RubyGems - brakeman-lib - Versions diffs - 4.5.0 → 4.5.1 - Mend

brakeman-lib 4.5.0 → 4.5.1

Files changed (71) hide show

checksums.yaml +4 -4
data/CHANGES.md +15 -0
data/README.md +6 -6
data/lib/brakeman.rb +7 -0
data/lib/brakeman/app_tree.rb +34 -22
data/lib/brakeman/checks.rb +7 -7
data/lib/brakeman/checks/base_check.rb +9 -9
data/lib/brakeman/checks/check_cross_site_scripting.rb +5 -0
data/lib/brakeman/checks/check_default_routes.rb +5 -0
data/lib/brakeman/checks/check_deserialize.rb +52 -0
data/lib/brakeman/checks/check_dynamic_finders.rb +1 -1
data/lib/brakeman/checks/check_force_ssl.rb +27 -0
data/lib/brakeman/checks/check_json_parsing.rb +5 -0
data/lib/brakeman/checks/check_link_to_href.rb +6 -1
data/lib/brakeman/checks/check_mail_to.rb +1 -1
data/lib/brakeman/checks/check_model_attr_accessible.rb +1 -1
data/lib/brakeman/checks/check_model_attributes.rb +12 -50
data/lib/brakeman/checks/check_model_serialize.rb +1 -1
data/lib/brakeman/checks/check_nested_attributes_bypass.rb +3 -3
data/lib/brakeman/checks/check_secrets.rb +1 -1
data/lib/brakeman/checks/check_session_settings.rb +10 -10
data/lib/brakeman/checks/check_simple_format.rb +5 -0
data/lib/brakeman/checks/check_skip_before_filter.rb +1 -1
data/lib/brakeman/checks/check_sql.rb +15 -17
data/lib/brakeman/checks/check_validation_regex.rb +1 -1
data/lib/brakeman/file_parser.rb +6 -8
data/lib/brakeman/file_path.rb +71 -0
data/lib/brakeman/options.rb +7 -0
data/lib/brakeman/parsers/template_parser.rb +3 -3
data/lib/brakeman/processor.rb +3 -4
data/lib/brakeman/processors/alias_processor.rb +12 -6
data/lib/brakeman/processors/base_processor.rb +8 -7
data/lib/brakeman/processors/controller_alias_processor.rb +10 -7
data/lib/brakeman/processors/controller_processor.rb +5 -9
data/lib/brakeman/processors/haml_template_processor.rb +5 -0
data/lib/brakeman/processors/lib/module_helper.rb +8 -8
data/lib/brakeman/processors/lib/processor_helper.rb +3 -3
data/lib/brakeman/processors/lib/rails2_config_processor.rb +3 -3
data/lib/brakeman/processors/lib/rails2_route_processor.rb +2 -2
data/lib/brakeman/processors/lib/rails3_config_processor.rb +3 -3
data/lib/brakeman/processors/lib/rails3_route_processor.rb +2 -2
data/lib/brakeman/processors/lib/render_helper.rb +2 -2
data/lib/brakeman/processors/lib/render_path.rb +18 -1
data/lib/brakeman/processors/library_processor.rb +5 -5
data/lib/brakeman/processors/model_processor.rb +4 -5
data/lib/brakeman/processors/output_processor.rb +5 -0
data/lib/brakeman/processors/template_alias_processor.rb +4 -5
data/lib/brakeman/processors/template_processor.rb +4 -4
data/lib/brakeman/report.rb +3 -3
data/lib/brakeman/report/ignore/config.rb +2 -3
data/lib/brakeman/report/ignore/interactive.rb +2 -2
data/lib/brakeman/report/pager.rb +1 -0
data/lib/brakeman/report/report_base.rb +51 -6
data/lib/brakeman/report/report_codeclimate.rb +3 -3
data/lib/brakeman/report/report_hash.rb +1 -1
data/lib/brakeman/report/report_html.rb +2 -2
data/lib/brakeman/report/report_json.rb +1 -24
data/lib/brakeman/report/report_table.rb +20 -4
data/lib/brakeman/report/report_tabs.rb +1 -1
data/lib/brakeman/report/report_text.rb +2 -2
data/lib/brakeman/rescanner.rb +9 -12
data/lib/brakeman/scanner.rb +19 -14
data/lib/brakeman/tracker.rb +4 -4
data/lib/brakeman/tracker/collection.rb +4 -3
data/lib/brakeman/tracker/config.rb +6 -0
data/lib/brakeman/util.rb +1 -147
data/lib/brakeman/version.rb +1 -1
data/lib/brakeman/warning.rb +23 -13
data/lib/brakeman/warning_codes.rb +1 -0
data/lib/ruby_parser/bm_sexp_processor.rb +1 -0
metadata +20 -10

