brakeman-lib 3.3.2 → 3.3.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 247e1f6cbd985e4c43a49652500d38319984d212
-  data.tar.gz: bb49ccd6dce05cab284eca01935d2368a7c976e3
+  metadata.gz: e4f086cc0f5c5aa7d689faf4145c49801f21457f
+  data.tar.gz: 6ab7f7fed14040fc66d6973b70147b25cf48f959
 SHA512:
-  metadata.gz: f213baa263336bc6589ae552d87d10fb498abefc4b1921b6a3056abd80716910a61a1c5cedae8c2ec5317f1bcb8fb391cc9832cd6ffbfe014d3dcd4de3bb00c6
-  data.tar.gz: 9b8b4242889b5c03f59c0dec5a21e98bef3dcbdfe3a05cf8f5ac8ae1a9c826f60418cc1b5b9ab3c5c823be3c616da9922fa4511a64a4b48bf149c1917114a418
+  metadata.gz: e08d73e3e686eb091e925d425fd16426b10784cffc6bcc67135c296c60e6c02cdcdedde92ba536846dc4d01182d9c8071cc64b8f57c7615e671d8062d5fae901
+  data.tar.gz: b92eed67245b493cfc3bab3f11068bc97983784dea1cc4b0616a0c833d5121015547e513ea9f51fa177693a75ccf0c2180fb1c2d0ec5c78e76dd7646a2fe426d

data/CHANGES

@@ -1,3 +1,16 @@
+# 3.3.3
+
+* Show path when no Rails app found (Neil Matatall)
+* Index calls in view helpers
+* Process inline template renders
+* Avoid warning about hashes in link_to hrefs
+* Add documentation for authentication category
+* Ignore boolean methods in render paths
+* Reduce open redirect duplicates
+* Fix SymbolDoS error with unknown Rails version
+* Sexp#value returns nil when there is no value
+* Improve return value estimation
+
 # 3.3.2
 
 * Fix serious performance regression with global constant tracking

data/lib/brakeman/app_tree.rb

@@ -106,11 +106,16 @@ module Brakeman
 
     def lib_paths
       @lib_files ||= find_paths("lib").reject { |path| path.include? "/generators/" or path.include? "lib/tasks/" } +
-                     find_additional_lib_paths
+                     find_additional_lib_paths +
+                     find_helper_paths
     end
 
   private
 
+    def find_helper_paths
+      find_paths "app/helpers"
+    end
+
     def find_additional_lib_paths
       @additional_libs_path.collect{ |path| find_paths path }.flatten
     end

data/lib/brakeman/checks/base_check.rb

@@ -131,6 +131,10 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       @comparison_ops.include? meth
   end
 
+  def boolean_method? method
+    method[-1] == "?"
+  end
+
   #Report a warning
   def warn options
     extra_opts = { :check => self.class.to_s }
@@ -233,6 +237,12 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     @mass_assign_disabled
   end
 
+  def original? result
+    return false if result[:call].original_line or duplicate? result
+    add_result result
+    true
+  end
+
   #This is to avoid reporting duplicates. Checks if the result has been
   #reported already from the same line number.
   def duplicate? result, location = nil

data/lib/brakeman/checks/check_create_with.rb

@@ -26,8 +26,7 @@ class Brakeman::CheckCreateWith < Brakeman::BaseCheck
   end
 
   def process_result result
-    return if duplicate? result
-    add_result result
+    return unless original? result
     arg = result[:call].first_arg
 
     confidence = danger_level arg

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -378,8 +378,4 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
   def safe_input_attribute? target, method
     target and always_safe_method? method
   end
-
-  def boolean_method? method
-    method.to_s.end_with? "?"
-  end
 end

data/lib/brakeman/checks/check_deserialize.rb

@@ -30,8 +30,7 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
   end
 
   def check_deserialize result, target, arg = nil
-    return if duplicate? result
-    add_result result
+    return unless original? result
 
     arg ||= result[:call].first_arg
     method = result[:call].method

data/lib/brakeman/checks/check_dynamic_finders.rb

@@ -15,8 +15,7 @@ class Brakeman::CheckDynamicFinders < Brakeman::BaseCheck
   end
 
   def process_result result
-    return if duplicate? result or result[:call].original_line
-    add_result result
+    return unless original? result
 
     call = result[:call]
 

data/lib/brakeman/checks/check_evaluation.rb

@@ -20,8 +20,7 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
 
   #Warns if eval includes user input
   def process_result result
-    return if duplicate? result or result[:call].original_line
-    add_result result
+    return unless original? result
 
     if input = include_user_input?(result[:call].arglist)
       warn :result => result,

data/lib/brakeman/checks/check_execute.rb

@@ -53,8 +53,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
       failure = include_user_input?(args) || dangerous_interp?(args)
     end
 
-    if failure and not duplicate? result
-      add_result result
+    if failure and original? result
 
       if failure.type == :interp #Not from user input
         confidence = CONFIDENCE[:med]
@@ -107,9 +106,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
 
