brakeman-lib 4.8.0 → 4.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 34099e8abef9a4c7108905ea8d956d01afbb6037cab597d2ad0beab8790a9060
-  data.tar.gz: 982be6bfad0eef60f17627001fef1873bad5a23eef76f687ea434d23773ba9b4
+  metadata.gz: 0b264d50410107be24af470596fa3b5511eb8f174707f571f9884a6aea932d87
+  data.tar.gz: 4a8ab18c5e077e4b192ea52db29b52c7dd6006f66163862f0d4b1fd9973ba366
 SHA512:
-  metadata.gz: ce68529ca660b85d86b9569b4f8ddfe41c4b7b3bc724d1afc9860f91fa0a945eb473bbd5bb83b4c9d8e61ac6255ab0b11a42878921671a03a0964d2440912178
-  data.tar.gz: 1fbd104e129d5fce136d4c4984296a7daa6c88ffd8f22edbb576613cb6519547676f38364a2f728dcc2c9a322119d0024ae845baf7383ecf38b43038e9e129c6
+  metadata.gz: 524c94b3b25e13273dea5707e315fde68fe5ad984433e3c0a11674bc7baf1c133a9e4becc528fabb092536ba9b5d02f05714dd10dd32014067cff8e301c37096
+  data.tar.gz: 349db7828699760d574a0534f21361eee617454647033f27ed7440e16a9ef38b7807f76b62fbd62fd1746d024c70a557f3d3fa5970cc390f3e92eaf3ca004f0c

data/CHANGES.md

@@ -1,4 +1,42 @@
-# Unreleased
+# 4.10.0 - 2020-09-28
+
+* Add SARIF report format (Steve Winton)
+
+# 4.9.1 - 2020-09-04
+
+* Check `chomp`ed strings for SQL injection
+* Use version from `active_record` for non-Rails apps (Ulysse Buonomo)
+* Always set line number for joined arrays
+* Avoid warning about missing `attr_accessible` if `protected_attributes` gem is used
+
+# 4.9.0 - 2020-08-04
+
+* Add check for CVE-2020-8166 (Jamie Finnigan)
+* Avoid warning when `safe_yaml` is used via `YAML.load(..., safe: true)`
+* Add check for user input in `ERB.new` (Matt Hickman)
+* Add `--ensure-ignore-notes` (Eli Block)
+* Remove whitelist/blacklist language, add clarifications
+* Do not warn about mass assignment with `params.permit!.slice`
+* Add "full call" information to call index results
+* Ignore `params.permit!` in path helpers
+* Treat `Dir.glob` as safe source of values in guards
+* Always scan `environment.rb`
+
+# 4.8.2 - 2020-05-12
+
+* Add check for CVE-2020-8159
+* Fix `authenticate_or_request_with_http_basic` check for passed blocks (Hugo Corbucci)
+* Add `--text-fields` option
+* Add check for escaping HTML entities in JSON configuration
+
+# 4.8.1 - 2020-04-06
+
+* Check SQL query strings using `String#strip` or `String.squish`
+* Handle non-symbol keys in locals hash for render()
+* Warn about global(!) mass assignment
+* Index calls in render arguments
+
+# 4.8.0 - 2020-02-18 
 
 * Add JUnit-XML report format (Naoki Kimura)
 * Sort ignore files by fingerprint and line (Ngan Pham)

data/README.md

@@ -16,9 +16,11 @@ Using RubyGems:
 
 Using Bundler:
 
-    group :development do
-      gem 'brakeman'
-    end
+```ruby
+group :development do
+  gem 'brakeman'
+end
+```
 
 Using Docker:
 
@@ -74,12 +76,16 @@ To specify an output file for the results:
 
     brakeman -o output_file
 
-The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `markdown`, `csv`, and `codeclimate`.
+The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `junit`, `markdown`, `csv`, and `codeclimate`.
 
 Multiple output files can be specified:
 
     brakeman -o output.html -o output.json
 
+To output to both a file and to the console, with color:
+
+    brakeman --color -o /dev/stdout -o output.json
+
 To suppress informational warnings and just output the report:
 
     brakeman -q
@@ -167,6 +173,8 @@ There is a [plugin available](http://brakemanscanner.org/docs/jenkins/) for Jenk
 
 For even more continuous testing, try the [Guard plugin](https://github.com/guard/guard-brakeman).
 
