RubyGems - brakeman-min - Versions diffs - 4.3.1 → 4.4.0 - Mend

brakeman-min 4.3.1 → 4.4.0

Files changed (95) hide show

checksums.yaml +4 -4
data/CHANGES.md +24 -1
data/README.md +35 -6
data/bin/brakeman +2 -0
data/lib/brakeman.rb +5 -3
data/lib/brakeman/app_tree.rb +15 -1
data/lib/brakeman/call_index.rb +7 -4
data/lib/brakeman/checks.rb +16 -8
data/lib/brakeman/checks/base_check.rb +2 -19
data/lib/brakeman/checks/check_basic_auth_timing_attack.rb +1 -1
data/lib/brakeman/checks/check_content_tag.rb +4 -4
data/lib/brakeman/checks/check_create_with.rb +1 -1
data/lib/brakeman/checks/check_cross_site_scripting.rb +3 -3
data/lib/brakeman/checks/check_default_routes.rb +3 -3
data/lib/brakeman/checks/check_deserialize.rb +1 -1
data/lib/brakeman/checks/check_detailed_exceptions.rb +1 -1
data/lib/brakeman/checks/check_digest_dos.rb +4 -4
data/lib/brakeman/checks/check_escape_function.rb +1 -1
data/lib/brakeman/checks/check_execute.rb +5 -4
data/lib/brakeman/checks/check_file_access.rb +13 -3
data/lib/brakeman/checks/check_file_disclosure.rb +1 -1
data/lib/brakeman/checks/check_filter_skipping.rb +1 -1
data/lib/brakeman/checks/check_forgery_setting.rb +3 -3
data/lib/brakeman/checks/check_header_dos.rb +3 -3
data/lib/brakeman/checks/check_i18n_xss.rb +3 -3
data/lib/brakeman/checks/check_jruby_xml.rb +1 -1
data/lib/brakeman/checks/check_json_encoding.rb +3 -3
data/lib/brakeman/checks/check_json_parsing.rb +8 -11
data/lib/brakeman/checks/check_link_to.rb +3 -3
data/lib/brakeman/checks/check_link_to_href.rb +2 -2
data/lib/brakeman/checks/check_mail_to.rb +3 -3
data/lib/brakeman/checks/check_mime_type_dos.rb +1 -1
data/lib/brakeman/checks/check_model_attributes.rb +4 -4
data/lib/brakeman/checks/check_model_serialize.rb +1 -1
data/lib/brakeman/checks/check_nested_attributes.rb +3 -3
data/lib/brakeman/checks/check_nested_attributes_bypass.rb +1 -1
data/lib/brakeman/checks/check_number_to_currency.rb +4 -4
data/lib/brakeman/checks/check_quote_table_name.rb +2 -2
data/lib/brakeman/checks/check_regex_dos.rb +1 -1
data/lib/brakeman/checks/check_render.rb +2 -2
data/lib/brakeman/checks/check_render_dos.rb +1 -1
data/lib/brakeman/checks/check_render_inline.rb +1 -1
data/lib/brakeman/checks/check_response_splitting.rb +1 -1
data/lib/brakeman/checks/check_route_dos.rb +1 -1
data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +1 -1
data/lib/brakeman/checks/check_sanitize_methods.rb +3 -3
data/lib/brakeman/checks/check_secrets.rb +1 -1
data/lib/brakeman/checks/check_select_tag.rb +1 -1
data/lib/brakeman/checks/check_select_vulnerability.rb +1 -1
data/lib/brakeman/checks/check_session_manipulation.rb +1 -1
data/lib/brakeman/checks/check_session_settings.rb +1 -1
data/lib/brakeman/checks/check_simple_format.rb +2 -2
data/lib/brakeman/checks/check_single_quotes.rb +14 -10
data/lib/brakeman/checks/check_skip_before_filter.rb +2 -2
data/lib/brakeman/checks/check_sprockets_path_traversal.rb +39 -0
data/lib/brakeman/checks/check_sql.rb +1 -1
data/lib/brakeman/checks/check_sql_cves.rb +2 -2
data/lib/brakeman/checks/check_strip_tags.rb +10 -8
data/lib/brakeman/checks/check_symbol_dos.rb +1 -1
data/lib/brakeman/checks/check_symbol_dos_cve.rb +1 -1
data/lib/brakeman/checks/check_translate_bug.rb +7 -7
data/lib/brakeman/checks/check_unsafe_reflection.rb +1 -1
data/lib/brakeman/checks/check_unscoped_find.rb +1 -1
data/lib/brakeman/checks/check_validation_regex.rb +1 -1
data/lib/brakeman/checks/check_weak_hash.rb +18 -19
data/lib/brakeman/checks/check_xml_dos.rb +1 -1
data/lib/brakeman/checks/check_yaml_parsing.rb +1 -1
data/lib/brakeman/format/style.css +8 -0
data/lib/brakeman/messages.rb +220 -0
data/lib/brakeman/options.rb +13 -0
data/lib/brakeman/parsers/template_parser.rb +2 -2
data/lib/brakeman/processors/alias_processor.rb +7 -0
data/lib/brakeman/processors/config_processor.rb +4 -1
data/lib/brakeman/processors/gem_processor.rb +30 -2
data/lib/brakeman/processors/lib/call_conversion_helper.rb +2 -1
data/lib/brakeman/processors/lib/rails3_route_processor.rb +0 -2
data/lib/brakeman/processors/lib/rails4_config_processor.rb +18 -0
data/lib/brakeman/processors/lib/render_helper.rb +5 -0
data/lib/brakeman/processors/lib/render_path.rb +15 -0
data/lib/brakeman/processors/library_processor.rb +1 -1
data/lib/brakeman/report/report_base.rb +17 -161
data/lib/brakeman/report/report_csv.rb +17 -0
data/lib/brakeman/report/report_html.rb +34 -31
data/lib/brakeman/report/report_json.rb +21 -0
data/lib/brakeman/report/report_markdown.rb +13 -6
data/lib/brakeman/report/report_table.rb +157 -0
data/lib/brakeman/report/report_tabs.rb +3 -1
data/lib/brakeman/report/report_text.rb +16 -0
data/lib/brakeman/scanner.rb +5 -1
data/lib/brakeman/tracker/config.rb +1 -1
data/lib/brakeman/util.rb +0 -17
data/lib/brakeman/version.rb +1 -1
data/lib/brakeman/warning.rb +9 -4
data/lib/brakeman/warning_codes.rb +1 -0
metadata +9 -6

