brakeman-lib 4.7.1 → 4.9.0

data/lib/brakeman/checks/check_model_attr_accessible.rb

@@ -8,7 +8,7 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
-  @description = "Reports models which have dangerous attributes defined under the attr_accessible whitelist."
+  @description = "Reports models which have dangerous attributes defined via attr_accessible"
 
   SUSP_ATTRS = [
     [:admin, :high], # Very dangerous unless some Rails authorization used

data/lib/brakeman/checks/check_page_caching_cve.rb

@@ -0,0 +1,37 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckPageCachingCVE < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Check for page caching vulnerability (CVE-2020-8159)"
+
+  def run_check
+    gem_name = 'actionpack-page_caching'
+    gem_version = tracker.config.gem_version(gem_name.to_sym)
+    upgrade_version = '1.2.2'
+    cve = 'CVE-2020-8159'
+
+    return unless gem_version and version_between?('0.0.0', '1.2.1', gem_version)
+
+    message = msg("Directory traversal vulnerability in ", msg_version(gem_version, gem_name), " ", msg_cve(cve), ". Upgrade to ", msg_version(upgrade_version, gem_name))
+
+    if uses_caches_page?
+      confidence = :high
+    else
+      confidence = :weak
+    end
+
+    warn :warning_type => 'Directory Traversal',
+      :warning_code => :CVE_2020_8159,
+      :message => message,
+      :confidence => confidence,
+      :link_path => 'https://groups.google.com/d/msg/rubyonrails-security/CFRVkEytdP8/c5gmICECAgAJ',
+      :gem_info => gemfile_or_environment(gem_name)
+  end
+
+  def uses_caches_page?
+    tracker.controllers.any? do |name, controller|
+      controller.options.has_key? :caches_page
+    end
+  end
+end

data/lib/brakeman/checks/check_permit_attributes.rb

@@ -3,7 +3,7 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckPermitAttributes < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
-  @description = "Warn on potentially dangerous attributes whitelisted via permit"
+  @description = "Warn on potentially dangerous attributes allowed via permit"
 
   SUSPICIOUS_KEYS = {
     admin: :high,

data/lib/brakeman/checks/check_skip_before_filter.rb

@@ -4,8 +4,8 @@ require 'brakeman/checks/base_check'
 #
 #  skip_before_filter :verify_authenticity_token, :except => [...]
 #
-#which is essentially a blacklist approach (no actions are checked EXCEPT the
-#ones listed) versus a whitelist approach (ONLY the actions listed will skip
+#which is essentially a skip-by-default approach (no actions are checked EXCEPT the
+#ones listed) versus a enforce-by-default approach (ONLY the actions listed will skip
 #the check)
 class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
   Brakeman::Checks.add self
@@ -26,7 +26,7 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
       warn :class => controller.name, #ugh this should be a controller warning, too
         :warning_type => "Cross-Site Request Forgery",
         :warning_code => :csrf_blacklist,
-        :message => msg("Use whitelist (", msg_code(":only => [..]"), ") when skipping CSRF check"),
+        :message => msg("List specific actions (", msg_code(":only => [..]"), ") when skipping CSRF check"),
         :code => filter,
         :confidence => :medium,
         :file => controller.file
@@ -35,7 +35,7 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
       warn :controller => controller.name,
         :warning_code => :auth_blacklist,
         :warning_type => "Authentication",
-        :message => msg("Use whitelist (", msg_code(":only => [..]"), ") when skipping authentication"),
+        :message => msg("List specific actions (", msg_code(":only => [..]"), ") when skipping authentication"),
         :code => filter,
         :confidence => :medium,
         :link_path => "authentication_whitelist",

data/lib/brakeman/checks/check_sql.rb

@@ -71,32 +71,32 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   def find_scope_calls
     scope_calls = []
 
