RubyGems - brakeman-min - Versions diffs - 2.4.1 → 2.4.2 - Mend

brakeman-min 2.4.1 → 2.4.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

checksums.yaml +7 -0
data/CHANGES +9 -0
data/lib/brakeman/checks.rb +2 -2
data/lib/brakeman/checks/check_sanitize_methods.rb +3 -0
data/lib/brakeman/processors/alias_processor.rb +1 -1
data/lib/brakeman/processors/erb_template_processor.rb +1 -1
data/lib/brakeman/processors/haml_template_processor.rb +52 -5
data/lib/brakeman/processors/lib/find_all_calls.rb +10 -2
data/lib/brakeman/processors/lib/render_helper.rb +8 -0
data/lib/brakeman/processors/output_processor.rb +1 -1
data/lib/brakeman/processors/template_processor.rb +2 -2
data/lib/brakeman/scanner.rb +8 -8
data/lib/brakeman/version.rb +1 -1
data/lib/ruby_parser/bm_sexp_processor.rb +1 -1
metadata +65 -107
data.tar.gz.sig +0 -0
metadata.gz.sig +0 -2

checksums.yaml ADDED

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 73220a83ef34f7926ef4f7e67491fbd3303b9433
+  data.tar.gz: 4eee59d1bcb0987ff93e3a1be536e67a1a237fc7
+SHA512:
+  metadata.gz: 2d5c03a11006dec392f60d60c208d7ee96f8464ce270ea5c16700b7f809f17ac2c6f6570dc1056f19acc56600497e7ea302ecd53d6068341aa819e17bb55a86d
+  data.tar.gz: b8fd703779f241838ff928aa4f30158eaf966f5f313d976096deb13871abcb257b22b5f07df59bc32c17dbee6c86a51c99901098b33b916e8b964057f25b4244

data/CHANGES CHANGED

@@ -1,3 +1,12 @@
+# 2.4.2
+ * Remove `rescue Exception`
+ * Fix duplicate warnings about sanitize CVE
+ * Reuse duplicate call location information
+ * Only track original template output locations
+ * Skip identically rendered templates
+ * Fix HAML template processing
 # 2.4.1
  * Add check for CVE-2014-0082

data/lib/brakeman/checks.rb CHANGED

@@ -100,7 +100,7 @@ class Brakeman::Checks
         begin
           check.run_check
-        rescue Exception => e
+        rescue => e
           tracker.error e
         end
@@ -138,7 +138,7 @@ class Brakeman::Checks
           begin
             check.run_check
-          rescue Exception => e
+          rescue => e
             error_mutex.synchronize do
               tracker.error e
             end

data/lib/brakeman/checks/check_sanitize_methods.rb CHANGED

@@ -35,6 +35,9 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
   def check_for_cve method, code, link
     tracker.find_call(:target => false, :method => method).each do |result|
+      next if duplicate? result
+      add_result result
       message = "Rails #{tracker.config[:rails_version]} has a vulnerability in #{method}: upgrade to #{@fix_version} or patch"
       if include_user_input? result[:call]

data/lib/brakeman/processors/alias_processor.rb CHANGED

@@ -58,7 +58,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
           e
         end
       end
-    rescue Exception => err
+    rescue => err
       @tracker.error err if @tracker
     end

data/lib/brakeman/processors/erb_template_processor.rb CHANGED

@@ -20,7 +20,7 @@ class Brakeman::ErbTemplateProcessor < Brakeman::TemplateProcessor
         @inside_concat = false
         if exp.second_arg
-          raise Exception.new("Did not expect more than a single argument to _erbout.concat")
+          raise "Did not expect more than a single argument to _erbout.concat"
         end
         arg = exp.first_arg

