RubyGems - brakeman-lib - Versions diffs - 4.5.0 → 4.5.1 - Mend

brakeman-lib 4.5.0 → 4.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (71) hide show

checksums.yaml +4 -4
data/CHANGES.md +15 -0
data/README.md +6 -6
data/lib/brakeman.rb +7 -0
data/lib/brakeman/app_tree.rb +34 -22
data/lib/brakeman/checks.rb +7 -7
data/lib/brakeman/checks/base_check.rb +9 -9
data/lib/brakeman/checks/check_cross_site_scripting.rb +5 -0
data/lib/brakeman/checks/check_default_routes.rb +5 -0
data/lib/brakeman/checks/check_deserialize.rb +52 -0
data/lib/brakeman/checks/check_dynamic_finders.rb +1 -1
data/lib/brakeman/checks/check_force_ssl.rb +27 -0
data/lib/brakeman/checks/check_json_parsing.rb +5 -0
data/lib/brakeman/checks/check_link_to_href.rb +6 -1
data/lib/brakeman/checks/check_mail_to.rb +1 -1
data/lib/brakeman/checks/check_model_attr_accessible.rb +1 -1
data/lib/brakeman/checks/check_model_attributes.rb +12 -50
data/lib/brakeman/checks/check_model_serialize.rb +1 -1
data/lib/brakeman/checks/check_nested_attributes_bypass.rb +3 -3
data/lib/brakeman/checks/check_secrets.rb +1 -1
data/lib/brakeman/checks/check_session_settings.rb +10 -10
data/lib/brakeman/checks/check_simple_format.rb +5 -0
data/lib/brakeman/checks/check_skip_before_filter.rb +1 -1
data/lib/brakeman/checks/check_sql.rb +15 -17
data/lib/brakeman/checks/check_validation_regex.rb +1 -1
data/lib/brakeman/file_parser.rb +6 -8
data/lib/brakeman/file_path.rb +71 -0
data/lib/brakeman/options.rb +7 -0
data/lib/brakeman/parsers/template_parser.rb +3 -3
data/lib/brakeman/processor.rb +3 -4
data/lib/brakeman/processors/alias_processor.rb +12 -6
data/lib/brakeman/processors/base_processor.rb +8 -7
data/lib/brakeman/processors/controller_alias_processor.rb +10 -7
data/lib/brakeman/processors/controller_processor.rb +5 -9
data/lib/brakeman/processors/haml_template_processor.rb +5 -0
data/lib/brakeman/processors/lib/module_helper.rb +8 -8
data/lib/brakeman/processors/lib/processor_helper.rb +3 -3
data/lib/brakeman/processors/lib/rails2_config_processor.rb +3 -3
data/lib/brakeman/processors/lib/rails2_route_processor.rb +2 -2
data/lib/brakeman/processors/lib/rails3_config_processor.rb +3 -3
data/lib/brakeman/processors/lib/rails3_route_processor.rb +2 -2
data/lib/brakeman/processors/lib/render_helper.rb +2 -2
data/lib/brakeman/processors/lib/render_path.rb +18 -1
data/lib/brakeman/processors/library_processor.rb +5 -5
data/lib/brakeman/processors/model_processor.rb +4 -5
data/lib/brakeman/processors/output_processor.rb +5 -0
data/lib/brakeman/processors/template_alias_processor.rb +4 -5
data/lib/brakeman/processors/template_processor.rb +4 -4
data/lib/brakeman/report.rb +3 -3
data/lib/brakeman/report/ignore/config.rb +2 -3
data/lib/brakeman/report/ignore/interactive.rb +2 -2
data/lib/brakeman/report/pager.rb +1 -0
data/lib/brakeman/report/report_base.rb +51 -6
data/lib/brakeman/report/report_codeclimate.rb +3 -3
data/lib/brakeman/report/report_hash.rb +1 -1
data/lib/brakeman/report/report_html.rb +2 -2
data/lib/brakeman/report/report_json.rb +1 -24
data/lib/brakeman/report/report_table.rb +20 -4
data/lib/brakeman/report/report_tabs.rb +1 -1
data/lib/brakeman/report/report_text.rb +2 -2
data/lib/brakeman/rescanner.rb +9 -12
data/lib/brakeman/scanner.rb +19 -14
data/lib/brakeman/tracker.rb +4 -4
data/lib/brakeman/tracker/collection.rb +4 -3
data/lib/brakeman/tracker/config.rb +6 -0
data/lib/brakeman/util.rb +1 -147
data/lib/brakeman/version.rb +1 -1
data/lib/brakeman/warning.rb +23 -13
data/lib/brakeman/warning_codes.rb +1 -0
data/lib/ruby_parser/bm_sexp_processor.rb +1 -0
metadata +20 -10

