Class: Brakeman::CheckSymbolDoS

Inherits:
BaseCheck
Defined in:
lib/brakeman/checks/check_symbol_dos.rb

Constant Summary

Constants inherited from BaseCheck

BaseCheck::CONFIDENCE

Constants included from Util

Util::ALL_PARAMETERS, Util::COOKIES, Util::COOKIES_SEXP, Util::PARAMETERS, Util::PARAMS_SEXP, Util::PATH_PARAMETERS, Util::QUERY_PARAMETERS, Util::REQUEST_ENV, Util::REQUEST_PARAMETERS, Util::REQUEST_PARAMS, Util::SESSION, Util::SESSION_SEXP

Constants inherited from SexpProcessor

SexpProcessor::VERSION

Instance Attribute Summary

Attributes inherited from BaseCheck

#tracker, #warnings

Attributes inherited from SexpProcessor

#context, #env, #expected

Instance Method Summary

Methods inherited from BaseCheck

#add_result, inherited, #initialize, #process_call, #process_cookies, #process_default, #process_if, #process_params, #process_string_interp

Methods included from Util

#array?, #block?, #call?, #camelize, #contains_class?, #context_for, #cookies?, #false?, #file_by_name, #file_for, #hash?, #hash_access, #hash_insert, #hash_iterate, #integer?, #make_call, #node_type?, #number?, #params?, #pluralize, #regexp?, #relative_path, #request_env?, #request_value?, #result?, #set_env_defaults, #sexp?, #string?, #symbol?, #table_to_csv, #true?, #truncate_table, #underscore

Methods included from ProcessorHelper

#class_name, #process_all, #process_all!, #process_call_args, #process_module

Methods inherited from SexpProcessor

#error_handler, #in_context, #initialize, #process, #process_dummy, #scope

Constructor Details

This class inherits a constructor from Brakeman::BaseCheck

Instance Method Details

#check_unsafe_symbol_creation(result) ⇒ Object



# File 'lib/brakeman/checks/check_symbol_dos.rb', line 35

# Reports a Symbol-creation call whose operand comes from user input.
#
# Symbols built from attacker-controlled strings are the classic symbol-table
# exhaustion denial of service (symbols were not garbage collected before
# Ruby 2.2), which is why the warning type is "Denial of Service".
#
# A result is skipped when it was already reported (+duplicate?+) or when its
# call carries an +original_line+ (presumably a rewritten node whose origin
# is reported elsewhere — confirm against BaseCheck). For +to_sym+ the
# receiver is the candidate; for any other method (i.e. +literal_to_sym+)
# every Sexp operand of the call is. Confidence is high when a candidate is
# directly user input and medium when it merely contains user input; with
# neither, nothing is reported.
#
# @param result [Hash] a +find_call+ result carrying +:call+ and +:method+
# @return [void]
def check_unsafe_symbol_creation result
  call = result[:call]

  return if duplicate?(result) || call.original_line

  add_result result

  # `foo.to_sym` converts the receiver; otherwise inspect each Sexp operand.
  candidates =
    if result[:method] == :to_sym
      [call.target]
    else
      call.select { |node| sexp? node }
    end

  # Note: `.compact.first` keeps a `false` result in place, exactly like the
  # original; only the first non-nil element is consulted.
  direct = candidates.map { |node| has_immediate_user_input?(node) }.compact.first
  if direct
    input = direct
    confidence = CONFIDENCE[:high]
  else
    indirect = candidates.map { |node| include_user_input?(node) }.compact.first
    if indirect
      input = indirect
      confidence = CONFIDENCE[:med]
    end
  end

  return unless confidence

  warn result: result,
       warning_type: "Denial of Service",
       warning_code: :unsafe_symbol_creation,
       message: "Symbol conversion from unsafe string (#{friendly_type_of input})",
       user_input: input.match,
       confidence: confidence
end

#run_check ⇒ Object



# File 'lib/brakeman/checks/check_symbol_dos.rb', line 8

# Entry point for the check.
#
# First reports CVE-2013-1854 (denial of service in ActiveRecord) when the
# tracked Rails version falls inside one of the affected ranges and the
# application defines at least one ActiveRecord model; the message names the
# first patched release of that series. Then every +to_sym+ /
# +literal_to_sym+ call, nested calls included, is passed to
# +check_unsafe_symbol_creation+.
#
# @return [void]
def run_check
  # [lower bound, upper bound, first fixed release] per affected Rails series.
  # Ranges are tried in order; the first match wins, as in a bare `case`.
  fixed_releases = [
    ['2.0.0', '2.3.17', '2.3.18'],
    ['3.1.0', '3.1.11', '3.1.12'],
    ['3.2.0', '3.2.12', '3.2.13']
  ]

  _low, _high, fix_version =
    fixed_releases.find { |low, high, _fix| version_between?(low, high) }

  # Only worth reporting when ActiveRecord is actually in use.
  if fix_version && active_record_models.any?
    warn warning_type: "Denial of Service",
         warning_code: :CVE_2013_1854,
         message: "Rails #{tracker.config[:rails_version]} has a denial of service vulnerability in ActiveRecord: upgrade to #{fix_version} or patch",
         confidence: CONFIDENCE[:med],
         file: gemfile_or_environment,
         link: "https://groups.google.com/d/msg/rubyonrails-security/jgJ4cjjS8FE/BGbHRxnDRTIJ"
  end

  symbol_calls = tracker.find_call(methods: [:to_sym, :literal_to_sym], nested: true)
  symbol_calls.each { |result| check_unsafe_symbol_creation(result) }
end