Add check for CVE-2013-6416 (simple_format XSS)

c69e419f · Justin Collins · f93112e6 · c69e419f · c69e419f · c69e419f
5 changed file
--- a/lib/brakeman/checks/check_simple_format.rb
+++ b/lib/brakeman/checks/check_simple_format.rb
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckSimpleFormat < Brakeman::CheckCrossSiteScripting
+  Brakeman::Checks.add self
+
+  @description = "Checks for simple_format XSS vulnerability (CVE-2013-6416) in certain versions"
+
+  def run_check
+    if version_between? "4.0.0", "4.0.1"
+      @inspect_arguments = true
+      @ignore_methods = Set[:h, :escapeHTML]
+
+      check_simple_format_usage
+      generic_warning unless @found_any
+    end
+  end
+
+  def generic_warning
+    message = "Rails #{tracker.config[:rails_version]} has a vulnerability in simple_format (CVE-2013-6416). Upgrade to Rails version 4.0.2"
+
+    warn :warning_type => "Cross Site Scripting",
+      :warning_code => :CVE_2013_6416,
+      :message => message,
+      :confidence => CONFIDENCE[:med],
+      :file => gemfile_or_environment,
+      :link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ"
+  end
+
+  def check_simple_format_usage
+    tracker.find_call(:target => false, :method => :simple_format).each do |result|
+      @matched = false
+      process_call result[:call]
+      if @matched
+        warn_on_simple_format result, @matched
+      end
+    end
+  end
+
+  def process_call exp
+    @mark = true
+    actually_process_call exp
+    exp
+  end
+
+  def warn_on_simple_format result, match
+    return if duplicate? result
+    add_result result
+
+    @found_any = true
+
+    warn :result => result,
+      :warning_type => "Cross Site Scripting",
+      :warning_code => :CVE_2013_6416_call,
+      :message => "Values passed to simple_format are not safe in Rails #{@tracker.config[:rails_version]}",
+      :confidence => CONFIDENCE[:high],
+      :file => gemfile_or_environment,
+      :link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ",
+      :user_input => match.match
+  end
+end
--- a/lib/brakeman/warning_codes.rb
+++ b/lib/brakeman/warning_codes.rb
@@ -67,6 +67,8 @@ module Brakeman::WarningCodes
    :CVE_2013_6414 => 64,
    :CVE_2013_6415 => 65,
    :CVE_2013_6415_call => 66,
+    :CVE_2013_6416 => 67,
+    :CVE_2013_6416_call => 68,
  }

  def self.code name

--- a/test/apps/rails4_with_engines/engines/user_removal/app/views/users/show.html.erb
+++ b/test/apps/rails4_with_engines/engines/user_removal/app/views/users/show.html.erb
@@ -15,6 +15,13 @@
  <%= @user_data %>
 </p>

+<p>
+  <b>Stuff I like:</b>
+  <%= simple_format(@user.likes, :class => "likes") %>
+  <%= simple_format("some string", :color => params[:color]) %>
+  <%= simple_format("some string", :id => h(params[:color])) %> should not warn
+</p>
+

 <%= link_to 'Edit', edit_user_path(@user) %> |
 <%= link_to 'Back', users_path %>

--- a/test/tests/rails4.rb
+++ b/test/tests/rails4.rb
@@ -14,8 +14,8 @@ class Rails4Tests < Test::Unit::TestCase
    @expected ||= {
      :controller => 0,
      :model => 0,
-      :template => 0,
-      :generic => 5
+      :template => 1,
+      :generic => 6
    }
  end


--- a/test/tests/rails4_with_engines.rb
+++ b/test/tests/rails4_with_engines.rb
@@ -10,8 +10,8 @@ class Rails4WithEnginesTests < Test::Unit::TestCase
    @expected ||= {
      :controller => 0,
      :model => 5,
-      :template => 9,
-      :generic => 2 }
+      :template => 11,
+      :generic => 6 }
  end

  def report
@@ -40,6 +40,40 @@ class Rails4WithEnginesTests < Test::Unit::TestCase
      :user_input => nil
  end

+  def test_xss_simple_format_CVE_2013_6416
+    assert_warning :type => :template,
+      :warning_code => 68,
+      :fingerprint => "0e340cc916e7487f118dae7cf3e3c1e6763c13455ec84ad56b4d3f520de8b3cb",
+      :warning_type => "Cross Site Scripting",
+      :line => 20,
+      :message => /^Values\ passed\ to\ simple_format\ are\ not\ s/,
+      :confidence => 0,
+      :relative_path => "Gemfile",
+      :user_input => s(:call, s(:call, s(:const, :User), :find, s(:call, s(:params), :[], s(:lit, :id))), :likes)
+
+    assert_warning :type => :template,
+      :warning_code => 68,
+      :fingerprint => "33d10865a3c6c1594ecbee5511cde466b474b0e819ef979193159559becfbd4c",
+      :warning_type => "Cross Site Scripting",
+      :line => 21,
+      :message => /^Values\ passed\ to\ simple_format\ are\ not\ s/,
+      :confidence => 0,
+      :relative_path => "Gemfile",
+      :user_input => s(:call, s(:params), :[], s(:lit, :color))
+  end
+
+  def test_sql_injection_CVE_2013_6417
+    assert_warning :type => :warning,
+      :warning_code => 69,
+      :fingerprint => "e1b66f4311771d714a13be519693c540d7e917511a758827d9b2a0a7f958e40f",
+      :warning_type => "SQL Injection",
+      :line => nil,
+      :message => /^Rails\ 4\.0\.0\ contains\ a\ SQL\ injection\ vul/,
+      :confidence => 0,
+      :relative_path => "Gemfile",
+      :user_input => nil
+  end
+
  def test_redirect_1
    assert_warning :type => :generic,
      :warning_code => 18,