brakeman-lib 4.1.1 → 4.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 52f1866bbb46d9c31465b38923c8b3af801b3d13
-  data.tar.gz: ba9389b8a21a103ca0a68b237e642ad0a7638074
+SHA256:
+  metadata.gz: 1a02aad3664741bec5ac0228bb7010df63d372fe2720fa3dde272aed8e92c070
+  data.tar.gz: d882ea01bc6b151920763b3c9f8ca9220c0abfbd6c443c41d72ef447014c6bfa
 SHA512:
-  metadata.gz: 55209544e41fadfc1d042116fa93d5cd583ce08913401003d05d58f6e9975f8b75b9f541e200a7dcc29ae78ae6b60c43457317222292bf7c78e29c5c1d05c543
-  data.tar.gz: 68934d7abc0916646abf934d2f329b5157c0f92df6b588b501611e98c3f5c1c45405d6329b56fd9aa5338df66daae98011104469af0da0f6e4a203a88afe15dd
+  metadata.gz: bdce57e4ee118d55722a174c0f411dc19d3cc9a7f636c080124a2ebdc954e8f063e6022460d989c59cf265a7f5ef58978191a06057fb37c5f02e29d120d5b348
+  data.tar.gz: 1ac676aaefc2a521af60b0bf12f9f3dc94df6e0b1925dc0918e41542b2f8f7f79d8d621e00dd3486b3a1205e1992358aa7173dfddd88e0db3bf713f2e13ee3c3

data/CHANGES.md

@@ -1,3 +1,16 @@
+# 4.2.0
+
+* Avoid warning about symbol DoS on `Model#attributes`
+* Avoid warning about open redirects with model methods ending with `_path`
+* Avoid warning about command injection with `Shellwords.escape`
+* Use ivars from `initialize` in libraries
+* `Sexp#body=` can accept `:rlist` from `Sexp#body_list`
+* Update RubyParser to 3.11.0
+* Fix multiple assignment of globals
+* Warn about SQL injection in `not`
+* Exclude template folders in `lib/` (kru0096)
+* Handle ERb use of `String#<<` method for Ruby 2.5 (Pocke)
+
 # 4.1.1
 
 * Remove check for use of `permit` with `*_id` keys

data/lib/brakeman/app_tree.rb

@@ -110,7 +110,7 @@ module Brakeman
     end
 
     def lib_paths
-      @lib_files ||= find_paths("lib").reject { |path| path.include? "/generators/" or path.include? "lib/tasks/" } +
+      @lib_files ||= find_paths("lib").reject { |path| path.include? "/generators/" or path.include? "lib/tasks/" or path.include? "lib/templates/" } +
                      find_additional_lib_paths +
                      find_helper_paths
     end

data/lib/brakeman/checks/base_check.rb

@@ -62,12 +62,8 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   #Default Sexp processing. Iterates over each value in the Sexp
   #and processes them if they are also Sexps.
   def process_default exp
-    exp.each_with_index do |e, _i|
-      if sexp? e
-        process e
-      else
-        e
-      end
+    exp.each do |e|
+      process e if sexp? e
     end
 
     exp

data/lib/brakeman/checks/check_execute.rb

@@ -17,6 +17,10 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
                   s(:call, s(:const, :Rails), :root),
                   s(:call, s(:const, :Rails), :env)]
 
+  SHELL_ESCAPES = [:escape, :shellescape, :join]
+
+  SHELLWORDS = s(:const, :Shellwords)
+
   #Check models, controllers, and views for command injection.
   def run_check
     Brakeman.debug "Finding system calls using ``"
@@ -127,15 +131,17 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
       :confidence => confidence
   end
 
+  # This method expects a :dstr or :evstr node
   def dangerous? exp
     exp.each_sexp do |e|
-      next if node_type? e, :lit, :str
-      next if SAFE_VALUES.include? e
-
       if call? e and e.method == :to_s
         e = e.target
       end
 
+      next if node_type? e, :lit, :str
+      next if SAFE_VALUES.include? e
+      next if shell_escape? e
+
       if node_type? e, :or, :evstr, :dstr
         if res = dangerous?(e)
           return res
@@ -161,4 +167,16 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
 
     false
   end
+
+  def shell_escape? exp
+    return false unless call? exp
+
+    if exp.target == SHELLWORDS and SHELL_ESCAPES.include? exp.method
+      true
+    elsif exp.method == :shelljoin
+      true
+    else
+      false
+    end
+  end
 end

data/lib/brakeman/checks/check_redirect.rb

@@ -79,7 +79,9 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
     end
 
     if res = has_immediate_model?(arg)
-      return Match.new(immediate, res)
+      unless call? arg and arg.method.to_s =~ /_path/
+        return Match.new(immediate, res)
+      end
     elsif call? arg
       if request_value? arg
         return Match.new(immediate, arg)

