brakeman-min 4.8.1 → 4.10.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 92ecc405f5d8aa44662d99820f962df8e9b2fe6391837b06639511c7cb7a24bc
-  data.tar.gz: e991cb7e2732104d3859973aedad74ddce99157f5143c0799c90c2c489289e44
+  metadata.gz: d0d7f92e4d46129b7c1861da8af2bd27a0127640865d04dacc07e92dfcc2457a
+  data.tar.gz: a917080c19ddeed2b76e9509e9ffc9cfde9ff103f506085ee22681c5d5feef4c
 SHA512:
-  metadata.gz: 6fc22f32bfead785a7fe0b5ac06289b323b2a047528f4d1da238b8e0d233ecfabb37a869a51c72698974d9b15e7818d47ef2fafc8dd57fc578bce46c3f3a29b3
-  data.tar.gz: 5b96b57238d6e2813dbd83744c32ba546e116e205d0b3546bc52010621394ee7c8f012c258155aed021010e535c8f8ee706108059f7c8ef54019a66a25658d03
+  metadata.gz: 16bfcae603909f9a89719fdb3f92e7d5d75cabe4285e5b40bdff759da2cbc82f361b6c190a7b9f0d5fa1199e1bd9f39e17e9894966ddf646fba9463db1089a5f
+  data.tar.gz: 766484db48898d8495a3ade3930edf52d508267f134b581938f426d43684c0bdd1929c3c0bc96cd73ce7e9c16e975e5b3fa24e7911f83c84fb396bf30349b830

data/CHANGES.md

@@ -1,3 +1,42 @@
+# 4.10.1 - 2020-12-24
+
+* Declare REXML as a dependency (Ruby 3.0 compatibility)
+* Use `Sexp#sexp_body` instead of `Sexp#[..]` (Ruby 3.0 compatibility)
+* Prevent render loops when template names are absolute paths
+* Ensure RubyParser is passed file path as a String
+* Support new Haml 5.2.0 escaping method
+
+# 4.10.0 - 2020-09-28
+
+* Add SARIF report format (Steve Winton)
+
+# 4.9.1 - 2020-09-04
+
+* Check `chomp`ed strings for SQL injection
+* Use version from `active_record` for non-Rails apps (Ulysse Buonomo)
+* Always set line number for joined arrays
+* Avoid warning about missing `attr_accessible` if `protected_attributes` gem is used
+
+# 4.9.0 - 2020-08-04
+
+* Add check for CVE-2020-8166 (Jamie Finnigan)
+* Avoid warning when `safe_yaml` is used via `YAML.load(..., safe: true)`
+* Add check for user input in `ERB.new` (Matt Hickman)
+* Add `--ensure-ignore-notes` (Eli Block)
+* Remove whitelist/blacklist language, add clarifications
+* Do not warn about mass assignment with `params.permit!.slice`
+* Add "full call" information to call index results
+* Ignore `params.permit!` in path helpers
+* Treat `Dir.glob` as safe source of values in guards
+* Always scan `environment.rb`
+
+# 4.8.2 - 2020-05-12
+
+* Add check for CVE-2020-8159
+* Fix `authenticate_or_request_with_http_basic` check for passed blocks (Hugo Corbucci)
+* Add `--text-fields` option
+* Add check for escaping HTML entities in JSON configuration
+
 # 4.8.1 - 2020-04-06
 
 * Check SQL query strings using `String#strip` or `String.squish`

data/README.md

@@ -16,9 +16,11 @@ Using RubyGems:
 
 Using Bundler:
 
-    group :development do
-      gem 'brakeman'
-    end
+```ruby
+group :development do
+  gem 'brakeman'
+end
+```
 
 Using Docker:
 

data/lib/brakeman.rb

@@ -20,6 +20,10 @@ module Brakeman
   #option is set
   Errors_Found_Exit_Code = 7
 
+  #Exit code returned when an ignored warning has no note and
+  #--ensure-ignore-notes is set
+  Empty_Ignore_Note_Exit_Code = 8
+
   @debug = false
   @quiet = false
   @loaded_dependencies = []
@@ -233,6 +237,8 @@ module Brakeman
       [:to_table]
     when :junit, :to_junit
       [:to_junit]
+    when :sarif, :to_sarif
+      [:to_sarif]
     else
       [:to_text]
     end
@@ -262,6 +268,8 @@ module Brakeman
         :to_table
       when /\.junit$/i
         :to_junit
+      when /\.sarif$/i
+        :to_sarif
       else
         :to_text
       end
@@ -498,6 +506,18 @@ module Brakeman
     end
   end
 
