brakeman-lib 5.0.2 → 5.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d16867dd5c48de9ec2975e1dc420e3a5154939361988d70c4217f251881452ed
-  data.tar.gz: f5cae624d83a1298fb3f07108c76d1f55c756404d6998fccfd9e5fcfe69a068e
+  metadata.gz: 650df7997ecbf4c9bf7c1ea47ef851ec2eac1593d0c9fed8197ca5aa78f8fded
+  data.tar.gz: 9582c10b7cd30496793d5d1b3ddbd88fbf610fa834bdab402267c4ad73962622
 SHA512:
-  metadata.gz: f8724b266165ef9ed4ad926432e0786b955cb2e98b56e7100354b0ad04a51cc0eaa139343a769980852ae615bd209e8854f6f83616b0703d3a2aaf08229860c6
-  data.tar.gz: 963f46a856d6f943c74c6aca8ec3f3dc61ae3d82758fbfdda63bb4fc789ff95535f49cc73f9abef4cf1553323606d4fd50c8a03082178a6dd3cea0883e544a40
+  metadata.gz: bdcc242df0b6e60ba87e1d4445c56bf7ed6c2c2a0dfdd34904fc41369f9b05ed9e370a1c2cf80a6d45d9b1cedcc1f1e56600b96f47437a9ffb6f343a01c41385
+  data.tar.gz: d623285512f64799f9e230289f6c864bcb937770d781a974c1c4ac224ff1a89ac104fd0fc4fcc98c2b840ea68b5f8ddf1b67781b85cbc7257099995848b8f9ef

data/CHANGES.md

@@ -1,3 +1,48 @@
+# 5.1.2 - 2021-10-28
+
+* Handle cases where enums are not symbols
+* Support newer Haml with ::Haml::AttributeBuilder.build
+* Fix issue where the previous output is still visible (Jason Frey)
+* Fix warning sorting with nil line numbers
+* Update for latest RubyParser (Ryan Davis)
+
+# 5.1.1 - 2021-07-19
+
+* Unrefactor IgnoreConfig's use of `Brakeman::FilePath`
+
+# 5.1.0 - 2021-07-19
+
+* Initial support for ActiveRecord enums
+* Support `Hash#include?`
+* Interprocedural dataflow from very simple class methods
+* Fix SARIF report when checks have no description (Eli Block)
+* Add ignored warnings to SARIF report (Eli Block)
+* Add `--sql-safe-methods` option (Esty Scheiner)
+* Update SQL injection check for Rails 6.0/6.1
+* Fix false positive in command injection with `Open3.capture` (Richard Fitzgerald)
+* Fix infinite loop on mixin self-includes (Andrew Szczepanski)
+* Ignore dates in SQL
+* Refactor `cookie?`/`param?` methods (Keenan Brock)
+* Ignore renderables in dynamic render path check (Brad Parker)
+* Support `Array#push`
+* Better `Array#join` support
+* Adjust copy of `--interactive` menu (Elia Schito)
+* Support `Array#*`
+* Better method definition tracking and lookup
+* Support `Hash#values` and `Hash#values_at`
+* Check for user-controlled evaluation even if it's a call target
+* Support `Array#fetch` and `Hash#fetch`
+* Ignore `sanitize_sql_like` in SQL
+* Ignore method calls on numbers in SQL
+* Add GitHub Actions format (Klaus Badelt)
+* Read and parse files in parallel
+
+# 5.0.4 - 2021-06-08
+
+(brakeman gem release only)
+
+* Update bundled `ruby_parser` to include argument forwarding support
+
 # 5.0.2 - 2021-06-07
 
 * Fix Loofah version check
@@ -412,7 +457,7 @@
 * Delay loading vendored gems and modifying load path
 * Avoid warning about SQL injection with `quoted_primary_key`
 * Support more safe `&.` operations
-* Allow multile line regex in `validates_format_of` (Dmitrij Fedorenko)
+* Allow multiple line regex in `validates_format_of` (Dmitrij Fedorenko)
 * Only consider `if` branches in templates
 * Avoid overwriting instance/class methods with same name (Tim Wade)
 * Add `--force-scan` option (Neil Matatall)

data/README.md

@@ -66,7 +66,7 @@ Outside of Rails root (note that the output file is relative to path/to/rails/ap
 
 Brakeman should work with any version of Rails from 2.3.x to 6.x.
 
-Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 2.3.0 to run.
+Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 2.4.0 to run.
 
 # Basic Options
 

data/lib/brakeman/app_tree.rb

@@ -28,7 +28,7 @@ module Brakeman
     # Accepts an array of filenames and paths with the following format and
     # returns a Regexp to match them:
     #   * "path1/file1.rb" - Matches a specific filename in the project directory.
-    #   * "path1/" - Matches any path that conatains "path1" in the project directory.
+    #   * "path1/" - Matches any path that contains "path1" in the project directory.
     #   * "/path1/ - Matches any path that is rooted at "path1" in the project directory.
     #
     def self.regex_for_paths(paths)

data/lib/brakeman/checks/check_execute.rb

@@ -87,6 +87,16 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
                   dangerous_interp?(first_arg) ||
                   dangerous_string_building?(first_arg)
       end
+    when :capture2, :capture2e, :capture3
+      # Open3 capture methods can take a :stdin_data argument which is used as the
+      # the input to the called command so it is not succeptable to command injection.
+      # As such if the last argument is a hash (and therefore execution options) it
+      # should be ignored
+
+      args.pop if hash?(args.last) && args.length > 2
+      failure = include_user_input?(args) ||
+                dangerous_interp?(args) ||
+                dangerous_string_building?(args)
     else
       failure = include_user_input?(args) ||
                 dangerous_interp?(args) ||

data/lib/brakeman/checks/check_json_parsing.rb

@@ -74,7 +74,7 @@ class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
     warning_type = "Denial of Service"
     confidence = :medium
     gem_name = "#{name} gem"
-    message = msg(msg_version(version, gem_name), " has a symbol creation vulnerablity. Upgrade to ")
+    message = msg(msg_version(version, gem_name), " has a symbol creation vulnerability. Upgrade to ")
 
     if version >= "1.7.0"
       confidence = :high

data/lib/brakeman/checks/check_render.rb

@@ -33,6 +33,7 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
     view = result[:call][2]
 
     if sexp? view and original? result
+      return if renderable?(view)
 
       if input = has_immediate_user_input?(view)
         if string_interp? view
@@ -94,4 +95,17 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
       end
     end
   end
-end 
+
+  def renderable? exp
+    return false unless call?(exp) and constant?(exp.target)
+
+    target_class_name = class_name(exp.target)
+    known_renderable_class?(target_class_name) or tracker.find_method(:render_in, target_class_name)
+  end
+
+  def known_renderable_class? class_name
+    klass = tracker.find_class(class_name)
+    return false if klass.nil?
+    klass.ancestor? :"ViewComponent::Base"
+  end
+end

data/lib/brakeman/checks/check_sql.rb

@@ -22,7 +22,19 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
                     :find_by_sql, :maximum, :minimum, :pluck, :sum, :update_all]
     @sql_targets.concat [:from, :group, :having, :joins, :lock, :order, :reorder, :where] if tracker.options[:rails3]
     @sql_targets.concat [:find_by, :find_by!, :find_or_create_by, :find_or_create_by!, :find_or_initialize_by, :not] if tracker.options[:rails4]
-    @sql_targets << :delete_by << :destroy_by if tracker.options[:rails6]
+
+    if tracker.options[:rails6]
+      @sql_targets.concat [:delete_by, :destroy_by, :rewhere, :reselect]
+
+      @sql_targets.delete :delete_all
+      @sql_targets.delete :destroy_all
+    end
+
+    if version_between?("6.1.0", "9.9.9")
+      @sql_targets.delete :order
+      @sql_targets.delete :reorder
+      @sql_targets.delete :pluck
+    end
 
