brakeman-lib 3.7.0 → 3.7.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3c3cd6ef685d42e97e293f59c00f8dbb22fdd260
-  data.tar.gz: 607b26573452f7a3003e34ff1151dc1e46a41cb1
+  metadata.gz: d8caf9e1df412c52a1a95b66b77512b0a8e8ff48
+  data.tar.gz: de550a511ffb1f74a101214a5184afa7edb0b878
 SHA512:
-  metadata.gz: b88ae2370d4dfde46dcfd88558bf41bbc99bb2b371ea27749bdb0a0c1e0bb456f9de3ecc44f9f891f61ae4f19cb99ae2b2347f55391580f8ae43c72657ac410b
-  data.tar.gz: a0ff1f759bde8f5ed837bc01d812bbc8e6140b4e8930ab799cd0e7362c7a5594272a9ef438cf1eaf3291431442d67f051c33aff5a2322ee131267f1eb218e179
+  metadata.gz: d8938f327f53f200f7d0dcf4a89ca8b7785deff656cf8ac55469366e419517bf8644a8152b71fe3611e2e9a8622791cf09ab88a09e93f0a0fc9e17b265c0dc1d
+  data.tar.gz: f76360d0a4d0b1850a599efea4e1be2e08cd2c1795274705abaf92a95d200af5769dfc70320ccf0fbdaa710bc00889854fd5a0091b8d7fe8e79c914bf2d92c95

data/CHANGES

@@ -1,3 +1,11 @@
+# 3.7.1
+
+* Handle simple guard with return at end of branch
+* Modularize bin/brakeman
+* Improve multi-value Sexp error message
+* Add more collection methods for iteration detection
+* Update ruby2ruby and ruby_parser
+
 # 3.7.0
 
 * Improve support for rails4/rails5 options in config file

data/bin/brakeman

@@ -3,100 +3,6 @@
 $:.unshift "#{File.expand_path(File.dirname(__FILE__))}/../lib"
 
 require 'brakeman'
-require 'brakeman/options'
-require 'brakeman/version'
+require 'brakeman/commandline'
 
-#Parse options
-begin
-  options, parser = Brakeman::Options.parse! ARGV
-rescue OptionParser::ParseError => e
-  $stderr.puts e.message
-  $stderr.puts "Please see `brakeman --help` for valid options"
-  exit(-1)
-end
-
-#Exit early for these options
-if options[:list_checks] or options[:list_optional_checks]
-  Brakeman.list_checks options
-  exit
-elsif options[:create_config]
-  Brakeman.dump_config options
-  exit
-elsif options[:show_help]
-  puts parser
-  exit
-elsif options[:show_version]
-  puts "brakeman #{Brakeman::Version}"
-  exit
-end
-
-#Set application path according to the commandline arguments
-unless options[:app_path]
-  if ARGV[-1].nil?
-    options[:app_path] = "."
-  else
-    options[:app_path] = ARGV[-1]
-  end
-end
-
-trap("INT") do
-  $stderr.puts "\nInterrupted - exiting."
-
-  if options[:debug]
-    $stderr.puts caller
-  end
-
-  exit!
-end
-
-if options[:quiet].nil?
-  options[:quiet] = :command_line
-end
-
-begin
-  if options[:ensure_latest]
-    if error = Brakeman.ensure_latest
-      warn error
-      exit Brakeman::Not_Latest_Version_Exit_Code
-    end
-  end
-
-  if options[:previous_results_json]
-    require 'json'
-    vulns = Brakeman.compare options.merge(:quiet => options[:quiet])
-
-    if options[:comparison_output_file]
-      File.open options[:comparison_output_file], "w" do |f|
-        f.puts JSON.pretty_generate(vulns)
-      end
-
-      Brakeman.notify "Comparison saved in '#{options[:comparison_output_file]}'"
-    else
-      puts JSON.pretty_generate(vulns)
-    end
-
-    if options[:exit_on_warn] && vulns[:new].count > 0
-      exit Brakeman::Warnings_Found_Exit_Code
-    end
-  else
-    #Run scan and output a report
-    tracker = Brakeman.run options.merge(:print_report => true, :quiet => options[:quiet])
-
-    #Return error code if --exit-on-warn is used and warnings were found
-    if tracker.options[:exit_on_warn] and not tracker.filtered_warnings.empty?
-      exit Brakeman::Warnings_Found_Exit_Code
-    end
-
-    #Return error code if --exit-on-error is used and errors were found
-    if tracker.options[:exit_on_error] and tracker.errors.any?
-      exit Brakeman::Errors_Found_Exit_Code
-    end
-  end
-
-rescue Brakeman::NoApplication => e
-  warn e.message
-  exit Brakeman::No_App_Found_Exit_Code
-rescue Brakeman::MissingChecksError => e
-  warn e.message
-  exit Brakeman::Missing_Checks_Exit_Code
-end
+Brakeman::Commandline.start

