RubyGems - brakeman-lib - Versions diffs - 4.5.0 → 4.5.1 - Mend

brakeman-lib 4.5.0 → 4.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (71) hide show

checksums.yaml +4 -4
data/CHANGES.md +15 -0
data/README.md +6 -6
data/lib/brakeman.rb +7 -0
data/lib/brakeman/app_tree.rb +34 -22
data/lib/brakeman/checks.rb +7 -7
data/lib/brakeman/checks/base_check.rb +9 -9
data/lib/brakeman/checks/check_cross_site_scripting.rb +5 -0
data/lib/brakeman/checks/check_default_routes.rb +5 -0
data/lib/brakeman/checks/check_deserialize.rb +52 -0
data/lib/brakeman/checks/check_dynamic_finders.rb +1 -1
data/lib/brakeman/checks/check_force_ssl.rb +27 -0
data/lib/brakeman/checks/check_json_parsing.rb +5 -0
data/lib/brakeman/checks/check_link_to_href.rb +6 -1
data/lib/brakeman/checks/check_mail_to.rb +1 -1
data/lib/brakeman/checks/check_model_attr_accessible.rb +1 -1
data/lib/brakeman/checks/check_model_attributes.rb +12 -50
data/lib/brakeman/checks/check_model_serialize.rb +1 -1
data/lib/brakeman/checks/check_nested_attributes_bypass.rb +3 -3
data/lib/brakeman/checks/check_secrets.rb +1 -1
data/lib/brakeman/checks/check_session_settings.rb +10 -10
data/lib/brakeman/checks/check_simple_format.rb +5 -0
data/lib/brakeman/checks/check_skip_before_filter.rb +1 -1
data/lib/brakeman/checks/check_sql.rb +15 -17
data/lib/brakeman/checks/check_validation_regex.rb +1 -1
data/lib/brakeman/file_parser.rb +6 -8
data/lib/brakeman/file_path.rb +71 -0
data/lib/brakeman/options.rb +7 -0
data/lib/brakeman/parsers/template_parser.rb +3 -3
data/lib/brakeman/processor.rb +3 -4
data/lib/brakeman/processors/alias_processor.rb +12 -6
data/lib/brakeman/processors/base_processor.rb +8 -7
data/lib/brakeman/processors/controller_alias_processor.rb +10 -7
data/lib/brakeman/processors/controller_processor.rb +5 -9
data/lib/brakeman/processors/haml_template_processor.rb +5 -0
data/lib/brakeman/processors/lib/module_helper.rb +8 -8
data/lib/brakeman/processors/lib/processor_helper.rb +3 -3
data/lib/brakeman/processors/lib/rails2_config_processor.rb +3 -3
data/lib/brakeman/processors/lib/rails2_route_processor.rb +2 -2
data/lib/brakeman/processors/lib/rails3_config_processor.rb +3 -3
data/lib/brakeman/processors/lib/rails3_route_processor.rb +2 -2
data/lib/brakeman/processors/lib/render_helper.rb +2 -2
data/lib/brakeman/processors/lib/render_path.rb +18 -1
data/lib/brakeman/processors/library_processor.rb +5 -5
data/lib/brakeman/processors/model_processor.rb +4 -5
data/lib/brakeman/processors/output_processor.rb +5 -0
data/lib/brakeman/processors/template_alias_processor.rb +4 -5
data/lib/brakeman/processors/template_processor.rb +4 -4
data/lib/brakeman/report.rb +3 -3
data/lib/brakeman/report/ignore/config.rb +2 -3
data/lib/brakeman/report/ignore/interactive.rb +2 -2
data/lib/brakeman/report/pager.rb +1 -0
data/lib/brakeman/report/report_base.rb +51 -6
data/lib/brakeman/report/report_codeclimate.rb +3 -3
data/lib/brakeman/report/report_hash.rb +1 -1
data/lib/brakeman/report/report_html.rb +2 -2
data/lib/brakeman/report/report_json.rb +1 -24
data/lib/brakeman/report/report_table.rb +20 -4
data/lib/brakeman/report/report_tabs.rb +1 -1
data/lib/brakeman/report/report_text.rb +2 -2
data/lib/brakeman/rescanner.rb +9 -12
data/lib/brakeman/scanner.rb +19 -14
data/lib/brakeman/tracker.rb +4 -4
data/lib/brakeman/tracker/collection.rb +4 -3
data/lib/brakeman/tracker/config.rb +6 -0
data/lib/brakeman/util.rb +1 -147
data/lib/brakeman/version.rb +1 -1
data/lib/brakeman/warning.rb +23 -13
data/lib/brakeman/warning_codes.rb +1 -0
data/lib/ruby_parser/bm_sexp_processor.rb +1 -0
metadata +20 -10

