brakeman-lib 4.10.1 → 5.0.4

data/lib/brakeman/report/report_base.rb

@@ -11,8 +11,6 @@ class Brakeman::Report::Base
 
   attr_reader :tracker, :checks
 
-  TEXT_CONFIDENCE = Brakeman::Warning::TEXT_CONFIDENCE
-
   def initialize tracker
     @app_tree = tracker.app_tree
     @tracker = tracker

data/lib/brakeman/report/report_csv.rb

@@ -1,72 +1,49 @@
 require 'csv'
-require "brakeman/report/report_table"
 
-class Brakeman::Report::CSV < Brakeman::Report::Table
+class Brakeman::Report::CSV < Brakeman::Report::Base
   def generate_report
-    output = csv_header
-    output << "\nSUMMARY\n"
-
-    output << table_to_csv(generate_overview) << "\n"
-
-    output << table_to_csv(generate_warning_overview) << "\n"
-
-    #Return output early if only summarizing
-    if tracker.options[:summary_only]
-      return output
-    end
-
-    if tracker.options[:report_routes] or tracker.options[:debug]
-      output << "CONTROLLERS\n"
-      output << table_to_csv(generate_controllers) << "\n"
-    end
-
-    if tracker.options[:debug]
-      output << "TEMPLATES\n\n"
-      output << table_to_csv(generate_templates) << "\n"
+    headers = [
+      "Confidence",
+      "Warning Type",
+      "File",
+      "Line",
+      "Message",
+      "Code",
+      "User Input",
+      "Check Name",
+      "Warning Code",
+      "Fingerprint",
+      "Link"
+    ]
+
+    rows = tracker.filtered_warnings.sort_by do |w|
+      [w.confidence, w.warning_type, w.file, w.line, w.fingerprint]
+    end.map do |warning|
+      generate_row(headers, warning)
     end
 
-    res = generate_errors
-    output << "ERRORS\n" << table_to_csv(res) << "\n" if res
-
-    res = generate_warnings
-    output << "SECURITY WARNINGS\n" << table_to_csv(res) << "\n" if res
+    table = CSV::Table.new(rows)
 
-    output << "Controller Warnings\n"
-    res = generate_controller_warnings
-    output << table_to_csv(res) << "\n" if res
-
-    output << "Model Warnings\n"
-    res = generate_model_warnings
-    output << table_to_csv(res) << "\n" if res
-
-    res = generate_template_warnings
-    output << "Template Warnings\n"
-    output << table_to_csv(res) << "\n" if res
-
-    output
+    table.to_csv
   end
 
-  #Generate header for CSV output
-  def csv_header
-    header = CSV.generate_line(["Application Path", "Report Generation Time", "Checks Performed", "Rails Version"])
-    header << CSV.generate_line([File.expand_path(tracker.app_path), Time.now.to_s, checks.checks_run.sort.join(", "), rails_version])
-    "BRAKEMAN REPORT\n\n" + header
+  def generate_row headers, warning
+    CSV::Row.new headers, warning_row(warning)
   end
 
-  # rely on Terminal::Table to build the structure, extract the data out in CSV format
-  def table_to_csv table
-    return "" unless table
-
-    Brakeman.load_brakeman_dependency 'terminal-table'
-    headings = table.headings
-    if headings.is_a? Array
-      headings = headings.first
-    end
-
-    output = CSV.generate_line(headings.cells.map{|cell| cell.to_s.strip})
-    table.rows.each do |row|
-      output << CSV.generate_line(row.cells.map{|cell| cell.to_s.strip})
-    end
-    output
+  def warning_row warning
+    [
+      warning.confidence_name,
+      warning.warning_type,
+      warning_file(warning),
+      warning.line,
+      warning.message,
+      warning.code && warning.format_code(false),
+      warning.user_input && warning.format_user_input(false),
+      warning.check_name,
+      warning.warning_code,
+      warning.fingerprint,
+      warning.link,
+    ]
   end
 end

