brakeman-lib 4.4.0 → 4.7.0

  1. checksums.yaml +4 -4
  2. data/CHANGES.md +63 -0
  3. data/README.md +6 -7
  4. data/lib/brakeman.rb +7 -0
  5. data/lib/brakeman/app_tree.rb +34 -22
  6. data/lib/brakeman/call_index.rb +54 -15
  7. data/lib/brakeman/checks.rb +7 -7
  8. data/lib/brakeman/checks/base_check.rb +75 -56
  9. data/lib/brakeman/checks/check_content_tag.rb +12 -0
  10. data/lib/brakeman/checks/check_cookie_serialization.rb +22 -0
  11. data/lib/brakeman/checks/check_cross_site_scripting.rb +15 -10
  12. data/lib/brakeman/checks/check_default_routes.rb +5 -0
  13. data/lib/brakeman/checks/check_deserialize.rb +49 -0
  14. data/lib/brakeman/checks/check_dynamic_finders.rb +1 -1
  15. data/lib/brakeman/checks/check_evaluation.rb +0 -1
  16. data/lib/brakeman/checks/check_execute.rb +44 -1
  17. data/lib/brakeman/checks/check_file_access.rb +7 -1
  18. data/lib/brakeman/checks/check_force_ssl.rb +27 -0
  19. data/lib/brakeman/checks/check_header_dos.rb +2 -2
  20. data/lib/brakeman/checks/check_i18n_xss.rb +2 -2
  21. data/lib/brakeman/checks/check_jruby_xml.rb +2 -2
  22. data/lib/brakeman/checks/check_json_parsing.rb +7 -2
  23. data/lib/brakeman/checks/check_link_to_href.rb +6 -1
  24. data/lib/brakeman/checks/check_mail_to.rb +1 -1
  25. data/lib/brakeman/checks/check_mime_type_dos.rb +2 -2
  26. data/lib/brakeman/checks/check_model_attr_accessible.rb +1 -1
  27. data/lib/brakeman/checks/check_model_attributes.rb +12 -50
  28. data/lib/brakeman/checks/check_model_serialize.rb +1 -1
  29. data/lib/brakeman/checks/check_nested_attributes_bypass.rb +4 -4
  30. data/lib/brakeman/checks/check_reverse_tabnabbing.rb +54 -0
  31. data/lib/brakeman/checks/check_sanitize_methods.rb +2 -2
  32. data/lib/brakeman/checks/check_secrets.rb +1 -1
  33. data/lib/brakeman/checks/check_send.rb +0 -1
  34. data/lib/brakeman/checks/check_session_manipulation.rb +0 -1
  35. data/lib/brakeman/checks/check_session_settings.rb +15 -12
  36. data/lib/brakeman/checks/check_simple_format.rb +5 -0
  37. data/lib/brakeman/checks/check_skip_before_filter.rb +1 -1
  38. data/lib/brakeman/checks/check_sql.rb +27 -20
  39. data/lib/brakeman/checks/check_validation_regex.rb +1 -1
  40. data/lib/brakeman/checks/check_xml_dos.rb +2 -2
  41. data/lib/brakeman/checks/check_yaml_parsing.rb +10 -18
  42. data/lib/brakeman/differ.rb +16 -28
  43. data/lib/brakeman/file_parser.rb +6 -8
  44. data/lib/brakeman/file_path.rb +85 -0
  45. data/lib/brakeman/options.rb +7 -0
  46. data/lib/brakeman/parsers/haml_embedded.rb +44 -0
  47. data/lib/brakeman/parsers/slim_embedded.rb +44 -0
  48. data/lib/brakeman/parsers/template_parser.rb +8 -8
  49. data/lib/brakeman/processor.rb +4 -5
  50. data/lib/brakeman/processors/alias_processor.rb +49 -7
  51. data/lib/brakeman/processors/base_processor.rb +10 -7
  52. data/lib/brakeman/processors/controller_alias_processor.rb +10 -7
  53. data/lib/brakeman/processors/controller_processor.rb +9 -13
  54. data/lib/brakeman/processors/gem_processor.rb +10 -2
  55. data/lib/brakeman/processors/haml_template_processor.rb +92 -123
  56. data/lib/brakeman/processors/lib/call_conversion_helper.rb +4 -0
  57. data/lib/brakeman/processors/lib/find_all_calls.rb +27 -4
  58. data/lib/brakeman/processors/lib/find_call.rb +3 -64
  59. data/lib/brakeman/processors/lib/module_helper.rb +8 -8
  60. data/lib/brakeman/processors/lib/processor_helper.rb +3 -3
  61. data/lib/brakeman/processors/lib/rails2_config_processor.rb +4 -4
  62. data/lib/brakeman/processors/lib/rails2_route_processor.rb +2 -2
  63. data/lib/brakeman/processors/lib/rails3_config_processor.rb +3 -3
  64. data/lib/brakeman/processors/lib/rails3_route_processor.rb +2 -2
  65. data/lib/brakeman/processors/lib/render_helper.rb +2 -2
  66. data/lib/brakeman/processors/lib/render_path.rb +18 -1
  67. data/lib/brakeman/processors/library_processor.rb +5 -5
  68. data/lib/brakeman/processors/model_processor.rb +4 -5
  69. data/lib/brakeman/processors/output_processor.rb +5 -0
  70. data/lib/brakeman/processors/slim_template_processor.rb +16 -0
  71. data/lib/brakeman/processors/template_alias_processor.rb +32 -5
  72. data/lib/brakeman/processors/template_processor.rb +14 -10
  73. data/lib/brakeman/report.rb +3 -3
  74. data/lib/brakeman/report/ignore/config.rb +2 -3
  75. data/lib/brakeman/report/ignore/interactive.rb +2 -2
  76. data/lib/brakeman/report/pager.rb +1 -0
  77. data/lib/brakeman/report/report_base.rb +51 -6
  78. data/lib/brakeman/report/report_codeclimate.rb +3 -3
  79. data/lib/brakeman/report/report_hash.rb +1 -1
  80. data/lib/brakeman/report/report_html.rb +2 -2
  81. data/lib/brakeman/report/report_json.rb +1 -24
  82. data/lib/brakeman/report/report_table.rb +20 -4
  83. data/lib/brakeman/report/report_tabs.rb +1 -1
  84. data/lib/brakeman/report/report_text.rb +2 -2
  85. data/lib/brakeman/rescanner.rb +13 -12
  86. data/lib/brakeman/scanner.rb +24 -18
  87. data/lib/brakeman/tracker.rb +35 -7
  88. data/lib/brakeman/tracker/collection.rb +4 -3
  89. data/lib/brakeman/tracker/config.rb +44 -48
  90. data/lib/brakeman/tracker/constants.rb +2 -1
  91. data/lib/brakeman/util.rb +18 -147
  92. data/lib/brakeman/version.rb +1 -1
  93. data/lib/brakeman/warning.rb +27 -13
  94. data/lib/brakeman/warning_codes.rb +4 -0
  95. data/lib/ruby_parser/bm_sexp.rb +1 -1
  96. data/lib/ruby_parser/bm_sexp_processor.rb +1 -0
  97. metadata +58 -43
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "4.4.0"
2
+ Version = "4.7.0"
3
3
  end
@@ -9,7 +9,7 @@ class Brakeman::Warning
9
9
  :line, :method, :model, :template, :user_input, :user_input_type,
10
10
  :warning_code, :warning_set, :warning_type
11
11
 
12
- attr_accessor :code, :context, :file, :message, :relative_path
12
+ attr_accessor :code, :context, :file, :message
13
13
 
14
14
  TEXT_CONFIDENCE = {
15
15
  0 => "High",
@@ -34,11 +34,11 @@ class Brakeman::Warning
34
34
  :file => :@file,
35
35
  :gem_info => :@gem_info,
36
36
  :line => :@line,
37
+ :link => :@link,
37
38
  :link_path => :@link_path,
38
39
  :message => :@message,
39
40
  :method => :@method,
40
41
  :model => :@model,
41
- :relative_path => :@relative_path,
42
42
  :template => :@template,
43
43
  :user_input => :@user_input,
44
44
  :warning_set => :@warning_set,
@@ -100,9 +100,11 @@ class Brakeman::Warning
100
100
  unless @warning_set
101
101
  if self.model
102
102
  @warning_set = :model
103
+ @file ||= self.model.file
103
104
  elsif self.template
104
105
  @warning_set = :template
105
106
  @called_from = self.template.render_path
107
+ @file ||= self.template.file
106
108
  elsif self.controller
107
109
  @warning_set = :controller
108
110
  else
@@ -112,6 +114,8 @@ class Brakeman::Warning
112
114
 
113
115
  if options[:warning_code]
114
116
  @warning_code = Brakeman::WarningCodes.code options[:warning_code]
117
+ else
118
+ @warning_code = nil
115
119
  end
116
120
 
117
121
  Brakeman.debug("Warning created without warning code: #{options[:warning_code]}") unless @warning_code
@@ -221,7 +225,7 @@ class Brakeman::Warning
221
225
  when :template
222
226
  @row["Template"] = self.view_name.to_s
223
227
  when :model
224
- @row["Model"] = self.model.to_s
228
+ @row["Model"] = self.model.name.to_s
225
229
  when :controller
226
230
  @row["Controller"] = self.controller.to_s
227
231
  when :warning
@@ -235,7 +239,7 @@ class Brakeman::Warning
235
239
  def to_s
236
240
  output = "(#{TEXT_CONFIDENCE[self.confidence]}) #{self.warning_type} - #{self.message}"
237
241
  output << " near line #{self.line}" if self.line
238
- output << " in #{self.file}" if self.file
242
+ output << " in #{self.file.relative}" if self.file
239
243
  output << ": #{self.format_code}" if self.code
240
244
 
241
245
  output
@@ -247,37 +251,47 @@ class Brakeman::Warning
247
251
  warning_code_string = sprintf("%03d", @warning_code)
248
252
  code_string = @code.inspect
249
253
 
250
- Digest::SHA2.new(256).update("#{warning_code_string}#{code_string}#{location_string}#{@relative_path}#{self.confidence}").to_s
254
+ Digest::SHA2.new(256).update("#{warning_code_string}#{code_string}#{location_string}#{self.file.relative}#{self.confidence}").to_s
251
255
  end
252
256
 
253
257
  def location include_renderer = true
254
258
  case @warning_set
255
259
  when :template
256
- location = { :type => :template, :template => self.view_name(include_renderer) }
260
+ { :type => :template, :template => self.view_name(include_renderer) }
257
261
  when :model
258
- location = { :type => :model, :model => self.model }
262
+ { :type => :model, :model => self.model.name }
259
263
  when :controller
260
- location = { :type => :controller, :controller => self.controller }
264
+ { :type => :controller, :controller => self.controller }
261
265
  when :warning
262
266
  if self.class
263
- location = { :type => :method, :class => self.class, :method => self.method }
267
+ { :type => :method, :class => self.class, :method => self.method }
264
268
  else
265
- location = nil
269
+ nil
266
270
  end
267
271
  end
268
272
  end
269
273
 
270
- def to_hash
274
+ def relative_path
275
+ self.file.relative
276
+ end
277
+
278
+ def to_hash absolute_paths: true
279
+ if self.called_from and not absolute_paths
280
+ render_path = self.called_from.with_relative_paths
281
+ else
282
+ render_path = self.called_from
283
+ end
284
+
271
285
  { :warning_type => self.warning_type,
272
286
  :warning_code => @warning_code,
273
287
  :fingerprint => self.fingerprint,
274
288
  :check_name => self.check.gsub(/^Brakeman::Check/, ''),
275
289
  :message => self.message.to_s,
276
- :file => self.file,
290
+ :file => (absolute_paths ? self.file.absolute : self.file.relative),
277
291
  :line => self.line,
278
292
  :link => self.link,
279
293
  :code => (@code && self.format_code(false)),
280
- :render_path => self.called_from,
294
+ :render_path => render_path,
281
295
  :location => self.location(false),
282
296
  :user_input => (@user_input && self.format_user_input(false)),
283
297
  :confidence => TEXT_CONFIDENCE[self.confidence]
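Review bot: The new `fingerprint` interpolation `#{self.file.relative}` and the `to_hash` entry `:file => (absolute_paths ? self.file.absolute : self.file.relative)` dereference `self.file` with no nil guard, while the `to_s` change in the same section keeps its `if self.file` check. In the `@warning_set` hunk only the model and template branches assign `@file ||=`; the controller branch does not, so unless `@file` is always supplied from elsewhere (not visible here) a warning without a file now raises NoMethodError where the old `@relative_path` interpolated as an empty string, and the new `relative_path` method likewise replaces an accessor that returned nil. Because `fingerprint` feeds the ignore configuration, a raise here would abort report generation rather than produce a stable fingerprint. I would write `self.file&.relative` in `fingerprint` and `relative_path`, and `:file => self.file && (absolute_paths ? self.file.absolute : self.file.relative)` in `to_hash`. `fingerprint` begins outside the hunk.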
@@ -110,6 +110,10 @@ module Brakeman::WarningCodes
110
110
  :CVE_2018_8048 => 106,
111
111
  :CVE_2018_3741 => 107,
112
112
  :CVE_2018_3760 => 108,
113
+ :force_ssl_disabled => 109,
114
+ :unsafe_cookie_serialization => 110,
115
+ :reverse_tabnabbing => 111,
116
+ :custom_check => 9090,
113
117
  }
114
118
 
115
119
  def self.code name
@@ -40,7 +40,7 @@ class Sexp
40
40
  s.line(line)
41
41
  else
42
42
  s.original_line = self.original_line
43
- s.line(self.line)
43
+ s.line(self.line) if self.line
44
44
  end
45
45
 
46
46
  s
@@ -45,6 +45,7 @@ class Brakeman::SexpProcessor
45
45
  @expected = Sexp
46
46
  @processors = self.class.processors
47
47
  @context = []
48
+ @current_class = @current_module = @current_method = @visibility = nil
48
49
 
49
50
  if @processors.empty?
50
51
  public_methods.each do |name|
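--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-version: 4.4.0
+version: 4.7.0
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2019-01-17 00:00:00.000000000 Z
+date: 2019-10-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: minitest
@@ -25,20 +25,62 @@ dependencies:
 - - ">="
 - !ruby/object:Gem::Version
 version: '0'
+- !ruby/object:Gem::Dependency
+name: minitest-ci
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: simplecov
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
 - !ruby/object:Gem::Dependency
 name: ruby_parser
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '3.12'
+version: '3.13'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '3.13'
+- !ruby/object:Gem::Dependency
+name: ruby_parser-legacy
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.0'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '3.12'
+version: '1.0'
 - !ruby/object:Gem::Dependency
 name: sexp_processor
 requirement: !ruby/object:Gem::Requirement
@@ -99,20 +141,14 @@ dependencies:
 name: highline
 requirement: !ruby/object:Gem::Requirement
 requirements:
-- - ">="
-- !ruby/object:Gem::Version
-version: 1.6.20
-- - "<"
+- - "~>"
 - !ruby/object:Gem::Version
 version: '2.0'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
-- - ">="
-- !ruby/object:Gem::Version
-version: 1.6.20
-- - "<"
+- - "~>"
 - !ruby/object:Gem::Version
 version: '2.0'
 - !ruby/object:Gem::Dependency
@@ -131,44 +167,18 @@ dependencies:
 version: '2.6'
 - !ruby/object:Gem::Dependency
 name: haml
-requirement: !ruby/object:Gem::Requirement
-requirements:
-- - ">="
-- !ruby/object:Gem::Version
-version: '3.0'
-- - "<"
-- !ruby/object:Gem::Version
-version: '5.0'
-type: :runtime
-prerelease: false
-version_requirements: !ruby/object:Gem::Requirement
-requirements:
-- - ">="
-- !ruby/object:Gem::Version
-version: '3.0'
-- - "<"
-- !ruby/object:Gem::Version
-version: '5.0'
-- !ruby/object:Gem::Dependency
-name: sass
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '3.0'
-- - "<"
-- !ruby/object:Gem::Version
-version: 3.5.0
+version: '5.1'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '3.0'
-- - "<"
-- !ruby/object:Gem::Version
-version: 3.5.0
+version: '5.1'
 - !ruby/object:Gem::Dependency
 name: slim
 requirement: !ruby/object:Gem::Requirement
@@ -210,6 +220,7 @@ files:
 - lib/brakeman/checks/check_basic_auth.rb
 - lib/brakeman/checks/check_basic_auth_timing_attack.rb
 - lib/brakeman/checks/check_content_tag.rb
+- lib/brakeman/checks/check_cookie_serialization.rb
 - lib/brakeman/checks/check_create_with.rb
 - lib/brakeman/checks/check_cross_site_scripting.rb
 - lib/brakeman/checks/check_default_routes.rb
@@ -224,6 +235,7 @@ files:
 - lib/brakeman/checks/check_file_access.rb
 - lib/brakeman/checks/check_file_disclosure.rb
 - lib/brakeman/checks/check_filter_skipping.rb
+- lib/brakeman/checks/check_force_ssl.rb
 - lib/brakeman/checks/check_forgery_setting.rb
 - lib/brakeman/checks/check_header_dos.rb
 - lib/brakeman/checks/check_i18n_xss.rb
@@ -249,6 +261,7 @@ files:
 - lib/brakeman/checks/check_render_dos.rb
 - lib/brakeman/checks/check_render_inline.rb
 - lib/brakeman/checks/check_response_splitting.rb
+- lib/brakeman/checks/check_reverse_tabnabbing.rb
 - lib/brakeman/checks/check_route_dos.rb
 - lib/brakeman/checks/check_safe_buffer_manipulation.rb
 - lib/brakeman/checks/check_sanitize_methods.rb
@@ -281,12 +294,15 @@ files:
 - lib/brakeman/commandline.rb
 - lib/brakeman/differ.rb
 - lib/brakeman/file_parser.rb
+- lib/brakeman/file_path.rb
 - lib/brakeman/format/style.css
 - lib/brakeman/messages.rb
 - lib/brakeman/options.rb
+- lib/brakeman/parsers/haml_embedded.rb
 - lib/brakeman/parsers/rails2_erubis.rb
 - lib/brakeman/parsers/rails2_xss_plugin_erubis.rb
 - lib/brakeman/parsers/rails3_erubis.rb
+- lib/brakeman/parsers/slim_embedded.rb
 - lib/brakeman/parsers/template_parser.rb
 - lib/brakeman/processor.rb
 - lib/brakeman/processors/alias_processor.rb
@@ -366,7 +382,7 @@ files:
 - lib/ruby_parser/bm_sexp_processor.rb
 homepage: http://brakemanscanner.org
 licenses:
-- CC-BY-NC-SA-4.0
+- Brakeman Public Use License
 metadata: {}
 post_install_message:
 rdoc_options: []
@@ -383,8 +399,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.7.8
+rubygems_version: 3.0.3
 signing_key:
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.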