brakeman-lib 4.5.1 → 4.7.2

data/lib/brakeman/processors/lib/find_call.rb

@@ -33,14 +33,13 @@ require 'brakeman/processors/lib/basic_processor'
 # FindCall.new nil, /^g?sub!?$/
 class Brakeman::FindCall < Brakeman::BasicProcessor
 
-  def initialize targets, methods, tracker, in_depth = false
+  def initialize targets, methods, tracker
     super tracker
     @calls = []
     @find_targets = targets
     @find_methods = methods
     @current_class = nil
     @current_method = nil
-    @in_depth = in_depth
   end
 
   #Returns a list of results.
@@ -48,10 +47,6 @@ class Brakeman::FindCall < Brakeman::BasicProcessor
   #A result looks like:
   #
   # s(:result, :ClassName, :method_name, s(:call, ...))
-  #
-  #or
-  #
-  # s(:result, :template_name, s(:call, ...))
   def matches
     @calls
   end
@@ -60,10 +55,7 @@ class Brakeman::FindCall < Brakeman::BasicProcessor
   #or the template. These names are used when reporting results.
   #
   #Use FindCall#matches to retrieve results.
-  def process_source exp, klass = nil, method = nil, template = nil
-    @current_class = klass
-    @current_method = method
-    @current_template = template
+  def process_source exp
     process exp
   end
 
@@ -74,11 +66,6 @@ class Brakeman::FindCall < Brakeman::BasicProcessor
 
   alias :process_defs :process_defn
 
-  #Process body of block
-  def process_rlist exp
-    process_all exp
-  end
-
   #Look for matching calls and add them to results
   def process_call exp
     target = get_target exp.target
@@ -87,25 +74,9 @@ class Brakeman::FindCall < Brakeman::BasicProcessor
     process_call_args exp
 
     if match(@find_targets, target) and match(@find_methods, method)
-
-      if @current_template
-        @calls << Sexp.new(:result, @current_template, exp).line(exp.line)
-      else
-        @calls << Sexp.new(:result, @current_module, @current_class, @current_method, exp).line(exp.line)
-      end
-
+      @calls << Sexp.new(:result, @current_module, @current_class, @current_method, exp).line(exp.line)
     end
     
-    #Normally FindCall won't match a method invocation that is the target of
-    #another call, such as:
-    #
-    #  User.find(:first, :conditions => "user = '#{params['user']}').name
-    #
-    #A search for User.find will not match this unless @in_depth is true.
-    if @in_depth and call? exp.target
-      process exp.target
-    end
-
     exp
   end
 
@@ -123,8 +94,6 @@ class Brakeman::FindCall < Brakeman::BasicProcessor
       case exp.node_type
       when :ivar, :lvar, :const, :lit
         exp.value
-      when :true, :false
-        exp.node_type
       when :colon2
         class_name exp
       else
@@ -141,43 +110,13 @@ class Brakeman::FindCall < Brakeman::BasicProcessor
     when Symbol
       if search_terms == item
         true
-      elsif sexp? item
-        is_instance_of? item, search_terms
       else
         false
       end
-    when Sexp
-      search_terms == item
     when Enumerable
       if search_terms.empty?
         item == nil
-      else
-        search_terms.each do|term|
-          if match(term, item)
-            return true
-          end
-        end
-        false
       end
-    when Regexp
-      search_terms.match item.to_s
-    when nil
-      true
-    else
-      raise "Cannot match #{search_terms} and #{item}"
-    end
-  end
-
-  #Checks if +item+ is an instance of +klass+ by looking for Klass.new
-  def is_instance_of? item, klass
-    if call? item
-      if sexp? item.target
-        item.method == :new and item.target.node_type == :const and item.target.value == klass
-      else
-        item.method == :new and item.target == klass
-      end
-    else
-      false
     end
   end
 end

data/lib/brakeman/processors/lib/rails2_config_processor.rb

@@ -75,7 +75,7 @@ class Brakeman::Rails2ConfigProcessor < Brakeman::BasicProcessor
   def process_cdecl exp
     #Set Rails version required
     if exp.lhs == :RAILS_GEM_VERSION
-      @tracker.config.rails_version = exp.rhs.value
+      @tracker.config.set_rails_version exp.rhs.value
     end
 
     exp

data/lib/brakeman/processors/template_alias_processor.rb

@@ -32,6 +32,34 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
     end
   end
 