+There are a couple [Github Actions](https://github.com/marketplace?type=actions&query=brakeman) available.
+
 # Building
 
     git clone git://github.com/presidentbeef/brakeman.git

data/lib/brakeman.rb

@@ -20,6 +20,10 @@ module Brakeman
   #option is set
   Errors_Found_Exit_Code = 7
 
+  #Exit code returned when an ignored warning has no note and
+  #--ensure-ignore-notes is set
+  Empty_Ignore_Note_Exit_Code = 8
+
   @debug = false
   @quiet = false
   @loaded_dependencies = []
@@ -233,6 +237,8 @@ module Brakeman
       [:to_table]
     when :junit, :to_junit
       [:to_junit]
+    when :sarif, :to_sarif
+      [:to_sarif]
     else
       [:to_text]
     end
@@ -262,6 +268,8 @@ module Brakeman
         :to_table
       when /\.junit$/i
         :to_junit
+      when /\.sarif$/i
+        :to_sarif
       else
         :to_text
       end
@@ -498,6 +506,18 @@ module Brakeman
     end
   end
 
+  # Returns an array of alert fingerprints for any ignored warnings without
+  # notes found in the specified ignore file (if it exists).
+  def self.ignore_file_entries_with_empty_notes file
+    return [] unless file
+
+    require 'brakeman/report/ignore/config'
+
+    config = IgnoreConfig.new(file, nil)
+    config.read_from_file
+    config.already_ignored_entries_with_empty_notes.map { |i| i[:fingerprint] }
+  end
+
   def self.filter_warnings tracker, options
     require 'brakeman/report/ignore/config'
 

data/lib/brakeman/checks/base_check.rb

@@ -467,7 +467,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   end
 
   def gemfile_or_environment gem_name = :rails
-    if gem_name and info = tracker.config.get_gem(gem_name)
+    if gem_name and info = tracker.config.get_gem(gem_name.to_sym)
       info
     elsif @app_tree.exists?("Gemfile")
       @app_tree.file_path "Gemfile"

data/lib/brakeman/checks/check_basic_auth.rb

@@ -57,6 +57,8 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
 
   # Check if the block of a result contains a comparison of password to string
   def include_password_literal? result
+    return false if result[:block_args].nil?
+
     @password_var = result[:block_args].last
     @include_password = false
     process result[:block]

data/lib/brakeman/checks/check_csrf_token_forgery_cve.rb

@@ -0,0 +1,28 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckCSRFTokenForgeryCVE < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for versions with CSRF token forgery vulnerability (CVE-2020-8166)"
+
+  def run_check
+    fix_version = case
+      when version_between?('0.0.0', '5.2.4.2')
+        '5.2.4.3'
+      when version_between?('6.0.0', '6.0.3')
+        '6.0.3.1'
+      else
+        nil
+      end
+
+    if fix_version
+      warn :warning_type => "Cross-Site Request Forgery",
+        :warning_code => :CVE_2020_8166,
+        :message => msg(msg_version(rails_version), " has a vulnerability that may allow CSRF token forgery. Upgrade to ", msg_version(fix_version), " or patch"),
+        :confidence => :medium,
+        :gem_info => gemfile_or_environment,
+        :link => "https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw"
+    end
+  end
+end
+

data/lib/brakeman/checks/check_deserialize.rb

@@ -13,7 +13,23 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
   end
 
   def check_yaml
-    check_methods :YAML, :load, :load_documents, :load_stream, :parse_documents, :parse_stream
+    check_methods :YAML, :load_documents, :load_stream, :parse_documents, :parse_stream
+
+    # Check for safe_yaml gem use with YAML.load(..., safe: true)
+    if uses_safe_yaml?
+      tracker.find_call(target: :YAML, method: :load).each do |result|
+        call = result[:call]
+        options = call.second_arg
+
+        if hash? options and true? hash_access(options, :safe)
+          next
+        else
+          check_deserialize result, :YAML
+        end
+      end
+    else
+      check_methods :YAML, :load
+    end
   end
 
   def check_csv
@@ -102,4 +118,8 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
 
     false
   end
+
+  def uses_safe_yaml?
+    tracker.config.has_gem? :safe_yaml
+  end
 end

data/lib/brakeman/checks/check_json_entity_escape.rb

@@ -0,0 +1,38 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckJSONEntityEscape < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Check if HTML escaping is disabled for JSON output"
+
+  def run_check
+    check_config_setting
+    check_manual_disable
+  end
+
+  def check_config_setting
+    if false? tracker.config.rails.dig(:active_support, :escape_html_entities_in_json)
+      warn :warning_type => "Cross-Site Scripting",
+        :warning_code => :json_html_escape_config,
+        :message => msg("HTML entities in JSON are not escaped by default"),
+        :confidence => :medium,
+        :file => "config/environments/production.rb",
+        :line => 1
+    end
+  end
+
+  def check_manual_disable
+    tracker.find_call(targets: [:ActiveSupport, :'ActiveSupport::JSON::Encoding'], method: :escape_html_entities_in_json=).each do |result|
+      setting = result[:call].first_arg
+
+      if false? setting
+        warn :result => result,
+          :warning_type => "Cross-Site Scripting",
+          :warning_code => :json_html_escape_module,
+          :message => msg("HTML entities in JSON are not escaped by default"),
+          :confidence => :medium,
+          :file => "config/environments/production.rb"
+      end
+    end
+  end
+end

