brakeman-min 3.1.4 → 3.1.5.pre1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 91f158b5a015d51042b31791edad0d8a79847a6a
-  data.tar.gz: a18ce85d815f421ae093cc2a46b97b067fd244f1
+  metadata.gz: f7ed8514bb16d1d30d4f7b640dfbab79a6e8d034
+  data.tar.gz: 460ed07d68c8a3af9eb3b2f5034310b29bc4bda5
 SHA512:
-  metadata.gz: a9a77a39c6fa4af234c92912517447cb712100a2fb88de86d8151e3ceb1cc666b29b9b885b44e8c14344a0924a7bbce593773519b42d14f53d4aa06b405b6c6d
-  data.tar.gz: 516fb05b82d87ede5efb094d2efc8270df6d1da8f9228817c43182914f35718bce9e42d8fe88d23d4dcec8ded23586f089eadea1b4cbf25dd6b3f83ea7b1cc66
+  metadata.gz: 6c986dcecf527e256507f89e60d93fb72c02f6c534cf04ca30412e05a07a8f5364928d3b1886b0787efdfbf2952d057d6e7dc45db4f89e9fe437fa7aafeeddf9
+  data.tar.gz: 795321abc425629d277e8babc82d7d79e63ffe2bd0ab9da57f6e7451c3da1e6acfcd566932c78cd6f8c3c91ed69b787b93373a11e81d3dd6f6f9d97769eb3c1f

data/CHANGES

@@ -1,3 +1,33 @@
+# 3.2.0.pre1
+
+* Support calls using `&.` operator
+* Update ruby_parser dependency to 3.8.1
+* Remove `fastercsv` dependency
+* Fix finding calls with `targets: nil`
+* Remove `multi-json` dependecy
+* Handle CoffeeScript in HAML
+* Avoid render warnings about params[:action]/params[:controller]
+* Index calls in class bodies but outside methods
+
+# 3.1.5
+
+* Fix CodeClimate construction of --only-files (Will Fleming)
+* Add check for denial of service via routes (CVE-2015-7581)
+* Warn about RCE with `render params` (CVE-2016-0752)
+* Add check for `strip_tags` XSS (CVE-2015-7579)
+* Add check for `sanitize` XSS (CVE-2015-7578/80)
+* Add check for `reject_if` proc bypass (CVE-2015-7577)
+* Add check for mime-type denial of service (CVE-2016-0751)
+* Add check for basic auth timing attack (CVE-2015-7576)
+* Add initial Rails 5 support
+* Check for implict integer comparison in dynamic finders
+* Support directories better in --only-files and --skip-files (Patrick Toomey)
+* Avoid warning about `permit` in SQL
+* Handle guards using `detect`
+* Avoid warning on user input in comparisons
+* Handle module names with self methods
+* Add session manipulation documentation
+
 # 3.1.4
 
 * Emit brakeman's native fingerprints for Code Climate engine (Noah Davis)

data/README.md

@@ -3,6 +3,7 @@
 [![Build Status](https://travis-ci.org/presidentbeef/brakeman.svg?branch=master)](https://travis-ci.org/presidentbeef/brakeman)
 [![Code Climate](https://codeclimate.com/github/presidentbeef/brakeman/badges/gpa.svg)](https://codeclimate.com/github/presidentbeef/brakeman)
 [![Test Coverage](https://codeclimate.com/github/presidentbeef/brakeman/badges/coverage.svg)](https://codeclimate.com/github/presidentbeef/brakeman/coverage)
+[![Gitter](https://badges.gitter.im/presidentbeef/brakeman.svg)](https://gitter.im/presidentbeef/brakeman)
 
 # Brakeman
 
@@ -82,9 +83,9 @@ By default, Brakeman will return 0 as an exit code unless something went very wr
 
     brakeman -z
 
-To skip certain files that Brakeman may have trouble parsing, use:
+To skip certain files or directories that Brakeman may have trouble parsing, use:
 
-    brakeman --skip-files file1,file2,etc
+    brakeman --skip-files file1,/path1/,path2/
 
