brakeman-lib 4.10.0 → 5.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGES.md +46 -0
- data/README.md +11 -2
- data/lib/brakeman.rb +21 -4
- data/lib/brakeman/app_tree.rb +36 -3
- data/lib/brakeman/checks/base_check.rb +7 -1
- data/lib/brakeman/checks/check_detailed_exceptions.rb +1 -1
- data/lib/brakeman/checks/check_evaluation.rb +1 -1
- data/lib/brakeman/checks/check_execute.rb +2 -1
- data/lib/brakeman/checks/check_mass_assignment.rb +4 -6
- data/lib/brakeman/checks/check_regex_dos.rb +1 -1
- data/lib/brakeman/checks/check_sanitize_methods.rb +2 -1
- data/lib/brakeman/checks/check_sql.rb +16 -3
- data/lib/brakeman/checks/check_unsafe_reflection_methods.rb +68 -0
- data/lib/brakeman/checks/check_verb_confusion.rb +75 -0
- data/lib/brakeman/file_parser.rb +50 -22
- data/lib/brakeman/options.rb +5 -1
- data/lib/brakeman/parsers/template_parser.rb +26 -3
- data/lib/brakeman/processors/alias_processor.rb +91 -19
- data/lib/brakeman/processors/base_processor.rb +4 -4
- data/lib/brakeman/processors/controller_alias_processor.rb +6 -43
- data/lib/brakeman/processors/controller_processor.rb +1 -1
- data/lib/brakeman/processors/haml_template_processor.rb +8 -1
- data/lib/brakeman/processors/lib/call_conversion_helper.rb +10 -0
- data/lib/brakeman/processors/lib/file_type_detector.rb +64 -0
- data/lib/brakeman/processors/lib/rails3_config_processor.rb +16 -16
- data/lib/brakeman/processors/lib/rails4_config_processor.rb +2 -1
- data/lib/brakeman/processors/library_processor.rb +9 -0
- data/lib/brakeman/processors/output_processor.rb +1 -1
- data/lib/brakeman/processors/template_alias_processor.rb +5 -0
- data/lib/brakeman/report.rb +12 -1
- data/lib/brakeman/report/ignore/interactive.rb +1 -1
- data/lib/brakeman/report/report_base.rb +0 -2
- data/lib/brakeman/report/report_csv.rb +37 -60
- data/lib/brakeman/report/report_github.rb +31 -0
- data/lib/brakeman/report/report_junit.rb +2 -2
- data/lib/brakeman/report/report_sarif.rb +1 -1
- data/lib/brakeman/report/report_sonar.rb +38 -0
- data/lib/brakeman/report/report_tabs.rb +1 -1
- data/lib/brakeman/report/report_text.rb +1 -1
- data/lib/brakeman/rescanner.rb +7 -5
- data/lib/brakeman/scanner.rb +47 -18
- data/lib/brakeman/tracker.rb +39 -4
- data/lib/brakeman/tracker/collection.rb +27 -5
- data/lib/brakeman/tracker/config.rb +73 -0
- data/lib/brakeman/tracker/controller.rb +1 -1
- data/lib/brakeman/tracker/method_info.rb +29 -0
- data/lib/brakeman/util.rb +17 -4
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning.rb +10 -2
- data/lib/brakeman/warning_codes.rb +2 -0
- data/lib/ruby_parser/bm_sexp.rb +9 -9
- metadata +39 -5
@@ -51,7 +51,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
|
|
51
51
|
#Need to process the method like it was in a controller in order
|
52
52
|
#to get the renders set
|
53
53
|
processor = Brakeman::ControllerProcessor.new(@tracker, mixin.file)
|
54
|
-
method = mixin.get_method(name)
|
54
|
+
method = mixin.get_method(name).src.deep_clone
|
55
55
|
|
56
56
|
if node_type? method, :defn
|
57
57
|
method = processor.process_defn method
|
@@ -143,16 +143,16 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
|
|
143
143
|
#Basically, adds any instance variable assignments to the environment.
|
144
144
|
#TODO: method arguments?
|
145
145
|
def process_before_filter name
|
146
|
-
filter = find_method name, @current_class
|
146
|
+
filter = tracker.find_method name, @current_class
|
147
147
|
|
148
148
|
if filter.nil?
