RubyGems - brakeman-lib - Versions diffs - 4.5.0 → 4.5.1 - Mend

brakeman-lib 4.5.0 → 4.5.1

Files changed (71) hide show

checksums.yaml +4 -4
data/CHANGES.md +15 -0
data/README.md +6 -6
data/lib/brakeman.rb +7 -0
data/lib/brakeman/app_tree.rb +34 -22
data/lib/brakeman/checks.rb +7 -7
data/lib/brakeman/checks/base_check.rb +9 -9
data/lib/brakeman/checks/check_cross_site_scripting.rb +5 -0
data/lib/brakeman/checks/check_default_routes.rb +5 -0
data/lib/brakeman/checks/check_deserialize.rb +52 -0
data/lib/brakeman/checks/check_dynamic_finders.rb +1 -1
data/lib/brakeman/checks/check_force_ssl.rb +27 -0
data/lib/brakeman/checks/check_json_parsing.rb +5 -0
data/lib/brakeman/checks/check_link_to_href.rb +6 -1
data/lib/brakeman/checks/check_mail_to.rb +1 -1
data/lib/brakeman/checks/check_model_attr_accessible.rb +1 -1
data/lib/brakeman/checks/check_model_attributes.rb +12 -50
data/lib/brakeman/checks/check_model_serialize.rb +1 -1
data/lib/brakeman/checks/check_nested_attributes_bypass.rb +3 -3
data/lib/brakeman/checks/check_secrets.rb +1 -1
data/lib/brakeman/checks/check_session_settings.rb +10 -10
data/lib/brakeman/checks/check_simple_format.rb +5 -0
data/lib/brakeman/checks/check_skip_before_filter.rb +1 -1
data/lib/brakeman/checks/check_sql.rb +15 -17
data/lib/brakeman/checks/check_validation_regex.rb +1 -1
data/lib/brakeman/file_parser.rb +6 -8
data/lib/brakeman/file_path.rb +71 -0
data/lib/brakeman/options.rb +7 -0
data/lib/brakeman/parsers/template_parser.rb +3 -3
data/lib/brakeman/processor.rb +3 -4
data/lib/brakeman/processors/alias_processor.rb +12 -6
data/lib/brakeman/processors/base_processor.rb +8 -7
data/lib/brakeman/processors/controller_alias_processor.rb +10 -7
data/lib/brakeman/processors/controller_processor.rb +5 -9
data/lib/brakeman/processors/haml_template_processor.rb +5 -0
data/lib/brakeman/processors/lib/module_helper.rb +8 -8
data/lib/brakeman/processors/lib/processor_helper.rb +3 -3
data/lib/brakeman/processors/lib/rails2_config_processor.rb +3 -3
data/lib/brakeman/processors/lib/rails2_route_processor.rb +2 -2
data/lib/brakeman/processors/lib/rails3_config_processor.rb +3 -3
data/lib/brakeman/processors/lib/rails3_route_processor.rb +2 -2
data/lib/brakeman/processors/lib/render_helper.rb +2 -2
data/lib/brakeman/processors/lib/render_path.rb +18 -1
data/lib/brakeman/processors/library_processor.rb +5 -5
data/lib/brakeman/processors/model_processor.rb +4 -5
data/lib/brakeman/processors/output_processor.rb +5 -0
data/lib/brakeman/processors/template_alias_processor.rb +4 -5
data/lib/brakeman/processors/template_processor.rb +4 -4
data/lib/brakeman/report.rb +3 -3
data/lib/brakeman/report/ignore/config.rb +2 -3
data/lib/brakeman/report/ignore/interactive.rb +2 -2
data/lib/brakeman/report/pager.rb +1 -0
data/lib/brakeman/report/report_base.rb +51 -6
data/lib/brakeman/report/report_codeclimate.rb +3 -3
data/lib/brakeman/report/report_hash.rb +1 -1
data/lib/brakeman/report/report_html.rb +2 -2
data/lib/brakeman/report/report_json.rb +1 -24
data/lib/brakeman/report/report_table.rb +20 -4
data/lib/brakeman/report/report_tabs.rb +1 -1
data/lib/brakeman/report/report_text.rb +2 -2
data/lib/brakeman/rescanner.rb +9 -12
data/lib/brakeman/scanner.rb +19 -14
data/lib/brakeman/tracker.rb +4 -4
data/lib/brakeman/tracker/collection.rb +4 -3
data/lib/brakeman/tracker/config.rb +6 -0
data/lib/brakeman/util.rb +1 -147
data/lib/brakeman/version.rb +1 -1
data/lib/brakeman/warning.rb +23 -13
data/lib/brakeman/warning_codes.rb +1 -0
data/lib/ruby_parser/bm_sexp_processor.rb +1 -0
metadata +20 -10

