railroader 4.3.5 → 4.3.7

data/lib/railroader/checks/check_select_vulnerability.rb

@@ -1,7 +1,7 @@
 require 'railroader/checks/base_check'
 
-#Checks for select() helper vulnerability in some versions of Rails 3
-#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/9da0c515a6c4664
+# Checks for select() helper vulnerability in some versions of Rails 3
+# http://groups.google.com/group/rubyonrails-security/browse_thread/thread/9da0c515a6c4664
 class Railroader::CheckSelectVulnerability < Railroader::BaseCheck
   Railroader::Checks.add self
 
@@ -39,7 +39,7 @@ class Railroader::CheckSelectVulnerability < Railroader::BaseCheck
 
     third_arg = result[:call].third_arg
 
-    #Check for user input in options parameter
+    # Check for user input in options parameter
     if sexp? third_arg and include_user_input? third_arg
       add_result result
 

data/lib/railroader/checks/check_send.rb

@@ -1,6 +1,6 @@
 require 'railroader/checks/base_check'
 
-#Checks if user supplied data is passed to send
+# Checks if user supplied data is passed to send
 class Railroader::CheckSend < Railroader::BaseCheck
   Railroader::Checks.add self
 

data/lib/railroader/checks/check_send_file.rb

@@ -1,7 +1,7 @@
 require 'railroader/checks/check_file_access'
 require 'railroader/processors/lib/processor_helper'
 
-#Checks for user input in send_file()
+# Checks for user input in send_file()
 class Railroader::CheckSendFile < Railroader::CheckFileAccess
   Railroader::Checks.add self
 

data/lib/railroader/checks/check_session_settings.rb

@@ -1,6 +1,6 @@
 require 'railroader/checks/base_check'
 
-#Checks for session key length and http_only settings
+# Checks for session key length and http_only settings
 class Railroader::CheckSessionSettings < Railroader::BaseCheck
   Railroader::Checks.add self
 
@@ -17,7 +17,7 @@ class Railroader::CheckSessionSettings < Railroader::BaseCheck
   end
 
   def run_check
-    settings = tracker.config.session_settings 
+    settings = tracker.config.session_settings
 
     check_for_issues settings, @app_tree.expand_path("config/environment.rb")
 
@@ -32,14 +32,14 @@ class Railroader::CheckSessionSettings < Railroader::BaseCheck
     end
   end
 
-  #Looks for ActionController::Base.session = { ... }
-  #in Rails 2.x apps
+  # Looks for ActionController::Base.session = { ... }
+  # in Rails 2.x apps
   #
-  #and App::Application.config.secret_token =
-  #in Rails 3.x apps
+  # and App::Application.config.secret_token =
+  # in Rails 3.x apps
   #
-  #and App::Application.config.secret_key_base =
-  #in Rails 4.x apps
+  # and App::Application.config.secret_key_base =
+  # in Rails 4.x apps
   def process_attrasgn exp
     if not tracker.options[:rails3] and exp.target == @session_settings and exp.method == :session=
       check_for_issues exp.first_arg, @app_tree.expand_path("config/initializers/session_store.rb")
@@ -54,8 +54,8 @@ class Railroader::CheckSessionSettings < Railroader::BaseCheck
     exp
   end
 
-  #Looks for Rails3::Application.config.session_store :cookie_store, { ... }
-  #in Rails 3.x apps
+  # Looks for Rails3::Application.config.session_store :cookie_store, { ... }
+  # in Rails 3.x apps
   def process_call exp
     if tracker.options[:rails3] and settings_target?(exp.target) and exp.method == :session_store
       check_for_rails3_issues exp.second_arg, @app_tree.expand_path("config/initializers/session_store.rb")

data/lib/railroader/checks/check_single_quotes.rb

@@ -1,7 +1,7 @@
 require 'railroader/checks/base_check'
 
