RubyGems - brakeman-lib - Versions diffs - 4.5.0 → 4.7.1 - Mend

brakeman-lib 4.5.0 → 4.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (91) hide show

checksums.yaml +4 -4
data/CHANGES.md +164 -108
data/README.md +6 -7
data/lib/brakeman.rb +7 -0
data/lib/brakeman/app_tree.rb +34 -22
data/lib/brakeman/call_index.rb +54 -15
data/lib/brakeman/checks.rb +7 -7
data/lib/brakeman/checks/base_check.rb +59 -56
data/lib/brakeman/checks/check_cookie_serialization.rb +22 -0
data/lib/brakeman/checks/check_cross_site_scripting.rb +9 -4
data/lib/brakeman/checks/check_default_routes.rb +5 -0
data/lib/brakeman/checks/check_deserialize.rb +49 -0
data/lib/brakeman/checks/check_dynamic_finders.rb +1 -1
data/lib/brakeman/checks/check_execute.rb +26 -1
data/lib/brakeman/checks/check_file_access.rb +7 -1
data/lib/brakeman/checks/check_force_ssl.rb +27 -0
data/lib/brakeman/checks/check_header_dos.rb +2 -2
data/lib/brakeman/checks/check_i18n_xss.rb +2 -2
data/lib/brakeman/checks/check_jruby_xml.rb +2 -2
data/lib/brakeman/checks/check_json_parsing.rb +7 -2
data/lib/brakeman/checks/check_link_to_href.rb +6 -1
data/lib/brakeman/checks/check_mail_to.rb +1 -1
data/lib/brakeman/checks/check_mime_type_dos.rb +2 -2
data/lib/brakeman/checks/check_model_attr_accessible.rb +1 -1
data/lib/brakeman/checks/check_model_attributes.rb +12 -50
data/lib/brakeman/checks/check_model_serialize.rb +1 -1
data/lib/brakeman/checks/check_nested_attributes_bypass.rb +4 -4
data/lib/brakeman/checks/check_reverse_tabnabbing.rb +58 -0
data/lib/brakeman/checks/check_sanitize_methods.rb +2 -2
data/lib/brakeman/checks/check_secrets.rb +1 -1
data/lib/brakeman/checks/check_session_settings.rb +15 -12
data/lib/brakeman/checks/check_simple_format.rb +5 -0
data/lib/brakeman/checks/check_skip_before_filter.rb +1 -1
data/lib/brakeman/checks/check_sql.rb +15 -17
data/lib/brakeman/checks/check_validation_regex.rb +1 -1
data/lib/brakeman/checks/check_xml_dos.rb +2 -2
data/lib/brakeman/checks/check_yaml_parsing.rb +10 -18
data/lib/brakeman/differ.rb +16 -28
data/lib/brakeman/file_parser.rb +10 -16
data/lib/brakeman/file_path.rb +85 -0
data/lib/brakeman/options.rb +7 -0
data/lib/brakeman/parsers/haml_embedded.rb +1 -1
data/lib/brakeman/parsers/template_parser.rb +6 -4
data/lib/brakeman/processor.rb +4 -5
data/lib/brakeman/processors/alias_processor.rb +27 -7
data/lib/brakeman/processors/base_processor.rb +10 -7
data/lib/brakeman/processors/controller_alias_processor.rb +10 -7
data/lib/brakeman/processors/controller_processor.rb +9 -13
data/lib/brakeman/processors/gem_processor.rb +10 -2
data/lib/brakeman/processors/haml_template_processor.rb +92 -123
data/lib/brakeman/processors/lib/call_conversion_helper.rb +5 -4
data/lib/brakeman/processors/lib/find_all_calls.rb +27 -4
data/lib/brakeman/processors/lib/find_call.rb +3 -64
data/lib/brakeman/processors/lib/module_helper.rb +8 -8
data/lib/brakeman/processors/lib/processor_helper.rb +3 -3
data/lib/brakeman/processors/lib/rails2_config_processor.rb +4 -4
data/lib/brakeman/processors/lib/rails2_route_processor.rb +2 -2
data/lib/brakeman/processors/lib/rails3_config_processor.rb +3 -3
data/lib/brakeman/processors/lib/rails3_route_processor.rb +2 -2
data/lib/brakeman/processors/lib/render_helper.rb +2 -2
data/lib/brakeman/processors/lib/render_path.rb +18 -1
data/lib/brakeman/processors/library_processor.rb +5 -5
data/lib/brakeman/processors/model_processor.rb +4 -5
data/lib/brakeman/processors/output_processor.rb +5 -0
data/lib/brakeman/processors/template_alias_processor.rb +32 -5
data/lib/brakeman/processors/template_processor.rb +14 -10
data/lib/brakeman/report.rb +3 -3
data/lib/brakeman/report/ignore/config.rb +2 -3
data/lib/brakeman/report/ignore/interactive.rb +2 -2
data/lib/brakeman/report/pager.rb +1 -0
data/lib/brakeman/report/report_base.rb +51 -6
data/lib/brakeman/report/report_codeclimate.rb +3 -3
data/lib/brakeman/report/report_hash.rb +1 -1
data/lib/brakeman/report/report_html.rb +2 -2
data/lib/brakeman/report/report_json.rb +1 -24
data/lib/brakeman/report/report_table.rb +20 -4
data/lib/brakeman/report/report_tabs.rb +1 -1
data/lib/brakeman/report/report_text.rb +6 -7
data/lib/brakeman/rescanner.rb +13 -12
data/lib/brakeman/scanner.rb +19 -14
data/lib/brakeman/tracker.rb +30 -6
data/lib/brakeman/tracker/collection.rb +4 -3
data/lib/brakeman/tracker/config.rb +44 -73
data/lib/brakeman/tracker/constants.rb +2 -1
data/lib/brakeman/util.rb +1 -147
data/lib/brakeman/version.rb +1 -1
data/lib/brakeman/warning.rb +27 -13
data/lib/brakeman/warning_codes.rb +4 -0
data/lib/ruby_parser/bm_sexp.rb +7 -2
data/lib/ruby_parser/bm_sexp_processor.rb +1 -0
metadata +27 -22

