brakeman-lib 4.5.0 → 4.7.1

data/lib/brakeman/tracker/config.rb

@@ -4,10 +4,8 @@ module Brakeman
   class Config
     include Util
 
-    attr_reader :rails, :tracker
-    attr_accessor :rails_version, :ruby_version
+    attr_reader :gems, :rails, :ruby_version, :tracker
     attr_writer :erubis, :escape_html
-    attr_reader :gems
 
     def initialize tracker
       @tracker = tracker
@@ -19,16 +17,9 @@ module Brakeman
       @ruby_version = ""
     end
 
-    def allow_forgery_protection?
-      @rails[:action_controller] and
-        @rails[:action_controller][:allow_forgery_protection] == Sexp.new(:false)
-    end
-
     def default_protect_from_forgery?
-      if version_between? "5.2.0", "9.9.9"
-        if @rails[:action_controller] and
-            @rails[:action_controller][:default_protect_from_forgery] == Sexp.new(:false)
-
+      if version_between? "5.2.0.beta1", "9.9.9"
+        if @rails.dig(:action_controller, :default_protect_from_forgery) == Sexp.new(:false)
           return false
         else
           return true
@@ -48,17 +39,21 @@ module Brakeman
 
     def escape_html_entities_in_json?
       #TODO add version-specific information here
-      @rails[:active_support] and
-        true? @rails[:active_support][:escape_html_entities_in_json]
+      true? @rails.dig(:active_support, :escape_html_entities_in_json)
+    end
+
+    def escape_filter_interpolations?
+      # TODO see if app is actually turning this off itself
+      has_gem?(:haml) and
+        version_between? "5.0.0", "5.99", gem_version(:haml)
     end
 
     def whitelist_attributes?
-      @rails[:active_record] and
-        @rails[:active_record][:whitelist_attributes] == Sexp.new(:true)
+      @rails.dig(:active_record, :whitelist_attributes) == Sexp.new(:true)
     end
 
     def gem_version name
-      @gems[name] and @gems[name][:version]
+      extract_version @gems.dig(name, :version)
     end
 
     def add_gem name, version, file, line
@@ -78,11 +73,16 @@ module Brakeman
       @gems[name]
     end
 
-    def set_rails_version
-      # Ignore ~>, etc. when using values from Gemfile
-      version = gem_version(:rails) || gem_version(:railties)
-      if version and version.match(/(\d+\.\d+(\.\d+.*)?)/)
-        @rails_version = $1
+    def set_rails_version version = nil
+      version = if version
+                  # Only used by Rails2ConfigProcessor right now
+                  extract_version(version)
+                else
+                  gem_version(:rails) || gem_version(:railties)
+                end
+
+      if version
+        @rails_version = version
 
         if tracker.options[:rails3].nil? and tracker.options[:rails4].nil?
           if @rails_version.start_with? "3"
@@ -97,6 +97,12 @@ module Brakeman
             tracker.options[:rails4] = true
             tracker.options[:rails5] = true
             Brakeman.notify "[Notice] Detected Rails 5 application"
+          elsif @rails_version.start_with? "6"
+            tracker.options[:rails3] = true
+            tracker.options[:rails4] = true
+            tracker.options[:rails5] = true
+            tracker.options[:rails6] = true
+            Brakeman.notify "[Notice] Detected Rails 6 application"
           end
         end
       end
@@ -107,12 +113,20 @@ module Brakeman
       end
     end
 
+    def rails_version
+      # This needs to be here because Util#rails_version calls Tracker::Config#rails_version
+      # but Tracker::Config includes Util...
+      @rails_version
+    end
+
     def set_ruby_version version
+      @ruby_version = extract_version(version)
+    end
+
+    def extract_version version
       return unless version.is_a? String
 
-      if version =~ /(\d+\.\d+\.\d+)/
-        self.ruby_version = $1
-      end
+      version[/\d+\.\d+(\.\d+.*)?/]
     end
 
     #Returns true if low_version <= RAILS_VERSION <= high_version
@@ -122,58 +136,15 @@ module Brakeman
       current_version ||= rails_version
       return false unless current_version
 
-      version = current_version.split(".").map! { |v| convert_version_number v }
-      low_version = low_version.split(".").map! { |v| convert_version_number v }
-      high_version = high_version.split(".").map! { |v| convert_version_number v }
-
-      version.each_with_index do |v, i|
-        if lower? v, low_version.fetch(i, 0)
-          return false
-        elsif higher? v, low_version.fetch(i, 0)
-          break
-        end
-      end
-
-      version.each_with_index do |v, i|
-        if higher? v, high_version.fetch(i, 0)
-          return false
-        elsif lower? v, high_version.fetch(i, 0)
-          break
-        end
-      end
+      low = Gem::Version.new(low_version)
+      high = Gem::Version.new(high_version)
+      current = Gem::Version.new(current_version)
 
