RubyGems - brakeman-lib - Versions diffs - 3.3.1 - Mend

brakeman-lib 3.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (159) hide show

checksums.yaml +7 -0
data/CHANGES +872 -0
data/FEATURES +16 -0
data/README.md +169 -0
data/WARNING_TYPES +95 -0
data/bin/brakeman +89 -0
data/lib/brakeman.rb +495 -0
data/lib/brakeman/app_tree.rb +161 -0
data/lib/brakeman/brakeman.rake +17 -0
data/lib/brakeman/call_index.rb +219 -0
data/lib/brakeman/checks.rb +191 -0
data/lib/brakeman/checks/base_check.rb +518 -0
data/lib/brakeman/checks/check_basic_auth.rb +88 -0
data/lib/brakeman/checks/check_basic_auth_timing_attack.rb +33 -0
data/lib/brakeman/checks/check_content_tag.rb +160 -0
data/lib/brakeman/checks/check_create_with.rb +75 -0
data/lib/brakeman/checks/check_cross_site_scripting.rb +385 -0
data/lib/brakeman/checks/check_default_routes.rb +86 -0
data/lib/brakeman/checks/check_deserialize.rb +57 -0
data/lib/brakeman/checks/check_detailed_exceptions.rb +55 -0
data/lib/brakeman/checks/check_digest_dos.rb +38 -0
data/lib/brakeman/checks/check_dynamic_finders.rb +49 -0
data/lib/brakeman/checks/check_escape_function.rb +21 -0
data/lib/brakeman/checks/check_evaluation.rb +36 -0
data/lib/brakeman/checks/check_execute.rb +167 -0
data/lib/brakeman/checks/check_file_access.rb +63 -0
data/lib/brakeman/checks/check_file_disclosure.rb +35 -0
data/lib/brakeman/checks/check_filter_skipping.rb +31 -0
data/lib/brakeman/checks/check_forgery_setting.rb +74 -0
data/lib/brakeman/checks/check_header_dos.rb +31 -0
data/lib/brakeman/checks/check_i18n_xss.rb +48 -0
data/lib/brakeman/checks/check_jruby_xml.rb +38 -0
data/lib/brakeman/checks/check_json_encoding.rb +47 -0
data/lib/brakeman/checks/check_json_parsing.rb +107 -0
data/lib/brakeman/checks/check_link_to.rb +132 -0
data/lib/brakeman/checks/check_link_to_href.rb +115 -0
data/lib/brakeman/checks/check_mail_to.rb +49 -0
data/lib/brakeman/checks/check_mass_assignment.rb +198 -0
data/lib/brakeman/checks/check_mime_type_dos.rb +39 -0
data/lib/brakeman/checks/check_model_attr_accessible.rb +55 -0
data/lib/brakeman/checks/check_model_attributes.rb +119 -0
data/lib/brakeman/checks/check_model_serialize.rb +67 -0
data/lib/brakeman/checks/check_nested_attributes.rb +38 -0
data/lib/brakeman/checks/check_nested_attributes_bypass.rb +58 -0
data/lib/brakeman/checks/check_number_to_currency.rb +74 -0
data/lib/brakeman/checks/check_quote_table_name.rb +40 -0
data/lib/brakeman/checks/check_redirect.rb +215 -0
data/lib/brakeman/checks/check_regex_dos.rb +69 -0
data/lib/brakeman/checks/check_render.rb +92 -0
data/lib/brakeman/checks/check_render_dos.rb +37 -0
data/lib/brakeman/checks/check_render_inline.rb +54 -0
data/lib/brakeman/checks/check_response_splitting.rb +21 -0
data/lib/brakeman/checks/check_route_dos.rb +42 -0
data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +31 -0