data/lib/brakeman/processors/lib/module_helper.rb CHANGED Viewed

@@ -13,9 +13,9 @@ module Brakeman::ModuleHelper
     if @tracker.libs[name]
       @current_module = @tracker.libs[name]
-      @current_module.add_file @file_name, exp
+      @current_module.add_file @current_file, exp
     else
-      @current_module = tracker_class.new name, parent, @file_name, exp, @tracker
+      @current_module = tracker_class.new name, parent, @current_file, exp, @tracker
       @tracker.libs[name] = @current_module
     end
@@ -45,9 +45,9 @@ module Brakeman::ModuleHelper
     if collection[name]
       @current_class = collection[name]
-      @current_class.add_file @file_name, exp
+      @current_class.add_file @current_file, exp
     else
-      @current_class = tracker_class.new name, parent, @file_name, exp, @tracker
+      @current_class = tracker_class.new name, parent, @current_file, exp, @tracker
       collection[name] = @current_class
     end
@@ -85,9 +85,9 @@ module Brakeman::ModuleHelper
     @current_method = nil
     if @current_class
-      @current_class.add_method @visibility, name, res, @file_name
+      @current_class.add_method @visibility, name, res, @current_file
     elsif @current_module
-      @current_module.add_method @visibility, name, res, @file_name
+      @current_module.add_method @visibility, name, res, @current_file
     end
     res
   end
@@ -101,9 +101,9 @@ module Brakeman::ModuleHelper
     @current_method = nil
     if @current_class
-      @current_class.add_method @visibility, name, res, @file_name
+      @current_class.add_method @visibility, name, res, @current_file
     elsif @current_module
-      @current_module.add_method @visibility, name, res, @file_name
+      @current_module.add_method @visibility, name, res, @current_file
     end
     res

data/lib/brakeman/processors/lib/processor_helper.rb CHANGED Viewed

@@ -73,10 +73,10 @@ module Brakeman::ProcessorHelper
     end
   end
-  def current_file_name
+  def current_file
     case
-    when @file_name
-      @file_name
+    when @current_file
+      @current_file
     when @current_class.is_a?(Brakeman::Collection)
       @current_class.file
     when @current_module.is_a?(Brakeman::Collection)

data/lib/brakeman/processors/lib/rails2_config_processor.rb CHANGED Viewed

@@ -27,9 +27,9 @@ class Brakeman::Rails2ConfigProcessor < Brakeman::BasicProcessor
   end
   #Use this method to process configuration file
-  def process_config src, file_name
-    @file_name = file_name
-    res = Brakeman::ConfigAliasProcessor.new.process_safely(src, nil, file_name)
+  def process_config src, current_file
+    @current_file = current_file
+    res = Brakeman::ConfigAliasProcessor.new.process_safely(src, nil, current_file)
     process res
   end
@@ -75,7 +75,7 @@ class Brakeman::Rails2ConfigProcessor < Brakeman::BasicProcessor
   def process_cdecl exp
     #Set Rails version required
     if exp.lhs == :RAILS_GEM_VERSION
-      @tracker.config.rails_version = exp.rhs.value
+      @tracker.config.set_rails_version exp.rhs.value
     end
     exp

