brakeman-lib 3.6.1 → 3.6.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b0df5204ececcf12fbf58c9024517536da1bd573
-  data.tar.gz: 5a03298107656214eaf8308091a3667521541526
+  metadata.gz: b009aece1db925bc835024219dd9728197628bc3
+  data.tar.gz: b4d231e1a8d98847f66c220570ddfc733b92f8f6
 SHA512:
-  metadata.gz: 06d0807326483e035bb28e3f26cfe04d960053f30cc91270b7efbb741b174b5caa8c850226866024e890beaa77e8167e48de8f003251cfbfacc789e842258c96
-  data.tar.gz: b4bfe784e6d0b51b4bd7d444285b7d840dec42e59058f5638f71f9debd5bd5313bcd77929947f38b55279ead29b8031cb62f23043524d24b42e625b182a7289d
+  metadata.gz: 9dd15326cb813bb0f2fd5bb588caaf4f7e1b30f8dc7a353a691f9490df10631aafd0218dd1c55f6e90c97d83401a6650cfb79d1afd073e7a06a9113026f95635
+  data.tar.gz: 7a35e0864a7c7ad084291cf9a313e404a62f4daff8fb5d4d46ad1c8a7270b6e5781a9a56a640c482ae6fdcd500a4bfcb65fcf8a71ae147b2d8fedf4c2cd4c994

data/CHANGES

@@ -1,3 +1,18 @@
+# 3.6.2
+
+* Handle safe call operator in checks
+* Better handling of `if` expressions in HAML rendering
+* Remove `--rake` option
+* Properly handle template names without `.html` or `.js`
+* Set template file names during rendering for better errors
+* Limit Slim dependency to before 3.0.8
+* Catch YAML parsing errors in session settings check
+* Avoid warning about SQLi with `to_s` in `exists?`
+* Update RubyParser to 3.9.0
+* Do not honor additional check paths in config by default
+* Handle empty `if` expressions when finding return values
+* Fix finding return value from empty `if`
+
 # 3.6.1
 
 * Fix error when using `--compare` (Sean Gransee)

data/bin/brakeman

@@ -28,9 +28,6 @@ elsif options[:show_help]
 elsif options[:show_version]
   puts "brakeman #{Brakeman::Version}"
   exit
-elsif options[:install_rake_task]
-  Brakeman.install_rake_task
-  exit
 end
 
 #Set application path according to the commandline arguments

data/lib/brakeman.rb

@@ -114,6 +114,14 @@ module Brakeman
         # After parsing the yaml config file for options, convert any string keys into symbols.
         options.keys.select {|k| k.is_a? String}.map {|k| k.to_sym }.each {|k| options[k] = options[k.to_s]; options.delete(k.to_s) }
 
+        unless line_options[:allow_check_paths_in_config]
+          if options.include? :additional_checks_path
+            options.delete :additional_checks_path
+
+            notify "[Notice] Ignoring additional check paths in config file. Use --allow-check-paths-in-config to allow" unless (options[:quiet] || quiet)
+          end
+        end
+
         # notify if options[:quiet] and quiet is nil||false
         notify "[Notice] Using configuration in #{config}" unless (options[:quiet] || quiet)
         options
@@ -269,43 +277,6 @@ module Brakeman
     end
   end
 
-  #Installs Rake task for running Brakeman,
-  #which basically means copying `lib/brakeman/brakeman.rake` to
-  #`lib/tasks/brakeman.rake` in the current Rails application.
-  def self.install_rake_task install_path = nil
-    if install_path
-      rake_path = File.join(install_path, "Rakefile")
-      task_path = File.join(install_path, "lib", "tasks", "brakeman.rake")
-    else
-      rake_path = "Rakefile"
-      task_path = File.join("lib", "tasks", "brakeman.rake")
-    end
-
-    if not File.exist? rake_path
-      raise RakeInstallError, "No Rakefile detected"
-    elsif File.exist? task_path
-      raise RakeInstallError, "Task already exists"
-    end
-
-    require 'fileutils'
-
-    if not File.exist? "lib/tasks"
-      notify "Creating lib/tasks"
-      FileUtils.mkdir_p "lib/tasks"
-    end
-
-    path = File.expand_path(File.dirname(__FILE__))
-
-    FileUtils.cp "#{path}/brakeman/brakeman.rake", task_path
-
-    if File.exist? task_path
-      notify "Task created in #{task_path}"
-      notify "Usage: rake brakeman:run[output_file]"
-    else
-      raise RakeInstallError, "Could not create task"
-    end
-  end
-
   #Output configuration to YAML
   def self.dump_config options
     require 'yaml'
@@ -534,7 +505,6 @@ module Brakeman
   end
 
