brakeman-min 7.1.1 → 8.0.0

data/lib/brakeman/tracker.rb

@@ -101,15 +101,9 @@ class Brakeman::Tracker
     @app_path ||= File.expand_path @options[:app_path]
   end
 
-  #Iterate over all methods in controllers and models.
+  #Iterate over all methods
   def each_method
-    classes = [self.controllers, self.models]
-
-    if @options[:index_libs]
-      classes << self.libs
-    end
-
-    classes.each do |set|
+    [self.controllers, self.models, self.libs].each do |set|
       set.each do |set_name, collection|
         collection.each_method do |method_name, definition|
           src = definition.src
@@ -137,13 +131,7 @@ class Brakeman::Tracker
 
 
   def each_class
-    classes = [self.controllers, self.models]
-
-    if @options[:index_libs]
-      classes << self.libs
-    end
-
-    classes.each do |set|
+    [self.controllers, self.models, self.libs].each do |set|
       set.each do |set_name, collection|
         collection.src.each do |file, src|
           yield src, set_name, file
@@ -329,6 +317,8 @@ class Brakeman::Tracker
     finder = Brakeman::FindAllCalls.new self
 
     method_sets.each do |set|
+      Brakeman.logger.spin
+
       set.each do |set_name, info|
         info.each_method do |method_name, definition|
           src = definition.src
@@ -339,12 +329,14 @@ class Brakeman::Tracker
 
     if locations.include? :templates
       self.each_template do |_name, template|
+        Brakeman.logger.spin
         finder.process_source template.src, :template => template, :file => template.file
       end
     end
 
     if locations.include? :initializers
       self.initializers.each do |file_name, src|
+        Brakeman.logger.spin
         finder.process_all_source src, :file => file_name
       end
     end

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "7.1.1"
+  Version = "8.0.0"
 end

data/lib/brakeman.rb

@@ -1,4 +1,5 @@
 require 'set'
+require 'brakeman/logger'
 require 'brakeman/version'
 
 module Brakeman
@@ -32,6 +33,7 @@ module Brakeman
   @quiet = false
   @loaded_dependencies = []
   @vendored_paths = false
+  @logger = nil
 
   #Run Brakeman scan. Returns Tracker object.
   #
@@ -52,7 +54,6 @@ module Brakeman
   #  * :highlight_user_input - highlight user input in reported warnings (default: true)
   #  * :html_style - path to CSS file
   #  * :ignore_model_output - consider models safe (default: false)
-  #  * :index_libs - add libraries to call index (default: true)
   #  * :interprocedural - limited interprocedural processing of method calls (default: false)
   #  * :message_limit - limit length of messages
   #  * :min_confidence - minimum confidence (0-2, 0 is highest)
@@ -71,7 +72,6 @@ module Brakeman
   #  * :safe_methods - array of methods to consider safe
   #  * :show_ignored - Display warnings that are usually ignored
   #  * :sql_safe_methods - array of sql sanitization methods to consider safe
-  #  * :skip_libs - do not process lib/ directory (default: false)
   #  * :skip_vendor - do not process vendor/ directory (default: true)
   #  * :skip_checks - checks not to run (run all if not specified)
   #  * :absolute_paths - show absolute path of each file (default: false)
@@ -79,6 +79,10 @@ module Brakeman
   #
   #Alternatively, just supply a path as a string.
   def self.run options
+    if not $stderr.tty? and options[:report_progress].nil?
+      options[:report_progress] = false
+    end
+
     options = set_options options
 
     @quiet = !!options[:quiet]
@@ -88,18 +92,37 @@ module Brakeman
       options[:report_progress] = false
     end
 
+    @logger = options[:logger] || set_default_logger(options)
+
     if options[:use_prism]
       begin
         require 'prism'
-        notify '[Notice] Using Prism parser'
       rescue LoadError => e
-        Brakeman.debug "[Notice] Asked to use Prism, but failed to load: #{e}"
+        Brakeman.alert "Asked to use Prism, but failed to load: #{e}"
       end
     end
 
+    Brakeman.announce "Brakeman v#{Brakeman::Version}"
+
     scan options
   end
 