+  # Returns an array of alert fingerprints for any ignored warnings without
+  # notes found in the specified ignore file (if it exists).
+  def self.ignore_file_entries_with_empty_notes file
+    return [] unless file
+
+    require 'brakeman/report/ignore/config'
+
+    config = IgnoreConfig.new(file, nil)
+    config.read_from_file
+    config.already_ignored_entries_with_empty_notes.map { |i| i[:fingerprint] }
+  end
+
   def self.filter_warnings tracker, options
     require 'brakeman/report/ignore/config'
 

data/lib/brakeman/checks/base_check.rb

@@ -467,7 +467,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   end
 
   def gemfile_or_environment gem_name = :rails
-    if gem_name and info = tracker.config.get_gem(gem_name)
+    if gem_name and info = tracker.config.get_gem(gem_name.to_sym)
       info
     elsif @app_tree.exists?("Gemfile")
       @app_tree.file_path "Gemfile"

data/lib/brakeman/checks/check_basic_auth.rb

@@ -57,6 +57,8 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
 
   # Check if the block of a result contains a comparison of password to string
   def include_password_literal? result
+    return false if result[:block_args].nil?
+
     @password_var = result[:block_args].last
     @include_password = false
     process result[:block]

data/lib/brakeman/checks/check_csrf_token_forgery_cve.rb

@@ -0,0 +1,28 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckCSRFTokenForgeryCVE < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for versions with CSRF token forgery vulnerability (CVE-2020-8166)"
+
+  def run_check
+    fix_version = case
+      when version_between?('0.0.0', '5.2.4.2')
+        '5.2.4.3'
+      when version_between?('6.0.0', '6.0.3')
+        '6.0.3.1'
+      else
+        nil
+      end
+
+    if fix_version
+      warn :warning_type => "Cross-Site Request Forgery",
+        :warning_code => :CVE_2020_8166,
+        :message => msg(msg_version(rails_version), " has a vulnerability that may allow CSRF token forgery. Upgrade to ", msg_version(fix_version), " or patch"),
+        :confidence => :medium,
+        :gem_info => gemfile_or_environment,
+        :link => "https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw"
+    end
+  end
+end
+

data/lib/brakeman/checks/check_deserialize.rb

@@ -13,7 +13,23 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
   end
 
   def check_yaml
-    check_methods :YAML, :load, :load_documents, :load_stream, :parse_documents, :parse_stream
+    check_methods :YAML, :load_documents, :load_stream, :parse_documents, :parse_stream
+
+    # Check for safe_yaml gem use with YAML.load(..., safe: true)
+    if uses_safe_yaml?
+      tracker.find_call(target: :YAML, method: :load).each do |result|
+        call = result[:call]
+        options = call.second_arg
+
+        if hash? options and true? hash_access(options, :safe)
+          next
+        else
+          check_deserialize result, :YAML
+        end
+      end
+    else
+      check_methods :YAML, :load
+    end
   end
 
   def check_csv
@@ -102,4 +118,8 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
 
     false
   end
+
+  def uses_safe_yaml?
+    tracker.config.has_gem? :safe_yaml
+  end
 end

data/lib/brakeman/checks/check_execute.rb

@@ -208,7 +208,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
       if node_type? e, :if
         # If we're in a conditional, evaluate the `then` and `else` clauses to
         # see if they're dangerous.
-        if res = dangerous?(e.values[1..-1])
+        if res = dangerous?(e.sexp_body.sexp_body)
           return res
         end
       elsif node_type? e, :or, :evstr, :dstr

data/lib/brakeman/checks/check_json_entity_escape.rb

@@ -0,0 +1,38 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckJSONEntityEscape < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Check if HTML escaping is disabled for JSON output"
+
+  def run_check
+    check_config_setting
+    check_manual_disable
+  end
+
+  def check_config_setting
+    if false? tracker.config.rails.dig(:active_support, :escape_html_entities_in_json)
+      warn :warning_type => "Cross-Site Scripting",
+        :warning_code => :json_html_escape_config,
+        :message => msg("HTML entities in JSON are not escaped by default"),
+        :confidence => :medium,
+        :file => "config/environments/production.rb",
+        :line => 1
+    end
+  end
+
+  def check_manual_disable
+    tracker.find_call(targets: [:ActiveSupport, :'ActiveSupport::JSON::Encoding'], method: :escape_html_entities_in_json=).each do |result|
+      setting = result[:call].first_arg
+
+      if false? setting
+        warn :result => result,
+          :warning_type => "Cross-Site Scripting",
+          :warning_code => :json_html_escape_module,
+          :message => msg("HTML entities in JSON are not escaped by default"),
+          :confidence => :medium,
+          :file => "config/environments/production.rb"
+      end
+    end
+  end
+end

data/lib/brakeman/checks/check_mass_assignment.rb

@@ -160,12 +160,27 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
   # Look for and warn about uses of Parameters#permit! for mass assignment
   def check_permit!
     tracker.find_call(:method => :permit!, :nested => true).each do |result|
-      if params? result[:call].target and not result[:chain].include? :slice
-        warn_on_permit! result
+      if params? result[:call].target
+        unless inside_safe_method? result or calls_slice? result
+          warn_on_permit! result
+        end
       end
     end
   end
 
+  # Ignore blah_some_path(params.permit!)
+  def inside_safe_method? result
+    parent_call = result.dig(:parent, :call)
+
+    call? parent_call and
+      parent_call.method.match(/_path$/)
+  end
+
+  def calls_slice? result
+    result[:chain].include? :slice or
+      (result[:full_call] and result[:full_call][:chain].include? :slice)
+  end
+
   # Look for actual use of params in mass assignment to avoid
   # warning about uses of Parameters#permit! without any mass assignment
   # or when mass assignment is restricted by model instead.
@@ -191,7 +206,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
     warn :result => result,
       :warning_type => "Mass Assignment",
       :warning_code => :mass_assign_permit!,
-      :message => "Parameters should be whitelisted for mass assignment",
+      :message => msg('Specify exact keys allowed for mass assignment instead of using ', msg_code('permit!'), ' which allows any keys'),
       :confidence => confidence
   end
 
