brakeman-lib 3.7.2 → 4.0.0

data/lib/brakeman/checks/check_mass_assignment.rb

@@ -80,17 +80,17 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
           return
         elsif not node_type? first_arg, :hash
           if attr_protected
-            confidence = CONFIDENCE[:med]
+            confidence = :medium
           else
-            confidence = CONFIDENCE[:high]
+            confidence = :high
           end
         else
-          confidence = CONFIDENCE[:low]
+          return
         end
       elsif node_type? call.first_arg, :lit, :str
         return
       else
-        confidence = CONFIDENCE[:low]
+        confidence = :weak
         input = nil
       end
 
@@ -182,9 +182,9 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
     return unless original? result
 
     confidence = if subsequent_mass_assignment? result
-                   CONFIDENCE[:high]
+                   :high
                  else
-                   CONFIDENCE[:med]
+                   :medium
                  end
 
     warn :result => result,

data/lib/brakeman/checks/check_mime_type_dos.rb

@@ -24,7 +24,7 @@ class Brakeman::CheckMimeTypeDoS < Brakeman::BaseCheck
     warn :warning_type => "Denial of Service",
       :warning_code => :CVE_2016_0751,
       :message => message,
-      :confidence => CONFIDENCE[:med],
+      :confidence => :medium,
       :gem_info => gemfile_or_environment,
       :link_path => "https://groups.google.com/d/msg/rubyonrails-security/9oLY_FCzvoc/w9oI9XxbFQAJ"
   end

data/lib/brakeman/checks/check_model_attr_accessible.rb

@@ -11,11 +11,11 @@ class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
   @description = "Reports models which have dangerous attributes defined under the attr_accessible whitelist."
 
   SUSP_ATTRS = [
-    [:admin, CONFIDENCE[:high]], # Very dangerous unless some Rails authorization used
-    [:role, CONFIDENCE[:med]],
-    [:banned, CONFIDENCE[:med]],
-    [:account_id, CONFIDENCE[:high]],
-    [/\S*_id(s?)\z/, CONFIDENCE[:low]] # All other foreign keys have weak/low confidence
+    [:admin, :high], # Very dangerous unless some Rails authorization used
+    [:role, :medium],
+    [:banned, :medium],
+    [:account_id, :high],
+    [/\S*_id(s?)\z/, :weak] # All other foreign keys have weak/low confidence
   ]
 
   def run_check

data/lib/brakeman/checks/check_model_attributes.rb

@@ -31,7 +31,7 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
           :warning_type => "Attribute Restriction",
           :warning_code => :no_attr_accessible,
           :message => "Mass assignment is not restricted using attr_accessible",
-          :confidence => CONFIDENCE[:high]
+          :confidence => :high
       end
 
       unless protected_names.empty?
@@ -60,7 +60,7 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
             :warning_type => "Attribute Restriction",
             :warning_code => :no_attr_accessible,
             :message => "Mass assignment is not restricted using attr_accessible",
-            :confidence => CONFIDENCE[:high]
+            :confidence => :high
         elsif not tracker.options[:ignore_attr_protected]
           message, confidence, link = check_for_attr_protected_bypass
 
@@ -106,11 +106,11 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
 
     if upgrade_version
       message = "attr_protected is bypassable in #{rails_version}, use attr_accessible or upgrade to #{upgrade_version}"
-      confidence = CONFIDENCE[:high]
+      confidence = :high
       link = "https://groups.google.com/d/topic/rubyonrails-security/AFBKNY7VSH8/discussion"
     else
       message = "attr_accessible is recommended over attr_protected"
-      confidence = CONFIDENCE[:med]
+      confidence = :medium
       link = nil
     end
 

data/lib/brakeman/checks/check_model_serialize.rb

@@ -17,7 +17,7 @@ class Brakeman::CheckModelSerialize < Brakeman::BaseCheck
 
     return unless @upgrade_version
 
-    tracker.models.each do |name, model|
+    tracker.models.each do |_name, model|
       check_for_serialize model
     end
   end
@@ -49,9 +49,9 @@ class Brakeman::CheckModelSerialize < Brakeman::BaseCheck
       end
 
       if attrs.empty?
-        confidence = CONFIDENCE[:med]
+        confidence = :medium
       else
-        confidence = CONFIDENCE[:high]
+        confidence = :high
       end
 
