brakeman-lib 4.10.1 → 5.0.0.pre1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9433874563193068795eb4d4a90dd176132b04130cf68a9689753caff3c9df1e
-  data.tar.gz: 19e73894774e624624edecd48c28dd53aa4da68e7482afe272fec48398551040
+  metadata.gz: d69b909ed56306516d662fbc2bd25c22c3886925a8a98ca81ea761f0bb3851ca
+  data.tar.gz: bb2f1fe108cccdefb21da6cce220489d0890659bfaf2a773e3e9201892db0f9b
 SHA512:
-  metadata.gz: fbbd606baa82361d62752a44a0c3a095083d8e3b89c213cad7e8bdc97341a7fd09c3973c80c50d58349dc5bc9e98fe2ca390710d2419636a81f40d6dd75add6f
-  data.tar.gz: 89331cbf5168e088bdac777e65b3ee4cbe3244792f64f3c13db084e00db0fc3ebf792801d7c1f7fcc2b3c929cafd83e27381ecd03550d69b761cb94cf228856b
+  metadata.gz: 004d9116ce3b94abe715744571e124b477b9e30acaa623e3e46dc28493e9829d9c7cee9a060024eb6aa8158336d0622e81fb68a43343e5a4dddf837c214e62c8
+  data.tar.gz: af6556b75109436f49a1087ace59aab6c235a82452d92159770fbd8248c56aa458d254307046e73b649563d7471c88a31b049257ad5305498963d815aa1f2439

data/CHANGES.md

@@ -1,10 +1,12 @@
-# 4.10.1 - 2020-12-24
-
-* Declare REXML as a dependency (Ruby 3.0 compatibility)
-* Use `Sexp#sexp_body` instead of `Sexp#[..]` (Ruby 3.0 compatibility)
-* Prevent render loops when template names are absolute paths
-* Ensure RubyParser is passed file path as a String
-* Support new Haml 5.2.0 escaping method
+# 5.0.0.pre1 - 2020-11-17
+
+* Add check for (more) unsafe method reflection
+* Suggest using `--force` if no Rails application is detected
+* Add Sonarqube report format (Adam England)
+* Add check for potential HTTP verb confusion
+* Add `--[no-]skip-vendor` option
+* Scan (almost) all Ruby files in project
+* Add support for Haml 5.2.0
 
 # 4.10.0 - 2020-09-28
 

data/README.md

@@ -76,7 +76,7 @@ To specify an output file for the results:
 
     brakeman -o output_file
 
-The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `junit`, `markdown`, `csv`, and `codeclimate`.
+The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `junit`, `markdown`, `csv`, `codeclimate`, and `sonar`.
 
 Multiple output files can be specified:
 

data/lib/brakeman.rb

@@ -66,6 +66,7 @@ module Brakeman
   #  * :run_checks - array of checks to run (run all if not specified)
   #  * :safe_methods - array of methods to consider safe
   #  * :skip_libs - do not process lib/ directory (default: false)
+  #  * :skip_vendor - do not process vendor/ directory (default: true)
   #  * :skip_checks - checks not to run (run all if not specified)
   #  * :absolute_paths - show absolute path of each file (default: false)
   #  * :summary_only - only output summary section of report for plain/table (:summary_only, :no_summary, true)
@@ -191,6 +192,7 @@ module Brakeman
       :report_progress => true,
       :safe_methods => Set.new,
       :skip_checks => Set.new,
+      :skip_vendor => true,
     }
   end
 
@@ -239,6 +241,8 @@ module Brakeman
       [:to_junit]
     when :sarif, :to_sarif
       [:to_sarif]
+    when :sonar, :to_sonar
+      [:to_sonar]
     else
       [:to_text]
     end
@@ -270,6 +274,8 @@ module Brakeman
         :to_junit
       when /\.sarif$/i
         :to_sarif
+      when /\.sonar$/i
+        :to_sonar
       else
         :to_text
       end

data/lib/brakeman/app_tree.rb

@@ -21,6 +21,7 @@ module Brakeman
       end
       init_options[:additional_libs_path] = options[:additional_libs_path]
       init_options[:engine_paths] = options[:engine_paths]
+      init_options[:skip_vendor] = options[:skip_vendor]
       new(root, init_options)
     end
 
