RubyGems - brakeman-lib - Versions diffs - 4.5.0 → 4.7.1 - Mend

brakeman-lib 4.5.0 → 4.7.1

Files changed (91) hide show

checksums.yaml +4 -4
data/CHANGES.md +164 -108
data/README.md +6 -7
data/lib/brakeman.rb +7 -0
data/lib/brakeman/app_tree.rb +34 -22
data/lib/brakeman/call_index.rb +54 -15
data/lib/brakeman/checks.rb +7 -7
data/lib/brakeman/checks/base_check.rb +59 -56
data/lib/brakeman/checks/check_cookie_serialization.rb +22 -0
data/lib/brakeman/checks/check_cross_site_scripting.rb +9 -4
data/lib/brakeman/checks/check_default_routes.rb +5 -0
data/lib/brakeman/checks/check_deserialize.rb +49 -0
data/lib/brakeman/checks/check_dynamic_finders.rb +1 -1
data/lib/brakeman/checks/check_execute.rb +26 -1
data/lib/brakeman/checks/check_file_access.rb +7 -1
data/lib/brakeman/checks/check_force_ssl.rb +27 -0
data/lib/brakeman/checks/check_header_dos.rb +2 -2
data/lib/brakeman/checks/check_i18n_xss.rb +2 -2
data/lib/brakeman/checks/check_jruby_xml.rb +2 -2
data/lib/brakeman/checks/check_json_parsing.rb +7 -2
data/lib/brakeman/checks/check_link_to_href.rb +6 -1
data/lib/brakeman/checks/check_mail_to.rb +1 -1
data/lib/brakeman/checks/check_mime_type_dos.rb +2 -2
data/lib/brakeman/checks/check_model_attr_accessible.rb +1 -1
data/lib/brakeman/checks/check_model_attributes.rb +12 -50
data/lib/brakeman/checks/check_model_serialize.rb +1 -1
data/lib/brakeman/checks/check_nested_attributes_bypass.rb +4 -4
data/lib/brakeman/checks/check_reverse_tabnabbing.rb +58 -0
data/lib/brakeman/checks/check_sanitize_methods.rb +2 -2
data/lib/brakeman/checks/check_secrets.rb +1 -1
data/lib/brakeman/checks/check_session_settings.rb +15 -12
data/lib/brakeman/checks/check_simple_format.rb +5 -0
data/lib/brakeman/checks/check_skip_before_filter.rb +1 -1
data/lib/brakeman/checks/check_sql.rb +15 -17
data/lib/brakeman/checks/check_validation_regex.rb +1 -1
data/lib/brakeman/checks/check_xml_dos.rb +2 -2
data/lib/brakeman/checks/check_yaml_parsing.rb +10 -18
data/lib/brakeman/differ.rb +16 -28
data/lib/brakeman/file_parser.rb +10 -16
data/lib/brakeman/file_path.rb +85 -0
data/lib/brakeman/options.rb +7 -0
data/lib/brakeman/parsers/haml_embedded.rb +1 -1
data/lib/brakeman/parsers/template_parser.rb +6 -4
data/lib/brakeman/processor.rb +4 -5
data/lib/brakeman/processors/alias_processor.rb +27 -7
data/lib/brakeman/processors/base_processor.rb +10 -7
data/lib/brakeman/processors/controller_alias_processor.rb +10 -7
data/lib/brakeman/processors/controller_processor.rb +9 -13
data/lib/brakeman/processors/gem_processor.rb +10 -2
data/lib/brakeman/processors/haml_template_processor.rb +92 -123
data/lib/brakeman/processors/lib/call_conversion_helper.rb +5 -4
data/lib/brakeman/processors/lib/find_all_calls.rb +27 -4
data/lib/brakeman/processors/lib/find_call.rb +3 -64
data/lib/brakeman/processors/lib/module_helper.rb +8 -8
data/lib/brakeman/processors/lib/processor_helper.rb +3 -3
data/lib/brakeman/processors/lib/rails2_config_processor.rb +4 -4
data/lib/brakeman/processors/lib/rails2_route_processor.rb +2 -2
data/lib/brakeman/processors/lib/rails3_config_processor.rb +3 -3
data/lib/brakeman/processors/lib/rails3_route_processor.rb +2 -2
data/lib/brakeman/processors/lib/render_helper.rb +2 -2
data/lib/brakeman/processors/lib/render_path.rb +18 -1
data/lib/brakeman/processors/library_processor.rb +5 -5
data/lib/brakeman/processors/model_processor.rb +4 -5
data/lib/brakeman/processors/output_processor.rb +5 -0
data/lib/brakeman/processors/template_alias_processor.rb +32 -5
data/lib/brakeman/processors/template_processor.rb +14 -10
data/lib/brakeman/report.rb +3 -3
data/lib/brakeman/report/ignore/config.rb +2 -3
data/lib/brakeman/report/ignore/interactive.rb +2 -2
data/lib/brakeman/report/pager.rb +1 -0
data/lib/brakeman/report/report_base.rb +51 -6
data/lib/brakeman/report/report_codeclimate.rb +3 -3
data/lib/brakeman/report/report_hash.rb +1 -1
data/lib/brakeman/report/report_html.rb +2 -2
data/lib/brakeman/report/report_json.rb +1 -24
data/lib/brakeman/report/report_table.rb +20 -4
data/lib/brakeman/report/report_tabs.rb +1 -1
data/lib/brakeman/report/report_text.rb +6 -7
data/lib/brakeman/rescanner.rb +13 -12
data/lib/brakeman/scanner.rb +19 -14
data/lib/brakeman/tracker.rb +30 -6
data/lib/brakeman/tracker/collection.rb +4 -3
data/lib/brakeman/tracker/config.rb +44 -73
data/lib/brakeman/tracker/constants.rb +2 -1
data/lib/brakeman/util.rb +1 -147
data/lib/brakeman/version.rb +1 -1
data/lib/brakeman/warning.rb +27 -13
data/lib/brakeman/warning_codes.rb +4 -0
data/lib/ruby_parser/bm_sexp.rb +7 -2
data/lib/ruby_parser/bm_sexp_processor.rb +1 -0
metadata +27 -22