   class DependencyError < RuntimeError; end
-  class RakeInstallError < RuntimeError; end
   class NoBrakemanError < RuntimeError; end
   class NoApplication < RuntimeError; end
   class MissingChecksError < RuntimeError; end

data/lib/brakeman/checks/base_check.rb

@@ -6,6 +6,7 @@ require 'brakeman/util'
 #Basis of vulnerability checks.
 class Brakeman::BaseCheck < Brakeman::SexpProcessor
   include Brakeman::ProcessorHelper
+  include Brakeman::SafeCallHelper
   include Brakeman::Util
   attr_reader :tracker, :warnings
 

data/lib/brakeman/checks/check_session_settings.rb

@@ -115,7 +115,13 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
       yaml = @app_tree.read secrets_file
       require 'date' # https://github.com/dtao/safe_yaml/issues/80
       require 'safe_yaml/load'
-      secrets = SafeYAML.load yaml
+      begin
+        secrets = SafeYAML.load yaml
+      rescue Psych::SyntaxError, RuntimeError => e
+        Brakeman.notify "[Notice] #{self.class}: Unable to parse `#{secrets_file}`"
+        Brakeman.debug "Failed to parse #{secrets_file}: #{e.inspect}"
+        return
+      end
 
       if secrets["production"] and secret = secrets["production"]["secret_key_base"]
         unless secret.include? "<%="

data/lib/brakeman/checks/check_sql.rb

@@ -164,7 +164,9 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     dangerous_value = case method
                       when :find
                         check_find_arguments call.second_arg
-                      when :exists?, :delete_all, :destroy_all
+                      when :exists?
+                        check_exists call.first_arg
+                      when :delete_all, :destroy_all
                         check_find_arguments call.first_arg
                       when :named_scope, :scope
                         check_scope_arguments call
@@ -633,6 +635,14 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     end
   end
 
+  def check_exists arg
+    if call? arg and arg.method == :to_s
+      false
+    else
+      check_find_arguments arg
+    end
+  end
+
   #Prior to Rails 2.1.1, the :offset and :limit parameters were not
   #escaping input properly.
   #

data/lib/brakeman/options.rb

@@ -280,6 +280,10 @@ module Brakeman::Options
           end
         end
 
+        opts.on "--allow-check-paths-in-config", "Allow loading checks from configuration file (Unsafe)" do
+          options[:allow_check_paths_in_config] = true
+        end
+
         opts.separator ""
 
         opts.on "-k", "--checks", "List all available vulnerability checks" do
@@ -290,10 +294,6 @@ module Brakeman::Options
           options[:list_optional_checks] = true
         end
 
-        opts.on "--rake", "Create rake task to run Brakeman" do
-          options[:install_rake_task] = true
-        end
-
         opts.on "-v", "--version", "Show Brakeman version" do
           options[:show_version] = true
         end

data/lib/brakeman/parsers/template_parser.rb

@@ -22,11 +22,11 @@ module Brakeman
         src = case type
               when :erb
                 type = :erubis if erubis?
-                parse_erb text
+                parse_erb path, text
               when :haml
-                parse_haml text
+                parse_haml path, text
               when :slim
-                parse_slim text
+                parse_slim path, text
               else
                 tracker.error "Unknown template type in #{path}"
                 nil
@@ -46,21 +46,21 @@ module Brakeman
       nil
     end
 
-    def parse_erb text
+    def parse_erb path, text
       if tracker.config.escape_html?
         if tracker.options[:rails3]
           require 'brakeman/parsers/rails3_erubis'
-          Brakeman::Rails3Erubis.new(text).src
+          Brakeman::Rails3Erubis.new(text, :filename => path).src
         else
           require 'brakeman/parsers/rails2_xss_plugin_erubis'
-          Brakeman::Rails2XSSPluginErubis.new(text).src
+          Brakeman::Rails2XSSPluginErubis.new(text, :filename => path).src
         end
       elsif tracker.config.erubis?
         require 'brakeman/parsers/rails2_erubis'
-        Brakeman::ScannerErubis.new(text).src
+        Brakeman::ScannerErubis.new(text, :filename => path).src
       else
         require 'erb'
-        src = ERB.new(text, nil, "-").src
+        src = ERB.new(text, nil, path).src
         src.sub!(/^#.*\n/, '') if Brakeman::Scanner::RUBY_1_9
         src
       end
@@ -71,25 +71,27 @@ module Brakeman
         tracker.config.erubis?
     end
 
