brakeman-lib 3.4.1 → 3.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 41a53603e2fa56ad3a6fd895b93db05b1e532503
-  data.tar.gz: ec97788b6b989dd66c7dcc4698a86ec143a34eeb
+  metadata.gz: fee8845f90b3f881eea2126cf21818bc5ec0a01b
+  data.tar.gz: 6d04dfa38599476644b42dfd4037f0b033ca3f3f
 SHA512:
-  metadata.gz: ec25a806ebdb9aa3ad8842020a12a5b9b1e7c581b9bf4ead664ceeec9b2a00d6c63ffa71ad955e105660b8a39cb4a0db3ddf38a716ce3d7303438a2b5ee78076
-  data.tar.gz: d55e00d236e989175bace2779b3bf94390ec189542911ed408a73e07146076699d72ad6e2d1e3f560532e8cb43e10391a262a1900c302e8d7c52941d9d6121d3
+  metadata.gz: b83dd03f8fb44b7fe43178e65dcb4e0e2e72da8eb1a7e336ec65dc5f7ac1d03fde5f7dd1f32bb1057de1d4f49992b10b21f8a11937cdd2adca18e2ff5e7bc840
+  data.tar.gz: a17dee450fdd91d5e4332692c04ac3a4436c53a859682b31bf6c4279694fec921656132f6977cbf1ced8bafe96056cf5881f63699e2475dd2e4ff0c6d1424851

data/CHANGES

@@ -1,3 +1,18 @@
+# 3.5.0
+
+* Allow `-t None`
+* Fail on invalid checks specified by `-x` or `-t`
+* Avoid warning about all, first, or last after Rails 4.0
+* Avoid warning about models in SQLi
+* Lower confidence of SQLi when maybe not on models
+* Warn about SQLi even potentially on non-models
+* Report check name in JSON and plain reports
+* Treat templates without `.html` as HTML anyway
+* Add `--ensure-latest` option (tamgrosser / Michael Grosser)
+* Add `--no-summary` to hide summaries in HTML/text reports
+* Handle `included` block in concerns
+* Process concerns before controllers
+
 # 3.4.1
 
 * Show action help at start of interactive ignore

data/README.md

@@ -36,7 +36,9 @@ Outside of Rails root:
 
 # Compatibility
 
-Brakeman works with Rails 2.x, 3.x, and 4.x.
+Brakeman should work with any version of Rails from 2.3.x to 5.x.
+
+Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 1.9.3 to run.
 
 # Basic Options
 
@@ -101,7 +103,7 @@ To create and manage this file, use:
 
 # Warning information
 
-See [WARNING\_TYPES](WARNING_TYPES) for more information on the warnings reported by this tool.
+See [warning\_types](docs/warning_types) for more information on the warnings reported by this tool.
 
 # Warning context
 

data/bin/brakeman

@@ -57,6 +57,13 @@ if options[:quiet].nil?
 end
 
 begin
+  if options[:ensure_latest]
+    if error = Brakeman.ensure_latest
+      warn error
+      exit Brakeman::Not_Latest_Version_Exit_Code
+    end
+  end
+
   if options[:previous_results_json]
     require 'json'
     vulns = Brakeman.compare options.merge(:quiet => options[:quiet])
@@ -84,6 +91,9 @@ begin
     end
   end
 rescue Brakeman::NoApplication => e
-  $stderr.puts e.message
+  warn e.message
   exit Brakeman::No_App_Found_Exit_Code
+rescue Brakeman::MissingChecksError => e
+  warn e.message
+  exit Brakeman::Missing_Checks_Exit_Code
 end

data/lib/brakeman.rb

@@ -9,6 +9,12 @@ module Brakeman
   #Exit code returned when no Rails application is detected
   No_App_Found_Exit_Code = 4
 
+  #Exit code returned when brakeman was outdated
+  Not_Latest_Version_Exit_Code = 5
+
+  #Exit code returned when user requests non-existent checks
+  Missing_Checks_Exit_Code = 6
+
   @debug = false
   @quiet = false
   @loaded_dependencies = []
@@ -48,8 +54,7 @@ module Brakeman
   #  * :skip_libs - do not process lib/ directory (default: false)
   #  * :skip_checks - checks not to run (run all if not specified)
   #  * :absolute_paths - show absolute path of each file (default: false)
-  #  * :summary_only - only output summary section of report
-  #                    (does not apply to tabs format)
+  #  * :summary_only - only output summary section of report for plain/table (:summary_only, :no_summary, true)
   #
   #Alternatively, just supply a path as a string.
   def self.run options
@@ -324,6 +329,14 @@ module Brakeman
     end
   end
 
