brakeman-lib 5.4.0 → 5.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c63376837c6212df7e6f9ec337cc1091bcb726799b2437293cd6a32cbc59362a
-  data.tar.gz: 5c3023810d965759ce42f96ce1af3a5de5dd891b907f7d50c8ce1c1aa0e058ca
+  metadata.gz: 1bd15d1d3f41a0fe1f537728a63f5fe432eae4d4b82cdb07233007e794b4b19a
+  data.tar.gz: 8fd1c274006689e0e391c5586c9bd59c7ce776a998c9313561185216e51f9519
 SHA512:
-  metadata.gz: f7e7972da6fb0625832a35c8faf224df3de41dab66a1986110f671c21b5609262697656045e67ca418665aa9d5638ff8ff42a293e01f16406b54de718ce38da5
-  data.tar.gz: f43ea6ec1fb403926d3e5c021f94a18babb611bc53c3ad073e9af25ac40c49aeeefd630460f43fb8c45d08be18754a2d0270fad8e70fda2d0089674e29f6ec7c
+  metadata.gz: d3c99025931ba8a59c7852132cb80100f3f720de1ebfe632899e499a5784d5e92534efc6d9a04729bf3aec0d07c90fc2f69efccfd3d49558c277e370ae3d58f3
+  data.tar.gz: 571f89f8d5eb19b1d2c472517e3d66d819ab715379fd6b5bdd15cd136560499d8d86ff79da19a86a2c03830b8e0b0d0bf0dec3935267f75eacc95396a71d1f81

data/CHANGES.md

@@ -1,3 +1,15 @@
+# 5.4.1 - 2023-02-21
+
+* Fix file/line location for EOL software warnings
+* Revise checking for request.env to only consider request headers
+* Add `redirect_back` and `redirect_back_or_to` to open redirect check
+* Support Rails 7 redirect options
+* Add Rails 6.1 and 7.0 default configuration values
+* Prevent redirects using `url_from` being marked as unsafe (Lachlan Sylvester)
+* Warn about unscoped find for `find_by(id: ...)`
+* Support `presence`, `presence_in` and `in?`
+* Fix issue with `if` expressions in `when` clauses
+
 # 5.4.0 - 2022-11-17
 
 * Use relative paths for CodeClimate report format (Mike Poage)

data/README.md

@@ -64,9 +64,9 @@ Outside of Rails root (note that the output file is relative to path/to/rails/ap
 
 # Compatibility
 
-Brakeman should work with any version of Rails from 2.3.x to 6.x.
+Brakeman should work with any version of Rails from 2.3.x to 7.x.
 
-Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 2.4.0 to run.
+Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 2.5.0 to run.
 
 # Basic Options
 

data/lib/brakeman/checks/base_check.rb

@@ -76,7 +76,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
         @has_user_input = Match.new(:params, exp)
       elsif cookies? target
         @has_user_input = Match.new(:cookies, exp)
-      elsif request_env? target
+      elsif request_headers? target
         @has_user_input = Match.new(:request, exp)
       elsif sexp? target and model_name? target[1] #TODO: Can this be target.target?
         @has_user_input = Match.new(:model, exp)
@@ -313,7 +313,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
         return Match.new(:params, exp)
       elsif cookies? exp
         return Match.new(:cookies, exp)
-      elsif request_env? exp
+      elsif request_headers? exp
         return Match.new(:request, exp)
       else
         has_immediate_user_input? exp.target
@@ -467,7 +467,6 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     version_between? version, "2.3.18.99", tracker.config.gem_version(:'railslts-version')
   end
 
-
   def version_between? low_version, high_version, current_version = nil
     tracker.config.version_between? low_version, high_version, current_version
   end

data/lib/brakeman/checks/check_redirect.rb

@@ -11,8 +11,6 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
   @description = "Looks for calls to redirect_to with user input as arguments"
 
   def run_check
-    Brakeman.debug "Finding calls to redirect_to()"
-
     @model_find_calls = Set[:all, :create, :create!, :find, :find_by_sql, :first, :first!, :last, :last!, :new, :sole]
 
     if tracker.options[:rails3]
@@ -27,7 +25,9 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
       @model_find_calls << :find_sole_by
     end
 
