RubyGems - brakeman-lib - Versions diffs - 4.3.1 → 4.4.0 - Mend

brakeman-lib 4.3.1 → 4.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (95) hide show

checksums.yaml +4 -4
data/CHANGES.md +24 -1
data/README.md +35 -6
data/bin/brakeman +2 -0
data/lib/brakeman.rb +5 -3
data/lib/brakeman/app_tree.rb +15 -1
data/lib/brakeman/call_index.rb +7 -4
data/lib/brakeman/checks.rb +16 -8
data/lib/brakeman/checks/base_check.rb +2 -19
data/lib/brakeman/checks/check_basic_auth_timing_attack.rb +1 -1
data/lib/brakeman/checks/check_content_tag.rb +4 -4
data/lib/brakeman/checks/check_create_with.rb +1 -1
data/lib/brakeman/checks/check_cross_site_scripting.rb +3 -3
data/lib/brakeman/checks/check_default_routes.rb +3 -3
data/lib/brakeman/checks/check_deserialize.rb +1 -1
data/lib/brakeman/checks/check_detailed_exceptions.rb +1 -1
data/lib/brakeman/checks/check_digest_dos.rb +4 -4
data/lib/brakeman/checks/check_escape_function.rb +1 -1
data/lib/brakeman/checks/check_execute.rb +5 -4
data/lib/brakeman/checks/check_file_access.rb +13 -3
data/lib/brakeman/checks/check_file_disclosure.rb +1 -1
data/lib/brakeman/checks/check_filter_skipping.rb +1 -1
data/lib/brakeman/checks/check_forgery_setting.rb +3 -3
data/lib/brakeman/checks/check_header_dos.rb +3 -3
data/lib/brakeman/checks/check_i18n_xss.rb +3 -3
data/lib/brakeman/checks/check_jruby_xml.rb +1 -1
data/lib/brakeman/checks/check_json_encoding.rb +3 -3
data/lib/brakeman/checks/check_json_parsing.rb +8 -11
data/lib/brakeman/checks/check_link_to.rb +3 -3
data/lib/brakeman/checks/check_link_to_href.rb +2 -2
data/lib/brakeman/checks/check_mail_to.rb +3 -3
data/lib/brakeman/checks/check_mime_type_dos.rb +1 -1
data/lib/brakeman/checks/check_model_attributes.rb +4 -4
data/lib/brakeman/checks/check_model_serialize.rb +1 -1
data/lib/brakeman/checks/check_nested_attributes.rb +3 -3
data/lib/brakeman/checks/check_nested_attributes_bypass.rb +1 -1
data/lib/brakeman/checks/check_number_to_currency.rb +4 -4
data/lib/brakeman/checks/check_quote_table_name.rb +2 -2
data/lib/brakeman/checks/check_regex_dos.rb +1 -1
data/lib/brakeman/checks/check_render.rb +2 -2
data/lib/brakeman/checks/check_render_dos.rb +1 -1
data/lib/brakeman/checks/check_render_inline.rb +1 -1
data/lib/brakeman/checks/check_response_splitting.rb +1 -1
data/lib/brakeman/checks/check_route_dos.rb +1 -1
data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +1 -1
data/lib/brakeman/checks/check_sanitize_methods.rb +3 -3
