brakeman-lib 5.0.4 → 5.2.0

data/lib/brakeman/processors/alias_processor.rb

@@ -208,6 +208,15 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       return Sexp.new(:false).line(exp.line)
     end
 
+    # For the simplest case of `Foo.thing`
+    if node_type? target, :const and first_arg.nil?
+      if tracker and (klass = tracker.find_class(class_name(target.value)))
+        if return_value = klass.get_simple_method_return_value(:class, method)
+          return return_value.deep_clone(exp.line)
+        end
+      end
+    end
+
     #See if it is possible to simplify some basic cases
     #of addition/concatenation.
     case method
@@ -220,13 +229,28 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         exp = math_op(:+, target, first_arg, exp)
       end
     when :-, :*, :/
-      exp = math_op(method, target, first_arg, exp)
+      if method == :* and array? target
+        if string? first_arg
+          exp = process_array_join(target, first_arg)
+        end
+      else
+        exp = math_op(method, target, first_arg, exp)
+      end
     when :[]
       if array? target
         exp = process_array_access(target, exp.args, exp)
       elsif hash? target
         exp = process_hash_access(target, first_arg, exp)
       end
+    when :fetch
+      if array? target
+        # Not dealing with default value
+        # so just pass in first argument, but process_array_access expects
+        # an array of arguments.
+        exp = process_array_access(target, [first_arg], exp)
+      elsif hash? target
+        exp = process_hash_access(target, first_arg, exp)
+      end
     when :merge!, :update
       if hash? target and hash? first_arg
          target = process_hash_merge! target, first_arg
@@ -266,6 +290,12 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         target = find_push_target(target_var)
         env[target] = exp unless target.nil? # Happens in TemplateAliasProcessor
       end
+    when :push
+      if array? target
+        target << first_arg
+        env[target_var] = target
+        return target
+      end
     when :first
       if array? target and first_arg.nil? and sexp? target[1]
         exp = target[1]
@@ -279,7 +309,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         exp = target
       end
     when :join
-      if array? target and target.length > 2 and (string? first_arg or first_arg.nil?)
+      if array? target and (string? first_arg or first_arg.nil?)
         exp = process_array_join(target, first_arg)
       end
     when :!
@@ -287,6 +317,21 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       if call? target and target.method == :!
         exp = s(:or, s(:true).line(exp.line), s(:false).line(exp.line)).line(exp.line)
       end
+    when :values
+      # Hash literal
+      if node_type? target, :hash
+        exp = hash_values(target)
+      end
+    when :values_at
+      if node_type? target, :hash
+        res = hash_values_at target, exp.args
+
+        # Only convert to array of values if _all_ keys
+        # are present in the hash.
+        unless res.any?(&:nil?)
+          exp = res
+        end
+      end
     end
 
     exp
@@ -294,6 +339,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
 
   # Painful conversion of Array#join into string interpolation
   def process_array_join array, join_str
+    # Empty array
+    if array.length == 1
+      return s(:str, '').line(array.line)
+    end
+
     result = s().line(array.line)
 
     join_value = if string? join_str
@@ -302,8 +352,10 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
                    nil
                  end
 
-    array[1..-2].each do |e|
-      result << join_item(e, join_value)
+    if array.length > 2
+      array[1..-2].each do |e|
+        result << join_item(e, join_value)
+      end
     end
 
     result << join_item(array.last, nil)
@@ -332,7 +384,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     result.unshift combined_first
 
     # Have to fix up strings that follow interpolation
-    result.reduce(s(:dstr).line(array.line)) do |memo, e|
+    string = result.reduce(s(:dstr).line(array.line)) do |memo, e|
       if string? e and node_type? memo.last, :evstr
         e.value = "#{join_value}#{e.value}"
       elsif join_value and node_type? memo.last, :evstr and node_type? e, :evstr
@@ -341,6 +393,14 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
 
       memo << e
     end
+
+    # Convert (:dstr, "hello world")
+    # to (:str, "hello world")
+    if string.length == 2 and string.last.is_a? String
+      string[0] = :str
+    end
+
+    string
   end
 
   def join_item item, join_value
@@ -749,6 +809,18 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     exp
   end
 
+  def hash_or_array_include_all_literals? exp
+    return unless call? exp and sexp? exp.target
+    target = exp.target
+
+    case target.node_type
+    when :hash
+      hash_include_all_literals? exp
+    else
+      array_include_all_literals? exp
+    end
+  end
+
   # Check if exp is a call to Array#include? on an array literal
   # that contains all literal values. For example:
   #
@@ -767,6 +839,16 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     (all_literals? exp.target or dir_glob? exp.target)
   end
 
