brakeman-lib 3.6.2 → 3.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b009aece1db925bc835024219dd9728197628bc3
-  data.tar.gz: b4d231e1a8d98847f66c220570ddfc733b92f8f6
+  metadata.gz: 3c3cd6ef685d42e97e293f59c00f8dbb22fdd260
+  data.tar.gz: 607b26573452f7a3003e34ff1151dc1e46a41cb1
 SHA512:
-  metadata.gz: 9dd15326cb813bb0f2fd5bb588caaf4f7e1b30f8dc7a353a691f9490df10631aafd0218dd1c55f6e90c97d83401a6650cfb79d1afd073e7a06a9113026f95635
-  data.tar.gz: 7a35e0864a7c7ad084291cf9a313e404a62f4daff8fb5d4d46ad1c8a7270b6e5781a9a56a640c482ae6fdcd500a4bfcb65fcf8a71ae147b2d8fedf4c2cd4c994
+  metadata.gz: b88ae2370d4dfde46dcfd88558bf41bbc99bb2b371ea27749bdb0a0c1e0bb456f9de3ecc44f9f891f61ae4f19cb99ae2b2347f55391580f8ae43c72657ac410b
+  data.tar.gz: a0ff1f759bde8f5ed837bc01d812bbc8e6140b4e8930ab799cd0e7362c7a5594272a9ef438cf1eaf3291431442d67f051c33aff5a2322ee131267f1eb218e179

data/CHANGES

@@ -1,3 +1,12 @@
+# 3.7.0
+
+* Improve support for rails4/rails5 options in config file
+* Track more information about constant assignments
+* Show progress indicator in interactive mode
+* Handle simple conditional guards that use `return`
+* Fix false positive for redirect_to in Rails 4 (Mário Areias)
+* Avoid interpolating hashes/arrays on failed access
+
 # 3.6.2
 
 * Handle safe call operator in checks

data/lib/brakeman.rb

@@ -90,6 +90,13 @@ module Brakeman
       options[:quiet] = true
     end
 
+    if options[:rails4]
+      options[:rails3] = true
+    elsif options[:rails5]
+      options[:rails3] = true
+      options[:rails4] = true
+    end
+
     options[:output_formats] = get_output_formats options
     options[:github_url] = get_github_url options
 

data/lib/brakeman/checks/check_redirect.rb

@@ -105,11 +105,34 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
     arg = call.first_arg
 
     if hash? arg
-      if value = hash_access(arg, :only_path)
-        return true if true?(value)
-      end
+      return has_only_path? arg
     elsif call? arg and arg.method == :url_for
       return check_url_for(arg)
+    elsif call? arg and hash? arg.first_arg and use_unsafe_hash_method? arg
+      return has_only_path? arg.first_arg
+    end
+
+    false
+  end
+
+  def use_unsafe_hash_method? arg
+    return call_has_param(arg, :to_unsafe_hash) || call_has_param(arg, :to_unsafe_h)
+  end
+
+  def call_has_param arg, key
+    if call? arg and call? arg.target
+      target = arg.target
+      method = target.method
+
+      node_type? target.target, :params and method == key
+    else
+      false
+    end
+  end
+
+  def has_only_path? arg
+    if value = hash_access(arg, :only_path)
+      return true if true?(value)
     end
 
     false

data/lib/brakeman/processors/alias_processor.rb

@@ -87,6 +87,73 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     end
   end
 
+  def process_bracket_call exp
+    r = replace(exp)
+
+    if r != exp
+      return r
+    end
+
+    exp.arglist = process_default(exp.arglist)
+
+    r = replace(exp)
+
+    if r != exp
+      return r
+    end
+
+    t = process(exp.target.deep_clone)
+
+    # sometimes t[blah] has a match in the env
+    # but we don't want to actually set the target
+    # in case the target is big...which is what this
+    # whole method is trying to avoid
+    if t != exp.target
+      e = exp.deep_clone
+      e.target = t
+
+      r = replace(e)
+
+      if r != e
+        return r
+      end
+    else
+      t = nil
+    end
+
+    if hash? t
+      if v = hash_access(t, exp.first_arg)
+        v.deep_clone(exp.line)
+      else
+        case t.node_type
+        when :params
+          exp.target = PARAMS_SEXP.deep_clone(exp.target.line)
+        when :session
+          exp.target = SESSION_SEXP.deep_clone(exp.target.line)
+        when :cookies
+          exp.target = COOKIES_SEXP.deep_clone(exp.target.line)
+        end
+
+        exp
+      end
+    elsif array? t
+      if v = process_array_access(t, exp.args)
+        v.deep_clone(exp.line)
+      else
+        exp
+      end
+    elsif t
+      exp.target = t
+      exp
+    else
+      if exp.target # `self` target is reported as `nil` https://github.com/seattlerb/ruby_parser/issues/250
+        exp.target = process_default exp.target
+      end
+
+      exp
+    end
+  end
+
   ARRAY_CONST = s(:const, :Array)
   HASH_CONST = s(:const, :Hash)
   RAILS_TEST = s(:call, s(:call, s(:const, :Rails), :env), :test?)
@@ -99,7 +166,12 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     if exp.node_type == :safe_call
       exp.node_type = :call
     end
-    exp = process_default exp
+
+    if exp.method == :[]
+      return process_bracket_call exp
+    else
+      exp = process_default exp
+    end
 