+  def self.ensure_latest
+    current = Brakeman::Version
+    latest = Gem.latest_version_for('brakeman').to_s
+    if current != latest
+      "Brakeman #{current} is not the latest version #{latest}"
+    end
+  end
+
   #Run a scan. Generally called from Brakeman.run instead of directly.
   def self.scan options
     #Load scanner
@@ -341,6 +354,8 @@ module Brakeman
     scanner = Scanner.new options
     tracker = scanner.tracker
 
+    check_for_missing_checks options[:run_checks], options[:skip_checks]
+
     notify "Processing application in #{tracker.app_path}"
     scanner.process
 
@@ -506,8 +521,17 @@ module Brakeman
     end if options[:additional_checks_path]
   end
 
+  def self.check_for_missing_checks included_checks, excluded_checks
+    missing = Brakeman::Checks.missing_checks(included_checks || Set.new, excluded_checks || Set.new)
+
+    unless missing.empty?
+      raise MissingChecksError, "Could not find specified check#{missing.length > 1 ? 's' : ''}: #{missing.to_a.join(', ')}"
+    end
+  end
+
   class DependencyError < RuntimeError; end
   class RakeInstallError < RuntimeError; end
   class NoBrakemanError < RuntimeError; end
   class NoApplication < RuntimeError; end
+  class MissingChecksError < RuntimeError; end
 end

data/lib/brakeman/app_tree.rb

@@ -89,19 +89,20 @@ module Brakeman
     end
 
     def initializer_paths
-      @initializer_paths ||= find_paths("config/initializers")
+      @initializer_paths ||= prioritize_concerns(find_paths("config/initializers"))
     end
 
     def controller_paths
-      @controller_paths ||= find_paths("app/**/controllers")
+      @controller_paths ||= prioritize_concerns(find_paths("app/**/controllers"))
     end
 
     def model_paths
-      @model_paths ||= find_paths("app/**/models")
+      @model_paths ||= prioritize_concerns(find_paths("app/**/models"))
     end
 
     def template_paths
-      @template_paths ||= find_paths("app/**/views", "*.{#{VIEW_EXTENSIONS}}")
+      @template_paths ||= find_paths("app/**/views", "*.{#{VIEW_EXTENSIONS}}") +
+                          find_paths("app/**/views", "*.{erb,haml,slim}").reject { |path| File.basename(path).count(".") > 1 }
     end
 
     def layout_exists?(name)
@@ -177,5 +178,9 @@ module Brakeman
       rel_engines = (rel + [""]).join("/,")
       @root_search_patrern = "{#{roots}}/{#{rel_engines}}"
     end
+
+    def prioritize_concerns paths
+      paths.partition { |path| path.include? "concerns" }.flatten
+    end
   end
 end

data/lib/brakeman/checks.rb

@@ -37,6 +37,24 @@ class Brakeman::Checks
     end
   end
 
+  def self.missing_checks included_checks, excluded_checks
+    included_checks = included_checks.map(&:to_s).to_set
+    excluded_checks = excluded_checks.map(&:to_s).to_set
+
+    if included_checks == Set['CheckNone']
+      return []
+    else
+      loaded = self.checks.map { |name| name.to_s.gsub('Brakeman::', '') }.to_set
+      missing = (included_checks - loaded) + (excluded_checks - loaded)
+
+      unless missing.empty?
+        return missing
+      end
+    end
+
+    []
+  end
+
   #No need to use this directly.
   def initialize options = { }
     if options[:min_confidence]

data/lib/brakeman/checks/check_sql.rb

@@ -14,11 +14,21 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   @description = "Check for SQL injection"
 
   def run_check
-    @sql_targets = [:all, :average, :calculate, :count, :count_by_sql, :exists?, :delete_all, :destroy_all,
-      :find, :find_by_sql, :first, :last, :maximum, :minimum, :pluck, :sum, :update_all]
-    @sql_targets.concat [:from, :group, :having, :joins, :lock, :order, :reorder, :select, :where] if tracker.options[:rails3]
+    narrow_targets = [:exists?, :select]
+
+    @sql_targets = [:average, :calculate, :count, :count_by_sql, :delete_all, :destroy_all,
+                    :find_by_sql, :maximum, :minimum, :pluck, :sum, :update_all]
+    @sql_targets.concat [:from, :group, :having, :joins, :lock, :order, :reorder, :where] if tracker.options[:rails3]
     @sql_targets << :find_by << :find_by! if tracker.options[:rails4]
 
