RubyGems - brakeman-min - Versions diffs - 4.3.1 → 4.4.0 - Mend

brakeman-min 4.3.1 → 4.4.0

Files changed (95) hide show

checksums.yaml +4 -4
data/CHANGES.md +24 -1
data/README.md +35 -6
data/bin/brakeman +2 -0
data/lib/brakeman.rb +5 -3
data/lib/brakeman/app_tree.rb +15 -1
data/lib/brakeman/call_index.rb +7 -4
data/lib/brakeman/checks.rb +16 -8
data/lib/brakeman/checks/base_check.rb +2 -19
data/lib/brakeman/checks/check_basic_auth_timing_attack.rb +1 -1
data/lib/brakeman/checks/check_content_tag.rb +4 -4
data/lib/brakeman/checks/check_create_with.rb +1 -1
data/lib/brakeman/checks/check_cross_site_scripting.rb +3 -3
data/lib/brakeman/checks/check_default_routes.rb +3 -3
data/lib/brakeman/checks/check_deserialize.rb +1 -1
data/lib/brakeman/checks/check_detailed_exceptions.rb +1 -1
data/lib/brakeman/checks/check_digest_dos.rb +4 -4
data/lib/brakeman/checks/check_escape_function.rb +1 -1
data/lib/brakeman/checks/check_execute.rb +5 -4
data/lib/brakeman/checks/check_file_access.rb +13 -3
data/lib/brakeman/checks/check_file_disclosure.rb +1 -1
data/lib/brakeman/checks/check_filter_skipping.rb +1 -1
data/lib/brakeman/checks/check_forgery_setting.rb +3 -3
data/lib/brakeman/checks/check_header_dos.rb +3 -3
data/lib/brakeman/checks/check_i18n_xss.rb +3 -3
data/lib/brakeman/checks/check_jruby_xml.rb +1 -1
data/lib/brakeman/checks/check_json_encoding.rb +3 -3
data/lib/brakeman/checks/check_json_parsing.rb +8 -11
data/lib/brakeman/checks/check_link_to.rb +3 -3
data/lib/brakeman/checks/check_link_to_href.rb +2 -2
data/lib/brakeman/checks/check_mail_to.rb +3 -3
data/lib/brakeman/checks/check_mime_type_dos.rb +1 -1
data/lib/brakeman/checks/check_model_attributes.rb +4 -4
data/lib/brakeman/checks/check_model_serialize.rb +1 -1
data/lib/brakeman/checks/check_nested_attributes.rb +3 -3
data/lib/brakeman/checks/check_nested_attributes_bypass.rb +1 -1
data/lib/brakeman/checks/check_number_to_currency.rb +4 -4
data/lib/brakeman/checks/check_quote_table_name.rb +2 -2
data/lib/brakeman/checks/check_regex_dos.rb +1 -1
data/lib/brakeman/checks/check_render.rb +2 -2
data/lib/brakeman/checks/check_render_dos.rb +1 -1
data/lib/brakeman/checks/check_render_inline.rb +1 -1
data/lib/brakeman/checks/check_response_splitting.rb +1 -1
data/lib/brakeman/checks/check_route_dos.rb +1 -1
data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +1 -1
data/lib/brakeman/checks/check_sanitize_methods.rb +3 -3
