tainted_love 0.1.3

data/lib/tainted_love.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+Dir[File.dirname(__FILE__) + '/tainted_love/**/*.rb'].each { |f| require f }
+
+module TaintedLove
+  class << self
+    include TaintedLove::Utils
+
+    attr_reader :configuration
+
+    # Enables TaintedLove. Use a block to configure the TaintedLove::Configuration
+    #
+    # @yield [TaintedLove::Configuration]
+    # @returns [TaintedLove::Configuration]
+    def enable!
+      configuration = TaintedLove::Configuration.new
+
+      configuration.logger.info('TaintedLove is enabled')
+      configuration.replacers = TaintedLove::Replacer::Base.replacers
+      configuration.validators = TaintedLove::Validator::Base.validators
+      configuration.reporter = TaintedLove::Reporter::StdoutReporter.new
+
+      # Allows customization of which replacers/validators should be used
+      yield configuration if block_given?
+
+      @configuration = configuration
+
+      configuration.replacers.each do |replacer|
+        replacer = replacer.new
+        replacer.replace! if replacer.should_replace?
+      end
+
+      configuration
+    end
+
+    # Report tainted input
+    #
+    # @param replacer [Symbol] Replacer reporting the issue
+    # @param tainted_input [Object] Tainted object
+    # @param tags [Array<Symbol>] Tags to classify the warning
+    # @param message [String] Message about the warning
+    def report(replacer, tainted_input, tags = [], message = nil)
+      warning = TaintedLove::Warning.new
+      warning.tainted_input = tainted_input
+      warning.stack_trace = TaintedLove::StackTrace.new(Thread.current.backtrace(3))
+      warning.replacer = replacer
+      warning.tags = tags
+      warning.message = message
+
+      should_remove = @configuration.validators.any? do |validator|
+        validator.new.remove?(warning)
+      end
+
+      @configuration.reporter.add_warning(warning) unless should_remove
+    end
+  end
+end

data/lib/tainted_love/configuration.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'logger'
+
+module TaintedLove
+  class Configuration
+    attr_accessor :reporter, :logger, :validators, :replacers
+
+    def initialize
+      @reporter = TaintedLove::Reporter::StdoutReporter.new
+      @logger = Logger.new(STDERR)
+      @validators = []
+      @replacers = []
+    end
+  end
+end

data/lib/tainted_love/replacer/base.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module TaintedLove
+  # Replacer will replace methods to report tainted input and taint values from user input coming
+  # from librairies.
+  module Replacer
+    class Base
+      # Determines if the replacer can run in the current context. This would usually check Ruby
+      # version or gem versions to see which classes and methods to replace.
+      def should_replace?
+        true
+      end
+
+      # List of defined replacers
+      #
+      # @return [Array<Class>]
+      def self.replacers
+        TaintedLove::Replacer.constants.map do |const|
+          cls = TaintedLove::Replacer.const_get(const)
+          cls if cls.method_defined?(:replace!)
+        end.compact
+      end
+    end
+  end
+end

data/lib/tainted_love/replacer/replace_action_controller.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+module TaintedLove
+  module Replacer
+    class ReplaceActionController < Base
+      def should_replace?
+        Object.const_defined?('ActionController')
+      end
+
+      def replace!
+        TaintedLove.proxy_method('ActionController::Instrumentation', :send_file) do |_, *args|
+          TaintedLove.report(
+            :ReplaceActionController,
+            args.first,
+            [:lfi],
+            'Sendfile using tainted file name'
+          ) if args.first.tainted?
+        end
+
+        TaintedLove.proxy_method('ActionController::Instrumentation', :render) do |_, *args|
+          unless args.empty?
+            f = args.first
+
+            if f.is_a?(Hash)
+              if f.key?(:inline) && f[:inline].tainted?
+                TaintedLove.report(
+                  :ReplaceActionController,
+                  f[:inline],
+                  [:rce],
+                  'render(inline:) using tainted string'
+                )
+              end
+
+              if f.key?(:file) && f[:file].tainted?
+                TaintedLove.report(
+                  :ReplaceActionController,
+                  f[:file],
+                  [:lfi],
+                  'render(file:) using tainted file name'
+                )
+              end
+            end
+
+            if f.is_a?(String) && f.tainted?
+              TaintedLove.report(
+                :ReplaceActionController,
+                f,
+                [:lfi],
+                'render using tainted template name'
+              )
+            end
+          end
+        end
+
+        TaintedLove.proxy_method('ActionController::Base', :redirect_to) do |_, *args|
+          TaintedLove.report(:ReplaceActionController, args.first, [:open_redirect]) if args.first.tainted?
+        end
+      end
+    end
+  end
+end

