RubyGems - brakeman-lib - Versions diffs - 4.3.1 → 4.4.0 - Mend

brakeman-lib 4.3.1 → 4.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (95) hide show

checksums.yaml +4 -4
data/CHANGES.md +24 -1
data/README.md +35 -6
data/bin/brakeman +2 -0
data/lib/brakeman.rb +5 -3
data/lib/brakeman/app_tree.rb +15 -1
data/lib/brakeman/call_index.rb +7 -4
data/lib/brakeman/checks.rb +16 -8
data/lib/brakeman/checks/base_check.rb +2 -19
data/lib/brakeman/checks/check_basic_auth_timing_attack.rb +1 -1
data/lib/brakeman/checks/check_content_tag.rb +4 -4
data/lib/brakeman/checks/check_create_with.rb +1 -1
data/lib/brakeman/checks/check_cross_site_scripting.rb +3 -3
data/lib/brakeman/checks/check_default_routes.rb +3 -3
data/lib/brakeman/checks/check_deserialize.rb +1 -1
data/lib/brakeman/checks/check_detailed_exceptions.rb +1 -1
data/lib/brakeman/checks/check_digest_dos.rb +4 -4
data/lib/brakeman/checks/check_escape_function.rb +1 -1
data/lib/brakeman/checks/check_execute.rb +5 -4
data/lib/brakeman/checks/check_file_access.rb +13 -3
data/lib/brakeman/checks/check_file_disclosure.rb +1 -1
data/lib/brakeman/checks/check_filter_skipping.rb +1 -1
data/lib/brakeman/checks/check_forgery_setting.rb +3 -3
data/lib/brakeman/checks/check_header_dos.rb +3 -3
data/lib/brakeman/checks/check_i18n_xss.rb +3 -3
data/lib/brakeman/checks/check_jruby_xml.rb +1 -1
data/lib/brakeman/checks/check_json_encoding.rb +3 -3
data/lib/brakeman/checks/check_json_parsing.rb +8 -11
data/lib/brakeman/checks/check_link_to.rb +3 -3
data/lib/brakeman/checks/check_link_to_href.rb +2 -2
data/lib/brakeman/checks/check_mail_to.rb +3 -3
data/lib/brakeman/checks/check_mime_type_dos.rb +1 -1
data/lib/brakeman/checks/check_model_attributes.rb +4 -4
data/lib/brakeman/checks/check_model_serialize.rb +1 -1
data/lib/brakeman/checks/check_nested_attributes.rb +3 -3
data/lib/brakeman/checks/check_nested_attributes_bypass.rb +1 -1
data/lib/brakeman/checks/check_number_to_currency.rb +4 -4
data/lib/brakeman/checks/check_quote_table_name.rb +2 -2
data/lib/brakeman/checks/check_regex_dos.rb +1 -1
data/lib/brakeman/checks/check_render.rb +2 -2
data/lib/brakeman/checks/check_render_dos.rb +1 -1
data/lib/brakeman/checks/check_render_inline.rb +1 -1
data/lib/brakeman/checks/check_response_splitting.rb +1 -1
data/lib/brakeman/checks/check_route_dos.rb +1 -1
data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +1 -1
data/lib/brakeman/checks/check_sanitize_methods.rb +3 -3
data/lib/brakeman/checks/check_secrets.rb +1 -1
data/lib/brakeman/checks/check_select_tag.rb +1 -1
data/lib/brakeman/checks/check_select_vulnerability.rb +1 -1
data/lib/brakeman/checks/check_session_manipulation.rb +1 -1
data/lib/brakeman/checks/check_session_settings.rb +1 -1
data/lib/brakeman/checks/check_simple_format.rb +2 -2
data/lib/brakeman/checks/check_single_quotes.rb +14 -10
data/lib/brakeman/checks/check_skip_before_filter.rb +2 -2
data/lib/brakeman/checks/check_sprockets_path_traversal.rb +39 -0
data/lib/brakeman/checks/check_sql.rb +1 -1
data/lib/brakeman/checks/check_sql_cves.rb +2 -2
data/lib/brakeman/checks/check_strip_tags.rb +10 -8
data/lib/brakeman/checks/check_symbol_dos.rb +1 -1
data/lib/brakeman/checks/check_symbol_dos_cve.rb +1 -1
data/lib/brakeman/checks/check_translate_bug.rb +7 -7
data/lib/brakeman/checks/check_unsafe_reflection.rb +1 -1
data/lib/brakeman/checks/check_unscoped_find.rb +1 -1
data/lib/brakeman/checks/check_validation_regex.rb +1 -1
data/lib/brakeman/checks/check_weak_hash.rb +18 -19
data/lib/brakeman/checks/check_xml_dos.rb +1 -1
data/lib/brakeman/checks/check_yaml_parsing.rb +1 -1
data/lib/brakeman/format/style.css +8 -0
data/lib/brakeman/messages.rb +220 -0
data/lib/brakeman/options.rb +13 -0
data/lib/brakeman/parsers/template_parser.rb +2 -2
data/lib/brakeman/processors/alias_processor.rb +7 -0
data/lib/brakeman/processors/config_processor.rb +4 -1
data/lib/brakeman/processors/gem_processor.rb +30 -2
data/lib/brakeman/processors/lib/call_conversion_helper.rb +2 -1
data/lib/brakeman/processors/lib/rails3_route_processor.rb +0 -2
data/lib/brakeman/processors/lib/rails4_config_processor.rb +18 -0
data/lib/brakeman/processors/lib/render_helper.rb +5 -0
data/lib/brakeman/processors/lib/render_path.rb +15 -0
data/lib/brakeman/processors/library_processor.rb +1 -1
data/lib/brakeman/report/report_base.rb +17 -161
data/lib/brakeman/report/report_csv.rb +17 -0
data/lib/brakeman/report/report_html.rb +34 -31
data/lib/brakeman/report/report_json.rb +21 -0
data/lib/brakeman/report/report_markdown.rb +13 -6
data/lib/brakeman/report/report_table.rb +157 -0
data/lib/brakeman/report/report_tabs.rb +3 -1
data/lib/brakeman/report/report_text.rb +16 -0
data/lib/brakeman/scanner.rb +5 -1
data/lib/brakeman/tracker/config.rb +1 -1
data/lib/brakeman/util.rb +0 -17
data/lib/brakeman/version.rb +1 -1
data/lib/brakeman/warning.rb +9 -4
data/lib/brakeman/warning_codes.rb +1 -0
metadata +13 -10

