brakeman-lib 6.2.2 → 7.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 43bb8b6197d17937fa07b7d6b69afaf5a0d4c0fad6332f2126a6f317e5e49262
-  data.tar.gz: 29698bd867c9bfd2dc13baf27c463da77132be4f13d93fd1448428977241c9a2
+  metadata.gz: 1312162b44dd8b40558dcfb8cd9d5891ed37f7e46935f12d9890075de7ba41a6
+  data.tar.gz: 1ed9d4308f7c524aafca3d8e058886bc339a12ae9bd761377f57ae5ab2e423c8
 SHA512:
-  metadata.gz: 8513e27561f8608fca48561c64ceaa42bf43042fee54d1b3102f1ad4dc855eb980c5cf963ed7cc48e8056d91b3d168553efab52f86c5064075b53aa49c1278af
-  data.tar.gz: da6eef18fb43bfcb014f46e86cbd5df82c97b359f53abf18f263366940f45cb621bc85f1dc4933ac2319c063c963b2469c1eb936d26fec36e351c89577c822d9
+  metadata.gz: a3679861797e17b76407a24b80318a2395114461138bf9bbd13568dd1218498a34b0945f7f472b6388c09411dc22e9a3cba178bb6dd8cca93913f07c8b9323ed
+  data.tar.gz: de4bffcb73e376aeb00af8489954fe5b5620a7dc4459ed1501c0d665dd0ba7938d1b509f446a7780a487cf827b547a7c80ce07a7e34bc5423a2ac93e102a34e1

data/CHANGES.md

@@ -1,3 +1,20 @@
+# 7.0.0 - 2024-12-30
+
+* Always warn about deserializing from Marshal
+* Output `originalBaseUriIds` for SARIF format report
+* Default to using Prism parser if available (disable with `--no-prism`)
+* Update `terminal-table` version to use latest
+* Update `eval` check to be a little noisier
+* Fix array/hash unknown index handling
+* Disable following symbolic links by default, re-enable with --follow-symlinks
+* Add step (and timing) for finding files
+* Add CSV library as explicit dependency for Ruby 3.4 support
+* Major changes to how rescanning works
+* Raise minimum Ruby version to 3.1
+* Fix hardcoded globally excluded paths
+* Remove updated entry in Brakeman ignore files (Toby Hsieh)
+* Fix recursion when handling multiple assignment expressions
+
 # 6.2.2 - 2024-10-15
 
 * Ignore more native gems when building gem

data/lib/brakeman/app_tree.rb

@@ -22,6 +22,8 @@ module Brakeman
       init_options[:additional_libs_path] = options[:additional_libs_path]
       init_options[:engine_paths] = options[:engine_paths]
       init_options[:skip_vendor] = options[:skip_vendor]
+      init_options[:follow_symlinks] = options[:follow_symlinks]
+
       new(root, init_options)
     end
 
@@ -64,6 +66,7 @@ module Brakeman
       @absolute_engine_paths = @engine_paths.select { |path| path.start_with?(File::SEPARATOR) }
       @relative_engine_paths = @engine_paths - @absolute_engine_paths
       @skip_vendor = init_options[:skip_vendor]
+      @follow_symlinks = init_options[:follow_symlinks]
       @gemspec = nil
       @root_search_pattern = nil
     end
@@ -161,21 +164,26 @@ module Brakeman
     end
 
