brakeman-lib 4.5.0 → 4.5.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 142b7260d9ae378b1dd4126d00979b892c6931b601865e20a883a0e8444cd225
-  data.tar.gz: 53d73341cd37a589a8483c9bdf59be6f5b8c350c48466e02479609c66d4da264
+  metadata.gz: 4335b21ba5c11b4a21f8f31f38f612f9153b7778d0c8c5fba9d1efbcfba6e16a
+  data.tar.gz: 257d1b9f190b517d0b16859acc438870478d54a9ce71ed09f1e8ba01365095ac
 SHA512:
-  metadata.gz: 6b555893cb7d94bddab5f9a3f824024050b098e08706fdb40e8a3f2ce9b7f3dc31bae1235bb998e71e09170eedcae508c3fae20900e58e57b0ce095e99ff5022
-  data.tar.gz: 78bb4ca1c4892027cec86157bf96dbf7ac8dcf84fde1a5585181304f72d575fd935a990cf8027985e5e756ce8cd4fe8bac40573911bd903434b886e1d1a3ca94
+  metadata.gz: 7055bf420077bac2ae9b4a5a86616d8aa2663efe81414b4688b22b1af6558b6f3aa563fe7292e5bf3b50a4159e770c5096ecc4d4b7e452953614809843baab58
+  data.tar.gz: e5f3c8e3d5d66a652f1c6e0d6b1727db400b7db0d07a9f37a43df256da2cb71710a5e86f244cfe9994d309af6e77925623fa1496a930875693fa836c9a56a492

data/CHANGES.md

@@ -1,3 +1,18 @@
+# 4.5.1 
+
+* Add `Brakeman::FilePath` to represent file paths
+* Handle trailing comma in block args
+* Properly handle empty partial name
+* Use relative paths for `__FILE__`
+* Convert `!!` calls to boolean value
+* Add optional check for `config.force_ssl`
+* Remove code for Ruby versions prior to 1.9
+* Check `link_to` with block for href XSS
+* Add SQL injection checks for `find_or_create_by` and friends
+* Add deserialization warning for `Oj.load/object_load`
+* Add initial Rails 6 support
+* Add SQL injection checks for `destroy_by`/`delete_by`
+
 # 4.5.0
 
 * Update `ruby_parser`, use `ruby_parser-legacy`

data/README.md

@@ -1,6 +1,6 @@
 [![Brakeman Logo](http://brakemanscanner.org/images/logo_medium.png)](http://brakemanscanner.org/)
 
-[![Build Status](https://travis-ci.org/presidentbeef/brakeman.svg?branch=master)](https://travis-ci.org/presidentbeef/brakeman)
+[![Build Status](https://circleci.com/gh/presidentbeef/brakeman.svg?style=svg)](https://circleci.com/gh/presidentbeef/brakeman)
 [![Maintainability](https://api.codeclimate.com/v1/badges/1b08a5c74695cb0d11ec/maintainability)](https://codeclimate.com/github/presidentbeef/brakeman/maintainability)
 [![Test Coverage](https://api.codeclimate.com/v1/badges/1b08a5c74695cb0d11ec/test_coverage)](https://codeclimate.com/github/presidentbeef/brakeman/test_coverage)
 [![Gitter](https://badges.gitter.im/presidentbeef/brakeman.svg)](https://gitter.im/presidentbeef/brakeman)
@@ -47,25 +47,25 @@ Outside of Rails root:
 
 From a Rails application's root directory:
 
-    docker run -v "$(pwd)":/code brakeman
+    docker run -v "$(pwd)":/code presidentbeef/brakeman
 
 With a little nicer color:
 
-    docker run -v "$(pwd)":/code brakeman --color
+    docker run -v "$(pwd)":/code presidentbeef/brakeman --color
 
 For an HTML report:
 
-    docker run -v "$(pwd)":/code brakeman -o brakeman_results.html
+    docker run -v "$(pwd)":/code presidentbeef/brakeman -o brakeman_results.html
 
 Outside of Rails root (note that the output file is relative to path/to/rails/application):
 
-    docker run -v 'path/to/rails/application':/code brakeman -o brakeman_results.html
+    docker run -v 'path/to/rails/application':/code presidentbeef/brakeman -o brakeman_results.html
 
 # Compatibility
 
 Brakeman should work with any version of Rails from 2.3.x to 5.x.
 
-Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 1.9.3 to run.
+Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 2.3.0 to run.
 
 # Basic Options
 

data/lib/brakeman.rb

@@ -55,6 +55,9 @@ module Brakeman
   #  * :print_report - if no output file specified, print to stdout (default: false)
   #  * :quiet - suppress most messages (default: true)
   #  * :rails3 - force Rails 3 mode (automatic)
+  #  * :rails4 - force Rails 4 mode (automatic)
+  #  * :rails5 - force Rails 5 mode (automatic)
+  #  * :rails6 - force Rails 6 mode (automatic)
   #  * :report_routes - show found routes on controllers (default: false)
   #  * :run_checks - array of checks to run (run all if not specified)
   #  * :safe_methods - array of methods to consider safe
@@ -99,6 +102,10 @@ module Brakeman
     elsif options[:rails5]
       options[:rails3] = true
       options[:rails4] = true
+    elsif options[:rails6]
+      options[:rails3] = true
+      options[:rails4] = true
+      options[:rails5] = true
     end
 
     options[:output_formats] = get_output_formats options

data/lib/brakeman/app_tree.rb

@@ -1,4 +1,5 @@
 require 'pathname'
+require 'brakeman/file_path'
 
 module Brakeman
   class AppTree
@@ -62,31 +63,37 @@ module Brakeman
       @absolute_engine_paths = @engine_paths.select { |path| path.start_with?(File::SEPARATOR) }
       @relative_engine_paths = @engine_paths - @absolute_engine_paths
       @gemspec = nil
+      @root_search_pattern = nil
     end
 
-    def expand_path(path)
-      File.expand_path(path, @root)
+    # Create a new Brakeman::FilePath
+    def file_path(path)
+      Brakeman::FilePath.from_app_tree(self, path)
     end
 
-    def read(path)
-      File.read(File.join(@root, path))
+    # Should only be used by Brakeman::FilePath.
+    # Use AppTree#file_path(path).absolute instead.
+    def expand_path(path)
+      File.expand_path(path, @root)
     end
 
-    # This variation requires full paths instead of paths based
-    # off the project root. I'd prefer to get all the code outside
-    # of AppTree using project-root based paths (e.g. app/models/user.rb)
-    # instead of full paths, but I suspect it's an incompatible change.
-    def read_path(path)
-      File.read(path)
+    # Should only be used by Brakeman::FilePath
+    # Use AppTree#file_path(path).relative instead.
+    def relative_path(path)
+      pname = Pathname.new path
+      if path and not path.empty? and pname.absolute?
+        pname.relative_path_from(Pathname.new(self.root)).to_s
+      else
+        path
+      end
     end
 
     def exists?(path)
-      File.exist?(File.join(@root, path))
-    end
-
-    # This is a pair for #read_path. Again, would like to kill these
-    def path_exists?(path)
-      File.exist?(path)
+      if path.is_a? Brakeman::FilePath
+        path.exists?
+      else
+        File.exist?(File.join(@root, path))
+      end
     end
 
     def initializer_paths
@@ -111,7 +118,7 @@ module Brakeman
     end
 
     def lib_paths
-      @lib_files ||= find_paths("lib").reject { |path| path.include? "/generators/" or path.include? "lib/tasks/" or path.include? "lib/templates/" } +
+      @lib_files ||= find_paths("lib").reject { |path| path.relative.include? "/generators/" or path.relative.include? "lib/tasks/" or path.relative.include? "lib/templates/" } +
                      find_additional_lib_paths +
                      find_helper_paths +
                      find_job_paths
@@ -125,7 +132,7 @@ module Brakeman
       if gemspecs.length > 1 or gemspecs.empty?
         @gemspec = false
       else
-        @gemspec = File.basename(gemspecs.first)
+        @gemspec = file_path(File.basename(gemspecs.first))
       end
     end
 
@@ -155,7 +162,8 @@ module Brakeman
 
     def select_files(paths)
       paths = select_only_files(paths)
-      reject_skipped_files(paths)
+      paths = reject_skipped_files(paths)
+      convert_to_file_paths(paths)
     end
 
     def select_only_files(paths)
@@ -190,8 +198,8 @@ module Brakeman
     def root_search_pattern
       return @root_search_pattern if @root_search_pattern
 
