Merge pull request #502 from presidentbeef/add_check_for_cve_2014_0130

Add check for CVE-2014-0130

lib/brakeman/checks/check_default_routes.rb

@@ -9,33 +9,78 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
   #Checks for :allow_all_actions globally and for individual routes
   #if it is not enabled globally.
   def run_check
-    if tracker.routes[:allow_all_actions]
+    check_for_default_routes
+    check_for_action_globs
+    check_for_cve_2014_0130
+  end
+
+  def check_for_default_routes
+    if allow_all_actions?
       #Default routes are enabled globally
-      warn :warning_type => "Default Routes", 
+      warn :warning_type => "Default Routes",
         :warning_code => :all_default_routes,
         :message => "All public methods in controllers are available as actions in routes.rb",
-        :line => tracker.routes[:allow_all_actions].line, 
+        :line => tracker.routes[:allow_all_actions].line,
         :confidence => CONFIDENCE[:high],
         :file => "#{tracker.options[:app_path]}/config/routes.rb"
-    else #Report each controller separately
-      Brakeman.debug "Checking each controller for default routes"
-
-      tracker.routes.each do |name, actions|
-        if actions.is_a? Array and actions[0] == :allow_all_actions
-          if actions[1].is_a? Hash and actions[1][:allow_verb]
-            verb = actions[1][:allow_verb]
-          else
-            verb = "any"
-          end
-          warn :controller => name,
-            :warning_type => "Default Routes", 
-            :warning_code => :controller_default_routes,
-            :message => "Any public method in #{name} can be used as an action for #{verb} requests.",
-            :line => actions[2],
-            :confidence => CONFIDENCE[:med],
-            :file => "#{tracker.options[:app_path]}/config/routes.rb"
+    end
+  end
+
+  def check_for_action_globs
+    return if allow_all_actions?
+    Brakeman.debug "Checking each controller for default routes"
+
+    tracker.routes.each do |name, actions|
+      if actions.is_a? Array and actions[0] == :allow_all_actions
+        @actions_allowed_on_controller = true
+        if actions[1].is_a? Hash and actions[1][:allow_verb]
+          verb = actions[1][:allow_verb]
+        else
+          verb = "any"
         end
+        warn :controller => name,
+          :warning_type => "Default Routes",
+          :warning_code => :controller_default_routes,
+          :message => "Any public method in #{name} can be used as an action for #{verb} requests.",
+          :line => actions[2],
+          :confidence => CONFIDENCE[:med],
+          :file => "#{tracker.options[:app_path]}/config/routes.rb"
       end
     end
   end
+
+  def check_for_cve_2014_0130
+    case
+    when lts_version?("2.3.18.9")
+      #TODO: Should support LTS 3.0.20 too
+      return
+    when version_between?("2.0.0", "2.3.18")
+      upgrade = "3.2.18"
+    when version_between?("3.0.0", "3.2.17")
+      upgrade = "3.2.18"
+    when version_between?("4.0.0", "4.0.4")
+      upgrade = "4.0.5"
+    when version_between?("4.1.0", "4.1.0")
+      upgrade = "4.1.1"
+    else
+      return
+    end
+
+    if allow_all_actions? or @actions_allowed_on_controller
+      confidence = CONFIDENCE[:high]
+    else
+      confidence = CONFIDENCE[:med]
+    end
+
+    warn :warning_type => "Remote Code Execution",
+      :warning_code => :CVE_2014_0130,
+      :message => "Rails #{tracker.config[:rails_version]} with globbing routes is vulnerable to directory traversal and remote code execution. Patch or upgrade to #{upgrade}",
+      :confidence => confidence,
+      :file => "#{tracker.options[:app_path]}/config/routes.rb",
+      :link => "http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf"
+  end
+
+  def allow_all_actions?
+    tracker.routes[:allow_all_actions]
+  end
 end

lib/brakeman/warning_codes.rb

@@ -76,7 +76,8 @@ module Brakeman::WarningCodes
     :CVE_2014_0081 => 73,
     :CVE_2014_0081_call => 74,
     :CVE_2014_0082 => 75,
-    :regex_dos => 76
+    :regex_dos => 76,
+    :CVE_2014_0130 => 77,
   }
 
   def self.code name

test/tests/markdown_output.rb

@@ -3,9 +3,9 @@ class TestMarkdownOutput < Test::Unit::TestCase
 
   def test_reported_warnings
     if Brakeman::Scanner::RUBY_1_9
-      assert_equal 167, Report.lines.to_a.count
-    else
       assert_equal 168, Report.lines.to_a.count
+    else
+      assert_equal 169, Report.lines.to_a.count
     end
   end
 end

test/tests/only_files_option.rb

@@ -11,7 +11,7 @@ class OnlyFilesOptionTests < Test::Unit::TestCase
       :controller => 8,
       :model => 0,
       :template => 1,
-      :generic => 8 }
+      :generic => 9 }
 