data/lib/brakeman/processors/lib/module_helper.rb CHANGED Viewed

@@ -13,9 +13,9 @@ module Brakeman::ModuleHelper
     if @tracker.libs[name]
       @current_module = @tracker.libs[name]
-      @current_module.add_file @file_name, exp
+      @current_module.add_file @current_file, exp
     else
-      @current_module = tracker_class.new name, parent, @file_name, exp, @tracker
+      @current_module = tracker_class.new name, parent, @current_file, exp, @tracker
       @tracker.libs[name] = @current_module
     end
@@ -45,9 +45,9 @@ module Brakeman::ModuleHelper
     if collection[name]
       @current_class = collection[name]
-      @current_class.add_file @file_name, exp
+      @current_class.add_file @current_file, exp
     else
-      @current_class = tracker_class.new name, parent, @file_name, exp, @tracker
+      @current_class = tracker_class.new name, parent, @current_file, exp, @tracker
       collection[name] = @current_class
     end
@@ -85,9 +85,9 @@ module Brakeman::ModuleHelper
     @current_method = nil
     if @current_class
-      @current_class.add_method @visibility, name, res, @file_name
+      @current_class.add_method @visibility, name, res, @current_file
     elsif @current_module
-      @current_module.add_method @visibility, name, res, @file_name
+      @current_module.add_method @visibility, name, res, @current_file
     end
     res
   end
@@ -101,9 +101,9 @@ module Brakeman::ModuleHelper
     @current_method = nil
     if @current_class
-      @current_class.add_method @visibility, name, res, @file_name
+      @current_class.add_method @visibility, name, res, @current_file
     elsif @current_module
-      @current_module.add_method @visibility, name, res, @file_name
+      @current_module.add_method @visibility, name, res, @current_file
     end
     res

data/lib/brakeman/processors/lib/processor_helper.rb CHANGED Viewed

@@ -73,10 +73,10 @@ module Brakeman::ProcessorHelper
     end
   end
-  def current_file_name
+  def current_file
     case
-    when @file_name
-      @file_name
+    when @current_file
+      @current_file
     when @current_class.is_a?(Brakeman::Collection)
       @current_class.file
     when @current_module.is_a?(Brakeman::Collection)

data/lib/brakeman/processors/lib/rails2_config_processor.rb CHANGED Viewed

@@ -27,9 +27,9 @@ class Brakeman::Rails2ConfigProcessor < Brakeman::BasicProcessor
   end
   #Use this method to process configuration file
-  def process_config src, file_name
-    @file_name = file_name
-    res = Brakeman::ConfigAliasProcessor.new.process_safely(src, nil, file_name)
+  def process_config src, current_file
+    @current_file = current_file
+    res = Brakeman::ConfigAliasProcessor.new.process_safely(src, nil, current_file)
     process res
   end
@@ -75,7 +75,7 @@ class Brakeman::Rails2ConfigProcessor < Brakeman::BasicProcessor
   def process_cdecl exp
     #Set Rails version required
     if exp.lhs == :RAILS_GEM_VERSION
-      @tracker.config.rails_version = exp.rhs.value
+      @tracker.config.set_rails_version exp.rhs.value
     end
     exp