@@ -203,7 +218,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
         warn :result => result,
           :warning_type => "Mass Assignment",
           :warning_code => :mass_assign_permit_all,
-          :message => "Parameters should be whitelisted for mass assignment",
+          :message => msg('Mass assignment is globally enabled. Disable and specify exact keys using ', msg_code('params.permit'), ' instead'),
           :confidence => :high
       end
     end

data/lib/brakeman/checks/check_model_attr_accessible.rb

@@ -8,7 +8,7 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
-  @description = "Reports models which have dangerous attributes defined under the attr_accessible whitelist."
+  @description = "Reports models which have dangerous attributes defined via attr_accessible"
 
   SUSP_ATTRS = [
     [:admin, :high], # Very dangerous unless some Rails authorization used

data/lib/brakeman/checks/check_model_attributes.rb

@@ -8,7 +8,7 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
   @description = "Reports models which do not use attr_restricted and warns on models that use attr_protected"
 
   def run_check
-    return if mass_assign_disabled?
+    return if mass_assign_disabled? or tracker.config.has_gem?(:protected_attributes)
 
     #Roll warnings into one warning for all models
     if tracker.options[:collapse_mass_assignment]

data/lib/brakeman/checks/check_page_caching_cve.rb

@@ -0,0 +1,37 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckPageCachingCVE < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Check for page caching vulnerability (CVE-2020-8159)"
+
+  def run_check
+    gem_name = 'actionpack-page_caching'
+    gem_version = tracker.config.gem_version(gem_name.to_sym)
+    upgrade_version = '1.2.2'
+    cve = 'CVE-2020-8159'
+
+    return unless gem_version and version_between?('0.0.0', '1.2.1', gem_version)
+
+    message = msg("Directory traversal vulnerability in ", msg_version(gem_version, gem_name), " ", msg_cve(cve), ". Upgrade to ", msg_version(upgrade_version, gem_name))
+
+    if uses_caches_page?
+      confidence = :high
+    else
+      confidence = :weak
+    end
+
+    warn :warning_type => 'Directory Traversal',
+      :warning_code => :CVE_2020_8159,
+      :message => message,
+      :confidence => confidence,
+      :link_path => 'https://groups.google.com/d/msg/rubyonrails-security/CFRVkEytdP8/c5gmICECAgAJ',
+      :gem_info => gemfile_or_environment(gem_name)
+  end
+
+  def uses_caches_page?
+    tracker.controllers.any? do |name, controller|
+      controller.options.has_key? :caches_page
+    end
+  end
+end

data/lib/brakeman/checks/check_permit_attributes.rb

@@ -3,7 +3,7 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckPermitAttributes < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
-  @description = "Warn on potentially dangerous attributes whitelisted via permit"
+  @description = "Warn on potentially dangerous attributes allowed via permit"
 
   SUSPICIOUS_KEYS = {
     admin: :high,

data/lib/brakeman/checks/check_regex_dos.rb

@@ -29,7 +29,7 @@ class Brakeman::CheckRegexDoS < Brakeman::BaseCheck
     return unless original? result
 
     call = result[:call]
-    components = call[1..-1]
+    components = call.sexp_body
 
     components.any? do |component|
       next unless sexp? component

data/lib/brakeman/checks/check_skip_before_filter.rb

@@ -4,8 +4,8 @@ require 'brakeman/checks/base_check'
 #
 #  skip_before_filter :verify_authenticity_token, :except => [...]
 #
-#which is essentially a blacklist approach (no actions are checked EXCEPT the
-#ones listed) versus a whitelist approach (ONLY the actions listed will skip
+#which is essentially a skip-by-default approach (no actions are checked EXCEPT the
+#ones listed) versus a enforce-by-default approach (ONLY the actions listed will skip
 #the check)
 class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
   Brakeman::Checks.add self
@@ -26,7 +26,7 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
       warn :class => controller.name, #ugh this should be a controller warning, too
         :warning_type => "Cross-Site Request Forgery",
         :warning_code => :csrf_blacklist,
-        :message => msg("Use whitelist (", msg_code(":only => [..]"), ") when skipping CSRF check"),
+        :message => msg("List specific actions (", msg_code(":only => [..]"), ") when skipping CSRF check"),
         :code => filter,
         :confidence => :medium,
         :file => controller.file
@@ -35,7 +35,7 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
       warn :controller => controller.name,
         :warning_code => :auth_blacklist,
         :warning_type => "Authentication",
-        :message => msg("Use whitelist (", msg_code(":only => [..]"), ") when skipping authentication"),
+        :message => msg("List specific actions (", msg_code(":only => [..]"), ") when skipping authentication"),
         :code => filter,
         :confidence => :medium,
         :link_path => "authentication_whitelist",

data/lib/brakeman/checks/check_sql.rb

@@ -393,7 +393,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     nil
   end
 
-  TO_STRING_METHODS = [:to_s, :squish, :strip, :strip_heredoc]
+  TO_STRING_METHODS = [:chomp, :to_s, :squish, :strip, :strip_heredoc]
 
