Class: Brakeman::CheckExecute
- Inherits:
-
BaseCheck
- Object
- SexpProcessor
- BaseCheck
- Brakeman::CheckExecute
- Defined in:
- lib/brakeman/checks/check_execute.rb
Overview
Checks for string interpolation and parameters in calls to Kernel#system, Kernel#exec, Kernel#syscall, and inside backticks.
Examples of command injection vulnerabilities:
system(“rf -rf #:file”) exec(params) ‘unlink #params[:something`
Constant Summary collapse
- SAFE_VALUES =
[s(:const, :RAILS_ROOT), s(:call, s(:const, :Rails), :root), s(:call, s(:const, :Rails), :env)]
Constants inherited from BaseCheck
Constants included from Util
Util::ALL_PARAMETERS, Util::COOKIES, Util::COOKIES_SEXP, Util::PARAMETERS, Util::PARAMS_SEXP, Util::PATH_PARAMETERS, Util::QUERY_PARAMETERS, Util::REQUEST_ENV, Util::REQUEST_PARAMETERS, Util::REQUEST_PARAMS, Util::SESSION, Util::SESSION_SEXP
Constants inherited from SexpProcessor
Instance Attribute Summary
Attributes inherited from BaseCheck
Attributes inherited from SexpProcessor
Instance Method Summary collapse
-
#check_for_backticks(tracker) ⇒ Object
Looks for calls using backticks such as.
- #dangerous?(exp) ⇒ Boolean
- #dangerous_interp?(exp) ⇒ Boolean
-
#process_backticks(result) ⇒ Object
Processes backticks.
-
#process_result(result) ⇒ Object
Processes results from Tracker#find_call.
-
#run_check ⇒ Object
Check models, controllers, and views for command injection.
Methods inherited from BaseCheck
#add_result, inherited, #initialize, #process_call, #process_cookies, #process_default, #process_if, #process_params, #process_string_interp
Methods included from Util
#array?, #block?, #call?, #camelize, #contains_class?, #context_for, #cookies?, #false?, #file_by_name, #file_for, #hash?, #hash_access, #hash_insert, #hash_iterate, #integer?, #make_call, #node_type?, #number?, #params?, #pluralize, #regexp?, #relative_path, #request_env?, #request_value?, #result?, #set_env_defaults, #sexp?, #string?, #symbol?, #table_to_csv, #true?, #truncate_table, #underscore
Methods included from ProcessorHelper
#class_name, #process_all, #process_all!, #process_call_args, #process_module
Methods inherited from SexpProcessor
#error_handler, #in_context, #initialize, #process, #process_dummy, #scope
Constructor Details
This class inherits a constructor from Brakeman::BaseCheck
Instance Method Details
#check_for_backticks(tracker) ⇒ Object
Looks for calls using backticks such as
‘rm -rf #:file`
72 73 74 75 76 |
# File 'lib/brakeman/checks/check_execute.rb', line 72 def check_for_backticks tracker tracker.find_call(:target => nil, :method => :`).each do |result| process_backticks result end end |
#dangerous?(exp) ⇒ Boolean
105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 |
# File 'lib/brakeman/checks/check_execute.rb', line 105 def dangerous? exp exp.each_sexp do |e| next if node_type? e, :lit, :str next if SAFE_VALUES.include? e if call? e and e.method == :to_s e = e.target end if node_type? e, :or, :evstr, :string_eval, :string_interp if res = dangerous?(e) return res end else return e end end false end |
#dangerous_interp?(exp) ⇒ Boolean
126 127 128 129 130 131 132 133 134 135 136 137 138 |
# File 'lib/brakeman/checks/check_execute.rb', line 126 def dangerous_interp? exp match = include_interp? exp return unless match interp = match.match interp.each_sexp do |e| if res = dangerous?(e) return Match.new(:interp, res) end end false end |
#process_backticks(result) ⇒ Object
Processes backticks.
79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 |
# File 'lib/brakeman/checks/check_execute.rb', line 79 def process_backticks result return if duplicate? result add_result result exp = result[:call] if input = include_user_input?(exp) confidence = CONFIDENCE[:high] user_input = input.match elsif input = dangerous?(exp) confidence = CONFIDENCE[:med] user_input = input else return end warn :result => result, :warning_type => "Command Injection", :warning_code => :command_injection, :message => "Possible command injection", :code => exp, :user_input => user_input, :confidence => confidence end |
#process_result(result) ⇒ Object
Processes results from Tracker#find_call.
38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 |
# File 'lib/brakeman/checks/check_execute.rb', line 38 def process_result result call = result[:call] args = call.arglist first_arg = call.first_arg case call.method when :system, :exec failure = include_user_input?(first_arg) || dangerous_interp?(first_arg) else failure = include_user_input?(args) || dangerous_interp?(args) end if failure and not duplicate? result add_result result if failure.type == :interp #Not from user input confidence = CONFIDENCE[:med] else confidence = CONFIDENCE[:high] end warn :result => result, :warning_type => "Command Injection", :warning_code => :command_injection, :message => "Possible command injection", :code => call, :user_input => failure.match, :confidence => confidence end end |
#run_check ⇒ Object
Check models, controllers, and views for command injection.
21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 |
# File 'lib/brakeman/checks/check_execute.rb', line 21 def run_check Brakeman.debug "Finding system calls using ``" check_for_backticks tracker Brakeman.debug "Finding other system calls" calls = tracker.find_call :targets => [:IO, :Open3, :Kernel, :'POSIX::Spawn', :Process, nil], :methods => [:capture2, :capture2e, :capture3, :exec, :pipeline, :pipeline_r, :pipeline_rw, :pipeline_start, :pipeline_w, :popen, :popen2, :popen2e, :popen3, :spawn, :syscall, :system] Brakeman.debug "Processing system calls" calls.each do |result| process_result result end end |