brakeman-lib 4.7.1 → 4.9.0

data/lib/brakeman/processors/lib/render_helper.rb

@@ -98,7 +98,9 @@ module Brakeman::RenderHelper
 
       if hash? options[:locals]
         hash_iterate options[:locals] do |key, value|
-          template_env[Sexp.new(:call, nil, key.value)] = value
+          if symbol? key
+            template_env[Sexp.new(:call, nil, key.value)] = value
+          end
         end
       end
 

data/lib/brakeman/report.rb

@@ -6,7 +6,7 @@ require 'brakeman/report/report_base'
 class Brakeman::Report
   attr_reader :tracker
 
-  VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain, :to_text]
+  VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain, :to_text, :to_junit]
 
   def initialize tracker
     @app_tree = tracker.app_tree
@@ -40,6 +40,9 @@ class Brakeman::Report
       return self.to_table
     when :to_pdf
       raise "PDF output is not yet supported."
+    when :to_junit
+      require_report 'junit'
+      Brakeman::Report::JUnit
     else
       raise "Invalid format: #{format}. Should be one of #{VALID_FORMATS.inspect}"
     end

data/lib/brakeman/report/ignore/config.rb

@@ -94,10 +94,18 @@ module Brakeman
       end
     end
 
+    def already_ignored_entries_with_empty_notes
+      @already_ignored.select { |i| i if i[:note].strip.empty? }
+    end
+
     # Read configuration to file
     def read_from_file file = @file
       if File.exist? file
-        @already_ignored = JSON.parse(File.read(file), :symbolize_names => true)[:ignored_warnings]
+        begin
+          @already_ignored = JSON.parse(File.read(file), :symbolize_names => true)[:ignored_warnings]
+        rescue => e
+          raise e, "\nError[#{e.class}] while reading brakeman ignore file: #{file}\n"
+        end
       else
         Brakeman.notify "[Notice] Could not find ignore configuration in #{file}"
         @already_ignored = []
@@ -118,7 +126,7 @@ module Brakeman
 
         w[:note] = @notes[w[:fingerprint]] || ""
         w
-      end.sort_by { |w| w[:fingerprint] }
+      end.sort_by { |w| [w[:fingerprint], w[:line]] }
 