data/lib/brakeman/checks/check_mass_assignment.rb

@@ -17,6 +17,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
   def run_check
     check_mass_assignment
     check_permit!
+    check_permit_all_parameters
   end
 
   def find_mass_assign_calls
@@ -159,12 +160,27 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
   # Look for and warn about uses of Parameters#permit! for mass assignment
   def check_permit!
     tracker.find_call(:method => :permit!, :nested => true).each do |result|
-      if params? result[:call].target and not result[:chain].include? :slice
-        warn_on_permit! result
+      if params? result[:call].target
+        unless inside_safe_method? result or calls_slice? result
+          warn_on_permit! result
+        end
       end
     end
   end
 
+  # Ignore blah_some_path(params.permit!)
+  def inside_safe_method? result
+    parent_call = result.dig(:parent, :call)
+
+    call? parent_call and
+      parent_call.method.match(/_path$/)
+  end
+
+  def calls_slice? result
+    result[:chain].include? :slice or
+      (result[:full_call] and result[:full_call][:chain].include? :slice)
+  end
+
   # Look for actual use of params in mass assignment to avoid
   # warning about uses of Parameters#permit! without any mass assignment
   # or when mass assignment is restricted by model instead.
@@ -190,7 +206,21 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
     warn :result => result,
       :warning_type => "Mass Assignment",
       :warning_code => :mass_assign_permit!,
-      :message => "Parameters should be whitelisted for mass assignment",
+      :message => msg('Specify exact keys allowed for mass assignment instead of using ', msg_code('permit!'), ' which allows any keys'),
       :confidence => confidence
   end
+
+  def check_permit_all_parameters
+    tracker.find_call(target: :"ActionController::Parameters", method: :permit_all_parameters=).each do |result|
+      call = result[:call]
+
+      if true? call.first_arg
+        warn :result => result,
+          :warning_type => "Mass Assignment",
+          :warning_code => :mass_assign_permit_all,
+          :message => msg('Mass assignment is globally enabled. Disable and specify exact keys using ', msg_code('params.permit'), ' instead'),
+          :confidence => :high
+      end
+    end
+  end
 end

data/lib/brakeman/checks/check_model_attr_accessible.rb

@@ -8,7 +8,7 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
-  @description = "Reports models which have dangerous attributes defined under the attr_accessible whitelist."
+  @description = "Reports models which have dangerous attributes defined via attr_accessible"
 
   SUSP_ATTRS = [
     [:admin, :high], # Very dangerous unless some Rails authorization used

data/lib/brakeman/checks/check_model_attributes.rb

@@ -8,7 +8,7 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
   @description = "Reports models which do not use attr_restricted and warns on models that use attr_protected"
 
   def run_check
-    return if mass_assign_disabled?
+    return if mass_assign_disabled? or tracker.config.has_gem?(:protected_attributes)
 
     #Roll warnings into one warning for all models
     if tracker.options[:collapse_mass_assignment]

data/lib/brakeman/checks/check_page_caching_cve.rb

@@ -0,0 +1,37 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckPageCachingCVE < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Check for page caching vulnerability (CVE-2020-8159)"
+
+  def run_check
+    gem_name = 'actionpack-page_caching'
+    gem_version = tracker.config.gem_version(gem_name.to_sym)
+    upgrade_version = '1.2.2'
+    cve = 'CVE-2020-8159'
+
+    return unless gem_version and version_between?('0.0.0', '1.2.1', gem_version)
+
+    message = msg("Directory traversal vulnerability in ", msg_version(gem_version, gem_name), " ", msg_cve(cve), ". Upgrade to ", msg_version(upgrade_version, gem_name))
+
+    if uses_caches_page?
+      confidence = :high
+    else
+      confidence = :weak
+    end
+
+    warn :warning_type => 'Directory Traversal',
+      :warning_code => :CVE_2020_8159,
+      :message => message,
+      :confidence => confidence,
+      :link_path => 'https://groups.google.com/d/msg/rubyonrails-security/CFRVkEytdP8/c5gmICECAgAJ',
+      :gem_info => gemfile_or_environment(gem_name)
+  end
+
+  def uses_caches_page?
+    tracker.controllers.any? do |name, controller|
+      controller.options.has_key? :caches_page
+    end
+  end
+end

data/lib/brakeman/checks/check_permit_attributes.rb

@@ -3,7 +3,7 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckPermitAttributes < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
-  @description = "Warn on potentially dangerous attributes whitelisted via permit"
+  @description = "Warn on potentially dangerous attributes allowed via permit"
 