     if version_between?("2.0.0", "3.9.9") or tracker.config.rails_version.nil?
       @sql_targets << :first << :last << :all
@@ -185,7 +197,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
                         else
                           check_find_arguments call.last_arg
                         end
-                      when :where, :having, :find_by, :find_by!, :find_or_create_by, :find_or_create_by!, :find_or_initialize_by,:not, :delete_by, :destroy_by
+                      when :where, :rewhere, :having, :find_by, :find_by!, :find_or_create_by, :find_or_create_by!, :find_or_initialize_by,:not, :delete_by, :destroy_by
                         check_query_arguments call.arglist
                       when :order, :group, :reorder
                         check_order_arguments call.arglist
@@ -199,7 +211,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
                         unsafe_sql? call.first_arg
                       when :sql
                         unsafe_sql? call.first_arg
-                      when :update_all, :select
+                      when :update_all, :select, :reselect
                         check_update_all_arguments call.args
                       when *@connection_calls
                         check_by_sql_arguments call.first_arg
@@ -579,6 +591,10 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     :where_values_hash, :foreign_key, :uuid
   ]
 
+  def ignore_methods_in_sql
+    @ignore_methods_in_sql ||= IGNORE_METHODS_IN_SQL + (tracker.options[:sql_safe_methods] || [])
+  end
+
   def safe_value? exp
     return true unless sexp? exp
 
@@ -589,11 +605,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       if exp.method == :to_s or exp.method == :to_sym
         safe_value? exp.target
       else
-        IGNORE_METHODS_IN_SQL.include? exp.method or
-        quote_call? exp or
-        arel? exp or
-        exp.method.to_s.end_with? "_id" or
-        number_target? exp
+        ignore_call? exp
       end
     when :if
       safe_value? exp.then_clause and safe_value? exp.else_clause
@@ -608,6 +620,17 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     end
   end
 
+  def ignore_call? exp
+    return unless call? exp
+
+    ignore_methods_in_sql.include? exp.method or
+      quote_call? exp or
+      arel? exp or
+      exp.method.to_s.end_with? "_id" or
+      number_target? exp or
+      date_target? exp
+  end
+
   QUOTE_METHODS = [:quote, :quote_column_name, :quoted_date, :quote_string, :quote_table_name]
 
   def quote_call? exp
@@ -708,4 +731,18 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       false
     end
   end
+
+  DATE_CLASS = s(:const, :Date)
+
+  def date_target? exp
+    return unless call? exp
+
+    if exp.target == DATE_CLASS
+      true
+    elsif call? exp.target
+      date_target? exp.target
+    else
+     false
+    end 
+  end
 end

data/lib/brakeman/file_parser.rb

@@ -7,14 +7,22 @@ module Brakeman
   class FileParser
     attr_reader :file_list, :errors
 
-    def initialize app_tree, timeout
+    def initialize app_tree, timeout, parallel = true
       @app_tree = app_tree
       @timeout = timeout
       @file_list = []
       @errors = []
+      @parallel = parallel
     end
 
     def parse_files list
+      if @parallel
+        parallel_options = {}
+      else
+        # Disable parallelism
+        parallel_options = { in_threads: 0 }
+      end
+
       # Parse the files in parallel.
       # By default, the parsing will be in separate processes.
       # So we map the result to ASTFiles and/or Exceptions
@@ -25,7 +33,7 @@ module Brakeman
       # return types that are returned from isolated processes.
       #
       # Note this method no longer uses read_files
-      @file_list, new_errors = Parallel.map(list) do |file_name|
+      @file_list, new_errors = Parallel.map(list, parallel_options) do |file_name|
         file_path = @app_tree.file_path(file_name)
         contents = file_path.read
 

data/lib/brakeman/options.rb

@@ -39,7 +39,7 @@ module Brakeman::Options
       OptionParser.new do |opts|
         opts.banner = "Usage: brakeman [options] rails/root/path"
 
-        opts.on "-n", "--no-threads", "Run checks sequentially" do
+        opts.on "-n", "--no-threads", "Run checks and file parsing sequentially" do
           options[:parallel_checks] = false
         end
 