+  # Check if exp is a call to Hash#include? on a hash literal
+  # that contains all literal values. For example:
+  #
+  #    {x: 1}.include? x
+  def hash_include_all_literals? exp
+    call? exp and
+    exp.method == :include? and
+    all_literals? exp.target, :hash
+  end
+
   #Sets @inside_if = true
   def process_if exp
     if @ignore_ifs.nil?
@@ -807,7 +889,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         scope do
           @branch_env = env.current
           branch_index = 2 + i # s(:if, condition, then_branch, else_branch)
-          if i == 0 and array_include_all_literals? condition
+          if i == 0 and hash_or_array_include_all_literals? condition
             # If the condition is ["a", "b"].include? x
             # set x to "a" inside the true branch
             var = condition.first_arg
@@ -815,7 +897,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
             env.current[var] = safe_literal(var.line)
             exp[branch_index] = process_if_branch branch
             env.current[var] = previous_value
-          elsif i == 1 and array_include_all_literals? condition and early_return? branch
+          elsif i == 1 and hash_or_array_include_all_literals? condition and early_return? branch
             var = condition.first_arg
             env.current[var] = safe_literal(var.line)
             exp[branch_index] = process_if_branch branch
@@ -1013,8 +1095,8 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     method_name = call.method
 
     #Look for helper methods and see if we can get a return value
-    if found_method = find_method(method_name, @current_class)
-      helper = found_method[:method]
+    if found_method = tracker.find_method(method_name, @current_class)
+      helper = found_method.src
 
       if sexp? helper
         value = process_helper_method helper, call.args

data/lib/brakeman/processors/controller_alias_processor.rb

@@ -51,7 +51,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
         #Need to process the method like it was in a controller in order
         #to get the renders set
         processor = Brakeman::ControllerProcessor.new(@tracker, mixin.file)
-        method = mixin.get_method(name)[:src].deep_clone
+        method = mixin.get_method(name).src.deep_clone
 
         if node_type? method, :defn
           method = processor.process_defn method
@@ -143,16 +143,16 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
   #Basically, adds any instance variable assignments to the environment.
   #TODO: method arguments?
   def process_before_filter name
-    filter = find_method name, @current_class
+    filter = tracker.find_method name, @current_class
 
     if filter.nil?
       Brakeman.debug "[Notice] Could not find filter #{name}"
       return
     end
 
-    method = filter[:method]
+    method = filter.src
 
-    if ivars = @tracker.filter_cache[[filter[:controller], name]]
+    if ivars = @tracker.filter_cache[[filter.owner, name]]
       ivars.each do |variable, value|
         env[variable] = value
       end
@@ -162,7 +162,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
 
       ivars = processor.only_ivars(:include_request_vars).all
 
-      @tracker.filter_cache[[filter[:controller], name]] = ivars
+      @tracker.filter_cache[[filter.owner, name]] = ivars
 
       ivars.each do |variable, value|
         env[variable] = value
@@ -182,7 +182,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
     # method as the line number
     if line.nil? and controller = @tracker.controllers[@current_class]
       if meth = controller.get_method(@current_method)
-        if line = meth[:src] && meth[:src].last && meth[:src].last.line
+        if line = meth.src && meth.src.last && meth.src.last.line
           line += 1
         else
           line = 1
@@ -241,41 +241,4 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
       []
     end
   end
-
-  #Finds a method in the given class or a parent class
-  #
-  #Returns nil if the method could not be found.
-  #
-  #If found, returns hash table with controller name and method sexp.
-  def find_method method_name, klass
-    return nil if sexp? method_name
-    method_name = method_name.to_sym
-
-    if method = @method_cache[method_name]
-      return method
-    end
-
-    controller = @tracker.controllers[klass]
-    controller ||= @tracker.libs[klass]
-
-    if klass and controller
-      method = controller.get_method method_name
-
-      if method.nil?
-        controller.includes.each do |included|
-          method = find_method method_name, included
-          if method
-            @method_cache[method_name] = method
-            return method
-          end
-       end
-
-        @method_cache[method_name] = find_method method_name, controller.parent
-      else
-        @method_cache[method_name] = { :controller => controller.name, :method => method[:src] }
-      end
-    else
-      nil
-    end
-  end
 end