-    @tracker.find_call(:target => false, :method => :redirect_to).each do |res|
+    methods = [:redirect_to, :redirect_back, :redirect_back_or_to]
+
+    @tracker.find_call(:target => false, :methods => methods).each do |res|
       process_result res
     end
   end
@@ -36,18 +36,28 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
     return unless original? result
 
     call = result[:call]
-    method = call.method
-
     opt = call.first_arg
 
-    if method == :redirect_to and
+    # Location is specified with `fallback_location:`
+    # otherwise the arguments do not contain a location and
+    # the call can be ignored
+    if call.method == :redirect_back
+      if hash? opt and location = hash_access(opt, :fallback_location)
+        opt = location
+      else
+        return
+      end
+    end
+
+    if not protected_by_raise?(call) and
         not only_path?(call) and
         not explicit_host?(opt) and
         not slice_call?(opt) and
         not safe_permit?(opt) and
-        res = include_user_input?(call)
+        not disallow_other_host?(call) and
+        res = include_user_input?(opt)
 
-      if res.type == :immediate
+      if res.type == :immediate and not allow_other_host?(call)
         confidence = :high
       else
         confidence = :weak
@@ -68,42 +78,42 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
   #is being output directly. This is necessary because of tracker.options[:check_arguments]
   #which can be used to enable/disable reporting output of method calls which use
   #user input as arguments.
-  def include_user_input? call, immediate = :immediate
+  def include_user_input? opt, immediate = :immediate
     Brakeman.debug "Checking if call includes user input"
 
-    arg = call.first_arg
-
     # if the first argument is an array, rails assumes you are building a
     # polymorphic route, which will never jump off-host
-    return false if array? arg
+    return false if array? opt
 
     if tracker.options[:ignore_redirect_to_model]
-      if model_instance?(arg) or decorated_model?(arg)
+      if model_instance?(opt) or decorated_model?(opt)
         return false
       end
     end
 
-    if res = has_immediate_model?(arg)
-      unless call? arg and arg.method.to_s =~ /_path/
+    if res = has_immediate_model?(opt)
+      unless call? opt and opt.method.to_s =~ /_path/
         return Match.new(immediate, res)
       end
-    elsif call? arg
-      if request_value? arg
-        return Match.new(immediate, arg)
-      elsif request_value? arg.target
-        return Match.new(immediate, arg.target)
-      elsif arg.method == :url_for and include_user_input? arg
-        return Match.new(immediate, arg)
+    elsif call? opt
+      if request_value? opt
+        return Match.new(immediate, opt)
+      elsif opt.method == :url_for and include_user_input? opt.first_arg
+        return Match.new(immediate, opt)
         #Ignore helpers like some_model_url?
-      elsif arg.method.to_s =~ /_(url|path)\z/
+      elsif opt.method.to_s =~ /_(url|path)\z/
+        return false
+      elsif opt.method == :url_from
         return false
       end
-    elsif request_value? arg
-      return Match.new(immediate, arg)
+    elsif request_value? opt
+      return Match.new(immediate, opt)
+    elsif node_type? opt, :or
+      return (include_user_input?(opt.lhs) or include_user_input?(opt.rhs))
     end
 
-    if tracker.options[:check_arguments] and call? arg
-      include_user_input? arg, false  #I'm doubting if this is really necessary...
+    if tracker.options[:check_arguments] and call? opt
+      include_user_input? opt.first_arg, false  #I'm doubting if this is really necessary...
     else
       false
     end
@@ -208,7 +218,7 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
   def friendly_model? exp
     call? exp and model_name? exp.target and exp.method == :friendly
   end
-  
+
   #Returns true if exp is (probably) a decorated model instance
   #using the Draper gem
   def decorated_model? exp
@@ -249,7 +259,7 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
     if call? exp and params? exp.target and exp.method == :permit
       exp.each_arg do |opt|
         if symbol? opt and DANGEROUS_KEYS.include? opt.value
-          return false 
+          return false
         end
       end
 
