brakeman-min 3.3.0 → 3.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: bfbe9bf6ab37921809b33145342e4bcd6df55e8e
-  data.tar.gz: 62f41f3c6a63e4f1b9c662b28779cb821d60a7b9
+  metadata.gz: 0908b7c2b06cb913a06b7857e223ae7845c48036
+  data.tar.gz: 8b162cfe56b7acd0f4717d524c6e7ee1e5b8b516
 SHA512:
-  metadata.gz: 3724d2c9aad208a2c5197decc4e72e46e9306a7745aaecdd6326bb8357367941b6f14586163bab5e299928cec1acb1d4f994f884441b78f521580cc0b26cbbcf
-  data.tar.gz: 26f0ab2c6871b2a304773c7d93c1b25e2958adef16f97d96257a39ba8cf1c085c1451e5180754e2ae18f197b7b5efc2370e081bd21ec6cb2ab17bb9bc554321d
+  metadata.gz: 75ee0836a37948d3f4a8c6e0a639cbe20bd950897440de02375121133ae81f0f708bf92202a85540d068f3c04510a92a95a92155fe6e4bffc851b79cfd44c9fc
+  data.tar.gz: 97275a73c3804586be1c676584a8367403dca3ef043c8a1ec8064925a21cc28089aca9c44af1c51ac0eb8aa1b539a67303dda25862994749659939682e3587cf

data/CHANGES

@@ -1,3 +1,14 @@
+# 3.3.1 
+
+* Delay loading vendored gems and modifying load path
+* Avoid warning about SQL injection with `quoted_primary_key`
+* Support more safe `&.` operations
+* Allow multile line regex in `validates_format_of` (Dmitrij Fedorenko)
+* Only consider `if` branches in templates
+* Avoid overwriting instance/class methods with same name (Tim Wade)
+* Add `--force-scan` option (Neil Matatall)
+* Improved line number accuracy in ERB templates (Patrick Toomey)
+
 # 3.3.0
 
 * Skip processing obviously false if branches (more broadly)

data/README.md

@@ -1,4 +1,5 @@
 [![Brakeman Logo](http://brakemanscanner.org/images/logo_medium.png)](http://brakemanscanner.org/)
+[![Brakeman Pro Logo](https://brakemanpro.com/images/bmp_square_white.png)](https://brakemanpro.com)
 
 [![Build Status](https://travis-ci.org/presidentbeef/brakeman.svg?branch=master)](https://travis-ci.org/presidentbeef/brakeman)
 [![Code Climate](https://codeclimate.com/github/presidentbeef/brakeman/badges/gpa.svg)](https://codeclimate.com/github/presidentbeef/brakeman)
@@ -159,9 +160,9 @@ For even more continuous testing, try the [Guard plugin](https://github.com/guar
 
 Website: http://brakemanscanner.org/
 
-Twitter: http://twitter.com/brakeman
+Twitter: https://twitter.com/brakeman
 
-Mailing list: brakeman@librelist.com
+Chat: https://gitter.im/presidentbeef/brakeman
 
 # License
 

data/lib/brakeman.rb

@@ -1,11 +1,5 @@
 require 'set'
 
-path_load = "#{File.expand_path(File.dirname(__FILE__))}/../bundle/load.rb"
-
-if File.exist? path_load
-  require path_load
-end
-
 module Brakeman
 
   #This exit code is used when warnings are found and the --exit-on-warn
@@ -18,6 +12,7 @@ module Brakeman
   @debug = false
   @quiet = false
   @loaded_dependencies = []
+  @vendored_paths = false
 
   #Run Brakeman scan. Returns Tracker object.
   #
@@ -101,7 +96,7 @@ module Brakeman
     #Load configuration file
     if config = config_file(custom_location, app_path)
       require 'date' # https://github.com/dtao/safe_yaml/issues/80
-      require 'safe_yaml/load'
+      self.load_brakeman_dependency 'safe_yaml/load'
       options = SafeYAML.load_file config, :deserialize_symbols => true
 
       if options
@@ -167,7 +162,7 @@ module Brakeman
       get_formats_from_output_files options[:output_files]
     else
       begin
-        require 'terminal-table'
+        self.load_brakeman_dependency 'terminal-table', :allow_fail
         return [:to_s]
       rescue LoadError
         return [:to_json]
@@ -433,15 +428,29 @@ module Brakeman
     Brakeman::Differ.new(new_results, previous_results).diff
   end
 
-  def self.load_brakeman_dependency name
+  def self.load_brakeman_dependency name, allow_fail = false
     return if @loaded_dependencies.include? name
 