@@ -151,6 +151,11 @@ module Brakeman::Options
           options[:safe_methods].merge methods.map {|e| e.to_sym }
         end
 
+        opts.on "--sql-safe-methods meth1,meth2,etc", Array, "Do not warn of SQL if the input is wrapped in a safe method" do |methods|
+          options[:sql_safe_methods] ||= Set.new
+          options[:sql_safe_methods].merge methods.map {|e| e.to_sym }
+        end
+
         opts.on "--url-safe-methods method1,method2,etc", Array, "Do not warn of XSS if the link_to href parameter is wrapped in a safe method" do |methods|
           options[:url_safe_methods] ||= Set.new
           options[:url_safe_methods].merge methods.map {|e| e.to_sym }

data/lib/brakeman/processors/alias_processor.rb

@@ -208,6 +208,15 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       return Sexp.new(:false).line(exp.line)
     end
 
+    # For the simplest case of `Foo.thing`
+    if node_type? target, :const and first_arg.nil?
+      if tracker and (klass = tracker.find_class(class_name(target.value)))
+        if return_value = klass.get_simple_method_return_value(:class, method)
+          return return_value.deep_clone(exp.line)
+        end
+      end
+    end
+
     #See if it is possible to simplify some basic cases
     #of addition/concatenation.
     case method
@@ -314,8 +323,14 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         exp = hash_values(target)
       end
     when :values_at
-      if hash? target
-        exp = hash_values_at target, exp.args
+      if node_type? target, :hash
+        res = hash_values_at target, exp.args
+
+        # Only convert to array of values if _all_ keys
+        # are present in the hash.
+        unless res.any?(&:nil?)
+          exp = res
+        end
       end
     end
 
@@ -794,6 +809,18 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     exp
   end
 
+  def hash_or_array_include_all_literals? exp
+    return unless call? exp and sexp? exp.target
+    target = exp.target
+
+    case target.node_type
+    when :hash
+      hash_include_all_literals? exp
+    else
+      array_include_all_literals? exp
+    end
+  end
+
   # Check if exp is a call to Array#include? on an array literal
   # that contains all literal values. For example:
   #
@@ -812,6 +839,16 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     (all_literals? exp.target or dir_glob? exp.target)
   end
 
+  # Check if exp is a call to Hash#include? on a hash literal
+  # that contains all literal values. For example:
+  #
+  #    {x: 1}.include? x
+  def hash_include_all_literals? exp
+    call? exp and
+    exp.method == :include? and
+    all_literals? exp.target, :hash
+  end
+
   #Sets @inside_if = true
   def process_if exp
     if @ignore_ifs.nil?
@@ -852,7 +889,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         scope do
           @branch_env = env.current
           branch_index = 2 + i # s(:if, condition, then_branch, else_branch)
-          if i == 0 and array_include_all_literals? condition
+          if i == 0 and hash_or_array_include_all_literals? condition
             # If the condition is ["a", "b"].include? x
             # set x to "a" inside the true branch
             var = condition.first_arg
@@ -860,7 +897,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
             env.current[var] = safe_literal(var.line)
             exp[branch_index] = process_if_branch branch
             env.current[var] = previous_value
-          elsif i == 1 and array_include_all_literals? condition and early_return? branch
+          elsif i == 1 and hash_or_array_include_all_literals? condition and early_return? branch
             var = condition.first_arg
             env.current[var] = safe_literal(var.line)
             exp[branch_index] = process_if_branch branch

data/lib/brakeman/processors/haml_template_processor.rb

@@ -8,6 +8,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
   HAML_HELPERS2 = s(:colon2, s(:colon3, :Haml), :Helpers)
   JAVASCRIPT_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Javascript)
   COFFEE_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Coffee)
+  ATTRIBUTE_BUILDER = s(:colon2, s(:colon3, :Haml), :AttributeBuilder)
 
   def initialize *args
     super
@@ -133,6 +134,8 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
 
         get_pushed_value(exp.first_arg, default)
         @javascript = false
+      elsif haml_attribute_builder? exp
+        ignore # probably safe... seems escaped by default?
       else
         add_output exp, default
       end
@@ -154,6 +157,12 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
       exp.method == :attributes
   end
 
