brakeman-lib 4.4.0 → 4.7.0

data/lib/brakeman/scanner.rb

@@ -1,5 +1,6 @@
 begin
   Brakeman.load_brakeman_dependency 'ruby_parser'
+  Brakeman.load_brakeman_dependency 'ruby_parser/legacy'
   require 'ruby_parser/bm_sexp.rb'
   require 'ruby_parser/bm_sexp_processor.rb'
   require 'brakeman/processor'
@@ -15,7 +16,6 @@ end
 #Scans the Rails application.
 class Brakeman::Scanner
   attr_reader :options
-  RUBY_1_9 = RUBY_VERSION >= "1.9.0"
 
   #Pass in path to the root of the Rails application
   def initialize options, processor = nil
@@ -65,7 +65,7 @@ class Brakeman::Scanner
   end
 
   def parse_files
-    fp = Brakeman::FileParser.new tracker, @app_tree
+    fp = Brakeman::FileParser.new tracker
 
     files = {
       :initializers => @app_tree.initializer_paths,
@@ -94,7 +94,7 @@ class Brakeman::Scanner
   #
   #Stores parsed information in tracker.config
   def process_config
-    if options[:rails3] or options[:rails4] or options[:rails5]
+    if options[:rails3] or options[:rails4] or options[:rails5] or options[:rails6]
       process_config_file "application.rb"
       process_config_file "environments/production.rb"
     else
@@ -110,15 +110,15 @@ class Brakeman::Scanner
     end
 
     if @app_tree.exists? ".ruby-version"
-      tracker.config.set_ruby_version @app_tree.read ".ruby-version"
+      tracker.config.set_ruby_version @app_tree.file_path(".ruby-version").read
     end
   end
 
   def process_config_file file
-    path = "config/#{file}"
+    path = @app_tree.file_path("config/#{file}")
 
-    if @app_tree.exists?(path)
-      @processor.process_config(parse_ruby(@app_tree.read(path)), path)
+    if path.exists?
+      @processor.process_config(parse_ruby_file(path), path)
     end
 
   rescue => e
@@ -131,20 +131,25 @@ class Brakeman::Scanner
   #Process Gemfile
   def process_gems
     gem_files = {}
+
     if @app_tree.exists? "Gemfile"
-      gem_files[:gemfile] = { :src => parse_ruby(@app_tree.read("Gemfile")), :file => "Gemfile" }
+      file = @app_tree.file_path("Gemfile")
+      gem_files[:gemfile] = { :src => parse_ruby_file(file), :file => file }
     elsif @app_tree.exists? "gems.rb"
-      gem_files[:gemfile] = { :src => parse_ruby(@app_tree.read("gems.rb")), :file => "gems.rb" }
+      file = @app_tree.file_path("gems.rb")
+      gem_files[:gemfile] = { :src => parse_ruby_file(file), :file => file }
     end
 
     if @app_tree.exists? "Gemfile.lock"
-      gem_files[:gemlock] = { :src => @app_tree.read("Gemfile.lock"), :file => "Gemfile.lock" }
+      file = @app_tree.file_path("Gemfile.lock")
+      gem_files[:gemlock] = { :src => file.read, :file => file }
     elsif @app_tree.exists? "gems.locked"
-      gem_files[:gemlock] = { :src => @app_tree.read("gems.locked"), :file => "gems.locked" }
+      file = @app_tree.file_path("gems.locked")
+      gem_files[:gemlock] = { :src => file.read, :file => file }
     end
 
     if @app_tree.gemspec
-      gem_files[:gemspec] = { :src => parse_ruby(@app_tree.read(@app_tree.gemspec)), :file => @app_tree.gemspec }
+      gem_files[:gemspec] = { :src => parse_ruby_file(@app_tree.gemspec), :file => @app_tree.gemspec }
     end
 
