Merge branch 'master' into scan_jobs_directory

presidentbeef · Mar 22, 2018 · 746ea3e · 746ea3e
2 parents 05105be + a965f55
commit 746ea3e
Show file tree

Hide file tree

Showing 5 changed files with 268 additions and 2 deletions.
diff --git a/lib/brakeman/checks/check_sanitize_methods.rb b/lib/brakeman/checks/check_sanitize_methods.rb
@@ -28,6 +28,8 @@ def run_check
       warn_sanitizer_cve "CVE-2015-7578", "https://groups.google.com/d/msg/rubyonrails-security/uh--W4TDwmI/JbvSRpdbFQAJ"
       warn_sanitizer_cve "CVE-2015-7580", "https://groups.google.com/d/msg/rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ"
     end
+
+    check_cve_2018_8048
   end
 
   def check_cve_2013_1855
@@ -60,6 +62,31 @@ def check_for_cve method, code, link
     end
   end
 
+  def check_cve_2018_8048
+    if loofah_vulnerable_cve_2018_8048?
+      message = "Loofah #{tracker.config.gem_version(:loofah)} is vulnerable (CVE-2018-8048). Upgrade to 2.1.2"
+
+      if tracker.find_call(:target => false, :method => :sanitize).any?
+        confidence = :high
+      else
+        confidence = :medium
+      end
+
+      warn :warning_type => "Cross-Site Scripting",
+        :warning_code => :CVE_2018_8048,
+        :message => message,
+        :gem_info => gemfile_or_environment,
+        :confidence => confidence,
+        :link_path => "https://github.com/flavorjones/loofah/issues/144"
+    end
+  end
+
+  def loofah_vulnerable_cve_2018_8048?
+    loofah_version = tracker.config.gem_version(:loofah)
+
+    loofah_version and loofah_version < "2.1.2"
+  end
+
   def warn_sanitizer_cve cve, link
     message = "rails-html-sanitizer #{tracker.config.gem_version(:'rails-html-sanitizer')} is vulnerable (#{cve}). Upgrade to 1.0.3"
 

diff --git a/lib/brakeman/warning_codes.rb b/lib/brakeman/warning_codes.rb
@@ -107,6 +107,7 @@ module Brakeman::WarningCodes
     :CVE_2016_6317 => 103,
     :divide_by_zero => 104,
     :dangerous_permit_key => 105,
+    :CVE_2018_8048 => 106,
   }
 
