brakeman-lib 3.7.2 → 4.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 873b9e7109c348302a61f42bd50716fcdf4e6bc6
-  data.tar.gz: 9b360b0de2141a4da3fa0e1b712e905c3e240eb0
+  metadata.gz: 65d7f9da4db99f231e82cb739f928573cbe8f1f8
+  data.tar.gz: b2d50032e9c74c9557b905e3f5c827430bcddb54
 SHA512:
-  metadata.gz: 4069231d3000040ef9cea61d0f25284d9e30e7af0dd1b16f32370ebdc82fd9c786ee82cb7a52527d98989c55e79d9c88a2e50d5ec3331dee6e1853e907b97f24
-  data.tar.gz: eb21ddfa90a1e98cb047e2eebaa88d1efb32e8502aa3c5bf1756162752685bdae9d73f8c12802911149521feb280e55c9d3554954fc126b536b613e8b032484b
+  metadata.gz: a760782c7a3be6d4db663d17ec654b0ef6212966c0318866320a7e0669e5e9c9bf3cb9d9a3c54d5a98f0951b797c27647cb7b728be65c9fea1eeb2e8fc20618b
+  data.tar.gz: 9efcb5bbe4e4fd9fd596ce4c4e3093352faee56cfb3183c4b0f996e09aed448bad82558fd05a838f1d3575e4d153a0b11fec323ea74c13b9004ed9f260556254

data/CHANGES

@@ -1,3 +1,17 @@
+# 4.0.0
+
+* Add simple pager for reports output to terminal
+* Rename "Cross Site Scripting" to "Cross-Site Scripting" (Paul Tetreau)
+* Rearrange tests a little bit
+* Treat `request.cookies` like `cookies`
+* Treat `fail`/`raise` like early returns
+* Remove reliance on `CONFIDENCE` constant in checks
+* Remove low confidence mass assignment warnings
+* Reduce warnings about XSS in `link_to`
+* "Plain" report output is now the default
+* --exit-on-error and --exit-on-warn are now the default
+* Fix --exit-on-error and --exit-on-warn in config files
+
 # 3.7.2
 
 * Fix --ensure-latest (David Guyon)
@@ -300,7 +314,7 @@
 # 3.0.0
 
 * Add check for CVE-2014-7829
-* Add check for cross site scripting via inline renders
+* Add check for cross-site scripting via inline renders
 * Fix formatting of command interpolation
 * Local variables are no longer formatted as `(local var)`
 * Actually skip skipped before filters

data/FEATURES

@@ -1,5 +1,5 @@
 Can detect:
--Possibly unescaped model attributes or parameters in views (Cross Site Scripting)
+-Possibly unescaped model attributes or parameters in views (Cross-Site Scripting)
 -Bad string interpolation in calls to Model.find, Model.last, Model.first, etc., as well as chained calls (SQL Injection)
 -String interpolation in find_by_sql (SQL Injection)
 -String interpolation or params in calls to system, exec, and syscall and `` (Command Injection)

data/lib/brakeman.rb

@@ -38,7 +38,8 @@ module Brakeman
   #  * :combine_locations - combine warning locations (default: true)
   #  * :config_file - configuration file
   #  * :escape_html - escape HTML by default (automatic)
-  #  * :exit_on_warn - return false if warnings found, true otherwise. Not recommended for library use (default: false)
+  #  * :exit_on_error - only affects Commandline module (default: true)
+  #  * :exit_on_warn - only affects Commandline module (default: true)
   #  * :github_repo - github repo to use for file links (user/repo[/path][@ref])
   #  * :highlight_user_input - highlight user input in reported warnings (default: true)
   #  * :html_style - path to CSS file
@@ -71,6 +72,7 @@ module Brakeman
     if @quiet
       options[:report_progress] = false
     end
+
     scan options
   end
 
