brakeman-min 2.4.3 → 2.5.0

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    OTcwMjUwMDYwZjJjMmZhZTY4YjBmM2ZjZjBkMmYyZWVmZmFmYTlmZQ==
+  data.tar.gz: !binary |-
+    N2M5MTJlYmMwMjViN2RlMWUxODYwODZlNDBmY2NmMzFhYjNhZTkxOA==
+SHA512:
+  metadata.gz: !binary |-
+    OWRiNDM3ZmYzNWExNGJmZWUyNmE0MDRiODA5YzkxMjgzNWRlMDBlNjBiZTky
+    OTQ1MTZhNmU0YjQ0MjcyZDRkNzY1NzJjNDZkYmM3NjE1NzY2YTZlY2NkZjQx
+    NDFmOTAxYjJhYjI1NDBlMmE3NjkzNTIwZDYwNWEzYzRkNjQ5YjA=
+  data.tar.gz: !binary |-
+    YzU0ZDU0YmZkNDM4MjhiYzZkMTMzNmNjNzVkY2U1NTg4MTJiODY1ODZiMTc1
+    YmJjYjY0OTVkZTVmZDhlYmI1YWE4ZDYyZTViMTgxYTEzMjZmNTQzZjFlZGFm
+    ZmFhOTc5NGQzZWQ4M2QxYzc5ZTA1YjAxMDQwNjg0MjA4Mjk1OTQ=

checksums.yaml.gz.sig

@@ -0,0 +1,3 @@
+�k�uEQ�M\of7i<���C$����B��ڿ/�����cG=����x���^R? �8��b$"�Is�L����yT�Q��Otl�N4SI�R`
�����
++������r�pF��}Is*MP�p0��'�j�~��h�9�F9�w1��b:�F�����g�eFr�Ќ�`��@���p�x({��Dw���
+(�{�iƐ������]*{���q���J�U��

data/CHANGES

@@ -1,3 +1,18 @@
+# 2.5.0
+
+ * Add support for RailsLTS 2.3.18.7 and 2.3.18.8
+ * Add support for Rails 4 `before_actions` and friends
+ * Move SQLi CVE checks to `CheckSQLCVEs`
+ * Check for protected_attributes gem
+ * Fix SQLi detection in chain calls in scopes
+ * Add GitHub-flavored Markdown output format (Greg Ose)
+ * Fix false positives when sanitize() is used in SQL (Jeff Yip)
+ * Add String#intern and Hash#symbolize_keys DoS check (Jan Rusnacko)
+ * Check all arguments in Model.select for SQLi
+ * Fix false positive when :host is specified in redirect
+ * Handle more non-literals in routes
+ * Add check for regex denial of service (Ben Toews) 
+
 # 2.4.3
 
  No changes. 2.4.2 gem release was unsigned, 2.4.3 is signed.

data/lib/brakeman.rb

@@ -24,6 +24,7 @@ module Brakeman
   #  * :config_file - configuration file
   #  * :escape_html - escape HTML by default (automatic)
   #  * :exit_on_warn - return false if warnings found, true otherwise. Not recommended for library use (default: false)
+  #  * :github_repo - github repo to use for file links (user/repo[/path][@ref])
   #  * :highlight_user_input - highlight user input in reported warnings (default: true)
   #  * :html_style - path to CSS file
   #  * :ignore_model_output - consider models safe (default: false)
@@ -77,6 +78,7 @@ module Brakeman
 
     options[:app_path] = File.expand_path(options[:app_path])
     options[:output_formats] = get_output_formats options
+    options[:github_url] = get_github_url options
 
     options
   end
@@ -166,6 +168,8 @@ module Brakeman
       [:to_tabs]
     when :json, :to_json
       [:to_json]
+    when :markdown, :to_markdown
+      [:to_markdown]
     else
       [:to_s]
     end
@@ -185,6 +189,8 @@ module Brakeman
         :to_tabs
       when /\.json$/i
         :to_json
+      when /\.md$/i
+        :to_markdown
       else
         :to_s
       end
@@ -192,6 +198,22 @@ module Brakeman
   end
   private_class_method :get_formats_from_output_files
 
+  def self.get_github_url options
+    if github_repo = options[:github_repo]
+      full_repo, ref = github_repo.split '@', 2
+      name, repo, path = full_repo.split '/', 3
+      unless name && repo && !(name.empty? || repo.empty?)
+        raise ArgumentError, "Invalid GitHub repository format"
+      end
+      path.chomp '/' if path
+      ref ||= 'master'
+      ['https://github.com', name, repo, 'blob', ref, path].compact.join '/'
+    else
+      nil
+    end
+  end
+  private_class_method :get_github_url
+
   #Output list of checks (for `-k` option)
   def self.list_checks
     require 'brakeman/scanner'

data/lib/brakeman/checks/base_check.rb

@@ -177,7 +177,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       tracker.config[:rails][:active_record][:whitelist_attributes] == Sexp.new(:true)
 
       @mass_assign_disabled = true
-    elsif version_between?("4.0.0", "4.9.9")
+    elsif version_between?("4.0.0", "4.9.9") and not tracker.config[:gems][:protected_attributes]
       #May need to revisit dependng on what Rails 4 actually does/has
       @mass_assign_disabled = true
     else

data/lib/brakeman/checks/check_number_to_currency.rb

@@ -10,6 +10,8 @@ class Brakeman::CheckNumberToCurrency < Brakeman::BaseCheck
       version_between? "3.0.0", "3.2.16" or
       version_between? "4.0.0", "4.0.2"
 
