brakeman-lib 5.0.0 → 5.1.0

data/lib/brakeman/processors/lib/call_conversion_helper.rb

@@ -1,11 +1,5 @@
 module Brakeman
   module CallConversionHelper
-    def all_literals? exp, expected_type = :array
-      node_type? exp, expected_type and
-        exp.length > 1 and
-        exp.all? { |e| e.is_a? Symbol or node_type? e, :lit, :str }
-    end
-
     # Join two array literals into one.
     def join_arrays lhs, rhs, original_exp = nil
       if array? lhs and array? rhs
@@ -76,6 +70,8 @@ module Brakeman
 
         #Have to do this because first element is :array and we have to skip it
         array[1..-1][index] or original_exp
+      elsif all_literals? array
+        safe_literal(array.line)
       else
         original_exp
       end
@@ -92,5 +88,13 @@ module Brakeman
         original_exp
       end
     end
+
+    def hash_values_at hash, keys
+      values = keys.map do |key|
+        process_hash_access hash, key
+      end
+
+      Sexp.new(:array).concat(values).line(hash.line)
+    end
   end
 end

data/lib/brakeman/processors/lib/rails4_config_processor.rb

@@ -2,10 +2,11 @@ require 'brakeman/processors/lib/rails3_config_processor'
 
 class Brakeman::Rails4ConfigProcessor < Brakeman::Rails3ConfigProcessor
   APPLICATION_CONFIG = s(:call, s(:call, s(:const, :Rails), :application), :configure)
+  ALT_APPLICATION_CONFIG = s(:call, s(:call, s(:colon3, :Rails), :application), :configure)
 
   # Look for Rails.application.configure do ... end
   def process_iter exp
-    if exp.block_call == APPLICATION_CONFIG
+    if exp.block_call == APPLICATION_CONFIG or exp.block_call == ALT_APPLICATION_CONFIG
       @inside_config = true
       process exp.block if sexp? exp.block
       @inside_config = false

data/lib/brakeman/processors/library_processor.rb

@@ -54,6 +54,15 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
 
   def process_call exp
     if process_call_defn? exp
+      exp
+    elsif @current_method.nil? and exp.target.nil? and (@current_class or @current_module)
+      # Methods called inside class / module
+      case exp.method
+      when :include
+        module_name = class_name(exp.first_arg)
+        (@current_class || @current_module).add_include module_name
+      end
+
       exp
     else
       process_default exp

data/lib/brakeman/processors/model_processor.rb

@@ -73,6 +73,8 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
           @current_class.set_attr_accessible exp
         when :attr_protected
           @current_class.set_attr_protected exp
+        when :enum
+          add_enum_method exp
         else
           if @current_class
             @current_class.add_option method, exp
@@ -87,4 +89,33 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
       call
     end
   end
+
+  def add_enum_method call
+    arg = call.first_arg
+    return unless hash? arg
+
+    enum_name = arg[1].value # first key
+    enums = arg[2] # first value
+    enums_name = pluralize(enum_name.to_s).to_sym
+
+    call_line = call.line
+
+    if hash? enums
+      enum_values = enums
+    elsif array? enums
+      # Build hash for enum values like Rails does
+      enum_values = s(:hash).line(call_line)
+
+      enums.each_sexp.with_index do |v, index|
+        enum_values << v
+        enum_values << s(:lit, index).line(call_line)
+      end
+    end
+
+    enum_method = s(:defn, enum_name, s(:args), safe_literal(call_line))
+    enums_method = s(:defs, s(:self), enums_name, s(:args), enum_values)
+
+    @current_class.add_method :public, enum_name, enum_method, @current_file
+    @current_class.add_method :public, enums_name, enums_method, @current_file
+  end
 end

data/lib/brakeman/report.rb

@@ -6,7 +6,7 @@ require 'brakeman/report/report_base'
 class Brakeman::Report
   attr_reader :tracker
 
-  VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain, :to_text, :to_junit]
+  VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain, :to_text, :to_junit, :to_github]
 
   def initialize tracker
     @app_tree = tracker.app_tree
@@ -48,6 +48,9 @@ class Brakeman::Report
     when :to_sonar
       require_report 'sonar'
       Brakeman::Report::Sonar
+    when :to_github
+      require_report 'github'
+      Brakeman::Report::Github
     else
       raise "Invalid format: #{format}. Should be one of #{VALID_FORMATS.inspect}"
     end

data/lib/brakeman/report/ignore/config.rb

@@ -100,14 +100,14 @@ module Brakeman
 
     # Read configuration to file
     def read_from_file file = @file
-      if File.exist? file
+      if File.exist? file.absolute
         begin
           @already_ignored = JSON.parse(File.read(file), :symbolize_names => true)[:ignored_warnings]
         rescue => e
-          raise e, "\nError[#{e.class}] while reading brakeman ignore file: #{file}\n"
+          raise e, "\nError[#{e.class}] while reading brakeman ignore file: #{file.relative}\n"
         end
       else
-        Brakeman.notify "[Notice] Could not find ignore configuration in #{file}"
+        Brakeman.notify "[Notice] Could not find ignore configuration in #{file.relative}"
         @already_ignored = []
       end
 