   #Processes backticks.
   def process_backticks result
-    return if duplicate? result
-
-    add_result result
+    return unless original? result
 
     exp = result[:call]
 

data/lib/brakeman/checks/check_file_access.rb

@@ -27,8 +27,7 @@ class Brakeman::CheckFileAccess < Brakeman::BaseCheck
   end
 
   def process_result result
-    return if duplicate? result
-    add_result result
+    return unless original? result
     call = result[:call]
     file_name = call.first_arg
 

data/lib/brakeman/checks/check_link_to_href.rb

@@ -17,7 +17,7 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
                            :hidden_field, :hidden_field_tag, :image_tag, :label,
                            :mail_to, :polymorphic_url, :radio_button, :select, :slice,
                            :submit_tag, :text_area, :text_field,
-                           :text_field_tag, :url_encode, :u, :url_for,
+                           :text_field_tag, :url_encode, :u,
                            :will_paginate].merge(tracker.options[:url_safe_methods] || [])
 
     @models = tracker.models.keys
@@ -36,6 +36,10 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
     @matched = false
     url_arg = process call.second_arg
 
+    if call? url_arg and url_arg.method == :url_for
+      url_arg = url_arg.first_arg
+    end
+
     #Ignore situations where the href is an interpolated string
     #with something before the user input
     return if string_interp?(url_arg) && !url_arg[1].chomp.empty?
@@ -45,7 +49,7 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
     if input = has_immediate_user_input?(url_arg)
       message = "Unsafe #{friendly_type_of input} in link_to href"
 
-      unless duplicate? result
+      unless duplicate? result or call_on_params? url_arg
         add_result result
         warn :result => result,
           :warning_type => "Cross Site Scripting", 
@@ -74,7 +78,7 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
     elsif @matched
       if @matched.type == :model and not tracker.options[:ignore_model_output]
         message = "Unsafe model attribute in link_to href"
-      elsif @matched.type == :params
+      elsif @matched.type == :params and not call_on_params? @matched.match
         message = "Unsafe parameter value in link_to href"
       end
 
@@ -112,4 +116,10 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
     MODEL_METHODS.include? exp.method or
       exp.method.to_s =~ /^find_by_/
   end
+
+  def call_on_params? exp
+    call? exp and
+    params? exp.target and
+    exp.method != :[]
+  end
 end

data/lib/brakeman/checks/check_mass_assignment.rb

@@ -65,8 +65,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
 
     check = check_call call
 
-    if check and not call.original_line and not duplicate? res
-      add_result res
+    if check and original? res
 
       model = tracker.models[res[:chain].first]
 
@@ -180,8 +179,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
   end
 
   def warn_on_permit! result
-    return if duplicate? result or result[:call].original_line
-    add_result result
+    return unless original? result
 
     confidence = if subsequent_mass_assignment? result
                    CONFIDENCE[:high]

data/lib/brakeman/checks/check_redirect.rb

@@ -29,10 +29,9 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
   end
 
   def process_result result
-    return if duplicate? result
+    return unless original? result
 
     call = result[:call]
-
     method = call.method
 
     if method == :redirect_to and
@@ -41,8 +40,6 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
         not slice_call?(call.first_arg) and
         res = include_user_input?(call)
 
-      add_result result
-
       if res.type == :immediate
         confidence = CONFIDENCE[:high]
       else

data/lib/brakeman/checks/check_regex_dos.rb

@@ -26,8 +26,7 @@ class Brakeman::CheckRegexDoS < Brakeman::BaseCheck
 
   #Warns if regex includes user input
   def process_result result
-    return if duplicate? result or result[:call].original_line
-    add_result result
+    return unless original? result
 
     call = result[:call]
     components = call[1..-1]

data/lib/brakeman/checks/check_render.rb

@@ -32,8 +32,7 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
   def check_for_dynamic_path result
     view = result[:call][2]
 
-    if sexp? view and not duplicate? result
-      add_result result
+    if sexp? view and original? result
 
       if input = has_immediate_user_input?(view)
         if string_interp? view
@@ -84,9 +83,15 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
   end
 
   def safe_param? exp
-    if params? exp and call? exp and exp.method == :[]
-      arg = exp.first_arg
-      symbol? arg and [:controller, :action].include? arg.value
+    if params? exp and call? exp
+      method_name = exp.method
+
+      if method_name == :[]
+        arg = exp.first_arg
+        symbol? arg and [:controller, :action].include? arg.value
+      else
+        boolean_method? method_name
+      end
     end
   end
 end 

data/lib/brakeman/checks/check_render_inline.rb

@@ -12,8 +12,7 @@ class Brakeman::CheckRenderInline < Brakeman::CheckCrossSiteScripting
   end
 
   def check_render result
-    return if duplicate? result
-    add_result result
+    return unless original? result
 
     call = result[:call]
 

data/lib/brakeman/checks/check_select_tag.rb

@@ -34,8 +34,7 @@ class Brakeman::CheckSelectTag < Brakeman::BaseCheck
 
   #Check if select_tag is called with user input in :prompt option
   def process_result result
-    return if duplicate? result
-    add_result result
+    return unless original? result
 