data/lib/brakeman.rb

@@ -511,6 +511,14 @@ module Brakeman
     end
   end
 
+  def self.debug= val
+    @debug = val
+  end
+
+  def self.quiet= val
+    @quiet = val
+  end
+
   class DependencyError < RuntimeError; end
   class NoBrakemanError < RuntimeError; end
   class NoApplication < RuntimeError; end

data/lib/brakeman/commandline.rb

@@ -0,0 +1,179 @@
+require 'brakeman/options'
+
+module Brakeman
+
+  # Implements handling of running Brakeman from the command line.
+  class Commandline
+    class << self
+
+      # Main method to run Brakeman from the command line.
+      #
+      # If no options are provided, ARGV will be parsed and used instead.
+      # Otherwise, the options are expected to be a Hash like the one returned
+      # after ARGV is parsed.
+      def start options = nil, app_path = "."
+
+        unless options
+          options, app_path = parse_options ARGV
+        end
+
+        run options, app_path
+      end
+
+      # Runs everything:
+      #
+      # - `set_interrupt_handler`
+      # - `early_exit_options`
+      # - `set_options`
+      # - `check_latest`
+      # - `run_report`
+      def run options, default_app_path = "."
+        set_interrupt_handler options
+        early_exit_options options
+        set_options options, default_app_path
+        check_latest if options[:ensure_latest]
+        run_report options
+      end
+
+      # Check for the latest version.
+      #
+      # If the latest version is newer, quit with a message.
+      def check_latest
+        if error = Brakeman.ensure_latest
+          quit Brakeman::Not_Latest_Version_Exit_Code, error
+        end
+      end
+
+      # Runs a comparison report based on the options provided.
+      def compare_results options
+        require 'json'
+        vulns = Brakeman.compare options.merge(:quiet => options[:quiet])
+
+        if options[:comparison_output_file]
+          File.open options[:comparison_output_file], "w" do |f|
+            f.puts JSON.pretty_generate(vulns)
+          end
+
+          Brakeman.notify "Comparison saved in '#{options[:comparison_output_file]}'"
+        else
+          puts JSON.pretty_generate(vulns)
+        end
+
+        if options[:exit_on_warn] && vulns[:new].count > 0
+          quit Brakeman::Warnings_Found_Exit_Code
+        end
+      end
+
+      # Handle options that exit without generating a report.
+      def early_exit_options options
+        if options[:list_checks] or options[:list_optional_checks]
+          Brakeman.list_checks options
+          quit
+        elsif options[:create_config]
+          Brakeman.dump_config options
+          quit
+        elsif options[:show_help]
+          puts Brakeman::Options.create_option_parser({})
+          quit
+        elsif options[:show_version]
+          require 'brakeman/version'
+          puts "brakeman #{Brakeman::Version}"
+          quit
+        end
+      end
+
+      # Parse ARGV-style array of options.
+      #
+      # Exits if options are invalid.
+      #
+      # Returns an option hash and the app_path.
+      def parse_options argv
+        begin
+          options, _ = Brakeman::Options.parse! argv
+        rescue OptionParser::ParseError => e
+          $stderr.puts e.message
+          $stderr.puts "Please see `brakeman --help` for valid options"
+          quit(-1)
+        end
+
+        if argv[-1]
+          app_path = argv[-1]
+        else
+          app_path = "."
+        end
+
+        return options, app_path
+      end
+
+      # Exits with the given exit code and prints out the message, if given.
+      #
+      # Override this method for different behavior.
+      def quit exit_code = 0, message = nil
+        warn message if message
+        exit exit_code
+      end
+
+      # Runs a regular report based on the options provided.
+      def regular_report options
+        tracker = run_brakeman options 
+
+        if options[:exit_on_warn] and not tracker.filtered_warnings.empty?
+          quit Brakeman::Warnings_Found_Exit_Code
+        end
+
+        if options[:exit_on_error] and tracker.errors.any?
+          quit Brakeman::Errors_Found_Exit_Code
+        end
+      end
+
+      # Actually run Brakeman.
+      #
+      # Returns a Tracker object.
+      def run_brakeman options
+        Brakeman.run options.merge(:print_report => true, :quiet => options[:quiet])
+      end
+
+      # Run either a comparison or regular report based on options provided.
+      def run_report options
+        begin
+          if options[:previous_results_json]
+            compare_results options
+          else
+            regular_report options
+          end
+        rescue Brakeman::NoApplication => e
+          quit Brakeman::No_App_Found_Exit_Code, e.message
+        rescue Brakeman::MissingChecksError => e
+          quit Brakeman::Missing_Checks_Exit_Code, e.message
+        end
+      end
+
+      # Sets interrupt handler to gracefully handle Ctrl+C
+      def set_interrupt_handler options
+        trap("INT") do
+          warn "\nInterrupted - exiting."
+
+          if options[:debug]
+            warn caller
+          end
+
+          exit!
+        end
+      end
+
+      # Modifies options, including setting the app_path
+      # if none is given in the options hash.
+      def set_options options, default_app_path = "."
+        unless options[:app_path]
+          options[:app_path] = default_app_path
+        end
+
+        if options[:quiet].nil?
+          options[:quiet] = :command_line
+        end
+
+        options
+      end
+    end
+  end
+end

