
require 'brakeman/checks/base_check'

# YAML.load (and the related load/parse methods checked below) on untrusted input can lead to remote code execution
class Brakeman::CheckYAMLLoad < Brakeman::BaseCheck
  Brakeman::Checks.add self

  @description = "Checks for uses of YAML.load"

  # Methods on the YAML constant that this check looks for.
  YAML_METHODS = [:load, :load_documents, :load_stream, :parse_documents, :parse_stream].freeze

  # Human-readable origin of a tainted argument, keyed by the input's type.
  # Any type not listed here is reported as plain "user input".
  INPUT_DESCRIPTIONS = {
    :params  => "parameter value",
    :cookies => "cookies value",
    :request => "request value",
    :model   => "model attribute"
  }.freeze

  # Find every call to one of YAML_METHODS on the YAML constant and hand
  # each one to check_yaml_load.
  def run_check
    yaml_calls = tracker.find_call(:target => :YAML, :methods => YAML_METHODS)
    yaml_calls.each { |call_result| check_yaml_load call_result }
  end

  # Inspect a single YAML.* call found by run_check.
  #
  # Duplicates are skipped; every other call is recorded with add_result.
  # A "Remote Code Execution" warning is emitted only when the call's first
  # argument carries user input: high confidence when the input is passed
  # directly, medium when it is merely part of the argument expression.
  #
  # @param result [Hash] a find_call result; result[:call] is the call node
  def check_yaml_load result
    return if duplicate? result
    add_result result

    call = result[:call]
    first_arg = call.first_arg

    # Direct use of user input outranks indirect inclusion, so it is tried first.
    input = has_immediate_user_input?(first_arg)
    confidence = if input
                   CONFIDENCE[:high]
                 elsif (input = include_user_input?(first_arg))
                   CONFIDENCE[:med]
                 end

    return unless confidence

    input_type = INPUT_DESCRIPTIONS.fetch(input.type, "user input")

    warn :result => result,
      :warning_type => "Remote Code Execution",
      :message => "YAML.#{call.method} called with #{input_type}",
      :user_input => input.match,
      :confidence => confidence,
      :link_path => "remote_code_execution_yaml_load"
  end
end
