brakeman-min 4.7.2 → 4.9.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4a6cc961dcc300bf0fd78eeee53b715dc62ae4d7d0e1d27320cc6a6ef00ff5e3
-  data.tar.gz: 0ba044de5c3a3274b90ed2da001914ffa26aa74fd6b2c7d4b15d7b3d120b5c7d
+  metadata.gz: b0fcf3c3ee13f623d43462b52e575c0d89670f9efd97029f024e1dd4428ecdad
+  data.tar.gz: 28ffc613573a1be76a17daa9d47b97fe82c83efb85beeb475543f536f5f16dd9
 SHA512:
-  metadata.gz: ba6ea029432adb3c9c56fa53fc11292f8d71b857eeb03bbacc2ae9f349cfbedfa13c13a74be732616844e5243d8d3bc3690a776e056a9e9f4441f7e0a9d61637
-  data.tar.gz: ba2cf378cc029a7b583b47f69715897012ddc5d07b39749638128ea8cfc92e190b05bb6ea919d68d62c91bfb80ca7ee95d293f7c3b16096d204d15f11d13f197
+  metadata.gz: 9ae9718ffe7c7d062a0de46bd3bc1505c2c626fbfaede605505cad16ffaf89a8c50bc9e134d27f63d5450ce286c8c4aca67b26c8265dc730a83fa0b423cef6cf
+  data.tar.gz: fe49548d88cc579e7a8c540655bcde6107a51015a812440cb385d024e301932e52155f28ec12efa4078305b34b7e7ff21487c102b54cc17d718b715b37c49b17

data/CHANGES.md

@@ -1,3 +1,49 @@
+# 4.9.1 - 2020-09-04
+
+* Check `chomp`ed strings for SQL injection
+* Use version from `active_record` for non-Rails apps (Ulysse Buonomo)
+* Always set line number for joined arrays
+* Avoid warning about missing `attr_accessible` if `protected_attributes` gem is used
+
+# 4.9.0 - 2020-08-04
+
+* Add check for CVE-2020-8166 (Jamie Finnigan)
+* Avoid warning when `safe_yaml` is used via `YAML.load(..., safe: true)`
+* Add check for user input in `ERB.new` (Matt Hickman)
+* Add `--ensure-ignore-notes` (Eli Block)
+* Remove whitelist/blacklist language, add clarifications
+* Do not warn about mass assignment with `params.permit!.slice`
+* Add "full call" information to call index results
+* Ignore `params.permit!` in path helpers
+* Treat `Dir.glob` as safe source of values in guards
+* Always scan `environment.rb`
+
+# 4.8.2 - 2020-05-12
+
+* Add check for CVE-2020-8159
+* Fix `authenticate_or_request_with_http_basic` check for passed blocks (Hugo Corbucci)
+* Add `--text-fields` option
+* Add check for escaping HTML entities in JSON configuration
+
+# 4.8.1 - 2020-04-06
+
+* Check SQL query strings using `String#strip` or `String.squish`
+* Handle non-symbol keys in locals hash for render()
+* Warn about global(!) mass assignment
+* Index calls in render arguments
+
+# 4.8.0 - 2020-02-18 
+
+* Add JUnit-XML report format (Naoki Kimura)
+* Sort ignore files by fingerprint and line (Ngan Pham)
+* Freeze call index results
+* Fix output test when using newer Minitest
+* Properly render confidence in Markdown report
+* Report old warnings as fixed if zero warnings reported
+* Catch dangerous concatenation in `CheckExecute` (Jacob Evelyn)
+* Show user-friendly message when ignore config file has invalid JSON (D. Hicks)
+* Initialize Rails version with `nil` (Carsten Wirth)
+
 # 4.7.2 - 2019-11-25
 
 * Remove version guard for `named_scope` vs. `scope`

data/README.md

@@ -16,9 +16,11 @@ Using RubyGems:
 
 Using Bundler:
 
-    group :development do
-      gem 'brakeman'
-    end
+```ruby
+group :development do
+  gem 'brakeman'
+end
+```
 
 Using Docker:
 
@@ -74,12 +76,16 @@ To specify an output file for the results:
 
     brakeman -o output_file
 
-The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `markdown`, `csv`, and `codeclimate`.
+The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `junit`, `markdown`, `csv`, and `codeclimate`.
 
