brakeman-lib 5.3.1 → 5.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d1cfbfc4a477ca4da5ff22010526e792bc218fa2aa7abe454a8a9d0be4dd2128
-  data.tar.gz: 5209d14eb749f8ec05ffd724e53a0cf575834c8f21fda1ef6c0481be4165133b
+  metadata.gz: 1bd15d1d3f41a0fe1f537728a63f5fe432eae4d4b82cdb07233007e794b4b19a
+  data.tar.gz: 8fd1c274006689e0e391c5586c9bd59c7ce776a998c9313561185216e51f9519
 SHA512:
-  metadata.gz: 5e3deacdca32c220ca081e3ceff9f98f4a4152150b97e9fa2915c40569fc9a01b5f9a2b451593090e2ea20874ba741168ca2c1913a0fe77e59b215f58f2ea80e
-  data.tar.gz: 8acf5cef0175a70381c5dfa6d015e9882a23786317b13cf16b6432376614dffb3bb30ead9fd12bb45f267f92a786012dd28d86728fc17e9ae7a4ef467951def9
+  metadata.gz: d3c99025931ba8a59c7852132cb80100f3f720de1ebfe632899e499a5784d5e92534efc6d9a04729bf3aec0d07c90fc2f69efccfd3d49558c277e370ae3d58f3
+  data.tar.gz: 571f89f8d5eb19b1d2c472517e3d66d819ab715379fd6b5bdd15cd136560499d8d86ff79da19a86a2c03830b8e0b0d0bf0dec3935267f75eacc95396a71d1f81

data/CHANGES.md

@@ -1,3 +1,24 @@
+# 5.4.1 - 2023-02-21
+
+* Fix file/line location for EOL software warnings
+* Revise checking for request.env to only consider request headers
+* Add `redirect_back` and `redirect_back_or_to` to open redirect check
+* Support Rails 7 redirect options
+* Add Rails 6.1 and 7.0 default configuration values
+* Prevent redirects using `url_from` being marked as unsafe (Lachlan Sylvester)
+* Warn about unscoped find for `find_by(id: ...)`
+* Support `presence`, `presence_in` and `in?`
+* Fix issue with `if` expressions in `when` clauses
+
+# 5.4.0 - 2022-11-17
+
+* Use relative paths for CodeClimate report format (Mike Poage)
+* Add check for weak RSA key sizes and padding modes
+* Handle multiple values and splats in case/when
+* Ignore more model methods in redirects
+* Add check for absolute paths issue with Pathname
+* Fix `load_rails_defaults` overwriting settings in the Rails application (James Gregory-Monk)
+
 # 5.3.1 - 2022-08-09
 
 * Fix version range for CVE-2022-32209

data/README.md

@@ -64,9 +64,9 @@ Outside of Rails root (note that the output file is relative to path/to/rails/ap
 
 # Compatibility
 
-Brakeman should work with any version of Rails from 2.3.x to 6.x.
+Brakeman should work with any version of Rails from 2.3.x to 7.x.
 
-Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 2.4.0 to run.
+Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 2.5.0 to run.
 
 # Basic Options
 

data/lib/brakeman/checks/base_check.rb

@@ -76,7 +76,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
         @has_user_input = Match.new(:params, exp)
       elsif cookies? target
         @has_user_input = Match.new(:cookies, exp)
-      elsif request_env? target
+      elsif request_headers? target
         @has_user_input = Match.new(:request, exp)
       elsif sexp? target and model_name? target[1] #TODO: Can this be target.target?
         @has_user_input = Match.new(:model, exp)
@@ -313,7 +313,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
         return Match.new(:params, exp)
       elsif cookies? exp
         return Match.new(:cookies, exp)
-      elsif request_env? exp
+      elsif request_headers? exp
         return Match.new(:request, exp)
       else
         has_immediate_user_input? exp.target
@@ -467,7 +467,6 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     version_between? version, "2.3.18.99", tracker.config.gem_version(:'railslts-version')
   end
 