+    if version_between?("2.0.0", "3.9.9") or tracker.config.rails_version.nil?
+      @sql_targets << :first << :last << :all
+    end
+
+    if version_between?("2.0.0", "4.0.99") or tracker.config.rails_version.nil?
+      @sql_targets << :find
+    end
+
     @connection_calls = [:delete, :execute, :insert, :select_all, :select_one,
       :select_rows, :select_value, :select_values]
 
@@ -28,10 +38,12 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       @connection_calls.concat [:add_limit!, :add_offset_limit!, :add_lock!]
     end
 
+    @expected_targets = active_record_models.keys + [:connection, :"ActiveRecord::Base"]
+
     Brakeman.debug "Finding possible SQL calls on models"
-    calls = tracker.find_call :targets => active_record_models.keys,
-      :methods => @sql_targets,
-      :chained => true
+    calls = tracker.find_call(:methods => @sql_targets, :nested => true)
+
+    calls.concat tracker.find_call(:targets => active_record_models.keys, :methods => narrow_targets, :chained => true)
 
     Brakeman.debug "Finding possible SQL calls with no target"
     calls.concat tracker.find_call(:target => nil, :methods => @sql_targets)
@@ -39,8 +51,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     Brakeman.debug "Finding possible SQL calls using constantized()"
     calls.concat tracker.find_call(:methods => @sql_targets).select { |result| constantize_call? result }
 
-    connect_targets = active_record_models.keys + [:connection, :"ActiveRecord::Base"]
-    calls.concat tracker.find_call(:targets => connect_targets, :methods => @connection_calls, :chained => true).select { |result| connect_call? result }
+    calls.concat tracker.find_call(:targets => @expected_targets, :methods => @connection_calls, :chained => true).select { |result| connect_call? result }
 
     Brakeman.debug "Finding calls to named_scope or scope"
     calls.concat find_scope_calls
@@ -203,6 +214,17 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
         user_input = dangerous_value
       end
 
+      if result[:call].target and result[:chain] and not @expected_targets.include? result[:chain].first
+        confidence = case confidence
+                     when CONFIDENCE[:high]
+                       CONFIDENCE[:med]
+                     when CONFIDENCE[:med]
+                       CONFIDENCE[:low]
+                     else
+                       confidence
+                     end
+      end
+
       warn :result => result,
         :warning_type => "SQL Injection",
         :warning_code => :sql_injection,
@@ -429,7 +451,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       unsafe_sql? exp.then_clause or unsafe_sql? exp.else_clause
     when :call
       unless IGNORE_METHODS_IN_SQL.include? exp.method
-        if has_immediate_user_input? exp or has_immediate_model? exp
+        if has_immediate_user_input? exp
           exp
         elsif exp.method == :to_s
           find_dangerous_value exp.target, ignore_hash
@@ -446,7 +468,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     when :block, :rlist
       unsafe_sql? exp.last
     else
-      if has_immediate_user_input? exp or has_immediate_model? exp
+      if has_immediate_user_input? exp
         exp
       else
         nil

data/lib/brakeman/options.rb

@@ -43,6 +43,10 @@ module Brakeman::Options
           options[:exit_on_warn] = exit_on_warn
         end
 
+        opts.on "--ensure-latest", "Fail when Brakeman is outdated" do
+          options[:ensure_latest] = true
+        end
+
         opts.on "-3", "--rails3", "Force Rails 3 mode" do
           options[:rails3] = true
         end
@@ -229,8 +233,12 @@ module Brakeman::Options
           options[:collapse_mass_assignment] = !separate
         end
 
