Class: Brakeman::BaseCheck
- Inherits: SexpProcessor
  - Object
  - SexpProcessor
  - Brakeman::BaseCheck
- Includes: ProcessorHelper, SafeCallHelper, Util
- Defined in: lib/brakeman/checks/base_check.rb
Overview
Basis of vulnerability checks.
Direct Known Subclasses
CheckBasicAuth, CheckBasicAuthTimingAttack, CheckCreateWith, CheckCrossSiteScripting, CheckDefaultRoutes, CheckDeserialize, CheckDetailedExceptions, CheckDigestDoS, CheckDivideByZero, CheckDynamicFinders, CheckEscapeFunction, CheckEvaluation, CheckExecute, CheckFileAccess, CheckFileDisclosure, CheckFilterSkipping, CheckForgerySetting, CheckHeaderDoS, CheckI18nXSS, CheckJRubyXML, CheckJSONEncoding, CheckJSONParsing, CheckMailTo, CheckMassAssignment, CheckMimeTypeDoS, CheckModelAttrAccessible, CheckModelAttributes, CheckModelSerialize, CheckNestedAttributes, CheckNestedAttributesBypass, CheckNumberToCurrency, CheckPermitAttributes, CheckQuoteTableName, CheckRedirect, CheckRegexDoS, CheckRender, CheckRenderDoS, CheckResponseSplitting, CheckRouteDoS, CheckSQL, CheckSQLCVEs, CheckSSLVerify, CheckSafeBufferManipulation, CheckSanitizeMethods, CheckSecrets, CheckSelectTag, CheckSelectVulnerability, CheckSend, CheckSessionManipulation, CheckSessionSettings, CheckSingleQuotes, CheckSkipBeforeFilter, CheckStripTags, CheckSymbolDoS, CheckSymbolDoSCVE, CheckTranslateBug, CheckUnsafeReflection, CheckUnscopedFind, CheckValidationRegex, CheckWeakHash, CheckWithoutProtection, CheckXMLDoS, CheckYAMLParsing
Defined Under Namespace
Classes: Match
Constant Summary
- CONFIDENCE = Brakeman::Warning::CONFIDENCE
  This is for legacy support. Use :high, :medium, or :low instead when creating warnings.
Constants included from Util
Util::ALL_COOKIES, Util::ALL_PARAMETERS, Util::COOKIES, Util::COOKIES_SEXP, Util::PARAMETERS, Util::PARAMS_SEXP, Util::PATH_PARAMETERS, Util::QUERY_PARAMETERS, Util::REQUEST_COOKIES, Util::REQUEST_ENV, Util::REQUEST_PARAMETERS, Util::REQUEST_PARAMS, Util::SESSION, Util::SESSION_SEXP
Constants inherited from SexpProcessor
Class Attribute Summary
- .name ⇒ Object
  Returns the value of attribute name.
Instance Attribute Summary
- #tracker ⇒ Object (readonly)
  Returns the value of attribute tracker.
- #warnings ⇒ Object (readonly)
  Returns the value of attribute warnings.
Attributes inherited from SexpProcessor
Class Method Summary
- .inherited(subclass) ⇒ Object
Instance Method Summary
- #add_result(result, location = nil) ⇒ Object
  Add result to result list, which is used to check for duplicates.
- #initialize(app_tree, tracker) ⇒ BaseCheck (constructor)
  Initialize Check with Checks.
- #process_call(exp) ⇒ Object
  Process calls and check if they include user input.
- #process_cookies(exp) ⇒ Object
  Note that cookies are included in current expression.
- #process_default(exp) ⇒ Object
  Default Sexp processing.
- #process_dstr(exp) ⇒ Object
  Does not actually process string interpolation, but notes that it occurred.
- #process_if(exp) ⇒ Object
- #process_params(exp) ⇒ Object
  Note that params are included in current expression.
Methods included from Util
#array?, #block?, #call?, #camelize, #class_name, #constant?, #contains_class?, #context_for, #cookies?, #false?, #file_by_name, #file_for, #github_url, #hash?, #hash_access, #hash_insert, #hash_iterate, #integer?, #make_call, #node_type?, #number?, #params?, #pluralize, #rails_version, #regexp?, #relative_path, #request_env?, #request_value?, #result?, #set_env_defaults, #sexp?, #string?, #string_interp?, #symbol?, #table_to_csv, #template_path_to_name, #true?, #truncate_table, #underscore
Methods included from ProcessorHelper
#current_file_name, #process_all, #process_all!, #process_call_args, #process_call_defn?, #process_class, #process_module
Methods inherited from SexpProcessor
#in_context, #process, processors, #scope
Constructor Details
#initialize(app_tree, tracker) ⇒ BaseCheck
Initialize Check with Checks.
# File 'lib/brakeman/checks/base_check.rb', line 28
def initialize(app_tree, tracker)
  super()
  @app_tree = app_tree
  @results = [] # only to check for duplicates
  @warnings = []
  @tracker = tracker
  @string_interp = false
  @current_set = nil
  @current_template = @current_module = @current_class = @current_method = nil
  @active_record_models = nil
  @mass_assign_disabled = nil
  @has_user_input = nil
  # Calls on user input that return something safe to use (e.g. params[:id].to_i)
  @safe_input_attributes = Set[:to_i, :to_f, :arel_table, :id]
  # Comparisons are not processed as calls that propagate user input
  @comparison_ops = Set[:==, :!=, :>, :<, :>=, :<=]
end
Class Attribute Details
.name ⇒ Object
Returns the value of attribute name.
# File 'lib/brakeman/checks/base_check.rb', line 20
def name
  @name
end
Instance Attribute Details
#tracker ⇒ Object (readonly)
Returns the value of attribute tracker.
# File 'lib/brakeman/checks/base_check.rb', line 11
def tracker
  @tracker
end
#warnings ⇒ Object (readonly)
Returns the value of attribute warnings.
# File 'lib/brakeman/checks/base_check.rb', line 11
def warnings
  @warnings
end
Class Method Details
.inherited(subclass) ⇒ Object
# File 'lib/brakeman/checks/base_check.rb', line 22
def inherited(subclass)
  # Strip the Brakeman:: prefix so the check is named e.g. "CheckSQL"
  subclass.name = subclass.to_s.match(/^Brakeman::(.*)$/)[1]
end
Instance Method Details
#add_result(result, location = nil) ⇒ Object
Add result to result list, which is used to check for duplicates.

