brakeman-min 3.2.1 → 3.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 17de56675dc2f00c7a1b4c10e833501ac3b039c2
-  data.tar.gz: 8c9399690ad552f470057f3945248784e1ff7cb4
+  metadata.gz: bfbe9bf6ab37921809b33145342e4bcd6df55e8e
+  data.tar.gz: 62f41f3c6a63e4f1b9c662b28779cb821d60a7b9
 SHA512:
-  metadata.gz: ab231cd491eb31cab3ab399788c2bfab81dd1a79a231bb303e409ab67e66688ba6b2044884f6fb2418c2b408c8f33e69dd7d6cde9188aa9122c4b7647c01de78
-  data.tar.gz: cb931ae85cf06d0607a25d6c4ce10f5f82b11e5a8e7bfa9f31a70a49f72aa769602f8868756f2fb21972ee21cc7cd0555241654bf961859ee0a76e5913d4645b
+  metadata.gz: 3724d2c9aad208a2c5197decc4e72e46e9306a7745aaecdd6326bb8357367941b6f14586163bab5e299928cec1acb1d4f994f884441b78f521580cc0b26cbbcf
+  data.tar.gz: 26f0ab2c6871b2a304773c7d93c1b25e2958adef16f97d96257a39ba8cf1c085c1451e5180754e2ae18f197b7b5efc2370e081bd21ec6cb2ab17bb9bc554321d

data/CHANGES

@@ -1,3 +1,21 @@
+# 3.3.0
+
+* Skip processing obviously false if branches (more broadly)
+* Skip if branches with `Rails.env.test?`
+* Return exit code `4` if no Rails application is detected
+* Avoid warning about mass assignment with `params.slice`
+* Avoid warning about `u` helper (Chad Dollins)
+* Add optional check for secrets in source code
+* Process `Array#first`
+* Allow non-Hash arguments in `protect_from_forgery` (Jason Yeo)
+* Avoid warning on `popen` with array
+* Bundle all dependencies in gem
+* Track constants globally
+* Handle HAML `find_and_preserve` with a block
+* [Code Climate engine] When possible, output to /dev/stdout (Gordon Diggs)
+* [Code Climate engine] Remove nil entries from include_paths (Gordon Diggs)
+* [Code Climate engine] Report end lines for issues (Gordon Diggs)
+
 # 3.2.1
 
 * Remove `multi_json` dependency from `bin/brakeman`

data/bin/brakeman

@@ -85,5 +85,5 @@ begin
   end
 rescue Brakeman::NoApplication => e
   $stderr.puts e.message
-  exit 1
+  exit Brakeman::No_App_Found_Exit_Code
 end

data/lib/brakeman.rb

@@ -1,12 +1,20 @@
-require 'rubygems'
 require 'set'
 
+path_load = "#{File.expand_path(File.dirname(__FILE__))}/../bundle/load.rb"
+
+if File.exist? path_load
+  require path_load
+end
+
 module Brakeman
 
   #This exit code is used when warnings are found and the --exit-on-warn
   #option is set
   Warnings_Found_Exit_Code = 3
 
+  #Exit code returned when no Rails application is detected
+  No_App_Found_Exit_Code = 4
+
   @debug = false
   @quiet = false
   @loaded_dependencies = []

data/lib/brakeman/call_index.rb

@@ -53,7 +53,7 @@ class Brakeman::CallIndex
     elsif method
       calls = calls_by_method method
     else
-      notify "Invalid arguments to CallCache#find_calls: #{options.inspect}"
+      raise "Invalid arguments to CallCache#find_calls: #{options.inspect}"
     end
 
     return [] if calls.nil?

data/lib/brakeman/checks/check_content_tag.rb

@@ -24,7 +24,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
                            :hidden_field, :hidden_field_tag, :image_tag, :label,
                            :mail_to, :radio_button, :select,
                            :submit_tag, :text_area, :text_field,
-                           :text_field_tag, :url_encode, :url_for,
+                           :text_field_tag, :url_encode, :u, :url_for,
                            :will_paginate].merge tracker.options[:safe_methods]
 
     @known_dangerous = []

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -286,7 +286,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
                            :hidden_field, :hidden_field_tag, :image_tag, :label,
                            :link_to, :mail_to, :radio_button, :select,
                            :submit_tag, :text_area, :text_field,
-                           :text_field_tag, :url_encode, :url_for,
+                           :text_field_tag, :url_encode, :u, :url_for,
                            :will_paginate].merge tracker.options[:safe_methods]
 
     @models = tracker.models.keys

data/lib/brakeman/checks/check_execute.rb

@@ -43,6 +43,10 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
     first_arg = call.first_arg
 
     case call.method
+    when :popen
+      unless array? first_arg
+        failure = include_user_input?(args) || dangerous_interp?(args)
+      end
     when :system, :exec
       failure = include_user_input?(first_arg) || dangerous_interp?(first_arg)
     else

data/lib/brakeman/checks/check_forgery_setting.rb

@@ -13,7 +13,7 @@ class Brakeman::CheckForgerySetting < Brakeman::BaseCheck
     app_controller = tracker.controllers[:ApplicationController]
     return unless app_controller and app_controller.ancestor? :"ActionController::Base"
 
-    if tracker.config.allow_forgery_protection? 
+    if tracker.config.allow_forgery_protection?
       warn :controller => :ApplicationController,
         :warning_type => "Cross-Site Request Forgery",
         :warning_code => :csrf_protection_disabled,
@@ -53,7 +53,8 @@ class Brakeman::CheckForgerySetting < Brakeman::BaseCheck
     elsif version_between? "4.0.0", "100.0.0" and forgery_opts = app_controller.options[:protect_from_forgery]
 
       unless forgery_opts.is_a?(Array) and sexp?(forgery_opts.first) and
-          access_arg = hash_access(forgery_opts.first.first_arg, :with) and access_arg.value == :exception
+          access_arg = hash_access(forgery_opts.first.first_arg, :with) and symbol? access_arg and
+          access_arg.value == :exception
 
         args = {
           :controller => :ApplicationController,

data/lib/brakeman/checks/check_link_to.rb

@@ -17,7 +17,7 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
                            :hidden_field, :hidden_field_tag, :image_tag, :label,
                            :mail_to, :radio_button, :select,
                            :submit_tag, :text_area, :text_field,
-                           :text_field_tag, :url_encode, :url_for,
+                           :text_field_tag, :url_encode, :u, :url_for,
                            :will_paginate].merge tracker.options[:safe_methods]
 
     @known_dangerous = []

data/lib/brakeman/checks/check_link_to_href.rb

@@ -15,9 +15,9 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
     @ignore_methods = Set[:button_to, :check_box,
                            :field_field, :fields_for, :hidden_field,
                            :hidden_field, :hidden_field_tag, :image_tag, :label,
-                           :mail_to, :polymorphic_url, :radio_button, :select,
+                           :mail_to, :polymorphic_url, :radio_button, :select, :slice,
                            :submit_tag, :text_area, :text_field,
-                           :text_field_tag, :url_encode, :url_for,
+                           :text_field_tag, :url_encode, :u, :url_for,
                            :will_paginate].merge(tracker.options[:url_safe_methods] || [])
 
     @models = tracker.models.keys

data/lib/brakeman/checks/check_mass_assignment.rb

@@ -160,7 +160,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
   # Look for and warn about uses of Parameters#permit! for mass assignment
   def check_permit!
     tracker.find_call(:method => :permit!).each do |result|
-      if params? result[:call].target
+      if params? result[:call].target and not result[:chain].include? :slice
         warn_on_permit! result
       end
     end

data/lib/brakeman/checks/check_redirect.rb

@@ -38,6 +38,7 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
     if method == :redirect_to and
         not only_path?(call) and
         not explicit_host?(call.first_arg) and
+        not slice_call?(call.first_arg) and
         res = include_user_input?(call)
 
       add_result result
@@ -206,4 +207,9 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
 
     model.association? meth
   end
+
+  def slice_call? exp
+    return unless call? exp
+    exp.method == :slice
+  end
 end