+      return if lts_version? "2.3.18.8"
+
       check_number_helper_usage
       generic_warning unless @found_any
     end

data/lib/brakeman/checks/check_redirect.rb

@@ -31,7 +31,11 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
 
     method = call.method
 
-    if method == :redirect_to and not only_path?(call) and res = include_user_input?(call)
+    if method == :redirect_to and
+        not only_path?(call) and
+        not explicit_host?(call) and
+        res = include_user_input?(call)
+
       add_result result
 
       if res.type == :immediate
@@ -109,6 +113,16 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
     false
   end
 
+  def explicit_host? call
+    arg = call.first_arg
+
+    if hash? arg and value = hash_access(arg, :host)
+      return !has_immediate_user_input?(value)
+    end
+
+    false
+  end
+
   #+url_for+ is only_path => true by default. This checks to see if it is
   #set to false for some reason.
   def check_url_for call

data/lib/brakeman/checks/check_regex_dos.rb

@@ -0,0 +1,69 @@
+require 'brakeman/checks/base_check'
+
+#This check looks for regexes that include user input.
+class Brakeman::CheckRegexDoS < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  ESCAPES = {
+    s(:const, :Regexp) => [
+      :escape,
+      :quote
+    ]
+  }
+
+  @description = "Searches regexes including user input"
+
+  #Process calls
+  def run_check
+    Brakeman.debug "Finding dynamic regexes"
+    calls = tracker.find_call :method => [:brakeman_regex_interp]
+
+    Brakeman.debug "Processing dynamic regexes"
+    calls.each do |call|
+      process_result call
+    end
+  end
+
+  #Warns if regex includes user input
+  def process_result result
+    return if duplicate? result
+    add_result result
+
+    call = result[:call]
+    components = call[1..-1]
+
+    components.any? do |component|
+      next unless sexp? component
+
+      if match = has_immediate_user_input?(component)
+        confidence = CONFIDENCE[:high]
+      elsif match = has_immediate_model?(component)
+        match = Match.new(:model, match)
+        confidence = CONFIDENCE[:med]
+      elsif match = include_user_input?(component)
+        confidence = CONFIDENCE[:low]
+      end
+
+      if match
+        message = "#{friendly_type_of(match).capitalize} used in regex"
+
+        warn :result => result,
+          :warning_type => "Denial of Service",
+          :warning_code => :regex_dos,
+          :message => message,
+          :confidence => confidence,
+          :user_input => match.match
+      end
+    end
+  end
+
+  def process_call(exp)
+    if escape_methods = ESCAPES[exp.target]
+      if escape_methods.include? exp.method
+        return exp
+      end
+    end
+
+    super
+  end
+end

data/lib/brakeman/checks/check_select_vulnerability.rb

@@ -9,7 +9,9 @@ class Brakeman::CheckSelectVulnerability < Brakeman::BaseCheck
 
   def run_check
 
-    if version_between? "3.0.0", "3.0.11"
+    if lts_version? "2.3.18.7"
+      return
+    elsif version_between? "3.0.0", "3.0.11"
       suggested_version = "3.0.12"
     elsif version_between? "3.1.0", "3.1.3"
       suggested_version = "3.1.4"

data/lib/brakeman/checks/check_skip_before_filter.rb

@@ -14,7 +14,7 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
 
   def run_check
     tracker.controllers.each do |name, controller|
-      filter_skips = (controller[:options][:skip_before_filter] || []) + (controller[:options][:skip_filter] || [])
+      filter_skips = controller[:options].values_at(:skip_before_filter, :skip_filter, :skip_before_action, :skip_action_callback).compact.flatten(1)
 
       filter_skips.each do |filter|
         process_skip_filter filter, controller

data/lib/brakeman/checks/check_sql.rb

@@ -46,13 +46,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     Brakeman.debug "Finding calls to named_scope or scope"
     calls.concat find_scope_calls
 
-    Brakeman.debug "Checking version of Rails for CVE issues"
-    check_rails_versions_against_cve_issues
-
     Brakeman.debug "Processing possible SQL calls"
     calls.each { |call| process_result call }
-
-    check_CVE_2014_0080
   end
 
   #Find calls to named_scope() or scope() in models
@@ -65,7 +60,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
         call = make_call(nil, :named_scope, args).line(args.line)
         scope_calls << scope_call_hash(call, name, :named_scope)
       end
-    elsif version_between?("3.1.0", "3.9.9")
+    elsif version_between?("3.1.0", "4.9.9")
       ar_scope_calls(:scope) do |name, args|
         second_arg = args[2]
         next unless sexp? second_arg
@@ -114,8 +109,12 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       find_calls.process_source(block, :class => model_name, :method => scope_name)
       find_calls.calls.each { |call| process_result(call) if @sql_targets.include?(call[:method]) }
     elsif block.node_type == :call
-      process_result :target => block.target, :method => block.method, :call => block,
-        :location => { :type => :class, :class => model_name, :method => scope_name }
+      while call? block
+        process_result :target => block.target, :method => block.method, :call => block,
+         :location => { :type => :class, :class => model_name, :method => scope_name }
+
+        block = block.target
+      end
     end
   end
 