+  def haml_attribute_builder? exp
+    call? exp and
+      exp.target == ATTRIBUTE_BUILDER and
+      exp.method == :build
+  end
+
   def fix_textareas? exp
     call? exp and
       exp.target == HAMLOUT and

data/lib/brakeman/processors/lib/call_conversion_helper.rb

@@ -1,11 +1,5 @@
 module Brakeman
   module CallConversionHelper
-    def all_literals? exp, expected_type = :array
-      node_type? exp, expected_type and
-        exp.length > 1 and
-        exp.all? { |e| e.is_a? Symbol or node_type? e, :lit, :str }
-    end
-
     # Join two array literals into one.
     def join_arrays lhs, rhs, original_exp = nil
       if array? lhs and array? rhs
@@ -95,6 +89,8 @@ module Brakeman
       end
     end
 
+    # You must check the return value for `nil`s -
+    # which indicate a key could not be found.
     def hash_values_at hash, keys
       values = keys.map do |key|
         process_hash_access hash, key

data/lib/brakeman/processors/model_processor.rb

@@ -73,6 +73,8 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
           @current_class.set_attr_accessible exp
         when :attr_protected
           @current_class.set_attr_protected exp
+        when :enum
+          add_enum_method exp
         else
           if @current_class
             @current_class.add_option method, exp
@@ -87,4 +89,34 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
       call
     end
   end
+
+  def add_enum_method call
+    arg = call.first_arg
+    return unless hash? arg
+    return unless symbol? arg[1]
+
+    enum_name = arg[1].value # first key
+    enums = arg[2] # first value
+    enums_name = pluralize(enum_name.to_s).to_sym
+
+    call_line = call.line
+
+    if hash? enums
+      enum_values = enums
+    elsif array? enums
+      # Build hash for enum values like Rails does
+      enum_values = s(:hash).line(call_line)
+
+      enums.each_sexp.with_index do |v, index|
+        enum_values << v
+        enum_values << s(:lit, index).line(call_line)
+      end
+    end
+
+    enum_method = s(:defn, enum_name, s(:args), safe_literal(call_line))
+    enums_method = s(:defs, s(:self), enums_name, s(:args), enum_values)
+
+    @current_class.add_method :public, enum_name, enum_method, @current_file
+    @current_class.add_method :public, enums_name, enums_method, @current_file
+  end
 end

data/lib/brakeman/report/ignore/config.rb

@@ -126,7 +126,7 @@ module Brakeman
 
         w[:note] = @notes[w[:fingerprint]] || ""
         w
-      end.sort_by { |w| [w[:fingerprint], w[:line]] }
+      end.sort_by { |w| [w[:fingerprint], w[:line] || 0] }
 
       output = {
         :ignored_warnings => warnings,

data/lib/brakeman/report/report_csv.rb

@@ -17,7 +17,7 @@ class Brakeman::Report::CSV < Brakeman::Report::Base
     ]
 
     rows = tracker.filtered_warnings.sort_by do |w|
-      [w.confidence, w.warning_type, w.file, w.line, w.fingerprint]
+      [w.confidence, w.warning_type, w.file, w.line || 0, w.fingerprint]
     end.map do |warning|
       generate_row(headers, warning)
     end

data/lib/brakeman/report/report_sarif.rb

@@ -48,7 +48,7 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
   end
 
   def results
-    @results ||= all_warnings.map do |warning|
+    @results ||= tracker.checks.all_warnings.map do |warning|
       rule_id = render_id warning
       result_level = infer_level warning
       message_text = render_message warning.message.to_s
@@ -72,11 +72,28 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
         ],
       }
 