data/lib/brakeman/processors/model_processor.rb CHANGED

@@ -12,24 +12,23 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
     @current_method = nil
     @current_module = nil
     @visibility = :public
-    @file_name = nil
+    @current_file = nil
   end
   #Process model source
-  def process_model src, file_name = nil
-    @file_name = file_name
+  def process_model src, current_file = @current_file
+    @current_file = current_file
     process src
   end
   #s(:class, NAME, PARENT, BODY)
   def process_class exp
     name = class_name(exp.class_name)
-    parent = class_name(exp.parent_name)
     #If inside an inner class we treat it as a library.
     if @current_class
       Brakeman.debug "[Notice] Treating inner class as library: #{name}"
-      Brakeman::LibraryProcessor.new(@tracker).process_library exp, @file_name
+      Brakeman::LibraryProcessor.new(@tracker).process_library exp, @current_file
       return exp
     end

data/lib/brakeman/processors/output_processor.rb CHANGED

@@ -8,6 +8,11 @@ require 'brakeman/util'
 class Brakeman::OutputProcessor < Ruby2Ruby
   include Brakeman::Util
+  def initialize *args
+    super
+    @user_input = nil
+  end
   #Copies +exp+ and then formats it.
   def format exp, user_input = nil, &block
     @user_input = user_input

data/lib/brakeman/processors/template_alias_processor.rb CHANGED

@@ -14,22 +14,21 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
   def initialize tracker, template, called_from = nil
     super tracker
     @template = template
+    @current_file = template.file
     @called_from = called_from
   end
   #Process template
-  def process_template name, args, _, line = nil, file_name = nil
-    @file_name = file_name || relative_path(@template.file || @tracker.templates[@template.name])
+  def process_template name, args, _, line = nil
     if @called_from
       if @called_from.include_template? name
         Brakeman.debug "Skipping circular render from #{@template.name} to #{name}"
         return
       end
-      super name, args, @called_from.dup.add_template_render(@template.name, line, @file_name), line
+      super name, args, @called_from.dup.add_template_render(@template.name, line, @current_file), line
     else
-      super name, args, Brakeman::RenderPath.new.add_template_render(@template.name, line, @file_name), line
+      super name, args, Brakeman::RenderPath.new.add_template_render(@template.name, line, @current_file), line
     end
   end

data/lib/brakeman/processors/template_processor.rb CHANGED

@@ -5,10 +5,10 @@ require 'brakeman/tracker/template'
 class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
   #Initializes template information.
-  def initialize tracker, template_name, called_from = nil, file_name = nil
-    super(tracker)
-    @current_template = Brakeman::Template.new template_name, called_from, file_name, tracker
-    @file_name = file_name
+  def initialize tracker, template_name, called_from = nil, current_file = nil
+    super(tracker)
+    @current_template = Brakeman::Template.new template_name, called_from, current_file, tracker
+    @current_file = @current_template.file
     if called_from
       template_name = (template_name.to_s + "." + called_from.to_s).to_sym

