brakeman-lib 4.7.2 → 4.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ef101a185ff582733d1564d862fcb87afbedb1df01482f1c8815f130bd886a0b
-  data.tar.gz: 938ff3304347e001f5f21880d8d6dfca2bb1d3b26f29dae7d269db67350df70f
+  metadata.gz: 34099e8abef9a4c7108905ea8d956d01afbb6037cab597d2ad0beab8790a9060
+  data.tar.gz: 982be6bfad0eef60f17627001fef1873bad5a23eef76f687ea434d23773ba9b4
 SHA512:
-  metadata.gz: de7d5d8fc614fd226145878158e4e75745e31afce19e87e84e73d19d5182b42128ff36d2a5fa45567286ec989513fa5c1ae40aa53353f56b04c3a7a52a11bef6
-  data.tar.gz: 78006970c55993fbcf96ac56783d3ed04beb1d5bf54d4b716a04158796398577ded0fb1bd7b7070e91074a6daff48e762b6b49515c10ca6d27c84cde0e7b0531
+  metadata.gz: ce68529ca660b85d86b9569b4f8ddfe41c4b7b3bc724d1afc9860f91fa0a945eb473bbd5bb83b4c9d8e61ac6255ab0b11a42878921671a03a0964d2440912178
+  data.tar.gz: 1fbd104e129d5fce136d4c4984296a7daa6c88ffd8f22edbb576613cb6519547676f38364a2f728dcc2c9a322119d0024ae845baf7383ecf38b43038e9e129c6

data/CHANGES.md

@@ -1,3 +1,15 @@
+# Unreleased
+
+* Add JUnit-XML report format (Naoki Kimura)
+* Sort ignore files by fingerprint and line (Ngan Pham)
+* Freeze call index results
+* Fix output test when using newer Minitest
+* Properly render confidence in Markdown report
+* Report old warnings as fixed if zero warnings reported
+* Catch dangerous concatenation in `CheckExecute` (Jacob Evelyn)
+* Show user-friendly message when ignore config file has invalid JSON (D. Hicks)
+* Initialize Rails version with `nil` (Carsten Wirth)
+
 # 4.7.2 - 2019-11-25
 
 * Remove version guard for `named_scope` vs. `scope`

data/lib/brakeman.rb

@@ -231,6 +231,8 @@ module Brakeman
       [:to_text]
     when :table, :to_table
       [:to_table]
+    when :junit, :to_junit
+      [:to_junit]
     else
       [:to_text]
     end
@@ -258,6 +260,8 @@ module Brakeman
         :to_text
       when /\.table$/i
         :to_table
+      when /\.junit$/i
+        :to_junit
       else
         :to_text
       end

data/lib/brakeman/checks/base_check.rb

@@ -280,15 +280,6 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     return location, line
   end
 
-  #Checks if an expression contains string interpolation.
-  #
-  #Returns Match with :interp type if found.
-  def include_interp? exp
-    @string_interp = false
-    process exp
-    @string_interp
-  end
-
   #Checks if _exp_ includes user input in the form of cookies, parameters,
   #request environment, or model attributes.
   #
@@ -504,4 +495,16 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
 
     @active_record_models
   end
+
+  STRING_METHODS = Set[:<<, :+, :concat, :prepend]
+  private_constant :STRING_METHODS
+
+  def string_building? exp
+    return false unless call? exp and STRING_METHODS.include? exp.method
+
+    node_type? exp.target, :str, :dstr or
+    node_type? exp.first_arg, :str, :dstr or
+    string_building? exp.target or
+    string_building? exp.first_arg
+  end
 end

data/lib/brakeman/checks/check_content_tag.rb

@@ -55,8 +55,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
 
     @current_file = result[:location][:file]
 