-
   def version_between? low_version, high_version, current_version = nil
     tracker.config.version_between? low_version, high_version, current_version
   end

data/lib/brakeman/checks/check_pathname.rb

@@ -0,0 +1,48 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckPathname < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Check for unexpected Pathname behavior"
+
+  def run_check
+    check_rails_root_join
+    check_pathname_join
+
+  end
+
+  def check_rails_root_join
+    tracker.find_call(target: :'Rails.root', method: :join, nested: true).each do |result|
+      check_result result
+    end
+  end
+
+  def check_pathname_join
+    pathname_methods = [
+      :'Pathname.new',
+      :'Pathname.getwd',
+      :'Pathname.glob',
+      :'Pathname.pwd',
+    ]
+
+    tracker.find_call(targets: pathname_methods, method: :join, nested: true).each do |result|
+      check_result result
+    end
+  end
+
+  def check_result result
+    return unless original? result
+
+    result[:call].each_arg do |arg|
+      if match = has_immediate_user_input?(arg)
+        warn :result => result,
+          :warning_type => "Path Traversal",
+          :warning_code => :pathname_traversal,
+          :message => "Absolute paths in `Pathname#join` cause the entire path to be relative to the absolute path, ignoring any prior values",
+          :user_input => match,
+          :confidence => :high,
+          :cwe_id => [22]
+      end
+    end
+  end
+end

data/lib/brakeman/checks/check_redirect.rb

@@ -11,9 +11,7 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
   @description = "Looks for calls to redirect_to with user input as arguments"
 
   def run_check
-    Brakeman.debug "Finding calls to redirect_to()"
-
-    @model_find_calls = Set[:all, :create, :create!, :find, :find_by_sql, :first, :last, :new]
+    @model_find_calls = Set[:all, :create, :create!, :find, :find_by_sql, :first, :first!, :last, :last!, :new, :sole]
 
     if tracker.options[:rails3]
       @model_find_calls.merge [:from, :group, :having, :joins, :lock, :order, :reorder, :select, :where]
@@ -23,7 +21,13 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
       @model_find_calls.merge [:find_by, :find_by!, :take]
     end
 
-    @tracker.find_call(:target => false, :method => :redirect_to).each do |res|
+    if version_between? "7.0.0", "9.9.9"
+      @model_find_calls << :find_sole_by
+    end
+
+    methods = [:redirect_to, :redirect_back, :redirect_back_or_to]
+
+    @tracker.find_call(:target => false, :methods => methods).each do |res|
       process_result res
     end
   end
@@ -32,18 +36,28 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
     return unless original? result
 
     call = result[:call]
-    method = call.method
-
     opt = call.first_arg
 
-    if method == :redirect_to and
+    # Location is specified with `fallback_location:`
+    # otherwise the arguments do not contain a location and
+    # the call can be ignored
+    if call.method == :redirect_back
+      if hash? opt and location = hash_access(opt, :fallback_location)
+        opt = location
+      else
+        return
+      end
+    end
+
+    if not protected_by_raise?(call) and
         not only_path?(call) and
         not explicit_host?(opt) and
         not slice_call?(opt) and
         not safe_permit?(opt) and
-        res = include_user_input?(call)
+        not disallow_other_host?(call) and
+        res = include_user_input?(opt)
 
-      if res.type == :immediate
+      if res.type == :immediate and not allow_other_host?(call)
         confidence = :high
       else
         confidence = :weak
@@ -64,42 +78,42 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
   #is being output directly. This is necessary because of tracker.options[:check_arguments]
   #which can be used to enable/disable reporting output of method calls which use
   #user input as arguments.
-  def include_user_input? call, immediate = :immediate
+  def include_user_input? opt, immediate = :immediate
     Brakeman.debug "Checking if call includes user input"
 
-    arg = call.first_arg
-
     # if the first argument is an array, rails assumes you are building a
     # polymorphic route, which will never jump off-host
-    return false if array? arg
+    return false if array? opt
 
     if tracker.options[:ignore_redirect_to_model]
-      if model_instance?(arg) or decorated_model?(arg)
+      if model_instance?(opt) or decorated_model?(opt)
         return false
       end
     end
 
-    if res = has_immediate_model?(arg)
-      unless call? arg and arg.method.to_s =~ /_path/
+    if res = has_immediate_model?(opt)
+      unless call? opt and opt.method.to_s =~ /_path/
         return Match.new(immediate, res)
       end
-    elsif call? arg
-      if request_value? arg
-        return Match.new(immediate, arg)
-      elsif request_value? arg.target
-        return Match.new(immediate, arg.target)
-      elsif arg.method == :url_for and include_user_input? arg
-        return Match.new(immediate, arg)
+    elsif call? opt
+      if request_value? opt
+        return Match.new(immediate, opt)
+      elsif opt.method == :url_for and include_user_input? opt.first_arg
+        return Match.new(immediate, opt)
         #Ignore helpers like some_model_url?
-      elsif arg.method.to_s =~ /_(url|path)\z/
+      elsif opt.method.to_s =~ /_(url|path)\z/
+        return false
+      elsif opt.method == :url_from
         return false
       end
-    elsif request_value? arg
-      return Match.new(immediate, arg)
+    elsif request_value? opt
+      return Match.new(immediate, opt)
+    elsif node_type? opt, :or
+      return (include_user_input?(opt.lhs) or include_user_input?(opt.rhs))
     end
 
