brakeman-lib 4.7.1 → 4.7.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1a0bb1fb9eebcf11e5493213b5cd4a40b6c5359952f754bd7aab4fe727fa3950
-  data.tar.gz: '07648dfb71e125045d345bd154a56547f0b8168f6ecd29f6b47442e7923fbd3a'
+  metadata.gz: ef101a185ff582733d1564d862fcb87afbedb1df01482f1c8815f130bd886a0b
+  data.tar.gz: 938ff3304347e001f5f21880d8d6dfca2bb1d3b26f29dae7d269db67350df70f
 SHA512:
-  metadata.gz: dd82f20198e48a73d7c7ddac934fcc9b192400e0b333f665033b7375c63ed5ffd5baf130ce31afd5aab48f7661cc93694a87b81ba87e29ad5a879c897052e1df
-  data.tar.gz: 5975dcd2ef58e1007d45b2206fcdf8232962b22739ccde18c9e72f3aafe72196efb11b4627051ca43bad2aaf7881dc0a7e35b25ef32436b33fea2853bb65b65b
+  metadata.gz: de7d5d8fc614fd226145878158e4e75745e31afce19e87e84e73d19d5182b42128ff36d2a5fa45567286ec989513fa5c1ae40aa53353f56b04c3a7a52a11bef6
+  data.tar.gz: 78006970c55993fbcf96ac56783d3ed04beb1d5bf54d4b716a04158796398577ded0fb1bd7b7070e91074a6daff48e762b6b49515c10ca6d27c84cde0e7b0531

data/CHANGES.md

@@ -1,3 +1,11 @@
+# 4.7.2 - 2019-11-25
+
+* Remove version guard for `named_scope` vs. `scope`
+* Find SQL injection in `String#strip_heredoc` target
+* Handle more `permit!` cases
+* Ensure file name is set when processing model
+* Add `request.params` as query parameters
+
 # 4.7.1 - 2019-10-29 
 
 * Check string length against limit before joining

data/README.md

@@ -62,7 +62,7 @@ Outside of Rails root (note that the output file is relative to path/to/rails/ap
 
 # Compatibility
 
-Brakeman should work with any version of Rails from 2.3.x to 5.x.
+Brakeman should work with any version of Rails from 2.3.x to 6.x.
 
 Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 2.3.0 to run.
 

data/lib/brakeman/checks/check_mass_assignment.rb

@@ -158,7 +158,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
 
   # Look for and warn about uses of Parameters#permit! for mass assignment
   def check_permit!
-    tracker.find_call(:method => :permit!).each do |result|
+    tracker.find_call(:method => :permit!, :nested => true).each do |result|
       if params? result[:call].target and not result[:chain].include? :slice
         warn_on_permit! result
       end

data/lib/brakeman/checks/check_sql.rb

@@ -71,32 +71,32 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   def find_scope_calls
     scope_calls = []
 
-    if version_between?("2.1.0", "3.0.9")
-      ar_scope_calls(:named_scope) do |model, args|
-        call = make_call(nil, :named_scope, args).line(args.line)
-        scope_calls << scope_call_hash(call, model, :named_scope)
-      end
-    elsif version_between?("3.1.0", "9.9.9")
-      ar_scope_calls(:scope) do |model, args|
-        second_arg = args[2]
-        next unless sexp? second_arg
-
-        if second_arg.node_type == :iter and node_type? second_arg.block, :block, :call, :safe_call
-          process_scope_with_block(model, args)
-        elsif call? second_arg
-          call = second_arg
-          scope_calls << scope_call_hash(call, model, call.method)
-        else
-          call = make_call(nil, :scope, args).line(args.line)
-          scope_calls << scope_call_hash(call, model, :scope)
-        end
+    # Used in pre-3.1.0 versions of Rails
+    ar_scope_calls(:named_scope) do |model, args|
+      call = make_call(nil, :named_scope, args).line(args.line)
+      scope_calls << scope_call_hash(call, model, :named_scope)
+    end
+
+    # Use in 3.1.0 and later
+    ar_scope_calls(:scope) do |model, args|
+      second_arg = args[2]
+      next unless sexp? second_arg
+
+      if second_arg.node_type == :iter and node_type? second_arg.block, :block, :call, :safe_call
+        process_scope_with_block(model, args)
+      elsif call? second_arg
+        call = second_arg
+        scope_calls << scope_call_hash(call, model, call.method)
+      else
+        call = make_call(nil, :scope, args).line(args.line)
+        scope_calls << scope_call_hash(call, model, :scope)
       end
     end
 
     scope_calls
   end
 
-  def ar_scope_calls(symbol_name = :named_scope, &block)
+  def ar_scope_calls(symbol_name, &block)
     active_record_models.each do |name, model|
       model_args = model.options[symbol_name]
       if model_args
@@ -393,6 +393,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     nil
   end
 
