brakeman-min 4.9.0 → 5.0.0

data/lib/brakeman/options.rb

@@ -166,6 +166,10 @@ module Brakeman::Options
           options[:only_files].merge files
         end
 
+        opts.on "--[no-]skip-vendor", "Skip processing vendor directory (Default)" do |skip|
+          options[:skip_vendor] = skip
+        end
+
         opts.on "--skip-libs", "Skip processing lib directory" do
           options[:skip_libs] = true
         end
@@ -229,7 +233,7 @@ module Brakeman::Options
 
         opts.on "-f",
           "--format TYPE",
-          [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table, :junit],
+          [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table, :junit, :sarif, :sonar],
           "Specify output formats. Default is text" do |type|
 
           type = "s" if type == :text

data/lib/brakeman/parsers/template_parser.rb

@@ -9,7 +9,6 @@ module Brakeman
     def initialize tracker, file_parser
       @tracker = tracker
       @file_parser = file_parser
-      @file_parser.file_list[:templates] ||= []
     end
 
     def parse_template path, text
@@ -33,7 +32,7 @@ module Brakeman
               end
 
         if src and ast = @file_parser.parse_ruby(src, path)
-          @file_parser.file_list[:templates] << TemplateFile.new(path, ast, name, type)
+          @file_parser.file_list << TemplateFile.new(path, ast, name, type)
         end
       rescue Racc::ParseError => e
         tracker.error e, "Could not parse #{path}"
@@ -97,7 +96,7 @@ module Brakeman
     end
 
     def self.parse_inline_erb tracker, text
-      fp = Brakeman::FileParser.new(tracker)
+      fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
       tp = self.new(tracker, fp)
       src = tp.parse_erb '_inline_', text
       type = tp.erubis? ? :erubis : :erb

data/lib/brakeman/processors/alias_processor.rb

@@ -161,6 +161,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   ARRAY_CONST = s(:const, :Array)
   HASH_CONST = s(:const, :Hash)
   RAILS_TEST = s(:call, s(:call, s(:const, :Rails), :env), :test?)
+  RAILS_DEV = s(:call, s(:call, s(:const, :Rails), :env), :development?)
 
   #Process a method call.
   def process_call exp
@@ -186,7 +187,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     method = exp.method
     first_arg = exp.first_arg
 
-    if method == :send or method == :try
+    if method == :send or method == :__send__ or method == :try
       collapse_send_call exp, first_arg
     end
 
@@ -197,7 +198,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       return Sexp.new(:array, *exp.args)
     elsif target == HASH_CONST and method == :new and first_arg.nil? and !node_type?(@exp_context.last, :iter)
       return Sexp.new(:hash)
-    elsif exp == RAILS_TEST
+    elsif exp == RAILS_TEST or exp == RAILS_DEV
       return Sexp.new(:false)
     end
 
@@ -236,7 +237,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         env[target_var] = target
         return target
       elsif string? target and string_interp? first_arg
-        exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg[2..-1])
+        exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg.sexp_body(2))
         env[target_var] = exp
       elsif string? first_arg and string_interp? target
         if string? target.last
@@ -346,6 +347,18 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     end
   end
 
+  TEMP_FILE_CLASS = s(:const, :Tempfile)
+
+  def temp_file_open? exp
+    call? exp and
+      exp.target == TEMP_FILE_CLASS and
+      exp.method == :open
+  end
+
+  def temp_file_new line
+    s(:call, TEMP_FILE_CLASS, :new).line(line)
+  end
+
   def process_iter exp
     @exp_context.push exp
     exp[1] = process exp.block_call
@@ -363,6 +376,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         # Iterating over an array of all literal values
         local = Sexp.new(:lvar, block_args.last)
         env.current[local] = safe_literal(exp.line)
+      elsif temp_file_open? call
+        local = Sexp.new(:lvar, block_args.last)
+        env.current[local] = temp_file_new(exp.line)
       else
         block_args.each do |e|
           #Force block arg(s) to be local
@@ -941,7 +957,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     args = exp.args
     exp.pop # remove last arg
     if args.length > 1
-      exp.arglist = args[1..-1]
+      exp.arglist = args.sexp_body
     end
   end
 

data/lib/brakeman/processors/controller_processor.rb

@@ -202,7 +202,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     end
 
     if node_type? exp.block, :block
-      block_inner = exp.block[1..-1]
+      block_inner = exp.block.sexp_body
     else
       block_inner = [exp.block]
     end

data/lib/brakeman/processors/haml_template_processor.rb

@@ -76,6 +76,13 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     end
   end
 
+  ESCAPE_METHODS = [
+    :html_escape,
+    :html_escape_without_haml_xss,
+    :escape_once,
+    :escape_once_without_haml_xss
+  ]
+
   def get_pushed_value exp, default = :output
     return exp unless sexp? exp
 