data/lib/brakeman/processors/lib/rails2_route_processor.rb CHANGED Viewed

@@ -16,7 +16,7 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BasicProcessor
     @prefix = [] #Controller name prefix (a module name, usually)
     @current_controller = nil
     @with_options = nil #For use inside map.with_options
-    @file_name = "config/routes.rb"
+    @current_file = "config/routes.rb"
   end
   #Call this with parsed route file information.
@@ -24,7 +24,7 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BasicProcessor
   #This method first calls RouteAliasProcessor#process_safely on the +exp+,
   #so it does not modify the +exp+.
   def process_routes exp
-    process Brakeman::RouteAliasProcessor.new.process_safely(exp, nil, @file_name)
+    process Brakeman::RouteAliasProcessor.new.process_safely(exp, nil, @current_file)
   end
   #Looking for mapping of routes

data/lib/brakeman/processors/lib/rails3_config_processor.rb CHANGED Viewed

@@ -24,9 +24,9 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
   end
   #Use this method to process configuration file
-  def process_config src, file_name
-    @file_name = file_name
-    res = Brakeman::AliasProcessor.new(@tracker).process_safely(src, nil, @file_name)
+  def process_config src, current_file
+    @current_file = current_file
+    res = Brakeman::AliasProcessor.new(@tracker).process_safely(src, nil, @current_file)
     process res
   end

data/lib/brakeman/processors/lib/rails3_route_processor.rb CHANGED Viewed

@@ -17,11 +17,11 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BasicProcessor
     @current_controller = nil
     @with_options = nil #For use inside map.with_options
     @controller_block = false
-    @file_name = "config/routes.rb"
+    @current_file = "config/routes.rb"
   end
   def process_routes exp
-    process Brakeman::AliasProcessor.new.process_safely(exp, nil, @file_name)
+    process Brakeman::AliasProcessor.new.process_safely(exp, nil, @current_file)
   end
   def process_call exp

data/lib/brakeman/processors/lib/render_helper.rb CHANGED Viewed

@@ -36,7 +36,7 @@ module Brakeman::RenderHelper
   #Determines file name for partial and then processes it
   def process_partial name, args, line
-    if name == "" or !(string? name or symbol? name)
+    if !(string? name or symbol? name) or name.value == ""
       return
     end
@@ -148,7 +148,7 @@ module Brakeman::RenderHelper
       #This information will be stored in tracker.templates, but with a name
       #specifying this particular route. The original source should remain
       #pristine (so it can be processed within other environments).
-      @tracker.processor.process_template name, src, template.type, called_from
+      @tracker.processor.process_template name, src, template.type, called_from, template.file
     end
   end

data/lib/brakeman/processors/lib/render_path.rb CHANGED Viewed

@@ -83,7 +83,7 @@ module Brakeman
     end
     def map &block
-      @path.map &block
+      @path.map(&block)
     end
     def to_a
@@ -114,6 +114,23 @@ module Brakeman
       JSON.generate(@path)
     end
+    def with_relative_paths
+      @path.map do |loc|
+        r = loc.dup
+        if r[:file]
+          r[:file] = r[:file].relative
+        end
+        if r[:rendered] and r[:rendered][:file]
+          r[:rendered] = r[:rendered].dup
+          r[:rendered][:file] = r[:rendered][:file].relative
+        end
+        r
+      end
+    end
     def initialize_copy original
       @path = original.path.dup
       self

data/lib/brakeman/processors/library_processor.rb CHANGED Viewed

@@ -9,15 +9,15 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
   def initialize tracker
     super
-    @file_name = nil
+    @current_file = nil
     @alias_processor = Brakeman::AliasProcessor.new tracker
     @current_module = nil
     @current_class = nil
     @initializer_env = nil
   end
-  def process_library src, file_name = nil
-    @file_name = file_name
+  def process_library src, current_file = @current_file
+    @current_file = current_file
     process src
   end
@@ -41,10 +41,10 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
     if @current_class
       exp.body = process_all! exp.body
-      @current_class.add_method :public, exp.method_name, exp, @file_name
+      @current_class.add_method :public, exp.method_name, exp, @current_file
     elsif @current_module
       exp.body = process_all! exp.body
-      @current_module.add_method :public, exp.method_name, exp, @file_name
+      @current_module.add_method :public, exp.method_name, exp, @current_file
     end
     exp

