brakeman-lib 3.5.0 → 3.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: fee8845f90b3f881eea2126cf21818bc5ec0a01b
-  data.tar.gz: 6d04dfa38599476644b42dfd4037f0b033ca3f3f
+  metadata.gz: 949738b634fa2db8605362f8f0b79da7732be813
+  data.tar.gz: e8e37375e853b53b61e84cdbd36af7cadda5f870
 SHA512:
-  metadata.gz: b83dd03f8fb44b7fe43178e65dcb4e0e2e72da8eb1a7e336ec65dc5f7ac1d03fde5f7dd1f32bb1057de1d4f49992b10b21f8a11937cdd2adca18e2ff5e7bc840
-  data.tar.gz: a17dee450fdd91d5e4332692c04ac3a4436c53a859682b31bf6c4279694fec921656132f6977cbf1ced8bafe96056cf5881f63699e2475dd2e4ff0c6d1424851
+  metadata.gz: b3d4ff2d048f151edbb3df5931b40bcaaaba3630eda5c8cf577f33c80b8de2de6c5d76f45cc57d8cd285d286d281105b9af31a0c0e3f903128209862561bdd9a
+  data.tar.gz: 835a8b52e94c8b287ec0e649ae11104728f3ecd0bddc66bb86e493fc2a779a6d14d883d42e6de4c913d01b330d6c50bddf32d0ca9544d01f0ed1f84720f4a458

data/CHANGES

@@ -1,3 +1,14 @@
+# 3.6.0 
+
+* Avoid recursive Concerns
+* Branch inside of `case` expressions
+* Print command line option errors without modification
+* Fix issue with nested interpolation inside SQL strings
+* Ignore GraphQL tags inside ERB templates
+* Add `--exit-on-error` (Michael Grosser)
+* Only report CVE-2015-3227 when exact version is known
+* Check targetless SQL calls outside of known models
+
 # 3.5.0
 
 * Allow `-t None`
@@ -102,7 +113,7 @@
 * Update ruby_parser dependency to 3.8.1
 * Remove `fastercsv` dependency
 * Fix finding calls with `targets: nil`
-* Remove `multi_json` dependecy
+* Remove `multi_json` dependency
 * Handle CoffeeScript in HAML
 * Avoid render warnings about params[:action]/params[:controller]
 * Index calls in class bodies but outside methods
@@ -118,7 +129,7 @@
 * Add check for mime-type denial of service (CVE-2016-0751)
 * Add check for basic auth timing attack (CVE-2015-7576)
 * Add initial Rails 5 support
-* Check for implict integer comparison in dynamic finders
+* Check for implicit integer comparison in dynamic finders
 * Support directories better in --only-files and --skip-files (Patrick Toomey)
 * Avoid warning about `permit` in SQL
 * Handle guards using `detect`
@@ -235,7 +246,7 @@
 * Remove formatting newlines in HAML template output
 * Ignore case value in XSS checks
 * Fix CSV output when there are no warnings
-* Handle processing of explictly shadowed block arguments
+* Handle processing of explicitly shadowed block arguments
 
 # 3.0.1
 
@@ -285,7 +296,7 @@
 * Add `-4` option to force Rails 4 mode
 * Check entire call for `send`
 * Check for .gitignore of secrets in subdirectories
-* Fix block statment endings in Erubis
+* Fix block statement endings in Erubis
 * Fix undefined variable in controller processing error (Jason Barnabe) 
 
 # 2.6.1

data/bin/brakeman

@@ -10,7 +10,7 @@ require 'brakeman/version'
 begin
   options, parser = Brakeman::Options.parse! ARGV
 rescue OptionParser::ParseError => e
-  $stderr.puts e.message.capitalize
+  $stderr.puts e.message
   $stderr.puts "Please see `brakeman --help` for valid options"
   exit(-1)
 end
@@ -90,6 +90,11 @@ begin
       exit Brakeman::Warnings_Found_Exit_Code
     end
   end
+
+  #Return error code if --exit-on-error is used and errors were found
+  if tracker.options[:exit_on_error] and tracker.errors.any?
+    exit Brakeman::Errors_Found_Exit_Code
+  end
 rescue Brakeman::NoApplication => e
   warn e.message
   exit Brakeman::No_App_Found_Exit_Code

data/lib/brakeman.rb

@@ -15,6 +15,10 @@ module Brakeman
   #Exit code returned when user requests non-existent checks
   Missing_Checks_Exit_Code = 6
 