   SUSPICIOUS_KEYS = {
     admin: :high,

data/lib/brakeman/checks/check_skip_before_filter.rb

@@ -4,8 +4,8 @@ require 'brakeman/checks/base_check'
 #
 #  skip_before_filter :verify_authenticity_token, :except => [...]
 #
-#which is essentially a blacklist approach (no actions are checked EXCEPT the
-#ones listed) versus a whitelist approach (ONLY the actions listed will skip
+#which is essentially a skip-by-default approach (no actions are checked EXCEPT the
+#ones listed) versus a enforce-by-default approach (ONLY the actions listed will skip
 #the check)
 class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
   Brakeman::Checks.add self
@@ -26,7 +26,7 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
       warn :class => controller.name, #ugh this should be a controller warning, too
         :warning_type => "Cross-Site Request Forgery",
         :warning_code => :csrf_blacklist,
-        :message => msg("Use whitelist (", msg_code(":only => [..]"), ") when skipping CSRF check"),
+        :message => msg("List specific actions (", msg_code(":only => [..]"), ") when skipping CSRF check"),
         :code => filter,
         :confidence => :medium,
         :file => controller.file
@@ -35,7 +35,7 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
       warn :controller => controller.name,
         :warning_code => :auth_blacklist,
         :warning_type => "Authentication",
-        :message => msg("Use whitelist (", msg_code(":only => [..]"), ") when skipping authentication"),
+        :message => msg("List specific actions (", msg_code(":only => [..]"), ") when skipping authentication"),
         :code => filter,
         :confidence => :medium,
         :link_path => "authentication_whitelist",

data/lib/brakeman/checks/check_sql.rb

@@ -393,7 +393,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     nil
   end
 
-  TO_STRING_METHODS = [:to_s, :strip_heredoc]
+  TO_STRING_METHODS = [:chomp, :to_s, :squish, :strip, :strip_heredoc]
 
   #Returns value if interpolated value is not something safe
   def unsafe_string_interp? exp

data/lib/brakeman/checks/check_template_injection.rb

@@ -0,0 +1,32 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckTemplateInjection < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Searches for evaluation of user input through template injection"
+
+  #Process calls
+  def run_check
+    Brakeman.debug "Finding ERB.new calls"
+    erb_calls = tracker.find_call :target => :ERB, :method => :new, :nested => true
+
+    Brakeman.debug "Processing ERB.new calls"
+    erb_calls.each do |call|
+      process_result call
+    end
+  end
+
+  #Warns if eval includes user input
+  def process_result result
+    return unless original? result
+
+    if input = include_user_input?(result[:call].arglist)
+      warn :result => result,
+        :warning_type => "Template Injection",
+        :warning_code => :erb_template_injection,
+        :message => msg(msg_input(input), " used directly in ", msg_code("ERB"), " template, which might enable remote code execution"),
+        :user_input => input,
+        :confidence => :high
+    end
+  end
+end

data/lib/brakeman/commandline.rb

@@ -102,6 +102,13 @@ module Brakeman
           app_path = "."
         end
 
+        if options[:ensure_ignore_notes] and options[:previous_results_json]
+          warn '[Notice] --ensure-ignore-notes may not be used at the same ' \
+               'time as --compare. Deactivating --ensure-ignore-notes. ' \
+               'Please see `brakeman --help` for valid options'
+          options[:ensure_ignore_notes] = false
+        end
+
         return options, app_path
       end
 
@@ -115,7 +122,20 @@ module Brakeman
 
       # Runs a regular report based on the options provided.
       def regular_report options
-        tracker = run_brakeman options 
+        tracker = run_brakeman options
+
+        ensure_ignore_notes_failed = false
+        if tracker.options[:ensure_ignore_notes]
+          fingerprints = Brakeman::ignore_file_entries_with_empty_notes tracker.ignored_filter&.file
+
+          unless fingerprints.empty?
+            ensure_ignore_notes_failed = true
+            warn '[Error] Notes required for all ignored warnings when ' \
+              '--ensure-ignore-notes is set. No notes provided for these ' \
+              'warnings: '
+            fingerprints.each { |f| warn f }
+          end
+        end
 
         if tracker.options[:exit_on_warn] and not tracker.filtered_warnings.empty?
           quit Brakeman::Warnings_Found_Exit_Code
@@ -124,6 +144,10 @@ module Brakeman
         if tracker.options[:exit_on_error] and tracker.errors.any?
           quit Brakeman::Errors_Found_Exit_Code
         end
+
+        if ensure_ignore_notes_failed
+          quit Brakeman::Empty_Ignore_Note_Exit_Code
+        end
       end
 
       # Actually run Brakeman.

data/lib/brakeman/options.rb

@@ -67,6 +67,10 @@ module Brakeman::Options
           options[:ensure_latest] = true
         end
 