data/lib/brakeman/checks/check_sql.rb

@@ -19,7 +19,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     @sql_targets = [:average, :calculate, :count, :count_by_sql, :delete_all, :destroy_all,
                     :find_by_sql, :maximum, :minimum, :pluck, :sum, :update_all]
     @sql_targets.concat [:from, :group, :having, :joins, :lock, :order, :reorder, :where] if tracker.options[:rails3]
-    @sql_targets << :find_by << :find_by! if tracker.options[:rails4]
+    @sql_targets << :find_by << :find_by! << :not if tracker.options[:rails4]
 
     if version_between?("2.0.0", "3.9.9") or tracker.config.rails_version.nil?
       @sql_targets << :first << :last << :all
@@ -184,7 +184,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
                         else
                           check_find_arguments call.last_arg
                         end
-                      when :where, :having, :find_by, :find_by!
+                      when :where, :having, :find_by, :find_by!, :not
                         check_query_arguments call.arglist
                       when :order, :group, :reorder
                         check_order_arguments call.arglist

data/lib/brakeman/checks/check_symbol_dos.rb

@@ -33,8 +33,10 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
       confidence = :medium
     end
 
+
     if confidence
       return if safe_parameter? input.match
+      return if symbolizing_attributes? input
 
       message = "Symbol conversion from unsafe string (#{friendly_type_of input})"
 
@@ -60,4 +62,10 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
       false
     end
   end
+
+  def symbolizing_attributes? input
+    input.type == :model and
+      call? input.match and
+      input.match.method == :attributes
+  end
 end

data/lib/brakeman/checks/check_unscoped_find.rb

@@ -10,7 +10,11 @@ class Brakeman::CheckUnscopedFind < Brakeman::BaseCheck
     Brakeman.debug("Finding instances of #find on models with associations")
 
     associated_model_names = active_record_models.keys.select do |name|
-      active_record_models[name].associations[:belongs_to]
+      if belongs_to = active_record_models[name].associations[:belongs_to]
+        not optional_belongs_to? belongs_to
+      else
+        false
+      end
     end
 
     calls = tracker.find_call :method => [:find, :find_by_id, :find_by_id!],
@@ -38,4 +42,16 @@ class Brakeman::CheckUnscopedFind < Brakeman::BaseCheck
       :confidence   => :weak,
       :user_input   => input
   end
+
+  def optional_belongs_to? exp
+    return false unless exp.is_a? Array
+
+    exp.each do |e|
+      if hash? e and true? hash_access(e, :optional)
+        return true
+      end
+    end
+
+    false
+  end
 end

data/lib/brakeman/processors/alias_processor.rb

@@ -431,9 +431,12 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     match = Sexp.new(:gvar, exp.lhs)
     exp.rhs = process(exp.rhs)
     value = get_rhs(exp)
-    value.line = exp.line
 
-    set_value match, value
+    if value
+      value.line = exp.line
+
+      set_value match, value
+    end
 
     exp
   end

data/lib/brakeman/processors/base_processor.rb

@@ -37,11 +37,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     exp = exp.dup
 
     exp.each_with_index do |e, i|
-      if sexp? e and not e.empty?
-        exp[i] = process e
-      else
-        e
-      end
+      exp[i] = process e if sexp? e and not e.empty?
     end
 
     exp

data/lib/brakeman/processors/erb_template_processor.rb

@@ -14,7 +14,7 @@ class Brakeman::ErbTemplateProcessor < Brakeman::TemplateProcessor
     
     #_erbout is the default output variable for erb
     if node_type? target, :lvar and target.value == :_erbout
-      if method == :concat
+      if method == :concat or method == :<<
         @inside_concat = true
         exp.arglist = process(exp.arglist)
         @inside_concat = false

data/lib/brakeman/processors/library_processor.rb

@@ -13,6 +13,7 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
     @alias_processor = Brakeman::AliasProcessor.new tracker
     @current_module = nil
     @current_class = nil
+    @intializer_env = nil
   end
 
   def process_library src, file_name = nil
@@ -29,7 +30,14 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
   end
 
   def process_defn exp
-    exp = @alias_processor.process exp
+    if exp.method_name == :initialize
+      @alias_processor.process_safely exp.body_list
+      @initializer_env = @alias_processor.only_ivars
+    elsif node_type? exp, :defn
+      exp = @alias_processor.process_safely exp, @initializer_env
+    else
+      exp = @alias_processor.process exp
+    end
 
     if @current_class
       exp.body = process_all! exp.body

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "4.1.1"
+  Version = "4.2.0"
 end

data/lib/ruby_parser/bm_sexp.rb

@@ -506,6 +506,10 @@ class Sexp
 
     self.slice!(index..-1) #Remove old body
 
+    if exp.first == :rlist
+      exp = exp[1..-1]
+    end
+
     #Insert new body
     exp.each do |e|
       self[index] = e

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 4.1.1
+  version: 4.2.0
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2017-12-19 00:00:00.000000000 Z
+date: 2018-02-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -31,14 +31,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.10.0
+        version: 3.11.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.10.0
+        version: 3.11.0
 - !ruby/object:Gem::Dependency
   name: sexp_processor
   requirement: !ruby/object:Gem::Requirement
@@ -380,7 +380,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.8
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.