data/lib/brakeman/checks/check_sanitize_methods.rb +79 -0
data/lib/brakeman/checks/check_secrets.rb +40 -0
data/lib/brakeman/checks/check_select_tag.rb +60 -0
data/lib/brakeman/checks/check_select_vulnerability.rb +60 -0
data/lib/brakeman/checks/check_send.rb +48 -0
data/lib/brakeman/checks/check_send_file.rb +19 -0
data/lib/brakeman/checks/check_session_manipulation.rb +36 -0
data/lib/brakeman/checks/check_session_settings.rb +170 -0
data/lib/brakeman/checks/check_simple_format.rb +59 -0
data/lib/brakeman/checks/check_single_quotes.rb +101 -0
data/lib/brakeman/checks/check_skip_before_filter.rb +60 -0
data/lib/brakeman/checks/check_sql.rb +660 -0
data/lib/brakeman/checks/check_sql_cves.rb +101 -0
data/lib/brakeman/checks/check_ssl_verify.rb +49 -0
data/lib/brakeman/checks/check_strip_tags.rb +89 -0
data/lib/brakeman/checks/check_symbol_dos.rb +64 -0
data/lib/brakeman/checks/check_symbol_dos_cve.rb +30 -0
data/lib/brakeman/checks/check_translate_bug.rb +45 -0
data/lib/brakeman/checks/check_unsafe_reflection.rb +51 -0
data/lib/brakeman/checks/check_unscoped_find.rb +41 -0
data/lib/brakeman/checks/check_validation_regex.rb +116 -0
data/lib/brakeman/checks/check_weak_hash.rb +151 -0
data/lib/brakeman/checks/check_without_protection.rb +80 -0
data/lib/brakeman/checks/check_xml_dos.rb +51 -0
data/lib/brakeman/checks/check_yaml_parsing.rb +121 -0
data/lib/brakeman/differ.rb +66 -0
data/lib/brakeman/file_parser.rb +50 -0
data/lib/brakeman/format/style.css +133 -0
data/lib/brakeman/options.rb +301 -0
data/lib/brakeman/parsers/rails2_erubis.rb +6 -0
data/lib/brakeman/parsers/rails2_xss_plugin_erubis.rb +48 -0
data/lib/brakeman/parsers/rails3_erubis.rb +74 -0
data/lib/brakeman/parsers/template_parser.rb +89 -0
data/lib/brakeman/processor.rb +102 -0
data/lib/brakeman/processors/alias_processor.rb +1013 -0
data/lib/brakeman/processors/base_processor.rb +277 -0
data/lib/brakeman/processors/config_processor.rb +14 -0
data/lib/brakeman/processors/controller_alias_processor.rb +273 -0
data/lib/brakeman/processors/controller_processor.rb +326 -0
data/lib/brakeman/processors/erb_template_processor.rb +80 -0
data/lib/brakeman/processors/erubis_template_processor.rb +104 -0
data/lib/brakeman/processors/gem_processor.rb +57 -0
data/lib/brakeman/processors/haml_template_processor.rb +190 -0
data/lib/brakeman/processors/lib/basic_processor.rb +37 -0
data/lib/brakeman/processors/lib/find_all_calls.rb +223 -0
data/lib/brakeman/processors/lib/find_call.rb +183 -0
data/lib/brakeman/processors/lib/find_return_value.rb +134 -0
data/lib/brakeman/processors/lib/processor_helper.rb +75 -0
data/lib/brakeman/processors/lib/rails2_config_processor.rb +145 -0
data/lib/brakeman/processors/lib/rails2_route_processor.rb +313 -0
data/lib/brakeman/processors/lib/rails3_config_processor.rb +132 -0
