brakeman-min 6.2.2 → 7.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c7523d5074d9d9352e585ad32ec90148c7a66452610d27bc29b7de5fe6770df9
-  data.tar.gz: db9859643a7a8ed60a3bb721614fc4a8a2cf2910dcfb5e4b89b32bf20e2af75e
+  metadata.gz: baa16f18d1ceaf0c04654b5b84547e3bb0cd23368409b980742df987f88df059
+  data.tar.gz: 90b31d54feaad0b87250d7e7599c8bcbe4d290a4bca3132e4e60ea2b83af6e25
 SHA512:
-  metadata.gz: 536df54884f0d9b9dba43be944335119b4fb75cd4096b69cdcec15b1058cb039985cd8923542f5d0df667d5609813fac1c1a0f511ee8169d4f0771bebb3be5b0
-  data.tar.gz: 782ec2ca43bb670743915f255510182bc6399bae367aba68cdad17508916b16abddda1bd6d5874c168d690ef67909495e25289a680a69fb921d9a4dcffdb6a2d
+  metadata.gz: ac5c7a446bd842ccf61292ac59505b95f9fc5840ef5749f08f39ce9c4a905d8bf24045377b1ccb035d0f3b5810984c9564d962d1ba27da89f0129044e522f81d
+  data.tar.gz: 54e8dd54503821cb93b9c11aa6e69aaec2da4ba81308d507df9721fe50e2f21cb2124a8d2f46b9e907696f642c137dc05d8d51bcc4d8fb8e794b51b30b186b6d

data/CHANGES.md

@@ -1,3 +1,29 @@
+# 7.0.1 - 2025-04-03
+
+* Avoid warning on evaluation of plain strings
+* Enable use of custom/alternative Gemfiles
+* Fix error on directory with `rb` extension (viralpraxis)
+* Support `terminal-table` 4.0 (Chedli Bourguiba)
+* Better support Prism 1.4.0
+* Only output timing for each file when using `--debug`
+
+# 7.0.0 - 2024-12-30
+
+* Always warn about deserializing from Marshal
+* Output `originalBaseUriIds` for SARIF format report
+* Default to using Prism parser if available (disable with `--no-prism`)
+* Update `terminal-table` version to use latest
+* Update `eval` check to be a little noisier
+* Fix array/hash unknown index handling
+* Disable following symbolic links by default, re-enable with --follow-symlinks
+* Add step (and timing) for finding files
+* Add CSV library as explicit dependency for Ruby 3.4 support
+* Major changes to how rescanning works
+* Raise minimum Ruby version to 3.1
+* Fix hardcoded globally excluded paths
+* Remove updated entry in Brakeman ignore files (Toby Hsieh)
+* Fix recursion when handling multiple assignment expressions
+
 # 6.2.2 - 2024-10-15
 
 * Ignore more native gems when building gem

data/README.md

@@ -63,7 +63,7 @@ Outside of Rails root (note that the output file is relative to path/to/rails/ap
 
 # Compatibility
 
-Brakeman should work with any version of Rails from 2.3.x to 7.x.
+Brakeman should work with any version of Rails from 2.3.x to 8.x.
 
 Brakeman can analyze code written with Ruby 2.0 syntax and newer, but requires at least Ruby 3.0.0 to run.
 

data/lib/brakeman/app_tree.rb

@@ -22,6 +22,8 @@ module Brakeman
       init_options[:additional_libs_path] = options[:additional_libs_path]
       init_options[:engine_paths] = options[:engine_paths]
       init_options[:skip_vendor] = options[:skip_vendor]
+      init_options[:follow_symlinks] = options[:follow_symlinks]
+
       new(root, init_options)
     end
 
@@ -64,6 +66,7 @@ module Brakeman
       @absolute_engine_paths = @engine_paths.select { |path| path.start_with?(File::SEPARATOR) }
       @relative_engine_paths = @engine_paths - @absolute_engine_paths
       @skip_vendor = init_options[:skip_vendor]
+      @follow_symlinks = init_options[:follow_symlinks]
       @gemspec = nil
       @root_search_pattern = nil
     end
@@ -161,28 +164,38 @@ module Brakeman
     end
 