-    call = result[:call] = result[:call].dup
-
+    call = result[:call]
     args = call.arglist
 
     tag_name = args[1]

data/lib/brakeman/checks/check_execute.rb

@@ -56,8 +56,20 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
 
     case call.method
     when :popen
-      unless array? first_arg
-        failure = include_user_input?(args) || dangerous_interp?(args)
+      # Normally, if we're in a `popen` call, we only are worried about shell
+      # injection when the argument is not an array, because array elements
+      # are always escaped by Ruby. However, an exception is when the array
+      # contains two values are something like "bash -c" because then the third
+      # element is effectively the command being run and might be a malicious
+      # executable if it comes (partially or fully) from user input.
+      if !array?(first_arg)
+        failure = include_user_input?(first_arg) ||
+                  dangerous_interp?(first_arg) ||
+                  dangerous_string_building?(first_arg)
+      elsif dash_c_shell_command?(first_arg[1], first_arg[2])
+        failure = include_user_input?(first_arg[3]) ||
+                  dangerous_interp?(first_arg[3]) ||
+                  dangerous_string_building?(first_arg[3])
       end
     when :system, :exec
       # Normally, if we're in a `system` or `exec` call, we only are worried
@@ -67,12 +79,18 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
       # the third argument is effectively the command being run and might be
       # a malicious executable if it comes (partially or fully) from user input.
       if dash_c_shell_command?(first_arg, call.second_arg)
-        failure = include_user_input?(args[3]) || dangerous_interp?(args[3])
+        failure = include_user_input?(args[3]) ||
+                  dangerous_interp?(args[3]) ||
+                  dangerous_string_building?(args[3])
       else
-        failure = include_user_input?(first_arg) || dangerous_interp?(first_arg)
+        failure = include_user_input?(first_arg) ||
+                  dangerous_interp?(first_arg) ||
+                  dangerous_string_building?(first_arg)
       end
     else
-      failure = include_user_input?(args) || dangerous_interp?(args)
+      failure = include_user_input?(args) ||
+                dangerous_interp?(args) ||
+                dangerous_string_building?(args)
     end
 
     if failure and original? result
@@ -219,6 +237,23 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
     false
   end
 
+  #Checks if an expression contains string interpolation.
+  #
+  #Returns Match with :interp type if found.
+  def include_interp? exp
+    @string_interp = false
+    process exp
+    @string_interp
+  end
+
+  def dangerous_string_building? exp
+    if string_building?(exp) && res = dangerous?(exp)
+      return Match.new(:interp, res)
+    end
+
+    false
+  end
+
   def shell_escape? exp
     return false unless call? exp
 

data/lib/brakeman/checks/check_link_to.rb

@@ -34,7 +34,7 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
 
     #Have to make a copy of this, otherwise it will be changed to
     #an ignored method call by the code above.
-    call = result[:call] = result[:call].dup
+    call = result[:call]
 
     first_arg = call.first_arg
     second_arg = call.second_arg

data/lib/brakeman/checks/check_link_to_href.rb

@@ -30,9 +30,7 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
   end
 
   def process_result result
-    #Have to make a copy of this, otherwise it will be changed to
-    #an ignored method call by the code above.
-    call = result[:call] = result[:call].dup
+    call = result[:call]
     @matched = false
 
     url_arg = if result[:block]

data/lib/brakeman/checks/check_sql.rb

@@ -525,8 +525,6 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     false
   end
 
-  STRING_METHODS = Set[:<<, :+, :concat, :prepend]
-
   def check_for_string_building exp
     return unless call? exp
 
@@ -573,15 +571,6 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     end
   end
 
-  def string_building? exp
-    return false unless call? exp and STRING_METHODS.include? exp.method
-
-    node_type? exp.target, :str, :dstr or
-    node_type? exp.first_arg, :str, :dstr or
-    string_building? exp.target or
-    string_building? exp.first_arg
-  end
-
   IGNORE_METHODS_IN_SQL = Set[:id, :merge_conditions, :table_name, :quoted_table_name,
     :quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array,
     :sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,

data/lib/brakeman/differ.rb

@@ -1,8 +1,6 @@
 # extracting the diff logic to it's own class for consistency. Currently handles
 # an array of Brakeman::Warnings or plain hash representations.  
 class Brakeman::Differ
-  DEFAULT_HASH = {:new => [], :fixed => []}
-  OLD_WARNING_KEYS = [:warning_type, :location, :code, :message, :file, :link, :confidence, :user_input]
   attr_reader :old_warnings, :new_warnings
 
   def initialize new_warnings, old_warnings
@@ -11,9 +9,6 @@ class Brakeman::Differ
   end
 
   def diff
-    # get the type of elements
-    return DEFAULT_HASH if @new_warnings.empty?
-
     warnings = {}
     warnings[:new] = @new_warnings - @old_warnings
     warnings[:fixed] = @old_warnings - @new_warnings

data/lib/brakeman/options.rb

@@ -225,7 +225,7 @@ module Brakeman::Options
 
         opts.on "-f",
           "--format TYPE",
-          [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table],
+          [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table, :junit],
           "Specify output formats. Default is text" do |type|
 
           type = "s" if type == :text

data/lib/brakeman/processors/lib/find_all_calls.rb

@@ -60,7 +60,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
   end
 
   def process_call exp
-    @calls << create_call_hash(exp)
+    @calls << create_call_hash(exp).freeze
     exp
   end
 