data/lib/brakeman/processors/model_processor.rb CHANGED

@@ -12,24 +12,23 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
     @current_method = nil
     @current_module = nil
     @visibility = :public
-    @file_name = nil
+    @current_file = nil
   end
   #Process model source
-  def process_model src, file_name = nil
-    @file_name = file_name
+  def process_model src, current_file = @current_file
+    @current_file = current_file
     process src
   end
   #s(:class, NAME, PARENT, BODY)
   def process_class exp
     name = class_name(exp.class_name)
-    parent = class_name(exp.parent_name)
     #If inside an inner class we treat it as a library.
     if @current_class
       Brakeman.debug "[Notice] Treating inner class as library: #{name}"
-      Brakeman::LibraryProcessor.new(@tracker).process_library exp, @file_name
+      Brakeman::LibraryProcessor.new(@tracker).process_library exp, @current_file
       return exp
     end

data/lib/brakeman/processors/output_processor.rb CHANGED

@@ -8,6 +8,11 @@ require 'brakeman/util'
 class Brakeman::OutputProcessor < Ruby2Ruby
   include Brakeman::Util
+  def initialize *args
+    super
+    @user_input = nil
+  end
   #Copies +exp+ and then formats it.
   def format exp, user_input = nil, &block
     @user_input = user_input

data/lib/brakeman/processors/template_alias_processor.rb CHANGED

@@ -14,22 +14,21 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
   def initialize tracker, template, called_from = nil
     super tracker
     @template = template
+    @current_file = template.file
     @called_from = called_from
   end
   #Process template
-  def process_template name, args, _, line = nil, file_name = nil
-    @file_name = file_name || relative_path(@template.file || @tracker.templates[@template.name])
+  def process_template name, args, _, line = nil
     if @called_from
       if @called_from.include_template? name
         Brakeman.debug "Skipping circular render from #{@template.name} to #{name}"
         return
       end
-      super name, args, @called_from.dup.add_template_render(@template.name, line, @file_name), line
+      super name, args, @called_from.dup.add_template_render(@template.name, line, @current_file), line
     else
-      super name, args, Brakeman::RenderPath.new.add_template_render(@template.name, line, @file_name), line
+      super name, args, Brakeman::RenderPath.new.add_template_render(@template.name, line, @current_file), line
     end
   end

data/lib/brakeman/processors/template_processor.rb CHANGED

@@ -5,10 +5,10 @@ require 'brakeman/tracker/template'
 class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
   #Initializes template information.
-  def initialize tracker, template_name, called_from = nil, file_name = nil
-    super(tracker)
-    @current_template = Brakeman::Template.new template_name, called_from, file_name, tracker
-    @file_name = file_name
+  def initialize tracker, template_name, called_from = nil, current_file = nil
+    super(tracker)
+    @current_template = Brakeman::Template.new template_name, called_from, current_file, tracker
+    @current_file = @current_template.file
     if called_from
       template_name = (template_name.to_s + "." + called_from.to_s).to_sym

