brakeman-min 7.1.1 → 8.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dd61d8da658d0f4da21e1f854a04c0e9423a91797bd93ec2a754ee6cc113570f
-  data.tar.gz: 2a725267c5b8296686867da71b9c2286c4ed423c12bb43f204dd10697afbe08f
+  metadata.gz: 7d15924ac980c6134c4f95cfa14845277421e202e57d7caec7bbf8a082ebb2e2
+  data.tar.gz: 7688a14d0e3d2905f820ddebce4f3adbacdb68033fd1fa9b7a01fdb73067d159
 SHA512:
-  metadata.gz: a85e7dfae5e7dad5a99043c1f785c063a9deee56ab797d70a718ef3f6f8031dbe6b9a3307124d83c016443ae34ef15485a3f594282edf8775797a90d64a5384c
-  data.tar.gz: 70fd83ef6e68861ff57a4809098548c729fcbb67e164f541a5da4a523bb2e7a0d9a3e43f730332317e13917c9432a132af5393a8e5f0368d06abb2ea32ff6b52
+  metadata.gz: '019fdc83e9b63ac345bfbe52a4357cb6dbfd16629a1da905c935a72e4b97dac497dd27e48dc6e64a6f0812b0628364c2f5fdf3ca1eacf6490171c0c010bb8f10'
+  data.tar.gz: c1b2e308b5484b4fdb9907921065b0623175c9889ee1e4831c9d6e64ca5c748c56102b0e21cdeea41b5d52cbb1f645cc7c99e59bf22bd4418cfb3b5c8f4e4e2d

data/CHANGES.md

@@ -1,3 +1,22 @@
+# 8.0.0 - 2026-01-29
+
+* No longer produce weak dynamic render path warnings
+* `--skip-libs` removed
+* `--index-libs` removed
+* Revamp of scan progress output and logging
+* Faster file globbing for templates (Mikael Henriksson)
+* Fix singleton method prefixes (viralpraxis)
+* Fix qualified constant lookup to respect module/class context (Mike Dalessio)
+* Replace Erubis with Erubi
+
+# 7.1.2 - 2025-12-25
+
+* Update `ruby_parser` to remove version restriction (Chedli Bourguiba)
+* Raise minimum required Ruby to 3.2.0
+* Use Minitest 6.0
+* Reduce SQL injection false positives from `count` calls
+* Ignore more Haml attribute builder methods
+
 # 7.1.1 - 2025-11-03
 
 * Fix false positive when calling `with_content` on ViewComponents (Peer Allan)

data/README.md

@@ -65,7 +65,7 @@ Outside of Rails root (note that the output file is relative to path/to/rails/ap
 
 Brakeman should work with any version of Rails from 2.3.x to 8.x.
 
-Brakeman can analyze code written with Ruby 2.0 syntax and newer, but requires at least Ruby 3.0.0 to run.
+Brakeman can analyze code written with Ruby 2.0 syntax and newer, but requires at least Ruby 3.2.0 to run.
 
 # Basic Options
 
@@ -75,7 +75,7 @@ To specify an output file for the results:
 
     brakeman -o output_file
 
-The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `junit`, `markdown`, `csv`, `codeclimate`, and `sonar`.
+The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `junit`, `markdown`, `csv`, `codeclimate`, `github`, `sarif`, and `sonar`.
 
 Multiple output files can be specified:
 

data/lib/brakeman/app_tree.rb

@@ -120,7 +120,7 @@ module Brakeman
 
     def template_paths
       @template_paths ||= find_paths(".", "*.{#{VIEW_EXTENSIONS}}") +
-        find_paths("**", "*.{erb,haml,slim}").reject { |path| File.basename(path).count(".") > 1 }
+        find_paths(".", "*.{erb,haml,slim}").reject { |path| File.basename(path).count(".") > 1 }
     end
 
     def layout_exists?(name)
@@ -213,13 +213,17 @@ module Brakeman
     end
 
     def reject_directories(paths)
-      paths.reject { |path| File.directory?(path) }
+      paths.reject do |path|
+        Brakeman.logger.spin
+        File.directory?(path)
+      end
     end
 