data/lib/brakeman/parsers/template_parser.rb CHANGED

@@ -13,7 +13,7 @@ module Brakeman
     end
     def parse_template path, text
-      type = path.match(KNOWN_TEMPLATE_EXTENSIONS)[1].to_sym
+      type = path.relative.match(KNOWN_TEMPLATE_EXTENSIONS)[1].to_sym
       type = :erb if type == :rhtml
       name = template_path_to_name path
       Brakeman.debug "Parsing #{path}"
@@ -63,7 +63,7 @@ module Brakeman
         else
           ERB.new(text, nil, '-').src
         end
-        src.sub!(/^#.*\n/, '') if Brakeman::Scanner::RUBY_1_9
+        src.sub!(/^#.*\n/, '')
         src
       end
     end
@@ -95,7 +95,7 @@ module Brakeman
     end
     def self.parse_inline_erb tracker, text
-      fp = Brakeman::FileParser.new(tracker, nil)
+      fp = Brakeman::FileParser.new(tracker)
       tp = self.new(tracker, fp)
       src = tp.parse_erb '_inline_', text
       type = tp.erubis? ? :erubis : :erb

data/lib/brakeman/processor.rb CHANGED

@@ -13,8 +13,7 @@ module Brakeman
     include Util
     def initialize(app_tree, options)
-      @app_tree = app_tree
-      @tracker = Tracker.new(@app_tree, self, options)
+      @tracker = Tracker.new(app_tree, self, options)
     end
     def tracked_events
@@ -39,7 +38,7 @@ module Brakeman
     #Process controller source. +file_name+ is used for reporting
     def process_controller src, file_name
       if contains_class? src
-        ControllerProcessor.new(@app_tree, @tracker).process_controller src, file_name
+        ControllerProcessor.new(@tracker).process_controller src, file_name
       else
         LibraryProcessor.new(@tracker).process_library src, file_name
       end
@@ -48,7 +47,7 @@ module Brakeman
     #Process variable aliasing in controller source and save it in the
     #tracker.
     def process_controller_alias name, src, only_method = nil, file = nil
-      ControllerAliasProcessor.new(@app_tree, @tracker, only_method).process_controller name, src, file
+      ControllerAliasProcessor.new(@tracker, only_method).process_controller name, src, file
     end
     #Process a model source

data/lib/brakeman/processors/alias_processor.rb CHANGED

@@ -20,19 +20,18 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   #The recommended usage is:
   #
   # AliasProcessor.new.process_safely src
-  def initialize tracker = nil, file_name = nil
+  def initialize tracker = nil, current_file = nil
     super()
     @env = SexpProcessor::Environment.new
     @inside_if = false
     @ignore_ifs = nil
     @exp_context = []
-    @current_module = nil
     @tracker = tracker #set in subclass as necessary
     @helper_method_cache = {}
     @helper_method_info = Hash.new({})
     @or_depth_limit = (tracker && tracker.options[:branch_limit]) || 5 #arbitrary default
     @meth_env = nil
-    @file_name = file_name
+    @current_file = current_file
     set_env_defaults
   end
@@ -44,8 +43,8 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   #
   #This method returns a new Sexp with variables replaced with their values,
   #where possible.
-  def process_safely src, set_env = nil, file_name = nil
-    @file_name = file_name
+  def process_safely src, set_env = nil, current_file = @current_file
+    @current_file = current_file
     @env = set_env || SexpProcessor::Environment.new
     @result = src.deep_clone
     process @result
@@ -270,6 +269,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       if array? target and target.length > 2 and (string? first_arg or first_arg.nil?)
         exp = process_array_join(target, first_arg)
       end
+    when :!
+      #  Convert `!!a` to boolean
+      if call? target and target.method == :!
+        exp = s(:or, s(:true).line(exp.line), s(:false).line(exp.line)).line(exp.line)
+      end
     end
     exp
@@ -368,6 +372,8 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
           elsif e.is_a? Symbol
             local = Sexp.new(:lvar, e)
             env.current[local] = local
+          elsif e.nil? # trailing comma, argument destructuring
+            next # Punt for now
           else
             raise "Unexpected value in block args: #{e.inspect}"
           end
@@ -693,7 +699,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     if @tracker
       @tracker.add_constant exp.lhs,
         exp.rhs,
-        :file => current_file_name,
+        :file => @current_file,
         :module => @current_module,
         :class => @current_class,
         :method => @current_method