     def glob_files(directory, name, extensions = ".rb")
-      root_directory = "#{root_search_pattern}#{directory}"
-      patterns = ["#{root_directory}/**/#{name}#{extensions}"]
-
-      Dir.glob("#{root_directory}/**/*", File::FNM_DOTMATCH).each do |path|
-        if File.symlink?(path) && File.directory?(path)
-          symlink_target = File.readlink(path)
-          if Pathname.new(symlink_target).relative?
-            symlink_target = File.join(File.dirname(path), symlink_target)
+      if @follow_symlinks
+        root_directory = "#{root_search_pattern}#{directory}"
+        patterns = ["#{root_directory}/**/#{name}#{extensions}"]
+
+        Dir.glob("#{root_directory}/**/*", File::FNM_DOTMATCH).each do |path|
+          if File.symlink?(path) && File.directory?(path)
+            symlink_target = File.readlink(path)
+            if Pathname.new(symlink_target).relative?
+              symlink_target = File.join(File.dirname(path), symlink_target)
+            end
+            patterns << "#{search_pattern(symlink_target)}/**/#{name}#{extensions}"
           end
-          patterns << "#{search_pattern(symlink_target)}/**/#{name}#{extensions}"
         end
-      end
 
-      files = patterns.flat_map { |pattern| Dir.glob(pattern) }
-      files.uniq
+        files = patterns.flat_map { |pattern| Dir.glob(pattern) }
+        files.uniq
+      else
+        pattern = "#{root_search_pattern}#{directory}/**/#{name}#{extensions}"
+        Dir.glob(pattern)
+      end
     end
 
     def select_files(paths)
       paths = select_only_files(paths)
       paths = reject_skipped_files(paths)
       paths = convert_to_file_paths(paths)
-      reject_global_excludes(paths)
+      paths = reject_global_excludes(paths)
+      reject_directories(paths)
+    end
+
+    def reject_directories(paths)
+      paths.reject { |path| File.directory?(path) }
     end
 
     def select_only_files(paths)
@@ -201,15 +214,14 @@ module Brakeman
       end
     end
 
-    EXCLUDED_PATHS = %w[
-      /generators/
+    EXCLUDED_PATHS = regex_for_paths %w[
+      generators/
       lib/tasks/
       lib/templates/
       db/
       spec/
       test/
       tmp/
-      log/
     ]
 
     def reject_global_excludes(paths)
@@ -219,9 +231,7 @@ module Brakeman
         if @skip_vendor and relative_path.include? 'vendor/' and !in_engine_paths?(path) and !in_add_libs_paths?(path)
           true
         else
-          EXCLUDED_PATHS.any? do |excluded|
-            relative_path.include? excluded
-          end
+          match_path EXCLUDED_PATHS, path
         end
       end
     end

data/lib/brakeman/checks/check_deserialize.rb

@@ -76,10 +76,13 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
       confidence = :high
     elsif input = include_user_input?(arg)
       confidence = :medium
+    elsif target == :Marshal
+      confidence = :low
+      message = msg("Use of ", msg_code("#{target}.#{method}"), " may be dangerous")
     end
 
     if confidence
-      message = msg(msg_code("#{target}.#{method}"), " called with ", msg_input(input))
+      message ||= msg(msg_code("#{target}.#{method}"), " called with ", msg_input(input))
 
       warn :result => result,
         :warning_type => "Remote Code Execution",

data/lib/brakeman/checks/check_evaluation.rb

@@ -22,14 +22,51 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
   def process_result result
     return unless original? result
 
-    if input = include_user_input?(result[:call].arglist)
-      warn :result => result,
-        :warning_type => "Dangerous Eval",
-        :warning_code => :code_eval,
-        :message => "User input in eval",
-        :user_input => input,
-        :confidence => :high,
-        :cwe_id => [913, 95]
+    first_arg = result[:call].first_arg
+
+    unless safe_value? first_arg
+      if input = include_user_input?(first_arg)
+        confidence = :high
+        message = msg(msg_input(input), " evaluated as code")
+      elsif string_evaluation? first_arg
+        confidence = :low
+        message = "Dynamic string evaluated as code"
+      elsif result[:call].method == :eval
+        confidence = :low
+        message = "Dynamic code evaluation"
+      end
+
+      if confidence
+        warn :result => result,
+          :warning_type => "Dangerous Eval",
+          :warning_code => :code_eval,
+          :message => message,
+          :user_input => input,
+          :confidence => confidence,
+          :cwe_id => [913, 95]
+      end
+    end
+  end
+
+  def string_evaluation? exp
+    string_interp? exp or
+      (call? exp and string? exp.target)
+  end
+
+  def safe_value? exp
+    return true unless sexp? exp
+
+    case exp.sexp_type
+    when :dstr
+      exp.all? { |e| safe_value? e}
+    when :evstr
+      safe_value? exp.value
+    when :str, :lit
+      true
+    when :call
+      always_safe_method? exp.method
+    else
+      false
     end
   end
 end