data/lib/brakeman/processors/gem_processor.rb

@@ -6,6 +6,7 @@ class Brakeman::GemProcessor < Brakeman::BasicProcessor
   def initialize *args
     super
     @gem_name_version = /^\s*([-_+.A-Za-z0-9]+) \((\w(\.\w+)*)\)/
+    @ruby_version = /^\s+ruby (\d\.\d.\d+)/
   end
 
   def process_gems gem_files
@@ -95,6 +96,8 @@ class Brakeman::GemProcessor < Brakeman::BasicProcessor
   def set_gem_version_and_file line, file, line_num
     if line =~ @gem_name_version
       @tracker.config.add_gem $1, $2, file, line_num
+    elsif line =~ @ruby_version
+      @tracker.config.set_ruby_version $1
     end
   end
 end

data/lib/brakeman/processors/haml_template_processor.rb

@@ -8,6 +8,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
   HAML_HELPERS2 = s(:colon2, s(:colon3, :Haml), :Helpers)
   JAVASCRIPT_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Javascript)
   COFFEE_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Coffee)
+  ATTRIBUTE_BUILDER = s(:colon2, s(:colon3, :Haml), :AttributeBuilder)
 
   def initialize *args
     super
@@ -133,6 +134,8 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
 
         get_pushed_value(exp.first_arg, default)
         @javascript = false
+      elsif haml_attribute_builder? exp
+        ignore # probably safe... seems escaped by default?
       else
         add_output exp, default
       end
@@ -154,6 +157,12 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
       exp.method == :attributes
   end
 
+  def haml_attribute_builder? exp
+    call? exp and
+      exp.target == ATTRIBUTE_BUILDER and
+      exp.method == :build
+  end
+
   def fix_textareas? exp
     call? exp and
       exp.target == HAMLOUT and

data/lib/brakeman/processors/lib/call_conversion_helper.rb

@@ -1,11 +1,5 @@
 module Brakeman
   module CallConversionHelper
-    def all_literals? exp, expected_type = :array
-      node_type? exp, expected_type and
-        exp.length > 1 and
-        exp.all? { |e| e.is_a? Symbol or node_type? e, :lit, :str }
-    end
-
     # Join two array literals into one.
     def join_arrays lhs, rhs, original_exp = nil
       if array? lhs and array? rhs
@@ -76,6 +70,8 @@ module Brakeman
 
         #Have to do this because first element is :array and we have to skip it
         array[1..-1][index] or original_exp
+      elsif all_literals? array
+        safe_literal(array.line)
       else
         original_exp
       end
@@ -92,5 +88,15 @@ module Brakeman
         original_exp
       end
     end
+
+    # You must check the return value for `nil`s -
+    # which indicate a key could not be found.
+    def hash_values_at hash, keys
+      values = keys.map do |key|
+        process_hash_access hash, key
+      end
+
+      Sexp.new(:array).concat(values).line(hash.line)
+    end
   end
 end

data/lib/brakeman/processors/lib/rails3_route_processor.rb

@@ -78,6 +78,8 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BasicProcessor
 
   #TODO: Need test for this
   def process_root exp
+    return exp unless hash? exp.first_arg
+
     if value = hash_access(exp.first_arg, :to)
       if string? value
         add_route_from_string value

data/lib/brakeman/processors/library_processor.rb

@@ -54,6 +54,15 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
 
   def process_call exp
     if process_call_defn? exp
+      exp
+    elsif @current_method.nil? and exp.target.nil? and (@current_class or @current_module)
+      # Methods called inside class / module
+      case exp.method
+      when :include
+        module_name = class_name(exp.first_arg)
+        (@current_class || @current_module).add_include module_name
+      end
+
       exp
     else
       process_default exp

data/lib/brakeman/processors/model_processor.rb

@@ -73,6 +73,8 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
           @current_class.set_attr_accessible exp
         when :attr_protected
           @current_class.set_attr_protected exp
+        when :enum
+          add_enum_method exp
         else
           if @current_class
             @current_class.add_option method, exp
@@ -87,4 +89,34 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
       call
     end
   end
+
+  def add_enum_method call
+    arg = call.first_arg
+    return unless hash? arg
+    return unless symbol? arg[1]
+
+    enum_name = arg[1].value # first key
+    enums = arg[2] # first value
+    enums_name = pluralize(enum_name.to_s).to_sym
+
+    call_line = call.line
+
+    if hash? enums
+      enum_values = enums
+    elsif array? enums
+      # Build hash for enum values like Rails does
+      enum_values = s(:hash).line(call_line)
+
+      enums.each_sexp.with_index do |v, index|
+        enum_values << v
+        enum_values << s(:lit, index).line(call_line)
+      end
+    end
+
+    enum_method = s(:defn, enum_name, s(:args), safe_literal(call_line))
+    enums_method = s(:defs, s(:self), enums_name, s(:args), enum_values)
+
+    @current_class.add_method :public, enum_name, enum_method, @current_file
+    @current_class.add_method :public, enums_name, enums_method, @current_file
+  end
 end

