brakeman-lib 4.2.1 → 4.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7070db1a411e9196bbb90fe7a34209ecd8cf15210e5fa21be1442c668e8f00d0
-  data.tar.gz: 940132f27d3803e1fa445d51c869cf426a712d065892f49b6e138222dc66ba71
+  metadata.gz: '08b3a1c2f84d6667c990309480405c61baa2f2ac878dfdc12dbefacdff64a52e'
+  data.tar.gz: 58ba877ea3b52c2e464bb4cca233edf1823f199db71e009df8eb92ce748ee9cf
 SHA512:
-  metadata.gz: dfbb4f4f11b1e8b00a206a6185e3e58862061f954a43cdf611fb38d6bd97b0e04ef6439adcc68b6ea6dc1675b5853f8a9af03c378be3d7cc6d9f4f49a61f5d5d
-  data.tar.gz: 77cb923ae34ee9a094200e1dc08a120ca001b4f646907fcb896bc147694041c989bfea7dc3023d876c0ee1461bedd5dc35cae53b94ef36ee6971baff980ceaae
+  metadata.gz: 905adec5711738aaddf2fbfd2bebd9ce9aa039a556fcacbef39177e1d34b44dd953952bf56904444211876466da5c16ae2c2bd8d42ebca00b6a7755a26e600de
+  data.tar.gz: da402133851cb1f3035cbe1784bf4c2e36831bd5167914c2bac82665b57430e2b9dbe9a4aa283e1365556dfcbfb07c933726049f9ee96377b83a676e56f1566f

data/CHANGES.md

@@ -1,3 +1,19 @@
+# 4.3.0
+
+* Check exec-type calls even if they are targets
+* Convert `Array#join` to string interpolation
+* `BaseCheck#include_interp?` should return first string interpolation
+* Add `--parser-timeout` option
+* Track parent calls in CallIndex
+* Warn about dangerous `link_to` href with `sanitize()`
+* Ignore `params#to_h` and `params#to_hash` in SQL checks
+* Change "".freeze to just ""
+* Ignore `Process.pid` in system calls
+* Index Kernel#\` calls even if they are targets
+* Code Climate: omit leading dot from `only_files` (Todd Mazierski)
+* `--color` can be used to force color output
+* Fix reported line numbers for CVE-2018-3741 and CVE-2018-8048
+
 # 4.2.1
 
 * Add warning for CVE-2018-3741

data/lib/brakeman.rb

@@ -51,6 +51,7 @@ module Brakeman
   #  * :output_files - files for output
   #  * :output_formats - formats for output (:to_s, :to_tabs, :to_csv, :to_html)
   #  * :parallel_checks - run checks in parallel (default: true)
+  #  * :parser_timeout - set timeout for parsing an individual file (default: 10 seconds)
   #  * :print_report - if no output file specified, print to stdout (default: false)
   #  * :quiet - suppress most messages (default: true)
   #  * :rails3 - force Rails 3 mode (automatic)
@@ -174,6 +175,7 @@ module Brakeman
       :output_color => true,
       :pager => true,
       :parallel_checks => true,
+      :parser_timeout => 10,
       :relative_path => false,
       :report_progress => true,
       :safe_methods => Set.new,
@@ -376,7 +378,7 @@ module Brakeman
 
   def self.write_report_to_files tracker, output_files
     require 'fileutils'
-    tracker.options[:output_color] = false
+    tracker.options[:output_color] = false unless tracker.options[:output_color] == :force
 
     output_files.each_with_index do |output_file, idx|
       dir = File.dirname(output_file)
@@ -393,7 +395,7 @@ module Brakeman
   private_class_method :write_report_to_files
 
   def self.write_report_to_formats tracker, output_formats
-    unless $stdout.tty?
+    unless $stdout.tty? or tracker.options[:output_color] == :force
       tracker.options[:output_color] = false
     end
 

data/lib/brakeman/checks/base_check.rb

@@ -119,7 +119,10 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
 
   #Does not actually process string interpolation, but notes that it occurred.
   def process_dstr exp
-    @string_interp = Match.new(:interp, exp)
+    unless @string_interp # don't overwrite existing value
+      @string_interp = Match.new(:interp, exp)
+    end
+
     process_default exp
   end
 

data/lib/brakeman/checks/check_execute.rb

@@ -15,7 +15,8 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
 
   SAFE_VALUES = [s(:const, :RAILS_ROOT),
                   s(:call, s(:const, :Rails), :root),
-                  s(:call, s(:const, :Rails), :env)]
+                  s(:call, s(:const, :Rails), :env),
+                  s(:call, s(:const, :Process), :pid)]
 