data/lib/brakeman/processors/base_processor.rb CHANGED

@@ -15,11 +15,12 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     super()
     @last = nil
     @tracker = tracker
-    @current_template = @current_module = @current_class = @current_method = @file_name = nil
+    @app_tree = tracker.app_tree if tracker
+    @current_template = @current_module = @current_class = @current_method = @current_file = nil
   end
-  def process_file exp, file_name
-    @file_name = file_name
+  def process_file exp, current_file
+    @current_file = current_file
     process exp
   end
@@ -182,7 +183,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     if @tracker
       @tracker.add_constant exp.lhs,
         exp.rhs,
-        :file => current_file_name,
+        :file => current_file,
         :module => @current_module,
         :class => @current_class,
         :method => @current_method
@@ -234,8 +235,8 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     elsif first_arg.is_a? Symbol or first_arg.is_a? String
       type = :action
       value = Sexp.new(:lit, first_arg.to_sym)
-		elsif first_arg.nil?
-			type = :default
+    elsif first_arg.nil?
+      type = :default
     elsif not hash? first_arg
       type = :action
       value = first_arg
@@ -287,7 +288,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     template_name = "#@current_method/inline@#{value.line}:#{class_or_module}".to_sym
     type, ast = Brakeman::TemplateParser.parse_inline_erb(@tracker, value.value)
     ast = ast.deep_clone(value.line)
-    @tracker.processor.process_template(template_name, ast, type, nil, @file_name)
+    @tracker.processor.process_template(template_name, ast, type, nil, @current_file)
     @tracker.processor.process_template_alias(@tracker.templates[template_name])
     return s(:lit, template_name), options

data/lib/brakeman/processors/controller_alias_processor.rb CHANGED

@@ -11,22 +11,22 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
   #If only_method is specified, only that method will be processed,
   #other methods will be skipped.
   #This is for rescanning just a single action.
-  def initialize app_tree, tracker, only_method = nil
+  def initialize tracker, only_method = nil
     super tracker
-    @app_tree = app_tree
+    @app_tree = tracker.app_tree
     @only_method = only_method
     @rendered = false
     @current_class = @current_module = @current_method = nil
     @method_cache = {} #Cache method lookups
   end
-  def process_controller name, src, file_name
+  def process_controller name, src, current_file
     if not node_type? src, :class
       Brakeman.debug "#{name} is not a class, it's a #{src.node_type}"
       return
     else
       @current_class = name
-      @file_name = file_name
+      @current_file = @app_tree.file_path(current_file)
       process_default src
@@ -37,6 +37,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
   #Process modules mixed into the controller, in case they contain actions.
   def process_mixins
     controller = @tracker.controllers[@current_class]
+    original_file = @current_file
     controller.includes.each do |i|
       mixin = @tracker.libs[i]
@@ -49,7 +50,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
       methods.each do |name|
         #Need to process the method like it was in a controller in order
         #to get the renders set
-        processor = Brakeman::ControllerProcessor.new(@app_tree, @tracker)
+        processor = Brakeman::ControllerProcessor.new(@tracker, mixin.file)
         method = mixin.get_method(name)[:src].deep_clone
         if node_type? method, :defn
@@ -59,11 +60,13 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
           method = processor.process method
         end
-        @file_name = mixin.file
+        @current_file = mixin.file
         #Then process it like any other method in the controller
         process method
       end
     end
+  ensure
+    @current_file = original_file
   end
   #Skip it, must be an inner class
@@ -187,7 +190,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
       end
     end
-    render_path = Brakeman::RenderPath.new.add_controller_render(@current_class, @current_method, line, relative_path(@file_name))
+    render_path = Brakeman::RenderPath.new.add_controller_render(@current_class, @current_method, line, @current_file)
     super name, args, render_path, line
   end