       warn :model => model.name,

data/lib/brakeman/checks/check_nested_attributes.rb

@@ -22,14 +22,14 @@ class Brakeman::CheckNestedAttributes < Brakeman::BaseCheck
       warn :warning_type => "Nested Attributes",
         :warning_code => :CVE_2010_3933,
         :message => message,
-        :confidence => CONFIDENCE[:high],
+        :confidence => :high,
         :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/-fkT0yja_gw/discussion"
     end
   end
 
   def uses_nested_attributes?
-    active_record_models.each do |name, model|
+    active_record_models.each do |_name, model|
       return true if model.options[:accepts_nested_attributes_for]
     end
 

data/lib/brakeman/checks/check_nested_attributes_bypass.rb

@@ -38,7 +38,7 @@ class Brakeman::CheckNestedAttributesBypass < Brakeman::BaseCheck
       :message => message,
       :file => model.file,
       :line => args.line,
-      :confidence => CONFIDENCE[:med],
+      :confidence => :medium,
       :link_path => "https://groups.google.com/d/msg/rubyonrails-security/cawsWcQ6c8g/tegZtYdbFQAJ"
   end
 

data/lib/brakeman/checks/check_number_to_currency.rb

@@ -31,10 +31,10 @@ class Brakeman::CheckNumberToCurrency < Brakeman::BaseCheck
       message << "4.0.3"
     end
 
-    warn :warning_type => "Cross Site Scripting",
+    warn :warning_type => "Cross-Site Scripting",
       :warning_code => :CVE_2014_0081,
       :message => message,
-      :confidence => CONFIDENCE[:med],
+      :confidence => :medium,
       :gem_info => gemfile_or_environment,
       :link_path => "https://groups.google.com/d/msg/ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ"
   end
@@ -46,7 +46,7 @@ class Brakeman::CheckNumberToCurrency < Brakeman::BaseCheck
       next unless arg
 
       if not check_helper_option(result, arg) and hash? arg
-        hash_iterate(arg) do |key, value|
+        hash_iterate(arg) do |_key, value|
           break if check_helper_option(result, value)
         end
       end
@@ -64,10 +64,10 @@ class Brakeman::CheckNumberToCurrency < Brakeman::BaseCheck
 
   def warn_on_number_helper result, match
     warn :result => result,
-      :warning_type => "Cross Site Scripting",
+      :warning_type => "Cross-Site Scripting",
       :warning_code => :CVE_2014_0081_call,
       :message => "Format options in #{result[:call].method} are not safe in Rails #{rails_version}",
-      :confidence => CONFIDENCE[:high],
+      :confidence => :high,
       :link_path => "https://groups.google.com/d/msg/ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ",
       :user_input => match
   end

data/lib/brakeman/checks/check_quote_table_name.rb

@@ -12,9 +12,9 @@ class Brakeman::CheckQuoteTableName < Brakeman::BaseCheck
         version_between?('3.0.0', '3.0.9'))
 
       if uses_quote_table_name?
-        confidence = CONFIDENCE[:high]
+        confidence = :high
       else
-        confidence = CONFIDENCE[:med]
+        confidence = :medium
       end
 
       if rails_version =~ /^3/

data/lib/brakeman/checks/check_redirect.rb

@@ -41,9 +41,9 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
         res = include_user_input?(call)
 
       if res.type == :immediate
-        confidence = CONFIDENCE[:high]
+        confidence = :high
       else
-        confidence = CONFIDENCE[:low]
+        confidence = :weak
       end
 
       warn :result => result,

data/lib/brakeman/checks/check_regex_dos.rb

@@ -35,12 +35,12 @@ class Brakeman::CheckRegexDoS < Brakeman::BaseCheck
       next unless sexp? component
 
       if match = has_immediate_user_input?(component)
-        confidence = CONFIDENCE[:high]
+        confidence = :high
       elsif match = has_immediate_model?(component)
         match = Match.new(:model, match)
-        confidence = CONFIDENCE[:med]
+        confidence = :medium
       elsif match = include_user_input?(component)
-        confidence = CONFIDENCE[:low]
+        confidence = :weak
       end
 
