brakeman-lib 5.0.0 → 5.1.0

data/lib/brakeman/options.rb

@@ -39,7 +39,7 @@ module Brakeman::Options
       OptionParser.new do |opts|
         opts.banner = "Usage: brakeman [options] rails/root/path"
 
-        opts.on "-n", "--no-threads", "Run checks sequentially" do
+        opts.on "-n", "--no-threads", "Run checks and file parsing sequentially" do
           options[:parallel_checks] = false
         end
 
@@ -151,6 +151,11 @@ module Brakeman::Options
           options[:safe_methods].merge methods.map {|e| e.to_sym }
         end
 
+        opts.on "--sql-safe-methods meth1,meth2,etc", Array, "Do not warn of SQL if the input is wrapped in a safe method" do |methods|
+          options[:sql_safe_methods] ||= Set.new
+          options[:sql_safe_methods].merge methods.map {|e| e.to_sym }
+        end
+
         opts.on "--url-safe-methods method1,method2,etc", Array, "Do not warn of XSS if the link_to href parameter is wrapped in a safe method" do |methods|
           options[:url_safe_methods] ||= Set.new
           options[:url_safe_methods].merge methods.map {|e| e.to_sym }
@@ -233,7 +238,7 @@ module Brakeman::Options
 
         opts.on "-f",
           "--format TYPE",
-          [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table, :junit, :sarif, :sonar],
+          [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table, :junit, :sarif, :sonar, :github],
           "Specify output formats. Default is text" do |type|
 
           type = "s" if type == :text

data/lib/brakeman/parsers/template_parser.rb

@@ -9,6 +9,7 @@ module Brakeman
     def initialize tracker, file_parser
       @tracker = tracker
       @file_parser = file_parser
+      @slim_smart = nil # Load slim/smart ?
     end
 
     def parse_template path, text
@@ -88,6 +89,14 @@ module Brakeman
 
     def parse_slim path, text
       Brakeman.load_brakeman_dependency 'slim'
+
+      if @slim_smart.nil? and load_slim_smart?
+        @slim_smart = true
+        Brakeman.load_brakeman_dependency 'slim/smart'
+      else
+        @slim_smart = false
+      end
+
       require_relative 'slim_embedded'
 
       Slim::Template.new(path,
@@ -95,6 +104,21 @@ module Brakeman
                          :generator => Temple::Generators::RailsOutputBuffer) { text }.precompiled_template
     end
 
+    def load_slim_smart?
+      return !@slim_smart unless @slim_smart.nil?
+
+      # Terrible hack to find
+      #   gem "slim", "~> 3.0.1", require: ["slim", "slim/smart"]
+      if tracker.app_tree.exists? 'Gemfile'
+        gemfile_contents = tracker.app_tree.file_path('Gemfile').read
+        if gemfile_contents.include? 'slim/smart'
+          return true
+        end
+      end
+
+      false
+    end
+
     def self.parse_inline_erb tracker, text
       fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
       tp = self.new(tracker, fp)

data/lib/brakeman/processors/alias_processor.rb

@@ -183,6 +183,12 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       return exp
     end
 
+    # If x(*[1,2,3]) change to x(1,2,3)
+    # if that's the only argument
+    if splat_array? exp.first_arg and exp.second_arg.nil?
+      exp.arglist = exp.first_arg[1].sexp_body
+    end
+
     target = exp.target
     method = exp.method
     first_arg = exp.first_arg
@@ -195,11 +201,20 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       res = process_or_simple_operation(exp)
       return res if res
     elsif target == ARRAY_CONST and method == :new
-      return Sexp.new(:array, *exp.args)
+      return Sexp.new(:array, *exp.args).line(exp.line)
     elsif target == HASH_CONST and method == :new and first_arg.nil? and !node_type?(@exp_context.last, :iter)
-      return Sexp.new(:hash)
+      return Sexp.new(:hash).line(exp.line)
     elsif exp == RAILS_TEST or exp == RAILS_DEV
-      return Sexp.new(:false)
+      return Sexp.new(:false).line(exp.line)
+    end
+
+    # For the simplest case of `Foo.thing`
+    if node_type? target, :const and first_arg.nil?
+      if tracker and (klass = tracker.find_class(class_name(target.value)))
+        if return_value = klass.get_simple_method_return_value(:class, method)
+          return return_value.deep_clone(exp.line)
+        end
+      end
     end
 
