brakeman-lib 5.0.4 → 5.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2bc22b69b0b137fe9f223c2469fe6e3857054b0b98621645b52ed94af7fa4886
-  data.tar.gz: 183f206e691c8251adef49319ca76939a4bf079cf5b14ead1f3f7923754ff9ff
+  metadata.gz: cf18736db7a992849a30cccc66f741442e05b695f9ad1bd27fe06f6bc25db849
+  data.tar.gz: a884f20cc12305c0856bcc296ddae3aea746b024c232bf11d7988d4e37bd96a3
 SHA512:
-  metadata.gz: b902bcfbc2be499f0a892534bf443d88ce92f5a0b47edd31b7ac01a964e9ec13230f03f5ba8bb246dcdee27a7e6bd72b873d2826ce2f6b2486f64999f45b52e8
-  data.tar.gz: 62f878559fd4aa1f2d96c35742d0c490c0d57c53e07d9a3619675f6519c0fafbaace29e0b616c217ea796132e7810b51b3f06cf1ff60a3a28a34ae9482069f32
+  metadata.gz: be93f9f9ba9d808989cbed1bfd450b29c272e806d84707ab0420a8a86b8c797f88d4338f22a1124a462be43ac7bfea605566779321a72d772e9c39d216ded8c3
+  data.tar.gz: cf9aa7f34fa5cc737b2e7bbecf625025b50f72f1b3c43ab8f346832145e3cab2245d2af79fd021584ab0aa5fdbb2f854dd41fee8f5a5c891197f1f1e8a570a65

data/CHANGES.md

@@ -1,3 +1,51 @@
+# 5.2.0 - 2021-12-15
+
+* Initial Rails 7 support
+* Require Ruby 2.5.0+
+* Fix issue with calls to `foo.root` in routes
+* Ignore `I18n.locale` in SQL queries
+* Do not treat `sanitize_sql_like` as safe
+* Add new checks for unsupported Ruby and Rails versions
+
+# 5.1.2 - 2021-10-28
+
+* Handle cases where enums are not symbols
+* Support newer Haml with ::Haml::AttributeBuilder.build
+* Fix issue where the previous output is still visible (Jason Frey)
+* Fix warning sorting with nil line numbers
+* Update for latest RubyParser (Ryan Davis)
+
+# 5.1.1 - 2021-07-19
+
+* Unrefactor IgnoreConfig's use of `Brakeman::FilePath`
+
+# 5.1.0 - 2021-07-19
+
+* Initial support for ActiveRecord enums
+* Support `Hash#include?`
+* Interprocedural dataflow from very simple class methods
+* Fix SARIF report when checks have no description (Eli Block)
+* Add ignored warnings to SARIF report (Eli Block)
+* Add `--sql-safe-methods` option (Esty Scheiner)
+* Update SQL injection check for Rails 6.0/6.1
+* Fix false positive in command injection with `Open3.capture` (Richard Fitzgerald)
+* Fix infinite loop on mixin self-includes (Andrew Szczepanski)
+* Ignore dates in SQL
+* Refactor `cookie?`/`param?` methods (Keenan Brock)
+* Ignore renderables in dynamic render path check (Brad Parker)
+* Support `Array#push`
+* Better `Array#join` support
+* Adjust copy of `--interactive` menu (Elia Schito)
+* Support `Array#*`
+* Better method definition tracking and lookup
+* Support `Hash#values` and `Hash#values_at`
+* Check for user-controlled evaluation even if it's a call target
+* Support `Array#fetch` and `Hash#fetch`
+* Ignore `sanitize_sql_like` in SQL
+* Ignore method calls on numbers in SQL
+* Add GitHub Actions format (Klaus Badelt)
+* Read and parse files in parallel
+
 # 5.0.4 - 2021-06-08
 
 (brakeman gem release only)
@@ -418,7 +466,7 @@
 * Delay loading vendored gems and modifying load path
 * Avoid warning about SQL injection with `quoted_primary_key`
 * Support more safe `&.` operations
-* Allow multile line regex in `validates_format_of` (Dmitrij Fedorenko)
+* Allow multiple line regex in `validates_format_of` (Dmitrij Fedorenko)
 * Only consider `if` branches in templates
 * Avoid overwriting instance/class methods with same name (Tim Wade)
 * Add `--force-scan` option (Neil Matatall)

data/README.md

@@ -66,7 +66,7 @@ Outside of Rails root (note that the output file is relative to path/to/rails/ap
 
 Brakeman should work with any version of Rails from 2.3.x to 6.x.
 
-Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 2.3.0 to run.
+Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 2.4.0 to run.
 
 # Basic Options
 

data/lib/brakeman/app_tree.rb

@@ -28,7 +28,7 @@ module Brakeman
     # Accepts an array of filenames and paths with the following format and
     # returns a Regexp to match them:
     #   * "path1/file1.rb" - Matches a specific filename in the project directory.
-    #   * "path1/" - Matches any path that conatains "path1" in the project directory.
+    #   * "path1/" - Matches any path that contains "path1" in the project directory.
     #   * "/path1/ - Matches any path that is rooted at "path1" in the project directory.
     #
     def self.regex_for_paths(paths)

data/lib/brakeman/checks/base_check.rb

@@ -513,4 +513,14 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     string_building? exp.target or
     string_building? exp.first_arg
   end
+
+  I18N_CLASS = s(:const, :I18n)
+
+  def locale_call? exp
+    return unless call? exp
+
+    (exp.target == I18N_CLASS and
+     exp.method == :locale) or
+    locale_call? exp.target
+  end
 end

data/lib/brakeman/checks/check_detailed_exceptions.rb

@@ -26,7 +26,7 @@ class Brakeman::CheckDetailedExceptions < Brakeman::BaseCheck
   def check_detailed_exceptions
     tracker.controllers.each do |_name, controller|
       controller.methods_public.each do |method_name, definition|
-        src = definition[:src]
+        src = definition.src
         body = src.body.last
         next unless body
 

data/lib/brakeman/checks/check_eol_rails.rb

@@ -0,0 +1,23 @@
+require_relative 'eol_check'
+
+class Brakeman::CheckEOLRails < Brakeman::EOLCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for unsupported versions of Rails"
+
+  def run_check
+    return unless tracker.config.rails_version
+
+    check_eol_version :rails, RAILS_EOL_DATES
+  end
+
+  RAILS_EOL_DATES = {
+    ['2.0.0', '2.3.99'] => Date.new(2013, 6, 25),
+    ['3.0.0', '3.2.99'] => Date.new(2016, 6, 30),
+    ['4.0.0', '4.2.99'] => Date.new(2017, 4, 27),
+    ['5.0.0', '5.0.99'] => Date.new(2018, 5, 9),
+    ['5.1.0', '5.1.99'] => Date.new(2019, 8, 25),
+    ['5.2.0', '5.2.99'] => Date.new(2022, 6, 1),
+    ['6.0.0', '6.0.99'] => Date.new(2023, 6, 1),
+  }
+end

data/lib/brakeman/checks/check_eol_ruby.rb

@@ -0,0 +1,26 @@
+require_relative 'eol_check'
+
+class Brakeman::CheckEOLRuby < Brakeman::EOLCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for unsupported versions of Ruby"
+
+  def run_check
+    return unless tracker.config.ruby_version
+
+    check_eol_version :ruby, RUBY_EOL_DATES
+  end
+
+  RUBY_EOL_DATES = {
+    ['0.0.0', '1.9.3'] => Date.new(2015, 2, 23),
+    ['2.0.0', '2.0.99'] => Date.new(2016, 2, 24),
+    ['2.1.0', '2.1.99'] => Date.new(2017, 3, 31),
+    ['2.2.0', '2.2.99'] => Date.new(2018, 3, 31),
+    ['2.3.0', '2.3.99'] => Date.new(2019, 3, 31),
+    ['2.4.0', '2.4.99'] => Date.new(2020, 3, 31),
+    ['2.5.0', '2.5.99'] => Date.new(2021, 3, 31),
+    ['2.6.0', '2.6.99'] => Date.new(2022, 3, 31),
+    ['2.7.0', '2.7.99'] => Date.new(2023, 3, 31),
+    ['3.0.0', '2.8.99'] => Date.new(2024, 3, 31),
+  }
+end

data/lib/brakeman/checks/check_evaluation.rb

@@ -10,7 +10,7 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
   #Process calls
   def run_check
     Brakeman.debug "Finding eval-like calls"
-    calls = tracker.find_call :method => [:eval, :instance_eval, :class_eval, :module_eval]
+    calls = tracker.find_call methods: [:eval, :instance_eval, :class_eval, :module_eval], nested: true
 