|
149
149
|
Brakeman.debug "[Notice] Could not find filter #{name}"
|
150
150
|
return
|
151
151
|
end
|
152
152
|
|
153
|
-
method = filter
|
153
|
+
method = filter.src
|
154
154
|
|
155
|
-
if ivars = @tracker.filter_cache[[filter
|
155
|
+
if ivars = @tracker.filter_cache[[filter.owner, name]]
|
156
156
|
ivars.each do |variable, value|
|
157
157
|
env[variable] = value
|
158
158
|
end
|
@@ -162,7 +162,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
|
|
162
162
|
|
163
163
|
ivars = processor.only_ivars(:include_request_vars).all
|
164
164
|
|
165
|
-
@tracker.filter_cache[[filter
|
165
|
+
@tracker.filter_cache[[filter.owner, name]] = ivars
|
166
166
|
|
167
167
|
ivars.each do |variable, value|
|
168
168
|
env[variable] = value
|
@@ -182,7 +182,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
|
|
182
182
|
# method as the line number
|
183
183
|
if line.nil? and controller = @tracker.controllers[@current_class]
|
184
184
|
if meth = controller.get_method(@current_method)
|
185
|
-
if line = meth
|
185
|
+
if line = meth.src && meth.src.last && meth.src.last.line
|
186
186
|
line += 1
|
187
187
|
else
|
188
188
|
line = 1
|
@@ -241,41 +241,4 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
|
|
241
241
|
[]
|
242
242
|
end
|
243
243
|
end
|
244
|
-
|
245
|
-
#Finds a method in the given class or a parent class
|
246
|
-
#
|
247
|
-
#Returns nil if the method could not be found.
|
248
|
-
#
|
249
|
-
#If found, returns hash table with controller name and method sexp.
|
250
|
-
def find_method method_name, klass
|
251
|
-
return nil if sexp? method_name
|
252
|
-
method_name = method_name.to_sym
|
253
|
-
|
254
|
-
if method = @method_cache[method_name]
|
255
|
-
return method
|
256
|
-
end
|
257
|
-
|
258
|
-
controller = @tracker.controllers[klass]
|
259
|
-
controller ||= @tracker.libs[klass]
|
260
|
-
|
261
|
-
if klass and controller
|
262
|
-
method = controller.get_method method_name
|
263
|
-
|
264
|
-
if method.nil?
|
265
|
-
controller.includes.each do |included|
|
266
|
-
method = find_method method_name, included
|
267
|
-
if method
|
268
|
-
@method_cache[method_name] = method
|
269
|
-
return method
|
270
|
-
end
|
271
|
-
end
|
272
|
-
|
273
|
-
@method_cache[method_name] = find_method method_name, controller.parent
|
274
|
-
else
|
275
|
-
@method_cache[method_name] = { :controller => controller.name, :method => method[:src] }
|
276
|
-
end
|
277
|
-
else
|
278
|
-
nil
|
279
|
-
end
|
280
|
-
end
|
281
244
|
end
|
@@ -76,6 +76,13 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
|
|
76
76
|
end
|
77
77
|
end
|
78
78
|
|
79
|
+
ESCAPE_METHODS = [
|
80
|
+
:html_escape,
|
81
|
+
:html_escape_without_haml_xss,
|
82
|
+
:escape_once,
|
83
|
+
:escape_once_without_haml_xss
|
84
|
+
]
|
85
|
+
|
79
86
|
def get_pushed_value exp, default = :output
|
80
87
|
return exp unless sexp? exp
|
81
88
|
|
@@ -105,7 +112,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
|
|
105
112
|
when :call
|
106
113
|
if exp.method == :to_s or exp.method == :strip
|
107
114
|
get_pushed_value(exp.target, default)
|
108
|
-
elsif haml_helpers? exp.target and exp.method
|
115
|
+