     if not gem_files.empty?
@@ -214,10 +219,10 @@ class Brakeman::Scanner
   #Adds parsed information to tracker.routes
   def process_routes
     if @app_tree.exists?("config/routes.rb")
-      begin
-        @processor.process_routes parse_ruby(@app_tree.read("config/routes.rb"))
-      rescue => e
-        tracker.error e.exception(e.message + "\nWhile processing routes.rb"), e.backtrace
+      file = @app_tree.file_path("config/routes.rb")
+      if routes_sexp = parse_ruby_file(file)
+        @processor.process_routes routes_sexp
+      else
         Brakeman.notify "[Notice] Error while processing routes - assuming all public controller methods are actions."
         options[:assume_all_routes] = true
       end
@@ -316,8 +321,9 @@ class Brakeman::Scanner
     tracker.index_call_sites
   end
 
-  def parse_ruby input
-    RubyParser.new.parse input
+  def parse_ruby_file file
+    fp = Brakeman::FileParser.new(self.tracker)
+    fp.parse_ruby(file.read, file)
   end
 end
 

data/lib/brakeman/tracker.rb

@@ -12,7 +12,7 @@ class Brakeman::Tracker
   attr_accessor :controllers, :constants, :templates, :models, :errors,
     :checks, :initializers, :config, :routes, :processor, :libs,
     :template_cache, :options, :filter_cache, :start_time, :end_time,
-    :duration, :ignored_filter
+    :duration, :ignored_filter, :app_tree
 
   #Place holder when there should be a model, but it is not
   #clear what model it will be.
@@ -34,7 +34,7 @@ class Brakeman::Tracker
     #we can match models later without knowing precisely what
     #class they are.
     @models = {}
-    @models[UNKNOWN_MODEL] = Brakeman::Model.new(UNKNOWN_MODEL, nil, nil, nil, self)
+    @models[UNKNOWN_MODEL] = Brakeman::Model.new(UNKNOWN_MODEL, nil, @app_tree.file_path("NOT_REAL.rb"), nil, self)
     @routes = {}
     @initializers = {}
     @errors = []
@@ -61,13 +61,17 @@ class Brakeman::Tracker
     Brakeman.debug exception
     Brakeman.debug backtrace
 
-    @errors << { :error => exception.to_s.gsub("\n", " "), :backtrace => backtrace }
+    @errors << {
+      :exception => exception,
+      :error => exception.to_s.gsub("\n", " "),
+      :backtrace => backtrace
+    }
   end
 
   #Run a set of checks on the current information. Results will be stored
   #in Tracker#checks.
   def run_checks
-    @checks = Brakeman::Checks.run_checks(@app_tree, self)
+    @checks = Brakeman::Checks.run_checks(self)
 
     @end_time = Time.now
     @duration = @end_time - @start_time
@@ -168,7 +172,7 @@ class Brakeman::Tracker
 
   #Returns a Report with this Tracker's information
   def report
-    Brakeman::Report.new(@app_tree, self)
+    Brakeman::Report.new(self)
   end
 
   def warnings
@@ -223,6 +227,10 @@ class Brakeman::Tracker
       finder.process_source template.src, :template => template, :file => template.file
     end
 
+    self.initializers.each do |file_name, src|
+      finder.process_all_source src, :file => file_name
+    end
+
     @call_index = Brakeman::CallIndex.new finder.calls
   end
 
@@ -233,8 +241,8 @@ class Brakeman::Tracker
   #
   #This will limit reindexing to the given sets
   def reindex_call_sites locations
-    #If reindexing templates, models, and controllers, just redo
-    #everything
+    #If reindexing templates, models, controllers,
+    #just redo everything.
     if locations.length == 3
       return index_call_sites
     end
@@ -256,6 +264,12 @@ class Brakeman::Tracker
       method_sets << self.controllers
     end
 
+    if locations.include? :initializers
+      self.initializers.each do |file_name, src|
+        @call_index.remove_indexes_by_file file_name
+      end
+    end
+
     @call_index.remove_indexes_by_class classes_to_reindex
 
     finder = Brakeman::FindAllCalls.new self
@@ -275,6 +289,12 @@ class Brakeman::Tracker
       end
     end
 
