railroader 4.3.5 → 4.3.7
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGES.md +16 -0
- data/README.md +15 -0
- data/bin/railroader +1 -1
- data/lib/railroader/call_index.rb +11 -11
- data/lib/railroader/checks/base_check.rb +43 -43
- data/lib/railroader/checks/check_basic_auth.rb +3 -3
- data/lib/railroader/checks/check_content_tag.rb +9 -9
- data/lib/railroader/checks/check_create_with.rb +2 -2
- data/lib/railroader/checks/check_cross_site_scripting.rb +24 -24
- data/lib/railroader/checks/check_default_routes.rb +5 -5
- data/lib/railroader/checks/check_deserialize.rb +1 -1
- data/lib/railroader/checks/check_dynamic_finders.rb +1 -1
- data/lib/railroader/checks/check_escape_function.rb +3 -3
- data/lib/railroader/checks/check_evaluation.rb +4 -4
- data/lib/railroader/checks/check_execute.rb +8 -8
- data/lib/railroader/checks/check_file_access.rb +2 -2
- data/lib/railroader/checks/check_filter_skipping.rb +2 -2
- data/lib/railroader/checks/check_forgery_setting.rb +3 -3
- data/lib/railroader/checks/check_jruby_xml.rb +1 -1
- data/lib/railroader/checks/check_json_parsing.rb +2 -2
- data/lib/railroader/checks/check_link_to.rb +12 -12
- data/lib/railroader/checks/check_link_to_href.rb +9 -9
- data/lib/railroader/checks/check_mail_to.rb +4 -4
- data/lib/railroader/checks/check_mass_assignment.rb +5 -5
- data/lib/railroader/checks/check_model_attributes.rb +6 -6
- data/lib/railroader/checks/check_model_serialize.rb +2 -2
- data/lib/railroader/checks/check_nested_attributes.rb +2 -2
- data/lib/railroader/checks/check_nested_attributes_bypass.rb +1 -1
- data/lib/railroader/checks/check_quote_table_name.rb +3 -3
- data/lib/railroader/checks/check_redirect.rb +19 -19
- data/lib/railroader/checks/check_regex_dos.rb +3 -3
- data/lib/railroader/checks/check_render.rb +4 -4
- data/lib/railroader/checks/check_response_splitting.rb +2 -2
- data/lib/railroader/checks/check_safe_buffer_manipulation.rb +4 -4
- data/lib/railroader/checks/check_sanitize_methods.rb +2 -2
- data/lib/railroader/checks/check_select_tag.rb +4 -4
- data/lib/railroader/checks/check_select_vulnerability.rb +3 -3
- data/lib/railroader/checks/check_send.rb +1 -1
- data/lib/railroader/checks/check_send_file.rb +1 -1
- data/lib/railroader/checks/check_session_settings.rb +10 -10
- data/lib/railroader/checks/check_single_quotes.rb +8 -8
- data/lib/railroader/checks/check_skip_before_filter.rb +5 -5
- data/lib/railroader/checks/check_sql.rb +41 -41
- data/lib/railroader/checks/check_strip_tags.rb +6 -6
- data/lib/railroader/checks/check_symbol_dos_cve.rb +0 -1
- data/lib/railroader/checks/check_translate_bug.rb +4 -4
- data/lib/railroader/checks/check_unsafe_reflection.rb +1 -1
- data/lib/railroader/checks/check_validation_regex.rb +7 -7
- data/lib/railroader/checks/check_weak_hash.rb +1 -1
- data/lib/railroader/checks/check_without_protection.rb +9 -9
- data/lib/railroader/checks/check_yaml_parsing.rb +5 -5
- data/lib/railroader/checks.rb +18 -18
- data/lib/railroader/commandline.rb +1 -1
- data/lib/railroader/differ.rb +2 -2
- data/lib/railroader/options.rb +7 -7
- data/lib/railroader/parsers/rails2_erubis.rb +1 -1
- data/lib/railroader/parsers/rails2_xss_plugin_erubis.rb +4 -4
- data/lib/railroader/parsers/template_parser.rb +1 -1
- data/lib/railroader/processor.rb +17 -17
- data/lib/railroader/processors/alias_processor.rb +72 -72
- data/lib/railroader/processors/base_processor.rb +31 -31
- data/lib/railroader/processors/controller_alias_processor.rb +31 -31
- data/lib/railroader/processors/controller_processor.rb +29 -29
- data/lib/railroader/processors/erb_template_processor.rb +8 -8
- data/lib/railroader/processors/erubis_template_processor.rb +6 -6
- data/lib/railroader/processors/gem_processor.rb +1 -1
- data/lib/railroader/processors/haml_template_processor.rb +14 -14
- data/lib/railroader/processors/lib/call_conversion_helper.rb +1 -1
- data/lib/railroader/processors/lib/find_all_calls.rb +15 -15
- data/lib/railroader/processors/lib/find_call.rb +26 -26
- data/lib/railroader/processors/lib/find_return_value.rb +11 -11
- data/lib/railroader/processors/lib/module_helper.rb +1 -1
- data/lib/railroader/processors/lib/processor_helper.rb +4 -4
- data/lib/railroader/processors/lib/rails2_config_processor.rb +20 -20
- data/lib/railroader/processors/lib/rails2_route_processor.rb +38 -38
- data/lib/railroader/processors/lib/rails3_config_processor.rb +14 -14
- data/lib/railroader/processors/lib/rails3_route_processor.rb +16 -16
- data/lib/railroader/processors/lib/render_helper.rb +32 -32
