Check exec-type calls if they are targets

fixes #1199
presidentbeef · May 9, 2018 · 4058c0a · 4058c0a
1 parent 7b37078
commit 4058c0a
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 3 deletions.
diff --git a/lib/brakeman/checks/check_execute.rb b/lib/brakeman/checks/check_execute.rb
@@ -33,7 +33,7 @@ def run_check
     calls = tracker.find_call :targets => [:IO, :Open3, :Kernel, :'POSIX::Spawn', :Process, nil],
       :methods => [:capture2, :capture2e, :capture3, :exec, :pipeline, :pipeline_r,
         :pipeline_rw, :pipeline_start, :pipeline_w, :popen, :popen2, :popen2e,
-        :popen3, :spawn, :syscall, :system]
+        :popen3, :spawn, :syscall, :system], :nested => true
 
     Brakeman.debug "Processing system calls"
     calls.each do |result|

diff --git a/test/apps/rails5.2/lib/shell.rb b/test/apps/rails5.2/lib/shell.rb
@@ -22,4 +22,8 @@ def nested_system_interp
     filename = Shellwords.escape("#{file_prefix}.txt")
     system "echo #{filename}"
   end
+
+  def system_as_target
+    !system("echo #{foo}")
+  end
 end
diff --git a/test/tests/rails52.rb b/test/tests/rails52.rb
@@ -13,7 +13,7 @@ def expected
       :controller => 0,
       :model => 0,
       :template => 0,
-      :generic => 5
+      :generic => 6
     }
   end
 
@@ -105,7 +105,7 @@ def test_command_injection_nested_shellwords
       :user_input => s(:call, nil, :file_prefix)
   end
 
-  def test_command_injection_as_target
+  def test_command_injection_backticks_as_target
     assert_warning :type => :warning,
       :warning_code => 14,
       :fingerprint => "9af991a12b23b815013ce0c69727b7a14cfb08e62f4e66a8851513af7cc6a757",
@@ -118,6 +118,19 @@ def test_command_injection_as_target
       :user_input => s(:lvar, :path)
   end
 
+  def test_command_injection_as_target
+    assert_warning :type => :warning,
+      :warning_code => 14,
+      :fingerprint => "18e51f5a40dc0e63a90908e88ec5f2ed585fa3a645622f997026ada323cf7552",
+      :warning_type => "Command Injection",
+      :line => 27,
+      :message => /^Possible\ command\ injection/,
+      :confidence => 1,
+      :relative_path => "lib/shell.rb",
+      :code => s(:call, nil, :system, s(:dstr, "echo ", s(:evstr, s(:call, nil, :foo)))),
+      :user_input => s(:call, nil, :foo)
+  end
+
   def test_cross_site_scripting_loofah_CVE_2018_8048
     assert_warning :type => :warning,
       :warning_code => 106,