@@ -258,4 +268,25 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
 
     false
   end
+
+  def protected_by_raise? call
+    raise_on_redirects? and
+      not allow_other_host? call
+  end
+
+  def raise_on_redirects?
+    @raise_on_redirects ||= true?(tracker.config.rails.dig(:action_controller, :raise_on_open_redirects))
+  end
+
+  def allow_other_host? call
+    opt = call.last_arg
+
+    hash? opt and true? hash_access(opt, :allow_other_host)
+  end
+
+  def disallow_other_host? call
+    opt = call.last_arg
+
+    hash? opt and false? hash_access(opt, :allow_other_host)
+  end
 end

data/lib/brakeman/checks/check_unscoped_find.rb

@@ -23,6 +23,14 @@ class Brakeman::CheckUnscopedFind < Brakeman::BaseCheck
     calls.each do |call|
       process_result call
     end
+
+    tracker.find_call(:method => :find_by, :targets => associated_model_names).each do |result|
+      arg = result[:call].first_arg
+
+      if hash? arg and hash_access(arg, :id)
+        process_result result
+      end
+    end
   end
 
   def process_result result

data/lib/brakeman/checks/eol_check.rb

@@ -34,7 +34,7 @@ class Brakeman::EOLCheck < Brakeman::BaseCheck
       warning_code: :"pending_eol_#{library}",
       message: msg("Support for ", msg_version(version, library.capitalize), " ends on #{eol_date}"),
       confidence: confidence,
-      gem_info: gemfile_or_environment,
+      gem_info: gemfile_or_environment(library),
       :cwe_id => [1104]
   end
 
@@ -43,7 +43,7 @@ class Brakeman::EOLCheck < Brakeman::BaseCheck
       warning_code: :"eol_#{library}",
       message: msg("Support for ", msg_version(version, library.capitalize), " ended on #{eol_date}"),
       confidence: :high,
-      gem_info: gemfile_or_environment,
+      gem_info: gemfile_or_environment(library),
       :cwe_id => [1104]
   end
 end

data/lib/brakeman/processors/alias_processor.rb

@@ -300,11 +300,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       if array? target and first_arg.nil? and sexp? target[1]
         exp = target[1]
       end
-    when :freeze
-      unless target.nil?
-        exp = target
-      end
-    when :dup
+    when :freeze, :dup, :presence
       unless target.nil?
         exp = target
       end
@@ -332,6 +328,17 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
           exp = res
         end
       end
+    when :presence_in
+      arg = exp.first_arg
+
+      if node_type? arg, :array
+        # 1.presence_in [1,2,3]
+        if arg.include? target
+          exp = target
+        elsif all_literals? arg
+          exp = safe_literal(exp.line)
+        end
+      end
     end
 
     exp
@@ -862,6 +869,17 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     (all_literals? exp.target or dir_glob? exp.target)
   end
 
+  # Check if exp is a call to Array#include? on an array literal
+  # that contains all literal values. For example:
+  #
+  #    x.in? [1, 2, "a"]
+  #
+  def in_array_all_literals? exp
+    call? exp and
+      exp.method == :in? and
+      all_literals? exp.first_arg
+  end
+
   # Check if exp is a call to Hash#include? on a hash literal
   # that contains all literal values. For example:
   #
@@ -915,28 +933,30 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         scope do
           @branch_env = env.current
           branch_index = 2 + i # s(:if, condition, then_branch, else_branch)
-          if i == 0 and hash_or_array_include_all_literals? condition
+         exp[branch_index] = if i == 0 and hash_or_array_include_all_literals? condition
             # If the condition is ["a", "b"].include? x
-            # set x to "a" inside the true branch
+            # set x to safe_literal inside the true branch
             var = condition.first_arg
-            previous_value = env.current[var]
-            env.current[var] = safe_literal(var.line)
-            exp[branch_index] = process_if_branch branch
-            env.current[var] = previous_value
+            value = safe_literal(var.line)
+            process_branch_with_value(var, value, branch, i)
+          elsif i == 0 and in_array_all_literals? condition
+            # If the condition is x.in? ["a", "b"]
+            # set x to safe_literal inside the true branch
+            var = condition.target
+            value = safe_literal(var.line)
+            process_branch_with_value(var, value, branch, i)
           elsif i == 0 and equality_check? condition
             # For conditions like a == b,
             # set a to b inside the true branch
             var = condition.target
-            previous_value = env.current[var]
-            env.current[var] = condition.first_arg
-            exp[branch_index] = process_if_branch branch
-            env.current[var] = previous_value
+            value = condition.first_arg
+            process_branch_with_value(var, value, branch, i)
           elsif i == 1 and hash_or_array_include_all_literals? condition and early_return? branch
             var = condition.first_arg
             env.current[var] = safe_literal(var.line)
-            exp[branch_index] = process_if_branch branch
+            process_if_branch branch
           else
-            exp[branch_index] = process_if_branch branch
+            process_if_branch branch
           end
           branch_scopes << env.current
           @branch_env = nil
@@ -953,6 +973,14 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     exp
   end
 