data/lib/brakeman/parsers/template_parser.rb CHANGED

@@ -13,7 +13,7 @@ module Brakeman
     end
     def parse_template path, text
-      type = path.match(KNOWN_TEMPLATE_EXTENSIONS)[1].to_sym
+      type = path.relative.match(KNOWN_TEMPLATE_EXTENSIONS)[1].to_sym
       type = :erb if type == :rhtml
       name = template_path_to_name path
       Brakeman.debug "Parsing #{path}"
@@ -63,7 +63,7 @@ module Brakeman
         else
           ERB.new(text, nil, '-').src
         end
-        src.sub!(/^#.*\n/, '') if Brakeman::Scanner::RUBY_1_9
+        src.sub!(/^#.*\n/, '')
         src
       end
     end
@@ -95,7 +95,7 @@ module Brakeman
     end
     def self.parse_inline_erb tracker, text
-      fp = Brakeman::FileParser.new(tracker, nil)
+      fp = Brakeman::FileParser.new(tracker)
       tp = self.new(tracker, fp)
       src = tp.parse_erb '_inline_', text
       type = tp.erubis? ? :erubis : :erb

data/lib/brakeman/processor.rb CHANGED

@@ -13,8 +13,7 @@ module Brakeman
     include Util
     def initialize(app_tree, options)
-      @app_tree = app_tree
-      @tracker = Tracker.new(@app_tree, self, options)
+      @tracker = Tracker.new(app_tree, self, options)
     end
     def tracked_events
@@ -39,7 +38,7 @@ module Brakeman
     #Process controller source. +file_name+ is used for reporting
     def process_controller src, file_name
       if contains_class? src
-        ControllerProcessor.new(@app_tree, @tracker).process_controller src, file_name
+        ControllerProcessor.new(@tracker).process_controller src, file_name
       else
         LibraryProcessor.new(@tracker).process_library src, file_name
       end
@@ -48,7 +47,7 @@ module Brakeman
     #Process variable aliasing in controller source and save it in the
     #tracker.
     def process_controller_alias name, src, only_method = nil, file = nil
-      ControllerAliasProcessor.new(@app_tree, @tracker, only_method).process_controller name, src, file
+      ControllerAliasProcessor.new(@tracker, only_method).process_controller name, src, file
     end
     #Process a model source

data/lib/brakeman/processors/alias_processor.rb CHANGED

@@ -20,19 +20,18 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   #The recommended usage is:
   #
   # AliasProcessor.new.process_safely src
-  def initialize tracker = nil, file_name = nil
+  def initialize tracker = nil, current_file = nil
     super()
     @env = SexpProcessor::Environment.new
     @inside_if = false
     @ignore_ifs = nil
     @exp_context = []
-    @current_module = nil
     @tracker = tracker #set in subclass as necessary
     @helper_method_cache = {}
     @helper_method_info = Hash.new({})
     @or_depth_limit = (tracker && tracker.options[:branch_limit]) || 5 #arbitrary default
     @meth_env = nil
-    @file_name = file_name
+    @current_file = current_file
     set_env_defaults
   end
@@ -44,8 +43,8 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   #
   #This method returns a new Sexp with variables replaced with their values,
   #where possible.
-  def process_safely src, set_env = nil, file_name = nil
-    @file_name = file_name
+  def process_safely src, set_env = nil, current_file = @current_file
+    @current_file = current_file
     @env = set_env || SexpProcessor::Environment.new
     @result = src.deep_clone
     process @result
@@ -270,6 +269,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       if array? target and target.length > 2 and (string? first_arg or first_arg.nil?)
         exp = process_array_join(target, first_arg)
       end
+    when :!
+      #  Convert `!!a` to boolean
+      if call? target and target.method == :!
+        exp = s(:or, s(:true).line(exp.line), s(:false).line(exp.line)).line(exp.line)
+      end
     end
     exp
@@ -368,6 +372,8 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
           elsif e.is_a? Symbol
             local = Sexp.new(:lvar, e)
             env.current[local] = local
+          elsif e.nil? # trailing comma, argument destructuring
+            next # Punt for now
           else
             raise "Unexpected value in block args: #{e.inspect}"
           end
@@ -693,7 +699,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     if @tracker
       @tracker.add_constant exp.lhs,
         exp.rhs,
-        :file => current_file_name,
+        :file => @current_file,
         :module => @current_module,
         :class => @current_class,
         :method => @current_method