data/lib/brakeman/processors/haml_template_processor.rb CHANGED

@@ -3,6 +3,7 @@ require 'brakeman/processors/template_processor'
 #Processes HAML templates.
 class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
   HAML_FORMAT_METHOD = /format_script_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)/
+  HAML_HELPERS = s(:colon2, s(:const, :Haml), :Helpers)
   #Processes call, looking for template output
   def process_call exp
@@ -29,7 +30,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
                 out = exp.first_arg = process(arg)
                 @inside_concat = false
               else
-                raise Exception.new("Empty _hamlout.#{method}()?")
+                raise "Empty _hamlout.#{method}()?"
               end
               if string? out
@@ -37,9 +38,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
               else
                 case method.to_s
                 when "push_text"
-                  s = Sexp.new(:output, out)
-                  @current_template[:outputs] << s
-                  s
+                  build_output_from_push_text(out)
                 when HAML_FORMAT_METHOD
                   if $4 == "true"
                     Sexp.new :format_escaped, out
@@ -47,7 +46,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
                     Sexp.new :format, out
                   end
                 else
-                  raise Exception.new("Unrecognized action on _hamlout: #{method}")
+                  raise "Unrecognized action on _hamlout: #{method}"
                 end
               end
@@ -117,4 +116,52 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     exp.target.value == :_hamlout and
     exp.method == :buffer
   end
+  #HAML likes to put interpolated values into _hamlout.push_text
+  #but we want to handle those individually
+  def build_output_from_push_text exp
+    if node_type? exp, :string_interp, :dstr
+      exp.map! do |e|
+        if sexp? e
+          if node_type? e, :string_eval, :evstr
+            e = e.value
+          end
+          get_pushed_value e
+        else
+          e
+        end
+      end
+    end
+  end
+  #Gets outputs from values interpolated into _hamlout.push_text
+  def get_pushed_value exp
+    return exp unless sexp? exp
+    case exp.node_type
+    when :format
+      exp.node_type = :output
+      @current_template[:outputs] << exp
+      exp
+    when :format_escaped
+      exp.node_type = :escaped_output
+      @current_template[:outputs] << exp
+      exp
+    when :str, :ignore, :output, :escaped_output
+      exp
+    when :block, :rlist, :string_interp, :dstr
+      exp.map! { |e| get_pushed_value e }
+    else
+      if call? exp and exp.target == HAML_HELPERS and exp.method == :html_escape
+        s = Sexp.new(:escaped_output, exp.first_arg)
+      else
+        s = Sexp.new(:output, exp)
+      end
+      s.line(exp.line)
+      @current_template[:outputs] << s
+      s
+    end
+  end
 end

data/lib/brakeman/processors/lib/find_all_calls.rb CHANGED

@@ -9,6 +9,7 @@ class Brakeman::FindAllCalls < Brakeman::BaseProcessor
     @current_method = nil
     @in_target = false
     @calls = []
+    @cache = {}
   end
   #Process the given source. Provide either class and method being searched
@@ -145,11 +146,18 @@ class Brakeman::FindAllCalls < Brakeman::BaseProcessor
   def make_location
     if @current_template
-      { :type => :template,
+      key = [@current_template, @current_file]
+      cached = @cache[key]
+      return cached if cached
+      @cache[key] = { :type => :template,
         :template => @current_template,
         :file => @current_file }
     else
-      { :type => :class,
+      key = [@current_class, @current_method, @current_file]
+      cached = @cache[key]
+      return cached if cached
+      @cache[key] = { :type => :class,
         :class => @current_class,
         :method => @current_method,
         :file => @current_file }

data/lib/brakeman/processors/lib/render_helper.rb CHANGED

@@ -129,6 +129,14 @@ module Brakeman::RenderHelper
       #TODO: Add in :locals => { ... } to environment
       src = Brakeman::TemplateAliasProcessor.new(@tracker, template, called_from).process_safely(template[:src], template_env)
+      digest = Digest::SHA1.new.update(name + src.to_s).to_s.to_sym
+      if @tracker.template_cache.include? digest
+        return
+      else
+        @tracker.template_cache << digest
+      end
       #Run alias-processed src through the template processor to pull out
       #information and outputs.
       #This information will be stored in tracker.templates, but with a name