+        opts.on "--ensure-ignore-notes", "Fail when an ignored warnings does not include a note" do
+          options[:ensure_ignore_notes] = true
+        end
+
         opts.on "-3", "--rails3", "Force Rails 3 mode" do
           options[:rails3] = true
         end
@@ -225,7 +229,7 @@ module Brakeman::Options
 
         opts.on "-f",
           "--format TYPE",
-          [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table, :junit],
+          [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table, :junit, :sarif],
           "Specify output formats. Default is text" do |type|
 
           type = "s" if type == :text
@@ -301,6 +305,22 @@ module Brakeman::Options
           options[:github_repo] = repo
         end
 
+        opts.on "--text-fields field1,field2,etc.", Array, "Specify fields for text report format" do |format|
+          valid_options = [:category, :category_id, :check, :code, :confidence, :file, :fingerprint, :line, :link, :message, :render_path]
+
+          options[:text_fields] = format.map(&:to_sym)
+
+          if options[:text_fields] == [:all]
+            options[:text_fields] = valid_options
+          else
+            invalid_options = (options[:text_fields] - valid_options)
+
+            unless invalid_options.empty?
+              raise OptionParser::ParseError, "\nInvalid format options: #{invalid_options.inspect}"
+            end
+          end
+        end
+
         opts.on "-w",
           "--confidence-level LEVEL",
           ["1", "2", "3"],

data/lib/brakeman/processors/alias_processor.rb

@@ -82,7 +82,6 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   def replace exp, int = 0
     return exp if int > 3
 
-
     if replacement = env[exp] and not duplicate? replacement
       replace(replacement.deep_clone(exp.line), int + 1)
     elsif tracker and replacement = tracker.constant_lookup(exp) and not duplicate? replacement
@@ -731,14 +730,14 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   def array_include_all_literals? exp
     call? exp and
     exp.method == :include? and
-    all_literals? exp.target
+    (all_literals? exp.target or dir_glob? exp.target)
   end
 
   def array_detect_all_literals? exp
     call? exp and
     [:detect, :find].include? exp.method and
     exp.first_arg.nil? and
-    all_literals? exp.target
+    (all_literals? exp.target or dir_glob? exp.target)
   end
 
   #Sets @inside_if = true

data/lib/brakeman/processors/lib/call_conversion_helper.rb

@@ -10,7 +10,7 @@ module Brakeman
     def join_arrays lhs, rhs, original_exp = nil
       if array? lhs and array? rhs
         result = Sexp.new(:array)
-        result.line(lhs.line || rhs.line)
+        result.line(lhs.line || rhs.line || 1)
         result.concat lhs[1..-1]
         result.concat rhs[1..-1]
         result

data/lib/brakeman/processors/lib/find_all_calls.rb

@@ -20,6 +20,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
     @current_template = opts[:template]
     @current_file = opts[:file]
     @current_call = nil
+    @full_call = nil
     process exp
   end
 
@@ -89,7 +90,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
   #Calls to render() are converted to s(:render, ...) but we would
   #like them in the call cache still for speed
   def process_render exp
-    process exp.last if sexp? exp.last
+    process_all exp
 
     add_simple_call :render, exp
 
@@ -137,7 +138,8 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
                 :call => exp,
                 :nested => false,
                 :location => make_location,
-                :parent => @current_call }.freeze
+                :parent => @current_call,
+                :full_call => @full_call }.freeze
   end
 
   #Gets the target of a call as a Symbol
@@ -214,34 +216,47 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
   #Return info hash for a call Sexp
   def create_call_hash exp
     target = get_target exp.target
-
-    if call? target or node_type? target, :dxstr # need to index `` even if target of a call
-      already_in_target = @in_target
-      @in_target = true
-      process target
-      @in_target = already_in_target
-
-      target = get_target(target, :include_calls)
-    end
+    target_symbol = get_target(target, :include_calls)
 
     method = exp.method
 
     call_hash = {
-      :target => target,
+      :target => target_symbol,
       :method => method,
       :call => exp,
       :nested => @in_target,
       :chain => get_chain(exp),
       :location => make_location,
-      :parent => @current_call
+      :parent => @current_call,
+      :full_call => @full_call
     }
 
+    unless @in_target
+      @full_call = call_hash
+    end
+
+    # Process up the call chain
+    if call? target or node_type? target, :dxstr # need to index `` even if target of a call
+      already_in_target = @in_target
+      @in_target = true
+      process target
+      @in_target = already_in_target
+    end
+
+    # Process call arguments
+    # but add the current call as the 'parent'
+    # to any calls in the arguments
     old_parent = @current_call
     @current_call = call_hash
 
+    # Do not set @full_call when processing arguments
+    old_full_call = @full_call
+    @full_call = nil
+
     process_call_args exp
 
     @current_call = old_parent
+    @full_call = old_full_call
 
     call_hash
   end

data/lib/brakeman/processors/lib/render_helper.rb

@@ -98,7 +98,9 @@ module Brakeman::RenderHelper
 
       if hash? options[:locals]
         hash_iterate options[:locals] do |key, value|
-          template_env[Sexp.new(:call, nil, key.value)] = value
+          if symbol? key
+            template_env[Sexp.new(:call, nil, key.value)] = value
+          end
         end
       end
 

data/lib/brakeman/report.rb

@@ -43,6 +43,8 @@ class Brakeman::Report
     when :to_junit
       require_report 'junit'
       Brakeman::Report::JUnit
+    when :to_sarif
+      return self.to_sarif
     else
       raise "Invalid format: #{format}. Should be one of #{VALID_FORMATS.inspect}"
     end
@@ -85,6 +87,11 @@ class Brakeman::Report
   alias to_plain to_text
   alias to_s to_text
 
+  def to_sarif
+    require_report 'sarif'
+    generate Brakeman::Report::SARIF
+  end
+
   def generate reporter
     reporter.new(@tracker).generate_report
   end

data/lib/brakeman/report/ignore/config.rb

@@ -94,6 +94,10 @@ module Brakeman
       end
     end
 
+    def already_ignored_entries_with_empty_notes
+      @already_ignored.select { |i| i if i[:note].strip.empty? }
+    end
+
     # Read configuration to file
     def read_from_file file = @file
       if File.exist? file

data/lib/brakeman/report/report_sarif.rb

@@ -0,0 +1,114 @@
+class Brakeman::Report::SARIF < Brakeman::Report::Base
+  def generate_report
+    sarif_log = {
+      :version => '2.1.0',
+      :$schema => 'https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json',
+      :runs => runs,
+    }
+    JSON.pretty_generate sarif_log
+  end
+
+  def runs
+    [
+      {
+        :tool => {
+          :driver => {
+            :name => 'Brakeman',
+            :informationUri => 'https://brakemanscanner.org',
+            :semanticVersion => Brakeman::Version,
+            :rules => rules,
+          },
+        },
+        :results => results,
+      },
+    ]
+  end
+
+  def rules
+    @rules ||= unique_warnings_by_warning_code.map do |warning|
+      rule_id = render_id warning
+      check_name = warning.check.gsub(/^Brakeman::Check/, '')
+      check_description = render_message check_descriptions[check_name]
+      {
+        :id => rule_id,
+        :name => "#{check_name}/#{warning.warning_type}",
+        :fullDescription => {
+          :text => check_description,
+        },
+        :helpUri => warning.link,
+        :help => {
+          :text => "More info: #{warning.link}.",
+          :markdown => "[More info](#{warning.link}).",
+        },
+        :properties => {
+          :tags => [check_name],
+        },
+      }
+    end
+  end
+
+  def results
+    @results ||= all_warnings.map do |warning|
+      rule_id = render_id warning
+      result_level = infer_level warning
+      message_text = render_message warning.message.to_s
+      result = {
+        :ruleId => rule_id,
+        :ruleIndex => rules.index { |r| r[:id] == rule_id },
+        :level => result_level,
+        :message => {
+          :text => message_text,
+        },
+        :locations => [
+          :physicalLocation => {
+            :artifactLocation => {
+              :uri => warning.file.relative,
+              :uriBaseId => '%SRCROOT%',
+            },
+            :region => {
+              :startLine => warning.line.is_a?(Integer) ? warning.line : 1,
+            },
+          },
+        ],
+      }
+
+      result
+    end
+  end
+
+  # Returns a hash of all check descriptions, keyed by check namne
+  def check_descriptions
+    @check_descriptions ||= Brakeman::Checks.checks.map do |check|
+      [check.name.gsub(/^Check/, ''), check.description]
+    end.to_h
+  end
+
+  # Returns a de-duplicated set of warnings, used to generate rules
+  def unique_warnings_by_warning_code
+    @unique_warnings_by_warning_code ||= all_warnings.uniq { |w| w.warning_code }
+  end
+
+  def render_id warning
+    # Include alpha prefix to provide 'compiler error' appearance
+    "BRAKE#{'%04d' % warning.warning_code}" # 46 becomes BRAKE0046, for example
+  end
+
+  def render_message message
+    # Ensure message ends with a period
+    if message.end_with? "."
+      message
+    else
+      "#{message}."
+    end
+  end
+
+  def infer_level warning
+    # Infer result level from warning confidence
+    @@levels_from_confidence ||= Hash.new('warning').update({
+      0 => 'error',    # 0 represents 'high confidence', which we infer as 'error'
+      1 => 'warning',  # 1 represents 'medium confidence' which we infer as 'warning'
+      2 => 'note',     # 2 represents 'weak, or low, confidence', which we infer as 'note'
+    })
+    @@levels_from_confidence[warning.confidence]
+  end
+end