   #Returns value if interpolated value is not something safe
   def unsafe_string_interp? exp

data/lib/brakeman/checks/check_template_injection.rb

@@ -0,0 +1,32 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckTemplateInjection < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Searches for evaluation of user input through template injection"
+
+  #Process calls
+  def run_check
+    Brakeman.debug "Finding ERB.new calls"
+    erb_calls = tracker.find_call :target => :ERB, :method => :new, :nested => true
+
+    Brakeman.debug "Processing ERB.new calls"
+    erb_calls.each do |call|
+      process_result call
+    end
+  end
+
+  #Warns if eval includes user input
+  def process_result result
+    return unless original? result
+
+    if input = include_user_input?(result[:call].arglist)
+      warn :result => result,
+        :warning_type => "Template Injection",
+        :warning_code => :erb_template_injection,
+        :message => msg(msg_input(input), " used directly in ", msg_code("ERB"), " template, which might enable remote code execution"),
+        :user_input => input,
+        :confidence => :high
+    end
+  end
+end

data/lib/brakeman/commandline.rb

@@ -102,6 +102,13 @@ module Brakeman
           app_path = "."
         end
 
+        if options[:ensure_ignore_notes] and options[:previous_results_json]
+          warn '[Notice] --ensure-ignore-notes may not be used at the same ' \
+               'time as --compare. Deactivating --ensure-ignore-notes. ' \
+               'Please see `brakeman --help` for valid options'
+          options[:ensure_ignore_notes] = false
+        end
+
         return options, app_path
       end
 
@@ -115,7 +122,20 @@ module Brakeman
 
       # Runs a regular report based on the options provided.
       def regular_report options
-        tracker = run_brakeman options 
+        tracker = run_brakeman options
+
+        ensure_ignore_notes_failed = false
+        if tracker.options[:ensure_ignore_notes]
+          fingerprints = Brakeman::ignore_file_entries_with_empty_notes tracker.ignored_filter&.file
+
+          unless fingerprints.empty?
+            ensure_ignore_notes_failed = true
+            warn '[Error] Notes required for all ignored warnings when ' \
+              '--ensure-ignore-notes is set. No notes provided for these ' \
+              'warnings: '
+            fingerprints.each { |f| warn f }
+          end
+        end
 
         if tracker.options[:exit_on_warn] and not tracker.filtered_warnings.empty?
           quit Brakeman::Warnings_Found_Exit_Code
@@ -124,6 +144,10 @@ module Brakeman
         if tracker.options[:exit_on_error] and tracker.errors.any?
           quit Brakeman::Errors_Found_Exit_Code
         end
+
+        if ensure_ignore_notes_failed
+          quit Brakeman::Empty_Ignore_Note_Exit_Code
+        end
       end
 
       # Actually run Brakeman.

data/lib/brakeman/file_parser.rb

@@ -33,7 +33,12 @@ module Brakeman
       end
     end
 
+    # _path_ can be a string or a Brakeman::FilePath
     def parse_ruby input, path
+      if path.is_a? Brakeman::FilePath
+        path = path.relative
+      end
+
       begin
         Brakeman.debug "Parsing #{path}"
         RubyParser.new.parse input, path, @timeout

data/lib/brakeman/options.rb

@@ -67,6 +67,10 @@ module Brakeman::Options
           options[:ensure_latest] = true
         end
 
+        opts.on "--ensure-ignore-notes", "Fail when an ignored warnings does not include a note" do
+          options[:ensure_ignore_notes] = true
+        end
+
         opts.on "-3", "--rails3", "Force Rails 3 mode" do
           options[:rails3] = true
         end
@@ -225,7 +229,7 @@ module Brakeman::Options
 
         opts.on "-f",
           "--format TYPE",
-          [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table, :junit],
+          [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table, :junit, :sarif],
           "Specify output formats. Default is text" do |type|
 
           type = "s" if type == :text
@@ -301,6 +305,22 @@ module Brakeman::Options
           options[:github_repo] = repo
         end
 
+        opts.on "--text-fields field1,field2,etc.", Array, "Specify fields for text report format" do |format|
+          valid_options = [:category, :category_id, :check, :code, :confidence, :file, :fingerprint, :line, :link, :message, :render_path]
+
+          options[:text_fields] = format.map(&:to_sym)
+
+          if options[:text_fields] == [:all]
+            options[:text_fields] = valid_options
+          else
+            invalid_options = (options[:text_fields] - valid_options)
+
+            unless invalid_options.empty?
+              raise OptionParser::ParseError, "\nInvalid format options: #{invalid_options.inspect}"
+            end
+          end
+        end
+
         opts.on "-w",
           "--confidence-level LEVEL",
           ["1", "2", "3"],

data/lib/brakeman/processors/alias_processor.rb

@@ -82,7 +82,6 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   def replace exp, int = 0
     return exp if int > 3
 
