brakeman-lib 4.3.1 → 4.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b66e4adfac1e60bdf4c0f7ba2962202120f879e0b15a456e8c6672ecd1320ad4
-  data.tar.gz: 9517cdd9c93e736e9fb8d4cf29c4aab8c9c232fc4166f52111b653982213e2e2
+  metadata.gz: bcbe25d591f6a58b5aa50a84f07d66139df4de6ff9ec635f37bfddf6dcefce5b
+  data.tar.gz: eab5e03f499218467a5c45cc33c629e04e8e8743526b9a8f3add8a314d7d8e10
 SHA512:
-  metadata.gz: 6cb3584795f515314616a5f2e1116feba305333672e599b1b4f9d492fe40895f3d6067e13ad6431f5fc5fd3dfce636fbe39644e2f366b61a9ab12b4030ec4592
-  data.tar.gz: 455f61c1c33200355090cf541e57109416199b6bfe898c69cb972b537374cf315d485422b2065464a4a7519c5bb0e7f446d0f10356a959e9e0c8d776fcc5fb13
+  metadata.gz: ea3d52f2efefe107a2673b9a6c574c864cc3908fdc908bca688f3b465ed0c4a47e02513dfe2f4da7dfe94c1c576df1b9bb20e4b865d2308a8db0a05435cc911c
+  data.tar.gz: 130d5925f04b78320ee0e052a66baadf7eb6094f9572758f6013aa22af03e2031c3109df49dd72a62d974f05add592bdf6309ccbae8d03cdec600397b4ae3044

data/CHANGES.md

@@ -1,3 +1,26 @@
+# 4.4.0
+
+* Set default encoding to UTF-8
+* Update to Slim 4.0.1 (Jake Peterson)
+* Update to RubyParser 3.12.0
+* Add rendered template information to render paths
+* Fix trim mode for ERb templates in old Rails versions
+* Fix thread-safety issue in CallIndex
+* Add `--enable` option to enable optional checks
+* Support reading gem versions from gemspecs
+* Support gem versions which are just major.minor (e.g. 3.0)
+* Treat `if not` like `unless`
+* Handle empty `secrets.yml` files (Naoki Kimura)
+* Correctly set `rel="noreferrer"` in HTML reports
+* Avoid warning about command injection when `String#shellescape` and `Shellwords.shelljoin` are used (George Ogata)
+* Add Dockerfile to run Brakeman inside Docker (Ryan Kemper)
+* Trim some unnecessary files from bundled gems
+* Add check for CVE-2018-3760
+* Avoid nils when concatenating arrays
+* Ignore Tempfiles in FileAccess warnings (Christina Koller)
+* Complete overhaul of warning message construction
+* Deadcode and typo fixes found via Coverity
+
 # 4.3.1
 
 * Ignore `Object#freeze`, use the target instead
@@ -8,7 +31,7 @@
 * Use safe literal when accessing literal hash with unknown key
 * Avoid deprecated use of ERB in Ruby 2.6 (Koichi ITO)
 * Allow `symbolize_keys` to be called on `params` in SQL (Jacob Evelyn)
-* Improve handling of conditionals in shell commands (Jacob Evenlyn)
+* Improve handling of conditionals in shell commands (Jacob Evelyn)
 * Fix error when setting line number in implicit renders
 
 # 4.3.0

data/README.md

@@ -1,5 +1,4 @@
 [![Brakeman Logo](http://brakemanscanner.org/images/logo_medium.png)](http://brakemanscanner.org/)
-[![Brakeman Pro Logo](https://brakemanpro.com/images/bmp_square_white.png)](https://brakemanpro.com)
 
 [![Build Status](https://travis-ci.org/presidentbeef/brakeman.svg?branch=master)](https://travis-ci.org/presidentbeef/brakeman)
 [![Maintainability](https://api.codeclimate.com/v1/badges/1b08a5c74695cb0d11ec/maintainability)](https://codeclimate.com/github/presidentbeef/brakeman/maintainability)
@@ -8,9 +7,7 @@
 
 # Brakeman
 
-Brakeman is an open source static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
-
-Check out [Brakeman Pro](https://brakemanpro.com/) if you are looking for a commercially-supported version with a GUI and advanced features.
+Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
 
 # Installation
 
@@ -21,11 +18,23 @@ Using RubyGems:
 Using Bundler:
 
     group :development do
-      gem 'brakeman', :require => false
+      gem 'brakeman'
     end
 
+Using Docker:
+
+    docker pull presidentbeef/brakeman
+
+Using Docker to build from source:
+
+    git clone https://github.com/presidentbeef/brakeman.git
+    cd brakeman
+    docker build . -t brakeman
+
 # Usage
 
