brakeman-lib 4.10.0 → 5.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0b264d50410107be24af470596fa3b5511eb8f174707f571f9884a6aea932d87
-  data.tar.gz: 4a8ab18c5e077e4b192ea52db29b52c7dd6006f66163862f0d4b1fd9973ba366
+  metadata.gz: d16867dd5c48de9ec2975e1dc420e3a5154939361988d70c4217f251881452ed
+  data.tar.gz: f5cae624d83a1298fb3f07108c76d1f55c756404d6998fccfd9e5fcfe69a068e
 SHA512:
-  metadata.gz: 524c94b3b25e13273dea5707e315fde68fe5ad984433e3c0a11674bc7baf1c133a9e4becc528fabb092536ba9b5d02f05714dd10dd32014067cff8e301c37096
-  data.tar.gz: 349db7828699760d574a0534f21361eee617454647033f27ed7440e16a9ef38b7807f76b62fbd62fd1746d024c70a557f3d3fa5970cc390f3e92eaf3ca004f0c
+  metadata.gz: f8724b266165ef9ed4ad926432e0786b955cb2e98b56e7100354b0ad04a51cc0eaa139343a769980852ae615bd209e8854f6f83616b0703d3a2aaf08229860c6
+  data.tar.gz: 963f46a856d6f943c74c6aca8ec3f3dc61ae3d82758fbfdda63bb4fc789ff95535f49cc73f9abef4cf1553323606d4fd50c8a03082178a6dd3cea0883e544a40

data/CHANGES.md

@@ -1,3 +1,49 @@
+# 5.0.2 - 2021-06-07
+
+* Fix Loofah version check
+
+# 5.0.1 - 2021-04-27
+
+* Detect `::Rails.application.configure` too
+* Set more line numbers on Sexps
+* Support loading `slim/smart`
+* Don't fail if $HOME/$USER are not defined
+* Always ignore slice/only calls for mass assignment
+* Convert splat array arguments to arguments
+
+# 5.0.0 - 2021-01-26
+
+* Ignore `uuid` as a safe attribute
+* Collapse `__send__` calls
+* Ignore `Tempfile#path` in shell commands
+* Ignore development environment
+* Revamp CSV report to a CSV list of warnings
+* Set Rails configuration defaults based on `load_defaults` version
+* Add check for (more) unsafe method reflection
+* Suggest using `--force` if no Rails application is detected
+* Add Sonarqube report format (Adam England)
+* Add check for potential HTTP verb confusion
+* Add `--[no-]skip-vendor` option
+* Scan (almost) all Ruby files in project
+
+# 4.10.1 - 2020-12-24
+
+* Declare REXML as a dependency (Ruby 3.0 compatibility)
+* Use `Sexp#sexp_body` instead of `Sexp#[..]` (Ruby 3.0 compatibility)
+* Prevent render loops when template names are absolute paths
+* Ensure RubyParser is passed file path as a String
+* Support new Haml 5.2.0 escaping method
+
+# 5.0.0.pre1 - 2020-11-17
+
+* Add check for (more) unsafe method reflection
+* Suggest using `--force` if no Rails application is detected
+* Add Sonarqube report format (Adam England)
+* Add check for potential HTTP verb confusion
+* Add `--[no-]skip-vendor` option
+* Scan (almost) all Ruby files in project
+* Add support for Haml 5.2.0
+
 # 4.10.0 - 2020-09-28
 
 * Add SARIF report format (Steve Winton)

data/README.md

@@ -76,7 +76,7 @@ To specify an output file for the results:
 
     brakeman -o output_file
 
-The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `junit`, `markdown`, `csv`, and `codeclimate`.
+The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `junit`, `markdown`, `csv`, `codeclimate`, and `sonar`.
 
 Multiple output files can be specified:
 
@@ -159,7 +159,16 @@ The `-w` switch takes a number from 1 to 3, with 1 being low (all warnings) and
 
 # Configuration files
 
-Brakeman options can stored and read from YAML files. To simplify the process of writing a configuration file, the `-C` option will output the currently set options.
+Brakeman options can be stored and read from YAML files.
+
+To simplify the process of writing a configuration file, the `-C` option will output the currently set options:
+
+```sh
+$ brakeman -C --skip-files plugins/
+---
+:skip_files:
+- plugins/
+```
 
 Options passed in on the commandline have priority over configuration files.
 