+  def self.logger
+    @logger
+  end
+
+  def self.logger= log
+    @logger = log
+  end
+
+  def self.set_default_logger(options = {})
+    @logger = Brakeman::Logger.get_logger(options)
+  end
+
+  def self.cleanup(newline = true)
+    @logger.cleanup(newline) if @logger
+  end
+
   #Sets up options for run, checks given application path
   def self.set_options options
     if options.is_a? String
@@ -152,6 +175,9 @@ module Brakeman
       require 'yaml'
       options = YAML.safe_load_file config, permitted_classes: [Symbol], symbolize_names: true
 
+      # Brakeman.logger is probably not set yet
+      logger = Brakeman::Logger.get_logger(options || line_options)
+
       if options
         options.each { |k, v| options[k] = Set.new v if v.is_a? Array }
 
@@ -162,15 +188,16 @@ module Brakeman
           if options.include? :additional_checks_path
             options.delete :additional_checks_path
 
-            notify "[Notice] Ignoring additional check paths in config file. Use --allow-check-paths-in-config to allow" unless (options[:quiet] || quiet)
+            logger.alert 'Ignoring additional check paths in config file. Use --allow-check-paths-in-config to allow' unless (options[:quiet] || quiet)
           end
         end
 
         # notify if options[:quiet] and quiet is nil||false
-        notify "[Notice] Using configuration in #{config}" unless (options[:quiet] || quiet)
+        # potentially remove these checks now that logger is used
+        logger.alert "Using configuration in #{config}" unless (options[:quiet] || quiet)
         options
       else
-        notify "[Notice] Empty configuration file: #{config}" unless quiet
+        logger.alert "Empty configuration file: #{config}" unless quiet
         {}
       end
     else
@@ -209,7 +236,6 @@ module Brakeman
       :html_style => "#{File.expand_path(File.dirname(__FILE__))}/brakeman/format/style.css",
       :ignore_model_output => false,
       :ignore_redirect_to_model => true,
-      :index_libs => true,
       :message_limit => 100,
       :min_confidence => 2,
       :output_color => true,
@@ -367,6 +393,12 @@ module Brakeman
 
     options.delete :create_config
 
+    if options[:logger]
+      @logger = options.delete(:logger)
+    else
+      set_default_logger(options)
+    end
+
     options.each do |k,v|
       if v.is_a? Set
         options[k] = v.to_a
@@ -377,9 +409,10 @@ module Brakeman
       File.open file, "w" do |f|
         YAML.dump options, f
       end
-      notify "Output configuration to #{file}"
+
+      announce "Output configuration to #{file}"
     else
-      notify YAML.dump(options)
+      $stdout.puts YAML.dump(options)
     end
   end
 
@@ -394,43 +427,39 @@ module Brakeman
   #Run a scan. Generally called from Brakeman.run instead of directly.
   def self.scan options
     #Load scanner
-    notify "Loading scanner..."
+    scanner, tracker = nil
 
-    begin
-      require 'brakeman/scanner'
-    rescue LoadError
-      raise NoBrakemanError, "Cannot find lib/ directory."
-    end
+    process_step 'Loading scanner' do
+      begin
+        require 'brakeman/scanner'
+      rescue LoadError
+        raise NoBrakemanError, 'Cannot find lib/ directory.'
+      end
 
-    add_external_checks options
+      add_external_checks options
 
-    #Start scanning
-    scanner = Scanner.new options
-    tracker = scanner.tracker
+      #Start scanning
+      scanner = Scanner.new options
+      tracker = scanner.tracker
 
-    check_for_missing_checks options[:run_checks], options[:skip_checks], options[:enable_checks]
+      check_for_missing_checks options[:run_checks], options[:skip_checks], options[:enable_checks]
+    end
 
-    notify "Processing application in #{tracker.app_path}"
+    logger.announce "Scanning #{tracker.app_path}"
     scanner.process
 