     if RUBY_PLATFORM == 'java'
       @expected[:generic] += 1
@@ -97,4 +97,16 @@ class OnlyFilesOptionTests < Test::Unit::TestCase
       :relative_path => "Gemfile",
       :user_input => nil
   end
+
+  def test_remote_code_execution_CVE_2014_0130
+    assert_warning :type => :warning,
+      :warning_code => 77,
+      :fingerprint => "93393e44a0232d348e4db62276b18321b4cbc9051b702d43ba2fd3287175283c",
+      :warning_type => "Remote Code Execution",
+      :line => nil,
+      :message => /^Rails\ 3\.2\.9\.rc2\ with\ globbing\ routes\ is\ /,
+      :confidence => 0,
+      :relative_path => "config/routes.rb",
+      :user_input => nil
+  end
 end

test/tests/rails2.rb

@@ -17,13 +17,13 @@ class Rails2Tests < Test::Unit::TestCase
         :controller => 1,
         :model => 3,
         :template => 47,
-        :generic => 54 }
+        :generic => 55 }
     else
       @expected ||= {
         :controller => 1,
         :model => 3,
         :template => 47,
-        :generic => 55 }
+        :generic => 56 }
     end
   end
 
@@ -1020,6 +1020,18 @@ class Rails2Tests < Test::Unit::TestCase
       :user_input => nil
   end
 
+  def test_remote_code_execution_CVE_2014_0130
+    assert_warning :type => :warning,
+      :warning_code => 77,
+      :fingerprint => "93393e44a0232d348e4db62276b18321b4cbc9051b702d43ba2fd3287175283c",
+      :warning_type => "Remote Code Execution",
+      :line => nil,
+      :message => /^Rails\ 2\.3\.11\ with\ globbing\ routes\ is\ vul/,
+      :confidence => 0,
+      :relative_path => "config/routes.rb",
+      :user_input => nil
+  end
+
   def test_to_json
     assert_warning :type => :template,
       :warning_type => "Cross Site Scripting",
@@ -1373,13 +1385,13 @@ class Rails2WithOptionsTests < Test::Unit::TestCase
         :controller => 1,
         :model => 4,
         :template => 47,
-        :generic => 54 }
+        :generic => 55 }
     else
       @expected ||= {
         :controller => 1,
         :model => 4,
         :template => 47,
-        :generic => 55 }
+        :generic => 56 }
     end
   end
 

test/tests/rails3.rb

@@ -16,7 +16,7 @@ class Rails3Tests < Test::Unit::TestCase
       :controller => 1,
       :model => 8,
       :template => 38,
-      :generic => 71
+      :generic => 72
     }
 
     if RUBY_PLATFORM == 'java'
@@ -1185,6 +1185,18 @@ class Rails3Tests < Test::Unit::TestCase
       :user_input => nil
   end
 
+  def test_remote_code_execution_CVE_2014_0130
+    assert_warning :type => :warning,
+      :warning_code => 77,
+      :fingerprint => "93393e44a0232d348e4db62276b18321b4cbc9051b702d43ba2fd3287175283c",
+      :warning_type => "Remote Code Execution",
+      :line => nil,
+      :message => /^Rails\ 3\.0\.3\ with\ globbing\ routes\ is\ vuln/,
+      :confidence => 0,
+      :relative_path => "config/routes.rb",
+      :user_input => nil
+  end
+
   def test_http_only_session_setting
     assert_warning :type => :warning,
       :warning_type => "Session Setting",

test/tests/rails31.rb

@@ -15,7 +15,7 @@ class Rails31Tests < Test::Unit::TestCase
       :model => 3,
       :template => 23,
       :controller => 4,
-      :generic => 78 }
+      :generic => 79 }
   end
 
   def test_without_protection
@@ -844,6 +844,18 @@ class Rails31Tests < Test::Unit::TestCase
       :user_input => nil
   end
 
+  def test_remote_code_execution_CVE_2014_0130
+    assert_warning :type => :warning,
+      :warning_code => 77,
+      :fingerprint => "e833fd152ab95bf7481aada185323d97cd04c3e2322b90f3698632f4c4c04441",
+      :warning_type => "Remote Code Execution",
+      :line => nil,
+      :message => /^Rails\ 3\.1\.0\ with\ globbing\ routes\ is\ vuln/,
+      :confidence => 1,
+      :relative_path => "config/routes.rb",
+      :user_input => nil
+  end
+
   def test_to_json_with_overwritten_config
     assert_warning :type => :template,
       :warning_type => "Cross Site Scripting",

test/tests/rails32.rb

@@ -16,7 +16,7 @@ class Rails32Tests < Test::Unit::TestCase
       :controller => 8,
       :model => 5,
       :template => 11,
-      :generic => 16 }
+      :generic => 17 }
 
     if RUBY_PLATFORM == 'java'
       @expected[:generic] += 1
@@ -140,6 +140,18 @@ class Rails32Tests < Test::Unit::TestCase
       :user_input => nil
   end
 