@@ -62,6 +63,7 @@ module Brakeman
       @engine_paths = init_options[:engine_paths] || []
       @absolute_engine_paths = @engine_paths.select { |path| path.start_with?(File::SEPARATOR) }
       @relative_engine_paths = @engine_paths - @absolute_engine_paths
+      @skip_vendor = init_options[:skip_vendor]
       @gemspec = nil
       @root_search_pattern = nil
     end
@@ -96,6 +98,10 @@ module Brakeman
       end
     end
 
+    def ruby_file_paths
+      find_paths(".").uniq
+    end
+
     def initializer_paths
       @initializer_paths ||= prioritize_concerns(find_paths("config/initializers"))
     end
@@ -109,8 +115,8 @@ module Brakeman
     end
 
     def template_paths
-      @template_paths ||= find_paths("app/**/views", "*.{#{VIEW_EXTENSIONS}}") +
-                          find_paths("app/**/views", "*.{erb,haml,slim}").reject { |path| File.basename(path).count(".") > 1 }
+      @template_paths ||= find_paths(".", "*.{#{VIEW_EXTENSIONS}}") +
+        find_paths("**", "*.{erb,haml,slim}").reject { |path| File.basename(path).count(".") > 1 }
     end
 
     def layout_exists?(name)
@@ -163,7 +169,8 @@ module Brakeman
     def select_files(paths)
       paths = select_only_files(paths)
       paths = reject_skipped_files(paths)
-      convert_to_file_paths(paths)
+      paths = convert_to_file_paths(paths)
+      reject_global_excludes(paths)
     end
 
     def select_only_files(paths)
@@ -182,6 +189,32 @@ module Brakeman
       end
     end
 
+    EXCLUDED_PATHS = %w[
+      /generators/
+      lib/tasks/
+      lib/templates/
+      db/
+      spec/
+      test/
+      tmp/
+      public/
+      log/
+    ]
+
+    def reject_global_excludes(paths)
+      paths.reject do |path|
+        relative_path = path.relative
+
+        if @skip_vendor and relative_path.include? 'vendor/'
+          true
+        else
+          EXCLUDED_PATHS.any? do |excluded|
+            relative_path.include? excluded
+          end
+        end
+      end
+    end
+
     def match_path files, path
       absolute_path = Pathname.new(path)
       # relative root never has a leading separator. But, we use a leading

data/lib/brakeman/checks/check_execute.rb

@@ -208,7 +208,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
       if node_type? e, :if
         # If we're in a conditional, evaluate the `then` and `else` clauses to
         # see if they're dangerous.
-        if res = dangerous?(e.sexp_body.sexp_body)
+        if res = dangerous?(e.values[1..-1])
           return res
         end
       elsif node_type? e, :or, :evstr, :dstr

data/lib/brakeman/checks/check_regex_dos.rb

@@ -29,7 +29,7 @@ class Brakeman::CheckRegexDoS < Brakeman::BaseCheck
     return unless original? result
 
     call = result[:call]
-    components = call.sexp_body
+    components = call[1..-1]
 
     components.any? do |component|
       next unless sexp? component

data/lib/brakeman/checks/check_unsafe_reflection_methods.rb

@@ -0,0 +1,68 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckUnsafeReflectionMethods < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for unsafe reflection to access methods"
+
+  def run_check
+    check_method
+    check_tap
+    check_to_proc
+  end
+
+  def check_method
+    tracker.find_call(method: :method, nested: true).each do |result|
+      argument = result[:call].first_arg
+
+      if user_input = include_user_input?(argument)
+        warn_unsafe_reflection(result, user_input)
+      end
+    end
+  end
+
+  def check_tap
+    tracker.find_call(method: :tap, nested: true).each do |result|
+      argument = result[:call].first_arg
+
+      # Argument is passed like a.tap(&argument)
+      if node_type? argument, :block_pass
+        argument = argument.value
+      end
+
+      if user_input = include_user_input?(argument)
+        warn_unsafe_reflection(result, user_input)
+      end
+    end
+  end
+
+  def check_to_proc
+    tracker.find_call(method: :to_proc, nested: true).each do |result|
+      target = result[:call].target
+
+      if user_input = include_user_input?(target)
+        warn_unsafe_reflection(result, user_input)
+      end
+    end
+  end
+
+  def warn_unsafe_reflection result, input
+    return unless original? result
+    method = result[:call].method
+
+    confidence = if input.type == :params
+      :high
+    else
+      :medium
+    end
+
+    message = msg("Unsafe reflection method ", msg_code(method), " called with ", msg_input(input))
+
+    warn :result => result,
+      :warning_type => "Remote Code Execution",
+      :warning_code => :unsafe_method_reflection,
+      :message => message,
+      :user_input => input,
+      :confidence => confidence
+  end
+end

