brakeman-lib 4.4.0 → 4.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bcbe25d591f6a58b5aa50a84f07d66139df4de6ff9ec635f37bfddf6dcefce5b
-  data.tar.gz: eab5e03f499218467a5c45cc33c629e04e8e8743526b9a8f3add8a314d7d8e10
+  metadata.gz: e29d6575b47438b336589ce753da72098ad1b7465a4bb78625d5c666d8c1d0a3
+  data.tar.gz: 073d249eb7c1915c3c3be01345c25d050127eec929ff2dd77e276433f94606c1
 SHA512:
-  metadata.gz: ea3d52f2efefe107a2673b9a6c574c864cc3908fdc908bca688f3b465ed0c4a47e02513dfe2f4da7dfe94c1c576df1b9bb20e4b865d2308a8db0a05435cc911c
-  data.tar.gz: 130d5925f04b78320ee0e052a66baadf7eb6094f9572758f6013aa22af03e2031c3109df49dd72a62d974f05add592bdf6309ccbae8d03cdec600397b4ae3044
+  metadata.gz: 87488f856d5b69554147a900ea4a5e0f8826b8a4a1ca95090c472f279d3014a80d28acfa36e131b07c2a9d78a80ec807fa20b45f7e2c133575da164b8ccf3506
+  data.tar.gz: b73fe208fc26c26428b4883aa36e2b0c310f7b271fe9db0111cd5fc23d3fc040b8f90c0875f4736724685515ee6c3a6d20faf4cb1246042fab0fe66a6de41c61

data/CHANGES.md

@@ -1,3 +1,66 @@
+# 4.7.0
+
+* Refactor `Brakeman::Differ#second_pass` (Benoit Côté-Jodoin)
+* Ignore interpolation in `%W[]`
+* Fix `version_between?` (Andrey Glushkov)
+* Add support for `ruby_parser` 3.14.0
+* Ignore `form_for` for XSS check
+* Update Haml support to Haml 5.x
+* Catch shell injection from `-c` shell commands (Jacob Evelyn)
+* Correctly handle non-symbols in `CheckCookieSerialization` (Phil Turnbull)
+
+# 4.6.1
+
+* Fix Reverse Tabnabbing warning message (Steffen Schildknecht / Jörg Schiller)
+
+# 4.6.0
+
+* Skip calls to `dup`
+* Add reverse tabnabbing check (Linos Giannopoulos)
+* Better handling of gems with no version declared
+* Warn people that Haml 5 is not fully supported (Jared Beck)
+* Avoid warning about file access with `ActiveStorage::Filename#sanitized` (Tejas Bubane)
+* Update loofah version for fixing CVE-2018-8048 (Markus Nölle)
+* Restore `Warning#relative_path`
+* Add check for cookie serialization with Marshal
+* Index calls in initializers
+* Improve template output handling in conditional branches
+* Avoid assigning `nil` line numbers to `Sexp`s
+* Add special warning code for custom checks
+* Add call matching by regular expression
+
+# 4.5.1 
+
+* Add `Brakeman::FilePath` to represent file paths
+* Handle trailing comma in block args
+* Properly handle empty partial name
+* Use relative paths for `__FILE__`
+* Convert `!!` calls to boolean value
+* Add optional check for `config.force_ssl`
+* Remove code for Ruby versions prior to 1.9
+* Check `link_to` with block for href XSS
+* Add SQL injection checks for `find_or_create_by` and friends
+* Add deserialization warning for `Oj.load/object_load`
+* Add initial Rails 6 support
+* Add SQL injection checks for `destroy_by`/`delete_by`
+
+# 4.5.0
+
+* Update `ruby_parser`, use `ruby_parser-legacy`
+* More thoroughly handle `Shellwords` escaping
+* Handle non-integer version number comparisons
+* Use `FileParser` in `Scanner` to parse files
+* Add original exception to `Tracker#errors` list
+* Add support for CoffeeScript in Slim templates
+* Improve support for embedded template "filters"
+* Remove Sass dependency
+* Set location information in `CheckContentTag`
+* Stop swallowing exceptions in `AliasProcessor`
+* Avoid joining strings with different encodings
+* Handle `**` inside Hash literals
+* Better handling of splat/kwsplat arguments
+* Improve "user input" reported for SQL injection
+
 # 4.4.0
 