 To compare results of a scan with a previous scan, use the JSON output option and then:
 

data/lib/brakeman.rb

@@ -407,20 +407,20 @@ module Brakeman
 
   # Compare JSON ouptut from a previous scan and return the diff of the two scans
   def self.compare options
-    require 'multi_json'
+    require 'json'
     require 'brakeman/differ'
     raise ArgumentError.new("Comparison file doesn't exist") unless File.exist? options[:previous_results_json]
 
     begin
-      previous_results = MultiJson.load(File.read(options[:previous_results_json]), :symbolize_keys => true)[:warnings]
-    rescue MultiJson::DecodeError
+      previous_results = JSON.parse(File.read(options[:previous_results_json]), :symbolize_names => true)[:warnings]
+    rescue JSON::ParserError
       self.notify "Error parsing comparison file: #{options[:previous_results_json]}"
       exit!
     end
 
     tracker = run(options)
 
-    new_results = MultiJson.load(tracker.report.to_json, :symbolize_keys => true)[:warnings]
+    new_results = JSON.parse(tracker.report.to_json, :symbolize_names => true)[:warnings]
 
     Brakeman::Differ.new(new_results, previous_results).diff
   end

data/lib/brakeman/app_tree.rb

@@ -1,3 +1,5 @@
+require 'pathname'
+
 module Brakeman
   class AppTree
     VIEW_EXTENSIONS = %w[html.erb html.haml rhtml js.erb html.slim].join(",")
@@ -10,15 +12,45 @@ module Brakeman
       # Convert files into Regexp for matching
       init_options = {}
       if options[:skip_files]
-        init_options[:skip_files] = Regexp.new("(?:" << options[:skip_files].map { |f| Regexp.escape f }.join("|") << ")$")
+        init_options[:skip_files] = regex_for_paths(options[:skip_files])
       end
+
       if options[:only_files]
-        init_options[:only_files] = Regexp.new("(?:" << options[:only_files].map { |f| Regexp.escape f }.join("|") << ")")
+        init_options[:only_files] = regex_for_paths(options[:only_files])
       end
       init_options[:additional_libs_path] = options[:additional_libs_path]
       new(root, init_options)
     end
 
+    # Accepts an array of filenames and paths with the following format and
+    # returns a Regexp to match them:
+    #   * "path1/file1.rb" - Matches a specific filename in the project directory.
+    #   * "path1/" - Matches any path that conatains "path1" in the project directory.
+    #   * "/path1/ - Matches any path that is rooted at "path1" in the project directory.
+    #
+    def self.regex_for_paths(paths)
+      path_regexes = paths.map do |f|
+        # If path ends in a file separator then we assume it is a path rather
+        # than a filename.
+        if f.end_with?(File::SEPARATOR)
+          # If path starts with a file separator then we assume that they
+          # want the project relative path to start with this path prefix.
+          if f.start_with?(File::SEPARATOR)
+            "\\A#{Regexp.escape f}"
+          # If it ends in a file separator, but does not begin with a file
+          # separator then we assume the path can match any path component in
+          # the project.
+          else
+            Regexp.escape f
+          end
+        else
+          "#{Regexp.escape f}\\z"
+        end
+      end
+      Regexp.new("(?:" << path_regexes.join("|") << ")")
+    end
+    private_class_method(:regex_for_paths)
+
     def initialize(root, init_options = {})
       @root = root
       @skip_files = init_options[:skip_files]
@@ -96,13 +128,34 @@ module Brakeman
 
     def select_only_files(paths)
       return paths unless @only_files
-      paths.select { |f| @only_files.match f }
+      project_root  = Pathname.new(@root)
+      paths.select do |path|
+        absolute_path = Pathname.new(path)
+        # relative root never has a leading separator. But, we use a leading
+        # separator in a @skip_files entry to imply that a directory is
+        # "absolute" with respect to the project directory.
+        project_relative_path = File.join(
+          File::SEPARATOR,
+          absolute_path.relative_path_from(project_root).to_s
+        )
+        @only_files.match(project_relative_path)
+      end
     end
 
