brakeman-lib 5.0.0 → 5.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 59808cb56d2701ba4806eaf3e8fdaa70e3b15d3578badb1a93177ae60a03fe16
-  data.tar.gz: d74f4ffa7620d6ae48cddc85ad661548c6c21fa807306a987e31343990e33a09
+  metadata.gz: 425078e2c4abfb5dc629bd5b70fcbaa1de59be69093097ad5ca78c3f425f575c
+  data.tar.gz: 1ddaf7c9084213dcc7db6772dc164095800de50897d157345a01c234d09fe778
 SHA512:
-  metadata.gz: 1319c8e5a981305d8ab91885a9edfe475240014e7f3e19d2f4e24da8eabc0c0cf355cd8ef387091291dd4a7d3a29fc35309531e6edce6606100b5a7c48f24b64
-  data.tar.gz: 02356cced5a4aaae709a3f237319af4bf4f511224762c41bb61d1130813385d27e922722771d037ef1773271db642431be689f249b72396f7800730606ad3ba3
+  metadata.gz: 4a0a910c6859f389eeaf21253dc8d33f7f0d199e2289bc3e6145b7d9eecaf7dd0793dad3a2a013ec3a4c64c681cfbbf88647e21566ea3b7269bf485f29ef10ee
+  data.tar.gz: 2d5845a9bd98a86f3af891122d9fe410da8586aa8aa45ccb2e05bcf25b8fdf6b6702d6ac396f866a4b53b9659cceface62a03997c30954d20d2e32b73cffab5c

data/CHANGES.md

@@ -1,3 +1,49 @@
+# 5.1.0 - 2021-07-19
+
+* Initial support for ActiveRecord enums
+* Support `Hash#include?`
+* Interprocedural dataflow from very simple class methods
+* Fix SARIF report when checks have no description (Eli Block)
+* Add ignored warnings to SARIF report (Eli Block)
+* Add `--sql-safe-methods` option (Esty Scheiner)
+* Update SQL injection check for Rails 6.0/6.1
+* Fix false positive in command injection with `Open3.capture` (Richard Fitzgerald)
+* Fix infinite loop on mixin self-includes (Andrew Szczepanski)
+* Ignore dates in SQL
+* Refactor `cookie?`/`param?` methods (Keenan Brock)
+* Ignore renderables in dynamic render path check (Brad Parker)
+* Support `Array#push`
+* Better `Array#join` support
+* Adjust copy of `--interactive` menu (Elia Schito)
+* Support `Array#*`
+* Better method definition tracking and lookup
+* Support `Hash#values` and `Hash#values_at`
+* Check for user-controlled evaluation even if it's a call target
+* Support `Array#fetch` and `Hash#fetch`
+* Ignore `sanitize_sql_like` in SQL
+* Ignore method calls on numbers in SQL
+* Add GitHub Actions format (Klaus Badelt)
+* Read and parse files in parallel
+
+# 5.0.4 - 2021-06-08
+
+(brakeman gem release only)
+
+* Update bundled `ruby_parser` to include argument forwarding support
+
+# 5.0.2 - 2021-06-07
+
+* Fix Loofah version check
+
+# 5.0.1 - 2021-04-27
+
+* Detect `::Rails.application.configure` too
+* Set more line numbers on Sexps
+* Support loading `slim/smart`
+* Don't fail if $HOME/$USER are not defined
+* Always ignore slice/only calls for mass assignment
+* Convert splat array arguments to arguments
+
 # 5.0.0 - 2021-01-26
 
 * Ignore `uuid` as a safe attribute

data/README.md

@@ -159,7 +159,16 @@ The `-w` switch takes a number from 1 to 3, with 1 being low (all warnings) and
 
 # Configuration files
 
-Brakeman options can stored and read from YAML files. To simplify the process of writing a configuration file, the `-C` option will output the currently set options.
+Brakeman options can be stored and read from YAML files.
+
+To simplify the process of writing a configuration file, the `-C` option will output the currently set options:
+
+```sh
+$ brakeman -C --skip-files plugins/
+---
+:skip_files:
+- plugins/
+```
 
 Options passed in on the commandline have priority over configuration files.
 

data/lib/brakeman.rb

@@ -65,6 +65,7 @@ module Brakeman
   #  * :report_routes - show found routes on controllers (default: false)
   #  * :run_checks - array of checks to run (run all if not specified)
   #  * :safe_methods - array of methods to consider safe
+  #  * :sql_safe_methods - array of sql sanitization methods to consider safe
   #  * :skip_libs - do not process lib/ directory (default: false)
   #  * :skip_vendor - do not process vendor/ directory (default: true)
   #  * :skip_checks - checks not to run (run all if not specified)
@@ -157,10 +158,17 @@ module Brakeman
     end
   end
 