-
     if replacement = env[exp] and not duplicate? replacement
       replace(replacement.deep_clone(exp.line), int + 1)
     elsif tracker and replacement = tracker.constant_lookup(exp) and not duplicate? replacement
@@ -237,7 +236,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         env[target_var] = target
         return target
       elsif string? target and string_interp? first_arg
-        exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg[2..-1])
+        exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg.sexp_body(2))
         env[target_var] = exp
       elsif string? first_arg and string_interp? target
         if string? target.last
@@ -731,14 +730,14 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   def array_include_all_literals? exp
     call? exp and
     exp.method == :include? and
-    all_literals? exp.target
+    (all_literals? exp.target or dir_glob? exp.target)
   end
 
   def array_detect_all_literals? exp
     call? exp and
     [:detect, :find].include? exp.method and
     exp.first_arg.nil? and
-    all_literals? exp.target
+    (all_literals? exp.target or dir_glob? exp.target)
   end
 
   #Sets @inside_if = true
@@ -942,7 +941,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     args = exp.args
     exp.pop # remove last arg
     if args.length > 1
-      exp.arglist = args[1..-1]
+      exp.arglist = args.sexp_body
     end
   end
 

data/lib/brakeman/processors/controller_processor.rb

@@ -202,7 +202,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     end
 
     if node_type? exp.block, :block
-      block_inner = exp.block[1..-1]
+      block_inner = exp.block.sexp_body
     else
       block_inner = [exp.block]
     end

data/lib/brakeman/processors/haml_template_processor.rb

@@ -76,6 +76,13 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     end
   end
 
+  ESCAPE_METHODS = [
+    :html_escape,
+    :html_escape_without_haml_xss,
+    :escape_once,
+    :escape_once_without_haml_xss
+  ]
+
   def get_pushed_value exp, default = :output
     return exp unless sexp? exp
 
@@ -105,7 +112,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     when :call
       if exp.method == :to_s or exp.method == :strip
         get_pushed_value(exp.target, default)
-      elsif haml_helpers? exp.target and exp.method == :html_escape
+      elsif haml_helpers? exp.target and ESCAPE_METHODS.include? exp.method
         get_pushed_value(exp.first_arg, :escaped_output)
       elsif @javascript and (exp.method == :j or exp.method == :escape_javascript) # TODO: Remove - this is not safe
         get_pushed_value(exp.first_arg, :escaped_output)

data/lib/brakeman/processors/lib/call_conversion_helper.rb

@@ -10,7 +10,7 @@ module Brakeman
     def join_arrays lhs, rhs, original_exp = nil
       if array? lhs and array? rhs
         result = Sexp.new(:array)
-        result.line(lhs.line || rhs.line)
+        result.line(lhs.line || rhs.line || 1)
         result.concat lhs[1..-1]
         result.concat rhs[1..-1]
         result

data/lib/brakeman/processors/lib/find_all_calls.rb

@@ -20,6 +20,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
     @current_template = opts[:template]
     @current_file = opts[:file]
     @current_call = nil
+    @full_call = nil
     process exp
   end
 
@@ -137,7 +138,8 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
                 :call => exp,
                 :nested => false,
                 :location => make_location,
-                :parent => @current_call }.freeze
+                :parent => @current_call,
+                :full_call => @full_call }.freeze
   end
 
   #Gets the target of a call as a Symbol
@@ -214,34 +216,47 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
   #Return info hash for a call Sexp
   def create_call_hash exp
     target = get_target exp.target
-
-    if call? target or node_type? target, :dxstr # need to index `` even if target of a call
-      already_in_target = @in_target
-      @in_target = true
-      process target
-      @in_target = already_in_target
-
-      target = get_target(target, :include_calls)
-    end
+    target_symbol = get_target(target, :include_calls)
 
     method = exp.method
 
     call_hash = {
-      :target => target,
+      :target => target_symbol,
       :method => method,
       :call => exp,
       :nested => @in_target,
       :chain => get_chain(exp),
       :location => make_location,
-      :parent => @current_call
+      :parent => @current_call,
+      :full_call => @full_call
     }
 
+    unless @in_target
+      @full_call = call_hash
+    end
+
+    # Process up the call chain
+    if call? target or node_type? target, :dxstr # need to index `` even if target of a call
+      already_in_target = @in_target
+      @in_target = true
+      process target
+      @in_target = already_in_target
+    end
+
+    # Process call arguments
+    # but add the current call as the 'parent'
+    # to any calls in the arguments
     old_parent = @current_call
     @current_call = call_hash
 
+    # Do not set @full_call when processing arguments
+    old_full_call = @full_call
+    @full_call = nil
+
     process_call_args exp
 
     @current_call = old_parent
+    @full_call = old_full_call
 
     call_hash
   end

data/lib/brakeman/processors/output_processor.rb

@@ -88,7 +88,7 @@ class Brakeman::OutputProcessor < Ruby2Ruby
 
   def process_iter exp
     call = process exp[1]
-    block = process_rlist exp[3..-1]
+    block = process_rlist exp.sexp_body(3)
     out = "#{call} do\n #{block}\n end"
 
     out

data/lib/brakeman/processors/template_alias_processor.rb

@@ -20,6 +20,11 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
 
   #Process template
   def process_template name, args, _, line = nil
+    # Strip forward slash from beginning of template path.
+    # This also happens in RenderHelper#process_template but
+    # we need it here too to accurately avoid circular renders below.
+    name = name.to_s.gsub(/^\//, "")
+
     if @called_from
       if @called_from.include_template? name
         Brakeman.debug "Skipping circular render from #{@template.name} to #{name}"

data/lib/brakeman/report.rb

@@ -43,6 +43,8 @@ class Brakeman::Report
     when :to_junit
       require_report 'junit'
       Brakeman::Report::JUnit
+    when :to_sarif
+      return self.to_sarif
     else
       raise "Invalid format: #{format}. Should be one of #{VALID_FORMATS.inspect}"
     end
@@ -85,6 +87,11 @@ class Brakeman::Report
   alias to_plain to_text
   alias to_s to_text
 