@@ -179,13 +178,13 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
                         check_order_arguments call.arglist
                       when :joins
                         check_joins_arguments call.first_arg
-                      when :from, :select
+                      when :from
                         unsafe_sql? call.first_arg
                       when :lock
                         check_lock_arguments call.first_arg
                       when :pluck
                         unsafe_sql? call.first_arg
-                      when :update_all
+                      when :update_all, :select
                         check_update_all_arguments call.args
                       when *@connection_calls
                         check_by_sql_arguments call.first_arg
@@ -540,7 +539,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     :sanitize_sql, :sanitize_sql_array, :sanitize_sql_for_assignment,
     :sanitize_sql_for_conditions, :sanitize_sql_hash,
     :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
-    :to_sql]
+    :to_sql, :sanitize]
 
   def safe_value? exp
     return true unless sexp? exp
@@ -639,82 +638,4 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       active_record_models.include? klass
     end
   end
-
-  # TODO: Move all SQL CVE checks to separate class
-  def check_CVE_2014_0080
-    return unless version_between? "4.0.0", "4.0.2" and
-                  @tracker.config[:gems].include? :pg
-
-    warn :warning_type => 'SQL Injection',
-      :warning_code => :CVE_2014_0080,
-      :message => "Rails #{tracker.config[:rails_version]} contains a SQL injection vulnerability (CVE-2014-0080) with PostgreSQL. Upgrade to 4.0.3",
-      :confidence => CONFIDENCE[:high],
-      :file => gemfile_or_environment,
-      :link_path => "https://groups.google.com/d/msg/rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ"
-  end
-
-  def upgrade_version? versions
-    versions.each do |low, high, upgrade|
-      return upgrade if version_between? low, high
-    end
-
-    false
-  end
-
-  def check_rails_versions_against_cve_issues
-    issues = [
-      {
-        :cve => "CVE-2012-2660",
-        :versions => [%w[2.0.0 2.3.14 2.3.17], %w[3.0.0 3.0.12 3.0.13], %w[3.1.0 3.1.4 3.1.5], %w[3.2.0 3.2.3 3.2.4]],
-        :url => "https://groups.google.com/d/topic/rubyonrails-security/8SA-M3as7A8/discussion"
-      },
-      {
-        :cve => "CVE-2012-2661",
-        :versions => [%w[3.0.0 3.0.12 3.0.13], %w[3.1.0 3.1.4 3.1.5], %w[3.2.0 3.2.3 3.2.5]],
-        :url => "https://groups.google.com/d/topic/rubyonrails-security/dUaiOOGWL1k/discussion"
-      },
-      {
-        :cve => "CVE-2012-2695",
-        :versions => [%w[2.0.0 2.3.14 2.3.15], %w[3.0.0 3.0.13 3.0.14], %w[3.1.0 3.1.5 3.1.6], %w[3.2.0 3.2.5 3.2.6]],
-        :url => "https://groups.google.com/d/topic/rubyonrails-security/l4L0TEVAz1k/discussion"
-      },
-      {
-        :cve => "CVE-2012-5664",
-        :versions => [%w[2.0.0 2.3.14 2.3.15], %w[3.0.0 3.0.17 3.0.18], %w[3.1.0 3.1.8 3.1.9], %w[3.2.0 3.2.9 3.2.18]],
-        :url => "https://groups.google.com/d/topic/rubyonrails-security/DCNTNp_qjFM/discussion"
-      },
-      {
-        :cve => "CVE-2013-0155",
-        :versions => [%w[2.0.0 2.3.15 2.3.16], %w[3.0.0 3.0.18 3.0.19], %w[3.1.0 3.1.9 3.1.10], %w[3.2.0 3.2.10 3.2.11]],
-        :url => "https://groups.google.com/d/topic/rubyonrails-security/c7jT-EeN9eI/discussion"
-      },
-
-    ]
-
-    unless lts_version? '2.3.18.6'
-     issues << {
-        :cve => "CVE-2013-6417",
-        :versions => [%w[2.0.0 3.2.15 3.2.16], %w[4.0.0 4.0.1 4.0.2]],
-        :url => "https://groups.google.com/d/msg/ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ"
-      }
-    end
-
-    issues.each do |cve_issue|
-      cve_warning_for cve_issue[:versions], cve_issue[:cve], cve_issue[:url]
-    end
-  end
-
-  def cve_warning_for versions, cve, link
-    upgrade_version = upgrade_version? versions
-    return unless upgrade_version
-
-    code = cve.tr('-', '_').to_sym
-
-    warn :warning_type => 'SQL Injection',
-      :warning_code => code,
-      :message => "Rails #{tracker.config[:rails_version]} contains a SQL injection vulnerability (#{cve}). Upgrade to #{upgrade_version}",
-      :confidence => CONFIDENCE[:high],
-      :file => gemfile_or_environment,
-      :link_path => link
-  end
 end