-  CONFIG_FILES = [
-    File.expand_path("~/.brakeman/config.yml"),
-    File.expand_path("/etc/brakeman/config.yml")
-  ]
+  CONFIG_FILES = begin
+                   [
+                     File.expand_path("~/.brakeman/config.yml"),
+                     File.expand_path("/etc/brakeman/config.yml")
+                   ]
+                 rescue ArgumentError
+                   # In case $HOME or $USER aren't defined for use of `~`
+                   [
+                     File.expand_path("/etc/brakeman/config.yml")
+                   ]
+                 end
 
   def self.config_file custom_location, app_path
     app_config = File.expand_path(File.join(app_path, "config", "brakeman.yml"))
@@ -191,6 +199,7 @@ module Brakeman
       :relative_path => false,
       :report_progress => true,
       :safe_methods => Set.new,
+      :sql_safe_methods => Set.new,
       :skip_checks => Set.new,
       :skip_vendor => true,
     }
@@ -243,6 +252,8 @@ module Brakeman
       [:to_sarif]
     when :sonar, :to_sonar
       [:to_sonar]
+    when :github, :to_github
+      [:to_github]
     else
       [:to_text]
     end
@@ -276,6 +287,8 @@ module Brakeman
         :to_sarif
       when /\.sonar$/i
         :to_sonar
+      when /\.github$/i
+        :to_github
       else
         :to_text
       end
@@ -514,12 +527,14 @@ module Brakeman
 
   # Returns an array of alert fingerprints for any ignored warnings without
   # notes found in the specified ignore file (if it exists).
-  def self.ignore_file_entries_with_empty_notes file
+  def self.ignore_file_entries_with_empty_notes file, options
     return [] unless file
 
     require 'brakeman/report/ignore/config'
 
-    config = IgnoreConfig.new(file, nil)
+    app_tree = Brakeman::AppTree.from_options(options)
+
+    config = IgnoreConfig.new(Brakeman::FilePath.from_app_tree(app_tree, file), nil)
     config.read_from_file
     config.already_ignored_entries_with_empty_notes.map { |i| i[:fingerprint] }
   end
@@ -530,9 +545,9 @@ module Brakeman
     app_tree = Brakeman::AppTree.from_options(options)
 
     if options[:ignore_file]
-      file = options[:ignore_file]
+      file = Brakeman::FilePath.from_app_tree(app_tree, options[:ignore_file])
     elsif app_tree.exists? "config/brakeman.ignore"
-      file = app_tree.expand_path("config/brakeman.ignore")
+      file = Brakeman::FilePath.from_app_tree(app_tree, "config/brakeman.ignore")
     elsif not options[:interactive_ignore]
       return
     end

data/lib/brakeman/checks/check_detailed_exceptions.rb

@@ -26,7 +26,7 @@ class Brakeman::CheckDetailedExceptions < Brakeman::BaseCheck
   def check_detailed_exceptions
     tracker.controllers.each do |_name, controller|
       controller.methods_public.each do |method_name, definition|
-        src = definition[:src]
+        src = definition.src
         body = src.body.last
         next unless body
 

data/lib/brakeman/checks/check_evaluation.rb

@@ -10,7 +10,7 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
   #Process calls
   def run_check
     Brakeman.debug "Finding eval-like calls"
-    calls = tracker.find_call :method => [:eval, :instance_eval, :class_eval, :module_eval]
+    calls = tracker.find_call methods: [:eval, :instance_eval, :class_eval, :module_eval], nested: true
 
     Brakeman.debug "Processing eval-like calls"
     calls.each do |call|

data/lib/brakeman/checks/check_execute.rb

@@ -87,6 +87,16 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
                   dangerous_interp?(first_arg) ||
                   dangerous_string_building?(first_arg)
       end
+    when :capture2, :capture2e, :capture3
+      # Open3 capture methods can take a :stdin_data argument which is used as the
+      # the input to the called command so it is not succeptable to command injection.
+      # As such if the last argument is a hash (and therefore execution options) it
+      # should be ignored
+
+      args.pop if hash?(args.last) && args.length > 2
+      failure = include_user_input?(args) ||
+                dangerous_interp?(args) ||
+                dangerous_string_building?(args)
     else
       failure = include_user_input?(args) ||
                 dangerous_interp?(args) ||

data/lib/brakeman/checks/check_mass_assignment.rb

@@ -69,17 +69,15 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
     if check and original? res
 
       model = tracker.models[res[:chain].first]
-
       attr_protected = (model and model.attr_protected)
+      first_arg = call.first_arg
 