data/lib/brakeman/checks/check_secrets.rb +1 -1
data/lib/brakeman/checks/check_select_tag.rb +1 -1
data/lib/brakeman/checks/check_select_vulnerability.rb +1 -1
data/lib/brakeman/checks/check_session_manipulation.rb +1 -1
data/lib/brakeman/checks/check_session_settings.rb +1 -1
data/lib/brakeman/checks/check_simple_format.rb +2 -2
data/lib/brakeman/checks/check_single_quotes.rb +14 -10
data/lib/brakeman/checks/check_skip_before_filter.rb +2 -2
data/lib/brakeman/checks/check_sprockets_path_traversal.rb +39 -0
data/lib/brakeman/checks/check_sql.rb +1 -1
data/lib/brakeman/checks/check_sql_cves.rb +2 -2
data/lib/brakeman/checks/check_strip_tags.rb +10 -8
data/lib/brakeman/checks/check_symbol_dos.rb +1 -1
data/lib/brakeman/checks/check_symbol_dos_cve.rb +1 -1
data/lib/brakeman/checks/check_translate_bug.rb +7 -7
data/lib/brakeman/checks/check_unsafe_reflection.rb +1 -1
data/lib/brakeman/checks/check_unscoped_find.rb +1 -1
data/lib/brakeman/checks/check_validation_regex.rb +1 -1
data/lib/brakeman/checks/check_weak_hash.rb +18 -19
data/lib/brakeman/checks/check_xml_dos.rb +1 -1
data/lib/brakeman/checks/check_yaml_parsing.rb +1 -1
data/lib/brakeman/format/style.css +8 -0
data/lib/brakeman/messages.rb +220 -0
data/lib/brakeman/options.rb +13 -0
data/lib/brakeman/parsers/template_parser.rb +2 -2
data/lib/brakeman/processors/alias_processor.rb +7 -0
data/lib/brakeman/processors/config_processor.rb +4 -1
data/lib/brakeman/processors/gem_processor.rb +30 -2
data/lib/brakeman/processors/lib/call_conversion_helper.rb +2 -1
data/lib/brakeman/processors/lib/rails3_route_processor.rb +0 -2
data/lib/brakeman/processors/lib/rails4_config_processor.rb +18 -0
data/lib/brakeman/processors/lib/render_helper.rb +5 -0
data/lib/brakeman/processors/lib/render_path.rb +15 -0
data/lib/brakeman/processors/library_processor.rb +1 -1
data/lib/brakeman/report/report_base.rb +17 -161
data/lib/brakeman/report/report_csv.rb +17 -0
data/lib/brakeman/report/report_html.rb +34 -31
data/lib/brakeman/report/report_json.rb +21 -0
data/lib/brakeman/report/report_markdown.rb +13 -6
data/lib/brakeman/report/report_table.rb +157 -0
data/lib/brakeman/report/report_tabs.rb +3 -1
data/lib/brakeman/report/report_text.rb +16 -0
data/lib/brakeman/scanner.rb +5 -1
data/lib/brakeman/tracker/config.rb +1 -1
data/lib/brakeman/util.rb +0 -17
data/lib/brakeman/version.rb +1 -1
data/lib/brakeman/warning.rb +9 -4
data/lib/brakeman/warning_codes.rb +1 -0
metadata +9 -6