+  def test_remote_code_execution_CVE_2014_0130
+    assert_warning :type => :warning,
+      :warning_code => 77,
+      :fingerprint => "93393e44a0232d348e4db62276b18321b4cbc9051b702d43ba2fd3287175283c",
+      :warning_type => "Remote Code Execution",
+      :line => nil,
+      :message => /^Rails\ 3\.2\.9\.rc2\ with\ globbing\ routes\ is\ /,
+      :confidence => 0,
+      :relative_path => "config/routes.rb",
+      :user_input => nil
+  end
+
   def test_redirect_1
     assert_warning :type => :warning,
       :warning_type => "Redirect",

test/tests/rails4.rb

@@ -15,7 +15,7 @@ class Rails4Tests < Test::Unit::TestCase
       :controller => 0,
       :model => 1,
       :template => 2,
-      :generic => 25
+      :generic => 26
     }
   end
 
@@ -428,6 +428,18 @@ class Rails4Tests < Test::Unit::TestCase
       :user_input => nil
   end
 
+  def test_remote_code_execution_CVE_2014_0130
+    assert_warning :type => :warning,
+      :warning_code => 77,
+      :fingerprint => "e833fd152ab95bf7481aada185323d97cd04c3e2322b90f3698632f4c4c04441",
+      :warning_type => "Remote Code Execution",
+      :line => nil,
+      :message => /^Rails\ 4\.0\.0\ with\ globbing\ routes\ is\ vuln/,
+      :confidence => 1,
+      :relative_path => "config/routes.rb",
+      :user_input => nil
+  end
+
   def test_mass_assignment_with_permit!
     assert_warning :type => :warning,
       :warning_code => 70,

test/tests/rails4_with_engines.rb

@@ -11,7 +11,7 @@ class Rails4WithEnginesTests < Test::Unit::TestCase
       :controller => 0,
       :model => 5,
       :template => 11,
-      :generic => 6 }
+      :generic => 7 }
   end
 
   def report
@@ -74,6 +74,18 @@ class Rails4WithEnginesTests < Test::Unit::TestCase
       :user_input => nil
   end
 
+  def test_remote_code_execution_CVE_2014_0130
+    assert_warning :type => :warning,
+      :warning_code => 77,
+      :fingerprint => "e833fd152ab95bf7481aada185323d97cd04c3e2322b90f3698632f4c4c04441",
+      :warning_type => "Remote Code Execution",
+      :line => nil,
+      :message => /^Rails\ 4\.0\.0\ with\ globbing\ routes\ is\ vuln/,
+      :confidence => 1,
+      :relative_path => "config/routes.rb",
+      :user_input => nil
+  end
+
   def test_redirect_1
     assert_warning :type => :generic,
       :warning_code => 18,

test/tests/rails_lts.rb

@@ -47,4 +47,19 @@ class RailsLTSTests < Test::Unit::TestCase
     assert_new 0
     assert_fixed 4 # 2 + CVE-2012-1099 + CVE_2014_0081
   end
+
+  def test_rails_lts_CVE_2014_0130
+    gemfile = "Gemfile.lock"
+
+    before_rescan_of gemfile, "rails_with_xss_plugin" do
+      append gemfile, "railslts-version (2.3.18.9)"
+    end
+
+    #@original is actually modified
+    assert @original.config[:gems][:"railslts-version"], "2.3.18.9"
+    assert_reindex :none
+    assert_changes
+    assert_new 0
+    assert_fixed 5
+  end
 end

test/tests/rails_with_xss_plugin.rb

@@ -11,7 +11,7 @@ class RailsWithXssPluginTests < Test::Unit::TestCase
       :controller => 1,
       :model => 3,
       :template => 4,
-      :generic => 23 }
+      :generic => 24 }
   end
 
   def report
@@ -404,4 +404,16 @@ class RailsWithXssPluginTests < Test::Unit::TestCase
       :relative_path => "Gemfile",
       :user_input => nil
   end
+
+  def test_remote_code_execution_CVE_2014_0130
+    assert_warning :type => :warning,
+      :warning_code => 77,
+      :fingerprint => "93393e44a0232d348e4db62276b18321b4cbc9051b702d43ba2fd3287175283c",
+      :warning_type => "Remote Code Execution",
+      :line => nil,
+      :message => /^Rails\ 2\.3\.14\ with\ globbing\ routes\ is\ vul/,
+      :confidence => 0,
+      :relative_path => "config/routes.rb",
+      :user_input => nil
+  end
 end

test/tests/tabs_output.rb

@@ -3,9 +3,9 @@ class TestTabsOutput < Test::Unit::TestCase
 
   def test_reported_warnings
     if Brakeman::Scanner::RUBY_1_9
-      assert_equal 106, Report.lines.to_a.count
-    else
       assert_equal 107, Report.lines.to_a.count
+    else
+      assert_equal 108, Report.lines.to_a.count
     end
   end
 end