data/lib/brakeman/report/report_junit.rb

@@ -47,7 +47,7 @@ class Brakeman::Report::JUnit < Brakeman::Report::Base
       warning.add_attribute 'brakeman:file', warning_file(w)
       warning.add_attribute 'brakeman:line', w.line
       warning.add_attribute 'brakeman:fingerprint', w.fingerprint
-      warning.add_attribute 'brakeman:confidence', TEXT_CONFIDENCE[w.confidence]
+      warning.add_attribute 'brakeman:confidence', w.confidence_name 
       warning.add_attribute 'brakeman:code', w.format_code
       warning.add_text w.to_s
     }
@@ -88,7 +88,7 @@ class Brakeman::Report::JUnit < Brakeman::Report::Base
           failure.add_attribute 'brakeman:fingerprint', warning.fingerprint
           failure.add_attribute 'brakeman:file', warning_file(warning)
           failure.add_attribute 'brakeman:line', warning.line
-          failure.add_attribute 'brakeman:confidence', TEXT_CONFIDENCE[warning.confidence]
+          failure.add_attribute 'brakeman:confidence', warning.confidence_name 
           failure.add_attribute 'brakeman:code', warning.format_code
           failure.add_text warning.to_s
         }

data/lib/brakeman/report/report_sarif.rb

@@ -27,7 +27,7 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
   def rules
     @rules ||= unique_warnings_by_warning_code.map do |warning|
       rule_id = render_id warning
-      check_name = warning.check.gsub(/^Brakeman::Check/, '')
+      check_name = warning.check_name
       check_description = render_message check_descriptions[check_name]
       {
         :id => rule_id,

data/lib/brakeman/report/report_sonar.rb

@@ -0,0 +1,38 @@
+class Brakeman::Report::Sonar < Brakeman::Report::Base
+  def generate_report
+    report_object = {
+      issues: all_warnings.map { |warning| issue_json(warning) }
+    }
+    return JSON.pretty_generate report_object
+  end
+  
+  private
+  
+  def issue_json(warning)
+    {
+      engineId: "Brakeman",
+      ruleId: warning.warning_code,
+      type: "VULNERABILITY",
+      severity: severity_level_for(warning.confidence),
+      primaryLocation: {
+        message: warning.message,
+        filePath: warning.file.relative,
+        textRange: {
+          "startLine": warning.line || 1,
+          "endLine": warning.line || 1,
+        }
+      },
+      effortMinutes: (4 - warning.confidence) * 15
+    }
+  end
+
+  def severity_level_for(confidence)
+    if confidence == 0
+      "CRITICAL"
+    elsif confidence == 1
+      "MAJOR"
+    else
+      "MINOR"
+    end
+  end
+end

data/lib/brakeman/report/report_tabs.rb

@@ -10,7 +10,7 @@ class Brakeman::Report::Tabs < Brakeman::Report::Table
       self.send(meth).map do |w|
         line = w.line || 0
         w.warning_type.gsub!(/[^\w\s]/, ' ')
-        "#{(w.file.absolute)}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{TEXT_CONFIDENCE[w.confidence]}"
+        "#{(w.file.absolute)}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{w.confidence_name}"
       end.join "\n"
 
     end.join "\n"

data/lib/brakeman/report/report_text.rb

@@ -160,7 +160,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
     when :category
       label('Category', w.warning_type.to_s)
     when :check
-      label('Check', w.check.gsub(/^Brakeman::Check/, ''))
+      label('Check', w.check_name)
     when :message
       label('Message', w.message)
     when :code

data/lib/brakeman/rescanner.rb

@@ -132,10 +132,11 @@ class Brakeman::Rescanner < Brakeman::Scanner
     template_name = template_path_to_name(path)
 
     tracker.reset_template template_name
-    fp = Brakeman::FileParser.new(tracker)
+    fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
     template_parser = Brakeman::TemplateParser.new(tracker, fp)
     template_parser.parse_template path, path.read
-    process_template fp.file_list[:templates].first
+    tracker.add_errors(fp.errors)
+    process_template fp.file_list.first
 
     @processor.process_template_alias tracker.templates[template_name]
 