       output = {
         :ignored_warnings => warnings,

data/lib/brakeman/report/report_junit.rb

@@ -0,0 +1,104 @@
+require 'time'
+require "stringio"
+require 'rexml/document'
+
+class Brakeman::Report::JUnit < Brakeman::Report::Base
+  def generate_report
+    io = StringIO.new
+    doc = REXML::Document.new
+    doc.add REXML::XMLDecl.new '1.0', 'UTF-8'
+
+    test_suites = REXML::Element.new 'testsuites'
+    test_suites.add_attribute 'xmlns:brakeman', 'https://brakemanscanner.org/'
+    properties = test_suites.add_element 'brakeman:properties', { 'xml:id' => 'scan_info' }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'app_path', 'brakeman:value' => tracker.app_path }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'rails_version', 'brakeman:value' => rails_version }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'security_warnings', 'brakeman:value' => all_warnings.length }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'start_time', 'brakeman:value' => tracker.start_time.iso8601 }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'end_time', 'brakeman:value' => tracker.end_time.iso8601 }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'duration', 'brakeman:value' => tracker.duration }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'checks_performed', 'brakeman:value' => checks.checks_run.join(',') }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'number_of_controllers', 'brakeman:value' => tracker.controllers.length }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'number_of_models', 'brakeman:value' => tracker.models.length - 1 }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'ruby_version', 'brakeman:value' => number_of_templates(@tracker) }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'number_of_templates', 'brakeman:value' => RUBY_VERSION }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'brakeman_version', 'brakeman:value' => Brakeman::Version }
+
+    errors = test_suites.add_element 'brakeman:errors'
+    tracker.errors.each { |e|
+      error = errors.add_element 'brakeman:error'
+      error.add_attribute 'brakeman:message', e[:error]
+      e[:backtrace].each { |b|
+        backtrace = error.add_element 'brakeman:backtrace'
+        backtrace.add_text b
+      }
+    }
+
+    obsolete = test_suites.add_element 'brakeman:obsolete'
+    tracker.unused_fingerprints.each { |fingerprint|
+      obsolete.add_element 'brakeman:warning', { 'brakeman:fingerprint' => fingerprint }
+    }
+
+    ignored = test_suites.add_element 'brakeman:ignored'
+    ignored_warnings.each { |w|
+      warning = ignored.add_element 'brakeman:warning'
+      warning.add_attribute 'brakeman:message', w.message
+      warning.add_attribute 'brakeman:category', w.warning_type
+      warning.add_attribute 'brakeman:file', warning_file(w)
+      warning.add_attribute 'brakeman:line', w.line
+      warning.add_attribute 'brakeman:fingerprint', w.fingerprint
+      warning.add_attribute 'brakeman:confidence', TEXT_CONFIDENCE[w.confidence]
+      warning.add_attribute 'brakeman:code', w.format_code
+      warning.add_text w.to_s
+    }
+
+    hostname = `hostname`.strip
+    i = 0
+    all_warnings
+      .map { |warning| [warning.file, [warning]] }
+      .reduce({}) { |entries, entry|
+        key, value = entry
+        entries[key] = entries[key] ? entries[key].concat(value) : value
+        entries
+      }
+      .each { |file, warnings|
+        i += 1
+        test_suite = test_suites.add_element 'testsuite'
+        test_suite.add_attribute 'id', i
+        test_suite.add_attribute 'package', 'brakeman'
+        test_suite.add_attribute 'name', file.relative
+        test_suite.add_attribute 'timestamp', tracker.start_time.strftime('%FT%T')
+        test_suite.add_attribute 'hostname', hostname == '' ? 'localhost' : hostname
+        test_suite.add_attribute 'tests', checks.checks_run.length
+        test_suite.add_attribute 'failures', warnings.length
+        test_suite.add_attribute 'errors', '0'
+        test_suite.add_attribute 'time', '0'
+
+        test_suite.add_element 'properties'
+
+        warnings.each { |warning|
+          test_case = test_suite.add_element 'testcase'
+          test_case.add_attribute 'name', 'run_check'
+          test_case.add_attribute 'classname', warning.check
+          test_case.add_attribute 'time', '0'
+
+          failure = test_case.add_element 'failure'
+          failure.add_attribute 'message', warning.message
+          failure.add_attribute 'type', warning.warning_type
+          failure.add_attribute 'brakeman:fingerprint', warning.fingerprint
+          failure.add_attribute 'brakeman:file', warning_file(warning)
+          failure.add_attribute 'brakeman:line', warning.line
+          failure.add_attribute 'brakeman:confidence', TEXT_CONFIDENCE[warning.confidence]
+          failure.add_attribute 'brakeman:code', warning.format_code
+          failure.add_text warning.to_s
+        }
+
+        test_suite.add_element 'system-out'
+        test_suite.add_element 'system-err'
+      }
+
+    doc.add test_suites
+    doc.write io
+    io.string
+  end
+end

data/lib/brakeman/report/report_markdown.rb

@@ -84,7 +84,6 @@ class Brakeman::Report::Markdown < Brakeman::Report::Table
   end
 
   def convert_warning warning, original
-    warning["Confidence"] = TEXT_CONFIDENCE[warning["Confidence"]]
     warning["Message"] = markdown_message original, warning["Message"]
     warning["Warning Type"] = "[#{warning['Warning Type']}](#{original.link})" if original.link
     warning

data/lib/brakeman/report/report_text.rb

@@ -145,24 +145,45 @@ class Brakeman::Report::Text < Brakeman::Report::Base
   end
 
   def output_warning w
-    out = [
-      label('Confidence', confidence(w.confidence)),
-      label('Category', w.warning_type.to_s),
-      label('Check', w.check.gsub(/^Brakeman::Check/, '')),
+    text_format = tracker.options[:text_fields] ||
+      [:confidence, :category, :check, :message, :code, :file, :line]
+
+    text_format.map do |option|
+      format_line(w, option)
+    end.compact
+  end
+
+  def format_line w, option
+    case option
+    when :confidence
+      label('Confidence', confidence(w.confidence))
+    when :category
+      label('Category', w.warning_type.to_s)
+    when :check
+      label('Check', w.check.gsub(/^Brakeman::Check/, ''))
+    when :message
       label('Message', w.message)
-    ]
-
-    if w.code
-      out << label('Code', format_code(w))
-    end
-
-    out << label('File', warning_file(w))
-
-    if w.line
-      out << label('Line', w.line)
+    when :code
+      if w.code
+        label('Code', format_code(w))
+      end
+    when :file
+      label('File', warning_file(w))
+    when :line
+      if w.line
+        label('Line', w.line)
+      end
+    when :link
+      label('Link', w.link)
+    when :fingerprint
+      label('Fingerprint', w.fingerprint)
+    when :category_id
+      label('Category ID', w.warning_code)
+    when :render_path
+      if w.called_from
+        label('Render Path', w.called_from.join(" > "))
+      end
     end
-
-    out
   end
 
   def double_space title, values

data/lib/brakeman/scanner.rb

@@ -94,11 +94,14 @@ class Brakeman::Scanner
   #
   #Stores parsed information in tracker.config
   def process_config
+    # Sometimes folks like to put constants in environment.rb
+    # so let's always process it even for newer Rails versions
+    process_config_file "environment.rb"
+
     if options[:rails3] or options[:rails4] or options[:rails5] or options[:rails6]
       process_config_file "application.rb"
       process_config_file "environments/production.rb"
     else
-      process_config_file "environment.rb"
       process_config_file "gems.rb"
     end
 

data/lib/brakeman/tracker.rb

@@ -198,8 +198,10 @@ class Brakeman::Tracker
     @constants.add name, value, context unless @options[:disable_constant_tracking]
   end
 
