brakeman-lib 4.2.1 → 4.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7070db1a411e9196bbb90fe7a34209ecd8cf15210e5fa21be1442c668e8f00d0
-  data.tar.gz: 940132f27d3803e1fa445d51c869cf426a712d065892f49b6e138222dc66ba71
+  metadata.gz: b66e4adfac1e60bdf4c0f7ba2962202120f879e0b15a456e8c6672ecd1320ad4
+  data.tar.gz: 9517cdd9c93e736e9fb8d4cf29c4aab8c9c232fc4166f52111b653982213e2e2
 SHA512:
-  metadata.gz: dfbb4f4f11b1e8b00a206a6185e3e58862061f954a43cdf611fb38d6bd97b0e04ef6439adcc68b6ea6dc1675b5853f8a9af03c378be3d7cc6d9f4f49a61f5d5d
-  data.tar.gz: 77cb923ae34ee9a094200e1dc08a120ca001b4f646907fcb896bc147694041c989bfea7dc3023d876c0ee1461bedd5dc35cae53b94ef36ee6971baff980ceaae
+  metadata.gz: 6cb3584795f515314616a5f2e1116feba305333672e599b1b4f9d492fe40895f3d6067e13ad6431f5fc5fd3dfce636fbe39644e2f366b61a9ab12b4030ec4592
+  data.tar.gz: 455f61c1c33200355090cf541e57109416199b6bfe898c69cb972b537374cf315d485422b2065464a4a7519c5bb0e7f446d0f10356a959e9e0c8d776fcc5fb13

data/CHANGES.md

@@ -1,3 +1,32 @@
+# 4.3.1
+
+* Ignore `Object#freeze`, use the target instead
+* Ignore `foreign_key` calls in SQL
+* Handle `included` calls outside of classes/modules
+* Add `:BRAKEMAN_SAFE_LITERAL` to represent known-safe literals
+* Handle `Array#map` and `Array#each` over literal arrays
+* Use safe literal when accessing literal hash with unknown key
+* Avoid deprecated use of ERB in Ruby 2.6 (Koichi ITO)
+* Allow `symbolize_keys` to be called on `params` in SQL (Jacob Evelyn)
+* Improve handling of conditionals in shell commands (Jacob Evenlyn)
+* Fix error when setting line number in implicit renders
+
+# 4.3.0
+
+* Check exec-type calls even if they are targets
+* Convert `Array#join` to string interpolation
+* `BaseCheck#include_interp?` should return first string interpolation
+* Add `--parser-timeout` option
+* Track parent calls in CallIndex
+* Warn about dangerous `link_to` href with `sanitize()`
+* Ignore `params#to_h` and `params#to_hash` in SQL checks
+* Change "".freeze to just ""
+* Ignore `Process.pid` in system calls
+* Index Kernel#\` calls even if they are targets
+* Code Climate: omit leading dot from `only_files` (Todd Mazierski)
+* `--color` can be used to force color output
+* Fix reported line numbers for CVE-2018-3741 and CVE-2018-8048
+
 # 4.2.1
 
 * Add warning for CVE-2018-3741

data/README.md

@@ -82,9 +82,9 @@ If Brakeman is running a bit slow, try
 
 This will disable some features, but will probably be much faster (currently it is the same as `--skip-libs --no-branching`). *WARNING*: This may cause Brakeman to miss some vulnerabilities.
 
-By default, Brakeman will return 0 as an exit code unless something went very wrong. To return an error code when warnings were found:
+By default, Brakeman will return a non-zero exit code if any security warnings are found or scanning errors are encountered. To disable this:
 