data/lib/brakeman/checks/check_sql_cves.rb

@@ -0,0 +1,89 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckSQLCVEs < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for several SQL CVEs"
+
+  def run_check
+    check_rails_versions_against_cve_issues
+    check_cve_2014_0080
+  end
+
+  def check_rails_versions_against_cve_issues
+    issues = [
+      {
+        :cve => "CVE-2012-2660",
+        :versions => [%w[2.0.0 2.3.14 2.3.17], %w[3.0.0 3.0.12 3.0.13], %w[3.1.0 3.1.4 3.1.5], %w[3.2.0 3.2.3 3.2.4]],
+        :url => "https://groups.google.com/d/topic/rubyonrails-security/8SA-M3as7A8/discussion"
+      },
+      {
+        :cve => "CVE-2012-2661",
+        :versions => [%w[3.0.0 3.0.12 3.0.13], %w[3.1.0 3.1.4 3.1.5], %w[3.2.0 3.2.3 3.2.5]],
+        :url => "https://groups.google.com/d/topic/rubyonrails-security/dUaiOOGWL1k/discussion"
+      },
+      {
+        :cve => "CVE-2012-2695",
+        :versions => [%w[2.0.0 2.3.14 2.3.15], %w[3.0.0 3.0.13 3.0.14], %w[3.1.0 3.1.5 3.1.6], %w[3.2.0 3.2.5 3.2.6]],
+        :url => "https://groups.google.com/d/topic/rubyonrails-security/l4L0TEVAz1k/discussion"
+      },
+      {
+        :cve => "CVE-2012-5664",
+        :versions => [%w[2.0.0 2.3.14 2.3.15], %w[3.0.0 3.0.17 3.0.18], %w[3.1.0 3.1.8 3.1.9], %w[3.2.0 3.2.9 3.2.18]],
+        :url => "https://groups.google.com/d/topic/rubyonrails-security/DCNTNp_qjFM/discussion"
+      },
+      {
+        :cve => "CVE-2013-0155",
+        :versions => [%w[2.0.0 2.3.15 2.3.16], %w[3.0.0 3.0.18 3.0.19], %w[3.1.0 3.1.9 3.1.10], %w[3.2.0 3.2.10 3.2.11]],
+        :url => "https://groups.google.com/d/topic/rubyonrails-security/c7jT-EeN9eI/discussion"
+      },
+
+    ]
+
+    unless lts_version? '2.3.18.6'
+     issues << {
+        :cve => "CVE-2013-6417",
+        :versions => [%w[2.0.0 3.2.15 3.2.16], %w[4.0.0 4.0.1 4.0.2]],
+        :url => "https://groups.google.com/d/msg/ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ"
+      }
+    end
+
+    issues.each do |cve_issue|
+      cve_warning_for cve_issue[:versions], cve_issue[:cve], cve_issue[:url]
+    end
+  end
+
+  def cve_warning_for versions, cve, link
+    upgrade_version = upgrade_version? versions
+    return unless upgrade_version
+
+    code = cve.tr('-', '_').to_sym
+
+    warn :warning_type => 'SQL Injection',
+      :warning_code => code,
+      :message => "Rails #{tracker.config[:rails_version]} contains a SQL injection vulnerability (#{cve}). Upgrade to #{upgrade_version}",
+      :confidence => CONFIDENCE[:high],
+      :file => gemfile_or_environment,
+      :link_path => link
+  end
+
+  def upgrade_version? versions
+    versions.each do |low, high, upgrade|
+      return upgrade if version_between? low, high
+    end
+
+    false
+  end
+
+  def check_cve_2014_0080
+    return unless version_between? "4.0.0", "4.0.2" and
+                  @tracker.config[:gems].include? :pg
+
+    warn :warning_type => 'SQL Injection',
+      :warning_code => :CVE_2014_0080,
+      :message => "Rails #{tracker.config[:rails_version]} contains a SQL injection vulnerability (CVE-2014-0080) with PostgreSQL. Upgrade to 4.0.3",
+      :confidence => CONFIDENCE[:high],
+      :file => gemfile_or_environment,
+      :link_path => "https://groups.google.com/d/msg/rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ"
+  end
+end

data/lib/brakeman/checks/check_symbol_dos.rb

@@ -3,6 +3,8 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
+  UNSAFE_METHODS = [:to_sym, :literal_to_sym, :intern, :symbolize_keys, :symbolize_keys!]
+
   @description = "Checks for versions with ActiveRecord symbol denial of service, or code with a similar vulnerability"
 
   def run_check
@@ -26,7 +28,7 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
         :link => "https://groups.google.com/d/msg/rubyonrails-security/jgJ4cjjS8FE/BGbHRxnDRTIJ"
     end
 
-    tracker.find_call(:methods => [:to_sym, :literal_to_sym], :nested => true).each do |result|
+    tracker.find_call(:methods => UNSAFE_METHODS, :nested => true).each do |result|
       check_unsafe_symbol_creation(result)
     end
 
@@ -39,10 +41,10 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
 
     call = result[:call]
 
-    if result[:method] == :to_sym
-      args = [call.target]
-    else
+    if result[:method] == :literal_to_sym
       args = call.select { |e| sexp? e }
+    else
+      args = [call.target]
     end
 
     if input = args.map{ |arg| has_immediate_user_input?(arg) }.compact.first

data/lib/brakeman/options.rb

@@ -142,7 +142,7 @@ module Brakeman::Options
 
         opts.on "-f",
           "--format TYPE",
-          [:pdf, :text, :html, :csv, :tabs, :json],
+          [:pdf, :text, :html, :csv, :tabs, :json, :markdown],
           "Specify output formats. Default is text" do |type|
 
           type = "s" if type == :text
@@ -158,7 +158,7 @@ module Brakeman::Options
         end
 
         opts.on "-I", "--interactive-ignore", "Interactively ignore warnings" do
-          options[:interactive_ignore] = true 
+          options[:interactive_ignore] = true
         end
 
         opts.on "-l", "--[no-]combine-locations", "Combine warning locations (Default)" do |combine|
@@ -198,6 +198,10 @@ module Brakeman::Options
           options[:absolute_paths] = true
         end
 
+        opts.on "--github-repo USER/REPO[/PATH][@REF]", "Output links to GitHub in markdown and HTML reports using specified repo" do |repo|
+          options[:github_repo] = repo
+        end
+
         opts.on "-w",
           "--confidence-level LEVEL",
           ["1", "2", "3"],

data/lib/brakeman/processors/controller_processor.rb

@@ -116,9 +116,9 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
         case method
         when :include
           @controller[:includes] << class_name(first_arg) if @controller
-        when :before_filter, :append_before_filter
+        when :before_filter, :append_before_filter, :before_action, :append_before_action
           @controller[:options][:before_filters] << exp.args
-        when :prepend_before_filter
+        when :prepend_before_filter, :prepend_before_action
           @controller[:options][:before_filters].unshift exp.args
         when :layout
           if string? last_arg
@@ -196,7 +196,8 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
 