-#Checks for versions which do not escape single quotes.
-#https://groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion
+# Checks for versions which do not escape single quotes.
+# https://groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion
 class Railroader::CheckSingleQuotes < Railroader::BaseCheck
   Railroader::Checks.add self
   RACK_UTILS = Sexp.new(:colon2, Sexp.new(:const, :Rack), :Utils)
@@ -37,8 +37,8 @@ class Railroader::CheckSingleQuotes < Railroader::BaseCheck
       :link_path => "https://groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion"
   end
 
-  #Process initializers to see if they use workaround
-  #by replacing Erb::Util.html_escape
+  # Process initializers to see if they use workaround
+  # by replacing Erb::Util.html_escape
   def uses_rack_escape?
     @tracker.initializers.each do |_name, src|
       process src
@@ -47,7 +47,7 @@ class Railroader::CheckSingleQuotes < Railroader::BaseCheck
     @uses_rack_escape
   end
 
-  #Look for
+  # Look for
   #
   #    class ERB
   def process_class exp
@@ -60,7 +60,7 @@ class Railroader::CheckSingleQuotes < Railroader::BaseCheck
     exp
   end
 
-  #Look for
+  # Look for
   #
   #    module Util
   def process_module exp
@@ -73,7 +73,7 @@ class Railroader::CheckSingleQuotes < Railroader::BaseCheck
     exp
   end
 
-  #Look for
+  # Look for
   #
   #    def html_escape
   def process_defn exp
@@ -86,7 +86,7 @@ class Railroader::CheckSingleQuotes < Railroader::BaseCheck
     exp
   end
 
-  #Look for
+  # Look for
   #
   #    Rack::Utils.escape_html
   def process_call exp

data/lib/railroader/checks/check_skip_before_filter.rb

@@ -1,12 +1,12 @@
 require 'railroader/checks/base_check'
 
-#At the moment, this looks for
+# At the moment, this looks for
 #
 #  skip_before_filter :verify_authenticity_token, :except => [...]
 #
-#which is essentially a blacklist approach (no actions are checked EXCEPT the
-#ones listed) versus a whitelist approach (ONLY the actions listed will skip
-#the check)
+# which is essentially a blacklist approach (no actions are checked EXCEPT the
+# ones listed) versus a whitelist approach (ONLY the actions listed will skip
+# the check)
 class Railroader::CheckSkipBeforeFilter < Railroader::BaseCheck
   Railroader::Checks.add self
 
@@ -23,7 +23,7 @@ class Railroader::CheckSkipBeforeFilter < Railroader::BaseCheck
   def process_skip_filter filter, controller
     case skip_except_value filter
     when :verify_authenticity_token
-      warn :class => controller.name, #ugh this should be a controller warning, too
+      warn :class => controller.name, # ugh this should be a controller warning, too
         :warning_type => "Cross-Site Request Forgery",
         :warning_code => :csrf_blacklist,
         :message => "Use whitelist (:only => [..]) when skipping CSRF check",

data/lib/railroader/checks/check_sql.rb

@@ -1,8 +1,8 @@
 require 'railroader/checks/base_check'
 
-#This check tests for find calls which do not use Rails' auto SQL escaping
+# This check tests for find calls which do not use Rails' auto SQL escaping
 #
-#For example:
+# For example:
 # Project.find(:all, :conditions => "name = '" + params[:name] + "'")
 #
 # Project.find(:all, :conditions => "name = '#{params[:name]}'")
@@ -62,8 +62,8 @@ class Railroader::CheckSQL < Railroader::BaseCheck
     calls.each { |call| process_result call }
   end
 
-  #Find calls to named_scope() or scope() in models
-  #RP 3 TODO
+  # Find calls to named_scope() or scope() in models
+  # RP 3 TODO
   def find_scope_calls
     scope_calls = []
 
@@ -130,7 +130,7 @@ class Railroader::CheckSQL < Railroader::BaseCheck
     end
   end
 
-  #Process possible SQL injection sites:
+  # Process possible SQL injection sites:
   #
   # Model#find
   #
@@ -253,7 +253,7 @@ class Railroader::CheckSQL < Railroader::BaseCheck
   end
 