-    brakeman -z
+    brakeman --no-exit-on-warn --no-exit-on-error
 
 To skip certain files or directories that Brakeman may have trouble parsing, use:
 

data/lib/brakeman.rb

@@ -51,6 +51,7 @@ module Brakeman
   #  * :output_files - files for output
   #  * :output_formats - formats for output (:to_s, :to_tabs, :to_csv, :to_html)
   #  * :parallel_checks - run checks in parallel (default: true)
+  #  * :parser_timeout - set timeout for parsing an individual file (default: 10 seconds)
   #  * :print_report - if no output file specified, print to stdout (default: false)
   #  * :quiet - suppress most messages (default: true)
   #  * :rails3 - force Rails 3 mode (automatic)
@@ -174,6 +175,7 @@ module Brakeman
       :output_color => true,
       :pager => true,
       :parallel_checks => true,
+      :parser_timeout => 10,
       :relative_path => false,
       :report_progress => true,
       :safe_methods => Set.new,
@@ -376,7 +378,7 @@ module Brakeman
 
   def self.write_report_to_files tracker, output_files
     require 'fileutils'
-    tracker.options[:output_color] = false
+    tracker.options[:output_color] = false unless tracker.options[:output_color] == :force
 
     output_files.each_with_index do |output_file, idx|
       dir = File.dirname(output_file)
@@ -393,7 +395,7 @@ module Brakeman
   private_class_method :write_report_to_files
 
   def self.write_report_to_formats tracker, output_formats
-    unless $stdout.tty?
+    unless $stdout.tty? or tracker.options[:output_color] == :force
       tracker.options[:output_color] = false
     end
 

data/lib/brakeman/checks/base_check.rb

@@ -119,7 +119,10 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
 
   #Does not actually process string interpolation, but notes that it occurred.
   def process_dstr exp
-    @string_interp = Match.new(:interp, exp)
+    unless @string_interp # don't overwrite existing value
+      @string_interp = Match.new(:interp, exp)
+    end
+
     process_default exp
   end
 

data/lib/brakeman/checks/check_execute.rb

@@ -15,7 +15,8 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
 
   SAFE_VALUES = [s(:const, :RAILS_ROOT),
                   s(:call, s(:const, :Rails), :root),
-                  s(:call, s(:const, :Rails), :env)]
+                  s(:call, s(:const, :Rails), :env),
+                  s(:call, s(:const, :Process), :pid)]
 
   SHELL_ESCAPES = [:escape, :shellescape, :join]
 
@@ -32,7 +33,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
     calls = tracker.find_call :targets => [:IO, :Open3, :Kernel, :'POSIX::Spawn', :Process, nil],
       :methods => [:capture2, :capture2e, :capture3, :exec, :pipeline, :pipeline_r,
         :pipeline_rw, :pipeline_start, :pipeline_w, :popen, :popen2, :popen2e,
-        :popen3, :spawn, :syscall, :system]
+        :popen3, :spawn, :syscall, :system], :nested => true
 
     Brakeman.debug "Processing system calls"
     calls.each do |result|
@@ -142,7 +143,13 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
       next if SAFE_VALUES.include? e
       next if shell_escape? e
 
-      if node_type? e, :or, :evstr, :dstr
+      if node_type? e, :if
+        # If we're in a conditional, evaluate the `then` and `else` clauses to
+        # see if they're dangerous.
+        if res = dangerous?(e.values[1..-1])
+          return res
+        end
+      elsif node_type? e, :or, :evstr, :dstr
         if res = dangerous?(e)
           return res
         end

data/lib/brakeman/checks/check_link_to_href.rb

@@ -71,14 +71,15 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
     end
   end
 
+  CHECK_INSIDE_METHODS = [:url_for, :h, :sanitize]
+
   def check_argument? url_arg
     return unless call? url_arg
 
     target = url_arg.target
     method = url_arg.method
 
-    method == :url_for or
-      method == :h or
+    CHECK_INSIDE_METHODS.include? method or
       cgi_escaped? target, method
   end
 

data/lib/brakeman/checks/check_sanitize_methods.rb

@@ -46,12 +46,6 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
 
       message = "Rails #{rails_version} has a vulnerability in #{method}: upgrade to #{@fix_version} or patch"
 
