brakeman-min 4.3.0 → 4.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 584a5901c5e070435d5ea8d7a8befbab199032fb7f6b8af11c30e0b9158f82df
-  data.tar.gz: 7daf585c9d8e576b58ae058ef40ac61e900f6478e9e20a5b7691a0dde2b31956
+  metadata.gz: 907164bd18400db5d5653c8af124ca18fb240a4528698c5edd0f2115c1011331
+  data.tar.gz: 35bc513c359c97dec4b2e33a50c16fe80aa03b9e044c8e7b21e35a74c37bab10
 SHA512:
-  metadata.gz: ddb51c50406558283f35e224e4b25abce8d53d13ed50b94f6f47bae9de6a8dbbee1f2411bd8dadde208c552cf4fb1fb30445993b0336c336844900d5c2e01015
-  data.tar.gz: 9b2744b835dc3a8893f39d426582e6e364e997295c1bec67cfd98b2d11749c8e68eeaba8c42bc830361b4cf8254167ef3129b4d10a035397fbc20a7147cb8649
+  metadata.gz: fa036e105bf7ab29d4f14386b1f9e2fdf20dac014db5dcfdb7fdf1a4ca718acb59ade69c818e89ff1a87cf6e16b19223038459fd5f9b7c879e34757a198c883b
+  data.tar.gz: 72ecefa9947339c9e8d92882c5c491911132836c8c3f1bfd6be36a307987d7528a66ad9c02ab211cc3fe368c4d7227e4197c1ea6b906327edc7a7744e9bcd499

data/CHANGES.md

@@ -1,3 +1,16 @@
+# 4.3.1
+
+* Ignore `Object#freeze`, use the target instead
+* Ignore `foreign_key` calls in SQL
+* Handle `included` calls outside of classes/modules
+* Add `:BRAKEMAN_SAFE_LITERAL` to represent known-safe literals
+* Handle `Array#map` and `Array#each` over literal arrays
+* Use safe literal when accessing literal hash with unknown key
+* Avoid deprecated use of ERB in Ruby 2.6 (Koichi ITO)
+* Allow `symbolize_keys` to be called on `params` in SQL (Jacob Evelyn)
+* Improve handling of conditionals in shell commands (Jacob Evenlyn)
+* Fix error when setting line number in implicit renders
+
 # 4.3.0
 
 * Check exec-type calls even if they are targets

data/README.md

@@ -82,9 +82,9 @@ If Brakeman is running a bit slow, try
 
 This will disable some features, but will probably be much faster (currently it is the same as `--skip-libs --no-branching`). *WARNING*: This may cause Brakeman to miss some vulnerabilities.
 
-By default, Brakeman will return 0 as an exit code unless something went very wrong. To return an error code when warnings were found:
+By default, Brakeman will return a non-zero exit code if any security warnings are found or scanning errors are encountered. To disable this:
 
-    brakeman -z
+    brakeman --no-exit-on-warn --no-exit-on-error
 
 To skip certain files or directories that Brakeman may have trouble parsing, use:
 

data/lib/brakeman/checks/check_execute.rb

@@ -143,7 +143,13 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
       next if SAFE_VALUES.include? e
       next if shell_escape? e
 
-      if node_type? e, :or, :evstr, :dstr
+      if node_type? e, :if
+        # If we're in a conditional, evaluate the `then` and `else` clauses to
+        # see if they're dangerous.
+        if res = dangerous?(e.values[1..-1])
+          return res
+        end
+      elsif node_type? e, :or, :evstr, :dstr
         if res = dangerous?(e)
           return res
         end

data/lib/brakeman/checks/check_sql.rb

@@ -290,7 +290,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     end
 
     if request_value? arg
-      unless call? arg and params? arg.target and [:permit, :slice, :to_h, :to_hash].include? arg.method
+      unless call? arg and params? arg.target and [:permit, :slice, :to_h, :to_hash, :symbolize_keys].include? arg.method
         # Model.where(params[:where])
         arg
       end
@@ -404,6 +404,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       nil
     elsif call? value and value.method == :to_s
       unsafe_string_interp? value.target
+    elsif call? value and safe_literal_target? value
+      nil
     else
       case value.node_type
       when :or
@@ -576,7 +578,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     :sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,
     :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
     :to_sql, :sanitize, :primary_key, :table_name_prefix, :table_name_suffix,
-    :where_values_hash
+    :where_values_hash, :foreign_key
   ]
 
