brakeman-lib 4.10.0 → 5.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGES.md +46 -0
- data/README.md +11 -2
- data/lib/brakeman.rb +21 -4
- data/lib/brakeman/app_tree.rb +36 -3
- data/lib/brakeman/checks/base_check.rb +7 -1
- data/lib/brakeman/checks/check_detailed_exceptions.rb +1 -1
- data/lib/brakeman/checks/check_evaluation.rb +1 -1
- data/lib/brakeman/checks/check_execute.rb +2 -1
- data/lib/brakeman/checks/check_mass_assignment.rb +4 -6
- data/lib/brakeman/checks/check_regex_dos.rb +1 -1
- data/lib/brakeman/checks/check_sanitize_methods.rb +2 -1
- data/lib/brakeman/checks/check_sql.rb +16 -3
- data/lib/brakeman/checks/check_unsafe_reflection_methods.rb +68 -0
- data/lib/brakeman/checks/check_verb_confusion.rb +75 -0
- data/lib/brakeman/file_parser.rb +50 -22
- data/lib/brakeman/options.rb +5 -1
- data/lib/brakeman/parsers/template_parser.rb +26 -3
- data/lib/brakeman/processors/alias_processor.rb +91 -19
- data/lib/brakeman/processors/base_processor.rb +4 -4
- data/lib/brakeman/processors/controller_alias_processor.rb +6 -43
- data/lib/brakeman/processors/controller_processor.rb +1 -1
- data/lib/brakeman/processors/haml_template_processor.rb +8 -1
- data/lib/brakeman/processors/lib/call_conversion_helper.rb +10 -0
- data/lib/brakeman/processors/lib/file_type_detector.rb +64 -0
- data/lib/brakeman/processors/lib/rails3_config_processor.rb +16 -16
- data/lib/brakeman/processors/lib/rails4_config_processor.rb +2 -1
- data/lib/brakeman/processors/library_processor.rb +9 -0
- data/lib/brakeman/processors/output_processor.rb +1 -1
- data/lib/brakeman/processors/template_alias_processor.rb +5 -0
- data/lib/brakeman/report.rb +12 -1
- data/lib/brakeman/report/ignore/interactive.rb +1 -1
- data/lib/brakeman/report/report_base.rb +0 -2
- data/lib/brakeman/report/report_csv.rb +37 -60
- data/lib/brakeman/report/report_github.rb +31 -0
- data/lib/brakeman/report/report_junit.rb +2 -2
- data/lib/brakeman/report/report_sarif.rb +1 -1
- data/lib/brakeman/report/report_sonar.rb +38 -0
- data/lib/brakeman/report/report_tabs.rb +1 -1
- data/lib/brakeman/report/report_text.rb +1 -1
- data/lib/brakeman/rescanner.rb +7 -5
- data/lib/brakeman/scanner.rb +47 -18
- data/lib/brakeman/tracker.rb +39 -4
- data/lib/brakeman/tracker/collection.rb +27 -5
- data/lib/brakeman/tracker/config.rb +73 -0
- data/lib/brakeman/tracker/controller.rb +1 -1
- data/lib/brakeman/tracker/method_info.rb +29 -0
- data/lib/brakeman/util.rb +17 -4
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning.rb +10 -2
- data/lib/brakeman/warning_codes.rb +2 -0
- data/lib/ruby_parser/bm_sexp.rb +9 -9
- metadata +39 -5
@@ -0,0 +1,29 @@
|
|
1
|
+
require 'brakeman/util'
|
2
|
+
|
3
|
+
module Brakeman
|
4
|
+
class MethodInfo
|
5
|
+
include Brakeman::Util
|
6
|
+
|
7
|
+
attr_reader :name, :src, :owner, :file, :type
|
8
|
+
|
9
|
+
def initialize name, src, owner, file
|
10
|
+
@name = name
|
11
|
+
@src = src
|
12
|
+
@owner = owner
|
13
|
+
@file = file
|
14
|
+
@type = case src.node_type
|
15
|
+
when :defn
|
16
|
+
:instance
|
17
|
+
when :defs
|
18
|
+
:class
|
19
|
+
else
|
20
|
+
raise "Expected sexp type: #{src.node_type}"
|
21
|
+
end
|
22
|
+
end
|
23
|
+
|
24
|
+
# To support legacy code that expected a Hash
|
25
|
+
def [] attr
|
26
|
+
self.send(attr)
|
27
|
+
end
|
28
|
+
end
|
29
|
+
end
|
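--- a/data/lib/brakeman/util.rb
+++ b/data/lib/brakeman/util.rb
@@ -142,6 +142,14 @@ module Brakeman::Util
 nil
 end
 
+def hash_values hash
+values = hash.each_sexp.each_slice(2).map do |_, value|
+value
+end
+
+Sexp.new(:array).concat(values).line(hash.line)
+end
+
 #These are never modified
 PARAMS_SEXP = Sexp.new(:params)
 SESSION_SEXP = Sexp.new(:session)
@@ -321,7 +329,7 @@ module Brakeman::Util
 if node_type? current, :class
 return true
 elsif sexp? current
-todo = current
+todo = current.sexp_body.concat todo
 end
 end
 
@@ -334,7 +342,7 @@ module Brakeman::Util
 if args.empty? or args.first.empty?
 #nothing to do
 elsif node_type? args.first, :arglist
-call.concat args.first
+call.concat args.first.sexp_body
 elsif args.first.node_type.is_a? Sexp #just a list of args
 call.concat args.first
 else
@@ -368,8 +376,13 @@ module Brakeman::Util
 #
 # views/test/something.html.erb -> test/something
 def template_path_to_name path
-names = path.relative.split(
+names = path.relative.split('/')
 names.last.gsub!(/(\.(html|js)\..*|\.(rhtml|haml|erb|slim))$/, '')
-
+
+if names.include? 'views'
+names[(names.index('views') + 1)..-1]
+else
+names
+end.join('/').to_sym
 end
 end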
data/lib/brakeman/version.rb
CHANGED
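--- a/data/lib/brakeman/warning.rb
+++ b/data/lib/brakeman/warning.rb
@@ -275,6 +275,14 @@ class Brakeman::Warning
 self.file.relative
 end
 
+def check_name
+@check_name ||= self.check.sub(/^Brakeman::Check/, '')
+end
+
+def confidence_name
+TEXT_CONFIDENCE[self.confidence]
+end
+
 def to_hash absolute_paths: true
 if self.called_from and not absolute_paths
 render_path = self.called_from.with_relative_paths
@@ -285,7 +293,7 @@ class Brakeman::Warning
 { :warning_type => self.warning_type,
 :warning_code => @warning_code,
 :fingerprint => self.fingerprint,
-:check_name => self.
+:check_name => self.check_name,
 :message => self.message.to_s,
 :file => (absolute_paths ? self.file.absolute : self.file.relative),
 :line => self.line,
@@ -294,7 +302,7 @@ class Brakeman::Warning
 :render_path => render_path,
 :location => self.location(false),
 :user_input => (@user_input && self.format_user_input(false)),
-:confidence =>
+:confidence => self.confidence_name
 }
 end
 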
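Review bot: `check_name` (first hunk) anchors the prefix strip with `^`, which in Ruby matches at the start of any line rather than the start of the string; for a class name such as `Brakeman::CheckSQL` this is harmless, but `\A` states the intent and follows the full-string matching convention, `@check_name ||= self.check.sub(/\ABrakeman::Check/, '')`. `confidence_name` returns whatever `TEXT_CONFIDENCE[self.confidence]` yields, so a confidence value with no entry surfaces as nil under `:confidence` in `to_hash`; a short comment such as `# Confidence label from TEXT_CONFIDENCE (nil if the value is unmapped)` would record that. Neither new method has documentation, and `to_hash` itself starts inside the first hunk but its body continues outside the later ones.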
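--- a/data/lib/ruby_parser/bm_sexp.rb
+++ b/data/lib/ruby_parser/bm_sexp.rb
@@ -175,7 +175,7 @@ class Sexp
 start_index = 3
 
 if exp.is_a? Sexp and exp.node_type == :arglist
-exp = exp
+exp = exp.sexp_body
 end
 
 exp.each_with_index do |e, i|
@@ -198,10 +198,10 @@ class Sexp
 
 case self.node_type
 when :call, :attrasgn, :safe_call, :safe_attrasgn
-self
+self.sexp_body(3).unshift :arglist
 when :super, :zsuper
 if self[1]
-self
+self.sexp_body.unshift :arglist
 else
 Sexp.new(:arglist)
 end
@@ -218,13 +218,13 @@ class Sexp
 case self.node_type
 when :call, :attrasgn, :safe_call, :safe_attrasgn
 if self[3]
-self
+self.sexp_body(3)
 else
 Sexp.new
 end
 when :super, :zsuper
 if self[1]
-self
+self.sexp_body
 else
 Sexp.new
 end
@@ -512,7 +512,7 @@ class Sexp
 self.slice!(index..-1) #Remove old body
 
 if exp.first == :rlist
-exp = exp
+exp = exp.sexp_body
 end
 
 #Insert new body
@@ -529,11 +529,11 @@ class Sexp
 
 case self.node_type
 when :defn, :class
-self
+self.sexp_body(3)
 when :defs
-self
+self.sexp_body(4)
 when :module
-self
+self.sexp_body(2)
 end
 end
 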
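Review bot: In the `@@ -198` hunk, `self.sexp_body(3).unshift :arglist` returns a freshly built `:arglist` node, and whether that node keeps the receiver's line and file depends on what `Sexp#sexp_body` copies across — Brakeman reports warning locations from these nodes, so please confirm this, and either record the expectation in a one-line comment or pin it explicitly with `.line(self.line)` as `hash_values` in util.rb does. The same question applies to the `sexp_body` results returned in the `@@ -218` and `@@ -529` hunks. Note also that `unshift` mutates the object `sexp_body` returns, which is only safe if that is a new Sexp rather than a view on `self`. The enclosing methods of all five hunks begin outside the shown context.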
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: brakeman-lib
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version:
|
4
|
+
version: 5.0.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Justin Collins
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2021-06-07 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: minitest
|
@@ -66,6 +66,20 @@ dependencies:
|
|
66
66
|
- - '='
|
67
67
|
- !ruby/object:Gem::Version
|
68
68
|
version: 0.10.2
|
69
|
+
- !ruby/object:Gem::Dependency
|
70
|
+
name: parallel
|
71
|
+
requirement: !ruby/object:Gem::Requirement
|
72
|
+
requirements:
|
73
|
+
- - "~>"
|
74
|
+
- !ruby/object:Gem::Version
|
75
|
+
version: '1.20'
|
76
|
+
type: :runtime
|
77
|
+
prerelease: false
|
78
|
+
version_requirements: !ruby/object:Gem::Requirement
|
79
|
+
requirements:
|
80
|
+
- - "~>"
|
81
|
+
- !ruby/object:Gem::Version
|
82
|
+
version: '1.20'
|
69
83
|
- !ruby/object:Gem::Dependency
|
70
84
|
name: ruby_parser
|
71
85
|
requirement: !ruby/object:Gem::Requirement
|
@@ -184,14 +198,14 @@ dependencies:
|
|
184
198
|
requirements:
|
185
199
|
- - "~>"
|
186
200
|
- !ruby/object:Gem::Version
|
187
|
-
version: 5.1
|
201
|
+
version: '5.1'
|
188
202
|
type: :runtime
|
189
203
|
prerelease: false
|
190
204
|
version_requirements: !ruby/object:Gem::Requirement
|
191
205
|
requirements:
|
192
206
|
- - "~>"
|
193
207
|
- !ruby/object:Gem::Version
|
194
|
-
version: 5.1
|
208
|
+
version: '5.1'
|
195
209
|
- !ruby/object:Gem::Dependency
|
196
210
|
name: slim
|
197
211
|
requirement: !ruby/object:Gem::Requirement
|
@@ -212,6 +226,20 @@ dependencies:
|
|
212
226
|
- - "<="
|
213
227
|
- !ruby/object:Gem::Version
|
214
228
|
version: '4.1'
|
229
|
+
- !ruby/object:Gem::Dependency
|
230
|
+
name: rexml
|
231
|
+
requirement: !ruby/object:Gem::Requirement
|
232
|
+
requirements:
|
233
|
+
- - "~>"
|
234
|
+
- !ruby/object:Gem::Version
|
235
|
+
version: '3.0'
|
236
|
+
type: :runtime
|
237
|
+
prerelease: false
|
238
|
+
version_requirements: !ruby/object:Gem::Requirement
|
239
|
+
requirements:
|
240
|
+
- - "~>"
|
241
|
+
- !ruby/object:Gem::Version
|
242
|
+
version: '3.0'
|
215
243
|
description: Brakeman detects security vulnerabilities in Ruby on Rails applications
|
216
244
|
via static analysis. This package declares gem dependencies instead of bundling
|
217
245
|
them.
|
@@ -301,8 +329,10 @@ files:
|
|
301
329
|
- lib/brakeman/checks/check_template_injection.rb
|
302
330
|
- lib/brakeman/checks/check_translate_bug.rb
|
303
331
|
- lib/brakeman/checks/check_unsafe_reflection.rb
|
332
|
+
- lib/brakeman/checks/check_unsafe_reflection_methods.rb
|
304
333
|
- lib/brakeman/checks/check_unscoped_find.rb
|
305
334
|
- lib/brakeman/checks/check_validation_regex.rb
|
335
|
+
- lib/brakeman/checks/check_verb_confusion.rb
|
306
336
|
- lib/brakeman/checks/check_weak_hash.rb
|
307
337
|
- lib/brakeman/checks/check_without_protection.rb
|
308
338
|
- lib/brakeman/checks/check_xml_dos.rb
|
@@ -333,6 +363,7 @@ files:
|
|
333
363
|
- lib/brakeman/processors/haml_template_processor.rb
|
334
364
|
- lib/brakeman/processors/lib/basic_processor.rb
|
335
365
|
- lib/brakeman/processors/lib/call_conversion_helper.rb
|
366
|
+
- lib/brakeman/processors/lib/file_type_detector.rb
|
336
367
|
- lib/brakeman/processors/lib/find_all_calls.rb
|
337
368
|
- lib/brakeman/processors/lib/find_call.rb
|
338
369
|
- lib/brakeman/processors/lib/find_return_value.rb
|
@@ -363,12 +394,14 @@ files:
|
|
363
394
|
- lib/brakeman/report/report_base.rb
|
364
395
|
- lib/brakeman/report/report_codeclimate.rb
|
365
396
|
- lib/brakeman/report/report_csv.rb
|
397
|
+
- lib/brakeman/report/report_github.rb
|
366
398
|
- lib/brakeman/report/report_hash.rb
|
367
399
|
- lib/brakeman/report/report_html.rb
|
368
400
|
- lib/brakeman/report/report_json.rb
|
369
401
|
- lib/brakeman/report/report_junit.rb
|
370
402
|
- lib/brakeman/report/report_markdown.rb
|
371
403
|
- lib/brakeman/report/report_sarif.rb
|
404
|
+
- lib/brakeman/report/report_sonar.rb
|
372
405
|
- lib/brakeman/report/report_table.rb
|
373
406
|
- lib/brakeman/report/report_tabs.rb
|
374
407
|
- lib/brakeman/report/report_text.rb
|
@@ -391,6 +424,7 @@ files:
|
|
391
424
|
- lib/brakeman/tracker/constants.rb
|
392
425
|
- lib/brakeman/tracker/controller.rb
|
393
426
|
- lib/brakeman/tracker/library.rb
|
427
|
+
- lib/brakeman/tracker/method_info.rb
|
394
428
|
- lib/brakeman/tracker/model.rb
|
395
429
|
- lib/brakeman/tracker/template.rb
|
396
430
|
- lib/brakeman/util.rb
|
@@ -418,7 +452,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
418
452
|
requirements:
|
419
453
|
- - ">="
|
420
454
|
- !ruby/object:Gem::Version
|
421
|
-
version:
|
455
|
+
version: 2.4.0
|
422
456
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
423
457
|
requirements:
|
424
458
|
- - ">="
|