     def reject_skipped_files(paths)
       return paths unless @skip_files
-      paths.reject { |f| @skip_files.match f }
+      project_root  = Pathname.new(@root)
+      paths.reject do |path|
+        absolute_path = Pathname.new(path)
+        # relative root never has a leading separator. But, we use a leading
+        # separator in a @skip_files entry to imply that a directory is
+        # "absolute" with respect to the project directory.
+        project_relative_path = File.join(
+          File::SEPARATOR,
+          absolute_path.relative_path_from(project_root).to_s
+        )
+        @skip_files.match(project_relative_path)
+      end
     end
-
   end
 end

data/lib/brakeman/call_index.rb

@@ -5,8 +5,8 @@ class Brakeman::CallIndex
 
   #Initialize index with calls from FindAllCalls
   def initialize calls
-    @calls_by_method = Hash.new
-    @calls_by_target = Hash.new
+    @calls_by_method = Hash.new { |h, k| h[k] = [] }
+    @calls_by_target = Hash.new { |h, k| h[k] = [] }
 
     index_calls calls
   end
@@ -45,7 +45,7 @@ class Brakeman::CallIndex
 
     #Find calls with no explicit target
     #with either :target => nil or :target => false
-    elsif options.key? :target and not target and method
+    elsif (options.key? :target or options.key? :targets) and not target and method
       calls = calls_by_method method
       calls = filter_by_target calls, nil
 
@@ -66,44 +66,35 @@ class Brakeman::CallIndex
   end
 
   def remove_template_indexes template_name = nil
-    @calls_by_method.each do |name, calls|
-      calls.delete_if do |call|
-        from_template call, template_name
-      end
-    end
-
-    @calls_by_target.each do |name, calls|
-      calls.delete_if do |call|
-        from_template call, template_name
+    [@calls_by_method, @calls_by_target].each do |calls_by|
+      calls_by.each do |name, calls|
+        calls.delete_if do |call|
+          from_template call, template_name
+        end
       end
     end
   end
 
   def remove_indexes_by_class classes
-    @calls_by_method.each do |name, calls|
-      calls.delete_if do |call|
-        call[:location][:type] == :class and classes.include? call[:location][:class]
-      end
-    end
-
-    @calls_by_target.each do |name, calls|
-      calls.delete_if do |call|
-        call[:location][:type] == :class and classes.include? call[:location][:class]
+    [@calls_by_method, @calls_by_target].each do |calls_by|
+      calls_by.each do |name, calls|
+        calls.delete_if do |call|
+          call[:location][:type] == :class and classes.include? call[:location][:class]
+        end
       end
     end
   end
 
   def index_calls calls
     calls.each do |call|
-      @calls_by_method[call[:method]] ||= []
       @calls_by_method[call[:method]] << call
 
-      if not call[:target].is_a? Sexp
-        @calls_by_target[call[:target]] ||= []
-        @calls_by_target[call[:target]] << call
-      elsif call[:target].node_type == :params or call[:target].node_type == :session
-        @calls_by_target[call[:target].node_type] ||= []
-        @calls_by_target[call[:target].node_type] << call
+      target = call[:target]
+
+      if not target.is_a? Sexp
+        @calls_by_target[target] << call
+      elsif target.node_type == :params or target.node_type == :session
+        @calls_by_target[target.node_type] << call
       end
     end
   end
@@ -115,7 +106,7 @@ class Brakeman::CallIndex
     method = options[:method] || options[:methods]
 
     calls = calls_by_method method
-    
+
     return [] if calls.nil?
 
     calls = filter_by_chain calls, target
@@ -145,7 +136,7 @@ class Brakeman::CallIndex
     elsif method.is_a? Regexp
       calls_by_methods_regex method
     else
-      @calls_by_method[method.to_sym] || []
+      @calls_by_method[method.to_sym]
     end
   end
 
@@ -169,7 +160,7 @@ class Brakeman::CallIndex
   end
 
   def calls_with_no_target
-    @calls_by_target[nil] || []
+    @calls_by_target[nil]
   end
 