-    if tracker.options[:check_arguments] and call? arg
-      include_user_input? arg, false  #I'm doubting if this is really necessary...
+    if tracker.options[:check_arguments] and call? opt
+      include_user_input? opt.first_arg, false  #I'm doubting if this is really necessary...
     else
       false
     end
@@ -204,7 +218,7 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
   def friendly_model? exp
     call? exp and model_name? exp.target and exp.method == :friendly
   end
-  
+
   #Returns true if exp is (probably) a decorated model instance
   #using the Draper gem
   def decorated_model? exp
@@ -245,7 +259,7 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
     if call? exp and params? exp.target and exp.method == :permit
       exp.each_arg do |opt|
         if symbol? opt and DANGEROUS_KEYS.include? opt.value
-          return false 
+          return false
         end
       end
 
@@ -254,4 +268,25 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
 
     false
   end
+
+  def protected_by_raise? call
+    raise_on_redirects? and
+      not allow_other_host? call
+  end
+
+  def raise_on_redirects?
+    @raise_on_redirects ||= true?(tracker.config.rails.dig(:action_controller, :raise_on_open_redirects))
+  end
+
+  def allow_other_host? call
+    opt = call.last_arg
+
+    hash? opt and true? hash_access(opt, :allow_other_host)
+  end
+
+  def disallow_other_host? call
+    opt = call.last_arg
+
+    hash? opt and false? hash_access(opt, :allow_other_host)
+  end
 end

data/lib/brakeman/checks/check_unscoped_find.rb

@@ -23,6 +23,14 @@ class Brakeman::CheckUnscopedFind < Brakeman::BaseCheck
     calls.each do |call|
       process_result call
     end
+
+    tracker.find_call(:method => :find_by, :targets => associated_model_names).each do |result|
+      arg = result[:call].first_arg
+
+      if hash? arg and hash_access(arg, :id)
+        process_result result
+      end
+    end
   end
 
   def process_result result

data/lib/brakeman/checks/check_weak_rsa_key.rb

@@ -0,0 +1,112 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckWeakRSAKey < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for weak uses RSA keys"
+
+  def run_check
+    check_rsa_key_creation
+    check_rsa_operations
+  end
+
+  def check_rsa_key_creation
+    tracker.find_call(targets: [:'OpenSSL::PKey::RSA'], method: [:new, :generate], nested: true).each do |result|
+      key_size_arg = result[:call].first_arg
+      check_key_size(result, key_size_arg)
+    end
+
+    tracker.find_call(targets: [:'OpenSSL::PKey'], method: [:generate_key], nested: true).each do |result|
+      call = result[:call]
+      key_type = call.first_arg
+      options_arg = call.second_arg
+
+      next unless options_arg and hash? options_arg
+
+      if string? key_type and key_type.value.upcase == 'RSA'
+        key_size_arg = (hash_access(options_arg, :rsa_keygen_bits) || hash_access(options_arg, s(:str, 'rsa_key_gen_bits')))
+        check_key_size(result, key_size_arg)
+      end
+    end
+  end
+
+  def check_rsa_operations
+    tracker.find_call(targets: [:'OpenSSL::PKey::RSA.new'], methods: [:public_encrypt, :public_decrypt, :private_encrypt, :private_decrypt], nested: true).each do |result|
+      padding_arg = result[:call].second_arg
+      check_padding(result, padding_arg)
+    end
+
+    tracker.find_call(targets: [:'OpenSSL::PKey.generate_key'], methods: [:encrypt, :decrypt, :sign, :verify, :sign_raw, :verify_raw], nested: true).each do |result|
+      call = result[:call]
+      options_arg = call.last_arg
+
+      if options_arg and hash? options_arg
+        padding_arg = (hash_access(options_arg, :rsa_padding_mode) || hash_access(options_arg, s(:str, 'rsa_padding_mode')))
+      else
+        padding_arg = nil
+      end
+
+      check_padding(result, padding_arg)
+    end
+  end
+
+  def check_key_size result, key_size_arg
+    return unless number? key_size_arg
+    return unless original? result
+
+    key_size = key_size_arg.value
+
+    if key_size < 1024
+      confidence = :high
+      message = msg("RSA key with size ", msg_code(key_size.to_s), " is considered very weak. Use at least 2048 bit key size")
+    elsif key_size < 2048
+      confidence = :medium
+      message = msg("RSA key with size ", msg_code(key_size.to_s), " is considered weak. Use at least 2048 bit key size")
+    else
+      return
+    end
+
+    warn result: result,
+      warning_type: "Weak Cryptography",
+      warning_code: :small_rsa_key_size,
+      message: message,
+      confidence: confidence,
+      user_input: key_size_arg,
+      cwe_id: [326]
+  end
+
+  PKCS1_PADDING = s(:colon2, s(:colon2, s(:colon2, s(:const, :OpenSSL), :PKey), :RSA), :PKCS1_PADDING).freeze
+  PKCS1_PADDING_STR = s(:str, 'pkcs1').freeze
+  SSLV23_PADDING = s(:colon2, s(:colon2, s(:colon2, s(:const, :OpenSSL), :PKey), :RSA), :SSLV23_PADDING).freeze
+  SSLV23_PADDING_STR = s(:str, 'sslv23').freeze
+  NO_PADDING = s(:colon2, s(:colon2, s(:colon2, s(:const, :OpenSSL), :PKey), :RSA), :NO_PADDING).freeze
+  NO_PADDING_STR = s(:str, 'none').freeze
+
+  def check_padding result, padding_arg
+    return unless original? result
+
+    if string? padding_arg
+      padding_arg = padding_arg.deep_clone(padding_arg.line)
+      padding_arg.value.downcase!
+    end
+
+    case padding_arg
+    when PKCS1_PADDING, PKCS1_PADDING_STR, nil
+      message = "Use of padding mode PKCS1 (default if not specified), which is known to be insecure. Use OAEP instead"
+    when SSLV23_PADDING, SSLV23_PADDING_STR
+      message = "Use of padding mode SSLV23 for RSA key, which is only useful for outdated versions of SSL. Use OAEP instead"
+    when NO_PADDING, NO_PADDING_STR
+      message = "No padding mode used for RSA key. A safe padding mode (OAEP) should be specified for RSA keys"
+    else
+      return
+    end
+
+    warn result: result,
+      warning_type: "Weak Cryptography",
+      warning_code: :insecure_rsa_padding_mode,
+      message: message,
+      confidence: :high,
+      user_input: padding_arg,
+      cwe_id: [780]
+  end
+end