   #Look for before_filters and add fake ones if necessary
   def process_iter exp
-    if exp.block_call.method == :before_filter
+    block_call_name = exp.block_call.method
+    if block_call_name == :before_filter  or block_call_name == :before_action
       add_fake_filter exp
     else
       super

data/lib/brakeman/processors/lib/find_all_calls.rb

@@ -106,6 +106,19 @@ class Brakeman::FindAllCalls < Brakeman::BaseProcessor
     exp
   end
 
+  # Process a dynamic regex like a call
+  def process_dregx exp
+    exp.each { |arg| process arg if sexp? arg }
+
+    @calls << { :target => nil,
+                :method => :brakeman_regex_interp,
+                :call => exp,
+                :nested => false,
+                :location => make_location }
+
+    exp
+  end
+
   #Process an assignment like a call
   def process_attrasgn exp
     process_call exp

data/lib/brakeman/processors/lib/rails3_route_processor.rb

@@ -58,7 +58,10 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
   end
 
   def process_namespace exp
-    name = exp.block_call.first_arg.value
+    arg = exp.block_call.first_arg
+    return exp unless symbol? arg or string? arg 
+
+    name = arg.value
     block = exp.block
 
     @prefix << camelize(name)
@@ -197,6 +200,8 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
     first_arg = exp.first_arg
     second_arg = exp.second_arg
 
+    return exp unless symbol? first_arg or string? first_arg
+
     if second_arg and second_arg.node_type == :hash
       self.current_controller = first_arg.value
       #handle hash

data/lib/brakeman/processors/output_processor.rb

@@ -1,3 +1,10 @@
+#Temporary fix for https://github.com/seattlerb/ruby_parser/issues/154
+class Regexp
+  [:ENC_NONE, :ENC_EUC, :ENC_SJIS, :ENC_UTF8].each do |enc|
+    remove_const enc if const_defined? enc
+  end
+end
+
 require 'ruby2ruby'
 require 'brakeman/util'
 

data/lib/brakeman/report.rb

@@ -6,7 +6,7 @@ require 'brakeman/report/report_base'
 class Brakeman::Report
   attr_reader :tracker
 
-  VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s]
+  VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown]
 
   def initialize app_tree, tracker
     @app_tree = app_tree
@@ -29,6 +29,8 @@ class Brakeman::Report
     when :to_hash
       require_report 'hash'
       Brakeman::Report::Hash
+    when :to_markdown
+      return self.to_markdown
     when :to_s
       return self.to_s
     when :to_pdf
@@ -62,6 +64,11 @@ class Brakeman::Report
     generate Brakeman::Report::Table
   end
 
+  def to_markdown
+    require_report 'markdown'
+    generate Brakeman::Report::Markdown
+  end
+
   def generate reporter
     reporter.new(@app_tree, @tracker).generate_report
   end

data/lib/brakeman/report/report_html.rb

@@ -139,7 +139,7 @@ class Brakeman::Report::HTML < Brakeman::Report::Base
       message
     end <<
     "<table id='#{code_id}' class='context' style='display:none'>" <<
-    "<caption>#{warning_file(warning) || ''}</caption>"
+    "<caption>#{CGI.escapeHTML warning_file(warning) || ''}</caption>"
 
     unless context.empty?
       if warning.line - 1 == 1 or warning.line + 1 == 1
@@ -193,6 +193,11 @@ class Brakeman::Report::HTML < Brakeman::Report::Base
   def html_message warning, message
     message = CGI.escapeHTML(message)
 
+    if warning.file
+      github_url = github_url warning.file, warning.line
+      message.gsub!(/(near line \d+)/, "<a href='#{URI.escape github_url, /'/}' target='_blank'>\\1</a>") if github_url
+    end
+
     if @highlight_user_input and warning.user_input
       user_input = CGI.escapeHTML(warning.format_user_input)
       message.gsub!(user_input, "<span class=\"user_input\">#{user_input}</span>")