       if match

data/lib/brakeman/checks/check_render.rb

@@ -36,12 +36,12 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
 
       if input = has_immediate_user_input?(view)
         if string_interp? view
-          confidence = CONFIDENCE[:med]
+          confidence = :medium
         else
-          confidence = CONFIDENCE[:high]
+          confidence = :high
         end
       elsif input = include_user_input?(view)
-        confidence = CONFIDENCE[:low]
+        confidence = :weak
       else
         return
       end
@@ -77,7 +77,7 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
           :warning_code => :dynamic_render_path_rce,
           :message => "Passing query parameters to render() is vulnerable in Rails #{rails_version} (CVE-2016-0752)",
           :user_input => view,
-          :confidence => CONFIDENCE[:high]
+          :confidence => :high
       end
     end
   end

data/lib/brakeman/checks/check_render_dos.rb

@@ -30,7 +30,7 @@ class Brakeman::CheckRenderDoS < Brakeman::BaseCheck
     warn :warning_type => "Denial of Service",
       :warning_code => :CVE_2014_0082,
       :message => message,
-      :confidence => CONFIDENCE[:high],
+      :confidence => :high,
       :link_path => "https://groups.google.com/d/msg/rubyonrails-security/LMxO_3_eCuc/ozGBEhKaJbIJ",
       :gem_info => gemfile_or_environment
   end

data/lib/brakeman/checks/check_render_inline.rb

@@ -1,7 +1,7 @@
 class Brakeman::CheckRenderInline < Brakeman::CheckCrossSiteScripting
   Brakeman::Checks.add self
 
-  @description = "Checks for cross site scripting in render calls"
+  @description = "Checks for cross-site scripting in render calls"
 
   def run_check
     setup
@@ -24,18 +24,18 @@ class Brakeman::CheckRenderInline < Brakeman::CheckCrossSiteScripting
 
         if input = has_immediate_user_input?(render_value)
           warn :result => result,
-            :warning_type => "Cross Site Scripting",
+            :warning_type => "Cross-Site Scripting",
             :warning_code => :cross_site_scripting_inline,
             :message => "Unescaped #{friendly_type_of input} rendered inline",
             :user_input => input,
-            :confidence => CONFIDENCE[:high]
+            :confidence => :high
         elsif input = has_immediate_model?(render_value)
           warn :result => result,
-            :warning_type => "Cross Site Scripting",
+            :warning_type => "Cross-Site Scripting",
             :warning_code => :cross_site_scripting_inline,
             :message => "Unescaped model attribute rendered inline",
             :user_input => input,
-            :confidence => CONFIDENCE[:med]
+            :confidence => :medium
         end
       end
     end

data/lib/brakeman/checks/check_response_splitting.rb

@@ -13,7 +13,7 @@ class Brakeman::CheckResponseSplitting < Brakeman::BaseCheck
       warn :warning_type => "Response Splitting",
         :warning_code => :CVE_2011_3186,
         :message => "Versions before 2.3.14 have a vulnerability content type handling allowing injection of headers: CVE-2011-3186",
-        :confidence => CONFIDENCE[:med],
+        :confidence => :medium,
         :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/b_yTveAph2g/discussion"
     end

data/lib/brakeman/checks/check_route_dos.rb

@@ -21,7 +21,7 @@ class Brakeman::CheckRouteDoS < Brakeman::BaseCheck
       warn :warning_type => "Denial of Service",
         :warning_code => :CVE_2015_7581,
         :message => message,
-        :confidence => CONFIDENCE[:med],
+        :confidence => :medium,
         :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/msg/rubyonrails-security/dthJ5wL69JE/YzPnFelbFQAJ"
     end

data/lib/brakeman/checks/check_safe_buffer_manipulation.rb

@@ -22,10 +22,10 @@ class Brakeman::CheckSafeBufferManipulation < Brakeman::BaseCheck
 
     message = "Rails #{rails_version} has a vulnerabilty in SafeBuffer. Upgrade to #{suggested_version} or apply patches."
 
-    warn :warning_type => "Cross Site Scripting",
+    warn :warning_type => "Cross-Site Scripting",
       :warning_code => :safe_buffer_vuln, 
       :message => message,
-      :confidence => CONFIDENCE[:med],
+      :confidence => :medium,
       :gem_info => gemfile_or_environment
   end
 end

data/lib/brakeman/checks/check_sanitize_methods.rb

@@ -46,16 +46,16 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
       message = "Rails #{rails_version} has a vulnerability in #{method}: upgrade to #{@fix_version} or patch"
 
       if include_user_input? result[:call]
-        confidence = CONFIDENCE[:high]
+        confidence = :high
       else
-        confidence = CONFIDENCE[:medium]
+        confidence = :medium
       end
 