+  # This method does not return all constants at this time,
+  # just ones with "simple" values.
   def constant_lookup name
-    @constants.get_literal name unless @options[:disable_constant_tracking]
+    @constants.get_simple_value name unless @options[:disable_constant_tracking]
   end
 
   def find_class name

data/lib/brakeman/tracker/config.rb

@@ -15,6 +15,7 @@ module Brakeman
       @escape_html = nil
       @erubis = nil
       @ruby_version = ""
+      @rails_version = nil
     end
 
     def default_protect_from_forgery?
@@ -53,7 +54,7 @@ module Brakeman
     end
 
     def gem_version name
-      extract_version @gems.dig(name, :version)
+      extract_version @gems.dig(name.to_sym, :version)
     end
 
     def add_gem name, version, file, line
@@ -66,11 +67,11 @@ module Brakeman
     end
 
     def has_gem? name
-      !!@gems[name]
+      !!@gems[name.to_sym]
     end
 
     def get_gem name
-      @gems[name]
+      @gems[name.to_sym]
     end
 
     def set_rails_version version = nil

data/lib/brakeman/tracker/constants.rb

@@ -1,7 +1,10 @@
 require 'brakeman/processors/output_processor'
+require 'brakeman/util'
 
 module Brakeman
   class Constant
+    include Brakeman::Util
+
     attr_reader :name, :name_array, :file, :value, :context
 
     def initialize name, value, context = {}
@@ -107,13 +110,11 @@ module Brakeman
       @constants[base_name] << Constant.new(name, value, context)
     end
 
-    LITERALS = [:lit, :false, :str, :true, :array, :hash]
-    def literal? exp
-      exp.is_a? Sexp and LITERALS.include? exp.node_type
-    end
-
-    def get_literal name
-      if x = self[name] and literal? x
+    # Returns constant values that are not too complicated.
+    # Right now that means literal values (string, array, etc.)
+    # or calls on Dir.glob(..).whatever.
+    def get_simple_value name
+      if x = self[name] and (literal? x or dir_glob? x)
         x
       else
         nil

data/lib/brakeman/util.rb

@@ -8,9 +8,11 @@ module Brakeman::Util
 
   PATH_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request), :path_parameters)
 
-  REQUEST_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request), :request_parameters)
+  REQUEST_REQUEST_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request), :request_parameters)
 
-  REQUEST_PARAMS = Sexp.new(:call, Sexp.new(:call, nil, :request), :parameters)
+  REQUEST_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request), :parameters)
+
+  REQUEST_PARAMS = Sexp.new(:call, Sexp.new(:call, nil, :request), :params)
 
   REQUEST_ENV = Sexp.new(:call, Sexp.new(:call, nil, :request), :env)
 
@@ -22,7 +24,7 @@ module Brakeman::Util
 
   SESSION = Sexp.new(:call, nil, :session)
 
-  ALL_PARAMETERS = Set[PARAMETERS, QUERY_PARAMETERS, PATH_PARAMETERS, REQUEST_PARAMETERS, REQUEST_PARAMS]
+  ALL_PARAMETERS = Set[PARAMETERS, QUERY_PARAMETERS, PATH_PARAMETERS, REQUEST_REQUEST_PARAMETERS, REQUEST_PARAMETERS, REQUEST_PARAMS]
 
   ALL_COOKIES = Set[COOKIES, REQUEST_COOKIES]
 
@@ -291,6 +293,22 @@ module Brakeman::Util
     exp.is_a? Sexp and types.include? exp.node_type
   end
 
+  LITERALS = [:lit, :false, :str, :true, :array, :hash]
+
+  def literal? exp
+    exp.is_a? Sexp and LITERALS.include? exp.node_type
+  end
+
+  DIR_CONST = s(:const, :Dir)
+
+  # Dir.glob(...).whatever
+  def dir_glob? exp
+    exp = exp.block_call if node_type? exp, :iter
+    return unless call? exp
+
+    (exp.target == DIR_CONST and exp.method == :glob) or dir_glob? exp.target
+  end
+
   #Returns true if the given _exp_ contains a :class node.
   #
   #Useful for checking if a module is just a module or if it is a namespace.