     def glob_files(directory, name, extensions = ".rb")
-      root_directory = "#{root_search_pattern}#{directory}"
-      patterns = ["#{root_directory}/**/#{name}#{extensions}"]
-
-      Dir.glob("#{root_directory}/**/*", File::FNM_DOTMATCH).each do |path|
-        if File.symlink?(path) && File.directory?(path)
-          symlink_target = File.readlink(path)
-          if Pathname.new(symlink_target).relative?
-            symlink_target = File.join(File.dirname(path), symlink_target)
+      if @follow_symlinks
+        root_directory = "#{root_search_pattern}#{directory}"
+        patterns = ["#{root_directory}/**/#{name}#{extensions}"]
+
+        Dir.glob("#{root_directory}/**/*", File::FNM_DOTMATCH).each do |path|
+          if File.symlink?(path) && File.directory?(path)
+            symlink_target = File.readlink(path)
+            if Pathname.new(symlink_target).relative?
+              symlink_target = File.join(File.dirname(path), symlink_target)
+            end
+            patterns << "#{search_pattern(symlink_target)}/**/#{name}#{extensions}"
           end
-          patterns << "#{search_pattern(symlink_target)}/**/#{name}#{extensions}"
         end
-      end
 
-      files = patterns.flat_map { |pattern| Dir.glob(pattern) }
-      files.uniq
+        files = patterns.flat_map { |pattern| Dir.glob(pattern) }
+        files.uniq
+      else
+        pattern = "#{root_search_pattern}#{directory}/**/#{name}#{extensions}"
+        Dir.glob(pattern)
+      end
     end
 
     def select_files(paths)
@@ -201,15 +209,14 @@ module Brakeman
       end
     end
 
-    EXCLUDED_PATHS = %w[
-      /generators/
+    EXCLUDED_PATHS = regex_for_paths %w[
+      generators/
       lib/tasks/
       lib/templates/
       db/
       spec/
       test/
       tmp/
-      log/
     ]
 
     def reject_global_excludes(paths)
@@ -219,9 +226,7 @@ module Brakeman
         if @skip_vendor and relative_path.include? 'vendor/' and !in_engine_paths?(path) and !in_add_libs_paths?(path)
           true
         else
-          EXCLUDED_PATHS.any? do |excluded|
-            relative_path.include? excluded
-          end
+          match_path EXCLUDED_PATHS, path
         end
       end
     end

data/lib/brakeman/checks/check_deserialize.rb

@@ -76,10 +76,13 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
       confidence = :high
     elsif input = include_user_input?(arg)
       confidence = :medium
+    elsif target == :Marshal
+      confidence = :low
+      message = msg("Use of ", msg_code("#{target}.#{method}"), " may be dangerous")
     end
 
     if confidence
-      message = msg(msg_code("#{target}.#{method}"), " called with ", msg_input(input))
+      message ||= msg(msg_code("#{target}.#{method}"), " called with ", msg_input(input))
 
       warn :result => result,
         :warning_type => "Remote Code Execution",

data/lib/brakeman/checks/check_evaluation.rb

@@ -23,13 +23,31 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
     return unless original? result
 
     if input = include_user_input?(result[:call].arglist)
+      confidence = :high
+      message = msg(msg_input(input), " evaluated as code")
+    elsif string_evaluation? result[:call].first_arg
+      confidence = :low
+      message = "Dynamic string evaluated as code"
+    elsif safe_literal? result[:call].first_arg
+      # don't warn
+    elsif result[:call].method == :eval
+      confidence = :low
+      message = "Dynamic code evaluation"
+    end
+
+    if confidence
       warn :result => result,
         :warning_type => "Dangerous Eval",
         :warning_code => :code_eval,
-        :message => "User input in eval",
+        :message => message,
         :user_input => input,
-        :confidence => :high,
+        :confidence => confidence,
         :cwe_id => [913, 95]
     end
   end
+
+  def string_evaluation? exp
+    string_interp? exp or
+      (call? exp and string? exp.target)
+  end
 end

data/lib/brakeman/checks/check_model_attr_accessible.rb

@@ -33,6 +33,7 @@ class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
               :confidence => confidence,
               :code => Sexp.new(:lit, attribute),
               :cwe_id => [915]
+
             break # Prevent from matching single attr multiple times
           end
         end

