Class: Brakeman::CheckDefaultRoutes

Inherits:
BaseCheck show all
Defined in:
lib/brakeman/checks/check_default_routes.rb

Overview

Checks if default routes are allowed in routes.rb

Constant Summary

Constants inherited from BaseCheck

BaseCheck::CONFIDENCE

Constants included from Util

Util::ALL_PARAMETERS, Util::COOKIES, Util::COOKIES_SEXP, Util::PARAMETERS, Util::PARAMS_SEXP, Util::PATH_PARAMETERS, Util::QUERY_PARAMETERS, Util::REQUEST_ENV, Util::REQUEST_PARAMETERS, Util::REQUEST_PARAMS, Util::SESSION, Util::SESSION_SEXP

Constants inherited from SexpProcessor

SexpProcessor::VERSION

Instance Attribute Summary

Attributes inherited from BaseCheck

#tracker, #warnings

Attributes inherited from SexpProcessor

#context, #env, #expected

Instance Method Summary collapse

Methods inherited from BaseCheck

#add_result, inherited, #initialize, #process_call, #process_cookies, #process_default, #process_if, #process_params, #process_string_interp

Methods included from Util

#array?, #block?, #call?, #camelize, #contains_class?, #context_for, #cookies?, #false?, #file_by_name, #file_for, #github_url, #hash?, #hash_access, #hash_insert, #hash_iterate, #integer?, #make_call, #node_type?, #number?, #params?, #pluralize, #regexp?, #relative_path, #request_env?, #request_value?, #result?, #set_env_defaults, #sexp?, #string?, #symbol?, #table_to_csv, #template_path_to_name, #true?, #truncate_table, #underscore

Methods included from ProcessorHelper

#class_name, #process_all, #process_all!, #process_call_args, #process_class, #process_module

Methods inherited from SexpProcessor

#error_handler, #in_context, #initialize, #process, #process_dummy, #scope

Constructor Details

This class inherits a constructor from Brakeman::BaseCheck

Instance Method Details

#allow_all_actions?Boolean

Returns:

  • (Boolean)

83
84
85
# File 'lib/brakeman/checks/check_default_routes.rb', line 83

def allow_all_actions?
  tracker.routes[:allow_all_actions]
end

#check_for_action_globsObject


29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
# File 'lib/brakeman/checks/check_default_routes.rb', line 29

def check_for_action_globs
  return if allow_all_actions?
  Brakeman.debug "Checking each controller for default routes"

  tracker.routes.each do |name, actions|
    if actions.is_a? Array and actions[0] == :allow_all_actions
      @actions_allowed_on_controller = true
      if actions[1].is_a? Hash and actions[1][:allow_verb]
        verb = actions[1][:allow_verb]
      else
        verb = "any"
      end
      warn :controller => name,
        :warning_type => "Default Routes",
        :warning_code => :controller_default_routes,
        :message => "Any public method in #{name} can be used as an action for #{verb} requests.",
        :line => actions[2],
        :confidence => CONFIDENCE[:med],
        :file => "#{tracker.app_path}/config/routes.rb"
    end
  end
end

#check_for_cve_2014_0130Object


52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
# File 'lib/brakeman/checks/check_default_routes.rb', line 52

def check_for_cve_2014_0130
  case
  when lts_version?("2.3.18.9")
    #TODO: Should support LTS 3.0.20 too
    return
  when version_between?("2.0.0", "2.3.18")
    upgrade = "3.2.18"
  when version_between?("3.0.0", "3.2.17")
    upgrade = "3.2.18"
  when version_between?("4.0.0", "4.0.4")
    upgrade = "4.0.5"
  when version_between?("4.1.0", "4.1.0")
    upgrade = "4.1.1"
  else
    return
  end

  if allow_all_actions? or @actions_allowed_on_controller
    confidence = CONFIDENCE[:high]
  else
    confidence = CONFIDENCE[:med]
  end

  warn :warning_type => "Remote Code Execution",
    :warning_code => :CVE_2014_0130,
    :message => "Rails #{tracker.config[:rails_version]} with globbing routes is vulnerable to directory traversal and remote code execution. Patch or upgrade to #{upgrade}",
    :confidence => confidence,
    :file => "#{tracker.app_path}/config/routes.rb",
    :link => "http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf"
end

#check_for_default_routesObject


17
18
19
20
21
22
23
24
25
26
27
# File 'lib/brakeman/checks/check_default_routes.rb', line 17

def check_for_default_routes
  if allow_all_actions?
    #Default routes are enabled globally
    warn :warning_type => "Default Routes",
      :warning_code => :all_default_routes,
      :message => "All public methods in controllers are available as actions in routes.rb",
      :line => tracker.routes[:allow_all_actions].line,
      :confidence => CONFIDENCE[:high],
      :file => "#{tracker.app_path}/config/routes.rb"
  end
end

#run_checkObject

Checks for :allow_all_actions globally and for individual routes if it is not enabled globally.


11
12
13
14
15
# File 'lib/brakeman/checks/check_default_routes.rb', line 11

def run_check
  check_for_default_routes
  check_for_action_globs
  check_for_cve_2014_0130
end