data/lib/brakeman/processors/controller_processor.rb CHANGED

@@ -8,20 +8,16 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
   FORMAT_HTML = Sexp.new(:call, Sexp.new(:lvar, :format), :html)
-  def initialize app_tree, tracker
+  def initialize tracker, current_file = nil
     super(tracker)
-    @app_tree = app_tree
-    @current_class = nil
-    @current_method = nil
-    @current_module = nil
     @visibility = :public
-    @file_name = nil
+    @current_file = current_file
     @concerns = Set.new
   end
   #Use this method to process a Controller
-  def process_controller src, file_name = nil
-    @file_name = file_name
+  def process_controller src, current_file = @current_file
+    @current_file = current_file
     process src
   end
@@ -35,7 +31,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     #a real controller, so we can't take this shortcut.
     if @current_class and @current_class.name.to_s.end_with? "Controller"
       Brakeman.debug "[Notice] Treating inner class as library: #{name}"
-      Brakeman::LibraryProcessor.new(@tracker).process_library exp, @file_name
+      Brakeman::LibraryProcessor.new(@tracker).process_library exp, @current_file
       return exp
     end

data/lib/brakeman/processors/haml_template_processor.rb CHANGED

@@ -7,6 +7,11 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
   JAVASCRIPT_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Javascript)
   COFFEE_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Coffee)
+  def initialize *args
+    super
+    @javascript = false
+  end
   #Processes call, looking for template output
   def process_call exp
     target = exp.target

data/lib/brakeman/processors/lib/module_helper.rb CHANGED

@@ -13,9 +13,9 @@ module Brakeman::ModuleHelper
     if @tracker.libs[name]
       @current_module = @tracker.libs[name]
-      @current_module.add_file @file_name, exp
+      @current_module.add_file @current_file, exp
     else
-      @current_module = tracker_class.new name, parent, @file_name, exp, @tracker
+      @current_module = tracker_class.new name, parent, @current_file, exp, @tracker
       @tracker.libs[name] = @current_module
     end
@@ -45,9 +45,9 @@ module Brakeman::ModuleHelper
     if collection[name]
       @current_class = collection[name]
-      @current_class.add_file @file_name, exp
+      @current_class.add_file @current_file, exp
     else
-      @current_class = tracker_class.new name, parent, @file_name, exp, @tracker
+      @current_class = tracker_class.new name, parent, @current_file, exp, @tracker
       collection[name] = @current_class
     end
@@ -85,9 +85,9 @@ module Brakeman::ModuleHelper
     @current_method = nil
     if @current_class
-      @current_class.add_method @visibility, name, res, @file_name
+      @current_class.add_method @visibility, name, res, @current_file
     elsif @current_module
-      @current_module.add_method @visibility, name, res, @file_name
+      @current_module.add_method @visibility, name, res, @current_file
     end
     res
   end
@@ -101,9 +101,9 @@ module Brakeman::ModuleHelper
     @current_method = nil
     if @current_class
-      @current_class.add_method @visibility, name, res, @file_name
+      @current_class.add_method @visibility, name, res, @current_file
     elsif @current_module
-      @current_module.add_method @visibility, name, res, @file_name
+      @current_module.add_method @visibility, name, res, @current_file
     end
     res

data/lib/brakeman/processors/lib/processor_helper.rb CHANGED

@@ -73,10 +73,10 @@ module Brakeman::ProcessorHelper
     end
   end
-  def current_file_name
+  def current_file
     case
-    when @file_name
-      @file_name
+    when @current_file
+      @current_file
     when @current_class.is_a?(Brakeman::Collection)
       @current_class.file
     when @current_module.is_a?(Brakeman::Collection)

data/lib/brakeman/processors/lib/rails2_config_processor.rb CHANGED

@@ -27,9 +27,9 @@ class Brakeman::Rails2ConfigProcessor < Brakeman::BasicProcessor
   end
   #Use this method to process configuration file
-  def process_config src, file_name
-    @file_name = file_name
-    res = Brakeman::ConfigAliasProcessor.new.process_safely(src, nil, file_name)
+  def process_config src, current_file
+    @current_file = current_file
+    res = Brakeman::ConfigAliasProcessor.new.process_safely(src, nil, current_file)
     process res
   end

