brakeman-min 7.1.2 → 8.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7795329b27bb6a83f78b1467d74ff72d9241a4707871f03fa9901ca1118c861c
-  data.tar.gz: bcd9483bcd146a04cbe91164947ba4819f8eb828b73270886d15d4bd29521064
+  metadata.gz: dddb2b335dd5a7b607653373eb3991dd57b63f57479e4eb0802973c3be80acdd
+  data.tar.gz: 0f83d5677d9b28d9e95030972502371dbbc281bd4b9b281b0b127cd4ceeec274
 SHA512:
-  metadata.gz: 4ab8e958b3bbb9d9678a6fc0927a704914db827ce97f097ca3a9154aacaa4931913b11213d1360ff4f5ad3623c8ad80590aa935f37d5d9720e099d300f95b9d9
-  data.tar.gz: 0d62642d8ff249f550b9d8a7187237325e438310b9009894c71f4b92282a49af020d31f377b4c09bca7f291443843832f48ed326c680c870a42c24b854e1956f
+  metadata.gz: ba3ebe3e2ab37afd21acedb9172aa5a5fbced8d9b2cfd79f1bb44bc6944d86e889e4d6ce8671c845dead1e6e0c8b35b73133865a8036339b6c30c7050bcadd82
+  data.tar.gz: 4ffad27ed4985e51342536f6edcd4c7140cfa90b4bcfc4a89236a7fd76f0cfffaf6894e9ae1548478bfbcce74c77177d961571de4b248b60c6494bd491cacc2d

data/CHANGES.md

@@ -1,3 +1,18 @@
+# 8.0.1 - 2026-01-29
+
+* Make sure to reset the cursor even when exit code is 0
+
+# 8.0.0 - 2026-01-29
+
+* No longer produce weak dynamic render path warnings
+* `--skip-libs` removed
+* `--index-libs` removed
+* Revamp of scan progress output and logging
+* Faster file globbing for templates (Mikael Henriksson)
+* Fix singleton method prefixes (viralpraxis)
+* Fix qualified constant lookup to respect module/class context (Mike Dalessio)
+* Replace Erubis with Erubi
+
 # 7.1.2 - 2025-12-25
 
 * Update `ruby_parser` to remove version restriction (Chedli Bourguiba)

data/README.md

@@ -75,7 +75,7 @@ To specify an output file for the results:
 
     brakeman -o output_file
 
-The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `junit`, `markdown`, `csv`, `codeclimate`, `github` and `sonar`.
+The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `junit`, `markdown`, `csv`, `codeclimate`, `github`, `sarif`, and `sonar`.
 
 Multiple output files can be specified:
 

data/lib/brakeman/app_tree.rb

@@ -120,7 +120,7 @@ module Brakeman
 
     def template_paths
       @template_paths ||= find_paths(".", "*.{#{VIEW_EXTENSIONS}}") +
-        find_paths("**", "*.{erb,haml,slim}").reject { |path| File.basename(path).count(".") > 1 }
+        find_paths(".", "*.{erb,haml,slim}").reject { |path| File.basename(path).count(".") > 1 }
     end
 
     def layout_exists?(name)
@@ -213,13 +213,17 @@ module Brakeman
     end
 
     def reject_directories(paths)
-      paths.reject { |path| File.directory?(path) }
+      paths.reject do |path|
+        Brakeman.logger.spin
+        File.directory?(path)
+      end
     end
 
     def select_only_files(paths)
       return paths unless @only_files
 
       paths.select do |path|
+        Brakeman.logger.spin
         match_path @only_files, path
       end
     end
@@ -228,6 +232,7 @@ module Brakeman
       return paths unless @skip_files
 
       paths.reject do |path|
+        Brakeman.logger.spin
         match_path @skip_files, path
       end
     end

data/lib/brakeman/checks/check_model_attributes.rb

@@ -12,7 +12,7 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
 
     #Roll warnings into one warning for all models
     if tracker.options[:collapse_mass_assignment]
-      Brakeman.notify "[Notice] The `collapse_mass_assignment` option has been removed."
+      Brakeman.alert "The `collapse_mass_assignment` option has been removed."
     end
 
     check_models do |name, model|

data/lib/brakeman/checks/check_render.rb

@@ -17,8 +17,7 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
 
     case result[:call].render_type
     when :partial, :template, :action, :file
-      check_for_rce(result) or
-        check_for_dynamic_path(result)
+      check_for_dynamic_path(result)
     when :inline
     when :js
     when :json
@@ -41,8 +40,6 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
         else
           confidence = :high
         end
-      elsif input = include_user_input?(view)
-        confidence = :weak
       else
         return
       end
@@ -62,29 +59,6 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
     end
   end
 