+    unless @vendored_paths
+      path_load = "#{File.expand_path(File.dirname(__FILE__))}/../bundle/load.rb"
+
+      if File.exist? path_load
+        require path_load
+      end
+
+      @vendored_paths = true
+    end
+
     begin
       require name
     rescue LoadError => e
-      $stderr.puts e.message
-      $stderr.puts "Please install the appropriate dependency: #{name}."
-      exit!(-1)
+      if allow_fail
+        raise e
+      else
+        $stderr.puts e.message
+        $stderr.puts "Please install the appropriate dependency: #{name}."
+        exit!(-1)
+      end
     end
   end
 

data/lib/brakeman/checks/check_sql.rb

@@ -545,9 +545,9 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     string_building? exp.first_arg
   end
 
-  IGNORE_METHODS_IN_SQL = Set[:id, :merge_conditions, :table_name, :quoted_table_name, :to_i, :to_f,
-    :sanitize_sql, :sanitize_sql_array, :sanitize_sql_for_assignment,
-    :sanitize_sql_for_conditions, :sanitize_sql_hash,
+  IGNORE_METHODS_IN_SQL = Set[:id, :merge_conditions, :table_name, :quoted_table_name,
+    :quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array,
+    :sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,
     :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
     :to_sql, :sanitize, :primary_key, :table_name_prefix, :table_name_suffix]
 

data/lib/brakeman/checks/check_validation_regex.rb

@@ -59,17 +59,37 @@ class Brakeman::CheckValidationRegex < Brakeman::BaseCheck
     end
   end
 
+  # Match secure regexp without extended option
+  SECURE_REGEXP_PATTERN = %r{
+    \A
+    \\A
+    .*
+    \\[zZ]
+    \z
+  }x
+
+  # Match secure of regexp with extended option
+  EXTENDED_SECURE_REGEXP_PATTERN = %r{
+    \A
+    \s*
+    \\A
+    .*
+    \\[zZ]
+    \s*
+    \z
+  }mx
+
   #Issue warning if the regular expression does not use
   #+\A+ and +\z+
   def check_regex value, validator
     return unless regexp? value
 
-    regex = value.value.inspect
-    unless regex =~ /\A\/\\A.*\\(z|Z)\/(m|i|x|n|e|u|s|o)*\z/
+    regex = value.value
+    unless secure_regex?(regex)
       warn :model => @current_model,
       :warning_type => "Format Validation",
       :warning_code => :validation_regex,
-      :message => "Insufficient validation for '#{get_name validator}' using #{regex}. Use \\A and \\z as anchors",
+      :message => "Insufficient validation for '#{get_name validator}' using #{regex.inspect}. Use \\A and \\z as anchors",
       :line => value.line,
       :confidence => CONFIDENCE[:high]
     end
@@ -85,4 +105,12 @@ class Brakeman::CheckValidationRegex < Brakeman::BaseCheck
       name
     end
   end
+
+  private
+
+  def secure_regex?(regex)
+    extended_regex = Regexp::EXTENDED == regex.options & Regexp::EXTENDED
+    regex_pattern = extended_regex ? EXTENDED_SECURE_REGEXP_PATTERN : SECURE_REGEXP_PATTERN
+    regex_pattern =~ regex.source
+  end
 end

data/lib/brakeman/options.rb

@@ -276,6 +276,10 @@ module Brakeman::Options
           options[:show_version] = true
         end
 
+        opts.on "--force-scan", "Scan application even if rails is not detected" do
+          options[:force_scan] = true
+        end
+
         opts.on_tail "-h", "--help", "Display this message" do
           options[:show_help] = true
         end

data/lib/brakeman/parsers/rails3_erubis.rb

@@ -1,54 +1,74 @@
 Brakeman.load_brakeman_dependency 'erubis'
 
-#This is from Rails 3 version of the Erubis handler
+# This is from Rails 5 version of the Erubis handler
+# https://github.com/rails/rails/blob/ec608107801b1e505db03ba76bae4a326a5804ca/actionview/lib/action_view/template/handlers/erb.rb#L7-L73
 class Brakeman::Rails3Erubis < ::Erubis::Eruby
 
   def add_preamble(src)
-    # src << "_buf = ActionView::SafeBuffer.new;\n"
+    @newline_pending = 0
+    src << "@output_buffer = output_buffer || ActionView::OutputBuffer.new;"
   end
 