data/lib/brakeman/checks/eol_check.rb

@@ -34,7 +34,7 @@ class Brakeman::EOLCheck < Brakeman::BaseCheck
       warning_code: :"pending_eol_#{library}",
       message: msg("Support for ", msg_version(version, library.capitalize), " ends on #{eol_date}"),
       confidence: confidence,
-      gem_info: gemfile_or_environment,
+      gem_info: gemfile_or_environment(library),
       :cwe_id => [1104]
   end
 
@@ -43,7 +43,7 @@ class Brakeman::EOLCheck < Brakeman::BaseCheck
       warning_code: :"eol_#{library}",
       message: msg("Support for ", msg_version(version, library.capitalize), " ended on #{eol_date}"),
       confidence: :high,
-      gem_info: gemfile_or_environment,
+      gem_info: gemfile_or_environment(library),
       :cwe_id => [1104]
   end
 end

data/lib/brakeman/processors/alias_processor.rb

@@ -300,11 +300,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       if array? target and first_arg.nil? and sexp? target[1]
         exp = target[1]
       end
-    when :freeze
-      unless target.nil?
-        exp = target
-      end
-    when :dup
+    when :freeze, :dup, :presence
       unless target.nil?
         exp = target
       end
@@ -332,6 +328,17 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
           exp = res
         end
       end
+    when :presence_in
+      arg = exp.first_arg
+
+      if node_type? arg, :array
+        # 1.presence_in [1,2,3]
+        if arg.include? target
+          exp = target
+        elsif all_literals? arg
+          exp = safe_literal(exp.line)
+        end
+      end
     end
 
     exp
@@ -862,6 +869,17 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     (all_literals? exp.target or dir_glob? exp.target)
   end
 