     Brakeman.debug "Processing eval-like calls"
     calls.each do |call|

data/lib/brakeman/checks/check_execute.rb

@@ -87,6 +87,16 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
                   dangerous_interp?(first_arg) ||
                   dangerous_string_building?(first_arg)
       end
+    when :capture2, :capture2e, :capture3
+      # Open3 capture methods can take a :stdin_data argument which is used as the
+      # the input to the called command so it is not succeptable to command injection.
+      # As such if the last argument is a hash (and therefore execution options) it
+      # should be ignored
+
+      args.pop if hash?(args.last) && args.length > 2
+      failure = include_user_input?(args) ||
+                dangerous_interp?(args) ||
+                dangerous_string_building?(args)
     else
       failure = include_user_input?(args) ||
                 dangerous_interp?(args) ||

data/lib/brakeman/checks/check_json_parsing.rb

@@ -74,7 +74,7 @@ class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
     warning_type = "Denial of Service"
     confidence = :medium
     gem_name = "#{name} gem"
-    message = msg(msg_version(version, gem_name), " has a symbol creation vulnerablity. Upgrade to ")
+    message = msg(msg_version(version, gem_name), " has a symbol creation vulnerability. Upgrade to ")
 
     if version >= "1.7.0"
       confidence = :high

data/lib/brakeman/checks/check_render.rb

@@ -33,6 +33,7 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
     view = result[:call][2]
 
     if sexp? view and original? result
+      return if renderable?(view)
 
       if input = has_immediate_user_input?(view)
         if string_interp? view
@@ -94,4 +95,17 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
       end
     end
   end
-end 
+
+  def renderable? exp
+    return false unless call?(exp) and constant?(exp.target)
+
+    target_class_name = class_name(exp.target)
+    known_renderable_class?(target_class_name) or tracker.find_method(:render_in, target_class_name)
+  end
+
+  def known_renderable_class? class_name
+    klass = tracker.find_class(class_name)
+    return false if klass.nil?
+    klass.ancestor? :"ViewComponent::Base"
+  end
+end

data/lib/brakeman/checks/check_sql.rb

@@ -22,7 +22,19 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
                     :find_by_sql, :maximum, :minimum, :pluck, :sum, :update_all]
     @sql_targets.concat [:from, :group, :having, :joins, :lock, :order, :reorder, :where] if tracker.options[:rails3]
     @sql_targets.concat [:find_by, :find_by!, :find_or_create_by, :find_or_create_by!, :find_or_initialize_by, :not] if tracker.options[:rails4]
-    @sql_targets << :delete_by << :destroy_by if tracker.options[:rails6]
+
+    if tracker.options[:rails6]
+      @sql_targets.concat [:delete_by, :destroy_by, :rewhere, :reselect]
+
+      @sql_targets.delete :delete_all
+      @sql_targets.delete :destroy_all
+    end
+
+    if version_between?("6.1.0", "9.9.9")
+      @sql_targets.delete :order
+      @sql_targets.delete :reorder
+      @sql_targets.delete :pluck
+    end
 
     if version_between?("2.0.0", "3.9.9") or tracker.config.rails_version.nil?
       @sql_targets << :first << :last << :all
@@ -185,7 +197,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
                         else
                           check_find_arguments call.last_arg
                         end
-                      when :where, :having, :find_by, :find_by!, :find_or_create_by, :find_or_create_by!, :find_or_initialize_by,:not, :delete_by, :destroy_by
+                      when :where, :rewhere, :having, :find_by, :find_by!, :find_or_create_by, :find_or_create_by!, :find_or_initialize_by,:not, :delete_by, :destroy_by
                         check_query_arguments call.arglist
                       when :order, :group, :reorder
                         check_order_arguments call.arglist
@@ -199,7 +211,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
                         unsafe_sql? call.first_arg
                       when :sql
                         unsafe_sql? call.first_arg
-                      when :update_all, :select
+                      when :update_all, :select, :reselect
                         check_update_all_arguments call.args
                       when *@connection_calls
                         check_by_sql_arguments call.first_arg
@@ -579,6 +591,10 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     :where_values_hash, :foreign_key, :uuid
   ]
 
+  def ignore_methods_in_sql
+    @ignore_methods_in_sql ||= IGNORE_METHODS_IN_SQL + (tracker.options[:sql_safe_methods] || [])
+  end
+
   def safe_value? exp
     return true unless sexp? exp
 
