Add check for CVE-2013-6415 (number_to_currency)

f93112e6 · Justin Collins · 630ff40d · f93112e6 · f93112e6 · f93112e6
10 changed file
--- a/lib/brakeman/checks/check_number_to_currency.rb
+++ b/lib/brakeman/checks/check_number_to_currency.rb
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckNumberToCurrency < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for number_to_currency XSS vulnerability in certain versions"
+
+  def run_check
+    if (version_between? "2.0.0", "3.2.15" or version_between? "4.0.0", "4.0.1")
+      check_number_to_currency_usage
+
+      generic_warning unless @found_any
+    end
+  end
+
+  def generic_warning
+    message = "Rails #{tracker.config[:rails_version]} has a vulnerability in number_to_currency (CVE-2013-6415). Upgrade to Rails version "
+
+    if version_between? "2.3.0", "3.2.15"
+      message << "3.2.16"
+    else
+      message << "4.0.2"
+    end
+
+    warn :warning_type => "Cross Site Scripting",
+      :warning_code => :CVE_2013_6415,
+      :message => message,
+      :confidence => CONFIDENCE[:med],
+      :file => gemfile_or_environment,
+      :link_path => "https://groups.google.com/d/topic/rubyonrails-security/8CpI7egxX4E/discussion"
+  end
+
+  def check_number_to_currency_usage
+    tracker.find_call(:target => false, :method => :number_to_currency).each do |result|
+      arg = result[:call].second_arg
+      next unless arg
+
+      if match = (has_immediate_user_input? arg or has_immediate_model? arg)
+        match = match.match if match.is_a? Match
+        @found_any = true
+        warn_on_number_to_currency result, match
+      end
+    end
+  end
+
+  def warn_on_number_to_currency result, match
+    warn :result => result,
+      :warning_type => "Cross Site Scripting",
+      :warning_code => :CVE_2013_6415_call,
+      :message => "Currency value in number_to_currency is not safe in Rails #{@tracker.config[:rails_version]}",
+      :confidence => CONFIDENCE[:high],
+      :link_path => "https://groups.google.com/d/topic/rubyonrails-security/8CpI7egxX4E/discussion",
+      :user_input => match
+  end
+end
--- a/lib/brakeman/warning_codes.rb
+++ b/lib/brakeman/warning_codes.rb
@@ -65,6 +65,8 @@ module Brakeman::WarningCodes
    :detailed_exceptions => 62,
    :CVE_2013_4491 => 63,
    :CVE_2013_6414 => 64,
+    :CVE_2013_6415 => 65,
+    :CVE_2013_6415_call => 66,
  }

  def self.code name

--- a/test/apps/rails4/app/views/users/index.html.erb
+++ b/test/apps/rails4/app/views/users/index.html.erb
@@ -5,3 +5,7 @@
 <%= raw call_something(params).to_json %>

 <%= raw params[:stuff].to_json %>
+
+<%= number_to_currency(params[:cost], params[:currency]) %>
+
+<%= number_to_currency(params[:cost], h(params[:currency])) %> Should not warn
--- a/test/tests/only_files_option.rb
+++ b/test/tests/only_files_option.rb
@@ -75,4 +75,16 @@ class OnlyFilesOptionTests < Test::Unit::TestCase
      :user_input => nil
  end

+  def test_number_to_currency_CVE_2013_6415
+    assert_warning :type => :warning,
+      :warning_code => 65,
+      :fingerprint => "813b00b5c58567fb3f32051578b839cb25fc2d827834a30d4b213a4c126202a2",
+      :warning_type => "Cross Site Scripting",
+      :line => nil,
+      :message => /^Rails\ 3\.2\.9\.rc2 has\ a\ vulnerability\ in\ numbe/,
+      :confidence => 1,
+      :relative_path => "Gemfile",
+      :user_input => nil
+  end
+
 end
--- a/test/tests/rails2.rb
+++ b/test/tests/rails2.rb
@@ -955,6 +955,16 @@ class Rails2Tests < Test::Unit::TestCase
      :relative_path => "config/environment.rb"
  end

+  def test_number_to_currency_CVE_2013_6415
+    assert_warning :type => :warning,
+      :warning_code => 65,
+      :fingerprint => "1822c8179beeb0358b71c545bad0dd824104aed8b995fe0781c1b6e324417a91",
+      :warning_type => "Cross Site Scripting",
+      :message => /^Rails\ 2\.3\.11\ has\ a\ vulnerability\ in\ numb/,
+      :confidence => 1,
+      :relative_path => "config/environment.rb"
+  end
+
  def test_to_json
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",