+  def process_lasgn exp
+    if exp.lhs == :haml_temp or haml_capture? exp.rhs
+      exp.rhs = process exp.rhs
+
+      # Avoid propagating contents of block
+      if node_type? exp.rhs, :iter
+        new_exp = exp.dup
+        new_exp.rhs = exp.rhs.block_call
+
+        super new_exp
+
+        exp # Still save the original, though
+      else
+        super exp
+      end
+    else
+      super exp
+    end
+  end
+
+  HAML_CAPTURE = [:capture, :capture_haml]
+
+  def haml_capture? exp
+    node_type? exp, :iter and
+      call? exp.block_call and
+      HAML_CAPTURE.include? exp.block_call.method
+  end
+
   #Determine template name
   def template_name name
     if !name.to_s.include?('/') && @template.name.to_s.include?('/')

data/lib/brakeman/processors/template_processor.rb

@@ -61,9 +61,9 @@ class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
       branches = [arg.then_clause, arg.else_clause].compact
 
       if branches.empty?
-        s(:nil)
+        s(:nil).line(arg.line)
       elsif branches.length == 2
-        Sexp.new(:or, *branches)
+        Sexp.new(:or, *branches).line(arg.line)
       else
         branches.first
       end
@@ -77,9 +77,13 @@ class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
   end
 
   def add_output output, type = :output
-    s = Sexp.new(type, output)
-    s.line(output.line)
-    @current_template.add_output s
-    s
+    if node_type? output, :or
+      Sexp.new(:or, add_output(output.lhs, type), add_output(output.rhs, type)).line(output.line)
+    else
+      s = Sexp.new(type, output)
+      s.line(output.line)
+      @current_template.add_output s
+      s
+    end
   end
 end

data/lib/brakeman/report/report_text.rb

@@ -19,7 +19,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
     add_chunk generate_controllers if tracker.options[:debug] or tracker.options[:report_routes]
     add_chunk generate_templates if tracker.options[:debug]
     add_chunk generate_obsolete
-    add_chunk generate_errors 
+    add_chunk generate_errors
     add_chunk generate_warnings
   end
 
@@ -51,7 +51,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
 
   def generate_header
     [
-      header("Brakeman Report"), 
+      header("Brakeman Report"),
       label("Application Path", tracker.app_path),
       label("Rails Version", rails_version),
       label("Brakeman Version", Brakeman::Version),
@@ -92,7 +92,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
       HighLine.color("No warnings found", :bold, :green)
     else
       warnings = tracker.filtered_warnings.sort_by do |w|
-        [w.confidence, w.warning_type, w.fingerprint]
+        [w.confidence, w.warning_type, w.file, w.line, w.fingerprint]
       end.map do |w|
         output_warning w
       end
@@ -140,7 +140,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
     end
 
     double_space "Template Output", template_rows.sort_by { |name, value| name.to_s }.map { |template|
-      [HighLine.new.color(template.first.to_s << "\n", :cyan)] + template[1]
+      [HighLine.new.color("#{template.first}\n", :cyan)] + template[1]
     }.compact
   end
 
@@ -211,4 +211,3 @@ class Brakeman::Report::Text < Brakeman::Report::Base
     double_space "Controller Overview", controllers
   end
 end
-

data/lib/brakeman/rescanner.rb

@@ -226,9 +226,13 @@ class Brakeman::Rescanner < Brakeman::Scanner
   end
 
   def rescan_initializer path
+    tracker.reset_initializer path
+
     parse_ruby_files([path]).each do |astfile|
       process_initializer astfile
     end
+
+    @reindex << :initializers
   end
 
   #Handle rescanning when a file is deleted

data/lib/brakeman/tracker.rb

@@ -227,6 +227,10 @@ class Brakeman::Tracker
       finder.process_source template.src, :template => template, :file => template.file
     end
 
+    self.initializers.each do |file_name, src|
+      finder.process_all_source src, :file => file_name
+    end
+
     @call_index = Brakeman::CallIndex.new finder.calls
   end
 
@@ -237,8 +241,8 @@ class Brakeman::Tracker
   #
   #This will limit reindexing to the given sets
   def reindex_call_sites locations
-    #If reindexing templates, models, and controllers, just redo
-    #everything
+    #If reindexing templates, models, controllers,
+    #just redo everything.
     if locations.length == 3
       return index_call_sites
     end
@@ -260,6 +264,12 @@ class Brakeman::Tracker
       method_sets << self.controllers
     end
 
+    if locations.include? :initializers
+      self.initializers.each do |file_name, src|
+        @call_index.remove_indexes_by_file file_name
+      end
+    end
+
     @call_index.remove_indexes_by_class classes_to_reindex
 
     finder = Brakeman::FindAllCalls.new self
@@ -279,6 +289,12 @@ class Brakeman::Tracker
       end
     end
 
+    if locations.include? :initializers
+      self.initializers.each do |file_name, src|
+        finder.process_all_source src, :file => file_name
+      end
+    end
+
     @call_index.index_calls finder.calls
   end
 