data/lib/brakeman/report/report_markdown.rb

@@ -0,0 +1,158 @@
+Brakeman.load_brakeman_dependency 'terminal-table'
+
+class Brakeman::Report::Markdown < Brakeman::Report::Base
+
+  class MarkdownTable < Terminal::Table
+
+    def initialize options = {}, &block
+      options[:style] ||= {}
+      options[:style].merge!({
+          :border_x => '-',
+          :border_y => '|',
+          :border_i => '|'
+      })
+      super options, &block
+    end
+
+    def render
+      super.split("\n")[1...-1].join("\n")
+    end
+    alias :to_s :render
+
+  end
+
+  def generate_report
+    out = "# BRAKEMAN REPORT\n\n" <<
+    generate_metadata.to_s << "\n\n" <<
+    generate_checks.to_s << "\n\n" <<
+    "### SUMMARY\n\n" <<
+    generate_overview.to_s << "\n\n" <<
+    generate_warning_overview.to_s << "\n\n"
+
+    #Return output early if only summarizing
+    return out if tracker.options[:summary_only]
+
+    if tracker.options[:report_routes] or tracker.options[:debug]
+      out << "### CONTROLLERS"  << "\n\n" <<
+      generate_controllers.to_s << "\n\n"
+    end
+
+    if tracker.options[:debug]
+      out << "### TEMPLATES\n\n" <<
+      generate_templates.to_s << "\n\n"
+    end
+
+    res = generate_errors
+    out << "### Errors\n\n" << res.to_s << "\n\n" if res
+
+    res = generate_warnings
+    out << "### SECURITY WARNINGS\n\n" << res.to_s << "\n\n" if res
+
+    res = generate_controller_warnings
+    out << "### Controller Warnings:\n\n" << res.to_s << "\n\n" if res
+
+    res = generate_model_warnings
+    out << "### Model Warnings:\n\n" << res.to_s << "\n\n" if res
+
+    res = generate_template_warnings
+    out << "### View Warnings:\n\n" << res.to_s << "\n\n" if res
+
+    out
+  end
+
+  def generate_metadata
+    MarkdownTable.new(
+      :headings =>
+        ['Application path', 'Rails version', 'Brakeman version', 'Started at', 'Duration']
+    ) do |t|
+      t.add_row([
+        File.expand_path(tracker.options[:app_path]),
+        rails_version,
+        Brakeman::Version,
+        tracker.start_time,
+        "#{tracker.duration} seconds",
+      ])
+    end
+  end
+
+  def generate_checks
+    MarkdownTable.new(:headings => ['Checks performed']) do |t|
+      t.add_row([checks.checks_run.sort.join(", ")])
+    end
+  end
+
+  def generate_overview
+    num_warnings = all_warnings.length
+
+    MarkdownTable.new(:headings => ['Scanned/Reported', 'Total']) do |t|
+      t.add_row ['Controllers', tracker.controllers.length]
+      t.add_row ['Models', tracker.models.length - 1]
+      t.add_row ['Templates', number_of_templates(@tracker)]
+      t.add_row ['Errors', tracker.errors.length]
+      t.add_row ['Security Warnings', "#{num_warnings} (#{warnings_summary[:high_confidence]})"]
+      t.add_row ['Ignored Warnings', ignored_warnings.length] unless ignored_warnings.empty?
+    end
+  end
+
+  #Generate listings of templates and their output
+  def generate_templates
+    out_processor = Brakeman::OutputProcessor.new
+    template_rows = {}
+    tracker.templates.each do |name, template|
+      unless template[:outputs].empty?
+        template[:outputs].each do |out|
+          out = out_processor.format out
+          template_rows[name] ||= []
+          template_rows[name] << out.gsub("\n", ";").gsub(/\s+/, " ")
+        end
+      end
+    end
+
+    template_rows = template_rows.sort_by{|name, value| name.to_s}
+
+    output = ''
+    template_rows.each do |template|
+      output << template.first.to_s << "\n\n"
+      table = MarkdownTable.new(:headings => ['Output']) do |t|
+        # template[1] is an array of calls
+        template[1].each do |v|
+          t.add_row [v]
+        end
+      end
+
+      output << table.to_s << "\n\n"
+    end
+
+    output
+  end
+
+  def render_array template, headings, value_array, locals
+    return if value_array.empty?
+
+    MarkdownTable.new(:headings => headings) do |t|
+      value_array.each { |value_row| t.add_row value_row }
+    end
+  end
+
+  def convert_warning warning, original
+    warning["Confidence"] = TEXT_CONFIDENCE[warning["Confidence"]]
+    warning["Message"] = markdown_message original, warning["Message"]
+    warning["Warning Type"] = "[#{warning['Warning Type']}](#{original.link})" if original.link
+    warning
+  end
+
+  # Escape and code format warning message
+  def markdown_message warning, message
+    if warning.file
+      github_url = github_url warning.file, warning.line
+      message.gsub!(/(near line \d+)/, "[\\1](#{github_url})") if github_url
+    end
+    if warning.code
+      code = warning.format_code
+      message.gsub(code, "`#{code.gsub('`','``').gsub(/\A``|``\z/, '` `')}`")
+    else
+      message
+    end
+  end
+
+end

data/lib/brakeman/util.rb

@@ -383,6 +383,15 @@ module Brakeman::Util
     end
   end
 
+  def github_url file, line=nil
+    if repo_url = @tracker.options[:github_url] and file and not file.empty? and file.start_with? '/'
+      url = "#{repo_url}/#{relative_path(file)}"
+      url << "#L#{line}" if line
+    else
+      nil
+    end
+  end
+
   def truncate_table str
     @terminal_width ||= if @tracker.options[:table_width]
                           @tracker.options[:table_width]

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "2.4.3"
+  Version = "2.5.0"
 end

data/lib/brakeman/warning_codes.rb

@@ -76,6 +76,7 @@ module Brakeman::WarningCodes
     :CVE_2014_0081 => 73,
     :CVE_2014_0081_call => 74,
     :CVE_2014_0082 => 75,
+    :regex_dos => 76
   }
 
