brakeman-lib 4.5.0 → 4.5.1

data/lib/brakeman/tracker.rb

@@ -12,7 +12,7 @@ class Brakeman::Tracker
   attr_accessor :controllers, :constants, :templates, :models, :errors,
     :checks, :initializers, :config, :routes, :processor, :libs,
     :template_cache, :options, :filter_cache, :start_time, :end_time,
-    :duration, :ignored_filter
+    :duration, :ignored_filter, :app_tree
 
   #Place holder when there should be a model, but it is not
   #clear what model it will be.
@@ -34,7 +34,7 @@ class Brakeman::Tracker
     #we can match models later without knowing precisely what
     #class they are.
     @models = {}
-    @models[UNKNOWN_MODEL] = Brakeman::Model.new(UNKNOWN_MODEL, nil, nil, nil, self)
+    @models[UNKNOWN_MODEL] = Brakeman::Model.new(UNKNOWN_MODEL, nil, @app_tree.file_path("NOT_REAL.rb"), nil, self)
     @routes = {}
     @initializers = {}
     @errors = []
@@ -71,7 +71,7 @@ class Brakeman::Tracker
   #Run a set of checks on the current information. Results will be stored
   #in Tracker#checks.
   def run_checks
-    @checks = Brakeman::Checks.run_checks(@app_tree, self)
+    @checks = Brakeman::Checks.run_checks(self)
 
     @end_time = Time.now
     @duration = @end_time - @start_time
@@ -172,7 +172,7 @@ class Brakeman::Tracker
 
   #Returns a Report with this Tracker's information
   def report
-    Brakeman::Report.new(@app_tree, self)
+    Brakeman::Report.new(self)
   end
 
   def warnings

data/lib/brakeman/tracker/collection.rb

@@ -9,13 +9,14 @@ module Brakeman
     def initialize name, parent, file_name, src, tracker
       @name = name
       @parent = parent
-      @file_name = file_name
-      @files = [ file_name ]
-      @src = { file_name => src }
+      @files = []
+      @src = {}
       @includes = []
       @methods = { :public => {}, :private => {}, :protected => {} }
       @options = {}
       @tracker = tracker
+
+      add_file file_name, src
     end
 
     def ancestor? parent, seen={}

data/lib/brakeman/tracker/config.rb

@@ -97,6 +97,12 @@ module Brakeman
             tracker.options[:rails4] = true
             tracker.options[:rails5] = true
             Brakeman.notify "[Notice] Detected Rails 5 application"
+          elsif @rails_version.start_with? "6"
+            tracker.options[:rails3] = true
+            tracker.options[:rails4] = true
+            tracker.options[:rails5] = true
+            tracker.options[:rails6] = true
+            Brakeman.notify "[Notice] Detected Rails 6 application"
           end
         end
       end

data/lib/brakeman/util.rb

@@ -346,158 +346,12 @@ module Brakeman::Util
     @tracker.config.rails_version
   end
 