@@ -134,7 +134,7 @@ module Brakeman
         :brakeman_version => Brakeman::Version
       }
 
-      File.open file, "w" do |f|
+      File.open file.absolute, "w" do |f|
         f.puts JSON.pretty_generate(output)
       end
     end

data/lib/brakeman/report/ignore/interactive.rb

@@ -62,7 +62,7 @@ module Brakeman
           process_warnings
         end
 
-        m.choice "Hide previously ignored warnings" do
+        m.choice "Inspect new warnings" do
           @skip_ignored = true
           pre_show_help
           process_warnings

data/lib/brakeman/report/report_github.rb

@@ -0,0 +1,31 @@
+# Github Actions Formatter
+# Formats warnings as workflow commands to create annotations in GitHub UI
+class Brakeman::Report::Github < Brakeman::Report::Base
+  def generate_report
+    # @see https://docs.github.com/en/actions/reference/workflow-commands-for-github-actions#setting-a-warning-message
+    errors.concat(warnings).join("\n")
+  end
+
+  def warnings
+    all_warnings
+      .map { |warning| "::warning file=#{warning_file(warning)},line=#{warning.line}::#{warning.message}" }
+  end
+
+  def errors
+    tracker.errors.map do |error|
+      if error[:exception].is_a?(Racc::ParseError)
+        # app/services/balance.rb:4 :: parse error on value "..." (tDOT3)
+        file, line = error[:exception].message.split(':').map(&:strip)[0,2]
+        "::error file=#{file},line=#{line}::#{clean_message(error[:error])}"
+      else
+        "::error ::#{clean_message(error[:error])}"
+      end
+    end
+  end
+
+  private
+
+  def clean_message(msg)
+    msg.gsub('::','').squeeze(' ')
+  end
+end

data/lib/brakeman/report/report_sarif.rb

@@ -48,7 +48,7 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
   end
 
   def results
-    @results ||= all_warnings.map do |warning|
+    @results ||= tracker.checks.all_warnings.map do |warning|
       rule_id = render_id warning
       result_level = infer_level warning
       message_text = render_message warning.message.to_s
@@ -72,6 +72,23 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
         ],
       }
 
+      if @ignore_filter && @ignore_filter.ignored?(warning)
+        result[:suppressions] = [
+          {
+            :kind => 'external',
+            :justification => @ignore_filter.note_for(warning),
+            :location => {
+              :physicalLocation => {
+                :artifactLocation => {
+                  :uri => @ignore_filter.file.relative,
+                  :uriBaseId => '%SRCROOT%',
+                },
+              },
+            },
+          }
+        ]
+      end
+
       result
     end
   end
@@ -85,7 +102,7 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
 
   # Returns a de-duplicated set of warnings, used to generate rules
   def unique_warnings_by_warning_code
-    @unique_warnings_by_warning_code ||= all_warnings.uniq { |w| w.warning_code }
+    @unique_warnings_by_warning_code ||= tracker.checks.all_warnings.uniq { |w| w.warning_code }
   end
 
   def render_id warning
@@ -94,6 +111,8 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
   end
 
   def render_message message
+    return message if message.nil?
+
     # Ensure message ends with a period
     if message.end_with? "."
       message

data/lib/brakeman/rescanner.rb

@@ -391,7 +391,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
 
   def parse_ruby_files list
     paths = list.select(&:exists?)
-    file_parser = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
+    file_parser = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout], tracker.options[:parallel_checks])
     file_parser.parse_files paths
     tracker.add_errors(file_parser.errors)
     file_parser.file_list

data/lib/brakeman/scanner.rb

@@ -71,7 +71,7 @@ class Brakeman::Scanner
   end
 
   def parse_files
-    fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
+    fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout], tracker.options[:parallel_checks])
 
     fp.parse_files tracker.app_tree.ruby_file_paths
 
@@ -353,6 +353,9 @@ class Brakeman::Scanner
   def parse_ruby_file file
     fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
     fp.parse_ruby(file.read, file)
+  rescue Exception => e
+    tracker.error(e)
+    nil
   end
 end
 

data/lib/brakeman/tracker.rb

@@ -35,6 +35,7 @@ class Brakeman::Tracker
     #class they are.
     @models = {}
     @models[UNKNOWN_MODEL] = Brakeman::Model.new(UNKNOWN_MODEL, nil, @app_tree.file_path("NOT_REAL.rb"), nil, self)
+    @method_cache = {}
     @routes = {}
     @initializers = {}
     @errors = []
@@ -99,8 +100,8 @@ class Brakeman::Tracker
     classes.each do |set|
       set.each do |set_name, collection|
         collection.each_method do |method_name, definition|
-          src = definition[:src]
-          yield src, set_name, method_name, definition[:file]
+          src = definition.src
+          yield src, set_name, method_name, definition.file
         end
       end
     end
@@ -220,6 +221,34 @@ class Brakeman::Tracker
     nil
   end
 