   SHELL_ESCAPES = [:escape, :shellescape, :join]
 
@@ -32,7 +33,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
     calls = tracker.find_call :targets => [:IO, :Open3, :Kernel, :'POSIX::Spawn', :Process, nil],
       :methods => [:capture2, :capture2e, :capture3, :exec, :pipeline, :pipeline_r,
         :pipeline_rw, :pipeline_start, :pipeline_w, :popen, :popen2, :popen2e,
-        :popen3, :spawn, :syscall, :system]
+        :popen3, :spawn, :syscall, :system], :nested => true
 
     Brakeman.debug "Processing system calls"
     calls.each do |result|

data/lib/brakeman/checks/check_link_to_href.rb

@@ -71,14 +71,15 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
     end
   end
 
+  CHECK_INSIDE_METHODS = [:url_for, :h, :sanitize]
+
   def check_argument? url_arg
     return unless call? url_arg
 
     target = url_arg.target
     method = url_arg.method
 
-    method == :url_for or
-      method == :h or
+    CHECK_INSIDE_METHODS.include? method or
       cgi_escaped? target, method
   end
 

data/lib/brakeman/checks/check_sanitize_methods.rb

@@ -46,12 +46,6 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
 
       message = "Rails #{rails_version} has a vulnerability in #{method}: upgrade to #{@fix_version} or patch"
 
-      if include_user_input? result[:call]
-        confidence = :high
-      else
-        confidence = :medium
-      end
-
       warn :result => result,
         :warning_type => "Cross-Site Scripting",
         :warning_code => code,
@@ -87,7 +81,7 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
       warn :warning_type => "Cross-Site Scripting",
         :warning_code => :CVE_2018_8048,
         :message => message,
-        :gem_info => gemfile_or_environment,
+        :gem_info => gemfile_or_environment(:loofah),
         :confidence => confidence,
         :link_path => "https://github.com/flavorjones/loofah/issues/144"
     end
@@ -111,7 +105,7 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
     warn :warning_type => "Cross-Site Scripting",
       :warning_code => cve.tr('-', '_').to_sym,
       :message => message,
-      :gem_info => gemfile_or_environment,
+      :gem_info => gemfile_or_environment(:'rails-html-sanitizer'),
       :confidence => confidence,
       :link_path => link
   end

data/lib/brakeman/checks/check_sql.rb

@@ -290,7 +290,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     end
 
     if request_value? arg
-      unless call? arg and params? arg.target and [:permit, :slice].include? arg.method
+      unless call? arg and params? arg.target and [:permit, :slice, :to_h, :to_hash].include? arg.method
         # Model.where(params[:where])
         arg
       end

data/lib/brakeman/codeclimate/engine_configuration.rb

@@ -87,9 +87,9 @@ module Brakeman
 
       def stripped_include_path(prefix, subprefixes, path)
         if path.start_with?(prefix)
-          path.sub(%r{^#{prefix}/?}, "./")
+          path.sub(%r{^#{prefix}/?}, "/")
         elsif subprefixes.any? { |subprefix| path =~ %r{^#{subprefix}/?$} }
-          "./"
+          "/"
         end
       end
     end

data/lib/brakeman/file_parser.rb

@@ -7,6 +7,7 @@ module Brakeman
 
     def initialize tracker, app_tree
       @tracker = tracker
+      @timeout = @tracker.options[:parser_timeout]
       @app_tree = app_tree
       @file_list = {}
     end
@@ -33,10 +34,13 @@ module Brakeman
     def parse_ruby input, path
       begin
         Brakeman.debug "Parsing #{path}"
-        RubyParser.new.parse input, path
+        RubyParser.new.parse input, path, @timeout
       rescue Racc::ParseError => e
         @tracker.error e, "Could not parse #{path}"
         nil
+      rescue Timeout::Error => e
+        @tracker.error Exception.new("Parsing #{path} took too long (> #{@timeout} seconds). Try increasing the limit with --parser-timeout"), caller
+        nil
       rescue => e
         @tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
         nil

data/lib/brakeman/options.rb

@@ -127,6 +127,10 @@ module Brakeman::Options
           options[:branch_limit] = limit
         end
 