 
-  #The 'find' methods accept a number of different types of parameters:
+  # The 'find' methods accept a number of different types of parameters:
   #
   # * The first argument might be :all, :first, or :last
   # * The first argument might be an integer ID or an array of IDs
@@ -263,7 +263,7 @@ class Railroader::CheckSQL < Railroader::BaseCheck
   # * The second argument might contain properly parameterized SQL fragments in arrays
   # * The second argument might contain improperly parameterized SQL fragments in arrays
   #
-  #This method should only be passed the second argument.
+  # This method should only be passed the second argument.
   def check_find_arguments arg
     return nil if not sexp? arg or node_type? arg, :lit, :string, :str, :true, :false, :nil
 
@@ -271,7 +271,7 @@ class Railroader::CheckSQL < Railroader::BaseCheck
   end
 
   def check_scope_arguments call
-    scope_arg = call.second_arg #first arg is name of scope
+    scope_arg = call.second_arg # first arg is name of scope
 
     node_type?(scope_arg, :iter) ? unsafe_sql?(scope_arg.block) : unsafe_sql?(scope_arg)
   end
@@ -295,19 +295,19 @@ class Railroader::CheckSQL < Railroader::BaseCheck
         arg
       end
     elsif hash? arg
-      #This is generally going to be a hash of column names and values, which
-      #would escape the values. But the keys _could_ be user input.
+      # This is generally going to be a hash of column names and values, which
+      # would escape the values. But the keys _could_ be user input.
       check_hash_keys arg
     elsif node_type? arg, :lit, :str
       nil
     else
-      #Hashes are safe...but we check above for hash, so...?
+      # Hashes are safe...but we check above for hash, so...?
       unsafe_sql? arg, :ignore_hash
     end
   end
 
-  #Checks each argument to order/reorder/group for possible SQL.
-  #Anything used with these methods is passed in verbatim.
+  # Checks each argument to order/reorder/group for possible SQL.
+  # Anything used with these methods is passed in verbatim.
   def check_order_arguments args
     return unless sexp? args
 
@@ -318,18 +318,18 @@ class Railroader::CheckSQL < Railroader::BaseCheck
     end
   end
 
-  #find_by_sql and count_by_sql can take either a straight SQL string
-  #or an array with values to bind.
+  # find_by_sql and count_by_sql can take either a straight SQL string
+  # or an array with values to bind.
   def check_by_sql_arguments arg
     return unless sexp? arg
 
-    #This is kind of unnecessary, because unsafe_sql? will handle an array
-    #correctly, but might be better to be explicit.
+    # This is kind of unnecessary, because unsafe_sql? will handle an array
+    # correctly, but might be better to be explicit.
     array?(arg) ? unsafe_sql?(arg[1]) : unsafe_sql?(arg)
   end
 
-  #joins can take a string, hash of associations, or an array of both(?)
-  #We only care about the possible string values.
+  # joins can take a string, hash of associations, or an array of both(?)
+  # We only care about the possible string values.
   def check_joins_arguments arg
     return unless sexp? arg and not node_type? arg, :hash, :string, :str
 
@@ -354,9 +354,9 @@ class Railroader::CheckSQL < Railroader::BaseCheck
     nil
   end
 
-  #Model#lock essentially only cares about strings. But those strings can be
-  #any SQL fragment. This does not apply to all databases. (For those who do not
-  #support it, the lock method does nothing).
+  # Model#lock essentially only cares about strings. But those strings can be
+  # any SQL fragment. This does not apply to all databases. (For those who do not
+  # support it, the lock method does nothing).
   def check_lock_arguments arg
     return unless sexp? arg and not node_type? arg, :hash, :array, :string, :str
 