+  def to_sarif
+    require_report 'sarif'
+    generate Brakeman::Report::SARIF
+  end
+
   def generate reporter
     reporter.new(@tracker).generate_report
   end

data/lib/brakeman/report/ignore/config.rb

@@ -94,6 +94,10 @@ module Brakeman
       end
     end
 
+    def already_ignored_entries_with_empty_notes
+      @already_ignored.select { |i| i if i[:note].strip.empty? }
+    end
+
     # Read configuration to file
     def read_from_file file = @file
       if File.exist? file

data/lib/brakeman/report/report_sarif.rb

@@ -0,0 +1,114 @@
+class Brakeman::Report::SARIF < Brakeman::Report::Base
+  def generate_report
+    sarif_log = {
+      :version => '2.1.0',
+      :$schema => 'https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json',
+      :runs => runs,
+    }
+    JSON.pretty_generate sarif_log
+  end
+
+  def runs
+    [
+      {
+        :tool => {
+          :driver => {
+            :name => 'Brakeman',
+            :informationUri => 'https://brakemanscanner.org',
+            :semanticVersion => Brakeman::Version,
+            :rules => rules,
+          },
+        },
+        :results => results,
+      },
+    ]
+  end
+
+  def rules
+    @rules ||= unique_warnings_by_warning_code.map do |warning|
+      rule_id = render_id warning
+      check_name = warning.check.gsub(/^Brakeman::Check/, '')
+      check_description = render_message check_descriptions[check_name]
+      {
+        :id => rule_id,
+        :name => "#{check_name}/#{warning.warning_type}",
+        :fullDescription => {
+          :text => check_description,
+        },
+        :helpUri => warning.link,
+        :help => {
+          :text => "More info: #{warning.link}.",
+          :markdown => "[More info](#{warning.link}).",
+        },
+        :properties => {
+          :tags => [check_name],
+        },
+      }
+    end
+  end
+
+  def results
+    @results ||= all_warnings.map do |warning|
+      rule_id = render_id warning
+      result_level = infer_level warning
+      message_text = render_message warning.message.to_s
+      result = {
+        :ruleId => rule_id,
+        :ruleIndex => rules.index { |r| r[:id] == rule_id },
+        :level => result_level,
+        :message => {
+          :text => message_text,
+        },
+        :locations => [
+          :physicalLocation => {
+            :artifactLocation => {
+              :uri => warning.file.relative,
+              :uriBaseId => '%SRCROOT%',
+            },
+            :region => {
+              :startLine => warning.line.is_a?(Integer) ? warning.line : 1,
+            },
+          },
+        ],
+      }
+
+      result
+    end
+  end
+
+  # Returns a hash of all check descriptions, keyed by check namne
+  def check_descriptions
+    @check_descriptions ||= Brakeman::Checks.checks.map do |check|
+      [check.name.gsub(/^Check/, ''), check.description]
+    end.to_h
+  end
+
+  # Returns a de-duplicated set of warnings, used to generate rules
+  def unique_warnings_by_warning_code
+    @unique_warnings_by_warning_code ||= all_warnings.uniq { |w| w.warning_code }
+  end
+
+  def render_id warning
+    # Include alpha prefix to provide 'compiler error' appearance
+    "BRAKE#{'%04d' % warning.warning_code}" # 46 becomes BRAKE0046, for example
+  end
+
+  def render_message message
+    # Ensure message ends with a period
+    if message.end_with? "."
+      message
+    else
+      "#{message}."
+    end
+  end
+
+  def infer_level warning
+    # Infer result level from warning confidence
+    @@levels_from_confidence ||= Hash.new('warning').update({
+      0 => 'error',    # 0 represents 'high confidence', which we infer as 'error'
+      1 => 'warning',  # 1 represents 'medium confidence' which we infer as 'warning'
+      2 => 'note',     # 2 represents 'weak, or low, confidence', which we infer as 'note'
+    })
+    @@levels_from_confidence[warning.confidence]
+  end
+end

data/lib/brakeman/report/report_text.rb

@@ -145,24 +145,45 @@ class Brakeman::Report::Text < Brakeman::Report::Base
   end
 
   def output_warning w
-    out = [
-      label('Confidence', confidence(w.confidence)),
-      label('Category', w.warning_type.to_s),
-      label('Check', w.check.gsub(/^Brakeman::Check/, '')),
+    text_format = tracker.options[:text_fields] ||
+      [:confidence, :category, :check, :message, :code, :file, :line]
+
+    text_format.map do |option|
+      format_line(w, option)
+    end.compact
+  end
+
+  def format_line w, option
+    case option
+    when :confidence
+      label('Confidence', confidence(w.confidence))
+    when :category
+      label('Category', w.warning_type.to_s)
+    when :check
+      label('Check', w.check.gsub(/^Brakeman::Check/, ''))
+    when :message
       label('Message', w.message)
-    ]
-
-    if w.code
-      out << label('Code', format_code(w))
-    end
-
-    out << label('File', warning_file(w))
-
-    if w.line
-      out << label('Line', w.line)
+    when :code
+      if w.code
+        label('Code', format_code(w))
+      end
+    when :file
+      label('File', warning_file(w))
+    when :line
+      if w.line
+        label('Line', w.line)
+      end
+    when :link
+      label('Link', w.link)
+    when :fingerprint
+      label('Fingerprint', w.fingerprint)
+    when :category_id
+      label('Category ID', w.warning_code)
+    when :render_path
+      if w.called_from
+        label('Render Path', w.called_from.join(" > "))
+      end
     end
-
-    out
   end
 