-  def check_for_rce result
-    return unless version_between? "0.0.0", "3.2.22" or
-                  version_between? "4.0.0", "4.1.14" or
-                  version_between? "4.2.0", "4.2.5"
-
-
-    view = result[:call][2]
-    if sexp? view and not duplicate? result
-      if params? view
-        add_result result
-        return if safe_param? view
-
-        warn :result => result,
-          :warning_type => "Remote Code Execution",
-          :warning_code => :dynamic_render_path_rce,
-          :message => msg("Passing query parameters to ", msg_code("render"), " is vulnerable in ", msg_version(rails_version), " ", msg_cve("CVE-2016-0752")),
-          :user_input => view,
-          :confidence => :high,
-          :cwe_id => [22]
-      end
-    end
-  end
-
   def safe_param? exp
     if params? exp and call? exp
       method_name = exp.method

data/lib/brakeman/checks/check_render_rce.rb

@@ -0,0 +1,43 @@
+require 'brakeman/checks/check_render'
+
+class Brakeman::CheckRenderRCE < Brakeman::CheckRender
+  Brakeman::Checks.add self
+
+  @description = "Finds calls to render that might be vulnerable to CVE-2016-0752"
+
+  def run_check
+    tracker.find_call(:target => nil, :method => :render).each do |result|
+      process_render_result result
+    end
+  end
+
+  def process_render_result result
+    return unless node_type? result[:call], :render
+
+    case result[:call].render_type
+    when :partial, :template, :action, :file
+      check_for_rce(result)
+    end
+  end
+
+  def check_for_rce result
+    return unless version_between? "0.0.0", "3.2.22" or
+                  version_between? "4.0.0", "4.1.14" or
+                  version_between? "4.2.0", "4.2.5"
+
+    view = result[:call][2]
+    if sexp? view and not duplicate? result
+      if params? view and not safe_param? view
+        add_result result
+
+        warn :result => result,
+          :warning_type => "Remote Code Execution",
+          :warning_code => :dynamic_render_path_rce,
+          :message => msg("Passing query parameters to ", msg_code("render"), " is vulnerable in ", msg_version(rails_version), " ", msg_cve("CVE-2016-0752")),
+          :user_input => view,
+          :confidence => :high,
+          :cwe_id => [22]
+      end
+    end
+  end
+end

data/lib/brakeman/checks/check_session_settings.rb

@@ -120,7 +120,7 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
       begin
         secrets = YAML.safe_load yaml, aliases: true
       rescue Psych::SyntaxError, RuntimeError => e
-        Brakeman.notify "[Notice] #{self.class}: Unable to parse `#{secrets_file}`"
+        Brakeman.alert "#{self.class}: Unable to parse `#{secrets_file}`"
         Brakeman.debug "Failed to parse #{secrets_file}: #{e.inspect}"
         return
       end

data/lib/brakeman/checks.rb

@@ -121,37 +121,43 @@ class Brakeman::Checks
     parallel = tracker.options[:parallel_checks]
     error_mutex = Mutex.new
 
-    checks.each do |c|
-      check_name = get_check_name c
-      Brakeman.notify " - #{check_name}"
+    message = if parallel
+      "Running #{checks.length} checks in parallel"
+    else
+      "Running #{checks.length} checks"
+    end
 
-      if parallel
-        threads << Thread.new do
-          self.run_a_check(c, error_mutex, tracker)
+    Brakeman.process_step(message) do
+      checks.each do |c|
+        check_name = get_check_name c
+        Brakeman.debug " - #{check_name}"
+
+        if parallel
+          threads << Thread.new do
+            self.run_a_check(c, error_mutex, tracker)
+          end
+        else
+          results << self.run_a_check(c, error_mutex, tracker)
         end
-      else
-        results << self.run_a_check(c, error_mutex, tracker)
-      end
-
-      #Maintain list of which checks were run
-      #mainly for reporting purposes
-      check_runner.checks_run << check_name[5..-1]
-    end
 