data/lib/brakeman/checks/check_xml_dos.rb CHANGED

@@ -23,7 +23,7 @@ class Brakeman::CheckXMLDoS < Brakeman::BaseCheck
     return if has_workaround?
-    message = "Rails #{version} is vulnerable to denial of service via XML parsing (CVE-2015-3227). Upgrade to Rails version #{fix_version}"
+    message = msg(msg_version(version), " is vulnerable to denial of service via XML parsing ", msg_cve("CVE-2015-3227"), ". Upgrade to ", msg_version(fix_version))
     warn :warning_type => "Denial of Service",
       :warning_code => :CVE_2015_3227,

data/lib/brakeman/checks/check_yaml_parsing.rb CHANGED

@@ -22,7 +22,7 @@ class Brakeman::CheckYAMLParsing < Brakeman::BaseCheck
                       "3.2.11"
                     end
-      message = "Rails #{rails_version} has a remote code execution vulnerability: upgrade to #{new_version} or disable XML parsing"
+      message = msg(msg_version(rails_version), " has a remote code execution vulnerability. Upgrade to ", msg_version(new_version), " or disable XML parsing")
       warn :warning_type => "Remote Code Execution",
         :warning_code => :CVE_2013_0156,

data/lib/brakeman/format/style.css CHANGED

@@ -131,3 +131,11 @@ p {
  div.template_name:hover {
    background-color: white;
  }
+ span.code {
+   font-family: monospace;
+ }
+ span.filename {
+   font-family: monospace;
+ }