data/lib/brakeman/processors/lib/rails3_route_processor.rb +308 -0
data/lib/brakeman/processors/lib/render_helper.rb +181 -0
data/lib/brakeman/processors/lib/render_path.rb +107 -0
data/lib/brakeman/processors/lib/route_helper.rb +68 -0
data/lib/brakeman/processors/lib/safe_call_helper.rb +16 -0
data/lib/brakeman/processors/library_processor.rb +119 -0
data/lib/brakeman/processors/model_processor.rb +191 -0
data/lib/brakeman/processors/output_processor.rb +171 -0
data/lib/brakeman/processors/route_processor.rb +17 -0
data/lib/brakeman/processors/slim_template_processor.rb +107 -0
data/lib/brakeman/processors/template_alias_processor.rb +116 -0
data/lib/brakeman/processors/template_processor.rb +74 -0
data/lib/brakeman/report.rb +78 -0
data/lib/brakeman/report/config/remediation.yml +71 -0
data/lib/brakeman/report/ignore/config.rb +135 -0
data/lib/brakeman/report/ignore/interactive.rb +311 -0
data/lib/brakeman/report/renderer.rb +24 -0
data/lib/brakeman/report/report_base.rb +286 -0
data/lib/brakeman/report/report_codeclimate.rb +70 -0
data/lib/brakeman/report/report_csv.rb +55 -0
data/lib/brakeman/report/report_hash.rb +23 -0
data/lib/brakeman/report/report_html.rb +216 -0
data/lib/brakeman/report/report_json.rb +42 -0
data/lib/brakeman/report/report_markdown.rb +156 -0
data/lib/brakeman/report/report_table.rb +107 -0
data/lib/brakeman/report/report_tabs.rb +17 -0
data/lib/brakeman/report/templates/controller_overview.html.erb +22 -0
data/lib/brakeman/report/templates/controller_warnings.html.erb +21 -0
data/lib/brakeman/report/templates/error_overview.html.erb +29 -0
data/lib/brakeman/report/templates/header.html.erb +58 -0
data/lib/brakeman/report/templates/ignored_warnings.html.erb +25 -0
data/lib/brakeman/report/templates/model_warnings.html.erb +21 -0
data/lib/brakeman/report/templates/overview.html.erb +38 -0
data/lib/brakeman/report/templates/security_warnings.html.erb +23 -0
data/lib/brakeman/report/templates/template_overview.html.erb +21 -0
data/lib/brakeman/report/templates/view_warnings.html.erb +34 -0
data/lib/brakeman/report/templates/warning_overview.html.erb +17 -0
data/lib/brakeman/rescanner.rb +483 -0
data/lib/brakeman/scanner.rb +317 -0
data/lib/brakeman/tracker.rb +347 -0
data/lib/brakeman/tracker/collection.rb +93 -0
data/lib/brakeman/tracker/config.rb +101 -0
data/lib/brakeman/tracker/constants.rb +101 -0
data/lib/brakeman/tracker/controller.rb +161 -0
data/lib/brakeman/tracker/library.rb +17 -0
data/lib/brakeman/tracker/model.rb +90 -0
data/lib/brakeman/tracker/template.rb +33 -0
data/lib/brakeman/util.rb +481 -0
data/lib/brakeman/version.rb +3 -0
data/lib/brakeman/warning.rb +255 -0
data/lib/brakeman/warning_codes.rb +111 -0
data/lib/ruby_parser/bm_sexp.rb +610 -0
data/lib/ruby_parser/bm_sexp_processor.rb +116 -0
metadata +362 -0