@@ -72,6 +72,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
 
       call_hash[:block] = exp.block
       call_hash[:block_args] = exp.block_args
+      call_hash.freeze
 
       @calls << call_hash
 
@@ -136,7 +137,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
                 :call => exp,
                 :nested => false,
                 :location => make_location,
-                :parent => @current_call }
+                :parent => @current_call }.freeze
   end
 
   #Gets the target of a call as a Symbol

data/lib/brakeman/report.rb

@@ -6,7 +6,7 @@ require 'brakeman/report/report_base'
 class Brakeman::Report
   attr_reader :tracker
 
-  VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain, :to_text]
+  VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain, :to_text, :to_junit]
 
   def initialize tracker
     @app_tree = tracker.app_tree
@@ -40,6 +40,9 @@ class Brakeman::Report
       return self.to_table
     when :to_pdf
       raise "PDF output is not yet supported."
+    when :to_junit
+      require_report 'junit'
+      Brakeman::Report::JUnit
     else
       raise "Invalid format: #{format}. Should be one of #{VALID_FORMATS.inspect}"
     end

data/lib/brakeman/report/ignore/config.rb

@@ -97,7 +97,11 @@ module Brakeman
     # Read configuration to file
     def read_from_file file = @file
       if File.exist? file
-        @already_ignored = JSON.parse(File.read(file), :symbolize_names => true)[:ignored_warnings]
+        begin
+          @already_ignored = JSON.parse(File.read(file), :symbolize_names => true)[:ignored_warnings]
+        rescue => e
+          raise e, "\nError[#{e.class}] while reading brakeman ignore file: #{file}\n"
+        end
       else
         Brakeman.notify "[Notice] Could not find ignore configuration in #{file}"
         @already_ignored = []
@@ -118,7 +122,7 @@ module Brakeman
 
         w[:note] = @notes[w[:fingerprint]] || ""
         w
-      end.sort_by { |w| w[:fingerprint] }
+      end.sort_by { |w| [w[:fingerprint], w[:line]] }
 