data/lib/brakeman/report.rb CHANGED

@@ -8,8 +8,8 @@ class Brakeman::Report
   VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain, :to_text]
-  def initialize app_tree, tracker
-    @app_tree = app_tree
+  def initialize tracker
+    @app_tree = tracker.app_tree
     @tracker = tracker
   end
@@ -83,6 +83,6 @@ class Brakeman::Report
   alias to_s to_text
   def generate reporter
-    reporter.new(@app_tree, @tracker).generate_report
+    reporter.new(@tracker).generate_report
   end
 end

data/lib/brakeman/report/ignore/config.rb CHANGED

@@ -22,6 +22,7 @@ module Brakeman
     def filter_ignored
       @shown_warnings = []
       @ignored_warnings = []
+      @used_fingerprints = Set.new
       @new_warnings.each do |w|
         if ignored? w
@@ -112,9 +113,7 @@ module Brakeman
     def save_to_file warnings, file = @file
       warnings = warnings.map do |w|
         if w.is_a? Warning
-          w_hash = w.to_hash
-          w_hash[:file] = w.relative_path
-          w = w_hash
+          w = w.to_hash(absolute_paths: false)
         end
         w[:note] = @notes[w[:fingerprint]] || ""

data/lib/brakeman/report/ignore/interactive.rb CHANGED

@@ -280,9 +280,9 @@ q - Quit, do not update ignored warnings
         say warning.format_code
       end
-      if warning.relative_path
+      if warning.file
         label "File"
-        say warning.relative_path
+        say warning.file.relative
       end
       if warning.line

data/lib/brakeman/report/pager.rb CHANGED

@@ -4,6 +4,7 @@ module Brakeman
       @tracker = tracker
       @pager = pager
       @output = output
+      @less_available = @less_options = nil
     end
     def page_report report, format

data/lib/brakeman/report/report_base.rb CHANGED

@@ -13,8 +13,8 @@ class Brakeman::Report::Base
   TEXT_CONFIDENCE = Brakeman::Warning::TEXT_CONFIDENCE
-  def initialize app_tree, tracker
-    @app_tree = app_tree
+  def initialize tracker
+    @app_tree = tracker.app_tree
     @tracker = tracker
     @checks = tracker.checks
     @ignore_filter = tracker.ignored_filter
@@ -123,16 +123,52 @@ class Brakeman::Report::Base
     Set.new(tracker.templates.map {|k,v| v.name.to_s[/[^.]+/]}).length
   end
-  def warning_file warning, absolute = @tracker.options[:absolute_paths]
+  def absolute_paths?
+    @tracker.options[:absolute_paths]
+  end
+  def warning_file warning
     return nil if warning.file.nil?
-    if absolute
-      warning.file
+    if absolute_paths?
+      warning.file.absolute
     else
-      relative_path warning.file
+      warning.file.relative
     end
   end
+  #Return array of lines surrounding the warning location from the original
+  #file.
+  def context_for warning
+    file = warning.file
+    context = []
+    return context unless warning.line and file and file.exists?
+    current_line = 0
+    start_line = warning.line - 5
+    end_line = warning.line + 5
+    start_line = 1 if start_line < 0
+    File.open file do |f|
+      f.each_line do |line|
+        current_line += 1
+        next if line.strip == ""
+        if current_line > end_line
+          break
+        end
+        if current_line >= start_line
+          context << [current_line, line]
+        end
+      end
+    end
+    context
+  end
   def rails_version
     case
     when tracker.config.rails_version
@@ -145,4 +181,13 @@ class Brakeman::Report::Base
       "Unknown"
     end
   end
+  def github_url file, line=nil
+    if repo_url = @tracker.options[:github_url] and file
+      url = "#{repo_url}/#{file.relative}"
+      url << "#L#{line}" if line
+    else
+      nil
+    end
+  end
 end