+  # Check if exp is a call to Array#include? on an array literal
+  # that contains all literal values. For example:
+  #
+  #    x.in? [1, 2, "a"]
+  #
+  def in_array_all_literals? exp
+    call? exp and
+      exp.method == :in? and
+      all_literals? exp.first_arg
+  end
+
   # Check if exp is a call to Hash#include? on a hash literal
   # that contains all literal values. For example:
   #
@@ -915,28 +933,30 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         scope do
           @branch_env = env.current
           branch_index = 2 + i # s(:if, condition, then_branch, else_branch)
-          if i == 0 and hash_or_array_include_all_literals? condition
+         exp[branch_index] = if i == 0 and hash_or_array_include_all_literals? condition
             # If the condition is ["a", "b"].include? x
-            # set x to "a" inside the true branch
+            # set x to safe_literal inside the true branch
             var = condition.first_arg
-            previous_value = env.current[var]
-            env.current[var] = safe_literal(var.line)
-            exp[branch_index] = process_if_branch branch
-            env.current[var] = previous_value
+            value = safe_literal(var.line)
+            process_branch_with_value(var, value, branch, i)
+          elsif i == 0 and in_array_all_literals? condition
+            # If the condition is x.in? ["a", "b"]
+            # set x to safe_literal inside the true branch
+            var = condition.target
+            value = safe_literal(var.line)
+            process_branch_with_value(var, value, branch, i)
           elsif i == 0 and equality_check? condition
             # For conditions like a == b,
             # set a to b inside the true branch
             var = condition.target
-            previous_value = env.current[var]
-            env.current[var] = condition.first_arg
-            exp[branch_index] = process_if_branch branch
-            env.current[var] = previous_value
+            value = condition.first_arg
+            process_branch_with_value(var, value, branch, i)
           elsif i == 1 and hash_or_array_include_all_literals? condition and early_return? branch
             var = condition.first_arg
             env.current[var] = safe_literal(var.line)
-            exp[branch_index] = process_if_branch branch
+            process_if_branch branch
           else
-            exp[branch_index] = process_if_branch branch
+            process_if_branch branch
           end
           branch_scopes << env.current
           @branch_env = nil
@@ -953,6 +973,14 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     exp
   end
 
+  def process_branch_with_value var, value, branch, branch_index
+    previous_value = env.current[var]
+    env.current[var] = value
+    result = process_if_branch branch
+    env.current[var] = previous_value
+    result
+  end
+
   def early_return? exp
     return true if node_type? exp, :return
     return true if call? exp and [:fail, :raise].include? exp.method
@@ -970,11 +998,27 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       exp.method == :==
   end
 
+  # Not a list of values
+  #   when :example
   def simple_when? exp
     node_type? exp[1], :array and
-      not node_type? exp[1][1], :splat, :array and
-      (exp[1].length == 2 or
-       exp[1].all? { |e| e.is_a? Symbol or node_type? e, :lit, :str })
+      exp[1].length == 2 and # only one element in the array
+      not node_type? exp[1][1], :splat, :array
+  end
+
+  # A list of literal values
+  #
+  #   when 1,2,3
+  #
+  # or
+  #
+  #   when *[:a, :b]
+  def all_literals_when? exp
+    if array? exp[1] # pretty sure this is always true
+      all_literals? exp[1] or # simple list, not actually array
+        (splat_array? exp[1][1] and
+         all_literals? exp[1][1][1])
+    end
   end
 
   def process_case exp
@@ -1000,11 +1044,21 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     exp.each_sexp do |e|
       if node_type? e, :when
         scope do
+          # Process the when value for matching
+          process_default e[1]
+
+          # Moved here to avoid @branch_env being cleared out
+          # in process_default
+          # Maybe in the future don't set it to nil?
           @branch_env = env.current
 
           # set value of case var if possible
-          if case_value and simple_when? e
-            @branch_env[case_value] = e[1][1]
+          if case_value
+            if simple_when? e
+              @branch_env[case_value] = e[1][1]
+            elsif all_literals_when? e
+              @branch_env[case_value] = safe_literal(e.line + 1)
+            end
           end
 
           # when blocks aren't blocks, they are lists of expressions

data/lib/brakeman/processors/gem_processor.rb

@@ -56,7 +56,7 @@ class Brakeman::GemProcessor < Brakeman::BasicProcessor
       elsif exp.method == :ruby
         version = exp.first_arg
         if string? version
-          @tracker.config.set_ruby_version version.value
+          @tracker.config.set_ruby_version version.value, @gemfile, exp.line
         end
       end
     elsif @inside_gemspec and exp.method == :add_dependency
@@ -97,7 +97,7 @@ class Brakeman::GemProcessor < Brakeman::BasicProcessor
     if line =~ @gem_name_version
       @tracker.config.add_gem $1, $2, file, line_num
     elsif line =~ @ruby_version
-      @tracker.config.set_ruby_version $1
+      @tracker.config.set_ruby_version $1, file, line_num
     end
   end
 end

data/lib/brakeman/processors/lib/rails3_config_processor.rb

@@ -86,7 +86,7 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
       end
     elsif include_rails_config? exp
       options_path = get_rails_config exp
-      @tracker.config.set_rails_config(exp.first_arg, *options_path)
+      @tracker.config.set_rails_config(value: exp.first_arg, path: options_path, overwrite: true)
     end
 
