Class: Brakeman::BaseCheck

Inherits:

SexpProcessor

• Object
• SexpProcessor
• Brakeman::BaseCheck

Includes:

ProcessorHelper, Util

Defined in:

lib/brakeman/checks/base_check.rb

Overview

Basis of vulnerability checks.

Direct Known Subclasses

CheckBasicAuth, CheckCreateWith, CheckCrossSiteScripting, CheckDefaultRoutes, CheckDeserialize, CheckDetailedExceptions, CheckDigestDoS, CheckEscapeFunction, CheckEvaluation, CheckExecute, CheckFileAccess, CheckFileDisclosure, CheckFilterSkipping, CheckForgerySetting, CheckHeaderDoS, CheckI18nXSS, CheckJRubyXML, CheckJSONEncoding, CheckJSONParsing, CheckMailTo, CheckMassAssignment, CheckModelAttrAccessible, CheckModelAttributes, CheckModelSerialize, CheckNestedAttributes, CheckNumberToCurrency, CheckQuoteTableName, CheckRedirect, CheckRegexDoS, CheckRender, CheckRenderDoS, CheckResponseSplitting, CheckSQL, CheckSQLCVEs, CheckSSLVerify, CheckSafeBufferManipulation, CheckSanitizeMethods, CheckSelectTag, CheckSelectVulnerability, CheckSend, CheckSessionManipulation, CheckSessionSettings, CheckSingleQuotes, CheckSkipBeforeFilter, CheckStripTags, CheckSymbolDoS, CheckSymbolDoSCVE, CheckTranslateBug, CheckUnsafeReflection, CheckUnscopedFind, CheckValidationRegex, CheckWeakHash, CheckWithoutProtection, CheckXMLDoS, CheckYAMLParsing

Defined Under Namespace

Classes: Match

Constant Summary

CONFIDENCE =

{ :high => 0, :med => 1, :low => 2 }

Constants included from Util

Util::ALL_PARAMETERS, Util::COOKIES, Util::COOKIES_SEXP, Util::PARAMETERS, Util::PARAMS_SEXP, Util::PATH_PARAMETERS, Util::QUERY_PARAMETERS, Util::REQUEST_ENV, Util::REQUEST_PARAMETERS, Util::REQUEST_PARAMS, Util::SESSION, Util::SESSION_SEXP

Constants inherited from SexpProcessor

SexpProcessor::VERSION

Class Attribute Summary

• .name ⇒ Object

  Returns the value of attribute name.

Instance Attribute Summary

• #tracker ⇒ Object readonly

  Returns the value of attribute tracker.

• #warnings ⇒ Object readonly

  Returns the value of attribute warnings.

Attributes inherited from SexpProcessor

#context, #env, #expected

Class Method Summary

• .inherited(subclass) ⇒ Object

Instance Method Summary

• #add_result(result, location = nil) ⇒ Object

  Add result to result list, which is used to check for duplicates.

• #initialize(app_tree, tracker) ⇒ BaseCheck constructor

  Initialize Check with Checks.

• #process_call(exp) ⇒ Object

  Process calls and check if they include user input.

• #process_cookies(exp) ⇒ Object

  Note that cookies are included in current expression.

• #process_default(exp) ⇒ Object

  Default Sexp processing.

• #process_dstr(exp) ⇒ Object

  Does not actually process string interpolation, but notes that it occurred.

• #process_if(exp) ⇒ Object
• #process_params(exp) ⇒ Object

  Note that params are included in current expression.

Methods included from Util

#array?, #block?, #call?, #camelize, #class_name, #contains_class?, #context_for, #cookies?, #false?, #file_by_name, #file_for, #github_url, #hash?, #hash_access, #hash_insert, #hash_iterate, #integer?, #make_call, #node_type?, #number?, #params?, #pluralize, #rails_version, #regexp?, #relative_path, #request_env?, #request_value?, #result?, #set_env_defaults, #sexp?, #string?, #string_interp?, #symbol?, #table_to_csv, #template_path_to_name, #true?, #truncate_table, #underscore

Methods included from ProcessorHelper

#process_all, #process_all!, #process_call_args, #process_call_defn?, #process_class, #process_module

Methods inherited from SexpProcessor

#in_context, #process, processors, #scope

Constructor Details

#initialize(app_tree, tracker) ⇒ BaseCheck

Initialize Check with Checks.

