提交
22b0c47c
编写于
6月 06, 2014
作者:
J
Justin
Merge pull request #502 from presidentbeef/add_check_for_cve_2014_0130
Add check for CVE-2014-0130
上级
eeb5a6fe
98c0fdd5
变更
13
Showing
13 changed file
with
193 addition
and
36 deletion
+193
-36
lib/brakeman/checks/check_default_routes.rb
lib/brakeman/checks/check_default_routes.rb
+65
-20
lib/brakeman/warning_codes.rb
lib/brakeman/warning_codes.rb
+2
-1
test/tests/markdown_output.rb
test/tests/markdown_output.rb
+2
-2
test/tests/only_files_option.rb
test/tests/only_files_option.rb
+13
-1
test/tests/rails2.rb
test/tests/rails2.rb
+16
-4
test/tests/rails3.rb
test/tests/rails3.rb
+13
-1
test/tests/rails31.rb
test/tests/rails31.rb
+13
-1
test/tests/rails32.rb
test/tests/rails32.rb
+13
-1
test/tests/rails4.rb
test/tests/rails4.rb
+13
-1
test/tests/rails4_with_engines.rb
test/tests/rails4_with_engines.rb
+13
-1
test/tests/rails_lts.rb
test/tests/rails_lts.rb
+15
-0
test/tests/rails_with_xss_plugin.rb
test/tests/rails_with_xss_plugin.rb
+13
-1
test/tests/tabs_output.rb
test/tests/tabs_output.rb
+2
-2
lib/brakeman/checks/check_default_routes.rb
...
...
@@ -9,33 +9,78 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
#Checks for :allow_all_actions globally and for individual routes
#if it is not enabled globally.
def
run_check
if
tracker
.
routes
[
:allow_all_actions
]
check_for_default_routes
check_for_action_globs
check_for_cve_2014_0130
end
def
check_for_default_routes
if
allow_all_actions?
#Default routes are enabled globally
warn
:warning_type
=>
"Default Routes"
,
warn
:warning_type
=>
"Default Routes"
,
:warning_code
=>
:all_default_routes
,
:message
=>
"All public methods in controllers are available as actions in routes.rb"
,
:line
=>
tracker
.
routes
[
:allow_all_actions
].
line
,
:line
=>
tracker
.
routes
[
:allow_all_actions
].
line
,
:confidence
=>
CONFIDENCE
[
:high
],
:file
=>
"
#{
tracker
.
options
[
:app_path
]
}
/config/routes.rb"
else
#Report each controller separately
Brakeman
.
debug
"Checking each controller for default routes"
tracker
.
routes
.
each
do
|
name
,
actions
|
if
actions
.
is_a?
Array
and
actions
[
0
]
==
:allow_all_actions
if
actions
[
1
].
is_a?
Hash
and
actions
[
1
][
:allow_verb
]
verb
=
actions
[
1
][
:allow_verb
]
else
verb
=
"any"
end
warn
:controller
=>
name
,
:warning_type
=>
"Default Routes"
,
:warning_code
=>
:controller_default_routes
,
:message
=>
"Any public method in
#{
name
}
can be used as an action for
#{
verb
}
requests."
,
:line
=>
actions
[
2
],
:confidence
=>
CONFIDENCE
[
:med
],
:file
=>
"
#{
tracker
.
options
[
:app_path
]
}
/config/routes.rb"
end
end
def
check_for_action_globs
return
if
allow_all_actions?
Brakeman
.
debug
"Checking each controller for default routes"
tracker
.
routes
.
each
do
|
name
,
actions
|
if
actions
.
is_a?
Array
and
actions
[
0
]
==
:allow_all_actions
@actions_allowed_on_controller
=
true
if
actions
[
1
].
is_a?
Hash
and
actions
[
1
][
:allow_verb
]
verb
=
actions
[
1
][
:allow_verb
]
else
verb
=
"any"
end
warn
:controller
=>
name
,
:warning_type
=>
"Default Routes"
,
:warning_code
=>
:controller_default_routes
,
:message
=>
"Any public method in
#{
name
}
can be used as an action for
#{
verb
}
requests."
,
:line
=>
actions
[
2
],
:confidence
=>
CONFIDENCE
[
:med
],
:file
=>
"
#{
tracker
.
options
[
:app_path
]
}
/config/routes.rb"
end
end
end
def
check_for_cve_2014_0130
case
when
lts_version?
(
"2.3.18.9"
)
#TODO: Should support LTS 3.0.20 too
return
when
version_between?
(
"2.0.0"
,
"2.3.18"
)
upgrade
=
"3.2.18"
when
version_between?
(
"3.0.0"
,
"3.2.17"
)
upgrade
=
"3.2.18"
when
version_between?
(
"4.0.0"
,
"4.0.4"
)
upgrade
=
"4.0.5"
when
version_between?
(
"4.1.0"
,
"4.1.0"
)
upgrade
=
"4.1.1"
else
return
end
if
allow_all_actions?
or
@actions_allowed_on_controller
confidence
=
CONFIDENCE
[
:high
]
else
confidence
=
CONFIDENCE
[
:med
]
end
warn
:warning_type
=>
"Remote Code Execution"
,
:warning_code
=>
:CVE_2014_0130
,
:message
=>
"Rails
#{
tracker
.
config
[
:rails_version
]
}
with globbing routes is vulnerable to directory traversal and remote code execution. Patch or upgrade to
#{
upgrade
}
"
,
:confidence
=>
confidence
,
:file
=>
"
#{
tracker
.
options
[
:app_path
]
}
/config/routes.rb"
,
:link
=>
"http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf"
end
def
allow_all_actions?
tracker
.
routes
[
:allow_all_actions
]
end
end
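Review bot: The warning text in check_for_cve_2014_0130 always reads "Rails … with globbing routes is vulnerable…", yet the `if allow_all_actions? or @actions_allowed_on_controller` branch only lowers confidence to medium when no glob route was found, so in that case the message asserts more than the scan established (the rails31 test expects exactly that: the same message with confidence 1). Either make the message conditional on a glob route being present or document the intent above the `warn`, e.g. `# Warn on any vulnerable version; glob routes found in routes.rb only raise confidence to high`. `@actions_allowed_on_controller` is assigned only inside check_for_action_globs and never initialised, so this check silently depends on run_check calling check_for_action_globs first; a comment on that assignment such as `# read by check_for_cve_2014_0130, so run_check must call this method before it` would make the ordering explicit. The `#TODO: Should support LTS 3.0.20 too` also means an app on that LTS line presumably still matches `version_between?("3.0.0", "3.2.17")` and is reported as vulnerable, which is worth stating in the TODO so the false positive is understood.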
lib/brakeman/warning_codes.rb
...
...
@@ -76,7 +76,8 @@ module Brakeman::WarningCodes
:CVE_2014_0081
=>
73
,
:CVE_2014_0081_call
=>
74
,
:CVE_2014_0082
=>
75
,
:regex_dos
=>
76
:regex_dos
=>
76
,
:CVE_2014_0130
=>
77
,
}
def
self
.
code
name
...
...
test/tests/markdown_output.rb
...
...
@@ -3,9 +3,9 @@ class TestMarkdownOutput < Test::Unit::TestCase
def
test_reported_warnings
if
Brakeman
::
Scanner
::
RUBY_1_9
assert_equal
167
,
Report
.
lines
.
to_a
.
count
else
assert_equal
168
,
Report
.
lines
.
to_a
.
count
else
assert_equal
169
,
Report
.
lines
.
to_a
.
count
end
end
end
test/tests/only_files_option.rb
...
...
@@ -11,7 +11,7 @@ class OnlyFilesOptionTests < Test::Unit::TestCase
:controller
=>
8
,
:model
=>
0
,
:template
=>
1
,
:generic
=>
8
}
:generic
=>
9
}
if
RUBY_PLATFORM
==
'java'
@expected
[
:generic
]
+=
1
...
...
@@ -97,4 +97,16 @@ class OnlyFilesOptionTests < Test::Unit::TestCase
:relative_path
=>
"Gemfile"
,
:user_input
=>
nil
end
def
test_remote_code_execution_CVE_2014_0130
assert_warning
:type
=>
:warning
,
:warning_code
=>
77
,
:fingerprint
=>
"93393e44a0232d348e4db62276b18321b4cbc9051b702d43ba2fd3287175283c"
,
:warning_type
=>
"Remote Code Execution"
,
:line
=>
nil
,
:message
=>
/^Rails\ 3\.2\.9\.rc2\ with\ globbing\ routes\ is\ /
,
:confidence
=>
0
,
:relative_path
=>
"config/routes.rb"
,
:user_input
=>
nil
end
end
test/tests/rails2.rb
...
...
@@ -17,13 +17,13 @@ class Rails2Tests < Test::Unit::TestCase
:controller
=>
1
,
:model
=>
3
,
:template
=>
47
,
:generic
=>
5
4
}
:generic
=>
5
5
}
else
@expected
||=
{
:controller
=>
1
,
:model
=>
3
,
:template
=>
47
,
:generic
=>
5
5
}
:generic
=>
5
6
}
end
end
...
...
@@ -1020,6 +1020,18 @@ class Rails2Tests < Test::Unit::TestCase
:user_input
=>
nil
end
def
test_remote_code_execution_CVE_2014_0130
assert_warning
:type
=>
:warning
,
:warning_code
=>
77
,
:fingerprint
=>
"93393e44a0232d348e4db62276b18321b4cbc9051b702d43ba2fd3287175283c"
,
:warning_type
=>
"Remote Code Execution"
,
:line
=>
nil
,
:message
=>
/^Rails\ 2\.3\.11\ with\ globbing\ routes\ is\ vul/
,
:confidence
=>
0
,
:relative_path
=>
"config/routes.rb"
,
:user_input
=>
nil
end
def
test_to_json
assert_warning
:type
=>
:template
,
:warning_type
=>
"Cross Site Scripting"
,
...
...
@@ -1373,13 +1385,13 @@ class Rails2WithOptionsTests < Test::Unit::TestCase
:controller
=>
1
,
:model
=>
4
,
:template
=>
47
,
:generic
=>
5
4
}
:generic
=>
5
5
}
else
@expected
||=
{
:controller
=>
1
,
:model
=>
4
,
:template
=>
47
,
:generic
=>
5
5
}
:generic
=>
5
6
}
end
end
...
...
test/tests/rails3.rb
...
...
@@ -16,7 +16,7 @@ class Rails3Tests < Test::Unit::TestCase
:controller
=>
1
,
:model
=>
8
,
:template
=>
38
,
:generic
=>
7
1
:generic
=>
7
2
}
if
RUBY_PLATFORM
==
'java'
...
...
@@ -1185,6 +1185,18 @@ class Rails3Tests < Test::Unit::TestCase
:user_input
=>
nil
end
def
test_remote_code_execution_CVE_2014_0130
assert_warning
:type
=>
:warning
,
:warning_code
=>
77
,
:fingerprint
=>
"93393e44a0232d348e4db62276b18321b4cbc9051b702d43ba2fd3287175283c"
,
:warning_type
=>
"Remote Code Execution"
,
:line
=>
nil
,
:message
=>
/^Rails\ 3\.0\.3\ with\ globbing\ routes\ is\ vuln/
,
:confidence
=>
0
,
:relative_path
=>
"config/routes.rb"
,
:user_input
=>
nil
end
def
test_http_only_session_setting
assert_warning
:type
=>
:warning
,
:warning_type
=>
"Session Setting"
,
...
...
test/tests/rails31.rb
...
...
@@ -15,7 +15,7 @@ class Rails31Tests < Test::Unit::TestCase
:model
=>
3
,
:template
=>
23
,
:controller
=>
4
,
:generic
=>
7
8
}
:generic
=>
7
9
}
end
def
test_without_protection
...
...
@@ -844,6 +844,18 @@ class Rails31Tests < Test::Unit::TestCase
:user_input
=>
nil
end
def
test_remote_code_execution_CVE_2014_0130
assert_warning
:type
=>
:warning
,
:warning_code
=>
77
,
:fingerprint
=>
"e833fd152ab95bf7481aada185323d97cd04c3e2322b90f3698632f4c4c04441"
,
:warning_type
=>
"Remote Code Execution"
,
:line
=>
nil
,
:message
=>
/^Rails\ 3\.1\.0\ with\ globbing\ routes\ is\ vuln/
,
:confidence
=>
1
,
:relative_path
=>
"config/routes.rb"
,
:user_input
=>
nil
end
def
test_to_json_with_overwritten_config
assert_warning
:type
=>
:template
,
:warning_type
=>
"Cross Site Scripting"
,
...
...
test/tests/rails32.rb
...
...
@@ -16,7 +16,7 @@ class Rails32Tests < Test::Unit::TestCase
:controller
=>
8
,
:model
=>
5
,
:template
=>
11
,
:generic
=>
1
6
}
:generic
=>
1
7
}
if
RUBY_PLATFORM
==
'java'
@expected
[
:generic
]
+=
1
...
...
@@ -140,6 +140,18 @@ class Rails32Tests < Test::Unit::TestCase
:user_input
=>
nil
end
def
test_remote_code_execution_CVE_2014_0130
assert_warning
:type
=>
:warning
,
:warning_code
=>
77
,
:fingerprint
=>
"93393e44a0232d348e4db62276b18321b4cbc9051b702d43ba2fd3287175283c"
,
:warning_type
=>
"Remote Code Execution"
,
:line
=>
nil
,
:message
=>
/^Rails\ 3\.2\.9\.rc2\ with\ globbing\ routes\ is\ /
,
:confidence
=>
0
,
:relative_path
=>
"config/routes.rb"
,
:user_input
=>
nil
end
def
test_redirect_1
assert_warning
:type
=>
:warning
,
:warning_type
=>
"Redirect"
,
...
...
test/tests/rails4.rb
...
...
@@ -15,7 +15,7 @@ class Rails4Tests < Test::Unit::TestCase
:controller
=>
0
,
:model
=>
1
,
:template
=>
2
,
:generic
=>
2
5
:generic
=>
2
6
}
end
...
...
@@ -428,6 +428,18 @@ class Rails4Tests < Test::Unit::TestCase
:user_input
=>
nil
end
def
test_remote_code_execution_CVE_2014_0130
assert_warning
:type
=>
:warning
,
:warning_code
=>
77
,
:fingerprint
=>
"e833fd152ab95bf7481aada185323d97cd04c3e2322b90f3698632f4c4c04441"
,
:warning_type
=>
"Remote Code Execution"
,
:line
=>
nil
,
:message
=>
/^Rails\ 4\.0\.0\ with\ globbing\ routes\ is\ vuln/
,
:confidence
=>
1
,
:relative_path
=>
"config/routes.rb"
,
:user_input
=>
nil
end
def
test_mass_assignment_with_permit!
assert_warning
:type
=>
:warning
,
:warning_code
=>
70
,
...
...
test/tests/rails4_with_engines.rb
...
...
@@ -11,7 +11,7 @@ class Rails4WithEnginesTests < Test::Unit::TestCase
:controller
=>
0
,
:model
=>
5
,
:template
=>
11
,
:generic
=>
6
}
:generic
=>
7
}
end
def
report
...
...
@@ -74,6 +74,18 @@ class Rails4WithEnginesTests < Test::Unit::TestCase
:user_input
=>
nil
end
def
test_remote_code_execution_CVE_2014_0130
assert_warning
:type
=>
:warning
,
:warning_code
=>
77
,
:fingerprint
=>
"e833fd152ab95bf7481aada185323d97cd04c3e2322b90f3698632f4c4c04441"
,
:warning_type
=>
"Remote Code Execution"
,
:line
=>
nil
,
:message
=>
/^Rails\ 4\.0\.0\ with\ globbing\ routes\ is\ vuln/
,
:confidence
=>
1
,
:relative_path
=>
"config/routes.rb"
,
:user_input
=>
nil
end
def
test_redirect_1
assert_warning
:type
=>
:generic
,
:warning_code
=>
18
,
...
...
test/tests/rails_lts.rb
...
...
@@ -47,4 +47,19 @@ class RailsLTSTests < Test::Unit::TestCase
assert_new
0
assert_fixed
4
# 2 + CVE-2012-1099 + CVE_2014_0081
end
def
test_rails_lts_CVE_2014_0130
gemfile
=
"Gemfile.lock"
before_rescan_of
gemfile
,
"rails_with_xss_plugin"
do
append
gemfile
,
"railslts-version (2.3.18.9)"
end
#@original is actually modified
assert
@original
.
config
[
:gems
][
:"railslts-version"
],
"2.3.18.9"
assert_reindex
:none
assert_changes
assert_new
0
assert_fixed
5
end
end
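Review bot: `assert_fixed 5` in test_rails_lts_CVE_2014_0130 carries no breakdown, unlike the preceding test's `assert_fixed 4 # 2 + CVE-2012-1099 + CVE_2014_0081`, so a reader cannot tell which fifth warning the LTS version is expected to clear. Presumably it is the new CVE-2014-0130 warning, in which case `assert_fixed 5 # 2 + CVE-2012-1099 + CVE_2014_0081 + CVE-2014-0130` keeps the two tests consistent and documents what the `railslts-version (2.3.18.9)` append is meant to fix.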
test/tests/rails_with_xss_plugin.rb
...
...
@@ -11,7 +11,7 @@ class RailsWithXssPluginTests < Test::Unit::TestCase
:controller
=>
1
,
:model
=>
3
,
:template
=>
4
,
:generic
=>
2
3
}
:generic
=>
2
4
}
end
def
report
...
...
@@ -404,4 +404,16 @@ class RailsWithXssPluginTests < Test::Unit::TestCase
:relative_path
=>
"Gemfile"
,
:user_input
=>
nil
end
def
test_remote_code_execution_CVE_2014_0130
assert_warning
:type
=>
:warning
,
:warning_code
=>
77
,
:fingerprint
=>
"93393e44a0232d348e4db62276b18321b4cbc9051b702d43ba2fd3287175283c"
,
:warning_type
=>
"Remote Code Execution"
,
:line
=>
nil
,
:message
=>
/^Rails\ 2\.3\.14\ with\ globbing\ routes\ is\ vul/
,
:confidence
=>
0
,
:relative_path
=>
"config/routes.rb"
,
:user_input
=>
nil
end
end
test/tests/tabs_output.rb
...
...
@@ -3,9 +3,9 @@ class TestTabsOutput < Test::Unit::TestCase
def
test_reported_warnings
if
Brakeman
::
Scanner
::
RUBY_1_9
assert_equal
106
,
Report
.
lines
.
to_a
.
count
else
assert_equal
107
,
Report
.
lines
.
to_a
.
count
else
assert_equal
108
,
Report
.
lines
.
to_a
.
count
end
end
end