     exp

data/lib/brakeman/report/report_codeclimate.rb

@@ -73,7 +73,7 @@ class Brakeman::Report::CodeClimate < Brakeman::Report::Base
     if tracker.options[:path_prefix]
       (Pathname.new(tracker.options[:path_prefix]) + Pathname.new(warning.file.relative)).to_s
     else
-      warning.file
+      warning.relative_path
     end
   end
 end

data/lib/brakeman/rescanner.rb

@@ -6,7 +6,7 @@ require 'brakeman/differ'
 class Brakeman::Rescanner < Brakeman::Scanner
  include Brakeman::Util
   KNOWN_TEMPLATE_EXTENSIONS = Brakeman::TemplateParser::KNOWN_TEMPLATE_EXTENSIONS
-  SCAN_ORDER = [:config, :gemfile, :initializer, :lib, :routes, :template,
+  SCAN_ORDER = [:gemfile, :config, :initializer, :lib, :routes, :template,
     :model, :controller]
 
   #Create new Rescanner to scan changed files
@@ -332,6 +332,8 @@ class Brakeman::Rescanner < Brakeman::Scanner
       :routes
     when /\/config\/.+\.(rb|yml)/
       :config
+    when /\.ruby-version/
+      :config
     when /Gemfile|gems\./
       :gemfile
     else

data/lib/brakeman/scanner.rb

@@ -138,7 +138,7 @@ class Brakeman::Scanner
 
     if @app_tree.exists? ".ruby-version"
       if version = @app_tree.file_path(".ruby-version").read[/(\d\.\d.\d+)/]
-        tracker.config.set_ruby_version version
+        tracker.config.set_ruby_version version, @app_tree.file_path(".ruby-version"), 1
       end
     end
 

data/lib/brakeman/tracker/config.rb

@@ -129,8 +129,9 @@ module Brakeman
       @rails_version
     end
 
-    def set_ruby_version version
+    def set_ruby_version version, file, line
       @ruby_version = extract_version(version)
+      add_gem :ruby, @ruby_version, file, line
     end
 
     def extract_version version
@@ -166,7 +167,7 @@ module Brakeman
     # then this will set
     #
     #   rails[:action_controller][:perform_caching] = value
-    def set_rails_config value, *path
+    def set_rails_config value:, path:, overwrite: false
       config = self.rails
 
       path[0..-2].each do |o|
@@ -182,7 +183,9 @@ module Brakeman
         config = option
       end
 
-      config[path.last] = value
+      if overwrite || config[path.last].nil?
+        config[path.last] = value
+      end
     end
 
     # Load defaults based on config.load_defaults value
@@ -195,38 +198,78 @@ module Brakeman
       false_value = Sexp.new(:false)
 
       if version >= 5.0
-        set_rails_config(true_value, :action_controller, :per_form_csrf_tokens)
-        set_rails_config(true_value, :action_controller, :forgery_protection_origin_check)
-        set_rails_config(true_value, :active_record, :belongs_to_required_by_default)
+        set_rails_config(value: true_value, path: [:action_controller, :per_form_csrf_tokens])
+        set_rails_config(value: true_value, path: [:action_controller, :forgery_protection_origin_check])
+        set_rails_config(value: true_value, path: [:active_record, :belongs_to_required_by_default])
         # Note: this may need to be changed, because ssl_options is a Hash
-        set_rails_config(true_value, :ssl_options, :hsts, :subdomains)
+        set_rails_config(value: true_value, path: [:ssl_options, :hsts, :subdomains])
       end
 
       if version >= 5.1
-        set_rails_config(false_value, :assets, :unknown_asset_fallback)
-        set_rails_config(true_value, :action_view, :form_with_generates_remote_forms)
+        set_rails_config(value: false_value, path: [:assets, :unknown_asset_fallback])
+        set_rails_config(value: true_value, path: [:action_view, :form_with_generates_remote_forms])
       end
 
       if version >= 5.2
-        set_rails_config(true_value, :active_record, :cache_versioning)
-        set_rails_config(true_value, :action_dispatch, :use_authenticated_cookie_encryption)
-        set_rails_config(true_value, :active_support, :use_authenticated_message_encryption)
-        set_rails_config(true_value, :active_support, :use_sha1_digests)
-        set_rails_config(true_value, :action_controller, :default_protect_from_forgery)
-        set_rails_config(true_value, :action_view, :form_with_generates_ids)
+        set_rails_config(value: true_value, path: [:active_record, :cache_versioning])
+        set_rails_config(value: true_value, path: [:action_dispatch, :use_authenticated_cookie_encryption])
+        set_rails_config(value: true_value, path: [:active_support, :use_authenticated_message_encryption])
+        set_rails_config(value: true_value, path: [:active_support, :use_sha1_digests])
+        set_rails_config(value: true_value, path: [:action_controller, :default_protect_from_forgery])
+        set_rails_config(value: true_value, path: [:action_view, :form_with_generates_ids])
       end
 