data/lib/brakeman/processors/output_processor.rb CHANGED

@@ -18,7 +18,7 @@ class Brakeman::OutputProcessor < Ruby2Ruby
   def process exp
     begin
       super exp if sexp? exp and not exp.empty?
-    rescue Exception => e
+    rescue => e
       Brakeman.debug "While formatting #{exp}: #{e}\n#{e.backtrace.join("\n")}"
     end
   end

data/lib/brakeman/processors/template_processor.rb CHANGED

@@ -26,7 +26,7 @@ class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
   def process exp
     begin
       super
-    rescue Exception => e
+    rescue => e
       except = e.exception("Error when processing #{@current_template[:name]}: #{e.message}")
       except.set_backtrace(e.backtrace)
       raise except
@@ -48,7 +48,7 @@ class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
   #Adds output to the list of outputs.
   def process_output exp
     exp.value = process exp.value
-    @current_template[:outputs] << exp
+    @current_template[:outputs] << exp unless exp.original_line
     exp
   end

data/lib/brakeman/scanner.rb CHANGED

@@ -95,7 +95,7 @@ class Brakeman::Scanner
       @processor.process_config(parse_ruby(@app_tree.read(path)))
     end
-  rescue Exception => e
+  rescue => e
     Brakeman.notify "[Notice] Error while processing #{path}"
     tracker.error e.exception(e.message + "\nwhile processing #{path}"), e.backtrace
   end
@@ -111,7 +111,7 @@ class Brakeman::Scanner
         @processor.process_gems(parse_ruby(@app_tree.read("Gemfile")))
       end
     end
-  rescue Exception => e
+  rescue => e
     Brakeman.notify "[Notice] Error while processing Gemfile."
     tracker.error e.exception(e.message + "\nWhile processing Gemfile"), e.backtrace
   end
@@ -131,7 +131,7 @@ class Brakeman::Scanner
       @processor.process_initializer(path, parse_ruby(@app_tree.read_path(path)))
     rescue Racc::ParseError => e
       tracker.error e, "could not parse #{path}. There is probably a typo in the file. Test it with 'ruby_parse #{path}'"
-    rescue Exception => e
+    rescue => e
       tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
     end
   end
@@ -162,7 +162,7 @@ class Brakeman::Scanner
       @processor.process_lib parse_ruby(@app_tree.read_path(path)), path
     rescue Racc::ParseError => e
       tracker.error e, "could not parse #{path}. There is probably a typo in the file. Test it with 'ruby_parse #{path}'"
-    rescue Exception => e
+    rescue => e
       tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
     end
   end
@@ -174,7 +174,7 @@ class Brakeman::Scanner
     if @app_tree.exists?("config/routes.rb")
       begin
         @processor.process_routes parse_ruby(@app_tree.read("config/routes.rb"))
-      rescue Exception => e
+      rescue => e
         tracker.error e.exception(e.message + "\nWhile processing routes.rb"), e.backtrace
         Brakeman.notify "[Notice] Error while processing routes - assuming all public controller methods are actions."
         options[:assume_all_routes] = true
@@ -219,7 +219,7 @@ class Brakeman::Scanner
       @processor.process_controller(parse_ruby(@app_tree.read_path(path)), path)
     rescue Racc::ParseError => e
       tracker.error e, "could not parse #{path}. There is probably a typo in the file. Test it with 'ruby_parse #{path}'"
-    rescue Exception => e
+    rescue => e
       tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
     end
   end
@@ -305,7 +305,7 @@ class Brakeman::Scanner
       tracker.error e, "could not parse #{path}"
     rescue Haml::Error => e
       tracker.error e, ["While compiling HAML in #{path}"] << e.backtrace
-    rescue Exception => e
+    rescue StandardError, LoadError => e
       tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
     end
   end
@@ -339,7 +339,7 @@ class Brakeman::Scanner
       @processor.process_model(parse_ruby(@app_tree.read_path(path)), path)
     rescue Racc::ParseError => e
       tracker.error e, "could not parse #{path}"
-    rescue Exception => e
+    rescue => e
       tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
     end
   end

data/lib/brakeman/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "2.4.1"
+  Version = "2.4.2"
 end