data/lib/brakeman/processors/library_processor.rb CHANGED

@@ -13,7 +13,7 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
     @alias_processor = Brakeman::AliasProcessor.new tracker
     @current_module = nil
     @current_class = nil
-    @intializer_env = nil
+    @initializer_env = nil
   end
   def process_library src, file_name = nil

data/lib/brakeman/report/report_base.rb CHANGED

@@ -22,18 +22,25 @@ class Brakeman::Report::Base
     @warnings_summary = nil
   end
-  #Generate table of how many warnings of each warning type were reported
-  def generate_warning_overview
-    types = warnings_summary.keys
-    types.delete :high_confidence
-    values = types.sort.collect{|warning_type| [warning_type, warnings_summary[warning_type]] }
-    locals = {:types => types, :warnings_summary => warnings_summary}
+  #Return summary of warnings in hash and store in @warnings_summary
+  def warnings_summary
+    return @warnings_summary if @warnings_summary
+    summary = Hash.new(0)
+    high_confidence_warnings = 0
+    [all_warnings].each do |warnings|
+      warnings.each do |warning|
+        summary[warning.warning_type.to_s] += 1
+        high_confidence_warnings += 1 if warning.confidence == 0
+      end
+    end
-    render_array('warning_overview', ['Warning Type', 'Total'], values, locals)
+    summary[:high_confidence] = high_confidence_warnings
+    @warnings_summary = summary
   end
-  #Generate table of controllers and routes found for those controllers
-  def generate_controllers
+  def controller_information
     controller_rows = []
     tracker.controllers.keys.map{|k| k.to_s}.sort.each do |name|
@@ -67,148 +74,7 @@ class Brakeman::Report::Base
       }
     end
-    cols = ['Name', 'Parent', 'Includes', 'Routes']
-    locals = {:controller_rows => controller_rows}
-    values = controller_rows.collect{|row| row.values_at(*cols) }
-    render_array('controller_overview', cols, values, locals)
-  end
-  #Generate table of errors or return nil if no errors
-  def generate_errors
-    values = tracker.errors.collect{|error| [error[:error], error[:backtrace][0]]}
-    render_array('error_overview', ['Error', 'Location'], values, {:tracker => tracker})
-  end
-  def generate_obsolete
-    values = tracker.unused_fingerprints.collect{|fingerprint| [fingerprint] }
-    render_array('obsolete_ignore_entries', ['fingerprint'], values, {:tracker => tracker})
-  end
-  def generate_warnings
-    render_warnings generic_warnings,
-                    :warning,
-                    'security_warnings',
-                    ["Confidence", "Class", "Method", "Warning Type", "Message"],
-                    'Class'
-  end
-  #Generate table of template warnings or return nil if no warnings
-  def generate_template_warnings
-    render_warnings template_warnings,
-                    :template,
-                    'view_warnings',
-                    ['Confidence', 'Template', 'Warning Type', 'Message'],
-                    'Template'
-  end
-  #Generate table of model warnings or return nil if no warnings
-  def generate_model_warnings
-    render_warnings model_warnings,
-                    :model,
-                    'model_warnings',
-                    ['Confidence', 'Model', 'Warning Type', 'Message'],
-                    'Model'
-  end
-  #Generate table of controller warnings or nil if no warnings
-  def generate_controller_warnings
-    render_warnings controller_warnings,
-                    :controller,
-                    'controller_warnings',
-                    ['Confidence', 'Controller', 'Warning Type', 'Message'],
-                    'Controller'
-  end
-  def generate_ignored_warnings
-    render_warnings ignored_warnings,
-                    :ignored,
-                    'ignored_warnings',
-                    ['Confidence', 'Warning Type', 'File', 'Message'],
-                    'Warning Type'
-  end
-  def render_warnings warnings, type, template, cols, sort_col
-    unless warnings.empty?
-      rows = sort(convert_to_rows(warnings, type), sort_col)
-      values = rows.collect { |row| row.values_at(*cols) }
-      locals = { :warnings => rows }
-      render_array(template, cols, values, locals)
-    else
-      nil
-    end
-  end
-  def convert_to_rows warnings, type = :warning
-    warnings.map do |warning|
-      w = warning.to_row type
-      case type
-      when :warning
-        convert_warning w, warning
-      when :template
-        convert_template_warning w, warning
-      when :model
-        convert_model_warning w, warning
-      when :controller
-        convert_controller_warning w, warning
-      when :ignored
-        convert_ignored_warning w, warning
-      end
-    end
-  end
-  def convert_warning warning, original
-    warning["Confidence"] = TEXT_CONFIDENCE[warning["Confidence"]]
-    warning["Message"] = text_message original, warning["Message"]
-    warning
-  end
-  def convert_template_warning warning, original
-    convert_warning warning, original
-  end
-  def convert_model_warning warning, original
-    convert_warning warning, original
-  end
-  def convert_controller_warning warning, original
-    convert_warning warning, original
-  end
-  def convert_ignored_warning warning, original
-    convert_warning warning, original
-  end
-  def sort rows, sort_col
-    stabilizer = 0
-    rows.sort_by do |row|
-      stabilizer += 1
-      row.values_at("Confidence", "Warning Type", sort_col) << stabilizer
-    end
-  end
-  #Return summary of warnings in hash and store in @warnings_summary
-  def warnings_summary
-    return @warnings_summary if @warnings_summary
-    summary = Hash.new(0)
-    high_confidence_warnings = 0
-    [all_warnings].each do |warnings|
-      warnings.each do |warning|
-        summary[warning.warning_type.to_s] += 1
-        high_confidence_warnings += 1 if warning.confidence == 0
-      end
-    end
-    summary[:high_confidence] = high_confidence_warnings
-    @warnings_summary = summary
+    controller_rows
   end
   def all_warnings
@@ -279,14 +145,4 @@ class Brakeman::Report::Base
       "Unknown"
     end
   end
-  #Escape warning message and highlight user input in text output
-  def text_message warning, message
-    if @highlight_user_input and warning.user_input
-      user_input = warning.format_user_input
-      message.gsub(user_input, "+#{user_input}+")
-    else
-      message
-    end
-  end
 end