@@ -390,9 +391,10 @@ class Brakeman::Rescanner < Brakeman::Scanner
 
   def parse_ruby_files list
     paths = list.select(&:exists?)
-    file_parser = Brakeman::FileParser.new(tracker)
-    file_parser.parse_files paths, :rescan
-    file_parser.file_list[:rescan]
+    file_parser = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
+    file_parser.parse_files paths
+    tracker.add_errors(file_parser.errors)
+    file_parser.file_list
   end
 end
 

data/lib/brakeman/scanner.rb

@@ -7,6 +7,7 @@ begin
   require 'brakeman/app_tree'
   require 'brakeman/file_parser'
   require 'brakeman/parsers/template_parser'
+  require 'brakeman/processors/lib/file_type_detector'
 rescue LoadError => e
   $stderr.puts e.message
   $stderr.puts "Please install the appropriate dependency."
@@ -23,7 +24,10 @@ class Brakeman::Scanner
     @app_tree = Brakeman::AppTree.from_options(options)
 
     if (!@app_tree.root || !@app_tree.exists?("app")) && !options[:force_scan]
-      raise Brakeman::NoApplication, "Please supply the path to a Rails application (looking in #{@app_tree.root})."
+      message = "Please supply the path to a Rails application (looking in #{@app_tree.root}).\n" <<
+                "  Use `--force` to run a scan anyway."
+
+      raise Brakeman::NoApplication, message
     end
 
     @processor = processor || Brakeman::Processor.new(@app_tree, options)
@@ -43,6 +47,8 @@ class Brakeman::Scanner
     process_config
     Brakeman.notify "Parsing files..."
     parse_files
+    Brakeman.notify "Detecting file types..."
+    detect_file_types
     Brakeman.notify "Processing initializers..."
     process_initializers
     Brakeman.notify "Processing libs..."
@@ -65,29 +71,47 @@ class Brakeman::Scanner
   end
 
   def parse_files
-    fp = Brakeman::FileParser.new tracker
-
-    files = {
-      :initializers => @app_tree.initializer_paths,
-      :controllers => @app_tree.controller_paths,
-      :models => @app_tree.model_paths
-    }
-
-    unless options[:skip_libs]
-      files[:libs] = @app_tree.lib_paths
-    end
+    fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
 
-    files.each do |name, paths|
-      fp.parse_files paths, name
-    end
+    fp.parse_files tracker.app_tree.ruby_file_paths
 
     template_parser = Brakeman::TemplateParser.new(tracker, fp)
 
-    fp.read_files(@app_tree.template_paths, :templates) do |path, contents|
+    fp.read_files(@app_tree.template_paths) do |path, contents|
       template_parser.parse_template path, contents
     end
 
-    @file_list = fp.file_list
+    # Collect errors raised during parsing
+    tracker.add_errors(fp.errors)
+
+    @parsed_files = fp.file_list
+  end
+
+  def detect_file_types
+    @file_list = {
+      controllers: [],
+      initializers: [],
+      libs: [],
+      models: [],
+      templates: [],
+    }
+
+    detector = Brakeman::FileTypeDetector.new
+
+    @parsed_files.each do |file|
+      if file.is_a? Brakeman::TemplateParser::TemplateFile
+        @file_list[:templates] << file
+      else
+        type = detector.detect_type(file)
+        unless type == :skip
+          if @file_list[type].nil?
+            raise type.to_s
+          else
+            @file_list[type] << file
+          end
+        end
+      end
+    end
   end
 
   #Process config/environment.rb and config/gems.rb
@@ -115,6 +139,8 @@ class Brakeman::Scanner
     if @app_tree.exists? ".ruby-version"
       tracker.config.set_ruby_version @app_tree.file_path(".ruby-version").read
     end
+
+    tracker.config.load_rails_defaults
   end
 
   def process_config_file file
@@ -325,7 +351,7 @@ class Brakeman::Scanner
   end
 
   def parse_ruby_file file
-    fp = Brakeman::FileParser.new(self.tracker)
+    fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
     fp.parse_ruby(file.read, file)
   end
 end

data/lib/brakeman/tracker.rb

@@ -68,6 +68,12 @@ class Brakeman::Tracker
     }
   end
 
+  def add_errors exceptions
+    exceptions.each do |e|
+      error(e)
+    end
+  end
+
   #Run a set of checks on the current information. Results will be stored
   #in Tracker#checks.
   def run_checks