+        opts.on "--parser-timeout SECONDS", Integer, "Set parse timeout (Default: 10)" do |timeout|
+          options[:parser_timeout] = timeout
+        end
+
         opts.on "-r", "--report-direct", "Only report direct use of untrusted data" do |option|
           options[:check_arguments] = !option
         end
@@ -229,7 +233,11 @@ module Brakeman::Options
         end
 
         opts.on "--[no-]color", "Use ANSI colors in report (Default)" do |color|
-          options[:output_color] = color
+          if color
+            options[:output_color] = :force
+          else
+            options[:output_color] = color
+          end
         end
 
         opts.on "-m", "--routes", "Report controller information" do

data/lib/brakeman/parsers/template_parser.rb

@@ -93,7 +93,7 @@ module Brakeman
     end
 
     def self.parse_inline_erb tracker, text
-      fp = Brakeman::FileParser.new(nil, nil)
+      fp = Brakeman::FileParser.new(tracker, nil)
       tp = self.new(tracker, fp)
       src = tp.parse_erb '_inline_', text
       type = tp.erubis? ? :erubis : :erb

data/lib/brakeman/processors/alias_processor.rb

@@ -197,7 +197,6 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       return Sexp.new(:false)
     end
 
-
     #See if it is possible to simplify some basic cases
     #of addition/concatenation.
     case method
@@ -287,11 +286,80 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       if array? target and first_arg.nil? and sexp? target[1]
         exp = target[1]
       end
+    when :freeze
+      if string? target
+        exp = process exp.target
+      end
+    when :join
+      if array? target and target.length > 2 and (string? first_arg or first_arg.nil?)
+        exp = process_array_join(target, first_arg)
+      end
     end
 
     exp
   end
 
+  # Painful conversion of Array#join into string interpolation
+  def process_array_join array, join_str
+    result = s()
+
+    join_value = if string? join_str
+                   join_str.value
+                 else
+                   nil
+                 end
+
+    array[1..-2].each do |e|
+      result << join_item(e, join_value)
+    end
+
+    result << join_item(array.last, nil)
+
+    # Combine the strings at the beginning because that's what RubyParser does
+    combined_first = ""
+    result.each do |e|
+      if string? e
+        combined_first << e.value
+      elsif e.is_a? String
+        combined_first << e
+      else
+        break
+      end
+    end
+
+    # Remove the strings at the beginning
+    result.reject! do |e|
+      if e.is_a? String or string? e
+        true
+      else
+        break
+      end
+    end
+
+    result.unshift combined_first
+
+    # Have to fix up strings that follow interpolation
+    result.reduce(s(:dstr)) do |memo, e|
+      if string? e and node_type? memo.last, :evstr
+        e.value = "#{join_value}#{e.value}"
+      elsif join_value and node_type? memo.last, :evstr and node_type? e, :evstr
+        memo << s(:str, join_value)
+      end
+
+      memo << e
+    end
+  end
+
+  def join_item item, join_value
+    if item.is_a? String
+      "#{item}#{join_value}"
+    elsif string? item or symbol? item or number? item
+      s(:str, "#{item.value}#{join_value}")
+    else
+      s(:evstr, item)
+    end
+  end
+
   def process_iter exp
     @exp_context.push exp
     exp[1] = process exp.block_call

data/lib/brakeman/processors/lib/find_all_calls.rb

@@ -19,6 +19,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
     @current_method = opts[:method]
     @current_template = opts[:template]
     @current_file = opts[:file]
+    @current_call = nil
     process exp
   end
 
@@ -111,7 +112,8 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
                 :method => method_name,
                 :call => exp,
                 :nested => false,
-                :location => make_location }
+                :location => make_location,
+                :parent => @current_call }
   end
 
   #Gets the target of a call as a Symbol
@@ -189,7 +191,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
   def create_call_hash exp
     target = get_target exp.target
 
-    if call? target
+    if call? target or node_type? target, :dxstr # need to index `` even if target of a call
       already_in_target = @in_target
       @in_target = true
       process target
@@ -199,13 +201,24 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
     end
 
     method = exp.method
-    process_call_args exp
 
-    { :target => target,
+    call_hash = {
+      :target => target,
       :method => method,
       :call => exp,
       :nested => @in_target,
       :chain => get_chain(exp),
-      :location => make_location }
+      :location => make_location,
+      :parent => @current_call
+    }
+
+    old_parent = @current_call
+    @current_call = call_hash
+
+    process_call_args exp
+
+    @current_call = old_parent
+
+    call_hash
   end
 end

data/lib/brakeman/report/pager.rb

@@ -102,7 +102,9 @@ module Brakeman
     end
 
     def set_color
-      unless @tracker and less_options.include? "-R "
+      return unless @tracker
+
+      unless less_options.include? "-R " or @tracker.options[:output_color] == :force
         @tracker.options[:output_color] = false
       end
     end

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "4.2.1"
+  Version = "4.3.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 4.2.1
+  version: 4.3.0
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2018-03-24 00:00:00.000000000 Z
+date: 2018-05-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -380,7 +380,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.3
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.