-    if version_between?("2.1.0", "3.0.9")
-      ar_scope_calls(:named_scope) do |model, args|
-        call = make_call(nil, :named_scope, args).line(args.line)
-        scope_calls << scope_call_hash(call, model, :named_scope)
-      end
-    elsif version_between?("3.1.0", "9.9.9")
-      ar_scope_calls(:scope) do |model, args|
-        second_arg = args[2]
-        next unless sexp? second_arg
-
-        if second_arg.node_type == :iter and node_type? second_arg.block, :block, :call, :safe_call
-          process_scope_with_block(model, args)
-        elsif call? second_arg
-          call = second_arg
-          scope_calls << scope_call_hash(call, model, call.method)
-        else
-          call = make_call(nil, :scope, args).line(args.line)
-          scope_calls << scope_call_hash(call, model, :scope)
-        end
+    # Used in pre-3.1.0 versions of Rails
+    ar_scope_calls(:named_scope) do |model, args|
+      call = make_call(nil, :named_scope, args).line(args.line)
+      scope_calls << scope_call_hash(call, model, :named_scope)
+    end
+
+    # Use in 3.1.0 and later
+    ar_scope_calls(:scope) do |model, args|
+      second_arg = args[2]
+      next unless sexp? second_arg
+
+      if second_arg.node_type == :iter and node_type? second_arg.block, :block, :call, :safe_call
+        process_scope_with_block(model, args)
+      elsif call? second_arg
+        call = second_arg
+        scope_calls << scope_call_hash(call, model, call.method)
+      else
+        call = make_call(nil, :scope, args).line(args.line)
+        scope_calls << scope_call_hash(call, model, :scope)
       end
     end
 
     scope_calls
   end
 
-  def ar_scope_calls(symbol_name = :named_scope, &block)
+  def ar_scope_calls(symbol_name, &block)
     active_record_models.each do |name, model|
       model_args = model.options[symbol_name]
       if model_args
@@ -393,6 +393,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     nil
   end
 
+  TO_STRING_METHODS = [:to_s, :squish, :strip, :strip_heredoc]
+
   #Returns value if interpolated value is not something safe
   def unsafe_string_interp? exp
     if node_type? exp, :evstr
@@ -403,7 +405,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
 
     if not sexp? value
       nil
-    elsif call? value and value.method == :to_s
+    elsif call? value and TO_STRING_METHODS.include? value.method
       unsafe_string_interp? value.target
     elsif call? value and safe_literal_target? value
       nil
@@ -466,7 +468,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       unless IGNORE_METHODS_IN_SQL.include? exp.method
         if has_immediate_user_input? exp
           exp
-        elsif exp.method == :to_s
+        elsif TO_STRING_METHODS.include? exp.method
           find_dangerous_value exp.target, ignore_hash
         else
           check_call exp
@@ -523,8 +525,6 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     false
   end
 
-  STRING_METHODS = Set[:<<, :+, :concat, :prepend]
-
   def check_for_string_building exp
     return unless call? exp
 
@@ -571,15 +571,6 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     end
   end
 
-  def string_building? exp
-    return false unless call? exp and STRING_METHODS.include? exp.method
-
-    node_type? exp.target, :str, :dstr or
-    node_type? exp.first_arg, :str, :dstr or
-    string_building? exp.target or
-    string_building? exp.first_arg
-  end
-
   IGNORE_METHODS_IN_SQL = Set[:id, :merge_conditions, :table_name, :quoted_table_name,
     :quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array,
     :sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,

data/lib/brakeman/checks/check_template_injection.rb

@@ -0,0 +1,32 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckTemplateInjection < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Searches for evaluation of user input through template injection"
+
+  #Process calls
+  def run_check
+    Brakeman.debug "Finding ERB.new calls"
+    erb_calls = tracker.find_call :target => :ERB, :method => :new, :nested => true
+
+    Brakeman.debug "Processing ERB.new calls"
+    erb_calls.each do |call|
+      process_result call
+    end
+  end
+
+  #Warns if eval includes user input
+  def process_result result
+    return unless original? result
+
+    if input = include_user_input?(result[:call].arglist)
+      warn :result => result,
+        :warning_type => "Template Injection",
+        :warning_code => :erb_template_injection,
+        :message => msg(msg_input(input), " used directly in ", msg_code("ERB"), " template, which might enable remote code execution"),
+        :user_input => input,
+        :confidence => :high
+    end
+  end
+end

