Merge remote-tracking branch 'daveworth/rails_sqli_check'

Conflicts: test/tests/test_rails3.rb test/tests/test_rails_with_xss_plugin.rb

Merge remote-tracking branch 'daveworth/rails_sqli_check'
Conflicts: test/tests/test_rails3.rb test/tests/test_rails_with_xss_plugin.rb
e807ed13 · Justin Collins · 7374d66a · 91f64f5d · e807ed13 · e807ed13
5 changed file
--- a/lib/brakeman/checks/check_sql.rb
+++ b/lib/brakeman/checks/check_sql.rb
@@ -37,6 +37,12 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
    Brakeman.debug "Finding calls to named_scope or scope"
    calls.concat find_scope_calls

+    Brakeman.debug "Checking version of Rails for CVE-2012-2660"
+    check_rails_version_for_cve_2012_2660
+
+    Brakeman.debug "Checking version of Rails for CVE-2012-2661"
+    check_rails_version_for_cve_2012_2661
+
    Brakeman.debug "Processing possible SQL calls"
    calls.each do |c|
      process_result c
@@ -80,6 +86,24 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
    scope_calls
  end

+  def check_rails_version_for_cve_2012_2660
+    if version_between?("2.0.0", "3.0.0") || version_between?("3.0.0", "3.0.12") || version_between?("3.1.0", "3.1.4") || version_between?("3.2.0", "3.2.3")
+      warn :warning_type => 'SQL Injection',
+        :message => 'All versions of Rails before 3.0.13, 3.1.5, and 3.2.5 contain a SQL Query Generation Vulnerability: CVE-2012-2660; Upgrade to 3.2.5, 3.1.5, 3.0.13',
+        :confidence => CONFIDENCE[:high],
+        :file => gemfile_or_environment
+    end
+  end
+
+  def check_rails_version_for_cve_2012_2661
+    if version_between?("3.0.0", "3.0.12") || version_between?("3.1.0", "3.1.4") || version_between?("3.2.0", "3.2.3")
+      warn :warning_type => 'SQL Injection',
+        :message => 'All versions of Rails before 3.0.13, 3.1.5, and 3.2.5 contain a SQL Injection Vulnerability: CVE-2012-2661; Upgrade to 3.2.5, 3.1.5, 3.0.13',
+        :confidence => CONFIDENCE[:high],
+        :file => gemfile_or_environment
+    end
+  end
+
  def process_scope_with_block model_name, args
    scope_name = args[1][1]
    block = args[-1][-1]

--- a/test/tests/test_rails2.rb
+++ b/test/tests/test_rails2.rb
@@ -12,13 +12,13 @@ class Rails2Tests < Test::Unit::TestCase
        :controller => 1,
        :model => 2,
        :template => 27,
-        :warning => 26 }
+        :warning => 27 }
    else
      @expected ||= {
        :controller => 1,
        :model => 2,
        :template => 27,
-        :warning => 27 }
+        :warning => 28 }
    end
  end

@@ -165,6 +165,13 @@ class Rails2Tests < Test::Unit::TestCase
      :file => /session_store\.rb/
  end

+  def test_rails_cve_2012_2660
+    assert_warning :type => :warning,
+      :warning_type => "SQL Injection",
+      :message => /CVE-2012-2660/,
+      :confidence => 0
+  end
+
  def test_sql_injection_find_by_sql
    assert_warning :type => :warning,
      :warning_type => "SQL Injection",

--- a/test/tests/test_rails3.rb
+++ b/test/tests/test_rails3.rb
@@ -15,7 +15,7 @@ class Rails3Tests < Test::Unit::TestCase
      :controller => 1,
      :model => 5,
      :template => 22,
-      :warning => 23
+      :warning => 25
    }
  end

@@ -167,6 +167,22 @@ class Rails3Tests < Test::Unit::TestCase
      :file => /other_controller\.rb/
  end

+  def test_rails_cve_2012_2660
+    assert_warning :type => :warning,
+      :warning_type => "SQL Injection",
+      :message => /CVE-2012-2660/,
+      :confidence => 0,
+      :file => /Gemfile/
+  end
+
+  def test_rails_cve_2012_2661
+    assert_warning :type => :warning,
+      :warning_type => "SQL Injection",
+      :message => /CVE-2012-2661/,
+      :confidence => 0,
+      :file => /Gemfile/
+  end
+
  def test_sql_injection_find_by_sql
    assert_warning :type => :warning,
      :warning_type => "SQL Injection",

--- a/test/tests/test_rails31.rb
+++ b/test/tests/test_rails31.rb
@@ -15,7 +15,7 @@ class Rails31Tests < Test::Unit::TestCase
      :model => 0,
      :template => 4,
      :controller => 1,
-      :warning => 37 }
+      :warning => 39 }
  end

  def test_without_protection
@@ -80,6 +80,22 @@ class Rails31Tests < Test::Unit::TestCase
      :file => /Gemfile/
  end

+  def test_rails_cve_2012_2660
+    assert_warning :type => :warning,
+      :warning_type => "SQL Injection",
+      :message => /CVE-2012-2660/,
+      :confidence => 0,
+      :file => /Gemfile/
+  end
+
+  def test_rails_cve_2012_2661
+    assert_warning :type => :warning,
+      :warning_type => "SQL Injection",
+      :message => /CVE-2012-2661/,
+      :confidence => 0,
+      :file => /Gemfile/
+  end
+
  def test_sql_injection_scope_lambda
    assert_warning :type => :warning,
      :warning_type => "SQL Injection",

--- a/test/tests/test_rails_with_xss_plugin.rb
+++ b/test/tests/test_rails_with_xss_plugin.rb
@@ -11,7 +11,7 @@ class RailsWithXssPluginTests < Test::Unit::TestCase
      :controller => 1,
      :model => 3,
      :template => 1,
-      :warning => 11 }
+      :warning => 12 }
  end

  def report
@@ -128,6 +128,14 @@ class RailsWithXssPluginTests < Test::Unit::TestCase
  end


+  def test_rails_cve_2012_2660
+    assert_warning :type => :warning,
+      :warning_type => "SQL Injection",
+      :message => /CVE-2012-2660/,
+      :confidence => 0,
+      :file => /Gemfile/
+  end
+
  def test_sql_injection_12 
    assert_warning :type => :warning,
      :warning_type => "SQL Injection",