@@ -589,10 +605,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       if exp.method == :to_s or exp.method == :to_sym
         safe_value? exp.target
       else
-        IGNORE_METHODS_IN_SQL.include? exp.method or
-        quote_call? exp or
-        arel? exp or
-        exp.method.to_s.end_with? "_id"
+        ignore_call? exp
       end
     when :if
       safe_value? exp.then_clause and safe_value? exp.else_clause
@@ -607,6 +620,18 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     end
   end
 
+  def ignore_call? exp
+    return unless call? exp
+
+    ignore_methods_in_sql.include? exp.method or
+      quote_call? exp or
+      arel? exp or
+      exp.method.to_s.end_with? "_id" or
+      number_target? exp or
+      date_target? exp or
+      locale_call? exp
+  end
+
   QUOTE_METHODS = [:quote, :quote_column_name, :quoted_date, :quote_string, :quote_table_name]
 
   def quote_call? exp
@@ -695,4 +720,30 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       active_record_models.include? klass
     end
   end
+
+  def number_target? exp
+    return unless call? exp
+
+    if number? exp.target
+      true
+    elsif call? exp.target
+      number_target? exp.target
+    else
+      false
+    end
+  end
+
+  DATE_CLASS = s(:const, :Date)
+
+  def date_target? exp
+    return unless call? exp
+
+    if exp.target == DATE_CLASS
+      true
+    elsif call? exp.target
+      date_target? exp.target
+    else
+     false
+    end 
+  end
 end

data/lib/brakeman/checks/check_symbol_dos.rb

@@ -9,7 +9,7 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
 
   def run_check
     return if rails_version and rails_version >= "5.0.0"
-    return if tracker.config.ruby_version >= "2.2"
+    return if tracker.config.ruby_version and tracker.config.ruby_version >= "2.2"
 
     tracker.find_call(:methods => UNSAFE_METHODS, :nested => true).each do |result|
       check_unsafe_symbol_creation(result)

data/lib/brakeman/checks/check_verb_confusion.rb

@@ -32,7 +32,7 @@ class Brakeman::CheckVerbConfusion < Brakeman::BaseCheck
       return
     end
 
-    process method[:src]
+    process method.src
   end
 
   def process_if exp

data/lib/brakeman/checks/eol_check.rb

@@ -0,0 +1,47 @@
+require 'date'
+require 'brakeman/checks/base_check'
+
+# Not used directly - base check for EOLRails and EOLRuby
+class Brakeman::EOLCheck < Brakeman::BaseCheck
+  def check_eol_version library, eol_dates
+    version = case library
+              when :rails
+                tracker.config.rails_version
+              when :ruby
+                tracker.config.ruby_version
+              else
+                raise 'Implement using tracker.config.gem_version'
+              end
+
+    eol_dates.each do |(start_version, end_version), eol_date|
+      if version_between? start_version, end_version, version
+        case
+        when Date.today >= eol_date
+          warn_about_unsupported_version library, eol_date, version
+        when (Date.today + 30) >= eol_date
+          warn_about_soon_unsupported_version library, eol_date, version, :medium
+        when (Date.today + 60) >= eol_date
+          warn_about_soon_unsupported_version library, eol_date, version, :low
+        end
+
+        break
+      end
+    end
+  end
+
+  def warn_about_soon_unsupported_version library, eol_date, version, confidence
+    warn warning_type: 'Unmaintained Dependency',
+      warning_code: :"pending_eol_#{library}",
+      message: msg("Support for ", msg_version(version, library.capitalize), " ends on #{eol_date}"),
+      confidence: confidence,
+      gem_info: gemfile_or_environment
+  end
+
+  def warn_about_unsupported_version library, eol_date, version
+    warn warning_type: 'Unmaintained Dependency',
+      warning_code: :"eol_#{library}",
+      message: msg("Support for ", msg_version(version, library.capitalize), " ended on #{eol_date}"),
+      confidence: :high,
+      gem_info: gemfile_or_environment
+  end
+end

data/lib/brakeman/file_parser.rb

@@ -1,3 +1,5 @@
+require 'parallel'
+
 module Brakeman
   ASTFile = Struct.new(:path, :ast)
 
@@ -5,29 +7,62 @@ module Brakeman
   class FileParser
     attr_reader :file_list, :errors
 