 Multiple output files can be specified:
 
     brakeman -o output.html -o output.json
 
+To output to both a file and to the console, with color:
+
+    brakeman --color -o /dev/stdout -o output.json
+
 To suppress informational warnings and just output the report:
 
     brakeman -q
@@ -167,6 +173,8 @@ There is a [plugin available](http://brakemanscanner.org/docs/jenkins/) for Jenk
 
 For even more continuous testing, try the [Guard plugin](https://github.com/guard/guard-brakeman).
 
+There are a couple [Github Actions](https://github.com/marketplace?type=actions&query=brakeman) available.
+
 # Building
 
     git clone git://github.com/presidentbeef/brakeman.git

data/lib/brakeman.rb

@@ -20,6 +20,10 @@ module Brakeman
   #option is set
   Errors_Found_Exit_Code = 7
 
+  #Exit code returned when an ignored warning has no note and
+  #--ensure-ignore-notes is set
+  Empty_Ignore_Note_Exit_Code = 8
+
   @debug = false
   @quiet = false
   @loaded_dependencies = []
@@ -231,6 +235,8 @@ module Brakeman
       [:to_text]
     when :table, :to_table
       [:to_table]
+    when :junit, :to_junit
+      [:to_junit]
     else
       [:to_text]
     end
@@ -258,6 +264,8 @@ module Brakeman
         :to_text
       when /\.table$/i
         :to_table
+      when /\.junit$/i
+        :to_junit
       else
         :to_text
       end
@@ -494,6 +502,18 @@ module Brakeman
     end
   end
 
+  # Returns an array of alert fingerprints for any ignored warnings without
+  # notes found in the specified ignore file (if it exists).
+  def self.ignore_file_entries_with_empty_notes file
+    return [] unless file
+
+    require 'brakeman/report/ignore/config'
+
+    config = IgnoreConfig.new(file, nil)
+    config.read_from_file
+    config.already_ignored_entries_with_empty_notes.map { |i| i[:fingerprint] }
+  end
+
   def self.filter_warnings tracker, options
     require 'brakeman/report/ignore/config'
 

data/lib/brakeman/checks/base_check.rb

@@ -280,15 +280,6 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     return location, line
   end
 
-  #Checks if an expression contains string interpolation.
-  #
-  #Returns Match with :interp type if found.
-  def include_interp? exp
-    @string_interp = false
-    process exp
-    @string_interp
-  end
-
   #Checks if _exp_ includes user input in the form of cookies, parameters,
   #request environment, or model attributes.
   #
@@ -476,7 +467,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   end
 
   def gemfile_or_environment gem_name = :rails
-    if gem_name and info = tracker.config.get_gem(gem_name)
+    if gem_name and info = tracker.config.get_gem(gem_name.to_sym)
       info
     elsif @app_tree.exists?("Gemfile")
       @app_tree.file_path "Gemfile"
@@ -504,4 +495,16 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
 
     @active_record_models
   end
+
+  STRING_METHODS = Set[:<<, :+, :concat, :prepend]
+  private_constant :STRING_METHODS
+
+  def string_building? exp
+    return false unless call? exp and STRING_METHODS.include? exp.method
+
+    node_type? exp.target, :str, :dstr or
+    node_type? exp.first_arg, :str, :dstr or
+    string_building? exp.target or
+    string_building? exp.first_arg
+  end
 end

data/lib/brakeman/checks/check_basic_auth.rb

@@ -57,6 +57,8 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
 
   # Check if the block of a result contains a comparison of password to string
   def include_password_literal? result
+    return false if result[:block_args].nil?
+
     @password_var = result[:block_args].last
     @include_password = false
     process result[:block]

data/lib/brakeman/checks/check_content_tag.rb

@@ -55,8 +55,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
 
     @current_file = result[:location][:file]
 