data/lib/brakeman.rb

@@ -66,6 +66,7 @@ module Brakeman
   #  * :run_checks - array of checks to run (run all if not specified)
   #  * :safe_methods - array of methods to consider safe
   #  * :skip_libs - do not process lib/ directory (default: false)
+  #  * :skip_vendor - do not process vendor/ directory (default: true)
   #  * :skip_checks - checks not to run (run all if not specified)
   #  * :absolute_paths - show absolute path of each file (default: false)
   #  * :summary_only - only output summary section of report for plain/table (:summary_only, :no_summary, true)
@@ -156,10 +157,17 @@ module Brakeman
     end
   end
 
-  CONFIG_FILES = [
-    File.expand_path("~/.brakeman/config.yml"),
-    File.expand_path("/etc/brakeman/config.yml")
-  ]
+  CONFIG_FILES = begin
+                   [
+                     File.expand_path("~/.brakeman/config.yml"),
+                     File.expand_path("/etc/brakeman/config.yml")
+                   ]
+                 rescue ArgumentError
+                   # In case $HOME or $USER aren't defined for use of `~`
+                   [
+                     File.expand_path("/etc/brakeman/config.yml")
+                   ]
+                 end
 
   def self.config_file custom_location, app_path
     app_config = File.expand_path(File.join(app_path, "config", "brakeman.yml"))
@@ -191,6 +199,7 @@ module Brakeman
       :report_progress => true,
       :safe_methods => Set.new,
       :skip_checks => Set.new,
+      :skip_vendor => true,
     }
   end
 
@@ -239,6 +248,10 @@ module Brakeman
       [:to_junit]
     when :sarif, :to_sarif
       [:to_sarif]
+    when :sonar, :to_sonar
+      [:to_sonar]
+    when :github, :to_github
+      [:to_github]
     else
       [:to_text]
     end
@@ -270,6 +283,10 @@ module Brakeman
         :to_junit
       when /\.sarif$/i
         :to_sarif
+      when /\.sonar$/i
+        :to_sonar
+      when /\.github$/i
+        :to_github
       else
         :to_text
       end

data/lib/brakeman/app_tree.rb

@@ -21,6 +21,7 @@ module Brakeman
       end
       init_options[:additional_libs_path] = options[:additional_libs_path]
       init_options[:engine_paths] = options[:engine_paths]
+      init_options[:skip_vendor] = options[:skip_vendor]
       new(root, init_options)
     end
 
@@ -62,6 +63,7 @@ module Brakeman
       @engine_paths = init_options[:engine_paths] || []
       @absolute_engine_paths = @engine_paths.select { |path| path.start_with?(File::SEPARATOR) }
       @relative_engine_paths = @engine_paths - @absolute_engine_paths
+      @skip_vendor = init_options[:skip_vendor]
       @gemspec = nil
       @root_search_pattern = nil
     end
@@ -96,6 +98,10 @@ module Brakeman
       end
     end
 
+    def ruby_file_paths
+      find_paths(".").uniq
+    end
+
     def initializer_paths
       @initializer_paths ||= prioritize_concerns(find_paths("config/initializers"))
     end
@@ -109,8 +115,8 @@ module Brakeman
     end
 
     def template_paths
-      @template_paths ||= find_paths("app/**/views", "*.{#{VIEW_EXTENSIONS}}") +
-                          find_paths("app/**/views", "*.{erb,haml,slim}").reject { |path| File.basename(path).count(".") > 1 }
+      @template_paths ||= find_paths(".", "*.{#{VIEW_EXTENSIONS}}") +
+        find_paths("**", "*.{erb,haml,slim}").reject { |path| File.basename(path).count(".") > 1 }
     end
 
     def layout_exists?(name)
@@ -163,7 +169,8 @@ module Brakeman
     def select_files(paths)
       paths = select_only_files(paths)
       paths = reject_skipped_files(paths)
-      convert_to_file_paths(paths)
+      paths = convert_to_file_paths(paths)
+      reject_global_excludes(paths)
     end
 
     def select_only_files(paths)
@@ -182,6 +189,32 @@ module Brakeman
       end
     end
 