+#### Running locally
+
 From a Rails application's root directory:
 
     brakeman
@@ -34,6 +43,24 @@ Outside of Rails root:
 
     brakeman /path/to/rails/application
 
+#### Running with Docker
+
+From a Rails application's root directory:
+
+    docker run -v "$(pwd)":/code brakeman
+
+With a little nicer color:
+
+    docker run -v "$(pwd)":/code brakeman --color
+
+For an HTML report:
+
+    docker run -v "$(pwd)":/code brakeman -o brakeman_results.html
+
+Outside of Rails root (note that the output file is relative to path/to/rails/application):
+
+    docker run -v 'path/to/rails/application':/code brakeman -o brakeman_results.html
+
 # Compatibility
 
 Brakeman should work with any version of Rails from 2.3.x to 5.x.
@@ -168,4 +195,6 @@ Chat: https://gitter.im/presidentbeef/brakeman
 
 # License
 
-see [MIT-LICENSE](MIT-LICENSE)
+Brakeman is free for non-commercial use.
+
+See [COPYING](COPYING.md) for details.

data/bin/brakeman

@@ -2,6 +2,8 @@
 #Adjust path in case called directly and not through gem
 $:.unshift "#{File.expand_path(File.dirname(__FILE__))}/../lib"
 
+Encoding.default_external = 'UTF-8'
+
 require 'brakeman'
 require 'brakeman/commandline'
 

data/lib/brakeman.rb

@@ -348,7 +348,7 @@ module Brakeman
     scanner = Scanner.new options
     tracker = scanner.tracker
 
-    check_for_missing_checks options[:run_checks], options[:skip_checks]
+    check_for_missing_checks options[:run_checks], options[:skip_checks], options[:enable_checks]
 
     notify "Processing application in #{tracker.app_path}"
     scanner.process
@@ -521,8 +521,10 @@ module Brakeman
     end if options[:additional_checks_path]
   end
 
-  def self.check_for_missing_checks included_checks, excluded_checks
-    missing = Brakeman::Checks.missing_checks(included_checks || Set.new, excluded_checks || Set.new)
+  def self.check_for_missing_checks included_checks, excluded_checks, enabled_checks
+    checks = included_checks.to_a + excluded_checks.to_a + enabled_checks.to_a
+
+    missing = Brakeman::Checks.missing_checks(checks)
 
     unless missing.empty?
       raise MissingChecksError, "Could not find specified check#{missing.length > 1 ? 's' : ''}: #{missing.map {|c| "`#{c}`"}.join(', ')}"

data/lib/brakeman/app_tree.rb

@@ -61,6 +61,7 @@ module Brakeman
       @engine_paths = init_options[:engine_paths] || []
       @absolute_engine_paths = @engine_paths.select { |path| path.start_with?(File::SEPARATOR) }
       @relative_engine_paths = @engine_paths - @absolute_engine_paths
+      @gemspec = nil
     end
 
     def expand_path(path)
@@ -116,6 +117,18 @@ module Brakeman
                      find_job_paths
     end
 
+    def gemspec
+      return @gemspec unless @gemspec.nil?
+
+      gemspecs =  Dir.glob(File.join(@root, "*.gemspec"))
+
+      if gemspecs.length > 1 or gemspecs.empty?
+        @gemspec = false
+      else
+        @gemspec = File.basename(gemspecs.first)
+      end
+    end
+
   private
 
     def find_helper_paths
@@ -176,12 +189,13 @@ module Brakeman
 
     def root_search_pattern
       return @root_search_pattern if @root_search_pattern
+
       abs = @absolute_engine_paths.to_a.map { |path| path.gsub /#{File::SEPARATOR}+$/, '' }
       rel = @relative_engine_paths.to_a.map { |path| path.gsub /#{File::SEPARATOR}+$/, '' }
 
       roots = ([@root] + abs).join(",")
       rel_engines = (rel + [""]).join("/,")
-      @root_search_patrern = "{#{roots}}/{#{rel_engines}}"
+      @root_search_pattern = "{#{roots}}/{#{rel_engines}}"
     end
 
     def prioritize_concerns paths

data/lib/brakeman/call_index.rb

@@ -5,8 +5,8 @@ class Brakeman::CallIndex
 
   #Initialize index with calls from FindAllCalls
   def initialize calls
-    @calls_by_method = Hash.new { |h, k| h[k] = [] }
-    @calls_by_target = Hash.new { |h, k| h[k] = [] }
+    @calls_by_method = {}
+    @calls_by_target = {}
 
     index_calls calls
   end
@@ -87,13 +87,16 @@ class Brakeman::CallIndex
 
   def index_calls calls
     calls.each do |call|
+      @calls_by_method[call[:method]] ||= []
       @calls_by_method[call[:method]] << call
 
       target = call[:target]
 
       if not target.is_a? Sexp
+        @calls_by_target[target] ||= []
         @calls_by_target[target] << call
       elsif target.node_type == :params or target.node_type == :session
+        @calls_by_target[target.node_type] ||= []
         @calls_by_target[target.node_type] << call
       end
     end
@@ -116,7 +119,7 @@ class Brakeman::CallIndex
     if target.is_a? Array
       calls_by_targets target
     else
-      @calls_by_target[target]
+      @calls_by_target[target] || []
     end
   end
 