-      abs = @absolute_engine_paths.to_a.map { |path| path.gsub /#{File::SEPARATOR}+$/, '' }
-      rel = @relative_engine_paths.to_a.map { |path| path.gsub /#{File::SEPARATOR}+$/, '' }
+      abs = @absolute_engine_paths.to_a.map { |path| path.gsub(/#{File::SEPARATOR}+$/, '') }
+      rel = @relative_engine_paths.to_a.map { |path| path.gsub(/#{File::SEPARATOR}+$/, '') }
 
       roots = ([@root] + abs).join(",")
       rel_engines = (rel + [""]).join("/,")
@@ -199,7 +207,11 @@ module Brakeman
     end
 
     def prioritize_concerns paths
-      paths.partition { |path| path.include? "concerns" }.flatten
+      paths.partition { |path| path.relative.include? "concerns" }.flatten
+    end
+
+    def convert_to_file_paths paths
+      paths.map { |path| file_path(path) }
     end
   end
 end

data/lib/brakeman/checks.rb

@@ -109,13 +109,13 @@ class Brakeman::Checks
 
   #Run all the checks on the given Tracker.
   #Returns a new instance of Checks with the results.
-  def self.run_checks(app_tree, tracker)
+  def self.run_checks(tracker)
     checks = self.checks_to_run(tracker)
     check_runner = self.new :min_confidence => tracker.options[:min_confidence]
-    self.actually_run_checks(checks, check_runner, app_tree, tracker)
+    self.actually_run_checks(checks, check_runner, tracker)
   end
 
-  def self.actually_run_checks(checks, check_runner, app_tree, tracker)
+  def self.actually_run_checks(checks, check_runner, tracker)
     threads = [] # Results for parallel
     results = [] # Results for sequential
     parallel = tracker.options[:parallel_checks]
@@ -127,10 +127,10 @@ class Brakeman::Checks
 
       if parallel
         threads << Thread.new do
-          self.run_a_check(c, error_mutex, app_tree, tracker)
+          self.run_a_check(c, error_mutex, tracker)
         end
       else
-        results << self.run_a_check(c, error_mutex, app_tree, tracker)
+        results << self.run_a_check(c, error_mutex, tracker)
       end
 
       #Maintain list of which checks were run
@@ -196,8 +196,8 @@ class Brakeman::Checks
     end
   end
 
-  def self.run_a_check klass, mutex, app_tree, tracker
-    check = klass.new(app_tree, tracker)
+  def self.run_a_check klass, mutex, tracker
+    check = klass.new(tracker)
 
     begin
       check.run_check

data/lib/brakeman/checks/base_check.rb

@@ -27,9 +27,9 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   end
 
   #Initialize Check with Checks.
-  def initialize(app_tree, tracker)
+  def initialize(tracker)
     super()
-    @app_tree = app_tree
+    @app_tree = tracker.app_tree
     @results = [] #only to check for duplicates
     @warnings = []
     @tracker = tracker
@@ -143,11 +143,11 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   def warn options
     extra_opts = { :check => self.class.to_s }
 
-    warning = Brakeman::Warning.new(options.merge(extra_opts))
-    warning.file = file_for warning
-    warning.relative_path = relative_path(warning.file)
+    if options[:file]
+      options[:file] = @app_tree.file_path(options[:file])
+    end
 
-    @warnings << warning
+    @warnings << Brakeman::Warning.new(options.merge(extra_opts))
   end
 
   #Run _exp_ through OutputProcessor to get a nice String.
@@ -476,11 +476,11 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     if gem_name and info = tracker.config.get_gem(gem_name)
       info
     elsif @app_tree.exists?("Gemfile")
-      "Gemfile"
+      @app_tree.file_path "Gemfile"
     elsif @app_tree.exists?("gems.rb")
-      "gems.rb"
+      @app_tree.file_path "gems.rb"
     else
-      "config/environment.rb"
+      @app_tree.file_path "config/environment.rb"
     end
   end
 

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -33,6 +33,11 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
 
   FORM_BUILDER = Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new)
 
+  def initialize *args
+    super
+    @matched = @mark = false
+  end
+
   #Run check
   def run_check
     setup

data/lib/brakeman/checks/check_default_routes.rb

@@ -6,6 +6,11 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
 
   @description = "Checks for default routes"
 
+  def initialize *args
+    super
+    @actions_allowed_on_controller = nil
+  end
+
   #Checks for :allow_all_actions globally and for individual routes
   #if it is not enabled globally.
   def run_check

data/lib/brakeman/checks/check_deserialize.rb

@@ -9,6 +9,7 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
     check_yaml
     check_csv
     check_marshal
+    check_oj
   end
 
   def check_yaml
@@ -23,6 +24,26 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
     check_methods :Marshal, :load, :restore
   end
 