data/lib/brakeman/checks/check_secrets.rb

@@ -0,0 +1,40 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckSecrets < Brakeman::BaseCheck
+  Brakeman::Checks.add_optional self
+
+  @description = "Checks for secrets stored in source code"
+
+  def run_check
+    check_constants
+  end
+
+  def check_constants
+    @warned = Set.new
+
+    @tracker.constants.each do |constant|
+      name = constant.name.last
+      value = constant.value
+
+      if string? value and not value.value.empty? and looks_like_secret? name
+        match = [name, value, value.line]
+
+        unless @warned.include? match
+          @warned << match
+
+          warn :warning_code => :secret_in_source,
+            :warning_type => "Authentication",
+            :message => "Hardcoded value for #{name} in source code",
+            :confidence => CONFIDENCE[:med],
+            :file => constant.file,
+            :line => constant.line
+        end
+      end
+    end
+  end
+
+  def looks_like_secret? name
+    # REST_AUTH_SITE_KEY is the pepper in Devise
+    name.match /password|secret|(rest_auth_site|api)_key$/i
+  end
+end

data/lib/brakeman/checks/check_sql.rb

@@ -264,7 +264,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     end
 
     if request_value? arg
-      unless call? arg and params? arg.target and arg.method == :permit
+      unless call? arg and params? arg.target and [:permit, :slice].include? arg.method
         # Model.where(params[:where])
         arg
       end

data/lib/brakeman/processor.rb

@@ -22,8 +22,8 @@ module Brakeman
     end
 
     #Process configuration file source
-    def process_config src
-      ConfigProcessor.new(@tracker).process_config src
+    def process_config src, file_name
+      ConfigProcessor.new(@tracker).process_config src, file_name
     end
 
     #Process Gemfile
@@ -88,10 +88,10 @@ module Brakeman
     end
 
     #Process source for initializing files
-    def process_initializer name, src
-      res = BaseProcessor.new(@tracker).process src
-      res = AliasProcessor.new(@tracker).process res
-      @tracker.initializers[Pathname.new(name).basename.to_s] = res
+    def process_initializer file_name, src
+      res = BaseProcessor.new(@tracker).process_file src, file_name
+      res = AliasProcessor.new(@tracker).process_safely res, nil, file_name
+      @tracker.initializers[Pathname.new(file_name).basename.to_s] = res
     end
 
     #Process source for a library file

data/lib/brakeman/processors/alias_processor.rb

@@ -16,7 +16,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   #The recommended usage is:
   #
   # AliasProcessor.new.process_safely src
-  def initialize tracker = nil
+  def initialize tracker = nil, file_name = nil
     super()
     @env = SexpProcessor::Environment.new
     @inside_if = false
@@ -28,6 +28,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     @helper_method_info = Hash.new({})
     @or_depth_limit = (tracker && tracker.options[:branch_limit]) || 5 #arbitrary default
     @meth_env = nil
+    @file_name = file_name
     set_env_defaults
   end
 
@@ -39,7 +40,8 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   #
   #This method returns a new Sexp with variables replaced with their values,
   #where possible.
-  def process_safely src, set_env = nil
+  def process_safely src, set_env = nil, file_name = nil
+    @file_name = file_name
     @env = set_env || SexpProcessor::Environment.new
     @result = src.deep_clone
     process @result
@@ -73,8 +75,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   def replace exp, int = 0
     return exp if int > 3
 
+
     if replacement = env[exp] and not duplicate? replacement
       replace(replacement.deep_clone(exp.line), int + 1)
+    elsif tracker and replacement = tracker.constant_lookup(exp) and not duplicate? replacement
+      replace(replacement.deep_clone(exp.line), int + 1)
     else
       exp
     end
@@ -82,6 +87,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
 
   ARRAY_CONST = s(:const, :Array)
   HASH_CONST = s(:const, :Hash)
+  RAILS_TEST = s(:call, s(:call, s(:const, :Rails), :env), :test?)
 