data/lib/brakeman/commandline.rb

@@ -102,6 +102,13 @@ module Brakeman
           app_path = "."
         end
 
+        if options[:ensure_ignore_notes] and options[:previous_results_json]
+          warn '[Notice] --ensure-ignore-notes may not be used at the same ' \
+               'time as --compare. Deactivating --ensure-ignore-notes. ' \
+               'Please see `brakeman --help` for valid options'
+          options[:ensure_ignore_notes] = false
+        end
+
         return options, app_path
       end
 
@@ -115,7 +122,20 @@ module Brakeman
 
       # Runs a regular report based on the options provided.
       def regular_report options
-        tracker = run_brakeman options 
+        tracker = run_brakeman options
+
+        ensure_ignore_notes_failed = false
+        if tracker.options[:ensure_ignore_notes]
+          fingerprints = Brakeman::ignore_file_entries_with_empty_notes tracker.ignored_filter&.file
+
+          unless fingerprints.empty?
+            ensure_ignore_notes_failed = true
+            warn '[Error] Notes required for all ignored warnings when ' \
+              '--ensure-ignore-notes is set. No notes provided for these ' \
+              'warnings: '
+            fingerprints.each { |f| warn f }
+          end
+        end
 
         if tracker.options[:exit_on_warn] and not tracker.filtered_warnings.empty?
           quit Brakeman::Warnings_Found_Exit_Code
@@ -124,6 +144,10 @@ module Brakeman
         if tracker.options[:exit_on_error] and tracker.errors.any?
           quit Brakeman::Errors_Found_Exit_Code
         end
+
+        if ensure_ignore_notes_failed
+          quit Brakeman::Empty_Ignore_Note_Exit_Code
+        end
       end
 
       # Actually run Brakeman.

data/lib/brakeman/differ.rb

@@ -1,8 +1,6 @@
 # extracting the diff logic to it's own class for consistency. Currently handles
 # an array of Brakeman::Warnings or plain hash representations.  
 class Brakeman::Differ
-  DEFAULT_HASH = {:new => [], :fixed => []}
-  OLD_WARNING_KEYS = [:warning_type, :location, :code, :message, :file, :link, :confidence, :user_input]
   attr_reader :old_warnings, :new_warnings
 
   def initialize new_warnings, old_warnings
@@ -11,9 +9,6 @@ class Brakeman::Differ
   end
 
   def diff
-    # get the type of elements
-    return DEFAULT_HASH if @new_warnings.empty?
-
     warnings = {}
     warnings[:new] = @new_warnings - @old_warnings
     warnings[:fixed] = @old_warnings - @new_warnings

data/lib/brakeman/options.rb

@@ -67,6 +67,10 @@ module Brakeman::Options
           options[:ensure_latest] = true
         end
 
+        opts.on "--ensure-ignore-notes", "Fail when an ignored warnings does not include a note" do
+          options[:ensure_ignore_notes] = true
+        end
+
         opts.on "-3", "--rails3", "Force Rails 3 mode" do
           options[:rails3] = true
         end
@@ -225,7 +229,7 @@ module Brakeman::Options
 
         opts.on "-f",
           "--format TYPE",
-          [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table],
+          [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table, :junit],
           "Specify output formats. Default is text" do |type|
 
           type = "s" if type == :text
@@ -301,6 +305,22 @@ module Brakeman::Options
           options[:github_repo] = repo
         end
 
