brakeman-lib 4.10.0 → 5.0.2
- checksums.yaml +4 -4
- data/CHANGES.md +46 -0
- data/README.md +11 -2
- data/lib/brakeman.rb +21 -4
- data/lib/brakeman/app_tree.rb +36 -3
- data/lib/brakeman/checks/base_check.rb +7 -1
- data/lib/brakeman/checks/check_detailed_exceptions.rb +1 -1
- data/lib/brakeman/checks/check_evaluation.rb +1 -1
- data/lib/brakeman/checks/check_execute.rb +2 -1
- data/lib/brakeman/checks/check_mass_assignment.rb +4 -6
- data/lib/brakeman/checks/check_regex_dos.rb +1 -1
- data/lib/brakeman/checks/check_sanitize_methods.rb +2 -1
- data/lib/brakeman/checks/check_sql.rb +16 -3
- data/lib/brakeman/checks/check_unsafe_reflection_methods.rb +68 -0
- data/lib/brakeman/checks/check_verb_confusion.rb +75 -0
- data/lib/brakeman/file_parser.rb +50 -22
- data/lib/brakeman/options.rb +5 -1
- data/lib/brakeman/parsers/template_parser.rb +26 -3
- data/lib/brakeman/processors/alias_processor.rb +91 -19
- data/lib/brakeman/processors/base_processor.rb +4 -4
- data/lib/brakeman/processors/controller_alias_processor.rb +6 -43
- data/lib/brakeman/processors/controller_processor.rb +1 -1
- data/lib/brakeman/processors/haml_template_processor.rb +8 -1
- data/lib/brakeman/processors/lib/call_conversion_helper.rb +10 -0
- data/lib/brakeman/processors/lib/file_type_detector.rb +64 -0
- data/lib/brakeman/processors/lib/rails3_config_processor.rb +16 -16
- data/lib/brakeman/processors/lib/rails4_config_processor.rb +2 -1
- data/lib/brakeman/processors/library_processor.rb +9 -0
- data/lib/brakeman/processors/output_processor.rb +1 -1
- data/lib/brakeman/processors/template_alias_processor.rb +5 -0
- data/lib/brakeman/report.rb +12 -1
- data/lib/brakeman/report/ignore/interactive.rb +1 -1
- data/lib/brakeman/report/report_base.rb +0 -2
- data/lib/brakeman/report/report_csv.rb +37 -60
- data/lib/brakeman/report/report_github.rb +31 -0
- data/lib/brakeman/report/report_junit.rb +2 -2
- data/lib/brakeman/report/report_sarif.rb +1 -1
- data/lib/brakeman/report/report_sonar.rb +38 -0
- data/lib/brakeman/report/report_tabs.rb +1 -1
- data/lib/brakeman/report/report_text.rb +1 -1
- data/lib/brakeman/rescanner.rb +7 -5
- data/lib/brakeman/scanner.rb +47 -18
- data/lib/brakeman/tracker.rb +39 -4
- data/lib/brakeman/tracker/collection.rb +27 -5
- data/lib/brakeman/tracker/config.rb +73 -0
- data/lib/brakeman/tracker/controller.rb +1 -1
- data/lib/brakeman/tracker/method_info.rb +29 -0
- data/lib/brakeman/util.rb +17 -4
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning.rb +10 -2
- data/lib/brakeman/warning_codes.rb +2 -0
- data/lib/ruby_parser/bm_sexp.rb +9 -9
- metadata +39 -5
@@ -0,0 +1,29 @@
|
|
1
|
+
require 'brakeman/util'
|
2
|
+
|
3
|
+
module Brakeman
|
4
|
+
class MethodInfo
|
5
|
+
include Brakeman::Util
|
6
|
+
|
7
|
+
attr_reader :name, :src, :owner, :file, :type
|
8
|
+
|
9
|
+
def initialize name, src, owner, file
|
10
|
+
@name = name
|
11
|
+
@src = src
|
12
|
+
@owner = owner
|
13
|
+
@file = file
|
14
|
+
@type = case src.node_type
|
15
|
+
when :defn
|
16
|
+
:instance
|
17
|
+
when :defs
|
18
|
+
:class
|
19
|
+
else
|
20
|
+
raise "Expected sexp type: #{src.node_type}"
|
21
|
+
end
|
22
|
+
end
|
23
|
+
|
24
|
+
# To support legacy code that expected a Hash
|
25
|
+
def [] attr
|
26
|
+
self.send(attr)
|
27
|
+
end
|
28
|
+
end
|
29
|
+
end
|
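--- a/data/lib/brakeman/util.rb
+++ b/data/lib/brakeman/util.rb
@@ -142,6 +142,14 @@ module Brakeman::Util
     nil
   end
 
+  def hash_values hash
+    values = hash.each_sexp.each_slice(2).map do |_, value|
+      value
+    end
+
+    Sexp.new(:array).concat(values).line(hash.line)
+  end
+
   #These are never modified
   PARAMS_SEXP = Sexp.new(:params)
   SESSION_SEXP = Sexp.new(:session)
@@ -321,7 +329,7 @@ module Brakeman::Util
       if node_type? current, :class
         return true
       elsif sexp? current
-        todo = current
+        todo = current.sexp_body.concat todo
       end
     end
 
@@ -334,7 +342,7 @@ module Brakeman::Util
     if args.empty? or args.first.empty?
       #nothing to do
     elsif node_type? args.first, :arglist
-      call.concat args.first
+      call.concat args.first.sexp_body
     elsif args.first.node_type.is_a? Sexp #just a list of args
       call.concat args.first
     else
@@ -368,8 +376,13 @@ module Brakeman::Util
   #
   # views/test/something.html.erb -> test/something
   def template_path_to_name path
-    names = path.relative.split(
+    names = path.relative.split('/')
     names.last.gsub!(/(\.(html|js)\..*|\.(rhtml|haml|erb|slim))$/, '')
-
+
+    if names.include? 'views'
+      names[(names.index('views') + 1)..-1]
+    else
+      names
+    end.join('/').to_sym
   end
 end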
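Review bot: `hash_values` in the first hunk pairs the children of the hash sexp with `each_slice(2)` and assumes they strictly alternate key, value; I believe ruby_parser emits a double-splat inside a hash literal (`{**opts}`) as a single `s(:kwsplat, …)` child, which would shift every following pair by one and return keys as values. Worth a guard, or at least a comment stating the assumption, e.g. `# Assumes the hash body alternates key, value sexps (no :kwsplat entries)`. The block itself can be shortened to `hash.each_sexp.each_slice(2).map(&:last)`. In the last hunk, `template_path_to_name` ends the `if`/`else` with `end.join('/').to_sym`, which reads more clearly with the selected slice assigned to a local before the join.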
data/lib/brakeman/version.rb
CHANGED
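--- a/data/lib/brakeman/warning.rb
+++ b/data/lib/brakeman/warning.rb
@@ -275,6 +275,14 @@ class Brakeman::Warning
     self.file.relative
   end
 
+  def check_name
+    @check_name ||= self.check.sub(/^Brakeman::Check/, '')
+  end
+
+  def confidence_name
+    TEXT_CONFIDENCE[self.confidence]
+  end
+
   def to_hash absolute_paths: true
     if self.called_from and not absolute_paths
       render_path = self.called_from.with_relative_paths
@@ -285,7 +293,7 @@ class Brakeman::Warning
     { :warning_type => self.warning_type,
       :warning_code => @warning_code,
       :fingerprint => self.fingerprint,
-      :check_name => self.
+      :check_name => self.check_name,
       :message => self.message.to_s,
       :file => (absolute_paths ? self.file.absolute : self.file.relative),
       :line => self.line,
@@ -294,7 +302,7 @@ class Brakeman::Warning
       :render_path => render_path,
       :location => self.location(false),
       :user_input => (@user_input && self.format_user_input(false)),
-      :confidence =>
+      :confidence => self.confidence_name
     }
   end
 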
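Review bot: `check_name` in the first hunk strips the class-name prefix with `/^Brakeman::Check/`; `^` is a line anchor, so `\A` states the intent precisely: `@check_name ||= self.check.sub(/\ABrakeman::Check/, '')`. The result is memoized from `self.check`, so if `check` can be reassigned after the first call the cached name goes stale — harmless if a warning is immutable once built, which this hunk does not show. `confidence_name` returns nil for a confidence value missing from `TEXT_CONFIDENCE`, and that nil then lands in `to_hash[:confidence]`; a one-line comment such as `# Text label for the numeric confidence level; nil if the level is unmapped` would document that.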
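--- a/data/lib/ruby_parser/bm_sexp.rb
+++ b/data/lib/ruby_parser/bm_sexp.rb
@@ -175,7 +175,7 @@ class Sexp
     start_index = 3
 
     if exp.is_a? Sexp and exp.node_type == :arglist
-      exp = exp
+      exp = exp.sexp_body
     end
 
     exp.each_with_index do |e, i|
@@ -198,10 +198,10 @@ class Sexp
 
     case self.node_type
     when :call, :attrasgn, :safe_call, :safe_attrasgn
-      self
+      self.sexp_body(3).unshift :arglist
     when :super, :zsuper
       if self[1]
-        self
+        self.sexp_body.unshift :arglist
       else
         Sexp.new(:arglist)
       end
@@ -218,13 +218,13 @@ class Sexp
     case self.node_type
     when :call, :attrasgn, :safe_call, :safe_attrasgn
       if self[3]
-        self
+        self.sexp_body(3)
       else
         Sexp.new
       end
     when :super, :zsuper
       if self[1]
-        self
+        self.sexp_body
       else
         Sexp.new
       end
@@ -512,7 +512,7 @@ class Sexp
     self.slice!(index..-1) #Remove old body
 
     if exp.first == :rlist
-      exp = exp
+      exp = exp.sexp_body
     end
 
     #Insert new body
@@ -529,11 +529,11 @@ class Sexp
 
     case self.node_type
     when :defn, :class
-      self
+      self.sexp_body(3)
     when :defs
-      self
+      self.sexp_body(4)
     when :module
-      self
+      self.sexp_body(2)
     end
   end
 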
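Review bot: The body offsets in the last hunk (`sexp_body(3)` for `:defn`/`:class`, `sexp_body(4)` for `:defs`, `sexp_body(2)` for `:module`) are magic numbers tied to ruby_parser's node layout, and a comment beside the `case` would spare the next maintainer from re-deriving them, e.g. `# :defn is (name, args, *body); :defs is (recv, name, args, *body); :class is (name, superclass, *body); :module is (name, *body)`. The enclosing method starts outside the hunk. The same kind of offset appears in the `@@ -198` and `@@ -218` hunks, where `sexp_body(3)` skips receiver and method name to reach the call arguments, and deserves the same comment. In the `@@ -218` hunk the `if self[3]` guard is redundant if `sexp_body` yields an empty Sexp when nothing follows the offset, as I believe sexp_processor's does; keeping the guard is harmless, but it hides that the two branches differ only in line information.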
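--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version:
+  version: 5.0.2
 platform: ruby
 authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2021-06-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -66,6 +66,20 @@ dependencies:
     - - '='
       - !ruby/object:Gem::Version
         version: 0.10.2
+- !ruby/object:Gem::Dependency
+  name: parallel
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.20'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.20'
 - !ruby/object:Gem::Dependency
   name: ruby_parser
   requirement: !ruby/object:Gem::Requirement
@@ -184,14 +198,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 5.1
+        version: '5.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 5.1
+        version: '5.1'
 - !ruby/object:Gem::Dependency
   name: slim
   requirement: !ruby/object:Gem::Requirement
@@ -212,6 +226,20 @@ dependencies:
     - - "<="
       - !ruby/object:Gem::Version
         version: '4.1'
+- !ruby/object:Gem::Dependency
+  name: rexml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
 description: Brakeman detects security vulnerabilities in Ruby on Rails applications
   via static analysis. This package declares gem dependencies instead of bundling
   them.
@@ -301,8 +329,10 @@ files:
 - lib/brakeman/checks/check_template_injection.rb
 - lib/brakeman/checks/check_translate_bug.rb
 - lib/brakeman/checks/check_unsafe_reflection.rb
+- lib/brakeman/checks/check_unsafe_reflection_methods.rb
 - lib/brakeman/checks/check_unscoped_find.rb
 - lib/brakeman/checks/check_validation_regex.rb
+- lib/brakeman/checks/check_verb_confusion.rb
 - lib/brakeman/checks/check_weak_hash.rb
 - lib/brakeman/checks/check_without_protection.rb
 - lib/brakeman/checks/check_xml_dos.rb
@@ -333,6 +363,7 @@ files:
 - lib/brakeman/processors/haml_template_processor.rb
 - lib/brakeman/processors/lib/basic_processor.rb
 - lib/brakeman/processors/lib/call_conversion_helper.rb
+- lib/brakeman/processors/lib/file_type_detector.rb
 - lib/brakeman/processors/lib/find_all_calls.rb
 - lib/brakeman/processors/lib/find_call.rb
 - lib/brakeman/processors/lib/find_return_value.rb
@@ -363,12 +394,14 @@ files:
 - lib/brakeman/report/report_base.rb
 - lib/brakeman/report/report_codeclimate.rb
 - lib/brakeman/report/report_csv.rb
+- lib/brakeman/report/report_github.rb
 - lib/brakeman/report/report_hash.rb
 - lib/brakeman/report/report_html.rb
 - lib/brakeman/report/report_json.rb
 - lib/brakeman/report/report_junit.rb
 - lib/brakeman/report/report_markdown.rb
 - lib/brakeman/report/report_sarif.rb
+- lib/brakeman/report/report_sonar.rb
 - lib/brakeman/report/report_table.rb
 - lib/brakeman/report/report_tabs.rb
 - lib/brakeman/report/report_text.rb
@@ -391,6 +424,7 @@ files:
 - lib/brakeman/tracker/constants.rb
 - lib/brakeman/tracker/controller.rb
 - lib/brakeman/tracker/library.rb
+- lib/brakeman/tracker/method_info.rb
 - lib/brakeman/tracker/model.rb
 - lib/brakeman/tracker/template.rb
 - lib/brakeman/util.rb
@@ -418,7 +452,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version:
+      version: 2.4.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="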