-  #Return file name related to given warning. Uses +warning.file+ if it exists
-  def file_for warning, tracker = nil
-    if tracker.nil?
-      tracker = @tracker || self.tracker
-    end
-
-    if warning.file
-      File.expand_path warning.file, tracker.app_path
-    elsif warning.template and warning.template.file
-      warning.template.file
-    else
-      case warning.warning_set
-      when :controller
-        file_by_name warning.controller, :controller, tracker
-      when :template
-        file_by_name warning.template.name, :template, tracker
-      when :model
-        file_by_name warning.model, :model, tracker
-      when :warning
-        file_by_name warning.class, nil, tracker
-      else
-        nil
-      end
-    end
-  end
-
-  #Attempt to determine path to context file based on the reported name
-  #in the warning.
-  #
-  #For example,
-  #
-  #  file_by_name FileController #=> "/rails/root/app/controllers/file_controller.rb
-  def file_by_name name, type, tracker = nil
-    return nil unless name
-    string_name = name.to_s
-    name = name.to_sym
-
-    unless type
-      if string_name =~ /Controller$/
-        type = :controller
-      elsif camelize(string_name) == string_name # This is not always true
-        type = :model
-      else
-        type = :template
-      end
-    end
-
-    path = tracker.app_path
-
-    case type
-    when :controller
-      if tracker.controllers[name]
-        path = tracker.controllers[name].file
-      else
-        path += "/app/controllers/#{underscore(string_name)}.rb"
-      end
-    when :model
-      if tracker.models[name]
-        path = tracker.models[name].file
-      else
-        path += "/app/models/#{underscore(string_name)}.rb"
-      end
-    when :template
-      if tracker.templates[name] and tracker.templates[name].file
-        path = tracker.templates[name].file
-      elsif string_name.include? " "
-        name = string_name.split[0].to_sym
-        path = file_for tracker, name, :template
-      else
-        path = nil
-      end
-    end
-
-    path
-  end
-
-  #Return array of lines surrounding the warning location from the original
-  #file.
-  def context_for app_tree, warning, tracker = nil
-    file = file_for warning, tracker
-    context = []
-    return context unless warning.line and file and @app_tree.path_exists? file
-
-    current_line = 0
-    start_line = warning.line - 5
-    end_line = warning.line + 5
-
-    start_line = 1 if start_line < 0
-
-    File.open file do |f|
-      f.each_line do |line|
-        current_line += 1
-
-        next if line.strip == ""
-
-        if current_line > end_line
-          break
-        end
-
-        if current_line >= start_line
-          context << [current_line, line]
-        end
-      end
-    end
-
-    context
-  end
-
-  def relative_path file
-    pname = Pathname.new file
-    if file and not file.empty? and pname.absolute?
-      pname.relative_path_from(Pathname.new(@tracker.app_path)).to_s
-    else
-      file
-    end
-  end
-
   #Convert path/filename to view name
   #
   # views/test/something.html.erb -> test/something
   def template_path_to_name path
-    names = path.split("/")
+    names = path.relative.split("/")
     names.last.gsub!(/(\.(html|js)\..*|\.(rhtml|haml|erb|slim))$/, '')
     names[(names.index("views") + 1)..-1].join("/").to_sym
   end
-
-  def github_url file, line=nil
-    if repo_url = @tracker.options[:github_url] and file and not file.empty? and file.start_with? '/'
-      url = "#{repo_url}/#{relative_path(file)}"
-      url << "#L#{line}" if line
-    else
-      nil
-    end
-  end
-
-  def truncate_table str
-    @terminal_width ||= if @tracker.options[:table_width]
-                          @tracker.options[:table_width]
-                        elsif $stdin && $stdin.tty?
-                          Brakeman.load_brakeman_dependency 'highline'
-                          ::HighLine.new.terminal_size[0]
-                        else
-                          80
-                        end
-    lines = str.lines
-
-    lines.map do |line|
-      if line.chomp.length > @terminal_width
-        line[0..(@terminal_width - 3)] + ">>\n"
-      else
-        line
-      end
-    end.join
-  end
 end

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "4.5.0"
+  Version = "4.5.1"
 end

data/lib/brakeman/warning.rb

@@ -9,7 +9,7 @@ class Brakeman::Warning
     :line, :method, :model, :template, :user_input, :user_input_type,
     :warning_code, :warning_set, :warning_type
 
-  attr_accessor :code, :context, :file, :message, :relative_path
+  attr_accessor :code, :context, :file, :message
 
   TEXT_CONFIDENCE = {
     0 => "High",
@@ -34,11 +34,11 @@ class Brakeman::Warning
     :file => :@file,
     :gem_info => :@gem_info,
     :line => :@line,
+    :link => :@link,
     :link_path => :@link_path,
     :message => :@message,
     :method => :@method,
     :model => :@model,
-    :relative_path => :@relative_path,
     :template => :@template,
     :user_input => :@user_input,
     :warning_set => :@warning_set,
@@ -100,9 +100,11 @@ class Brakeman::Warning
     unless @warning_set
       if self.model
         @warning_set = :model
+        @file ||= self.model.file
       elsif self.template
         @warning_set = :template
         @called_from = self.template.render_path
+        @file ||= self.template.file
       elsif self.controller
         @warning_set = :controller
       else
@@ -112,6 +114,8 @@ class Brakeman::Warning
 
     if options[:warning_code]
       @warning_code = Brakeman::WarningCodes.code options[:warning_code]
+    else
+      @warning_code = nil
     end
 