data/lib/brakeman/report.rb CHANGED

@@ -8,8 +8,8 @@ class Brakeman::Report
   VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain, :to_text]
-  def initialize app_tree, tracker
-    @app_tree = app_tree
+  def initialize tracker
+    @app_tree = tracker.app_tree
     @tracker = tracker
   end
@@ -83,6 +83,6 @@ class Brakeman::Report
   alias to_s to_text
   def generate reporter
-    reporter.new(@app_tree, @tracker).generate_report
+    reporter.new(@tracker).generate_report
   end
 end

data/lib/brakeman/report/ignore/config.rb CHANGED

@@ -22,6 +22,7 @@ module Brakeman
     def filter_ignored
       @shown_warnings = []
       @ignored_warnings = []
+      @used_fingerprints = Set.new
       @new_warnings.each do |w|
         if ignored? w
@@ -112,9 +113,7 @@ module Brakeman
     def save_to_file warnings, file = @file
       warnings = warnings.map do |w|
         if w.is_a? Warning
-          w_hash = w.to_hash
-          w_hash[:file] = w.relative_path
-          w = w_hash
+          w = w.to_hash(absolute_paths: false)
         end
         w[:note] = @notes[w[:fingerprint]] || ""

data/lib/brakeman/report/ignore/interactive.rb CHANGED

@@ -280,9 +280,9 @@ q - Quit, do not update ignored warnings
         say warning.format_code
       end
-      if warning.relative_path
+      if warning.file
         label "File"
-        say warning.relative_path
+        say warning.file.relative
       end
       if warning.line

data/lib/brakeman/report/pager.rb CHANGED

@@ -4,6 +4,7 @@ module Brakeman
       @tracker = tracker
       @pager = pager
       @output = output
+      @less_available = @less_options = nil
     end
     def page_report report, format

data/lib/brakeman/report/report_base.rb CHANGED

@@ -13,8 +13,8 @@ class Brakeman::Report::Base
   TEXT_CONFIDENCE = Brakeman::Warning::TEXT_CONFIDENCE
-  def initialize app_tree, tracker
-    @app_tree = app_tree
+  def initialize tracker
+    @app_tree = tracker.app_tree
     @tracker = tracker
     @checks = tracker.checks
     @ignore_filter = tracker.ignored_filter
@@ -123,16 +123,52 @@ class Brakeman::Report::Base
     Set.new(tracker.templates.map {|k,v| v.name.to_s[/[^.]+/]}).length
   end
-  def warning_file warning, absolute = @tracker.options[:absolute_paths]
+  def absolute_paths?
+    @tracker.options[:absolute_paths]
+  end
+  def warning_file warning
     return nil if warning.file.nil?
-    if absolute
-      warning.file
+    if absolute_paths?
+      warning.file.absolute
     else
-      relative_path warning.file
+      warning.file.relative
     end
   end
+  #Return array of lines surrounding the warning location from the original
+  #file.
+  def context_for warning
+    file = warning.file
+    context = []
+    return context unless warning.line and file and file.exists?
+    current_line = 0
+    start_line = warning.line - 5
+    end_line = warning.line + 5
+    start_line = 1 if start_line < 0
+    File.open file do |f|
+      f.each_line do |line|
+        current_line += 1
+        next if line.strip == ""
+        if current_line > end_line
+          break
+        end
+        if current_line >= start_line
+          context << [current_line, line]
+        end
+      end
+    end
+    context
+  end
   def rails_version
     case
     when tracker.config.rails_version
@@ -145,4 +181,13 @@ class Brakeman::Report::Base
       "Unknown"
     end
   end
+  def github_url file, line=nil
+    if repo_url = @tracker.options[:github_url] and file
+      url = "#{repo_url}/#{file.relative}"
+      url << "#L#{line}" if line
+    else
+      nil
+    end
+  end
 end