-    call = result[:call] = result[:call].dup
-
+    call = result[:call]
     args = call.arglist
 
     tag_name = args[1]

data/lib/brakeman/checks/check_csrf_token_forgery_cve.rb

@@ -0,0 +1,28 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckCSRFTokenForgeryCVE < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for versions with CSRF token forgery vulnerability (CVE-2020-8166)"
+
+  def run_check
+    fix_version = case
+      when version_between?('0.0.0', '5.2.4.2')
+        '5.2.4.3'
+      when version_between?('6.0.0', '6.0.3')
+        '6.0.3.1'
+      else
+        nil
+      end
+
+    if fix_version
+      warn :warning_type => "Cross-Site Request Forgery",
+        :warning_code => :CVE_2020_8166,
+        :message => msg(msg_version(rails_version), " has a vulnerability that may allow CSRF token forgery. Upgrade to ", msg_version(fix_version), " or patch"),
+        :confidence => :medium,
+        :gem_info => gemfile_or_environment,
+        :link => "https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw"
+    end
+  end
+end
+

data/lib/brakeman/checks/check_deserialize.rb

@@ -13,7 +13,23 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
   end
 
   def check_yaml
-    check_methods :YAML, :load, :load_documents, :load_stream, :parse_documents, :parse_stream
+    check_methods :YAML, :load_documents, :load_stream, :parse_documents, :parse_stream
+
+    # Check for safe_yaml gem use with YAML.load(..., safe: true)
+    if uses_safe_yaml?
+      tracker.find_call(target: :YAML, method: :load).each do |result|
+        call = result[:call]
+        options = call.second_arg
+
+        if hash? options and true? hash_access(options, :safe)
+          next
+        else
+          check_deserialize result, :YAML
+        end
+      end
+    else
+      check_methods :YAML, :load
+    end
   end
 
   def check_csv
@@ -102,4 +118,8 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
 
     false
   end
+
+  def uses_safe_yaml?
+    tracker.config.has_gem? :safe_yaml
+  end
 end

data/lib/brakeman/checks/check_execute.rb

@@ -56,8 +56,20 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
 
     case call.method
     when :popen
-      unless array? first_arg
-        failure = include_user_input?(args) || dangerous_interp?(args)
+      # Normally, if we're in a `popen` call, we only are worried about shell
+      # injection when the argument is not an array, because array elements
+      # are always escaped by Ruby. However, an exception is when the array
+      # contains two values are something like "bash -c" because then the third
+      # element is effectively the command being run and might be a malicious
+      # executable if it comes (partially or fully) from user input.
+      if !array?(first_arg)
+        failure = include_user_input?(first_arg) ||
+                  dangerous_interp?(first_arg) ||
+                  dangerous_string_building?(first_arg)
+      elsif dash_c_shell_command?(first_arg[1], first_arg[2])
+        failure = include_user_input?(first_arg[3]) ||
+                  dangerous_interp?(first_arg[3]) ||
+                  dangerous_string_building?(first_arg[3])
       end
     when :system, :exec
       # Normally, if we're in a `system` or `exec` call, we only are worried
@@ -67,12 +79,18 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
       # the third argument is effectively the command being run and might be
       # a malicious executable if it comes (partially or fully) from user input.
       if dash_c_shell_command?(first_arg, call.second_arg)
-        failure = include_user_input?(args[3]) || dangerous_interp?(args[3])
+        failure = include_user_input?(args[3]) ||
+                  dangerous_interp?(args[3]) ||
+                  dangerous_string_building?(args[3])
       else
-        failure = include_user_input?(first_arg) || dangerous_interp?(first_arg)
+        failure = include_user_input?(first_arg) ||
+                  dangerous_interp?(first_arg) ||
+                  dangerous_string_building?(first_arg)
       end
     else
-      failure = include_user_input?(args) || dangerous_interp?(args)
+      failure = include_user_input?(args) ||
+                dangerous_interp?(args) ||
+                dangerous_string_building?(args)
     end
 
     if failure and original? result
@@ -219,6 +237,23 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
     false
   end
 