   def filter calls, key, value

data/lib/brakeman/checks.rb

@@ -93,91 +93,49 @@ class Brakeman::Checks
   #Run all the checks on the given Tracker.
   #Returns a new instance of Checks with the results.
   def self.run_checks(app_tree, tracker)
-    if tracker.options[:parallel_checks]
-      self.run_checks_parallel(app_tree, tracker)
-    else
-      self.run_checks_sequential(app_tree, tracker)
-    end
-  end
-
-  #Run checks sequentially
-  def self.run_checks_sequential(app_tree, tracker)
+    checks = self.checks_to_run(tracker)
     check_runner = self.new :min_confidence => tracker.options[:min_confidence]
-
-    self.checks_to_run(tracker).each do |c|
-      check_name = get_check_name c
-
-      #Run or don't run check based on options
-      unless tracker.options[:skip_checks].include? check_name or
-        (tracker.options[:run_checks] and not tracker.options[:run_checks].include? check_name)
-
-        Brakeman.notify " - #{check_name}"
-
-        check = c.new(app_tree, tracker)
-
-        begin
-          check.run_check
-        rescue => e
-          tracker.error e
-        end
-
-        check.warnings.each do |w|
-          check_runner.add_warning w
-        end
-
-        #Maintain list of which checks were run
-        #mainly for reporting purposes
-        check_runner.checks_run << check_name[5..-1]
-      end
-    end
-
-    check_runner
+    self.actually_run_checks(checks, check_runner, app_tree, tracker)
   end
 
-  #Run checks in parallel threads
-  def self.run_checks_parallel(app_tree, tracker)
-    threads = []
+  def self.actually_run_checks(checks, check_runner, app_tree, tracker)
+    threads = [] # Results for parallel
+    results = [] # Results for sequential
+    parallel = tracker.options[:parallel_checks]
     error_mutex = Mutex.new
 
-    check_runner = self.new :min_confidence => tracker.options[:min_confidence]
-
-    self.checks_to_run(tracker).each do |c|
+    checks.each do |c|
       check_name = get_check_name c
+      Brakeman.notify " - #{check_name}"
 
-      #Run or don't run check based on options
-      unless tracker.options[:skip_checks].include? check_name or
-        (tracker.options[:run_checks] and not tracker.options[:run_checks].include? check_name)
-
-        Brakeman.notify " - #{check_name}"
-
+      if parallel
         threads << Thread.new do
-          check = c.new(app_tree, tracker)
-
-          begin
-            check.run_check
-          rescue => e
-            error_mutex.synchronize do
-              tracker.error e
-            end
-          end
-
-          check.warnings
+          self.run_a_check(c, error_mutex, app_tree, tracker)
         end
-
-        #Maintain list of which checks were run
-        #mainly for reporting purposes
-        check_runner.checks_run << check_name[5..-1]
+      else
+        results << self.run_a_check(c, error_mutex, app_tree, tracker)
       end
+
+      #Maintain list of which checks were run
+      #mainly for reporting purposes
+      check_runner.checks_run << check_name[5..-1]
     end
 
     threads.each { |t| t.join }
 
     Brakeman.notify "Checks finished, collecting results..."
 
-    #Collect results
-    threads.each do |thread|
-      thread.value.each do |warning|
-        check_runner.add_warning warning
+    if parallel
+      threads.each do |thread|
+        thread.value.each do |warning|
+          check_runner.add_warning warning
+        end
+      end
+    else
+      results.each do |warnings|
+        warnings.each do |warning|
+          check_runner.add_warning warning
+        end
       end
     end
 
@@ -191,11 +149,39 @@ class Brakeman::Checks
   end
 
   def self.checks_to_run tracker
-    if tracker.options[:run_all_checks] or tracker.options[:run_checks]
-      @checks + @optional_checks
-    else
-      @checks
+    to_run = if tracker.options[:run_all_checks] or tracker.options[:run_checks]
+               @checks + @optional_checks
+             else
+               @checks
+             end
+
+    self.filter_checks to_run, tracker
+  end
+
+  def self.filter_checks checks, tracker
+    skipped = tracker.options[:skip_checks]
+    explicit = tracker.options[:run_checks]
+
+    checks.reject do |c|
+      check_name = self.get_check_name(c)
+
+      skipped.include? check_name or
+        (explicit and not explicit.include? check_name)
+    end
+  end
+
+  def self.run_a_check klass, mutex, app_tree, tracker
+    check = klass.new(app_tree, tracker)
+
+    begin
+      check.run_check
+    rescue => e
+      mutex.synchronize do
+        tracker.error e
+      end
     end
+
+    check.warnings
   end
 end