- data/lib/railroader/processors/lib/route_helper.rb +12 -12
- data/lib/railroader/processors/library_processor.rb +1 -1
- data/lib/railroader/processors/model_processor.rb +9 -9
- data/lib/railroader/processors/output_processor.rb +3 -3
- data/lib/railroader/processors/slim_template_processor.rb +4 -4
- data/lib/railroader/processors/template_alias_processor.rb +10 -10
- data/lib/railroader/processors/template_processor.rb +7 -7
- data/lib/railroader/report/renderer.rb +1 -1
- data/lib/railroader/report/report_base.rb +12 -12
- data/lib/railroader/report/report_csv.rb +2 -2
- data/lib/railroader/report/report_html.rb +5 -5
- data/lib/railroader/report/report_markdown.rb +2 -2
- data/lib/railroader/report/report_table.rb +3 -3
- data/lib/railroader/report/report_tabs.rb +2 -2
- data/lib/railroader/report/report_text.rb +3 -4
- data/lib/railroader/report.rb +3 -3
- data/lib/railroader/rescanner.rb +36 -36
- data/lib/railroader/scanner.rb +23 -23
- data/lib/railroader/tracker/config.rb +3 -3
- data/lib/railroader/tracker/controller.rb +2 -2
- data/lib/railroader/tracker.rb +42 -42
- data/lib/railroader/util.rb +47 -47
- data/lib/railroader/version.rb +1 -1
- data/lib/railroader/warning.rb +9 -10
- data/lib/railroader.rb +32 -32
- data/lib/ruby_parser/bm_sexp.rb +63 -63
- data/lib/ruby_parser/bm_sexp_processor.rb +3 -3
- metadata +4 -4
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
require 'railroader/checks/base_check'
|
|
2
2
|
|
|
3
|
-
#Check for versions with vulnerable html escape method
|
|
4
|
-
#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195
|
|
3
|
+
# Check for versions with vulnerable html escape method
|
|
4
|
+
# http://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195
|
|
5
5
|
class Railroader::CheckEscapeFunction < Railroader::BaseCheck
|
|
6
6
|
Railroader::Checks.add self
|
|
7
7
|
|
|
8
8
|
@description = "Checks for versions before 2.3.14 which have a vulnerable escape method"
|
|
9
9
|
|
|
10
10
|
def run_check
|
|
11
|
-
if version_between?('2.0.0', '2.3.13') and RUBY_VERSION < '1.9.0'
|
|
11
|
+
if version_between?('2.0.0', '2.3.13') and RUBY_VERSION < '1.9.0'
|
|
12
12
|
|
|
13
13
|
warn :warning_type => 'Cross-Site Scripting',
|
|
14
14
|
:warning_code => :CVE_2011_2932,
|
|
@@ -1,13 +1,13 @@
|
|
|
1
1
|
require 'railroader/checks/base_check'
|
|
2
2
|
|
|
3
|
-
#This check looks for calls to +eval+, +instance_eval+, etc. which include
|
|
4
|
-
#user input.
|
|
3
|
+
# This check looks for calls to +eval+, +instance_eval+, etc. which include
|
|
4
|
+
# user input.
|
|
5
5
|
class Railroader::CheckEvaluation < Railroader::BaseCheck
|
|
6
6
|
Railroader::Checks.add self
|
|
7
7
|
|
|
8
8
|
@description = "Searches for evaluation of user input"
|
|
9
9
|
|
|
10
|
-
#Process calls
|
|
10
|
+
# Process calls
|
|
11
11
|
def run_check
|
|
12
12
|
Railroader.debug "Finding eval-like calls"
|
|
13
13
|
calls = tracker.find_call :method => [:eval, :instance_eval, :class_eval, :module_eval]
|
|
@@ -18,7 +18,7 @@ class Railroader::CheckEvaluation < Railroader::BaseCheck
|
|
|
18
18
|
end
|
|
19
19
|
end
|
|
20
20
|
|
|
21
|
-
#Warns if eval includes user input
|
|
21
|
+
# Warns if eval includes user input
|
|
22
22
|
def process_result result
|
|
23
23
|
return unless original? result
|
|
24
24
|
|
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
require 'railroader/checks/base_check'
|
|
2
2
|
|
|
3
|
-
#Checks for string interpolation and parameters in calls to
|
|
4
|
-
#Kernel#system, Kernel#exec, Kernel#syscall, and inside backticks.
|
|
3
|
+
# Checks for string interpolation and parameters in calls to
|
|
4
|
+
# Kernel#system, Kernel#exec, Kernel#syscall, and inside backticks.
|
|
5
5
|
#
|
|
6
|
-
#Examples of command injection vulnerabilities:
|
|
6
|
+
# Examples of command injection vulnerabilities:
|
|
7
7
|
#
|
|
8
8
|
# system("rf -rf #{params[:file]}")
|
|
9
9
|
# exec(params[:command])
|
|
@@ -22,7 +22,7 @@ class Railroader::CheckExecute < Railroader::BaseCheck
|
|
|
22
22
|
|
|
23
23
|
SHELLWORDS = s(:const, :Shellwords)
|
|
24
24
|
|
|
25
|
-
#Check models, controllers, and views for command injection.
|
|
25
|
+
# Check models, controllers, and views for command injection.
|
|
26
26
|
def run_check
|
|
27
27
|
Railroader.debug "Finding system calls using ``"
|
|
28
28
|
check_for_backticks tracker
|
|
@@ -41,7 +41,7 @@ class Railroader::CheckExecute < Railroader::BaseCheck
|
|
|
41
41
|
end
|
|
42
42
|
end
|
|
43
43
|
|
|
44
|
-
#Processes results from Tracker#find_call.