       output = {
         :ignored_warnings => warnings,

data/lib/brakeman/report/report_junit.rb

@@ -0,0 +1,104 @@
+require 'time'
+require "stringio"
+require 'rexml/document'
+
+class Brakeman::Report::JUnit < Brakeman::Report::Base
+  def generate_report
+    io = StringIO.new
+    doc = REXML::Document.new
+    doc.add REXML::XMLDecl.new '1.0', 'UTF-8'
+
+    test_suites = REXML::Element.new 'testsuites'
+    test_suites.add_attribute 'xmlns:brakeman', 'https://brakemanscanner.org/'
+    properties = test_suites.add_element 'brakeman:properties', { 'xml:id' => 'scan_info' }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'app_path', 'brakeman:value' => tracker.app_path }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'rails_version', 'brakeman:value' => rails_version }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'security_warnings', 'brakeman:value' => all_warnings.length }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'start_time', 'brakeman:value' => tracker.start_time.iso8601 }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'end_time', 'brakeman:value' => tracker.end_time.iso8601 }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'duration', 'brakeman:value' => tracker.duration }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'checks_performed', 'brakeman:value' => checks.checks_run.join(',') }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'number_of_controllers', 'brakeman:value' => tracker.controllers.length }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'number_of_models', 'brakeman:value' => tracker.models.length - 1 }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'ruby_version', 'brakeman:value' => number_of_templates(@tracker) }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'number_of_templates', 'brakeman:value' => RUBY_VERSION }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'brakeman_version', 'brakeman:value' => Brakeman::Version }
+
+    errors = test_suites.add_element 'brakeman:errors'
+    tracker.errors.each { |e|
+      error = errors.add_element 'brakeman:error'
+      error.add_attribute 'brakeman:message', e[:error]
+      e[:backtrace].each { |b|
+        backtrace = error.add_element 'brakeman:backtrace'
+        backtrace.add_text b
+      }
+    }
+
+    obsolete = test_suites.add_element 'brakeman:obsolete'
+    tracker.unused_fingerprints.each { |fingerprint|
+      obsolete.add_element 'brakeman:warning', { 'brakeman:fingerprint' => fingerprint }
+    }
+
+    ignored = test_suites.add_element 'brakeman:ignored'
+    ignored_warnings.each { |w|
+      warning = ignored.add_element 'brakeman:warning'
+      warning.add_attribute 'brakeman:message', w.message
+      warning.add_attribute 'brakeman:category', w.warning_type
+      warning.add_attribute 'brakeman:file', warning_file(w)
+      warning.add_attribute 'brakeman:line', w.line
+      warning.add_attribute 'brakeman:fingerprint', w.fingerprint
+      warning.add_attribute 'brakeman:confidence', TEXT_CONFIDENCE[w.confidence]
+      warning.add_attribute 'brakeman:code', w.format_code
+      warning.add_text w.to_s
+    }
+
+    hostname = `hostname`.strip
+    i = 0
+    all_warnings
+      .map { |warning| [warning.file, [warning]] }
+      .reduce({}) { |entries, entry|
+        key, value = entry
+        entries[key] = entries[key] ? entries[key].concat(value) : value
+        entries
+      }
+      .each { |file, warnings|
+        i += 1
+        test_suite = test_suites.add_element 'testsuite'
+        test_suite.add_attribute 'id', i
+        test_suite.add_attribute 'package', 'brakeman'
+        test_suite.add_attribute 'name', file.relative
+        test_suite.add_attribute 'timestamp', tracker.start_time.strftime('%FT%T')
+        test_suite.add_attribute 'hostname', hostname == '' ? 'localhost' : hostname
+        test_suite.add_attribute 'tests', checks.checks_run.length
+        test_suite.add_attribute 'failures', warnings.length
+        test_suite.add_attribute 'errors', '0'
+        test_suite.add_attribute 'time', '0'
+
+        test_suite.add_element 'properties'
+
+        warnings.each { |warning|
+          test_case = test_suite.add_element 'testcase'
+          test_case.add_attribute 'name', 'run_check'
+          test_case.add_attribute 'classname', warning.check
+          test_case.add_attribute 'time', '0'
+
+          failure = test_case.add_element 'failure'
+          failure.add_attribute 'message', warning.message
+          failure.add_attribute 'type', warning.warning_type
+          failure.add_attribute 'brakeman:fingerprint', warning.fingerprint
+          failure.add_attribute 'brakeman:file', warning_file(warning)
+          failure.add_attribute 'brakeman:line', warning.line
+          failure.add_attribute 'brakeman:confidence', TEXT_CONFIDENCE[warning.confidence]
+          failure.add_attribute 'brakeman:code', warning.format_code
+          failure.add_text warning.to_s
+        }
+
+        test_suite.add_element 'system-out'
+        test_suite.add_element 'system-err'
+      }
+
+    doc.add test_suites
+    doc.write io
+    io.string
+  end
+end

data/lib/brakeman/report/report_markdown.rb

@@ -84,7 +84,6 @@ class Brakeman::Report::Markdown < Brakeman::Report::Table
   end
 
   def convert_warning warning, original
-    warning["Confidence"] = TEXT_CONFIDENCE[warning["Confidence"]]
     warning["Message"] = markdown_message original, warning["Message"]
     warning["Warning Type"] = "[#{warning['Warning Type']}](#{original.link})" if original.link
     warning

data/lib/brakeman/tracker/config.rb

@@ -15,6 +15,7 @@ module Brakeman
       @escape_html = nil
       @erubis = nil
       @ruby_version = ""
+      @rails_version = nil
     end
 
     def default_protect_from_forgery?

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "4.7.2"
+  Version = "4.8.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 4.7.2
+  version: 4.8.0
 platform: ruby
 authors:
 - Justin Collins
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-11-25 00:00:00.000000000 Z
+date: 2020-02-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -348,6 +348,7 @@ files:
 - lib/brakeman/report/report_hash.rb
 - lib/brakeman/report/report_html.rb
 - lib/brakeman/report/report_json.rb
+- lib/brakeman/report/report_junit.rb
 - lib/brakeman/report/report_markdown.rb
 - lib/brakeman/report/report_table.rb
 - lib/brakeman/report/report_tabs.rb
@@ -405,7 +406,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.