data/lib/brakeman/processors/base_processor.rb CHANGED

@@ -15,11 +15,12 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     super()
     @last = nil
     @tracker = tracker
-    @current_template = @current_module = @current_class = @current_method = @file_name = nil
+    @app_tree = tracker.app_tree if tracker
+    @current_template = @current_module = @current_class = @current_method = @current_file = nil
   end
-  def process_file exp, file_name
-    @file_name = file_name
+  def process_file exp, current_file
+    @current_file = current_file
     process exp
   end
@@ -182,7 +183,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     if @tracker
       @tracker.add_constant exp.lhs,
         exp.rhs,
-        :file => current_file_name,
+        :file => current_file,
         :module => @current_module,
         :class => @current_class,
         :method => @current_method
@@ -234,8 +235,8 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     elsif first_arg.is_a? Symbol or first_arg.is_a? String
       type = :action
       value = Sexp.new(:lit, first_arg.to_sym)
-		elsif first_arg.nil?
-			type = :default
+    elsif first_arg.nil?
+      type = :default
     elsif not hash? first_arg
       type = :action
       value = first_arg
@@ -287,7 +288,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     template_name = "#@current_method/inline@#{value.line}:#{class_or_module}".to_sym
     type, ast = Brakeman::TemplateParser.parse_inline_erb(@tracker, value.value)
     ast = ast.deep_clone(value.line)
-    @tracker.processor.process_template(template_name, ast, type, nil, @file_name)
+    @tracker.processor.process_template(template_name, ast, type, nil, @current_file)
     @tracker.processor.process_template_alias(@tracker.templates[template_name])
     return s(:lit, template_name), options

data/lib/brakeman/processors/controller_alias_processor.rb CHANGED

@@ -11,22 +11,22 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
   #If only_method is specified, only that method will be processed,
   #other methods will be skipped.
   #This is for rescanning just a single action.
-  def initialize app_tree, tracker, only_method = nil
+  def initialize tracker, only_method = nil
     super tracker
-    @app_tree = app_tree
+    @app_tree = tracker.app_tree
     @only_method = only_method
     @rendered = false
     @current_class = @current_module = @current_method = nil
     @method_cache = {} #Cache method lookups
   end
-  def process_controller name, src, file_name
+  def process_controller name, src, current_file
     if not node_type? src, :class
       Brakeman.debug "#{name} is not a class, it's a #{src.node_type}"
       return
     else
       @current_class = name
-      @file_name = file_name
+      @current_file = @app_tree.file_path(current_file)
       process_default src
@@ -37,6 +37,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
   #Process modules mixed into the controller, in case they contain actions.
   def process_mixins
     controller = @tracker.controllers[@current_class]
+    original_file = @current_file
     controller.includes.each do |i|
       mixin = @tracker.libs[i]
@@ -49,7 +50,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
       methods.each do |name|
         #Need to process the method like it was in a controller in order
         #to get the renders set
-        processor = Brakeman::ControllerProcessor.new(@app_tree, @tracker)
+        processor = Brakeman::ControllerProcessor.new(@tracker, mixin.file)
         method = mixin.get_method(name)[:src].deep_clone
         if node_type? method, :defn
@@ -59,11 +60,13 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
           method = processor.process method
         end
-        @file_name = mixin.file
+        @current_file = mixin.file
         #Then process it like any other method in the controller
         process method
       end
     end
+  ensure
+    @current_file = original_file
   end
   #Skip it, must be an inner class
@@ -187,7 +190,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
       end
     end
-    render_path = Brakeman::RenderPath.new.add_controller_render(@current_class, @current_method, line, relative_path(@file_name))
+    render_path = Brakeman::RenderPath.new.add_controller_render(@current_class, @current_method, line, @current_file)
     super name, args, render_path, line
   end

