brakeman-lib 4.4.0 → 4.7.0

Files changed (97)
  1. checksums.yaml +4 -4
  2. data/CHANGES.md +63 -0
  3. data/README.md +6 -7
  4. data/lib/brakeman.rb +7 -0
  5. data/lib/brakeman/app_tree.rb +34 -22
  6. data/lib/brakeman/call_index.rb +54 -15
  7. data/lib/brakeman/checks.rb +7 -7
  8. data/lib/brakeman/checks/base_check.rb +75 -56
  9. data/lib/brakeman/checks/check_content_tag.rb +12 -0
  10. data/lib/brakeman/checks/check_cookie_serialization.rb +22 -0
  11. data/lib/brakeman/checks/check_cross_site_scripting.rb +15 -10
  12. data/lib/brakeman/checks/check_default_routes.rb +5 -0
  13. data/lib/brakeman/checks/check_deserialize.rb +49 -0
  14. data/lib/brakeman/checks/check_dynamic_finders.rb +1 -1
  15. data/lib/brakeman/checks/check_evaluation.rb +0 -1
  16. data/lib/brakeman/checks/check_execute.rb +44 -1
  17. data/lib/brakeman/checks/check_file_access.rb +7 -1
  18. data/lib/brakeman/checks/check_force_ssl.rb +27 -0
  19. data/lib/brakeman/checks/check_header_dos.rb +2 -2
  20. data/lib/brakeman/checks/check_i18n_xss.rb +2 -2
  21. data/lib/brakeman/checks/check_jruby_xml.rb +2 -2
  22. data/lib/brakeman/checks/check_json_parsing.rb +7 -2
  23. data/lib/brakeman/checks/check_link_to_href.rb +6 -1
  24. data/lib/brakeman/checks/check_mail_to.rb +1 -1
  25. data/lib/brakeman/checks/check_mime_type_dos.rb +2 -2
  26. data/lib/brakeman/checks/check_model_attr_accessible.rb +1 -1
  27. data/lib/brakeman/checks/check_model_attributes.rb +12 -50
  28. data/lib/brakeman/checks/check_model_serialize.rb +1 -1
  29. data/lib/brakeman/checks/check_nested_attributes_bypass.rb +4 -4
  30. data/lib/brakeman/checks/check_reverse_tabnabbing.rb +54 -0
  31. data/lib/brakeman/checks/check_sanitize_methods.rb +2 -2
  32. data/lib/brakeman/checks/check_secrets.rb +1 -1
  33. data/lib/brakeman/checks/check_send.rb +0 -1
  34. data/lib/brakeman/checks/check_session_manipulation.rb +0 -1
  35. data/lib/brakeman/checks/check_session_settings.rb +15 -12
  36. data/lib/brakeman/checks/check_simple_format.rb +5 -0
  37. data/lib/brakeman/checks/check_skip_before_filter.rb +1 -1
  38. data/lib/brakeman/checks/check_sql.rb +27 -20
  39. data/lib/brakeman/checks/check_validation_regex.rb +1 -1
  40. data/lib/brakeman/checks/check_xml_dos.rb +2 -2
  41. data/lib/brakeman/checks/check_yaml_parsing.rb +10 -18
  42. data/lib/brakeman/differ.rb +16 -28
  43. data/lib/brakeman/file_parser.rb +6 -8
  44. data/lib/brakeman/file_path.rb +85 -0
  45. data/lib/brakeman/options.rb +7 -0
  46. data/lib/brakeman/parsers/haml_embedded.rb +44 -0
  47. data/lib/brakeman/parsers/slim_embedded.rb +44 -0
  48. data/lib/brakeman/parsers/template_parser.rb +8 -8
  49. data/lib/brakeman/processor.rb +4 -5
  50. data/lib/brakeman/processors/alias_processor.rb +49 -7
  51. data/lib/brakeman/processors/base_processor.rb +10 -7
  52. data/lib/brakeman/processors/controller_alias_processor.rb +10 -7
  53. data/lib/brakeman/processors/controller_processor.rb +9 -13
  54. data/lib/brakeman/processors/gem_processor.rb +10 -2
  55. data/lib/brakeman/processors/haml_template_processor.rb +92 -123
  56. data/lib/brakeman/processors/lib/call_conversion_helper.rb +4 -0
  57. data/lib/brakeman/processors/lib/find_all_calls.rb +27 -4
  58. data/lib/brakeman/processors/lib/find_call.rb +3 -64
  59. data/lib/brakeman/processors/lib/module_helper.rb +8 -8
  60. data/lib/brakeman/processors/lib/processor_helper.rb +3 -3
  61. data/lib/brakeman/processors/lib/rails2_config_processor.rb +4 -4
  62. data/lib/brakeman/processors/lib/rails2_route_processor.rb +2 -2
  63. data/lib/brakeman/processors/lib/rails3_config_processor.rb +3 -3
  64. data/lib/brakeman/processors/lib/rails3_route_processor.rb +2 -2
  65. data/lib/brakeman/processors/lib/render_helper.rb +2 -2
  66. data/lib/brakeman/processors/lib/render_path.rb +18 -1
  67. data/lib/brakeman/processors/library_processor.rb +5 -5
  68. data/lib/brakeman/processors/model_processor.rb +4 -5
  69. data/lib/brakeman/processors/output_processor.rb +5 -0
  70. data/lib/brakeman/processors/slim_template_processor.rb +16 -0
  71. data/lib/brakeman/processors/template_alias_processor.rb +32 -5
  72. data/lib/brakeman/processors/template_processor.rb +14 -10
  73. data/lib/brakeman/report.rb +3 -3
  74. data/lib/brakeman/report/ignore/config.rb +2 -3
  75. data/lib/brakeman/report/ignore/interactive.rb +2 -2
  76. data/lib/brakeman/report/pager.rb +1 -0
  77. data/lib/brakeman/report/report_base.rb +51 -6
  78. data/lib/brakeman/report/report_codeclimate.rb +3 -3
  79. data/lib/brakeman/report/report_hash.rb +1 -1
  80. data/lib/brakeman/report/report_html.rb +2 -2
  81. data/lib/brakeman/report/report_json.rb +1 -24
  82. data/lib/brakeman/report/report_table.rb +20 -4
  83. data/lib/brakeman/report/report_tabs.rb +1 -1
  84. data/lib/brakeman/report/report_text.rb +2 -2
  85. data/lib/brakeman/rescanner.rb +13 -12
  86. data/lib/brakeman/scanner.rb +24 -18
  87. data/lib/brakeman/tracker.rb +35 -7
  88. data/lib/brakeman/tracker/collection.rb +4 -3
  89. data/lib/brakeman/tracker/config.rb +44 -48
  90. data/lib/brakeman/tracker/constants.rb +2 -1
  91. data/lib/brakeman/util.rb +18 -147
  92. data/lib/brakeman/version.rb +1 -1
  93. data/lib/brakeman/warning.rb +27 -13
  94. data/lib/brakeman/warning_codes.rb +4 -0
  95. data/lib/ruby_parser/bm_sexp.rb +1 -1
  96. data/lib/ruby_parser/bm_sexp_processor.rb +1 -0
  97. metadata +58 -43
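--- a/data/lib/brakeman/version.rb
+++ b/data/lib/brakeman/version.rb
@@ -1,3 +1,3 @@
 module Brakeman
-Version = "4.4.0"
+Version = "4.7.0"
 end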
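--- a/data/lib/brakeman/warning.rb
+++ b/data/lib/brakeman/warning.rb
@@ -9,7 +9,7 @@ class Brakeman::Warning
 :line, :method, :model, :template, :user_input, :user_input_type,
 :warning_code, :warning_set, :warning_type
 
-attr_accessor :code, :context, :file, :message, :relative_path
+attr_accessor :code, :context, :file, :message
 
 TEXT_CONFIDENCE = {
 0 => "High",
@@ -34,11 +34,11 @@ class Brakeman::Warning
 :file => :@file,
 :gem_info => :@gem_info,
 :line => :@line,
+:link => :@link,
 :link_path => :@link_path,
 :message => :@message,
 :method => :@method,
 :model => :@model,
-:relative_path => :@relative_path,
 :template => :@template,
 :user_input => :@user_input,
 :warning_set => :@warning_set,
@@ -100,9 +100,11 @@ class Brakeman::Warning
 unless @warning_set
 if self.model
 @warning_set = :model
+@file ||= self.model.file
 elsif self.template
 @warning_set = :template
 @called_from = self.template.render_path
+@file ||= self.template.file
 elsif self.controller
 @warning_set = :controller
 else
@@ -112,6 +114,8 @@ class Brakeman::Warning
 
 if options[:warning_code]
 @warning_code = Brakeman::WarningCodes.code options[:warning_code]
+else
+@warning_code = nil
 end
 
 Brakeman.debug("Warning created without warning code: #{options[:warning_code]}") unless @warning_code
@@ -221,7 +225,7 @@ class Brakeman::Warning
 when :template
 @row["Template"] = self.view_name.to_s
 when :model
-@row["Model"] = self.model.to_s
+@row["Model"] = self.model.name.to_s
 when :controller
 @row["Controller"] = self.controller.to_s
 when :warning
@@ -235,7 +239,7 @@ class Brakeman::Warning
 def to_s
 output = "(#{TEXT_CONFIDENCE[self.confidence]}) #{self.warning_type} - #{self.message}"
 output << " near line #{self.line}" if self.line
-output << " in #{self.file}" if self.file
+output << " in #{self.file.relative}" if self.file
 output << ": #{self.format_code}" if self.code
 
 output
@@ -247,37 +251,47 @@ class Brakeman::Warning
 warning_code_string = sprintf("%03d", @warning_code)
 code_string = @code.inspect
 
-Digest::SHA2.new(256).update("#{warning_code_string}#{code_string}#{location_string}#{@relative_path}#{self.confidence}").to_s
+Digest::SHA2.new(256).update("#{warning_code_string}#{code_string}#{location_string}#{self.file.relative}#{self.confidence}").to_s
 end
 
 def location include_renderer = true
 case @warning_set
 when :template
-location = { :type => :template, :template => self.view_name(include_renderer) }
+{ :type => :template, :template => self.view_name(include_renderer) }
 when :model
-location = { :type => :model, :model => self.model }
+{ :type => :model, :model => self.model.name }
 when :controller
-location = { :type => :controller, :controller => self.controller }
+{ :type => :controller, :controller => self.controller }
 when :warning
 if self.class
-location = { :type => :method, :class => self.class, :method => self.method }
+{ :type => :method, :class => self.class, :method => self.method }
 else
-location = nil
+nil
 end
 end
 end
 
-def to_hash
+def relative_path
+self.file.relative
+end
+
+def to_hash absolute_paths: true
+if self.called_from and not absolute_paths
+render_path = self.called_from.with_relative_paths
+else
+render_path = self.called_from
+end
+
 { :warning_type => self.warning_type,
 :warning_code => @warning_code,
 :fingerprint => self.fingerprint,
 :check_name => self.check.gsub(/^Brakeman::Check/, ''),
 :message => self.message.to_s,
-:file => self.file,
+:file => (absolute_paths ? self.file.absolute : self.file.relative),
 :line => self.line,
 :link => self.link,
 :code => (@code && self.format_code(false)),
-:render_path => self.called_from,
+:render_path => render_path,
 :location => self.location(false),
 :user_input => (@user_input && self.format_user_input(false)),
 :confidence => TEXT_CONFIDENCE[self.confidence]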
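Review bot: `fingerprint` (new line 254) and `to_hash` (new line 290) now dereference `self.file` unconditionally, whereas `to_s` in the hunk just above keeps its `if self.file` guard; the initializer hunk adds an `@file ||=` fallback only for the `:model` and `:template` sets, so a `:controller` or plain `:warning` warning built without a `:file` option would now raise NoMethodError from the reporter instead of producing a fingerprint with an empty path component as the old `@relative_path` interpolation did. Either keep the guard consistent — `:file => (self.file && (absolute_paths ? self.file.absolute : self.file.relative))` and the equivalent in `fingerprint` — or document on `attr_accessor :file` that the value must respond to `relative`/`absolute` (presumably the `Brakeman::FilePath` added in `file_path.rb` this release), since the public writer still accepts a plain String that would fail at `.relative`. Since `fingerprint` swaps `@relative_path` for `self.file.relative`, fingerprint stability across the upgrade — and with it the validity of existing ignore entries handled by `report/ignore/config.rb` — depends on those two producing byte-identical strings; a one-line comment stating that invariant next to the `Digest::SHA2` call would protect it from later edits to `FilePath#relative`. `fingerprint`'s definition begins above this hunk.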
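--- a/data/lib/brakeman/warning_codes.rb
+++ b/data/lib/brakeman/warning_codes.rb
@@ -110,6 +110,10 @@ module Brakeman::WarningCodes
 :CVE_2018_8048 => 106,
 :CVE_2018_3741 => 107,
 :CVE_2018_3760 => 108,
+:force_ssl_disabled => 109,
+:unsafe_cookie_serialization => 110,
+:reverse_tabnabbing => 111,
+:custom_check => 9090,
 }
 
 def self.code name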
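Review bot: The new entries `:force_ssl_disabled => 109` through `:custom_check => 9090` carry no comment explaining why `custom_check` jumps out of the sequential range, and nothing on the table records that the numeric value is embedded in every warning fingerprint (`sprintf("%03d", @warning_code)` in warning.rb on this same page), so renumbering or reusing an id would silently invalidate existing fingerprints. A table-level comment such as `# Codes are part of the warning fingerprint: never reuse or renumber an existing entry.` plus a short note on the intended meaning of the out-of-sequence `9090` would make that contract explicit for the next person adding a check. The enclosing hash begins above this hunk.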
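--- a/data/lib/ruby_parser/bm_sexp.rb
+++ b/data/lib/ruby_parser/bm_sexp.rb
@@ -40,7 +40,7 @@ class Sexp
 s.line(line)
 else
 s.original_line = self.original_line
-s.line(self.line)
+s.line(self.line) if self.line
 end
 
 s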
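--- a/data/lib/ruby_parser/bm_sexp_processor.rb
+++ b/data/lib/ruby_parser/bm_sexp_processor.rb
@@ -45,6 +45,7 @@ class Brakeman::SexpProcessor
 @expected = Sexp
 @processors = self.class.processors
 @context = []
+@current_class = @current_module = @current_method = @visibility = nil
 
 if @processors.empty?
 public_methods.each do |name|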
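--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-version: 4.4.0
+version: 4.7.0
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2019-01-17 00:00:00.000000000 Z
+date: 2019-10-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: minitest
@@ -25,20 +25,62 @@ dependencies:
 - - ">="
 - !ruby/object:Gem::Version
 version: '0'
+- !ruby/object:Gem::Dependency
+name: minitest-ci
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: simplecov
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
 - !ruby/object:Gem::Dependency
 name: ruby_parser
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '3.12'
+version: '3.13'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '3.13'
+- !ruby/object:Gem::Dependency
+name: ruby_parser-legacy
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.0'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '3.12'
+version: '1.0'
 - !ruby/object:Gem::Dependency
 name: sexp_processor
 requirement: !ruby/object:Gem::Requirement
@@ -99,20 +141,14 @@ dependencies:
 name: highline
 requirement: !ruby/object:Gem::Requirement
 requirements:
-- - ">="
-- !ruby/object:Gem::Version
-version: 1.6.20
-- - "<"
+- - "~>"
 - !ruby/object:Gem::Version
 version: '2.0'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
-- - ">="
-- !ruby/object:Gem::Version
-version: 1.6.20
-- - "<"
+- - "~>"
 - !ruby/object:Gem::Version
 version: '2.0'
 - !ruby/object:Gem::Dependency
@@ -131,44 +167,18 @@ dependencies:
 version: '2.6'
 - !ruby/object:Gem::Dependency
 name: haml
-requirement: !ruby/object:Gem::Requirement
-requirements:
-- - ">="
-- !ruby/object:Gem::Version
-version: '3.0'
-- - "<"
-- !ruby/object:Gem::Version
-version: '5.0'
-type: :runtime
-prerelease: false
-version_requirements: !ruby/object:Gem::Requirement
-requirements:
-- - ">="
-- !ruby/object:Gem::Version
-version: '3.0'
-- - "<"
-- !ruby/object:Gem::Version
-version: '5.0'
-- !ruby/object:Gem::Dependency
-name: sass
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '3.0'
-- - "<"
-- !ruby/object:Gem::Version
-version: 3.5.0
+version: '5.1'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '3.0'
-- - "<"
-- !ruby/object:Gem::Version
-version: 3.5.0
+version: '5.1'
 - !ruby/object:Gem::Dependency
 name: slim
 requirement: !ruby/object:Gem::Requirement
@@ -210,6 +220,7 @@ files:
 - lib/brakeman/checks/check_basic_auth.rb
 - lib/brakeman/checks/check_basic_auth_timing_attack.rb
 - lib/brakeman/checks/check_content_tag.rb
+- lib/brakeman/checks/check_cookie_serialization.rb
 - lib/brakeman/checks/check_create_with.rb
 - lib/brakeman/checks/check_cross_site_scripting.rb
 - lib/brakeman/checks/check_default_routes.rb
@@ -224,6 +235,7 @@ files:
 - lib/brakeman/checks/check_file_access.rb
 - lib/brakeman/checks/check_file_disclosure.rb
 - lib/brakeman/checks/check_filter_skipping.rb
+- lib/brakeman/checks/check_force_ssl.rb
 - lib/brakeman/checks/check_forgery_setting.rb
 - lib/brakeman/checks/check_header_dos.rb
 - lib/brakeman/checks/check_i18n_xss.rb
@@ -249,6 +261,7 @@ files:
 - lib/brakeman/checks/check_render_dos.rb
 - lib/brakeman/checks/check_render_inline.rb
 - lib/brakeman/checks/check_response_splitting.rb
+- lib/brakeman/checks/check_reverse_tabnabbing.rb
 - lib/brakeman/checks/check_route_dos.rb
 - lib/brakeman/checks/check_safe_buffer_manipulation.rb
 - lib/brakeman/checks/check_sanitize_methods.rb
@@ -281,12 +294,15 @@ files:
 - lib/brakeman/commandline.rb
 - lib/brakeman/differ.rb
 - lib/brakeman/file_parser.rb
+- lib/brakeman/file_path.rb
 - lib/brakeman/format/style.css
 - lib/brakeman/messages.rb
 - lib/brakeman/options.rb
+- lib/brakeman/parsers/haml_embedded.rb
 - lib/brakeman/parsers/rails2_erubis.rb
 - lib/brakeman/parsers/rails2_xss_plugin_erubis.rb
 - lib/brakeman/parsers/rails3_erubis.rb
+- lib/brakeman/parsers/slim_embedded.rb
 - lib/brakeman/parsers/template_parser.rb
 - lib/brakeman/processor.rb
 - lib/brakeman/processors/alias_processor.rb
@@ -366,7 +382,7 @@ files:
 - lib/ruby_parser/bm_sexp_processor.rb
 homepage: http://brakemanscanner.org
 licenses:
-- CC-BY-NC-SA-4.0
+- Brakeman Public Use License
 metadata: {}
 post_install_message:
 rdoc_options: []
@@ -383,8 +399,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.7.8
+rubygems_version: 3.0.3
 signing_key:
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.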