   def safe_value? exp

data/lib/brakeman/parsers/template_parser.rb

@@ -58,7 +58,11 @@ module Brakeman
         Brakeman::ScannerErubis.new(text, :filename => path).src
       else
         require 'erb'
-        src = ERB.new(text, nil, path).src
+        src = if ERB.instance_method(:initialize).parameters.assoc(:key) # Ruby 2.6+
+          ERB.new(text, trim_mode: path).src
+        else
+          ERB.new(text, nil, path).src
+        end
         src.sub!(/^#.*\n/, '') if Brakeman::Scanner::RUBY_1_9
         src
       end

data/lib/brakeman/processors/alias_processor.rb

@@ -2,6 +2,7 @@ require 'brakeman/util'
 require 'ruby_parser/bm_sexp_processor'
 require 'brakeman/processors/lib/processor_helper'
 require 'brakeman/processors/lib/safe_call_helper'
+require 'brakeman/processors/lib/call_conversion_helper'
 
 #Returns an s-expression with aliases replaced with their value.
 #This does not preserve semantics (due to side effects, etc.), but it makes
@@ -10,6 +11,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   include Brakeman::ProcessorHelper
   include Brakeman::SafeCallHelper
   include Brakeman::Util
+  include Brakeman::CallConversionHelper
 
   attr_reader :result, :tracker
 
@@ -122,7 +124,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     end
 
     if hash? t
-      if v = hash_access(t, exp.first_arg)
+      if v = process_hash_access(t, exp.first_arg)
         v.deep_clone(exp.line)
       else
         case t.node_type
@@ -202,49 +204,19 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     case method
     when :+
       if array? target and array? first_arg
-        joined = join_arrays target, first_arg
-        joined.line(exp.line)
-        exp = joined
+        exp = join_arrays(target, first_arg, exp)
       elsif string? first_arg
-        if string? target # "blah" + "blah"
-          joined = join_strings target, first_arg
-          joined.line(exp.line)
-          exp = joined
-        elsif call? target and target.method == :+ and string? target.first_arg
-          joined = join_strings target.first_arg, first_arg
-          joined.line(exp.line)
-          target.first_arg = joined
-          exp = target
-        end
+        exp = join_strings(target, first_arg, exp)
       elsif number? first_arg
-        if number? target
-          exp = Sexp.new(:lit, target.value + first_arg.value)
-        elsif call? target and target.method == :+ and number? target.first_arg
-          target.first_arg = Sexp.new(:lit, target.first_arg.value + first_arg.value)
-          exp = target
-        end
-      end
-    when :-
-      if number? target and number? first_arg
-        exp = Sexp.new(:lit, target.value - first_arg.value)
-      end
-    when :*
-      if number? target and number? first_arg
-        exp = Sexp.new(:lit, target.value * first_arg.value)
-      end
-    when :/
-      if number? target and number? first_arg
-        unless first_arg.value == 0 and not target.value.is_a? Float
-          exp = Sexp.new(:lit, target.value / first_arg.value)
-        end
+        exp = math_op(:+, target, first_arg, exp)
       end
+    when :-, :*, :/
+      exp = math_op(method, target, first_arg, exp)
     when :[]
       if array? target
-        temp_exp = process_array_access target, exp.args
-        exp = temp_exp if temp_exp
+        exp = process_array_access(target, exp.args, exp)
       elsif hash? target
-        temp_exp = process_hash_access target, first_arg
-        exp = temp_exp if temp_exp
+        exp = process_hash_access(target, first_arg, exp)
       end
     when :merge!, :update
       if hash? target and hash? first_arg
@@ -287,8 +259,8 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         exp = target[1]
       end
     when :freeze
-      if string? target
-        exp = process exp.target
+      unless target.nil?
+        exp = target
       end
     when :join
       if array? target and target.length > 2 and (string? first_arg or first_arg.nil?)
@@ -364,28 +336,37 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     @exp_context.push exp
     exp[1] = process exp.block_call
     if array_detect_all_literals? exp[1]
-      return exp.block_call.target[1]
+      return safe_literal(exp.line)
     end
 