data/lib/tainted_love/replacer/replace_action_view.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module TaintedLove
+  module Replacer
+    class ReplaceActionView < Base
+      def should_replace?
+        Object.const_defined?('ActionView')
+      end
+
+      def replace!
+        ActionView::OutputBuffer.class_eval do
+          def append=(value)
+            if value.tainted? && value.html_safe?
+              TaintedLove.report(
+                :ReplaceActionView,
+                value,
+                [:xss],
+                'Tainted string is html_safe'
+              )
+            end
+
+            self << value
+          end
+        end
+
+        # Untaint the yield of a template
+        mod = Module.new do
+          def render(*args, &block)
+            super(*args) do |*sub_args, &sub_block|
+              block.call(*sub_args, &sub_block).untaint
+            end
+          end
+        end
+
+        ActionView::Template.prepend(mod) if Object.const_defined?('ActionView::Template')
+      end
+    end
+  end
+end

data/lib/tainted_love/replacer/replace_active_record.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module TaintedLove
+  module Replacer
+    class ReplaceActiveRecord < Base
+      def should_replace?
+        Object.const_defined?('ActiveRecord')
+      end
+
+      def replace!
+        require 'active_record/relation'
+
+        TaintedLove.proxy_method('ActiveRecord::QueryMethods', :where) do |_, *args|
+          unless args.empty?
+            f = args.first
+            if f.is_a?(String) && f.tainted?
+              TaintedLove.report(:ReplaceActiveRecord, f, [:sqli], 'Model.where using tainted string')
+            end
+          end
+        end
+
+        TaintedLove.proxy_method('ActiveRecord::QueryMethods', :select) do |_, *args|
+          unless args.empty?
+            f = args.first
+            if f.is_a?(String) && f.tainted?
+              TaintedLove.report(:ReplaceActiveRecord, f, [:sqli], 'Model#select using tainted string')
+            end
+          end
+        end
+
+        mod = Module.new do
+          [:find_by_sql, :count_by_sql].each do |method|
+            define_method(method) do |*args|
+              if args.first.tainted?
+                TaintedLove.report(:ReplaceActiveRecord, args.first, [:sqli], "Model##{method} using tainted string")
+              end
+
+              super(*args)
+            end
+          end
+        end
+
+        ActiveRecord::Base.extend(mod)
+      end
+    end
+  end
+end

data/lib/tainted_love/replacer/replace_digest.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module TaintedLove
+  module Replacer
+    class ReplaceDigest < Base
+      def should_replace?
+        Object.const_defined?('Digest')
+      end
+
+      def replace!
+        digests = [:MD5, :SHA256, :SHA512, :SHA2, :SHA384, :SHA1]
+
+        digests.each do |digest|
+          mod = Digest.const_get(digest)
+          mod.extend(create_module(mod)) if Object.const_defined?(mod.to_s)
+        end
+      end
+
+      def create_module(digest_class)
+        module_code = %{
+        Module.new do
+          def hexdigest(value)
+            digest = super
+
+            digest.instance_eval do
+              def tainted_love_origin
+                #{digest_class}
+              end
+            end
+
+            digest
+          end
+        end
+}
+        eval(module_code)
+      end
+    end
+  end
+end