@@ -364,9 +364,9 @@ class Railroader::CheckSQL < Railroader::BaseCheck
   end
 
 
-  #Check hash keys for user input.
-  #(Seems unlikely, but if a user can control the column names queried, that
-  #could be bad)
+  # Check hash keys for user input.
+  # (Seems unlikely, but if a user can control the column names queried, that
+  # could be bad)
   def check_hash_keys exp
     hash_iterate(exp) do |key, _value|
       unless symbol?(key)
@@ -378,10 +378,10 @@ class Railroader::CheckSQL < Railroader::BaseCheck
     false
   end
 
-  #Check an interpolated string for dangerous values.
+  # Check an interpolated string for dangerous values.
   #
-  #This method assumes values interpolated into strings are unsafe by default,
-  #unless safe_value? explicitly returns true.
+  # This method assumes values interpolated into strings are unsafe by default,
+  # unless safe_value? explicitly returns true.
   def check_string_interp arg
     arg.each do |exp|
       if dangerous = unsafe_string_interp?(exp)
@@ -392,7 +392,7 @@ class Railroader::CheckSQL < Railroader::BaseCheck
     nil
   end
 
-  #Returns value if interpolated value is not something safe
+  # Returns value if interpolated value is not something safe
   def unsafe_string_interp? exp
     if node_type? exp, :evstr
       value = exp.value
@@ -426,10 +426,10 @@ class Railroader::CheckSQL < Railroader::BaseCheck
     end
   end
 
-  #Checks the given expression for unsafe SQL values. If an unsafe value is
-  #found, returns that value (may be the given _exp_ or a subexpression).
+  # Checks the given expression for unsafe SQL values. If an unsafe value is
+  # found, returns that value (may be the given _exp_ or a subexpression).
   #
-  #Otherwise, returns false/nil.
+  # Otherwise, returns false/nil.
   def unsafe_sql? exp, ignore_hash = false
     return unless sexp?(exp)
 
@@ -437,17 +437,17 @@ class Railroader::CheckSQL < Railroader::BaseCheck
     safe_value?(dangerous_value) ? false : dangerous_value
   end
 
-  #Check _exp_ for dangerous values. Used by unsafe_sql?
+  # Check _exp_ for dangerous values. Used by unsafe_sql?
   def find_dangerous_value exp, ignore_hash
     case exp.node_type
     when :lit, :str, :const, :colon2, :true, :false, :nil
       nil
     when :array
-      #Assume this is an array like
+      # Assume this is an array like
       #
       #  ["blah = ? AND thing = ?", ...]
       #
-      #and check first value
+      # and check first value
       unsafe_sql? exp[1]
     when :dstr
       check_string_interp exp
@@ -482,7 +482,7 @@ class Railroader::CheckSQL < Railroader::BaseCheck
     end
   end
 
-  #Checks hash values associated with these keys:
+  # Checks hash values associated with these keys:
   #
   # * conditions
   # * order
@@ -627,7 +627,7 @@ class Railroader::CheckSQL < Railroader::BaseCheck
     call? exp and (AREL_METHODS.include? exp.method or arel? exp.target)
   end
 
-  #Check call for string building
+  # Check call for string building
   def check_call exp
     return unless call? exp
     unsafe = check_for_string_building exp
@@ -649,10 +649,10 @@ class Railroader::CheckSQL < Railroader::BaseCheck
     end
   end
 
-  #Prior to Rails 2.1.1, the :offset and :limit parameters were not
-  #escaping input properly.
+  # Prior to Rails 2.1.1, the :offset and :limit parameters were not
+  # escaping input properly.
   #
-  #http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/
+  # http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/
   def check_for_limit_or_offset_vulnerability options
     return false if rails_version.nil? or rails_version >= "2.1.1" or not hash?(options)
 
@@ -661,7 +661,7 @@ class Railroader::CheckSQL < Railroader::BaseCheck
     false
   end
 
-  #Look for something like this:
+  # Look for something like this:
   #
   # params[:x].constantize.find('something')
   #

data/lib/railroader/checks/check_strip_tags.rb

@@ -1,13 +1,13 @@
 require 'railroader/checks/base_check'
 