   def self.code name

metadata

@@ -1,107 +1,103 @@
---- !ruby/object:Gem::Specification 
+--- !ruby/object:Gem::Specification
 name: brakeman-min
-version: !ruby/object:Gem::Version 
-  hash: 25
-  prerelease: 
-  segments: 
-  - 2
-  - 4
-  - 3
-  version: 2.4.3
+version: !ruby/object:Gem::Version
+  version: 2.5.0
 platform: ruby
-authors: 
+authors:
 - Justin Collins
 autorequire: 
 bindir: bin
-cert_chain: 
-- |
-  -----BEGIN CERTIFICATE-----
-  MIIDLjCCAhagAwIBAgIBADANBgkqhkiG9w0BAQUFADA9MQwwCgYDVQQDDANnZW0x
-  GDAWBgoJkiaJk/IsZAEZFghicmFrZW1hbjETMBEGCgmSJomT8ixkARkWA29yZzAe
-  Fw0xMzEyMTIwMDMxNTdaFw0xNDEyMTIwMDMxNTdaMD0xDDAKBgNVBAMMA2dlbTEY
-  MBYGCgmSJomT8ixkARkWCGJyYWtlbWFuMRMwEQYKCZImiZPyLGQBGRYDb3JnMIIB
-  IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxCHmXCaAcZ4bVjijKoyQFx4N
-  dyN7B7bqY8wOXy6f/UZ6mdC8IRAj82KaWQjNE2LT/ObFUWpCRyLdrwjkDjdFDyOT
-  mZCZkiOeEy2ZxYGfxXMI/xg24c8r5Xmh16ErsYuprRcg+/KZ6s4UjseBNTARmBK4
-  IHcqIdnoWbYa3BWHoflJPaJUIaU+/yTclzFQHpswU7ka8ftIAWeoDQo22gasP/4N
-  HtJvAIyg1DcWPLcn0qbZmdehg8HZv8C+2MuLKX/2qZG9eseegMqMlHHabwwEy9Vv
-  f/t/+ltLjC0CRa2TqZ2EuQ5EEzbOsqAftaZJFmwv9Ut1UhjmdvR5RfN6dWMQ5QID
-  AQABozkwNzALBgNVHQ8EBAMCBLAwHQYDVR0OBBYEFPyEKeRy09i8qSr+9KFbeTqw
-  kMCSMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQEFBQADggEBALEk8/Wnl2VAqchxWlbg
-  RN0MkVUWMf8L0xxUiVKo5QeL4NBViALMBrU6IS4y6zyn+FoULAMEawUjZlZf4Hcg
-  S9unev3p+RTWUyksAnA27wHZs/NRIkW34s1ZI5NNE/xyu4ULOQjfh1wOjlWzyHu9
-  0t41/CtpgNPM2uAjG3RIqlp7QKXlby50cQqWJQCgTH3JNjMhmROEhTsI6COoApvd
-  Ce7Br39yjeoarvekq0wCXBYakUBw/DdZCG7mFZ6xgh01eqnZUsNd8vM+6V6v23Vu
-  jk2tMjFT4L1dA3MEsz3+MP144PDhPCh7tPe6yy81BOvyYTVkKzrAkgKwHD1CuvsH
-  bdw=
-  -----END CERTIFICATE-----
-
-date: 2014-03-23 00:00:00 Z
-dependencies: 
-- !ruby/object:Gem::Dependency 
+cert_chain:
+- !binary |-
+  LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURMakNDQWhhZ0F3SUJB
+  Z0lCQURBTkJna3Foa2lHOXcwQkFRVUZBREE5TVF3d0NnWURWUVFEREFOblpX
+  MHgKR0RBV0Jnb0praWFKay9Jc1pBRVpGZ2hpY21GclpXMWhiakVUTUJFR0Nn
+  bVNKb21UOGl4a0FSa1dBMjl5WnpBZQpGdzB4TXpFeU1USXdNRE14TlRkYUZ3
+  MHhOREV5TVRJd01ETXhOVGRhTUQweEREQUtCZ05WQkFNTUEyZGxiVEVZCk1C
+  WUdDZ21TSm9tVDhpeGtBUmtXQ0dKeVlXdGxiV0Z1TVJNd0VRWUtDWkltaVpQ
+  eUxHUUJHUllEYjNKbk1JSUIKSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4
+  QU1JSUJDZ0tDQVFFQXhDSG1YQ2FBY1o0YlZqaWpLb3lRRng0TgpkeU43Qjdi
+  cVk4d09YeTZmL1VaNm1kQzhJUkFqODJLYVdRak5FMkxUL09iRlVXcENSeUxk
+  cndqa0RqZEZEeU9UCm1aQ1praU9lRXkyWnhZR2Z4WE1JL3hnMjRjOHI1WG1o
+  MTZFcnNZdXByUmNnKy9LWjZzNFVqc2VCTlRBUm1CSzQKSUhjcUlkbm9XYllh
+  M0JXSG9mbEpQYUpVSWFVKy95VGNsekZRSHBzd1U3a2E4ZnRJQVdlb0RRbzIy
+  Z2FzUC80TgpIdEp2QUl5ZzFEY1dQTGNuMHFiWm1kZWhnOEhadjhDKzJNdUxL
+  WC8ycVpHOWVzZWVnTXFNbEhIYWJ3d0V5OVZ2CmYvdC8rbHRMakMwQ1JhMlRx
+  WjJFdVE1RUV6Yk9zcUFmdGFaSkZtd3Y5VXQxVWhqbWR2UjVSZk42ZFdNUTVR
+  SUQKQVFBQm96a3dOekFMQmdOVkhROEVCQU1DQkxBd0hRWURWUjBPQkJZRUZQ
+  eUVLZVJ5MDlpOHFTcis5S0ZiZVRxdwprTUNTTUFrR0ExVWRFd1FDTUFBd0RR
+  WUpLb1pJaHZjTkFRRUZCUUFEZ2dFQkFMRWs4L1dubDJWQXFjaHhXbGJnClJO
+  ME1rVlVXTWY4TDB4eFVpVktvNVFlTDROQlZpQUxNQnJVNklTNHk2enluK0Zv
+  VUxBTUVhd1VqWmxaZjRIY2cKUzl1bmV2M3ArUlRXVXlrc0FuQTI3d0hacy9O
+  UklrVzM0czFaSTVOTkUveHl1NFVMT1FqZmgxd09qbFd6eUh1OQowdDQxL0N0
+  cGdOUE0ydUFqRzNSSXFscDdRS1hsYnk1MGNRcVdKUUNnVEgzSk5qTWhtUk9F
+  aFRzSTZDT29BcHZkCkNlN0JyMzl5amVvYXJ2ZWtxMHdDWEJZYWtVQncvRGRa
+  Q0c3bUZaNnhnaDAxZXFuWlVzTmQ4dk0rNlY2djIzVnUKamsydE1qRlQ0TDFk
+  QTNNRXN6MytNUDE0NFBEaFBDaDd0UGU2eXk4MUJPdnlZVFZrS3pyQWtnS3dI
+  RDFDdXZzSApiZHc9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+date: 2014-04-30 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
   name: ruby_parser
-  prerelease: false
-  requirement: &id001 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 23
-        segments: 
-        - 3
-        - 4
-        - 0
+      - !ruby/object:Gem::Version
         version: 3.4.0
   type: :runtime
-  version_requirements: *id001
-- !ruby/object:Gem::Dependency 
-  name: ruby2ruby
   prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 3.4.0
+- !ruby/object:Gem::Dependency
+  name: ruby2ruby
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 5
-        segments: 
-        - 2
-        - 0
-        - 5
+      - !ruby/object:Gem::Version