-      if include_user_input? result[:call]
-        confidence = :high
-      else
-        confidence = :medium
-      end
-
       warn :result => result,
         :warning_type => "Cross-Site Scripting",
         :warning_code => code,
@@ -87,7 +81,7 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
       warn :warning_type => "Cross-Site Scripting",
         :warning_code => :CVE_2018_8048,
         :message => message,
-        :gem_info => gemfile_or_environment,
+        :gem_info => gemfile_or_environment(:loofah),
         :confidence => confidence,
         :link_path => "https://github.com/flavorjones/loofah/issues/144"
     end
@@ -111,7 +105,7 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
     warn :warning_type => "Cross-Site Scripting",
       :warning_code => cve.tr('-', '_').to_sym,
       :message => message,
-      :gem_info => gemfile_or_environment,
+      :gem_info => gemfile_or_environment(:'rails-html-sanitizer'),
       :confidence => confidence,
       :link_path => link
   end

data/lib/brakeman/checks/check_sql.rb

@@ -290,7 +290,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     end
 
     if request_value? arg
-      unless call? arg and params? arg.target and [:permit, :slice].include? arg.method
+      unless call? arg and params? arg.target and [:permit, :slice, :to_h, :to_hash, :symbolize_keys].include? arg.method
         # Model.where(params[:where])
         arg
       end
@@ -404,6 +404,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       nil
     elsif call? value and value.method == :to_s
       unsafe_string_interp? value.target
+    elsif call? value and safe_literal_target? value
+      nil
     else
       case value.node_type
       when :or
@@ -576,7 +578,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     :sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,
     :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
     :to_sql, :sanitize, :primary_key, :table_name_prefix, :table_name_suffix,
-    :where_values_hash
+    :where_values_hash, :foreign_key
   ]
 
   def safe_value? exp

data/lib/brakeman/codeclimate/engine_configuration.rb

@@ -87,9 +87,9 @@ module Brakeman
 
       def stripped_include_path(prefix, subprefixes, path)
         if path.start_with?(prefix)
-          path.sub(%r{^#{prefix}/?}, "./")
+          path.sub(%r{^#{prefix}/?}, "/")
         elsif subprefixes.any? { |subprefix| path =~ %r{^#{subprefix}/?$} }
-          "./"
+          "/"
         end
       end
     end

data/lib/brakeman/file_parser.rb

@@ -7,6 +7,7 @@ module Brakeman
 
     def initialize tracker, app_tree
       @tracker = tracker
+      @timeout = @tracker.options[:parser_timeout]
       @app_tree = app_tree
       @file_list = {}
     end
@@ -33,10 +34,13 @@ module Brakeman
     def parse_ruby input, path
       begin
         Brakeman.debug "Parsing #{path}"
-        RubyParser.new.parse input, path
+        RubyParser.new.parse input, path, @timeout
       rescue Racc::ParseError => e
         @tracker.error e, "Could not parse #{path}"
         nil
+      rescue Timeout::Error => e
+        @tracker.error Exception.new("Parsing #{path} took too long (> #{@timeout} seconds). Try increasing the limit with --parser-timeout"), caller
+        nil
       rescue => e
         @tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
         nil

data/lib/brakeman/options.rb

@@ -127,6 +127,10 @@ module Brakeman::Options
           options[:branch_limit] = limit
         end
 
+        opts.on "--parser-timeout SECONDS", Integer, "Set parse timeout (Default: 10)" do |timeout|
+          options[:parser_timeout] = timeout
+        end
+
         opts.on "-r", "--report-direct", "Only report direct use of untrusted data" do |option|
           options[:check_arguments] = !option
         end
@@ -229,7 +233,11 @@ module Brakeman::Options
         end
 
         opts.on "--[no-]color", "Use ANSI colors in report (Default)" do |color|
-          options[:output_color] = color
+          if color
+            options[:output_color] = :force
+          else
+            options[:output_color] = color
+          end
         end
 
         opts.on "-m", "--routes", "Report controller information" do

data/lib/brakeman/parsers/template_parser.rb

@@ -58,7 +58,11 @@ module Brakeman
         Brakeman::ScannerErubis.new(text, :filename => path).src
       else
         require 'erb'
-        src = ERB.new(text, nil, path).src
+        src = if ERB.instance_method(:initialize).parameters.assoc(:key) # Ruby 2.6+
+          ERB.new(text, trim_mode: path).src
+        else
+          ERB.new(text, nil, path).src
+        end
         src.sub!(/^#.*\n/, '') if Brakeman::Scanner::RUBY_1_9
         src
       end
@@ -93,7 +97,7 @@ module Brakeman
     end
 
     def self.parse_inline_erb tracker, text
-      fp = Brakeman::FileParser.new(nil, nil)
+      fp = Brakeman::FileParser.new(tracker, nil)
       tp = self.new(tracker, fp)
       src = tp.parse_erb '_inline_', text
       type = tp.erubis? ? :erubis : :erb

data/lib/brakeman/processors/alias_processor.rb

@@ -2,6 +2,7 @@ require 'brakeman/util'
 require 'ruby_parser/bm_sexp_processor'
 require 'brakeman/processors/lib/processor_helper'
 require 'brakeman/processors/lib/safe_call_helper'
+require 'brakeman/processors/lib/call_conversion_helper'
 