     def select_only_files(paths)
       return paths unless @only_files
 
       paths.select do |path|
+        Brakeman.logger.spin
         match_path @only_files, path
       end
     end
@@ -228,6 +232,7 @@ module Brakeman
       return paths unless @skip_files
 
       paths.reject do |path|
+        Brakeman.logger.spin
         match_path @skip_files, path
       end
     end

data/lib/brakeman/checks/check_model_attributes.rb

@@ -12,7 +12,7 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
 
     #Roll warnings into one warning for all models
     if tracker.options[:collapse_mass_assignment]
-      Brakeman.notify "[Notice] The `collapse_mass_assignment` option has been removed."
+      Brakeman.alert "The `collapse_mass_assignment` option has been removed."
     end
 
     check_models do |name, model|

data/lib/brakeman/checks/check_render.rb

@@ -17,8 +17,7 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
 
     case result[:call].render_type
     when :partial, :template, :action, :file
-      check_for_rce(result) or
-        check_for_dynamic_path(result)
+      check_for_dynamic_path(result)
     when :inline
     when :js
     when :json
@@ -41,8 +40,6 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
         else
           confidence = :high
         end
-      elsif input = include_user_input?(view)
-        confidence = :weak
       else
         return
       end
@@ -62,29 +59,6 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
     end
   end
 
-  def check_for_rce result
-    return unless version_between? "0.0.0", "3.2.22" or
-                  version_between? "4.0.0", "4.1.14" or
-                  version_between? "4.2.0", "4.2.5"
-
-
-    view = result[:call][2]
-    if sexp? view and not duplicate? result
-      if params? view
-        add_result result
-        return if safe_param? view
-
-        warn :result => result,
-          :warning_type => "Remote Code Execution",
-          :warning_code => :dynamic_render_path_rce,
-          :message => msg("Passing query parameters to ", msg_code("render"), " is vulnerable in ", msg_version(rails_version), " ", msg_cve("CVE-2016-0752")),
-          :user_input => view,
-          :confidence => :high,
-          :cwe_id => [22]
-      end
-    end
-  end
-
   def safe_param? exp
     if params? exp and call? exp
       method_name = exp.method

data/lib/brakeman/checks/check_render_rce.rb

@@ -0,0 +1,43 @@
+require 'brakeman/checks/check_render'
+
+class Brakeman::CheckRenderRCE < Brakeman::CheckRender
+  Brakeman::Checks.add self
+
+  @description = "Finds calls to render that might be vulnerable to CVE-2016-0752"
+
+  def run_check
+    tracker.find_call(:target => nil, :method => :render).each do |result|
+      process_render_result result
+    end
+  end
+
+  def process_render_result result
+    return unless node_type? result[:call], :render
+
+    case result[:call].render_type
+    when :partial, :template, :action, :file
+      check_for_rce(result)
+    end
+  end
+
+  def check_for_rce result
+    return unless version_between? "0.0.0", "3.2.22" or
+                  version_between? "4.0.0", "4.1.14" or
+                  version_between? "4.2.0", "4.2.5"
+
+    view = result[:call][2]
+    if sexp? view and not duplicate? result
+      if params? view and not safe_param? view
+        add_result result
+
+        warn :result => result,
+          :warning_type => "Remote Code Execution",
+          :warning_code => :dynamic_render_path_rce,
+          :message => msg("Passing query parameters to ", msg_code("render"), " is vulnerable in ", msg_version(rails_version), " ", msg_cve("CVE-2016-0752")),
+          :user_input => view,
+          :confidence => :high,
+          :cwe_id => [22]
+      end
+    end
+  end
+end

data/lib/brakeman/checks/check_session_settings.rb

@@ -120,7 +120,7 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
       begin
         secrets = YAML.safe_load yaml, aliases: true
       rescue Psych::SyntaxError, RuntimeError => e
-        Brakeman.notify "[Notice] #{self.class}: Unable to parse `#{secrets_file}`"
+        Brakeman.alert "#{self.class}: Unable to parse `#{secrets_file}`"
         Brakeman.debug "Failed to parse #{secrets_file}: #{e.inspect}"
         return
       end

