Class: Brakeman::CheckModelSerialize

Inherits:
BaseCheck
Defined in:
lib/brakeman/checks/check_model_serialize.rb

Constant Summary

Constants inherited from BaseCheck

BaseCheck::CONFIDENCE

Constants included from Util

Util::ALL_PARAMETERS, Util::COOKIES, Util::COOKIES_SEXP, Util::PARAMETERS, Util::PARAMS_SEXP, Util::PATH_PARAMETERS, Util::QUERY_PARAMETERS, Util::REQUEST_ENV, Util::REQUEST_PARAMETERS, Util::REQUEST_PARAMS, Util::SESSION, Util::SESSION_SEXP

Constants inherited from SexpProcessor

SexpProcessor::VERSION

Instance Attribute Summary

Attributes inherited from BaseCheck

#tracker, #warnings

Attributes inherited from SexpProcessor

#context, #env, #expected

Instance Method Summary

Methods inherited from BaseCheck

#add_result, inherited, #initialize, #process_call, #process_cookies, #process_default, #process_if, #process_params, #process_string_interp

Methods included from Util

#array?, #block?, #call?, #camelize, #contains_class?, #context_for, #cookies?, #false?, #file_by_name, #file_for, #github_url, #hash?, #hash_access, #hash_insert, #hash_iterate, #integer?, #make_call, #node_type?, #number?, #params?, #pluralize, #regexp?, #relative_path, #request_env?, #request_value?, #result?, #set_env_defaults, #sexp?, #string?, #symbol?, #table_to_csv, #template_path_to_name, #true?, #truncate_table, #underscore

Methods included from ProcessorHelper

#class_name, #process_all, #process_all!, #process_call_args, #process_class, #process_module

Methods inherited from SexpProcessor

#error_handler, #in_context, #initialize, #process, #process_dummy, #scope

Constructor Details

This class inherits a constructor from Brakeman::BaseCheck

Instance Method Details

#check_for_serialize(model) ⇒ Object

High confidence warning on serialized, unprotected attributes. Medium confidence warning for serialized, protected attributes.


# File 'lib/brakeman/checks/check_model_serialize.rb', line 27

# Warns on a model that calls +serialize+ (warning code CVE_2013_0277).
#
# Every symbol argument passed to +serialize+ is collected, then narrowed
# to the attributes that are still mass-assignable: with +attr_accessible+
# only the listed attributes survive, otherwise any +attr_protected+
# attribute is dropped. Confidence is high when at least one serialized
# attribute survives that filtering, medium when all of them are protected.
#
# @param model [Hash] model record from the tracker; reads :options,
#   :attr_accessible, :name and :files
# @return [Object] result of +warn+, or nil when the model does not
#   serialize anything
def check_for_serialize model
  options = model[:options]
  serialize_calls = options && options[:serialize]
  return unless serialize_calls

  # One arglist per `serialize` call; keep only the symbol arguments
  attrs = serialize_calls.each_with_object(Set.new) do |arglist, collected|
    arglist.each { |arg| collected << arg if symbol? arg }
  end

  accessible = model[:attr_accessible]
  if accessible
    # Allow list: only attributes it names remain assignable
    attrs.keep_if { |attr| accessible.include? attr.value }
  elsif (protected_calls = options[:attr_protected])
    # Deny list: attributes it names are no longer assignable
    protected_attrs = protected_calls.each_with_object(Set.new) do |arglist, collected|
      arglist.each { |arg| collected << arg if symbol? arg }
    end
    attrs.subtract protected_attrs
  end

  # Any serialized attribute still assignable is the high-confidence case
  confidence = attrs.empty? ? CONFIDENCE[:med] : CONFIDENCE[:high]

  warn :model => model[:name],
    :warning_type => "Remote Code Execution",
    :warning_code => :CVE_2013_0277,
    :message => "Serialized attributes are vulnerable in Rails #{tracker.config[:rails_version]}, upgrade to #{@upgrade_version} or patch.",
    :confidence => confidence,
    :link => "https://groups.google.com/d/topic/rubyonrails-security/KtmwSbEpzrU/discussion",
    :file => model[:files].first
end

#run_check ⇒ Object


# File 'lib/brakeman/checks/check_model_serialize.rb', line 8

# Entry point for the check.
#
# Only the two Rails version ranges below are examined; @upgrade_version
# holds the release the warning message recommends and stays nil for any
# other version, in which case no model is inspected.
#
# @return [Object] the models collection after iteration, or nil when the
#   Rails version is outside the checked ranges
def run_check
  @upgrade_version =
    if version_between?("2.0.0", "2.3.16")
      "2.3.17"
    elsif version_between?("3.0.0", "3.0.99")
      "3.2.11"
    end

  return unless @upgrade_version

  tracker.models.each do |_name, model|
    check_for_serialize model
  end
end