-    if options[:parallel_checks]
-      notify "Running checks in parallel..."
-    else
-      notify "Running checks..."
-    end
-
     tracker.run_checks
 
     self.filter_warnings tracker, options
 
     if options[:output_files]
-      notify "Generating report..."
-
-      write_report_to_files tracker, options[:output_files]
+      process_step 'Generating report' do
+        write_report_to_files tracker, options[:output_files]
+      end
     elsif options[:print_report]
-      notify "Generating report..."
-
-      write_report_to_formats tracker, options[:output_formats]
+      process_step 'Generating report' do
+        write_report_to_formats tracker, options[:output_formats]
+      end
     end
 
     tracker
@@ -449,7 +478,8 @@ module Brakeman
       File.open output_file, "w" do |f|
         f.write tracker.report.format(tracker.options[:output_formats][idx])
       end
-      notify "Report saved in '#{output_file}'"
+
+      logger.announce "Report saved in '#{output_file}'"
     end
   end
   private_class_method :write_report_to_files
@@ -493,12 +523,16 @@ module Brakeman
     Rescanner.new(options, tracker.processor, files).recheck
   end
 
-  def self.notify message
-    $stderr.puts message unless @quiet
+  def self.announce message
+    logger.announce message
+  end
+
+  def self.alert message
+    logger.alert message
   end
 
   def self.debug message
-    $stderr.puts message if @debug
+    logger.debug message
   end
 
   # Compare JSON output from a previous scan and return the diff of the two scans
@@ -510,7 +544,7 @@ module Brakeman
     begin
       previous_results = JSON.parse(File.read(options[:previous_results_json]), :symbolize_names => true)[:warnings]
     rescue JSON::ParserError
-      self.notify "Error parsing comparison file: #{options[:previous_results_json]}"
+      self.alert "Error parsing comparison file: #{options[:previous_results_json]}"
       exit!
     end
 
@@ -565,6 +599,7 @@ module Brakeman
 
   def self.filter_warnings tracker, options
     require 'brakeman/report/ignore/config'
+    config = nil
 
     app_tree = Brakeman::AppTree.from_options(options)
 
@@ -576,16 +611,17 @@ module Brakeman
       return
     end
 
-    notify "Filtering warnings..."
-
-    if options[:interactive_ignore]
-      require 'brakeman/report/ignore/interactive'
-      config = InteractiveIgnorer.new(file, tracker.warnings).start
-    else
-      notify "[Notice] Using '#{file}' to filter warnings"
-      config = IgnoreConfig.new(file, tracker.warnings)
-      config.read_from_file
-      config.filter_ignored
+    process_step "Filtering warnings..." do
+      if options[:interactive_ignore]
+        require 'brakeman/report/ignore/interactive'
+        logger.cleanup
+        config = InteractiveIgnorer.new(file, tracker.warnings).start
+      else
+        logger.announce "Using '#{file}' to filter warnings"
+        config = IgnoreConfig.new(file, tracker.warnings)
+        config.read_from_file
+        config.filter_ignored
+      end
     end
 
     tracker.ignored_filter = config
@@ -615,6 +651,10 @@ module Brakeman
     @quiet = val
   end
 
+  def self.process_step(description, &)
+    logger.context(description, &)
+  end
+
   class DependencyError < RuntimeError; end
   class NoBrakemanError < RuntimeError; end
   class NoApplication < RuntimeError; end

data/lib/ruby_parser/bm_sexp.rb

@@ -172,6 +172,20 @@ class Sexp
     self[2] = name
   end
 
+  # Number of arguments in a method call.
+  def num_args
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn, :super, :zsuper
+
+    case self.node_type
+    when :call, :attrasgn, :safe_call, :safe_attrasgn
+      self.length - 3
+    when :super
+      self.length - 1
+    when :zsuper
+      0
+    end
+  end
+
   #Sets the arglist in a method call.
   def arglist= exp
     expect :call, :attrasgn, :safe_call, :safe_attrasgn