data/lib/brakeman/checks/check_verb_confusion.rb

@@ -0,0 +1,75 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckVerbConfusion < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Check for uses of `request.get?` that might have unintentional behavior"
+
+  #Process calls
+  def run_check
+    calls = tracker.find_call(target: :request, methods: [:get?])
+
+    calls.each do |call|
+      process_result call
+    end
+  end
+
+  def process_result result
+    @current_result = result
+    @matched_call = result[:call]
+    klass = tracker.find_class(result[:location][:class])
+
+    # TODO: abstract into tracker.find_location ?
+    if klass.nil?
+      Brakeman.debug "No class found: #{result[:location][:class]}"
+      return
+    end
+
+    method = klass.get_method(result[:location][:method])
+
+    if method.nil?
+      Brakeman.debug "No method found: #{result[:location][:method]}"
+      return
+    end
+
+    process method[:src]
+  end
+
+  def process_if exp
+    if exp.condition == @matched_call
+      # Found `if request.get?`
+
+      # Do not warn if there is an `elsif` clause
+      if node_type? exp.else_clause, :if
+        return exp
+      end
+
+      warn_about_result @current_result, exp
+    end
+
+    exp
+  end
+
+  def warn_about_result result, code
+    return unless original? result
+
+    confidence = :weak
+    message = msg('Potential HTTP verb confusion. ',
+                  msg_code('HEAD'),
+                  ' is routed like ',
+                  msg_code('GET'),
+                  ' but ',
+                  msg_code('request.get?'),
+                  ' will return ',
+                  msg_code('false')
+                 )
+
+    warn :result => result,
+      :warning_type => "HTTP Verb Confusion",
+      :warning_code => :http_verb_confusion,
+      :message => message,
+      :code => code,
+      :user_input => result[:call],
+      :confidence => confidence
+  end
+end

data/lib/brakeman/file_parser.rb

@@ -3,55 +3,51 @@ module Brakeman
 
   # This class handles reading and parsing files.
   class FileParser
-    attr_reader :file_list
+    attr_reader :file_list, :errors
 
-    def initialize tracker
-      @tracker = tracker
-      @timeout = @tracker.options[:parser_timeout]
-      @app_tree = @tracker.app_tree
-      @file_list = {}
+    def initialize app_tree, timeout
+      @app_tree = app_tree
+      @timeout = timeout
+      @file_list = []
+      @errors = []
     end
 
-    def parse_files list, type
-      read_files list, type do |path, contents|
+    def parse_files list
+      read_files list do |path, contents|
         if ast = parse_ruby(contents, path.relative)
           ASTFile.new(path, ast)
         end
       end
     end
 
-    def read_files list, type
-      @file_list[type] ||= []
-
+    def read_files list
       list.each do |path|
         file = @app_tree.file_path(path)
 
         result = yield file, file.read
+
         if result
-          @file_list[type] << result
+          @file_list << result
         end
       end
     end
 
-    # _path_ can be a string or a Brakeman::FilePath
     def parse_ruby input, path
-      if path.is_a? Brakeman::FilePath
-        path = path.relative
-      end
-
       begin
         Brakeman.debug "Parsing #{path}"
         RubyParser.new.parse input, path, @timeout
       rescue Racc::ParseError => e
-        @tracker.error e, "Could not parse #{path}"
-        nil
+        error e.exception(e.message + "\nCould not parse #{path}")
       rescue Timeout::Error => e
-        @tracker.error Exception.new("Parsing #{path} took too long (> #{@timeout} seconds). Try increasing the limit with --parser-timeout"), caller
-        nil
+        error Exception.new("Parsing #{path} took too long (> #{@timeout} seconds). Try increasing the limit with --parser-timeout")
       rescue => e
-        @tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
-        nil
+        error e.exception(e.message + "\nWhile processing #{path}")
       end
     end
+
+    def error exception
+      @errors << exception
+      nil
+    end
   end
 end

data/lib/brakeman/options.rb

@@ -166,6 +166,10 @@ module Brakeman::Options
           options[:only_files].merge files
         end
 