     #See if it is possible to simplify some basic cases
@@ -214,13 +229,28 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         exp = math_op(:+, target, first_arg, exp)
       end
     when :-, :*, :/
-      exp = math_op(method, target, first_arg, exp)
+      if method == :* and array? target
+        if string? first_arg
+          exp = process_array_join(target, first_arg)
+        end
+      else
+        exp = math_op(method, target, first_arg, exp)
+      end
     when :[]
       if array? target
         exp = process_array_access(target, exp.args, exp)
       elsif hash? target
         exp = process_hash_access(target, first_arg, exp)
       end
+    when :fetch
+      if array? target
+        # Not dealing with default value
+        # so just pass in first argument, but process_array_access expects
+        # an array of arguments.
+        exp = process_array_access(target, [first_arg], exp)
+      elsif hash? target
+        exp = process_hash_access(target, first_arg, exp)
+      end
     when :merge!, :update
       if hash? target and hash? first_arg
          target = process_hash_merge! target, first_arg
@@ -237,7 +267,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         env[target_var] = target
         return target
       elsif string? target and string_interp? first_arg
-        exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg.sexp_body(2))
+        exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg.sexp_body(2)).line(exp.line)
         env[target_var] = exp
       elsif string? first_arg and string_interp? target
         if string? target.last
@@ -260,6 +290,12 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         target = find_push_target(target_var)
         env[target] = exp unless target.nil? # Happens in TemplateAliasProcessor
       end
+    when :push
+      if array? target
+        target << first_arg
+        env[target_var] = target
+        return target
+      end
     when :first
       if array? target and first_arg.nil? and sexp? target[1]
         exp = target[1]
@@ -273,7 +309,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         exp = target
       end
     when :join
-      if array? target and target.length > 2 and (string? first_arg or first_arg.nil?)
+      if array? target and (string? first_arg or first_arg.nil?)
         exp = process_array_join(target, first_arg)
       end
     when :!
@@ -281,6 +317,15 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       if call? target and target.method == :!
         exp = s(:or, s(:true).line(exp.line), s(:false).line(exp.line)).line(exp.line)
       end
+    when :values
+      # Hash literal
+      if node_type? target, :hash
+        exp = hash_values(target)
+      end
+    when :values_at
+      if node_type? target, :hash
+        exp = hash_values_at target, exp.args
+      end
     end
 
     exp
@@ -288,7 +333,12 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
 
   # Painful conversion of Array#join into string interpolation
   def process_array_join array, join_str
-    result = s()
+    # Empty array
+    if array.length == 1
+      return s(:str, '').line(array.line)
+    end
+
+    result = s().line(array.line)
 
     join_value = if string? join_str
                    join_str.value
@@ -296,8 +346,10 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
                    nil
                  end
 
-    array[1..-2].each do |e|
-      result << join_item(e, join_value)
+    if array.length > 2
+      array[1..-2].each do |e|
+        result << join_item(e, join_value)
+      end
     end
 
     result << join_item(array.last, nil)
@@ -326,24 +378,32 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     result.unshift combined_first
 
     # Have to fix up strings that follow interpolation
-    result.reduce(s(:dstr)) do |memo, e|
+    string = result.reduce(s(:dstr).line(array.line)) do |memo, e|
       if string? e and node_type? memo.last, :evstr
         e.value = "#{join_value}#{e.value}"
       elsif join_value and node_type? memo.last, :evstr and node_type? e, :evstr
-        memo << s(:str, join_value)
+        memo << s(:str, join_value).line(e.line)
       end
 
       memo << e
     end
+
+    # Convert (:dstr, "hello world")
+    # to (:str, "hello world")
+    if string.length == 2 and string.last.is_a? String
+      string[0] = :str
+    end
+
+    string
   end
 
   def join_item item, join_value
     if item.is_a? String
       "#{item}#{join_value}"
     elsif string? item or symbol? item or number? item
-      s(:str, "#{item.value}#{join_value}")
+      s(:str, "#{item.value}#{join_value}").line(item.line)
     else
-      s(:evstr, item)
+      s(:evstr, item).line(item.line)
     end
   end
 
@@ -359,6 +419,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     s(:call, TEMP_FILE_CLASS, :new).line(line)
   end
 
+  def splat_array? exp
+    node_type? exp, :splat and
+      node_type? exp[1], :array
+  end
+
   def process_iter exp
     @exp_context.push exp
     exp[1] = process exp.block_call
@@ -679,7 +744,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         end
       end
     else
-      new_value = process s(:call, s(:call, target_var, :[], index), exp[3], value)
+      new_value = process s(:call, s(:call, target_var, :[], index), exp[3], value).line(exp.line)
 
       env[match] = new_value
     end
@@ -738,6 +803,18 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     exp
   end
 
+  def hash_or_array_include_all_literals? exp
+    return unless call? exp and sexp? exp.target
+    target = exp.target
+
+    case target.node_type
+    when :hash
+      hash_include_all_literals? exp
+    else
+      array_include_all_literals? exp
+    end
+  end
+
   # Check if exp is a call to Array#include? on an array literal
   # that contains all literal values. For example:
   #
@@ -756,6 +833,16 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     (all_literals? exp.target or dir_glob? exp.target)
   end
 