data/lib/ruby_parser/bm_sexp_processor.rb CHANGED

@@ -88,7 +88,7 @@ class Brakeman::SexpProcessor
   def error_handler(type, exp=nil) # :nodoc:
     begin
       return yield
-    rescue StandardError => err
+    rescue => err
       warn "#{err.class} Exception thrown while processing #{type} for sexp #{exp.inspect} #{caller.inspect}" if $DEBUG
       raise
     end

metadata CHANGED

@@ -1,107 +1,77 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification
 name: brakeman-min
-version: !ruby/object:Gem::Version
-  hash: 29
-  prerelease:
-  segments:
-  - 2
-  - 4
-  - 1
-  version: 2.4.1
+version: !ruby/object:Gem::Version
+  version: 2.4.2
 platform: ruby
-authors:
+authors:
 - Justin Collins
 autorequire:
 bindir: bin
-cert_chain:
-- |
-  -----BEGIN CERTIFICATE-----
-  MIIDLjCCAhagAwIBAgIBADANBgkqhkiG9w0BAQUFADA9MQwwCgYDVQQDDANnZW0x
-  GDAWBgoJkiaJk/IsZAEZFghicmFrZW1hbjETMBEGCgmSJomT8ixkARkWA29yZzAe
-  Fw0xMzEyMTIwMDMxNTdaFw0xNDEyMTIwMDMxNTdaMD0xDDAKBgNVBAMMA2dlbTEY
-  MBYGCgmSJomT8ixkARkWCGJyYWtlbWFuMRMwEQYKCZImiZPyLGQBGRYDb3JnMIIB
-  IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxCHmXCaAcZ4bVjijKoyQFx4N
-  dyN7B7bqY8wOXy6f/UZ6mdC8IRAj82KaWQjNE2LT/ObFUWpCRyLdrwjkDjdFDyOT
-  mZCZkiOeEy2ZxYGfxXMI/xg24c8r5Xmh16ErsYuprRcg+/KZ6s4UjseBNTARmBK4
-  IHcqIdnoWbYa3BWHoflJPaJUIaU+/yTclzFQHpswU7ka8ftIAWeoDQo22gasP/4N
-  HtJvAIyg1DcWPLcn0qbZmdehg8HZv8C+2MuLKX/2qZG9eseegMqMlHHabwwEy9Vv
-  f/t/+ltLjC0CRa2TqZ2EuQ5EEzbOsqAftaZJFmwv9Ut1UhjmdvR5RfN6dWMQ5QID
-  AQABozkwNzALBgNVHQ8EBAMCBLAwHQYDVR0OBBYEFPyEKeRy09i8qSr+9KFbeTqw
-  kMCSMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQEFBQADggEBALEk8/Wnl2VAqchxWlbg
-  RN0MkVUWMf8L0xxUiVKo5QeL4NBViALMBrU6IS4y6zyn+FoULAMEawUjZlZf4Hcg
-  S9unev3p+RTWUyksAnA27wHZs/NRIkW34s1ZI5NNE/xyu4ULOQjfh1wOjlWzyHu9
-  0t41/CtpgNPM2uAjG3RIqlp7QKXlby50cQqWJQCgTH3JNjMhmROEhTsI6COoApvd
-  Ce7Br39yjeoarvekq0wCXBYakUBw/DdZCG7mFZ6xgh01eqnZUsNd8vM+6V6v23Vu
-  jk2tMjFT4L1dA3MEsz3+MP144PDhPCh7tPe6yy81BOvyYTVkKzrAkgKwHD1CuvsH
-  bdw=
-  -----END CERTIFICATE-----
-date: 2014-02-19 00:00:00 Z
-dependencies:
-- !ruby/object:Gem::Dependency
+cert_chain:
+- brakeman-public_cert.pem
+date: 2014-03-21 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
   name: ruby_parser
-  prerelease: false
-  requirement: &id001 !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        hash: 23
-        segments:
-        - 3
-        - 4
-        - 0
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
         version: 3.4.0
   type: :runtime
-  version_requirements: *id001
-- !ruby/object:Gem::Dependency
-  name: ruby2ruby
   prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        hash: 5
-        segments:
-        - 2
-        - 0
-        - 5
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.4.0
+- !ruby/object:Gem::Dependency
+  name: ruby2ruby
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
         version: 2.0.5
   type: :runtime
-  version_requirements: *id002
-- !ruby/object:Gem::Dependency
-  name: multi_json
   prerelease: false
-  requirement: &id003 !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        hash: 11
-        segments:
-        - 1
-        - 2
-        version: "1.2"
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.0.5