+    EXCLUDED_PATHS = %w[
+      /generators/
+      lib/tasks/
+      lib/templates/
+      db/
+      spec/
+      test/
+      tmp/
+      public/
+      log/
+    ]
+
+    def reject_global_excludes(paths)
+      paths.reject do |path|
+        relative_path = path.relative
+
+        if @skip_vendor and relative_path.include? 'vendor/'
+          true
+        else
+          EXCLUDED_PATHS.any? do |excluded|
+            relative_path.include? excluded
+          end
+        end
+      end
+    end
+
     def match_path files, path
       absolute_path = Pathname.new(path)
       # relative root never has a leading separator. But, we use a leading

data/lib/brakeman/checks/base_check.rb

@@ -40,7 +40,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     @mass_assign_disabled = nil
     @has_user_input = nil
     @in_array = false
-    @safe_input_attributes = Set[:to_i, :to_f, :arel_table, :id]
+    @safe_input_attributes = Set[:to_i, :to_f, :arel_table, :id, :uuid]
     @comparison_ops  = Set[:==, :!=, :>, :<, :>=, :<=]
   end
 
@@ -151,6 +151,12 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     method[-1] == "?"
   end
 
+  TEMP_FILE_PATH = s(:call, s(:call, s(:const, :Tempfile), :new), :path).freeze
+
+  def temp_file_path? exp
+    exp == TEMP_FILE_PATH
+  end
+
   #Report a warning
   def warn options
     extra_opts = { :check => self.class.to_s }

data/lib/brakeman/checks/check_detailed_exceptions.rb

@@ -26,7 +26,7 @@ class Brakeman::CheckDetailedExceptions < Brakeman::BaseCheck
   def check_detailed_exceptions
     tracker.controllers.each do |_name, controller|
       controller.methods_public.each do |method_name, definition|
-        src = definition[:src]
+        src = definition.src
         body = src.body.last
         next unless body
 

data/lib/brakeman/checks/check_evaluation.rb

@@ -10,7 +10,7 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
   #Process calls
   def run_check
     Brakeman.debug "Finding eval-like calls"
-    calls = tracker.find_call :method => [:eval, :instance_eval, :class_eval, :module_eval]
+    calls = tracker.find_call methods: [:eval, :instance_eval, :class_eval, :module_eval], nested: true
 
     Brakeman.debug "Processing eval-like calls"
     calls.each do |call|

data/lib/brakeman/checks/check_execute.rb

@@ -204,11 +204,12 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
       next if node_type? e, :lit, :str
       next if SAFE_VALUES.include? e
       next if shell_escape? e
+      next if temp_file_path? e
 
       if node_type? e, :if
         # If we're in a conditional, evaluate the `then` and `else` clauses to
         # see if they're dangerous.
-        if res = dangerous?(e.values[1..-1])
+        if res = dangerous?(e.sexp_body.sexp_body)
           return res
         end
       elsif node_type? e, :or, :evstr, :dstr

data/lib/brakeman/checks/check_mass_assignment.rb

@@ -69,17 +69,15 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
     if check and original? res
 
       model = tracker.models[res[:chain].first]
-
       attr_protected = (model and model.attr_protected)
+      first_arg = call.first_arg
 
       if attr_protected and tracker.options[:ignore_attr_protected]
         return
+      elsif call? first_arg and (first_arg.method == :slice or first_arg.method == :only)
+        return
       elsif input = include_user_input?(call.arglist)
-        first_arg = call.first_arg
-
-        if call? first_arg and (first_arg.method == :slice or first_arg.method == :only)
-          return
-        elsif not node_type? first_arg, :hash
+        if not node_type? first_arg, :hash
           if attr_protected
             confidence = :medium
           else

data/lib/brakeman/checks/check_regex_dos.rb

@@ -29,7 +29,7 @@ class Brakeman::CheckRegexDoS < Brakeman::BaseCheck
     return unless original? result
 
     call = result[:call]
-    components = call[1..-1]
+    components = call.sexp_body
 
     components.any? do |component|
       next unless sexp? component

data/lib/brakeman/checks/check_sanitize_methods.rb

@@ -90,7 +90,8 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
   def loofah_vulnerable_cve_2018_8048?
     loofah_version = tracker.config.gem_version(:loofah)
 