data/lib/brakeman/report/report_codeclimate.rb CHANGED

@@ -70,10 +70,10 @@ class Brakeman::Report::CodeClimate < Brakeman::Report::Base
   end
   def file_path(warning)
-    fp = Pathname.new(warning.relative_path)
     if tracker.options[:path_prefix]
-      fp = Pathname.new(tracker.options[:path_prefix]) + fp
+      (Pathname.new(tracker.options[:path_prefix]) + Pathname.new(warning.file.relative)).to_s
+    else
+      warning.file
     end
-    fp.to_s
   end
 end

data/lib/brakeman/report/report_hash.rb CHANGED

@@ -11,7 +11,7 @@ class Brakeman::Report::Hash < Brakeman::Report::Base
       report[meth] = self.send(meth)
       report[meth].each do |w|
         w.message = w.format_message
-        w.context = context_for(@app_tree, w).join("\n")
+        w.context = context_for(w).join("\n")
       end
     end

data/lib/brakeman/report/report_html.rb CHANGED

@@ -86,7 +86,7 @@ class Brakeman::Report::HTML < Brakeman::Report::Table
   def convert_ignored_warning warning, original
     warning = convert_warning(warning, original)
-    warning['File'] = original.relative_path
+    warning['File'] = original.file.relative
     warning['Note'] = CGI.escapeHTML(@ignore_filter.note_for(original) || "")
     warning
   end
@@ -113,7 +113,7 @@ class Brakeman::Report::HTML < Brakeman::Report::Table
   #Generate HTML for warnings, including context show/hidden via Javascript
   def with_context warning, message
     @element_id += 1
-    context = context_for(@app_tree, warning)
+    context = context_for(warning)
     message = html_message(warning, message)
     code_id = "context#@element_id"

data/lib/brakeman/report/report_json.rb CHANGED

@@ -37,30 +37,7 @@ class Brakeman::Report::JSON < Brakeman::Report::Base
   def convert_to_hashes warnings
     warnings.map do |w|
-      hash = w.to_hash
-      hash[:render_path] = convert_render_path hash[:render_path]
-      hash[:file] = warning_file w
-      hash
+      w.to_hash(absolute_paths: false)
     end.sort_by { |w| "#{w[:fingerprint]}#{w[:line]}" }
   end
-  def convert_render_path render_path
-    return unless render_path and not @tracker.options[:absolute_paths]
-    render_path.map do |r|
-      r = r.dup
-      if r[:file]
-        r[:file] = relative_path(r[:file])
-      end
-      if r[:rendered] and r[:rendered][:file]
-        r[:rendered] = r[:rendered].dup
-        r[:rendered][:file] = relative_path(r[:rendered][:file])
-      end
-      r
-    end
-  end
 end

data/lib/brakeman/report/report_table.rb CHANGED

@@ -199,10 +199,6 @@ class Brakeman::Report::Table < Brakeman::Report::Base
     end
   end
-  def convert_warning warning, original
-    warning
-  end
   def convert_ignored_warning warning, original
     convert_warning warning, original
   end
@@ -271,4 +267,24 @@ Duration: #{tracker.duration} seconds
 Checks run: #{checks.checks_run.sort.join(", ")}
 HEADER
   end
+  def truncate_table str
+    @terminal_width ||= if @tracker.options[:table_width]
+                          @tracker.options[:table_width]
+                        elsif $stdin && $stdin.tty?
+                          Brakeman.load_brakeman_dependency 'highline'
+                          ::HighLine.default_instance.terminal.terminal_size[0]
+                        else
+                          80
+                        end
+    lines = str.lines
+    lines.map do |line|
+      if line.chomp.length > @terminal_width
+        line[0..(@terminal_width - 3)] + ">>\n"
+      else
+        line
+      end
+    end.join
+  end
 end