data/lib/brakeman/file_parser.rb

@@ -13,8 +13,9 @@ module Brakeman
       if @use_prism
         begin
           require 'prism'
+          Brakeman.debug '[Notice] Using Prism parser'
         rescue LoadError => e
-          Brakeman.debug "Asked to use Prism, but failed to load: #{e}"
+          Brakeman.debug "[Notice] Asked to use Prism, but failed to load: #{e}"
           @use_prism = false
         end
       end

data/lib/brakeman/options.rb

@@ -161,14 +161,13 @@ module Brakeman::Options
 
         opts.on "--[no-]prism", "Use the Prism parser" do |use_prism|
           if use_prism
-            prism_version = '0.30'
+            min_prism_version = '1.0.0'
 
             begin
-              # Specifying minimum version here,
-              # since it can't be in the gem dependency list because it is optional
-              gem 'prism', "~>#{prism_version}"
+              gem 'prism', ">=#{min_prism_version}"
+              require 'prism'
             rescue Gem::MissingSpecVersionError, Gem::MissingSpecError, Gem::LoadError => e
-              $stderr.puts "Please install `prism` version #{prism_version} or newer:"
+              $stderr.puts "Please install `prism` version #{min_prism_version} or newer:"
               raise e
             end
           end
@@ -223,6 +222,10 @@ module Brakeman::Options
           options[:engine_paths].merge paths
         end
 
+        opts.on '--[no-]follow-symlinks', 'Follow symbolic links for directions' do |follow_symlinks|
+          options[:follow_symlinks] = follow_symlinks
+        end
+
         opts.on "-E", "--enable Check1,Check2,etc", Array, "Enable the specified checks" do |checks|
           checks.map! do |check|
             if check.start_with? "Check"

data/lib/brakeman/processors/alias_processor.rb

@@ -97,6 +97,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   end
 
   def process_bracket_call exp
+    # TODO: What is even happening in this method?
     r = replace(exp)
 
     if r != exp
@@ -127,7 +128,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         return r
       end
     else
-      t = nil
+      t = exp.target # put it back?
     end
 
     if hash? t
@@ -242,6 +243,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         exp = math_op(method, target, first_arg, exp)
       end
     when :[]
+      # TODO: This might never be used because of process_bracket_call above
       if array? target
         exp = process_array_access(target, exp.args, exp)
       elsif hash? target
@@ -666,7 +668,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     end
 
     unless array? exp[1] and array? exp[2]
-      return process_default(exp)
+      # Already processed RHS, don't do it again
+      # https://github.com/presidentbeef/brakeman/issues/1877
+      return exp
     end
 
     vars = exp[1].dup

data/lib/brakeman/processors/lib/file_type_detector.rb

@@ -13,7 +13,7 @@ module Brakeman
         @file_type = guess_from_path(file.path.relative)
       end
 
-      @file_type || :libs
+      @file_type || :lib
     end
 
     MODEL_CLASSES = [
@@ -26,10 +26,10 @@ module Brakeman
       parent = class_name(exp.parent_name)
 
       if name.match(/Controller$/)
-        @file_type = :controllers
+        @file_type = :controller
         return exp
       elsif MODEL_CLASSES.include? parent
-        @file_type = :models
+        @file_type = :model
         return exp
       end
 
@@ -39,19 +39,21 @@ module Brakeman
     def guess_from_path path
       case
       when path.include?('app/models')
-        :models
+        :model
       when path.include?('app/controllers')
-        :controllers
+        :controller
       when path.include?('config/initializers')
-        :initializers
+        :initializer
       when path.include?('lib/')
-        :libs
+        :lib
       when path.match?(%r{config/environments/(?!production\.rb)$})
         :skip
       when path.match?(%r{environments/production\.rb$})
         :skip
       when path.match?(%r{application\.rb$})
         :skip
+      when path.match?(%r{config/routes\.rb$})
+        :skip
       end
     end
 

