Merge branch 'master' into more_mass_assignment_methods

Conflicts:
	test/tests/test_rails3.rb
commit 4fc9af50c47af384abdd834c0df57f01c4f23a84 2 parents 0f30b08 + ccd1a64
@presidentbeef authored
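--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
 Gemfile.lock
+.rbx
+**/.rbx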
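--- a/.travis.yml
+++ b/.travis.yml
@@ -8,3 +8,5 @@ rvm:
 - "1.8.7"
 - "1.9.2"
 - "1.9.3"
+- "jruby-18mode"
+- "jruby-19mode"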
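--- a/lib/brakeman/checks/check_link_to_href.rb
+++ b/lib/brakeman/checks/check_link_to_href.rb
@@ -65,6 +65,10 @@ def process_result result
 # Decided NOT warn on models. polymorphic_path is called it a model is
 # passed to link_to (which passes it to url_for)
+elsif array? url_arg
+# Just like models, polymorphic path/url is called if the argument is
+# an array
+
 elsif hash? url_arg
 # url_for uses the key/values pretty carefully and I don't see a risk.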
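Review bot: The new `elsif array? url_arg` branch skips the href check for every array argument without looking at its elements, so an array literal containing a user-controlled value is no longer examined at all; the two model-only fixtures added in this commit are fine, but the branch is broader than they are. If treating any array as safe is deliberate, the comment should say so, e.g. `# Arrays go to polymorphic_url; element values are not inspected here`; otherwise the elements could be run through whatever param-detection the method applies to the other argument shapes, if there is one. The branch body is empty, which is legal Ruby but reads like an omission until the comment is read, so stating the intentional no-op explicitly helps. process_result starts and ends outside this hunk.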
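--- a/lib/brakeman/checks/check_sql.rb
+++ b/lib/brakeman/checks/check_sql.rb
@@ -46,6 +46,9 @@ def run_check
 Brakeman.debug "Checking version of Rails for CVE-2012-2695"
 check_rails_version_for_cve_2012_2695
+Brakeman.debug "Checking version of Rails for CVE-2012-5664"
+check_rails_version_for_cve_2012_5664
+
 Brakeman.debug "Processing possible SQL calls"
 calls.each do |c|
 process_result c
@@ -121,6 +124,16 @@ def check_rails_version_for_cve_2012_2695
 end
 end
+def check_rails_version_for_cve_2012_5664
+if version_between?("2.0.0", "2.3.14") || version_between?("3.0.0", "3.0.17") || version_between?("3.1.0", "3.1.8") || version_between?("3.2.0", "3.2.9")
+warn :warning_type => 'SQL Injection',
+:message => 'All versions of Rails before 3.0.18, 3.1.9, and 3.2.10 contain a SQL Injection Vulnerability: CVE-2012-5664; Upgrade to 3.2.10, 3.1.9, 3.0.18',
+:confidence => CONFIDENCE[:high],
+:file => gemfile_or_environment,
+:link_path => "https://groups.google.com/d/topic/rubyonrails-security/DCNTNp_qjFM/discussion"
+end
+end
+
 def process_scope_with_block model_name, args
 scope_name = args[1][1]
 block = args[-1][-1]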
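Review bot: The first range in `check_rails_version_for_cve_2012_5664`, `version_between?("2.0.0", "2.3.14")`, raises a warning whose message names only 3.0.18, 3.1.9 and 3.2.10 as upgrade targets, so a 2.3 project receives a high-confidence finding with no remediation it can act on; the message should also give the 2.3 fix level from the advisory, or state that 2.3 is affected but has no patched release if that is the case. The four `version_between?` calls on one line are hard to check against the message text; a frozen list of `[from, to]` pairs tested with `any?` keeps the ranges readable and in one place, as below. Pre-release versions such as a `3.2.10.rc` presumably fall outside these closed ranges, which is worth a one-line comment if intended.
```ruby
CVE_2012_5664_RANGES = [
  ["2.0.0", "2.3.14"],
  ["3.0.0", "3.0.17"],
  ["3.1.0", "3.1.8"],
  ["3.2.0", "3.2.9"]
].freeze

def check_rails_version_for_cve_2012_5664
  return unless CVE_2012_5664_RANGES.any? { |from, to| version_between?(from, to) }
  # … unchanged: warn call with message, confidence, file and link_path …
end
```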
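--- a/test/apps/rails2/app/views/home/test_model.html.erb
+++ b/test/apps/rails2/app/views/home/test_model.html.erb
@@ -5,3 +5,7 @@ Hello, <%= @name %>!
 Very likely bad: <%= truncate User.profile %>
 Bad for 2.x: <%= link_to User.first.name, "some_url" %>
+
+It's just a model <%= link_to "Hipster ipsum", User.first %>
+
+It's just a couple of models <%= link_to "Hipster ipsum", [Account.first, User.last] %>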
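--- a/test/apps/rails3/app/views/home/test_model.html.erb
+++ b/test/apps/rails3/app/views/home/test_model.html.erb
@@ -6,3 +6,7 @@ Hello, <%= raw @name %>!
 Very likely bad: <%= raw auto_link User.profile %>
 Not a problem in Rails 3: <%= link_to User.first.name, "some url" %>
+
+It's just a model <%= link_to "Hipster ipsum", User.first %>
+
+It's just a couple of models <%= link_to "Hipster ipsum", [Account.first, User.last] %>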
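--- a/test/tests/test_rails2.rb
+++ b/test/tests/test_rails2.rb
@@ -12,13 +12,13 @@ def expected
 :controller => 1,
 :model => 2,
 :template => 41,
-:warning => 32 }
+:warning => 33 }
 else
 @expected ||= {
 :controller => 1,
 :model => 2,
 :template => 41,
-:warning => 33 }
+:warning => 34 }
 end
 end
@@ -429,6 +429,22 @@ def test_href_parameter_in_link_to
 :file => /test_params\.html\.erb/
 end
+def test_polymorphic_url_in_href
+assert_no_warning :type => :template,
+:warning_type => "Cross Site Scripting",
+:line => 9,
+:message => /^Unsafe parameter value in link_to href/,
+:confidence => 1,
+:file => /test_model\.html\.erb/
+
+assert_no_warning :type => :template,
+:warning_type => "Cross Site Scripting",
+:line => 11,
+:message => /^Unsafe parameter value in link_to href/,
+:confidence => 1,
+:file => /test_model\.html\.erb/
+end
+
 def test_unescaped_body_in_link_to
 assert_warning :type => :template,
 :warning_type => "Cross Site Scripting",
@@ -762,6 +778,14 @@ def test_strip_tags_CVE_2012_3465_high
 :file => /test_strip_tags\.html\.erb/
 end
+def test_sql_injection_CVE_2012_5664
+assert_warning :type => :warning,
+:warning_type => "SQL Injection",
+:message => /^All\ versions\ of\ Rails\ before\ 3\.0\.18,\ 3\.1/,
+:confidence => 0,
+:file => /environment\.rb/
+end
+
 def test_to_json
 assert_warning :type => :template,
 :warning_type => "Cross Site Scripting",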
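Review bot: `test_polymorphic_url_in_href` pins both `assert_no_warning` calls to `:line => 9` and `:line => 11` of test_model.html.erb, so if the fixture shifts by a line or the message wording changes, the negative assertions pass vacuously and no longer guard the regression they were written for; dropping `:line` from the negative match, if the helper permits it, or relying on the template total that `expected` already tracks, keeps them meaningful. The same applies to the rails3 copy of this test in test_rails3.rb with lines 10 and 12. `test_sql_injection_CVE_2012_5664` is repeated verbatim in test_rails3.rb, test_rails31.rb, test_rails32.rb and test_rails_with_xss_plugin.rb, differing only in the `:file` pattern; a shared helper taking that pattern would reduce the five copies to one definition.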
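--- a/test/tests/test_rails3.rb
+++ b/test/tests/test_rails3.rb
@@ -15,7 +15,7 @@ def expected
 :controller => 1,
 :model => 5,
 :template => 32,
-:warning => 41
+:warning => 42
 }
 end
@@ -231,6 +231,14 @@ def test_rails_cve_2012_2695
 :file => /Gemfile/
 end
+def test_sql_injection_CVE_2012_5664
+assert_warning :type => :warning,
+:warning_type => "SQL Injection",
+:message => /^All\ versions\ of\ Rails\ before\ 3\.0\.18,\ 3\.1/,
+:confidence => 0,
+:file => /Gemfile/
+end
+
 def test_sql_injection_find_by_sql
 assert_warning :type => :warning,
 :warning_type => "SQL Injection",
@@ -435,6 +443,23 @@ def test_href_parameter_in_link_to
 :file => /test_params\.html\.erb/
 end
+def test_polymorphic_url_in_href
+assert_no_warning :type => :template,
+:warning_type => "Cross Site Scripting",
+:line => 10,
+:message => /^Unsafe parameter value in link_to href/,
+:confidence => 1,
+:file => /test_model\.html\.erb/
+
+assert_no_warning :type => :template,
+:warning_type => "Cross Site Scripting",
+:line => 12,
+:message => /^Unsafe parameter value in link_to href/,
+:confidence => 1,
+:file => /test_model\.html\.erb/
+end
+
+
 def test_file_access_in_template
 assert_warning :type => :template,
 :warning_type => "File Access",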
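--- a/test/tests/test_rails31.rb
+++ b/test/tests/test_rails31.rb
@@ -15,7 +15,7 @@ def expected
 :model => 3,
 :template => 22,
 :controller => 1,
-:warning => 49 }
+:warning => 50 }
 end
 def test_without_protection
@@ -149,6 +149,14 @@ def test_rails_cve_2012_2695
 :file => /Gemfile/
 end
+def test_sql_injection_CVE_2012_5664
+assert_warning :type => :warning,
+:warning_type => "SQL Injection",
+:message => /^All\ versions\ of\ Rails\ before\ 3\.0\.18,\ 3\.1/,
+:confidence => 0,
+:file => /Gemfile/
+end
+
 def test_sql_injection_scope_lambda
 assert_warning :type => :warning,
 :warning_type => "SQL Injection",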
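--- a/test/tests/test_rails32.rb
+++ b/test/tests/test_rails32.rb
@@ -11,7 +11,7 @@ def expected
 :controller => 0,
 :model => 0,
 :template => 6,
-:warning => 2 }
+:warning => 3 }
 end
 def report
@@ -22,6 +22,14 @@ def test_rc_version_number
 assert_equal "3.2.9.rc2", Rails32[:config][:rails_version]
 end
+def test_sql_injection_CVE_2012_5664
+assert_warning :type => :warning,
+:warning_type => "SQL Injection",
+:message => /^All\ versions\ of\ Rails\ before\ 3\.0\.18,\ 3\.1/,
+:confidence => 0,
+:file => /Gemfile/
+end
+
 def test_redirect_1
 assert_warning :type => :warning,
 :warning_type => "Redirect",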
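--- a/test/tests/test_rails_with_xss_plugin.rb
+++ b/test/tests/test_rails_with_xss_plugin.rb
@@ -11,7 +11,7 @@ def expected
 :controller => 1,
 :model => 3,
 :template => 2,
-:warning => 15 }
+:warning => 16 }
 end
 def report
@@ -258,6 +258,14 @@ def test_strip_tags_CVE_2012_3465
 :file => /Gemfile/
 end
+def test_sql_injection_CVE_2012_5664
+assert_warning :type => :warning,
+:warning_type => "SQL Injection",
+:message => /^All\ versions\ of\ Rails\ before\ 3\.0\.18,\ 3\.1/,
+:confidence => 0,
+:file => /Gemfile/
+end
+
 def test_to_json
 assert_warning :type => :template,
 :warning_type => "Cross Site Scripting",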