+    if locations.include? :initializers
+      self.initializers.each do |file_name, src|
+        finder.process_all_source src, :file => file_name
+      end
+    end
+
     @call_index.index_calls finder.calls
   end
 
@@ -359,4 +379,12 @@ class Brakeman::Tracker
   def reset_routes
     @routes = {}
   end
+
+  def reset_initializer path
+    @initializers.delete_if do |file, src|
+      path.relative.include? file
+    end
+
+    @call_index.remove_indexes_by_file path
+  end
 end

data/lib/brakeman/tracker/collection.rb

@@ -9,13 +9,14 @@ module Brakeman
     def initialize name, parent, file_name, src, tracker
       @name = name
       @parent = parent
-      @file_name = file_name
-      @files = [ file_name ]
-      @src = { file_name => src }
+      @files = []
+      @src = {}
       @includes = []
       @methods = { :public => {}, :private => {}, :protected => {} }
       @options = {}
       @tracker = tracker
+
+      add_file file_name, src
     end
 
     def ancestor? parent, seen={}

data/lib/brakeman/tracker/config.rb

@@ -4,10 +4,8 @@ module Brakeman
   class Config
     include Util
 
-    attr_reader :rails, :tracker
-    attr_accessor :rails_version, :ruby_version
+    attr_reader :gems, :rails, :ruby_version, :tracker
     attr_writer :erubis, :escape_html
-    attr_reader :gems
 
     def initialize tracker
       @tracker = tracker
@@ -19,16 +17,9 @@ module Brakeman
       @ruby_version = ""
     end
 
-    def allow_forgery_protection?
-      @rails[:action_controller] and
-        @rails[:action_controller][:allow_forgery_protection] == Sexp.new(:false)
-    end
-
     def default_protect_from_forgery?
-      if version_between? "5.2.0", "9.9.9"
-        if @rails[:action_controller] and
-            @rails[:action_controller][:default_protect_from_forgery] == Sexp.new(:false)
-
+      if version_between? "5.2.0.beta1", "9.9.9"
+        if @rails.dig(:action_controller, :default_protect_from_forgery) == Sexp.new(:false)
           return false
         else
           return true
@@ -48,17 +39,21 @@ module Brakeman
 
     def escape_html_entities_in_json?
       #TODO add version-specific information here
-      @rails[:active_support] and
-        true? @rails[:active_support][:escape_html_entities_in_json]
+      true? @rails.dig(:active_support, :escape_html_entities_in_json)
+    end
+
+    def escape_filter_interpolations?
+      # TODO see if app is actually turning this off itself
+      has_gem?(:haml) and
+        version_between? "5.0.0", "5.99", gem_version(:haml)
     end
 
     def whitelist_attributes?
-      @rails[:active_record] and
-        @rails[:active_record][:whitelist_attributes] == Sexp.new(:true)
+      @rails.dig(:active_record, :whitelist_attributes) == Sexp.new(:true)
     end
 
     def gem_version name
-      @gems[name] and @gems[name][:version]
+      extract_version @gems.dig(name, :version)
     end
 
     def add_gem name, version, file, line
@@ -78,11 +73,16 @@ module Brakeman
       @gems[name]
     end
 
-    def set_rails_version
-      # Ignore ~>, etc. when using values from Gemfile
-      version = gem_version(:rails) || gem_version(:railties)
-      if version and version.match(/(\d+\.\d+(\.\d+.*)?)/)
-        @rails_version = $1
+    def set_rails_version version = nil
+      version = if version
+                  # Only used by Rails2ConfigProcessor right now
+                  extract_version(version)
+                else
+                  gem_version(:rails) || gem_version(:railties)
+                end
+
+      if version
+        @rails_version = version
 
         if tracker.options[:rails3].nil? and tracker.options[:rails4].nil?
           if @rails_version.start_with? "3"
@@ -97,6 +97,12 @@ module Brakeman
             tracker.options[:rails4] = true
             tracker.options[:rails5] = true
             Brakeman.notify "[Notice] Detected Rails 5 application"
+          elsif @rails_version.start_with? "6"
+            tracker.options[:rails3] = true
+            tracker.options[:rails4] = true
+            tracker.options[:rails5] = true
+            tracker.options[:rails6] = true
+            Brakeman.notify "[Notice] Detected Rails 6 application"
           end
         end
       end
@@ -107,12 +113,20 @@ module Brakeman
       end
     end
 