data/lib/brakeman/processors/controller_processor.rb CHANGED

@@ -8,20 +8,16 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
   FORMAT_HTML = Sexp.new(:call, Sexp.new(:lvar, :format), :html)
-  def initialize app_tree, tracker
+  def initialize tracker, current_file = nil
     super(tracker)
-    @app_tree = app_tree
-    @current_class = nil
-    @current_method = nil
-    @current_module = nil
     @visibility = :public
-    @file_name = nil
+    @current_file = current_file
     @concerns = Set.new
   end
   #Use this method to process a Controller
-  def process_controller src, file_name = nil
-    @file_name = file_name
+  def process_controller src, current_file = @current_file
+    @current_file = current_file
     process src
   end
@@ -35,7 +31,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     #a real controller, so we can't take this shortcut.
     if @current_class and @current_class.name.to_s.end_with? "Controller"
       Brakeman.debug "[Notice] Treating inner class as library: #{name}"
-      Brakeman::LibraryProcessor.new(@tracker).process_library exp, @file_name
+      Brakeman::LibraryProcessor.new(@tracker).process_library exp, @current_file
       return exp
     end

data/lib/brakeman/processors/haml_template_processor.rb CHANGED

@@ -7,6 +7,11 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
   JAVASCRIPT_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Javascript)
   COFFEE_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Coffee)
+  def initialize *args
+    super
+    @javascript = false
+  end
   #Processes call, looking for template output
   def process_call exp
     target = exp.target

data/lib/brakeman/processors/lib/module_helper.rb CHANGED

@@ -13,9 +13,9 @@ module Brakeman::ModuleHelper
     if @tracker.libs[name]
       @current_module = @tracker.libs[name]
-      @current_module.add_file @file_name, exp
+      @current_module.add_file @current_file, exp
     else
-      @current_module = tracker_class.new name, parent, @file_name, exp, @tracker
+      @current_module = tracker_class.new name, parent, @current_file, exp, @tracker
       @tracker.libs[name] = @current_module
     end
@@ -45,9 +45,9 @@ module Brakeman::ModuleHelper
     if collection[name]
       @current_class = collection[name]
-      @current_class.add_file @file_name, exp
+      @current_class.add_file @current_file, exp
     else
-      @current_class = tracker_class.new name, parent, @file_name, exp, @tracker
+      @current_class = tracker_class.new name, parent, @current_file, exp, @tracker
       collection[name] = @current_class
     end
@@ -85,9 +85,9 @@ module Brakeman::ModuleHelper
     @current_method = nil
     if @current_class
-      @current_class.add_method @visibility, name, res, @file_name
+      @current_class.add_method @visibility, name, res, @current_file
     elsif @current_module
-      @current_module.add_method @visibility, name, res, @file_name
+      @current_module.add_method @visibility, name, res, @current_file
     end
     res
   end
@@ -101,9 +101,9 @@ module Brakeman::ModuleHelper
     @current_method = nil
     if @current_class
-      @current_class.add_method @visibility, name, res, @file_name
+      @current_class.add_method @visibility, name, res, @current_file
     elsif @current_module
-      @current_module.add_method @visibility, name, res, @file_name
+      @current_module.add_method @visibility, name, res, @current_file
     end
     res

data/lib/brakeman/processors/lib/processor_helper.rb CHANGED

@@ -73,10 +73,10 @@ module Brakeman::ProcessorHelper
     end
   end
-  def current_file_name
+  def current_file
     case
-    when @file_name
-      @file_name
+    when @current_file
+      @current_file
     when @current_class.is_a?(Brakeman::Collection)
       @current_class.file
     when @current_module.is_a?(Brakeman::Collection)

data/lib/brakeman/processors/lib/rails2_config_processor.rb CHANGED

@@ -27,9 +27,9 @@ class Brakeman::Rails2ConfigProcessor < Brakeman::BasicProcessor
   end
   #Use this method to process configuration file
-  def process_config src, file_name
-    @file_name = file_name
-    res = Brakeman::ConfigAliasProcessor.new.process_safely(src, nil, file_name)
+  def process_config src, current_file
+    @current_file = current_file
+    res = Brakeman::ConfigAliasProcessor.new.process_safely(src, nil, current_file)
     process res
   end