@@ -136,7 +139,7 @@ class Brakeman::CallIndex
     elsif method.is_a? Regexp
       calls_by_methods_regex method
     else
-      @calls_by_method[method.to_sym]
+      @calls_by_method[method.to_sym] || []
     end
   end
 

data/lib/brakeman/checks.rb

@@ -37,15 +37,14 @@ class Brakeman::Checks
     end
   end
 
-  def self.missing_checks included_checks, excluded_checks
-    included_checks = included_checks.map(&:to_s).to_set
-    excluded_checks = excluded_checks.map(&:to_s).to_set
+  def self.missing_checks check_args
+    check_args = check_args.to_a.map(&:to_s).to_set
 
-    if included_checks == Set['CheckNone']
+    if check_args == Set['CheckNone']
       return []
     else
       loaded = self.checks.map { |name| name.to_s.gsub('Brakeman::', '') }.to_set
-      missing = (included_checks - loaded) + (excluded_checks - loaded)
+      missing = check_args - loaded
 
       unless missing.empty?
         return missing
@@ -170,8 +169,16 @@ class Brakeman::Checks
     to_run = if tracker.options[:run_all_checks] or tracker.options[:run_checks]
                @checks + @optional_checks
              else
-               @checks
-             end
+               @checks.dup
+             end.to_set
+
+    if enabled_checks = tracker.options[:enable_checks]
+      @optional_checks.each do |c|
+        if enabled_checks.include? self.get_check_name(c)
+          to_run << c
+        end
+      end
+    end
 
     self.filter_checks to_run, tracker
   end
@@ -179,12 +186,13 @@ class Brakeman::Checks
   def self.filter_checks checks, tracker
     skipped = tracker.options[:skip_checks]
     explicit = tracker.options[:run_checks]
+    enabled = tracker.options[:enable_checks] || []
 
     checks.reject do |c|
       check_name = self.get_check_name(c)
 
       skipped.include? check_name or
-        (explicit and not explicit.include? check_name)
+        (explicit and not explicit.include? check_name and not enabled.include? check_name)
     end
   end
 

data/lib/brakeman/checks/base_check.rb

@@ -2,12 +2,14 @@ require 'brakeman/processors/output_processor'
 require 'brakeman/processors/lib/processor_helper'
 require 'brakeman/warning'
 require 'brakeman/util'
+require 'brakeman/messages'
 
 #Basis of vulnerability checks.
 class Brakeman::BaseCheck < Brakeman::SexpProcessor
   include Brakeman::ProcessorHelper
   include Brakeman::SafeCallHelper
   include Brakeman::Util
+  include Brakeman::Messages
   attr_reader :tracker, :warnings
 
   # This is for legacy support.
@@ -483,23 +485,4 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
 
     @active_record_models
   end
-
-  def friendly_type_of input_type
-    if input_type.is_a? Match
-      input_type = input_type.type
-    end
-
-    case input_type
-    when :params
-      "parameter value"
-    when :cookies
-      "cookie value"
-    when :request
-      "request value"
-    when :model
-      "model attribute"
-    else
-      "user input"
-    end
-  end
 end

data/lib/brakeman/checks/check_basic_auth_timing_attack.rb

@@ -25,7 +25,7 @@ class Brakeman::CheckBasicAuthTimingAttack < Brakeman::BaseCheck
       warn :result => result,
         :warning_type => "Timing Attack",
         :warning_code => :CVE_2015_7576,
-        :message => "Basic authentication in Rails #{rails_version} is vulnerable to timing attacks. Upgrade to #@upgrade",
+        :message => msg("Basic authentication in ", msg_version(rails_version), " is vulnerable to timing attacks. Upgrade to ", msg_version(@upgrade)),
         :confidence => :high,
         :link => "https://groups.google.com/d/msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ"
     end

data/lib/brakeman/checks/check_content_tag.rb

@@ -96,7 +96,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
     end
 
     if input = has_immediate_user_input?(arg)
-      message = "Unescaped #{friendly_type_of input} in content_tag"
+      message = msg("Unescaped ", msg_input(input), " in ", msg_code("content_tag"))
 
       add_result result
 
@@ -121,7 +121,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
         warn :result => result,
           :warning_type => "Cross-Site Scripting",
           :warning_code => :xss_content_tag,
-          :message => "Unescaped model attribute in content_tag",
+          :message => msg("Unescaped model attribute in ", msg_code("content_tag")),
           :user_input => match,
           :confidence => confidence,
           :link_path => "content_tag"
@@ -130,7 +130,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
     elsif @matched
       return if @matched.type == :model and tracker.options[:ignore_model_output]
 