data/lib/brakeman/processors/lib/render_helper.rb ADDED

@@ -0,0 +1,181 @@
+require 'digest/sha1'
+#Processes a call to render() in a controller or template
+module Brakeman::RenderHelper
+  #Process s(:render, TYPE, OPTION?, OPTIONS)
+  def process_render exp
+    process_default exp
+    @rendered = true
+    case exp.render_type
+    when :action, :template
+      process_action exp[2][1], exp[3], exp.line
+    when :default
+      begin
+        process_template template_name, exp[3], nil, exp.line
+      rescue ArgumentError
+        Brakeman.debug "Problem processing render: #{exp}"
+      end
+    when :partial, :layout
+      process_partial exp[2], exp[3], exp.line
+    when :nothing
+    end
+    exp
+  end
+  #Processes layout
+  def process_layout name = nil
+    if name.nil? and defined? layout_name
+      name = layout_name
+    end
+    return unless name
+    process_template name, nil, nil, nil
+  end
+  #Determines file name for partial and then processes it
+  def process_partial name, args, line
+    if name == "" or !(string? name or symbol? name)
+      return
+    end
+    names = name.value.to_s.split("/")
+    names[-1] = "_" + names[-1]
+    process_template template_name(names.join("/")), args, nil, line
+  end
+  #Processes a given action
+  def process_action name, args, line
+    if name.is_a? String or name.is_a? Symbol
+      process_template template_name(name), args, nil, line
+    end
+  end
+  #Processes a template, adding any instance variables
+  #to its environment.
+  def process_template name, args, called_from = nil, *_
+    Brakeman.debug "Rendering #{name} (#{called_from})"
+    #Get scanned source for this template
+    name = name.to_s.gsub(/^\//, "")
+    template = @tracker.templates[name.to_sym]
+    unless template
+      Brakeman.debug "[Notice] No such template: #{name}"
+      return
+    end
+    template_env = only_ivars(:include_request_vars)
+    #Hash the environment and the source of the template to avoid
+    #pointlessly processing templates, which can become prohibitively
+    #expensive in terms of time and memory.
+    digest = Digest::SHA1.new.update(template_env.instance_variable_get(:@env).to_a.sort.to_s << name).to_s.to_sym
+    if @tracker.template_cache.include? digest
+      #Already processed this template with identical environment
+      return
+    else
+      @tracker.template_cache << digest
+      options = get_options args
+      #Process layout
+      if string? options[:layout]
+        process_template "layouts/#{options[:layout][1]}", nil, nil, nil
+      elsif node_type? options[:layout], :false
+        #nothing
+      elsif not template.name.to_s.match(/[^\/_][^\/]+$/)
+        #Don't do this for partials
+        process_layout
+      end
+      if hash? options[:locals]
+        hash_iterate options[:locals] do |key, value|
+          template_env[Sexp.new(:call, nil, key.value)] = value
+        end
+      end
+      if options[:collection]
+        #The collection name is the name of the partial without the leading
+        #underscore.
+        variable = template.name.to_s.match(/[^\/_][^\/]+$/)[0].to_sym
+        #Unless the :as => :variable_name option is used
+        if options[:as]
+          if string? options[:as] or symbol? options[:as]
+            variable = options[:as].value.to_sym
+          end
+        end
+        collection = get_class_target(options[:collection]) || Brakeman::Tracker::UNKNOWN_MODEL
+        template_env[Sexp.new(:call, nil, variable)] = Sexp.new(:call, Sexp.new(:const, collection), :new)
+      end
+      #Set original_line for values so it is clear
+      #that values came from another file
+      template_env.all.each do |var, value|
+        unless value.original_line
+          #TODO: This has been broken for a while now and no one noticed
+          #so maybe we can skip it
+          value.original_line = value.line
+        end
+      end
+      #Run source through AliasProcessor with instance variables from the
+      #current environment.
+      #TODO: Add in :locals => { ... } to environment
+      src = Brakeman::TemplateAliasProcessor.new(@tracker, template, called_from).process_safely(template.src, template_env)
+      digest = Digest::SHA1.new.update(name + src.to_s).to_s.to_sym
+      if @tracker.template_cache.include? digest
+        return
+      else
+        @tracker.template_cache << digest
+      end
+      #Run alias-processed src through the template processor to pull out
+      #information and outputs.
+      #This information will be stored in tracker.templates, but with a name
+      #specifying this particular route. The original source should remain
+      #pristine (so it can be processed within other environments).
+      @tracker.processor.process_template name, src, template.type, called_from
+    end
+  end
+  #Override to process name, such as adding the controller name.
+  def template_name name
+    raise "RenderHelper#template_name should be overridden."
+  end
+  #Turn options Sexp into hash
+  def get_options args
+    options = {}
+    return options unless hash? args
+    hash_iterate args do |key, value|
+      if symbol? key
+        options[key.value] = value
+      end
+    end
+    options
+  end
+  def get_class_target sexp
+    if call? sexp
+      get_class_target sexp.target
+    else
+      klass = class_name sexp
+      if klass.is_a? Symbol
+        klass
+      else
+        nil
+      end
+    end
+  end
+end