data/lib/brakeman/checks/check_sql.rb

@@ -188,18 +188,20 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
                       when :find_by_sql, :count_by_sql
                         check_by_sql_arguments call.first_arg
                       when :calculate
-                        if call.arglist.length > 2
+                        if call.num_args > 2
                           unsafe_sql?(call.second_arg) or check_find_arguments(call.third_arg)
-                        elsif call.arglist.length > 1
+                        elsif call.num_args > 1
                           unsafe_sql?(call.second_arg)
                         end
                       when :last, :first, :all
                         check_find_arguments call.first_arg
                       when :average, :count, :maximum, :minimum, :sum
-                        if call.arglist.length > 1
-                          unsafe_sql?(call.first_arg) or check_find_arguments(call.last_arg)
+                        if call.num_args > 1
+                          if version_between?("0.0.0", "4.9.9") # In Rails 5+ these do not accept multiple arguments
+                            check_find_arguments(call.first_arg) or check_find_arguments(call.second_arg)
+                          end
                         else
-                          check_find_arguments call.last_arg
+                          check_find_arguments call.first_arg
                         end
                       when :where, :rewhere, :having, :find_by, :find_by!, :find_or_create_by, :find_or_create_by!, :find_or_initialize_by,:not, :delete_by, :destroy_by
                         check_query_arguments call.arglist

data/lib/brakeman/checks.rb

@@ -121,37 +121,43 @@ class Brakeman::Checks
     parallel = tracker.options[:parallel_checks]
     error_mutex = Mutex.new
 
-    checks.each do |c|
-      check_name = get_check_name c
-      Brakeman.notify " - #{check_name}"
+    message = if parallel
+      "Running #{checks.length} checks in parallel"
+    else
+      "Running #{checks.length} checks"
+    end
 
-      if parallel
-        threads << Thread.new do
-          self.run_a_check(c, error_mutex, tracker)
+    Brakeman.process_step(message) do
+      checks.each do |c|
+        check_name = get_check_name c
+        Brakeman.debug " - #{check_name}"
+
+        if parallel
+          threads << Thread.new do
+            self.run_a_check(c, error_mutex, tracker)
+          end
+        else
+          results << self.run_a_check(c, error_mutex, tracker)
         end
-      else
-        results << self.run_a_check(c, error_mutex, tracker)
-      end
-
-      #Maintain list of which checks were run
-      #mainly for reporting purposes
-      check_runner.checks_run << check_name[5..-1]
-    end
 
-    threads.each { |t| t.join }
+        #Maintain list of which checks were run
+        #mainly for reporting purposes
+        check_runner.checks_run << check_name[5..-1]
+      end
 
-    Brakeman.notify "Checks finished, collecting results..."
+      threads.each { |t| t.join }
 
-    if parallel
-      threads.each do |thread|
-        thread.value.each do |warning|
-          check_runner.add_warning warning
+      if parallel
+        threads.each do |thread|
+          thread.value.each do |warning|
+            check_runner.add_warning warning
+          end
         end
-      end
-    else
-      results.each do |warnings|
-        warnings.each do |warning|
-          check_runner.add_warning warning
+      else
+        results.each do |warnings|
+          warnings.each do |warning|
+            check_runner.add_warning warning
+          end
         end
       end
     end

data/lib/brakeman/commandline.rb

@@ -54,11 +54,13 @@ module Brakeman
             f.puts JSON.pretty_generate(vulns)
           end
 
-          Brakeman.notify "Comparison saved in '#{options[:comparison_output_file]}'"
+          Brakeman.announce "Comparison saved in '#{options[:comparison_output_file]}'"
         else
           puts JSON.pretty_generate(vulns)
         end
 
+        Brakeman.cleanup(false)
+
         if options[:exit_on_warn] && vulns[:new].count > 0
           quit Brakeman::Warnings_Found_Exit_Code
         end
@@ -117,6 +119,7 @@ module Brakeman
       # Override this method for different behavior.
       def quit exit_code = 0, message = nil
         warn message if message
+        Brakeman.cleanup
         exit exit_code
       end
 