-  #This is different from Rails 3 - fixes some line number issues
   def add_text(src, text)
+    return if text.empty?
+
     if text == "\n"
-      src << "\n"
-    elsif text.include? "\n"
-      lines = text.split("\n")
-      if text.match(/\n\z/)
-        lines.each do |line|
-          src << "@output_buffer << ('" << escape_text(line) << "'.html_safe!);\n"
-        end
-      else
-        lines[0..-2].each do |line|
-          src << "@output_buffer << ('" << escape_text(line) << "'.html_safe!);\n"
-        end
-
-        src << "@output_buffer << ('" << escape_text(lines.last) << "'.html_safe!);"
-      end
+      @newline_pending += 1
+    else
+      src << "@output_buffer.safe_append='"
+      src << "\n" * @newline_pending if @newline_pending > 0
+      src << escape_text(text)
+      src << "'.freeze;"
+
+      @newline_pending = 0
+    end
+  end
+
+  # Erubis toggles <%= and <%== behavior when escaping is enabled.
+  # We override to always treat <%== as escaped.
+  def add_expr(src, code, indicator)
+    case indicator
+    when '=='
+      add_expr_escaped(src, code)
     else
-      src << "@output_buffer << ('" << escape_text(text) << "'.html_safe!);"
+      super
     end
   end
 
   BLOCK_EXPR = /\s*((\s+|\))do|\{)(\s*\|[^|]*\|)?\s*\Z/
 
   def add_expr_literal(src, code)
+    flush_newline_if_pending(src)
     if code =~ BLOCK_EXPR
       src << '@output_buffer.append= ' << code
     else
-      src << '@output_buffer.append= (' << code << ');'
+      src << '@output_buffer.append=(' << code << ');'
     end
   end
 
   def add_expr_escaped(src, code)
+    flush_newline_if_pending(src)
     if code =~ BLOCK_EXPR
-      src << "@output_buffer.safe_append= " << code
+      src << "@output_buffer.safe_expr_append= " << code
     else
-      src << "@output_buffer.safe_append= (" << code << ");"
+      src << "@output_buffer.safe_expr_append=(" << code << ");"
     end
   end
 
-  #Add code to output buffer.
+  def add_stmt(src, code)
+    flush_newline_if_pending(src)
+    super
+  end
+
   def add_postamble(src)
-    # src << '_buf.to_s'
+    flush_newline_if_pending(src)
+    src << '@output_buffer.to_s'
+  end
+
+  def flush_newline_if_pending(src)
+    if @newline_pending > 0
+      src << "@output_buffer.safe_append='#{"\n" * @newline_pending}'.freeze;"
+      @newline_pending = 0
+    end
   end
 end

data/lib/brakeman/processors/alias_processor.rb

@@ -1,12 +1,14 @@
 require 'brakeman/util'
 require 'ruby_parser/bm_sexp_processor'
 require 'brakeman/processors/lib/processor_helper'
+require 'brakeman/processors/lib/safe_call_helper'
 
 #Returns an s-expression with aliases replaced with their value.
 #This does not preserve semantics (due to side effects, etc.), but it makes
 #processing easier when searching for various things.
 class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   include Brakeman::ProcessorHelper
+  include Brakeman::SafeCallHelper
   include Brakeman::Util
 
   attr_reader :result, :tracker
@@ -94,6 +96,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     return exp if process_call_defn? exp
     target_var = exp.target
     target_var &&= target_var.deep_clone
+    if exp.node_type == :safe_call
+      exp.node_type = :call
+    end
     exp = process_default exp
 
     #In case it is replaced with something else

data/lib/brakeman/processors/base_processor.rb

@@ -1,9 +1,11 @@
 require 'brakeman/processors/lib/processor_helper'
+require 'brakeman/processors/lib/safe_call_helper'
 require 'brakeman/util'
 
 #Base processor for most processors.
 class Brakeman::BaseProcessor < Brakeman::SexpProcessor
   include Brakeman::ProcessorHelper
+  include Brakeman::SafeCallHelper
   include Brakeman::Util
 
   IGNORE = Sexp.new :ignore
@@ -83,14 +85,6 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     call
   end
 
-  def process_safe_call exp
-    if self.respond_to? :process_call
-      process_call exp
-    else
-      process_default exp
-    end
-  end
-
   #String with interpolation.
   def process_dstr exp
     exp = exp.dup

data/lib/brakeman/processors/erb_template_processor.rb

@@ -23,11 +23,7 @@ class Brakeman::ErbTemplateProcessor < Brakeman::TemplateProcessor
           raise "Did not expect more than a single argument to _erbout.concat"
         end
 