+        opts.on "--[no-]skip-vendor", "Skip processing vendor directory (Default)" do |skip|
+          options[:skip_vendor] = skip
+        end
+
         opts.on "--skip-libs", "Skip processing lib directory" do
           options[:skip_libs] = true
         end
@@ -229,7 +233,7 @@ module Brakeman::Options
 
         opts.on "-f",
           "--format TYPE",
-          [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table, :junit, :sarif],
+          [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table, :junit, :sarif, :sonar],
           "Specify output formats. Default is text" do |type|
 
           type = "s" if type == :text

data/lib/brakeman/parsers/template_parser.rb

@@ -9,7 +9,6 @@ module Brakeman
     def initialize tracker, file_parser
       @tracker = tracker
       @file_parser = file_parser
-      @file_parser.file_list[:templates] ||= []
     end
 
     def parse_template path, text
@@ -33,7 +32,7 @@ module Brakeman
               end
 
         if src and ast = @file_parser.parse_ruby(src, path)
-          @file_parser.file_list[:templates] << TemplateFile.new(path, ast, name, type)
+          @file_parser.file_list << TemplateFile.new(path, ast, name, type)
         end
       rescue Racc::ParseError => e
         tracker.error e, "Could not parse #{path}"
@@ -97,7 +96,7 @@ module Brakeman
     end
 
     def self.parse_inline_erb tracker, text
-      fp = Brakeman::FileParser.new(tracker)
+      fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
       tp = self.new(tracker, fp)
       src = tp.parse_erb '_inline_', text
       type = tp.erubis? ? :erubis : :erb

data/lib/brakeman/processors/alias_processor.rb

@@ -236,7 +236,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         env[target_var] = target
         return target
       elsif string? target and string_interp? first_arg
-        exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg.sexp_body(2))
+        exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg[2..-1])
         env[target_var] = exp
       elsif string? first_arg and string_interp? target
         if string? target.last
@@ -941,7 +941,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     args = exp.args
     exp.pop # remove last arg
     if args.length > 1
-      exp.arglist = args.sexp_body
+      exp.arglist = args[1..-1]
     end
   end
 

data/lib/brakeman/processors/controller_processor.rb

@@ -202,7 +202,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     end
 
     if node_type? exp.block, :block
-      block_inner = exp.block.sexp_body
+      block_inner = exp.block[1..-1]
     else
       block_inner = [exp.block]
     end

data/lib/brakeman/processors/lib/file_type_detector.rb

@@ -0,0 +1,64 @@
+module Brakeman
+  class FileTypeDetector < BaseProcessor
+    def initialize
+      super(nil)
+      reset
+    end
+
+    def detect_type(file)
+      reset
+      process(file.ast)
+
+      if @file_type.nil?
+        @file_type = guess_from_path(file.path.relative)
+      end
+
+      @file_type || :libs
+    end
+
+    MODEL_CLASSES = [
+      :'ActiveRecord::Base',
+      :ApplicationRecord
+    ]
+
+    def process_class exp
+      name = class_name(exp.class_name)
+      parent = class_name(exp.parent_name)
+
+      if name.match(/Controller$/)
+        @file_type = :controllers
+        return exp
+      elsif MODEL_CLASSES.include? parent
+        @file_type = :models
+        return exp
+      end
+
+      super
+    end
+
+    def guess_from_path path
+      case
+      when path.include?('app/models')
+        :models
+      when path.include?('app/controllers')
+        :controllers
+      when path.include?('config/initializers')
+        :initializers
+      when path.include?('lib/')
+        :libs
+      when path.match?(%r{config/environments/(?!production\.rb)$})
+        :skip
+      when path.match?(%r{environments/production\.rb$})
+        :skip
+      when path.match?(%r{application\.rb$})
+        :skip
+      end
+    end
+
+    private
+
+    def reset
+      @file_type = nil
+    end
+  end
+end

data/lib/brakeman/processors/output_processor.rb

@@ -88,7 +88,7 @@ class Brakeman::OutputProcessor < Ruby2Ruby
 
   def process_iter exp
     call = process exp[1]
-    block = process_rlist exp.sexp_body(3)
+    block = process_rlist exp[3..-1]
     out = "#{call} do\n #{block}\n end"
 