   def self.code name

diff --git a/test/apps/rails5.2/Gemfile.lock b/test/apps/rails5.2/Gemfile.lock
@@ -0,0 +1,214 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    actioncable (5.2.0.beta2)
+      actionpack (= 5.2.0.beta2)
+      nio4r (~> 2.0)
+      websocket-driver (~> 0.6.1)
+    actionmailer (5.2.0.beta2)
+      actionpack (= 5.2.0.beta2)
+      actionview (= 5.2.0.beta2)
+      activejob (= 5.2.0.beta2)
+      mail (~> 2.5, >= 2.5.4)
+      rails-dom-testing (~> 2.0)
+    actionpack (5.2.0.beta2)
+      actionview (= 5.2.0.beta2)
+      activesupport (= 5.2.0.beta2)
+      rack (~> 2.0)
+      rack-test (>= 0.6.3)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    actionview (5.2.0.beta2)
+      activesupport (= 5.2.0.beta2)
+      builder (~> 3.1)
+      erubi (~> 1.4)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.0.3)
+    activejob (5.2.0.beta2)
+      activesupport (= 5.2.0.beta2)
+      globalid (>= 0.3.6)
+    activemodel (5.2.0.beta2)
+      activesupport (= 5.2.0.beta2)
+    activerecord (5.2.0.beta2)
+      activemodel (= 5.2.0.beta2)
+      activesupport (= 5.2.0.beta2)
+      arel (>= 9.0)
+    activestorage (5.2.0.beta2)
+      actionpack (= 5.2.0.beta2)
+      activerecord (= 5.2.0.beta2)
+    activesupport (5.2.0.beta2)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (~> 0.7)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+    addressable (2.5.2)
+      public_suffix (>= 2.0.2, < 4.0)
+    archive-zip (0.7.0)
+      io-like (~> 0.3.0)
+    arel (9.0.0)
+    bindex (0.5.0)
+    bootsnap (1.1.5)
+      msgpack (~> 1.0)
+    builder (3.2.3)
+    byebug (9.1.0)
+    capybara (2.16.1)
+      addressable
+      mini_mime (>= 0.1.3)
+      nokogiri (>= 1.3.3)
+      rack (>= 1.0.0)
+      rack-test (>= 0.5.4)
+      xpath (~> 2.0)
+    childprocess (0.8.0)
+      ffi (~> 1.0, >= 1.0.11)
+    chromedriver-helper (1.1.0)
+      archive-zip (~> 0.7.0)
+      nokogiri (~> 1.6)
+    coffee-rails (4.2.2)
+      coffee-script (>= 2.2.0)
+      railties (>= 4.0.0)
+    coffee-script (2.4.1)
+      coffee-script-source
+      execjs
+    coffee-script-source (1.12.2)
+    concurrent-ruby (1.0.5)
+    crass (1.0.3)
+    erubi (1.7.0)
+    execjs (2.7.0)
+    ffi (1.9.18)
+    globalid (0.4.1)
+      activesupport (>= 4.2.0)
+    i18n (0.9.1)
+      concurrent-ruby (~> 1.0)
+    io-like (0.3.0)
+    jbuilder (2.7.0)
+      activesupport (>= 4.2.0)
+      multi_json (>= 1.2)
+    listen (3.1.5)
+      rb-fsevent (~> 0.9, >= 0.9.4)
+      rb-inotify (~> 0.9, >= 0.9.7)
+      ruby_dep (~> 1.2)
+    loofah (2.1.1)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.5.9)
+    mail (2.7.0)
+      mini_mime (>= 0.1.1)
+    method_source (0.9.0)
+    mini_mime (1.0.0)
+    mini_portile2 (2.3.0)
+    minitest (5.10.3)
+    msgpack (1.2.0)
+    multi_json (1.12.2)
+    nio4r (2.1.0)
+    nokogiri (1.8.1)
+      mini_portile2 (~> 2.3.0)
+    public_suffix (3.0.1)
+    puma (3.11.0)
+    rack (2.0.3)
+    rack-test (0.8.2)
+      rack (>= 1.0, < 3)
+    rails (5.2.0.beta2)
+      actioncable (= 5.2.0.beta2)
+      actionmailer (= 5.2.0.beta2)
+      actionpack (= 5.2.0.beta2)
+      actionview (= 5.2.0.beta2)
+      activejob (= 5.2.0.beta2)
+      activemodel (= 5.2.0.beta2)
+      activerecord (= 5.2.0.beta2)
+      activestorage (= 5.2.0.beta2)
+      activesupport (= 5.2.0.beta2)
+      bundler (>= 1.3.0)
+      railties (= 5.2.0.beta2)
+      sprockets-rails (>= 2.0.0)
+    rails-dom-testing (2.0.3)
+      activesupport (>= 4.2.0)
+      nokogiri (>= 1.6)
+    rails-html-sanitizer (1.0.3)
+      loofah (~> 2.0)
+    railties (5.2.0.beta2)
+      actionpack (= 5.2.0.beta2)
+      activesupport (= 5.2.0.beta2)
+      method_source
+      rake (>= 0.8.7)
+      thor (>= 0.18.1, < 2.0)
+    rake (12.3.0)
+    rb-fsevent (0.10.2)
+    rb-inotify (0.9.10)
+      ffi (>= 0.5.0, < 2)
+    ruby_dep (1.5.0)
+    rubyzip (1.2.1)
+    sass (3.5.3)
+      sass-listen (~> 4.0.0)
+    sass-listen (4.0.0)
+      rb-fsevent (~> 0.9, >= 0.9.4)
+      rb-inotify (~> 0.9, >= 0.9.7)
+    sass-rails (5.0.7)
+      railties (>= 4.0.0, < 6)
+      sass (~> 3.1)
+      sprockets (>= 2.8, < 4.0)
+      sprockets-rails (>= 2.0, < 4.0)
+      tilt (>= 1.1, < 3)
+    selenium-webdriver (3.8.0)
+      childprocess (~> 0.5)
+      rubyzip (~> 1.0)
+    spring (2.0.2)
+      activesupport (>= 4.2)
+    spring-watcher-listen (2.0.1)
+      listen (>= 2.7, < 4.0)
+      spring (>= 1.2, < 3.0)
+    sprockets (3.7.1)
+      concurrent-ruby (~> 1.0)
+      rack (> 1, < 3)
+    sprockets-rails (3.2.1)
+      actionpack (>= 4.0)
+      activesupport (>= 4.0)
+      sprockets (>= 3.0.0)
+    sqlite3 (1.3.13)
+    thor (0.20.0)
+    thread_safe (0.3.6)
+    tilt (2.0.8)
+    turbolinks (5.0.1)
+      turbolinks-source (~> 5)
+    turbolinks-source (5.0.3)
+    tzinfo (1.2.4)
+      thread_safe (~> 0.1)
+    uglifier (4.0.1)
+      execjs (>= 0.3.0, < 3)
+    web-console (3.5.1)
+      actionview (>= 5.0)
+      activemodel (>= 5.0)
+      bindex (>= 0.4.0)
+      railties (>= 5.0)
+    websocket-driver (0.6.5)
+      websocket-extensions (>= 0.1.0)
+    websocket-extensions (0.1.3)
+    xpath (2.1.0)
+      nokogiri (~> 1.3)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bootsnap (>= 1.1.0)
+  byebug
+  capybara (~> 2.15)
+  chromedriver-helper
+  coffee-rails (~> 4.2)
+  jbuilder (~> 2.5)
+  listen (>= 3.0.5, < 3.2)
+  puma (~> 3.11)
+  rails (~> 5.2.0.beta2)
+  sass-rails (~> 5.0)
+  selenium-webdriver
+  spring
+  spring-watcher-listen (~> 2.0.0)
+  sqlite3
+  turbolinks (~> 5)
+  tzinfo-data
+  uglifier (>= 1.3.0)
+  web-console (>= 3.3.0)
+
+RUBY VERSION
+   ruby 2.3.1p112
+
+BUNDLED WITH
+   1.15.4
diff --git a/test/tests/rails5.rb b/test/tests/rails5.rb
@@ -13,7 +13,7 @@ def expected
       :controller => 0,
       :model => 0,
       :template => 9,
-      :generic => 17
+      :generic => 18
     }
   end
 