@@ -156,23 +158,26 @@ module Brakeman
   #Default set of options
   def self.default_options
     { :assume_all_routes => true,
-      :skip_checks => Set.new,
       :check_arguments => true,
-      :safe_methods => Set.new,
-      :min_confidence => 2,
-      :combine_locations => true,
       :collapse_mass_assignment => false,
+      :combine_locations => true,
+      :engine_paths => ["engines/*"],
+      :exit_on_error => true,
+      :exit_on_warn => true,
       :highlight_user_input => true,
-      :ignore_redirect_to_model => true,
+      :html_style => "#{File.expand_path(File.dirname(__FILE__))}/brakeman/format/style.css",
       :ignore_model_output => false,
+      :ignore_redirect_to_model => true,
       :index_libs => true,
       :message_limit => 100,
+      :min_confidence => 2,
+      :output_color => true,
+      :pager => true,
       :parallel_checks => true,
       :relative_path => false,
       :report_progress => true,
-      :html_style => "#{File.expand_path(File.dirname(__FILE__))}/brakeman/format/style.css",
-      :output_color => true,
-      :engine_paths => ["engines/*"]
+      :safe_methods => Set.new,
+      :skip_checks => Set.new,
     }
   end
 
@@ -213,10 +218,12 @@ module Brakeman
       [:to_markdown]
     when :cc, :to_cc, :codeclimate, :to_codeclimate
       [:to_codeclimate]
-    when :plain ,:to_plain
-      [:to_plain]
+    when :plain ,:to_plain, :text, :to_text, :to_s
+      [:to_text]
+    when :table, :to_table
+      [:to_table]
     else
-      [:to_s]
+      [:to_text]
     end
   end
   private_class_method :get_formats_from_output_format
@@ -239,9 +246,11 @@ module Brakeman
       when /(\.cc|\.codeclimate)$/i
         :to_codeclimate
       when /\.plain$/i
-        :to_plain
+        :to_text
+      when /\.table$/i
+        :to_table
       else
-        :to_s
+        :to_text
       end
     end
   end
@@ -388,12 +397,41 @@ module Brakeman
       tracker.options[:output_color] = false
     end
 
-    output_formats.each do |output_format|
-      puts tracker.report.format(output_format)
+    if not $stdout.tty? or not tracker.options[:pager] or output_formats.length > 1 # does this ever happen??
+      output_formats.each do |output_format|
+        puts tracker.report.format(output_format)
+      end
+    else
+      page_output tracker.report.format(output_formats.first)
     end
   end
   private_class_method :write_report_to_formats
 
+  def self.page_output text
+    if system("which less")
+      # Adapted from https://github.com/piotrmurach/tty-pager/
+      write_io = open("|less -R", 'w')
+      pid = write_io.pid
+
+      write_io.write(text)
+      write_io.close
+
+      Process.waitpid2(pid, Process::WNOHANG)
+    else
+      load_brakeman_dependency 'highline'
+      h = ::HighLine.new
+      h.page_at = :auto
+      h.say tracker.report.format(output_formats.first)
+    end
+  rescue Errno::ECHILD
+    # on jruby 9x waiting on pid raises (per tty-pager)
+    true
+  rescue => e
+    warn "[Error] #{e}"
+    warn "[Error] Could not use pager. Set --no-pager to avoid this issue."
+    puts tracker.report.format(output_formats.first)
+  end
+
   #Rescan a subset of files in a Rails application.
   #
   #A full scan must have been run already to use this method.
@@ -508,7 +546,7 @@ module Brakeman
     missing = Brakeman::Checks.missing_checks(included_checks || Set.new, excluded_checks || Set.new)
 
     unless missing.empty?
-      raise MissingChecksError, "Could not find specified check#{missing.length > 1 ? 's' : ''}: #{missing.to_a.join(', ')}"
+      raise MissingChecksError, "Could not find specified check#{missing.length > 1 ? 's' : ''}: #{missing.map {|c| "`#{c}`"}.join(', ')}"
     end
   end
 

data/lib/brakeman/call_index.rb

@@ -67,7 +67,7 @@ class Brakeman::CallIndex
 
   def remove_template_indexes template_name = nil
     [@calls_by_method, @calls_by_target].each do |calls_by|
-      calls_by.each do |name, calls|
+      calls_by.each do |_name, calls|
         calls.delete_if do |call|
           from_template call, template_name
         end
@@ -77,7 +77,7 @@ class Brakeman::CallIndex
 
   def remove_indexes_by_class classes
     [@calls_by_method, @calls_by_target].each do |calls_by|
-      calls_by.each do |name, calls|
+      calls_by.each do |_name, calls|
         calls.delete_if do |call|
           call[:location][:type] == :class and classes.include? call[:location][:class]
         end

data/lib/brakeman/checks/base_check.rb

@@ -10,7 +10,9 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   include Brakeman::Util
   attr_reader :tracker, :warnings
 