# File 'lib/brakeman/checks/base_check.rb', line 45
def add_result result, location = nil
  # Fall back to the innermost known context (template, class, module, ...)
  location ||= (@current_template && @current_template.name) || @current_class || @current_module || @current_set || result[:location][:class] || result[:location][:template]
  location = location[:name] if location.is_a? Hash
  location = location.name if location.is_a? Brakeman::Collection
  location = location.to_sym

  if result.is_a? Hash
    line = result[:call].original_line || result[:call].line
  elsif sexp? result
    line = result.original_line || result.line
  else
    raise ArgumentError
  end

  @results << [line, location, result]
end
#process_call(exp) ⇒ Object
Process calls and check if they include user input.

# File 'lib/brakeman/checks/base_check.rb', line 73
def process_call exp
  # Comparison operators do not propagate user input, so their operands are skipped
  unless @comparison_ops.include? exp.method
    process exp.target if sexp? exp.target
    process_call_args exp
  end

  target = exp.target

  # Record which kind of user input (if any) this call reads from
  unless always_safe_method? exp.method
    if params? target
      @has_user_input = Match.new(:params, exp)
    elsif cookies? target
      @has_user_input = Match.new(:cookies, exp)
    elsif request_env? target
      @has_user_input = Match.new(:request, exp)
    elsif sexp? target and model_name? target[1] # TODO: Can this be target.target?
      @has_user_input = Match.new(:model, exp)
    end
  end

  exp
end
#process_cookies(exp) ⇒ Object
Note that cookies are included in current expression.

# File 'lib/brakeman/checks/base_check.rb', line 115
def process_cookies exp
  @has_user_input = Match.new(:cookies, exp)
  exp
end
#process_default(exp) ⇒ Object
Default Sexp processing. Iterates over each value in the Sexp and processes them if they are also Sexps.
# File 'lib/brakeman/checks/base_check.rb', line 64
def process_default exp
  exp.each do |e|
    process e if sexp? e
  end

  exp
end
#process_dstr(exp) ⇒ Object
Does not actually process string interpolation, but notes that it occurred.
# File 'lib/brakeman/checks/base_check.rb', line 121
def process_dstr exp
  @string_interp = Match.new(:interp, exp)
  process_default exp
end
#process_if(exp) ⇒ Object
# File 'lib/brakeman/checks/base_check.rb', line 96
def process_if exp
  # Ignore user input that appears only in the condition:
  # restore the previous state after processing it
  current_user_input = @has_user_input
  process exp.condition
  @has_user_input = current_user_input

  process exp.then_clause if sexp? exp.then_clause
  process exp.else_clause if sexp? exp.else_clause

  exp
end