+  def process_branch_with_value var, value, branch, branch_index
+    previous_value = env.current[var]
+    env.current[var] = value
+    result = process_if_branch branch
+    env.current[var] = previous_value
+    result
+  end
+
   def early_return? exp
     return true if node_type? exp, :return
     return true if call? exp and [:fail, :raise].include? exp.method
@@ -1016,11 +1044,14 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     exp.each_sexp do |e|
       if node_type? e, :when
         scope do
-          @branch_env = env.current
-
           # Process the when value for matching
           process_default e[1]
 
+          # Moved here to avoid @branch_env being cleared out
+          # in process_default
+          # Maybe in the future don't set it to nil?
+          @branch_env = env.current
+
           # set value of case var if possible
           if case_value
             if simple_when? e

data/lib/brakeman/processors/gem_processor.rb

@@ -56,7 +56,7 @@ class Brakeman::GemProcessor < Brakeman::BasicProcessor
       elsif exp.method == :ruby
         version = exp.first_arg
         if string? version
-          @tracker.config.set_ruby_version version.value
+          @tracker.config.set_ruby_version version.value, @gemfile, exp.line
         end
       end
     elsif @inside_gemspec and exp.method == :add_dependency
@@ -97,7 +97,7 @@ class Brakeman::GemProcessor < Brakeman::BasicProcessor
     if line =~ @gem_name_version
       @tracker.config.add_gem $1, $2, file, line_num
     elsif line =~ @ruby_version
-      @tracker.config.set_ruby_version $1
+      @tracker.config.set_ruby_version $1, file, line_num
     end
   end
 end

data/lib/brakeman/rescanner.rb

@@ -6,7 +6,7 @@ require 'brakeman/differ'
 class Brakeman::Rescanner < Brakeman::Scanner
  include Brakeman::Util
   KNOWN_TEMPLATE_EXTENSIONS = Brakeman::TemplateParser::KNOWN_TEMPLATE_EXTENSIONS
-  SCAN_ORDER = [:config, :gemfile, :initializer, :lib, :routes, :template,
+  SCAN_ORDER = [:gemfile, :config, :initializer, :lib, :routes, :template,
     :model, :controller]
 
   #Create new Rescanner to scan changed files
@@ -332,6 +332,8 @@ class Brakeman::Rescanner < Brakeman::Scanner
       :routes
     when /\/config\/.+\.(rb|yml)/
       :config
+    when /\.ruby-version/
+      :config
     when /Gemfile|gems\./
       :gemfile
     else

data/lib/brakeman/scanner.rb

@@ -138,7 +138,7 @@ class Brakeman::Scanner
 
     if @app_tree.exists? ".ruby-version"
       if version = @app_tree.file_path(".ruby-version").read[/(\d\.\d.\d+)/]
-        tracker.config.set_ruby_version version
+        tracker.config.set_ruby_version version, @app_tree.file_path(".ruby-version"), 1
       end
     end
 

data/lib/brakeman/tracker/config.rb

@@ -129,8 +129,9 @@ module Brakeman
       @rails_version
     end
 
-    def set_ruby_version version
+    def set_ruby_version version, file, line
       @ruby_version = extract_version(version)
+      add_gem :ruby, @ruby_version, file, line
     end
 