data/lib/brakeman/checks/check_model_attr_accessible.rb

@@ -33,6 +33,7 @@ class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
               :confidence => confidence,
               :code => Sexp.new(:lit, attribute),
               :cwe_id => [915]
+
             break # Prevent from matching single attr multiple times
           end
         end

data/lib/brakeman/checks/check_weak_rsa_key.rb

@@ -87,7 +87,7 @@ class Brakeman::CheckWeakRSAKey < Brakeman::BaseCheck
 
     if string? padding_arg
       padding_arg = padding_arg.deep_clone(padding_arg.line)
-      padding_arg.value.downcase!
+      padding_arg.value = padding_arg.value.downcase
     end
 
     case padding_arg

data/lib/brakeman/file_parser.rb

@@ -13,8 +13,9 @@ module Brakeman
       if @use_prism
         begin
           require 'prism'
+          Brakeman.debug '[Notice] Using Prism parser'
         rescue LoadError => e
-          Brakeman.debug "Asked to use Prism, but failed to load: #{e}"
+          Brakeman.debug "[Notice] Asked to use Prism, but failed to load: #{e}"
           @use_prism = false
         end
       end

data/lib/brakeman/options.rb

@@ -161,14 +161,13 @@ module Brakeman::Options
 
         opts.on "--[no-]prism", "Use the Prism parser" do |use_prism|
           if use_prism
-            prism_version = '0.30'
+            min_prism_version = '1.0.0'
 
             begin
-              # Specifying minimum version here,
-              # since it can't be in the gem dependency list because it is optional
-              gem 'prism', "~>#{prism_version}"
+              gem 'prism', ">=#{min_prism_version}"
+              require 'prism'
             rescue Gem::MissingSpecVersionError, Gem::MissingSpecError, Gem::LoadError => e
-              $stderr.puts "Please install `prism` version #{prism_version} or newer:"
+              $stderr.puts "Please install `prism` version #{min_prism_version} or newer:"
               raise e
             end
           end
@@ -223,6 +222,14 @@ module Brakeman::Options
           options[:engine_paths].merge paths
         end
 
+        opts.on '--[no-]follow-symlinks', 'Follow symbolic links for directions' do |follow_symlinks|
+          options[:follow_symlinks] = follow_symlinks
+        end
+
+        opts.on '--gemfile GEMFILE', 'Specify Gemfile to scan' do |gemfile|
+          options[:gemfile] = gemfile
+        end
+
         opts.on "-E", "--enable Check1,Check2,etc", Array, "Enable the specified checks" do |checks|
           checks.map! do |check|
             if check.start_with? "Check"

data/lib/brakeman/processors/alias_processor.rb

@@ -97,6 +97,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   end
 
   def process_bracket_call exp
+    # TODO: What is even happening in this method?
     r = replace(exp)
 
     if r != exp
@@ -127,7 +128,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         return r
       end
     else
-      t = nil
+      t = exp.target # put it back?
     end
 
     if hash? t
@@ -242,6 +243,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         exp = math_op(method, target, first_arg, exp)
       end
     when :[]
+      # TODO: This might never be used because of process_bracket_call above
       if array? target
         exp = process_array_access(target, exp.args, exp)
       elsif hash? target
@@ -268,7 +270,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       end
     when :<<
       if string? target and string? first_arg
-        target.value << first_arg.value
+        target.value += first_arg.value
         env[target_var] = target
         return target
       elsif string? target and string_interp? first_arg
@@ -276,8 +278,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         env[target_var] = exp
       elsif string? first_arg and string_interp? target
         if string? target.last
-          target.last.value << first_arg.value
+          target.last.value += first_arg.value
         elsif target.last.is_a? String
+          # TODO Use target.last += ?
           target.last << first_arg.value
         else
           target << first_arg
@@ -666,7 +669,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     end
 
     unless array? exp[1] and array? exp[2]
-      return process_default(exp)
+      # Already processed RHS, don't do it again
+      # https://github.com/presidentbeef/brakeman/issues/1877
+      return exp
     end
 
     vars = exp[1].dup

data/lib/brakeman/processors/lib/file_type_detector.rb

@@ -13,7 +13,7 @@ module Brakeman
         @file_type = guess_from_path(file.path.relative)
       end
 
-      @file_type || :libs
+      @file_type || :lib
     end
 
     MODEL_CLASSES = [
@@ -26,10 +26,10 @@ module Brakeman
       parent = class_name(exp.parent_name)
 
       if name.match(/Controller$/)
-        @file_type = :controllers
+        @file_type = :controller
         return exp
       elsif MODEL_CLASSES.include? parent
-        @file_type = :models
+        @file_type = :model
         return exp
       end
 