data/lib/brakeman/report/report_text.rb

@@ -145,24 +145,45 @@ class Brakeman::Report::Text < Brakeman::Report::Base
   end
 
   def output_warning w
-    out = [
-      label('Confidence', confidence(w.confidence)),
-      label('Category', w.warning_type.to_s),
-      label('Check', w.check.gsub(/^Brakeman::Check/, '')),
+    text_format = tracker.options[:text_fields] ||
+      [:confidence, :category, :check, :message, :code, :file, :line]
+
+    text_format.map do |option|
+      format_line(w, option)
+    end.compact
+  end
+
+  def format_line w, option
+    case option
+    when :confidence
+      label('Confidence', confidence(w.confidence))
+    when :category
+      label('Category', w.warning_type.to_s)
+    when :check
+      label('Check', w.check.gsub(/^Brakeman::Check/, ''))
+    when :message
       label('Message', w.message)
-    ]
-
-    if w.code
-      out << label('Code', format_code(w))
-    end
-
-    out << label('File', warning_file(w))
-
-    if w.line
-      out << label('Line', w.line)
+    when :code
+      if w.code
+        label('Code', format_code(w))
+      end
+    when :file
+      label('File', warning_file(w))
+    when :line
+      if w.line
+        label('Line', w.line)
+      end
+    when :link
+      label('Link', w.link)
+    when :fingerprint
+      label('Fingerprint', w.fingerprint)
+    when :category_id
+      label('Category ID', w.warning_code)
+    when :render_path
+      if w.called_from
+        label('Render Path', w.called_from.join(" > "))
+      end
     end
-
-    out
   end
 
   def double_space title, values

data/lib/brakeman/scanner.rb

@@ -94,11 +94,14 @@ class Brakeman::Scanner
   #
   #Stores parsed information in tracker.config
   def process_config
+    # Sometimes folks like to put constants in environment.rb
+    # so let's always process it even for newer Rails versions
+    process_config_file "environment.rb"
+
     if options[:rails3] or options[:rails4] or options[:rails5] or options[:rails6]
       process_config_file "application.rb"
       process_config_file "environments/production.rb"
     else
-      process_config_file "environment.rb"
       process_config_file "gems.rb"
     end
 

data/lib/brakeman/tracker.rb

@@ -198,8 +198,10 @@ class Brakeman::Tracker
     @constants.add name, value, context unless @options[:disable_constant_tracking]
   end
 
+  # This method does not return all constants at this time,
+  # just ones with "simple" values.
   def constant_lookup name
-    @constants.get_literal name unless @options[:disable_constant_tracking]
+    @constants.get_simple_value name unless @options[:disable_constant_tracking]
   end
 
   def find_class name

data/lib/brakeman/tracker/config.rb

@@ -54,7 +54,7 @@ module Brakeman
     end
 
     def gem_version name
-      extract_version @gems.dig(name, :version)
+      extract_version @gems.dig(name.to_sym, :version)
     end
 
     def add_gem name, version, file, line
@@ -67,11 +67,11 @@ module Brakeman
     end
 
     def has_gem? name
-      !!@gems[name]
+      !!@gems[name.to_sym]
     end
 
     def get_gem name
-      @gems[name]
+      @gems[name.to_sym]
     end
 
     def set_rails_version version = nil
@@ -79,7 +79,9 @@ module Brakeman
                   # Only used by Rails2ConfigProcessor right now
                   extract_version(version)
                 else
-                  gem_version(:rails) || gem_version(:railties)
+                  gem_version(:rails) ||
+                    gem_version(:railties) ||
+                    gem_version(:activerecord)
                 end
 
       if version

data/lib/brakeman/tracker/constants.rb

@@ -1,7 +1,10 @@
 require 'brakeman/processors/output_processor'
+require 'brakeman/util'
 
 module Brakeman
   class Constant
+    include Brakeman::Util
+
     attr_reader :name, :name_array, :file, :value, :context
 
     def initialize name, value, context = {}
@@ -107,13 +110,11 @@ module Brakeman
       @constants[base_name] << Constant.new(name, value, context)
     end
 
-    LITERALS = [:lit, :false, :str, :true, :array, :hash]
-    def literal? exp
-      exp.is_a? Sexp and LITERALS.include? exp.node_type
-    end
-
-    def get_literal name
-      if x = self[name] and literal? x
+    # Returns constant values that are not too complicated.
+    # Right now that means literal values (string, array, etc.)
+    # or calls on Dir.glob(..).whatever.
+    def get_simple_value name
+      if x = self[name] and (literal? x or dir_glob? x)
         x
       else
         nil

data/lib/brakeman/util.rb

@@ -293,6 +293,22 @@ module Brakeman::Util
     exp.is_a? Sexp and types.include? exp.node_type
   end
 