       warn :result => result,
-        :warning_type => "Cross Site Scripting",
+        :warning_type => "Cross-Site Scripting",
         :warning_code => code,
         :message => message,
-        :confidence => CONFIDENCE[:high],
+        :confidence => :high,
         :link_path => link
     end
   end
@@ -64,12 +64,12 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
     message = "rails-html-sanitizer #{tracker.config.gem_version(:'rails-html-sanitizer')} is vulnerable (#{cve}). Upgrade to 1.0.3"
 
     if tracker.find_call(:target => false, :method => :sanitize).any?
-      confidence = CONFIDENCE[:high]
+      confidence = :high
     else
-      confidence = CONFIDENCE[:med]
+      confidence = :medium
     end
 
-    warn :warning_type => "Cross Site Scripting",
+    warn :warning_type => "Cross-Site Scripting",
       :warning_code => cve.tr('-', '_').to_sym,
       :message => message,
       :gem_info => gemfile_or_environment,

data/lib/brakeman/checks/check_secrets.rb

@@ -25,7 +25,7 @@ class Brakeman::CheckSecrets < Brakeman::BaseCheck
           warn :warning_code => :secret_in_source,
             :warning_type => "Authentication",
             :message => "Hardcoded value for #{name} in source code",
-            :confidence => CONFIDENCE[:med],
+            :confidence => :medium,
             :file => constant.file,
             :line => constant.line
         end

data/lib/brakeman/checks/check_select_tag.rb

@@ -46,11 +46,11 @@ class Brakeman::CheckSelectTag < Brakeman::BaseCheck
         return
       elsif sexp? prompt_option and input = include_user_input?(prompt_option)
 
-        warn :warning_type => "Cross Site Scripting",
+        warn :warning_type => "Cross-Site Scripting",
           :warning_code => :CVE_2012_3463,
           :result => result,
           :message => @message,
-          :confidence => CONFIDENCE[:high],
+          :confidence => :high,
           :user_input => input,
           :link_path => "https://groups.google.com/d/topic/rubyonrails-security/fV3QUToSMSw/discussion"
       end

data/lib/brakeman/checks/check_select_vulnerability.rb

@@ -44,13 +44,13 @@ class Brakeman::CheckSelectVulnerability < Brakeman::BaseCheck
       add_result result
 
       if string_interp? third_arg
-        confidence = CONFIDENCE[:med]
+        confidence = :medium
       else
-        confidence = CONFIDENCE[:low]
+        confidence = :weak
       end
 
       warn :template => result[:location][:template],
-          :warning_type => "Cross Site Scripting",
+          :warning_type => "Cross-Site Scripting",
           :warning_code => :select_options_vuln,
           :result => result,
           :message => @message,

data/lib/brakeman/checks/check_send.rb

@@ -30,7 +30,7 @@ class Brakeman::CheckSend < Brakeman::BaseCheck
         :message => "User controlled method execution",
         :code => result[:call],
         :user_input => input,
-        :confidence => CONFIDENCE[:high]
+        :confidence => :high
     end
   end
 

data/lib/brakeman/checks/check_session_manipulation.rb

@@ -18,9 +18,9 @@ class Brakeman::CheckSessionManipulation < Brakeman::BaseCheck
 
     if input = has_immediate_user_input?(index)
       if params? index
-        confidence = CONFIDENCE[:high]
+        confidence = :high
       else
-        confidence = CONFIDENCE[:med]
+        confidence = :medium
       end
 
       warn :result => result,

data/lib/brakeman/checks/check_session_settings.rb

@@ -137,7 +137,7 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
     warn :warning_type => "Session Setting",
       :warning_code => :http_cookies,
       :message => "Session cookies should be set to HTTP only",
-      :confidence => CONFIDENCE[:high],
+      :confidence => :high,
       :line => line,
       :file => file
 
@@ -147,7 +147,7 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
     warn :warning_type => "Session Setting",
       :warning_code => :session_secret,
       :message => "Session secret should not be included in version control",
-      :confidence => CONFIDENCE[:high],
+      :confidence => :high,
       :line => line,
       :file => file
   end
@@ -156,7 +156,7 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
     warn :warning_type => "Session Setting",
       :warning_code => :secure_cookies,
       :message => "Session cookie should be set to secure only",
-      :confidence => CONFIDENCE[:high],
+      :confidence => :high,
       :line => line,
       :file => file
   end