|
|
44
|
+
# Processes results from Tracker#find_call.
|
|
45
45
|
def process_result result
|
|
46
46
|
call = result[:call]
|
|
47
47
|
args = call.arglist
|
|
@@ -60,7 +60,7 @@ class Railroader::CheckExecute < Railroader::BaseCheck
|
|
|
60
60
|
|
|
61
61
|
if failure and original? result
|
|
62
62
|
|
|
63
|
-
if failure.type == :interp #Not from user input
|
|
63
|
+
if failure.type == :interp # Not from user input
|
|
64
64
|
confidence = :medium
|
|
65
65
|
else
|
|
66
66
|
confidence = :high
|
|
@@ -100,7 +100,7 @@ class Railroader::CheckExecute < Railroader::BaseCheck
|
|
|
100
100
|
end
|
|
101
101
|
end
|
|
102
102
|
|
|
103
|
-
#Looks for calls using backticks such as
|
|
103
|
+
# Looks for calls using backticks such as
|
|
104
104
|
#
|
|
105
105
|
# `rm -rf #{params[:file]}`
|
|
106
106
|
def check_for_backticks tracker
|
|
@@ -109,7 +109,7 @@ class Railroader::CheckExecute < Railroader::BaseCheck
|
|
|
109
109
|
end
|
|
110
110
|
end
|
|
111
111
|
|
|
112
|
-
#Processes backticks.
|
|
112
|
+
# Processes backticks.
|
|
113
113
|
def process_backticks result
|
|
114
114
|
return unless original? result
|
|
115
115
|
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
require 'railroader/checks/base_check'
|
|
2
2
|
require 'railroader/processors/lib/processor_helper'
|
|
3
3
|
|
|
4
|
-
#Checks for user input in methods which open or manipulate files
|
|
4
|
+
# Checks for user input in methods which open or manipulate files
|
|
5
5
|
class Railroader::CheckFileAccess < Railroader::BaseCheck
|
|
6
6
|
Railroader::Checks.add self
|
|
7
7
|
|
|
@@ -39,7 +39,7 @@ class Railroader::CheckFileAccess < Railroader::BaseCheck
|
|
|
39
39
|
elsif tracker.options[:check_arguments] and
|
|
40
40
|
match = include_user_input?(file_name)
|
|
41
41
|
|
|
42
|
-
#Check for string building in file name
|
|
42
|
+
# Check for string building in file name
|
|
43
43
|
if call?(file_name) and (file_name.method == :+ or file_name.method == :<<)
|
|
44
44
|
confidence = :high
|
|
45
45
|
else
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
require 'railroader/checks/base_check'
|
|
2
2
|
|
|
3
|
-
#Check for filter skipping vulnerability
|
|
4
|
-
#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/3420ac71aed312d6
|
|
3
|
+
# Check for filter skipping vulnerability
|
|
4
|
+
# http://groups.google.com/group/rubyonrails-security/browse_thread/thread/3420ac71aed312d6
|
|
5
5
|
class Railroader::CheckFilterSkipping < Railroader::BaseCheck
|
|
6
6
|
Railroader::Checks.add self
|
|
7
7
|
|
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
require 'railroader/checks/base_check'
|
|
2
2
|
|
|
3
|
-
#Checks that +protect_from_forgery+ is set in the ApplicationController.
|
|
3
|
+
# Checks that +protect_from_forgery+ is set in the ApplicationController.
|
|
4
4
|
#
|
|
5
|
-
#Also warns for CSRF weakness in certain versions of Rails:
|
|
6
|
-
#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2d95a3cc23e03665
|
|
5
|
+
# Also warns for CSRF weakness in certain versions of Rails:
|
|
6
|
+
# http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2d95a3cc23e03665
|
|
7
7
|
class Railroader::CheckForgerySetting < Railroader::BaseCheck
|
|
8
8
|
Railroader::Checks.add self
|
|
9
9
|
|
|
@@ -36,12 +36,12 @@ class Railroader::CheckJSONParsing < Railroader::BaseCheck
|
|
|
36
36
|
end
|
|
37
37
|
end
|
|
38
38
|
|
|
39
|
-
#Check if `yajl` is included in Gemfile
|
|
39
|
+
# Check if `yajl` is included in Gemfile
|
|
40
40
|
def uses_yajl?
|
|
41
41
|
tracker.config.has_gem? :yajl
|
|
42
42
|
end
|
|
43
43
|
|
|
44
|
-
#Check for `ActiveSupport::JSON.backend = "JSONGem"`
|
|
44
|
+
# Check for `ActiveSupport::JSON.backend = "JSONGem"`
|
|
45
45
|
def uses_gem_backend?
|
|
46
46
|
matches = tracker.check_initializers(:'ActiveSupport::JSON', :backend=)
|
|
47
47
|
|
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
require 'railroader/checks/check_cross_site_scripting'
|
|
2
2
|
|
|
3
|
-
#Checks for calls to link_to in versions of Ruby where link_to did not
|
|
4
|
-
#escape the first argument.