data/lib/brakeman/processors/lib/render_path.rb ADDED

@@ -0,0 +1,107 @@
+module Brakeman
+  class RenderPath
+    attr_reader :path
+    def initialize
+      @path = []
+    end
+    def add_controller_render controller_name, method_name, line, file
+      method_name ||= ""
+      @path << { :type => :controller,
+                 :class => controller_name.to_sym,
+                 :method => method_name.to_sym,
+                 :line => line,
+                 :file => file
+                }
+      self
+    end
+    def add_template_render template_name, line, file
+      @path << { :type => :template,
+                 :name => template_name.to_sym,
+                 :line => line,
+                 :file => file
+               }
+      self
+    end
+    def include_template? name
+      name = name.to_sym
+      @path.any? do |loc|
+        loc[:type] == :template and loc[:name] == name
+      end
+    end
+    def include_controller? klass
+      klass = klass.to_sym
+      @path.any? do |loc|
+        loc[:type] == :controller and loc[:class] == klass
+      end
+    end
+    def include_any_method? method_names
+      names = method_names.map(&:to_sym)
+      @path.any? do |loc|
+        loc[:type] == :controller and names.include? loc[:method]
+      end
+    end
+    def rendered_from_controller?
+      @path.any? do |loc|
+        loc[:type] == :controller
+      end
+    end
+    def each &block
+      @path.each(&block)
+    end
+    def join *args
+      self.to_a.join(*args)
+    end
+    def length
+      @path.length
+    end
+    def to_a
+      @path.map do |loc|
+        case loc[:type]
+        when :template
+          "Template:#{loc[:name]}"
+        when :controller
+          "#{loc[:class]}##{loc[:method]}"
+        end
+      end
+    end
+    def last
+      self.to_a.last
+    end
+    def to_s
+      self.to_a.to_s
+    end
+    def to_sym
+      self.to_s.to_sym
+    end
+    def to_json *args
+      require 'json'
+      JSON.generate(@path)
+    end
+    def initialize_copy original
+      @path = original.path.dup
+      self
+    end
+  end
+end

data/lib/brakeman/processors/lib/route_helper.rb ADDED

@@ -0,0 +1,68 @@
+module Brakeman::RouteHelper
+  #Manage Controller prefixes
+  #@prefix is an Array, but this method returns a string
+  #suitable for prefixing onto a controller name.
+  def prefix
+    if @prefix.length > 0
+      @prefix.join("::") << "::"
+    else
+      ''
+    end
+  end
+  #Sets the controller name to a proper class name.
+  #For example
+  # self.current_controller = :session
+  # @controller == :SessionController #true
+  #
+  #Also prepends the prefix if there is one set.
+  def current_controller= name
+    @current_controller = (prefix + camelize(name) + "Controller").to_sym
+    @tracker.routes[@current_controller] ||= Set.new
+  end
+  #Add route to controller. If a controller is specified,
+  #the current controller will be set to that controller.
+  #If no controller is specified, uses current controller value.
+  def add_route route, controller = nil
+    if node_type? route, :str, :lit
+      route = route.value
+    end
+    return unless route.is_a? String or route.is_a? Symbol
+    if route.is_a? String and controller.nil? and route.include? ":controller"
+      controller = ":controller"
+    end
+    route = route.to_sym
+    if controller
+      self.current_controller = controller
+    end
+    routes = @tracker.routes[@current_controller]
+    if routes and not routes.include? :allow_all_actions
+      routes << route
+    end
+  end
+  #Add default routes
+  def add_resources_routes
+    existing_routes = @tracker.routes[@current_controller]
+    unless existing_routes.is_a? Array and existing_routes.first == :allow_all_actions
+      existing_routes.merge [:index, :new, :create, :show, :edit, :update, :destroy]
+    end
+  end
+  #Add default routes minus :index
+  def add_resource_routes
+    existing_routes = @tracker.routes[@current_controller]
+    unless existing_routes.is_a? Array and existing_routes.first == :allow_all_actions
+      existing_routes.merge [:new, :create, :show, :edit, :update, :destroy]
+    end
+  end
+end