-        arg = exp.first_arg
-
-        if call? arg and arg.method == :to_s #erb always calls to_s on output
-          arg = arg.target
-        end
+        arg = normalize_output(exp.first_arg)
 
         if arg.node_type == :str #ignore plain strings
           ignore

data/lib/brakeman/processors/erubis_template_processor.rb

@@ -2,7 +2,7 @@ require 'brakeman/processors/template_processor'
 
 #Processes ERB templates using Erubis instead of erb.
 class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
-  
+
   #s(:call, TARGET, :method, ARGS)
   def process_call exp
     target = exp.target
@@ -18,12 +18,7 @@ class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
     if node_type?(target, :lvar, :ivar) and (target.value == :_buf or target.value == :@output_buffer)
       if method == :<< or method == :safe_concat
 
-        arg = exp.first_arg
-
-        #We want the actual content
-        if call? arg and (arg.method == :to_s or arg.method == :html_safe!)
-          arg = arg.target
-        end
+        arg = normalize_output(exp.first_arg)
 
         if arg.node_type == :str #ignore plain strings
           ignore
@@ -70,14 +65,16 @@ class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
   #Look for assignments to output buffer that look like this:
   #  @output_buffer.append = some_output
   #  @output_buffer.safe_append = some_output
+  #  @output_buffer.safe_expr_append = some_output
   def process_attrasgn exp
     if exp.target.node_type == :ivar and exp.target.value == :@output_buffer
-      if exp.method == :append= or exp.method == :safe_append=
-        arg = exp.first_arg = process(exp.first_arg)
+      if append_method?(exp.method)
+        exp.first_arg = process(exp.first_arg)
+        arg = normalize_output(exp.first_arg)
 
         if arg.node_type == :str
           ignore
-        elsif exp.method == :safe_append=
+        elsif safe_append_method?(exp.method)
           s = Sexp.new :output, arg
           s.line(exp.line)
           @current_template.add_output s
@@ -95,4 +92,13 @@ class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
       super
     end
   end
+
+  private
+  def append_method?(method)
+    method == :append= || safe_append_method?(method)
+  end
+
+  def safe_append_method?(method)
+    method == :safe_append= || method == :safe_expr_append=
+  end
 end

data/lib/brakeman/processors/haml_template_processor.rb

@@ -29,7 +29,8 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
 
               if arg
                 @inside_concat = true
-                out = exp.first_arg = process(arg)
+                exp.first_arg = process(arg)
+                out = normalize_output(exp.first_arg)
                 @inside_concat = false
               else
                 raise "Empty _hamlout.#{method}()?"
@@ -73,7 +74,8 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
       #Has something to do with values of blocks?
     elsif sexp? target and method == :<< and is_buffer_target? target
       @inside_concat = true
-      out = exp.first_arg = process(exp.first_arg)
+      exp.first_arg = process(exp.first_arg)
+      out = normalize_output(exp.first_arg)
       @inside_concat = false
 
       if out.node_type == :str #ignore plain strings

data/lib/brakeman/processors/lib/basic_processor.rb

@@ -1,8 +1,10 @@
 require 'brakeman/processors/lib/processor_helper'
+require 'brakeman/processors/lib/safe_call_helper'
 require 'brakeman/util'
 
 class Brakeman::BasicProcessor < Brakeman::SexpProcessor
   include Brakeman::ProcessorHelper
+  include Brakeman::SafeCallHelper
   include Brakeman::Util
 
   def initialize tracker
@@ -15,22 +17,6 @@ class Brakeman::BasicProcessor < Brakeman::SexpProcessor
     process_all exp
   end
 
-  def process_safe_call exp
-    if self.respond_to? :process_call
-      process_call exp
-    else
-      process_default exp
-    end
-  end
-
-  def process_safe_attrasgn exp
-    if self.respond_to? :process_attrasgn
-      process_attrasgn exp
-    else
-      process_default exp
-    end
-  end
-
   def process_if exp
     condition = exp.condition
 

data/lib/brakeman/processors/lib/safe_call_helper.rb

@@ -0,0 +1,16 @@
+module Brakeman
+  module SafeCallHelper
+    [[:process_safe_call, :process_call],
+     [:process_safe_attrasgn, :process_attrasgn],
+     [:process_safe_op_asgn, :process_op_asgn],
+     [:process_safe_op_asgn2, :process_op_asgn2]].each do |call, replacement|
+       define_method(call) do |exp|
+         if self.respond_to? replacement
+           self.send(replacement, exp)
+         else
+           process_default exp
+         end
+       end
+     end
+  end
+end

data/lib/brakeman/processors/output_processor.rb

@@ -1,4 +1,4 @@
-require 'ruby2ruby'
+Brakeman.load_brakeman_dependency 'ruby2ruby'
 require 'brakeman/util'
 