     @exp_context.pop
 
     env.scope do
-      exp.block_args.each do |e|
-        #Force block arg(s) to be local
-        if node_type? e, :lasgn
-          env.current[Sexp.new(:lvar, e.lhs)] = Sexp.new(:lvar, e.lhs)
-        elsif node_type? e, :kwarg
-          env.current[Sexp.new(:lvar, e[1])] = e[2]
-        elsif node_type? e, :masgn, :shadow
-          e[1..-1].each do |var|
-            local = Sexp.new(:lvar, var)
+      call = exp.block_call
+      block_args = exp.block_args
+
+      if call? call and [:each, :map].include? call.method and all_literals? call.target and block_args.length == 2 and block_args.last.is_a? Symbol
+        # Iterating over an array of all literal values
+        local = Sexp.new(:lvar, block_args.last)
+        env.current[local] = safe_literal(exp.line)
+      else
+        block_args.each do |e|
+          #Force block arg(s) to be local
+          if node_type? e, :lasgn
+            env.current[Sexp.new(:lvar, e.lhs)] = Sexp.new(:lvar, e.lhs)
+          elsif node_type? e, :kwarg
+            env.current[Sexp.new(:lvar, e[1])] = e[2]
+          elsif node_type? e, :masgn, :shadow
+            e[1..-1].each do |var|
+              local = Sexp.new(:lvar, var)
+              env.current[local] = local
+            end
+          elsif e.is_a? Symbol
+            local = Sexp.new(:lvar, e)
             env.current[local] = local
+          else
+            raise "Unexpected value in block args: #{e.inspect}"
           end
-        elsif e.is_a? Symbol
-          local = Sexp.new(:lvar, e)
-          env.current[local] = local
-        else
-          raise "Unexpected value in block args: #{e.inspect}"
         end
       end
 
@@ -715,18 +696,14 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   def array_include_all_literals? exp
     call? exp and
     exp.method == :include? and
-    node_type? exp.target, :array and
-    exp.target.length > 1 and
-    exp.target.all? { |e| e.is_a? Symbol or node_type? e, :lit, :str }
+    all_literals? exp.target
   end
 
   def array_detect_all_literals? exp
     call? exp and
     [:detect, :find].include? exp.method and
-    node_type? exp.target, :array and
-    exp.target.length > 1 and
     exp.first_arg.nil? and
-    exp.target.all? { |e| e.is_a? Symbol or node_type? e, :lit, :str }
+    all_literals? exp.target
   end
 
   #Sets @inside_if = true
@@ -767,12 +744,12 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
             # set x to "a" inside the true branch
             var = condition.first_arg
             previous_value = env.current[var]
-            env.current[var] = condition.target[1]
+            env.current[var] = safe_literal(var.line)
             exp[branch_index] = process_if_branch branch
             env.current[var] = previous_value
           elsif i == 1 and array_include_all_literals? condition and early_return? branch
             var = condition.first_arg
-            env.current[var] = condition.target[1]
+            env.current[var] = safe_literal(var.line)
             exp[branch_index] = process_if_branch branch
           else
             exp[branch_index] = process_if_branch branch
@@ -911,45 +888,6 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     exp.or_depth >= @or_depth_limit
   end
 
-  #Process single integer access to an array.
-  #
-  #Returns the value inside the array, if possible.
-  def process_array_access target, args
-    if args.length == 1 and integer? args.first
-      index = args.first.value
-
-      #Have to do this because first element is :array and we have to skip it
-      target[1..-1][index]
-    else
-      nil
-    end
-  end
-
-  #Process hash access by returning the value associated
-  #with the given argument.
-  def process_hash_access target, index
-    hash_access(target, index)
-  end
-
-  #Join two array literals into one.
-  def join_arrays array1, array2
-    result = Sexp.new(:array)
-    result.concat array1[1..-1]
-    result.concat array2[1..-1]
-  end
-
-  #Join two string literals into one.
-  def join_strings string1, string2
-    result = Sexp.new(:str)
-    result.value = string1.value + string2.value
-
-    if result.value.length > 50
-      string1
-    else
-      result
-    end
-  end
-
   # Change x.send(:y, 1) to x.y(1)
   def collapse_send_call exp, first_arg
     # Handle try(&:id)

data/lib/brakeman/processors/controller_alias_processor.rb

@@ -179,8 +179,11 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
     # method as the line number
     if line.nil? and controller = @tracker.controllers[@current_class]
       if meth = controller.get_method(@current_method)
-        line = meth[:src] && meth[:src].last && meth[:src].last.line
-        line += 1
+        if line = meth[:src] && meth[:src].last && meth[:src].last.line
+          line += 1
+        else
+          line = 1
+        end
       end
     end
 