data/lib/brakeman/tracker/config.rb

@@ -149,5 +149,78 @@ module Brakeman
     def session_settings
       @rails.dig(:action_controller, :session)
     end
+
+
+    # Set Rails config option value
+    # where path is an array of attributes, e.g.
+    #
+    #   :action_controller, :perform_caching
+    #
+    # then this will set
+    #
+    #   rails[:action_controller][:perform_caching] = value
+    def set_rails_config value, *path
+      config = self.rails
+
+      path[0..-2].each do |o|
+        config[o] ||= {}
+
+        option = config[o]
+
+        if not option.is_a? Hash
+          Brakeman.debug "[Notice] Skipping config setting: #{path.map(&:to_s).join(".")}"
+          return
+        end
+
+        config = option
+      end
+
+      config[path.last] = value
+    end
+
+    # Load defaults based on config.load_defaults value
+    # as documented here: https://guides.rubyonrails.org/configuring.html#results-of-config-load-defaults
+    def load_rails_defaults
+      return unless number? tracker.config.rails[:load_defaults]
+
+      version = tracker.config.rails[:load_defaults].value
+      true_value = Sexp.new(:true)
+      false_value = Sexp.new(:false)
+
+      if version >= 5.0
+        set_rails_config(true_value, :action_controller, :per_form_csrf_tokens)
+        set_rails_config(true_value, :action_controller, :forgery_protection_origin_check)
+        set_rails_config(true_value, :active_record, :belongs_to_required_by_default)
+        # Note: this may need to be changed, because ssl_options is a Hash
+        set_rails_config(true_value, :ssl_options, :hsts, :subdomains)
+      end
+
+      if version >= 5.1
+        set_rails_config(false_value, :assets, :unknown_asset_fallback)
+        set_rails_config(true_value, :action_view, :form_with_generates_remote_forms)
+      end
+
+      if version >= 5.2
+        set_rails_config(true_value, :active_record, :cache_versioning)
+        set_rails_config(true_value, :action_dispatch, :use_authenticated_cookie_encryption)
+        set_rails_config(true_value, :active_support, :use_authenticated_message_encryption)
+        set_rails_config(true_value, :active_support, :use_sha1_digests)
+        set_rails_config(true_value, :action_controller, :default_protect_from_forgery)
+        set_rails_config(true_value, :action_view, :form_with_generates_ids)
+      end
+
+      if version >= 6.0
+        set_rails_config(Sexp.new(:lit, :zeitwerk), :autoloader)
+        set_rails_config(false_value, :action_view, :default_enforce_utf8)
+        set_rails_config(true_value, :action_dispatch, :use_cookies_with_metadata)
+        set_rails_config(false_value, :action_dispatch, :return_only_media_type_on_content_type)
+        set_rails_config(Sexp.new(:str, 'ActionMailer::MailDeliveryJob'), :action_mailer, :delivery_job)
+        set_rails_config(true_value, :active_job, :return_false_on_aborted_enqueue)
+        set_rails_config(Sexp.new(:lit, :active_storage_analysis), :active_storage, :queues, :analysis)
+        set_rails_config(Sexp.new(:lit, :active_storage_purge), :active_storage, :queues, :purge)
+        set_rails_config(true_value, :active_storage, :replace_on_assign_to_many)
+        set_rails_config(true_value, :active_record, :collection_cache_versioning)
+      end
+    end
   end
 end

data/lib/brakeman/util.rb

@@ -368,8 +368,13 @@ module Brakeman::Util
   #
   # views/test/something.html.erb -> test/something
   def template_path_to_name path
-    names = path.relative.split("/")
+    names = path.relative.split('/')
     names.last.gsub!(/(\.(html|js)\..*|\.(rhtml|haml|erb|slim))$/, '')
-    names[(names.index("views") + 1)..-1].join("/").to_sym
+
+    if names.include? 'views'
+      names[(names.index('views') + 1)..-1]
+    else
+      names
+    end.join('/').to_sym
   end
 end