   #Process a method call.
   def process_call exp
@@ -110,8 +116,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       return Sexp.new(:array, *exp.args)
     elsif target == HASH_CONST and method == :new and first_arg.nil? and !node_type?(@exp_context.last, :iter)
       return Sexp.new(:hash)
+    elsif exp == RAILS_TEST
+      return Sexp.new(:false)
     end
 
+
     #See if it is possible to simplify some basic cases
     #of addition/concatenation.
     case method
@@ -204,6 +213,10 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         target = find_push_target(target_var)
         env[target] = exp unless target.nil? # Happens in TemplateAliasProcessor
       end
+    when :first
+      if array? target and first_arg.nil? and sexp? target[1]
+        exp = target[1]
+      end
     end
 
     exp
@@ -504,6 +517,19 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       exp.rhs = process exp.rhs
     end
 
+    file = case
+           when @file_name
+             @file_name
+           when @current_class.is_a?(Brakeman::Collection)
+             @current_class.file
+           when @current_module.is_a?(Brakeman::Collection)
+             @current_module.file
+           else
+             nil
+           end
+
+    @tracker.add_constant exp.lhs, exp.rhs, :file => file if @tracker
+
     if exp.lhs.is_a? Symbol
       match = Sexp.new(:const, exp.lhs)
     else
@@ -543,7 +569,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       @ignore_ifs = @tracker && @tracker.options[:ignore_ifs]
     end
 
-    condition = process exp.condition
+    condition = exp.condition = process exp.condition
 
     #Check if a branch is obviously going to be taken
     if true? condition

data/lib/brakeman/processors/base_processor.rb

@@ -13,7 +13,12 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     super()
     @last = nil
     @tracker = tracker
-    @current_template = @current_module = @current_class = @current_method = nil
+    @current_template = @current_module = @current_class = @current_method = @file_name = nil
+  end
+
+  def process_file exp, file_name
+    @file_name = file_name
+    process exp
   end
 
   def ignore
@@ -43,9 +48,19 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
   #Process an if statement.
   def process_if exp
     exp = exp.dup
-    exp[1] = process exp.condition
-    exp[2] = process exp.then_clause if exp.then_clause
-    exp[3] = process exp.else_clause if exp.else_clause
+    condition = exp[1] = process exp.condition
+
+    if true? condition
+      exp[2] = process exp.then_clause if exp.then_clause
+      exp[3] = nil
+    elsif false? condition
+      exp[2] = nil
+      exp[3] = process exp.else_clause if exp.else_clause
+    else
+      exp[2] = process exp.then_clause if exp.then_clause
+      exp[3] = process exp.else_clause if exp.else_clause
+    end
+
     exp
   end
 
@@ -173,6 +188,22 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     exp
   end
 
+  def process_cdecl exp
+    file = case
+           when @file_name
+             @file_name
+           when @current_class.is_a?(Brakeman::Collection)
+             @current_class.file
+           when @current_module.is_a?(Brakeman::Collection)
+             @current_module.file
+           else
+             nil
+           end
+
+    @tracker.add_constant exp.lhs, exp.rhs, :file => file if @tracker
+    exp
+  end
+
   #Convenience method for `make_render exp, true`
   def make_render_in_view exp
     make_render exp, true

data/lib/brakeman/processors/controller_alias_processor.rb

@@ -20,13 +20,13 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
     @method_cache = {} #Cache method lookups
   end
 
-  def process_controller name, src, file
+  def process_controller name, src, file_name
     if not node_type? src, :class
       Brakeman.debug "#{name} is not a class, it's a #{src.node_type}"
       return
     else
       @current_class = name
-      @file = file
+      @file_name = file_name
 
       process_default src
 
@@ -59,7 +59,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
           method = processor.process method
         end
 
-        @file = mixin.file
+        @file_name = mixin.file
         #Then process it like any other method in the controller
         process method
       end
@@ -182,7 +182,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
       end
     end
 