+      if @ignore_filter && @ignore_filter.ignored?(warning)
+        result[:suppressions] = [
+          {
+            :kind => 'external',
+            :justification => @ignore_filter.note_for(warning),
+            :location => {
+              :physicalLocation => {
+                :artifactLocation => {
+                  :uri => Brakeman::FilePath.from_app_tree(@app_tree, @ignore_filter.file).relative,
+                  :uriBaseId => '%SRCROOT%',
+                },
+              },
+            },
+          }
+        ]
+      end
+
       result
     end
   end
 
-  # Returns a hash of all check descriptions, keyed by check namne
+  # Returns a hash of all check descriptions, keyed by check name
   def check_descriptions
     @check_descriptions ||= Brakeman::Checks.checks.map do |check|
       [check.name.gsub(/^Check/, ''), check.description]
@@ -85,7 +102,7 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
 
   # Returns a de-duplicated set of warnings, used to generate rules
   def unique_warnings_by_warning_code
-    @unique_warnings_by_warning_code ||= all_warnings.uniq { |w| w.warning_code }
+    @unique_warnings_by_warning_code ||= tracker.checks.all_warnings.uniq { |w| w.warning_code }
   end
 
   def render_id warning
@@ -94,6 +111,8 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
   end
 
   def render_message message
+    return message if message.nil?
+
     # Ensure message ends with a period
     if message.end_with? "."
       message

data/lib/brakeman/report/report_text.rb

@@ -92,7 +92,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
       HighLine.color("No warnings found", :bold, :green)
     else
       warnings = tracker.filtered_warnings.sort_by do |w|
-        [w.confidence, w.warning_type, w.file, w.line, w.fingerprint]
+        [w.confidence, w.warning_type, w.file, w.line || 0, w.fingerprint]
       end.map do |w|
         output_warning w
       end

data/lib/brakeman/rescanner.rb

@@ -391,7 +391,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
 
   def parse_ruby_files list
     paths = list.select(&:exists?)
-    file_parser = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
+    file_parser = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout], tracker.options[:parallel_checks])
     file_parser.parse_files paths
     tracker.add_errors(file_parser.errors)
     file_parser.file_list

data/lib/brakeman/scanner.rb

@@ -40,38 +40,38 @@ class Brakeman::Scanner
 
   #Process everything in the Rails application
   def process
-    Brakeman.notify "Processing gems..."
+    Brakeman.notify "Processing gems...                    "
     process_gems
     guess_rails_version
-    Brakeman.notify "Processing configuration..."
+    Brakeman.notify "Processing configuration...           "
     process_config
-    Brakeman.notify "Parsing files..."
+    Brakeman.notify "Parsing files...                      "
     parse_files
-    Brakeman.notify "Detecting file types..."
+    Brakeman.notify "Detecting file types...               "
     detect_file_types
-    Brakeman.notify "Processing initializers..."
+    Brakeman.notify "Processing initializers...            "
     process_initializers
-    Brakeman.notify "Processing libs..."
+    Brakeman.notify "Processing libs...                    "
     process_libs
-    Brakeman.notify "Processing routes...          "
+    Brakeman.notify "Processing routes...                  "
     process_routes
-    Brakeman.notify "Processing templates...       "
+    Brakeman.notify "Processing templates...               "
     process_templates
-    Brakeman.notify "Processing data flow in templates..."
+    Brakeman.notify "Processing data flow in templates...  "
     process_template_data_flows
-    Brakeman.notify "Processing models...          "
+    Brakeman.notify "Processing models...                  "
     process_models
-    Brakeman.notify "Processing controllers...     "
+    Brakeman.notify "Processing controllers...             "
     process_controllers
     Brakeman.notify "Processing data flow in controllers..."
     process_controller_data_flows
-    Brakeman.notify "Indexing call sites...        "
+    Brakeman.notify "Indexing call sites...                "
     index_call_sites
     tracker
   end
 
   def parse_files
-    fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
+    fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout], tracker.options[:parallel_checks])
 
     fp.parse_files tracker.app_tree.ruby_file_paths
 

data/lib/brakeman/tracker/collection.rb

@@ -15,6 +15,7 @@ module Brakeman
       @includes = []
       @methods = { :public => {}, :private => {}, :protected => {} }
       @class_methods = {}
+      @simple_methods = { :class => {}, instance: {} }
       @options = {}
       @tracker = tracker
 