+    def rails_version
+      # This needs to be here because Util#rails_version calls Tracker::Config#rails_version
+      # but Tracker::Config includes Util...
+      @rails_version
+    end
+
     def set_ruby_version version
+      @ruby_version = extract_version(version)
+    end
+
+    def extract_version version
       return unless version.is_a? String
 
-      if version =~ /(\d+\.\d+\.\d+)/
-        self.ruby_version = $1
-      end
+      version[/\d+\.\d+(\.\d+.*)?/]
     end
 
     #Returns true if low_version <= RAILS_VERSION <= high_version
@@ -122,33 +136,15 @@ module Brakeman
       current_version ||= rails_version
       return false unless current_version
 
-      version = current_version.split(".").map!(&:to_i)
-      low_version = low_version.split(".").map!(&:to_i)
-      high_version = high_version.split(".").map!(&:to_i)
-
-      version.each_with_index do |v, i|
-        if v < low_version.fetch(i, 0)
-          return false
-        elsif v > low_version.fetch(i, 0)
-          break
-        end
-      end
+      low = Gem::Version.new(low_version)
+      high = Gem::Version.new(high_version)
+      current = Gem::Version.new(current_version)
 
-      version.each_with_index do |v, i|
-        if v > high_version.fetch(i, 0)
-          return false
-        elsif v < high_version.fetch(i, 0)
-          break
-        end
-      end
-
-      true
+      current.between?(low, high)
     end
 
     def session_settings
-      @rails[:action_controller] &&
-        @rails[:action_controller][:session]
+      @rails.dig(:action_controller, :session)
     end
-
   end
 end

data/lib/brakeman/tracker/constants.rb

@@ -49,7 +49,7 @@ module Brakeman
     include Brakeman::Util
 
     def initialize
-      @constants = Hash.new { |h, k| h[k] = [] }
+      @constants = {}
     end
 
     def size
@@ -103,6 +103,7 @@ module Brakeman
       end
 
       base_name = Constants.get_constant_base_name(name)
+      @constants[base_name] ||= []
       @constants[base_name] << Constant.new(name, value, context)
     end
 

data/lib/brakeman/util.rb

@@ -94,11 +94,21 @@ module Brakeman::Util
   # end
   # names #["bob"]
   def hash_iterate hash
+    hash = remove_kwsplat(hash)
+
     1.step(hash.length - 1, 2) do |i|
       yield hash[i], hash[i + 1]
     end
   end
 
+  def remove_kwsplat exp
+    if exp.any? { |e| node_type? e, :kwsplat }
+      exp.reject { |e| node_type? e, :kwsplat }
+    else
+      exp
+    end
+  end
+
   #Insert value into Hash Sexp
   def hash_insert hash, key, value
     index = 1
@@ -264,6 +274,13 @@ module Brakeman::Util
     node_type? exp, :const, :colon2, :colon3
   end
 
+  def kwsplat? exp
+    exp.is_a? Sexp and
+      exp.node_type == :hash and
+      exp[1].is_a? Sexp and
+      exp[1].node_type == :kwsplat
+  end
+
   #Check if _exp_ is a Sexp.
   def sexp? exp
     exp.is_a? Sexp
@@ -329,158 +346,12 @@ module Brakeman::Util
     @tracker.config.rails_version
   end
 