@@ -186,6 +189,8 @@ module Brakeman
             warn caller
           end
 
+          Brakeman.cleanup
+
           exit!
         end
       end

data/lib/brakeman/file_parser.rb

@@ -13,9 +13,9 @@ module Brakeman
       if @use_prism
         begin
           require 'prism'
-          Brakeman.debug '[Notice] Using Prism parser'
+          Brakeman.debug 'Using Prism parser'
         rescue LoadError => e
-          Brakeman.debug "[Notice] Asked to use Prism, but failed to load: #{e}"
+          Brakeman.debug "Asked to use Prism, but failed to load: #{e}"
           @use_prism = false
         end
       end
@@ -46,6 +46,7 @@ module Brakeman
       #
       # Note this method no longer uses read_files
       @file_list, new_errors = Parallel.map(list, parallel_options) do |file_name|
+        Brakeman.logger.spin
         file_path = @app_tree.file_path(file_name)
         contents = file_path.read
 

data/lib/brakeman/logger.rb

@@ -0,0 +1,264 @@
+module Brakeman
+  module Logger
+    def self.get_logger options, dest = $stderr
+      case
+      when options[:debug]
+        Debug.new(options, dest)
+      when options[:quiet]
+        Quiet.new(options, dest)
+      when options[:report_progress] == false
+        Plain.new(options, dest)
+      when dest.tty?
+        Console.new(options, dest)
+      else
+        Plain.new(options, dest)
+      end
+    end
+
+    class Base
+      def initialize(options, log_destination = $stderr)
+        @dest = log_destination
+        @show_timing = options[:debug] || options[:show_timing]
+      end
+
+      # Output a message to the log.
+      # If newline is `false`, does not output a newline after message.
+      def log(message, newline: true)
+        if newline
+          @dest.puts message
+        else
+          @dest.write message
+        end
+      end
+
+      # Notify about important information - use sparingly
+      def announce(message); end
+
+      # Notify regarding errors - use sparingly
+      def alert(message); end
+
+      # Output debug information
+      def debug(message); end
+
+      # Wraps a step in the scanning process
+      def context(description, &)
+        yield self
+      end
+
+      # Wraps a substep (e.g. processing one file)
+      def single_context(description, &)
+        yield
+      end
+
+      # Update progress towards a known total
+      def update_progress(current, total, type = 'files'); end
+
+      # Show a spinner
+      def spin; end
+
+      # Called on exit
+      def cleanup(newline); end
+
+      def show_timing? = @show_timing
+
+      # Use ANSI codes to color a string
+      def color(message, *)
+        if @highline
+          @highline.color(message, *)
+        else
+          message
+        end
+      end
+
+      def color?
+        @highline and @highline.use_color?
+      end
+
+      private
+
+      def load_highline(output_color)
+        if @dest.tty? or output_color == :force
+          Brakeman.load_brakeman_dependency 'highline'
+          @highline = HighLine.new
+          @highline.use_color = !!output_color
+        else
+          @highline = nil
+        end
+      end
+    end
+
+    class Plain < Base
+      def initialize(options, *)
+        super
+
+        load_highline(options[:output_color])
+      end
+
+      def announce(message)
+        log color(message, :bold, :green)
+      end
+
+      def alert(message)
+        log color(message, :red)
+      end
+
+      def context(description, &)
+        log "#{color(description, :green)}..."
+
+        if show_timing?
+          time_step(description, &)
+        else
+          yield
+        end
+      end
+
+      def time_step(description, &)
+        start_t = Time.now
+        yield
+        duration = Time.now - start_t
+
+        log color(("Completed #{description.to_s.downcase} in %0.2fs" % duration), :gray)
+      end
+    end
+
+    class Quiet < Base
+      def initialize(*)
+        super
+      end
+    end
+
+    class Debug < Plain
+      def debug(message)
+        log color(message, :gray)
+      end
+
+      def context(description, &)
+        log "#{description}..."
+
+        time_step(description, &)
+      end
+