+  def check_oj
+    check_methods :Oj, :object_load # Always unsafe, regardless of mode
+
+    unsafe_mode = :object
+    safe_default = oj_safe_default?
+
+    tracker.find_call(:target => :Oj, :method => :load).each do |result|
+      call = result[:call]
+      options = call.second_arg
+
+      if options and hash? options and mode = hash_access(options, :mode)
+        if symbol? mode and mode.value == unsafe_mode
+          check_deserialize result, :Oj
+        end
+      elsif not safe_default
+        check_deserialize result, :Oj
+      end
+    end
+  end
+
   def check_methods target, *methods
     tracker.find_call(:target => target, :methods => methods ).each do |result|
       check_deserialize result, target
@@ -53,4 +74,35 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
         :link_path => "unsafe_deserialization"
     end
   end
+
+  private
+
+  def oj_safe_default?
+    safe_default = false
+
+    # TODO: Can we just index initializers already??
+    if tracker.check_initializers(:Oj, :mimic_JSON).any?
+      safe_default = true
+    end
+
+    if result = tracker.check_initializers(:Oj, :default_options=).first
+      options = result.call.first_arg
+
+      if oj_safe_mode? options
+        safe_default = true
+      end
+    end
+
+    safe_default
+  end
+
+  def oj_safe_mode? options
+    if hash? options and mode = hash_access(options, :mode)
+      if symbol? mode and mode != :object
+        return true
+      end
+    end
+
+    false
+  end
 end

data/lib/brakeman/checks/check_dynamic_finders.rb

@@ -43,6 +43,6 @@ class Brakeman::CheckDynamicFinders < Brakeman::BaseCheck
   end
 
   def potentially_dangerous? method_name
-    method_name.match /^find_by_.*(token|guid|password|api_key|activation|code|private|reset)/
+    method_name.match(/^find_by_.*(token|guid|password|api_key|activation|code|private|reset)/)
   end
 end

data/lib/brakeman/checks/check_force_ssl.rb

@@ -0,0 +1,27 @@
+class Brakeman::CheckForceSSL < Brakeman::BaseCheck
+  Brakeman::Checks.add_optional self
+
+  @description = "Check that force_ssl setting is enabled in production"
+
+  def run_check
+    return if tracker.config.rails.empty? or tracker.config.rails_version.nil?
+    return if tracker.config.rails_version < "3.1.0"
+
+    force_ssl = tracker.config.rails[:force_ssl]
+
+    if false? force_ssl or force_ssl.nil?
+      line = if sexp? force_ssl
+               force_ssl.line
+             else
+               1
+             end
+
+      warn :warning_type => "Missing Encryption",
+        :warning_code => :force_ssl_disabled,
+        :message => msg("The application does not force use of HTTPS: ", msg_code("config.force_ssl"), " is not enabled"),
+        :confidence => :high,
+        :file => "config/environments/production.rb",
+        :line => line
+    end
+  end
+end

data/lib/brakeman/checks/check_json_parsing.rb

@@ -5,6 +5,11 @@ class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
 
   @description = "Checks for JSON parsing vulnerabilities CVE-2013-0333 and CVE-2013-0269"
 
+  def initialize *args
+    super
+    @uses_json_parse = nil
+  end
+
   def run_check
     check_cve_2013_0333
     check_cve_2013_0269

data/lib/brakeman/checks/check_link_to_href.rb

@@ -34,7 +34,12 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
     #an ignored method call by the code above.
     call = result[:call] = result[:call].dup
     @matched = false
-    url_arg = process call.second_arg
+
+    url_arg = if result[:block]
+                process call.first_arg
+              else
+                process call.second_arg
+              end
 
     if check_argument? url_arg
       url_arg = url_arg.first_arg

data/lib/brakeman/checks/check_mail_to.rb

@@ -24,7 +24,7 @@ class Brakeman::CheckMailTo < Brakeman::BaseCheck
         :warning_code => :CVE_2011_0446,
         :message => message,
         :confidence => :high,
-        :gem_info => gemfile_or_environment,
+        :gem_info => gemfile_or_environment, # Probably ignored now
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/8CpI7egxX4E/discussion"
     end
   end