+  def find_method method_name, class_name, method_type = :instance
+    return nil unless method_name.is_a? Symbol
+
+    klass = find_class(class_name)
+    return nil unless klass
+
+    cache_key = [klass, method_name, method_type]
+
+    if method = @method_cache[cache_key]
+      return method
+    end
+
+    if method = klass.get_method(method_name, method_type)
+      return method
+    else
+      # Check modules included for method definition
+      # TODO: only for instance methods, otherwise check extends!
+      klass.includes.each do |included_name|
+        if method = find_method(method_name, included_name, method_type)
+          return (@method_cache[cache_key] = method)
+        end
+      end
+
+      # Not in any included modules, check the parent
+      @method_cache[cache_key] = find_method(method_name, klass.parent)
+    end
+  end
+
   def index_call_sites
     finder = Brakeman::FindAllCalls.new self
 
@@ -285,8 +314,8 @@ class Brakeman::Tracker
     method_sets.each do |set|
       set.each do |set_name, info|
         info.each_method do |method_name, definition|
-          src = definition[:src]
-          finder.process_source src, :class => set_name, :method => method_name, :file => definition[:file]
+          src = definition.src
+          finder.process_source src, :class => set_name, :method => method_name, :file => definition.file
         end
       end
     end

data/lib/brakeman/tracker/collection.rb

@@ -1,4 +1,5 @@
 require 'brakeman/util'
+require 'brakeman/tracker/method_info'
 
 module Brakeman
   class Collection
@@ -13,6 +14,8 @@ module Brakeman
       @src = {}
       @includes = []
       @methods = { :public => {}, :private => {}, :protected => {} }
+      @class_methods = {}
+      @simple_methods = { :class => {}, instance: {} }
       @options = {}
       @tracker = tracker
 
@@ -22,7 +25,7 @@ module Brakeman
     def ancestor? parent, seen={}
       seen[self.name] = true
 
-      if self.parent == parent or seen[self.parent]
+      if self.parent == parent or self.name == parent or seen[self.parent]
         true
       elsif parent_model = collection[self.parent]
         parent_model.ancestor? parent, seen
@@ -37,7 +40,7 @@ module Brakeman
     end
 
     def add_include class_name
-      @includes << class_name
+      @includes << class_name unless ancestor?(class_name)
     end
 
     def add_option name, exp
@@ -46,11 +49,17 @@ module Brakeman
     end
 
     def add_method visibility, name, src, file_name
+      meth_info = Brakeman::MethodInfo.new(name, src, self, file_name)
+      add_simple_method_maybe meth_info
+
       if src.node_type == :defs
+        @class_methods[name] = meth_info
+
+        # TODO fix this weirdness
         name = :"#{src[1]}.#{name}"
       end
 
-      @methods[visibility][name] = { :src => src, :file => file_name }
+      @methods[visibility][name] = meth_info
     end
 
     def each_method
@@ -61,16 +70,31 @@ module Brakeman
       end
     end
 
-    def get_method name
-      each_method do |n, info|
-        if n == name
-          return info
+    def get_method name, type = :instance
+      case type
+      when :class
+        get_class_method name
+      when :instance
+        get_instance_method name
+      else
+        raise "Unexpected method type: #{type.inspect}"
+      end
+    end
+
+    def get_instance_method name
+      @methods.each do |_vis, meths|
+        if meths[name]
+          return meths[name]
         end
       end
 
       nil
     end
 
+    def get_class_method name
+      @class_methods[name]
+    end
+
     def file
       @files.first
     end
@@ -90,5 +114,31 @@ module Brakeman
     def methods_public
       @methods[:public]
     end
+
+    def get_simple_method_return_value type, name
+      @simple_methods[type][name]
+    end
+
+    private
+
+    def add_simple_method_maybe meth_info
+      if meth_info.very_simple_method?
+        add_simple_method meth_info
+      end
+    end
+
+    def add_simple_method meth_info
+      name = meth_info.name
+      value = meth_info.return_value
+
+      case meth_info.src.node_type
+      when :defn
+        @simple_methods[:instance][name] = value
+      when :defs
+        @simple_methods[:class][name] = value
+      else
+        raise "Expected sexp type: #{src.node_type}"
+      end
+    end
   end
 end