+          confidence = :medium
+        else
+          confidence = :high
+        end
+      elsif input = include_user_input?(view)
+        confidence = :weak
+      else
+        return
+      end
+      return if input.type == :model #skip models
+      return if safe_param? input.match
+      message = "Render path contains #{friendly_type_of input}"
+      warn :result => result,
+        :warning_type => "Dynamic Render Path",
+        :warning_code => :dynamic_render_path,
+        :message => message,
+        :user_input => input,
+        :confidence => confidence
+    end
+  end
+  def check_for_rce result
+    return unless version_between? "0.0.0", "3.2.22" or
+                  version_between? "4.0.0", "4.1.14" or
+                  version_between? "4.2.0", "4.2.5"
+    view = result[:call][2]
+    if sexp? view and not duplicate? result
+      if params? view
+        add_result result
+        return if safe_param? view
+        warn :result => result,
+          :warning_type => "Remote Code Execution",
+          :warning_code => :dynamic_render_path_rce,
+          :message => "Passing query parameters to render() is vulnerable in Rails #{rails_version} (CVE-2016-0752)",
+          :user_input => view,
+          :confidence => :high
+      end
+    end
+  end
+  def safe_param? exp
+    if params? exp and call? exp
+      method_name = exp.method
+      if method_name == :[]
+        arg = exp.first_arg
+        symbol? arg and [:controller, :action].include? arg.value
+      else
+        boolean_method? method_name
+      end
+    end
+  end
+end

data/lib/railroader/checks/check_render_dos.rb ADDED Viewed

@@ -0,0 +1,37 @@
+require 'railroader/checks/base_check'
+class Railroader::CheckRenderDoS < Railroader::BaseCheck
+  Railroader::Checks.add self
+  @description = "Warn about denial of service with render :text (CVE-2014-0082)"
+  def run_check
+    if version_between? "3.0.0", "3.0.20" or
+       version_between? "3.1.0", "3.1.12" or
+       version_between? "3.2.0", "3.2.16"
+      tracker.find_call(:target => nil, :method => :render).each do |result|
+        if text_render? result
+          warn_about_text_render
+          break
+        end
+      end
+    end
+  end
+  def text_render? result
+    node_type? result[:call], :render and
+    result[:call].render_type == :text
+  end
+  def warn_about_text_render
+    message = "Rails #{rails_version} has a denial of service vulnerability (CVE-2014-0082). Upgrade to Rails version 3.2.17"
+    warn :warning_type => "Denial of Service",
+      :warning_code => :CVE_2014_0082,
+      :message => message,
+      :confidence => :high,
+      :link_path => "https://groups.google.com/d/msg/rubyonrails-security/LMxO_3_eCuc/ozGBEhKaJbIJ",
+      :gem_info => gemfile_or_environment
+  end
+end

data/lib/railroader/checks/check_render_inline.rb ADDED Viewed

@@ -0,0 +1,53 @@
+class Railroader::CheckRenderInline < Railroader::CheckCrossSiteScripting
+  Railroader::Checks.add self
+  @description = "Checks for cross-site scripting in render calls"
+  def run_check
+    setup
+    tracker.find_call(:target => nil, :method => :render).each do |result|
+      check_render result
+    end
+  end
+  def check_render result
+    return unless original? result
+    call = result[:call]
+    if node_type? call, :render and
+      (call.render_type == :text or call.render_type == :inline)
+      unless call.render_type == :text and content_type_set? call[3]
+        render_value = call[2]
+        if input = has_immediate_user_input?(render_value)
+          warn :result => result,
+            :warning_type => "Cross-Site Scripting",
+            :warning_code => :cross_site_scripting_inline,
+            :message => "Unescaped #{friendly_type_of input} rendered inline",
+            :user_input => input,
+            :confidence => :high
+        elsif input = has_immediate_model?(render_value)
+          warn :result => result,
+            :warning_type => "Cross-Site Scripting",
+            :warning_code => :cross_site_scripting_inline,
+            :message => "Unescaped model attribute rendered inline",
+            :user_input => input,
+            :confidence => :medium
+        end
+      end
+    end
+  end
+  CONTENT_TYPES = ["text/html", "text/javascript", "application/javascript"]
+  def content_type_set? opts
+    if hash? opts
+      content_type = hash_access(opts, :content_type)
+      string? content_type and not CONTENT_TYPES.include? content_type.value
+    end
+  end
+end