data/lib/brakeman/report/report_codeclimate.rb CHANGED

@@ -70,10 +70,10 @@ class Brakeman::Report::CodeClimate < Brakeman::Report::Base
   end
   def file_path(warning)
-    fp = Pathname.new(warning.relative_path)
     if tracker.options[:path_prefix]
-      fp = Pathname.new(tracker.options[:path_prefix]) + fp
+      (Pathname.new(tracker.options[:path_prefix]) + Pathname.new(warning.file.relative)).to_s
+    else
+      warning.file
     end
-    fp.to_s
   end
 end

data/lib/brakeman/report/report_hash.rb CHANGED

@@ -11,7 +11,7 @@ class Brakeman::Report::Hash < Brakeman::Report::Base
       report[meth] = self.send(meth)
       report[meth].each do |w|
         w.message = w.format_message
-        w.context = context_for(@app_tree, w).join("\n")
+        w.context = context_for(w).join("\n")
       end
     end

data/lib/brakeman/report/report_html.rb CHANGED

@@ -86,7 +86,7 @@ class Brakeman::Report::HTML < Brakeman::Report::Table
   def convert_ignored_warning warning, original
     warning = convert_warning(warning, original)
-    warning['File'] = original.relative_path
+    warning['File'] = original.file.relative
     warning['Note'] = CGI.escapeHTML(@ignore_filter.note_for(original) || "")
     warning
   end
@@ -113,7 +113,7 @@ class Brakeman::Report::HTML < Brakeman::Report::Table
   #Generate HTML for warnings, including context show/hidden via Javascript
   def with_context warning, message
     @element_id += 1
-    context = context_for(@app_tree, warning)
+    context = context_for(warning)
     message = html_message(warning, message)
     code_id = "context#@element_id"

data/lib/brakeman/report/report_json.rb CHANGED

@@ -37,30 +37,7 @@ class Brakeman::Report::JSON < Brakeman::Report::Base
   def convert_to_hashes warnings
     warnings.map do |w|
-      hash = w.to_hash
-      hash[:render_path] = convert_render_path hash[:render_path]
-      hash[:file] = warning_file w
-      hash
+      w.to_hash(absolute_paths: false)
     end.sort_by { |w| "#{w[:fingerprint]}#{w[:line]}" }
   end
-  def convert_render_path render_path
-    return unless render_path and not @tracker.options[:absolute_paths]
-    render_path.map do |r|
-      r = r.dup
-      if r[:file]
-        r[:file] = relative_path(r[:file])
-      end
-      if r[:rendered] and r[:rendered][:file]
-        r[:rendered] = r[:rendered].dup
-        r[:rendered][:file] = relative_path(r[:rendered][:file])
-      end
-      r
-    end
-  end
 end

data/lib/brakeman/report/report_table.rb CHANGED

@@ -199,10 +199,6 @@ class Brakeman::Report::Table < Brakeman::Report::Base
     end
   end
-  def convert_warning warning, original
-    warning
-  end
   def convert_ignored_warning warning, original
     convert_warning warning, original
   end
@@ -271,4 +267,24 @@ Duration: #{tracker.duration} seconds
 Checks run: #{checks.checks_run.sort.join(", ")}
 HEADER
   end
+  def truncate_table str
+    @terminal_width ||= if @tracker.options[:table_width]
+                          @tracker.options[:table_width]
+                        elsif $stdin && $stdin.tty?
+                          Brakeman.load_brakeman_dependency 'highline'
+                          ::HighLine.default_instance.terminal.terminal_size[0]
+                        else
+                          80
+                        end
+    lines = str.lines
+    lines.map do |line|
+      if line.chomp.length > @terminal_width
+        line[0..(@terminal_width - 3)] + ">>\n"
+      else
+        line
+      end
+    end.join
+  end
 end