     #Only concerned if user input is supplied for :prompt option
     last_arg = result[:call].last_arg

data/lib/brakeman/checks/check_send.rb

@@ -17,8 +17,7 @@ class Brakeman::CheckSend < Brakeman::BaseCheck
   end
 
   def process_result result
-    return if duplicate? result or result[:call].original_line
-    add_result result
+    return unless original? result
 
     send_call = get_send result[:call]
     process_call_args send_call

data/lib/brakeman/checks/check_session_manipulation.rb

@@ -12,8 +12,7 @@ class Brakeman::CheckSessionManipulation < Brakeman::BaseCheck
   end
 
   def process_result result
-    return if duplicate? result or result[:call].original_line
-    add_result result
+    return unless original? result
 
     index = result[:call].first_arg
 

data/lib/brakeman/checks/check_simple_format.rb

@@ -43,8 +43,7 @@ class Brakeman::CheckSimpleFormat < Brakeman::CheckCrossSiteScripting
   end
 
   def warn_on_simple_format result, match
-    return if duplicate? result
-    add_result result
+    return unless original? result
 
     @found_any = true
 

data/lib/brakeman/checks/check_ssl_verify.rb

@@ -37,8 +37,7 @@ class Brakeman::CheckSSLVerify < Brakeman::BaseCheck
   end
 
   def warn_about_ssl_verification_bypass result
-    return if duplicate?(result)
-    add_result result
+    return unless original? result
 
     warn :result => result,
       :warning_type => "SSL Verification Bypass",

data/lib/brakeman/checks/check_symbol_dos.rb

@@ -8,7 +8,7 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
   @description = "Checks for symbol denial of service"
 
   def run_check
-    return if rails_version > "5.0.0"
+    return if rails_version and rails_version > "5.0.0"
 
     tracker.find_call(:methods => UNSAFE_METHODS, :nested => true).each do |result|
       check_unsafe_symbol_creation(result)
@@ -16,9 +16,7 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
   end
 
   def check_unsafe_symbol_creation result
-    return if duplicate? result or result[:call].original_line
-
-    add_result result
+    return unless original? result
 
     call = result[:call]
 

data/lib/brakeman/checks/check_unsafe_reflection.rb

@@ -18,8 +18,7 @@ class Brakeman::CheckUnsafeReflection < Brakeman::BaseCheck
   end
 
   def check_unsafe_reflection result
-    return if duplicate? result or result[:call].original_line
-    add_result result
+    return unless original? result
 
     call = result[:call] 
     method = call.method

data/lib/brakeman/checks/check_weak_hash.rb

@@ -22,8 +22,7 @@ class Brakeman::CheckWeakHash < Brakeman::BaseCheck
   end
 
   def process_hash_result result
-    return if duplicate? result
-    add_result result
+    return unless original? result
 
     input = nil
     call = result[:call]
@@ -59,8 +58,7 @@ class Brakeman::CheckWeakHash < Brakeman::BaseCheck
   end
 
   def process_hmac_result result
-    return if duplicate? result
-    add_result result
+    return unless original? result
 
     call = result[:call]
 
@@ -81,8 +79,7 @@ class Brakeman::CheckWeakHash < Brakeman::BaseCheck
   end
 
   def process_openssl_result result
-    return if duplicate? result
-    add_result result
+    return unless original? result
 
     arg = result[:call].first_arg
 

data/lib/brakeman/parsers/template_parser.rb

@@ -85,5 +85,14 @@ module Brakeman
       Slim::Template.new(:disable_capture => true,
                          :generator => Temple::Generators::RailsOutputBuffer) { text }.precompiled_template
     end
+
+    def self.parse_inline_erb tracker, text
+      fp = Brakeman::FileParser.new(nil, nil)
+      tp = self.new(tracker, fp)
+      src = tp.parse_erb text
+      type = tp.erubis? ? :erubis : :erb
+
+      return type, fp.parse_ruby(src, "_inline_")
+    end
   end
 end

data/lib/brakeman/processors/base_processor.rb

@@ -272,6 +272,31 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
 
     type ||= :default
     value ||= :default
+
+    if type == :inline and string? value and not hash_access(rest, :type)
+      value, rest = make_inline_render(value, rest)
+    end
+
     return type, value, rest
   end
+
+  def make_inline_render value, options
+    require 'brakeman/parsers/template_parser'
+
+    class_or_module = (@current_class || @current_module)
+
+    class_or_module = if class_or_module.nil?
+                        "Unknown"
+                      else
+                        class_or_module.name
+                      end
+
+    template_name = "#@current_method/inline@#{value.line}:#{class_or_module}".to_sym
+    type, ast = Brakeman::TemplateParser.parse_inline_erb(@tracker, value.value)
+    ast = ast.deep_clone(value.line)
+    @tracker.processor.process_template(template_name, ast, type, nil, @file_name)
+    @tracker.processor.process_template_alias(@tracker.templates[template_name])
+
+    return s(:lit, template_name), options
+  end
 end