elsif haml_helpers? exp.target and ESCAPE_METHODS.include? exp.method
|
109
116
|
get_pushed_value(exp.first_arg, :escaped_output)
|
110
117
|
elsif @javascript and (exp.method == :j or exp.method == :escape_javascript) # TODO: Remove - this is not safe
|
111
118
|
get_pushed_value(exp.first_arg, :escaped_output)
|
@@ -76,6 +76,8 @@ module Brakeman
|
|
76
76
|
|
77
77
|
#Have to do this because first element is :array and we have to skip it
|
78
78
|
array[1..-1][index] or original_exp
|
79
|
+
elsif all_literals? array
|
80
|
+
safe_literal(array.line)
|
79
81
|
else
|
80
82
|
original_exp
|
81
83
|
end
|
@@ -92,5 +94,13 @@ module Brakeman
|
|
92
94
|
original_exp
|
93
95
|
end
|
94
96
|
end
|
97
|
+
|
98
|
+
def hash_values_at hash, keys
|
99
|
+
values = keys.map do |key|
|
100
|
+
process_hash_access hash, key
|
101
|
+
end
|
102
|
+
|
103
|
+
Sexp.new(:array).concat(values).line(hash.line)
|
104
|
+
end
|
95
105
|
end
|
96
106
|
end
|
@@ -0,0 +1,64 @@
|
|
1
|
+
module Brakeman
|
2
|
+
class FileTypeDetector < BaseProcessor
|
3
|
+
def initialize
|
4
|
+
super(nil)
|
5
|
+
reset
|
6
|
+
end
|
7
|
+
|
8
|
+
def detect_type(file)
|
9
|
+
reset
|
10
|
+
process(file.ast)
|
11
|
+
|
12
|
+
if @file_type.nil?
|
13
|
+
@file_type = guess_from_path(file.path.relative)
|
14
|
+
end
|
15
|
+
|
16
|
+
@file_type || :libs
|
17
|
+
end
|
18
|
+
|
19
|
+
MODEL_CLASSES = [
|
20
|
+
:'ActiveRecord::Base',
|
21
|
+
:ApplicationRecord
|
22
|
+
]
|
23
|
+
|
24
|
+
def process_class exp
|
25
|
+
name = class_name(exp.class_name)
|
26
|
+
parent = class_name(exp.parent_name)
|
27
|
+
|
28
|
+
if name.match(/Controller$/)
|
29
|
+
@file_type = :controllers
|
30
|
+
return exp
|
31
|
+
elsif MODEL_CLASSES.include? parent
|
32
|
+
@file_type = :models
|
33
|
+
return exp
|
34
|
+
end
|
35
|
+
|
36
|
+
super
|
37
|
+
end
|
38
|
+
|
39
|
+
def guess_from_path path
|
40
|
+
case
|
41
|
+
when path.include?('app/models')
|
42
|
+
:models
|
43
|
+
when path.include?('app/controllers')
|
44
|
+
:controllers
|
45
|
+
when path.include?('config/initializers')
|
46
|
+
:initializers
|
47
|
+
when path.include?('lib/')
|
48
|
+
:libs
|
49
|
+
when path.match?(%r{config/environments/(?!production\.rb)$})
|
50
|
+
:skip
|
51
|
+
when path.match?(%r{environments/production\.rb$})
|
52
|
+
:skip
|
53
|
+
when path.match?(%r{application\.rb$})
|
54
|
+
:skip
|
55
|
+
end
|
56
|
+
end
|
57
|
+
|
58
|
+
private
|
59
|
+
|
60
|
+
def reset
|
61
|
+
@file_type = nil
|
62
|
+
end
|
63
|
+
end
|
64
|
+
end
|
@@ -57,6 +57,20 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
|
|
57
57
|
exp
|
58
58
|
end
|
59
59
|
|
60
|
+
#Look for configuration settings that
|
61
|
+
#are just a call like
|
62
|
+
#
|
63
|
+
# config.load_defaults 5.2
|
64
|
+
def process_call exp
|
65
|
+
return exp unless @inside_config
|
66
|
+
|
67
|
+
if exp.target == RAILS_CONFIG and exp.first_arg
|
68
|
+
@tracker.config.rails[exp.method] = exp.first_arg
|
69
|
+
end
|
70
|
+
|
71
|
+
exp
|
72
|
+
end
|
73
|
+
|
60
74
|
#Look for configuration settings
|
61
75
|
def process_attrasgn exp
|
62
76
|
return exp unless @inside_config
|
@@ -71,22 +85,8 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