-  CONFIDENCE = { :high => 0, :med => 1, :low => 2 }
+  # This is for legacy support.
+  # Use :high, :medium, or :low instead when creating warnings.
+  CONFIDENCE = Brakeman::Warning::CONFIDENCE
 
   Match = Struct.new(:type, :match)
 
@@ -60,7 +62,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   #Default Sexp processing. Iterates over each value in the Sexp
   #and processes them if they are also Sexps.
   def process_default exp
-    exp.each_with_index do |e, i|
+    exp.each_with_index do |e, _i|
       if sexp? e
         process e
       else

data/lib/brakeman/checks/check_basic_auth.rb

@@ -17,7 +17,7 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
   end
 
   def check_basic_auth_filter
-    controllers = tracker.controllers.select do |name, c|
+    controllers = tracker.controllers.select do |_name, c|
       c.options[:http_basic_authenticate_with]
     end
 
@@ -30,7 +30,7 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
               :warning_code => :basic_auth_password,
               :message => "Basic authentication password stored in source code",
               :code => call,
-              :confidence => 0,
+              :confidence => :high,
               :file => controller.file
           break
         end
@@ -50,7 +50,7 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
               :warning_type => "Basic Auth",
               :warning_code => :basic_auth_password,
               :message => "Basic authentication password stored in source code",
-              :confidence => 0
+              :confidence => :high
       end
     end
   end

data/lib/brakeman/checks/check_basic_auth_timing_attack.rb

@@ -26,7 +26,7 @@ class Brakeman::CheckBasicAuthTimingAttack < Brakeman::BaseCheck
         :warning_type => "Timing Attack",
         :warning_code => :CVE_2015_7576,
         :message => "Basic authentication in Rails #{rails_version} is vulnerable to timing attacks. Upgrade to #@upgrade",
-        :confidence => CONFIDENCE[:high],
+        :confidence => :high,
         :link => "https://groups.google.com/d/msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ"
     end
   end

data/lib/brakeman/checks/check_content_tag.rb

@@ -66,7 +66,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
 
     #Attribute keys are never escaped, so check them for user input
     if not @matched and hash? attributes and not request_value? attributes
-      hash_iterate(attributes) do |k, v|
+      hash_iterate(attributes) do |k, _v|
         check_argument result, k
         return if @matched
       end
@@ -79,7 +79,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
       if request_value? attributes or not hash? attributes
         check_argument result, attributes
       else #check hash values
-        hash_iterate(attributes) do |k, v|
+        hash_iterate(attributes) do |_k, v|
           check_argument result, v
           return if @matched
         end
@@ -101,11 +101,11 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
       add_result result
 
       warn :result => result,
-        :warning_type => "Cross Site Scripting",
+        :warning_type => "Cross-Site Scripting",
         :warning_code => :xss_content_tag,
         :message => message,
         :user_input => input,
-        :confidence => CONFIDENCE[:high],
+        :confidence => :high,
         :link_path => "content_tag"
 
     elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(arg)
@@ -113,13 +113,13 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
         add_result result
 
         if likely_model_attribute? match
-          confidence = CONFIDENCE[:high]
+          confidence = :high
         else
-          confidence = CONFIDENCE[:med]
+          confidence = :medium
         end
 
         warn :result => result,
-          :warning_type => "Cross Site Scripting",
+          :warning_type => "Cross-Site Scripting",
           :warning_code => :xss_content_tag,
           :message => "Unescaped model attribute in content_tag",
           :user_input => match,
@@ -135,11 +135,11 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
       add_result result
 
       warn :result => result,
-        :warning_type => "Cross Site Scripting",
+        :warning_type => "Cross-Site Scripting",
         :warning_code => :xss_content_tag,
         :message => message,
         :user_input => @matched,
-        :confidence => CONFIDENCE[:med],
+        :confidence => :medium,
         :link_path => "content_tag"
     end
   end
@@ -159,9 +159,9 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
   def check_cve_2016_6316
     if cve_2016_6316?
       confidence = if @content_tags.any?
-                     CONFIDENCE[:high]
+                     :high
                    else
-                     CONFIDENCE[:med]
+                     :medium
                    end
 
       fix_version = case
@@ -179,7 +179,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
                       return
                     end
 