data/lib/brakeman/report/report_tabs.rb CHANGED

@@ -10,7 +10,7 @@ class Brakeman::Report::Tabs < Brakeman::Report::Table
       self.send(meth).map do |w|
         line = w.line || 0
         w.warning_type.gsub!(/[^\w\s]/, ' ')
-        "#{warning_file(w, :absolute)}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{TEXT_CONFIDENCE[w.confidence]}"
+        "#{(w.file.absolute)}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{TEXT_CONFIDENCE[w.confidence]}"
       end.join "\n"
     end.join "\n"

data/lib/brakeman/report/report_text.rb CHANGED

@@ -201,8 +201,8 @@ class Brakeman::Report::Text < Brakeman::Report::Base
   # ONLY used for generate_controllers to avoid duplication
   def render_array name, cols, values, locals
-    controllers = values.map do |name, parent, includes, routes|
-      c = [ label("Controller", name) ]
+    controllers = values.map do |controller_name, parent, includes, routes|
+      c = [ label("Controller", controller_name) ]
       c << label("Parent", parent) unless parent.empty?
       c << label("Includes", includes) unless includes.empty?
       c << label("Routes", routes)

data/lib/brakeman/rescanner.rb CHANGED

@@ -13,7 +13,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
   def initialize options, processor, changed_files
     super(options, processor)
-    @paths = changed_files.map {|f| @app_tree.expand_path(f) }
+    @paths = changed_files.map {|f| tracker.app_tree.file_path(f) }
     @old_results = tracker.filtered_warnings  #Old warnings from previous scan
     @changes = nil                 #True if files had to be rescanned
     @reindex = Set.new
@@ -67,7 +67,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
   def rescan_file path, type = nil
     type ||= file_type path
-    unless @app_tree.path_exists?(path)
+    unless path.exists?
       return rescan_deleted_file path, type
     end
@@ -127,14 +127,14 @@ class Brakeman::Rescanner < Brakeman::Scanner
   end
   def rescan_template path
-    return unless path.match KNOWN_TEMPLATE_EXTENSIONS and @app_tree.path_exists?(path)
+    return unless path.relative.match KNOWN_TEMPLATE_EXTENSIONS and path.exists?
     template_name = template_path_to_name(path)
     tracker.reset_template template_name
-    fp = Brakeman::FileParser.new(tracker, @app_tree)
+    fp = Brakeman::FileParser.new(tracker)
     template_parser = Brakeman::TemplateParser.new(tracker, fp)
-    template_parser.parse_template path, @app_tree.read_path(path)
+    template_parser.parse_template path, path.read
     process_template fp.file_list[:templates].first
     @processor.process_template_alias tracker.templates[template_name]
@@ -256,16 +256,13 @@ class Brakeman::Rescanner < Brakeman::Scanner
   end
   def rescan_deleted_template path
-    return unless path.match KNOWN_TEMPLATE_EXTENSIONS
+    return unless path.relative.match KNOWN_TEMPLATE_EXTENSIONS
     template_name = template_path_to_name(path)
     #Remove template
     tracker.reset_template template_name
-    rendered_from_controller = /^#{template_name}\.(.+Controller)#(.+)/
-    rendered_from_view = /^#{template_name}\.Template:(.+)/
     #Remove any rendered versions, or partials rendered from it
     tracker.templates.delete_if do |_name, template|
       template.file == path or template.name.to_sym == template_name.to_sym
@@ -371,7 +368,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
       next unless template.render_path
       if template.render_path.include_any_method? method_names
-        name.to_s.match /^([^.]+)/
+        name.to_s.match(/^([^.]+)/)
         original = tracker.templates[$1.to_sym]
@@ -388,8 +385,8 @@ class Brakeman::Rescanner < Brakeman::Scanner
   end
   def parse_ruby_files list
-    paths = list.select { |path| @app_tree.path_exists? path }
-    file_parser = Brakeman::FileParser.new(tracker, @app_tree)
+    paths = list.select(&:exists?)
+    file_parser = Brakeman::FileParser.new(tracker)
     file_parser.parse_files paths, :rescan
     file_parser.file_list[:rescan]
   end