data/lib/brakeman/processors/lib/safe_call_helper.rb ADDED

@@ -0,0 +1,16 @@
+module Brakeman
+  module SafeCallHelper
+    [[:process_safe_call, :process_call],
+     [:process_safe_attrasgn, :process_attrasgn],
+     [:process_safe_op_asgn, :process_op_asgn],
+     [:process_safe_op_asgn2, :process_op_asgn2]].each do |call, replacement|
+       define_method(call) do |exp|
+         if self.respond_to? replacement
+           self.send(replacement, exp)
+         else
+           process_default exp
+         end
+       end
+     end
+  end
+end

data/lib/brakeman/processors/library_processor.rb ADDED

@@ -0,0 +1,119 @@
+require 'brakeman/processors/base_processor'
+require 'brakeman/processors/alias_processor'
+require 'brakeman/tracker/library'
+#Process generic library and stores it in Tracker.libs
+class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
+  def initialize tracker
+    super
+    @file_name = nil
+    @alias_processor = Brakeman::AliasProcessor.new tracker
+    @current_module = nil
+    @current_class = nil
+  end
+  def process_library src, file_name = nil
+    @file_name = file_name
+    process src
+  end
+  def process_class exp
+    name = class_name(exp.class_name)
+    parent = class_name exp.parent_name
+    if @current_class
+      outer_class = @current_class
+      name = (outer_class.name.to_s + "::" + name.to_s).to_sym
+    end
+    if @current_module
+      name = (@current_module.name.to_s + "::" + name.to_s).to_sym
+    end
+    if @tracker.libs[name]
+      @current_class = @tracker.libs[name]
+      @current_class.add_file @file_name, exp
+    else
+      @current_class = Brakeman::Library.new name, parent, @file_name, exp, @tracker
+      @tracker.libs[name] = @current_class
+    end
+    exp.body = process_all! exp.body
+    if outer_class
+      @current_class = outer_class
+    else
+      @current_class = nil
+    end
+    exp
+  end
+  def process_module exp
+    name = class_name(exp.module_name)
+    if @current_module
+      outer_module = @current_module
+      name = (outer_module.name.to_s + "::" + name.to_s).to_sym
+    end
+    if @current_class
+      name = (@current_class.name.to_s + "::" + name.to_s).to_sym
+    end
+    if @tracker.libs[name]
+      @current_module = @tracker.libs[name]
+      @current_module.add_file @file_name, exp
+    else
+      @current_module = Brakeman::Library.new name, nil, @file_name, exp, @tracker
+      @tracker.libs[name] = @current_module
+    end
+    exp.body = process_all! exp.body
+    if outer_module
+      @current_module = outer_module
+    else
+      @current_module = nil
+    end
+    exp
+  end
+  def process_defn exp
+    exp = @alias_processor.process exp
+    if @current_class
+      exp.body = process_all! exp.body
+      @current_class.add_method :public, exp.method_name, exp, @file_name
+    elsif @current_module
+      exp.body = process_all! exp.body
+      @current_module.add_method :public, exp.method_name, exp, @file_name
+    end
+    exp
+  end
+  def process_defs exp
+    exp = @alias_processor.process exp
+    if @current_class
+      exp.body = process_all! exp.body
+      @current_class.add_method :public, exp.method_name, exp, @file_name
+    elsif @current_module
+      exp.body = process_all! exp.body
+      @current_module.add_method :public, exp.method_name, exp, @file_name
+    end
+    exp
+  end
+  def process_call exp
+    if process_call_defn? exp
+      exp
+    else
+      process_default exp
+    end
+  end
+end