data/lib/brakeman/checks/check_secrets.rb +1 -1
data/lib/brakeman/checks/check_select_tag.rb +1 -1
data/lib/brakeman/checks/check_select_vulnerability.rb +1 -1
data/lib/brakeman/checks/check_session_manipulation.rb +1 -1
data/lib/brakeman/checks/check_session_settings.rb +1 -1
data/lib/brakeman/checks/check_simple_format.rb +2 -2
data/lib/brakeman/checks/check_single_quotes.rb +14 -10
data/lib/brakeman/checks/check_skip_before_filter.rb +2 -2
data/lib/brakeman/checks/check_sprockets_path_traversal.rb +39 -0
data/lib/brakeman/checks/check_sql.rb +1 -1
data/lib/brakeman/checks/check_sql_cves.rb +2 -2
data/lib/brakeman/checks/check_strip_tags.rb +10 -8
data/lib/brakeman/checks/check_symbol_dos.rb +1 -1
data/lib/brakeman/checks/check_symbol_dos_cve.rb +1 -1
data/lib/brakeman/checks/check_translate_bug.rb +7 -7
data/lib/brakeman/checks/check_unsafe_reflection.rb +1 -1
data/lib/brakeman/checks/check_unscoped_find.rb +1 -1
data/lib/brakeman/checks/check_validation_regex.rb +1 -1
data/lib/brakeman/checks/check_weak_hash.rb +18 -19
data/lib/brakeman/checks/check_xml_dos.rb +1 -1
data/lib/brakeman/checks/check_yaml_parsing.rb +1 -1
data/lib/brakeman/format/style.css +8 -0
data/lib/brakeman/messages.rb +220 -0
data/lib/brakeman/options.rb +13 -0
data/lib/brakeman/parsers/template_parser.rb +2 -2
data/lib/brakeman/processors/alias_processor.rb +7 -0
data/lib/brakeman/processors/config_processor.rb +4 -1
data/lib/brakeman/processors/gem_processor.rb +30 -2
data/lib/brakeman/processors/lib/call_conversion_helper.rb +2 -1
data/lib/brakeman/processors/lib/rails3_route_processor.rb +0 -2
data/lib/brakeman/processors/lib/rails4_config_processor.rb +18 -0
data/lib/brakeman/processors/lib/render_helper.rb +5 -0
data/lib/brakeman/processors/lib/render_path.rb +15 -0
data/lib/brakeman/processors/library_processor.rb +1 -1
data/lib/brakeman/report/report_base.rb +17 -161
data/lib/brakeman/report/report_csv.rb +17 -0
data/lib/brakeman/report/report_html.rb +34 -31
data/lib/brakeman/report/report_json.rb +21 -0
data/lib/brakeman/report/report_markdown.rb +13 -6
data/lib/brakeman/report/report_table.rb +157 -0
data/lib/brakeman/report/report_tabs.rb +3 -1
data/lib/brakeman/report/report_text.rb +16 -0
data/lib/brakeman/scanner.rb +5 -1
data/lib/brakeman/tracker/config.rb +1 -1
data/lib/brakeman/util.rb +0 -17
data/lib/brakeman/version.rb +1 -1
data/lib/brakeman/warning.rb +9 -4
data/lib/brakeman/warning_codes.rb +1 -0
metadata +13 -10