+  #Checks if an expression contains string interpolation.
+  #
+  #Returns Match with :interp type if found.
+  def include_interp? exp
+    @string_interp = false
+    process exp
+    @string_interp
+  end
+
+  def dangerous_string_building? exp
+    if string_building?(exp) && res = dangerous?(exp)
+      return Match.new(:interp, res)
+    end
+
+    false
+  end
+
   def shell_escape? exp
     return false unless call? exp
 

data/lib/brakeman/checks/check_json_entity_escape.rb

@@ -0,0 +1,38 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckJSONEntityEscape < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Check if HTML escaping is disabled for JSON output"
+
+  def run_check
+    check_config_setting
+    check_manual_disable
+  end
+
+  def check_config_setting
+    if false? tracker.config.rails.dig(:active_support, :escape_html_entities_in_json)
+      warn :warning_type => "Cross-Site Scripting",
+        :warning_code => :json_html_escape_config,
+        :message => msg("HTML entities in JSON are not escaped by default"),
+        :confidence => :medium,
+        :file => "config/environments/production.rb",
+        :line => 1
+    end
+  end
+
+  def check_manual_disable
+    tracker.find_call(targets: [:ActiveSupport, :'ActiveSupport::JSON::Encoding'], method: :escape_html_entities_in_json=).each do |result|
+      setting = result[:call].first_arg
+
+      if false? setting
+        warn :result => result,
+          :warning_type => "Cross-Site Scripting",
+          :warning_code => :json_html_escape_module,
+          :message => msg("HTML entities in JSON are not escaped by default"),
+          :confidence => :medium,
+          :file => "config/environments/production.rb"
+      end
+    end
+  end
+end

data/lib/brakeman/checks/check_link_to.rb

@@ -34,7 +34,7 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
 
     #Have to make a copy of this, otherwise it will be changed to
     #an ignored method call by the code above.
-    call = result[:call] = result[:call].dup
+    call = result[:call]
 
     first_arg = call.first_arg
     second_arg = call.second_arg

data/lib/brakeman/checks/check_link_to_href.rb

@@ -30,9 +30,7 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
   end
 
   def process_result result
-    #Have to make a copy of this, otherwise it will be changed to
-    #an ignored method call by the code above.
-    call = result[:call] = result[:call].dup
+    call = result[:call]
     @matched = false
 
     url_arg = if result[:block]

data/lib/brakeman/checks/check_mass_assignment.rb

@@ -17,6 +17,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
   def run_check
     check_mass_assignment
     check_permit!
+    check_permit_all_parameters
   end
 
   def find_mass_assign_calls
@@ -159,12 +160,27 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
   # Look for and warn about uses of Parameters#permit! for mass assignment
   def check_permit!
     tracker.find_call(:method => :permit!, :nested => true).each do |result|
-      if params? result[:call].target and not result[:chain].include? :slice
-        warn_on_permit! result
+      if params? result[:call].target
+        unless inside_safe_method? result or calls_slice? result
+          warn_on_permit! result
+        end
       end
     end
   end
 
+  # Ignore blah_some_path(params.permit!)
+  def inside_safe_method? result
+    parent_call = result.dig(:parent, :call)
+
+    call? parent_call and
+      parent_call.method.match(/_path$/)
+  end
+
+  def calls_slice? result
+    result[:chain].include? :slice or
+      (result[:full_call] and result[:full_call][:chain].include? :slice)
+  end
+
   # Look for actual use of params in mass assignment to avoid
   # warning about uses of Parameters#permit! without any mass assignment
   # or when mass assignment is restricted by model instead.
@@ -190,7 +206,21 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
     warn :result => result,
       :warning_type => "Mass Assignment",
       :warning_code => :mass_assign_permit!,
-      :message => "Parameters should be whitelisted for mass assignment",
+      :message => msg('Specify exact keys allowed for mass assignment instead of using ', msg_code('permit!'), ' which allows any keys'),
       :confidence => confidence
   end
+
+  def check_permit_all_parameters
+    tracker.find_call(target: :"ActionController::Parameters", method: :permit_all_parameters=).each do |result|
+      call = result[:call]
+
+      if true? call.first_arg
+        warn :result => result,
+          :warning_type => "Mass Assignment",
+          :warning_code => :mass_assign_permit_all,
+          :message => msg('Mass assignment is globally enabled. Disable and specify exact keys using ', msg_code('params.permit'), ' instead'),
+          :confidence => :high
+      end
+    end
+  end
 end