tainted_love 0.1.3

data/lib/tainted_love/replacer/replace_sprokets.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module TaintedLove
+  module Replacer
+    class ReplaceSprokets < Base
+      def should_replace?
+        Object.const_defined?('Sprockets')
+      end
+
+      def replace!
+        mod = Module.new do
+          def javascript_include_tag(*sources)
+            super(*sources).untaint
+          end
+
+          def stylesheet_link_tag(*sources)
+            super(*sources).untaint
+          end
+        end
+
+        Sprockets::Rails::Helper.prepend(mod)
+      end
+    end
+  end
+end

data/lib/tainted_love/replacer/replace_yaml.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module TaintedLove
+  module Replacer
+    class ReplaceYAML < Base
+      def should_replace?
+        Object.const_defined?('YAML')
+      end
+
+      def replace!
+        YAML.instance_eval do
+          alias :_tainted_love_original_load :load
+
+          def load(source, *args)
+            TaintedLove.report(
+              :ReplaceYAML,
+              source,
+              [:rce],
+              'YAML.load using tainted input'
+            ) if source.tainted?
+
+            _tainted_love_original_load(source, *args)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/tainted_love/reporter/base.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require 'set'
+
+module TaintedLove
+  module Reporter
+    # Base reporter
+    class Base
+      attr_reader :warnings
+
+      def initialize
+        @warnings = Hash.new do |h, k|
+          h[k] = {
+            stack_trace: nil,
+            replacer: nil,
+            inputs: {},
+            tags: [],
+            message: nil,
+          }
+        end
+      end
+
+      # Stores a warning by its stack trace hash
+      #
+      # @param warning [TaintedLove::Warning]
+      def store_warning(warning)
+        key = warning.stack_trace.trace_hash
+
+        @warnings[key].merge!(
+          replacer: warning.replacer,
+          stack_trace: warning.stack_trace.lines,
+          tags: warning.tags,
+          message: warning.message,
+        )
+
+        @warnings[key][:inputs][warning.tainted_input] = warning.reported_at
+      end
+
+      # Adds a warning to the reporter
+      #
+      # @param warning [TaintedLove::Warning]
+      def add_warning(warning)
+        store_warning(warning)
+      end
+    end
+  end
+end

data/lib/tainted_love/reporter/file_reporter.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+require 'json'
+
+module TaintedLove
+  module Reporter
+    # Reporter that outputs warnings into a JSON file
+    class FileReporter < Base
+      attr_reader :file_path
+
+      def initialize
+        super
+
+        @file_path = '/tmp/tainted_love.json'
+      end
+
+      def add_warning(warning)
+        super(warning)
+
+        update_file
+      end
+
+      def update_file
+        File.write(@file_path, @warnings.to_json)
+      end
+    end
+  end
+end

data/lib/tainted_love/reporter/stdout_reporter.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module TaintedLove
+  module Reporter
+    # Reporter that outputs warnings in the console
+    class StdoutReporter < Base
+      def add_warning(warning)
+        puts ''
+        puts format_warning(warning)
+        puts ''
+      end
+
+      def format_warning(warning)
+        out = []
+        out << "[!] Tainted input found by #{warning.replacer}"
+        out << warning.stack_trace.trace_hash
+
+        out << if warning.tainted_input.size < 100
+          warning.tainted_input.inspect
+        else
+          warning.tainted_input.inspect[0..100] + '...'
+        end
+
+        out << warning.stack_trace.lines.take(5)
+
+        out.join("\n")
+      end
+    end
+  end
+end

data/lib/tainted_love/stack_trace.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+module TaintedLove
+  class StackTrace
+    BACKTRACE_LINE_REGEX = /^((?:[a-zA-Z]:)?[^:]+):(\d+)(?::in `([^']+)')?$/.freeze
+
+    attr_accessor :stack_trace, :lines
+
+    def initialize(stack_trace)
+      @stack_trace = stack_trace
+      @lines = stack_trace.map do |line|
+        next unless line.match(BACKTRACE_LINE_REGEX)
+        {
+          file: Regexp.last_match(1),
+          line_number: Regexp.last_match(2).to_i,
+          method: Regexp.last_match(3),
+        }
+      end.compact
+
+      # Hack to remove TaintedLove.proxy_method
+      @lines.shift if @lines.first[:file]['tainted_love/utils.rb']
+    end
+
+    # Produces a hash from the stack trace to identify identical code path
+    #
+    # @return [String]
+    def trace_hash
+      lines = @lines.map { |line| "#{line[:file]}:#{line[:number]}" }.join(',')
+      TaintedLove.hash(lines)
+    end
+
+    def to_json
+      {
+        trace_hash: trace_hash,
+      }.to_json
+    end
+
+    # Create a new StackTrace object from the current thread backtrace
+    #
+    # @param skip [Integer] number of trace line to skip
+    # @return [TaintedLove::StackTrace]
+    def self.current(skip = 2)
+      new(Thread.current.backtrace(skip))
+    end
+  end
+end