-    threads.each { |t| t.join }
+        #Maintain list of which checks were run
+        #mainly for reporting purposes
+        check_runner.checks_run << check_name[5..-1]
+      end
 
-    Brakeman.notify "Checks finished, collecting results..."
+      threads.each { |t| t.join }
 
-    if parallel
-      threads.each do |thread|
-        thread.value.each do |warning|
-          check_runner.add_warning warning
+      if parallel
+        threads.each do |thread|
+          thread.value.each do |warning|
+            check_runner.add_warning warning
+          end
         end
-      end
-    else
-      results.each do |warnings|
-        warnings.each do |warning|
-          check_runner.add_warning warning
+      else
+        results.each do |warnings|
+          warnings.each do |warning|
+            check_runner.add_warning warning
+          end
         end
       end
     end

data/lib/brakeman/commandline.rb

@@ -33,6 +33,8 @@ module Brakeman
         set_options options, default_app_path
         check_latest if options[:ensure_latest]
         run_report options
+
+        quit
       end
 
       # Check for the latest version.
@@ -54,11 +56,13 @@ module Brakeman
             f.puts JSON.pretty_generate(vulns)
           end
 
-          Brakeman.notify "Comparison saved in '#{options[:comparison_output_file]}'"
+          Brakeman.announce "Comparison saved in '#{options[:comparison_output_file]}'"
         else
           puts JSON.pretty_generate(vulns)
         end
 
+        Brakeman.cleanup(false)
+
         if options[:exit_on_warn] && vulns[:new].count > 0
           quit Brakeman::Warnings_Found_Exit_Code
         end
@@ -117,6 +121,7 @@ module Brakeman
       # Override this method for different behavior.
       def quit exit_code = 0, message = nil
         warn message if message
+        Brakeman.cleanup
         exit exit_code
       end
 
@@ -186,6 +191,8 @@ module Brakeman
             warn caller
           end
 
+          Brakeman.cleanup
+
           exit!
         end
       end

data/lib/brakeman/file_parser.rb

@@ -13,9 +13,9 @@ module Brakeman
       if @use_prism
         begin
           require 'prism'
-          Brakeman.debug '[Notice] Using Prism parser'
+          Brakeman.debug 'Using Prism parser'
         rescue LoadError => e
-          Brakeman.debug "[Notice] Asked to use Prism, but failed to load: #{e}"
+          Brakeman.debug "Asked to use Prism, but failed to load: #{e}"
           @use_prism = false
         end
       end
@@ -46,6 +46,7 @@ module Brakeman
       #
       # Note this method no longer uses read_files
       @file_list, new_errors = Parallel.map(list, parallel_options) do |file_name|
+        Brakeman.logger.spin
         file_path = @app_tree.file_path(file_name)
         contents = file_path.read
 