 * Set default encoding to UTF-8

data/README.md

@@ -1,7 +1,6 @@
 [![Brakeman Logo](http://brakemanscanner.org/images/logo_medium.png)](http://brakemanscanner.org/)
 
-[![Build Status](https://travis-ci.org/presidentbeef/brakeman.svg?branch=master)](https://travis-ci.org/presidentbeef/brakeman)
-[![Maintainability](https://api.codeclimate.com/v1/badges/1b08a5c74695cb0d11ec/maintainability)](https://codeclimate.com/github/presidentbeef/brakeman/maintainability)
+[![Build Status](https://circleci.com/gh/presidentbeef/brakeman.svg?style=svg)](https://circleci.com/gh/presidentbeef/brakeman)
 [![Test Coverage](https://api.codeclimate.com/v1/badges/1b08a5c74695cb0d11ec/test_coverage)](https://codeclimate.com/github/presidentbeef/brakeman/test_coverage)
 [![Gitter](https://badges.gitter.im/presidentbeef/brakeman.svg)](https://gitter.im/presidentbeef/brakeman)
 
@@ -47,25 +46,25 @@ Outside of Rails root:
 
 From a Rails application's root directory:
 
-    docker run -v "$(pwd)":/code brakeman
+    docker run -v "$(pwd)":/code presidentbeef/brakeman
 
 With a little nicer color:
 
-    docker run -v "$(pwd)":/code brakeman --color
+    docker run -v "$(pwd)":/code presidentbeef/brakeman --color
 
 For an HTML report:
 
-    docker run -v "$(pwd)":/code brakeman -o brakeman_results.html
+    docker run -v "$(pwd)":/code presidentbeef/brakeman -o brakeman_results.html
 
 Outside of Rails root (note that the output file is relative to path/to/rails/application):
 
-    docker run -v 'path/to/rails/application':/code brakeman -o brakeman_results.html
+    docker run -v 'path/to/rails/application':/code presidentbeef/brakeman -o brakeman_results.html
 
 # Compatibility
 
 Brakeman should work with any version of Rails from 2.3.x to 5.x.
 
-Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 1.9.3 to run.
+Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 2.3.0 to run.
 
 # Basic Options
 

data/lib/brakeman.rb

@@ -55,6 +55,9 @@ module Brakeman
   #  * :print_report - if no output file specified, print to stdout (default: false)
   #  * :quiet - suppress most messages (default: true)
   #  * :rails3 - force Rails 3 mode (automatic)
+  #  * :rails4 - force Rails 4 mode (automatic)
+  #  * :rails5 - force Rails 5 mode (automatic)
+  #  * :rails6 - force Rails 6 mode (automatic)
   #  * :report_routes - show found routes on controllers (default: false)
   #  * :run_checks - array of checks to run (run all if not specified)
   #  * :safe_methods - array of methods to consider safe
@@ -99,6 +102,10 @@ module Brakeman
     elsif options[:rails5]
       options[:rails3] = true
       options[:rails4] = true
+    elsif options[:rails6]
+      options[:rails3] = true
+      options[:rails4] = true
+      options[:rails5] = true
     end
 
     options[:output_formats] = get_output_formats options

data/lib/brakeman/app_tree.rb

@@ -1,4 +1,5 @@
 require 'pathname'
+require 'brakeman/file_path'
 
 module Brakeman
   class AppTree
@@ -62,31 +63,37 @@ module Brakeman
       @absolute_engine_paths = @engine_paths.select { |path| path.start_with?(File::SEPARATOR) }
       @relative_engine_paths = @engine_paths - @absolute_engine_paths
       @gemspec = nil
+      @root_search_pattern = nil
     end
 