-        opts.on "--summary", "Only output summary of warnings" do
-          options[:summary_only] = true
+        opts.on "--[no-]summary", "Only output summary of warnings" do |summary_only|
+          if summary_only
+            options[:summary_only] = :summary_only
+          else
+            options[:summary_only] = :no_summary
+          end
         end
 
         opts.on "--absolute-paths", "Output absolute file paths in reports" do
@@ -249,7 +257,7 @@ module Brakeman::Options
           options[:min_confidence] =  3 - level.to_i
         end
 
-        opts.on "--compare FILE", "Compare the results of a previous brakeman scan (only JSON is supported)" do |file|
+        opts.on "--compare FILE", "Compare the results of a previous Brakeman scan (only JSON is supported)" do |file|
           options[:previous_results_json] = File.expand_path(file)
         end
 

data/lib/brakeman/processors/controller_processor.rb

@@ -61,6 +61,16 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     handle_module exp, Brakeman::Controller, parent
   end
 
+  def process_concern concern_name
+    return unless @current_class
+
+    if mod = @tracker.find_class(concern_name)
+      if mod.options[:included]
+        process mod.options[:included].deep_clone
+      end
+    end
+  end
+
   #Look for specific calls inside the controller
   def process_call exp
     return exp if process_call_defn? exp
@@ -89,7 +99,11 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
       else
         case method
         when :include
-          @current_class.add_include class_name(first_arg) if @current_class
+          if @current_class
+            concern = class_name(first_arg)
+            @current_class.add_include concern
+            process_concern concern
+          end
         when :before_filter, :append_before_filter, :before_action, :append_before_action
           if node_type? exp.first_arg, :iter
             add_lambda_filter exp

data/lib/brakeman/processors/library_processor.rb

@@ -51,4 +51,16 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
       process_default exp
     end
   end
+
+  def process_iter exp
+    res = process_default exp
+
+    if node_type? res, :iter and call? exp.block_call # sometimes this changes after processing
+      if exp.block_call.method == :included
+        (@current_module || @current_class).options[:included] = res.block
+      end
+    end
+
+    res
+  end
 end

data/lib/brakeman/report/report_table.rb

@@ -7,13 +7,20 @@ class Brakeman::Report::Table < Brakeman::Report::Base
   end
 
   def generate_report
-    out = text_header <<
-    "\n\n+SUMMARY+\n\n" <<
-    truncate_table(generate_overview.to_s) << "\n\n" <<
-    truncate_table(generate_warning_overview.to_s) << "\n"
+    summary_option = tracker.options[:summary_only]
+    out = ""
+
+    unless summary_option == :no_summary
+      out << text_header <<
+        "\n\n+SUMMARY+\n\n" <<
+        truncate_table(generate_overview.to_s) << "\n\n" <<
+        truncate_table(generate_warning_overview.to_s) << "\n"
+    end
 
     #Return output early if only summarizing
-    return out if tracker.options[:summary_only]
+    if summary_option == :summary_only or summary_option == true
+      return out
+    end
 
     if tracker.options[:report_routes] or tracker.options[:debug]
       out << "\n+CONTROLLERS+\n" <<

data/lib/brakeman/report/report_text.rb

@@ -3,12 +3,18 @@ Brakeman.load_brakeman_dependency 'highline'
 class Brakeman::Report::Text < Brakeman::Report::Base
   def generate_report
     HighLine.use_color = !!tracker.options[:output_color]
+    summary_option = tracker.options[:summary_only]
     @output_string = "\n"
 
-    add_chunk generate_header
-    add_chunk generate_overview
-    add_chunk generate_warning_overview
-    return @output_string if tracker.options[:summary_only]
+    unless summary_option == :no_summary
+      add_chunk generate_header
+      add_chunk generate_overview
+      add_chunk generate_warning_overview
+    end
+
+    if summary_option == :summary_only or summary_option == true
+      return @output_string
+    end
 
     add_chunk generate_controllers if tracker.options[:debug] or tracker.options[:report_routes]
     add_chunk generate_templates if tracker.options[:debug]
@@ -126,6 +132,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
     out = [
       label('Confidence', confidence(w.confidence)),
       label('Category', w.warning_type.to_s),
+      label('Check', w.check.gsub(/^Brakeman::Check/, '')),
       label('Message', w.message)
     ]
 

data/lib/brakeman/tracker.rb

@@ -198,6 +198,16 @@ class Brakeman::Tracker
     @constants.get_literal name unless @options[:disable_constant_tracking]
   end
 