-    loofah_version and loofah_version < "2.2.1"
+    # 2.2.1 is fix version
+    loofah_version and version_between?("0.0.0", "2.2.0", loofah_version)
   end
 
   def warn_sanitizer_cve cve, link, upgrade_version

data/lib/brakeman/checks/check_sql.rb

@@ -572,11 +572,11 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   end
 
   IGNORE_METHODS_IN_SQL = Set[:id, :merge_conditions, :table_name, :quoted_table_name,
-    :quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array,
+    :quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array, :sanitize_sql_like,
     :sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,
     :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
     :to_sql, :sanitize, :primary_key, :table_name_prefix, :table_name_suffix,
-    :where_values_hash, :foreign_key
+    :where_values_hash, :foreign_key, :uuid
   ]
 
   def safe_value? exp
@@ -592,7 +592,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
         IGNORE_METHODS_IN_SQL.include? exp.method or
         quote_call? exp or
         arel? exp or
-        exp.method.to_s.end_with? "_id"
+        exp.method.to_s.end_with? "_id" or
+        number_target? exp
       end
     when :if
       safe_value? exp.then_clause and safe_value? exp.else_clause
@@ -695,4 +696,16 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       active_record_models.include? klass
     end
   end
+
+  def number_target? exp
+    return unless call? exp
+
+    if number? exp.target
+      true
+    elsif call? exp.target
+      number_target? exp.target
+    else
+      false
+    end
+  end
 end

data/lib/brakeman/checks/check_unsafe_reflection_methods.rb

@@ -0,0 +1,68 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckUnsafeReflectionMethods < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for unsafe reflection to access methods"
+
+  def run_check
+    check_method
+    check_tap
+    check_to_proc
+  end
+
+  def check_method
+    tracker.find_call(method: :method, nested: true).each do |result|
+      argument = result[:call].first_arg
+
+      if user_input = include_user_input?(argument)
+        warn_unsafe_reflection(result, user_input)
+      end
+    end
+  end
+
+  def check_tap
+    tracker.find_call(method: :tap, nested: true).each do |result|
+      argument = result[:call].first_arg
+
+      # Argument is passed like a.tap(&argument)
+      if node_type? argument, :block_pass
+        argument = argument.value
+      end
+
+      if user_input = include_user_input?(argument)
+        warn_unsafe_reflection(result, user_input)
+      end
+    end
+  end
+
+  def check_to_proc
+    tracker.find_call(method: :to_proc, nested: true).each do |result|
+      target = result[:call].target
+
+      if user_input = include_user_input?(target)
+        warn_unsafe_reflection(result, user_input)
+      end
+    end
+  end
+
+  def warn_unsafe_reflection result, input
+    return unless original? result
+    method = result[:call].method
+
+    confidence = if input.type == :params
+      :high
+    else
+      :medium
+    end
+
+    message = msg("Unsafe reflection method ", msg_code(method), " called with ", msg_input(input))
+
+    warn :result => result,
+      :warning_type => "Remote Code Execution",
+      :warning_code => :unsafe_method_reflection,
+      :message => message,
+      :user_input => input,
+      :confidence => confidence
+  end
+end

data/lib/brakeman/checks/check_verb_confusion.rb

@@ -0,0 +1,75 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckVerbConfusion < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Check for uses of `request.get?` that might have unintentional behavior"
+
+  #Process calls
+  def run_check
+    calls = tracker.find_call(target: :request, methods: [:get?])
+
+    calls.each do |call|
+      process_result call
+    end
+  end
+
+  def process_result result
+    @current_result = result
+    @matched_call = result[:call]
+    klass = tracker.find_class(result[:location][:class])
+
+    # TODO: abstract into tracker.find_location ?
+    if klass.nil?
+      Brakeman.debug "No class found: #{result[:location][:class]}"
+      return
+    end
+
+    method = klass.get_method(result[:location][:method])
+
+    if method.nil?
+      Brakeman.debug "No method found: #{result[:location][:method]}"
+      return
+    end
+
+    process method.src
+  end
+
+  def process_if exp
+    if exp.condition == @matched_call
+      # Found `if request.get?`
+
+      # Do not warn if there is an `elsif` clause
+      if node_type? exp.else_clause, :if
+        return exp
+      end
+
+      warn_about_result @current_result, exp
+    end
+
+    exp
+  end
+
+  def warn_about_result result, code
+    return unless original? result
+
+    confidence = :weak
+    message = msg('Potential HTTP verb confusion. ',
+                  msg_code('HEAD'),
+                  ' is routed like ',
+                  msg_code('GET'),
+                  ' but ',
+                  msg_code('request.get?'),
+                  ' will return ',
+                  msg_code('false')
+                 )
+
+    warn :result => result,
+      :warning_type => "HTTP Verb Confusion",
+      :warning_code => :http_verb_confusion,
+      :message => message,
+      :code => code,
+      :user_input => result[:call],
+      :confidence => confidence
+  end
+end