-    def expand_path(path)
-      File.expand_path(path, @root)
+    # Create a new Brakeman::FilePath
+    def file_path(path)
+      Brakeman::FilePath.from_app_tree(self, path)
     end
 
-    def read(path)
-      File.read(File.join(@root, path))
+    # Should only be used by Brakeman::FilePath.
+    # Use AppTree#file_path(path).absolute instead.
+    def expand_path(path)
+      File.expand_path(path, @root)
     end
 
-    # This variation requires full paths instead of paths based
-    # off the project root. I'd prefer to get all the code outside
-    # of AppTree using project-root based paths (e.g. app/models/user.rb)
-    # instead of full paths, but I suspect it's an incompatible change.
-    def read_path(path)
-      File.read(path)
+    # Should only be used by Brakeman::FilePath
+    # Use AppTree#file_path(path).relative instead.
+    def relative_path(path)
+      pname = Pathname.new path
+      if path and not path.empty? and pname.absolute?
+        pname.relative_path_from(Pathname.new(self.root)).to_s
+      else
+        path
+      end
     end
 
     def exists?(path)
-      File.exist?(File.join(@root, path))
-    end
-
-    # This is a pair for #read_path. Again, would like to kill these
-    def path_exists?(path)
-      File.exist?(path)
+      if path.is_a? Brakeman::FilePath
+        path.exists?
+      else
+        File.exist?(File.join(@root, path))
+      end
     end
 
     def initializer_paths
@@ -111,7 +118,7 @@ module Brakeman
     end
 
     def lib_paths
-      @lib_files ||= find_paths("lib").reject { |path| path.include? "/generators/" or path.include? "lib/tasks/" or path.include? "lib/templates/" } +
+      @lib_files ||= find_paths("lib").reject { |path| path.relative.include? "/generators/" or path.relative.include? "lib/tasks/" or path.relative.include? "lib/templates/" } +
                      find_additional_lib_paths +
                      find_helper_paths +
                      find_job_paths
@@ -125,7 +132,7 @@ module Brakeman
       if gemspecs.length > 1 or gemspecs.empty?
         @gemspec = false
       else
-        @gemspec = File.basename(gemspecs.first)
+        @gemspec = file_path(File.basename(gemspecs.first))
       end
     end
 
@@ -155,7 +162,8 @@ module Brakeman
 
     def select_files(paths)
       paths = select_only_files(paths)
-      reject_skipped_files(paths)
+      paths = reject_skipped_files(paths)
+      convert_to_file_paths(paths)
     end
 
     def select_only_files(paths)
@@ -190,8 +198,8 @@ module Brakeman
     def root_search_pattern
       return @root_search_pattern if @root_search_pattern
 
-      abs = @absolute_engine_paths.to_a.map { |path| path.gsub /#{File::SEPARATOR}+$/, '' }
-      rel = @relative_engine_paths.to_a.map { |path| path.gsub /#{File::SEPARATOR}+$/, '' }
+      abs = @absolute_engine_paths.to_a.map { |path| path.gsub(/#{File::SEPARATOR}+$/, '') }
+      rel = @relative_engine_paths.to_a.map { |path| path.gsub(/#{File::SEPARATOR}+$/, '') }
 
       roots = ([@root] + abs).join(",")
       rel_engines = (rel + [""]).join("/,")
@@ -199,7 +207,11 @@ module Brakeman
     end
 
     def prioritize_concerns paths
-      paths.partition { |path| path.include? "concerns" }.flatten
+      paths.partition { |path| path.relative.include? "concerns" }.flatten
+    end
+
+    def convert_to_file_paths paths
+      paths.map { |path| file_path(path) }
     end
   end
 end

data/lib/brakeman/call_index.rb

@@ -27,7 +27,7 @@ class Brakeman::CallIndex
     if options[:chained]
       return find_chain options
     #Find by narrowest category
-    elsif target and method and target.is_a? Array and method.is_a? Array
+    elsif target.is_a? Array and method.is_a? Array
       if target.length > method.length
         calls = filter_by_target calls_by_methods(method), target
       else
@@ -35,6 +35,12 @@ class Brakeman::CallIndex
         calls = filter_by_method calls, method
       end
 
