brakeman-lib 4.10.0 → 5.0.2

Files changed (53) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGES.md +46 -0
  3. data/README.md +11 -2
  4. data/lib/brakeman.rb +21 -4
  5. data/lib/brakeman/app_tree.rb +36 -3
  6. data/lib/brakeman/checks/base_check.rb +7 -1
  7. data/lib/brakeman/checks/check_detailed_exceptions.rb +1 -1
  8. data/lib/brakeman/checks/check_evaluation.rb +1 -1
  9. data/lib/brakeman/checks/check_execute.rb +2 -1
  10. data/lib/brakeman/checks/check_mass_assignment.rb +4 -6
  11. data/lib/brakeman/checks/check_regex_dos.rb +1 -1
  12. data/lib/brakeman/checks/check_sanitize_methods.rb +2 -1
  13. data/lib/brakeman/checks/check_sql.rb +16 -3
  14. data/lib/brakeman/checks/check_unsafe_reflection_methods.rb +68 -0
  15. data/lib/brakeman/checks/check_verb_confusion.rb +75 -0
  16. data/lib/brakeman/file_parser.rb +50 -22
  17. data/lib/brakeman/options.rb +5 -1
  18. data/lib/brakeman/parsers/template_parser.rb +26 -3
  19. data/lib/brakeman/processors/alias_processor.rb +91 -19
  20. data/lib/brakeman/processors/base_processor.rb +4 -4
  21. data/lib/brakeman/processors/controller_alias_processor.rb +6 -43
  22. data/lib/brakeman/processors/controller_processor.rb +1 -1
  23. data/lib/brakeman/processors/haml_template_processor.rb +8 -1
  24. data/lib/brakeman/processors/lib/call_conversion_helper.rb +10 -0
  25. data/lib/brakeman/processors/lib/file_type_detector.rb +64 -0
  26. data/lib/brakeman/processors/lib/rails3_config_processor.rb +16 -16
  27. data/lib/brakeman/processors/lib/rails4_config_processor.rb +2 -1
  28. data/lib/brakeman/processors/library_processor.rb +9 -0
  29. data/lib/brakeman/processors/output_processor.rb +1 -1
  30. data/lib/brakeman/processors/template_alias_processor.rb +5 -0
  31. data/lib/brakeman/report.rb +12 -1
  32. data/lib/brakeman/report/ignore/interactive.rb +1 -1
  33. data/lib/brakeman/report/report_base.rb +0 -2
  34. data/lib/brakeman/report/report_csv.rb +37 -60
  35. data/lib/brakeman/report/report_github.rb +31 -0
  36. data/lib/brakeman/report/report_junit.rb +2 -2
  37. data/lib/brakeman/report/report_sarif.rb +1 -1
  38. data/lib/brakeman/report/report_sonar.rb +38 -0
  39. data/lib/brakeman/report/report_tabs.rb +1 -1
  40. data/lib/brakeman/report/report_text.rb +1 -1
  41. data/lib/brakeman/rescanner.rb +7 -5
  42. data/lib/brakeman/scanner.rb +47 -18
  43. data/lib/brakeman/tracker.rb +39 -4
  44. data/lib/brakeman/tracker/collection.rb +27 -5
  45. data/lib/brakeman/tracker/config.rb +73 -0
  46. data/lib/brakeman/tracker/controller.rb +1 -1
  47. data/lib/brakeman/tracker/method_info.rb +29 -0
  48. data/lib/brakeman/util.rb +17 -4
  49. data/lib/brakeman/version.rb +1 -1
  50. data/lib/brakeman/warning.rb +10 -2
  51. data/lib/brakeman/warning_codes.rb +2 -0
  52. data/lib/ruby_parser/bm_sexp.rb +9 -9
  53. metadata +39 -5
@@ -125,7 +125,7 @@ module Brakeman
125
125
  value = args[-1][2]
126
126
  case value.node_type
127
127
  when :array
128
- filter[option] = value[1..-1].map {|v| v[1] }
128
+ filter[option] = value.sexp_body.map {|v| v[1] }
129
129
  when :lit, :str
130
130
  filter[option] = value[1]
131
131
  else
@@ -0,0 +1,29 @@
1
+ require 'brakeman/util'
2
+
3
+ module Brakeman
4
+ class MethodInfo
5
+ include Brakeman::Util
6
+
7
+ attr_reader :name, :src, :owner, :file, :type
8
+
9
+ def initialize name, src, owner, file
10
+ @name = name
11
+ @src = src
12
+ @owner = owner
13
+ @file = file
14
+ @type = case src.node_type
15
+ when :defn
16
+ :instance
17
+ when :defs
18
+ :class
19
+ else
20
+ raise "Expected sexp type: #{src.node_type}"
21
+ end
22
+ end
23
+
24
+ # To support legacy code that expected a Hash
25
+ def [] attr
26
+ self.send(attr)
27
+ end
28
+ end
29
+ end
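Review bot: The Hash-compatibility shim `def [] attr` dispatches with `self.send(attr)`, which reaches private methods and everything inherited from Object, so it exposes far more than the five declared readers it is meant to stand in for; `self.public_send(attr)` keeps the surface equal to the old Hash keys while still honouring the readers. A second compatibility gap, hedged because the legacy callers are not visible here: a Hash returned nil for an unknown key, whereas `send`/`public_send` raise NoMethodError, so any caller that probes for an absent key now fails instead of getting nil. In `initialize`, the bare `raise "Expected sexp type: #{src.node_type}"` is a RuntimeError for what is an argument-validation failure; `raise ArgumentError, "Expected sexp type: #{src.node_type}"` is the conventional class. A one-line comment on `[]` such as `# Legacy Hash-style access; only the attr_reader names are supported` would document the intended contract.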
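--- a/data/lib/brakeman/util.rb
+++ b/data/lib/brakeman/util.rb
@@ -142,6 +142,14 @@ module Brakeman::Util
 nil
 end
 
+def hash_values hash
+values = hash.each_sexp.each_slice(2).map do |_, value|
+value
+end
+
+Sexp.new(:array).concat(values).line(hash.line)
+end
+
 #These are never modified
 PARAMS_SEXP = Sexp.new(:params)
 SESSION_SEXP = Sexp.new(:session)
@@ -321,7 +329,7 @@ module Brakeman::Util
 if node_type? current, :class
 return true
 elsif sexp? current
-todo = current[1..-1].concat todo
+todo = current.sexp_body.concat todo
 end
 end
 
@@ -334,7 +342,7 @@ module Brakeman::Util
 if args.empty? or args.first.empty?
 #nothing to do
 elsif node_type? args.first, :arglist
-call.concat args.first[1..-1]
+call.concat args.first.sexp_body
 elsif args.first.node_type.is_a? Sexp #just a list of args
 call.concat args.first
 else
@@ -368,8 +376,13 @@ module Brakeman::Util
 #
 # views/test/something.html.erb -> test/something
 def template_path_to_name path
-names = path.relative.split("/")
+names = path.relative.split('/')
 names.last.gsub!(/(\.(html|js)\..*|\.(rhtml|haml|erb|slim))$/, '')
-names[(names.index("views") + 1)..-1].join("/").to_sym
+
+if names.include? 'views'
+names[(names.index('views') + 1)..-1]
+else
+names
+end.join('/').to_sym
 end
 end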
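Review bot: In the first hunk, `hash_values` pairs the children of a `:hash` sexp purely by position with `each_sexp.each_slice(2)`, so the result silently misaligns as soon as the hash literal contains a single-child entry; I believe ruby_parser emits a double-splat (`**opts`) as one `s(:kwsplat, …)` child rather than a key/value pair, after which every later "value" would actually be a key. If that shape can reach this helper, dropping such entries before slicing keeps the output honest, e.g. `hash.each_sexp.reject { |e| node_type? e, :kwsplat }.each_slice(2).map { |_, value| value }`, and either way a one-line comment stating the assumed shape, `# assumes alternating key/value children (no :kwsplat entries)`, would make the contract explicit. The remaining hunks are mechanical `[1..-1]` → `sexp_body` swaps plus the new guard in `template_path_to_name` for paths without a `views` segment, which previously would have raised on `nil + 1`; those look correct.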
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "4.10.0"
2
+ Version = "5.0.2"
3
3
  end
@@ -275,6 +275,14 @@ class Brakeman::Warning
275
275
  self.file.relative
276
276
  end
277
277
 
278
+ def check_name
279
+ @check_name ||= self.check.sub(/^Brakeman::Check/, '')
280
+ end
281
+
282
+ def confidence_name
283
+ TEXT_CONFIDENCE[self.confidence]
284
+ end
285
+
278
286
  def to_hash absolute_paths: true
279
287
  if self.called_from and not absolute_paths
280
288
  render_path = self.called_from.with_relative_paths
@@ -285,7 +293,7 @@ class Brakeman::Warning
285
293
  { :warning_type => self.warning_type,
286
294
  :warning_code => @warning_code,
287
295
  :fingerprint => self.fingerprint,
288
- :check_name => self.check.gsub(/^Brakeman::Check/, ''),
296
+ :check_name => self.check_name,
289
297
  :message => self.message.to_s,
290
298
  :file => (absolute_paths ? self.file.absolute : self.file.relative),
291
299
  :line => self.line,
@@ -294,7 +302,7 @@ class Brakeman::Warning
294
302
  :render_path => render_path,
295
303
  :location => self.location(false),
296
304
  :user_input => (@user_input && self.format_user_input(false)),
297
- :confidence => TEXT_CONFIDENCE[self.confidence]
305
+ :confidence => self.confidence_name
298
306
  }
299
307
  end
300
308
 
@@ -119,6 +119,8 @@ module Brakeman::WarningCodes
119
119
  :CVE_2020_8159 => 115,
120
120
  :CVE_2020_8166 => 116,
121
121
  :erb_template_injection => 117,
122
+ :http_verb_confusion => 118,
123
+ :unsafe_method_reflection => 119,
122
124
 
123
125
  :custom_check => 9090,
124
126
  }
@@ -175,7 +175,7 @@ class Sexp
175
175
  start_index = 3
176
176
 
177
177
  if exp.is_a? Sexp and exp.node_type == :arglist
178
- exp = exp[1..-1]
178
+ exp = exp.sexp_body
179
179
  end
180
180
 
181
181
  exp.each_with_index do |e, i|
@@ -198,10 +198,10 @@ class Sexp
198
198
 
199
199
  case self.node_type
200
200
  when :call, :attrasgn, :safe_call, :safe_attrasgn
201
- self[3..-1].unshift :arglist
201
+ self.sexp_body(3).unshift :arglist
202
202
  when :super, :zsuper
203
203
  if self[1]
204
- self[1..-1].unshift :arglist
204
+ self.sexp_body.unshift :arglist
205
205
  else
206
206
  Sexp.new(:arglist)
207
207
  end
@@ -218,13 +218,13 @@ class Sexp
218
218
  case self.node_type
219
219
  when :call, :attrasgn, :safe_call, :safe_attrasgn
220
220
  if self[3]
221
- self[3..-1]
221
+ self.sexp_body(3)
222
222
  else
223
223
  Sexp.new
224
224
  end
225
225
  when :super, :zsuper
226
226
  if self[1]
227
- self[1..-1]
227
+ self.sexp_body
228
228
  else
229
229
  Sexp.new
230
230
  end
@@ -512,7 +512,7 @@ class Sexp
512
512
  self.slice!(index..-1) #Remove old body
513
513
 
514
514
  if exp.first == :rlist
515
- exp = exp[1..-1]
515
+ exp = exp.sexp_body
516
516
  end
517
517
 
518
518
  #Insert new body
@@ -529,11 +529,11 @@ class Sexp
529
529
 
530
530
  case self.node_type
531
531
  when :defn, :class
532
- self[3..-1]
532
+ self.sexp_body(3)
533
533
  when :defs
534
- self[4..-1]
534
+ self.sexp_body(4)
535
535
  when :module
536
- self[2..-1]
536
+ self.sexp_body(2)
537
537
  end
538
538
  end
539
539
 
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: brakeman-lib
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.10.0
4
+ version: 5.0.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Justin Collins
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-09-28 00:00:00.000000000 Z
11
+ date: 2021-06-07 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: minitest
@@ -66,6 +66,20 @@ dependencies:
66
66
  - - '='
67
67
  - !ruby/object:Gem::Version
68
68
  version: 0.10.2
69
+ - !ruby/object:Gem::Dependency
70
+ name: parallel
71
+ requirement: !ruby/object:Gem::Requirement
72
+ requirements:
73
+ - - "~>"
74
+ - !ruby/object:Gem::Version
75
+ version: '1.20'
76
+ type: :runtime
77
+ prerelease: false
78
+ version_requirements: !ruby/object:Gem::Requirement
79
+ requirements:
80
+ - - "~>"
81
+ - !ruby/object:Gem::Version
82
+ version: '1.20'
69
83
  - !ruby/object:Gem::Dependency
70
84
  name: ruby_parser
71
85
  requirement: !ruby/object:Gem::Requirement
@@ -184,14 +198,14 @@ dependencies:
184
198
  requirements:
185
199
  - - "~>"
186
200
  - !ruby/object:Gem::Version
187
- version: 5.1.0
201
+ version: '5.1'
188
202
  type: :runtime
189
203
  prerelease: false
190
204
  version_requirements: !ruby/object:Gem::Requirement
191
205
  requirements:
192
206
  - - "~>"
193
207
  - !ruby/object:Gem::Version
194
- version: 5.1.0
208
+ version: '5.1'
195
209
  - !ruby/object:Gem::Dependency
196
210
  name: slim
197
211
  requirement: !ruby/object:Gem::Requirement
@@ -212,6 +226,20 @@ dependencies:
212
226
  - - "<="
213
227
  - !ruby/object:Gem::Version
214
228
  version: '4.1'
229
+ - !ruby/object:Gem::Dependency
230
+ name: rexml
231
+ requirement: !ruby/object:Gem::Requirement
232
+ requirements:
233
+ - - "~>"
234
+ - !ruby/object:Gem::Version
235
+ version: '3.0'
236
+ type: :runtime
237
+ prerelease: false
238
+ version_requirements: !ruby/object:Gem::Requirement
239
+ requirements:
240
+ - - "~>"
241
+ - !ruby/object:Gem::Version
242
+ version: '3.0'
215
243
  description: Brakeman detects security vulnerabilities in Ruby on Rails applications
216
244
  via static analysis. This package declares gem dependencies instead of bundling
217
245
  them.
@@ -301,8 +329,10 @@ files:
301
329
  - lib/brakeman/checks/check_template_injection.rb
302
330
  - lib/brakeman/checks/check_translate_bug.rb
303
331
  - lib/brakeman/checks/check_unsafe_reflection.rb
332
+ - lib/brakeman/checks/check_unsafe_reflection_methods.rb
304
333
  - lib/brakeman/checks/check_unscoped_find.rb
305
334
  - lib/brakeman/checks/check_validation_regex.rb
335
+ - lib/brakeman/checks/check_verb_confusion.rb
306
336
  - lib/brakeman/checks/check_weak_hash.rb
307
337
  - lib/brakeman/checks/check_without_protection.rb
308
338
  - lib/brakeman/checks/check_xml_dos.rb
@@ -333,6 +363,7 @@ files:
333
363
  - lib/brakeman/processors/haml_template_processor.rb
334
364
  - lib/brakeman/processors/lib/basic_processor.rb
335
365
  - lib/brakeman/processors/lib/call_conversion_helper.rb
366
+ - lib/brakeman/processors/lib/file_type_detector.rb
336
367
  - lib/brakeman/processors/lib/find_all_calls.rb
337
368
  - lib/brakeman/processors/lib/find_call.rb
338
369
  - lib/brakeman/processors/lib/find_return_value.rb
@@ -363,12 +394,14 @@ files:
363
394
  - lib/brakeman/report/report_base.rb
364
395
  - lib/brakeman/report/report_codeclimate.rb
365
396
  - lib/brakeman/report/report_csv.rb
397
+ - lib/brakeman/report/report_github.rb
366
398
  - lib/brakeman/report/report_hash.rb
367
399
  - lib/brakeman/report/report_html.rb
368
400
  - lib/brakeman/report/report_json.rb
369
401
  - lib/brakeman/report/report_junit.rb
370
402
  - lib/brakeman/report/report_markdown.rb
371
403
  - lib/brakeman/report/report_sarif.rb
404
+ - lib/brakeman/report/report_sonar.rb
372
405
  - lib/brakeman/report/report_table.rb
373
406
  - lib/brakeman/report/report_tabs.rb
374
407
  - lib/brakeman/report/report_text.rb
@@ -391,6 +424,7 @@ files:
391
424
  - lib/brakeman/tracker/constants.rb
392
425
  - lib/brakeman/tracker/controller.rb
393
426
  - lib/brakeman/tracker/library.rb
427
+ - lib/brakeman/tracker/method_info.rb
394
428
  - lib/brakeman/tracker/model.rb
395
429
  - lib/brakeman/tracker/template.rb
396
430
  - lib/brakeman/util.rb
@@ -418,7 +452,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
418
452
  requirements:
419
453
  - - ">="
420
454
  - !ruby/object:Gem::Version
421
- version: '0'
455
+ version: 2.4.0
422
456
  required_rubygems_version: !ruby/object:Gem::Requirement
423
457
  requirements:
424
458
  - - ">="