data/lib/brakeman/processors/lib/rails2_route_processor.rb CHANGED Viewed

@@ -16,7 +16,7 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BasicProcessor
     @prefix = [] #Controller name prefix (a module name, usually)
     @current_controller = nil
     @with_options = nil #For use inside map.with_options
-    @file_name = "config/routes.rb"
+    @current_file = "config/routes.rb"
   end
   #Call this with parsed route file information.
@@ -24,7 +24,7 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BasicProcessor
   #This method first calls RouteAliasProcessor#process_safely on the +exp+,
   #so it does not modify the +exp+.
   def process_routes exp
-    process Brakeman::RouteAliasProcessor.new.process_safely(exp, nil, @file_name)
+    process Brakeman::RouteAliasProcessor.new.process_safely(exp, nil, @current_file)
   end
   #Looking for mapping of routes

data/lib/brakeman/processors/lib/rails3_config_processor.rb CHANGED Viewed

@@ -24,9 +24,9 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
   end
   #Use this method to process configuration file
-  def process_config src, file_name
-    @file_name = file_name
-    res = Brakeman::AliasProcessor.new(@tracker).process_safely(src, nil, @file_name)
+  def process_config src, current_file
+    @current_file = current_file
+    res = Brakeman::AliasProcessor.new(@tracker).process_safely(src, nil, @current_file)
     process res
   end

data/lib/brakeman/processors/lib/rails3_route_processor.rb CHANGED Viewed

@@ -17,11 +17,11 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BasicProcessor
     @current_controller = nil
     @with_options = nil #For use inside map.with_options
     @controller_block = false
-    @file_name = "config/routes.rb"
+    @current_file = "config/routes.rb"
   end
   def process_routes exp
-    process Brakeman::AliasProcessor.new.process_safely(exp, nil, @file_name)
+    process Brakeman::AliasProcessor.new.process_safely(exp, nil, @current_file)
   end
   def process_call exp

data/lib/brakeman/processors/lib/render_helper.rb CHANGED Viewed

@@ -36,7 +36,7 @@ module Brakeman::RenderHelper
   #Determines file name for partial and then processes it
   def process_partial name, args, line
-    if name == "" or !(string? name or symbol? name)
+    if !(string? name or symbol? name) or name.value == ""
       return
     end
@@ -148,7 +148,7 @@ module Brakeman::RenderHelper
       #This information will be stored in tracker.templates, but with a name
       #specifying this particular route. The original source should remain
       #pristine (so it can be processed within other environments).
-      @tracker.processor.process_template name, src, template.type, called_from
+      @tracker.processor.process_template name, src, template.type, called_from, template.file
     end
   end

data/lib/brakeman/processors/lib/render_path.rb CHANGED Viewed

@@ -83,7 +83,7 @@ module Brakeman
     end
     def map &block
-      @path.map &block
+      @path.map(&block)
     end
     def to_a
@@ -114,6 +114,23 @@ module Brakeman
       JSON.generate(@path)
     end
+    def with_relative_paths
+      @path.map do |loc|
+        r = loc.dup
+        if r[:file]
+          r[:file] = r[:file].relative
+        end
+        if r[:rendered] and r[:rendered][:file]
+          r[:rendered] = r[:rendered].dup
+          r[:rendered][:file] = r[:rendered][:file].relative
+        end
+        r
+      end
+    end
     def initialize_copy original
       @path = original.path.dup
       self

data/lib/brakeman/processors/library_processor.rb CHANGED Viewed

@@ -9,15 +9,15 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
   def initialize tracker
     super
-    @file_name = nil
+    @current_file = nil
     @alias_processor = Brakeman::AliasProcessor.new tracker
     @current_module = nil
     @current_class = nil
     @initializer_env = nil
   end
-  def process_library src, file_name = nil
-    @file_name = file_name
+  def process_library src, current_file = @current_file
+    @current_file = current_file
     process src
   end
@@ -41,10 +41,10 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
     if @current_class
       exp.body = process_all! exp.body
-      @current_class.add_method :public, exp.method_name, exp, @file_name
+      @current_class.add_method :public, exp.method_name, exp, @current_file
     elsif @current_module
       exp.body = process_all! exp.body
-      @current_module.add_method :public, exp.method_name, exp, @file_name
+      @current_module.add_method :public, exp.method_name, exp, @current_file
     end
     exp