+  TO_STRING_METHODS = [:to_s, :strip_heredoc]
+
   #Returns value if interpolated value is not something safe
   def unsafe_string_interp? exp
     if node_type? exp, :evstr
@@ -403,7 +405,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
 
     if not sexp? value
       nil
-    elsif call? value and value.method == :to_s
+    elsif call? value and TO_STRING_METHODS.include? value.method
       unsafe_string_interp? value.target
     elsif call? value and safe_literal_target? value
       nil
@@ -466,7 +468,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       unless IGNORE_METHODS_IN_SQL.include? exp.method
         if has_immediate_user_input? exp
           exp
-        elsif exp.method == :to_s
+        elsif TO_STRING_METHODS.include? exp.method
           find_dangerous_value exp.target, ignore_hash
         else
           check_call exp

data/lib/brakeman/processor.rb

@@ -53,7 +53,7 @@ module Brakeman
     #Process a model source
     def process_model src, file_name
       result = ModelProcessor.new(@tracker).process_model src, file_name
-      AliasProcessor.new(@tracker).process result if result
+      AliasProcessor.new(@tracker, file_name).process result if result
     end
 
     #Process either an ERB or HAML template

data/lib/brakeman/util.rb

@@ -8,9 +8,11 @@ module Brakeman::Util
 
   PATH_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request), :path_parameters)
 
-  REQUEST_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request), :request_parameters)
+  REQUEST_REQUEST_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request), :request_parameters)
 
-  REQUEST_PARAMS = Sexp.new(:call, Sexp.new(:call, nil, :request), :parameters)
+  REQUEST_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request), :parameters)
+
+  REQUEST_PARAMS = Sexp.new(:call, Sexp.new(:call, nil, :request), :params)
 
   REQUEST_ENV = Sexp.new(:call, Sexp.new(:call, nil, :request), :env)
 
@@ -22,7 +24,7 @@ module Brakeman::Util
 
   SESSION = Sexp.new(:call, nil, :session)
 
-  ALL_PARAMETERS = Set[PARAMETERS, QUERY_PARAMETERS, PATH_PARAMETERS, REQUEST_PARAMETERS, REQUEST_PARAMS]
+  ALL_PARAMETERS = Set[PARAMETERS, QUERY_PARAMETERS, PATH_PARAMETERS, REQUEST_REQUEST_PARAMETERS, REQUEST_PARAMETERS, REQUEST_PARAMS]
 
   ALL_COOKIES = Set[COOKIES, REQUEST_COOKIES]
 

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "4.7.1"
+  Version = "4.7.2"
 end

metadata

@@ -1,15 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 4.7.1
+  version: 4.7.2
 platform: ruby
 authors:
 - Justin Collins
 autorequire: 
 bindir: bin
-cert_chain:
-- brakeman-public_cert.pem
-date: 2019-10-29 00:00:00.000000000 Z
+cert_chain: []
+date: 2019-11-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -383,7 +382,14 @@ files:
 homepage: http://brakemanscanner.org
 licenses:
 - Brakeman Public Use License
-metadata: {}
+metadata:
+  bug_tracker_uri: https://github.com/presidentbeef/brakeman/issues
+  changelog_uri: https://github.com/presidentbeef/brakeman/releases
+  documentation_uri: https://brakemanscanner.org/docs/
+  homepage_uri: https://brakemanscanner.org/
+  mailing_list_uri: https://gitter.im/presidentbeef/brakeman
+  source_code_uri: https://github.com/presidentbeef/brakeman
+  wiki_uri: https://github.com/presidentbeef/brakeman/wiki
 post_install_message: 
 rdoc_options: []
 require_paths: