From 470bf5227bab71d4f371d26d55047887ede0b59d Mon Sep 17 00:00:00 2001 
From: Fish-Nullify Date: Fri, 22 Mar 2024 15:26:39 +1100 Subject: [PATCH 1/3] added all cwes to checks --- .travis.yml | 37 ------------------- gem_common.rb | 17 +++++---- lib/brakeman/checks/check_basic_auth.rb | 3 +- .../checks/check_basic_auth_timing_attack.rb | 3 +- lib/brakeman/checks/check_content_tag.rb | 9 +++-- lib/brakeman/checks/check_create_with.rb | 6 ++- .../checks/check_cross_site_scripting.rb | 9 +++-- lib/brakeman/checks/check_default_routes.rb | 5 ++- lib/brakeman/checks/check_deserialize.rb | 3 +- .../checks/check_detailed_exceptions.rb | 6 ++- lib/brakeman/checks/check_digest_dos.rb | 3 +- lib/brakeman/checks/check_divide_by_zero.rb | 3 +- lib/brakeman/checks/check_dynamic_finders.rb | 3 +- lib/brakeman/checks/check_escape_function.rb | 5 ++- lib/brakeman/checks/check_evaluation.rb | 3 +- lib/brakeman/checks/check_execute.rb | 9 +++-- lib/brakeman/checks/check_file_access.rb | 3 +- lib/brakeman/checks/check_file_disclosure.rb | 3 +- lib/brakeman/checks/check_filter_skipping.rb | 3 +- lib/brakeman/checks/check_forgery_setting.rb | 6 ++- lib/brakeman/checks/check_header_dos.rb | 3 +- lib/brakeman/checks/check_i18n_xss.rb | 3 +- lib/brakeman/checks/check_jruby_xml.rb | 3 +- lib/brakeman/checks/check_json_encoding.rb | 3 +- lib/brakeman/checks/check_json_parsing.rb | 6 ++- lib/brakeman/checks/check_link_to.rb | 3 +- lib/brakeman/checks/check_link_to_href.rb | 6 ++- lib/brakeman/checks/check_mail_to.rb | 3 +- lib/brakeman/checks/check_mass_assignment.rb | 6 ++- lib/brakeman/checks/check_mime_type_dos.rb | 3 +- .../checks/check_model_attr_accessible.rb | 3 +- lib/brakeman/checks/check_model_attributes.rb | 6 ++- lib/brakeman/checks/check_model_serialize.rb | 3 +- .../checks/check_nested_attributes.rb | 3 +- .../checks/check_nested_attributes_bypass.rb | 3 +- .../checks/check_number_to_currency.rb | 6 ++- .../checks/check_permit_attributes.rb | 3 +- lib/brakeman/checks/check_quote_table_name.rb | 5 ++- lib/brakeman/checks/check_redirect.rb | 7 ++-- 
lib/brakeman/checks/check_regex_dos.rb | 3 +- lib/brakeman/checks/check_render.rb | 8 ++-- lib/brakeman/checks/check_render_dos.rb | 3 +- lib/brakeman/checks/check_render_inline.rb | 6 ++- .../checks/check_response_splitting.rb | 3 +- lib/brakeman/checks/check_route_dos.rb | 3 +- .../checks/check_safe_buffer_manipulation.rb | 5 ++- lib/brakeman/checks/check_sanitize_methods.rb | 9 +++-- lib/brakeman/checks/check_secrets.rb | 3 +- lib/brakeman/checks/check_select_tag.rb | 3 +- .../checks/check_select_vulnerability.rb | 3 +- lib/brakeman/checks/check_send.rb | 3 +- .../checks/check_session_manipulation.rb | 3 +- lib/brakeman/checks/check_session_settings.rb | 11 ++++-- lib/brakeman/checks/check_simple_format.rb | 6 ++- lib/brakeman/checks/check_single_quotes.rb | 3 +- .../checks/check_skip_before_filter.rb | 6 ++- lib/brakeman/checks/check_sql.rb | 6 ++- lib/brakeman/checks/check_sql_cves.rb | 6 ++- lib/brakeman/checks/check_ssl_verify.rb | 3 +- lib/brakeman/checks/check_strip_tags.rb | 9 +++-- lib/brakeman/checks/check_symbol_dos.rb | 3 +- lib/brakeman/checks/check_symbol_dos_cve.rb | 4 +- lib/brakeman/checks/check_translate_bug.rb | 3 +- .../checks/check_unsafe_reflection.rb | 5 ++- lib/brakeman/checks/check_unscoped_find.rb | 3 +- lib/brakeman/checks/check_validation_regex.rb | 3 +- lib/brakeman/checks/check_weak_hash.rb | 9 +++-- .../checks/check_without_protection.rb | 13 ++++--- lib/brakeman/checks/check_xml_dos.rb | 3 +- lib/brakeman/checks/check_yaml_parsing.rb | 6 ++- .../processors/lib/processor_helper.rb | 11 ++++++ lib/brakeman/warning.rb | 8 ++-- 72 files changed, 235 insertions(+), 158 deletions(-) delete mode 100644 .travis.yml diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index 2ee49fd8f..000000000 --- a/.travis.yml +++ /dev/null 
@@ -1,37 +0,0 @@ -before_install: - - gem update bundler - -before_script: - - | - bash -c " - if [ ! -z "$CC_TEST_REPORTER_ID" ]; then - curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter && \ - chmod +x ./cc-test-reporter && \ - ./cc-test-reporter before-build - fi - " -script: - - "bundle exec ruby test/test.rb" - -after_script: - - | - bash -c " - if [ ! -z "$CC_TEST_REPORTER_ID" ]; then - ./cc-test-reporter after-build --exit-code $TRAVIS_TEST_RESULT - fi - " - -matrix: - include: - - rvm: "ruby-head" - - rvm: "1.9.3" - - rvm: "2.3.5" - - rvm: "2.4.2" - - rvm: "2.5.1" - env: CC_TEST_REPORTER_ID=521d341f3320acda1902d0db0a3a92fb16b11ebfe3d5ab730218d4fc0fb3db13 - -branches: - only: - - master - -sudo: false diff --git a/gem_common.rb b/gem_common.rb index d24adba57..bd3159a76 100644 --- a/gem_common.rb +++ b/gem_common.rb 
@@ -2,23 +2,26 @@ module Brakeman module GemDependencies def self.dev_dependencies spec spec.add_development_dependency "minitest" + spec.add_development_dependency "minitest-ci" + spec.add_development_dependency "simplecov" + spec.add_development_dependency "simplecov-html", "=0.10.2" end def self.base_dependencies spec - spec.add_dependency "ruby_parser", "~>3.11.0" + spec.add_dependency "parallel", "~>1.20" + spec.add_dependency "ruby_parser", "~>3.20.2" spec.add_dependency "sexp_processor", "~> 4.7" spec.add_dependency "ruby2ruby", "~>2.4.0" - spec.add_dependency "safe_yaml", ">= 1.0" + spec.add_dependency "racc" end def self.extended_dependencies spec spec.add_dependency "terminal-table", "~>1.4" - spec.add_dependency "highline", ">=1.6.20", "<2.0" + spec.add_dependency "highline", "~>3.0" spec.add_dependency "erubis", "~>2.6" - spec.add_dependency "haml", ">=3.0", "<5.0" - spec.add_dependency "sass", "~>3.0", "<3.5.0" - spec.add_dependency "slim", ">=1.3.6", "<3.0.8" - spec.add_dependency "rexml", "~>3.2.6" + spec.add_dependency "haml", "~>5.1" + spec.add_dependency "slim", ">=1.3.6", "<=4.1" + spec.add_dependency "rexml", "~>3.0" end end end diff --git a/lib/brakeman/checks/check_basic_auth.rb b/lib/brakeman/checks/check_basic_auth.rb index b98247940..80c7c35e4 100644 --- a/lib/brakeman/checks/check_basic_auth.rb +++ b/lib/brakeman/checks/check_basic_auth.rb @@ -31,7 +31,8 @@ def check_basic_auth_filter :message => "Basic authentication password stored in source code", :code => call, :confidence => :high, - :file => controller.file + :file => controller.file, + :cwe => [259] break end end diff --git a/lib/brakeman/checks/check_basic_auth_timing_attack.rb b/lib/brakeman/checks/check_basic_auth_timing_attack.rb index 3c4b1286b..68ac8b289 100644 --- a/lib/brakeman/checks/check_basic_auth_timing_attack.rb +++ b/lib/brakeman/checks/check_basic_auth_timing_attack.rb 
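Review bot: `spec.add_dependency "racc"` is the only runtime dependency in the gem_common.rb hunk with no version constraint, while the neighbouring lines all use `~>`; an unconstrained gem lets any future major version resolve into the scanner's own dependency tree, so pin it to the range the parser was built against, e.g. `spec.add_dependency "racc", "~>MAJOR.MINOR"` (placeholder: use the tested range). The same hunk also drops `safe_yaml`, which presumably means the YAML loading call sites now use a safe loader directly; that change is not visible in this patch and is worth confirming before the dependency disappears. None of the gem_common.rb or .travis.yml changes relate to the stated subject of the commit, so splitting them into their own commit would make the CWE change reviewable on its own.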
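Review bot: `:cwe => [259]` in check_basic_auth.rb passes the CWE as a one-element array, whereas every other check in this patch passes a bare integer (`:cwe => 79`, `:cwe => 915`, …); check_basic_auth_timing_attack.rb on the next line of the patch has the same array form with `:cwe => [1254]`. Unless the warning.rb change listed in the diffstat (not shown here) normalizes both shapes, consumers of the warning hash will see mixed types under one key, which may break report serialisation and equality checks in tests. Use `:cwe => 259` and `:cwe => 1254`, or make the array form the convention everywhere. check_basic_auth_filter continues outside the hunk.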
@@ -27,7 +27,8 @@ def check_basic_auth_call :warning_code => :CVE_2015_7576, :message => "Basic authentication in Rails #{rails_version} is vulnerable to timing attacks. Upgrade to #@upgrade", :confidence => :high, - :link => "https://groups.google.com/d/msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ" + :link => "https://groups.google.com/d/msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ", + :cwe => [1254] end end end diff --git a/lib/brakeman/checks/check_content_tag.rb b/lib/brakeman/checks/check_content_tag.rb index 4a936737c..13266b616 100644 --- a/lib/brakeman/checks/check_content_tag.rb +++ b/lib/brakeman/checks/check_content_tag.rb @@ -106,7 +106,8 @@ def check_argument result, exp :message => message, :user_input => input, :confidence => :high, - :link_path => "content_tag" + :link_path => "content_tag", + :cwe => 79 elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(arg) unless IGNORE_MODEL_METHODS.include? match.method @@ -124,7 +125,8 @@ def check_argument result, exp :message => "Unescaped model attribute in content_tag", :user_input => match, :confidence => confidence, - :link_path => "content_tag" + :link_path => "content_tag", + :cwe => 79 end elsif @matched @@ -140,7 +142,8 @@ def check_argument result, exp :message => message, :user_input => @matched, :confidence => :medium, - :link_path => "content_tag" + :link_path => "content_tag", + :cwe => 79 end end diff --git a/lib/brakeman/checks/check_create_with.rb b/lib/brakeman/checks/check_create_with.rb index f24561974..6827a9a06 100644 --- a/lib/brakeman/checks/check_create_with.rb +++ b/lib/brakeman/checks/check_create_with.rb @@ -39,7 +39,8 @@ def process_result result :result => result, :message => @message, :confidence => confidence, - :link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ" + :link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ", + :cwe => 915 end end 
@@ -69,6 +70,7 @@ def generic_warning :message => @message, :gem_info => gemfile_or_environment, :confidence => :medium, - :link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ" + :link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ", + :cwe => 915 end end diff --git a/lib/brakeman/checks/check_cross_site_scripting.rb b/lib/brakeman/checks/check_cross_site_scripting.rb index fbbc89d43..333d3c9ba 100644 --- a/lib/brakeman/checks/check_cross_site_scripting.rb +++ b/lib/brakeman/checks/check_cross_site_scripting.rb @@ -77,7 +77,8 @@ def check_for_immediate_xss exp :warning_code => :cross_site_scripting, :message => message, :code => input.match, - :confidence => :high + :confidence => :high, + :cwe => 79 elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(out) method = if call? match @@ -111,7 +112,8 @@ def check_for_immediate_xss exp :message => message, :code => match, :confidence => confidence, - :link_path => link_path + :link_path => link_path, + :cwe => 79 end else @@ -195,7 +197,8 @@ def process_call exp :code => exp, :user_input => @matched, :confidence => confidence, - :link_path => link_path + :link_path => link_path, + :cwe => 79 end end diff --git a/lib/brakeman/checks/check_default_routes.rb b/lib/brakeman/checks/check_default_routes.rb index 2a7cc1e52..746793c46 100644 --- a/lib/brakeman/checks/check_default_routes.rb +++ b/lib/brakeman/checks/check_default_routes.rb @@ -23,6 +23,7 @@ def check_for_default_routes :line => tracker.routes[:allow_all_actions].line, :confidence => :high, :file => "#{tracker.app_path}/config/routes.rb" + :cwe => 22 end end @@ -45,6 +46,7 @@ def check_for_action_globs :line => actions[2], :confidence => :medium, :file => "#{tracker.app_path}/config/routes.rb" + :cwe => 22 end end end 
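Review bot: Both check_default_routes.rb hunks here (check_for_default_routes and check_for_action_globs) add `:cwe => 22` directly after the context line `:file => "#{tracker.app_path}/config/routes.rb"`, which has no trailing comma, so the `warn` argument list no longer parses; the third hunk in the same file (check_for_cve_2014_0130, on the next line of this patch) makes the opposite mistake and removes the comma from the `:file` line while leaving one after `:cwe => 22,`. The fix in the first two hunks is to change the context line to `:file => "#{tracker.app_path}/config/routes.rb",`, and in the third to keep `:file => "#{tracker.app_path}/config/routes.rb",` before `:cwe => 22,`. Since check files are presumably loaded when the scanner starts, this breaks every scan rather than only the default-routes warning; running the existing test suite would have caught it.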
@@ -76,7 +78,8 @@ def check_for_cve_2014_0130 :warning_code => :CVE_2014_0130, :message => "Rails #{rails_version} with globbing routes is vulnerable to directory traversal and remote code execution. Patch or upgrade to #{upgrade}", :confidence => confidence, - :file => "#{tracker.app_path}/config/routes.rb", + :file => "#{tracker.app_path}/config/routes.rb" + :cwe => 22, :link => "http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf" end diff --git a/lib/brakeman/checks/check_deserialize.rb b/lib/brakeman/checks/check_deserialize.rb index f0c1ff9a0..5bc946aba 100644 --- a/lib/brakeman/checks/check_deserialize.rb +++ b/lib/brakeman/checks/check_deserialize.rb @@ -50,7 +50,8 @@ def check_deserialize result, target, arg = nil :message => message, :user_input => input, :confidence => confidence, - :link_path => "unsafe_deserialization" + :link_path => "unsafe_deserialization", + :cwe => 502 end end end diff --git a/lib/brakeman/checks/check_detailed_exceptions.rb b/lib/brakeman/checks/check_detailed_exceptions.rb index f4ff6c058..750d70984 100644 --- a/lib/brakeman/checks/check_detailed_exceptions.rb +++ b/lib/brakeman/checks/check_detailed_exceptions.rb @@ -19,7 +19,8 @@ def check_local_request_config :warning_code => :local_request_config, :message => "Detailed exceptions are enabled in production", :confidence => :high, - :file => "config/environments/production.rb" + :file => "config/environments/production.rb", + :cwe => 200 end end @@ -42,7 +43,8 @@ def check_detailed_exceptions :message => "Detailed exceptions may be enabled in 'show_detailed_exceptions?'", :confidence => confidence, :code => src, - :file => definition[:file] + :file => definition[:file], + :cwe => 200 end end end diff --git a/lib/brakeman/checks/check_digest_dos.rb b/lib/brakeman/checks/check_digest_dos.rb index a4326165a..bb3b5aee8 100644 --- a/lib/brakeman/checks/check_digest_dos.rb +++ b/lib/brakeman/checks/check_digest_dos.rb 
@@ -29,7 +29,8 @@ def run_check :message => message, :confidence => confidence, :link_path => "https://groups.google.com/d/topic/rubyonrails-security/vxJjrc15qYM/discussion", - :gem_info => gemfile_or_environment + :gem_info => gemfile_or_environment, + :cwe => 287 end def with_http_digest? diff --git a/lib/brakeman/checks/check_divide_by_zero.rb b/lib/brakeman/checks/check_divide_by_zero.rb index 11d413d25..de9929530 100644 --- a/lib/brakeman/checks/check_divide_by_zero.rb +++ b/lib/brakeman/checks/check_divide_by_zero.rb @@ -36,7 +36,8 @@ def check_division result :warning_code => :divide_by_zero, :message => "Potential division by zero", :confidence => confidence, - :user_input => denominator + :user_input => denominator, + :cwe => 369 end end end diff --git a/lib/brakeman/checks/check_dynamic_finders.rb b/lib/brakeman/checks/check_dynamic_finders.rb index 9c0e89640..a804aa00d 100644 --- a/lib/brakeman/checks/check_dynamic_finders.rb +++ b/lib/brakeman/checks/check_dynamic_finders.rb @@ -27,7 +27,8 @@ def process_result result :warning_code => :sql_injection_dynamic_finder, :message => "MySQL integer conversion may cause 0 to match any string", :confidence => :medium, - :user_input => arg + :user_input => arg, + :cwe => 89 break end diff --git a/lib/brakeman/checks/check_escape_function.rb b/lib/brakeman/checks/check_escape_function.rb index d05b65d4b..ae45e8e39 100644 --- a/lib/brakeman/checks/check_escape_function.rb +++ b/lib/brakeman/checks/check_escape_function.rb 
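Review bot: `:cwe => 287` (Improper Authentication) is attached to the check_digest_dos.rb warning, but that warning describes a denial of service in digest authentication, not a bypass of it, so the tag misdescribes the weakness; CWE-400 (Uncontrolled Resource Consumption) is the weakness entry for that. The other DoS checks in this patch (check_mime_type_dos.rb and check_route_dos.rb) use `:cwe => 399`, which is a MITRE category rather than a weakness and is discouraged for mapping; `:cwe => 400` in all three would be both accurate and consistent. run_check starts outside the hunk.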
@@ -8,14 +8,15 @@ class Brakeman::CheckEscapeFunction < Brakeman::BaseCheck @description = "Checks for versions before 2.3.14 which have a vulnerable escape method" def run_check - if version_between?('2.0.0', '2.3.13') and RUBY_VERSION < '1.9.0' + if version_between?('2.0.0', '2.3.13') and RUBY_VERSION < '1.9.0' warn :warning_type => 'Cross-Site Scripting', :warning_code => :CVE_2011_2932, :message => 'Versions before 2.3.14 have a vulnerability in escape method when used with Ruby 1.8: CVE-2011-2932', :confidence => :high, :gem_info => gemfile_or_environment, - :link_path => "https://groups.google.com/d/topic/rubyonrails-security/Vr_7WSOrEZU/discussion" + :link_path => "https://groups.google.com/d/topic/rubyonrails-security/Vr_7WSOrEZU/discussion", + :cwe => 79 end end end diff --git a/lib/brakeman/checks/check_evaluation.rb b/lib/brakeman/checks/check_evaluation.rb index 4394d8cdb..c877554d0 100644 --- a/lib/brakeman/checks/check_evaluation.rb +++ b/lib/brakeman/checks/check_evaluation.rb @@ -29,7 +29,8 @@ def process_result result :message => "User input in eval", :code => result[:call], :user_input => input, - :confidence => :high + :confidence => :high, + :cwe => 95 end end end diff --git a/lib/brakeman/checks/check_execute.rb b/lib/brakeman/checks/check_execute.rb index 7db030333..ae1b3b90e 100644 --- a/lib/brakeman/checks/check_execute.rb +++ b/lib/brakeman/checks/check_execute.rb @@ -72,7 +72,8 @@ def process_result result :message => "Possible command injection", :code => call, :user_input => failure, - :confidence => confidence + :confidence => confidence, + :cwe => 77 end end @@ -84,7 +85,8 @@ def check_open_calls :warning_code => :command_injection, :message => "Possible command injection in open()", :user_input => match, - :confidence => :high + :confidence => :high, + :cwe => 77 end end end 
@@ -129,7 +131,8 @@ def process_backticks result :message => "Possible command injection", :code => exp, :user_input => input, - :confidence => confidence + :confidence => confidence, + :cwe => 77 end # This method expects a :dstr or :evstr node diff --git a/lib/brakeman/checks/check_file_access.rb b/lib/brakeman/checks/check_file_access.rb index 6c0b3590c..1ffa62bbd 100644 --- a/lib/brakeman/checks/check_file_access.rb +++ b/lib/brakeman/checks/check_file_access.rb @@ -57,7 +57,8 @@ def process_result result :message => message, :confidence => confidence, :code => call, - :user_input => match + :user_input => match, + :cwe => 22 end end diff --git a/lib/brakeman/checks/check_file_disclosure.rb b/lib/brakeman/checks/check_file_disclosure.rb index 0c86bfe51..52f3e2263 100644 --- a/lib/brakeman/checks/check_file_disclosure.rb +++ b/lib/brakeman/checks/check_file_disclosure.rb @@ -25,7 +25,8 @@ def run_check :message => "Rails #{rails_version} has a file existence disclosure. Upgrade to #{fix_version} or disable serving static assets", :confidence => :high, :gem_info => gemfile_or_environment, - :link_path => "https://groups.google.com/d/msg/rubyonrails-security/23fiuwb1NBA/MQVM1-5GkPMJ" + :link_path => "https://groups.google.com/d/msg/rubyonrails-security/23fiuwb1NBA/MQVM1-5GkPMJ", + :cwe => 22 end end diff --git a/lib/brakeman/checks/check_filter_skipping.rb b/lib/brakeman/checks/check_filter_skipping.rb index b2c797c2e..3b896b5d3 100644 --- a/lib/brakeman/checks/check_filter_skipping.rb +++ b/lib/brakeman/checks/check_filter_skipping.rb @@ -15,7 +15,8 @@ def run_check :message => "Versions before 3.0.10 have a vulnerability which allows filters to be bypassed: CVE-2011-2929", :confidence => :high, :gem_info => gemfile_or_environment, - :link_path => "https://groups.google.com/d/topic/rubyonrails-security/NCCsca7TEtY/discussion" + :link_path => "https://groups.google.com/d/topic/rubyonrails-security/NCCsca7TEtY/discussion", + :cwe => 20 end end 
diff --git a/lib/brakeman/checks/check_forgery_setting.rb b/lib/brakeman/checks/check_forgery_setting.rb index 426ec944e..69ae6c43c 100644 --- a/lib/brakeman/checks/check_forgery_setting.rb +++ b/lib/brakeman/checks/check_forgery_setting.rb @@ -52,7 +52,8 @@ def csrf_warning opts opts = { :controller => :ApplicationController, :warning_type => "Cross-Site Request Forgery", - :confidence => :high + :confidence => :high, + :cwe => 352 }.merge opts warn opts @@ -76,6 +77,7 @@ def check_cve_2011_0447 :message => "CSRF protection is flawed in unpatched versions of Rails #{rails_version} (CVE-2011-0447). Upgrade to #{new_version} or apply patches as needed", :gem_info => gemfile_or_environment, :file => nil, - :link_path => "https://groups.google.com/d/topic/rubyonrails-security/LZWjzCPgNmU/discussion" + :link_path => "https://groups.google.com/d/topic/rubyonrails-security/LZWjzCPgNmU/discussion", + :cwe => 352 end end diff --git a/lib/brakeman/checks/check_header_dos.rb b/lib/brakeman/checks/check_header_dos.rb index 83bc1e512..4692c517a 100644 --- a/lib/brakeman/checks/check_header_dos.rb +++ b/lib/brakeman/checks/check_header_dos.rb @@ -20,7 +20,8 @@ def run_check :message => message, :confidence => :medium, :gem_info => gemfile_or_environment, - :link_path => "https://groups.google.com/d/msg/ruby-security-ann/A-ebV4WxzKg/KNPTbX8XAQUJ" + :link_path => "https://groups.google.com/d/msg/ruby-security-ann/A-ebV4WxzKg/KNPTbX8XAQUJ", + :cwe => 20 end end diff --git a/lib/brakeman/checks/check_i18n_xss.rb b/lib/brakeman/checks/check_i18n_xss.rb index 63418bb1b..91990621e 100644 --- a/lib/brakeman/checks/check_i18n_xss.rb +++ b/lib/brakeman/checks/check_i18n_xss.rb 
@@ -23,7 +23,8 @@ def run_check :message => message, :confidence => :medium, :gem_info => gemfile_or_environment(:i18n), - :link_path => "https://groups.google.com/d/msg/ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ" + :link_path => "https://groups.google.com/d/msg/ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ", + :cwe => 79 end end diff --git a/lib/brakeman/checks/check_jruby_xml.rb b/lib/brakeman/checks/check_jruby_xml.rb index 7e3f2ccfd..abbd0681d 100644 --- a/lib/brakeman/checks/check_jruby_xml.rb +++ b/lib/brakeman/checks/check_jruby_xml.rb @@ -31,6 +31,7 @@ def run_check :message => "Rails #{rails_version} with JRuby has a vulnerability in XML parser: upgrade to #{fix_version} or patch", :confidence => :high, :gem_info => gemfile_or_environment, - :link => "https://groups.google.com/d/msg/rubyonrails-security/KZwsQbYsOiI/5kUV7dSCJGwJ" + :link => "https://groups.google.com/d/msg/rubyonrails-security/KZwsQbYsOiI/5kUV7dSCJGwJ", + :cwe => 20 end end diff --git a/lib/brakeman/checks/check_json_encoding.rb b/lib/brakeman/checks/check_json_encoding.rb index 91d49f71e..66e5a663c 100644 --- a/lib/brakeman/checks/check_json_encoding.rb +++ b/lib/brakeman/checks/check_json_encoding.rb @@ -26,7 +26,8 @@ def run_check :message => message, :confidence => confidence, :gem_info => gemfile_or_environment, - :link_path => "https://groups.google.com/d/msg/rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ" + :link_path => "https://groups.google.com/d/msg/rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ", + :cwe => 79 end end diff --git a/lib/brakeman/checks/check_json_parsing.rb b/lib/brakeman/checks/check_json_parsing.rb index 244a65a2b..e50ae56a0 100644 --- a/lib/brakeman/checks/check_json_parsing.rb +++ b/lib/brakeman/checks/check_json_parsing.rb 
@@ -32,7 +32,8 @@ def check_cve_2013_0333 :message => message, :confidence => :high, :gem_info => gem_info, - :link_path => "https://groups.google.com/d/topic/rubyonrails-security/1h2DR63ViGo/discussion" + :link_path => "https://groups.google.com/d/topic/rubyonrails-security/1h2DR63ViGo/discussion", + :cwe => 74 end end @@ -96,7 +97,8 @@ def check_json_version name, version :message => message, :confidence => confidence, :gem_info => gemfile_or_environment(name), - :link => "https://groups.google.com/d/topic/rubyonrails-security/4_YvCpLzL58/discussion" + :link => "https://groups.google.com/d/topic/rubyonrails-security/4_YvCpLzL58/discussion", + :cwe => 74 end def uses_json_parse? diff --git a/lib/brakeman/checks/check_link_to.rb b/lib/brakeman/checks/check_link_to.rb index 82a305639..8561f4f8c 100644 --- a/lib/brakeman/checks/check_link_to.rb +++ b/lib/brakeman/checks/check_link_to.rb @@ -105,7 +105,8 @@ def warn_xss(result, message, user_input, confidence) :message => message, :user_input => user_input, :confidence => confidence, - :link_path => "link_to" + :link_path => "link_to", + :cwe => 79 true end diff --git a/lib/brakeman/checks/check_link_to_href.rb b/lib/brakeman/checks/check_link_to_href.rb index aab28f2e2..f3f626925 100644 --- a/lib/brakeman/checks/check_link_to_href.rb +++ b/lib/brakeman/checks/check_link_to_href.rb @@ -53,7 +53,8 @@ def process_result result :message => message, :user_input => input, :confidence => :high, - :link_path => "link_to_href" + :link_path => "link_to_href", + :cwe => 79 end elsif not tracker.options[:ignore_model_output] and input = has_immediate_model?(url_arg) return if ignore_model_call? url_arg, input or duplicate? result @@ -67,7 +68,8 @@ def process_result result :message => message, :user_input => input, :confidence => :weak, - :link_path => "link_to_href" + :link_path => "link_to_href", + :cwe => 79 end end 
diff --git a/lib/brakeman/checks/check_mail_to.rb b/lib/brakeman/checks/check_mail_to.rb index df9e3653e..cff246033 100644 --- a/lib/brakeman/checks/check_mail_to.rb +++ b/lib/brakeman/checks/check_mail_to.rb @@ -25,7 +25,8 @@ def run_check :message => message, :confidence => :high, :gem_info => gemfile_or_environment, - :link_path => "https://groups.google.com/d/topic/rubyonrails-security/8CpI7egxX4E/discussion" + :link_path => "https://groups.google.com/d/topic/rubyonrails-security/8CpI7egxX4E/discussion", + :cwe => 79 end end diff --git a/lib/brakeman/checks/check_mass_assignment.rb b/lib/brakeman/checks/check_mass_assignment.rb index 63e3d1f7b..263bd161e 100644 --- a/lib/brakeman/checks/check_mass_assignment.rb +++ b/lib/brakeman/checks/check_mass_assignment.rb @@ -100,7 +100,8 @@ def process_result res :message => "Unprotected mass assignment", :code => call, :user_input => input, - :confidence => confidence + :confidence => confidence, + :cwe => 915 end res @@ -191,6 +192,7 @@ def warn_on_permit! result :warning_type => "Mass Assignment", :warning_code => :mass_assign_permit!, :message => "Parameters should be whitelisted for mass assignment", - :confidence => confidence + :confidence => confidence, + :cwe => 915 end end diff --git a/lib/brakeman/checks/check_mime_type_dos.rb b/lib/brakeman/checks/check_mime_type_dos.rb index bc9e96f3b..617b9aae6 100644 --- a/lib/brakeman/checks/check_mime_type_dos.rb +++ b/lib/brakeman/checks/check_mime_type_dos.rb @@ -26,7 +26,8 @@ def run_check :message => message, :confidence => :medium, :gem_info => gemfile_or_environment, - :link_path => "https://groups.google.com/d/msg/rubyonrails-security/9oLY_FCzvoc/w9oI9XxbFQAJ" + :link_path => "https://groups.google.com/d/msg/rubyonrails-security/9oLY_FCzvoc/w9oI9XxbFQAJ", + :cwe => 399 end def has_workaround? diff --git a/lib/brakeman/checks/check_model_attr_accessible.rb b/lib/brakeman/checks/check_model_attr_accessible.rb index 01207603d..0ffea4527 100644 
--- a/lib/brakeman/checks/check_model_attr_accessible.rb +++ b/lib/brakeman/checks/check_model_attr_accessible.rb @@ -31,7 +31,8 @@ def run_check :warning_code => :dangerous_attr_accessible, :message => "Potentially dangerous attribute available for mass assignment", :confidence => confidence, - :code => Sexp.new(:lit, attribute) + :code => Sexp.new(:lit, attribute), + :cwe => 915 break # Prevent from matching single attr multiple times end end diff --git a/lib/brakeman/checks/check_model_attributes.rb b/lib/brakeman/checks/check_model_attributes.rb index 8315637bf..3832fa51d 100644 --- a/lib/brakeman/checks/check_model_attributes.rb +++ b/lib/brakeman/checks/check_model_attributes.rb @@ -31,7 +31,8 @@ def run_check :warning_type => "Attribute Restriction", :warning_code => :no_attr_accessible, :message => "Mass assignment is not restricted using attr_accessible", - :confidence => :high + :confidence => :high, + :cwe => 915 end unless protected_names.empty? @@ -48,7 +49,8 @@ def run_check :warning_code => warning_code, :message => message, :confidence => confidence, - :link => link + :link => link, + :cwe => 915 end else #Output one warning per model diff --git a/lib/brakeman/checks/check_model_serialize.rb b/lib/brakeman/checks/check_model_serialize.rb index d4592ea6d..25843a663 100644 --- a/lib/brakeman/checks/check_model_serialize.rb +++ b/lib/brakeman/checks/check_model_serialize.rb @@ -61,7 +61,8 @@ def check_for_serialize model :confidence => confidence, :link => "https://groups.google.com/d/topic/rubyonrails-security/KtmwSbEpzrU/discussion", :file => model.file, - :line => model.top_line + :line => model.top_line, + :cwe => 502 end end end diff --git a/lib/brakeman/checks/check_nested_attributes.rb b/lib/brakeman/checks/check_nested_attributes.rb index d2c9faf25..d91d7f084 100644 --- a/lib/brakeman/checks/check_nested_attributes.rb +++ b/lib/brakeman/checks/check_nested_attributes.rb 
@@ -24,7 +24,8 @@ def run_check :message => message, :confidence => :high, :gem_info => gemfile_or_environment, - :link_path => "https://groups.google.com/d/topic/rubyonrails-security/-fkT0yja_gw/discussion" + :link_path => "https://groups.google.com/d/topic/rubyonrails-security/-fkT0yja_gw/discussion", + :cwe => 20 end end diff --git a/lib/brakeman/checks/check_nested_attributes_bypass.rb b/lib/brakeman/checks/check_nested_attributes_bypass.rb index 6bffa22c7..dfcdf7f03 100644 --- a/lib/brakeman/checks/check_nested_attributes_bypass.rb +++ b/lib/brakeman/checks/check_nested_attributes_bypass.rb @@ -39,7 +39,8 @@ def warn_about_nested_attributes name, model, args :file => model.file, :line => args.line, :confidence => :medium, - :link_path => "https://groups.google.com/d/msg/rubyonrails-security/cawsWcQ6c8g/tegZtYdbFQAJ" + :link_path => "https://groups.google.com/d/msg/rubyonrails-security/cawsWcQ6c8g/tegZtYdbFQAJ", + :cwe => 284 end def allow_destroy? arg diff --git a/lib/brakeman/checks/check_number_to_currency.rb b/lib/brakeman/checks/check_number_to_currency.rb index c79922b47..4479a5411 100644 --- a/lib/brakeman/checks/check_number_to_currency.rb +++ b/lib/brakeman/checks/check_number_to_currency.rb @@ -36,7 +36,8 @@ def generic_warning :message => message, :confidence => :medium, :gem_info => gemfile_or_environment, - :link_path => "https://groups.google.com/d/msg/ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ" + :link_path => "https://groups.google.com/d/msg/ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ", + :cwe => 79 end def check_number_helper_usage @@ -69,6 +70,7 @@ def warn_on_number_helper result, match :message => "Format options in #{result[:call].method} are not safe in Rails #{rails_version}", :confidence => :high, :link_path => "https://groups.google.com/d/msg/ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ", - :user_input => match + :user_input => match, + :cwe => 79 end end 
diff --git a/lib/brakeman/checks/check_permit_attributes.rb b/lib/brakeman/checks/check_permit_attributes.rb index e055a4165..087491eba 100644 --- a/lib/brakeman/checks/check_permit_attributes.rb +++ b/lib/brakeman/checks/check_permit_attributes.rb @@ -38,6 +38,7 @@ def warn_on_permit_key result, key, confidence = nil :warning_code => :dangerous_permit_key, :message => "Potentially dangerous key allowed for mass assignment", :confidence => (confidence || SUSPICIOUS_KEYS[key.value]), - :user_input => key + :user_input => key, + :cwe => 915 end end diff --git a/lib/brakeman/checks/check_quote_table_name.rb b/lib/brakeman/checks/check_quote_table_name.rb index 61c4f066a..6a7c70087 100644 --- a/lib/brakeman/checks/check_quote_table_name.rb +++ b/lib/brakeman/checks/check_quote_table_name.rb @@ -8,7 +8,7 @@ class Brakeman::CheckQuoteTableName < Brakeman::BaseCheck @description = "Checks for quote_table_name vulnerability in versions before 2.3.14 and 3.0.10" def run_check - if (version_between?('2.0.0', '2.3.13') or + if (version_between?('2.0.0', '2.3.13') or version_between?('3.0.0', '3.0.9')) if uses_quote_table_name? @@ -28,7 +28,8 @@ def run_check :message => message, :confidence => confidence, :gem_info => gemfile_or_environment, - :link_path => "https://groups.google.com/d/topic/rubyonrails-security/ah5HN0S8OJs/discussion" + :link_path => "https://groups.google.com/d/topic/rubyonrails-security/ah5HN0S8OJs/discussion", + :cwe => 89 end end diff --git a/lib/brakeman/checks/check_redirect.rb b/lib/brakeman/checks/check_redirect.rb index 0852a9c1e..7a6a6697a 100644 --- a/lib/brakeman/checks/check_redirect.rb +++ b/lib/brakeman/checks/check_redirect.rb @@ -55,7 +55,8 @@ def process_result result :message => "Possible unprotected redirect", :code => call, :user_input => res, - :confidence => confidence + :confidence => confidence, + :cwe => 601 end end 
@@ -203,7 +204,7 @@ def model_target? exp def friendly_model? exp call? exp and model_name? exp.target and exp.method == :friendly end - + #Returns true if exp is (probably) a decorated model instance #using the Draper gem def decorated_model? exp @@ -244,7 +245,7 @@ def safe_permit? exp if call? exp and params? exp.target and exp.method == :permit exp.each_arg do |opt| if symbol? opt and DANGEROUS_KEYS.include? opt.value - return false + return false end end diff --git a/lib/brakeman/checks/check_regex_dos.rb b/lib/brakeman/checks/check_regex_dos.rb index 29bb1da5d..7c045bce5 100644 --- a/lib/brakeman/checks/check_regex_dos.rb +++ b/lib/brakeman/checks/check_regex_dos.rb @@ -51,7 +51,8 @@ def process_result result :warning_code => :regex_dos, :message => message, :confidence => confidence, - :user_input => match + :user_input => match, + :cwe => 185 end end end diff --git a/lib/brakeman/checks/check_render.rb b/lib/brakeman/checks/check_render.rb index 7ae1f194a..7aecd033e 100644 --- a/lib/brakeman/checks/check_render.rb +++ b/lib/brakeman/checks/check_render.rb @@ -56,7 +56,8 @@ def check_for_dynamic_path result :warning_code => :dynamic_render_path, :message => message, :user_input => input, - :confidence => confidence + :confidence => confidence, + :cwe => 22 end end @@ -77,7 +78,8 @@ def check_for_rce result :warning_code => :dynamic_render_path_rce, :message => "Passing query parameters to render() is vulnerable in Rails #{rails_version} (CVE-2016-0752)", :user_input => view, - :confidence => :high + :confidence => :high, + :cwe => 22 end end end @@ -94,4 +96,4 @@ def safe_param? exp end end end -end +end diff --git a/lib/brakeman/checks/check_render_dos.rb b/lib/brakeman/checks/check_render_dos.rb index 74f8d14af..f276c8bdc 100644 --- a/lib/brakeman/checks/check_render_dos.rb +++ b/lib/brakeman/checks/check_render_dos.rb 
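Review bot: `:cwe => 185` tags the check_regex_dos.rb warning as CWE-185 (Incorrect Regular Expression), which describes a pattern that matches the wrong input rather than one whose evaluation time explodes under backtracking; the entry for that is CWE-1333 (Inefficient Regular Expression Complexity), so `:cwe => 1333` is the closer match. process_result starts outside the hunk.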
@@ -32,6 +32,7 @@ def warn_about_text_render :message => message, :confidence => :high, :link_path => "https://groups.google.com/d/msg/rubyonrails-security/LMxO_3_eCuc/ozGBEhKaJbIJ", - :gem_info => gemfile_or_environment + :gem_info => gemfile_or_environment, + :cwe => 20 end end diff --git a/lib/brakeman/checks/check_render_inline.rb b/lib/brakeman/checks/check_render_inline.rb index 0e5393004..06b854b71 100644 --- a/lib/brakeman/checks/check_render_inline.rb +++ b/lib/brakeman/checks/check_render_inline.rb @@ -28,14 +28,16 @@ def check_render result :warning_code => :cross_site_scripting_inline, :message => "Unescaped #{friendly_type_of input} rendered inline", :user_input => input, - :confidence => :high + :confidence => :high, + :cwe => 79 elsif input = has_immediate_model?(render_value) warn :result => result, :warning_type => "Cross-Site Scripting", :warning_code => :cross_site_scripting_inline, :message => "Unescaped model attribute rendered inline", :user_input => input, - :confidence => :medium + :confidence => :medium, + :cwe => 79 end end end diff --git a/lib/brakeman/checks/check_response_splitting.rb b/lib/brakeman/checks/check_response_splitting.rb index 6fda456c4..09c18b0c8 100644 --- a/lib/brakeman/checks/check_response_splitting.rb +++ b/lib/brakeman/checks/check_response_splitting.rb @@ -15,7 +15,8 @@ def run_check :message => "Versions before 2.3.14 have a vulnerability content type handling allowing injection of headers: CVE-2011-3186", :confidence => :medium, :gem_info => gemfile_or_environment, - :link_path => "https://groups.google.com/d/topic/rubyonrails-security/b_yTveAph2g/discussion" + :link_path => "https://groups.google.com/d/topic/rubyonrails-security/b_yTveAph2g/discussion", + :cwe => 94 end end end diff --git a/lib/brakeman/checks/check_route_dos.rb b/lib/brakeman/checks/check_route_dos.rb index 4db305d98..606e364b3 100644 --- a/lib/brakeman/checks/check_route_dos.rb +++ b/lib/brakeman/checks/check_route_dos.rb 
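Review bot: CWE-94 (Code Injection) does not describe the warning in check_response_splitting.rb, whose own message says the flaw is "injection of headers" via content-type handling. The weakness for that is CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers, i.e. response splitting), so the added line should read `:cwe => 113`. The start of run_check lies outside the hunk.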
@@ -23,7 +23,8 @@ def run_check :message => message, :confidence => :medium, :gem_info => gemfile_or_environment, - :link_path => "https://groups.google.com/d/msg/rubyonrails-security/dthJ5wL69JE/YzPnFelbFQAJ" + :link_path => "https://groups.google.com/d/msg/rubyonrails-security/dthJ5wL69JE/YzPnFelbFQAJ", + :cwe => 399 end end diff --git a/lib/brakeman/checks/check_safe_buffer_manipulation.rb b/lib/brakeman/checks/check_safe_buffer_manipulation.rb index 63bf9a755..405627209 100644 --- a/lib/brakeman/checks/check_safe_buffer_manipulation.rb +++ b/lib/brakeman/checks/check_safe_buffer_manipulation.rb @@ -23,9 +23,10 @@ def run_check message = "Rails #{rails_version} has a vulnerabilty in SafeBuffer. Upgrade to #{suggested_version} or apply patches." warn :warning_type => "Cross-Site Scripting", - :warning_code => :safe_buffer_vuln, + :warning_code => :safe_buffer_vuln, :message => message, :confidence => :medium, - :gem_info => gemfile_or_environment + :gem_info => gemfile_or_environment, + :cwe => 79 end end diff --git a/lib/brakeman/checks/check_sanitize_methods.rb b/lib/brakeman/checks/check_sanitize_methods.rb index cb8162a98..949e0a7e2 100644 --- a/lib/brakeman/checks/check_sanitize_methods.rb +++ b/lib/brakeman/checks/check_sanitize_methods.rb @@ -51,7 +51,8 @@ def check_for_cve method, code, link :warning_code => code, :message => message, :confidence => :high, - :link_path => link + :link_path => link, + :cwe => 79 end end @@ -83,7 +84,8 @@ def check_cve_2018_8048 :message => message, :gem_info => gemfile_or_environment(:loofah), :confidence => confidence, - :link_path => "https://github.com/flavorjones/loofah/issues/144" + :link_path => "https://github.com/flavorjones/loofah/issues/144", + :cwe => 79 end end @@ -107,6 +109,7 @@ def warn_sanitizer_cve cve, link, upgrade_version :message => message, :gem_info => gemfile_or_environment(:'rails-html-sanitizer'), :confidence => confidence, - :link_path => link + :link_path => link, + :cwe => 79 end end 
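Review bot: CWE-399 in check_route_dos.rb is a category entry (Resource Management Errors) rather than a weakness, and consumers that key on CWE ids (SARIF/SAST dashboards) usually expect a base or class weakness. CWE-400 (Uncontrolled Resource Consumption) is the id that describes a routing denial-of-service, so `:cwe => 400` would be more useful downstream. run_check's opening is outside the hunk, so I am going by the warning message and link in the context lines.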
diff --git a/lib/brakeman/checks/check_secrets.rb b/lib/brakeman/checks/check_secrets.rb
index 1e796e0da..70d4cece1 100644
--- a/lib/brakeman/checks/check_secrets.rb
+++ b/lib/brakeman/checks/check_secrets.rb
@@ -27,7 +27,8 @@ def check_constants
 :message => "Hardcoded value for #{name} in source code",
 :confidence => :medium,
 :file => constant.file,
- :line => constant.line
+ :line => constant.line,
+ :cwe => 798
 end
 end
 end
diff --git a/lib/brakeman/checks/check_select_tag.rb b/lib/brakeman/checks/check_select_tag.rb
index 96385e099..eb546b9bb 100644
--- a/lib/brakeman/checks/check_select_tag.rb
+++ b/lib/brakeman/checks/check_select_tag.rb
@@ -52,7 +52,8 @@ def process_result result
 :message => @message,
 :confidence => :high,
 :user_input => input,
- :link_path => "https://groups.google.com/d/topic/rubyonrails-security/fV3QUToSMSw/discussion"
+ :link_path => "https://groups.google.com/d/topic/rubyonrails-security/fV3QUToSMSw/discussion",
+ :cwe => 79
 end
 end
 end
diff --git a/lib/brakeman/checks/check_select_vulnerability.rb b/lib/brakeman/checks/check_select_vulnerability.rb
index 05ac3308a..259635476 100644
--- a/lib/brakeman/checks/check_select_vulnerability.rb
+++ b/lib/brakeman/checks/check_select_vulnerability.rb
@@ -54,7 +54,8 @@ def process_result result
 :warning_code => :select_options_vuln,
 :result => result,
 :message => @message,
- :confidence => confidence
+ :confidence => confidence,
+ :cwe => 79
 end
 end
 end
diff --git a/lib/brakeman/checks/check_send.rb b/lib/brakeman/checks/check_send.rb
index 4b5a9ecf9..bade14f2f 100644
--- a/lib/brakeman/checks/check_send.rb
+++ b/lib/brakeman/checks/check_send.rb
@@ -30,7 +30,8 @@ def process_result result
 :message => "User controlled method execution",
 :code => result[:call],
 :user_input => input,
- :confidence => :high
+ :confidence => :high,
+ :cwe => 77
 end
 end
diff --git a/lib/brakeman/checks/check_session_manipulation.rb b/lib/brakeman/checks/check_session_manipulation.rb
index 8e2aaf024..a050f047c 100644
--- a/lib/brakeman/checks/check_session_manipulation.rb +++ b/lib/brakeman/checks/check_session_manipulation.rb @@ -29,7 +29,8 @@ def process_result result :message => "#{friendly_type_of(input).capitalize} used as key in session hash", :code => result[:call], :user_input => input, - :confidence => confidence + :confidence => confidence, + :cwe => 20 end end end diff --git a/lib/brakeman/checks/check_session_settings.rb b/lib/brakeman/checks/check_session_settings.rb index 97a50f1b9..82da0fabe 100644 --- a/lib/brakeman/checks/check_session_settings.rb +++ b/lib/brakeman/checks/check_session_settings.rb @@ -17,7 +17,7 @@ def initialize *args end def run_check - settings = tracker.config.session_settings + settings = tracker.config.session_settings check_for_issues settings, @app_tree.expand_path("config/environment.rb") @@ -139,7 +139,8 @@ def warn_about_http_only line, file :message => "Session cookies should be set to HTTP only", :confidence => :high, :line => line, - :file => file + :file => file, + :cwe => 1004 end @@ -149,7 +150,8 @@ def warn_about_secret_token line, file :message => "Session secret should not be included in version control", :confidence => :high, :line => line, - :file => file + :file => file, + :cwe => 798 end def warn_about_secure_only line, file @@ -158,7 +160,8 @@ def warn_about_secure_only line, file :message => "Session cookie should be set to secure only", :confidence => :high, :line => line, - :file => file + :file => file, + :cwe => 614 end def ignored? file diff --git a/lib/brakeman/checks/check_simple_format.rb b/lib/brakeman/checks/check_simple_format.rb index de20ecfe0..dd11a1290 100644 --- a/lib/brakeman/checks/check_simple_format.rb +++ b/lib/brakeman/checks/check_simple_format.rb 
@@ -23,7 +23,8 @@ def generic_warning :message => message, :confidence => :medium, :gem_info => gemfile_or_environment, - :link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ" + :link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ", + :cwe => 79 end def check_simple_format_usage @@ -53,6 +54,7 @@ def warn_on_simple_format result, match :message => "Values passed to simple_format are not safe in Rails #{rails_version}", :confidence => :high, :link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ", - :user_input => match + :user_input => match, + :cwe => 79 end end diff --git a/lib/brakeman/checks/check_single_quotes.rb b/lib/brakeman/checks/check_single_quotes.rb index 20987c4e8..46f55ffc9 100644 --- a/lib/brakeman/checks/check_single_quotes.rb +++ b/lib/brakeman/checks/check_single_quotes.rb @@ -34,7 +34,8 @@ def run_check :message => message, :confidence => :medium, :gem_info => gemfile_or_environment, - :link_path => "https://groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion" + :link_path => "https://groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion", + :cwe => 79 end #Process initializers to see if they use workaround diff --git a/lib/brakeman/checks/check_skip_before_filter.rb b/lib/brakeman/checks/check_skip_before_filter.rb index 9aa465baa..f837ab87f 100644 --- a/lib/brakeman/checks/check_skip_before_filter.rb +++ b/lib/brakeman/checks/check_skip_before_filter.rb @@ -29,7 +29,8 @@ def process_skip_filter filter, controller :message => "Use whitelist (:only => [..]) when skipping CSRF check", :code => filter, :confidence => :medium, - :file => controller.file + :file => controller.file, + :cwe => 352 when :login_required, :authenticate_user!, :require_user warn :controller => controller.name, 
@@ -39,7 +40,8 @@ def process_skip_filter filter, controller :code => filter, :confidence => :medium, :link => "authentication_whitelist", - :file => controller.file + :file => controller.file, + :cwe => 287 end end diff --git a/lib/brakeman/checks/check_sql.rb b/lib/brakeman/checks/check_sql.rb index b19d8d1b3..d05806c32 100644 --- a/lib/brakeman/checks/check_sql.rb +++ b/lib/brakeman/checks/check_sql.rb @@ -234,7 +234,8 @@ def process_result result :warning_code => :sql_injection, :message => "Possible SQL injection", :user_input => user_input, - :confidence => confidence + :confidence => confidence, + :cwe => 89 end if check_for_limit_or_offset_vulnerability call.last_arg @@ -248,7 +249,8 @@ def process_result result :warning_type => "SQL Injection", :warning_code => :sql_injection_limit_offset, :message => "Upgrade to Rails >= 2.1.2 to escape :limit and :offset. Possible SQL injection", - :confidence => confidence + :confidence => confidence, + :cwe => 89 end end diff --git a/lib/brakeman/checks/check_sql_cves.rb b/lib/brakeman/checks/check_sql_cves.rb index b8d03bde9..3ff8df939 100644 --- a/lib/brakeman/checks/check_sql_cves.rb +++ b/lib/brakeman/checks/check_sql_cves.rb @@ -81,7 +81,8 @@ def cve_warning_for versions, cve, link :message => "Rails #{rails_version} contains a SQL injection vulnerability (#{cve}). Upgrade to #{upgrade_version}", :confidence => :high, :gem_info => gemfile_or_environment, - :link_path => link + :link_path => link, + :cwe => 89 end def upgrade_version? versions @@ -101,6 +102,7 @@ def check_cve_2014_0080 :message => "Rails #{rails_version} contains a SQL injection vulnerability (CVE-2014-0080) with PostgreSQL. Upgrade to 4.0.3", :confidence => :high, :gem_info => gemfile_or_environment(:pg), - :link_path => "https://groups.google.com/d/msg/rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ" + :link_path => "https://groups.google.com/d/msg/rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ", + :cwe => 89 end end 
diff --git a/lib/brakeman/checks/check_ssl_verify.rb b/lib/brakeman/checks/check_ssl_verify.rb
index 0c6a169be..2feedad68 100644
--- a/lib/brakeman/checks/check_ssl_verify.rb
+++ b/lib/brakeman/checks/check_ssl_verify.rb
@@ -43,6 +43,7 @@ def warn_about_ssl_verification_bypass result
 :warning_type => "SSL Verification Bypass",
 :warning_code => :ssl_verification_bypass,
 :message => "SSL certificate verification was bypassed",
- :confidence => :high
+ :confidence => :high,
+ :cwe => 295
 end
 end
diff --git a/lib/brakeman/checks/check_strip_tags.rb b/lib/brakeman/checks/check_strip_tags.rb
index d0de9f7f2..4c54dec83 100644
--- a/lib/brakeman/checks/check_strip_tags.rb
+++ b/lib/brakeman/checks/check_strip_tags.rb
@@ -35,7 +35,8 @@ def cve_2011_2931
 :message => message,
 :gem_info => gemfile_or_environment,
 :confidence => :high,
- :link_path => "https://groups.google.com/d/topic/rubyonrails-security/K5EwdJt06hI/discussion"
+ :link_path => "https://groups.google.com/d/topic/rubyonrails-security/K5EwdJt06hI/discussion",
+ :cwe => 79
 end
 end
@@ -58,7 +59,8 @@ def cve_2012_3465
 :message => message,
 :confidence => :high,
 :gem_info => gemfile_or_environment,
- :link_path => "https://groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion"
+ :link_path => "https://groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion",
+ :cwe => 79
 end
 def cve_2015_7579
@@ -76,7 +78,8 @@ def cve_2015_7579
 :message => message,
 :confidence => confidence,
 :gem_info => gemfile_or_environment,
- :link_path => "https://groups.google.com/d/msg/rubyonrails-security/OU9ugTZcbjc/PjEP46pbFQAJ"
+ :link_path => "https://groups.google.com/d/msg/rubyonrails-security/OU9ugTZcbjc/PjEP46pbFQAJ",
+ :cwe => 79
 end
 end
diff --git a/lib/brakeman/checks/check_symbol_dos.rb b/lib/brakeman/checks/check_symbol_dos.rb
index 5ec6171f1..1bbfe885d 100644
--- a/lib/brakeman/checks/check_symbol_dos.rb
+++ b/lib/brakeman/checks/check_symbol_dos.rb
@@ -45,7 +45,8 @@ def check_unsafe_symbol_creation result :warning_code => :unsafe_symbol_creation, :message => message, :user_input => input, - :confidence => confidence + :confidence => confidence, + :cwe => 20 end end diff --git a/lib/brakeman/checks/check_symbol_dos_cve.rb b/lib/brakeman/checks/check_symbol_dos_cve.rb index 37c3f55eb..71a42aa3e 100644 --- a/lib/brakeman/checks/check_symbol_dos_cve.rb +++ b/lib/brakeman/checks/check_symbol_dos_cve.rb @@ -23,8 +23,8 @@ def run_check :message => "Rails #{rails_version} has a denial of service vulnerability in ActiveRecord: upgrade to #{fix_version} or patch", :confidence => :medium, :gem_info => gemfile_or_environment, - :link => "https://groups.google.com/d/msg/rubyonrails-security/jgJ4cjjS8FE/BGbHRxnDRTIJ" + :link => "https://groups.google.com/d/msg/rubyonrails-security/jgJ4cjjS8FE/BGbHRxnDRTIJ", + :cwe => 20 end end end - diff --git a/lib/brakeman/checks/check_translate_bug.rb b/lib/brakeman/checks/check_translate_bug.rb index 5d7c51b63..56834da21 100644 --- a/lib/brakeman/checks/check_translate_bug.rb +++ b/lib/brakeman/checks/check_translate_bug.rb @@ -33,7 +33,8 @@ def run_check :message => message, :confidence => confidence, :gem_info => gemfile_or_environment, - :link_path => "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5" + :link_path => "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5", + :cwe => 79 end end diff --git a/lib/brakeman/checks/check_unsafe_reflection.rb b/lib/brakeman/checks/check_unsafe_reflection.rb index a83f4436c..9d8730c03 100644 --- a/lib/brakeman/checks/check_unsafe_reflection.rb +++ b/lib/brakeman/checks/check_unsafe_reflection.rb @@ -20,7 +20,7 @@ def run_check def check_unsafe_reflection result return unless original? result - call = result[:call] + call = result[:call] method = call.method case method 
@@ -44,7 +44,8 @@ def check_unsafe_reflection result :warning_code => :unsafe_constantize, :message => message, :user_input => input, - :confidence => confidence + :confidence => confidence, + :cwe => 470 end end end diff --git a/lib/brakeman/checks/check_unscoped_find.rb b/lib/brakeman/checks/check_unscoped_find.rb index 22a87157f..5e8ffdb75 100644 --- a/lib/brakeman/checks/check_unscoped_find.rb +++ b/lib/brakeman/checks/check_unscoped_find.rb @@ -40,7 +40,8 @@ def process_result result :message => "Unscoped call to #{result[:target]}##{result[:method]}", :code => result[:call], :confidence => :weak, - :user_input => input + :user_input => input, + :cwe => 285 end def optional_belongs_to? exp diff --git a/lib/brakeman/checks/check_validation_regex.rb b/lib/brakeman/checks/check_validation_regex.rb index 69caf3172..872280f14 100644 --- a/lib/brakeman/checks/check_validation_regex.rb +++ b/lib/brakeman/checks/check_validation_regex.rb @@ -91,7 +91,8 @@ def check_regex value, validator :warning_code => :validation_regex, :message => "Insufficient validation for '#{get_name validator}' using #{regex.inspect}. Use \\A and \\z as anchors", :line => value.line, - :confidence => :high + :confidence => :high, + :cwe => 777 end end diff --git a/lib/brakeman/checks/check_weak_hash.rb b/lib/brakeman/checks/check_weak_hash.rb index c019cee30..d81c6976d 100644 --- a/lib/brakeman/checks/check_weak_hash.rb +++ b/lib/brakeman/checks/check_weak_hash.rb @@ -54,7 +54,8 @@ def process_hash_result result :warning_code => :weak_hash_digest, :message => "Weak hashing algorithm#{alg} used", :confidence => confidence, - :user_input => input + :user_input => input, + :cwe => 328 end def process_hmac_result result @@ -75,7 +76,8 @@ def process_hmac_result result :warning_type => "Weak Hash", :warning_code => :weak_hash_hmac, :message => "Weak hashing algorithm (#{alg}) used in HMAC", - :confidence => :medium + :confidence => :medium, + :cwe => 328 end def process_openssl_result result 
@@ -91,7 +93,8 @@ def process_openssl_result result :warning_type => "Weak Hash", :warning_code => :weak_hash_digest, :message => "Weak hashing algorithm (#{alg}) used", - :confidence => :medium + :confidence => :medium, + :cwe => 328 end end end diff --git a/lib/brakeman/checks/check_without_protection.rb b/lib/brakeman/checks/check_without_protection.rb index e308c27a2..5fa3ddecc 100644 --- a/lib/brakeman/checks/check_without_protection.rb +++ b/lib/brakeman/checks/check_without_protection.rb @@ -18,8 +18,8 @@ def run_check Brakeman.debug "Finding all mass assignments" calls = tracker.find_call :targets => active_record_models.keys, :methods => [:new, - :attributes=, - :update_attributes, + :attributes=, + :update_attributes, :update_attributes!, :create, :create!] @@ -49,13 +49,14 @@ def process_result res confidence = :medium end - warn :result => res, - :warning_type => "Mass Assignment", + warn :result => res, + :warning_type => "Mass Assignment", :warning_code => :mass_assign_without_protection, :message => "Unprotected mass assignment", - :code => call, + :code => call, :user_input => input, - :confidence => confidence + :confidence => confidence, + :cwe => 915 end end diff --git a/lib/brakeman/checks/check_xml_dos.rb b/lib/brakeman/checks/check_xml_dos.rb index c0a993a1c..93fb7bc06 100644 --- a/lib/brakeman/checks/check_xml_dos.rb +++ b/lib/brakeman/checks/check_xml_dos.rb @@ -30,7 +30,8 @@ def run_check :message => message, :confidence => :medium, :gem_info => gemfile_or_environment, - :link_path => "https://groups.google.com/d/msg/rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J" + :link_path => "https://groups.google.com/d/msg/rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J", + :cwe => 125 end def has_workaround? diff --git a/lib/brakeman/checks/check_yaml_parsing.rb b/lib/brakeman/checks/check_yaml_parsing.rb index 4a0aa405c..c8da752b7 100644 --- a/lib/brakeman/checks/check_yaml_parsing.rb +++ b/lib/brakeman/checks/check_yaml_parsing.rb 
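Review bot: CWE-125 (Out-of-bounds Read) is a memory-safety weakness and cannot apply to the Ruby XML parsing denial-of-service reported by check_xml_dos.rb; whoever reads the report would be misled about the failure mode. If the underlying issue is entity expansion, CWE-776 (Improper Restriction of Recursive Entity References in DTDs) is the matching id; if it is generic resource exhaustion, CWE-400. The message and link that would settle this are constructed before the hunk starts, so please confirm which applies and replace `:cwe => 125` accordingly.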
@@ -29,7 +29,8 @@ def run_check :message => message, :confidence => :high, :gem_info => gemfile_or_environment, - :link_path => "https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/discussion" + :link_path => "https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/discussion", + :cwe => 20 end #Warn if app accepts YAML @@ -41,7 +42,8 @@ def run_check :message => message, :confidence => :high, :gem_info => gemfile_or_environment, - :link_path => "https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/discussion" + :link_path => "https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/discussion", + :cwe => 20 end end diff --git a/lib/brakeman/processors/lib/processor_helper.rb b/lib/brakeman/processors/lib/processor_helper.rb index 3b9e303b1..7dc533c55 100644 --- a/lib/brakeman/processors/lib/processor_helper.rb +++ b/lib/brakeman/processors/lib/processor_helper.rb @@ -1,4 +1,15 @@ #Contains a couple shared methods for Processors. + +class Sexp + def each_sexp e + self.each do |e| + if e.is_a? Sexp + yield e + end + end + end +end + module Brakeman::ProcessorHelper def process_all exp exp.each_sexp do |e| diff --git a/lib/brakeman/warning.rb b/lib/brakeman/warning.rb index 00a7f2451..f28359117 100644 --- a/lib/brakeman/warning.rb +++ b/lib/brakeman/warning.rb @@ -4,7 +4,7 @@ #The Warning class stores information about warnings class Brakeman::Warning - attr_reader :called_from, :check, :class, :confidence, :controller, + attr_reader :called_from, :check, :class, :confidence, :controller, :cwe, :line, :method, :model, :template, :user_input, :user_input_type, :warning_code, :warning_set, :warning_type @@ -30,6 +30,7 @@ class Brakeman::Warning :class => :@class, :code => :@code, :controller => :@controller, + :cwe => :@cwe :file => :@file, :gem_info => :@gem_info, :line => :@line, 
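Review bot: The added `:cwe => :@cwe` in the warning.rb OPTIONS hash has no trailing comma before `:file => :@file`, so this commit leaves Brakeman::Warning unparseable; PATCH 2/3 adds the comma, but the fix belongs in this commit so the series stays bisectable. The same applies to the `class Sexp` reopening in processor_helper.rb: `def each_sexp e` declares a required positional that the visible caller `exp.each_sexp do |e|` never passes, and the block parameter shadows it, which is presumably the "parsing error" PATCH 3/3 backs out entirely. Squashing both corrections into this commit would avoid landing a revision that cannot load.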
@@ -210,6 +211,7 @@ def link def to_row type = :warning @row = { "Confidence" => self.confidence, "Warning Type" => self.warning_type.to_s, + "CWE" => self.cwe, "Message" => self.format_message } case type @@ -275,7 +277,8 @@ def to_hash :render_path => self.called_from, :location => self.location(false), :user_input => (@user_input && self.format_user_input(false)), - :confidence => TEXT_CONFIDENCE[self.confidence] + :confidence => TEXT_CONFIDENCE[self.confidence], + :cwe => cwe } end @@ -291,4 +294,3 @@ def format_ruby code, strip formatted end end - From 3bd1b573d19b2c98d461a91f243891edeff555ef Mon Sep 17 00:00:00 2001 From: Fish-Nullify Date: Fri, 22 Mar 2024 16:40:26 +1100 Subject: [PATCH 2/3] added cwe to reports --- gem_common.rb | 2 +- lib/brakeman/checks/check_default_routes.rb | 6 +++--- lib/brakeman/report/report_base.rb | 10 +++++----- lib/brakeman/report/report_text.rb | 6 +++--- .../report/templates/controller_warnings.html.erb | 1 + .../report/templates/ignored_warnings.html.erb | 1 + lib/brakeman/report/templates/model_warnings.html.erb | 1 + .../report/templates/security_warnings.html.erb | 1 + lib/brakeman/report/templates/view_warnings.html.erb | 1 + lib/brakeman/warning.rb | 2 +- 10 files changed, 18 insertions(+), 13 deletions(-) diff --git a/gem_common.rb b/gem_common.rb index bd3159a76..1f417fa94 100644 --- a/gem_common.rb +++ b/gem_common.rb @@ -17,7 +17,7 @@ def self.base_dependencies spec def self.extended_dependencies spec spec.add_dependency "terminal-table", "~>1.4" - spec.add_dependency "highline", "~>3.0" + spec.add_dependency "highline", ">=1.6.20", "<2.0" spec.add_dependency "erubis", "~>2.6" spec.add_dependency "haml", "~>5.1" spec.add_dependency "slim", ">=1.3.6", "<=4.1" diff --git a/lib/brakeman/checks/check_default_routes.rb b/lib/brakeman/checks/check_default_routes.rb index 746793c46..c8685b9d4 100644 --- a/lib/brakeman/checks/check_default_routes.rb +++ b/lib/brakeman/checks/check_default_routes.rb 
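Review bot: `"CWE" => self.cwe` in to_row and `:cwe => cwe` in to_hash emit whatever the check supplied, so any warning raised without `:cwe` (custom or third-party checks, or a `warn` call the series missed) produces a nil cell in every report format; that is acceptable but should be stated where the attribute is declared, e.g. `# CWE identifier (Integer) for the weakness class; nil when a check does not set one`. The new to_hash entry also reads `cwe` while its neighbours use `self.confidence`, so `:cwe => self.cwe` keeps the method's style. The enclosing to_hash begins before the hunk.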
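Review bot: The gem_common.rb hunk replaces `spec.add_dependency "highline", "~>3.0"` with `spec.add_dependency "highline", ">=1.6.20", "<2.0"`, which moves the gem back onto the 1.x line and has nothing to do with the "added cwe to reports" subject. A dependency-constraint change is exactly what a supply-chain review audits, so it should be its own commit with the reason (API incompatibility, bundler resolution) in the message rather than hidden in a report change. If the 1.x constraint is only a local workaround, it should not be in this series at all.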
@@ -22,7 +22,7 @@ def check_for_default_routes :message => "All public methods in controllers are available as actions in routes.rb", :line => tracker.routes[:allow_all_actions].line, :confidence => :high, - :file => "#{tracker.app_path}/config/routes.rb" + :file => "#{tracker.app_path}/config/routes.rb", :cwe => 22 end end @@ -45,7 +45,7 @@ def check_for_action_globs :message => "Any public method in #{name} can be used as an action for #{verb} requests.", :line => actions[2], :confidence => :medium, - :file => "#{tracker.app_path}/config/routes.rb" + :file => "#{tracker.app_path}/config/routes.rb", :cwe => 22 end end @@ -78,7 +78,7 @@ def check_for_cve_2014_0130 :warning_code => :CVE_2014_0130, :message => "Rails #{rails_version} with globbing routes is vulnerable to directory traversal and remote code execution. Patch or upgrade to #{upgrade}", :confidence => confidence, - :file => "#{tracker.app_path}/config/routes.rb" + :file => "#{tracker.app_path}/config/routes.rb", :cwe => 22, :link => "http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf" end diff --git a/lib/brakeman/report/report_base.rb b/lib/brakeman/report/report_base.rb index 230569713..a2207615d 100644 --- a/lib/brakeman/report/report_base.rb +++ b/lib/brakeman/report/report_base.rb @@ -89,7 +89,7 @@ def generate_warnings render_warnings generic_warnings, :warning, 'security_warnings', - ["Confidence", "Class", "Method", "Warning Type", "Message"], + ["Confidence", "Class", "Method", "Warning Type", "CWE", "Message"], 'Class' end @@ -98,7 +98,7 @@ def generate_template_warnings render_warnings template_warnings, :template, 'view_warnings', - ['Confidence', 'Template', 'Warning Type', 'Message'], + ['Confidence', 'Template', 'Warning Type', "CWE", 'Message'], 'Template' end 
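Review bot: In all three check_default_routes.rb hunks `:cwe => 22` is appended to the `:file =>` line, whereas every other check in this series gives the new key its own line; putting it on a separate line here too keeps the `warn` calls uniformly formatted. It is also worth confirming the mapping for the first two hunks: CWE-22 fits the CVE-2014-0130 traversal warning, but the "all public methods ... available as actions" finding is about unintended functionality being routable, which may deserve a different id. Each method's opening lines are outside the hunks.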
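Review bot: The column header arrays in report_base.rb now mix `"CWE"` in double quotes with single-quoted siblings such as `'Confidence', 'Template', 'Warning Type'`; the same mixture recurs in the generate_model_warnings, generate_controller_warnings and generate_ignored_warnings hunks. Using `'CWE'` matches the surrounding literals (only the security_warnings hunk is already double-quoted throughout). The header strings must also match the keys to_row emits, so a short comment noting that `"CWE"` is looked up by the ERB templates would save the next reader a search.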
@@ -108,7 +108,7 @@ def generate_model_warnings render_warnings model_warnings, :model, 'model_warnings', - ['Confidence', 'Model', 'Warning Type', 'Message'], + ['Confidence', 'Model', 'Warning Type', "CWE", 'Message'], 'Model' end @@ -117,7 +117,7 @@ def generate_controller_warnings render_warnings controller_warnings, :controller, 'controller_warnings', - ['Confidence', 'Controller', 'Warning Type', 'Message'], + ['Confidence', 'Controller', 'Warning Type', "CWE", 'Message'], 'Controller' end @@ -125,7 +125,7 @@ def generate_ignored_warnings render_warnings ignored_warnings, :ignored, 'ignored_warnings', - ['Confidence', 'Warning Type', 'File', 'Message'], + ['Confidence', 'Warning Type', 'File', "CWE", 'Message'], 'Warning Type' end diff --git a/lib/brakeman/report/report_text.rb b/lib/brakeman/report/report_text.rb index 018a47876..2615ef63d 100644 --- a/lib/brakeman/report/report_text.rb +++ b/lib/brakeman/report/report_text.rb @@ -19,7 +19,7 @@ def generate_report add_chunk generate_controllers if tracker.options[:debug] or tracker.options[:report_routes] add_chunk generate_templates if tracker.options[:debug] add_chunk generate_obsolete - add_chunk generate_errors + add_chunk generate_errors add_chunk generate_warnings end @@ -35,7 +35,7 @@ def add_chunk chunk, out = @output_string def generate_header [ - header("Brakeman Report"), + header("Brakeman Report"), label("Application Path", tracker.app_path), label("Rails Version", rails_version), label("Brakeman Version", Brakeman::Version), @@ -133,6 +133,7 @@ def output_warning w label('Confidence', confidence(w.confidence)), label('Category', w.warning_type.to_s), label('Check', w.check.gsub(/^Brakeman::Check/, '')), + label('CWE', w.cwe), label('Message', w.message) ] @@ -195,4 +196,3 @@ def render_array name, cols, values, locals double_space "Controller Overview", controllers end end - 
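Review bot: `label('CWE', w.cwe)` in report_text.rb prints a bare integer, and nil for warnings that carry no CWE; unlike `confidence(w.confidence)` on the line above, no formatting helper is applied. Rendering the canonical form, e.g. `label('CWE', w.cwe ? "CWE-#{w.cwe}" : '')`, makes the value recognisable in text output and avoids passing nil into label — I cannot see from the hunk how label treats nil, so please check that. output_warning's surrounding array begins outside the hunk.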
diff --git a/lib/brakeman/report/templates/controller_warnings.html.erb b/lib/brakeman/report/templates/controller_warnings.html.erb index 1195bab4a..1406d9933 100644 --- a/lib/brakeman/report/templates/controller_warnings.html.erb +++ b/lib/brakeman/report/templates/controller_warnings.html.erb @@ -14,6 +14,7 @@ <%= warning['Confidence']%> <%= warning['Controller']%> <%= warning['Warning Type']%> + <%= warning['CWE']%> <%= warning['Message']%> <% end %> diff --git a/lib/brakeman/report/templates/ignored_warnings.html.erb b/lib/brakeman/report/templates/ignored_warnings.html.erb index 123d5c603..22d725bc8 100644 --- a/lib/brakeman/report/templates/ignored_warnings.html.erb +++ b/lib/brakeman/report/templates/ignored_warnings.html.erb @@ -16,6 +16,7 @@ <%= warning['Confidence']%> <%= warning['File']%> <%= warning['Warning Type']%> + <%= warning['CWE']%> <%= warning['Message']%> <%= warning['Note']%> diff --git a/lib/brakeman/report/templates/model_warnings.html.erb b/lib/brakeman/report/templates/model_warnings.html.erb index 25cb6ca56..261119246 100644 --- a/lib/brakeman/report/templates/model_warnings.html.erb +++ b/lib/brakeman/report/templates/model_warnings.html.erb @@ -14,6 +14,7 @@ <%= warning['Confidence']%> <%= warning['Model']%> <%= warning['Warning Type']%> + <%= warning['CWE']%> <%= warning['Message']%> <% end %> diff --git a/lib/brakeman/report/templates/security_warnings.html.erb b/lib/brakeman/report/templates/security_warnings.html.erb index c5abc30a9..b5ba3b483 100644 --- a/lib/brakeman/report/templates/security_warnings.html.erb +++ b/lib/brakeman/report/templates/security_warnings.html.erb @@ -16,6 +16,7 @@ <%= warning['Class']%> <%= warning['Method']%> <%= warning['Warning Type']%> + <%= warning['CWE']%> <%= warning['Message']%> <% end %> diff --git a/lib/brakeman/report/templates/view_warnings.html.erb b/lib/brakeman/report/templates/view_warnings.html.erb index 896c4198d..9caf7cbbf 100644 
--- a/lib/brakeman/report/templates/view_warnings.html.erb +++ b/lib/brakeman/report/templates/view_warnings.html.erb @@ -27,6 +27,7 @@ <% end %> <%= warning['Warning Type']%> + <%= warning['CWE']%> <%= warning['Message']%> <% end %> diff --git a/lib/brakeman/warning.rb b/lib/brakeman/warning.rb index f28359117..2663f8a4b 100644 --- a/lib/brakeman/warning.rb +++ b/lib/brakeman/warning.rb @@ -30,7 +30,7 @@ class Brakeman::Warning :class => :@class, :code => :@code, :controller => :@controller, - :cwe => :@cwe + :cwe => :@cwe, :file => :@file, :gem_info => :@gem_info, :line => :@line, From e6f513353e64742bd8ccaf397b917a31325296e9 Mon Sep 17 00:00:00 2001 From: Fish-Nullify Date: Fri, 22 Mar 2024 17:01:55 +1100 Subject: [PATCH 3/3] fixed parsing error --- lib/brakeman/processors/lib/processor_helper.rb | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/lib/brakeman/processors/lib/processor_helper.rb b/lib/brakeman/processors/lib/processor_helper.rb index 7dc533c55..3b9e303b1 100644 --- a/lib/brakeman/processors/lib/processor_helper.rb +++ b/lib/brakeman/processors/lib/processor_helper.rb @@ -1,15 +1,4 @@ #Contains a couple shared methods for Processors. - -class Sexp - def each_sexp e - self.each do |e| - if e.is_a? Sexp - yield e - end - end - end -end - module Brakeman::ProcessorHelper def process_all exp exp.each_sexp do |e|