data/lib/brakeman/processors/model_processor.rb CHANGED Viewed

@@ -12,24 +12,23 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
     @current_method = nil
     @current_module = nil
     @visibility = :public
-    @file_name = nil
+    @current_file = nil
   end
   #Process model source
-  def process_model src, file_name = nil
-    @file_name = file_name
+  def process_model src, current_file = @current_file
+    @current_file = current_file
     process src
   end
   #s(:class, NAME, PARENT, BODY)
   def process_class exp
     name = class_name(exp.class_name)
-    parent = class_name(exp.parent_name)
     #If inside an inner class we treat it as a library.
     if @current_class
       Brakeman.debug "[Notice] Treating inner class as library: #{name}"
-      Brakeman::LibraryProcessor.new(@tracker).process_library exp, @file_name
+      Brakeman::LibraryProcessor.new(@tracker).process_library exp, @current_file
       return exp
     end

data/lib/brakeman/processors/output_processor.rb CHANGED Viewed

@@ -8,6 +8,11 @@ require 'brakeman/util'
 class Brakeman::OutputProcessor < Ruby2Ruby
   include Brakeman::Util
+  def initialize *args
+    super
+    @user_input = nil
+  end
   #Copies +exp+ and then formats it.
   def format exp, user_input = nil, &block
     @user_input = user_input

data/lib/brakeman/processors/template_alias_processor.rb CHANGED Viewed

@@ -14,25 +14,52 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
   def initialize tracker, template, called_from = nil
     super tracker
     @template = template
+    @current_file = template.file
     @called_from = called_from
   end
   #Process template
-  def process_template name, args, _, line = nil, file_name = nil
-    @file_name = file_name || relative_path(@template.file || @tracker.templates[@template.name])
+  def process_template name, args, _, line = nil
     if @called_from
       if @called_from.include_template? name
         Brakeman.debug "Skipping circular render from #{@template.name} to #{name}"
         return
       end
-      super name, args, @called_from.dup.add_template_render(@template.name, line, @file_name), line
+      super name, args, @called_from.dup.add_template_render(@template.name, line, @current_file), line
+    else
+      super name, args, Brakeman::RenderPath.new.add_template_render(@template.name, line, @current_file), line
+    end
+  end
+  def process_lasgn exp
+    if exp.lhs == :haml_temp or haml_capture? exp.rhs
+      exp.rhs = process exp.rhs
+      # Avoid propagating contents of block
+      if node_type? exp.rhs, :iter
+        new_exp = exp.dup
+        new_exp.rhs = exp.rhs.block_call
+        super new_exp
+        exp # Still save the original, though
+      else
+        super exp
+      end
     else
-      super name, args, Brakeman::RenderPath.new.add_template_render(@template.name, line, @file_name), line
+      super exp
     end
   end
+  HAML_CAPTURE = [:capture, :capture_haml]
+  def haml_capture? exp
+    node_type? exp, :iter and
+      call? exp.block_call and
+      HAML_CAPTURE.include? exp.block_call.method
+  end
   #Determine template name
   def template_name name
     if !name.to_s.include?('/') && @template.name.to_s.include?('/')

data/lib/brakeman/processors/template_processor.rb CHANGED Viewed

@@ -5,10 +5,10 @@ require 'brakeman/tracker/template'
 class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
   #Initializes template information.
-  def initialize tracker, template_name, called_from = nil, file_name = nil
-    super(tracker)
-    @current_template = Brakeman::Template.new template_name, called_from, file_name, tracker
-    @file_name = file_name
+  def initialize tracker, template_name, called_from = nil, current_file = nil
+    super(tracker)
+    @current_template = Brakeman::Template.new template_name, called_from, current_file, tracker
+    @current_file = @current_template.file
     if called_from
       template_name = (template_name.to_s + "." + called_from.to_s).to_sym
@@ -61,9 +61,9 @@ class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
       branches = [arg.then_clause, arg.else_clause].compact
       if branches.empty?
-        s(:nil)
+        s(:nil).line(arg.line)
       elsif branches.length == 2
-        Sexp.new(:or, *branches)
+        Sexp.new(:or, *branches).line(arg.line)
       else
         branches.first
       end
@@ -77,9 +77,13 @@ class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
   end
   def add_output output, type = :output
-    s = Sexp.new(type, output)
-    s.line(output.line)
-    @current_template.add_output s
-    s
+    if node_type? output, :or
+      Sexp.new(:or, add_output(output.lhs, type), add_output(output.rhs, type)).line(output.line)
+    else
+      s = Sexp.new(type, output)
+      s.line(output.line)
+      @current_template.add_output s
+      s
+    end
   end
 end

