Add check for CVE-2014-0082

lib/brakeman/checks/check_render_dos.rb

+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckRenderDoS < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Warn about denial of service with render :text (CVE-2014-0082)"
+
+  def run_check
+    if version_between? "3.0.0", "3.0.20" or
+       version_between? "3.1.0", "3.1.12" or
+       version_between? "3.2.0", "3.2.16"
+
+      tracker.find_call(:target => nil, :method => :render).each do |result|
+        if text_render? result
+          warn_about_text_render
+          break
+        end
+      end
+    end
+  end
+
+  def text_render? result
+    node_type? result[:call], :render and
+    result[:call].render_type == :text
+  end
+
+  def warn_about_text_render
+    message = "Rails #{tracker.config[:rails_version]} has a denial of service vulnerability (CVE-2014-0082). Upgrade to Rails version 3.2.17"
+
+    warn :warning_type => "Denial of Service",
+      :warning_code => :CVE_2014_0082,
+      :message => message,
+      :confidence => CONFIDENCE[:high],
+      :link_path => "https://groups.google.com/d/msg/rubyonrails-security/LMxO_3_eCuc/ozGBEhKaJbIJ",
+      :file => gemfile_or_environment
+  end
+end

lib/brakeman/warning_codes.rb

@@ -75,6 +75,7 @@ module Brakeman::WarningCodes
     :CVE_2014_0080 => 72,
     :CVE_2014_0081 => 73,
     :CVE_2014_0081_call => 74,
+    :CVE_2014_0082 => 75,
   }
 
   def self.code name

test/apps/rails3.2/app/controllers/users_controller.rb

@@ -92,4 +92,8 @@ class UsersController < ApplicationController
   def show_detailed_exceptions?
     false # no warning
   end
+
+  def render_text
+    render :text => "oh noes my service"
+  end
 end

test/apps/rails3/app/controllers/products_controller.rb

@@ -80,4 +80,8 @@ class ProductsController < ApplicationController
       format.xml  { head :ok }
     end
   end
+
+  def render_some_text
+    render :text => "jello"
+  end
 end

test/tests/rails3.rb

@@ -16,7 +16,7 @@ class Rails3Tests < Test::Unit::TestCase
       :controller => 1,
       :model => 8,
       :template => 38,
-      :generic => 70
+      :generic => 71
     }
 
     if RUBY_PLATFORM == 'java'
@@ -1173,6 +1173,18 @@ class Rails3Tests < Test::Unit::TestCase
       :user_input => nil
   end
 
+  def test_denial_of_service_CVE_2014_0082
+    assert_warning :type => :warning,
+      :warning_code => 75,
+      :fingerprint => "403a72d08a90043384fe56d3a6bc3e255b8799b380693914143d403607433db7",
+      :warning_type => "Denial of Service",
+      :line => nil,
+      :message => /^Rails\ 3\.0\.3\ has\ a\ denial\ of\ service\ vuln/,
+      :confidence => 0,
+      :relative_path => "Gemfile",
+      :user_input => nil
+  end
+
   def test_http_only_session_setting
     assert_warning :type => :warning,
       :warning_type => "Session Setting",

test/tests/rails32.rb

@@ -11,7 +11,7 @@ class Rails32Tests < Test::Unit::TestCase
       :controller => 0,
       :model => 5,
       :template => 11,
-      :generic => 10 }
+      :generic => 11 }
 
     if RUBY_PLATFORM == 'java'
       @expected[:generic] += 1
@@ -123,6 +123,18 @@ class Rails32Tests < Test::Unit::TestCase
       :user_input => nil
   end
 
+  def test_denial_of_service_CVE_2014_0082
+    assert_warning :type => :warning,
+      :warning_code => 75,
+      :fingerprint => "403a72d08a90043384fe56d3a6bc3e255b8799b380693914143d403607433db7",
+      :warning_type => "Denial of Service",
+      :line => nil,
+      :message => /^Rails\ 3\.2\.9\.rc2\ has\ a\ denial\ of\ service\ /,
+      :confidence => 0,
+      :relative_path => "Gemfile",
+      :user_input => nil
+  end
+
   def test_redirect_1
     assert_warning :type => :warning,
       :warning_type => "Redirect",

test/tests/rescanner.rb

@@ -267,4 +267,23 @@ class RescannerTests < Test::Unit::TestCase
     assert_new 0
     assert_fixed 2
   end
+
+  def test_gemfile_rails_version_fix_CVE_2014_0082
+    gemfile = "Gemfile.lock"
+
+    before_rescan_of gemfile do
+      replace gemfile, "rails (3.2.9.rc2)", "rails (3.2.17)"
+    end
+
+    #@original is actually modified
+    assert @original.config[:rails_version], "3.2.17"
+    assert_reindex :none
+    assert_changes
+    assert_new 0
+    if RUBY_PLATFORM == "java"
+      assert_fixed 10
+    else
+      assert_fixed 9
+    end
+  end
 end