brakeman-lib 4.10.0 → 5.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (53) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGES.md +46 -0
  3. data/README.md +11 -2
  4. data/lib/brakeman.rb +21 -4
  5. data/lib/brakeman/app_tree.rb +36 -3
  6. data/lib/brakeman/checks/base_check.rb +7 -1
  7. data/lib/brakeman/checks/check_detailed_exceptions.rb +1 -1
  8. data/lib/brakeman/checks/check_evaluation.rb +1 -1
  9. data/lib/brakeman/checks/check_execute.rb +2 -1
  10. data/lib/brakeman/checks/check_mass_assignment.rb +4 -6
  11. data/lib/brakeman/checks/check_regex_dos.rb +1 -1
  12. data/lib/brakeman/checks/check_sanitize_methods.rb +2 -1
  13. data/lib/brakeman/checks/check_sql.rb +16 -3
  14. data/lib/brakeman/checks/check_unsafe_reflection_methods.rb +68 -0
  15. data/lib/brakeman/checks/check_verb_confusion.rb +75 -0
  16. data/lib/brakeman/file_parser.rb +50 -22
  17. data/lib/brakeman/options.rb +5 -1
  18. data/lib/brakeman/parsers/template_parser.rb +26 -3
  19. data/lib/brakeman/processors/alias_processor.rb +91 -19
  20. data/lib/brakeman/processors/base_processor.rb +4 -4
  21. data/lib/brakeman/processors/controller_alias_processor.rb +6 -43
  22. data/lib/brakeman/processors/controller_processor.rb +1 -1
  23. data/lib/brakeman/processors/haml_template_processor.rb +8 -1
  24. data/lib/brakeman/processors/lib/call_conversion_helper.rb +10 -0
  25. data/lib/brakeman/processors/lib/file_type_detector.rb +64 -0
  26. data/lib/brakeman/processors/lib/rails3_config_processor.rb +16 -16
  27. data/lib/brakeman/processors/lib/rails4_config_processor.rb +2 -1
  28. data/lib/brakeman/processors/library_processor.rb +9 -0
  29. data/lib/brakeman/processors/output_processor.rb +1 -1
  30. data/lib/brakeman/processors/template_alias_processor.rb +5 -0
  31. data/lib/brakeman/report.rb +12 -1
  32. data/lib/brakeman/report/ignore/interactive.rb +1 -1
  33. data/lib/brakeman/report/report_base.rb +0 -2
  34. data/lib/brakeman/report/report_csv.rb +37 -60
  35. data/lib/brakeman/report/report_github.rb +31 -0
  36. data/lib/brakeman/report/report_junit.rb +2 -2
  37. data/lib/brakeman/report/report_sarif.rb +1 -1
  38. data/lib/brakeman/report/report_sonar.rb +38 -0
  39. data/lib/brakeman/report/report_tabs.rb +1 -1
  40. data/lib/brakeman/report/report_text.rb +1 -1
  41. data/lib/brakeman/rescanner.rb +7 -5
  42. data/lib/brakeman/scanner.rb +47 -18
  43. data/lib/brakeman/tracker.rb +39 -4
  44. data/lib/brakeman/tracker/collection.rb +27 -5
  45. data/lib/brakeman/tracker/config.rb +73 -0
  46. data/lib/brakeman/tracker/controller.rb +1 -1
  47. data/lib/brakeman/tracker/method_info.rb +29 -0
  48. data/lib/brakeman/util.rb +17 -4
  49. data/lib/brakeman/version.rb +1 -1
  50. data/lib/brakeman/warning.rb +10 -2
  51. data/lib/brakeman/warning_codes.rb +2 -0
  52. data/lib/ruby_parser/bm_sexp.rb +9 -9
  53. metadata +39 -5
@@ -51,7 +51,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
51
51
  #Need to process the method like it was in a controller in order
52
52
  #to get the renders set
53
53
  processor = Brakeman::ControllerProcessor.new(@tracker, mixin.file)
54
- method = mixin.get_method(name)[:src].deep_clone
54
+ method = mixin.get_method(name).src.deep_clone
55
55
 