-      true
+      current.between?(low, high)
     end
 
     def session_settings
-      @rails[:action_controller] &&
-        @rails[:action_controller][:session]
-    end
-
-    private
-
-    def convert_version_number value
-      if value.match(/\A\d+\z/)
-        value.to_i
-      else
-        value
-      end
-    end
-
-    def lower? lhs, rhs
-      if lhs.class == rhs.class
-        lhs < rhs
-      else
-        false
-      end
-    end
-
-    def higher? lhs, rhs
-      if lhs.class == rhs.class
-        lhs > rhs
-      else
-        false
-      end
+      @rails.dig(:action_controller, :session)
     end
   end
 end

data/lib/brakeman/tracker/constants.rb

@@ -49,7 +49,7 @@ module Brakeman
     include Brakeman::Util
 
     def initialize
-      @constants = Hash.new { |h, k| h[k] = [] }
+      @constants = {}
     end
 
     def size
@@ -103,6 +103,7 @@ module Brakeman
       end
 
       base_name = Constants.get_constant_base_name(name)
+      @constants[base_name] ||= []
       @constants[base_name] << Constant.new(name, value, context)
     end
 

data/lib/brakeman/util.rb

@@ -346,158 +346,12 @@ module Brakeman::Util
     @tracker.config.rails_version
   end
 
-  #Return file name related to given warning. Uses +warning.file+ if it exists
-  def file_for warning, tracker = nil
-    if tracker.nil?
-      tracker = @tracker || self.tracker
-    end
-
-    if warning.file
-      File.expand_path warning.file, tracker.app_path
-    elsif warning.template and warning.template.file
-      warning.template.file
-    else
-      case warning.warning_set
-      when :controller
-        file_by_name warning.controller, :controller, tracker
-      when :template
-        file_by_name warning.template.name, :template, tracker
-      when :model
-        file_by_name warning.model, :model, tracker
-      when :warning
-        file_by_name warning.class, nil, tracker
-      else
-        nil
-      end
-    end
-  end
-
-  #Attempt to determine path to context file based on the reported name
-  #in the warning.
-  #
-  #For example,
-  #
-  #  file_by_name FileController #=> "/rails/root/app/controllers/file_controller.rb
-  def file_by_name name, type, tracker = nil
-    return nil unless name
-    string_name = name.to_s
-    name = name.to_sym
-
-    unless type
-      if string_name =~ /Controller$/
-        type = :controller
-      elsif camelize(string_name) == string_name # This is not always true
-        type = :model
-      else
-        type = :template
-      end
-    end
-
-    path = tracker.app_path
-
-    case type
-    when :controller
-      if tracker.controllers[name]
-        path = tracker.controllers[name].file
-      else
-        path += "/app/controllers/#{underscore(string_name)}.rb"
-      end
-    when :model
-      if tracker.models[name]
-        path = tracker.models[name].file
-      else
-        path += "/app/models/#{underscore(string_name)}.rb"
-      end
-    when :template
-      if tracker.templates[name] and tracker.templates[name].file
-        path = tracker.templates[name].file
-      elsif string_name.include? " "
-        name = string_name.split[0].to_sym
-        path = file_for tracker, name, :template
-      else
-        path = nil
-      end
-    end
-
-    path
-  end
-
-  #Return array of lines surrounding the warning location from the original
-  #file.
-  def context_for app_tree, warning, tracker = nil
-    file = file_for warning, tracker
-    context = []
-    return context unless warning.line and file and @app_tree.path_exists? file
-
-    current_line = 0
-    start_line = warning.line - 5
-    end_line = warning.line + 5
-
-    start_line = 1 if start_line < 0
-
-    File.open file do |f|
-      f.each_line do |line|
-        current_line += 1
-
-        next if line.strip == ""
-
-        if current_line > end_line
-          break
-        end
-
-        if current_line >= start_line
-          context << [current_line, line]
-        end
-      end
-    end
-
-    context
-  end
-
-  def relative_path file
-    pname = Pathname.new file
-    if file and not file.empty? and pname.absolute?
-      pname.relative_path_from(Pathname.new(@tracker.app_path)).to_s
-    else
-      file
-    end
-  end
-
   #Convert path/filename to view name
   #
   # views/test/something.html.erb -> test/something
   def template_path_to_name path
-    names = path.split("/")
+    names = path.relative.split("/")
     names.last.gsub!(/(\.(html|js)\..*|\.(rhtml|haml|erb|slim))$/, '')
     names[(names.index("views") + 1)..-1].join("/").to_sym
   end
-
-  def github_url file, line=nil
-    if repo_url = @tracker.options[:github_url] and file and not file.empty? and file.start_with? '/'
-      url = "#{repo_url}/#{relative_path(file)}"
-      url << "#L#{line}" if line
-    else
-      nil
-    end
-  end
-
-  def truncate_table str
-    @terminal_width ||= if @tracker.options[:table_width]
-                          @tracker.options[:table_width]
-                        elsif $stdin && $stdin.tty?
-                          Brakeman.load_brakeman_dependency 'highline'
-                          ::HighLine.new.terminal_size[0]
-                        else
-                          80
-                        end
-    lines = str.lines
-
-    lines.map do |line|
-      if line.chomp.length > @terminal_width
-        line[0..(@terminal_width - 3)] + ">>\n"
-      else
-        line
-      end
-    end.join
-  end
 end