data/lib/brakeman/scanner.rb CHANGED

@@ -16,7 +16,6 @@ end
 #Scans the Rails application.
 class Brakeman::Scanner
   attr_reader :options
-  RUBY_1_9 = RUBY_VERSION >= "1.9.0"
   #Pass in path to the root of the Rails application
   def initialize options, processor = nil
@@ -66,7 +65,7 @@ class Brakeman::Scanner
   end
   def parse_files
-    fp = Brakeman::FileParser.new tracker, @app_tree
+    fp = Brakeman::FileParser.new tracker
     files = {
       :initializers => @app_tree.initializer_paths,
@@ -95,7 +94,7 @@ class Brakeman::Scanner
   #
   #Stores parsed information in tracker.config
   def process_config
-    if options[:rails3] or options[:rails4] or options[:rails5]
+    if options[:rails3] or options[:rails4] or options[:rails5] or options[:rails6]
       process_config_file "application.rb"
       process_config_file "environments/production.rb"
     else
@@ -111,14 +110,14 @@ class Brakeman::Scanner
     end
     if @app_tree.exists? ".ruby-version"
-      tracker.config.set_ruby_version @app_tree.read ".ruby-version"
+      tracker.config.set_ruby_version @app_tree.file_path(".ruby-version").read
     end
   end
   def process_config_file file
-    path = "config/#{file}"
+    path = @app_tree.file_path("config/#{file}")
-    if @app_tree.exists?(path)
+    if path.exists?
       @processor.process_config(parse_ruby_file(path), path)
     end
@@ -132,16 +131,21 @@ class Brakeman::Scanner
   #Process Gemfile
   def process_gems
     gem_files = {}
     if @app_tree.exists? "Gemfile"
-      gem_files[:gemfile] = { :src => parse_ruby_file("Gemfile"), :file => "Gemfile" }
+      file = @app_tree.file_path("Gemfile")
+      gem_files[:gemfile] = { :src => parse_ruby_file(file), :file => file }
     elsif @app_tree.exists? "gems.rb"
-      gem_files[:gemfile] = { :src => parse_ruby_file("gems.rb"), :file => "gems.rb" }
+      file = @app_tree.file_path("gems.rb")
+      gem_files[:gemfile] = { :src => parse_ruby_file(file), :file => file }
     end
     if @app_tree.exists? "Gemfile.lock"
-      gem_files[:gemlock] = { :src => @app_tree.read("Gemfile.lock"), :file => "Gemfile.lock" }
+      file = @app_tree.file_path("Gemfile.lock")
+      gem_files[:gemlock] = { :src => file.read, :file => file }
     elsif @app_tree.exists? "gems.locked"
-      gem_files[:gemlock] = { :src => @app_tree.read("gems.locked"), :file => "gems.locked" }
+      file = @app_tree.file_path("gems.locked")
+      gem_files[:gemlock] = { :src => file.read, :file => file }
     end
     if @app_tree.gemspec
@@ -215,7 +219,8 @@ class Brakeman::Scanner
   #Adds parsed information to tracker.routes
   def process_routes
     if @app_tree.exists?("config/routes.rb")
-      if routes_sexp = parse_ruby_file("config/routes.rb")
+      file = @app_tree.file_path("config/routes.rb")
+      if routes_sexp = parse_ruby_file(file)
         @processor.process_routes routes_sexp
       else
         Brakeman.notify "[Notice] Error while processing routes - assuming all public controller methods are actions."
@@ -316,9 +321,9 @@ class Brakeman::Scanner
     tracker.index_call_sites
   end
-  def parse_ruby_file path
-    fp = Brakeman::FileParser.new(self.tracker, @app_tree)
-    fp.parse_ruby(@app_tree.read(path), path)
+  def parse_ruby_file file
+    fp = Brakeman::FileParser.new(self.tracker)
+    fp.parse_ruby(file.read, file)
   end
 end