data/lib/brakeman/report/ignore/config.rb

@@ -126,7 +126,7 @@ module Brakeman
 
         w[:note] = @notes[w[:fingerprint]] || ""
         w
-      end.sort_by { |w| [w[:fingerprint], w[:line]] }
+      end.sort_by { |w| [w[:fingerprint], w[:line] || 0] }
 
       output = {
         :ignored_warnings => warnings,

data/lib/brakeman/report/ignore/interactive.rb

@@ -62,7 +62,7 @@ module Brakeman
           process_warnings
         end
 
-        m.choice "Hide previously ignored warnings" do
+        m.choice "Inspect new warnings" do
           @skip_ignored = true
           pre_show_help
           process_warnings

data/lib/brakeman/report/report_csv.rb

@@ -17,7 +17,7 @@ class Brakeman::Report::CSV < Brakeman::Report::Base
     ]
 
     rows = tracker.filtered_warnings.sort_by do |w|
-      [w.confidence, w.warning_type, w.file, w.line, w.fingerprint]
+      [w.confidence, w.warning_type, w.file, w.line || 0, w.fingerprint]
     end.map do |warning|
       generate_row(headers, warning)
     end

data/lib/brakeman/report/report_github.rb

@@ -0,0 +1,31 @@
+# Github Actions Formatter
+# Formats warnings as workflow commands to create annotations in GitHub UI
+class Brakeman::Report::Github < Brakeman::Report::Base
+  def generate_report
+    # @see https://docs.github.com/en/actions/reference/workflow-commands-for-github-actions#setting-a-warning-message
+    errors.concat(warnings).join("\n")
+  end
+
+  def warnings
+    all_warnings
+      .map { |warning| "::warning file=#{warning_file(warning)},line=#{warning.line}::#{warning.message}" }
+  end
+
+  def errors
+    tracker.errors.map do |error|
+      if error[:exception].is_a?(Racc::ParseError)
+        # app/services/balance.rb:4 :: parse error on value "..." (tDOT3)
+        file, line = error[:exception].message.split(':').map(&:strip)[0,2]
+        "::error file=#{file},line=#{line}::#{clean_message(error[:error])}"
+      else
+        "::error ::#{clean_message(error[:error])}"
+      end
+    end
+  end
+
+  private
+
+  def clean_message(msg)
+    msg.gsub('::','').squeeze(' ')
+  end
+end

data/lib/brakeman/report/report_sarif.rb

@@ -48,7 +48,7 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
   end
 
   def results
-    @results ||= all_warnings.map do |warning|
+    @results ||= tracker.checks.all_warnings.map do |warning|
       rule_id = render_id warning
       result_level = infer_level warning
       message_text = render_message warning.message.to_s
@@ -72,11 +72,28 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
         ],
       }
 
+      if @ignore_filter && @ignore_filter.ignored?(warning)
+        result[:suppressions] = [
+          {
+            :kind => 'external',
+            :justification => @ignore_filter.note_for(warning),
+            :location => {
+              :physicalLocation => {
+                :artifactLocation => {
+                  :uri => Brakeman::FilePath.from_app_tree(@app_tree, @ignore_filter.file).relative,
+                  :uriBaseId => '%SRCROOT%',
+                },
+              },
+            },
+          }
+        ]
+      end
+
       result
     end
   end
 
-  # Returns a hash of all check descriptions, keyed by check namne
+  # Returns a hash of all check descriptions, keyed by check name
   def check_descriptions
     @check_descriptions ||= Brakeman::Checks.checks.map do |check|
       [check.name.gsub(/^Check/, ''), check.description]
@@ -85,7 +102,7 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
 