--- a/test/tests/rails3.rb
+++ b/test/tests/rails3.rb
@@ -1099,6 +1099,18 @@ class Rails3Tests < Test::Unit::TestCase
      :relative_path => "Gemfile"
  end

+  def test_number_to_currency_CVE_2013_6415
+    assert_warning :type => :warning,
+      :warning_code => 65,
+      :fingerprint => "813b00b5c58567fb3f32051578b839cb25fc2d827834a30d4b213a4c126202a2",
+      :warning_type => "Cross Site Scripting",
+      :line => nil,
+      :message => /^Rails\ 3\.0\.3\ has\ a\ vulnerability\ in\ numbe/,
+      :confidence => 1,
+      :relative_path => "Gemfile",
+      :user_input => nil
+  end
+
  def test_http_only_session_setting
    assert_warning :type => :warning,
      :warning_type => "Session Setting",

--- a/test/tests/rails31.rb
+++ b/test/tests/rails31.rb
@@ -820,6 +820,18 @@ class Rails31Tests < Test::Unit::TestCase
      :relative_path => "Gemfile"
  end

+  def test_number_to_currency_CVE_2013_6415
+    assert_warning :type => :warning,
+      :warning_code => 65,
+      :fingerprint => "813b00b5c58567fb3f32051578b839cb25fc2d827834a30d4b213a4c126202a2",
+      :warning_type => "Cross Site Scripting",
+      :line => nil,
+      :message => /^Rails\ 3\.1\.0\ has\ a\ vulnerability\ in\ numbe/,
+      :confidence => 1,
+      :relative_path => "Gemfile",
+      :user_input => nil
+  end
+
  def test_to_json_with_overwritten_config
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",

--- a/test/tests/rails32.rb
+++ b/test/tests/rails32.rb
@@ -100,6 +100,18 @@ class Rails32Tests < Test::Unit::TestCase
      :relative_path => "Gemfile"
  end

+  def test_number_to_currency_CVE_2013_6415
+    assert_warning :type => :warning,
+      :warning_code => 65,
+      :fingerprint => "813b00b5c58567fb3f32051578b839cb25fc2d827834a30d4b213a4c126202a2",
+      :warning_type => "Cross Site Scripting",
+      :line => nil,
+      :message => /^Rails\ 3\.2\.9\.rc2 has\ a\ vulnerability\ in\ numbe/,
+      :confidence => 1,
+      :relative_path => "Gemfile",
+      :user_input => nil
+  end
+
  def test_redirect_1
    assert_warning :type => :warning,
      :warning_type => "Redirect",

--- a/test/tests/rails4_with_engines.rb
+++ b/test/tests/rails4_with_engines.rb
@@ -28,6 +28,18 @@ class Rails4WithEnginesTests < Test::Unit::TestCase
      :relative_path => "Gemfile"
  end

+  def test_number_to_currency_CVE_2013_6415
+    assert_warning :type => :warning,
+      :warning_code => 65,
+      :fingerprint => "813b00b5c58567fb3f32051578b839cb25fc2d827834a30d4b213a4c126202a2",
+      :warning_type => "Cross Site Scripting",
+      :line => nil,
+      :message => /^Rails\ 4\.0\.0\ has\ a\ vulnerability\ in\ numbe/,
+      :confidence => 1,
+      :relative_path => "Gemfile",
+      :user_input => nil
+  end
+
  def test_redirect_1
    assert_warning :type => :generic,
      :warning_code => 18,

--- a/test/tests/rails_with_xss_plugin.rb
+++ b/test/tests/rails_with_xss_plugin.rb
@@ -334,4 +334,16 @@ class RailsWithXssPluginTests < Test::Unit::TestCase
      :confidence => 1,
      :file => /Gemfile/
  end
+
+  def test_number_to_currency_CVE_2013_6415
+    assert_warning :type => :warning,
+      :warning_code => 65,
+      :fingerprint => "813b00b5c58567fb3f32051578b839cb25fc2d827834a30d4b213a4c126202a2",
+      :warning_type => "Cross Site Scripting",
+      :line => nil,
+      :message => /^Rails\ 2\.3\.14\ has\ a\ vulnerability\ in\ numb/,
+      :confidence => 1,
+      :relative_path => "Gemfile",
+      :user_input => nil
+  end
 end