     out

data/lib/brakeman/processors/template_alias_processor.rb

@@ -20,11 +20,6 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
 
   #Process template
   def process_template name, args, _, line = nil
-    # Strip forward slash from beginning of template path.
-    # This also happens in RenderHelper#process_template but
-    # we need it here too to accurately avoid circular renders below.
-    name = name.to_s.gsub(/^\//, "")
-
     if @called_from
       if @called_from.include_template? name
         Brakeman.debug "Skipping circular render from #{@template.name} to #{name}"

data/lib/brakeman/report.rb

@@ -45,6 +45,9 @@ class Brakeman::Report
       Brakeman::Report::JUnit
     when :to_sarif
       return self.to_sarif
+    when :to_sonar
+      require_report 'sonar'
+      Brakeman::Report::Sonar
     else
       raise "Invalid format: #{format}. Should be one of #{VALID_FORMATS.inspect}"
     end
@@ -69,6 +72,11 @@ class Brakeman::Report
     generate Brakeman::Report::JSON
   end
 
+  def to_sonar
+    require_report 'sonar'
+    generate Brakeman::Report::Sonar
+  end
+
   def to_table
     require_report 'table'
     generate Brakeman::Report::Table

data/lib/brakeman/report/report_sonar.rb

@@ -0,0 +1,38 @@
+class Brakeman::Report::Sonar < Brakeman::Report::Base
+  def generate_report
+    report_object = {
+      issues: all_warnings.map { |warning| issue_json(warning) }
+    }
+    return JSON.pretty_generate report_object
+  end
+  
+  private
+  
+  def issue_json(warning)
+    {
+      engineId: "Brakeman",
+      ruleId: warning.warning_code,
+      type: "VULNERABILITY",
+      severity: severity_level_for(warning.confidence),
+      primaryLocation: {
+        message: warning.message,
+        filePath: warning.file.relative,
+        textRange: {
+          "startLine": warning.line || 1,
+          "endLine": warning.line || 1,
+        }
+      },
+      effortMinutes: (4 - warning.confidence) * 15
+    }
+  end
+
+  def severity_level_for(confidence)
+    if confidence == 0
+      "CRITICAL"
+    elsif confidence == 1
+      "MAJOR"
+    else
+      "MINOR"
+    end
+  end
+end

data/lib/brakeman/rescanner.rb

@@ -132,10 +132,11 @@ class Brakeman::Rescanner < Brakeman::Scanner
     template_name = template_path_to_name(path)
 
     tracker.reset_template template_name
-    fp = Brakeman::FileParser.new(tracker)
+    fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
     template_parser = Brakeman::TemplateParser.new(tracker, fp)
     template_parser.parse_template path, path.read
-    process_template fp.file_list[:templates].first
+    tracker.add_errors(fp.errors)
+    process_template fp.file_list.first
 
     @processor.process_template_alias tracker.templates[template_name]
 
@@ -390,9 +391,10 @@ class Brakeman::Rescanner < Brakeman::Scanner
 
   def parse_ruby_files list
     paths = list.select(&:exists?)
-    file_parser = Brakeman::FileParser.new(tracker)
-    file_parser.parse_files paths, :rescan
-    file_parser.file_list[:rescan]
+    file_parser = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
+    file_parser.parse_files paths
+    tracker.add_errors(file_parser.errors)
+    file_parser.file_list
   end
 end
 

data/lib/brakeman/scanner.rb

@@ -7,6 +7,7 @@ begin
   require 'brakeman/app_tree'
   require 'brakeman/file_parser'
   require 'brakeman/parsers/template_parser'
+  require 'brakeman/processors/lib/file_type_detector'
 rescue LoadError => e
   $stderr.puts e.message
   $stderr.puts "Please install the appropriate dependency."
@@ -23,7 +24,10 @@ class Brakeman::Scanner
     @app_tree = Brakeman::AppTree.from_options(options)
 
     if (!@app_tree.root || !@app_tree.exists?("app")) && !options[:force_scan]
-      raise Brakeman::NoApplication, "Please supply the path to a Rails application (looking in #{@app_tree.root})."
+      message = "Please supply the path to a Rails application (looking in #{@app_tree.root}).\n" <<
+                "  Use `--force` to run a scan anyway - for example if there are many applications in one directory."
+
+      raise Brakeman::NoApplication, message
     end
 