+        opts.on "--text-fields field1,field2,etc.", Array, "Specify fields for text report format" do |format|
+          valid_options = [:category, :category_id, :check, :code, :confidence, :file, :fingerprint, :line, :link, :message, :render_path]
+
+          options[:text_fields] = format.map(&:to_sym)
+
+          if options[:text_fields] == [:all]
+            options[:text_fields] = valid_options
+          else
+            invalid_options = (options[:text_fields] - valid_options)
+
+            unless invalid_options.empty?
+              raise OptionParser::ParseError, "\nInvalid format options: #{invalid_options.inspect}"
+            end
+          end
+        end
+
         opts.on "-w",
           "--confidence-level LEVEL",
           ["1", "2", "3"],

data/lib/brakeman/processor.rb

@@ -53,7 +53,7 @@ module Brakeman
     #Process a model source
     def process_model src, file_name
       result = ModelProcessor.new(@tracker).process_model src, file_name
-      AliasProcessor.new(@tracker).process result if result
+      AliasProcessor.new(@tracker, file_name).process result if result
     end
 
     #Process either an ERB or HAML template

data/lib/brakeman/processors/alias_processor.rb

@@ -82,7 +82,6 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   def replace exp, int = 0
     return exp if int > 3
 
-
     if replacement = env[exp] and not duplicate? replacement
       replace(replacement.deep_clone(exp.line), int + 1)
     elsif tracker and replacement = tracker.constant_lookup(exp) and not duplicate? replacement
@@ -731,14 +730,14 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   def array_include_all_literals? exp
     call? exp and
     exp.method == :include? and
-    all_literals? exp.target
+    (all_literals? exp.target or dir_glob? exp.target)
   end
 
   def array_detect_all_literals? exp
     call? exp and
     [:detect, :find].include? exp.method and
     exp.first_arg.nil? and
-    all_literals? exp.target
+    (all_literals? exp.target or dir_glob? exp.target)
   end
 
   #Sets @inside_if = true

data/lib/brakeman/processors/lib/find_all_calls.rb

@@ -20,6 +20,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
     @current_template = opts[:template]
     @current_file = opts[:file]
     @current_call = nil
+    @full_call = nil
     process exp
   end
 
@@ -60,7 +61,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
   end
 
   def process_call exp
-    @calls << create_call_hash(exp)
+    @calls << create_call_hash(exp).freeze
     exp
   end
 
@@ -72,6 +73,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
 
       call_hash[:block] = exp.block
       call_hash[:block_args] = exp.block_args
+      call_hash.freeze
 
       @calls << call_hash
 
@@ -88,7 +90,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
   #Calls to render() are converted to s(:render, ...) but we would
   #like them in the call cache still for speed
   def process_render exp
-    process exp.last if sexp? exp.last
+    process_all exp
 
     add_simple_call :render, exp
 
@@ -136,7 +138,8 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
                 :call => exp,
                 :nested => false,
                 :location => make_location,
-                :parent => @current_call }
+                :parent => @current_call,
+                :full_call => @full_call }.freeze
   end
 
   #Gets the target of a call as a Symbol
@@ -213,34 +216,47 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
   #Return info hash for a call Sexp
   def create_call_hash exp
     target = get_target exp.target
-
-    if call? target or node_type? target, :dxstr # need to index `` even if target of a call
-      already_in_target = @in_target
-      @in_target = true
-      process target
-      @in_target = already_in_target
-
-      target = get_target(target, :include_calls)
-    end
+    target_symbol = get_target(target, :include_calls)
 
     method = exp.method
 
     call_hash = {
-      :target => target,
+      :target => target_symbol,
       :method => method,
       :call => exp,
       :nested => @in_target,
       :chain => get_chain(exp),
       :location => make_location,
-      :parent => @current_call
+      :parent => @current_call,
+      :full_call => @full_call
     }
 
+    unless @in_target
+      @full_call = call_hash
+    end
+
+    # Process up the call chain
+    if call? target or node_type? target, :dxstr # need to index `` even if target of a call
+      already_in_target = @in_target
+      @in_target = true
+      process target
+      @in_target = already_in_target
+    end
+
+    # Process call arguments
+    # but add the current call as the 'parent'
+    # to any calls in the arguments
     old_parent = @current_call
     @current_call = call_hash
 
+    # Do not set @full_call when processing arguments
+    old_full_call = @full_call
+    @full_call = nil
+
     process_call_args exp
 
     @current_call = old_parent
+    @full_call = old_full_call
 
     call_hash
   end