|
|
3
|
+
# Checks for calls to link_to in versions of Ruby where link_to did not
|
|
4
|
+
# escape the first argument.
|
|
5
5
|
#
|
|
6
|
-
#See https://rails.lighthouseapp.com/projects/8994/tickets/3518-link_to-doesnt-escape-its-input
|
|
6
|
+
# See https://rails.lighthouseapp.com/projects/8994/tickets/3518-link_to-doesnt-escape-its-input
|
|
7
7
|
class Railroader::CheckLinkTo < Railroader::CheckCrossSiteScripting
|
|
8
8
|
Railroader::Checks.add self
|
|
9
9
|
|
|
@@ -21,7 +21,7 @@ class Railroader::CheckLinkTo < Railroader::CheckCrossSiteScripting
|
|
|
21
21
|
:will_paginate].merge tracker.options[:safe_methods]
|
|
22
22
|
|
|
23
23
|
@known_dangerous = []
|
|
24
|
-
#Ideally, I think this should also check to see if people are setting
|
|
24
|
+
# Ideally, I think this should also check to see if people are setting
|
|
25
25
|
#:escape => false
|
|
26
26
|
@models = tracker.models.keys
|
|
27
27
|
@inspect_arguments = tracker.options[:check_arguments]
|
|
@@ -32,8 +32,8 @@ class Railroader::CheckLinkTo < Railroader::CheckCrossSiteScripting
|
|
|
32
32
|
def process_result result
|
|
33
33
|
return if duplicate? result
|
|
34
34
|
|
|
35
|
-
#Have to make a copy of this, otherwise it will be changed to
|
|
36
|
-
#an ignored method call by the code above.
|
|
35
|
+
# Have to make a copy of this, otherwise it will be changed to
|
|
36
|
+
# an ignored method call by the code above.
|
|
37
37
|
call = result[:call] = result[:call].dup
|
|
38
38
|
|
|
39
39
|
first_arg = call.first_arg
|
|
@@ -41,7 +41,7 @@ class Railroader::CheckLinkTo < Railroader::CheckCrossSiteScripting
|
|
|
41
41
|
|
|
42
42
|
@matched = false
|
|
43
43
|
|
|
44
|
-
#Skip if no arguments(?) or first argument is a hash
|
|
44
|
+
# Skip if no arguments(?) or first argument is a hash
|
|
45
45
|
return if first_arg.nil? or hash? first_arg
|
|
46
46
|
|
|
47
47
|
if version_between? "2.0.0", "2.2.99"
|
|
@@ -51,8 +51,8 @@ class Railroader::CheckLinkTo < Railroader::CheckCrossSiteScripting
|
|
|
51
51
|
check_argument result, second_arg
|
|
52
52
|
end
|
|
53
53
|
elsif second_arg
|
|
54
|
-
#Only check first argument if there is a second argument
|
|
55
|
-
#in Rails 2.3.x
|
|
54
|
+
# Only check first argument if there is a second argument
|
|
55
|
+
# in Rails 2.3.x
|
|
56
56
|
check_argument result, first_arg
|
|
57
57
|
end
|
|
58
58
|
end
|
|
@@ -122,9 +122,9 @@ class Railroader::CheckLinkTo < Railroader::CheckCrossSiteScripting
|
|
|
122
122
|
target = exp.target
|
|
123
123
|
target = process target.dup if sexp? target
|
|
124
124
|
|
|
125
|
-
#Bare records create links to the model resource,
|
|
126
|
-
#not a string that could have injection
|
|
127
|
-
#TODO: Needs test? I think this is broken?
|
|
125
|
+
# Bare records create links to the model resource,
|
|
126
|
+
# not a string that could have injection
|
|
127
|
+
# TODO: Needs test? I think this is broken?
|
|
128
128
|
return exp if model_name? target and context == [:call, :arglist]
|
|
129
129
|
|
|
130
130
|
super
|
|
@@ -1,11 +1,11 @@
|
|
|
1
1
|
require 'railroader/checks/check_cross_site_scripting'
|
|
2
2
|
|
|
3
|
-
#Checks for calls to link_to which pass in potentially hazardous data
|
|
4
|
-
#to the second argument. While this argument must be html_safe to not break
|
|
5
|
-
#the html, it must also be url safe as determined by calling a
|
|
3
|
+
# Checks for calls to link_to which pass in potentially hazardous data
|
|
4
|
+
# to the second argument. While this argument must be html_safe to not break
|
|
5
|
+
# the html, it must also be url safe as determined by calling a
|
|
6
6
|
#:url_safe_method. This prevents attacks such as javascript:evil() or
|
|
7
|
-
#data:<encoded XSS> which is html_safe, but not safe as an href
|
|
8
|
-
#Props to Nick Green for the idea.
|
|
7
|
+
# data:<encoded XSS> which is html_safe, but not safe as an href
|
|
8
|
+
# Props to Nick Green for the idea.
|
|
9
9
|
class Railroader::CheckLinkToHref < Railroader::CheckLinkTo
|
|
10
10
|
Railroader::Checks.add self
|
|
11
11
|
|
|
@@ -30,8 +30,8 @@ class Railroader::CheckLinkToHref < Railroader::CheckLinkTo
|
|
|
30
30
|
end
|
|
31
31
|
|
|
32
32
|
def process_result result
|
|
33
|
-
#Have to make a copy of this, otherwise it will be changed to
|
|
34
|
-
#an ignored method call by the code above.
|
|
33
|
+
# Have to make a copy of this, otherwise it will be changed to
|
|
34
|
+
# an ignored method call by the code above.
|
|
35
35
|
call = result[:call] = result[:call].dup
|
|
36
36
|
@matched = false
|
|
37
37
|
url_arg = process call.second_arg
|
|
@@ -98,8 +98,8 @@ class Railroader::CheckLinkToHref < Railroader::CheckLinkTo
|
|
|
98
98
|
ignore_interpolation? url_arg, exp
|
|
99
99
|
end
|
|
100
100
|
|
|
101
|
-
#Ignore situations where the href is an interpolated string
|
|
102
|
-
#with something before the user input
|
|
101
|
+
# Ignore situations where the href is an interpolated string
|
|
102
|
+
# with something before the user input
|
|
103
103
|
def ignore_interpolation? arg, suspect
|
|
104
104
|
return unless string_interp? arg
|
|
105
105
|
return true unless arg[1].chomp.empty? # plain string before interpolation
|
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
require 'railroader/checks/base_check'
|
|
2
2
|
|
|
3
|
-
#Check for cross-site scripting vulnerability in mail_to :encode => :javascript
|
|
4
|
-
#with certain versions of Rails (< 2.3.11 or < 3.0.4).
|
|
3
|
+
# Check for cross-site scripting vulnerability in mail_to :encode => :javascript
|
|
4
|
+
# with certain versions of Rails (< 2.3.11 or < 3.0.4).
|
|
5
5
|
#
|
|
6
|
-
#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/f02a48ede8315f81
|
|
6
|
+
# http://groups.google.com/group/rubyonrails-security/browse_thread/thread/f02a48ede8315f81
|
|
7
7
|
class Railroader::CheckMailTo < Railroader::BaseCheck
|
|
8
8
|
Railroader::Checks.add self
|
|
9
9
|
|
|
@@ -29,7 +29,7 @@ class Railroader::CheckMailTo < Railroader::BaseCheck
|
|
|
29
29
|
end
|
|
30
30
|
end
|
|
31
31
|
|
|
32
|
-
#Check for javascript encoding of mail_to address
|
|
32
|
+
# Check for javascript encoding of mail_to address
|
|
33
33
|
# mail_to email, name, :encode => :javascript
|
|
34
34
|
def mail_to_javascript?
|
|
35
35
|
Railroader.debug "Checking calls to mail_to for javascript encoding"
|
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
require 'railroader/checks/base_check'
|
|
2
2
|
require 'set'
|
|
3
3
|
|
|
4
|
-
#Checks for mass assignments to models.
|
|
4
|
+
# Checks for mass assignments to models.
|
|
5
5
|
#
|
|
6
|
-
#See http://guides.rubyonrails.org/security.html#mass-assignment for details
|
|
6
|
+
# See http://guides.rubyonrails.org/security.html#mass-assignment for details
|
|
7
7
|
class Railroader::CheckMassAssignment < Railroader::BaseCheck
|
|
8
8
|
Railroader::Checks.add self
|
|
9
9
|
|
|
@@ -59,7 +59,7 @@ class Railroader::CheckMassAssignment < Railroader::BaseCheck
|
|
|
59
59
|
end
|
|
60
60
|
end
|
|
61
61
|
|
|
62
|
-
#All results should be Model.new(...) or Model.attributes=() calls
|
|
62
|
+
# All results should be Model.new(...) or Model.attributes=() calls
|
|
63
63
|
def process_result res
|
|
64
64
|
call = res[:call]
|
|
65
65
|
|
|
@@ -106,7 +106,7 @@ class Railroader::CheckMassAssignment < Railroader::BaseCheck
|
|
|
106
106
|
res
|
|
107
107
|
end
|
|
108
108
|
|
|
109
|
-
#Want to ignore calls to Model.new that have no arguments
|
|
109
|
+
# Want to ignore calls to Model.new that have no arguments
|
|
110
110
|
def check_call call
|
|
111
111
|
process_call_args call
|
|
112
112
|
|
|
@@ -116,7 +116,7 @@ class Railroader::CheckMassAssignment < Railroader::BaseCheck
|
|
|
116
116
|
arg = call.first_arg
|
|
117
117
|
end
|
|
118
118
|
|
|
119
|
-
if arg.nil? #empty new()
|
|
119
|
+
if arg.nil? # empty new()
|
|
120
120
|
false
|
|
121
121
|
elsif hash? arg and not include_user_input? arg
|
|
122
122
|
false
|
|
@@ -1,10 +1,10 @@
|
|
|
1
1
|
require 'railroader/checks/base_check'
|
|
2
2
|
|
|
3
|
-
#Check if mass assignment is used with models
|
|
4
|
-
#which inherit from ActiveRecord::Base.
|
|
3
|
+
# Check if mass assignment is used with models
|
|
4
|
+
# which inherit from ActiveRecord::Base.
|
|
5
5
|
#
|
|
6
|
-
#If tracker.options[:collapse_mass_assignment] is +true+ (default), all models
|
|
7
|
-
#which do not use attr_accessible will be reported in a single warning
|
|
6
|
+
# If tracker.options[:collapse_mass_assignment] is +true+ (default), all models
|
|
7
|
+
# which do not use attr_accessible will be reported in a single warning
|
|
8
8
|
class Railroader::CheckModelAttributes < Railroader::BaseCheck
|
|
9
9
|
Railroader::Checks.add self
|
|
10
10
|
|
|
@@ -13,7 +13,7 @@ class Railroader::CheckModelAttributes < Railroader::BaseCheck
|
|
|
13
13
|
def run_check
|
|
14
14
|
return if mass_assign_disabled?
|
|
15
15
|
|
|
16
|
-
#Roll warnings into one warning for all models
|
|
16
|
+
# Roll warnings into one warning for all models
|
|
17
17
|
if tracker.options[:collapse_mass_assignment]
|
|
18
18
|
no_accessible_names = []
|
|
19
19
|
protected_names = []
|
|
@@ -50,7 +50,7 @@ class Railroader::CheckModelAttributes < Railroader::BaseCheck
|
|
|
50
50
|
:confidence => confidence,
|
|
51
51
|
:link => link
|
|
52
52
|
end
|
|
53
|
-
else #Output one warning per model
|
|
53
|
+
else # Output one warning per model
|
|
54
54
|
|
|
55
55
|
check_models do |name, model|
|
|
56
56
|
if model.attr_protected.nil?
|
|
@@ -22,8 +22,8 @@ class Railroader::CheckModelSerialize < Railroader::BaseCheck
|
|
|
22
22
|
end
|
|
23
23
|
end
|
|
24
24
|
|
|
25
|
-
#High confidence warning on serialized, unprotected attributes.
|
|
26
|
-
#Medium confidence warning for serialized, protected attributes.
|
|
25
|
+
# High confidence warning on serialized, unprotected attributes.
|
|
26
|
+
# Medium confidence warning for serialized, protected attributes.
|
|
27
27
|
def check_for_serialize model
|
|
28
28
|
if serialized_attrs = model.options[:serialize]
|
|
29
29
|
attrs = Set.new
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
require 'railroader/checks/base_check'
|
|
2
2
|
|
|
3
|
-
#Check for vulnerability in nested attributes in Rails 2.3.9 and 3.0.0
|
|
4
|
-
#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/f9f913d328dafe0c
|
|
3
|
+
# Check for vulnerability in nested attributes in Rails 2.3.9 and 3.0.0
|
|
4
|
+
# http://groups.google.com/group/rubyonrails-security/browse_thread/thread/f9f913d328dafe0c
|
|
5
5
|
class Railroader::CheckNestedAttributes < Railroader::BaseCheck
|
|
6
6
|
Railroader::Checks.add self
|
|
7
7
|
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
require 'railroader/checks/base_check'
|
|
2
2
|
|
|
3
|
-
#https://groups.google.com/d/msg/rubyonrails-security/cawsWcQ6c8g/tegZtYdbFQAJ
|
|
3
|
+
# https://groups.google.com/d/msg/rubyonrails-security/cawsWcQ6c8g/tegZtYdbFQAJ
|
|
4
4
|
class Railroader::CheckNestedAttributesBypass < Railroader::BaseCheck
|
|
5
5
|
Railroader::Checks.add self
|
|
6
6
|
|
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
require 'railroader/checks/base_check'
|
|
2
2
|
|
|
3
|
-
#Check for uses of quote_table_name in Rails versions before 2.3.13 and 3.0.10
|
|
4
|
-
#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6a1e473744bc389b
|
|
3
|
+
# Check for uses of quote_table_name in Rails versions before 2.3.13 and 3.0.10
|
|
4
|
+
# http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6a1e473744bc389b
|
|
5
5
|
class Railroader::CheckQuoteTableName < Railroader::BaseCheck
|
|
6
6
|
Railroader::Checks.add self
|
|
7
7
|
|
|
8
8
|
@description = "Checks for quote_table_name vulnerability in versions before 2.3.14 and 3.0.10"
|
|
9
9
|
|
|
10
10
|
def run_check
|
|
11
|
-
if (version_between?('2.0.0', '2.3.13') or
|
|
11
|
+
if (version_between?('2.0.0', '2.3.13') or
|
|
12
12
|
version_between?('3.0.0', '3.0.9'))
|
|
13
13
|
|
|
14
14
|
if uses_quote_table_name?
|
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
require 'railroader/checks/base_check'
|
|
2
2
|
|
|
3
|
-
#Reports any calls to +redirect_to+ which include parameters in the arguments.
|
|
3
|
+
# Reports any calls to +redirect_to+ which include parameters in the arguments.
|
|
4
4
|
#
|
|
5
|
-
#For example:
|
|
5
|
+
# For example:
|
|
6
6
|
#
|
|
7
7
|
# redirect_to params.merge(:action => :elsewhere)
|
|
8
8
|
class Railroader::CheckRedirect < Railroader::BaseCheck
|
|
@@ -59,10 +59,10 @@ class Railroader::CheckRedirect < Railroader::BaseCheck
|
|
|
59
59
|
end
|
|
60
60
|
end
|
|
61
61
|
|
|
62
|
-
#Custom check for user input. First looks to see if the user input
|
|
63
|
-
#is being output directly. This is necessary because of tracker.options[:check_arguments]
|
|
64
|
-
#which can be used to enable/disable reporting output of method calls which use
|
|
65
|
-
#user input as arguments.
|
|
62
|
+
# Custom check for user input. First looks to see if the user input
|
|
63
|
+
# is being output directly. This is necessary because of tracker.options[:check_arguments]
|
|
64
|
+
# which can be used to enable/disable reporting output of method calls which use
|
|
65
|
+
# user input as arguments.
|
|
66
66
|
def include_user_input? call, immediate = :immediate
|
|
67
67
|
Railroader.debug "Checking if call includes user input"
|
|
68
68
|
|
|
@@ -89,7 +89,7 @@ class Railroader::CheckRedirect < Railroader::BaseCheck
|
|
|
89
89
|
return Match.new(immediate, arg.target)
|
|
90
90
|
elsif arg.method == :url_for and include_user_input? arg
|
|
91
91
|
return Match.new(immediate, arg)
|
|
92
|
-
#Ignore helpers like some_model_url?