data/lib/brakeman/logger.rb

@@ -0,0 +1,264 @@
+module Brakeman
+  module Logger
+    def self.get_logger options, dest = $stderr
+      case
+      when options[:debug]
+        Debug.new(options, dest)
+      when options[:quiet]
+        Quiet.new(options, dest)
+      when options[:report_progress] == false
+        Plain.new(options, dest)
+      when dest.tty?
+        Console.new(options, dest)
+      else
+        Plain.new(options, dest)
+      end
+    end
+
+    class Base
+      def initialize(options, log_destination = $stderr)
+        @dest = log_destination
+        @show_timing = options[:debug] || options[:show_timing]
+      end
+
+      # Output a message to the log.
+      # If newline is `false`, does not output a newline after message.
+      def log(message, newline: true)
+        if newline
+          @dest.puts message
+        else
+          @dest.write message
+        end
+      end
+
+      # Notify about important information - use sparingly
+      def announce(message); end
+
+      # Notify regarding errors - use sparingly
+      def alert(message); end
+
+      # Output debug information
+      def debug(message); end
+
+      # Wraps a step in the scanning process
+      def context(description, &)
+        yield self
+      end
+
+      # Wraps a substep (e.g. processing one file)
+      def single_context(description, &)
+        yield
+      end
+
+      # Update progress towards a known total
+      def update_progress(current, total, type = 'files'); end
+
+      # Show a spinner
+      def spin; end
+
+      # Called on exit
+      def cleanup(newline); end
+
+      def show_timing? = @show_timing
+
+      # Use ANSI codes to color a string
+      def color(message, *)
+        if @highline
+          @highline.color(message, *)
+        else
+          message
+        end
+      end
+
+      def color?
+        @highline and @highline.use_color?
+      end
+
+      private
+
+      def load_highline(output_color)
+        if @dest.tty? or output_color == :force
+          Brakeman.load_brakeman_dependency 'highline'
+          @highline = HighLine.new
+          @highline.use_color = !!output_color
+        else
+          @highline = nil
+        end
+      end
+    end
+
+    class Plain < Base
+      def initialize(options, *)
+        super
+
+        load_highline(options[:output_color])
+      end
+
+      def announce(message)
+        log color(message, :bold, :green)
+      end
+
+      def alert(message)
+        log color(message, :red)
+      end
+
+      def context(description, &)
+        log "#{color(description, :green)}..."
+
+        if show_timing?
+          time_step(description, &)
+        else
+          yield
+        end
+      end
+
+      def time_step(description, &)
+        start_t = Time.now
+        yield
+        duration = Time.now - start_t
+
+        log color(("Completed #{description.to_s.downcase} in %0.2fs" % duration), :gray)
+      end
+    end
+
+    class Quiet < Base
+      def initialize(*)
+        super
+      end
+    end
+
+    class Debug < Plain
+      def debug(message)
+        log color(message, :gray)
+      end
+
+      def context(description, &)
+        log "#{description}..."
+
+        time_step(description, &)
+      end
+
+      def single_context(description, &)
+        debug "Processing #{description}"
+
+        if show_timing?
+          # Even in debug, only show timing for each file if asked
+          time_step(description, &)
+        else
+          yield
+        end
+      end
+    end
+
+    class Console < Base
+      attr_reader :prefix
+
+      def initialize(options, *)
+        super
+
+        load_highline(options[:output_color])
+        require 'reline'
+        require 'reline/io/ansi'
+
+        @prefix = ''
+        @post_fix_pos = 0
+        @reline = Reline::ANSI.new
+        @report_progress = options[:report_progress]
+        @spinner = ["⣀", "⣄", "⣤", "⣦", "⣶", "⣷", "⣿"]
+        @percenter = ["⣀", "⣤", "⣶", "⣿"]
+        @spindex = 0
+        @last_spin = Time.now
+        @reline.hide_cursor
+      end
+
+      def announce message
+        clear_line
+        log color(message, :bold, :green)
+        rewrite_prefix
+      end
+
+      def alert message
+        clear_line
+        log color(message, :red)
+        rewrite_prefix
+      end
+
+      def context(description, &)
+        write_prefix description
+
+        time_step(description, &)
+      ensure
+        clear_prefix
+      end
+
+      def time_step(description, &)
+        if show_timing?
+          start_t = Time.now
+          yield
+          duration = Time.now - start_t
+
+          write_after color(('%0.2fs' % duration), :gray)
+          log ''
+        else
+          yield
+        end
+      end
+
+      def update_progress current, total, type = 'files'
+        percent = ((current / total.to_f) * 100).to_i
+        tenths = [(percent / 10), 0].max
+
+        lead = color(@percenter[percent % 10 / 3], :bold, :red)
+        done_blocks = color("⣿" * tenths, :red)
+        remaining = color("⣀" * (9 - tenths), :gray)
+        write_after "#{done_blocks}#{lead}#{remaining}"
+      end
+
+      def write_prefix pref
+        set_prefix pref
+        rewrite_prefix
+      end
+
+      # If an alert was written, redo prefix on next line
+      def rewrite_prefix
+        log(@prefix, newline: false)
+        @reline.erase_after_cursor
+      end
+
+      def write_after message
+        @reline.move_cursor_column(@post_fix_pos)
+        log(message, newline: false)
+        @reline.erase_after_cursor
+      end
+
+      def set_prefix message
+        @prefix = "#{color('»', :bold, :cyan)} #{color(message, :green)}"
+        @post_fix_pos = HighLine::Wrapper.actual_length(@prefix) + 1
+      end
+
+      def clear_prefix
+        @prefix = ''
+        @post_fix_pos = 0
+        clear_line
+      end
+
+      def clear_line
+        @reline.move_cursor_column(0)
+        @reline.erase_after_cursor
+      end
+
+      def spin
+        return unless (Time.now - @last_spin) > 0.2
+
+        write_after color(@spinner[@spindex], :bold, :red)
+        @spindex = (@spindex + 1) % @spinner.length
+        @last_spin = Time.now
+      end
+
+      def cleanup(newline = true)
+        @reline.show_cursor
+        log('') if newline
+      end
+    end
+  end
+end