+- !ruby/object:Gem::Dependency
+  name: multi_json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
   type: :runtime
-  version_requirements: *id003
-description: Brakeman detects security vulnerabilities in Ruby on Rails applications via static analysis. This version of the gem only requires the minimum number of dependencies. Use the 'brakeman' gem for a full install.
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+description: Brakeman detects security vulnerabilities in Ruby on Rails applications
+  via static analysis. This version of the gem only requires the minimum number of
+  dependencies. Use the 'brakeman' gem for a full install.
 email: gem@brakeman.org
-executables:
+executables:
 - brakeman
 extensions: []
 extra_rdoc_files: []
-files:
-- bin/brakeman
+files:
 - CHANGES
-- WARNING_TYPES
 - FEATURES
 - README.md
+- WARNING_TYPES
+- bin/brakeman
+- lib/brakeman.rb
 - lib/brakeman/app_tree.rb
 - lib/brakeman/brakeman.rake
 - lib/brakeman/call_index.rb
+- lib/brakeman/checks.rb
 - lib/brakeman/checks/base_check.rb
 - lib/brakeman/checks/check_basic_auth.rb
 - lib/brakeman/checks/check_content_tag.rb
@@ -153,7 +123,6 @@ files:
 - lib/brakeman/checks/check_validation_regex.rb
 - lib/brakeman/checks/check_without_protection.rb
 - lib/brakeman/checks/check_yaml_parsing.rb
-- lib/brakeman/checks.rb
 - lib/brakeman/differ.rb
 - lib/brakeman/format/style.css
 - lib/brakeman/options.rb
@@ -187,6 +156,7 @@ files:
 - lib/brakeman/processors/slim_template_processor.rb
 - lib/brakeman/processors/template_alias_processor.rb
 - lib/brakeman/processors/template_processor.rb
+- lib/brakeman/report.rb
 - lib/brakeman/report/ignore/config.rb
 - lib/brakeman/report/ignore/interactive.rb
 - lib/brakeman/report/initializers/faster_csv.rb
@@ -210,7 +180,6 @@ files:
 - lib/brakeman/report/templates/template_overview.html.erb
 - lib/brakeman/report/templates/view_warnings.html.erb
 - lib/brakeman/report/templates/warning_overview.html.erb
-- lib/brakeman/report.rb
 - lib/brakeman/rescanner.rb
 - lib/brakeman/scanner.rb
 - lib/brakeman/tracker.rb
@@ -218,41 +187,30 @@ files:
 - lib/brakeman/version.rb
 - lib/brakeman/warning.rb
 - lib/brakeman/warning_codes.rb
-- lib/brakeman.rb
 - lib/ruby_parser/bm_sexp.rb
 - lib/ruby_parser/bm_sexp_processor.rb
 homepage: http://brakemanscanner.org
-licenses:
+licenses:
 - MIT
+metadata: {}
 post_install_message:
 rdoc_options: []
-require_paths:
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
-  requirements:
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
   - - ">="
-    - !ruby/object:Gem::Version
-      hash: 3
-      segments:
-      - 0
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
-  requirements:
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
   - - ">="
-    - !ruby/object:Gem::Version
-      hash: 3
-      segments:
-      - 0
-      version: "0"
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 1.8.15
+rubygems_version: 2.2.2
 signing_key:
-specification_version: 3
+specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.
 test_files: []

data.tar.gz.sig DELETED

Binary file

metadata.gz.sig DELETED

	@@ -1,2 +0,0 @@
1	- @3+2�4�e��v�=K�Ip��$�(�k�=L��rI�H �� Ȏ&:�,?��i�%��PJ
2	- <:/S��/߸��P�F