@@ -39,19 +39,21 @@ module Brakeman
     def guess_from_path path
       case
       when path.include?('app/models')
-        :models
+        :model
       when path.include?('app/controllers')
-        :controllers
+        :controller
       when path.include?('config/initializers')
-        :initializers
+        :initializer
       when path.include?('lib/')
-        :libs
+        :lib
       when path.match?(%r{config/environments/(?!production\.rb)$})
         :skip
       when path.match?(%r{environments/production\.rb$})
         :skip
       when path.match?(%r{application\.rb$})
         :skip
+      when path.match?(%r{config/routes\.rb$})
+        :skip
       end
     end
 

data/lib/brakeman/report/ignore/config.rb

@@ -130,7 +130,6 @@ module Brakeman
 
       output = {
         :ignored_warnings => warnings,
-        :updated => Time.now.to_s,
         :brakeman_version => Brakeman::Version
       }
 

data/lib/brakeman/report/report_sarif.rb

@@ -1,8 +1,10 @@
+require 'uri'
+
 class Brakeman::Report::SARIF < Brakeman::Report::Base
   def generate_report
     sarif_log = {
       :version => '2.1.0',
-      :$schema => 'https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json',
+      :$schema => 'https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0.json',
       :runs => runs,
     }
     JSON.pretty_generate sarif_log
@@ -20,10 +22,122 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
           },
         },
         :results => results,
-      },
+      }.merge(original_uri_base_ids)
     ]
   end
 
+  # Output base URIs
+  # based on what the user specified for the application path
+  # and whether or not --absolute-paths was set.
+  def original_uri_base_ids
+    if tracker.options[:app_path] == '.'
+      # Probably no app_path was specified, as that's the default
+
+      if absolute_paths?
+        # Set %SRCROOT% to absolute path
+        {
+          originalUriBaseIds: {
+            '%SRCROOT%' => {
+              uri: file_uri(tracker.app_tree.root),
+              description: {
+                text: 'Base path for application'
+              }
+            }
+          }
+        }
+      else
+        # Empty %SRCROOT%
+        # This avoids any paths appearing in the report
+        # that are not part of the application directory.
+        # Seems fine!
+        {
+          originalUriBaseIds: {
+            '%SRCROOT%' => {
+              description: {
+                text: 'Base path for application'
+              }
+            },
+          }
+        }
+
+      end
+    elsif tracker.options[:app_path] != tracker.app_tree.root
+      # Path was specified and it was relative
+
+      if absolute_paths?
+        # Include absolute root and relative application path
+        {
+          originalUriBaseIds: {
+            PROJECTROOT: {
+              uri: file_uri(tracker.app_tree.root),
+              description: {
+                text: 'Base path for all project files'
+              }
+            },
+            '%SRCROOT%' => {
+              # Technically should ensure this doesn't have any '..'
+              # but... TODO
+              uri: File.join(tracker.options[:app_path], '/'),
+              uriBaseId: 'PROJECTROOT',
+              description: {
+                text: 'Base path for application'
+              }
+            }
+          }
+        }
+      else
+        # Just include relative application path.
+        # Not clear this is 100% valid, but there is one example in the spec like this
+        {
+          originalUriBaseIds: {
+            PROJECTROOT: {
+              description: {
+                text: 'Base path for all project files'
+              }
+            },
+            '%SRCROOT%' => {
+              # Technically should ensure this doesn't have any '..'
+              # but... TODO
+              uri: File.join(tracker.options[:app_path], '/'),
+              uriBaseId: 'PROJECTROOT',
+              description: {
+                text: 'Base path for application'
+              }
+            }
+          }
+        }
+      end
+    else
+      # app_path was absolute
+
+      if absolute_paths?
+        # Set %SRCROOT% to absolute path
+        {
+          originalUriBaseIds: {
+            '%SRCROOT%' => {
+              uri: file_uri(tracker.app_tree.root),
+              description: {
+                text: 'Base path for application'
+              }
+            }
+          }
+        }
+      else
+        # Empty %SRCROOT%
+        # Seems fine!
+        {
+          originalUriBaseIds: {
+            '%SRCROOT%' => {
+              description: {
+                text: 'Base path for application'
+              }
+            },
+          }
+        }
+      end
+    end
+  end
+
   def rules
     @rules ||= unique_warnings_by_warning_code.map do |warning|
       rule_id = render_id warning
@@ -130,4 +244,10 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
     })
     @@levels_from_confidence[warning.confidence]
   end
+
+  # File URI as a string with trailing forward-slash
+  # as required by SARIF standard
+  def file_uri(path)
+    URI::File.build(path: File.join(path, '/')).to_s
+  end
 end