data/lib/brakeman/report/report_csv.rb CHANGED

@@ -52,4 +52,21 @@ class Brakeman::Report::CSV < Brakeman::Report::Table
     header << CSV.generate_line([File.expand_path(tracker.app_path), Time.now.to_s, checks.checks_run.sort.join(", "), rails_version])
     "BRAKEMAN REPORT\n\n" + header
   end
+  # rely on Terminal::Table to build the structure, extract the data out in CSV format
+  def table_to_csv table
+    return "" unless table
+    Brakeman.load_brakeman_dependency 'terminal-table'
+    headings = table.headings
+    if headings.is_a? Array
+      headings = headings.first
+    end
+    output = CSV.generate_line(headings.cells.map{|cell| cell.to_s.strip})
+    table.rows.each do |row|
+      output << CSV.generate_line(row.cells.map{|cell| cell.to_s.strip})
+    end
+    output
+  end
 end

data/lib/brakeman/report/report_html.rb CHANGED

@@ -1,9 +1,10 @@
 require 'cgi'
+require 'brakeman/report/report_table.rb'
-class Brakeman::Report::HTML < Brakeman::Report::Base
+class Brakeman::Report::HTML < Brakeman::Report::Table
   HTML_CONFIDENCE = [ "<span class='high-confidence'>High</span>",
-    "<span class='med-confidence'>Medium</span>",
-    "<span class='weak-confidence'>Weak</span>" ]
+                      "<span class='med-confidence'>Medium</span>",
+                      "<span class='weak-confidence'>Weak</span>" ]
   def initialize *args
     super
@@ -66,20 +67,18 @@ class Brakeman::Report::HTML < Brakeman::Report::Base
   end
   def convert_warning warning, original
-    warning["Confidence"] = HTML_CONFIDENCE[warning["Confidence"]]
+    warning["Confidence"] = HTML_CONFIDENCE[original.confidence]
     warning["Message"] = with_context original, warning["Message"]
     warning["Warning Type"] = with_link original, warning["Warning Type"]
     warning
   end
   def with_link warning, message
-    "<a rel=\"no-referrer\" href=\"#{warning.link}\">#{message}</a>"
+    "<a rel=\"noreferrer\" href=\"#{warning.link}\">#{message}</a>"
   end
   def convert_template_warning warning, original
-    warning["Confidence"] = HTML_CONFIDENCE[warning["Confidence"]]
-    warning["Message"] = with_context original, warning["Message"]
-    warning["Warning Type"] = with_link original, warning["Warning Type"]
+    warning = convert_warning warning, original
     warning["Called From"] = original.called_from
     warning["Template Name"] = original.template.name
     warning
@@ -113,29 +112,16 @@ class Brakeman::Report::HTML < Brakeman::Report::Base
   #Generate HTML for warnings, including context show/hidden via Javascript
   def with_context warning, message
+    @element_id += 1
     context = context_for(@app_tree, warning)
-    full_message = nil
-    if tracker.options[:message_limit] and tracker.options[:message_limit] > 0 and message.length > tracker.options[:message_limit]
-      full_message = html_message(warning, message)
-      message = message[0..tracker.options[:message_limit]] << "..."
-    end
     message = html_message(warning, message)
-    return message if context.empty? and not full_message
-    @element_id += 1
     code_id = "context#@element_id"
     message_id = "message#@element_id"
     full_message_id = "full_message#@element_id"
     alt = false
     output = "<div class='warning_message' onClick=\"toggle('#{code_id}');toggle('#{message_id}');toggle('#{full_message_id}')\" >" <<
-    if full_message
-      "<span id='#{message_id}' style='display:block' >#{message}</span>" <<
-      "<span id='#{full_message_id}' style='display:none'>#{full_message}</span>"
-    else
-      message
-    end <<
+    message <<
     "<table id='#{code_id}' class='context' style='display:none'>" <<
     "<caption>#{CGI.escapeHTML warning_file(warning) || ''}</caption>"
@@ -199,18 +185,35 @@ class Brakeman::Report::HTML < Brakeman::Report::Base
   #Escape warning message and highlight user input in HTML output
   def html_message warning, message
-    message = CGI.escapeHTML(message)
+    message = message.to_html
     if warning.file
-      github_url = github_url warning.file, warning.line
-      message.gsub!(/(near line \d+)/, "<a href=\"#{github_url}\" target='_blank'>\\1</a>") if github_url
+      if github_url = github_url(warning.file, warning.line)
+        message << " <a href=\"#{github_url}\" target='_blank'>near line #{warning.line}</a>"
+      elsif warning.line
+        message << " near line #{warning.line}"
+      end
     end
-    if @highlight_user_input and warning.user_input
-      user_input = CGI.escapeHTML(warning.format_user_input)
-      message.gsub!(user_input, "<span class=\"user_input\">#{user_input}</span>")
-    end
+    if warning.code
+      code = warning.format_with_user_input do |_, user_input|
+        "[BMP_UI]#{user_input}[/BMP_UI]"
+      end
+      code = "<span class=\"code\">#{CGI.escapeHTML(code).gsub("[BMP_UI]", "<span class=\"user_input\">").gsub("[/BMP_UI]", "</span>")}</span>"
+      full_message = "#{message}: #{code}"
-    message
+      if warning.code.mass > 20
+        message_id = "message#@element_id"
+        full_message_id = "full_message#@element_id"
+        "<span id='#{message_id}' style='display:block'>#{message}: ...</span>" <<
+        "<span id='#{full_message_id}' style='display:none'>#{full_message}</span>"
+      else
+        full_message
+      end
+    else
+      message
+    end
   end
 end