data/lib/brakeman/checks/check_xml_dos.rb CHANGED

@@ -23,7 +23,7 @@ class Brakeman::CheckXMLDoS < Brakeman::BaseCheck
     return if has_workaround?
-    message = "Rails #{version} is vulnerable to denial of service via XML parsing (CVE-2015-3227). Upgrade to Rails version #{fix_version}"
+    message = msg(msg_version(version), " is vulnerable to denial of service via XML parsing ", msg_cve("CVE-2015-3227"), ". Upgrade to ", msg_version(fix_version))
     warn :warning_type => "Denial of Service",
       :warning_code => :CVE_2015_3227,

data/lib/brakeman/checks/check_yaml_parsing.rb CHANGED

@@ -22,7 +22,7 @@ class Brakeman::CheckYAMLParsing < Brakeman::BaseCheck
                       "3.2.11"
                     end
-      message = "Rails #{rails_version} has a remote code execution vulnerability: upgrade to #{new_version} or disable XML parsing"
+      message = msg(msg_version(rails_version), " has a remote code execution vulnerability. Upgrade to ", msg_version(new_version), " or disable XML parsing")
       warn :warning_type => "Remote Code Execution",
         :warning_code => :CVE_2013_0156,

data/lib/brakeman/format/style.css CHANGED

@@ -131,3 +131,11 @@ p {
  div.template_name:hover {
    background-color: white;
  }
+ span.code {
+   font-family: monospace;
+ }
+ span.filename {
+   font-family: monospace;
+ }