     @processor = processor || Brakeman::Processor.new(@app_tree, options)
@@ -43,6 +47,8 @@ class Brakeman::Scanner
     process_config
     Brakeman.notify "Parsing files..."
     parse_files
+    Brakeman.notify "Detecting file types..."
+    detect_file_types
     Brakeman.notify "Processing initializers..."
     process_initializers
     Brakeman.notify "Processing libs..."
@@ -65,29 +71,47 @@ class Brakeman::Scanner
   end
 
   def parse_files
-    fp = Brakeman::FileParser.new tracker
-
-    files = {
-      :initializers => @app_tree.initializer_paths,
-      :controllers => @app_tree.controller_paths,
-      :models => @app_tree.model_paths
-    }
-
-    unless options[:skip_libs]
-      files[:libs] = @app_tree.lib_paths
-    end
+    fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
 
-    files.each do |name, paths|
-      fp.parse_files paths, name
-    end
+    fp.parse_files tracker.app_tree.ruby_file_paths
 
     template_parser = Brakeman::TemplateParser.new(tracker, fp)
 
-    fp.read_files(@app_tree.template_paths, :templates) do |path, contents|
+    fp.read_files(@app_tree.template_paths) do |path, contents|
       template_parser.parse_template path, contents
     end
 
-    @file_list = fp.file_list
+    # Collect errors raised during parsing
+    tracker.add_errors(fp.errors)
+
+    @parsed_files = fp.file_list
+  end
+
+  def detect_file_types
+    @file_list = {
+      controllers: [],
+      initializers: [],
+      libs: [],
+      models: [],
+      templates: [],
+    }
+
+    detector = Brakeman::FileTypeDetector.new
+
+    @parsed_files.each do |file|
+      if file.is_a? Brakeman::TemplateParser::TemplateFile
+        @file_list[:templates] << file
+      else
+        type = detector.detect_type(file)
+        unless type == :skip
+          if @file_list[type].nil?
+            raise type.to_s
+          else
+            @file_list[type] << file
+          end
+        end
+      end
+    end
   end
 
   #Process config/environment.rb and config/gems.rb
@@ -325,7 +349,7 @@ class Brakeman::Scanner
   end
 
   def parse_ruby_file file
-    fp = Brakeman::FileParser.new(self.tracker)
+    fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
     fp.parse_ruby(file.read, file)
   end
 end

data/lib/brakeman/tracker.rb

@@ -68,6 +68,12 @@ class Brakeman::Tracker
     }
   end
 
+  def add_errors exceptions
+    exceptions.each do |e|
+      error(e)
+    end
+  end
+
   #Run a set of checks on the current information. Results will be stored
   #in Tracker#checks.
   def run_checks

data/lib/brakeman/tracker/controller.rb

@@ -125,7 +125,7 @@ module Brakeman
         value = args[-1][2]
         case value.node_type
         when :array
-          filter[option] = value.sexp_body.map {|v| v[1] }
+          filter[option] = value[1..-1].map {|v| v[1] }
         when :lit, :str
           filter[option] = value[1]
         else

data/lib/brakeman/util.rb

@@ -321,7 +321,7 @@ module Brakeman::Util
       if node_type? current, :class
         return true
       elsif sexp? current
-        todo = current.sexp_body.concat todo
+        todo = current[1..-1].concat todo
       end
     end
 
@@ -334,7 +334,7 @@ module Brakeman::Util
     if args.empty? or args.first.empty?
       #nothing to do
     elsif node_type? args.first, :arglist
-      call.concat args.first.sexp_body
+      call.concat args.first[1..-1]
     elsif args.first.node_type.is_a? Sexp #just a list of args
       call.concat args.first
     else
@@ -368,8 +368,13 @@ module Brakeman::Util
   #
   # views/test/something.html.erb -> test/something
   def template_path_to_name path
-    names = path.relative.split("/")
+    names = path.relative.split('/')
     names.last.gsub!(/(\.(html|js)\..*|\.(rhtml|haml|erb|slim))$/, '')
-    names[(names.index("views") + 1)..-1].join("/").to_sym
+
+    if names.include? 'views'
+      names[(names.index('views') + 1)..-1]
+    else
+      names
+    end.join('/').to_sym
   end
 end