@@ -24,7 +25,7 @@ module Brakeman
     def ancestor? parent, seen={}
       seen[self.name] = true
 
-      if self.parent == parent or seen[self.parent]
+      if self.parent == parent or self.name == parent or seen[self.parent]
         true
       elsif parent_model = collection[self.parent]
         parent_model.ancestor? parent, seen
@@ -39,7 +40,7 @@ module Brakeman
     end
 
     def add_include class_name
-      @includes << class_name
+      @includes << class_name unless ancestor?(class_name)
     end
 
     def add_option name, exp
@@ -49,6 +50,7 @@ module Brakeman
 
     def add_method visibility, name, src, file_name
       meth_info = Brakeman::MethodInfo.new(name, src, self, file_name)
+      add_simple_method_maybe meth_info
 
       if src.node_type == :defs
         @class_methods[name] = meth_info
@@ -112,5 +114,31 @@ module Brakeman
     def methods_public
       @methods[:public]
     end
+
+    def get_simple_method_return_value type, name
+      @simple_methods[type][name]
+    end
+
+    private
+
+    def add_simple_method_maybe meth_info
+      if meth_info.very_simple_method?
+        add_simple_method meth_info
+      end
+    end
+
+    def add_simple_method meth_info
+      name = meth_info.name
+      value = meth_info.return_value
+
+      case meth_info.src.node_type
+      when :defn
+        @simple_methods[:instance][name] = value
+      when :defs
+        @simple_methods[:class][name] = value
+      else
+        raise "Expected sexp type: #{src.node_type}"
+      end
+    end
   end
 end

data/lib/brakeman/tracker/method_info.rb

@@ -19,11 +19,52 @@ module Brakeman
               else
                 raise "Expected sexp type: #{src.node_type}"
               end
+
+      @simple_method = nil
     end
 
     # To support legacy code that expected a Hash
     def [] attr
       self.send(attr)
     end
+
+    def very_simple_method?
+      return @simple_method == :very unless @simple_method.nil?
+
+      # Very simple methods have one (simple) expression in the body and
+      # no arguments
+      if src.formal_args.length == 1 # no args
+        if src.method_length == 1 # Single expression in body
+          value = first_body # First expression in body
+
+          if simple_literal? value or
+              (array? value and all_literals? value) or
+              (hash? value and all_literals? value, :hash)
+
+            @return_value = value
+            @simple_method = :very
+          end
+        end
+      end
+
+      @simple_method ||= false
+    end
+
+    def return_value env = nil
+      if very_simple_method?
+        return @return_value
+      else
+        nil
+      end
+    end
+
+    def first_body
+      case @type
+      when :class
+        src[4]
+      when :instance
+        src[3]
+      end
+    end
   end
 end

data/lib/brakeman/util.rb

@@ -50,7 +50,11 @@ module Brakeman::Util
 
   # stupid simple, used to delegate to ActiveSupport
   def pluralize word
-    word + "s"
+    if word.end_with? 's'
+      word + 'es'
+    else
+      word + 's'
+    end
   end
 
   #Returns a class name as a Symbol.
@@ -238,30 +242,22 @@ module Brakeman::Util
 
   #Check if _exp_ is a params hash
   def params? exp
-    if exp.is_a? Sexp
-      return true if exp.node_type == :params or ALL_PARAMETERS.include? exp
-
-      if call? exp
-        if params? exp[1]
-          return true
-        elsif exp[2] == :[]
-          return params? exp[1]
-        end
-      end
-    end
-
-    false
+    recurse_check?(exp) { |child| child.node_type == :params or ALL_PARAMETERS.include? child }
   end
 
   def cookies? exp
+    recurse_check?(exp) { |child| child.node_type == :cookies or ALL_COOKIES.include? child }
+  end
+
+  def recurse_check? exp, &check
     if exp.is_a? Sexp
-      return true if exp.node_type == :cookies or ALL_COOKIES.include? exp
+      return true if yield(exp)
 
       if call? exp
-        if cookies? exp[1]
+        if recurse_check? exp[1], &check
           return true
         elsif exp[2] == :[]
-          return cookies? exp[1]
+          return recurse_check? exp[1], &check
         end
       end
     end
@@ -301,12 +297,24 @@ module Brakeman::Util
     exp.is_a? Sexp and types.include? exp.node_type
   end
 