data/lib/brakeman/messages.rb ADDED

@@ -0,0 +1,220 @@
+module Brakeman
+  module Messages
+    # Create a new message from a list of messages.
+    # Strings are converted to Brakeman::Messages::Plain objects.
+    def msg *args
+      parts = args.map do |a|
+        if a.is_a? String
+          Plain.new(a)
+        else
+          a
+        end
+      end
+      Message.new(*parts)
+    end
+    # Create a new code message fragment
+    def msg_code code
+      Code.new code
+    end
+    # Create a new message fragment with a CVE identifier
+    def msg_cve cve
+      CVE.new cve
+    end
+    # Create a new message fragment representing a file name
+    def msg_file str
+      Messages::FileName.new str
+    end
+    # Create a new message fragment from a user input type (e.g. `:params`).
+    # The input type will be converted to a friendly version (e.g. "parameter value").
+    def msg_input input
+      Input.new input
+    end
+    # Create a new message fragment which will not be modified during output
+    def msg_lit str
+      Literal.new str
+    end
+    # Create a new plain string message fragment
+    def msg_plain str
+      Plain.new str
+    end
+    # Create a message fragment representing the version of a library
+    def msg_version version, lib = "Rails"
+      Version.new version, lib
+    end
+  end
+end
+# Class to represent a list of message types
+class Brakeman::Messages::Message
+  def initialize *args
+    @parts = args.map do |a|
+      case a
+      when String, Symbol
+        Brakeman::Messages::Plain.new(a.to_s)
+      else
+        a
+      end
+    end
+  end
+  def << msg
+    if msg.is_a? String
+      @parts << Brakeman::Messages::Plain.new(msg)
+    else
+      @parts << msg
+    end
+  end
+  def to_s
+    output = @parts.map(&:to_s).join
+    case @parts.first
+    when Brakeman::Messages::Code, Brakeman::Messages::Literal, Brakeman::Messages::Version
+    else
+      output[0] = output[0].capitalize
+    end
+    output
+  end
+  def to_html
+    require 'cgi'
+    output = @parts.map(&:to_html).join
+    case @parts.first
+    when Brakeman::Messages::Code, Brakeman::Messages::Literal, Brakeman::Messages::Version
+    else
+      output[0] = output[0].capitalize
+    end
+    output
+  end
+end
+class Brakeman::Messages::Code
+  def initialize code
+    @code = code.to_s
+  end
+  def to_s
+    "`#{@code}`"
+  end
+  def to_html
+    "<span class=\"code\">#{CGI.escapeHTML(@code)}</span>"
+  end
+end
+class Brakeman::Messages::CVE
+  def initialize cve
+    @cve = cve
+  end
+  def to_s
+    "(#{@cve})"
+  end
+  def to_html
+    "(<a href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=#{@cve}\" target=\"_blank\" rel=\"noreferrer\">#{@cve}</a>)"
+  end
+end
+class Brakeman::Messages::FileName
+  def initialize file
+    @file = file
+  end
+  def to_s
+    "`#{@file}`"
+  end
+  def to_html
+    "<span class=\"filename\">#{CGI.escapeHTML(@file)}</span>"
+  end
+end
+class Brakeman::Messages::Input
+  def initialize input
+    @input = input
+    @value = friendly_type_of(@input)
+  end
+  def friendly_type_of input_type
+    if input_type.is_a? Brakeman::BaseCheck::Match
+      input_type = input_type.type
+    end
+    case input_type
+    when :params
+      "parameter value"
+    when :cookies
+      "cookie value"
+    when :request
+      "request value"
+    when :model
+      "model attribute"
+    else
+      "user input"
+    end
+  end
+  def to_s
+    @value
+  end
+  def to_html
+    self.to_s
+  end
+end
+class Brakeman::Messages::Literal
+  def initialize value
+    @value = value.to_s
+  end
+  def to_s
+    @value
+  end
+  def to_html
+    @value
+  end
+end
+class Brakeman::Messages::Plain
+  def initialize string
+    @value = string
+  end
+  def to_s
+    @value
+  end
+  def to_html
+    CGI.escapeHTML(@value)
+  end
+end
+class Brakeman::Messages::Version
+  def initialize version, lib
+    @version = version
+    @library = lib
+  end
+  def to_s
+    "#{@library} #{@version}"
+  end
+  def to_html
+    CGI.escapeHTML(self.to_s)
+  end
+end

data/lib/brakeman/options.rb CHANGED

@@ -169,6 +169,19 @@ module Brakeman::Options
           options[:engine_paths].merge paths
         end
+        opts.on "-E", "--enable Check1,Check2,etc", Array, "Enable the specified checks" do |checks|
+          checks.map! do |check|
+            if check.start_with? "Check"
+              check
+            else
+              "Check" << check
+            end
+          end
+          options[:enable_checks] ||= Set.new
+          options[:enable_checks].merge checks
+        end
         opts.on "-t", "--test Check1,Check2,etc", Array, "Only run the specified checks" do |checks|
           checks.each_with_index do |s, index|
             if s[0,5] != "Check"

data/lib/brakeman/parsers/template_parser.rb CHANGED

@@ -59,9 +59,9 @@ module Brakeman
       else
         require 'erb'
         src = if ERB.instance_method(:initialize).parameters.assoc(:key) # Ruby 2.6+
-          ERB.new(text, trim_mode: path).src
+          ERB.new(text, trim_mode: '-').src
         else
-          ERB.new(text, nil, path).src
+          ERB.new(text, nil, '-').src
         end
         src.sub!(/^#.*\n/, '') if Brakeman::Scanner::RUBY_1_9
         src

data/lib/brakeman/processors/alias_processor.rb CHANGED

@@ -731,6 +731,13 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         exp[2 + i] = process_if_branch branch
       end
     else
+      # Translate `if !...` into `unless ...`
+      # Technically they are different but that's only if someone overrides `!`
+      if call? condition and condition.method == :!
+        condition = condition.target
+        exps.reverse!
+      end
       was_inside = @inside_if
       @inside_if = true