+  # Check if exp is a call to Hash#include? on a hash literal
+  # that contains all literal values. For example:
+  #
+  #    {x: 1}.include? x
+  def hash_include_all_literals? exp
+    call? exp and
+    exp.method == :include? and
+    all_literals? exp.target, :hash
+  end
+
   #Sets @inside_if = true
   def process_if exp
     if @ignore_ifs.nil?
@@ -796,7 +883,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         scope do
           @branch_env = env.current
           branch_index = 2 + i # s(:if, condition, then_branch, else_branch)
-          if i == 0 and array_include_all_literals? condition
+          if i == 0 and hash_or_array_include_all_literals? condition
             # If the condition is ["a", "b"].include? x
             # set x to "a" inside the true branch
             var = condition.first_arg
@@ -804,7 +891,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
             env.current[var] = safe_literal(var.line)
             exp[branch_index] = process_if_branch branch
             env.current[var] = previous_value
-          elsif i == 1 and array_include_all_literals? condition and early_return? branch
+          elsif i == 1 and hash_or_array_include_all_literals? condition and early_return? branch
             var = condition.first_arg
             env.current[var] = safe_literal(var.line)
             exp[branch_index] = process_if_branch branch
@@ -1002,8 +1089,8 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     method_name = call.method
 
     #Look for helper methods and see if we can get a return value
-    if found_method = find_method(method_name, @current_class)
-      helper = found_method[:method]
+    if found_method = tracker.find_method(method_name, @current_class)
+      helper = found_method.src
 
       if sexp? helper
         value = process_helper_method helper, call.args

data/lib/brakeman/processors/base_processor.rb

@@ -8,7 +8,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
   include Brakeman::SafeCallHelper
   include Brakeman::Util
 
-  IGNORE = Sexp.new :ignore
+  IGNORE = Sexp.new(:ignore).line(0)
 
   #Return a new Processor.
   def initialize tracker
@@ -216,7 +216,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
   #
   #And also :layout for inside templates
   def find_render_type call, in_view = false
-    rest = Sexp.new(:hash)
+    rest = Sexp.new(:hash).line(call.line)
     type = nil
     value = nil
     first_arg = call.first_arg
@@ -236,7 +236,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
       end
     elsif first_arg.is_a? Symbol or first_arg.is_a? String
       type = :action
-      value = Sexp.new(:lit, first_arg.to_sym)
+      value = Sexp.new(:lit, first_arg.to_sym).line(call.line)
     elsif first_arg.nil?
       type = :default
     elsif not hash? first_arg
@@ -293,6 +293,6 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     @tracker.processor.process_template(template_name, ast, type, nil, @current_file)
     @tracker.processor.process_template_alias(@tracker.templates[template_name])
 
-    return s(:lit, template_name), options
+    return s(:lit, template_name).line(value.line), options
   end
 end

data/lib/brakeman/processors/controller_alias_processor.rb

@@ -51,7 +51,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
         #Need to process the method like it was in a controller in order
         #to get the renders set
         processor = Brakeman::ControllerProcessor.new(@tracker, mixin.file)
-        method = mixin.get_method(name)[:src].deep_clone
+        method = mixin.get_method(name).src.deep_clone
 
         if node_type? method, :defn
           method = processor.process_defn method
@@ -143,16 +143,16 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
   #Basically, adds any instance variable assignments to the environment.
   #TODO: method arguments?
   def process_before_filter name
-    filter = find_method name, @current_class
+    filter = tracker.find_method name, @current_class
 
     if filter.nil?
       Brakeman.debug "[Notice] Could not find filter #{name}"
       return
     end
 
-    method = filter[:method]
+    method = filter.src
 
-    if ivars = @tracker.filter_cache[[filter[:controller], name]]
+    if ivars = @tracker.filter_cache[[filter.owner, name]]
       ivars.each do |variable, value|
         env[variable] = value
       end
@@ -162,7 +162,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
 
       ivars = processor.only_ivars(:include_request_vars).all
 
-      @tracker.filter_cache[[filter[:controller], name]] = ivars
+      @tracker.filter_cache[[filter.owner, name]] = ivars
 
       ivars.each do |variable, value|
         env[variable] = value
@@ -182,7 +182,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
     # method as the line number
     if line.nil? and controller = @tracker.controllers[@current_class]
       if meth = controller.get_method(@current_method)
-        if line = meth[:src] && meth[:src].last && meth[:src].last.line
+        if line = meth.src && meth.src.last && meth.src.last.line
           line += 1
         else
           line = 1
@@ -241,41 +241,4 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
       []
     end
   end
-
-  #Finds a method in the given class or a parent class
-  #
-  #Returns nil if the method could not be found.
-  #
-  #If found, returns hash table with controller name and method sexp.
-  def find_method method_name, klass
-    return nil if sexp? method_name
-    method_name = method_name.to_sym
-
-    if method = @method_cache[method_name]
-      return method
-    end
-
-    controller = @tracker.controllers[klass]
-    controller ||= @tracker.libs[klass]
-
-    if klass and controller
-      method = controller.get_method method_name
-
-      if method.nil?
-        controller.includes.each do |included|
-          method = find_method method_name, included
-          if method
-            @method_cache[method_name] = method
-            return method
-          end
-       end
-
-        @method_cache[method_name] = find_method method_name, controller.parent
-      else
-        @method_cache[method_name] = { :controller => controller.name, :method => method[:src] }
-      end
-    else
-      nil
-    end
-  end
 end