# File 'lib/brakeman/checks/base_check.rb', line 25

def initialize(app_tree, tracker)
  super()
  @app_tree = app_tree
  @results = [] #only to check for duplicates
  @warnings = []
  @tracker = tracker
  @string_interp = false
  @current_set = nil
  @current_template = @current_module = @current_class = @current_method = nil
  @active_record_models = nil
  @mass_assign_disabled = nil
  @has_user_input = nil
  @safe_input_attributes = Set[:to_i, :to_f, :arel_table, :id]
end

Class Attribute Details

.name ⇒ Object

Returns the value of attribute name.

# File 'lib/brakeman/checks/base_check.rb', line 17

def name
  @name
end

Instance Attribute Details

#tracker ⇒ Object (readonly)

Returns the value of attribute tracker.

# File 'lib/brakeman/checks/base_check.rb', line 10

def tracker
  @tracker
end

#warnings ⇒ Object (readonly)

Returns the value of attribute warnings.

# File 'lib/brakeman/checks/base_check.rb', line 10

def warnings
  @warnings
end

Class Method Details

.inherited(subclass) ⇒ Object

# File 'lib/brakeman/checks/base_check.rb', line 19

def inherited(subclass)
  subclass.name = subclass.to_s.match(/^Brakeman::(.*)$/)[1]
end

Instance Method Details

#add_result(result, location = nil) ⇒ Object

Add result to result list, which is used to check for duplicates

# File 'lib/brakeman/checks/base_check.rb', line 41

def add_result result, location = nil
  location ||= (@current_template && @current_template.name) || @current_class || @current_module || @current_set || result[:location][:class] || result[:location][:template]
  location = location[:name] if location.is_a? Hash
  location = location.name if location.is_a? Brakeman::Collection
  location = location.to_sym

  if result.is_a? Hash
    line = result[:call].original_line || result[:call].line
  elsif sexp? result
    line = result.original_line || result.line
  else
    raise ArgumentError
  end

  @results << [line, location, result]
end

#process_call(exp) ⇒ Object

Process calls and check if they include user input

# File 'lib/brakeman/checks/base_check.rb', line 73

def process_call exp
  process exp.target if sexp? exp.target
  process_call_args exp

  target = exp.target

  unless @safe_input_attributes.include? exp.method
    if params? target
      @has_user_input = Match.new(:params, exp)
    elsif cookies? target
      @has_user_input = Match.new(:cookies, exp)
    elsif request_env? target
      @has_user_input = Match.new(:request, exp)
    elsif sexp? target and model_name? target[1] #TODO: Can this be target.target?
      @has_user_input = Match.new(:model, exp)
    end
  end

  exp
end

#process_cookies(exp) ⇒ Object

Note that cookies are included in current expression

# File 'lib/brakeman/checks/base_check.rb', line 113

def process_cookies exp
  @has_user_input = Match.new(:cookies, exp)
  exp
end

#process_default(exp) ⇒ Object

Default Sexp processing. Iterates over each value in the Sexp and processes them if they are also Sexps.

# File 'lib/brakeman/checks/base_check.rb', line 60

def process_default exp
  exp.each_with_index do |e, i|
    if sexp? e
      process e
    else
      e
    end
  end

  exp
end

#process_dstr(exp) ⇒ Object

Does not actually process string interpolation, but notes that it occurred.

# File 'lib/brakeman/checks/base_check.rb', line 119

def process_dstr exp
  @string_interp = Match.new(:interp, exp)
  process_default exp
end

#process_if(exp) ⇒ Object

# File 'lib/brakeman/checks/base_check.rb', line 94

def process_if exp
  #This is to ignore user input in condition
  current_user_input = @has_user_input
  process exp.condition
  @has_user_input = current_user_input

  process exp.then_clause if sexp? exp.then_clause
  process exp.else_clause if sexp? exp.else_clause

  exp
end

#process_params(exp) ⇒ Object

Note that params are included in current expression

# File 'lib/brakeman/checks/base_check.rb', line 107

def process_params exp
  @has_user_input = Match.new(:params, exp)
  exp
end