 #Returns an s-expression with aliases replaced with their value.
 #This does not preserve semantics (due to side effects, etc.), but it makes
@@ -10,6 +11,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   include Brakeman::ProcessorHelper
   include Brakeman::SafeCallHelper
   include Brakeman::Util
+  include Brakeman::CallConversionHelper
 
   attr_reader :result, :tracker
 
@@ -122,7 +124,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     end
 
     if hash? t
-      if v = hash_access(t, exp.first_arg)
+      if v = process_hash_access(t, exp.first_arg)
         v.deep_clone(exp.line)
       else
         case t.node_type
@@ -197,55 +199,24 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       return Sexp.new(:false)
     end
 
-
     #See if it is possible to simplify some basic cases
     #of addition/concatenation.
     case method
     when :+
       if array? target and array? first_arg
-        joined = join_arrays target, first_arg
-        joined.line(exp.line)
-        exp = joined
+        exp = join_arrays(target, first_arg, exp)
       elsif string? first_arg
-        if string? target # "blah" + "blah"
-          joined = join_strings target, first_arg
-          joined.line(exp.line)
-          exp = joined
-        elsif call? target and target.method == :+ and string? target.first_arg
-          joined = join_strings target.first_arg, first_arg
-          joined.line(exp.line)
-          target.first_arg = joined
-          exp = target
-        end
+        exp = join_strings(target, first_arg, exp)
       elsif number? first_arg
-        if number? target
-          exp = Sexp.new(:lit, target.value + first_arg.value)
-        elsif call? target and target.method == :+ and number? target.first_arg
-          target.first_arg = Sexp.new(:lit, target.first_arg.value + first_arg.value)
-          exp = target
-        end
-      end
-    when :-
-      if number? target and number? first_arg
-        exp = Sexp.new(:lit, target.value - first_arg.value)
-      end
-    when :*
-      if number? target and number? first_arg
-        exp = Sexp.new(:lit, target.value * first_arg.value)
-      end
-    when :/
-      if number? target and number? first_arg
-        unless first_arg.value == 0 and not target.value.is_a? Float
-          exp = Sexp.new(:lit, target.value / first_arg.value)
-        end
+        exp = math_op(:+, target, first_arg, exp)
       end
+    when :-, :*, :/
+      exp = math_op(method, target, first_arg, exp)
     when :[]
       if array? target
-        temp_exp = process_array_access target, exp.args
-        exp = temp_exp if temp_exp
+        exp = process_array_access(target, exp.args, exp)
       elsif hash? target
-        temp_exp = process_hash_access target, first_arg
-        exp = temp_exp if temp_exp
+        exp = process_hash_access(target, first_arg, exp)
       end
     when :merge!, :update
       if hash? target and hash? first_arg
@@ -287,37 +258,115 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       if array? target and first_arg.nil? and sexp? target[1]
         exp = target[1]
       end
+    when :freeze
+      unless target.nil?
+        exp = target
+      end
+    when :join
+      if array? target and target.length > 2 and (string? first_arg or first_arg.nil?)
+        exp = process_array_join(target, first_arg)
+      end
     end
 