data/lib/brakeman/processors/lib/rails2_route_processor.rb CHANGED

@@ -16,7 +16,7 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BasicProcessor
     @prefix = [] #Controller name prefix (a module name, usually)
     @current_controller = nil
     @with_options = nil #For use inside map.with_options
-    @file_name = "config/routes.rb"
+    @current_file = "config/routes.rb"
   end
   #Call this with parsed route file information.
@@ -24,7 +24,7 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BasicProcessor
   #This method first calls RouteAliasProcessor#process_safely on the +exp+,
   #so it does not modify the +exp+.
   def process_routes exp
-    process Brakeman::RouteAliasProcessor.new.process_safely(exp, nil, @file_name)
+    process Brakeman::RouteAliasProcessor.new.process_safely(exp, nil, @current_file)
   end
   #Looking for mapping of routes

data/lib/brakeman/processors/lib/rails3_config_processor.rb CHANGED

@@ -24,9 +24,9 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
   end
   #Use this method to process configuration file
-  def process_config src, file_name
-    @file_name = file_name
-    res = Brakeman::AliasProcessor.new(@tracker).process_safely(src, nil, @file_name)
+  def process_config src, current_file
+    @current_file = current_file
+    res = Brakeman::AliasProcessor.new(@tracker).process_safely(src, nil, @current_file)
     process res
   end

data/lib/brakeman/processors/lib/rails3_route_processor.rb CHANGED

@@ -17,11 +17,11 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BasicProcessor
     @current_controller = nil
     @with_options = nil #For use inside map.with_options
     @controller_block = false
-    @file_name = "config/routes.rb"
+    @current_file = "config/routes.rb"
   end
   def process_routes exp
-    process Brakeman::AliasProcessor.new.process_safely(exp, nil, @file_name)
+    process Brakeman::AliasProcessor.new.process_safely(exp, nil, @current_file)
   end
   def process_call exp

data/lib/brakeman/processors/lib/render_helper.rb CHANGED

@@ -36,7 +36,7 @@ module Brakeman::RenderHelper
   #Determines file name for partial and then processes it
   def process_partial name, args, line
-    if name == "" or !(string? name or symbol? name)
+    if !(string? name or symbol? name) or name.value == ""
       return
     end
@@ -148,7 +148,7 @@ module Brakeman::RenderHelper
       #This information will be stored in tracker.templates, but with a name
       #specifying this particular route. The original source should remain
       #pristine (so it can be processed within other environments).
-      @tracker.processor.process_template name, src, template.type, called_from
+      @tracker.processor.process_template name, src, template.type, called_from, template.file
     end
   end

data/lib/brakeman/processors/lib/render_path.rb CHANGED

@@ -83,7 +83,7 @@ module Brakeman
     end
     def map &block
-      @path.map &block
+      @path.map(&block)
     end
     def to_a
@@ -114,6 +114,23 @@ module Brakeman
       JSON.generate(@path)
     end
+    def with_relative_paths
+      @path.map do |loc|
+        r = loc.dup
+        if r[:file]
+          r[:file] = r[:file].relative
+        end
+        if r[:rendered] and r[:rendered][:file]
+          r[:rendered] = r[:rendered].dup
+          r[:rendered][:file] = r[:rendered][:file].relative
+        end
+        r
+      end
+    end
     def initialize_copy original
       @path = original.path.dup
       self

data/lib/brakeman/processors/library_processor.rb CHANGED

@@ -9,15 +9,15 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
   def initialize tracker
     super
-    @file_name = nil
+    @current_file = nil
     @alias_processor = Brakeman::AliasProcessor.new tracker
     @current_module = nil
     @current_class = nil
     @initializer_env = nil
   end
-  def process_library src, file_name = nil
-    @file_name = file_name
+  def process_library src, current_file = @current_file
+    @current_file = current_file
     process src
   end
@@ -41,10 +41,10 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
     if @current_class
       exp.body = process_all! exp.body
-      @current_class.add_method :public, exp.method_name, exp, @file_name
+      @current_class.add_method :public, exp.method_name, exp, @current_file
     elsif @current_module
       exp.body = process_all! exp.body
-      @current_module.add_method :public, exp.method_name, exp, @file_name
+      @current_module.add_method :public, exp.method_name, exp, @current_file
     end
     exp