   def double_space title, values

data/lib/brakeman/scanner.rb

@@ -94,11 +94,14 @@ class Brakeman::Scanner
   #
   #Stores parsed information in tracker.config
   def process_config
+    # Sometimes folks like to put constants in environment.rb
+    # so let's always process it even for newer Rails versions
+    process_config_file "environment.rb"
+
     if options[:rails3] or options[:rails4] or options[:rails5] or options[:rails6]
       process_config_file "application.rb"
       process_config_file "environments/production.rb"
     else
-      process_config_file "environment.rb"
       process_config_file "gems.rb"
     end
 

data/lib/brakeman/tracker.rb

@@ -198,8 +198,10 @@ class Brakeman::Tracker
     @constants.add name, value, context unless @options[:disable_constant_tracking]
   end
 
+  # This method does not return all constants at this time,
+  # just ones with "simple" values.
   def constant_lookup name
-    @constants.get_literal name unless @options[:disable_constant_tracking]
+    @constants.get_simple_value name unless @options[:disable_constant_tracking]
   end
 
   def find_class name

data/lib/brakeman/tracker/config.rb

@@ -54,7 +54,7 @@ module Brakeman
     end
 
     def gem_version name
-      extract_version @gems.dig(name, :version)
+      extract_version @gems.dig(name.to_sym, :version)
     end
 
     def add_gem name, version, file, line
@@ -67,11 +67,11 @@ module Brakeman
     end
 
     def has_gem? name
-      !!@gems[name]
+      !!@gems[name.to_sym]
     end
 
     def get_gem name
-      @gems[name]
+      @gems[name.to_sym]
     end
 
     def set_rails_version version = nil
@@ -79,7 +79,9 @@ module Brakeman
                   # Only used by Rails2ConfigProcessor right now
                   extract_version(version)
                 else
-                  gem_version(:rails) || gem_version(:railties)
+                  gem_version(:rails) ||
+                    gem_version(:railties) ||
+                    gem_version(:activerecord)
                 end
 
       if version

data/lib/brakeman/tracker/constants.rb

@@ -1,7 +1,10 @@
 require 'brakeman/processors/output_processor'
+require 'brakeman/util'
 
 module Brakeman
   class Constant
+    include Brakeman::Util
+
     attr_reader :name, :name_array, :file, :value, :context
 
     def initialize name, value, context = {}
@@ -107,13 +110,11 @@ module Brakeman
       @constants[base_name] << Constant.new(name, value, context)
     end
 
-    LITERALS = [:lit, :false, :str, :true, :array, :hash]
-    def literal? exp
-      exp.is_a? Sexp and LITERALS.include? exp.node_type
-    end
-
-    def get_literal name
-      if x = self[name] and literal? x
+    # Returns constant values that are not too complicated.
+    # Right now that means literal values (string, array, etc.)
+    # or calls on Dir.glob(..).whatever.
+    def get_simple_value name
+      if x = self[name] and (literal? x or dir_glob? x)
         x
       else
         nil

data/lib/brakeman/tracker/controller.rb

@@ -125,7 +125,7 @@ module Brakeman
         value = args[-1][2]
         case value.node_type
         when :array
-          filter[option] = value[1..-1].map {|v| v[1] }
+          filter[option] = value.sexp_body.map {|v| v[1] }
         when :lit, :str
           filter[option] = value[1]
         else

data/lib/brakeman/util.rb

@@ -293,6 +293,22 @@ module Brakeman::Util
     exp.is_a? Sexp and types.include? exp.node_type
   end
 
+  LITERALS = [:lit, :false, :str, :true, :array, :hash]
+
+  def literal? exp
+    exp.is_a? Sexp and LITERALS.include? exp.node_type
+  end
+
+  DIR_CONST = s(:const, :Dir)
+
+  # Dir.glob(...).whatever
+  def dir_glob? exp
+    exp = exp.block_call if node_type? exp, :iter
+    return unless call? exp
+
+    (exp.target == DIR_CONST and exp.method == :glob) or dir_glob? exp.target
+  end
+
   #Returns true if the given _exp_ contains a :class node.
   #
   #Useful for checking if a module is just a module or if it is a namespace.
@@ -305,7 +321,7 @@ module Brakeman::Util
       if node_type? current, :class
         return true
       elsif sexp? current
-        todo = current[1..-1].concat todo
+        todo = current.sexp_body.concat todo
       end
     end
 
@@ -318,7 +334,7 @@ module Brakeman::Util
     if args.empty? or args.first.empty?
       #nothing to do
     elsif node_type? args.first, :arglist
-      call.concat args.first[1..-1]
+      call.concat args.first.sexp_body
     elsif args.first.node_type.is_a? Sexp #just a list of args
       call.concat args.first
     else