metadata

@@ -1,17 +1,30 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-min
 version: !ruby/object:Gem::Version
-  version: 7.1.1
+  version: 8.0.0
 platform: ruby
 authors:
 - Justin Collins
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-11-04 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '6.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '6.0'
+- !ruby/object:Gem::Dependency
+  name: minitest-ci
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -25,7 +38,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: minitest-ci
+  name: minitest-mock
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -72,14 +85,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.20.2
+        version: 3.22.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.20.2
+        version: 3.22.0
 - !ruby/object:Gem::Dependency
   name: sexp_processor
   requirement: !ruby/object:Gem::Requirement
@@ -190,6 +203,7 @@ files:
 - lib/brakeman/checks/check_render.rb
 - lib/brakeman/checks/check_render_dos.rb
 - lib/brakeman/checks/check_render_inline.rb
+- lib/brakeman/checks/check_render_rce.rb
 - lib/brakeman/checks/check_response_splitting.rb
 - lib/brakeman/checks/check_reverse_tabnabbing.rb
 - lib/brakeman/checks/check_route_dos.rb
@@ -232,14 +246,12 @@ files:
 - lib/brakeman/file_parser.rb
 - lib/brakeman/file_path.rb
 - lib/brakeman/format/style.css
+- lib/brakeman/logger.rb
 - lib/brakeman/messages.rb
 - lib/brakeman/options.rb
-- lib/brakeman/parsers/erubis_patch.rb
 - lib/brakeman/parsers/haml6_embedded.rb
 - lib/brakeman/parsers/haml_embedded.rb
-- lib/brakeman/parsers/rails2_erubis.rb
-- lib/brakeman/parsers/rails2_xss_plugin_erubis.rb
-- lib/brakeman/parsers/rails3_erubis.rb
+- lib/brakeman/parsers/rails_erubi.rb
 - lib/brakeman/parsers/slim_embedded.rb
 - lib/brakeman/parsers/template_parser.rb
 - lib/brakeman/processor.rb
@@ -249,7 +261,7 @@ files:
 - lib/brakeman/processors/controller_alias_processor.rb
 - lib/brakeman/processors/controller_processor.rb
 - lib/brakeman/processors/erb_template_processor.rb
-- lib/brakeman/processors/erubis_template_processor.rb
+- lib/brakeman/processors/erubi_template_procesor.rb
 - lib/brakeman/processors/gem_processor.rb
 - lib/brakeman/processors/haml6_template_processor.rb
 - lib/brakeman/processors/haml_template_processor.rb
@@ -337,7 +349,6 @@ metadata:
   mailing_list_uri: https://gitter.im/presidentbeef/brakeman
   source_code_uri: https://github.com/presidentbeef/brakeman
   wiki_uri: https://github.com/presidentbeef/brakeman/wiki
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -345,15 +356,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.5.0
+      version: 3.2.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.27
-signing_key:
+rubygems_version: 4.0.3
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.
 test_files: []

data/lib/brakeman/parsers/erubis_patch.rb

@@ -1,11 +0,0 @@
-module Brakeman::ErubisPatch
-  # Simple patch to make `erubis` compatible with frozen string literals
-  def convert(input)
-    codebuf = +"" # Modified line, the rest is identitical
-    @preamble.nil? ? add_preamble(codebuf) : (@preamble && (codebuf << @preamble))
-    convert_input(codebuf, input)
-    @postamble.nil? ? add_postamble(codebuf) : (@postamble && (codebuf << @postamble))
-    @_proc = nil    # clear cached proc object
-    return codebuf  # or codebuf.join()
-  end
-end

data/lib/brakeman/parsers/rails2_erubis.rb

@@ -1,9 +0,0 @@
-Brakeman.load_brakeman_dependency 'erubis'
-
-require 'brakeman/parsers/erubis_patch'
-
-#Erubis processor which ignores any output which is plain text.
-class Brakeman::ScannerErubis < Erubis::Eruby
-  include Erubis::NoTextEnhancer
-  include Brakeman::ErubisPatch
-end