|
|
71
85
|
@tracker.config.rails[attribute] = exp.first_arg
|
72
86
|
end
|
73
87
|
elsif include_rails_config? exp
|
74
|
-
|
75
|
-
|
76
|
-
options[0..-2].each do |o|
|
77
|
-
level[o] ||= {}
|
78
|
-
|
79
|
-
option = level[o]
|
80
|
-
|
81
|
-
if not option.is_a? Hash
|
82
|
-
Brakeman.debug "[Notice] Skipping config setting: #{options.map(&:to_s).join(".")}"
|
83
|
-
return exp
|
84
|
-
end
|
85
|
-
|
86
|
-
level = level[o]
|
87
|
-
end
|
88
|
-
|
89
|
-
level[options.last] = exp.first_arg
|
88
|
+
options_path = get_rails_config exp
|
89
|
+
@tracker.config.set_rails_config(exp.first_arg, *options_path)
|
90
90
|
end
|
91
91
|
|
92
92
|
exp
|
@@ -2,10 +2,11 @@ require 'brakeman/processors/lib/rails3_config_processor'
|
|
2
2
|
|
3
3
|
class Brakeman::Rails4ConfigProcessor < Brakeman::Rails3ConfigProcessor
|
4
4
|
APPLICATION_CONFIG = s(:call, s(:call, s(:const, :Rails), :application), :configure)
|
5
|
+
ALT_APPLICATION_CONFIG = s(:call, s(:call, s(:colon3, :Rails), :application), :configure)
|
5
6
|
|
6
7
|
# Look for Rails.application.configure do ... end
|
7
8
|
def process_iter exp
|
8
|
-
if exp.block_call == APPLICATION_CONFIG
|
9
|
+
if exp.block_call == APPLICATION_CONFIG or exp.block_call == ALT_APPLICATION_CONFIG
|
9
10
|
@inside_config = true
|
10
11
|
process exp.block if sexp? exp.block
|
11
12
|
@inside_config = false
|
@@ -54,6 +54,15 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
|
|
54
54
|
|
55
55
|
def process_call exp
|
56
56
|
if process_call_defn? exp
|
57
|
+
exp
|
58
|
+
elsif @current_method.nil? and exp.target.nil? and (@current_class or @current_module)
|
59
|
+
# Methods called inside class / module
|
60
|
+
case exp.method
|
61
|
+
when :include
|
62
|
+
module_name = class_name(exp.first_arg)
|
63
|
+
(@current_class || @current_module).add_include module_name
|
64
|
+
end
|
65
|
+
|
57
66
|
exp
|
58
67
|
else
|
59
68
|
process_default exp
|
@@ -20,6 +20,11 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
|
|
20
20
|
|
21
21
|
#Process template
|
22
22
|
def process_template name, args, _, line = nil
|
23
|
+
# Strip forward slash from beginning of template path.
|
24
|
+
# This also happens in RenderHelper#process_template but
|
25
|
+
# we need it here too to accurately avoid circular renders below.
|
26
|
+
name = name.to_s.gsub(/^\//, "")
|
27
|
+
|
23
28
|
if @called_from
|
24
29
|
if @called_from.include_template? name
|
25
30
|
Brakeman.debug "Skipping circular render from #{@template.name} to #{name}"
|
data/lib/brakeman/report.rb
CHANGED
@@ -6,7 +6,7 @@ require 'brakeman/report/report_base'
|
|
6
6
|
class Brakeman::Report
|
7
7
|
attr_reader :tracker
|
8
8
|
|
9
|
-
VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain, :to_text, :to_junit]
|
9
|
+
VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain, :to_text, :to_junit, :to_github]
|
10
10
|
|
11
11
|
def initialize tracker
|
12
12
|
@app_tree = tracker.app_tree
|
@@ -45,6 +45,12 @@ class Brakeman::Report
|
|
45
45
|
Brakeman::Report::JUnit
|
46
46
|
when :to_sarif
|
47
47
|
return self.to_sarif
|
48
|
+
when :to_sonar
|
49
|
+
require_report 'sonar'
|
50
|
+
Brakeman::Report::Sonar
|
51
|
+
