brakeman-lib 4.4.0 → 4.7.0

data/lib/brakeman/differ.rb

@@ -24,43 +24,31 @@ class Brakeman::Differ
   # second pass to cleanup any vulns which have changed in line number only.
   # Given a list of new warnings, delete pairs of new/fixed vulns that differ
   # only by line number.
-  # Horrible O(n^2) performance.  Keep n small :-/
   def second_pass(warnings)
-    # keep track of the number of elements deleted because the index numbers
-    # won't update as the list is modified
-    elements_deleted_offset = 0
+    new_fingerprints = Set.new(warnings[:new].map(&method(:fingerprint)))
+    fixed_fingerprints = Set.new(warnings[:fixed].map(&method(:fingerprint)))
 
-    # dup this list since we will be deleting from it and the iterator gets confused.
-    # use _with_index for fast deletion as opposed to .reject!{|obj| obj == *_warning}
-    warnings[:new].dup.each_with_index do |new_warning, new_warning_id|
-      warnings[:fixed].each_with_index do |fixed_warning, fixed_warning_id|
-        if eql_except_line_number new_warning, fixed_warning
-          warnings[:new].delete_at(new_warning_id - elements_deleted_offset)
-          elements_deleted_offset += 1
-          warnings[:fixed].delete_at(fixed_warning_id)
-          break
-        end
+    # Remove warnings which fingerprints are both in :new and :fixed
+    shared_fingerprints = new_fingerprints.intersection(fixed_fingerprints)
+
+    unless shared_fingerprints.empty?
+      warnings[:new].delete_if do |warning|
+        shared_fingerprints.include?(fingerprint(warning))
+      end
+
+      warnings[:fixed].delete_if do |warning|
+        shared_fingerprints.include?(fingerprint(warning))
       end
     end
 
     warnings
   end
 
-  def eql_except_line_number new_warning, fixed_warning
-    # can't do this ahead of time, as callers may be expecting a Brakeman::Warning
-    if new_warning.is_a? Brakeman::Warning 
-      new_warning = new_warning.to_hash
-      fixed_warning = fixed_warning.to_hash
-    end
-
-    if new_warning[:fingerprint] and fixed_warning[:fingerprint]
-      new_warning[:fingerprint] == fixed_warning[:fingerprint]
+  def fingerprint(warning)
+    if warning.is_a?(Brakeman::Warning)
+      warning.fingerprint
     else
-     OLD_WARNING_KEYS.each do |attr|
-        return false if new_warning[attr] != fixed_warning[attr]
-      end
-
-      true
+      warning[:fingerprint]
     end
   end
 end

data/lib/brakeman/file_parser.rb

@@ -5,16 +5,16 @@ module Brakeman
   class FileParser
     attr_reader :file_list
 
-    def initialize tracker, app_tree
+    def initialize tracker
       @tracker = tracker
       @timeout = @tracker.options[:parser_timeout]
-      @app_tree = app_tree
+      @app_tree = @tracker.app_tree
       @file_list = {}
     end
 
     def parse_files list, type
       read_files list, type do |path, contents|
-        if ast = parse_ruby(contents, path)
+        if ast = parse_ruby(contents, path.relative)
           ASTFile.new(path, ast)
         end
       end
@@ -24,7 +24,9 @@ module Brakeman
       @file_list[type] ||= []
 
       list.each do |path|
-        result = yield path, read_path(path)
+        file = @app_tree.file_path(path)
+
+        result = yield file, file.read
         if result
           @file_list[type] << result
         end
@@ -46,9 +48,5 @@ module Brakeman
         nil
       end
     end
-
-    def read_path path
-      @app_tree.read_path path
-    end
   end
 end