       if attr_protected and tracker.options[:ignore_attr_protected]
         return
+      elsif call? first_arg and (first_arg.method == :slice or first_arg.method == :only)
+        return
       elsif input = include_user_input?(call.arglist)
-        first_arg = call.first_arg
-
-        if call? first_arg and (first_arg.method == :slice or first_arg.method == :only)
-          return
-        elsif not node_type? first_arg, :hash
+        if not node_type? first_arg, :hash
           if attr_protected
             confidence = :medium
           else

data/lib/brakeman/checks/check_render.rb

@@ -33,6 +33,7 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
     view = result[:call][2]
 
     if sexp? view and original? result
+      return if renderable?(view)
 
       if input = has_immediate_user_input?(view)
         if string_interp? view
@@ -94,4 +95,17 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
       end
     end
   end
-end 
+
+  def renderable? exp
+    return false unless call?(exp) and constant?(exp.target)
+
+    target_class_name = class_name(exp.target)
+    known_renderable_class?(target_class_name) or tracker.find_method(:render_in, target_class_name)
+  end
+
+  def known_renderable_class? class_name
+    klass = tracker.find_class(class_name)
+    return false if klass.nil?
+    klass.ancestor? :"ViewComponent::Base"
+  end
+end

data/lib/brakeman/checks/check_sanitize_methods.rb

@@ -90,7 +90,8 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
   def loofah_vulnerable_cve_2018_8048?
     loofah_version = tracker.config.gem_version(:loofah)
 
-    loofah_version and loofah_version < "2.2.1"
+    # 2.2.1 is fix version
+    loofah_version and version_between?("0.0.0", "2.2.0", loofah_version)
   end
 
   def warn_sanitizer_cve cve, link, upgrade_version

data/lib/brakeman/checks/check_sql.rb

@@ -22,7 +22,19 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
                     :find_by_sql, :maximum, :minimum, :pluck, :sum, :update_all]
     @sql_targets.concat [:from, :group, :having, :joins, :lock, :order, :reorder, :where] if tracker.options[:rails3]
     @sql_targets.concat [:find_by, :find_by!, :find_or_create_by, :find_or_create_by!, :find_or_initialize_by, :not] if tracker.options[:rails4]
-    @sql_targets << :delete_by << :destroy_by if tracker.options[:rails6]
+
+    if tracker.options[:rails6]
+      @sql_targets.concat [:delete_by, :destroy_by, :rewhere, :reselect]
+
+      @sql_targets.delete :delete_all
+      @sql_targets.delete :destroy_all
+    end
+
+    if version_between?("6.1.0", "9.9.9")
+      @sql_targets.delete :order
+      @sql_targets.delete :reorder
+      @sql_targets.delete :pluck
+    end
 
     if version_between?("2.0.0", "3.9.9") or tracker.config.rails_version.nil?
       @sql_targets << :first << :last << :all
@@ -185,7 +197,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
                         else
                           check_find_arguments call.last_arg
                         end
-                      when :where, :having, :find_by, :find_by!, :find_or_create_by, :find_or_create_by!, :find_or_initialize_by,:not, :delete_by, :destroy_by
+                      when :where, :rewhere, :having, :find_by, :find_by!, :find_or_create_by, :find_or_create_by!, :find_or_initialize_by,:not, :delete_by, :destroy_by
                         check_query_arguments call.arglist
                       when :order, :group, :reorder
                         check_order_arguments call.arglist
@@ -199,7 +211,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
                         unsafe_sql? call.first_arg
                       when :sql
                         unsafe_sql? call.first_arg
-                      when :update_all, :select
+                      when :update_all, :select, :reselect
                         check_update_all_arguments call.args
                       when *@connection_calls
                         check_by_sql_arguments call.first_arg
@@ -572,13 +584,17 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   end
 
   IGNORE_METHODS_IN_SQL = Set[:id, :merge_conditions, :table_name, :quoted_table_name,
-    :quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array,
+    :quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array, :sanitize_sql_like,
     :sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,
     :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
     :to_sql, :sanitize, :primary_key, :table_name_prefix, :table_name_suffix,
     :where_values_hash, :foreign_key, :uuid
   ]
 
+  def ignore_methods_in_sql
+    @ignore_methods_in_sql ||= IGNORE_METHODS_IN_SQL + (tracker.options[:sql_safe_methods] || [])
+  end
+
   def safe_value? exp
     return true unless sexp? exp
 
@@ -589,10 +605,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       if exp.method == :to_s or exp.method == :to_sym
         safe_value? exp.target
       else
-        IGNORE_METHODS_IN_SQL.include? exp.method or
-        quote_call? exp or
-        arel? exp or
-        exp.method.to_s.end_with? "_id"
+        ignore_call? exp
       end
     when :if
       safe_value? exp.then_clause and safe_value? exp.else_clause
@@ -607,6 +620,17 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     end
   end
 