data/lib/brakeman/options.rb

@@ -20,7 +20,23 @@ module Brakeman::Options
     def get_options args, destructive = false
       options = {}
 
-      parser = OptionParser.new do |opts|
+      parser = create_option_parser options
+
+      if destructive
+        parser.parse! args
+      else
+        parser.parse args
+      end
+
+      if options[:previous_results_json] and options[:output_files]
+        options[:comparison_output_file] = options[:output_files].shift
+      end
+
+      return options, parser
+    end
+
+    def create_option_parser options
+      OptionParser.new do |opts|
         opts.banner = "Usage: brakeman [options] rails/root/path"
 
         opts.on "-n", "--no-threads", "Run checks sequentially" do
@@ -306,18 +322,6 @@ module Brakeman::Options
           options[:show_help] = true
         end
       end
-
-      if destructive
-        parser.parse! args
-      else
-        parser.parse args
-      end
-
-      if options[:previous_results_json] and options[:output_files]
-        options[:comparison_output_file] = options[:output_files].shift
-      end
-
-      return options, parser
     end
   end
 end

data/lib/brakeman/processors/alias_processor.rb

@@ -682,7 +682,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
             env.current[var] = condition.target[1]
             exp[branch_index] = process_if_branch branch
             env.current[var] = previous_value
-          elsif i == 1 and array_include_all_literals? condition and node_type? branch, :return
+          elsif i == 1 and array_include_all_literals? condition and early_return? branch
             var = condition.first_arg
             env.current[var] = condition.target[1]
             exp[branch_index] = process_if_branch branch
@@ -704,6 +704,16 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     exp
   end
 
+  def early_return? exp
+    return true if node_type? exp, :return
+
+    if node_type? exp, :block, :rlist
+      node_type? exp.last, :return
+    else
+      false
+    end
+  end
+
   def simple_when? exp
     node_type? exp[1], :array and
       not node_type? exp[1][1], :splat, :array and

data/lib/brakeman/processors/output_processor.rb

@@ -30,22 +30,18 @@ class Brakeman::OutputProcessor < Ruby2Ruby
   end
 
   def process_ignore exp
-    exp.clear
     "[ignored]"
   end
 
   def process_params exp
-    exp.clear
     "params"
   end
 
   def process_session exp
-    exp.clear
     "session"
   end
 
   def process_cookies exp
-    exp.clear
     "cookies"
   end
 
@@ -58,13 +54,15 @@ class Brakeman::OutputProcessor < Ruby2Ruby
         res
       end
     end.compact.join("\n")
-    exp.clear
+
     out
   end
 
   def process_defn exp
     # Copied from Ruby2Ruby except without the whole
     # "convert methods to attr_*" stuff
+    exp = exp.deep_clone
+    exp.shift
     name = exp.shift
     args = process exp.shift
     args = "" if args == "()"
@@ -84,10 +82,10 @@ class Brakeman::OutputProcessor < Ruby2Ruby
   end
 
   def process_iter exp
-    call = process exp[0]
-    block = process_rlist exp[2..-1]
+    call = process exp[1]
+    block = process_rlist exp[3..-1]
     out = "#{call} do\n #{block}\n end"
-    exp.clear
+
     out
   end
 
