lib/brakeman/checks/check_sql.rb in brakeman-min-2.4.3 vs lib/brakeman/checks/check_sql.rb in brakeman-min-2.5.0

- old
+ new

@@ -44,17 +44,12 @@
 calls.concat tracker.find_call(:targets => connect_targets, :methods => @connection_calls, :chained => true).select { |result| connect_call? result }
 Brakeman.debug "Finding calls to named_scope or scope"
 calls.concat find_scope_calls
- Brakeman.debug "Checking version of Rails for CVE issues"
- check_rails_versions_against_cve_issues
-
 Brakeman.debug "Processing possible SQL calls"
 calls.each { |call| process_result call }
-
- check_CVE_2014_0080
 end
 #Find calls to named_scope() or scope() in models
 #RP 3 TODO
 def find_scope_calls
@@ -63,11 +58,11 @@
 if version_between?("2.1.0", "3.0.9")
 ar_scope_calls(:named_scope) do |name, args|
 call = make_call(nil, :named_scope, args).line(args.line)
 scope_calls << scope_call_hash(call, name, :named_scope)
 end
- elsif version_between?("3.1.0", "3.9.9")
+ elsif version_between?("3.1.0", "4.9.9")
 ar_scope_calls(:scope) do |name, args|
 second_arg = args[2]
 next unless sexp? second_arg
 if second_arg.node_type == :iter and node_type? second_arg.block, :block, :call
@@ -112,12 +107,16 @@
 if block.node_type == :block
 find_calls = Brakeman::FindAllCalls.new(tracker)
 find_calls.process_source(block, :class => model_name, :method => scope_name)
 find_calls.calls.each { |call| process_result(call) if @sql_targets.include?(call[:method]) }
 elsif block.node_type == :call
- process_result :target => block.target, :method => block.method, :call => block,
- :location => { :type => :class, :class => model_name, :method => scope_name }
+ while call? block
+ process_result :target => block.target, :method => block.method, :call => block,
+ :location => { :type => :class, :class => model_name, :method => scope_name }
+
+ block = block.target
+ end
 end
 end
 #Process possible SQL injection sites:
 #
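Review bot: The new upper bound in `elsif version_between?("3.1.0", "4.9.9")` repeats the pattern that made the old `3.9.9` bound miss Rails 4 scope() calls: any Rails version above 4.9.9 will again fall through this branch and have its scope() definitions silently skipped by the SQL check. If the intent is "3.1 and everything newer", an open-ended bound such as `elsif version_between?("3.1.0", "9.9.9")` (or a dedicated at-least helper, if the tracker has one) avoids re-bumping the constant for every major release. At minimum a comment on that line, `# upper bound must be raised for each new Rails major`, would make the maintenance cost visible. find_scope_calls starts and ends outside this hunk.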
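Review bot: The new `while call? block` loop in the `:call` branch hands every call in the chain to process_result without the `@sql_targets.include?` filter that the `:block` branch a few lines above applies, so a scope body written as a chain of several relation methods (constructed example) would also pass its non-SQL links to process_result; if process_result's dispatch is the case statement with the "Unhandled SQL method" fallback seen later in this diff, that only costs a debug message, but the two branches now follow different rules. Guarding the call, `process_result(...) if @sql_targets.include? block.method`, keeps them consistent. Whether call? returns false once `block = block.target` reaches a nil or non-call target is not visible here and is assumed. The enclosing method begins before this hunk.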
@@ -177,17 +176,17 @@
 check_query_arguments call.arglist
 when :order, :group, :reorder
 check_order_arguments call.arglist
 when :joins
 check_joins_arguments call.first_arg
- when :from, :select
+ when :from
 unsafe_sql? call.first_arg
 when :lock
 check_lock_arguments call.first_arg
 when :pluck
 unsafe_sql? call.first_arg
- when :update_all
+ when :update_all, :select
 check_update_all_arguments call.args
 when *@connection_calls
 check_by_sql_arguments call.first_arg
 else
 Brakeman.debug "Unhandled SQL method: #{method}"
@@ -538,11 +537,11 @@
 IGNORE_METHODS_IN_SQL = Set[:id, :merge_conditions, :table_name, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array, :sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash, :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
- :to_sql]
+ :to_sql, :sanitize]
 def safe_value? exp
 return true unless sexp? exp
 case exp.node_type
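Review bot: Moving `:select` to `when :update_all, :select` so that `check_update_all_arguments call.args` sees every argument is the right direction, since select() can be called with more than one argument and the old `unsafe_sql? call.first_arg` ignored all but the first; but the helper's name now says update_all while it also handles select, and nothing on the line says why select left the `:from` group. A one-line comment on that `when`, `# select(...) takes a list of fragments, so every argument is checked like update_all`, would stop the next reader from reverting it; renaming the helper is an option if it has no other callers (not visible here). The surrounding `case` begins and ends outside this hunk.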
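Review bot: Adding `:sanitize` to IGNORE_METHODS_IN_SQL widens a name-only allow list: if membership is tested against the called method's name alone, as a set of bare symbols suggests, then any method named sanitize - an application's own helper or an HTML sanitizer - is now treated as a safe SQL value, a false negative for this check, whereas the existing entries are all ActiveRecord-specific sanitize_sql_* names. A comment on the new entry, `# :sanitize is ActiveRecord's quoting helper; matched by name only, so unrelated sanitize helpers are trusted too`, records that trade-off. A stricter alternative is to accept it only when the receiver is an ActiveRecord class, if safe_value? can see the call's target. safe_value? begins in this hunk but its body continues past it.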
@@ -636,85 +635,7 @@
 target == SELF_CLASS or node_type? target, :self or klass == :"ActiveRecord::Base" or active_record_models.include? klass
 end
- end
-
- # TODO: Move all SQL CVE checks to separate class
- def check_CVE_2014_0080
- return unless version_between? "4.0.0", "4.0.2" and
- @tracker.config[:gems].include? :pg
-
- warn :warning_type => 'SQL Injection',
- :warning_code => :CVE_2014_0080,
- :message => "Rails #{tracker.config[:rails_version]} contains a SQL injection vulnerability (CVE-2014-0080) with PostgreSQL. Upgrade to 4.0.3",
- :confidence => CONFIDENCE[:high],
- :file => gemfile_or_environment,
- :link_path => "https://groups.google.com/d/msg/rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ"
- end
-
- def upgrade_version? versions
- versions.each do |low, high, upgrade|
- return upgrade if version_between? low, high
- end
-
- false
- end
-
- def check_rails_versions_against_cve_issues
- issues = [
- {
- :cve => "CVE-2012-2660",
- :versions => [%w[2.0.0 2.3.14 2.3.17], %w[3.0.0 3.0.12 3.0.13], %w[3.1.0 3.1.4 3.1.5], %w[3.2.0 3.2.3 3.2.4]],
- :url => "https://groups.google.com/d/topic/rubyonrails-security/8SA-M3as7A8/discussion"
- },
- {
- :cve => "CVE-2012-2661",
- :versions => [%w[3.0.0 3.0.12 3.0.13], %w[3.1.0 3.1.4 3.1.5], %w[3.2.0 3.2.3 3.2.5]],
- :url => "https://groups.google.com/d/topic/rubyonrails-security/dUaiOOGWL1k/discussion"
- },
- {
- :cve => "CVE-2012-2695",
- :versions => [%w[2.0.0 2.3.14 2.3.15], %w[3.0.0 3.0.13 3.0.14], %w[3.1.0 3.1.5 3.1.6], %w[3.2.0 3.2.5 3.2.6]],
- :url => "https://groups.google.com/d/topic/rubyonrails-security/l4L0TEVAz1k/discussion"
- },
- {
- :cve => "CVE-2012-5664",
- :versions => [%w[2.0.0 2.3.14 2.3.15], %w[3.0.0 3.0.17 3.0.18], %w[3.1.0 3.1.8 3.1.9], %w[3.2.0 3.2.9 3.2.18]],
- :url => "https://groups.google.com/d/topic/rubyonrails-security/DCNTNp_qjFM/discussion"
- },
- {
- :cve => "CVE-2013-0155",
- :versions => [%w[2.0.0 2.3.15 2.3.16], %w[3.0.0 3.0.18 3.0.19], %w[3.1.0 3.1.9 3.1.10], %w[3.2.0 3.2.10 3.2.11]],
- :url => "https://groups.google.com/d/topic/rubyonrails-security/c7jT-EeN9eI/discussion"
- },
-
- ]
-
- unless lts_version? '2.3.18.6'
- issues << {
- :cve => "CVE-2013-6417",
- :versions => [%w[2.0.0 3.2.15 3.2.16], %w[4.0.0 4.0.1 4.0.2]],
- :url => "https://groups.google.com/d/msg/ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ"
- }
- end
-
- issues.each do |cve_issue|
- cve_warning_for cve_issue[:versions], cve_issue[:cve], cve_issue[:url]
- end
- end
-
- def cve_warning_for versions, cve, link
- upgrade_version = upgrade_version? versions
- return unless upgrade_version
-
- code = cve.tr('-', '_').to_sym
-
- warn :warning_type => 'SQL Injection',
- :warning_code => code,
- :message => "Rails #{tracker.config[:rails_version]} contains a SQL injection vulnerability (#{cve}). Upgrade to #{upgrade_version}",
- :confidence => CONFIDENCE[:high],
- :file => gemfile_or_environment,
- :link_path => link
 end
 end