       if version >= 6.0
-        set_rails_config(Sexp.new(:lit, :zeitwerk), :autoloader)
-        set_rails_config(false_value, :action_view, :default_enforce_utf8)
-        set_rails_config(true_value, :action_dispatch, :use_cookies_with_metadata)
-        set_rails_config(false_value, :action_dispatch, :return_only_media_type_on_content_type)
-        set_rails_config(Sexp.new(:str, 'ActionMailer::MailDeliveryJob'), :action_mailer, :delivery_job)
-        set_rails_config(true_value, :active_job, :return_false_on_aborted_enqueue)
-        set_rails_config(Sexp.new(:lit, :active_storage_analysis), :active_storage, :queues, :analysis)
-        set_rails_config(Sexp.new(:lit, :active_storage_purge), :active_storage, :queues, :purge)
-        set_rails_config(true_value, :active_storage, :replace_on_assign_to_many)
-        set_rails_config(true_value, :active_record, :collection_cache_versioning)
+        set_rails_config(value: Sexp.new(:lit, :zeitwerk), path: [:autoloader])
+        set_rails_config(value: false_value, path: [:action_view, :default_enforce_utf8])
+        set_rails_config(value: true_value, path: [:action_dispatch, :use_cookies_with_metadata])
+        set_rails_config(value: false_value, path: [:action_dispatch, :return_only_media_type_on_content_type])
+        set_rails_config(value: Sexp.new(:str, 'ActionMailer::MailDeliveryJob'), path: [:action_mailer, :delivery_job])
+        set_rails_config(value: true_value, path: [:active_job, :return_false_on_aborted_enqueue])
+        set_rails_config(value: Sexp.new(:lit, :active_storage_analysis), path: [:active_storage, :queues, :analysis])
+        set_rails_config(value: Sexp.new(:lit, :active_storage_purge), path: [:active_storage, :queues, :purge])
+        set_rails_config(value: true_value, path: [:active_storage, :replace_on_assign_to_many])
+        set_rails_config(value: true_value, path: [:active_record, :collection_cache_versioning])
+      end
+
+      if version >= 6.1
+        set_rails_config(value: true_value, path: [:action_controller, :urlsafe_csrf_tokens])
+        set_rails_config(value: Sexp.new(:lit, :lax), path: [:action_dispatch, :cookies_same_site_protection])
+        set_rails_config(value: Sexp.new(:lit, 308), path: [:action_dispatch, :ssl_default_redirect_status])
+        set_rails_config(value: false_value, path: [:action_view, :form_with_generates_remote_forms])
+        set_rails_config(value: true_value, path: [:action_view, :preload_links_header])
+        set_rails_config(value: Sexp.new(:lit, 0.15), path: [:active_job, :retry_jitter])
+        set_rails_config(value: true_value, path: [:active_record, :has_many_inversing])
+        set_rails_config(value: false_value, path: [:active_record, :legacy_connection_handling])
+        set_rails_config(value: true_value, path: [:active_storage, :track_variants])
+      end
+
+      if version >= 7.0
+        video_args =
+          Sexp.new(:str, "-vf 'select=eq(n\\,0)+eq(key\\,1)+gt(scene\\,0.015),loop=loop=-1:size=2,trim=start_frame=1' -frames:v 1 -f image2")
+        hash_class = s(:colon2, s(:colon2, s(:const, :OpenSSL), :Digest), :SHA256)
+
+        set_rails_config(value: true_value, path: [:action_controller, :raise_on_open_redirects])
+        set_rails_config(value: true_value, path: [:action_controller, :wrap_parameters_by_default])
+        set_rails_config(value: Sexp.new(:lit, :json), path: [:action_dispatch, :cookies_serializer])
+        set_rails_config(value: false_value, path: [:action_dispatch, :return_only_request_media_type_on_content_type])
+        set_rails_config(value: Sexp.new(:lit, 5), path: [:action_mailer, :smtp_timeout])
+        set_rails_config(value: false_value, path: [:action_view, :apply_stylesheet_media_default])
+        set_rails_config(value: true_value, path: [:ction_view, :button_to_generates_button_tag])
+        set_rails_config(value: true_value, path: [:active_record, :automatic_scope_inversing])
+        set_rails_config(value: false_value, path: [:active_record, :partial_inserts])
+        set_rails_config(value: true_value, path: [:active_record, :verify_foreign_keys_for_fixtures])
+        set_rails_config(value: true_value, path: [:active_storage, :multiple_file_field_include_hidden])
+        set_rails_config(value: Sexp.new(:lit, :vips), path: [:active_storage, :variant_processor])
+        set_rails_config(value: video_args, path: [:active_storage, :video_preview_arguments])
+        set_rails_config(value: Sexp.new(:lit, 7.0), path: [:active_support, :cache_format_version])
+        set_rails_config(value: true_value, path: [:active_support, :disable_to_s_conversion])
+        set_rails_config(value: true_value, path: [:active_support, :executor_around_test_case])
+        set_rails_config(value: hash_class, path: [:active_support, :hash_digest_class])
+        set_rails_config(value: Sexp.new(:lit, :thread), path: [:active_support, :isolation_level])
+        set_rails_config(value: hash_class, path: [:active_support, :key_generator_hash_digest_class])
+        set_rails_config(value: true_value, path: [:active_support, :remove_deprecated_time_with_zone_name])
+        set_rails_config(value: true_value, path: [:active_support, :use_rfc4122_namespaced_uuids])
       end
     end
   end

