Add check for detailed exceptions

closes #391

lib/brakeman/checks/check_detailed_exceptions.rb

+require 'brakeman/checks/base_check'
+
+# Check for detailed exceptions enabled for production
+class Brakeman::CheckDetailedExceptions < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  LOCAL_REQUEST = s(:call, s(:call, nil, :request), :local?)
+
+  @description = "Checks for information disclosure displayed via detailed exceptions"
+
+  def run_check
+    check_local_request_config
+    check_detailed_exceptions
+  end
+
+  def check_local_request_config
+    if true? tracker.config[:rails][:consider_all_requests_local]
+      warn :warning_type => "Information Disclosure",
+           :warning_code => :local_request_config,
+           :message => "Detailed exceptions are enabled in production",
+           :confidence => CONFIDENCE[:high]
+    end
+  end
+
+  def check_detailed_exceptions
+    tracker.controllers.each do |name, controller|
+      controller[:public].each do |name, method|
+        body = method.body.last
+        next unless body
+
+        if name == :show_detailed_exceptions? and not safe? body
+          if true? body
+            confidence = CONFIDENCE[:high]
+          else
+            confidence = CONFIDENCE[:med]
+          end
+
+          warn :warning_type => "Information Disclosure",
+               :warning_code => :detailed_exceptions,
+               :message => "Detailed exceptions may be enabled in 'show_detailed_exceptions?'",
+               :confidence => confidence,
+               :code => method,
+               :file => controller[:file]
+        end
+      end
+    end
+  end
+
+  def safe? body
+    false? body or
+    body == LOCAL_REQUEST
+  end
+end

lib/brakeman/warning_codes.rb

@@ -60,7 +60,9 @@ module Brakeman::WarningCodes
     :CVE_2013_1856 => 57,
     :CVE_2013_1857 => 58,
     :unsafe_symbol_creation => 59,
-    :dangerous_attr_accessible => 60
+    :dangerous_attr_accessible => 60,
+    :local_request_config => 61,
+    :detailed_exceptions => 62
   }
 
   def self.code name

test/apps/rails3.1/app/controllers/admin_controller.rb

@@ -25,4 +25,8 @@ class AdminController < ApplicationController
       username == "foo" && password == correct_password
     end
   end
+
+  def show_detailed_exceptions?
+    yeah_sure_they_are_an_admin_right? current_user
+  end
 end

test/apps/rails3.2/app/controllers/users_controller.rb

@@ -88,4 +88,8 @@ class UsersController < ApplicationController
     @user = User.find(params[:id])
     @query = params[:query]
   end
+
+  def show_detailed_exceptions?
+    false # no warning
+  end
 end

test/apps/rails4/app/controllers/application_controller.rb

@@ -2,4 +2,8 @@ class ApplicationController < ActionController::Base
   # Prevent CSRF attacks by raising an exception.
   # For APIs, you may want to use :null_session instead.
   protect_from_forgery with: :exception
+
+  def show_detailed_exceptions?
+    true
+  end
 end

test/apps/rails4/config/environments/production.rb

@@ -11,7 +11,7 @@ Rails4::Application.configure do
   config.eager_load = true
 
   # Full error reports are disabled and caching is turned on.
-  config.consider_all_requests_local       = false
+  config.consider_all_requests_local       = true
   config.action_controller.perform_caching = true
 
   # Enable Rack::Cache to put a simple HTTP cache in front of your application

test/tests/rails31.rb

@@ -15,7 +15,7 @@ class Rails31Tests < Test::Unit::TestCase
       :model => 3,
       :template => 23,
       :controller => 4,
-      :generic => 72 }
+      :generic => 73 }
   end
 
   def test_without_protection
@@ -1075,4 +1075,15 @@ class Rails31Tests < Test::Unit::TestCase
       :confidence => 0,
       :relative_path => "app/views/other/test_model_in_haml.html.haml"
   end
+
+  def test_information_disclosure_detailed_exceptions_override
+    assert_warning :type => :warning,
+      :warning_code => 62,
+      :fingerprint => "16f60330426df3603595f5692c7b0916e38c8674a214fef45d7acf248a8db6b3",
+      :warning_type => "Information Disclosure",
+      :line => 29,
+      :message => /^Detailed\ exceptions\ may\ be\ enabled\ in\ 's/,
+      :confidence => 1,
+      :relative_path => "app/controllers/admin_controller.rb"
+  end
 end

test/tests/rails4.rb

@@ -15,7 +15,7 @@ class Rails4Tests < Test::Unit::TestCase
       :controller => 0,
       :model => 0,
       :template => 0,
-      :generic => 1
+      :generic => 3
     }
   end
 
@@ -67,4 +67,25 @@ class Rails4Tests < Test::Unit::TestCase
       :confidence => 0,
       :relative_path => "app/views/users/index.html.erb"
   end
+
+  def test_information_disclosure_local_request_config
+    assert_warning :type => :warning,
+      :warning_code => 61,
+      :fingerprint => "fd19ecddf78b117041a99cac38a3277913a1fa061367963dd7df3843d79167dd",
+      :warning_type => "Information Disclosure",
+      :message => /^Detailed\ exceptions\ are\ enabled\ in\ produ/,
+      :confidence => 0,
+      :relative_path => nil
+  end
+
+  def test_information_disclosure_detailed_exceptions_override
+    assert_warning :type => :warning,
+      :warning_code => 62,
+      :fingerprint => "c1c1c512feca03b77e560939098efabbc2ec9279ef66f75bc63a84f815b54ec2",
+      :warning_type => "Information Disclosure",
+      :line => 6,
+      :message => /^Detailed\ exceptions\ may\ be\ enabled\ in\ 's/,
+      :confidence => 0,
+      :relative_path => "app/controllers/application_controller.rb"
+  end
 end