+    elsif target.is_a? Regexp and method
+      calls = filter_by_target(calls_by_method(method), target)
+
+    elsif method.is_a? Regexp and target
+      calls = filter_by_method(calls_by_target(target), method)
+
     #Find by target, then by methods, if provided
     elsif target
       calls = calls_by_target target
@@ -85,6 +91,16 @@ class Brakeman::CallIndex
     end
   end
 
+  def remove_indexes_by_file file
+    [@calls_by_method, @calls_by_target].each do |calls_by|
+      calls_by.each do |_name, calls|
+        calls.delete_if do |call|
+          call[:location][:file] == file
+        end
+      end
+    end
+  end
+
   def index_calls calls
     calls.each do |call|
       @calls_by_method[call[:method]] ||= []
@@ -116,8 +132,11 @@ class Brakeman::CallIndex
   end
 
   def calls_by_target target
-    if target.is_a? Array
+    case target
+    when Array
       calls_by_targets target
+    when Regexp
+      calls_by_targets_regex target
     else
       @calls_by_target[target] || []
     end
@@ -133,10 +152,24 @@ class Brakeman::CallIndex
     calls
   end
 
+  def calls_by_targets_regex targets_regex
+    calls = []
+
+    @calls_by_target.each do |key, value|
+      case key
+      when String, Symbol
+        calls.concat value if key.match targets_regex
+      end
+    end
+
+    calls
+  end
+
   def calls_by_method method
-    if method.is_a? Array
+    case method
+    when Array
       calls_by_methods method
-    elsif method.is_a? Regexp
+    when Regexp
       calls_by_methods_regex method
     else
       @calls_by_method[method.to_sym] || []
@@ -156,26 +189,28 @@ class Brakeman::CallIndex
 
   def calls_by_methods_regex methods_regex
     calls = []
+
     @calls_by_method.each do |key, value|
-      calls.concat value if key.to_s.match methods_regex
+      calls.concat value if key.match methods_regex
     end
-    calls
-  end
 
-  def calls_with_no_target
-    @calls_by_target[nil]
+    calls
   end
 
   def filter calls, key, value
-    if value.is_a? Array
+    case value
+    when Array
       values = Set.new value
 
       calls.select do |call|
         values.include? call[key]
       end
-    elsif value.is_a? Regexp
+    when Regexp
       calls.select do |call|
-        call[key].to_s.match value
+        case call[key]
+        when String, Symbol
+          call[key].match value
+        end
       end
     else
       calls.select do |call|
@@ -197,15 +232,19 @@ class Brakeman::CallIndex
   end
 
   def filter_by_chain calls, target
-    if target.is_a? Array
+    case target
+    when Array
       targets = Set.new target
 
       calls.select do |call|
         targets.include? call[:chain].first
       end
-    elsif target.is_a? Regexp
+    when Regexp
       calls.select do |call|
-        call[:chain].first.to_s.match target
+        case call[:chain].first
+        when String, Symbol
+          call[:chain].first.match target
+        end
       end
     else
       calls.select do |call|

data/lib/brakeman/checks.rb

@@ -109,13 +109,13 @@ class Brakeman::Checks
 
   #Run all the checks on the given Tracker.
   #Returns a new instance of Checks with the results.
-  def self.run_checks(app_tree, tracker)
+  def self.run_checks(tracker)
     checks = self.checks_to_run(tracker)
     check_runner = self.new :min_confidence => tracker.options[:min_confidence]
-    self.actually_run_checks(checks, check_runner, app_tree, tracker)
+    self.actually_run_checks(checks, check_runner, tracker)
   end
 