data/lib/brakeman/processors/library_processor.rb CHANGED

@@ -13,7 +13,7 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
     @alias_processor = Brakeman::AliasProcessor.new tracker
     @current_module = nil
     @current_class = nil
-    @intializer_env = nil
+    @initializer_env = nil
   end
   def process_library src, file_name = nil

data/lib/brakeman/report/report_base.rb CHANGED

@@ -22,18 +22,25 @@ class Brakeman::Report::Base
     @warnings_summary = nil
   end
-  #Generate table of how many warnings of each warning type were reported
-  def generate_warning_overview
-    types = warnings_summary.keys
-    types.delete :high_confidence
-    values = types.sort.collect{|warning_type| [warning_type, warnings_summary[warning_type]] }
-    locals = {:types => types, :warnings_summary => warnings_summary}
+  #Return summary of warnings in hash and store in @warnings_summary
+  def warnings_summary
+    return @warnings_summary if @warnings_summary
+    summary = Hash.new(0)
+    high_confidence_warnings = 0
+    [all_warnings].each do |warnings|
+      warnings.each do |warning|
+        summary[warning.warning_type.to_s] += 1
+        high_confidence_warnings += 1 if warning.confidence == 0
+      end
+    end
-    render_array('warning_overview', ['Warning Type', 'Total'], values, locals)
+    summary[:high_confidence] = high_confidence_warnings
+    @warnings_summary = summary
   end
-  #Generate table of controllers and routes found for those controllers
-  def generate_controllers
+  def controller_information
     controller_rows = []
     tracker.controllers.keys.map{|k| k.to_s}.sort.each do |name|
@@ -67,148 +74,7 @@ class Brakeman::Report::Base
       }
     end
-    cols = ['Name', 'Parent', 'Includes', 'Routes']
-    locals = {:controller_rows => controller_rows}
-    values = controller_rows.collect{|row| row.values_at(*cols) }
-    render_array('controller_overview', cols, values, locals)
-  end
-  #Generate table of errors or return nil if no errors
-  def generate_errors
-    values = tracker.errors.collect{|error| [error[:error], error[:backtrace][0]]}
-    render_array('error_overview', ['Error', 'Location'], values, {:tracker => tracker})
-  end
-  def generate_obsolete
-    values = tracker.unused_fingerprints.collect{|fingerprint| [fingerprint] }
-    render_array('obsolete_ignore_entries', ['fingerprint'], values, {:tracker => tracker})
-  end
-  def generate_warnings
-    render_warnings generic_warnings,
-                    :warning,
-                    'security_warnings',
-                    ["Confidence", "Class", "Method", "Warning Type", "Message"],
-                    'Class'
-  end
-  #Generate table of template warnings or return nil if no warnings
-  def generate_template_warnings
-    render_warnings template_warnings,
-                    :template,
-                    'view_warnings',
-                    ['Confidence', 'Template', 'Warning Type', 'Message'],
-                    'Template'
-  end
-  #Generate table of model warnings or return nil if no warnings
-  def generate_model_warnings
-    render_warnings model_warnings,
-                    :model,
-                    'model_warnings',
-                    ['Confidence', 'Model', 'Warning Type', 'Message'],
-                    'Model'
-  end
-  #Generate table of controller warnings or nil if no warnings
-  def generate_controller_warnings
-    render_warnings controller_warnings,
-                    :controller,
-                    'controller_warnings',
-                    ['Confidence', 'Controller', 'Warning Type', 'Message'],
-                    'Controller'
-  end
-  def generate_ignored_warnings
-    render_warnings ignored_warnings,
-                    :ignored,
-                    'ignored_warnings',
-                    ['Confidence', 'Warning Type', 'File', 'Message'],
-                    'Warning Type'
-  end
-  def render_warnings warnings, type, template, cols, sort_col
-    unless warnings.empty?
-      rows = sort(convert_to_rows(warnings, type), sort_col)
-      values = rows.collect { |row| row.values_at(*cols) }
-      locals = { :warnings => rows }
-      render_array(template, cols, values, locals)
-    else
-      nil
-    end
-  end
-  def convert_to_rows warnings, type = :warning
-    warnings.map do |warning|
-      w = warning.to_row type
-      case type
-      when :warning
-        convert_warning w, warning
-      when :template
-        convert_template_warning w, warning
-      when :model
-        convert_model_warning w, warning
-      when :controller
-        convert_controller_warning w, warning
-      when :ignored
-        convert_ignored_warning w, warning
-      end
-    end
-  end
-  def convert_warning warning, original
-    warning["Confidence"] = TEXT_CONFIDENCE[warning["Confidence"]]
-    warning["Message"] = text_message original, warning["Message"]
-    warning
-  end
-  def convert_template_warning warning, original
-    convert_warning warning, original
-  end
-  def convert_model_warning warning, original
-    convert_warning warning, original
-  end
-  def convert_controller_warning warning, original
-    convert_warning warning, original
-  end
-  def convert_ignored_warning warning, original
-    convert_warning warning, original
-  end
-  def sort rows, sort_col
-    stabilizer = 0
-    rows.sort_by do |row|
-      stabilizer += 1
-      row.values_at("Confidence", "Warning Type", sort_col) << stabilizer
-    end
-  end
-  #Return summary of warnings in hash and store in @warnings_summary
-  def warnings_summary
-    return @warnings_summary if @warnings_summary
-    summary = Hash.new(0)
-    high_confidence_warnings = 0
-    [all_warnings].each do |warnings|
-      warnings.each do |warning|
-        summary[warning.warning_type.to_s] += 1
-        high_confidence_warnings += 1 if warning.confidence == 0
-      end
-    end
-    summary[:high_confidence] = high_confidence_warnings
-    @warnings_summary = summary
+    controller_rows
   end
   def all_warnings
@@ -279,14 +145,4 @@ class Brakeman::Report::Base
       "Unknown"
     end
   end
-  #Escape warning message and highlight user input in text output
-  def text_message warning, message
-    if @highlight_user_input and warning.user_input
-      user_input = warning.format_user_input
-      message.gsub(user_input, "+#{user_input}+")
-    else
-      message
-    end
-  end
 end