56
56
  if node_type? method, :defn
57
57
  method = processor.process_defn method
@@ -143,16 +143,16 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
143
143
  #Basically, adds any instance variable assignments to the environment.
144
144
  #TODO: method arguments?
145
145
  def process_before_filter name
146
- filter = find_method name, @current_class
146
+ filter = tracker.find_method name, @current_class
147
147
 
148
148
  if filter.nil?
149
149
  Brakeman.debug "[Notice] Could not find filter #{name}"
150
150
  return
151
151
  end
152
152
 
153
- method = filter[:method]
153
+ method = filter.src
154
154
 
155
- if ivars = @tracker.filter_cache[[filter[:controller], name]]
155
+ if ivars = @tracker.filter_cache[[filter.owner, name]]
156
156
  ivars.each do |variable, value|
157
157
  env[variable] = value
158
158
  end
@@ -162,7 +162,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
162
162
 
163
163
  ivars = processor.only_ivars(:include_request_vars).all
164
164
 
165
- @tracker.filter_cache[[filter[:controller], name]] = ivars
165
+ @tracker.filter_cache[[filter.owner, name]] = ivars
166
166
 
167
167
  ivars.each do |variable, value|
168
168
  env[variable] = value
@@ -182,7 +182,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
182
182
  # method as the line number
183
183
  if line.nil? and controller = @tracker.controllers[@current_class]
184
184
  if meth = controller.get_method(@current_method)
185
- if line = meth[:src] && meth[:src].last && meth[:src].last.line
185
+ if line = meth.src && meth.src.last && meth.src.last.line
186
186
  line += 1
187
187
  else
188
188
  line = 1
@@ -241,41 +241,4 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
241
241
  []
242
242
  end
243
243
  end
244
-
245
- #Finds a method in the given class or a parent class
246
- #
247
- #Returns nil if the method could not be found.
248
- #
249
- #If found, returns hash table with controller name and method sexp.
250
- def find_method method_name, klass
251
- return nil if sexp? method_name
252
- method_name = method_name.to_sym
253
-
254
- if method = @method_cache[method_name]
255
- return method
256
- end
257
-
258
- controller = @tracker.controllers[klass]
259
- controller ||= @tracker.libs[klass]
260
-
261
- if klass and controller
262
- method = controller.get_method method_name
263
-
264
- if method.nil?
265
- controller.includes.each do |included|
266
- method = find_method method_name, included
267
- if method
268
- @method_cache[method_name] = method
269
- return method
270
- end
271
- end
272
-
273
- @method_cache[method_name] = find_method method_name, controller.parent
274
- else
275
- @method_cache[method_name] = { :controller => controller.name, :method => method[:src] }
276
- end
277
- else
278
- nil
279
- end
280
- end
281
244
  end
@@ -202,7 +202,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
202
202
  end
203
203
 
204
204
  if node_type? exp.block, :block
205
- block_inner = exp.block[1..-1]
205
+ block_inner = exp.block.sexp_body
206
206
  else
207
207
  block_inner = [exp.block]
208
208
  end
@@ -76,6 +76,13 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
76
76
  end
77
77
  end
78
78
 
79
+ ESCAPE_METHODS = [
80
+ :html_escape,
81
+ :html_escape_without_haml_xss,
82
+ :escape_once,
83
+ :escape_once_without_haml_xss
84
+ ]
85
+
79
86
  def get_pushed_value exp, default = :output
80
87
  return exp unless sexp? exp
81
88
 
@@ -105,7 +112,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
105
112
  when :call
106
113
  if exp.method == :to_s or exp.method == :strip
107
114
  get_pushed_value(exp.target, default)
108
- elsif haml_helpers? exp.target and exp.method == :html_escape
115
+ elsif haml_helpers? exp.target and ESCAPE_METHODS.include? exp.method
109
116
  get_pushed_value(exp.first_arg, :escaped_output)
110
117
  elsif @javascript and (exp.method == :j or exp.method == :escape_javascript) # TODO: Remove - this is not safe
111
118
  get_pushed_value(exp.first_arg, :escaped_output)
@@ -76,6 +76,8 @@ module Brakeman
76
76
 