@@ -105,7 +112,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     when :call
       if exp.method == :to_s or exp.method == :strip
         get_pushed_value(exp.target, default)
-      elsif haml_helpers? exp.target and exp.method == :html_escape
+      elsif haml_helpers? exp.target and ESCAPE_METHODS.include? exp.method
         get_pushed_value(exp.first_arg, :escaped_output)
       elsif @javascript and (exp.method == :j or exp.method == :escape_javascript) # TODO: Remove - this is not safe
         get_pushed_value(exp.first_arg, :escaped_output)

data/lib/brakeman/processors/lib/call_conversion_helper.rb

@@ -10,7 +10,7 @@ module Brakeman
     def join_arrays lhs, rhs, original_exp = nil
       if array? lhs and array? rhs
         result = Sexp.new(:array)
-        result.line(lhs.line || rhs.line)
+        result.line(lhs.line || rhs.line || 1)
         result.concat lhs[1..-1]
         result.concat rhs[1..-1]
         result

data/lib/brakeman/processors/lib/file_type_detector.rb

@@ -0,0 +1,64 @@
+module Brakeman
+  class FileTypeDetector < BaseProcessor
+    def initialize
+      super(nil)
+      reset
+    end
+
+    def detect_type(file)
+      reset
+      process(file.ast)
+
+      if @file_type.nil?
+        @file_type = guess_from_path(file.path.relative)
+      end
+
+      @file_type || :libs
+    end
+
+    MODEL_CLASSES = [
+      :'ActiveRecord::Base',
+      :ApplicationRecord
+    ]
+
+    def process_class exp
+      name = class_name(exp.class_name)
+      parent = class_name(exp.parent_name)
+
+      if name.match(/Controller$/)
+        @file_type = :controllers
+        return exp
+      elsif MODEL_CLASSES.include? parent
+        @file_type = :models
+        return exp
+      end
+
+      super
+    end
+
+    def guess_from_path path
+      case
+      when path.include?('app/models')
+        :models
+      when path.include?('app/controllers')
+        :controllers
+      when path.include?('config/initializers')
+        :initializers
+      when path.include?('lib/')
+        :libs
+      when path.match?(%r{config/environments/(?!production\.rb)$})
+        :skip
+      when path.match?(%r{environments/production\.rb$})
+        :skip
+      when path.match?(%r{application\.rb$})
+        :skip
+      end
+    end
+
+    private
+
+    def reset
+      @file_type = nil
+    end
+  end
+end

data/lib/brakeman/processors/lib/rails3_config_processor.rb

@@ -57,6 +57,20 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
     exp
   end
 
+  #Look for configuration settings that
+  #are just a call like
+  #
+  #  config.load_defaults 5.2
+  def process_call exp
+    return exp unless @inside_config
+
+    if exp.target == RAILS_CONFIG and exp.first_arg
+      @tracker.config.rails[exp.method] = exp.first_arg
+    end
+
+    exp
+  end
+
   #Look for configuration settings
   def process_attrasgn exp
     return exp unless @inside_config
@@ -71,22 +85,8 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
         @tracker.config.rails[attribute] = exp.first_arg
       end
     elsif include_rails_config? exp
-      options = get_rails_config exp
-      level = @tracker.config.rails
-      options[0..-2].each do |o|
-        level[o] ||= {}
-
-        option = level[o]
-
-        if not option.is_a? Hash
-          Brakeman.debug "[Notice] Skipping config setting: #{options.map(&:to_s).join(".")}"
-          return exp
-        end
-
-        level = level[o]
-      end
-
-      level[options.last] = exp.first_arg
+      options_path = get_rails_config exp
+      @tracker.config.set_rails_config(exp.first_arg, *options_path)
     end
 
     exp

data/lib/brakeman/processors/output_processor.rb

@@ -88,7 +88,7 @@ class Brakeman::OutputProcessor < Ruby2Ruby
 
   def process_iter exp
     call = process exp[1]
-    block = process_rlist exp[3..-1]
+    block = process_rlist exp.sexp_body(3)
     out = "#{call} do\n #{block}\n end"
 
     out

data/lib/brakeman/processors/template_alias_processor.rb

@@ -20,6 +20,11 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
 
   #Process template
   def process_template name, args, _, line = nil
+    # Strip forward slash from beginning of template path.
+    # This also happens in RenderHelper#process_template but
+    # we need it here too to accurately avoid circular renders below.
+    name = name.to_s.gsub(/^\//, "")
+
     if @called_from
       if @called_from.include_template? name
         Brakeman.debug "Skipping circular render from #{@template.name} to #{name}"

data/lib/brakeman/report.rb

@@ -43,6 +43,11 @@ class Brakeman::Report
     when :to_junit
       require_report 'junit'
       Brakeman::Report::JUnit
+    when :to_sarif
+      return self.to_sarif
+    when :to_sonar
+      require_report 'sonar'
+      Brakeman::Report::Sonar
     else
       raise "Invalid format: #{format}. Should be one of #{VALID_FORMATS.inspect}"
     end
@@ -67,6 +72,11 @@ class Brakeman::Report
     generate Brakeman::Report::JSON
   end
 