     exp
   end
 
+  # Painful conversion of Array#join into string interpolation
+  def process_array_join array, join_str
+    result = s()
+
+    join_value = if string? join_str
+                   join_str.value
+                 else
+                   nil
+                 end
+
+    array[1..-2].each do |e|
+      result << join_item(e, join_value)
+    end
+
+    result << join_item(array.last, nil)
+
+    # Combine the strings at the beginning because that's what RubyParser does
+    combined_first = ""
+    result.each do |e|
+      if string? e
+        combined_first << e.value
+      elsif e.is_a? String
+        combined_first << e
+      else
+        break
+      end
+    end
+
+    # Remove the strings at the beginning
+    result.reject! do |e|
+      if e.is_a? String or string? e
+        true
+      else
+        break
+      end
+    end
+
+    result.unshift combined_first
+
+    # Have to fix up strings that follow interpolation
+    result.reduce(s(:dstr)) do |memo, e|
+      if string? e and node_type? memo.last, :evstr
+        e.value = "#{join_value}#{e.value}"
+      elsif join_value and node_type? memo.last, :evstr and node_type? e, :evstr
+        memo << s(:str, join_value)
+      end
+
+      memo << e
+    end
+  end
+
+  def join_item item, join_value
+    if item.is_a? String
+      "#{item}#{join_value}"
+    elsif string? item or symbol? item or number? item
+      s(:str, "#{item.value}#{join_value}")
+    else
+      s(:evstr, item)
+    end
+  end
+
   def process_iter exp
     @exp_context.push exp
     exp[1] = process exp.block_call
     if array_detect_all_literals? exp[1]
-      return exp.block_call.target[1]
+      return safe_literal(exp.line)
     end
 
     @exp_context.pop
 
     env.scope do
-      exp.block_args.each do |e|
-        #Force block arg(s) to be local
-        if node_type? e, :lasgn
-          env.current[Sexp.new(:lvar, e.lhs)] = Sexp.new(:lvar, e.lhs)
-        elsif node_type? e, :kwarg
-          env.current[Sexp.new(:lvar, e[1])] = e[2]
-        elsif node_type? e, :masgn, :shadow
-          e[1..-1].each do |var|
-            local = Sexp.new(:lvar, var)
+      call = exp.block_call
+      block_args = exp.block_args
+
+      if call? call and [:each, :map].include? call.method and all_literals? call.target and block_args.length == 2 and block_args.last.is_a? Symbol
+        # Iterating over an array of all literal values
+        local = Sexp.new(:lvar, block_args.last)
+        env.current[local] = safe_literal(exp.line)
+      else
+        block_args.each do |e|
+          #Force block arg(s) to be local
+          if node_type? e, :lasgn
+            env.current[Sexp.new(:lvar, e.lhs)] = Sexp.new(:lvar, e.lhs)
+          elsif node_type? e, :kwarg
+            env.current[Sexp.new(:lvar, e[1])] = e[2]
+          elsif node_type? e, :masgn, :shadow
+            e[1..-1].each do |var|
+              local = Sexp.new(:lvar, var)
+              env.current[local] = local
+            end
+          elsif e.is_a? Symbol
+            local = Sexp.new(:lvar, e)
             env.current[local] = local
+          else
+            raise "Unexpected value in block args: #{e.inspect}"
           end
-        elsif e.is_a? Symbol
-          local = Sexp.new(:lvar, e)
-          env.current[local] = local
-        else
-          raise "Unexpected value in block args: #{e.inspect}"
         end
       end
 
@@ -647,18 +696,14 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   def array_include_all_literals? exp
     call? exp and
     exp.method == :include? and
-    node_type? exp.target, :array and
-    exp.target.length > 1 and
-    exp.target.all? { |e| e.is_a? Symbol or node_type? e, :lit, :str }
+    all_literals? exp.target
   end
 
   def array_detect_all_literals? exp
     call? exp and
     [:detect, :find].include? exp.method and
-    node_type? exp.target, :array and
-    exp.target.length > 1 and
     exp.first_arg.nil? and
-    exp.target.all? { |e| e.is_a? Symbol or node_type? e, :lit, :str }
+    all_literals? exp.target
   end
 
   #Sets @inside_if = true
@@ -699,12 +744,12 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
             # set x to "a" inside the true branch
             var = condition.first_arg
             previous_value = env.current[var]
-            env.current[var] = condition.target[1]
+            env.current[var] = safe_literal(var.line)
             exp[branch_index] = process_if_branch branch
             env.current[var] = previous_value
           elsif i == 1 and array_include_all_literals? condition and early_return? branch
             var = condition.first_arg
-            env.current[var] = condition.target[1]
+            env.current[var] = safe_literal(var.line)
             exp[branch_index] = process_if_branch branch
           else
             exp[branch_index] = process_if_branch branch
@@ -843,45 +888,6 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     exp.or_depth >= @or_depth_limit
   end
 