data/lib/brakeman/report/ignore/config.rb

@@ -130,7 +130,6 @@ module Brakeman
 
       output = {
         :ignored_warnings => warnings,
-        :updated => Time.now.to_s,
         :brakeman_version => Brakeman::Version
       }
 

data/lib/brakeman/report/report_sarif.rb

@@ -1,8 +1,10 @@
+require 'uri'
+
 class Brakeman::Report::SARIF < Brakeman::Report::Base
   def generate_report
     sarif_log = {
       :version => '2.1.0',
-      :$schema => 'https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json',
+      :$schema => 'https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0.json',
       :runs => runs,
     }
     JSON.pretty_generate sarif_log
@@ -20,10 +22,122 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
           },
         },
         :results => results,
-      },
+      }.merge(original_uri_base_ids)
     ]
   end
 
+  # Output base URIs
+  # based on what the user specified for the application path
+  # and whether or not --absolute-paths was set.
+  def original_uri_base_ids
+    if tracker.options[:app_path] == '.'
+      # Probably no app_path was specified, as that's the default
+
+      if absolute_paths?
+        # Set %SRCROOT% to absolute path
+        {
+          originalUriBaseIds: {
+            '%SRCROOT%' => {
+              uri: file_uri(tracker.app_tree.root),
+              description: {
+                text: 'Base path for application'
+              }
+            }
+          }
+        }
+      else
+        # Empty %SRCROOT%
+        # This avoids any paths appearing in the report
+        # that are not part of the application directory.
+        # Seems fine!
+        {
+          originalUriBaseIds: {
+            '%SRCROOT%' => {
+              description: {
+                text: 'Base path for application'
+              }
+            },
+          }
+        }
+
+      end
+    elsif tracker.options[:app_path] != tracker.app_tree.root
+      # Path was specified and it was relative
+
+      if absolute_paths?
+        # Include absolute root and relative application path
+        {
+          originalUriBaseIds: {
+            PROJECTROOT: {
+              uri: file_uri(tracker.app_tree.root),
+              description: {
+                text: 'Base path for all project files'
+              }
+            },
+            '%SRCROOT%' => {
+              # Technically should ensure this doesn't have any '..'
+              # but... TODO
+              uri: File.join(tracker.options[:app_path], '/'),
+              uriBaseId: 'PROJECTROOT',
+              description: {
+                text: 'Base path for application'
+              }
+            }
+          }
+        }
+      else
+        # Just include relative application path.
+        # Not clear this is 100% valid, but there is one example in the spec like this
+        {
+          originalUriBaseIds: {
+            PROJECTROOT: {
+              description: {
+                text: 'Base path for all project files'
+              }
+            },
+            '%SRCROOT%' => {
+              # Technically should ensure this doesn't have any '..'
+              # but... TODO
+              uri: File.join(tracker.options[:app_path], '/'),
+              uriBaseId: 'PROJECTROOT',
+              description: {
+                text: 'Base path for application'
+              }
+            }
+          }
+        }
+      end
+    else
+      # app_path was absolute
+
+      if absolute_paths?
+        # Set %SRCROOT% to absolute path
+        {
+          originalUriBaseIds: {
+            '%SRCROOT%' => {
+              uri: file_uri(tracker.app_tree.root),
+              description: {
+                text: 'Base path for application'
+              }
+            }
+          }
+        }
+      else
+        # Empty %SRCROOT%
+        # Seems fine!
+        {
+          originalUriBaseIds: {
+            '%SRCROOT%' => {
+              description: {
+                text: 'Base path for application'
+              }
+            },
+          }
+        }
+      end
+    end
+  end
+
   def rules
     @rules ||= unique_warnings_by_warning_code.map do |warning|
       rule_id = render_id warning
@@ -130,4 +244,10 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
     })
     @@levels_from_confidence[warning.confidence]
   end
+
+  # File URI as a string with trailing forward-slash
+  # as required by SARIF standard
+  def file_uri(path)
+    URI::File.build(path: File.join(path, '/')).to_s
+  end
 end