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "4.8.1"
+  Version = "4.10.1"
 end

data/lib/brakeman/warning_codes.rb

@@ -114,6 +114,12 @@ module Brakeman::WarningCodes
     :unsafe_cookie_serialization => 110,
     :reverse_tabnabbing => 111,
     :mass_assign_permit_all => 112,
+    :json_html_escape_config => 113,
+    :json_html_escape_module => 114,
+    :CVE_2020_8159 => 115,
+    :CVE_2020_8166 => 116,
+    :erb_template_injection => 117,
+
     :custom_check => 9090,
   }
 

data/lib/ruby_parser/bm_sexp.rb

@@ -175,7 +175,7 @@ class Sexp
     start_index = 3
 
     if exp.is_a? Sexp and exp.node_type == :arglist
-      exp = exp[1..-1]
+      exp = exp.sexp_body
     end
 
     exp.each_with_index do |e, i|
@@ -198,10 +198,10 @@ class Sexp
 
     case self.node_type
     when :call, :attrasgn, :safe_call, :safe_attrasgn
-      self[3..-1].unshift :arglist
+      self.sexp_body(3).unshift :arglist
     when :super, :zsuper
       if self[1]
-        self[1..-1].unshift :arglist
+        self.sexp_body.unshift :arglist
       else
         Sexp.new(:arglist)
       end
@@ -218,13 +218,13 @@ class Sexp
     case self.node_type
     when :call, :attrasgn, :safe_call, :safe_attrasgn
       if self[3]
-        self[3..-1]
+        self.sexp_body(3)
       else
         Sexp.new
       end
     when :super, :zsuper
       if self[1]
-        self[1..-1]
+        self.sexp_body
       else
         Sexp.new
       end
@@ -512,7 +512,7 @@ class Sexp
     self.slice!(index..-1) #Remove old body
 
     if exp.first == :rlist
-      exp = exp[1..-1]
+      exp = exp.sexp_body
     end
 
     #Insert new body
@@ -529,11 +529,11 @@ class Sexp
 
     case self.node_type
     when :defn, :class
-      self[3..-1]
+      self.sexp_body(3)
     when :defs
-      self[4..-1]
+      self.sexp_body(4)
     when :module
-      self[2..-1]
+      self.sexp_body(2)
     end
   end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-min
 version: !ruby/object:Gem::Version
-  version: 4.8.1
+  version: 4.10.1
 platform: ruby
 authors:
 - Justin Collins
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-04-07 00:00:00.000000000 Z
+date: 2020-12-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -52,6 +52,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov-html
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.10.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.10.2
 - !ruby/object:Gem::Dependency
   name: ruby_parser
   requirement: !ruby/object:Gem::Requirement
@@ -146,6 +160,7 @@ files:
 - lib/brakeman/checks/check_cookie_serialization.rb
 - lib/brakeman/checks/check_create_with.rb
 - lib/brakeman/checks/check_cross_site_scripting.rb
+- lib/brakeman/checks/check_csrf_token_forgery_cve.rb
 - lib/brakeman/checks/check_default_routes.rb
 - lib/brakeman/checks/check_deserialize.rb
 - lib/brakeman/checks/check_detailed_exceptions.rb
@@ -164,6 +179,7 @@ files:
 - lib/brakeman/checks/check_i18n_xss.rb
 - lib/brakeman/checks/check_jruby_xml.rb
 - lib/brakeman/checks/check_json_encoding.rb
+- lib/brakeman/checks/check_json_entity_escape.rb
 - lib/brakeman/checks/check_json_parsing.rb
 - lib/brakeman/checks/check_link_to.rb
 - lib/brakeman/checks/check_link_to_href.rb
@@ -176,6 +192,7 @@ files:
 - lib/brakeman/checks/check_nested_attributes.rb
 - lib/brakeman/checks/check_nested_attributes_bypass.rb
 - lib/brakeman/checks/check_number_to_currency.rb
+- lib/brakeman/checks/check_page_caching_cve.rb
 - lib/brakeman/checks/check_permit_attributes.rb
 - lib/brakeman/checks/check_quote_table_name.rb
 - lib/brakeman/checks/check_redirect.rb
@@ -205,6 +222,7 @@ files:
 - lib/brakeman/checks/check_strip_tags.rb
 - lib/brakeman/checks/check_symbol_dos.rb
 - lib/brakeman/checks/check_symbol_dos_cve.rb
+- lib/brakeman/checks/check_template_injection.rb
 - lib/brakeman/checks/check_translate_bug.rb
 - lib/brakeman/checks/check_unsafe_reflection.rb
 - lib/brakeman/checks/check_unscoped_find.rb
@@ -274,6 +292,7 @@ files:
 - lib/brakeman/report/report_json.rb
 - lib/brakeman/report/report_junit.rb
 - lib/brakeman/report/report_markdown.rb
+- lib/brakeman/report/report_sarif.rb
 - lib/brakeman/report/report_table.rb
 - lib/brakeman/report/report_tabs.rb
 - lib/brakeman/report/report_text.rb
@@ -330,7 +349,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.8
+rubygems_version: 3.2.2
 signing_key: 
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.