-#Check for uses of strip_tags in Rails versions before 3.0.17, 3.1.8, 3.2.8 (including 2.3.x):
-#https://groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion
+# Check for uses of strip_tags in Rails versions before 3.0.17, 3.1.8, 3.2.8 (including 2.3.x):
+# https://groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion
 #
-#Check for uses of strip_tags in Rails versions before 2.3.13 and 3.0.10:
-#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12
+# Check for uses of strip_tags in Rails versions before 2.3.13 and 3.0.10:
+# http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12
 #
-#Check for user of strip_tags with rails-html-sanitizer 1.0.2:
-#https://groups.google.com/d/msg/rubyonrails-security/OU9ugTZcbjc/PjEP46pbFQAJ
+# Check for user of strip_tags with rails-html-sanitizer 1.0.2:
+# https://groups.google.com/d/msg/rubyonrails-security/OU9ugTZcbjc/PjEP46pbFQAJ
 class Railroader::CheckStripTags < Railroader::BaseCheck
   Railroader::Checks.add self
 

data/lib/railroader/checks/check_symbol_dos_cve.rb

@@ -27,4 +27,3 @@ class Railroader::CheckSymbolDoSCVE < Railroader::BaseCheck
     end
   end
 end
-

data/lib/railroader/checks/check_translate_bug.rb

@@ -1,6 +1,6 @@
 require 'railroader/checks/base_check'
 
-#Check for vulnerability in translate() helper that allows cross-site scripting
+# Check for vulnerability in translate() helper that allows cross-site scripting
 class Railroader::CheckTranslateBug < Railroader::BaseCheck
   Railroader::Checks.add self
 
@@ -14,7 +14,7 @@ class Railroader::CheckTranslateBug < Railroader::BaseCheck
 
       confidence = if uses_translate?
         :high
-      else
+                   else
         :medium
       end
 
@@ -22,9 +22,9 @@ class Railroader::CheckTranslateBug < Railroader::BaseCheck
 
       message = if rails_version =~ /^3\.1/
         "Versions before 3.1.2 #{description}."
-      elsif rails_version =~ /^3\.0/
+                elsif rails_version =~ /^3\.0/
         "Versions before 3.0.11 #{description}."
-      else
+                else
         "Rails 2.3.x using the rails_xss plugin #{description}."
       end
 

data/lib/railroader/checks/check_unsafe_reflection.rb

@@ -20,7 +20,7 @@ class Railroader::CheckUnsafeReflection < Railroader::BaseCheck
   def check_unsafe_reflection result
     return unless original? result
 
-    call = result[:call] 
+    call = result[:call]
     method = call.method
 
     case method

data/lib/railroader/checks/check_validation_regex.rb

@@ -1,9 +1,9 @@
 require 'railroader/checks/base_check'
 
-#Reports any calls to +validates_format_of+ which do not use +\A+ and +\z+
-#as anchors in the given regular expression.
+# Reports any calls to +validates_format_of+ which do not use +\A+ and +\z+
+# as anchors in the given regular expression.
 #
-#For example:
+# For example:
 #
 # #Allows anything after new line
 # validates_format_of :user_name, :with => /^\w+$/
@@ -36,14 +36,14 @@ class Railroader::CheckValidationRegex < Railroader::BaseCheck
     end
   end
 
-  #Check validates_format_of
+  # Check validates_format_of
   def process_validates_format_of validator
     if value = hash_access(validator.last, WITH)
       check_regex value, validator
     end
   end
 
-  #Check validates ..., :format => ...
+  # Check validates ..., :format => ...
   def process_validates validator
     hash_arg = validator.last
     return unless hash? hash_arg
@@ -79,7 +79,7 @@ class Railroader::CheckValidationRegex < Railroader::BaseCheck
     \z
   }mx
 