+  def ignore_call? exp
+    return unless call? exp
+
+    ignore_methods_in_sql.include? exp.method or
+      quote_call? exp or
+      arel? exp or
+      exp.method.to_s.end_with? "_id" or
+      number_target? exp or
+      date_target? exp
+  end
+
   QUOTE_METHODS = [:quote, :quote_column_name, :quoted_date, :quote_string, :quote_table_name]
 
   def quote_call? exp
@@ -695,4 +719,30 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       active_record_models.include? klass
     end
   end
+
+  def number_target? exp
+    return unless call? exp
+
+    if number? exp.target
+      true
+    elsif call? exp.target
+      number_target? exp.target
+    else
+      false
+    end
+  end
+
+  DATE_CLASS = s(:const, :Date)
+
+  def date_target? exp
+    return unless call? exp
+
+    if exp.target == DATE_CLASS
+      true
+    elsif call? exp.target
+      date_target? exp.target
+    else
+     false
+    end 
+  end
 end

data/lib/brakeman/checks/check_verb_confusion.rb

@@ -32,7 +32,7 @@ class Brakeman::CheckVerbConfusion < Brakeman::BaseCheck
       return
     end
 
-    process method[:src]
+    process method.src
   end
 
   def process_if exp

data/lib/brakeman/commandline.rb

@@ -126,7 +126,7 @@ module Brakeman
 
         ensure_ignore_notes_failed = false
         if tracker.options[:ensure_ignore_notes]
-          fingerprints = Brakeman::ignore_file_entries_with_empty_notes tracker.ignored_filter&.file
+          fingerprints = Brakeman::ignore_file_entries_with_empty_notes tracker.ignored_filter&.file, options
 
           unless fingerprints.empty?
             ensure_ignore_notes_failed = true

data/lib/brakeman/file_parser.rb

@@ -1,3 +1,5 @@
+require 'parallel'
+
 module Brakeman
   ASTFile = Struct.new(:path, :ast)
 
@@ -5,29 +7,62 @@ module Brakeman
   class FileParser
     attr_reader :file_list, :errors
 
-    def initialize app_tree, timeout
+    def initialize app_tree, timeout, parallel = true
       @app_tree = app_tree
       @timeout = timeout
       @file_list = []
       @errors = []
+      @parallel = parallel
     end
 
     def parse_files list
-      read_files list do |path, contents|
-        if ast = parse_ruby(contents, path.relative)
-          ASTFile.new(path, ast)
+      if @parallel
+        parallel_options = {}
+      else
+        # Disable parallelism
+        parallel_options = { in_threads: 0 }
+      end
+
+      # Parse the files in parallel.
+      # By default, the parsing will be in separate processes.
+      # So we map the result to ASTFiles and/or Exceptions
+      # then partition them into ASTFiles and Exceptions
+      # and add the Exceptions to @errors
+      #
+      # Basically just a funky way to deal with two possible
+      # return types that are returned from isolated processes.
+      #
+      # Note this method no longer uses read_files
+      @file_list, new_errors = Parallel.map(list, parallel_options) do |file_name|
+        file_path = @app_tree.file_path(file_name)
+        contents = file_path.read
+
+        begin
+          if ast = parse_ruby(contents, file_path.relative)
+            ASTFile.new(file_name, ast)
+          end
+        rescue Exception => e
+          e
         end
+      end.compact.partition do |result|
+        result.is_a? ASTFile
       end
+
+      errors.concat new_errors
     end
 
     def read_files list
       list.each do |path|
         file = @app_tree.file_path(path)
 
-        result = yield file, file.read
+        begin
+          result = yield file, file.read
 
-        if result
-          @file_list << result
+          if result
+            @file_list << result
+          end
+        rescue Exception => e
+          @errors << e
         end
       end
     end
@@ -42,17 +77,12 @@ module Brakeman
         Brakeman.debug "Parsing #{path}"
         RubyParser.new.parse input, path, @timeout
       rescue Racc::ParseError => e
-        error e.exception(e.message + "\nCould not parse #{path}")
+        raise e.exception(e.message + "\nCould not parse #{path}")
       rescue Timeout::Error => e
-        error Exception.new("Parsing #{path} took too long (> #{@timeout} seconds). Try increasing the limit with --parser-timeout")
+        raise Exception.new("Parsing #{path} took too long (> #{@timeout} seconds). Try increasing the limit with --parser-timeout")
       rescue => e
-        error e.exception(e.message + "\nWhile processing #{path}")
+        raise e.exception(e.message + "\nWhile processing #{path}")
       end
     end
-
-    def error exception
-      @errors << exception
-      nil
-    end
   end
 end