77
77
  #Have to do this because first element is :array and we have to skip it
78
78
  array[1..-1][index] or original_exp
79
+ elsif all_literals? array
80
+ safe_literal(array.line)
79
81
  else
80
82
  original_exp
81
83
  end
@@ -92,5 +94,13 @@ module Brakeman
92
94
  original_exp
93
95
  end
94
96
  end
97
+
98
+ def hash_values_at hash, keys
99
+ values = keys.map do |key|
100
+ process_hash_access hash, key
101
+ end
102
+
103
+ Sexp.new(:array).concat(values).line(hash.line)
104
+ end
95
105
  end
96
106
  end
@@ -0,0 +1,64 @@
1
+ module Brakeman
2
+ class FileTypeDetector < BaseProcessor
3
+ def initialize
4
+ super(nil)
5
+ reset
6
+ end
7
+
8
+ def detect_type(file)
9
+ reset
10
+ process(file.ast)
11
+
12
+ if @file_type.nil?
13
+ @file_type = guess_from_path(file.path.relative)
14
+ end
15
+
16
+ @file_type || :libs
17
+ end
18
+
19
+ MODEL_CLASSES = [
20
+ :'ActiveRecord::Base',
21
+ :ApplicationRecord
22
+ ]
23
+
24
+ def process_class exp
25
+ name = class_name(exp.class_name)
26
+ parent = class_name(exp.parent_name)
27
+
28
+ if name.match(/Controller$/)
29
+ @file_type = :controllers
30
+ return exp
31
+ elsif MODEL_CLASSES.include? parent
32
+ @file_type = :models
33
+ return exp
34
+ end
35
+
36
+ super
37
+ end
38
+
39
+ def guess_from_path path
40
+ case
41
+ when path.include?('app/models')
42
+ :models
43
+ when path.include?('app/controllers')
44
+ :controllers
45
+ when path.include?('config/initializers')
46
+ :initializers
47
+ when path.include?('lib/')
48
+ :libs
49
+ when path.match?(%r{config/environments/(?!production\.rb)$})
50
+ :skip
51
+ when path.match?(%r{environments/production\.rb$})
52
+ :skip
53
+ when path.match?(%r{application\.rb$})
54
+ :skip
55
+ end
56
+ end
57
+
58
+ private
59
+
60
+ def reset
61
+ @file_type = nil
62
+ end
63
+ end
64
+ end
@@ -57,6 +57,20 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
57
57
  exp
58
58
  end
59
59
 
60
+ #Look for configuration settings that
61
+ #are just a call like
62
+ #
63
+ # config.load_defaults 5.2
64
+ def process_call exp
65
+ return exp unless @inside_config
66
+
67
+ if exp.target == RAILS_CONFIG and exp.first_arg
68
+ @tracker.config.rails[exp.method] = exp.first_arg
69
+ end
70
+
71
+ exp
72
+ end
73
+
60
74
  #Look for configuration settings
61
75
  def process_attrasgn exp
62
76
  return exp unless @inside_config
@@ -71,22 +85,8 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
71
85
  @tracker.config.rails[attribute] = exp.first_arg
72
86
  end
73
87
  elsif include_rails_config? exp
74
- options = get_rails_config exp
75
- level = @tracker.config.rails
76
- options[0..-2].each do |o|
77
- level[o] ||= {}
78
-
79
- option = level[o]
80
-
81
- if not option.is_a? Hash
82
- Brakeman.debug "[Notice] Skipping config setting: #{options.map(&:to_s).join(".")}"
83
- return exp
84
- end
85
-
86
- level = level[o]
87
- end
88
-
89
- level[options.last] = exp.first_arg
88
+ options_path = get_rails_config exp
89
+ @tracker.config.set_rails_config(exp.first_arg, *options_path)
90
90
  end
91
91
 
92
92
  exp
@@ -2,10 +2,11 @@ require 'brakeman/processors/lib/rails3_config_processor'
2
2
 