+      def single_context(description, &)
+        debug "Processing #{description}"
+
+        if show_timing?
+          # Even in debug, only show timing for each file if asked
+          time_step(description, &)
+        else
+          yield
+        end
+      end
+    end
+
+    class Console < Base
+      attr_reader :prefix
+
+      def initialize(options, *)
+        super
+
+        load_highline(options[:output_color])
+        require 'reline'
+        require 'reline/io/ansi'
+
+        @prefix = ''
+        @post_fix_pos = 0
+        @reline = Reline::ANSI.new
+        @report_progress = options[:report_progress]
+        @spinner = ["⣀", "⣄", "⣤", "⣦", "⣶", "⣷", "⣿"]
+        @percenter = ["⣀", "⣤", "⣶", "⣿"]
+        @spindex = 0
+        @last_spin = Time.now
+        @reline.hide_cursor
+      end
+
+      def announce message
+        clear_line
+        log color(message, :bold, :green)
+        rewrite_prefix
+      end
+
+      def alert message
+        clear_line
+        log color(message, :red)
+        rewrite_prefix
+      end
+
+      def context(description, &)
+        write_prefix description
+
+        time_step(description, &)
+      ensure
+        clear_prefix
+      end
+
+      def time_step(description, &)
+        if show_timing?
+          start_t = Time.now
+          yield
+          duration = Time.now - start_t
+
+          write_after color(('%0.2fs' % duration), :gray)
+          log ''
+        else
+          yield
+        end
+      end
+
+      def update_progress current, total, type = 'files'
+        percent = ((current / total.to_f) * 100).to_i
+        tenths = [(percent / 10), 0].max
+
+        lead = color(@percenter[percent % 10 / 3], :bold, :red)
+        done_blocks = color("⣿" * tenths, :red)
+        remaining = color("⣀" * (9 - tenths), :gray)
+        write_after "#{done_blocks}#{lead}#{remaining}"
+      end
+
+      def write_prefix pref
+        set_prefix pref
+        rewrite_prefix
+      end
+
+      # If an alert was written, redo prefix on next line
+      def rewrite_prefix
+        log(@prefix, newline: false)
+        @reline.erase_after_cursor
+      end
+
+      def write_after message
+        @reline.move_cursor_column(@post_fix_pos)
+        log(message, newline: false)
+        @reline.erase_after_cursor
+      end
+
+      def set_prefix message
+        @prefix = "#{color('»', :bold, :cyan)} #{color(message, :green)}"
+        @post_fix_pos = HighLine::Wrapper.actual_length(@prefix) + 1
+      end
+
+      def clear_prefix
+        @prefix = ''
+        @post_fix_pos = 0
+        clear_line
+      end
+
+      def clear_line
+        @reline.move_cursor_column(0)
+        @reline.erase_after_cursor
+      end
+
+      def spin
+        return unless (Time.now - @last_spin) > 0.2
+
+        write_after color(@spinner[@spindex], :bold, :red)
+        @spindex = (@spindex + 1) % @spinner.length
+        @last_spin = Time.now
+      end
+
+      def cleanup(newline = true)
+        @reline.show_cursor
+        log('') if newline
+      end
+    end
+  end
+end

data/lib/brakeman/options.rb

@@ -131,7 +131,6 @@ module Brakeman::Options
 
         opts.on "--faster", "Faster, but less accurate scan" do
           options[:ignore_ifs] = true
-          options[:skip_libs] = true
           options[:disable_constant_tracking] = true
         end
 
@@ -143,10 +142,6 @@ module Brakeman::Options
           options[:ignore_attr_protected] = true
         end
 
-        opts.on "--[no-]index-libs", "Add libraries to call index (Default)" do |index|
-          options[:index_libs] = index
-        end
-
         opts.on "--interprocedural", "Process method calls to known methods" do
           options[:interprocedural] = true
         end
@@ -212,10 +207,6 @@ module Brakeman::Options
           options[:skip_vendor] = skip
         end
 
-        opts.on "--skip-libs", "Skip processing lib directory" do
-          options[:skip_libs] = true
-        end
-
         opts.on "--add-libs-path path1,path2,etc", Array, "An application relative lib directory (ex. app/mailers) to process" do |paths|
           options[:additional_libs_path] ||= Set.new
           options[:additional_libs_path].merge paths