-  LITERALS = [:lit, :false, :str, :true, :array, :hash]
+  SIMPLE_LITERALS = [:lit, :false, :str, :true]
+
+  def simple_literal? exp
+    exp.is_a? Sexp and SIMPLE_LITERALS.include? exp.node_type
+  end
+
+  LITERALS = [*SIMPLE_LITERALS, :array, :hash]
 
   def literal? exp
     exp.is_a? Sexp and LITERALS.include? exp.node_type
   end
 
+  def all_literals? exp, expected_type = :array
+    node_type? exp, expected_type and
+      exp.length > 1 and
+      exp.all? { |e| e.is_a? Symbol or node_type? e, :lit, :str }
+  end
+
   DIR_CONST = s(:const, :Dir)
 
   # Dir.glob(...).whatever

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "5.0.2"
+  Version = "5.1.2"
 end

data/lib/brakeman.rb

@@ -65,6 +65,7 @@ module Brakeman
   #  * :report_routes - show found routes on controllers (default: false)
   #  * :run_checks - array of checks to run (run all if not specified)
   #  * :safe_methods - array of methods to consider safe
+  #  * :sql_safe_methods - array of sql sanitization methods to consider safe
   #  * :skip_libs - do not process lib/ directory (default: false)
   #  * :skip_vendor - do not process vendor/ directory (default: true)
   #  * :skip_checks - checks not to run (run all if not specified)
@@ -198,6 +199,7 @@ module Brakeman
       :relative_path => false,
       :report_progress => true,
       :safe_methods => Set.new,
+      :sql_safe_methods => Set.new,
       :skip_checks => Set.new,
       :skip_vendor => true,
     }
@@ -392,7 +394,7 @@ module Brakeman
     if options[:parallel_checks]
       notify "Running checks in parallel..."
     else
-      notify "Runnning checks..."
+      notify "Running checks..."
     end
 
     tracker.run_checks
@@ -477,7 +479,7 @@ module Brakeman
     $stderr.puts message if @debug
   end
 
-  # Compare JSON ouptut from a previous scan and return the diff of the two scans
+  # Compare JSON output from a previous scan and return the diff of the two scans
   def self.compare options
     require 'json'
     require 'brakeman/differ'

data/lib/ruby_parser/bm_sexp.rb

@@ -543,6 +543,20 @@ class Sexp
     self.body.unshift :rlist
   end
 
+  # Number of "statements" in a method.
+  # This is more efficient than `Sexp#body.length`
+  # because `Sexp#body` creates a new Sexp.
+  def method_length
+    expect :defn, :defs
+
+    case self.node_type
+    when :defn
+      self.length - 3
+    when :defs
+      self.length - 4
+    end
+  end
+
   def render_type
     expect :render
     self[1]
@@ -628,4 +642,14 @@ end
   RUBY
 end
 
+class String
+  ##
+  # This is a hack used by the lexer to sneak in line numbers at the
+  # identifier level. This should be MUCH smaller than making
+  # process_token return [value, lineno] and modifying EVERYTHING that
+  # reduces tIDENTIFIER.
+
+  attr_accessor :lineno
+end
+
 class WrongSexpError < RuntimeError; end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 5.0.2
+  version: 5.1.2
 platform: ruby
 authors:
 - Justin Collins
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-06-07 00:00:00.000000000 Z
+date: 2021-10-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -86,14 +86,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.13'
+        version: '3.18'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.13'
+        version: '3.18'
 - !ruby/object:Gem::Dependency
   name: ruby_parser-legacy
   requirement: !ruby/object:Gem::Requirement