data/lib/railroader/checks/check_response_splitting.rb ADDED Viewed

@@ -0,0 +1,21 @@
+require 'railroader/checks/base_check'
+#Warn about response splitting in Rails versions before 2.3.13
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6ffc93bde0298768
+class Railroader::CheckResponseSplitting < Railroader::BaseCheck
+  Railroader::Checks.add self
+  @description = "Report response splitting in Rails 2.3.0 - 2.3.13"
+  def run_check
+    if version_between?('2.3.0', '2.3.13')
+      warn :warning_type => "Response Splitting",
+        :warning_code => :CVE_2011_3186,
+        :message => "Versions before 2.3.14 have a vulnerability content type handling allowing injection of headers: CVE-2011-3186",
+        :confidence => :medium,
+        :gem_info => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/b_yTveAph2g/discussion"
+    end
+  end
+end

data/lib/railroader/checks/check_route_dos.rb ADDED Viewed

@@ -0,0 +1,42 @@
+require 'railroader/checks/base_check'
+class Railroader::CheckRouteDoS < Railroader::BaseCheck
+  Railroader::Checks.add self
+  @description = "Checks for route DoS (CVE-2015-7581)"
+  def run_check
+    fix_version = case
+                  when version_between?("4.0.0", "4.1.14")
+                    "4.1.14.1"
+                  when version_between?("4.2.0", "4.2.5")
+                    "4.2.5.1"
+                  else
+                    return
+                  end
+    if controller_wildcards?
+      message = "Rails #{rails_version} has a denial of service vulnerability with :controller routes (CVE-2015-7581). Upgrade to Rails #{fix_version}"
+      warn :warning_type => "Denial of Service",
+        :warning_code => :CVE_2015_7581,
+        :message => message,
+        :confidence => :medium,
+        :gem_info => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/msg/rubyonrails-security/dthJ5wL69JE/YzPnFelbFQAJ"
+    end
+  end
+  def controller_wildcards?
+    tracker.routes.each do |name, actions|
+      if name == :':controllerController'
+        # awful hack for routes with :controller in them
+        return true
+      elsif string? actions and actions.value.include? ":controller"
+        return true
+      end
+    end
+    false
+  end
+end

data/lib/railroader/checks/check_safe_buffer_manipulation.rb ADDED Viewed

@@ -0,0 +1,31 @@
+require 'railroader/checks/base_check'
+#Check for unsafe manipulation of strings
+#Right now this is just a version check for
+#https://groups.google.com/group/rubyonrails-security/browse_thread/thread/edd28f1e3d04e913?pli=1
+class Railroader::CheckSafeBufferManipulation < Railroader::BaseCheck
+  Railroader::Checks.add self
+  @description = "Check for Rails versions with SafeBuffer bug"
+  def run_check
+    if version_between? "3.0.0", "3.0.11"
+      suggested_version = "3.0.12"
+    elsif version_between? "3.1.0", "3.1.3"
+      suggested_version = "3.1.4"
+    elsif version_between? "3.2.0", "3.2.1"
+      suggested_version = "3.2.2"
+    else
+      return
+    end
+    message = "Rails #{rails_version} has a vulnerabilty in SafeBuffer. Upgrade to #{suggested_version} or apply patches."
+    warn :warning_type => "Cross-Site Scripting",
+      :warning_code => :safe_buffer_vuln,
+      :message => message,
+      :confidence => :medium,
+      :gem_info => gemfile_or_environment
+  end
+end