 #Produces formatted output strings from Sexps.

data/lib/brakeman/processors/slim_template_processor.rb

@@ -13,11 +13,7 @@ class Brakeman::SlimTemplateProcessor < Brakeman::TemplateProcessor
     method = exp.method
 
     if method == :safe_concat and (target == SAFE_BUFFER or target == OUTPUT_BUFFER)
-      arg = exp.first_arg
-
-      if call? arg and arg.method == :to_s
-        arg = arg.target
-      end
+      arg = normalize_output(exp.first_arg)
 
       if is_escaped? arg
         make_escaped_output arg

data/lib/brakeman/processors/template_processor.rb

@@ -52,4 +52,23 @@ class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
   def process_escaped_output exp
     process_output exp
   end
+
+  # Pull out actual output value from template
+  def normalize_output arg
+    if call? arg and [:to_s, :html_safe!, :freeze].include? arg.method
+      arg.target
+    elsif node_type? arg, :if
+      branches = [arg.then_clause, arg.else_clause].compact
+
+      if branches.empty?
+        s(:nil)
+      elsif branches.length == 2
+        Sexp.new(:or, *branches)
+      else
+        branches.first
+      end
+    else
+      arg
+    end
+  end
 end

data/lib/brakeman/rescanner.rb

@@ -1,5 +1,4 @@
 require 'brakeman/scanner'
-require 'terminal-table'
 require 'brakeman/util'
 require 'brakeman/differ'
 
@@ -449,6 +448,8 @@ class Brakeman::RescanReport
 
   #Output total, fixed, and new warnings
   def to_s(verbose = false)
+    Brakeman.load_brakeman_dependency 'terminal-table'
+
     if !verbose
       <<-OUTPUT
 Total warnings: #{all_warnings.length}

data/lib/brakeman/scanner.rb

@@ -1,7 +1,5 @@
-require 'rubygems'
-
 begin
-  require 'ruby_parser'
+  Brakeman.load_brakeman_dependency 'ruby_parser'
   require 'ruby_parser/bm_sexp.rb'
   require 'ruby_parser/bm_sexp_processor.rb'
   require 'brakeman/processor'
@@ -24,7 +22,7 @@ class Brakeman::Scanner
     @options = options
     @app_tree = Brakeman::AppTree.from_options(options)
 
-    if !@app_tree.root || !@app_tree.exists?("app")
+    if (!@app_tree.root || !@app_tree.exists?("app")) && !options[:force_scan]
       raise Brakeman::NoApplication, "Please supply the path to a Rails application."
     end
 

data/lib/brakeman/tracker.rb

@@ -90,12 +90,7 @@ class Brakeman::Tracker
       set.each do |set_name, collection|
         collection.each_method do |method_name, definition|
           src = definition[:src]
-          if src.node_type == :defs
-            method_name = "#{src[1]}.#{method_name}"
-          end
-
           yield src, set_name, method_name, definition[:file]
-
         end
       end
     end
@@ -254,10 +249,6 @@ class Brakeman::Tracker
       set.each do |set_name, info|
         info.each_method do |method_name, definition|
           src = definition[:src]
-          if src.node_type == :defs
-            method_name = "#{src[1]}.#{method_name}"
-          end
-
           finder.process_source src, :class => set_name, :method => method_name, :file => definition[:file]
         end
       end

data/lib/brakeman/tracker/collection.rb

@@ -45,6 +45,10 @@ module Brakeman
     end
 
     def add_method visibility, name, src, file_name
+      if src.node_type == :defs
+        name = :"#{src[1]}.#{name}"
+      end
+
       @methods[visibility][name] = { :src => src, :file => file_name }
     end
 

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "3.3.0"
+  Version = "3.3.1"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-min
 version: !ruby/object:Gem::Version
-  version: 3.3.0
+  version: 3.3.1
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2016-05-05 00:00:00.000000000 Z
+date: 2016-06-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: test-unit
@@ -184,6 +184,7 @@ files:
 - lib/brakeman/processors/lib/render_helper.rb
 - lib/brakeman/processors/lib/render_path.rb
 - lib/brakeman/processors/lib/route_helper.rb
+- lib/brakeman/processors/lib/safe_call_helper.rb
 - lib/brakeman/processors/library_processor.rb
 - lib/brakeman/processors/model_processor.rb
 - lib/brakeman/processors/output_processor.rb