   # Returns a de-duplicated set of warnings, used to generate rules
   def unique_warnings_by_warning_code
-    @unique_warnings_by_warning_code ||= all_warnings.uniq { |w| w.warning_code }
+    @unique_warnings_by_warning_code ||= tracker.checks.all_warnings.uniq { |w| w.warning_code }
   end
 
   def render_id warning
@@ -94,6 +111,8 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
   end
 
   def render_message message
+    return message if message.nil?
+
     # Ensure message ends with a period
     if message.end_with? "."
       message

data/lib/brakeman/report/report_text.rb

@@ -92,7 +92,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
       HighLine.color("No warnings found", :bold, :green)
     else
       warnings = tracker.filtered_warnings.sort_by do |w|
-        [w.confidence, w.warning_type, w.file, w.line, w.fingerprint]
+        [w.confidence, w.warning_type, w.file, w.line || 0, w.fingerprint]
       end.map do |w|
         output_warning w
       end

data/lib/brakeman/report.rb

@@ -6,7 +6,7 @@ require 'brakeman/report/report_base'
 class Brakeman::Report
   attr_reader :tracker
 
-  VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain, :to_text, :to_junit]
+  VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain, :to_text, :to_junit, :to_github]
 
   def initialize tracker
     @app_tree = tracker.app_tree
@@ -48,6 +48,9 @@ class Brakeman::Report
     when :to_sonar
       require_report 'sonar'
       Brakeman::Report::Sonar
+    when :to_github
+      require_report 'github'
+      Brakeman::Report::Github
     else
       raise "Invalid format: #{format}. Should be one of #{VALID_FORMATS.inspect}"
     end

data/lib/brakeman/rescanner.rb

@@ -391,7 +391,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
 
   def parse_ruby_files list
     paths = list.select(&:exists?)
-    file_parser = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
+    file_parser = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout], tracker.options[:parallel_checks])
     file_parser.parse_files paths
     tracker.add_errors(file_parser.errors)
     file_parser.file_list

data/lib/brakeman/scanner.rb

@@ -40,38 +40,38 @@ class Brakeman::Scanner
 
   #Process everything in the Rails application
   def process
-    Brakeman.notify "Processing gems..."
+    Brakeman.notify "Processing gems...                    "
     process_gems
     guess_rails_version
-    Brakeman.notify "Processing configuration..."
+    Brakeman.notify "Processing configuration...           "
     process_config
-    Brakeman.notify "Parsing files..."
+    Brakeman.notify "Parsing files...                      "
     parse_files
-    Brakeman.notify "Detecting file types..."
+    Brakeman.notify "Detecting file types...               "
     detect_file_types
-    Brakeman.notify "Processing initializers..."
+    Brakeman.notify "Processing initializers...            "
     process_initializers
-    Brakeman.notify "Processing libs..."
+    Brakeman.notify "Processing libs...                    "
     process_libs
-    Brakeman.notify "Processing routes...          "
+    Brakeman.notify "Processing routes...                  "
     process_routes
-    Brakeman.notify "Processing templates...       "
+    Brakeman.notify "Processing templates...               "
     process_templates
-    Brakeman.notify "Processing data flow in templates..."
+    Brakeman.notify "Processing data flow in templates...  "
     process_template_data_flows
-    Brakeman.notify "Processing models...          "
+    Brakeman.notify "Processing models...                  "
     process_models
-    Brakeman.notify "Processing controllers...     "
+    Brakeman.notify "Processing controllers...             "
     process_controllers
     Brakeman.notify "Processing data flow in controllers..."
     process_controller_data_flows
-    Brakeman.notify "Indexing call sites...        "
+    Brakeman.notify "Indexing call sites...                "
     index_call_sites
     tracker
   end
 
   def parse_files
-    fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
+    fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout], tracker.options[:parallel_checks])
 
     fp.parse_files tracker.app_tree.ruby_file_paths
 
@@ -137,7 +137,9 @@ class Brakeman::Scanner
     end
 
     if @app_tree.exists? ".ruby-version"
-      tracker.config.set_ruby_version @app_tree.file_path(".ruby-version").read
+      if version = @app_tree.file_path(".ruby-version").read[/(\d\.\d.\d+)/]
+        tracker.config.set_ruby_version version
+      end
     end
 
     tracker.config.load_rails_defaults
@@ -353,6 +355,9 @@ class Brakeman::Scanner
   def parse_ruby_file file
     fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
     fp.parse_ruby(file.read, file)
+  rescue Exception => e
+    tracker.error(e)
+    nil
   end
 end