data/lib/brakeman/processors/lib/rails2_route_processor.rb CHANGED

@@ -16,7 +16,7 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BasicProcessor
     @prefix = [] #Controller name prefix (a module name, usually)
     @current_controller = nil
     @with_options = nil #For use inside map.with_options
-    @file_name = "config/routes.rb"
+    @current_file = "config/routes.rb"
   end
   #Call this with parsed route file information.
@@ -24,7 +24,7 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BasicProcessor
   #This method first calls RouteAliasProcessor#process_safely on the +exp+,
   #so it does not modify the +exp+.
   def process_routes exp
-    process Brakeman::RouteAliasProcessor.new.process_safely(exp, nil, @file_name)
+    process Brakeman::RouteAliasProcessor.new.process_safely(exp, nil, @current_file)
   end
   #Looking for mapping of routes

data/lib/brakeman/processors/lib/rails3_config_processor.rb CHANGED

@@ -24,9 +24,9 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
   end
   #Use this method to process configuration file
-  def process_config src, file_name
-    @file_name = file_name
-    res = Brakeman::AliasProcessor.new(@tracker).process_safely(src, nil, @file_name)
+  def process_config src, current_file
+    @current_file = current_file
+    res = Brakeman::AliasProcessor.new(@tracker).process_safely(src, nil, @current_file)
     process res
   end

data/lib/brakeman/processors/lib/rails3_route_processor.rb CHANGED

@@ -17,11 +17,11 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BasicProcessor
     @current_controller = nil
     @with_options = nil #For use inside map.with_options
     @controller_block = false
-    @file_name = "config/routes.rb"
+    @current_file = "config/routes.rb"
   end
   def process_routes exp
-    process Brakeman::AliasProcessor.new.process_safely(exp, nil, @file_name)
+    process Brakeman::AliasProcessor.new.process_safely(exp, nil, @current_file)
   end
   def process_call exp

data/lib/brakeman/processors/lib/render_helper.rb CHANGED

@@ -36,7 +36,7 @@ module Brakeman::RenderHelper
   #Determines file name for partial and then processes it
   def process_partial name, args, line
-    if name == "" or !(string? name or symbol? name)
+    if !(string? name or symbol? name) or name.value == ""
       return
     end
@@ -148,7 +148,7 @@ module Brakeman::RenderHelper
       #This information will be stored in tracker.templates, but with a name
       #specifying this particular route. The original source should remain
       #pristine (so it can be processed within other environments).
-      @tracker.processor.process_template name, src, template.type, called_from
+      @tracker.processor.process_template name, src, template.type, called_from, template.file
     end
   end

data/lib/brakeman/processors/lib/render_path.rb CHANGED

@@ -83,7 +83,7 @@ module Brakeman
     end
     def map &block
-      @path.map &block
+      @path.map(&block)
     end
     def to_a
@@ -114,6 +114,23 @@ module Brakeman
       JSON.generate(@path)
     end
+    def with_relative_paths
+      @path.map do |loc|
+        r = loc.dup
+        if r[:file]
+          r[:file] = r[:file].relative
+        end
+        if r[:rendered] and r[:rendered][:file]
+          r[:rendered] = r[:rendered].dup
+          r[:rendered][:file] = r[:rendered][:file].relative
+        end
+        r
+      end
+    end
     def initialize_copy original
       @path = original.path.dup
       self

data/lib/brakeman/processors/library_processor.rb CHANGED

@@ -9,15 +9,15 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
   def initialize tracker
     super
-    @file_name = nil
+    @current_file = nil
     @alias_processor = Brakeman::AliasProcessor.new tracker
     @current_module = nil
     @current_class = nil
     @initializer_env = nil
   end
-  def process_library src, file_name = nil
-    @file_name = file_name
+  def process_library src, current_file = @current_file
+    @current_file = current_file
     process src
   end
@@ -41,10 +41,10 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
     if @current_class
       exp.body = process_all! exp.body
-      @current_class.add_method :public, exp.method_name, exp, @file_name
+      @current_class.add_method :public, exp.method_name, exp, @current_file
     elsif @current_module
       exp.body = process_all! exp.body
-      @current_module.add_method :public, exp.method_name, exp, @file_name
+      @current_module.add_method :public, exp.method_name, exp, @current_file
     end
     exp