Add check for CVE-2013-6414 (header DoS)

630ff40d · Justin Collins · af316fd9 · 630ff40d · 630ff40d · 630ff40d
7 changed file
--- a/lib/brakeman/checks/check_header_dos.rb
+++ b/lib/brakeman/checks/check_header_dos.rb
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckHeaderDoS < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for header DoS (CVE-2013-6414)"
+
+  def run_check
+    if (version_between? "3.0.0", "3.2.15" or version_between? "4.0.0", "4.0.1") and not has_workaround?
+      message = "Rails #{tracker.config[:rails_version]} has a denial of service vulnerability (CVE-2013-6414). Upgrade to Rails version "
+
+      if version_between? "3.0.0", "3.2.15"
+        message << "3.2.16"
+      else
+        message << "4.0.2"
+      end
+
+      warn :warning_type => "Denial of Service",
+        :warning_code => :CVE_2013_6414,
+        :message => message,
+        :confidence => CONFIDENCE[:med],
+        :file => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/msg/ruby-security-ann/A-ebV4WxzKg/KNPTbX8XAQUJ"
+    end
+  end
+
+  def has_workaround?
+    tracker.check_initializers(:ActiveSupport, :on_load).any? and
+    tracker.check_initializers(:"ActionView::LookupContext::DetailsKey", :class_eval).any?
+  end
+end
--- a/lib/brakeman/warning_codes.rb
+++ b/lib/brakeman/warning_codes.rb
@@ -64,6 +64,7 @@ module Brakeman::WarningCodes
    :local_request_config => 61,
    :detailed_exceptions => 62,
    :CVE_2013_4491 => 63,
+    :CVE_2013_6414 => 64,
  }

  def self.code name

--- a/test/apps/rails3.2/config/initializers/header_dos_protection.rb
+++ b/test/apps/rails3.2/config/initializers/header_dos_protection.rb
+# https://groups.google.com/d/msg/ruby-security-ann/A-ebV4WxzKg/KNPTbX8XAQUJ
+ActiveSupport.on_load(:action_view) do 
+  ActionView::LookupContext::DetailsKey.class_eval do 
+    class << self 
+      alias :old_get :get 
+
+      def get(details) 
+        if details[:formats] 
+          details = details.dup 
+          syms    = Set.new Mime::SET.symbols 
+          details[:formats] = details[:formats].select { |v| 
+            syms.include? v 
+          } 
+        end 
+        old_get details 
+      end 
+    end 
+  end 
+end 
--- a/test/tests/only_files_option.rb
+++ b/test/tests/only_files_option.rb
@@ -62,4 +62,17 @@ class OnlyFilesOptionTests < Test::Unit::TestCase
      :confidence => 1,
      :relative_path => "Gemfile"
  end
+
+  def test_denial_of_service_CVE_2013_6414
+    assert_warning :type => :warning,
+      :warning_code => 64,
+      :fingerprint => "a7b00f08e4a18c09388ad017876e3f57d18040ead2816a2091f3301b6f0e5a00",
+      :warning_type => "Denial of Service",
+      :line => nil,
+      :message => /^Rails\ 3\.2\.9\.rc2\ has\ a\ denial\ of\ service\ /,
+      :confidence => 1,
+      :relative_path => "Gemfile",
+      :user_input => nil
+  end
+
 end
--- a/test/tests/rails3.rb
+++ b/test/tests/rails3.rb
@@ -1081,12 +1081,24 @@ class Rails3Tests < Test::Unit::TestCase

  def test_denial_of_service_CVE_2013_1854
    assert_no_warning :type => :warning,
+      :warning_code => 55,
+      :fingerprint => "2746b8872d4f46676a8c490a7ac906d23f6b11c9d83b6371ff5895139ec7b43b",
      :warning_type => "Denial of Service",
      :message => /^Rails\ 3\.0\.3\ has\ a\ denial\ of\ service\ vul/,
      :confidence => 1,
      :file => /Gemfile/
  end

+  def test_denial_of_service_CVE_2013_6414
+    assert_warning :type => :warning,
+      :warning_code => 64,
+      :fingerprint => "a7b00f08e4a18c09388ad017876e3f57d18040ead2816a2091f3301b6f0e5a00",
+      :warning_type => "Denial of Service",
+      :message => /^Rails\ 3\.0\.3\ has\ a\ denial\ of\ service\ vuln/,
+      :confidence => 1,
+      :relative_path => "Gemfile"
+  end
+
  def test_http_only_session_setting
    assert_warning :type => :warning,
      :warning_type => "Session Setting",

--- a/test/tests/rails31.rb
+++ b/test/tests/rails31.rb
@@ -802,12 +802,24 @@ class Rails31Tests < Test::Unit::TestCase

  def test_denial_of_service_CVE_2013_1854
    assert_warning :type => :warning,
+      :warning_code => 55,
+      :fingerprint => "2746b8872d4f46676a8c490a7ac906d23f6b11c9d83b6371ff5895139ec7b43b",
      :warning_type => "Denial of Service",
      :message => /^Rails\ 3\.1\.0\ has\ a\ denial\ of\ service\ vul/,
      :confidence => 1,
      :file => /Gemfile/
  end

+  def test_denial_of_service_CVE_2013_6414
+    assert_warning :type => :warning,
+      :warning_code => 64,
+      :fingerprint => "a7b00f08e4a18c09388ad017876e3f57d18040ead2816a2091f3301b6f0e5a00",
+      :warning_type => "Denial of Service",
+      :message => /^Rails\ 3\.1\.0\ has\ a\ denial\ of\ service\ vuln/,
+      :confidence => 1,
+      :relative_path => "Gemfile"
+  end
+
  def test_to_json_with_overwritten_config
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",

--- a/test/tests/rails32.rb
+++ b/test/tests/rails32.rb
@@ -82,6 +82,8 @@ class Rails32Tests < Test::Unit::TestCase

  def test_denial_of_service_CVE_2013_1854
    assert_warning :type => :warning,
+      :warning_code => 55,
+      :fingerprint => "2746b8872d4f46676a8c490a7ac906d23f6b11c9d83b6371ff5895139ec7b43b",
      :warning_type => "Denial of Service",
      :message => /^Rails\ 3\.2\.9\.rc2\ has\ a\ denial\ of\ service\ vul/,
      :confidence => 1,