data/lib/brakeman/messages.rb ADDED

@@ -0,0 +1,220 @@
+module Brakeman
+  module Messages
+    # Create a new message from a list of messages.
+    # Strings are converted to Brakeman::Messages::Plain objects.
+    def msg *args
+      parts = args.map do |a|
+        if a.is_a? String
+          Plain.new(a)
+        else
+          a
+        end
+      end
+      Message.new(*parts)
+    end
+    # Create a new code message fragment
+    def msg_code code
+      Code.new code
+    end
+    # Create a new message fragment with a CVE identifier
+    def msg_cve cve
+      CVE.new cve
+    end
+    # Create a new message fragment representing a file name
+    def msg_file str
+      Messages::FileName.new str
+    end
+    # Create a new message fragment from a user input type (e.g. `:params`).
+    # The input type will be converted to a friendly version (e.g. "parameter value").
+    def msg_input input
+      Input.new input
+    end
+    # Create a new message fragment which will not be modified during output
+    def msg_lit str
+      Literal.new str
+    end
+    # Create a new plain string message fragment
+    def msg_plain str
+      Plain.new str
+    end
+    # Create a message fragment representing the version of a library
+    def msg_version version, lib = "Rails"
+      Version.new version, lib
+    end
+  end
+end
+# Class to represent a list of message types
+class Brakeman::Messages::Message
+  def initialize *args
+    @parts = args.map do |a|
+      case a
+      when String, Symbol
+        Brakeman::Messages::Plain.new(a.to_s)
+      else
+        a
+      end
+    end
+  end
+  def << msg
+    if msg.is_a? String
+      @parts << Brakeman::Messages::Plain.new(msg)
+    else
+      @parts << msg
+    end
+  end
+  def to_s
+    output = @parts.map(&:to_s).join
+    case @parts.first
+    when Brakeman::Messages::Code, Brakeman::Messages::Literal, Brakeman::Messages::Version
+    else
+      output[0] = output[0].capitalize
+    end
+    output
+  end
+  def to_html
+    require 'cgi'
+    output = @parts.map(&:to_html).join
+    case @parts.first
+    when Brakeman::Messages::Code, Brakeman::Messages::Literal, Brakeman::Messages::Version
+    else
+      output[0] = output[0].capitalize
+    end
+    output
+  end
+end
+class Brakeman::Messages::Code
+  def initialize code
+    @code = code.to_s
+  end
+  def to_s
+    "`#{@code}`"
+  end
+  def to_html
+    "<span class=\"code\">#{CGI.escapeHTML(@code)}</span>"
+  end
+end
+class Brakeman::Messages::CVE
+  def initialize cve
+    @cve = cve
+  end
+  def to_s
+    "(#{@cve})"
+  end
+  def to_html
+    "(<a href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=#{@cve}\" target=\"_blank\" rel=\"noreferrer\">#{@cve}</a>)"
+  end
+end
+class Brakeman::Messages::FileName
+  def initialize file
+    @file = file
+  end
+  def to_s
+    "`#{@file}`"
+  end
+  def to_html
+    "<span class=\"filename\">#{CGI.escapeHTML(@file)}</span>"
+  end
+end
+class Brakeman::Messages::Input
+  def initialize input
+    @input = input
+    @value = friendly_type_of(@input)
+  end
+  def friendly_type_of input_type
+    if input_type.is_a? Brakeman::BaseCheck::Match
+      input_type = input_type.type
+    end
+    case input_type
+    when :params
+      "parameter value"
+    when :cookies
+      "cookie value"
+    when :request
+      "request value"
+    when :model
+      "model attribute"
+    else
+      "user input"
+    end
+  end
+  def to_s
+    @value
+  end
+  def to_html
+    self.to_s
+  end
+end
+class Brakeman::Messages::Literal
+  def initialize value
+    @value = value.to_s
+  end
+  def to_s
+    @value
+  end
+  def to_html
+    @value
+  end
+end
+class Brakeman::Messages::Plain
+  def initialize string
+    @value = string
+  end
+  def to_s
+    @value
+  end
+  def to_html
+    CGI.escapeHTML(@value)
+  end
+end
+class Brakeman::Messages::Version
+  def initialize version, lib
+    @version = version
+    @library = lib
+  end
+  def to_s
+    "#{@library} #{@version}"
+  end
+  def to_html
+    CGI.escapeHTML(self.to_s)
+  end
+end

data/lib/brakeman/options.rb CHANGED

@@ -169,6 +169,19 @@ module Brakeman::Options
           options[:engine_paths].merge paths
         end
+        opts.on "-E", "--enable Check1,Check2,etc", Array, "Enable the specified checks" do |checks|
+          checks.map! do |check|
+            if check.start_with? "Check"
+              check
+            else
+              "Check" << check
+            end
+          end
+          options[:enable_checks] ||= Set.new
+          options[:enable_checks].merge checks
+        end
         opts.on "-t", "--test Check1,Check2,etc", Array, "Only run the specified checks" do |checks|
           checks.each_with_index do |s, index|
             if s[0,5] != "Check"

data/lib/brakeman/parsers/template_parser.rb CHANGED

@@ -59,9 +59,9 @@ module Brakeman
       else
         require 'erb'
         src = if ERB.instance_method(:initialize).parameters.assoc(:key) # Ruby 2.6+
-          ERB.new(text, trim_mode: path).src
+          ERB.new(text, trim_mode: '-').src
         else
-          ERB.new(text, nil, path).src
+          ERB.new(text, nil, '-').src
         end
         src.sub!(/^#.*\n/, '') if Brakeman::Scanner::RUBY_1_9
         src

data/lib/brakeman/processors/alias_processor.rb CHANGED

@@ -731,6 +731,13 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         exp[2 + i] = process_if_branch branch
       end
     else
+      # Translate `if !...` into `unless ...`
+      # Technically they are different but that's only if someone overrides `!`
+      if call? condition and condition.method == :!
+        condition = condition.target
+        exps.reverse!
+      end
       was_inside = @inside_if
       @inside_if = true