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "4.5.0"
+  Version = "4.7.1"
 end

data/lib/brakeman/warning.rb

@@ -9,7 +9,7 @@ class Brakeman::Warning
     :line, :method, :model, :template, :user_input, :user_input_type,
     :warning_code, :warning_set, :warning_type
 
-  attr_accessor :code, :context, :file, :message, :relative_path
+  attr_accessor :code, :context, :file, :message
 
   TEXT_CONFIDENCE = {
     0 => "High",
@@ -34,11 +34,11 @@ class Brakeman::Warning
     :file => :@file,
     :gem_info => :@gem_info,
     :line => :@line,
+    :link => :@link,
     :link_path => :@link_path,
     :message => :@message,
     :method => :@method,
     :model => :@model,
-    :relative_path => :@relative_path,
     :template => :@template,
     :user_input => :@user_input,
     :warning_set => :@warning_set,
@@ -100,9 +100,11 @@ class Brakeman::Warning
     unless @warning_set
       if self.model
         @warning_set = :model
+        @file ||= self.model.file
       elsif self.template
         @warning_set = :template
         @called_from = self.template.render_path
+        @file ||= self.template.file
       elsif self.controller
         @warning_set = :controller
       else
@@ -112,6 +114,8 @@ class Brakeman::Warning
 
     if options[:warning_code]
       @warning_code = Brakeman::WarningCodes.code options[:warning_code]
+    else
+      @warning_code = nil
     end
 
     Brakeman.debug("Warning created without warning code: #{options[:warning_code]}") unless @warning_code
@@ -221,7 +225,7 @@ class Brakeman::Warning
     when :template
       @row["Template"] = self.view_name.to_s
     when :model
-      @row["Model"] = self.model.to_s
+      @row["Model"] = self.model.name.to_s
     when :controller
       @row["Controller"] = self.controller.to_s
     when :warning
@@ -235,7 +239,7 @@ class Brakeman::Warning
   def to_s
    output =  "(#{TEXT_CONFIDENCE[self.confidence]}) #{self.warning_type} - #{self.message}"
    output << " near line #{self.line}" if self.line
-   output << " in #{self.file}" if self.file
+   output << " in #{self.file.relative}" if self.file
    output << ": #{self.format_code}" if self.code
 
    output
@@ -247,37 +251,47 @@ class Brakeman::Warning
     warning_code_string = sprintf("%03d", @warning_code)
     code_string = @code.inspect
 
-    Digest::SHA2.new(256).update("#{warning_code_string}#{code_string}#{location_string}#{@relative_path}#{self.confidence}").to_s
+    Digest::SHA2.new(256).update("#{warning_code_string}#{code_string}#{location_string}#{self.file.relative}#{self.confidence}").to_s
   end
 
   def location include_renderer = true
     case @warning_set
     when :template
-      location = { :type => :template, :template => self.view_name(include_renderer) }
+      { :type => :template, :template => self.view_name(include_renderer) }
     when :model
-      location = { :type => :model, :model => self.model }
+      { :type => :model, :model => self.model.name }
     when :controller
-      location = { :type => :controller, :controller => self.controller }
+      { :type => :controller, :controller => self.controller }
     when :warning
       if self.class
-        location = { :type => :method, :class => self.class, :method => self.method }
+        { :type => :method, :class => self.class, :method => self.method }
       else
-        location = nil
+        nil
       end
     end
   end
 
-  def to_hash
+  def relative_path
+    self.file.relative
+  end
+
+  def to_hash absolute_paths: true
+    if self.called_from and not absolute_paths
+      render_path = self.called_from.with_relative_paths
+    else
+      render_path = self.called_from
+    end
+
     { :warning_type => self.warning_type,
       :warning_code => @warning_code,
       :fingerprint => self.fingerprint,
       :check_name => self.check.gsub(/^Brakeman::Check/, ''),
       :message => self.message.to_s,
-      :file => self.file,
+      :file => (absolute_paths ? self.file.absolute : self.file.relative),
       :line => self.line,
       :link => self.link,
       :code => (@code && self.format_code(false)),
-      :render_path => self.called_from,
+      :render_path => render_path,
       :location => self.location(false),
       :user_input => (@user_input && self.format_user_input(false)),
       :confidence => TEXT_CONFIDENCE[self.confidence]