lib/brakeman/checks/check_create_with.rb
require 'brakeman/checks/base_check'
class Brakeman::CheckCreateWith < Brakeman::BaseCheck
Brakeman::Checks.add self
@description = "Checks for strong params bypass in CVE-2014-3514"
def run_check
@warned = false
if version_between? "4.0.0", "4.0.8"
suggested_version = "4.0.9"
elsif version_between? "4.1.0", "4.1.4"
suggested_version = "4.1.5"
else
return
end
@message = msg(msg_code("create_with"), " is vulnerable to strong params bypass. Upgrade to ", msg_version(suggested_version), " or patch")
tracker.find_call(:method => :create_with, :nested => true).each do |result|
process_result result
end
generic_warning unless @warned
end
def process_result result
return unless original? result
arg = result[:call].first_arg
confidence = danger_level arg
if confidence
@warned = true
warn :warning_type => "Mass Assignment",
:warning_code => :CVE_2014_3514_call,
:result => result,
:message => @message,
:confidence => confidence,
:link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ",
:cwe_id => [915]
end
end
#For a given create_with call, set confidence level.
#Ignore calls that use permit()
def danger_level exp
return unless sexp? exp
if call? exp and exp.method == :permit
nil
elsif request_value? exp
:high
elsif hash? exp
nil
elsif has_immediate_user_input?(exp)
:high
elsif include_user_input? exp
:medium
else
:weak
end
end
def generic_warning
warn :warning_type => "Mass Assignment",
:warning_code => :CVE_2014_3514,
:message => @message,
:gem_info => gemfile_or_environment,
:confidence => :medium,
:link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ",
:cwe_id => [915]
end
end