data/lib/brakeman/report/report_csv.rb CHANGED

@@ -52,4 +52,21 @@ class Brakeman::Report::CSV < Brakeman::Report::Table
     header << CSV.generate_line([File.expand_path(tracker.app_path), Time.now.to_s, checks.checks_run.sort.join(", "), rails_version])
     "BRAKEMAN REPORT\n\n" + header
   end
+  # rely on Terminal::Table to build the structure, extract the data out in CSV format
+  def table_to_csv table
+    return "" unless table
+    Brakeman.load_brakeman_dependency 'terminal-table'
+    headings = table.headings
+    if headings.is_a? Array
+      headings = headings.first
+    end
+    output = CSV.generate_line(headings.cells.map{|cell| cell.to_s.strip})
+    table.rows.each do |row|
+      output << CSV.generate_line(row.cells.map{|cell| cell.to_s.strip})
+    end
+    output
+  end
 end

data/lib/brakeman/report/report_html.rb CHANGED

@@ -1,9 +1,10 @@
 require 'cgi'
+require 'brakeman/report/report_table.rb'
-class Brakeman::Report::HTML < Brakeman::Report::Base
+class Brakeman::Report::HTML < Brakeman::Report::Table
   HTML_CONFIDENCE = [ "<span class='high-confidence'>High</span>",
-    "<span class='med-confidence'>Medium</span>",
-    "<span class='weak-confidence'>Weak</span>" ]
+                      "<span class='med-confidence'>Medium</span>",
+                      "<span class='weak-confidence'>Weak</span>" ]
   def initialize *args
     super
@@ -66,20 +67,18 @@ class Brakeman::Report::HTML < Brakeman::Report::Base
   end
   def convert_warning warning, original
-    warning["Confidence"] = HTML_CONFIDENCE[warning["Confidence"]]
+    warning["Confidence"] = HTML_CONFIDENCE[original.confidence]
     warning["Message"] = with_context original, warning["Message"]
     warning["Warning Type"] = with_link original, warning["Warning Type"]
     warning
   end
   def with_link warning, message
-    "<a rel=\"no-referrer\" href=\"#{warning.link}\">#{message}</a>"
+    "<a rel=\"noreferrer\" href=\"#{warning.link}\">#{message}</a>"
   end
   def convert_template_warning warning, original
-    warning["Confidence"] = HTML_CONFIDENCE[warning["Confidence"]]
-    warning["Message"] = with_context original, warning["Message"]
-    warning["Warning Type"] = with_link original, warning["Warning Type"]
+    warning = convert_warning warning, original
     warning["Called From"] = original.called_from
     warning["Template Name"] = original.template.name
     warning
@@ -113,29 +112,16 @@ class Brakeman::Report::HTML < Brakeman::Report::Base
   #Generate HTML for warnings, including context show/hidden via Javascript
   def with_context warning, message
+    @element_id += 1
     context = context_for(@app_tree, warning)
-    full_message = nil
-    if tracker.options[:message_limit] and tracker.options[:message_limit] > 0 and message.length > tracker.options[:message_limit]
-      full_message = html_message(warning, message)
-      message = message[0..tracker.options[:message_limit]] << "..."
-    end
     message = html_message(warning, message)
-    return message if context.empty? and not full_message
-    @element_id += 1
     code_id = "context#@element_id"
     message_id = "message#@element_id"
     full_message_id = "full_message#@element_id"
     alt = false
     output = "<div class='warning_message' onClick=\"toggle('#{code_id}');toggle('#{message_id}');toggle('#{full_message_id}')\" >" <<
-    if full_message
-      "<span id='#{message_id}' style='display:block' >#{message}</span>" <<
-      "<span id='#{full_message_id}' style='display:none'>#{full_message}</span>"
-    else
-      message
-    end <<
+    message <<
     "<table id='#{code_id}' class='context' style='display:none'>" <<
     "<caption>#{CGI.escapeHTML warning_file(warning) || ''}</caption>"
@@ -199,18 +185,35 @@ class Brakeman::Report::HTML < Brakeman::Report::Base
   #Escape warning message and highlight user input in HTML output
   def html_message warning, message
-    message = CGI.escapeHTML(message)
+    message = message.to_html
     if warning.file
-      github_url = github_url warning.file, warning.line
-      message.gsub!(/(near line \d+)/, "<a href=\"#{github_url}\" target='_blank'>\\1</a>") if github_url
+      if github_url = github_url(warning.file, warning.line)
+        message << " <a href=\"#{github_url}\" target='_blank'>near line #{warning.line}</a>"
+      elsif warning.line
+        message << " near line #{warning.line}"
+      end
     end
-    if @highlight_user_input and warning.user_input
-      user_input = CGI.escapeHTML(warning.format_user_input)
-      message.gsub!(user_input, "<span class=\"user_input\">#{user_input}</span>")
-    end
+    if warning.code
+      code = warning.format_with_user_input do |_, user_input|
+        "[BMP_UI]#{user_input}[/BMP_UI]"
+      end
+      code = "<span class=\"code\">#{CGI.escapeHTML(code).gsub("[BMP_UI]", "<span class=\"user_input\">").gsub("[/BMP_UI]", "</span>")}</span>"
+      full_message = "#{message}: #{code}"
-    message
+      if warning.code.mass > 20
+        message_id = "message#@element_id"
+        full_message_id = "full_message#@element_id"
+        "<span id='#{message_id}' style='display:block'>#{message}: ...</span>" <<
+        "<span id='#{full_message_id}' style='display:none'>#{full_message}</span>"
+      else
+        full_message
+      end
+    else
+      message
+    end
   end
 end