data/lib/brakeman/processors/model_processor.rb CHANGED Viewed

@@ -12,24 +12,23 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
     @current_method = nil
     @current_module = nil
     @visibility = :public
-    @file_name = nil
+    @current_file = nil
   end
   #Process model source
-  def process_model src, file_name = nil
-    @file_name = file_name
+  def process_model src, current_file = @current_file
+    @current_file = current_file
     process src
   end
   #s(:class, NAME, PARENT, BODY)
   def process_class exp
     name = class_name(exp.class_name)
-    parent = class_name(exp.parent_name)
     #If inside an inner class we treat it as a library.
     if @current_class
       Brakeman.debug "[Notice] Treating inner class as library: #{name}"
-      Brakeman::LibraryProcessor.new(@tracker).process_library exp, @file_name
+      Brakeman::LibraryProcessor.new(@tracker).process_library exp, @current_file
       return exp
     end

data/lib/brakeman/processors/output_processor.rb CHANGED Viewed

@@ -8,6 +8,11 @@ require 'brakeman/util'
 class Brakeman::OutputProcessor < Ruby2Ruby
   include Brakeman::Util
+  def initialize *args
+    super
+    @user_input = nil
+  end
   #Copies +exp+ and then formats it.
   def format exp, user_input = nil, &block
     @user_input = user_input

data/lib/brakeman/processors/template_alias_processor.rb CHANGED Viewed

@@ -14,25 +14,52 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
   def initialize tracker, template, called_from = nil
     super tracker
     @template = template
+    @current_file = template.file
     @called_from = called_from
   end
   #Process template
-  def process_template name, args, _, line = nil, file_name = nil
-    @file_name = file_name || relative_path(@template.file || @tracker.templates[@template.name])
+  def process_template name, args, _, line = nil
     if @called_from
       if @called_from.include_template? name
         Brakeman.debug "Skipping circular render from #{@template.name} to #{name}"
         return
       end
-      super name, args, @called_from.dup.add_template_render(@template.name, line, @file_name), line
+      super name, args, @called_from.dup.add_template_render(@template.name, line, @current_file), line
+    else
+      super name, args, Brakeman::RenderPath.new.add_template_render(@template.name, line, @current_file), line
+    end
+  end
+  def process_lasgn exp
+    if exp.lhs == :haml_temp or haml_capture? exp.rhs
+      exp.rhs = process exp.rhs
+      # Avoid propagating contents of block
+      if node_type? exp.rhs, :iter
+        new_exp = exp.dup
+        new_exp.rhs = exp.rhs.block_call
+        super new_exp
+        exp # Still save the original, though
+      else
+        super exp
+      end
     else
-      super name, args, Brakeman::RenderPath.new.add_template_render(@template.name, line, @file_name), line
+      super exp
     end
   end
+  HAML_CAPTURE = [:capture, :capture_haml]
+  def haml_capture? exp
+    node_type? exp, :iter and
+      call? exp.block_call and
+      HAML_CAPTURE.include? exp.block_call.method
+  end
   #Determine template name
   def template_name name
     if !name.to_s.include?('/') && @template.name.to_s.include?('/')

data/lib/brakeman/processors/template_processor.rb CHANGED Viewed

@@ -5,10 +5,10 @@ require 'brakeman/tracker/template'
 class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
   #Initializes template information.
-  def initialize tracker, template_name, called_from = nil, file_name = nil
-    super(tracker)
-    @current_template = Brakeman::Template.new template_name, called_from, file_name, tracker
-    @file_name = file_name
+  def initialize tracker, template_name, called_from = nil, current_file = nil
+    super(tracker)
+    @current_template = Brakeman::Template.new template_name, called_from, current_file, tracker
+    @current_file = @current_template.file
     if called_from
       template_name = (template_name.to_s + "." + called_from.to_s).to_sym
@@ -61,9 +61,9 @@ class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
       branches = [arg.then_clause, arg.else_clause].compact
       if branches.empty?
-        s(:nil)
+        s(:nil).line(arg.line)
       elsif branches.length == 2
-        Sexp.new(:or, *branches)
+        Sexp.new(:or, *branches).line(arg.line)
       else
         branches.first
       end
@@ -77,9 +77,13 @@ class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
   end
   def add_output output, type = :output
-    s = Sexp.new(type, output)
-    s.line(output.line)
-    @current_template.add_output s
-    s
+    if node_type? output, :or
+      Sexp.new(:or, add_output(output.lhs, type), add_output(output.rhs, type)).line(output.line)
+    else
+      s = Sexp.new(type, output)
+      s.line(output.line)
+      @current_template.add_output s
+      s
+    end
   end
 end