when :to_github
|
52
|
+
require_report 'github'
|
53
|
+
Brakeman::Report::Github
|
48
54
|
else
|
49
55
|
raise "Invalid format: #{format}. Should be one of #{VALID_FORMATS.inspect}"
|
50
56
|
end
|
@@ -69,6 +75,11 @@ class Brakeman::Report
|
|
69
75
|
generate Brakeman::Report::JSON
|
70
76
|
end
|
71
77
|
|
78
|
+
def to_sonar
|
79
|
+
require_report 'sonar'
|
80
|
+
generate Brakeman::Report::Sonar
|
81
|
+
end
|
82
|
+
|
72
83
|
def to_table
|
73
84
|
require_report 'table'
|
74
85
|
generate Brakeman::Report::Table
|
@@ -1,72 +1,49 @@
|
|
1
1
|
require 'csv'
|
2
|
-
require "brakeman/report/report_table"
|
3
2
|
|
4
|
-
class Brakeman::Report::CSV < Brakeman::Report::
|
3
|
+
class Brakeman::Report::CSV < Brakeman::Report::Base
|
5
4
|
def generate_report
|
6
|
-
|
7
|
-
|
8
|
-
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
output << "TEMPLATES\n\n"
|
25
|
-
output << table_to_csv(generate_templates) << "\n"
|
5
|
+
headers = [
|
6
|
+
"Confidence",
|
7
|
+
"Warning Type",
|
8
|
+
"File",
|
9
|
+
"Line",
|
10
|
+
"Message",
|
11
|
+
"Code",
|
12
|
+
"User Input",
|
13
|
+
"Check Name",
|
14
|
+
"Warning Code",
|
15
|
+
"Fingerprint",
|
16
|
+
"Link"
|
17
|
+
]
|
18
|
+
|
19
|
+
rows = tracker.filtered_warnings.sort_by do |w|
|
20
|
+
[w.confidence, w.warning_type, w.file, w.line, w.fingerprint]
|
21
|
+
end.map do |warning|
|
22
|
+
generate_row(headers, warning)
|
26
23
|
end
|
27
24
|
|
28
|
-
|
29
|
-
output << "ERRORS\n" << table_to_csv(res) << "\n" if res
|
30
|
-
|
31
|
-
res = generate_warnings
|
32
|
-
output << "SECURITY WARNINGS\n" << table_to_csv(res) << "\n" if res
|
25
|
+
table = CSV::Table.new(rows)
|
33
26
|
|
34
|
-
|
35
|
-
res = generate_controller_warnings
|
36
|
-
output << table_to_csv(res) << "\n" if res
|
37
|
-
|
38
|
-
output << "Model Warnings\n"
|
39
|
-
res = generate_model_warnings
|
40
|
-
output << table_to_csv(res) << "\n" if res
|
41
|
-
|
42
|
-
res = generate_template_warnings
|
43
|
-
output << "Template Warnings\n"
|
44
|
-
output << table_to_csv(res) << "\n" if res
|
45
|
-
|
46
|
-
output
|
27
|
+
table.to_csv
|
47
28
|
end
|
48
29
|
|
49
|
-
|
50
|
-
|
51
|
-
header = CSV.generate_line(["Application Path", "Report Generation Time", "Checks Performed", "Rails Version"])
|
52
|
-
header << CSV.generate_line([File.expand_path(tracker.app_path), Time.now.to_s, checks.checks_run.sort.join(", "), rails_version])
|
53
|
-
"BRAKEMAN REPORT\n\n" + header
|
30
|
+
def generate_row headers, warning
|
31
|
+
CSV::Row.new headers, warning_row(warning)
|
54
32
|
end
|
55
33
|
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
60
|
-
|
61
|
-
|
62
|
-
|
63
|
-
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
output
|
34
|
+
def warning_row warning
|
35
|
+
[
|
36
|
+
warning.confidence_name,
|
37
|
+
warning.warning_type,
|
38
|
+
warning_file(warning),
|
39
|
+
warning.line,
|
40
|
+
warning.message,
|
41
|
+
warning.code && warning.format_code(false),
|
42
|
+
warning.user_input && warning.format_user_input(false),
|
43
|
+
warning.check_name,
|
44
|
+
warning.warning_code,
|
45
|
+
warning.fingerprint,
|
46
|
+
warning.link,
|
47
|
+
]
|
71
48
|
end
|
72
49
|
end
|