data/lib/tainted_love/utils.rb

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+require 'digest/md5'
+
+module TaintedLove
+  module Utils
+    # Replaces a method defined in klass.
+    #
+    # @param klass [Class, String] The target class
+    # @param method [Symbol] The method name to replace
+    # @param replace_return_value [Boolean]
+    #   If true, the return value of the function will be the value returned by the block.
+    #   Otherwise, the function will return its original value.
+    # @yield [*args, &block] Block to execute when the function is called
+    def proxy_method(klass, method, replace_return_value = false, &block)
+      if klass.is_a?(String)
+        if Object.const_defined?(klass)
+          klass = Object.const_get(klass)
+        else
+          return
+        end
+      end
+
+      original_method = "_tainted_love_original_#{method}"
+
+      klass.class_eval do
+        alias_method original_method, method
+
+        define_method method do |*args, &given_block|
+          return_value = send(original_method, *args, &given_block)
+
+          block_return = block.call(return_value, *args, self, &block)
+
+          if replace_return_value
+            block_return
+          else
+            return_value
+          end
+        end
+      end
+    end
+
+    # Adds information about the object. The information can be about
+    # where the object is coming from, validation that has been done on the object, etc.
+    #
+    # If the object is frozen, the given block will be called with a new object.
+    # The caller has the responsability of replacing the frozen object with this
+    # new object.
+    #
+    # @param object [Object] Object to add tracking
+    # @param payload [Hash] Data to add to the object
+    # @yield [Object] Invoked with a duplicate unfrozen version of object
+    # @return [Object] Given object or dup of it
+    def add_tracking(object, payload = {}, &block)
+      frozen = object.frozen?
+
+      return if frozen && block.nil?
+
+      payload[:stacktrace] = StackTrace.current
+
+      object = object.dup if frozen
+
+      object.tainted_love_tracking << payload
+
+      block.call(object) if frozen
+
+      object
+    end
+
+    # Create a hex encoded MD5 hash
+    #
+    # @params str [String] Input string
+    # @returns [String]
+    def hash(str)
+      h = Digest::MD5.new
+      h.update(str)
+      h.hexdigest
+    end
+  end
+end

data/lib/tainted_love/validator/action_view_object_send.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module TaintedLove
+  module Validator
+    class ActionViewObjectSend < Base
+      def remove?(warning)
+        return unless warning.replacer == :ReplaceObject
+
+        if warning.stack_trace.lines.first[:file]['actionview/template.rb']
+          return true
+        end
+      end
+    end
+  end
+end

data/lib/tainted_love/validator/base.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module TaintedLove
+  # Validator are used to prevent false positives based on user input, stack trace,
+  # Ruby version or gem version.
+  module Validator
+    class Base
+      def self.validators
+        TaintedLove::Validator.constants.map do |const|
+          cls = TaintedLove::Validator.const_get(const)
+          cls if cls.method_defined?(:remove?)
+        end.compact
+      end
+    end
+  end
+end

data/lib/tainted_love/validator/erb_eval.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module TaintedLove
+  module Validator
+    class ErbEval < Base
+      def remove?(warning)
+        if Object.const_defined?('Rails') || Object.const_defined?('ERB')
+          return true if warning.tainted_input['_erbout']
+        end
+      end
+    end
+  end
+end

data/lib/tainted_love/validator/redis_store_serialization.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module TaintedLove
+  module Validator
+    # Assumes that value unserialized from Redis are safe
+    class RedisStoreSerialization < Base
+      def remove?(warning)
+        warning.replacer == :ReplaceMarshal &&
+          warning.stack_trace_line[:file]['redis/store/serialization.rb']
+      end
+    end
+  end
+end

data/lib/tainted_love/validator/sprokets_marshal.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module TaintedLove
+  module Validator
+    class SproketsMarshal < Base
+      def remove?(warning)
+        calling = warning.stack_trace.lines.first
+
+        if calling[:method] == "unmarshaled_deflated" && calling[:file][/sprockets/]
+          return true
+        end
+      end
+    end
+  end
+end

data/lib/tainted_love/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module TaintedLove
+  VERSION = '0.1.3'
+end

data/lib/tainted_love/warning.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module TaintedLove
+  class Warning
+    attr_accessor :stack_trace, :replacer, :tainted_input, :reported_at, :message, :tags
+
+    def initialize
+      @reported_at = Time.now.to_i
+    end
+
+    def ==(other)
+      stack_trace == other.stack_trace && tainted_input == other.tainted_input
+    end
+
+    def stack_trace_line
+      @stack_trace.lines.first
+    end
+
+    def to_json
+      {
+        stack_trace: @stack_trace,
+        replacer: @replacer,
+        tainted_input: @tainted_input,
+        reported_at: @reported_at,
+        message: @message,
+        tags: @tags,
+      }.to_json
+    end
+  end
+end

data/tainted_love.gemspec

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'tainted_love/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'tainted_love'
+  spec.version       = TaintedLove::VERSION
+  spec.authors       = ['Benoit Cote-Jodoin']
+  spec.email         = ['benoit.cotejodoin@shopify.com']
+
+  spec.summary       = 'TaintedLove is a dynamic security analysis tool for Ruby'
+  spec.homepage      = 'https://github.com/Shopify/tainted_love'
+  spec.license       = 'MIT'
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    %x(git ls-files -z).split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = %w[lib]
+
+  spec.add_development_dependency('bundler', '~> 1.17')
+  spec.add_development_dependency('rake', '~> 10.0')
+  spec.add_development_dependency('rspec', '~> 3.0')
+  spec.add_development_dependency('rubocop', '~> 0.65.0')
+  spec.add_development_dependency('yard', '~> 0.9.18')
+end