     Brakeman.debug("Warning created without warning code: #{options[:warning_code]}") unless @warning_code
@@ -221,7 +225,7 @@ class Brakeman::Warning
     when :template
       @row["Template"] = self.view_name.to_s
     when :model
-      @row["Model"] = self.model.to_s
+      @row["Model"] = self.model.name.to_s
     when :controller
       @row["Controller"] = self.controller.to_s
     when :warning
@@ -235,7 +239,7 @@ class Brakeman::Warning
   def to_s
    output =  "(#{TEXT_CONFIDENCE[self.confidence]}) #{self.warning_type} - #{self.message}"
    output << " near line #{self.line}" if self.line
-   output << " in #{self.file}" if self.file
+   output << " in #{self.file.relative}" if self.file
    output << ": #{self.format_code}" if self.code
 
    output
@@ -247,37 +251,43 @@ class Brakeman::Warning
     warning_code_string = sprintf("%03d", @warning_code)
     code_string = @code.inspect
 
-    Digest::SHA2.new(256).update("#{warning_code_string}#{code_string}#{location_string}#{@relative_path}#{self.confidence}").to_s
+    Digest::SHA2.new(256).update("#{warning_code_string}#{code_string}#{location_string}#{self.file.relative}#{self.confidence}").to_s
   end
 
   def location include_renderer = true
     case @warning_set
     when :template
-      location = { :type => :template, :template => self.view_name(include_renderer) }
+      { :type => :template, :template => self.view_name(include_renderer) }
     when :model
-      location = { :type => :model, :model => self.model }
+      { :type => :model, :model => self.model.name }
     when :controller
-      location = { :type => :controller, :controller => self.controller }
+      { :type => :controller, :controller => self.controller }
     when :warning
       if self.class
-        location = { :type => :method, :class => self.class, :method => self.method }
+        { :type => :method, :class => self.class, :method => self.method }
       else
-        location = nil
+        nil
       end
     end
   end
 
-  def to_hash
+  def to_hash absolute_paths: true
+    if self.called_from and not absolute_paths
+      render_path = self.called_from.with_relative_paths
+    else
+      render_path = self.called_from
+    end
+
     { :warning_type => self.warning_type,
       :warning_code => @warning_code,
       :fingerprint => self.fingerprint,
       :check_name => self.check.gsub(/^Brakeman::Check/, ''),
       :message => self.message.to_s,
-      :file => self.file,
+      :file => (absolute_paths ? self.file.absolute : self.file.relative),
       :line => self.line,
       :link => self.link,
       :code => (@code && self.format_code(false)),
-      :render_path => self.called_from,
+      :render_path => render_path,
       :location => self.location(false),
       :user_input => (@user_input && self.format_user_input(false)),
       :confidence => TEXT_CONFIDENCE[self.confidence]

data/lib/brakeman/warning_codes.rb

@@ -110,6 +110,7 @@ module Brakeman::WarningCodes
     :CVE_2018_8048 => 106,
     :CVE_2018_3741 => 107,
     :CVE_2018_3760 => 108,
+    :force_ssl_disabled => 109,
   }
 
   def self.code name

data/lib/ruby_parser/bm_sexp_processor.rb

@@ -45,6 +45,7 @@ class Brakeman::SexpProcessor
     @expected            = Sexp
     @processors = self.class.processors
     @context    = []
+    @current_class = @current_module = @current_method = @visibility = nil
 
     if @processors.empty?
       public_methods.each do |name|

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 4.5.0
+  version: 4.5.1
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2019-03-16 00:00:00.000000000 Z
+date: 2019-05-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -39,6 +39,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: ruby_parser
   requirement: !ruby/object:Gem::Requirement
@@ -127,20 +141,14 @@ dependencies:
   name: highline
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.6.20
-    - - "<"
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.6.20
-    - - "<"
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
 - !ruby/object:Gem::Dependency
@@ -232,6 +240,7 @@ files:
 - lib/brakeman/checks/check_file_access.rb
 - lib/brakeman/checks/check_file_disclosure.rb
 - lib/brakeman/checks/check_filter_skipping.rb
+- lib/brakeman/checks/check_force_ssl.rb
 - lib/brakeman/checks/check_forgery_setting.rb
 - lib/brakeman/checks/check_header_dos.rb
 - lib/brakeman/checks/check_i18n_xss.rb
@@ -289,6 +298,7 @@ files:
 - lib/brakeman/commandline.rb
 - lib/brakeman/differ.rb
 - lib/brakeman/file_parser.rb
+- lib/brakeman/file_path.rb
 - lib/brakeman/format/style.css
 - lib/brakeman/messages.rb
 - lib/brakeman/options.rb