-      message = "Unescaped #{friendly_type_of @matched} in content_tag"
+      message = msg("Unescaped ", msg_input(@matched), " in ", msg_code("content_tag"))
 
       add_result result
 
@@ -181,7 +181,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
 
       warn :warning_type => "Cross-Site Scripting",
         :warning_code => :CVE_2016_6316,
-        :message => "Rails #{rails_version} content_tag does not escape double quotes in attribute values (CVE-2016-6316). Upgrade to #{fix_version}",
+        :message => msg(msg_version(rails_version), " ", msg_code("content_tag"), " does not escape double quotes in attribute values ", msg_cve("CVE-2016-6316"), ". Upgrade to ", msg_version(fix_version)),
         :confidence => confidence,
         :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/msg/ruby-security-ann/8B2iV2tPRSE/JkjCJkSoCgAJ"

data/lib/brakeman/checks/check_create_with.rb

@@ -16,7 +16,7 @@ class Brakeman::CheckCreateWith < Brakeman::BaseCheck
       return
     end
 
-    @message = "create_with is vulnerable to strong params bypass. Upgrade to Rails #{suggested_version} or patch"
+    @message = msg(msg_code("create_with"), " is vulnerable to strong params bypass. Upgrade to ", msg_version(suggested_version), " or patch")
 
     tracker.find_call(:method => :create_with, :nested => true).each do |result|
       process_result result

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -70,7 +70,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
     if input = has_immediate_user_input?(out)
       add_result exp
 
-      message = "Unescaped #{friendly_type_of input}"
+      message = msg("Unescaped ", msg_input(input))
 
       warn :template => @current_template,
         :warning_type => "Cross-Site Scripting",
@@ -168,7 +168,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
 
       if @matched
         unless @matched.type and tracker.options[:ignore_model_output]
-          message = "Unescaped #{friendly_type_of @matched}"
+          message = msg("Unescaped ", msg_input(@matched))
         end
 
         if message and not duplicate? exp
@@ -180,7 +180,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
           if @known_dangerous.include? exp.method
             confidence = :high
             if exp.method == :to_json
-              message += " in JSON hash"
+              message << msg_plain(" in JSON hash")
               link_path += "_to_json"
               warning_code = :xss_to_json
             end

data/lib/brakeman/checks/check_default_routes.rb

@@ -19,7 +19,7 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
       #Default routes are enabled globally
       warn :warning_type => "Default Routes",
         :warning_code => :all_default_routes,
-        :message => "All public methods in controllers are available as actions in routes.rb",
+        :message => msg("All public methods in controllers are available as actions in ", msg_file("routes.rb")),
         :line => tracker.routes[:allow_all_actions].line,
         :confidence => :high,
         :file => "#{tracker.app_path}/config/routes.rb"
@@ -41,7 +41,7 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
         warn :controller => name,
           :warning_type => "Default Routes",
           :warning_code => :controller_default_routes,
-          :message => "Any public method in #{name} can be used as an action for #{verb} requests.",
+          :message => msg("Any public method in ", msg_code(name), " can be used as an action for ", msg_code(verb), " requests."),
           :line => actions[2],
           :confidence => :medium,
           :file => "#{tracker.app_path}/config/routes.rb"
@@ -74,7 +74,7 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
 
     warn :warning_type => "Remote Code Execution",
       :warning_code => :CVE_2014_0130,
-      :message => "Rails #{rails_version} with globbing routes is vulnerable to directory traversal and remote code execution. Patch or upgrade to #{upgrade}",
+      :message => msg(msg_version(rails_version), " with globbing routes is vulnerable to directory traversal and remote code execution. Patch or upgrade to ", msg_version(upgrade)),
       :confidence => confidence,
       :file => "#{tracker.app_path}/config/routes.rb",
       :link => "http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf"

data/lib/brakeman/checks/check_deserialize.rb

@@ -42,7 +42,7 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
     end
 
     if confidence
-      message = "#{target}.#{method} called with #{friendly_type_of input}"
+      message = msg(msg_code("#{target}.#{method}"), " called with ", msg_input(input))
 
       warn :result => result,
         :warning_type => "Remote Code Execution",