@@ -363,4 +379,12 @@ class Brakeman::Tracker
   def reset_routes
     @routes = {}
   end
+
+  def reset_initializer path
+    @initializers.delete_if do |file, src|
+      path.relative.include? file
+    end
+
+    @call_index.remove_indexes_by_file path
+  end
 end

data/lib/brakeman/tracker/config.rb

@@ -4,10 +4,8 @@ module Brakeman
   class Config
     include Util
 
-    attr_reader :rails, :tracker
-    attr_accessor :rails_version, :ruby_version
+    attr_reader :gems, :rails, :ruby_version, :tracker
     attr_writer :erubis, :escape_html
-    attr_reader :gems
 
     def initialize tracker
       @tracker = tracker
@@ -19,16 +17,9 @@ module Brakeman
       @ruby_version = ""
     end
 
-    def allow_forgery_protection?
-      @rails[:action_controller] and
-        @rails[:action_controller][:allow_forgery_protection] == Sexp.new(:false)
-    end
-
     def default_protect_from_forgery?
-      if version_between? "5.2.0", "9.9.9"
-        if @rails[:action_controller] and
-            @rails[:action_controller][:default_protect_from_forgery] == Sexp.new(:false)
-
+      if version_between? "5.2.0.beta1", "9.9.9"
+        if @rails.dig(:action_controller, :default_protect_from_forgery) == Sexp.new(:false)
           return false
         else
           return true
@@ -48,17 +39,21 @@ module Brakeman
 
     def escape_html_entities_in_json?
       #TODO add version-specific information here
-      @rails[:active_support] and
-        true? @rails[:active_support][:escape_html_entities_in_json]
+      true? @rails.dig(:active_support, :escape_html_entities_in_json)
+    end
+
+    def escape_filter_interpolations?
+      # TODO see if app is actually turning this off itself
+      has_gem?(:haml) and
+        version_between? "5.0.0", "5.99", gem_version(:haml)
     end
 
     def whitelist_attributes?
-      @rails[:active_record] and
-        @rails[:active_record][:whitelist_attributes] == Sexp.new(:true)
+      @rails.dig(:active_record, :whitelist_attributes) == Sexp.new(:true)
     end
 
     def gem_version name
-      @gems[name] and @gems[name][:version]
+      extract_version @gems.dig(name, :version)
     end
 
     def add_gem name, version, file, line
@@ -78,11 +73,16 @@ module Brakeman
       @gems[name]
     end
 
-    def set_rails_version
-      # Ignore ~>, etc. when using values from Gemfile
-      version = gem_version(:rails) || gem_version(:railties)
-      if version and version.match(/(\d+\.\d+(\.\d+.*)?)/)
-        @rails_version = $1
+    def set_rails_version version = nil
+      version = if version
+                  # Only used by Rails2ConfigProcessor right now
+                  extract_version(version)
+                else
+                  gem_version(:rails) || gem_version(:railties)
+                end
+
+      if version
+        @rails_version = version
 
         if tracker.options[:rails3].nil? and tracker.options[:rails4].nil?
           if @rails_version.start_with? "3"
@@ -113,12 +113,20 @@ module Brakeman
       end
     end
 
+    def rails_version
+      # This needs to be here because Util#rails_version calls Tracker::Config#rails_version
+      # but Tracker::Config includes Util...
+      @rails_version
+    end
+
     def set_ruby_version version
+      @ruby_version = extract_version(version)
+    end
+
+    def extract_version version
       return unless version.is_a? String
 
-      if version =~ /(\d+\.\d+\.\d+)/
-        self.ruby_version = $1
-      end
+      version[/\d+\.\d+(\.\d+.*)?/]
     end
 
     #Returns true if low_version <= RAILS_VERSION <= high_version
@@ -128,58 +136,15 @@ module Brakeman
       current_version ||= rails_version
       return false unless current_version
 
-      version = current_version.split(".").map! { |v| convert_version_number v }
-      low_version = low_version.split(".").map! { |v| convert_version_number v }
-      high_version = high_version.split(".").map! { |v| convert_version_number v }
-
-      version.each_with_index do |v, i|
-        if lower? v, low_version.fetch(i, 0)
-          return false
-        elsif higher? v, low_version.fetch(i, 0)
-          break
-        end
-      end
+      low = Gem::Version.new(low_version)
+      high = Gem::Version.new(high_version)
+      current = Gem::Version.new(current_version)
 
-      version.each_with_index do |v, i|
-        if higher? v, high_version.fetch(i, 0)
-          return false
-        elsif lower? v, high_version.fetch(i, 0)
-          break
-        end
-      end
-
-      true
+      current.between?(low, high)
     end
 
     def session_settings
-      @rails[:action_controller] &&
-        @rails[:action_controller][:session]
-    end
-
-    private
-
-    def convert_version_number value
-      if value.match(/\A\d+\z/)
-        value.to_i
-      else
-        value
-      end
-    end
-
-    def lower? lhs, rhs
-      if lhs.class == rhs.class
-        lhs < rhs
-      else
-        false
-      end
-    end
-
-    def higher? lhs, rhs
-      if lhs.class == rhs.class
-        lhs > rhs
-      else
-        false
-      end
+      @rails.dig(:action_controller, :session)
     end
   end
 end