data/lib/brakeman/file_path.rb

@@ -0,0 +1,85 @@
+require 'pathname'
+
+module Brakeman
+  # Class to represent file paths within Brakeman.
+  # FilePath objects track both the relative and absolute paths
+  # to make it easier to manage paths.
+  class FilePath
+    attr_reader :absolute, :relative
+    @cache = {}
+
+    # Create a new FilePath using an AppTree object.
+    #
+    # Note that if the path is already a FilePath, that path will
+    # be returned unaltered.
+    #
+    # Additionally, paths are cached. If the absolute path already has
+    # a FilePath in the cache, that existing FilePath will be returned.
+    def self.from_app_tree app_tree, path
+      return path if path.is_a? Brakeman::FilePath
+
+      absolute = app_tree.expand_path(path).freeze
+
+      if fp = @cache[absolute]
+        return fp
+      end
+
+      relative = app_tree.relative_path(path).freeze
+
+      self.new(absolute, relative).tap { |fp| @cache[absolute] = fp }
+    end
+
+    # Create a new FilePath with the given absolute and relative paths.
+    def initialize absolute_path, relative_path
+      @absolute = absolute_path
+      @relative = relative_path
+    end
+
+    # Just the file name, no path
+    def basename
+      @basename ||= File.basename(self.relative)
+    end
+
+    # Read file from absolute path.
+    def read
+      File.read self.absolute
+    end
+
+    # Check if absolute path exists.
+    def exists?
+      File.exist? self.absolute
+    end
+
+    # Compare FilePaths. Raises an ArgumentError unless both objects are FilePaths.
+    def <=> rhs
+      raise ArgumentError unless rhs.is_a? Brakeman::FilePath
+      self.relative <=> rhs.relative
+    end
+
+    # Compare FilePaths. Raises an ArgumentError unless both objects are FilePaths.
+    def == rhs
+      return false unless rhs.is_a? Brakeman::FilePath
+
+      self.absolute == rhs.absolute
+    end
+
+    # Returns a string with the absolute path.
+    def to_str
+      self.absolute
+    end
+
+    # Returns a string with the absolute path.
+    def to_s
+      self.to_str
+    end
+
+    def hash
+      @hash ||= [@absolute, @relative].hash
+    end
+
+    def eql? rhs
+      @absolute == rhs.absolute and
+        @relative == rhs.relative
+    end
+  end
+end

data/lib/brakeman/options.rb

@@ -82,6 +82,13 @@ module Brakeman::Options
           options[:rails5] = true
         end
 
+        opts.on "-6", "--rails6", "Force Rails 6 mode" do
+          options[:rails3] = true
+          options[:rails4] = true
+          options[:rails5] = true
+          options[:rails6] = true
+        end
+
         opts.separator ""
         opts.separator "Scanning options:"
 

data/lib/brakeman/parsers/haml_embedded.rb

@@ -0,0 +1,44 @@
+module Brakeman
+  module FakeHamlFilter
+    # Copied from Haml 4 - force delayed compilation
+    def compile(compiler, text)
+      filter = self
+      compiler.instance_eval do
+        text = unescape_interpolation(text).gsub(/(\\+)n/) do |s|
+          escapes = $1.size
+          next s if escapes % 2 == 0
+          ("\\" * (escapes - 1)) + "\n"
+        end
+        # We need to add a newline at the beginning to get the
+        # filter lines to line up (since the Haml filter contains
+        # a line that doesn't show up in the source, namely the
+        # filter name). Then we need to escape the trailing
+        # newline so that the whole filter block doesn't take up
+        # too many.
+        text = "\n" + text.sub(/\n"\Z/, "\\n\"")
+        push_script <<RUBY.rstrip, :escape_html => false
+find_and_preserve(#{filter.inspect}.render_with_options(#{text}, _hamlout.options))
+RUBY
+        return
+      end
+    end
+  end
+end
+
+# Fake CoffeeScript filter for Haml
+module Haml::Filters::Coffee
+  include Haml::Filters::Base
+  extend Brakeman::FakeHamlFilter
+end
+
+# Fake Markdown filter for Haml
+module Haml::Filters::Markdown
+  include Haml::Filters::Base
+  extend Brakeman::FakeHamlFilter
+end
+
+# Fake Sass filter for Haml
+module Haml::Filters::Sass
+  include Haml::Filters::Base
+  extend Brakeman::FakeHamlFilter
+end

data/lib/brakeman/parsers/slim_embedded.rb

@@ -0,0 +1,44 @@
+# Fake filters for Slim
+module Slim
+  class Embedded
+    class TiltEngine
+      def on_slim_embedded(engine, body, attrs)
+        # Override this method to avoid Slim trying to load sass/scss and failing
+        case engine
+        when :sass, :scss, :coffee
+          tilt_engine = nil # Doesn't really matter, ignored below
+        else
+          # Original Slim code
+          tilt_engine = Tilt[engine] || raise(Temple::FilterError, "Tilt engine #{engine} is not available.")
+        end
+
+        tilt_options = options[engine.to_sym] || {}
+        tilt_options[:default_encoding] ||= 'utf-8'
+
+        [:multi, tilt_render(tilt_engine, tilt_options, collect_text(body)), collect_newlines(body)]
+      end
+    end
+
+    class SassEngine
+      protected
+
+      def tilt_render(tilt_engine, tilt_options, text)
+        [:dynamic,
+         "BrakemanFilter.render(#{text.inspect}, #{self.class})"]
+      end
+    end
+
+    class CoffeeEngine < TiltEngine
+      protected
+
+      def tilt_render(tilt_engine, tilt_options, text)
+        [:dynamic,
+         "BrakemanFilter.render(#{text.inspect}, #{self.class})"]
+      end
+    end
+
+    # Override the engine for CoffeeScript, because Slim doesn't have
+    # one, it just uses Tilt's
+    register :coffee, JavaScriptEngine, engine: CoffeeEngine
+  end
+end

data/lib/brakeman/parsers/template_parser.rb

@@ -13,7 +13,7 @@ module Brakeman
     end
 
     def parse_template path, text
-      type = path.match(KNOWN_TEMPLATE_EXTENSIONS)[1].to_sym
+      type = path.relative.match(KNOWN_TEMPLATE_EXTENSIONS)[1].to_sym
       type = :erb if type == :rhtml
       name = template_path_to_name path
       Brakeman.debug "Parsing #{path}"
@@ -63,7 +63,7 @@ module Brakeman
         else
           ERB.new(text, nil, '-').src
         end
-        src.sub!(/^#.*\n/, '') if Brakeman::Scanner::RUBY_1_9
+        src.sub!(/^#.*\n/, '')
         src
       end
     end
@@ -75,21 +75,21 @@ module Brakeman
 
     def parse_haml path, text
       Brakeman.load_brakeman_dependency 'haml'
-      Brakeman.load_brakeman_dependency 'sass'
+      require_relative 'haml_embedded'
 
       Haml::Engine.new(text,
                        :filename => path,
-                       :escape_html => tracker.config.escape_html?).precompiled.gsub(/([^\\])\\n/, '\1')
+                       :escape_html => tracker.config.escape_html?,
+                       :escape_filter_interpolations => tracker.config.escape_filter_interpolations?
+                      ).precompiled.gsub(/([^\\])\\n/, '\1')
     rescue Haml::Error => e
       tracker.error e, ["While compiling HAML in #{path}"] << e.backtrace
       nil
-    rescue Sass::SyntaxError => e
-      tracker.error e, "While processing #{path}"
-      nil
     end
 
     def parse_slim path, text
       Brakeman.load_brakeman_dependency 'slim'
+      require_relative 'slim_embedded'
 
       Slim::Template.new(path,
                          :disable_capture => true,
@@ -97,7 +97,7 @@ module Brakeman
     end
 
     def self.parse_inline_erb tracker, text
-      fp = Brakeman::FileParser.new(tracker, nil)
+      fp = Brakeman::FileParser.new(tracker)
       tp = self.new(tracker, fp)
       src = tp.parse_erb '_inline_', text
       type = tp.erubis? ? :erubis : :erb

data/lib/brakeman/processor.rb

@@ -13,8 +13,7 @@ module Brakeman
     include Util
 
     def initialize(app_tree, options)
-      @app_tree = app_tree
-      @tracker = Tracker.new(@app_tree, self, options)
+      @tracker = Tracker.new(app_tree, self, options)
     end
 
     def tracked_events
@@ -39,7 +38,7 @@ module Brakeman
     #Process controller source. +file_name+ is used for reporting
     def process_controller src, file_name
       if contains_class? src
-        ControllerProcessor.new(@app_tree, @tracker).process_controller src, file_name
+        ControllerProcessor.new(@tracker).process_controller src, file_name
       else
         LibraryProcessor.new(@tracker).process_library src, file_name
       end
@@ -48,7 +47,7 @@ module Brakeman
     #Process variable aliasing in controller source and save it in the
     #tracker.
     def process_controller_alias name, src, only_method = nil, file = nil
-      ControllerAliasProcessor.new(@app_tree, @tracker, only_method).process_controller name, src, file
+      ControllerAliasProcessor.new(@tracker, only_method).process_controller name, src, file
     end
 
     #Process a model source
@@ -91,7 +90,7 @@ module Brakeman
     def process_initializer file_name, src
       res = BaseProcessor.new(@tracker).process_file src, file_name
       res = AliasProcessor.new(@tracker).process_safely res, nil, file_name
-      @tracker.initializers[Pathname.new(file_name).basename.to_s] = res
+      @tracker.initializers[file_name] = res
     end
 
     #Process source for a library file

data/lib/brakeman/processors/alias_processor.rb

@@ -20,19 +20,18 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   #The recommended usage is:
   #
   # AliasProcessor.new.process_safely src
-  def initialize tracker = nil, file_name = nil
+  def initialize tracker = nil, current_file = nil
     super()
     @env = SexpProcessor::Environment.new
     @inside_if = false
     @ignore_ifs = nil
     @exp_context = []
-    @current_module = nil
     @tracker = tracker #set in subclass as necessary
     @helper_method_cache = {}
     @helper_method_info = Hash.new({})
     @or_depth_limit = (tracker && tracker.options[:branch_limit]) || 5 #arbitrary default
     @meth_env = nil
-    @file_name = file_name
+    @current_file = current_file
     set_env_defaults
   end
 
@@ -44,8 +43,8 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   #
   #This method returns a new Sexp with variables replaced with their values,
   #where possible.
-  def process_safely src, set_env = nil, file_name = nil
-    @file_name = file_name
+  def process_safely src, set_env = nil, current_file = @current_file
+    @current_file = current_file
     @env = set_env || SexpProcessor::Environment.new
     @result = src.deep_clone
     process @result
@@ -66,7 +65,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         end
       end
     rescue => err
-      @tracker.error err if @tracker
+      if @tracker
+        @tracker.error err
+      else
+        raise err
+      end
     end
 
     result = replace(exp)
@@ -246,6 +249,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         end
         env[target_var] = target
         return first_arg
+      elsif new_string? target
+        env[target_var] = first_arg
+        return first_arg
       elsif array? target
         target << first_arg
         env[target_var] = target
@@ -262,10 +268,19 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       unless target.nil?
         exp = target
       end
+    when :dup
+      unless target.nil?
+        exp = target
+      end
     when :join
       if array? target and target.length > 2 and (string? first_arg or first_arg.nil?)
         exp = process_array_join(target, first_arg)
       end
+    when :!
+      #  Convert `!!a` to boolean
+      if call? target and target.method == :!
+        exp = s(:or, s(:true).line(exp.line), s(:false).line(exp.line)).line(exp.line)
+      end
     end
 
     exp
@@ -364,6 +379,8 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
           elsif e.is_a? Symbol
             local = Sexp.new(:lvar, e)
             env.current[local] = local
+          elsif e.nil? # trailing comma, argument destructuring
+            next # Punt for now
           else
             raise "Unexpected value in block args: #{e.inspect}"
           end
@@ -585,6 +602,24 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     exp
   end
 
+  def process_hash exp
+    exp = process_default(exp)
+
+    # Handle { **kw }
+    if node_type? exp, :hash
+      if exp.any? { |e| node_type? e, :kwsplat and node_type? e.value, :hash }
+        kwsplats, rest = exp.partition { |e| node_type? e, :kwsplat and node_type? e.value, :hash }
+        exp = Sexp.new.concat(rest).line(exp.line)
+
+        kwsplats.each do |e|
+          exp = process_hash_merge! exp, e.value
+        end
+      end
+    end
+
+    exp
+  end
+
   #Merge values into hash when processing
   #
   # h.merge! :something => "value"
@@ -671,7 +706,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     if @tracker
       @tracker.add_constant exp.lhs,
         exp.rhs,
-        :file => current_file_name,
+        :file => @current_file,
         :module => @current_module,
         :class => @current_class,
         :method => @current_method
@@ -1166,6 +1201,13 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     call? exp and exp.method == :raise
   end
 
+  STRING_NEW = s(:call, s(:const, :String), :new)
+
+  # String.new ?
+  def new_string? exp
+    exp == STRING_NEW
+  end
+
   #Set variable to given value.
   #Creates "branched" versions of values when appropriate.
   #Avoids creating multiple branched versions inside same