data/lib/brakeman/report.rb CHANGED Viewed

@@ -8,8 +8,8 @@ class Brakeman::Report
   VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain, :to_text]
-  def initialize app_tree, tracker
-    @app_tree = app_tree
+  def initialize tracker
+    @app_tree = tracker.app_tree
     @tracker = tracker
   end
@@ -83,6 +83,6 @@ class Brakeman::Report
   alias to_s to_text
   def generate reporter
-    reporter.new(@app_tree, @tracker).generate_report
+    reporter.new(@tracker).generate_report
   end
 end

data/lib/brakeman/report/ignore/config.rb CHANGED Viewed

@@ -22,6 +22,7 @@ module Brakeman
     def filter_ignored
       @shown_warnings = []
       @ignored_warnings = []
+      @used_fingerprints = Set.new
       @new_warnings.each do |w|
         if ignored? w
@@ -112,9 +113,7 @@ module Brakeman
     def save_to_file warnings, file = @file
       warnings = warnings.map do |w|
         if w.is_a? Warning
-          w_hash = w.to_hash
-          w_hash[:file] = w.relative_path
-          w = w_hash
+          w = w.to_hash(absolute_paths: false)
         end
         w[:note] = @notes[w[:fingerprint]] || ""

data/lib/brakeman/report/ignore/interactive.rb CHANGED Viewed

@@ -280,9 +280,9 @@ q - Quit, do not update ignored warnings
         say warning.format_code
       end
-      if warning.relative_path
+      if warning.file
         label "File"
-        say warning.relative_path
+        say warning.file.relative
       end
       if warning.line

data/lib/brakeman/report/pager.rb CHANGED Viewed

@@ -4,6 +4,7 @@ module Brakeman
       @tracker = tracker
       @pager = pager
       @output = output
+      @less_available = @less_options = nil
     end
     def page_report report, format

data/lib/brakeman/report/report_base.rb CHANGED Viewed

@@ -13,8 +13,8 @@ class Brakeman::Report::Base
   TEXT_CONFIDENCE = Brakeman::Warning::TEXT_CONFIDENCE
-  def initialize app_tree, tracker
-    @app_tree = app_tree
+  def initialize tracker
+    @app_tree = tracker.app_tree
     @tracker = tracker
     @checks = tracker.checks
     @ignore_filter = tracker.ignored_filter
@@ -123,16 +123,52 @@ class Brakeman::Report::Base
     Set.new(tracker.templates.map {|k,v| v.name.to_s[/[^.]+/]}).length
   end
-  def warning_file warning, absolute = @tracker.options[:absolute_paths]
+  def absolute_paths?
+    @tracker.options[:absolute_paths]
+  end
+  def warning_file warning
     return nil if warning.file.nil?
-    if absolute
-      warning.file
+    if absolute_paths?
+      warning.file.absolute
     else
-      relative_path warning.file
+      warning.file.relative
     end
   end
+  #Return array of lines surrounding the warning location from the original
+  #file.
+  def context_for warning
+    file = warning.file
+    context = []
+    return context unless warning.line and file and file.exists?
+    current_line = 0
+    start_line = warning.line - 5
+    end_line = warning.line + 5
+    start_line = 1 if start_line < 0
+    File.open file do |f|
+      f.each_line do |line|
+        current_line += 1
+        next if line.strip == ""
+        if current_line > end_line
+          break
+        end
+        if current_line >= start_line
+          context << [current_line, line]
+        end
+      end
+    end
+    context
+  end
   def rails_version
     case
     when tracker.config.rails_version
@@ -145,4 +181,13 @@ class Brakeman::Report::Base
       "Unknown"
     end
   end
+  def github_url file, line=nil
+    if repo_url = @tracker.options[:github_url] and file
+      url = "#{repo_url}/#{file.relative}"
+      url << "#L#{line}" if line
+    else
+      nil
+    end
+  end
 end