-  def self.actually_run_checks(checks, check_runner, app_tree, tracker)
+  def self.actually_run_checks(checks, check_runner, tracker)
     threads = [] # Results for parallel
     results = [] # Results for sequential
     parallel = tracker.options[:parallel_checks]
@@ -127,10 +127,10 @@ class Brakeman::Checks
 
       if parallel
         threads << Thread.new do
-          self.run_a_check(c, error_mutex, app_tree, tracker)
+          self.run_a_check(c, error_mutex, tracker)
         end
       else
-        results << self.run_a_check(c, error_mutex, app_tree, tracker)
+        results << self.run_a_check(c, error_mutex, tracker)
       end
 
       #Maintain list of which checks were run
@@ -196,8 +196,8 @@ class Brakeman::Checks
     end
   end
 
-  def self.run_a_check klass, mutex, app_tree, tracker
-    check = klass.new(app_tree, tracker)
+  def self.run_a_check klass, mutex, tracker
+    check = klass.new(tracker)
 
     begin
       check.run_check

data/lib/brakeman/checks/base_check.rb

@@ -27,9 +27,9 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   end
 
   #Initialize Check with Checks.
-  def initialize(app_tree, tracker)
+  def initialize(tracker)
     super()
-    @app_tree = app_tree
+    @app_tree = tracker.app_tree
     @results = [] #only to check for duplicates
     @warnings = []
     @tracker = tracker
@@ -39,24 +39,15 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     @active_record_models = nil
     @mass_assign_disabled = nil
     @has_user_input = nil
+    @in_array = false
     @safe_input_attributes = Set[:to_i, :to_f, :arel_table, :id]
     @comparison_ops  = Set[:==, :!=, :>, :<, :>=, :<=]
   end
 
   #Add result to result list, which is used to check for duplicates
-  def add_result result, location = nil
-    location ||= (@current_template && @current_template.name) || @current_class || @current_module || @current_set || result[:location][:class] || result[:location][:template]
-    location = location[:name] if location.is_a? Hash
-    location = location.name if location.is_a? Brakeman::Collection
-    location = location.to_sym
-
-    if result.is_a? Hash
-      line = result[:call].original_line || result[:call].line
-    elsif sexp? result
-      line = result.original_line || result.line
-    else
-      raise ArgumentError
-    end
+  def add_result result
+    location = get_location result
+    location, line = get_location result
 
     @results << [line, location, result]
   end
@@ -119,9 +110,16 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     exp
   end
 
+  def process_array exp
+    @in_array = true
+    process_default exp
+  ensure
+    @in_array = false
+  end
+
   #Does not actually process string interpolation, but notes that it occurred.
   def process_dstr exp
-    unless @string_interp # don't overwrite existing value
+    unless array_interp? exp or @string_interp # don't overwrite existing value
       @string_interp = Match.new(:interp, exp)
     end
 
@@ -130,6 +128,20 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
 
   private
 
+  # Checking for
+  #
+  #   %W[#{a}]
+  #
+  # which will be parsed as
+  #
+  #    s(:array, s(:dstr, "", s(:evstr, s(:call, nil, :a))))
+  def array_interp? exp
+    @in_array and
+      string_interp? exp and
+      exp[1] == "".freeze and
+      exp.length == 3 # only one interpolated value
+  end
+
   def always_safe_method? meth
     @safe_input_attributes.include? meth or
       @comparison_ops.include? meth
@@ -143,11 +155,11 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   def warn options
     extra_opts = { :check => self.class.to_s }
 
-    warning = Brakeman::Warning.new(options.merge(extra_opts))
-    warning.file = file_for warning
-    warning.relative_path = relative_path(warning.file)
+    if options[:file]
+      options[:file] = @app_tree.file_path(options[:file])
+    end
 
-    @warnings << warning
+    @warnings << Brakeman::Warning.new(options.merge(extra_opts))
   end
 
