Add check for CVE-2015-3226

lib/brakeman/checks/check_json_encoding.rb

+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckJSONEncoding < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for missing JSON encoding (CVE-2015-3226)"
+
+  def run_check
+    if (version_between? "4.1.0", "4.1.10" or version_between? "4.2.0", "4.2.1") and not has_workaround?
+      message = "Rails #{tracker.config[:rails_version]} does not encode JSON keys (CVE-2015-3226). Upgrade to Rails version "
+
+      if version_between? "4.1.0", "4.1.10"
+        message << "4.1.11"
+      else
+        message << "4.2.2"
+      end
+
+      if tracker.find_call(:methods => [:to_json, :encode]).any?
+        confidence = CONFIDENCE[:high]
+      else
+        confidence = CONFIDENCE[:med]
+      end
+
+      warn :warning_type => "Cross Site Scripting",
+        :warning_code => :CVE_2015_3226,
+        :message => message,
+        :confidence => confidence,
+        :gem_info => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/msg/rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ"
+    end
+  end
+
+  def has_workaround?
+    workaround = s(:module, :ActiveSupport,
+                   s(:module, :JSON,
+                     s(:module, :Encoding,
+                       s(:call, nil, :private),
+                       s(:class, :EscapedString, nil,
+                         s(:defn, :to_s,
+                           s(:args),
+                           s(:self))))))
+
+    tracker.initializers.any? do |name, initializer|
+      initializer == workaround
+    end
+  end
+end

lib/brakeman/warning_codes.rb

@@ -88,6 +88,7 @@ module Brakeman::WarningCodes
     :cross_site_scripting_inline => 84,
     :CVE_2014_7829 => 85,
     :csrf_not_protected_by_raising_exception => 86,
+    :CVE_2015_3226 => 87,
   }
 
   def self.code name

test/test.rb

@@ -197,7 +197,10 @@ module BrakemanTester::RescanTestHelper
   end
 
   def write_file file, content
-    File.open full_path(file), "w+" do |f|
+    require 'fileutils'
+    path = full_path(file)
+    FileUtils.mkdir_p(File.dirname(path))
+    File.open path, "w" do |f|
       f.puts content
     end
   end

test/tests/cves.rb

+require 'brakeman/rescanner'
+
+class CVETests < Test::Unit::TestCase
+  include BrakemanTester::RescanTestHelper
+  include BrakemanTester::FindWarning
+
+  def report
+    @rescanner.tracker.report.to_hash
+  end
+
+  def assert_version version, gem = :rails
+    if gem == :rails
+      assert_equal version, @rescanner.tracker.config[:rails_version]
+    else
+      assert_equal version, @rescanner.tracker.config[:gems][gem][:version]
+    end
+  end
+
+  def test_CVE_2015_3226_4_1_1
+    before_rescan_of "Gemfile", "rails4" do
+      replace "Gemfile", "4.0.0", "4.1.1"
+    end
+
+    assert_version "4.1.1"
+    assert_warning :type => :warning,
+      :warning_code => 87,
+      :fingerprint => "6c2281400c467a0100bcedeb122bc2cb024d09e538e18f4c7328c3569fff6754",
+      :warning_type => "Cross Site Scripting",
+      :line => 4,
+      :message => /^Rails\ 4\.1\.1\ does\ not\ encode\ JSON\ keys\ \(C/,
+      :confidence => 0,
+      :relative_path => "Gemfile",
+      :user_input => nil 
+  end
+
+  def test_CVE_2015_3226_4_2_1
+    before_rescan_of "Gemfile", "rails4" do
+      replace "Gemfile", "4.0.0", "4.2.1"
+    end
+
+    assert_version "4.2.1"
+    assert_warning :type => :warning,
+      :warning_code => 87,
+      :fingerprint => "6c2281400c467a0100bcedeb122bc2cb024d09e538e18f4c7328c3569fff6754",
+      :warning_type => "Cross Site Scripting",
+      :line => 4,
+      :message => /^Rails\ 4\.2\.1\ does\ not\ encode\ JSON\ keys\ \(C/,
+      :confidence => 0,
+      :relative_path => "Gemfile",
+      :user_input => nil 
+  end
+
+  def test_CVE_2015_3226_workaround
+    initializer = "config/initializers/json.rb"
+    before_rescan_of ["Gemfile", initializer], "rails4" do
+      replace "Gemfile", "4.0.0", "4.2.1"
+
+      write_file initializer, <<-RUBY
+      module ActiveSupport
+        module JSON
+          module Encoding
+            private
+            class EscapedString
+              def to_s
+                self
+              end
+            end
+          end
+        end
+      end 
+      RUBY
+    end
+
+    assert_version "4.2.1"
+    assert_no_warning :type => :warning,
+      :warning_code => 87,
+      :fingerprint => "6c2281400c467a0100bcedeb122bc2cb024d09e538e18f4c7328c3569fff6754",
+      :warning_type => "Cross Site Scripting",
+      :line => 4,
+      :message => /^Rails\ 4\.2\.1\ does\ not\ encode\ JSON\ keys\ \(C/,
+      :confidence => 0,
+      :relative_path => "Gemfile",
+      :user_input => nil 
+  end
+
+end