     #In case it is replaced with something else
     unless call? exp
@@ -391,7 +463,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   # x[:y] = 1
   def process_attrasgn exp
     tar_variable = exp.target
-    target = exp.target = process(exp.target)
+    target = process(exp.target)
     method = exp.method
     index_arg = exp.first_arg
     value_arg = exp.second_arg
@@ -406,6 +478,10 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       if hash? target
         env[tar_variable] = hash_insert target.deep_clone, index, value
       end
+
+      unless node_type? target, :hash
+        exp.target = target
+      end
     elsif method.to_s[-1,1] == "="
       exp.first_arg = process(index_arg)
       value = get_rhs(exp)
@@ -413,6 +489,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       match = Sexp.new(:call, target, method.to_s[0..-2].to_sym)
 
       set_value match, value
+      exp.target = target
     else
       raise "Unrecognized assignment: #{exp}"
     end
@@ -522,7 +599,14 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       exp.rhs = process exp.rhs
     end
 
-    @tracker.add_constant exp.lhs, exp.rhs, :file => current_file_name if @tracker
+    if @tracker
+      @tracker.add_constant exp.lhs,
+        exp.rhs,
+        :file => current_file_name,
+        :module => @current_module,
+        :class => @current_class,
+        :method => @current_method
+    end
 
     if exp.lhs.is_a? Symbol
       match = Sexp.new(:const, exp.lhs)
@@ -598,6 +682,10 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
             env.current[var] = condition.target[1]
             exp[branch_index] = process_if_branch branch
             env.current[var] = previous_value
+          elsif i == 1 and array_include_all_literals? condition and node_type? branch, :return
+            var = condition.first_arg
+            env.current[var] = condition.target[1]
+            exp[branch_index] = process_if_branch branch
           else
             exp[branch_index] = process_if_branch branch
           end

data/lib/brakeman/processors/base_processor.rb

@@ -183,7 +183,15 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
   end
 
   def process_cdecl exp
-    @tracker.add_constant exp.lhs, exp.rhs, :file => current_file_name if @tracker
+    if @tracker
+      @tracker.add_constant exp.lhs,
+        exp.rhs,
+        :file => current_file_name,
+        :module => @current_module,
+        :class => @current_class,
+        :method => @current_method
+    end
+
     exp
   end
 

data/lib/brakeman/report/ignore/interactive.rb

@@ -101,7 +101,7 @@ module Brakeman
     end
 
     def pre_show_help
-      say "-" * 20
+      say "-" * 30
       say "Actions:", :cyan
       show_help
     end
@@ -189,7 +189,11 @@ q - Quit, do not update ignored warnings
     end
 
     def process_warnings
-      @new_warnings.each do |w|
+      @warning_count = @new_warnings.length
+
+      @new_warnings.each_with_index do |w, index|
+        @current_index = index
+
         if skip_ignored? w or @skip_rest
           next
         elsif @ignore_rest
@@ -261,7 +265,8 @@ q - Quit, do not update ignored warnings
     end
 
     def pretty_display warning
-      say "-" * 20
+      progress = "#{@current_index + 1}/#{@warning_count}"
+      say "-------- #{progress} #{"-" * (20 - progress.length)}", :cyan
       show_confidence warning
 
       label "Category"
@@ -302,7 +307,7 @@ q - Quit, do not update ignored warnings
     end
 
     def summarize_changes
-      say "-" * 20
+      say "-" * 30
 
       say "Ignoring #{@ignore_config.ignored_warnings.length} warnings", :yellow
       say "Showing #{@ignore_config.shown_warnings.length} warnings", :green

data/lib/brakeman/tracker/constants.rb

@@ -2,14 +2,18 @@ require 'brakeman/processors/output_processor'
 
 module Brakeman
   class Constant
-    attr_reader :name, :name_array, :file, :value
+    attr_reader :name, :name_array, :file, :value, :context
 
-    def initialize name, value = nil, context = nil 
+    def initialize name, value, context = {}
       set_name name, context
       @value = value
       @context = context
 
       if @context
+        if @context[:class].is_a? Brakeman::Controller
+          @context[:class] = @context[:class].name
+        end
+
         @file = @context[:file]
       end
     end
@@ -88,6 +92,11 @@ module Brakeman
       nil
     end
 
+    def find_all exp
+      base_name = Constants.get_constant_base_name(exp)
+      @constants[base_name]
+    end
+
     def add name, value, context = nil
       if call? value and value.method == :freeze
         value = value.target

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "3.6.2"
+  Version = "3.7.0"
 end

data/lib/ruby_parser/bm_sexp.rb

@@ -120,14 +120,6 @@ class Sexp
     old_find_node(*args)
   end
 
-  #Iterates over the Sexps in an Sexp, skipping values that are not
-  #an Sexp.
-  def each_sexp
-    self.each do |e|
-      yield e if Sexp === e
-    end
-  end
-
   #Raise a WrongSexpError if the nodes type does not match one of the expected
   #types.
   def expect *types

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 3.6.2
+  version: 3.7.0
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2017-05-20 00:00:00.000000000 Z
+date: 2017-06-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -39,6 +39,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 3.9.0
+- !ruby/object:Gem::Dependency
+  name: sexp_processor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.7'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.7'
 - !ruby/object:Gem::Dependency
   name: ruby2ruby
   requirement: !ruby/object:Gem::Requirement