-  #Issue warning if the regular expression does not use
+  # Issue warning if the regular expression does not use
   #+\A+ and +\z+
   def check_regex value, validator
     return unless regexp? value
@@ -95,7 +95,7 @@ class Railroader::CheckValidationRegex < Railroader::BaseCheck
     end
   end
 
-  #Get the name of the attribute being validated.
+  # Get the name of the attribute being validated.
   def get_name validator
     name = validator[1]
 

data/lib/railroader/checks/check_weak_hash.rb

@@ -45,7 +45,7 @@ class Railroader::CheckWeakHash < Railroader::BaseCheck
            " (MD5)"
            when :SHA1
             " (SHA1)"
-          else
+           else
             ""
           end
 

data/lib/railroader/checks/check_without_protection.rb

@@ -1,9 +1,9 @@
 require 'railroader/checks/base_check'
 
-#Check for bypassing mass assignment protection
-#with without_protection => true
+# Check for bypassing mass assignment protection
+# with without_protection => true
 #
-#Only for Rails 3.1
+# Only for Rails 3.1
 class Railroader::CheckWithoutProtection < Railroader::BaseCheck
   Railroader::Checks.add self
 
@@ -18,8 +18,8 @@ class Railroader::CheckWithoutProtection < Railroader::BaseCheck
 
     Railroader.debug "Finding all mass assignments"
     calls = tracker.find_call :targets => active_record_models.keys, :methods => [:new,
-      :attributes=, 
-      :update_attributes, 
+      :attributes=,
+      :update_attributes,
       :update_attributes!,
       :create,
       :create!]
@@ -30,7 +30,7 @@ class Railroader::CheckWithoutProtection < Railroader::BaseCheck
     end
   end
 
-  #All results should be Model.new(...) or Model.attributes=() calls
+  # All results should be Model.new(...) or Model.attributes=() calls
   def process_result res
     call = res[:call]
     last_arg = call.last_arg
@@ -49,11 +49,11 @@ class Railroader::CheckWithoutProtection < Railroader::BaseCheck
             confidence = :medium
           end
 
-          warn :result => res, 
-            :warning_type => "Mass Assignment", 
+          warn :result => res,
+            :warning_type => "Mass Assignment",
             :warning_code => :mass_assign_without_protection,
             :message => "Unprotected mass assignment",
-            :code => call, 
+            :code => call,
             :user_input => input,
             :confidence => confidence
 

data/lib/railroader/checks/check_yaml_parsing.rb

@@ -32,7 +32,7 @@ class Railroader::CheckYAMLParsing < Railroader::BaseCheck
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/discussion"
     end
 
-    #Warn if app accepts YAML
+    # Warn if app accepts YAML
     if version_between?("0.0.0", "2.3.14") and enabled_yaml_parser?
       message = "Parsing YAML request parameters enables remote code execution: disable YAML parser"
 
@@ -47,14 +47,14 @@ class Railroader::CheckYAMLParsing < Railroader::BaseCheck
 
   def disabled_xml_parser?
     if version_between? "0.0.0", "2.3.14"
-      #Look for ActionController::Base.param_parsers.delete(Mime::XML)
+      # Look for ActionController::Base.param_parsers.delete(Mime::XML)
       params_parser = s(:call,
                         s(:colon2, s(:const, :ActionController), :Base),
                         :param_parsers)
 
       matches = tracker.check_initializers(params_parser, :delete)
     else
-      #Look for ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML)
+      # Look for ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML)
       matches = tracker.check_initializers(:"ActionDispatch::ParamsParser::DEFAULT_PARSERS", :delete)
     end
 
@@ -71,8 +71,8 @@ class Railroader::CheckYAMLParsing < Railroader::BaseCheck
     false
   end
 
-  #Look for ActionController::Base.param_parsers[Mime::YAML] = :yaml
-  #in Rails 2.x apps
+  # Look for ActionController::Base.param_parsers[Mime::YAML] = :yaml
+  # in Rails 2.x apps
   def enabled_yaml_parser?
     param_parsers = s(:call,
                       s(:colon2, s(:const, :ActionController), :Base),