data/lib/brakeman/report/report_json.rb CHANGED

@@ -38,8 +38,29 @@ class Brakeman::Report::JSON < Brakeman::Report::Base
   def convert_to_hashes warnings
     warnings.map do |w|
       hash = w.to_hash
+      hash[:render_path] = convert_render_path hash[:render_path]
       hash[:file] = warning_file w
       hash
     end.sort_by { |w| "#{w[:fingerprint]}#{w[:line]}" }
   end
+  def convert_render_path render_path
+    return unless render_path and not @tracker.options[:absolute_paths]
+    render_path.map do |r|
+      r = r.dup
+      if r[:file]
+        r[:file] = relative_path(r[:file])
+      end
+      if r[:rendered] and r[:rendered][:file]
+        r[:rendered] = r[:rendered].dup
+        r[:rendered][:file] = relative_path(r[:rendered][:file])
+      end
+      r
+    end
+  end
 end

data/lib/brakeman/report/report_markdown.rb CHANGED

@@ -92,16 +92,23 @@ class Brakeman::Report::Markdown < Brakeman::Report::Table
   # Escape and code format warning message
   def markdown_message warning, message
+    message = message.to_s
     if warning.file
       github_url = github_url warning.file, warning.line
-      message.gsub!(/(near line \d+)/, "[\\1](#{github_url})") if github_url
+      if github_url
+        message << " near line [#{warning.line}](#{github_url})"
+      elsif warning.line
+        message << " near line #{warning.line}"
+      end
     end
     if warning.code
-      code = warning.format_code
-      message.gsub(code, "`#{code.gsub('`','``').gsub(/\A``|``\z/, '` `')}`")
-    else
-      message
+      code = warning.format_code.gsub('`','``').gsub(/\A``|``\z/, '` `')
+      message << ": `#{code}`"
     end
-  end
+    message
+  end
 end