+  def to_sonar
+    require_report 'sonar'
+    generate Brakeman::Report::Sonar
+  end
+
   def to_table
     require_report 'table'
     generate Brakeman::Report::Table
@@ -85,6 +95,11 @@ class Brakeman::Report
   alias to_plain to_text
   alias to_s to_text
 
+  def to_sarif
+    require_report 'sarif'
+    generate Brakeman::Report::SARIF
+  end
+
   def generate reporter
     reporter.new(@tracker).generate_report
   end

data/lib/brakeman/report/report_base.rb

@@ -11,8 +11,6 @@ class Brakeman::Report::Base
 
   attr_reader :tracker, :checks
 
-  TEXT_CONFIDENCE = Brakeman::Warning::TEXT_CONFIDENCE
-
   def initialize tracker
     @app_tree = tracker.app_tree
     @tracker = tracker

data/lib/brakeman/report/report_csv.rb

@@ -1,72 +1,49 @@
 require 'csv'
-require "brakeman/report/report_table"
 
-class Brakeman::Report::CSV < Brakeman::Report::Table
+class Brakeman::Report::CSV < Brakeman::Report::Base
   def generate_report
-    output = csv_header
-    output << "\nSUMMARY\n"
-
-    output << table_to_csv(generate_overview) << "\n"
-
-    output << table_to_csv(generate_warning_overview) << "\n"
-
-    #Return output early if only summarizing
-    if tracker.options[:summary_only]
-      return output
-    end
-
-    if tracker.options[:report_routes] or tracker.options[:debug]
-      output << "CONTROLLERS\n"
-      output << table_to_csv(generate_controllers) << "\n"
-    end
-
-    if tracker.options[:debug]
-      output << "TEMPLATES\n\n"
-      output << table_to_csv(generate_templates) << "\n"
+    headers = [
+      "Confidence",
+      "Warning Type",
+      "File",
+      "Line",
+      "Message",
+      "Code",
+      "User Input",
+      "Check Name",
+      "Warning Code",
+      "Fingerprint",
+      "Link"
+    ]
+
+    rows = tracker.filtered_warnings.sort_by do |w|
+      [w.confidence, w.warning_type, w.file, w.line, w.fingerprint]
+    end.map do |warning|
+      generate_row(headers, warning)
     end
 
-    res = generate_errors
-    output << "ERRORS\n" << table_to_csv(res) << "\n" if res
-
-    res = generate_warnings
-    output << "SECURITY WARNINGS\n" << table_to_csv(res) << "\n" if res
+    table = CSV::Table.new(rows)
 
-    output << "Controller Warnings\n"
-    res = generate_controller_warnings
-    output << table_to_csv(res) << "\n" if res
-
-    output << "Model Warnings\n"
-    res = generate_model_warnings
-    output << table_to_csv(res) << "\n" if res
-
-    res = generate_template_warnings
-    output << "Template Warnings\n"
-    output << table_to_csv(res) << "\n" if res
-
-    output
+    table.to_csv
   end
 
-  #Generate header for CSV output
-  def csv_header
-    header = CSV.generate_line(["Application Path", "Report Generation Time", "Checks Performed", "Rails Version"])
-    header << CSV.generate_line([File.expand_path(tracker.app_path), Time.now.to_s, checks.checks_run.sort.join(", "), rails_version])
-    "BRAKEMAN REPORT\n\n" + header
+  def generate_row headers, warning
+    CSV::Row.new headers, warning_row(warning)
   end
 
-  # rely on Terminal::Table to build the structure, extract the data out in CSV format
-  def table_to_csv table
-    return "" unless table
-
-    Brakeman.load_brakeman_dependency 'terminal-table'
-    headings = table.headings
-    if headings.is_a? Array
-      headings = headings.first
-    end
-
-    output = CSV.generate_line(headings.cells.map{|cell| cell.to_s.strip})
-    table.rows.each do |row|
-      output << CSV.generate_line(row.cells.map{|cell| cell.to_s.strip})
-    end
-    output
+  def warning_row warning
+    [
+      warning.confidence_name,
+      warning.warning_type,
+      warning_file(warning),
+      warning.line,
+      warning.message,
+      warning.code && warning.format_code(false),
+      warning.user_input && warning.format_user_input(false),
+      warning.check_name,
+      warning.warning_code,
+      warning.fingerprint,
+      warning.link,
+    ]
   end
 end