     def extract_version version
@@ -230,6 +231,46 @@ module Brakeman
         set_rails_config(value: true_value, path: [:active_storage, :replace_on_assign_to_many])
         set_rails_config(value: true_value, path: [:active_record, :collection_cache_versioning])
       end
+
+      if version >= 6.1
+        set_rails_config(value: true_value, path: [:action_controller, :urlsafe_csrf_tokens])
+        set_rails_config(value: Sexp.new(:lit, :lax), path: [:action_dispatch, :cookies_same_site_protection])
+        set_rails_config(value: Sexp.new(:lit, 308), path: [:action_dispatch, :ssl_default_redirect_status])
+        set_rails_config(value: false_value, path: [:action_view, :form_with_generates_remote_forms])
+        set_rails_config(value: true_value, path: [:action_view, :preload_links_header])
+        set_rails_config(value: Sexp.new(:lit, 0.15), path: [:active_job, :retry_jitter])
+        set_rails_config(value: true_value, path: [:active_record, :has_many_inversing])
+        set_rails_config(value: false_value, path: [:active_record, :legacy_connection_handling])
+        set_rails_config(value: true_value, path: [:active_storage, :track_variants])
+      end
+
+      if version >= 7.0
+        video_args =
+          Sexp.new(:str, "-vf 'select=eq(n\\,0)+eq(key\\,1)+gt(scene\\,0.015),loop=loop=-1:size=2,trim=start_frame=1' -frames:v 1 -f image2")
+        hash_class = s(:colon2, s(:colon2, s(:const, :OpenSSL), :Digest), :SHA256)
+
+        set_rails_config(value: true_value, path: [:action_controller, :raise_on_open_redirects])
+        set_rails_config(value: true_value, path: [:action_controller, :wrap_parameters_by_default])
+        set_rails_config(value: Sexp.new(:lit, :json), path: [:action_dispatch, :cookies_serializer])
+        set_rails_config(value: false_value, path: [:action_dispatch, :return_only_request_media_type_on_content_type])
+        set_rails_config(value: Sexp.new(:lit, 5), path: [:action_mailer, :smtp_timeout])
+        set_rails_config(value: false_value, path: [:action_view, :apply_stylesheet_media_default])
+        set_rails_config(value: true_value, path: [:ction_view, :button_to_generates_button_tag])
+        set_rails_config(value: true_value, path: [:active_record, :automatic_scope_inversing])
+        set_rails_config(value: false_value, path: [:active_record, :partial_inserts])
+        set_rails_config(value: true_value, path: [:active_record, :verify_foreign_keys_for_fixtures])
+        set_rails_config(value: true_value, path: [:active_storage, :multiple_file_field_include_hidden])
+        set_rails_config(value: Sexp.new(:lit, :vips), path: [:active_storage, :variant_processor])
+        set_rails_config(value: video_args, path: [:active_storage, :video_preview_arguments])
+        set_rails_config(value: Sexp.new(:lit, 7.0), path: [:active_support, :cache_format_version])
+        set_rails_config(value: true_value, path: [:active_support, :disable_to_s_conversion])
+        set_rails_config(value: true_value, path: [:active_support, :executor_around_test_case])
+        set_rails_config(value: hash_class, path: [:active_support, :hash_digest_class])
+        set_rails_config(value: Sexp.new(:lit, :thread), path: [:active_support, :isolation_level])
+        set_rails_config(value: hash_class, path: [:active_support, :key_generator_hash_digest_class])
+        set_rails_config(value: true_value, path: [:active_support, :remove_deprecated_time_with_zone_name])
+        set_rails_config(value: true_value, path: [:active_support, :use_rfc4122_namespaced_uuids])
+      end
     end
   end
 end

data/lib/brakeman/tracker.rb

@@ -371,7 +371,7 @@ class Brakeman::Tracker
       end
     end
 
-    @models.delete model_name
+    @models.delete(model_name)
   end
 
   #Clear information related to model

data/lib/brakeman/util.rb

@@ -265,15 +265,31 @@ module Brakeman::Util
     false
   end
 
-  def request_env? exp
-    call? exp and (exp == REQUEST_ENV or exp[1] == REQUEST_ENV)
+  # Only return true when accessing request headers via request.env[...]
+  def request_headers? exp
+    return unless sexp? exp
+
+    if exp[1] == REQUEST_ENV
+      if exp.method == :[]
+        if string? exp.first_arg
+          # Only care about HTTP headers, which are prefixed by 'HTTP_'
+          exp.first_arg.value.start_with?('HTTP_'.freeze)
+        else
+          true # request.env[something]
+        end
+      else
+        false # request.env.something
+      end
+    else
+      false
+    end
   end
 
-  #Check if exp is params, cookies, or request_env
+  #Check if exp is params, cookies, or request_headers
   def request_value? exp
     params? exp or
     cookies? exp or
-    request_env? exp
+    request_headers? exp
   end
 
   def constant? exp

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "5.4.0"
+  Version = "5.4.1"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 5.4.0
+  version: 5.4.1
 platform: ruby
 authors:
 - Justin Collins
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-11-18 00:00:00.000000000 Z
+date: 2023-02-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -450,7 +450,7 @@ metadata:
   mailing_list_uri: https://gitter.im/presidentbeef/brakeman
   source_code_uri: https://github.com/presidentbeef/brakeman
   wiki_uri: https://github.com/presidentbeef/brakeman/wiki
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -465,8 +465,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
-signing_key: 
+rubygems_version: 3.3.3
+signing_key:
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.
 test_files: []