3
3
  class Brakeman::Rails4ConfigProcessor < Brakeman::Rails3ConfigProcessor
4
4
  APPLICATION_CONFIG = s(:call, s(:call, s(:const, :Rails), :application), :configure)
5
+ ALT_APPLICATION_CONFIG = s(:call, s(:call, s(:colon3, :Rails), :application), :configure)
5
6
 
6
7
  # Look for Rails.application.configure do ... end
7
8
  def process_iter exp
8
- if exp.block_call == APPLICATION_CONFIG
9
+ if exp.block_call == APPLICATION_CONFIG or exp.block_call == ALT_APPLICATION_CONFIG
9
10
  @inside_config = true
10
11
  process exp.block if sexp? exp.block
11
12
  @inside_config = false
@@ -54,6 +54,15 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
54
54
 
55
55
  def process_call exp
56
56
  if process_call_defn? exp
57
+ exp
58
+ elsif @current_method.nil? and exp.target.nil? and (@current_class or @current_module)
59
+ # Methods called inside class / module
60
+ case exp.method
61
+ when :include
62
+ module_name = class_name(exp.first_arg)
63
+ (@current_class || @current_module).add_include module_name
64
+ end
65
+
57
66
  exp
58
67
  else
59
68
  process_default exp
@@ -88,7 +88,7 @@ class Brakeman::OutputProcessor < Ruby2Ruby
88
88
 
89
89
  def process_iter exp
90
90
  call = process exp[1]
91
- block = process_rlist exp[3..-1]
91
+ block = process_rlist exp.sexp_body(3)
92
92
  out = "#{call} do\n #{block}\n end"
93
93
 
94
94
  out
@@ -20,6 +20,11 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
20
20
 
21
21
  #Process template
22
22
  def process_template name, args, _, line = nil
23
+ # Strip forward slash from beginning of template path.
24
+ # This also happens in RenderHelper#process_template but
25
+ # we need it here too to accurately avoid circular renders below.
26
+ name = name.to_s.gsub(/^\//, "")
27
+
23
28
  if @called_from
24
29
  if @called_from.include_template? name
25
30
  Brakeman.debug "Skipping circular render from #{@template.name} to #{name}"
@@ -6,7 +6,7 @@ require 'brakeman/report/report_base'
6
6
  class Brakeman::Report
7
7
  attr_reader :tracker
8
8
 
9
- VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain, :to_text, :to_junit]
9
+ VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain, :to_text, :to_junit, :to_github]
10
10
 
11
11
  def initialize tracker
12
12
  @app_tree = tracker.app_tree
@@ -45,6 +45,12 @@ class Brakeman::Report
45
45
  Brakeman::Report::JUnit
46
46
  when :to_sarif
47
47
  return self.to_sarif
48
+ when :to_sonar
49
+ require_report 'sonar'
50
+ Brakeman::Report::Sonar
51
+ when :to_github
52
+ require_report 'github'
53
+ Brakeman::Report::Github
48
54
  else
49
55
  raise "Invalid format: #{format}. Should be one of #{VALID_FORMATS.inspect}"
50
56
  end
@@ -69,6 +75,11 @@ class Brakeman::Report
69
75
  generate Brakeman::Report::JSON
70
76
  end
71
77
 
78
+ def to_sonar
79
+ require_report 'sonar'
80
+ generate Brakeman::Report::Sonar
81
+ end
82
+
72
83
  def to_table
73
84
  require_report 'table'
74
85
  generate Brakeman::Report::Table
@@ -62,7 +62,7 @@ module Brakeman
62
62
  process_warnings
63
63
  end
64
64
 
65
- m.choice "Hide previously ignored warnings" do
65
+ m.choice "Inspect new warnings" do
66
66
  @skip_ignored = true
67
67
  pre_show_help
68
68
  process_warnings
@@ -11,8 +11,6 @@ class Brakeman::Report::Base
11
11
 