data/lib/brakeman/report.rb CHANGED Viewed

@@ -8,8 +8,8 @@ class Brakeman::Report
   VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain, :to_text]
-  def initialize app_tree, tracker
-    @app_tree = app_tree
+  def initialize tracker
+    @app_tree = tracker.app_tree
     @tracker = tracker
   end
@@ -83,6 +83,6 @@ class Brakeman::Report
   alias to_s to_text
   def generate reporter
-    reporter.new(@app_tree, @tracker).generate_report
+    reporter.new(@tracker).generate_report
   end
 end

data/lib/brakeman/report/ignore/config.rb CHANGED Viewed

@@ -22,6 +22,7 @@ module Brakeman
     def filter_ignored
       @shown_warnings = []
       @ignored_warnings = []
+      @used_fingerprints = Set.new
       @new_warnings.each do |w|
         if ignored? w
@@ -112,9 +113,7 @@ module Brakeman
     def save_to_file warnings, file = @file
       warnings = warnings.map do |w|
         if w.is_a? Warning
-          w_hash = w.to_hash
-          w_hash[:file] = w.relative_path
-          w = w_hash
+          w = w.to_hash(absolute_paths: false)
         end
         w[:note] = @notes[w[:fingerprint]] || ""

data/lib/brakeman/report/ignore/interactive.rb CHANGED Viewed

@@ -280,9 +280,9 @@ q - Quit, do not update ignored warnings
         say warning.format_code
       end
-      if warning.relative_path
+      if warning.file
         label "File"
-        say warning.relative_path
+        say warning.file.relative
       end
       if warning.line

data/lib/brakeman/report/pager.rb CHANGED Viewed

@@ -4,6 +4,7 @@ module Brakeman
       @tracker = tracker
       @pager = pager
       @output = output
+      @less_available = @less_options = nil
     end
     def page_report report, format

data/lib/brakeman/report/report_base.rb CHANGED Viewed

@@ -13,8 +13,8 @@ class Brakeman::Report::Base
   TEXT_CONFIDENCE = Brakeman::Warning::TEXT_CONFIDENCE
-  def initialize app_tree, tracker
-    @app_tree = app_tree
+  def initialize tracker
+    @app_tree = tracker.app_tree
     @tracker = tracker
     @checks = tracker.checks
     @ignore_filter = tracker.ignored_filter
@@ -123,16 +123,52 @@ class Brakeman::Report::Base
     Set.new(tracker.templates.map {|k,v| v.name.to_s[/[^.]+/]}).length
   end
-  def warning_file warning, absolute = @tracker.options[:absolute_paths]
+  def absolute_paths?
+    @tracker.options[:absolute_paths]
+  end
+  def warning_file warning
     return nil if warning.file.nil?
-    if absolute
-      warning.file
+    if absolute_paths?
+      warning.file.absolute
     else
-      relative_path warning.file
+      warning.file.relative
     end
   end
+  #Return array of lines surrounding the warning location from the original
+  #file.
+  def context_for warning
+    file = warning.file
+    context = []
+    return context unless warning.line and file and file.exists?
+    current_line = 0
+    start_line = warning.line - 5
+    end_line = warning.line + 5
+    start_line = 1 if start_line < 0
+    File.open file do |f|
+      f.each_line do |line|
+        current_line += 1
+        next if line.strip == ""
+        if current_line > end_line
+          break
+        end
+        if current_line >= start_line
+          context << [current_line, line]
+        end
+      end
+    end
+    context
+  end
   def rails_version
     case
     when tracker.config.rails_version
@@ -145,4 +181,13 @@ class Brakeman::Report::Base
       "Unknown"
     end
   end
+  def github_url file, line=nil
+    if repo_url = @tracker.options[:github_url] and file
+      url = "#{repo_url}/#{file.relative}"
+      url << "#L#{line}" if line
+    else
+      nil
+    end
+  end
 end