-    def parse_haml text
+    def parse_haml path, text
       Brakeman.load_brakeman_dependency 'haml'
       Brakeman.load_brakeman_dependency 'sass'
 
       Haml::Engine.new(text,
+                       :filename => path,
                        :escape_html => tracker.config.escape_html?).precompiled.gsub(/([^\\])\\n/, '\1')
     end
 
-    def parse_slim text
+    def parse_slim path, text
       Brakeman.load_brakeman_dependency 'slim'
 
-      Slim::Template.new(:disable_capture => true,
+      Slim::Template.new(path,
+                         :disable_capture => true,
                          :generator => Temple::Generators::RailsOutputBuffer) { text }.precompiled_template
     end
 
     def self.parse_inline_erb tracker, text
       fp = Brakeman::FileParser.new(nil, nil)
       tp = self.new(tracker, fp)
-      src = tp.parse_erb text
+      src = tp.parse_erb '_inline_', text
       type = tp.erubis? ? :erubis : :erb
 
       return type, fp.parse_ruby(src, "_inline_")

data/lib/brakeman/processors/haml_template_processor.rb

@@ -170,6 +170,14 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
       exp
     when :block, :rlist, :dstr
       exp.map! { |e| get_pushed_value e }
+    when :if
+      clauses = [get_pushed_value(exp.then_clause), get_pushed_value(exp.else_clause)].compact
+
+      if clauses.length > 1
+        s(:or, *clauses)
+      else
+        clauses.first
+      end
     else
       if call? exp and exp.target == HAML_HELPERS and exp.method == :html_escape
         add_escaped_output exp.first_arg

data/lib/brakeman/processors/lib/find_return_value.rb

@@ -81,7 +81,9 @@ class Brakeman::FindReturnValue
       then_clause = exp.then_clause
       else_clause = exp.else_clause
 
-      if then_clause.nil?
+      if then_clause.nil? and else_clause.nil?
+        nil
+      elsif then_clause.nil?
         last_value else_clause
       elsif else_clause.nil?
         last_value then_clause

data/lib/brakeman/util.rb

@@ -429,7 +429,7 @@ module Brakeman::Util
   # views/test/something.html.erb -> test/something
   def template_path_to_name path
     names = path.split("/")
-    names.last.gsub!(/(\.(html|js)\..*|\.rhtml)$/, '')
+    names.last.gsub!(/(\.(html|js)\..*|\.(rhtml|haml|erb|slim))$/, '')
     names[(names.index("views") + 1)..-1].join("/").to_sym
   end
 

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "3.6.1"
+  Version = "3.6.2"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 3.6.1
+  version: 3.6.2
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2017-03-24 00:00:00.000000000 Z
+date: 2017-05-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -31,14 +31,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.8.3
+        version: 3.9.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.8.3
+        version: 3.9.0
 - !ruby/object:Gem::Dependency
   name: ruby2ruby
   requirement: !ruby/object:Gem::Requirement
@@ -158,7 +158,7 @@ dependencies:
         version: 1.3.6
     - - "<"
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: 3.0.8
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -168,7 +168,7 @@ dependencies:
         version: 1.3.6
     - - "<"
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: 3.0.8
 description: Brakeman detects security vulnerabilities in Ruby on Rails applications
   via static analysis. This package declares gem dependencies instead of bundling
   them.
@@ -184,7 +184,6 @@ files:
 - bin/brakeman
 - lib/brakeman.rb
 - lib/brakeman/app_tree.rb
-- lib/brakeman/brakeman.rake
 - lib/brakeman/call_index.rb
 - lib/brakeman/checks.rb
 - lib/brakeman/checks/base_check.rb

data/lib/brakeman/brakeman.rake

@@ -1,17 +0,0 @@
-namespace :brakeman do
-
-  desc "Run Brakeman"
-  task :run, :output_files do |t, args|
-    require 'brakeman'
-
-    files = args[:output_files].split(' ') if args[:output_files]
-    Brakeman.run :app_path => ".", :output_files => files, :print_report => true
-  end
-
-  desc "Check your code with Brakeman"
-  task :check do
-    require 'brakeman'
-    result = Brakeman.run app_path: '.', print_report: true
-    exit Brakeman::Warnings_Found_Exit_Code unless result.filtered_warnings.empty?
-  end
-end