-  #Return file name related to given warning. Uses +warning.file+ if it exists
-  def file_for warning, tracker = nil
-    if tracker.nil?
-      tracker = @tracker || self.tracker
-    end
-
-    if warning.file
-      File.expand_path warning.file, tracker.app_path
-    elsif warning.template and warning.template.file
-      warning.template.file
-    else
-      case warning.warning_set
-      when :controller
-        file_by_name warning.controller, :controller, tracker
-      when :template
-        file_by_name warning.template.name, :template, tracker
-      when :model
-        file_by_name warning.model, :model, tracker
-      when :warning
-        file_by_name warning.class, nil, tracker
-      else
-        nil
-      end
-    end
-  end
-
-  #Attempt to determine path to context file based on the reported name
-  #in the warning.
-  #
-  #For example,
-  #
-  #  file_by_name FileController #=> "/rails/root/app/controllers/file_controller.rb
-  def file_by_name name, type, tracker = nil
-    return nil unless name
-    string_name = name.to_s
-    name = name.to_sym
-
-    unless type
-      if string_name =~ /Controller$/
-        type = :controller
-      elsif camelize(string_name) == string_name # This is not always true
-        type = :model
-      else
-        type = :template
-      end
-    end
-
-    path = tracker.app_path
-
-    case type
-    when :controller
-      if tracker.controllers[name]
-        path = tracker.controllers[name].file
-      else
-        path += "/app/controllers/#{underscore(string_name)}.rb"
-      end
-    when :model
-      if tracker.models[name]
-        path = tracker.models[name].file
-      else
-        path += "/app/models/#{underscore(string_name)}.rb"
-      end
-    when :template
-      if tracker.templates[name] and tracker.templates[name].file
-        path = tracker.templates[name].file
-      elsif string_name.include? " "
-        name = string_name.split[0].to_sym
-        path = file_for tracker, name, :template
-      else
-        path = nil
-      end
-    end
-
-    path
-  end
-
-  #Return array of lines surrounding the warning location from the original
-  #file.
-  def context_for app_tree, warning, tracker = nil
-    file = file_for warning, tracker
-    context = []
-    return context unless warning.line and file and @app_tree.path_exists? file
-
-    current_line = 0
-    start_line = warning.line - 5
-    end_line = warning.line + 5
-
-    start_line = 1 if start_line < 0
-
-    File.open file do |f|
-      f.each_line do |line|
-        current_line += 1
-
-        next if line.strip == ""
-
-        if current_line > end_line
-          break
-        end
-
-        if current_line >= start_line
-          context << [current_line, line]
-        end
-      end
-    end
-
-    context
-  end
-
-  def relative_path file
-    pname = Pathname.new file
-    if file and not file.empty? and pname.absolute?
-      pname.relative_path_from(Pathname.new(@tracker.app_path)).to_s
-    else
-      file
-    end
-  end
-
   #Convert path/filename to view name
   #
   # views/test/something.html.erb -> test/something
   def template_path_to_name path
-    names = path.split("/")
+    names = path.relative.split("/")
     names.last.gsub!(/(\.(html|js)\..*|\.(rhtml|haml|erb|slim))$/, '')
     names[(names.index("views") + 1)..-1].join("/").to_sym
   end
-
-  def github_url file, line=nil
-    if repo_url = @tracker.options[:github_url] and file and not file.empty? and file.start_with? '/'
-      url = "#{repo_url}/#{relative_path(file)}"
-      url << "#L#{line}" if line
-    else
-      nil
-    end
-  end
-
-  def truncate_table str
-    @terminal_width ||= if @tracker.options[:table_width]
-                          @tracker.options[:table_width]
-                        elsif $stdin && $stdin.tty?
-                          Brakeman.load_brakeman_dependency 'highline'
-                          ::HighLine.new.terminal_size[0]
-                        else
-                          80
-                        end
-    lines = str.lines
-
-    lines.map do |line|
-      if line.chomp.length > @terminal_width
-        line[0..(@terminal_width - 3)] + ">>\n"
-      else
-        line
-      end
-    end.join
-  end
 end