-  #Process single integer access to an array.
-  #
-  #Returns the value inside the array, if possible.
-  def process_array_access target, args
-    if args.length == 1 and integer? args.first
-      index = args.first.value
-
-      #Have to do this because first element is :array and we have to skip it
-      target[1..-1][index]
-    else
-      nil
-    end
-  end
-
-  #Process hash access by returning the value associated
-  #with the given argument.
-  def process_hash_access target, index
-    hash_access(target, index)
-  end
-
-  #Join two array literals into one.
-  def join_arrays array1, array2
-    result = Sexp.new(:array)
-    result.concat array1[1..-1]
-    result.concat array2[1..-1]
-  end
-
-  #Join two string literals into one.
-  def join_strings string1, string2
-    result = Sexp.new(:str)
-    result.value = string1.value + string2.value
-
-    if result.value.length > 50
-      string1
-    else
-      result
-    end
-  end
-
   # Change x.send(:y, 1) to x.y(1)
   def collapse_send_call exp, first_arg
     # Handle try(&:id)

data/lib/brakeman/processors/controller_alias_processor.rb

@@ -179,8 +179,11 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
     # method as the line number
     if line.nil? and controller = @tracker.controllers[@current_class]
       if meth = controller.get_method(@current_method)
-        line = meth[:src] && meth[:src].last && meth[:src].last.line
-        line += 1
+        if line = meth[:src] && meth[:src].last && meth[:src].last.line
+          line += 1
+        else
+          line = 1
+        end
       end
     end
 

data/lib/brakeman/processors/lib/call_conversion_helper.rb

@@ -0,0 +1,90 @@
+module Brakeman
+  module CallConversionHelper
+    def all_literals? exp, expected_type = :array
+      node_type? exp, expected_type and
+        exp.length > 1 and
+        exp.all? { |e| e.is_a? Symbol or node_type? e, :lit, :str }
+    end
+
+    # Join two array literals into one.
+    def join_arrays lhs, rhs, original_exp = nil
+      if array? lhs and array? rhs
+        result = Sexp.new(:array).line(lhs.line)
+        result.concat lhs[1..-1]
+        result.concat rhs[1..-1]
+        result
+      else
+        original_exp
+      end
+    end
+
+    # Join two string literals into one.
+    def join_strings lhs, rhs, original_exp = nil
+      if string? lhs and string? rhs
+        result = Sexp.new(:str).line(lhs.line)
+        result.value = lhs.value + rhs.value
+
+        if result.value.length > 50
+          # Avoid gigantic strings
+          lhs
+        else
+          result
+        end
+      elsif call? lhs and lhs.method == :+ and string? lhs.first_arg and string? rhs
+        joined = join_strings lhs.first_arg, rhs
+        lhs.first_arg = joined
+        lhs
+      elsif safe_literal? lhs or safe_literal? rhs
+        safe_literal(lhs.line)
+      else
+        original_exp
+      end
+    end
+
+    def math_op op, lhs, rhs, original_exp = nil
+      if number? lhs and number? rhs
+        if op == :/ and rhs.value == 0 and not lhs.value.is_a? Float
+          # Avoid division by zero
+          return original_exp
+        else
+          value = lhs.value.send(op, rhs.value)
+          Sexp.new(:lit, value).line(lhs.line)
+        end
+      elsif call? lhs and lhs.method == :+ and number? lhs.first_arg and number? rhs
+        # (x + 1) + 2 -> (x + 3)
+        lhs.first_arg = Sexp.new(:lit, lhs.first_arg.value + rhs.value).line(lhs.first_arg.line)
+        lhs
+      elsif safe_literal? lhs or safe_literal? rhs
+        safe_literal(lhs.line)
+      else
+        original_exp
+      end
+    end
+
+    # Process single integer access to an array.
+    #
+    # Returns the value inside the array, if possible.
+    def process_array_access array, args, original_exp = nil
+      if args.length == 1 and integer? args.first
+        index = args.first.value
+
+        #Have to do this because first element is :array and we have to skip it
+        array[1..-1][index] or original_exp
+      else
+        original_exp
+      end
+    end
+
+    # Process hash access by returning the value associated
+    # with the given argument.
+    def process_hash_access hash, index, original_exp = nil
+      if value = hash_access(hash, index)
+        value # deep_clone?
+      elsif all_literals? hash, :hash
+        safe_literal(hash.line)
+      else
+        original_exp
+      end
+    end
+  end
+end