data/lib/brakeman/processors/config_processor.rb CHANGED

@@ -1,11 +1,14 @@
 require 'brakeman/processors/base_processor'
 require 'brakeman/processors/alias_processor'
+require 'brakeman/processors/lib/rails4_config_processor.rb'
 require 'brakeman/processors/lib/rails3_config_processor.rb'
 require 'brakeman/processors/lib/rails2_config_processor.rb'
 class Brakeman::ConfigProcessor
   def self.new tracker
-    if tracker.options[:rails3]
+    if tracker.options[:rails4]
+      Brakeman::Rails4ConfigProcessor.new tracker
+    elsif tracker.options[:rails3]
       Brakeman::Rails3ConfigProcessor.new tracker
     else
       Brakeman::Rails2ConfigProcessor.new tracker

data/lib/brakeman/processors/gem_processor.rb CHANGED

@@ -10,8 +10,17 @@ class Brakeman::GemProcessor < Brakeman::BasicProcessor
   def process_gems gem_files
     @gem_files = gem_files
-    @gemfile = gem_files[:gemfile][:file]
-    process gem_files[:gemfile][:src]
+    @gemfile = gem_files[:gemfile] && gem_files[:gemfile][:file]
+    @gemspec = gem_files[:gemspec] && gem_files[:gemspec][:file]
+    if @gemspec
+      process gem_files[:gemspec][:src]
+    end
+    if @gemfile
+      process gem_files[:gemfile][:src]
+    end
     if gem_files[:gemlock]
       process_gem_lock
@@ -41,11 +50,30 @@ class Brakeman::GemProcessor < Brakeman::BasicProcessor
           @tracker.config.set_ruby_version version.value
         end
       end
+    elsif @inside_gemspec and exp.method == :add_dependency
+      if string? exp.first_arg and string? exp.last_arg
+        @tracker.config.add_gem exp.first_arg.value, exp.last_arg.value, @gemspec, exp.line
+      end
     end
     exp
   end
+  GEM_SPEC = s(:colon2, s(:const, :Gem), :Specification)
+  def process_iter exp
+    if exp.block_call.target == GEM_SPEC and exp.block_call.method == :new
+      @inside_gemspec = true
+      process exp.block if sexp? exp.block
+      exp
+    else
+      process_default exp
+    end
+  ensure
+    @inside_gemspec = false
+  end
   def process_gem_lock
     line_num = 1
     file = @gem_files[:gemlock][:file]

data/lib/brakeman/processors/lib/call_conversion_helper.rb CHANGED

@@ -9,7 +9,8 @@ module Brakeman
     # Join two array literals into one.
     def join_arrays lhs, rhs, original_exp = nil
       if array? lhs and array? rhs
-        result = Sexp.new(:array).line(lhs.line)
+        result = Sexp.new(:array)
+        result.line(lhs.line || rhs.line)
         result.concat lhs[1..-1]
         result.concat rhs[1..-1]
         result

data/lib/brakeman/processors/lib/rails3_route_processor.rb CHANGED

@@ -183,8 +183,6 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BasicProcessor
       else
         add_route route[1], route[0]
       end
-    elsif in_controller_block? and symbol? first_arg
-      add_route first_arg
     else hash? first_arg
       hash_iterate first_arg do |k, v|
         if string? k

data/lib/brakeman/processors/lib/rails4_config_processor.rb ADDED

@@ -0,0 +1,18 @@
+require 'brakeman/processors/lib/rails3_config_processor'
+class Brakeman::Rails4ConfigProcessor < Brakeman::Rails3ConfigProcessor
+  APPLICATION_CONFIG = s(:call, s(:call, s(:const, :Rails), :application), :configure)
+  # Look for Rails.application.configure do ... end
+  def process_iter exp
+    if exp.block_call == APPLICATION_CONFIG
+      @inside_config = true
+      process exp.block if sexp? exp.block
+      @inside_config = false
+    else
+      super
+    end
+    exp
+  end
+end

data/lib/brakeman/processors/lib/render_helper.rb CHANGED

@@ -65,6 +65,11 @@ module Brakeman::RenderHelper
       return
     end
+    if called_from
+      # Track actual template that was rendered
+      called_from.last_template = template
+    end
     template_env = only_ivars(:include_request_vars)
     #Hash the environment and the source of the template to avoid

data/lib/brakeman/processors/lib/render_path.rb CHANGED

@@ -29,6 +29,17 @@ module Brakeman
       self
     end
+    def last_template= template
+      if @path.last
+        @path.last[:rendered] = {
+          name: template.name,
+          file: template.file,
+        }
+      else
+        Brakeman.debug "[Notice] No render path to add template information"
+      end
+    end
     def include_template? name
       name = name.to_sym
@@ -71,6 +82,10 @@ module Brakeman
       @path.length
     end
+    def map &block
+      @path.map &block
+    end
     def to_a
       @path.map do |loc|
         case loc[:type]