12
12
  attr_reader :tracker, :checks
13
13
 
14
- TEXT_CONFIDENCE = Brakeman::Warning::TEXT_CONFIDENCE
15
-
16
14
  def initialize tracker
17
15
  @app_tree = tracker.app_tree
18
16
  @tracker = tracker
@@ -1,72 +1,49 @@
1
1
  require 'csv'
2
- require "brakeman/report/report_table"
3
2
 
4
- class Brakeman::Report::CSV < Brakeman::Report::Table
3
+ class Brakeman::Report::CSV < Brakeman::Report::Base
5
4
  def generate_report
6
- output = csv_header
7
- output << "\nSUMMARY\n"
8
-
9
- output << table_to_csv(generate_overview) << "\n"
10
-
11
- output << table_to_csv(generate_warning_overview) << "\n"
12
-
13
- #Return output early if only summarizing
14
- if tracker.options[:summary_only]
15
- return output
16
- end
17
-
18
- if tracker.options[:report_routes] or tracker.options[:debug]
19
- output << "CONTROLLERS\n"
20
- output << table_to_csv(generate_controllers) << "\n"
21
- end
22
-
23
- if tracker.options[:debug]
24
- output << "TEMPLATES\n\n"
25
- output << table_to_csv(generate_templates) << "\n"
5
+ headers = [
6
+ "Confidence",
7
+ "Warning Type",
8
+ "File",
9
+ "Line",
10
+ "Message",
11
+ "Code",
12
+ "User Input",
13
+ "Check Name",
14
+ "Warning Code",
15
+ "Fingerprint",
16
+ "Link"
17
+ ]
18
+
19
+ rows = tracker.filtered_warnings.sort_by do |w|
20
+ [w.confidence, w.warning_type, w.file, w.line, w.fingerprint]
21
+ end.map do |warning|
22
+ generate_row(headers, warning)
26
23
  end
27
24
 
28
- res = generate_errors
29
- output << "ERRORS\n" << table_to_csv(res) << "\n" if res
30
-
31
- res = generate_warnings
32
- output << "SECURITY WARNINGS\n" << table_to_csv(res) << "\n" if res
25
+ table = CSV::Table.new(rows)
33
26
 
34
- output << "Controller Warnings\n"
35
- res = generate_controller_warnings
36
- output << table_to_csv(res) << "\n" if res
37
-
38
- output << "Model Warnings\n"
39
- res = generate_model_warnings
40
- output << table_to_csv(res) << "\n" if res
41
-
42
- res = generate_template_warnings
43
- output << "Template Warnings\n"
44
- output << table_to_csv(res) << "\n" if res
45
-
46
- output
27
+ table.to_csv
47
28
  end
48
29
 
49
- #Generate header for CSV output
50
- def csv_header
51
- header = CSV.generate_line(["Application Path", "Report Generation Time", "Checks Performed", "Rails Version"])
52
- header << CSV.generate_line([File.expand_path(tracker.app_path), Time.now.to_s, checks.checks_run.sort.join(", "), rails_version])
53
- "BRAKEMAN REPORT\n\n" + header
30
+ def generate_row headers, warning
31
+ CSV::Row.new headers, warning_row(warning)
54
32
  end
55
33
 
56
- # rely on Terminal::Table to build the structure, extract the data out in CSV format
57
- def table_to_csv table
58
- return "" unless table
59
-
60
- Brakeman.load_brakeman_dependency 'terminal-table'
61
- headings = table.headings
62
- if headings.is_a? Array
63
- headings = headings.first
64
- end
65
-
66
- output = CSV.generate_line(headings.cells.map{|cell| cell.to_s.strip})
67
- table.rows.each do |row|
68
- output << CSV.generate_line(row.cells.map{|cell| cell.to_s.strip})
69
- end
70
- output
34
+ def warning_row warning
35
+ [
36
+ warning.confidence_name,
37
+ warning.warning_type,
38
+ warning_file(warning),
39
+ warning.line,
40
+ warning.message,
41
+ warning.code && warning.format_code(false),
42
+ warning.user_input && warning.format_user_input(false),
43
+ warning.check_name,
44
+ warning.warning_code,
45
+ warning.fingerprint,
46
+ warning.link,
47
+ ]
71
48
  end
72
49
  end