data/lib/brakeman/processors/lib/find_all_calls.rb

@@ -19,6 +19,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
     @current_method = opts[:method]
     @current_template = opts[:template]
     @current_file = opts[:file]
+    @current_call = nil
     process exp
   end
 
@@ -111,7 +112,8 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
                 :method => method_name,
                 :call => exp,
                 :nested => false,
-                :location => make_location }
+                :location => make_location,
+                :parent => @current_call }
   end
 
   #Gets the target of a call as a Symbol
@@ -189,7 +191,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
   def create_call_hash exp
     target = get_target exp.target
 
-    if call? target
+    if call? target or node_type? target, :dxstr # need to index `` even if target of a call
       already_in_target = @in_target
       @in_target = true
       process target
@@ -199,13 +201,24 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
     end
 
     method = exp.method
-    process_call_args exp
 
-    { :target => target,
+    call_hash = {
+      :target => target,
       :method => method,
       :call => exp,
       :nested => @in_target,
       :chain => get_chain(exp),
-      :location => make_location }
+      :location => make_location,
+      :parent => @current_call
+    }
+
+    old_parent = @current_call
+    @current_call = call_hash
+
+    process_call_args exp
+
+    @current_call = old_parent
+
+    call_hash
   end
 end

data/lib/brakeman/processors/library_processor.rb

@@ -64,7 +64,7 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
     res = process_default exp
 
     if node_type? res, :iter and call? exp.block_call # sometimes this changes after processing
-      if exp.block_call.method == :included
+      if exp.block_call.method == :included and (@current_module or @current_class)
         (@current_module || @current_class).options[:included] = res.block
       end
     end

data/lib/brakeman/report/pager.rb

@@ -102,7 +102,9 @@ module Brakeman
     end
 
     def set_color
-      unless @tracker and less_options.include? "-R "
+      return unless @tracker
+
+      unless less_options.include? "-R " or @tracker.options[:output_color] == :force
         @tracker.options[:output_color] = false
       end
     end

data/lib/brakeman/util.rb

@@ -26,6 +26,8 @@ module Brakeman::Util
 
   ALL_COOKIES = Set[COOKIES, REQUEST_COOKIES]
 
+  SAFE_LITERAL = s(:lit, :BRAKEMAN_SAFE_LITERAL)
+
   #Convert a string from "something_like_this" to "SomethingLikeThis"
   #
   #Taken from ActiveSupport.
@@ -307,6 +309,22 @@ module Brakeman::Util
     call
   end
 
+  def safe_literal line = nil
+    s(:lit, :BRAKEMAN_SAFE_LITERAL).line(line || 0)
+  end
+
+  def safe_literal? exp
+    exp == SAFE_LITERAL
+  end
+
+  def safe_literal_target? exp
+    if call? exp
+      safe_literal_target? exp.target
+    else
+      safe_literal? exp
+    end
+  end
+
   def rails_version
     @tracker.config.rails_version
   end

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "4.2.1"
+  Version = "4.3.1"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 4.2.1
+  version: 4.3.1
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2018-03-24 00:00:00.000000000 Z
+date: 2018-06-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -297,6 +297,7 @@ files:
 - lib/brakeman/processors/gem_processor.rb
 - lib/brakeman/processors/haml_template_processor.rb
 - lib/brakeman/processors/lib/basic_processor.rb
+- lib/brakeman/processors/lib/call_conversion_helper.rb
 - lib/brakeman/processors/lib/find_all_calls.rb
 - lib/brakeman/processors/lib/find_call.rb
 - lib/brakeman/processors/lib/find_return_value.rb
@@ -380,7 +381,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.3
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.