+  def find_class name
+    [@controllers, @models, @libs].each do |collection|
+      if c = collection[name]
+        return c
+      end
+    end
+
+    nil
+  end
+
   def index_call_sites
     finder = Brakeman::FindAllCalls.new self
 

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "3.4.1"
+  Version = "3.5.0"
 end

data/lib/brakeman/warning.rb

@@ -238,6 +238,7 @@ class Brakeman::Warning
     { :warning_type => self.warning_type,
       :warning_code => @warning_code,
       :fingerprint => self.fingerprint,
+      :check_name => self.check.gsub(/^Brakeman::Check/, ''),
       :message => self.message,
       :file => self.file,
       :line => self.line,

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 3.4.1
+  version: 3.5.0
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2016-11-02 00:00:00.000000000 Z
+date: 2017-02-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -181,7 +181,6 @@ files:
 - CHANGES
 - FEATURES
 - README.md
-- WARNING_TYPES
 - bin/brakeman
 - lib/brakeman.rb
 - lib/brakeman/app_tree.rb

data/WARNING_TYPES

@@ -1,95 +0,0 @@
-This file describes the various warning types reported by this tool.
-
-# Attribute Restriction
-
-This warning comes up if a model does not limit what attributes can be set through mass assignment.
-
-In particular, this check looks for `attr_accessible` inside model definitions. If it is not found, this warning will be issued.
-
-Note that disabling mass assignment globally will suppress these warnings.
-
-# Authentication
-
-# Basic Auth
-
-# Command Injection
-
-Request parameters or string interpolation has been detected in a `system` call. This can lead to someone executing arbitrary commands. Use the safe form of `system` instead, which will pass in arguments safely.
-
-See http://guides.rubyonrails.org/security.html#command-line-injection for details.
-
-# Cross Site Scripting
-
-Cross site scripting warnings are raised when a parameter or model attribute is output through a view without being escaped.
-
-See http://guides.rubyonrails.org/security.html#cross-site-scripting-xss for details.
-
-# Cross-Site Request Forgery
-
-No call to `protect_from_forgery` was found in `ApplicationController`. This method prevents CSRF.
-
-See http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf for details.
-
-# Dangerous Eval
-
-# Dangerous Send
-
-# Default Routes
-
-The general default routes warning means there is a call to `map.connect ":controller/:action/:id"` in config/routes.rb. This allows any public method on any controller to be called as an action.
-
-If this warning is reported for a particular controller, it means there is a route to that controller containing `:action`.
-
-Default routes can be dangerous if methods are made public which are not intended to be used as URLs or actions.
-
-# Denial of Service
-
-# Dynamic Render Path
-
-When a call to `render` uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted. The issue may be worse if those templates execute code or modify the database.
-
-This warning is shown whenever the path to be rendered is not a static string or symbol.
-
-# File Access
-
-# Format Validation
-
-Calls to `validates_format_of ..., :with => //` which do not use `\A` and `\z` as anchors will cause this warning. Using `^` and `$` is not sufficient, as `$` will only match up to a new line. This allows an attacker to put whatever malicious input they would like after a new line character.
-
-See http://guides.rubyonrails.org/security.html#regular-expressions for details.
-
-# Information Disclosure
-
-# Mail Link
-
-# Mass Assignment
-
-Mass assignment is a method for initializing models. If the attributes which are set is not restricted, someone may set the attributes to any value they wish.
-
-Mass assignment can be disabled globally.
-
-Please see http://railspikes.com/2008/9/22/is-your-rails-application-safe-from-mass-assignment for more details.
-
-# Nested Attributes
-
-# Redirect
-
-Redirects which rely on user-supplied values can be used to "spoof" websites or hide malicious links in otherwise harmless-looking URLs. They can also allow access to restricted areas of a site if the destination is not validated.
-
-This warning is shown when request parameters are used inside a call to `redirect_to`.
-
-See http://www.owasp.org/index.php/Top_10_2010-A10 for more information.
-
-# Remote Code Execution
-
-# Response Splitting
-
-# Session Setting
-
-# SQL Injection
-
-String interpolation or concatenation has been detected in an SQL query. Use parameterized queries instead.
-
-See http://guides.rubyonrails.org/security.html#sql-injection for details.
-
-# SSL Verification Bypass