@@ -109,10 +107,10 @@ class Brakeman::OutputProcessor < Ruby2Ruby
   end
 
   def output_format exp, tag
-    out = if exp[0].node_type == :str or exp[0].node_type == :ignore
+    out = if exp[1].node_type == :str or exp[1].node_type == :ignore
             ""
           else
-            res = process exp[0]
+            res = process exp[1]
 
             if res == ""
               ""
@@ -120,26 +118,27 @@ class Brakeman::OutputProcessor < Ruby2Ruby
               "[#{tag}] #{res}"
             end
           end
-    exp.clear
+
     out
   end
 
   def process_const exp
-    if exp[0] == Brakeman::Tracker::UNKNOWN_MODEL
-      exp.clear
+    if exp[1] == Brakeman::Tracker::UNKNOWN_MODEL
       "(Unresolved Model)"
     else
-      out = exp[0].to_s
-      exp.clear
+      out = exp[1].to_s
       out
     end
   end
 
   def process_render exp
+    exp = exp.deep_clone
+    exp.shift
+
     exp[1] = process exp[1] if sexp? exp[1]
     exp[2] = process exp[2] if sexp? exp[2]
     out = "render(#{exp[0]} => #{exp[1]}, #{exp[2]})"
-    exp.clear
+
     out
   end
 end

data/lib/brakeman/processors/template_alias_processor.rb

@@ -79,12 +79,14 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
     exp
   end
 
+  COLLECTION_METHODS = [:all, :find, :select, :where]
+
   #Checks if +exp+ is a call to Model.all or Model.find*
   def get_model_target exp
     if call? exp
       target = exp.target
 
-      if exp.method == :all or exp.method.to_s[0,4] == "find"
+      if COLLECTION_METHODS.include? exp.method or exp.method.to_s[0,4] == "find"
         models = Set.new @tracker.models.keys
         name = class_name target
         return target if models.include?(name)

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "3.7.0"
+  Version = "3.7.1"
 end

data/lib/ruby_parser/bm_sexp.rb

@@ -50,12 +50,12 @@ class Sexp
   end
 
   def value
-    raise WrongSexpError, "Sexp#value called on multi-item Sexp", caller[1..-1] if size > 2
+    raise WrongSexpError, "Sexp#value called on multi-item Sexp: `#{self.inspect}`" if size > 2
     self[1]
   end
 
   def value= exp
-    raise WrongSexpError, "Sexp#value= called on multi-item Sexp", caller[1..-1] if size > 2
+    raise WrongSexpError, "Sexp#value= called on multi-item Sexp: `#{self.inspect}`" if size > 2
     @my_hash_value = nil
     self[1] = exp
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 3.7.0
+  version: 3.7.1
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2017-06-30 00:00:00.000000000 Z
+date: 2017-08-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -31,14 +31,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.9.0
+        version: 3.10.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.9.0
+        version: 3.10.0
 - !ruby/object:Gem::Dependency
   name: sexp_processor
   requirement: !ruby/object:Gem::Requirement
@@ -59,14 +59,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.3.0
+        version: 2.4.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.3.0
+        version: 2.4.0
 - !ruby/object:Gem::Dependency
   name: safe_yaml
   requirement: !ruby/object:Gem::Requirement
@@ -156,6 +156,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 3.5.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -163,6 +166,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 3.5.0
 - !ruby/object:Gem::Dependency
   name: slim
   requirement: !ruby/object:Gem::Requirement
@@ -268,6 +274,7 @@ files:
 - lib/brakeman/checks/check_without_protection.rb
 - lib/brakeman/checks/check_xml_dos.rb
 - lib/brakeman/checks/check_yaml_parsing.rb
+- lib/brakeman/commandline.rb
 - lib/brakeman/differ.rb
 - lib/brakeman/file_parser.rb
 - lib/brakeman/format/style.css