|
|
92
|
+
# Ignore helpers like some_model_url?
|
|
93
93
|
elsif arg.method.to_s =~ /_(url|path)\z/
|
|
94
94
|
return false
|
|
95
95
|
end
|
|
@@ -98,14 +98,14 @@ class Railroader::CheckRedirect < Railroader::BaseCheck
|
|
|
98
98
|
end
|
|
99
99
|
|
|
100
100
|
if tracker.options[:check_arguments] and call? arg
|
|
101
|
-
include_user_input? arg, false #I'm doubting if this is really necessary...
|
|
101
|
+
include_user_input? arg, false # I'm doubting if this is really necessary...
|
|
102
102
|
else
|
|
103
103
|
false
|
|
104
104
|
end
|
|
105
105
|
end
|
|
106
106
|
|
|
107
|
-
#Checks +redirect_to+ arguments for +only_path => true+ which essentially
|
|
108
|
-
#nullifies the danger posed by redirecting with user input
|
|
107
|
+
# Checks +redirect_to+ arguments for +only_path => true+ which essentially
|
|
108
|
+
# nullifies the danger posed by redirecting with user input
|
|
109
109
|
def only_path? call
|
|
110
110
|
arg = call.first_arg
|
|
111
111
|
|
|
@@ -164,7 +164,7 @@ class Railroader::CheckRedirect < Railroader::BaseCheck
|
|
|
164
164
|
end
|
|
165
165
|
|
|
166
166
|
#+url_for+ is only_path => true by default. This checks to see if it is
|
|
167
|
-
#set to false for some reason.
|
|
167
|
+
# set to false for some reason.
|
|
168
168
|
def check_url_for call
|
|
169
169
|
arg = call.first_arg
|
|
170
170
|
|
|
@@ -177,7 +177,7 @@ class Railroader::CheckRedirect < Railroader::BaseCheck
|
|
|
177
177
|
true
|
|
178
178
|
end
|
|
179
179
|
|
|
180
|
-
#Returns true if exp is (probably) a model instance
|
|
180
|
+
# Returns true if exp is (probably) a model instance
|
|
181
181
|
def model_instance? exp
|
|
182
182
|
if node_type? exp, :or
|
|
183
183
|
model_instance? exp.lhs or model_instance? exp.rhs
|
|
@@ -198,14 +198,14 @@ class Railroader::CheckRedirect < Railroader::BaseCheck
|
|
|
198
198
|
model_target? exp.target
|
|
199
199
|
end
|
|
200
200
|
|
|
201
|
-
#Returns true if exp is (probably) a friendly model instance
|
|
202
|
-
#using the FriendlyId gem
|
|
201
|
+
# Returns true if exp is (probably) a friendly model instance
|
|
202
|
+
# using the FriendlyId gem
|
|
203
203
|
def friendly_model? exp
|
|
204
204
|
call? exp and model_name? exp.target and exp.method == :friendly
|
|
205
205
|
end
|
|
206
|
-
|
|
207
|
-
#Returns true if exp is (probably) a decorated model instance
|
|
208
|
-
#using the Draper gem
|
|
206
|
+
|
|
207
|
+
# Returns true if exp is (probably) a decorated model instance
|
|
208
|
+
# using the Draper gem
|
|
209
209
|
def decorated_model? exp
|
|
210
210
|
if node_type? exp, :or
|
|
211
211
|
decorated_model? exp.lhs or decorated_model? exp.rhs
|
|
@@ -218,7 +218,7 @@ class Railroader::CheckRedirect < Railroader::BaseCheck
|
|
|
218
218
|
end
|
|
219
219
|
end
|
|
220
220
|
|
|
221
|
-
#Check if method is actually an association in a Model
|
|
221
|
+
# Check if method is actually an association in a Model
|
|
222
222
|
def association? model_name, meth
|
|
223
223
|
if call? model_name
|
|
224
224
|
return association? model_name.target, meth
|
|
@@ -244,7 +244,7 @@ class Railroader::CheckRedirect < Railroader::BaseCheck
|
|
|
244
244
|
if call? exp and params? exp.target and exp.method == :permit
|
|
245
245
|
exp.each_arg do |opt|
|
|
246
246
|
if symbol? opt and DANGEROUS_KEYS.include? opt.value
|
|
247
|
-
return false
|
|
247
|
+
return false
|
|
248
248
|
end
|
|
249
249
|
end
|
|
250
250
|
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
require 'railroader/checks/base_check'
|
|
2
2
|
|
|
3
|
-
#This check looks for regexes that include user input.
|
|
3
|
+
# This check looks for regexes that include user input.
|
|
4
4
|
class Railroader::CheckRegexDoS < Railroader::BaseCheck
|
|
5
5
|
Railroader::Checks.add self
|
|
6
6
|
|
|
@@ -13,7 +13,7 @@ class Railroader::CheckRegexDoS < Railroader::BaseCheck
|
|
|
13
13
|
|
|
14
14
|
@description = "Searches regexes including user input"
|
|
15
15
|
|
|
16
|
-
#Process calls
|
|
16
|
+
# Process calls
|
|
17
17
|
def run_check
|
|
18
18
|
Railroader.debug "Finding dynamic regexes"
|
|
19
19
|
calls = tracker.find_call :method => [:railroader_regex_interp]
|
|
@@ -24,7 +24,7 @@ class Railroader::CheckRegexDoS < Railroader::BaseCheck
|
|
|
24
24
|
end
|
|
25
25
|
end
|
|
26
26
|
|
|
27
|
-
#Warns if regex includes user input
|
|
27
|
+
# Warns if regex includes user input
|
|
28
28
|
def process_result result
|
|
29
29
|
return unless original? result
|
|
30
30
|
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
require 'railroader/checks/base_check'
|
|
2
2
|
|
|
3
|
-
#Check calls to +render()+ for dangerous values
|
|
3
|
+
# Check calls to +render()+ for dangerous values
|
|
4
4
|
class Railroader::CheckRender < Railroader::BaseCheck
|
|
5
5
|
Railroader::Checks.add self
|
|
6
6
|
|
|
@@ -28,7 +28,7 @@ class Railroader::CheckRender < Railroader::BaseCheck
|
|
|
28
28
|
end
|
|
29
29
|
end
|
|
30
30
|
|
|
31
|
-
#Check if path to action or file is determined dynamically
|
|
31
|
+
# Check if path to action or file is determined dynamically
|
|
32
32
|
def check_for_dynamic_path result
|
|
33
33
|
view = result[:call][2]
|
|
34
34
|
|
|
@@ -46,7 +46,7 @@ class Railroader::CheckRender < Railroader::BaseCheck
|
|
|
46
46
|
return
|
|
47
47
|
end
|
|
48
48
|
|
|
49
|
-
return if input.type == :model #skip models
|
|
49
|
+
return if input.type == :model # skip models
|
|
50
50
|
return if safe_param? input.match
|
|
51
51
|
|
|
52
52
|
message = "Render path contains #{friendly_type_of input}"
|
|
@@ -94,4 +94,4 @@ class Railroader::CheckRender < Railroader::BaseCheck
|
|
|
94
94
|
end
|
|
95
95
|
end
|
|
96
96
|
end
|
|
97
|
-
end
|
|
97
|
+
end
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
require 'railroader/checks/base_check'
|
|
2
2
|
|
|
3
|
-
#Warn about response splitting in Rails versions before 2.3.13
|
|
4
|
-
#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6ffc93bde0298768
|
|
3
|
+
# Warn about response splitting in Rails versions before 2.3.13
|
|
4
|
+
# http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6ffc93bde0298768
|
|
5
5
|
class Railroader::CheckResponseSplitting < Railroader::BaseCheck
|
|
6
6
|
Railroader::Checks.add self
|
|
7
7
|
|
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
require 'railroader/checks/base_check'
|
|
2
2
|
|
|
3
|
-
#Check for unsafe manipulation of strings
|
|
4
|
-
#Right now this is just a version check for
|
|
5
|
-
#https://groups.google.com/group/rubyonrails-security/browse_thread/thread/edd28f1e3d04e913?pli=1
|
|
3
|
+
# Check for unsafe manipulation of strings
|
|
4
|
+
# Right now this is just a version check for
|
|
5
|
+
# https://groups.google.com/group/rubyonrails-security/browse_thread/thread/edd28f1e3d04e913?pli=1
|
|
6
6
|
class Railroader::CheckSafeBufferManipulation < Railroader::BaseCheck
|
|
7
7
|
Railroader::Checks.add self
|
|
8
8
|
|
|
@@ -23,7 +23,7 @@ class Railroader::CheckSafeBufferManipulation < Railroader::BaseCheck
|
|
|
23
23
|
message = "Rails #{rails_version} has a vulnerabilty in SafeBuffer. Upgrade to #{suggested_version} or apply patches."
|
|
24
24
|
|
|
25
25
|
warn :warning_type => "Cross-Site Scripting",
|
|
26
|
-
:warning_code => :safe_buffer_vuln,
|
|
26
|
+
:warning_code => :safe_buffer_vuln,
|
|
27
27
|
:message => message,
|
|
28
28
|
:confidence => :medium,
|
|
29
29
|
:gem_info => gemfile_or_environment
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
require 'railroader/checks/base_check'
|
|
2
2
|
|
|
3
|
-
#sanitize and sanitize_css are vulnerable:
|
|
4
|
-
#CVE-2013-1855 and CVE-2013-1857
|
|
3
|
+
# sanitize and sanitize_css are vulnerable:
|
|
4
|
+
# CVE-2013-1855 and CVE-2013-1857
|
|
5
5
|
class Railroader::CheckSanitizeMethods < Railroader::BaseCheck
|
|
6
6
|
Railroader::Checks.add self
|
|
7
7
|
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
require 'railroader/checks/base_check'
|
|
2
2
|
|
|
3
|
-
#Checks for CVE-2012-3463, unescaped input in :prompt option of select_tag:
|
|
4
|
-
#https://groups.google.com/d/topic/rubyonrails-security/fV3QUToSMSw/discussion
|
|
3
|
+
# Checks for CVE-2012-3463, unescaped input in :prompt option of select_tag:
|
|
4
|
+
# https://groups.google.com/d/topic/rubyonrails-security/fV3QUToSMSw/discussion
|
|
5
5
|
class Railroader::CheckSelectTag < Railroader::BaseCheck
|
|
6
6
|
Railroader::Checks.add self
|
|
7
7
|
|
|
@@ -32,11 +32,11 @@ class Railroader::CheckSelectTag < Railroader::BaseCheck
|
|
|
32
32
|
end
|
|
33
33
|
end
|
|
34
34
|
|
|
35
|
-
#Check if select_tag is called with user input in :prompt option
|
|
35
|
+
# Check if select_tag is called with user input in :prompt option
|
|
36
36
|
def process_result result
|
|
37
37
|
return unless original? result
|
|
38
38
|
|
|
39
|
-
#Only concerned if user input is supplied for :prompt option
|
|
39
|
+
# Only concerned if user input is supplied for :prompt option
|
|
40
40
|
last_arg = result[:call].last_arg
|
|
41
41
|
|
|
42
42
|
if hash? last_arg
|