data/lib/brakeman/report/report_table.rb CHANGED

@@ -62,6 +62,96 @@ class Brakeman::Report::Table < Brakeman::Report::Base
     end
   end
+  #Generate table of how many warnings of each warning type were reported
+  def generate_warning_overview
+    types = warnings_summary.keys
+    types.delete :high_confidence
+    values = types.sort.collect{|warning_type| [warning_type, warnings_summary[warning_type]] }
+    locals = {:types => types, :warnings_summary => warnings_summary}
+    render_array('warning_overview', ['Warning Type', 'Total'], values, locals)
+  end
+  #Generate table of controllers and routes found for those controllers
+  def generate_controllers
+    controller_rows = controller_information
+    cols = ['Name', 'Parent', 'Includes', 'Routes']
+    locals = {:controller_rows => controller_rows}
+    values = controller_rows.collect{|row| row.values_at(*cols) }
+    render_array('controller_overview', cols, values, locals)
+  end
+  #Generate table of errors or return nil if no errors
+  def generate_errors
+    values = tracker.errors.collect{|error| [error[:error], error[:backtrace][0]]}
+    render_array('error_overview', ['Error', 'Location'], values, {:tracker => tracker})
+  end
+  def generate_obsolete
+    values = tracker.unused_fingerprints.collect{|fingerprint| [fingerprint] }
+    render_array('obsolete_ignore_entries', ['fingerprint'], values, {:tracker => tracker})
+  end
+  def generate_warnings
+    render_warnings generic_warnings,
+                    :warning,
+                    'security_warnings',
+                    ["Confidence", "Class", "Method", "Warning Type", "Message"],
+                    'Class'
+  end
+  #Generate table of template warnings or return nil if no warnings
+  def generate_template_warnings
+    render_warnings template_warnings,
+                    :template,
+                    'view_warnings',
+                    ['Confidence', 'Template', 'Warning Type', 'Message'],
+                    'Template'
+  end
+  #Generate table of model warnings or return nil if no warnings
+  def generate_model_warnings
+    render_warnings model_warnings,
+                    :model,
+                    'model_warnings',
+                    ['Confidence', 'Model', 'Warning Type', 'Message'],
+                    'Model'
+  end
+  #Generate table of controller warnings or nil if no warnings
+  def generate_controller_warnings
+    render_warnings controller_warnings,
+                    :controller,
+                    'controller_warnings',
+                    ['Confidence', 'Controller', 'Warning Type', 'Message'],
+                    'Controller'
+  end
+  def generate_ignored_warnings
+    render_warnings ignored_warnings,
+                    :ignored,
+                    'ignored_warnings',
+                    ['Confidence', 'Warning Type', 'File', 'Message'],
+                    'Warning Type'
+  end
+  def render_warnings warnings, type, template, cols, sort_col
+    unless warnings.empty?
+      rows = sort(convert_to_rows(warnings, type), sort_col)
+      values = rows.collect { |row| row.values_at(*cols) }
+      locals = { :warnings => rows }
+      render_array(template, cols, values, locals)
+    else
+      nil
+    end
+  end
   #Generate listings of templates and their output
   def generate_templates
     out_processor = Brakeman::OutputProcessor.new
@@ -92,6 +182,44 @@ class Brakeman::Report::Table < Brakeman::Report::Base
     output
   end
+  def convert_to_rows warnings, type = :warning
+    warnings.map do |warning|
+      w = warning.to_row type
+      case type
+      when :warning
+        convert_warning w, warning
+      when :ignored
+        convert_ignored_warning w, warning
+      when :template
+        convert_template_warning w, warning
+      else
+        convert_warning w, warning
+      end
+    end
+  end
+  def convert_warning warning, original
+    warning
+  end
+  def convert_ignored_warning warning, original
+    convert_warning warning, original
+  end
+  def convert_template_warning warning, original
+    convert_warning warning, original
+  end
+  def sort rows, sort_col
+    stabilizer = 0
+    rows.sort_by do |row|
+      stabilizer += 1
+      row.values_at("Confidence", "Warning Type", sort_col) << stabilizer
+    end
+  end
   def render_array template, headings, value_array, locals
     return if value_array.empty?
@@ -100,6 +228,35 @@ class Brakeman::Report::Table < Brakeman::Report::Base
     end
   end
+  def convert_warning warning, original
+    warning["Message"] = text_message original, warning["Message"]
+    warning
+  end
+  #Escape warning message and highlight user input in text output
+  def text_message warning, message
+    message = message.to_s
+    if warning.line
+      message << " near line #{warning.line}"
+    end
+    if warning.code
+      if @highlight_user_input and warning.user_input
+        code = warning.format_with_user_input do |user_input, user_input_string|
+          "+#{user_input_string}+"
+        end
+      else
+        code = warning.format_code
+      end
+      message << ": #{code}"
+    end
+    message
+  end
   #Generate header for text output
   def text_header
     <<-HEADER