data/lib/brakeman/report/report_tabs.rb CHANGED

@@ -10,7 +10,7 @@ class Brakeman::Report::Tabs < Brakeman::Report::Table
       self.send(meth).map do |w|
         line = w.line || 0
         w.warning_type.gsub!(/[^\w\s]/, ' ')
-        "#{warning_file(w, :absolute)}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{TEXT_CONFIDENCE[w.confidence]}"
+        "#{(w.file.absolute)}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{TEXT_CONFIDENCE[w.confidence]}"
       end.join "\n"
     end.join "\n"

data/lib/brakeman/report/report_text.rb CHANGED

@@ -201,8 +201,8 @@ class Brakeman::Report::Text < Brakeman::Report::Base
   # ONLY used for generate_controllers to avoid duplication
   def render_array name, cols, values, locals
-    controllers = values.map do |name, parent, includes, routes|
-      c = [ label("Controller", name) ]
+    controllers = values.map do |controller_name, parent, includes, routes|
+      c = [ label("Controller", controller_name) ]
       c << label("Parent", parent) unless parent.empty?
       c << label("Includes", includes) unless includes.empty?
       c << label("Routes", routes)

data/lib/brakeman/rescanner.rb CHANGED

@@ -13,7 +13,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
   def initialize options, processor, changed_files
     super(options, processor)
-    @paths = changed_files.map {|f| @app_tree.expand_path(f) }
+    @paths = changed_files.map {|f| tracker.app_tree.file_path(f) }
     @old_results = tracker.filtered_warnings  #Old warnings from previous scan
     @changes = nil                 #True if files had to be rescanned
     @reindex = Set.new
@@ -67,7 +67,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
   def rescan_file path, type = nil
     type ||= file_type path
-    unless @app_tree.path_exists?(path)
+    unless path.exists?
       return rescan_deleted_file path, type
     end
@@ -127,14 +127,14 @@ class Brakeman::Rescanner < Brakeman::Scanner
   end
   def rescan_template path
-    return unless path.match KNOWN_TEMPLATE_EXTENSIONS and @app_tree.path_exists?(path)
+    return unless path.relative.match KNOWN_TEMPLATE_EXTENSIONS and path.exists?
     template_name = template_path_to_name(path)
     tracker.reset_template template_name
-    fp = Brakeman::FileParser.new(tracker, @app_tree)
+    fp = Brakeman::FileParser.new(tracker)
     template_parser = Brakeman::TemplateParser.new(tracker, fp)
-    template_parser.parse_template path, @app_tree.read_path(path)
+    template_parser.parse_template path, path.read
     process_template fp.file_list[:templates].first
     @processor.process_template_alias tracker.templates[template_name]
@@ -256,16 +256,13 @@ class Brakeman::Rescanner < Brakeman::Scanner
   end
   def rescan_deleted_template path
-    return unless path.match KNOWN_TEMPLATE_EXTENSIONS
+    return unless path.relative.match KNOWN_TEMPLATE_EXTENSIONS
     template_name = template_path_to_name(path)
     #Remove template
     tracker.reset_template template_name
-    rendered_from_controller = /^#{template_name}\.(.+Controller)#(.+)/
-    rendered_from_view = /^#{template_name}\.Template:(.+)/
     #Remove any rendered versions, or partials rendered from it
     tracker.templates.delete_if do |_name, template|
       template.file == path or template.name.to_sym == template_name.to_sym
@@ -371,7 +368,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
       next unless template.render_path
       if template.render_path.include_any_method? method_names
-        name.to_s.match /^([^.]+)/
+        name.to_s.match(/^([^.]+)/)
         original = tracker.templates[$1.to_sym]
@@ -388,8 +385,8 @@ class Brakeman::Rescanner < Brakeman::Scanner
   end
   def parse_ruby_files list
-    paths = list.select { |path| @app_tree.path_exists? path }
-    file_parser = Brakeman::FileParser.new(tracker, @app_tree)
+    paths = list.select(&:exists?)
+    file_parser = Brakeman::FileParser.new(tracker)
     file_parser.parse_files paths, :rescan
     file_parser.file_list[:rescan]
   end