   #Run _exp_ through OutputProcessor to get a nice String.
@@ -170,8 +182,9 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       @mass_assign_disabled = true
     else
       #Check for ActiveRecord::Base.send(:attr_accessible, nil)
-      tracker.check_initializers(:"ActiveRecord::Base", :attr_accessible).each do |result|
-        call = result.call
+      tracker.find_call(target: :"ActiveRecord::Base", method: :attr_accessible).each do |result|
+        call = result[:call]
+
         if call? call
           if call.first_arg == Sexp.new(:nil)
             @mass_assign_disabled = true
@@ -180,26 +193,12 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
         end
       end
 
-      unless @mass_assign_disabled
-        tracker.check_initializers(:"ActiveRecord::Base", :send).each do |result|
-          call = result.call
-          if call? call
-            if call.first_arg == Sexp.new(:lit, :attr_accessible) and call.second_arg == Sexp.new(:nil)
-              @mass_assign_disabled = true
-              break
-            end
-          end
-        end
-      end
-
       unless @mass_assign_disabled
         #Check for
         #  class ActiveRecord::Base
         #    attr_accessible nil
         #  end
-        matches = tracker.check_initializers([], :attr_accessible)
-
-        matches.each do |result|
+        tracker.check_initializers([], :attr_accessible).each do |result|
           if result.module == "ActiveRecord" and result.result_class == :Base
             arg = result.call.first_arg
 
@@ -227,10 +226,8 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       end
 
       unless @mass_assign_disabled
-        matches = tracker.check_initializers(:"ActiveRecord::Base", [:send, :include])
-
-        matches.each do |result|
-          call = result.call
+        tracker.find_call(target: :"ActiveRecord::Base", method: [:send, :include]).each do |result|
+          call = result[:call]
           if call? call and (call.first_arg == forbidden_protection or call.second_arg == forbidden_protection)
             @mass_assign_disabled = true
           end
@@ -250,6 +247,22 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   #This is to avoid reporting duplicates. Checks if the result has been
   #reported already from the same line number.
   def duplicate? result, location = nil
+    location, line = get_location result
+
+    @results.each do |r|
+      if r[0] == line and r[1] == location
+        if tracker.options[:combine_locations]
+          return true
+        elsif r[2] == result
+          return true
+        end
+      end
+    end
+
+    false
+  end
+
+  def get_location result
     if result.is_a? Hash
       line = result[:call].original_line || result[:call].line
     elsif sexp? result
@@ -258,23 +271,13 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       raise ArgumentError
     end
 
-    location ||= (@current_template && @current_template.name) || @current_class || @current_module || @current_set || result[:location][:class] || result[:location][:template]
+    location ||= (@current_template && @current_template.name) || @current_class || @current_module || @current_set || result[:location][:class] || result[:location][:template] || result[:location][:file].to_s
 
     location = location[:name] if location.is_a? Hash
     location = location.name if location.is_a? Brakeman::Collection
     location = location.to_sym
 
-    @results.each do |r|
-      if r[0] == line and r[1] == location
-        if tracker.options[:combine_locations]
-          return true
-        elsif r[2] == result
-          return true
-        end
-      end
-    end
-
-    false
+    return location, line
   end
 
   #Checks if an expression contains string interpolation.
@@ -348,6 +351,22 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       when :or
         has_immediate_user_input? exp.lhs or
         has_immediate_user_input? exp.rhs
+      when :splat, :kwsplat
+        exp.each_sexp do |e|
+          match = has_immediate_user_input?(e)
+          return match if match
+        end
+
+        false
+      when :hash
+        if kwsplat? exp
+          exp[1].each_sexp do |e|
+            match = has_immediate_user_input?(e)
+            return match if match
+          end
+
+          false
+        end
       else
         false
       end
@@ -460,11 +479,11 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     if gem_name and info = tracker.config.get_gem(gem_name)
       info
     elsif @app_tree.exists?("Gemfile")
-      "Gemfile"
+      @app_tree.file_path "Gemfile"
     elsif @app_tree.exists?("gems.rb")
-      "gems.rb"
+      @app_tree.file_path "gems.rb"
     else
-      "config/environment.rb"
+      @app_tree.file_path "config/environment.rb"
     end
   end