data/lib/brakeman/processors/config_processor.rb CHANGED

@@ -1,11 +1,14 @@
 require 'brakeman/processors/base_processor'
 require 'brakeman/processors/alias_processor'
+require 'brakeman/processors/lib/rails4_config_processor.rb'
 require 'brakeman/processors/lib/rails3_config_processor.rb'
 require 'brakeman/processors/lib/rails2_config_processor.rb'
 class Brakeman::ConfigProcessor
   def self.new tracker
-    if tracker.options[:rails3]
+    if tracker.options[:rails4]
+      Brakeman::Rails4ConfigProcessor.new tracker
+    elsif tracker.options[:rails3]
       Brakeman::Rails3ConfigProcessor.new tracker
     else
       Brakeman::Rails2ConfigProcessor.new tracker

data/lib/brakeman/processors/gem_processor.rb CHANGED

@@ -10,8 +10,17 @@ class Brakeman::GemProcessor < Brakeman::BasicProcessor
   def process_gems gem_files
     @gem_files = gem_files
-    @gemfile = gem_files[:gemfile][:file]
-    process gem_files[:gemfile][:src]
+    @gemfile = gem_files[:gemfile] && gem_files[:gemfile][:file]
+    @gemspec = gem_files[:gemspec] && gem_files[:gemspec][:file]
+    if @gemspec
+      process gem_files[:gemspec][:src]
+    end
+    if @gemfile
+      process gem_files[:gemfile][:src]
+    end
     if gem_files[:gemlock]
       process_gem_lock
@@ -41,11 +50,30 @@ class Brakeman::GemProcessor < Brakeman::BasicProcessor
           @tracker.config.set_ruby_version version.value
         end
       end
+    elsif @inside_gemspec and exp.method == :add_dependency
+      if string? exp.first_arg and string? exp.last_arg
+        @tracker.config.add_gem exp.first_arg.value, exp.last_arg.value, @gemspec, exp.line
+      end
     end
     exp
   end
+  GEM_SPEC = s(:colon2, s(:const, :Gem), :Specification)
+  def process_iter exp
+    if exp.block_call.target == GEM_SPEC and exp.block_call.method == :new
+      @inside_gemspec = true
+      process exp.block if sexp? exp.block
+      exp
+    else
+      process_default exp
+    end
+  ensure
+    @inside_gemspec = false
+  end
   def process_gem_lock
     line_num = 1
     file = @gem_files[:gemlock][:file]

data/lib/brakeman/processors/lib/call_conversion_helper.rb CHANGED

@@ -9,7 +9,8 @@ module Brakeman
     # Join two array literals into one.
     def join_arrays lhs, rhs, original_exp = nil
       if array? lhs and array? rhs
-        result = Sexp.new(:array).line(lhs.line)
+        result = Sexp.new(:array)
+        result.line(lhs.line || rhs.line)
         result.concat lhs[1..-1]
         result.concat rhs[1..-1]
         result

data/lib/brakeman/processors/lib/rails3_route_processor.rb CHANGED

@@ -183,8 +183,6 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BasicProcessor
       else
         add_route route[1], route[0]
       end
-    elsif in_controller_block? and symbol? first_arg
-      add_route first_arg
     else hash? first_arg
       hash_iterate first_arg do |k, v|
         if string? k

data/lib/brakeman/processors/lib/rails4_config_processor.rb ADDED

@@ -0,0 +1,18 @@
+require 'brakeman/processors/lib/rails3_config_processor'
+class Brakeman::Rails4ConfigProcessor < Brakeman::Rails3ConfigProcessor
+  APPLICATION_CONFIG = s(:call, s(:call, s(:const, :Rails), :application), :configure)
+  # Look for Rails.application.configure do ... end
+  def process_iter exp
+    if exp.block_call == APPLICATION_CONFIG
+      @inside_config = true
+      process exp.block if sexp? exp.block
+      @inside_config = false
+    else
+      super
+    end
+    exp
+  end
+end

data/lib/brakeman/processors/lib/render_helper.rb CHANGED

@@ -65,6 +65,11 @@ module Brakeman::RenderHelper
       return
     end
+    if called_from
+      # Track actual template that was rendered
+      called_from.last_template = template
+    end
     template_env = only_ivars(:include_request_vars)
     #Hash the environment and the source of the template to avoid

data/lib/brakeman/processors/lib/render_path.rb CHANGED

@@ -29,6 +29,17 @@ module Brakeman
       self
     end
+    def last_template= template
+      if @path.last
+        @path.last[:rendered] = {
+          name: template.name,
+          file: template.file,
+        }
+      else
+        Brakeman.debug "[Notice] No render path to add template information"
+      end
+    end
     def include_template? name
       name = name.to_sym
@@ -71,6 +82,10 @@ module Brakeman
       @path.length
     end
+    def map &block
+      @path.map &block
+    end
     def to_a
       @path.map do |loc|
         case loc[:type]