data/lib/brakeman/processors/lib/call_conversion_helper.rb

@@ -0,0 +1,90 @@
+module Brakeman
+  module CallConversionHelper
+    def all_literals? exp, expected_type = :array
+      node_type? exp, expected_type and
+        exp.length > 1 and
+        exp.all? { |e| e.is_a? Symbol or node_type? e, :lit, :str }
+    end
+
+    # Join two array literals into one.
+    def join_arrays lhs, rhs, original_exp = nil
+      if array? lhs and array? rhs
+        result = Sexp.new(:array).line(lhs.line)
+        result.concat lhs[1..-1]
+        result.concat rhs[1..-1]
+        result
+      else
+        original_exp
+      end
+    end
+
+    # Join two string literals into one.
+    def join_strings lhs, rhs, original_exp = nil
+      if string? lhs and string? rhs
+        result = Sexp.new(:str).line(lhs.line)
+        result.value = lhs.value + rhs.value
+
+        if result.value.length > 50
+          # Avoid gigantic strings
+          lhs
+        else
+          result
+        end
+      elsif call? lhs and lhs.method == :+ and string? lhs.first_arg and string? rhs
+        joined = join_strings lhs.first_arg, rhs
+        lhs.first_arg = joined
+        lhs
+      elsif safe_literal? lhs or safe_literal? rhs
+        safe_literal(lhs.line)
+      else
+        original_exp
+      end
+    end
+
+    def math_op op, lhs, rhs, original_exp = nil
+      if number? lhs and number? rhs
+        if op == :/ and rhs.value == 0 and not lhs.value.is_a? Float
+          # Avoid division by zero
+          return original_exp
+        else
+          value = lhs.value.send(op, rhs.value)
+          Sexp.new(:lit, value).line(lhs.line)
+        end
+      elsif call? lhs and lhs.method == :+ and number? lhs.first_arg and number? rhs
+        # (x + 1) + 2 -> (x + 3)
+        lhs.first_arg = Sexp.new(:lit, lhs.first_arg.value + rhs.value).line(lhs.first_arg.line)
+        lhs
+      elsif safe_literal? lhs or safe_literal? rhs
+        safe_literal(lhs.line)
+      else
+        original_exp
+      end
+    end
+
+    # Process single integer access to an array.
+    #
+    # Returns the value inside the array, if possible.
+    def process_array_access array, args, original_exp = nil
+      if args.length == 1 and integer? args.first
+        index = args.first.value
+
+        #Have to do this because first element is :array and we have to skip it
+        array[1..-1][index] or original_exp
+      else
+        original_exp
+      end
+    end
+
+    # Process hash access by returning the value associated
+    # with the given argument.
+    def process_hash_access hash, index, original_exp = nil
+      if value = hash_access(hash, index)
+        value # deep_clone?
+      elsif all_literals? hash, :hash
+        safe_literal(hash.line)
+      else
+        original_exp
+      end
+    end
+  end
+end

data/lib/brakeman/processors/library_processor.rb

@@ -64,7 +64,7 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
     res = process_default exp
 
     if node_type? res, :iter and call? exp.block_call # sometimes this changes after processing
-      if exp.block_call.method == :included
+      if exp.block_call.method == :included and (@current_module or @current_class)
         (@current_module || @current_class).options[:included] = res.block
       end
     end

data/lib/brakeman/util.rb

@@ -26,6 +26,8 @@ module Brakeman::Util
 
   ALL_COOKIES = Set[COOKIES, REQUEST_COOKIES]
 
+  SAFE_LITERAL = s(:lit, :BRAKEMAN_SAFE_LITERAL)
+
   #Convert a string from "something_like_this" to "SomethingLikeThis"
   #
   #Taken from ActiveSupport.
@@ -307,6 +309,22 @@ module Brakeman::Util
     call
   end
 
+  def safe_literal line = nil
+    s(:lit, :BRAKEMAN_SAFE_LITERAL).line(line || 0)
+  end
+
+  def safe_literal? exp
+    exp == SAFE_LITERAL
+  end
+
+  def safe_literal_target? exp
+    if call? exp
+      safe_literal_target? exp.target
+    else
+      safe_literal? exp
+    end
+  end
+
   def rails_version
     @tracker.config.rails_version
   end

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "4.3.0"
+  Version = "4.3.1"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-min
 version: !ruby/object:Gem::Version
-  version: 4.3.0
+  version: 4.3.1
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2018-05-11 00:00:00.000000000 Z
+date: 2018-06-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -189,6 +189,7 @@ files:
 - lib/brakeman/processors/gem_processor.rb
 - lib/brakeman/processors/haml_template_processor.rb
 - lib/brakeman/processors/lib/basic_processor.rb
+- lib/brakeman/processors/lib/call_conversion_helper.rb
 - lib/brakeman/processors/lib/find_all_calls.rb
 - lib/brakeman/processors/lib/find_call.rb
 - lib/brakeman/processors/lib/find_return_value.rb