data/lib/brakeman/report/report_json.rb CHANGED

@@ -38,8 +38,29 @@ class Brakeman::Report::JSON < Brakeman::Report::Base
   def convert_to_hashes warnings
     warnings.map do |w|
       hash = w.to_hash
+      hash[:render_path] = convert_render_path hash[:render_path]
       hash[:file] = warning_file w
       hash
     end.sort_by { |w| "#{w[:fingerprint]}#{w[:line]}" }
   end
+  def convert_render_path render_path
+    return unless render_path and not @tracker.options[:absolute_paths]
+    render_path.map do |r|
+      r = r.dup
+      if r[:file]
+        r[:file] = relative_path(r[:file])
+      end
+      if r[:rendered] and r[:rendered][:file]
+        r[:rendered] = r[:rendered].dup
+        r[:rendered][:file] = relative_path(r[:rendered][:file])
+      end
+      r
+    end
+  end
 end

data/lib/brakeman/report/report_markdown.rb CHANGED

@@ -92,16 +92,23 @@ class Brakeman::Report::Markdown < Brakeman::Report::Table
   # Escape and code format warning message
   def markdown_message warning, message
+    message = message.to_s
     if warning.file
       github_url = github_url warning.file, warning.line
-      message.gsub!(/(near line \d+)/, "[\\1](#{github_url})") if github_url
+      if github_url
+        message << " near line [#{warning.line}](#{github_url})"
+      elsif warning.line
+        message << " near line #{warning.line}"
+      end
     end
     if warning.code
-      code = warning.format_code
-      message.gsub(code, "`#{code.gsub('`','``').gsub(/\A``|``\z/, '` `')}`")
-    else
-      message
+      code = warning.format_code.gsub('`','``').gsub(/\A``|``\z/, '` `')
+      message << ": `#{code}`"
     end
-  end
+    message
+  end
 end