+  #Exit code returned when errors were found and the --exit-on-error
+  #option is set
+  Errors_Found_Exit_Code = 7
+
   @debug = false
   @quiet = false
   @loaded_dependencies = []

data/lib/brakeman/checks/check_sql.rb

@@ -157,8 +157,6 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   #
   def process_result result
     return if duplicate?(result) or result[:call].original_line
-    return if result[:target].nil? && !active_record_models.include?(result[:location][:class])
-
 
     call = result[:call]
     method = call.method
@@ -596,6 +594,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       safe_value? exp.last
     when :or
       safe_value? exp.lhs and safe_value? exp.rhs
+    when :dstr
+      not unsafe_string_interp? exp
     else
       false
     end

data/lib/brakeman/checks/check_xml_dos.rb

@@ -17,12 +17,6 @@ class Brakeman::CheckXMLDoS < Brakeman::BaseCheck
                     "4.2.2"
                   when version_between?("4.0.0", "4.0.99")
                     "4.2.2"
-                  when (version.nil? and tracker.options[:rails3])
-                    version = "3.x"
-                    "3.2.22"
-                  when (version.nil? and tracker.options[:rails4])
-                    version = "4.x"
-                    "4.2.2"
                   else
                     return
                   end

data/lib/brakeman/options.rb

@@ -43,6 +43,10 @@ module Brakeman::Options
           options[:exit_on_warn] = exit_on_warn
         end
 
+        opts.on "--[no-]exit-on-error", "Exit code is non-zero if errors found" do |exit_on_error|
+          options[:exit_on_error] = exit_on_error
+        end
+
         opts.on "--ensure-latest", "Fail when Brakeman is outdated" do
           options[:ensure_latest] = true
         end

data/lib/brakeman/parsers/rails3_erubis.rb

@@ -71,4 +71,11 @@ class Brakeman::Rails3Erubis < ::Erubis::Eruby
       @newline_pending = 0
     end
   end
+
+  # This is borrowed from graphql's erb plugin:
+  # https://github.com/github/graphql-client/blob/51e76bd8d8b2ac0021d8fef7468b9a294e4bd6e8/lib/graphql/client/erubis.rb#L33-L38
+  def convert_input(src, input)
+    input = input.gsub(/<%graphql/, "<%#")
+    super(src, input)
+  end
 end

data/lib/brakeman/processors/alias_processor.rb

@@ -616,6 +616,75 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     exp
   end
 
+  def simple_when? exp
+    node_type? exp[1], :array and
+      not node_type? exp[1][1], :splat, :array and
+      (exp[1].length == 2 or
+       exp[1].all? { |e| e.is_a? Symbol or node_type? e, :lit, :str })
+  end
+
+  def process_case exp
+    if @ignore_ifs.nil?
+      @ignore_ifs = @tracker && @tracker.options[:ignore_ifs]
+    end
+
+    if @ignore_ifs
+      process_default exp
+      return exp
+    end
+
+    branch_scopes = []
+    was_inside = @inside_if
+    @inside_if = true
+
+    exp[1] = process exp[1] if exp[1]
+
+    case_value = if node_type? exp[1], :lvar, :ivar, :call
+      exp[1].deep_clone
+    end
+
+    exp.each_sexp do |e|
+      if node_type? e, :when
+        scope do
+          @branch_env = env.current
+
+          # set value of case var if possible
+          if case_value and simple_when? e
+            @branch_env[case_value] = e[1][1]
+          end
+
+          # when blocks aren't blocks, they are lists of expressions
+          process_default e
+
+          branch_scopes << env.current
+
+          @branch_env = nil
+        end
+      end
+    end
+
+    # else clause
+    if sexp? exp.last
+      scope do
+        @branch_env = env.current
+
+        process_default exp[-1]
+
+        branch_scopes << env.current
+
+        @branch_env = nil
+      end
+    end
+
+    @inside_if = was_inside
+
+    branch_scopes.each do |s|
+      merge_if_branch s
+    end
+
+    exp
+  end
+
   def process_if_branch exp
     if sexp? exp
       if block? exp
@@ -934,6 +1003,36 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     end
   end
 
+  def value_from_case exp
+    result = []
+
+    exp.each do |e|
+      if node_type? e, :when
+        result << e.last
+      end
+    end
+
+    result << exp.last if exp.last # else
+
+    result.reduce do |c, e|
+      if c.nil?
+        e
+      elsif node_type? e, :if
+        c.combine(value_from_if e)
+      elsif raise? e
+        c # ignore exceptions
+      elsif e
+        c.combine e
+      else # when e is nil
+        c
+      end
+    end
+  end
+
+  def raise? exp
+    call? exp and exp.method == :raise
+  end
+
   #Set variable to given value.
   #Creates "branched" versions of values when appropriate.
   #Avoids creating multiple branched versions inside same
@@ -941,6 +1040,8 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   def set_value var, value
     if node_type? value, :if
       value = value_from_if(value)
+    elsif node_type? value, :case
+      value = value_from_case(value)
     end
 
     if @ignore_ifs or not @inside_if

data/lib/brakeman/processors/controller_processor.rb

@@ -16,6 +16,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     @current_module = nil
     @visibility = :public
     @file_name = nil
+    @concerns = Set.new
   end
 
   #Use this method to process a Controller
@@ -65,7 +66,8 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     return unless @current_class
 
     if mod = @tracker.find_class(concern_name)
-      if mod.options[:included]
+      if mod.options[:included] and not @concerns.include? concern_name
+        @concerns << concern_name
         process mod.options[:included].deep_clone
       end
     end

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "3.5.0"
+  Version = "3.6.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 3.5.0
+  version: 3.6.0
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2017-02-01 00:00:00.000000000 Z
+date: 2017-03-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest