From 7225f6f57d1054a7ab488ffdba3a7737d636fc5b Mon Sep 17 00:00:00 2001
From: Justin Collins
Date: Thu, 30 Jul 2015 07:43:38 -0700
Subject: [PATCH] Expand SSL verify mode to Net::HTTP.start options

---
 lib/brakeman/checks/check_ssl_verify.rb | 36 ++++++++++++++++++-------
 test/apps/rails4/lib/sweet_lib.rb | 4 +++
 test/tests/rails4.rb | 14 +++++++++-
 3 files changed, 44 insertions(+), 10 deletions(-)

diff --git a/lib/brakeman/checks/check_ssl_verify.rb b/lib/brakeman/checks/check_ssl_verify.rb
index 3f418c85..6a7b35a6 100644
--- a/lib/brakeman/checks/check_ssl_verify.rb
+++ b/lib/brakeman/checks/check_ssl_verify.rb
@@ -11,21 +11,39 @@ class Brakeman::CheckSSLVerify < Brakeman::BaseCheck
 
   def run_check
     check_open_ssl_verify_none
+    check_http_start
   end
 
   def check_open_ssl_verify_none
-    tracker.find_call(:method => :verify_mode=).each {|call| process_result(call)}
+    tracker.find_call(:method => :verify_mode=).each {|call| process_verify_mode_result(call) }
   end
 
-  def process_result(result)
-    return if duplicate?(result)
+  def process_verify_mode_result result
     if result[:call].last_arg == SSL_VERIFY_NONE
-      add_result result
-      warn :result => result,
-        :warning_type => "SSL Verification Bypass",
-        :warning_code => :ssl_verification_bypass,
-        :message => "SSL certificate verification was bypassed",
-        :confidence => CONFIDENCE[:high]
+      warn_about_ssl_verification_bypass result
     end
   end
+
+  def check_http_start
+    tracker.find_call(:target => :'Net::HTTP', :method => :start).each { |call| process_http_start_result call }
+  end
+
+  def process_http_start_result result
+    arg = result[:call].last_arg
+
+    if hash? arg and hash_access(arg, :verify_mode) == SSL_VERIFY_NONE
+      warn_about_ssl_verification_bypass result
+    end
+  end
+
+  def warn_about_ssl_verification_bypass result
+    return if duplicate?(result)
+    add_result result
+
+    warn :result => result,
+      :warning_type => "SSL Verification Bypass",
+      :warning_code => :ssl_verification_bypass,
+      :message => "SSL certificate verification was bypassed",
+      :confidence => CONFIDENCE[:high]
+  end
 end
diff --git a/test/apps/rails4/lib/sweet_lib.rb b/test/apps/rails4/lib/sweet_lib.rb
index 2de82dcb..bd197770 100644
--- a/test/apps/rails4/lib/sweet_lib.rb
+++ b/test/apps/rails4/lib/sweet_lib.rb
@@ -7,4 +7,8 @@ class SweetLib
     #Should warn about command injection
     system("rm #{@bad}")
   end
+
+  def test_net_http_start_ssl
+    Net::HTTP.start(uri.host, uri.port, :use_ssl => true, :verify_mode => OpenSSL::SSL::VERIFY_NONE)
+  end
 end
diff --git a/test/tests/rails4.rb b/test/tests/rails4.rb
index e207b7e1..149e5152 100644
--- a/test/tests/rails4.rb
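Review bot: `process_http_start_result` recognises only the literal constant, so the comparison `hash_access(arg, :verify_mode) == SSL_VERIFY_NONE` is silent for `:verify_mode => 0` (the integer value of `OpenSSL::SSL::VERIFY_NONE`) and, unless the tracker has already substituted it, for a local or constant that was assigned the `VERIFY_NONE` value; `process_verify_mode_result` inherits the same gap from the old `process_result`. Matching the integer literal alongside `SSL_VERIFY_NONE`, or resolving the option value before comparing, would close the obvious evasion. As a point of style, `if hash? arg and hash_access(arg, :verify_mode) == SSL_VERIFY_NONE` mixes a paren-less call with the low-precedence `and`; `if hash?(arg) && hash_access(arg, :verify_mode) == SSL_VERIFY_NONE` reads the same and avoids the precedence trap if the condition is ever extended. A one-line comment on `check_http_start`, e.g. `# Net::HTTP.start(host, port, opts): warn when opts turns certificate verification off`, would tell readers what shape of call the target/method filter is meant to catch.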
+++ b/test/tests/rails4.rb
@@ -14,7 +14,7 @@ class Rails4Tests < Test::Unit::TestCase
       :controller => 0,
       :model => 2,
       :template => 7,
-      :generic => 61
+      :generic => 62
     }
   end
 
@@ -1068,6 +1068,18 @@ class Rails4Tests < Test::Unit::TestCase
       :user_input => nil
   end
 
+  def test_ssl_verification_bypass_net_start
+    assert_warning :type => :warning,
+      :warning_code => 71,
+      :fingerprint => "fed73f1d7511e72e158a7080eefe377c0c34ad18190471829216e9a2c4f7126d",
+      :warning_type => "SSL Verification Bypass",
+      :line => 12,
+      :message => /^SSL\ certificate\ verification\ was\ bypasse/,
+      :confidence => 0,
+      :relative_path => "lib/sweet_lib.rb",
+      :user_input => nil
+  end
+
   def test_unscoped_find_by_id_bang
     assert_warning :type => :warning,
       :warning_code => 82,
-- 
GitLab
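Review bot: `test_ssl_verification_bypass_net_start` pins only the positive case, so nothing in the suite would catch the new `Net::HTTP.start` check over-matching, for example on a call that passes `:verify_mode => OpenSSL::SSL::VERIFY_PEER` or no options hash at all. A companion fixture method in `sweet_lib.rb` with the safe option value, and an assertion that it produces no "SSL Verification Bypass" warning, would keep the generic count meaningful as the check grows. The expected count bump in the earlier hunk (`:generic => 62`) is consistent with the single new fixture.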