data/lib/brakeman/report/report_table.rb CHANGED

@@ -62,6 +62,96 @@ class Brakeman::Report::Table < Brakeman::Report::Base
     end
   end
+  #Generate table of how many warnings of each warning type were reported
+  def generate_warning_overview
+    types = warnings_summary.keys
+    types.delete :high_confidence
+    values = types.sort.collect{|warning_type| [warning_type, warnings_summary[warning_type]] }
+    locals = {:types => types, :warnings_summary => warnings_summary}
+    render_array('warning_overview', ['Warning Type', 'Total'], values, locals)
+  end
+  #Generate table of controllers and routes found for those controllers
+  def generate_controllers
+    controller_rows = controller_information
+    cols = ['Name', 'Parent', 'Includes', 'Routes']
+    locals = {:controller_rows => controller_rows}
+    values = controller_rows.collect{|row| row.values_at(*cols) }
+    render_array('controller_overview', cols, values, locals)
+  end
+  #Generate table of errors or return nil if no errors
+  def generate_errors
+    values = tracker.errors.collect{|error| [error[:error], error[:backtrace][0]]}
+    render_array('error_overview', ['Error', 'Location'], values, {:tracker => tracker})
+  end
+  def generate_obsolete
+    values = tracker.unused_fingerprints.collect{|fingerprint| [fingerprint] }
+    render_array('obsolete_ignore_entries', ['fingerprint'], values, {:tracker => tracker})
+  end
+  def generate_warnings
+    render_warnings generic_warnings,
+                    :warning,
+                    'security_warnings',
+                    ["Confidence", "Class", "Method", "Warning Type", "Message"],
+                    'Class'
+  end
+  #Generate table of template warnings or return nil if no warnings
+  def generate_template_warnings
+    render_warnings template_warnings,
+                    :template,
+                    'view_warnings',
+                    ['Confidence', 'Template', 'Warning Type', 'Message'],
+                    'Template'
+  end
+  #Generate table of model warnings or return nil if no warnings
+  def generate_model_warnings
+    render_warnings model_warnings,
+                    :model,
+                    'model_warnings',
+                    ['Confidence', 'Model', 'Warning Type', 'Message'],
+                    'Model'
+  end
+  #Generate table of controller warnings or nil if no warnings
+  def generate_controller_warnings
+    render_warnings controller_warnings,
+                    :controller,
+                    'controller_warnings',
+                    ['Confidence', 'Controller', 'Warning Type', 'Message'],
+                    'Controller'
+  end
+  def generate_ignored_warnings
+    render_warnings ignored_warnings,
+                    :ignored,
+                    'ignored_warnings',
+                    ['Confidence', 'Warning Type', 'File', 'Message'],
+                    'Warning Type'
+  end
+  def render_warnings warnings, type, template, cols, sort_col
+    unless warnings.empty?
+      rows = sort(convert_to_rows(warnings, type), sort_col)
+      values = rows.collect { |row| row.values_at(*cols) }
+      locals = { :warnings => rows }
+      render_array(template, cols, values, locals)
+    else
+      nil
+    end
+  end
   #Generate listings of templates and their output
   def generate_templates
     out_processor = Brakeman::OutputProcessor.new
@@ -92,6 +182,44 @@ class Brakeman::Report::Table < Brakeman::Report::Base
     output
   end
+  def convert_to_rows warnings, type = :warning
+    warnings.map do |warning|
+      w = warning.to_row type
+      case type
+      when :warning
+        convert_warning w, warning
+      when :ignored
+        convert_ignored_warning w, warning
+      when :template
+        convert_template_warning w, warning
+      else
+        convert_warning w, warning
+      end
+    end
+  end
+  def convert_warning warning, original
+    warning
+  end
+  def convert_ignored_warning warning, original
+    convert_warning warning, original
+  end
+  def convert_template_warning warning, original
+    convert_warning warning, original
+  end
+  def sort rows, sort_col
+    stabilizer = 0
+    rows.sort_by do |row|
+      stabilizer += 1
+      row.values_at("Confidence", "Warning Type", sort_col) << stabilizer
+    end
+  end
   def render_array template, headings, value_array, locals
     return if value_array.empty?
@@ -100,6 +228,35 @@ class Brakeman::Report::Table < Brakeman::Report::Base
     end
   end
+  def convert_warning warning, original
+    warning["Message"] = text_message original, warning["Message"]
+    warning
+  end
+  #Escape warning message and highlight user input in text output
+  def text_message warning, message
+    message = message.to_s
+    if warning.line
+      message << " near line #{warning.line}"
+    end
+    if warning.code
+      if @highlight_user_input and warning.user_input
+        code = warning.format_with_user_input do |user_input, user_input_string|
+          "+#{user_input_string}+"
+        end
+      else
+        code = warning.format_code
+      end
+      message << ": #{code}"
+    end
+    message
+  end
   #Generate header for text output
   def text_header
     <<-HEADER