         version: 2.0.5
   type: :runtime
-  version_requirements: *id002
-- !ruby/object:Gem::Dependency 
-  name: multi_json
   prerelease: false
-  requirement: &id003 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 11
-        segments: 
-        - 1
-        - 2
-        version: "1.2"
+      - !ruby/object:Gem::Version
+        version: 2.0.5
+- !ruby/object:Gem::Dependency
+  name: multi_json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.2'
   type: :runtime
-  version_requirements: *id003
-description: Brakeman detects security vulnerabilities in Ruby on Rails applications via static analysis. This version of the gem only requires the minimum number of dependencies. Use the 'brakeman' gem for a full install.
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.2'
+description: Brakeman detects security vulnerabilities in Ruby on Rails applications
+  via static analysis. This version of the gem only requires the minimum number of
+  dependencies. Use the 'brakeman' gem for a full install.
 email: gem@brakeman.org
-executables: 
+executables:
 - brakeman
 extensions: []
-
 extra_rdoc_files: []
-
-files: 
-- bin/brakeman
+files:
 - CHANGES
-- WARNING_TYPES
 - FEATURES
 - README.md
+- WARNING_TYPES
+- bin/brakeman
+- lib/brakeman.rb
 - lib/brakeman/app_tree.rb
 - lib/brakeman/brakeman.rake
 - lib/brakeman/call_index.rb
+- lib/brakeman/checks.rb
 - lib/brakeman/checks/base_check.rb
 - lib/brakeman/checks/check_basic_auth.rb
 - lib/brakeman/checks/check_content_tag.rb
@@ -131,6 +127,7 @@ files:
 - lib/brakeman/checks/check_number_to_currency.rb
 - lib/brakeman/checks/check_quote_table_name.rb
 - lib/brakeman/checks/check_redirect.rb
+- lib/brakeman/checks/check_regex_dos.rb
 - lib/brakeman/checks/check_render.rb
 - lib/brakeman/checks/check_render_dos.rb
 - lib/brakeman/checks/check_response_splitting.rb
@@ -145,6 +142,7 @@ files:
 - lib/brakeman/checks/check_single_quotes.rb
 - lib/brakeman/checks/check_skip_before_filter.rb
 - lib/brakeman/checks/check_sql.rb
+- lib/brakeman/checks/check_sql_cves.rb
 - lib/brakeman/checks/check_ssl_verify.rb
 - lib/brakeman/checks/check_strip_tags.rb
 - lib/brakeman/checks/check_symbol_dos.rb
@@ -153,7 +151,6 @@ files:
 - lib/brakeman/checks/check_validation_regex.rb
 - lib/brakeman/checks/check_without_protection.rb
 - lib/brakeman/checks/check_yaml_parsing.rb
-- lib/brakeman/checks.rb
 - lib/brakeman/differ.rb
 - lib/brakeman/format/style.css
 - lib/brakeman/options.rb
@@ -187,6 +184,7 @@ files:
 - lib/brakeman/processors/slim_template_processor.rb
 - lib/brakeman/processors/template_alias_processor.rb
 - lib/brakeman/processors/template_processor.rb
+- lib/brakeman/report.rb
 - lib/brakeman/report/ignore/config.rb
 - lib/brakeman/report/ignore/interactive.rb
 - lib/brakeman/report/initializers/faster_csv.rb
@@ -197,6 +195,7 @@ files:
 - lib/brakeman/report/report_hash.rb
 - lib/brakeman/report/report_html.rb
 - lib/brakeman/report/report_json.rb
+- lib/brakeman/report/report_markdown.rb
 - lib/brakeman/report/report_table.rb
 - lib/brakeman/report/report_tabs.rb
 - lib/brakeman/report/templates/controller_overview.html.erb
@@ -210,7 +209,6 @@ files:
 - lib/brakeman/report/templates/template_overview.html.erb
 - lib/brakeman/report/templates/view_warnings.html.erb
 - lib/brakeman/report/templates/warning_overview.html.erb
-- lib/brakeman/report.rb
 - lib/brakeman/rescanner.rb
 - lib/brakeman/scanner.rb
 - lib/brakeman/tracker.rb
@@ -218,41 +216,30 @@ files:
 - lib/brakeman/version.rb
 - lib/brakeman/warning.rb
 - lib/brakeman/warning_codes.rb
-- lib/brakeman.rb
 - lib/ruby_parser/bm_sexp.rb
 - lib/ruby_parser/bm_sexp_processor.rb
 homepage: http://brakemanscanner.org
-licenses: 
+licenses:
 - MIT
+metadata: {}
 post_install_message: 
 rdoc_options: []
-
-require_paths: 
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement 
-  none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement 
-  none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
-
 rubyforge_project: 
-rubygems_version: 1.8.15
+rubygems_version: 2.2.2
 signing_key: 
-specification_version: 3
+specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.
 test_files: []
-