brakeman-lib 5.0.0 → 5.1.0

Files changed (37)
  1. checksums.yaml +4 -4
  2. data/CHANGES.md +46 -0
  3. data/README.md +10 -1
  4. data/lib/brakeman.rb +23 -8
  5. data/lib/brakeman/checks/check_detailed_exceptions.rb +1 -1
  6. data/lib/brakeman/checks/check_evaluation.rb +1 -1
  7. data/lib/brakeman/checks/check_execute.rb +10 -0
  8. data/lib/brakeman/checks/check_mass_assignment.rb +4 -6
  9. data/lib/brakeman/checks/check_render.rb +15 -1
  10. data/lib/brakeman/checks/check_sanitize_methods.rb +2 -1
  11. data/lib/brakeman/checks/check_sql.rb +58 -8
  12. data/lib/brakeman/checks/check_verb_confusion.rb +1 -1
  13. data/lib/brakeman/commandline.rb +1 -1
  14. data/lib/brakeman/file_parser.rb +45 -15
  15. data/lib/brakeman/options.rb +7 -2
  16. data/lib/brakeman/parsers/template_parser.rb +24 -0
  17. data/lib/brakeman/processors/alias_processor.rb +105 -18
  18. data/lib/brakeman/processors/base_processor.rb +4 -4
  19. data/lib/brakeman/processors/controller_alias_processor.rb +6 -43
  20. data/lib/brakeman/processors/lib/call_conversion_helper.rb +10 -6
  21. data/lib/brakeman/processors/lib/rails4_config_processor.rb +2 -1
  22. data/lib/brakeman/processors/library_processor.rb +9 -0
  23. data/lib/brakeman/processors/model_processor.rb +31 -0
  24. data/lib/brakeman/report.rb +4 -1
  25. data/lib/brakeman/report/ignore/config.rb +4 -4
  26. data/lib/brakeman/report/ignore/interactive.rb +1 -1
  27. data/lib/brakeman/report/report_github.rb +31 -0
  28. data/lib/brakeman/report/report_sarif.rb +21 -2
  29. data/lib/brakeman/rescanner.rb +1 -1
  30. data/lib/brakeman/scanner.rb +4 -1
  31. data/lib/brakeman/tracker.rb +33 -4
  32. data/lib/brakeman/tracker/collection.rb +57 -7
  33. data/lib/brakeman/tracker/method_info.rb +70 -0
  34. data/lib/brakeman/util.rb +34 -18
  35. data/lib/brakeman/version.rb +1 -1
  36. data/lib/ruby_parser/bm_sexp.rb +14 -0
  37. metadata +18 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 59808cb56d2701ba4806eaf3e8fdaa70e3b15d3578badb1a93177ae60a03fe16
4
- data.tar.gz: d74f4ffa7620d6ae48cddc85ad661548c6c21fa807306a987e31343990e33a09
3
+ metadata.gz: 425078e2c4abfb5dc629bd5b70fcbaa1de59be69093097ad5ca78c3f425f575c
4
+ data.tar.gz: 1ddaf7c9084213dcc7db6772dc164095800de50897d157345a01c234d09fe778
5
5
  SHA512:
6
- metadata.gz: 1319c8e5a981305d8ab91885a9edfe475240014e7f3e19d2f4e24da8eabc0c0cf355cd8ef387091291dd4a7d3a29fc35309531e6edce6606100b5a7c48f24b64
7
- data.tar.gz: 02356cced5a4aaae709a3f237319af4bf4f511224762c41bb61d1130813385d27e922722771d037ef1773271db642431be689f249b72396f7800730606ad3ba3
6
+ metadata.gz: 4a0a910c6859f389eeaf21253dc8d33f7f0d199e2289bc3e6145b7d9eecaf7dd0793dad3a2a013ec3a4c64c681cfbbf88647e21566ea3b7269bf485f29ef10ee
7
+ data.tar.gz: 2d5845a9bd98a86f3af891122d9fe410da8586aa8aa45ccb2e05bcf25b8fdf6b6702d6ac396f866a4b53b9659cceface62a03997c30954d20d2e32b73cffab5c
data/CHANGES.md CHANGED
@@ -1,3 +1,49 @@
1
+ # 5.1.0 - 2021-07-19
2
+
3
+ * Initial support for ActiveRecord enums
4
+ * Support `Hash#include?`
5
+ * Interprocedural dataflow from very simple class methods
6
+ * Fix SARIF report when checks have no description (Eli Block)
7
+ * Add ignored warnings to SARIF report (Eli Block)
8
+ * Add `--sql-safe-methods` option (Esty Scheiner)
9
+ * Update SQL injection check for Rails 6.0/6.1
10
+ * Fix false positive in command injection with `Open3.capture` (Richard Fitzgerald)
11
+ * Fix infinite loop on mixin self-includes (Andrew Szczepanski)
12
+ * Ignore dates in SQL
13
+ * Refactor `cookie?`/`param?` methods (Keenan Brock)
14
+ * Ignore renderables in dynamic render path check (Brad Parker)
15
+ * Support `Array#push`
16
+ * Better `Array#join` support
17
+ * Adjust copy of `--interactive` menu (Elia Schito)
18
+ * Support `Array#*`
19
+ * Better method definition tracking and lookup
20
+ * Support `Hash#values` and `Hash#values_at`
21
+ * Check for user-controlled evaluation even if it's a call target
22
+ * Support `Array#fetch` and `Hash#fetch`
23
+ * Ignore `sanitize_sql_like` in SQL
24
+ * Ignore method calls on numbers in SQL
25
+ * Add GitHub Actions format (Klaus Badelt)
26
+ * Read and parse files in parallel
27
+
28
+ # 5.0.4 - 2021-06-08
29
+
30
+ (brakeman gem release only)
31
+
32
+ * Update bundled `ruby_parser` to include argument forwarding support
33
+
34
+ # 5.0.2 - 2021-06-07
35
+
36
+ * Fix Loofah version check
37
+
38
+ # 5.0.1 - 2021-04-27
39
+
40
+ * Detect `::Rails.application.configure` too
41
+ * Set more line numbers on Sexps
42
+ * Support loading `slim/smart`
43
+ * Don't fail if $HOME/$USER are not defined
44
+ * Always ignore slice/only calls for mass assignment
45
+ * Convert splat array arguments to arguments
46
+
1
47
  # 5.0.0 - 2021-01-26
2
48
 
3
49
  * Ignore `uuid` as a safe attribute
data/README.md CHANGED
@@ -159,7 +159,16 @@ The `-w` switch takes a number from 1 to 3, with 1 being low (all warnings) and
159
159
 
160
160
  # Configuration files
161
161
 
162
- Brakeman options can stored and read from YAML files. To simplify the process of writing a configuration file, the `-C` option will output the currently set options.
162
+ Brakeman options can be stored and read from YAML files.
163
+
164
+ To simplify the process of writing a configuration file, the `-C` option will output the currently set options:
165
+
166
+ ```sh
167
+ $ brakeman -C --skip-files plugins/
168
+ ---
169
+ :skip_files:
170
+ - plugins/
171
+ ```
163
172
 
164
173
  Options passed in on the commandline have priority over configuration files.
165
174
 
data/lib/brakeman.rb CHANGED
@@ -65,6 +65,7 @@ module Brakeman
65
65
  # * :report_routes - show found routes on controllers (default: false)
66
66
  # * :run_checks - array of checks to run (run all if not specified)
67
67
  # * :safe_methods - array of methods to consider safe
68
+ # * :sql_safe_methods - array of sql sanitization methods to consider safe
68
69
  # * :skip_libs - do not process lib/ directory (default: false)
69
70
  # * :skip_vendor - do not process vendor/ directory (default: true)
70
71
  # * :skip_checks - checks not to run (run all if not specified)
@@ -157,10 +158,17 @@ module Brakeman
157
158
  end
158
159
  end
159
160
 
160
- CONFIG_FILES = [
161
- File.expand_path("~/.brakeman/config.yml"),
162
- File.expand_path("/etc/brakeman/config.yml")
163
- ]
161
+ CONFIG_FILES = begin
162
+ [
163
+ File.expand_path("~/.brakeman/config.yml"),
164
+ File.expand_path("/etc/brakeman/config.yml")
165
+ ]
166
+ rescue ArgumentError
167
+ # In case $HOME or $USER aren't defined for use of `~`
168
+ [
169
+ File.expand_path("/etc/brakeman/config.yml")
170
+ ]
171
+ end
164
172
 
165
173
  def self.config_file custom_location, app_path
166
174
  app_config = File.expand_path(File.join(app_path, "config", "brakeman.yml"))
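Review bot: the `rescue ArgumentError` around `CONFIG_FILES` handles the error `File.expand_path("~/...")` raises when `$HOME`/`$USER` are unset, but it silently drops the user-level config path; a `Brakeman.debug` line in the rescue branch would let a user whose `~/.brakeman/config.yml` is unexpectedly ignored see why. The fallback `File.expand_path("/etc/brakeman/config.yml")` is already absolute, so a plain string literal would do there.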
@@ -191,6 +199,7 @@ module Brakeman
191
199
  :relative_path => false,
192
200
  :report_progress => true,
193
201
  :safe_methods => Set.new,
202
+ :sql_safe_methods => Set.new,
194
203
  :skip_checks => Set.new,
195
204
  :skip_vendor => true,
196
205
  }
@@ -243,6 +252,8 @@ module Brakeman
243
252
  [:to_sarif]
244
253
  when :sonar, :to_sonar
245
254
  [:to_sonar]
255
+ when :github, :to_github
256
+ [:to_github]
246
257
  else
247
258
  [:to_text]
248
259
  end
@@ -276,6 +287,8 @@ module Brakeman
276
287
  :to_sarif
277
288
  when /\.sonar$/i
278
289
  :to_sonar
290
+ when /\.github$/i
291
+ :to_github
279
292
  else
280
293
  :to_text
281
294
  end
@@ -514,12 +527,14 @@ module Brakeman
514
527
 
515
528
  # Returns an array of alert fingerprints for any ignored warnings without
516
529
  # notes found in the specified ignore file (if it exists).
517
- def self.ignore_file_entries_with_empty_notes file
530
+ def self.ignore_file_entries_with_empty_notes file, options
518
531
  return [] unless file
519
532
 
520
533
  require 'brakeman/report/ignore/config'
521
534
 
522
- config = IgnoreConfig.new(file, nil)
535
+ app_tree = Brakeman::AppTree.from_options(options)
536
+
537
+ config = IgnoreConfig.new(Brakeman::FilePath.from_app_tree(app_tree, file), nil)
523
538
  config.read_from_file
524
539
  config.already_ignored_entries_with_empty_notes.map { |i| i[:fingerprint] }
525
540
  end
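Review bot: `ignore_file_entries_with_empty_notes` is a public class method and now takes a required positional `options`, so any external caller still passing only `file` will raise `ArgumentError`; if the old call form should keep working, give it a default (e.g. `options = {}`) and skip the `AppTree` resolution when no app path is available, or record the breaking change in CHANGES.md. The `return [] unless file` guard still runs before `options` is touched, so a nil file is unaffected.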
@@ -530,9 +545,9 @@ module Brakeman
530
545
  app_tree = Brakeman::AppTree.from_options(options)
531
546
 
532
547
  if options[:ignore_file]
533
- file = options[:ignore_file]
548
+ file = Brakeman::FilePath.from_app_tree(app_tree, options[:ignore_file])
534
549
  elsif app_tree.exists? "config/brakeman.ignore"
535
- file = app_tree.expand_path("config/brakeman.ignore")
550
+ file = Brakeman::FilePath.from_app_tree(app_tree, "config/brakeman.ignore")
536
551
  elsif not options[:interactive_ignore]
537
552
  return
538
553
  end
@@ -26,7 +26,7 @@ class Brakeman::CheckDetailedExceptions < Brakeman::BaseCheck
26
26
  def check_detailed_exceptions
27
27
  tracker.controllers.each do |_name, controller|
28
28
  controller.methods_public.each do |method_name, definition|
29
- src = definition[:src]
29
+ src = definition.src
30
30
  body = src.body.last
31
31
  next unless body
32
32
 
@@ -10,7 +10,7 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
10
10
  #Process calls
11
11
  def run_check
12
12
  Brakeman.debug "Finding eval-like calls"
13
- calls = tracker.find_call :method => [:eval, :instance_eval, :class_eval, :module_eval]
13
+ calls = tracker.find_call methods: [:eval, :instance_eval, :class_eval, :module_eval], nested: true
14
14
 
15
15
  Brakeman.debug "Processing eval-like calls"
16
16
  calls.each do |call|
@@ -87,6 +87,16 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
87
87
  dangerous_interp?(first_arg) ||
88
88
  dangerous_string_building?(first_arg)
89
89
  end
90
+ when :capture2, :capture2e, :capture3
91
+ # Open3 capture methods can take a :stdin_data argument which is used as the
92
+ # the input to the called command so it is not succeptable to command injection.
93
+ # As such if the last argument is a hash (and therefore execution options) it
94
+ # should be ignored
95
+
96
+ args.pop if hash?(args.last) && args.length > 2
97
+ failure = include_user_input?(args) ||
98
+ dangerous_interp?(args) ||
99
+ dangerous_string_building?(args)
90
100
  else
91
101
  failure = include_user_input?(args) ||
92
102
  dangerous_interp?(args) ||
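Review bot: the guard `args.pop if hash?(args.last) && args.length > 2` only drops the trailing options hash when there are more than two arguments, so a two-argument call such as `Open3.capture2(cmd, stdin_data: input)` keeps the hash and a tainted `stdin_data:` value will still be reported as command injection, which is the false positive the comment says this branch is meant to avoid; if the intent is to ignore the options hash whenever at least one command argument precedes it, the condition should probably be `args.length > 1`. Also fix the comment typos: "the the input" and "succeptable" (susceptible).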
@@ -69,17 +69,15 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
69
69
  if check and original? res
70
70
 
71
71
  model = tracker.models[res[:chain].first]
72
-
73
72
  attr_protected = (model and model.attr_protected)
73
+ first_arg = call.first_arg
74
74
 
75
75
  if attr_protected and tracker.options[:ignore_attr_protected]
76
76
  return
77
+ elsif call? first_arg and (first_arg.method == :slice or first_arg.method == :only)
78
+ return
77
79
  elsif input = include_user_input?(call.arglist)
78
- first_arg = call.first_arg
79
-
80
- if call? first_arg and (first_arg.method == :slice or first_arg.method == :only)
81
- return
82
- elsif not node_type? first_arg, :hash
80
+ if not node_type? first_arg, :hash
83
81
  if attr_protected
84
82
  confidence = :medium
85
83
  else
@@ -33,6 +33,7 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
33
33
  view = result[:call][2]
34
34
 
35
35
  if sexp? view and original? result
36
+ return if renderable?(view)
36
37
 
37
38
  if input = has_immediate_user_input?(view)
38
39
  if string_interp? view
@@ -94,4 +95,17 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
94
95
  end
95
96
  end
96
97
  end
97
- end
98
+
99
+ def renderable? exp
100
+ return false unless call?(exp) and constant?(exp.target)
101
+
102
+ target_class_name = class_name(exp.target)
103
+ known_renderable_class?(target_class_name) or tracker.find_method(:render_in, target_class_name)
104
+ end
105
+
106
+ def known_renderable_class? class_name
107
+ klass = tracker.find_class(class_name)
108
+ return false if klass.nil?
109
+ klass.ancestor? :"ViewComponent::Base"
110
+ end
111
+ end
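Review bot: `renderable?` would benefit from a short comment stating the heuristic: the render argument is treated as a renderable object when it is a call on a constant (a component constructor, for example) whose class either has `ViewComponent::Base` as an ancestor or defines `render_in`, the Rails renderable protocol. Note also that `renderable?` returns whatever `tracker.find_method(:render_in, ...)` returns rather than a boolean; fine for the `return if renderable?(view)` caller, but coerce it (`!!`) if the predicate is reused elsewhere.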
@@ -90,7 +90,8 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
90
90
  def loofah_vulnerable_cve_2018_8048?
91
91
  loofah_version = tracker.config.gem_version(:loofah)
92
92
 
93
- loofah_version and loofah_version < "2.2.1"
93
+ # 2.2.1 is fix version
94
+ loofah_version and version_between?("0.0.0", "2.2.0", loofah_version)
94
95
  end
95
96
 
96
97
  def warn_sanitizer_cve cve, link, upgrade_version
@@ -22,7 +22,19 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
22
22
  :find_by_sql, :maximum, :minimum, :pluck, :sum, :update_all]
23
23
  @sql_targets.concat [:from, :group, :having, :joins, :lock, :order, :reorder, :where] if tracker.options[:rails3]
24
24
  @sql_targets.concat [:find_by, :find_by!, :find_or_create_by, :find_or_create_by!, :find_or_initialize_by, :not] if tracker.options[:rails4]
25
- @sql_targets << :delete_by << :destroy_by if tracker.options[:rails6]
25
+
26
+ if tracker.options[:rails6]
27
+ @sql_targets.concat [:delete_by, :destroy_by, :rewhere, :reselect]
28
+
29
+ @sql_targets.delete :delete_all
30
+ @sql_targets.delete :destroy_all
31
+ end
32
+
33
+ if version_between?("6.1.0", "9.9.9")
34
+ @sql_targets.delete :order
35
+ @sql_targets.delete :reorder
36
+ @sql_targets.delete :pluck
37
+ end
26
38
 
27
39
  if version_between?("2.0.0", "3.9.9") or tracker.config.rails_version.nil?
28
40
  @sql_targets << :first << :last << :all
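Review bot: `version_between?("6.1.0", "9.9.9")` uses a magic upper bound to mean "6.1 or later"; add a comment explaining why `:order`, `:reorder` and `:pluck` are dropped for those versions (presumably that Rails 6.1 rejects raw SQL strings in these methods unless wrapped in `Arel.sql`), and likewise why `:delete_all`/`:destroy_all` are removed under `rails6`. The two blocks also gate on different things, `tracker.options[:rails6]` versus `version_between?`; if the `rails6` option can be set without a parsed Rails version, they may disagree.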
@@ -185,7 +197,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
185
197
  else
186
198
  check_find_arguments call.last_arg
187
199
  end
188
- when :where, :having, :find_by, :find_by!, :find_or_create_by, :find_or_create_by!, :find_or_initialize_by,:not, :delete_by, :destroy_by
200
+ when :where, :rewhere, :having, :find_by, :find_by!, :find_or_create_by, :find_or_create_by!, :find_or_initialize_by,:not, :delete_by, :destroy_by
189
201
  check_query_arguments call.arglist
190
202
  when :order, :group, :reorder
191
203
  check_order_arguments call.arglist
@@ -199,7 +211,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
199
211
  unsafe_sql? call.first_arg
200
212
  when :sql
201
213
  unsafe_sql? call.first_arg
202
- when :update_all, :select
214
+ when :update_all, :select, :reselect
203
215
  check_update_all_arguments call.args
204
216
  when *@connection_calls
205
217
  check_by_sql_arguments call.first_arg
@@ -572,13 +584,17 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
572
584
  end
573
585
 
574
586
  IGNORE_METHODS_IN_SQL = Set[:id, :merge_conditions, :table_name, :quoted_table_name,
575
- :quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array,
587
+ :quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array, :sanitize_sql_like,
576
588
  :sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,
577
589
  :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
578
590
  :to_sql, :sanitize, :primary_key, :table_name_prefix, :table_name_suffix,
579
591
  :where_values_hash, :foreign_key, :uuid
580
592
  ]
581
593
 
594
+ def ignore_methods_in_sql
595
+ @ignore_methods_in_sql ||= IGNORE_METHODS_IN_SQL + (tracker.options[:sql_safe_methods] || [])
596
+ end
597
+
582
598
  def safe_value? exp
583
599
  return true unless sexp? exp
584
600
 
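Review bot: `ignore_methods_in_sql` merges `tracker.options[:sql_safe_methods]` into the Set and the result is compared against `exp.method`, which is a Symbol, so the `--sql-safe-methods` values must already be symbols or they will never match; an explicit `.map(&:to_sym)` here would make the method robust to a YAML config file that supplies strings. Memoising in `@ignore_methods_in_sql` is fine since options do not change during a check run.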
@@ -589,10 +605,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
589
605
  if exp.method == :to_s or exp.method == :to_sym
590
606
  safe_value? exp.target
591
607
  else
592
- IGNORE_METHODS_IN_SQL.include? exp.method or
593
- quote_call? exp or
594
- arel? exp or
595
- exp.method.to_s.end_with? "_id"
608
+ ignore_call? exp
596
609
  end
597
610
  when :if
598
611
  safe_value? exp.then_clause and safe_value? exp.else_clause
@@ -607,6 +620,17 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
607
620
  end
608
621
  end
609
622
 
623
+ def ignore_call? exp
624
+ return unless call? exp
625
+
626
+ ignore_methods_in_sql.include? exp.method or
627
+ quote_call? exp or
628
+ arel? exp or
629
+ exp.method.to_s.end_with? "_id" or
630
+ number_target? exp or
631
+ date_target? exp
632
+ end
633
+
610
634
  QUOTE_METHODS = [:quote, :quote_column_name, :quoted_date, :quote_string, :quote_table_name]
611
635
 
612
636
  def quote_call? exp
@@ -695,4 +719,30 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
695
719
  active_record_models.include? klass
696
720
  end
697
721
  end
722
+
723
+ def number_target? exp
724
+ return unless call? exp
725
+
726
+ if number? exp.target
727
+ true
728
+ elsif call? exp.target
729
+ number_target? exp.target
730
+ else
731
+ false
732
+ end
733
+ end
734
+
735
+ DATE_CLASS = s(:const, :Date)
736
+
737
+ def date_target? exp
738
+ return unless call? exp
739
+
740
+ if exp.target == DATE_CLASS
741
+ true
742
+ elsif call? exp.target
743
+ date_target? exp.target
744
+ else
745
+ false
746
+ end
747
+ end
698
748
  end
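Review bot: `date_target?` only matches the bare constant `s(:const, :Date)`, so `::Date` (parsed as `s(:colon3, :Date)`), `DateTime` and `Time` receivers are still treated as unsafe; if those are meant to be ignored too, make `DATE_CLASS` a set of constants or compare on the constant name. More importantly, both predicates classify the whole call by its receiver chain and never look at the arguments, so a call like `Date.today.strftime(fmt)` is ignored even though `strftime` echoes any non-format characters of `fmt` into its result; consider only ignoring the call when its arguments are themselves `safe_value?`, and add a one-line comment saying the receiver chain is what is being classified.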
@@ -32,7 +32,7 @@ class Brakeman::CheckVerbConfusion < Brakeman::BaseCheck
32
32
  return
33
33
  end
34
34
 
35
- process method[:src]
35
+ process method.src
36
36
  end
37
37
 
38
38
  def process_if exp
@@ -126,7 +126,7 @@ module Brakeman
126
126
 
127
127
  ensure_ignore_notes_failed = false
128
128
  if tracker.options[:ensure_ignore_notes]
129
- fingerprints = Brakeman::ignore_file_entries_with_empty_notes tracker.ignored_filter&.file
129
+ fingerprints = Brakeman::ignore_file_entries_with_empty_notes tracker.ignored_filter&.file, options
130
130
 
131
131
  unless fingerprints.empty?
132
132
  ensure_ignore_notes_failed = true
@@ -1,3 +1,5 @@
1
+ require 'parallel'
2
+
1
3
  module Brakeman
2
4
  ASTFile = Struct.new(:path, :ast)
3
5
 
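Review bot: `require 'parallel'` at the top of the file makes the `parallel` gem a hard load-time dependency of `Brakeman` even when parallel parsing is disabled; make sure the gemspec (the `metadata` entry in this diff) declares it, and consider requiring it lazily inside `FileParser#parse_files` so the library still loads without the gem when `@parallel` is false.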
@@ -5,29 +7,62 @@ module Brakeman
5
7
  class FileParser
6
8
  attr_reader :file_list, :errors
7
9
 
8
- def initialize app_tree, timeout
10
+ def initialize app_tree, timeout, parallel = true
9
11
  @app_tree = app_tree
10
12
  @timeout = timeout
11
13
  @file_list = []
12
14
  @errors = []
15
+ @parallel = parallel
13
16
  end
14
17
 
15
18
  def parse_files list
16
- read_files list do |path, contents|
17
- if ast = parse_ruby(contents, path.relative)
18
- ASTFile.new(path, ast)
19
+ if @parallel
20
+ parallel_options = {}
21
+ else
22
+ # Disable parallelism
23
+ parallel_options = { in_threads: 0 }
24
+ end
25
+
26
+ # Parse the files in parallel.
27
+ # By default, the parsing will be in separate processes.
28
+ # So we map the result to ASTFiles and/or Exceptions
29
+ # then partition them into ASTFiles and Exceptions
30
+ # and add the Exceptions to @errors
31
+ #
32
+ # Basically just a funky way to deal with two possible
33
+ # return types that are returned from isolated processes.
34
+ #
35
+ # Note this method no longer uses read_files
36
+ @file_list, new_errors = Parallel.map(list, parallel_options) do |file_name|
37
+ file_path = @app_tree.file_path(file_name)
38
+ contents = file_path.read
39
+
40
+ begin
41
+ if ast = parse_ruby(contents, file_path.relative)
42
+ ASTFile.new(file_name, ast)
43
+ end
44
+ rescue Exception => e
45
+ e
19
46
  end
47
+ end.compact.partition do |result|
48
+ result.is_a? ASTFile
20
49
  end
50
+
51
+ errors.concat new_errors
21
52
  end
22
53
 
23
54
  def read_files list
24
55
  list.each do |path|
25
56
  file = @app_tree.file_path(path)
26
57
 
27
- result = yield file, file.read
58
+ begin
59
+ result = yield file, file.read
28
60
 
29
- if result
30
- @file_list << result
61
+ if result
62
+ @file_list << result
63
+ end
64
+ rescue Exception => e
65
+ @errors << e
31
66
  end
32
67
  end
33
68
  end
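Review bot: `@file_list, new_errors = Parallel.map(...).compact.partition` overwrites `@file_list` on every call, whereas the old code appended to it (`@file_list << result`) and `read_files` still does; if `parse_files` is called more than once on the same `FileParser`, or mixed with `read_files`, earlier results are lost, so `@file_list.concat parsed_files` would be safer. `ASTFile.new(file_name, ast)` also stores the raw list element where the old code stored the `FilePath` (`ASTFile.new(path, ast)`), so any consumer calling `.relative`/`.absolute` on `ast_file.path` needs checking. Finally, `rescue Exception => e` inside the worker swallows `Interrupt` and `SystemExit` as well; it is needed only because `parse_ruby` raises a bare `Exception` on timeout, so narrowing that (see the next hunk) would let this rescue become `rescue StandardError`.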
@@ -42,17 +77,12 @@ module Brakeman
42
77
  Brakeman.debug "Parsing #{path}"
43
78
  RubyParser.new.parse input, path, @timeout
44
79
  rescue Racc::ParseError => e
45
- error e.exception(e.message + "\nCould not parse #{path}")
80
+ raise e.exception(e.message + "\nCould not parse #{path}")
46
81
  rescue Timeout::Error => e
47
- error Exception.new("Parsing #{path} took too long (> #{@timeout} seconds). Try increasing the limit with --parser-timeout")
82
+ raise Exception.new("Parsing #{path} took too long (> #{@timeout} seconds). Try increasing the limit with --parser-timeout")
48
83
  rescue => e
49
- error e.exception(e.message + "\nWhile processing #{path}")
84
+ raise e.exception(e.message + "\nWhile processing #{path}")
50
85
  end
51
86
  end
52
-
53
- def error exception
54
- @errors << exception
55
- nil
56
- end
57
87
  end
58
88
  end
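Review bot: `raise Exception.new("Parsing #{path} took too long ...")` raises a bare `Exception`, which forces callers to `rescue Exception` (as `parse_files` and `read_files` now do) and thereby also catch `Interrupt`, `NoMemoryError` and `SystemExit`; define a small error class under `StandardError` (a name such as `Brakeman::ParseTimeout` is only a suggestion) and raise that instead, then narrow the callers' rescues. With the `error` helper removed, `parse_ruby` no longer returns nil on failure, so confirm no other caller in the code base relied on that behaviour.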