data/lib/brakeman/parsers/rails2_xss_plugin_erubis.rb

@@ -1,52 +0,0 @@
-Brakeman.load_brakeman_dependency 'erubis'
-
-require 'brakeman/parsers/erubis_patch'
-
-#This is from the rails_xss plugin for Rails 2
-class Brakeman::Rails2XSSPluginErubis < ::Erubis::Eruby
-  include Brakeman::ErubisPatch
-
-  def add_preamble(src)
-    #src << "@output_buffer = ActiveSupport::SafeBuffer.new;"
-  end
-
-  #This is different from rails_xss - fixes some line number issues
-  def add_text(src, text)
-    if text == "\n"
-      src << "\n"
-    elsif text.include? "\n"
-      lines = text.split("\n")
-      if text.match(/\n\z/)
-        lines.each do |line|
-          src << "@output_buffer.safe_concat('" << escape_text(line) << "');\n"
-        end
-      else
-        lines[0..-2].each do |line|
-          src << "@output_buffer.safe_concat('" << escape_text(line) << "');\n"
-        end
-
-        src << "@output_buffer.safe_concat('" << escape_text(lines.last) << "');"
-      end
-    else
-      src << "@output_buffer.safe_concat('" << escape_text(text) << "');"
-    end
-  end
-
-  BLOCK_EXPR = /\s+(do|\{)(\s*\|[^|]*\|)?\s*\Z/
-
-  def add_expr_literal(src, code)
-    if code =~ BLOCK_EXPR
-      src << "@output_buffer.safe_concat((" << $1 << ").to_s);"
-    else
-      src << '@output_buffer << ((' << code << ').to_s);'
-    end
-  end
-
-  def add_expr_escaped(src, code)
-    src << '@output_buffer << ' << escaped_expr(code) << ';'
-  end
-
-  def add_postamble(src)
-    #src << '@output_buffer.to_s'
-  end
-end

data/lib/brakeman/parsers/rails3_erubis.rb

@@ -1,85 +0,0 @@
-Brakeman.load_brakeman_dependency 'erubis'
-
-require 'brakeman/parsers/erubis_patch'
-
-# This is from Rails 5 version of the Erubis handler
-# https://github.com/rails/rails/blob/ec608107801b1e505db03ba76bae4a326a5804ca/actionview/lib/action_view/template/handlers/erb.rb#L7-L73
-class Brakeman::Rails3Erubis < ::Erubis::Eruby
-  include Brakeman::ErubisPatch
-
-  def add_preamble(src)
-    @newline_pending = 0
-    src << "_this_is_to_make_yields_syntactally_correct {"
-    src << "@output_buffer = output_buffer || ActionView::OutputBuffer.new;"
-  end
-
-  def add_text(src, text)
-    return if text.empty?
-
-    if text == "\n"
-      @newline_pending += 1
-    else
-      src << "@output_buffer.safe_append='"
-      src << "\n" * @newline_pending if @newline_pending > 0
-      src << escape_text(text)
-      src << "'.freeze;"
-
-      @newline_pending = 0
-    end
-  end
-
-  # Erubis toggles <%= and <%== behavior when escaping is enabled.
-  # We override to always treat <%== as escaped.
-  def add_expr(src, code, indicator)
-    case indicator
-    when '=='
-      add_expr_escaped(src, code)
-    else
-      super
-    end
-  end
-
-  BLOCK_EXPR = /\s*((\s+|\))do|\{)(\s*\|[^|]*\|)?\s*\Z/
-
-  def add_expr_literal(src, code)
-    flush_newline_if_pending(src)
-    if code =~ BLOCK_EXPR
-      src << '@output_buffer.append= ' << code
-    else
-      src << '@output_buffer.append=(' << code << ');'
-    end
-  end
-
-  def add_expr_escaped(src, code)
-    flush_newline_if_pending(src)
-    if code =~ BLOCK_EXPR
-      src << "@output_buffer.safe_expr_append= " << code
-    else
-      src << "@output_buffer.safe_expr_append=(" << code << ");"
-    end
-  end
-
-  def add_stmt(src, code)
-    flush_newline_if_pending(src)
-    super
-  end
-
-  def add_postamble(src)
-    flush_newline_if_pending(src)
-    src << '@output_buffer.to_s; }'
-  end
-
-  def flush_newline_if_pending(src)
-    if @newline_pending > 0
-      src << "@output_buffer.safe_append='#{"\n" * @newline_pending}'.freeze;"
-      @newline_pending = 0
-    end
-  end
-
-  # This is borrowed from graphql's erb plugin:
-  # https://github.com/github/graphql-client/blob/51e76bd8d8b2ac0021d8fef7468b9a294e4bd6e8/lib/graphql/client/erubis.rb#L33-L38
-  def convert_input(src, input)
-    input = input.gsub(/<%graphql/, "<%#")
-    super(src, input)
-  end
-end