data/lib/brakeman/options.rb

@@ -131,7 +131,6 @@ module Brakeman::Options
 
         opts.on "--faster", "Faster, but less accurate scan" do
           options[:ignore_ifs] = true
-          options[:skip_libs] = true
           options[:disable_constant_tracking] = true
         end
 
@@ -143,10 +142,6 @@ module Brakeman::Options
           options[:ignore_attr_protected] = true
         end
 
-        opts.on "--[no-]index-libs", "Add libraries to call index (Default)" do |index|
-          options[:index_libs] = index
-        end
-
         opts.on "--interprocedural", "Process method calls to known methods" do
           options[:interprocedural] = true
         end
@@ -212,10 +207,6 @@ module Brakeman::Options
           options[:skip_vendor] = skip
         end
 
-        opts.on "--skip-libs", "Skip processing lib directory" do
-          options[:skip_libs] = true
-        end
-
         opts.on "--add-libs-path path1,path2,etc", Array, "An application relative lib directory (ex. app/mailers) to process" do |paths|
           options[:additional_libs_path] ||= Set.new
           options[:additional_libs_path].merge paths

data/lib/brakeman/parsers/rails_erubi.rb

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+# Copied almost verbatim from Rails
+# https://github.com/rails/rails/blob/5359cf8a5b093b04170e884ee8da5a1e076b8a0d/actionview/lib/action_view/template/handlers/erb/erubi.rb#L9
+
+Brakeman.load_brakeman_dependency "erubi"
+
+module Brakeman
+  class Erubi < ::Erubi::Engine
+    # :nodoc: all
+    def initialize(input, properties = {})
+      @newline_pending = 0
+
+      # Dup properties so that we don't modify argument
+      properties = Hash[properties]
+
+      properties[:bufvar]     ||= "@output_buffer"
+      properties[:preamble]   ||= ""
+      properties[:postamble]  ||= "#{properties[:bufvar]}"
+
+      # Tell Erubi whether the template will be compiled with `frozen_string_literal: true`
+      # properties[:freeze_template_literals] = !Template.frozen_string_literal
+      properties[:freeze_template_literals] = false
+
+      properties[:escapefunc] = ""
+
+      super
+    end
+
+  private
+    def add_text(text)
+      return if text.empty?
+
+      if text == "\n"
+        @newline_pending += 1
+      else
+        with_buffer do
+          src << ".safe_append='"
+          src << "\n" * @newline_pending if @newline_pending > 0
+          src << text.gsub(/['\\]/, '\\\\\&') << @text_end
+        end
+        @newline_pending = 0
+      end
+    end
+
+    BLOCK_EXPR = /((\s|\))do|\{)(\s*\|[^|]*\|)?\s*\Z/
+
+    def add_expression(indicator, code)
+      flush_newline_if_pending(src)
+
+      with_buffer do
+        if (indicator == "==") || @escape
+          src << ".safe_expr_append="
+        else
+          src << ".append="
+        end
+
+        if BLOCK_EXPR.match?(code)
+          src << " " << code
+        else
+          src << "(" << code << ")"
+        end
+      end
+    end
+
+    def add_code(code)
+      flush_newline_if_pending(src)
+      super
+    end
+
+    def add_postamble(_)
+      flush_newline_if_pending(src)
+      super
+    end
+
+    def flush_newline_if_pending(src)
+      if @newline_pending > 0
+        with_buffer { src << ".safe_append='#{"\n" * @newline_pending}" << @text_end }
+        @newline_pending = 0
+      end
+    end
+  end
+end