Add check for select vulnerability in Rails 3

http://groups.google.com/group/rubyonrails-security/browse_thread/thread/9da0c515a6c4664

Add check for select vulnerability in Rails 3
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/9da0c515a6c4664
71222ecd · Justin Collins · 2f6fb06d · 71222ecd · 71222ecd · 71222ecd
3 changed file
--- a/lib/brakeman/checks/check_select_vulnerability.rb
+++ b/lib/brakeman/checks/check_select_vulnerability.rb
+require 'brakeman/checks/base_check'
+
+#Checks for select() helper vulnerability in some versions of Rails 3
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/9da0c515a6c4664
+class Brakeman::CheckSelectVulnerability < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Looks for unsafe uses of select() helper in some versions of Rails 3.x"
+
+  def run_check
+
+    if version_between? "3.0.0", "3.0.11"
+      suggested_version = "3.0.12"
+    elsif version_between? "3.1.0", "3.1.3"
+      suggested_version = "3.1.4"
+    elsif version_between? "3.2.0", "3.2.1"
+      suggested_version = "3.2.2"
+    else
+      return
+    end
+
+    @message = "Upgrade to Rails #{suggested_version}, #{tracker.config[:rails_version]} select() helper is vulnerable"
+
+    calls = tracker.find_call(:target => nil, :method => :select).select do |result|
+      result[:location][0] == :template
+    end
+
+    calls.each do |result|
+      process_result result
+    end
+  end
+
+  def process_result result
+    return if duplicate? result
+
+    args = result[:call][3]
+
+    #Check for user input in options parameter
+    if sexp? args[3] and include_user_input? args[3]
+      add_result result
+
+      if node_type? args[3], :string_interp, :dstr
+        confidence = CONFIDENCE[:med]
+      else
+        confidence = CONFIDENCE[:low]
+      end
+
+      warn :template => result[:location][1],
+          :warning_type => "Cross Site Scripting",
+          :result => result,
+          :message => @message,
+          :confidence => confidence
+    end
+  end
+end
--- a/test/apps/rails3.1/app/views/users/_form.html.erb
+++ b/test/apps/rails3.1/app/views/users/_form.html.erb
@@ -31,7 +31,11 @@
    <%= f.label :role %><br />
    <%= f.text_field :role %>
  </div>
+  <div class="field">
+    <%= f.label :something %>
+  </div>
  <div class="actions">
    <%= f.submit %>
  </div>
+
 <% end %>
--- a/test/tests/test_rails31.rb
+++ b/test/tests/test_rails31.rb
@@ -103,7 +103,7 @@ class Rails31Tests < Test::Unit::TestCase
      :warning_type => "Cross Site Scripting",
      :line => 2,
      :message => /^Upgrade to Rails 3.1.4, 3.1.0 select\(\) helper is vulnerable/,
-      :confidence => 0,
+      :confidence => 1,
      :file => /edit\.html\.erb/
  end
 end