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "4.10.1"
+  Version = "5.0.0.pre1"
 end

data/lib/brakeman/warning_codes.rb

@@ -119,6 +119,8 @@ module Brakeman::WarningCodes
     :CVE_2020_8159 => 115,
     :CVE_2020_8166 => 116,
     :erb_template_injection => 117,
+    :http_verb_confusion => 118,
+    :unsafe_method_reflection => 119,
 
     :custom_check => 9090,
   }

data/lib/ruby_parser/bm_sexp.rb

@@ -175,7 +175,7 @@ class Sexp
     start_index = 3
 
     if exp.is_a? Sexp and exp.node_type == :arglist
-      exp = exp.sexp_body
+      exp = exp[1..-1]
     end
 
     exp.each_with_index do |e, i|
@@ -198,10 +198,10 @@ class Sexp
 
     case self.node_type
     when :call, :attrasgn, :safe_call, :safe_attrasgn
-      self.sexp_body(3).unshift :arglist
+      self[3..-1].unshift :arglist
     when :super, :zsuper
       if self[1]
-        self.sexp_body.unshift :arglist
+        self[1..-1].unshift :arglist
       else
         Sexp.new(:arglist)
       end
@@ -218,13 +218,13 @@ class Sexp
     case self.node_type
     when :call, :attrasgn, :safe_call, :safe_attrasgn
       if self[3]
-        self.sexp_body(3)
+        self[3..-1]
       else
         Sexp.new
       end
     when :super, :zsuper
       if self[1]
-        self.sexp_body
+        self[1..-1]
       else
         Sexp.new
       end
@@ -512,7 +512,7 @@ class Sexp
     self.slice!(index..-1) #Remove old body
 
     if exp.first == :rlist
-      exp = exp.sexp_body
+      exp = exp[1..-1]
     end
 
     #Insert new body
@@ -529,11 +529,11 @@ class Sexp
 
     case self.node_type
     when :defn, :class
-      self.sexp_body(3)
+      self[3..-1]
     when :defs
-      self.sexp_body(4)
+      self[4..-1]
     when :module
-      self.sexp_body(2)
+      self[2..-1]
     end
   end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 4.10.1
+  version: 5.0.0.pre1
 platform: ruby
 authors:
 - Justin Collins
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-12-25 00:00:00.000000000 Z
+date: 2020-11-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -212,20 +212,6 @@ dependencies:
     - - "<="
       - !ruby/object:Gem::Version
         version: '4.1'
-- !ruby/object:Gem::Dependency
-  name: rexml
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.0'
 description: Brakeman detects security vulnerabilities in Ruby on Rails applications
   via static analysis. This package declares gem dependencies instead of bundling
   them.
@@ -315,8 +301,10 @@ files:
 - lib/brakeman/checks/check_template_injection.rb
 - lib/brakeman/checks/check_translate_bug.rb
 - lib/brakeman/checks/check_unsafe_reflection.rb
+- lib/brakeman/checks/check_unsafe_reflection_methods.rb
 - lib/brakeman/checks/check_unscoped_find.rb
 - lib/brakeman/checks/check_validation_regex.rb
+- lib/brakeman/checks/check_verb_confusion.rb
 - lib/brakeman/checks/check_weak_hash.rb
 - lib/brakeman/checks/check_without_protection.rb
 - lib/brakeman/checks/check_xml_dos.rb
@@ -347,6 +335,7 @@ files:
 - lib/brakeman/processors/haml_template_processor.rb
 - lib/brakeman/processors/lib/basic_processor.rb
 - lib/brakeman/processors/lib/call_conversion_helper.rb
+- lib/brakeman/processors/lib/file_type_detector.rb
 - lib/brakeman/processors/lib/find_all_calls.rb
 - lib/brakeman/processors/lib/find_call.rb
 - lib/brakeman/processors/lib/find_return_value.rb
@@ -383,6 +372,7 @@ files:
 - lib/brakeman/report/report_junit.rb
 - lib/brakeman/report/report_markdown.rb
 - lib/brakeman/report/report_sarif.rb
+- lib/brakeman/report/report_sonar.rb
 - lib/brakeman/report/report_table.rb
 - lib/brakeman/report/report_tabs.rb
 - lib/brakeman/report/report_text.rb
@@ -432,14 +422,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.4.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
-rubygems_version: 3.2.2
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.