-    def initialize app_tree, timeout
+    def initialize app_tree, timeout, parallel = true
       @app_tree = app_tree
       @timeout = timeout
       @file_list = []
       @errors = []
+      @parallel = parallel
     end
 
     def parse_files list
-      read_files list do |path, contents|
-        if ast = parse_ruby(contents, path.relative)
-          ASTFile.new(path, ast)
+      if @parallel
+        parallel_options = {}
+      else
+        # Disable parallelism
+        parallel_options = { in_threads: 0 }
+      end
+
+      # Parse the files in parallel.
+      # By default, the parsing will be in separate processes.
+      # So we map the result to ASTFiles and/or Exceptions
+      # then partition them into ASTFiles and Exceptions
+      # and add the Exceptions to @errors
+      #
+      # Basically just a funky way to deal with two possible
+      # return types that are returned from isolated processes.
+      #
+      # Note this method no longer uses read_files
+      @file_list, new_errors = Parallel.map(list, parallel_options) do |file_name|
+        file_path = @app_tree.file_path(file_name)
+        contents = file_path.read
+
+        begin
+          if ast = parse_ruby(contents, file_path.relative)
+            ASTFile.new(file_name, ast)
+          end
+        rescue Exception => e
+          e
         end
+      end.compact.partition do |result|
+        result.is_a? ASTFile
       end
+
+      errors.concat new_errors
     end
 
     def read_files list
       list.each do |path|
         file = @app_tree.file_path(path)
 
-        result = yield file, file.read
+        begin
+          result = yield file, file.read
 
-        if result
-          @file_list << result
+          if result
+            @file_list << result
+          end
+        rescue Exception => e
+          @errors << e
         end
       end
     end
@@ -42,17 +77,12 @@ module Brakeman
         Brakeman.debug "Parsing #{path}"
         RubyParser.new.parse input, path, @timeout
       rescue Racc::ParseError => e
-        error e.exception(e.message + "\nCould not parse #{path}")
+        raise e.exception(e.message + "\nCould not parse #{path}")
       rescue Timeout::Error => e
-        error Exception.new("Parsing #{path} took too long (> #{@timeout} seconds). Try increasing the limit with --parser-timeout")
+        raise Exception.new("Parsing #{path} took too long (> #{@timeout} seconds). Try increasing the limit with --parser-timeout")
       rescue => e
-        error e.exception(e.message + "\nWhile processing #{path}")
+        raise e.exception(e.message + "\nWhile processing #{path}")
       end
     end
-
-    def error exception
-      @errors << exception
-      nil
-    end
   end
 end

data/lib/brakeman/options.rb

@@ -39,7 +39,7 @@ module Brakeman::Options
       OptionParser.new do |opts|
         opts.banner = "Usage: brakeman [options] rails/root/path"
 
-        opts.on "-n", "--no-threads", "Run checks sequentially" do
+        opts.on "-n", "--no-threads", "Run checks and file parsing sequentially" do
           options[:parallel_checks] = false
         end
 
@@ -93,6 +93,14 @@ module Brakeman::Options
           options[:rails6] = true
         end
 
+        opts.on "-7", "--rails7", "Force Rails 7 mode" do
+          options[:rails3] = true
+          options[:rails4] = true
+          options[:rails5] = true
+          options[:rails6] = true
+          options[:rails7] = true
+        end
+
         opts.separator ""
         opts.separator "Scanning options:"
 
@@ -151,6 +159,11 @@ module Brakeman::Options
           options[:safe_methods].merge methods.map {|e| e.to_sym }
         end
 
+        opts.on "--sql-safe-methods meth1,meth2,etc", Array, "Do not warn of SQL if the input is wrapped in a safe method" do |methods|
+          options[:sql_safe_methods] ||= Set.new
+          options[:sql_safe_methods].merge methods.map {|e| e.to_sym }
+        end
+
         opts.on "--url-safe-methods method1,method2,etc", Array, "Do not warn of XSS if the link_to href parameter is wrapped in a safe method" do |methods|
           options[:url_safe_methods] ||= Set.new
           options[:url_safe_methods].merge methods.map {|e| e.to_sym }
@@ -233,7 +246,7 @@ module Brakeman::Options
 
         opts.on "-f",
           "--format TYPE",
-          [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table, :junit, :sarif, :sonar],
+          [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table, :junit, :sarif, :sonar, :github],
           "Specify output formats. Default is text" do |type|
 
           type = "s" if type == :text