@@ -605,6 +605,18 @@ def test_cross_site_scripting_CVE_2016_6316_general
       :user_input => nil
   end
 
+  def test_cross_site_scripting_loofah_CVE_2018_8048
+    assert_warning :type => :warning,
+      :warning_code => 106,
+      :fingerprint => "cdfb1541fdcc9cdcf0784ce5bd90013dc39316cb822eedea3f03b2521c06137f",
+      :warning_type => "Cross-Site Scripting",
+      :line => 115,
+      :message => /^Loofah\ 2\.0\.3\ is\ vulnerable\ \(CVE\-2018\-804/,
+      :confidence => 0,
+      :relative_path => "Gemfile.lock",
+      :user_input => nil
+  end
+
   def test_dangerous_eval_in_prior_class_method_with_same_name
     assert_warning :type => :warning,
       :warning_code => 13,

diff --git a/test/tests/rails52.rb b/test/tests/rails52.rb
@@ -13,7 +13,7 @@ def expected
       :controller => 0,
       :model => 0,
       :template => 0,
-      :generic => 1
+      :generic => 2
     }
   end
 
@@ -65,4 +65,16 @@ def test_command_injection_shellwords
       :code => s(:dxstr, "dig +short -x ", s(:evstr, s(:call, s(:const, :Shellwords), :shellescape, s(:lvar, :ip))), s(:str, " @"), s(:evstr, s(:call, s(:const, :Shellwords), :shellescape, s(:lvar, :one))), s(:str, " -p "), s(:evstr, s(:call, s(:const, :Shellwords), :escape, s(:lvar, :two)))),
       :user_input => s(:call, s(:const, :Shellwords), :shellescape, s(:lvar, :ip))
   end
+
+  def test_cross_site_scripting_loofah_CVE_2018_8048
+    assert_warning :type => :warning,
+      :warning_code => 106,
+      :fingerprint => "c8adc1c0caf2c9251d1d8de588fb949070212d0eed5e1580aee88bab2287b772",
+      :warning_type => "Cross-Site Scripting",
+      :line => 109,
+      :message => /^Loofah\ 2\.1\.1\ is\ vulnerable\ \(CVE\-2018\-804/,
+      :confidence => 1,
+      :relative_path => "Gemfile.lock",
+      :user_input => nil
+  end
 end