data/lib/brakeman/scanner.rb CHANGED

@@ -16,7 +16,6 @@ end
 #Scans the Rails application.
 class Brakeman::Scanner
   attr_reader :options
-  RUBY_1_9 = RUBY_VERSION >= "1.9.0"
   #Pass in path to the root of the Rails application
   def initialize options, processor = nil
@@ -66,7 +65,7 @@ class Brakeman::Scanner
   end
   def parse_files
-    fp = Brakeman::FileParser.new tracker, @app_tree
+    fp = Brakeman::FileParser.new tracker
     files = {
       :initializers => @app_tree.initializer_paths,
@@ -95,7 +94,7 @@ class Brakeman::Scanner
   #
   #Stores parsed information in tracker.config
   def process_config
-    if options[:rails3] or options[:rails4] or options[:rails5]
+    if options[:rails3] or options[:rails4] or options[:rails5] or options[:rails6]
       process_config_file "application.rb"
       process_config_file "environments/production.rb"
     else
@@ -111,14 +110,14 @@ class Brakeman::Scanner
     end
     if @app_tree.exists? ".ruby-version"
-      tracker.config.set_ruby_version @app_tree.read ".ruby-version"
+      tracker.config.set_ruby_version @app_tree.file_path(".ruby-version").read
     end
   end
   def process_config_file file
-    path = "config/#{file}"
+    path = @app_tree.file_path("config/#{file}")
-    if @app_tree.exists?(path)
+    if path.exists?
       @processor.process_config(parse_ruby_file(path), path)
     end
@@ -132,16 +131,21 @@ class Brakeman::Scanner
   #Process Gemfile
   def process_gems
     gem_files = {}
     if @app_tree.exists? "Gemfile"
-      gem_files[:gemfile] = { :src => parse_ruby_file("Gemfile"), :file => "Gemfile" }
+      file = @app_tree.file_path("Gemfile")
+      gem_files[:gemfile] = { :src => parse_ruby_file(file), :file => file }
     elsif @app_tree.exists? "gems.rb"
-      gem_files[:gemfile] = { :src => parse_ruby_file("gems.rb"), :file => "gems.rb" }
+      file = @app_tree.file_path("gems.rb")
+      gem_files[:gemfile] = { :src => parse_ruby_file(file), :file => file }
     end
     if @app_tree.exists? "Gemfile.lock"
-      gem_files[:gemlock] = { :src => @app_tree.read("Gemfile.lock"), :file => "Gemfile.lock" }
+      file = @app_tree.file_path("Gemfile.lock")
+      gem_files[:gemlock] = { :src => file.read, :file => file }
     elsif @app_tree.exists? "gems.locked"
-      gem_files[:gemlock] = { :src => @app_tree.read("gems.locked"), :file => "gems.locked" }
+      file = @app_tree.file_path("gems.locked")
+      gem_files[:gemlock] = { :src => file.read, :file => file }
     end
     if @app_tree.gemspec
@@ -215,7 +219,8 @@ class Brakeman::Scanner
   #Adds parsed information to tracker.routes
   def process_routes
     if @app_tree.exists?("config/routes.rb")
-      if routes_sexp = parse_ruby_file("config/routes.rb")
+      file = @app_tree.file_path("config/routes.rb")
+      if routes_sexp = parse_ruby_file(file)
         @processor.process_routes routes_sexp
       else
         Brakeman.notify "[Notice] Error while processing routes - assuming all public controller methods are actions."
@@ -316,9 +321,9 @@ class Brakeman::Scanner
     tracker.index_call_sites
   end
-  def parse_ruby_file path
-    fp = Brakeman::FileParser.new(self.tracker, @app_tree)
-    fp.parse_ruby(@app_tree.read(path), path)
+  def parse_ruby_file file
+    fp = Brakeman::FileParser.new(self.tracker)
+    fp.parse_ruby(file.read, file)
   end
 end