+  LITERALS = [:lit, :false, :str, :true, :array, :hash]
+
+  def literal? exp
+    exp.is_a? Sexp and LITERALS.include? exp.node_type
+  end
+
+  DIR_CONST = s(:const, :Dir)
+
+  # Dir.glob(...).whatever
+  def dir_glob? exp
+    exp = exp.block_call if node_type? exp, :iter
+    return unless call? exp
+
+    (exp.target == DIR_CONST and exp.method == :glob) or dir_glob? exp.target
+  end
+
   #Returns true if the given _exp_ contains a :class node.
   #
   #Useful for checking if a module is just a module or if it is a namespace.

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "4.8.0"
+  Version = "4.10.0"
 end

data/lib/brakeman/warning_codes.rb

@@ -113,6 +113,13 @@ module Brakeman::WarningCodes
     :force_ssl_disabled => 109,
     :unsafe_cookie_serialization => 110,
     :reverse_tabnabbing => 111,
+    :mass_assign_permit_all => 112,
+    :json_html_escape_config => 113,
+    :json_html_escape_module => 114,
+    :CVE_2020_8159 => 115,
+    :CVE_2020_8166 => 116,
+    :erb_template_injection => 117,
+
     :custom_check => 9090,
   }
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 4.8.0
+  version: 4.10.0
 platform: ruby
 authors:
 - Justin Collins
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-02-18 00:00:00.000000000 Z
+date: 2020-09-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -52,6 +52,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov-html
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.10.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.10.2
 - !ruby/object:Gem::Dependency
   name: ruby_parser
   requirement: !ruby/object:Gem::Requirement
@@ -170,14 +184,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.1'
+        version: 5.1.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.1'
+        version: 5.1.0
 - !ruby/object:Gem::Dependency
   name: slim
   requirement: !ruby/object:Gem::Requirement
@@ -187,7 +201,7 @@ dependencies:
         version: 1.3.6
     - - "<="
       - !ruby/object:Gem::Version
-        version: 4.0.1
+        version: '4.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -197,7 +211,7 @@ dependencies:
         version: 1.3.6
     - - "<="
       - !ruby/object:Gem::Version
-        version: 4.0.1
+        version: '4.1'
 description: Brakeman detects security vulnerabilities in Ruby on Rails applications
   via static analysis. This package declares gem dependencies instead of bundling
   them.
@@ -222,6 +236,7 @@ files:
 - lib/brakeman/checks/check_cookie_serialization.rb
 - lib/brakeman/checks/check_create_with.rb
 - lib/brakeman/checks/check_cross_site_scripting.rb
+- lib/brakeman/checks/check_csrf_token_forgery_cve.rb
 - lib/brakeman/checks/check_default_routes.rb
 - lib/brakeman/checks/check_deserialize.rb
 - lib/brakeman/checks/check_detailed_exceptions.rb
@@ -240,6 +255,7 @@ files:
 - lib/brakeman/checks/check_i18n_xss.rb
 - lib/brakeman/checks/check_jruby_xml.rb
 - lib/brakeman/checks/check_json_encoding.rb
+- lib/brakeman/checks/check_json_entity_escape.rb
 - lib/brakeman/checks/check_json_parsing.rb
 - lib/brakeman/checks/check_link_to.rb
 - lib/brakeman/checks/check_link_to_href.rb
@@ -252,6 +268,7 @@ files:
 - lib/brakeman/checks/check_nested_attributes.rb
 - lib/brakeman/checks/check_nested_attributes_bypass.rb
 - lib/brakeman/checks/check_number_to_currency.rb
+- lib/brakeman/checks/check_page_caching_cve.rb
 - lib/brakeman/checks/check_permit_attributes.rb
 - lib/brakeman/checks/check_quote_table_name.rb
 - lib/brakeman/checks/check_redirect.rb
@@ -281,6 +298,7 @@ files:
 - lib/brakeman/checks/check_strip_tags.rb
 - lib/brakeman/checks/check_symbol_dos.rb
 - lib/brakeman/checks/check_symbol_dos_cve.rb
+- lib/brakeman/checks/check_template_injection.rb
 - lib/brakeman/checks/check_translate_bug.rb
 - lib/brakeman/checks/check_unsafe_reflection.rb
 - lib/brakeman/checks/check_unscoped_find.rb
@@ -350,6 +368,7 @@ files:
 - lib/brakeman/report/report_json.rb
 - lib/brakeman/report/report_junit.rb
 - lib/brakeman/report/report_markdown.rb
+- lib/brakeman/report/report_sarif.rb
 - lib/brakeman/report/report_table.rb
 - lib/brakeman/report/report_tabs.rb
 - lib/brakeman/report/report_text.rb