-      warn :warning_type => "Cross Site Scripting",
+      warn :warning_type => "Cross-Site Scripting",
         :warning_code => :CVE_2016_6316,
         :message => "Rails #{rails_version} content_tag does not escape double quotes in attribute values (CVE-2016-6316). Upgrade to #{fix_version}",
         :confidence => confidence,

data/lib/brakeman/checks/check_create_with.rb

@@ -51,15 +51,15 @@ class Brakeman::CheckCreateWith < Brakeman::BaseCheck
     if call? exp and exp.method == :permit
       nil
     elsif request_value? exp
-      CONFIDENCE[:high]
+      :high
     elsif hash? exp
       nil
     elsif has_immediate_user_input?(exp)
-      CONFIDENCE[:high]
+      :high
     elsif include_user_input? exp
-      CONFIDENCE[:med]
+      :medium
     else
-      CONFIDENCE[:low]
+      :weak
     end
   end
 
@@ -68,7 +68,7 @@ class Brakeman::CheckCreateWith < Brakeman::BaseCheck
         :warning_code => :CVE_2014_3514,
         :message => @message,
         :gem_info => gemfile_or_environment,
-        :confidence => CONFIDENCE[:med],
+        :confidence => :medium,
         :link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"
   end
 end

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -73,11 +73,11 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
       message = "Unescaped #{friendly_type_of input}"
 
       warn :template => @current_template,
-        :warning_type => "Cross Site Scripting",
+        :warning_type => "Cross-Site Scripting",
         :warning_code => :cross_site_scripting,
         :message => message,
         :code => input.match,
-        :confidence => CONFIDENCE[:high]
+        :confidence => :high
 
     elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(out)
       method = if call? match
@@ -90,9 +90,9 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
         add_result exp
 
         if likely_model_attribute? match
-          confidence = CONFIDENCE[:high]
+          confidence = :high
         else
-          confidence = CONFIDENCE[:med]
+          confidence = :medium
         end
 
         message = "Unescaped model attribute"
@@ -106,7 +106,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
         end
 
         warn :template => @current_template,
-          :warning_type => "Cross Site Scripting",
+          :warning_type => "Cross-Site Scripting",
           :warning_code => warning_code,
           :message => message,
           :code => match,
@@ -178,18 +178,18 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
           warning_code = :cross_site_scripting
 
           if @known_dangerous.include? exp.method
-            confidence = CONFIDENCE[:high]
+            confidence = :high
             if exp.method == :to_json
               message += " in JSON hash"
               link_path += "_to_json"
               warning_code = :xss_to_json
             end
           else
-            confidence = CONFIDENCE[:low]
+            confidence = :weak
           end
 
           warn :template => @current_template,
-            :warning_type => "Cross Site Scripting",
+            :warning_type => "Cross-Site Scripting",
             :warning_code => warning_code,
             :message => message,
             :code => exp,

data/lib/brakeman/checks/check_default_routes.rb

@@ -21,7 +21,7 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
         :warning_code => :all_default_routes,
         :message => "All public methods in controllers are available as actions in routes.rb",
         :line => tracker.routes[:allow_all_actions].line,
-        :confidence => CONFIDENCE[:high],
+        :confidence => :high,
         :file => "#{tracker.app_path}/config/routes.rb"
     end
   end
@@ -43,7 +43,7 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
           :warning_code => :controller_default_routes,
           :message => "Any public method in #{name} can be used as an action for #{verb} requests.",
           :line => actions[2],
-          :confidence => CONFIDENCE[:med],
+          :confidence => :medium,
           :file => "#{tracker.app_path}/config/routes.rb"
       end
     end
@@ -67,9 +67,9 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
     end
 
     if allow_all_actions? or @actions_allowed_on_controller
-      confidence = CONFIDENCE[:high]
+      confidence = :high
     else
-      confidence = CONFIDENCE[:med]
+      confidence = :medium
     end
 
     warn :warning_type => "Remote Code Execution",