data/lib/tainted_love/replacer/replace_file.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module TaintedLove
+  module Replacer
+    class ReplaceFile < Base
+      def replace!
+        File.instance_eval do
+          alias :_tainted_love_original_read :read
+          alias :_tainted_love_original_write :write
+
+          def read(*args)
+            if args.first.tainted?
+              TaintedLove.report(:ReplaceFile, args.first, [:lfi], 'File read using tainted file name')
+
+              _tainted_love_original_read(*args)
+            else
+              _tainted_love_original_read(*args).untaint
+            end
+          end
+
+          def write(*args)
+            if args.first.tainted?
+              TaintedLove.report(:ReplaceFile, args.first, [:lfi], 'File write using tainted file name')
+            end
+
+            _tainted_love_original_write(*args)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/tainted_love/replacer/replace_kernel.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module TaintedLove
+  module Replacer
+    class ReplaceKernel < Base
+      def replace!
+        %i[eval system `].each do |method|
+          TaintedLove.proxy_method(Kernel, method) do |_, *args|
+            TaintedLove.report(
+              :ReplaceKernel,
+              args.first,
+              [:rce],
+              'Command execution using tainted input'
+            ) if args.first&.tainted?
+          end
+        end
+
+        Kernel.class_eval do
+          alias_method :_tainted_love_original_open, :open
+
+          def open(*args, &block)
+            first = args.first
+            return_value = _tainted_love_original_open(*args, &block)
+
+            if first.tainted?
+              return_value.taint
+
+              TaintedLove.report(
+                :ReplaceKernel,
+                first,
+                [:rce],
+                'Kernel#open begins with "|" and uses tainted input'
+              ) if first.is_a?(String) && first[0] == '|'
+            else
+              return_value.untaint
+            end
+
+            return_value
+          end
+        end
+      end
+    end
+  end
+end

data/lib/tainted_love/replacer/replace_marshal.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module TaintedLove
+  module Replacer
+    class ReplaceMarshal < Base
+      def replace!
+        mod = Module.new do
+          def load(source, proc = nil)
+            TaintedLove.report(:ReplaceMarshal, source, [:rce], 'Marshal.load using tainted input') if source.tainted?
+
+            super(source, proc)
+          end
+        end
+
+        Marshal.singleton_class.prepend(mod)
+      end
+    end
+  end
+end

data/lib/tainted_love/replacer/replace_object.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module TaintedLove
+  module Replacer
+    class ReplaceObject < Base
+      def replace!
+        mod = Module.new do
+          def send(*args, &block)
+            if args[0].tainted? && args[1].tainted?
+              TaintedLove.report(
+                :ReplaceObject,
+                args.first,
+                [:rce],
+                'User input in the first 2 arguments of Object#send'
+              )
+            end
+
+            super(*args, &block)
+          end
+
+          def tainted_love_tracking
+            @tainted_love_tracking ||= []
+          end
+        end
+
+        Object.prepend(mod)
+      end
+    end
+  end
+end

data/lib/tainted_love/replacer/replace_rails_user_input.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+module TaintedLove
+  module Replacer
+    # Ensures user input is tainted in Rails
+    class ReplaceRailsUserInput < Base
+      def should_replace?
+        Object.const_defined?('Rails')
+      end
+
+      def replace!
+        # taint headers
+        TaintedLove.proxy_method('ActionDispatch::Http::Headers', :[]) do |return_value, *_args|
+          return_value.taint
+        end
+
+        # taint the values loaded from the database
+        if Object.const_defined?('ActiveRecord::Base')
+          ActiveRecord::Base.after_find do
+            attributes.values.each do |value|
+              value.taint unless value.frozen?
+            end
+          end
+        end
+
+        if Object.const_defined?('ActionController::Base')
+          ActionController::Base.class_eval do
+            before_action :taint_params
+            before_action :taint_cookies
+
+            private
+
+            def taint_params(value = params)
+              if value.is_a?(ActionController::Parameters) || value.is_a?(ActiveSupport::HashWithIndifferentAccess)
+                value.values.map { |x| x.taint unless x.frozen? }
+                value.values.each { |x| taint_params(x) }
+              else
+                value.taint unless value.frozen?
+              end
+            end
+
+            def taint_cookies
+              request.cookies.values.each(&:taint)
+            end
+          end
+        end
+
+        # taint params keys
+        if Object.const_defined?('ActionController::Parameters')
+          ActionController::Parameters.class_eval do
+            def keys
+              @parameters.keys.map { |key| key.dup.taint }
+            end
+          end
+        end
+      end
+    end
+  end
+end