data/lib/brakeman/tracker.rb

@@ -371,7 +371,7 @@ class Brakeman::Tracker
       end
     end
 
-    @models.delete model_name
+    @models.delete(model_name)
   end
 
   #Clear information related to model

data/lib/brakeman/util.rb

@@ -265,15 +265,31 @@ module Brakeman::Util
     false
   end
 
-  def request_env? exp
-    call? exp and (exp == REQUEST_ENV or exp[1] == REQUEST_ENV)
+  # Only return true when accessing request headers via request.env[...]
+  def request_headers? exp
+    return unless sexp? exp
+
+    if exp[1] == REQUEST_ENV
+      if exp.method == :[]
+        if string? exp.first_arg
+          # Only care about HTTP headers, which are prefixed by 'HTTP_'
+          exp.first_arg.value.start_with?('HTTP_'.freeze)
+        else
+          true # request.env[something]
+        end
+      else
+        false # request.env.something
+      end
+    else
+      false
+    end
   end
 
-  #Check if exp is params, cookies, or request_env
+  #Check if exp is params, cookies, or request_headers
   def request_value? exp
     params? exp or
     cookies? exp or
-    request_env? exp
+    request_headers? exp
   end
 
   def constant? exp

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "5.3.1"
+  Version = "5.4.1"
 end

data/lib/brakeman/warning_codes.rb

@@ -126,6 +126,10 @@ module Brakeman::WarningCodes
     :pending_eol_rails => 122,
     :pending_eol_ruby => 123,
     :CVE_2022_32209 => 124,
+    :pathname_traversal => 125,
+    :insecure_rsa_padding_mode => 126,
+    :missing_rsa_padding_mode => 127,
+    :small_rsa_key_size => 128,
 
     :custom_check => 9090,
   }

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 5.3.1
+  version: 5.4.1
 platform: ruby
 authors:
 - Justin Collins
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-08-10 00:00:00.000000000 Z
+date: 2023-02-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -299,6 +299,7 @@ files:
 - lib/brakeman/checks/check_nested_attributes_bypass.rb
 - lib/brakeman/checks/check_number_to_currency.rb
 - lib/brakeman/checks/check_page_caching_cve.rb
+- lib/brakeman/checks/check_pathname.rb
 - lib/brakeman/checks/check_permit_attributes.rb
 - lib/brakeman/checks/check_quote_table_name.rb
 - lib/brakeman/checks/check_redirect.rb
@@ -337,6 +338,7 @@ files:
 - lib/brakeman/checks/check_validation_regex.rb
 - lib/brakeman/checks/check_verb_confusion.rb
 - lib/brakeman/checks/check_weak_hash.rb
+- lib/brakeman/checks/check_weak_rsa_key.rb
 - lib/brakeman/checks/check_without_protection.rb
 - lib/brakeman/checks/check_xml_dos.rb
 - lib/brakeman/checks/check_yaml_parsing.rb
@@ -448,7 +450,7 @@ metadata:
   mailing_list_uri: https://gitter.im/presidentbeef/brakeman
   source_code_uri: https://github.com/presidentbeef/brakeman
   wiki_uri: https://github.com/presidentbeef/brakeman/wiki
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -463,8 +465,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
-signing_key: 
+rubygems_version: 3.3.3
+signing_key:
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.
 test_files: []