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "4.7.1"
+  Version = "4.9.0"
 end

data/lib/brakeman/warning_codes.rb

@@ -113,6 +113,13 @@ module Brakeman::WarningCodes
     :force_ssl_disabled => 109,
     :unsafe_cookie_serialization => 110,
     :reverse_tabnabbing => 111,
+    :mass_assign_permit_all => 112,
+    :json_html_escape_config => 113,
+    :json_html_escape_module => 114,
+    :CVE_2020_8159 => 115,
+    :CVE_2020_8166 => 116,
+    :erb_template_injection => 117,
+
     :custom_check => 9090,
   }
 

metadata

@@ -1,15 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 4.7.1
+  version: 4.9.0
 platform: ruby
 authors:
 - Justin Collins
 autorequire: 
 bindir: bin
-cert_chain:
-- brakeman-public_cert.pem
-date: 2019-10-29 00:00:00.000000000 Z
+cert_chain: []
+date: 2020-08-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -53,6 +52,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov-html
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.10.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.10.2
 - !ruby/object:Gem::Dependency
   name: ruby_parser
   requirement: !ruby/object:Gem::Requirement
@@ -188,7 +201,7 @@ dependencies:
         version: 1.3.6
     - - "<="
       - !ruby/object:Gem::Version
-        version: 4.0.1
+        version: '4.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -198,7 +211,7 @@ dependencies:
         version: 1.3.6
     - - "<="
       - !ruby/object:Gem::Version
-        version: 4.0.1
+        version: '4.1'
 description: Brakeman detects security vulnerabilities in Ruby on Rails applications
   via static analysis. This package declares gem dependencies instead of bundling
   them.
@@ -223,6 +236,7 @@ files:
 - lib/brakeman/checks/check_cookie_serialization.rb
 - lib/brakeman/checks/check_create_with.rb
 - lib/brakeman/checks/check_cross_site_scripting.rb
+- lib/brakeman/checks/check_csrf_token_forgery_cve.rb
 - lib/brakeman/checks/check_default_routes.rb
 - lib/brakeman/checks/check_deserialize.rb
 - lib/brakeman/checks/check_detailed_exceptions.rb
@@ -241,6 +255,7 @@ files:
 - lib/brakeman/checks/check_i18n_xss.rb
 - lib/brakeman/checks/check_jruby_xml.rb
 - lib/brakeman/checks/check_json_encoding.rb
+- lib/brakeman/checks/check_json_entity_escape.rb
 - lib/brakeman/checks/check_json_parsing.rb
 - lib/brakeman/checks/check_link_to.rb
 - lib/brakeman/checks/check_link_to_href.rb
@@ -253,6 +268,7 @@ files:
 - lib/brakeman/checks/check_nested_attributes.rb
 - lib/brakeman/checks/check_nested_attributes_bypass.rb
 - lib/brakeman/checks/check_number_to_currency.rb
+- lib/brakeman/checks/check_page_caching_cve.rb
 - lib/brakeman/checks/check_permit_attributes.rb
 - lib/brakeman/checks/check_quote_table_name.rb
 - lib/brakeman/checks/check_redirect.rb
@@ -282,6 +298,7 @@ files:
 - lib/brakeman/checks/check_strip_tags.rb
 - lib/brakeman/checks/check_symbol_dos.rb
 - lib/brakeman/checks/check_symbol_dos_cve.rb
+- lib/brakeman/checks/check_template_injection.rb
 - lib/brakeman/checks/check_translate_bug.rb
 - lib/brakeman/checks/check_unsafe_reflection.rb
 - lib/brakeman/checks/check_unscoped_find.rb
@@ -349,6 +366,7 @@ files:
 - lib/brakeman/report/report_hash.rb
 - lib/brakeman/report/report_html.rb
 - lib/brakeman/report/report_json.rb
+- lib/brakeman/report/report_junit.rb
 - lib/brakeman/report/report_markdown.rb
 - lib/brakeman/report/report_table.rb
 - lib/brakeman/report/report_tabs.rb
@@ -383,7 +401,14 @@ files:
 homepage: http://brakemanscanner.org
 licenses:
 - Brakeman Public Use License
-metadata: {}
+metadata:
+  bug_tracker_uri: https://github.com/presidentbeef/brakeman/issues
+  changelog_uri: https://github.com/presidentbeef/brakeman/releases
+  documentation_uri: https://brakemanscanner.org/docs/
+  homepage_uri: https://brakemanscanner.org/
+  mailing_list_uri: https://gitter.im/presidentbeef/brakeman
+  source_code_uri: https://github.com/presidentbeef/brakeman
+  wiki_uri: https://github.com/presidentbeef/brakeman/wiki
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -399,7 +424,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.