-    render_path = Brakeman::RenderPath.new.add_controller_render(@current_class, @current_method, line, relative_path(@file))
+    render_path = Brakeman::RenderPath.new.add_controller_render(@current_class, @current_method, line, relative_path(@file_name))
     super name, args, render_path, line
   end
 

data/lib/brakeman/processors/haml_template_processor.rb

@@ -88,7 +88,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
       #Process call to render()
       exp.arglist = process exp.arglist
       make_render_in_view exp
-    elsif target == nil and method == :find_and_preserve
+    elsif target == nil and method == :find_and_preserve and exp.first_arg
       process exp.first_arg
     elsif method == :render_with_options
       if target == JAVASCRIPT_FILTER or target == COFFEE_FILTER

data/lib/brakeman/processors/lib/basic_processor.rb

@@ -30,4 +30,22 @@ class Brakeman::BasicProcessor < Brakeman::SexpProcessor
       process_default exp
     end
   end
+
+  def process_if exp
+    condition = exp.condition
+
+    process condition
+
+    if true? condition
+      process exp.then_clause
+    elsif false? condition
+      process exp.else_clause
+    else
+      [exp.then_clause, exp.else_clause].compact.map do |e|
+        process e
+      end
+    end
+
+    exp
+  end
 end

data/lib/brakeman/processors/lib/rails2_config_processor.rb

@@ -27,8 +27,9 @@ class Brakeman::Rails2ConfigProcessor < Brakeman::BasicProcessor
   end
 
   #Use this method to process configuration file
-  def process_config src
-    res = Brakeman::ConfigAliasProcessor.new.process_safely(src)
+  def process_config src, file_name
+    @file_name = file_name
+    res = Brakeman::ConfigAliasProcessor.new.process_safely(src, nil, file_name)
     process res
   end
 

data/lib/brakeman/processors/lib/rails2_route_processor.rb

@@ -16,6 +16,7 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BasicProcessor
     @prefix = [] #Controller name prefix (a module name, usually)
     @current_controller = nil
     @with_options = nil #For use inside map.with_options
+    @file_name = "config/routes.rb"
   end
 
   #Call this with parsed route file information.
@@ -23,7 +24,7 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BasicProcessor
   #This method first calls RouteAliasProcessor#process_safely on the +exp+,
   #so it does not modify the +exp+.
   def process_routes exp
-    process Brakeman::RouteAliasProcessor.new.process_safely(exp)
+    process Brakeman::RouteAliasProcessor.new.process_safely(exp, nil, @file_name)
   end
 
   #Looking for mapping of routes

data/lib/brakeman/processors/lib/rails3_config_processor.rb

@@ -24,8 +24,9 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
   end
 
   #Use this method to process configuration file
-  def process_config src
-    res = Brakeman::AliasProcessor.new(@tracker).process_safely(src)
+  def process_config src, file_name
+    @file_name = file_name
+    res = Brakeman::AliasProcessor.new(@tracker).process_safely(src, nil, @file_name)
     process res
   end
 

data/lib/brakeman/processors/lib/rails3_route_processor.rb

@@ -17,10 +17,11 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BasicProcessor
     @current_controller = nil
     @with_options = nil #For use inside map.with_options
     @controller_block = false
+    @file_name = "config/routes.rb"
   end
 
   def process_routes exp
-    process exp.dup
+    process Brakeman::AliasProcessor.new.process_safely(exp, nil, @file_name)
   end
 
   def process_call exp

data/lib/brakeman/processors/template_alias_processor.rb

@@ -18,8 +18,8 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
   end
 
   #Process template
-  def process_template name, args, _, line = nil
-    file = relative_path(@template.file || @tracker.templates[@template.name])
+  def process_template name, args, _, line = nil, file_name = nil
+    @file_name = file_name || relative_path(@template.file || @tracker.templates[@template.name])
 
     if @called_from
       if @called_from.include_template? name
@@ -27,9 +27,9 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
         return
       end
 
-      super name, args, @called_from.dup.add_template_render(@template.name, line, file)
+      super name, args, @called_from.dup.add_template_render(@template.name, line, @file_name)
     else
-      super name, args, Brakeman::RenderPath.new.add_template_render(@template.name, line, file)
+      super name, args, Brakeman::RenderPath.new.add_template_render(@template.name, line, @file_name)
     end
   end
 

data/lib/brakeman/processors/template_processor.rb

@@ -8,6 +8,7 @@ class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
   def initialize tracker, template_name, called_from = nil, file_name = nil
     super(tracker) 
     @current_template = Brakeman::Template.new template_name, called_from, file_name, tracker
+    @file_name = file_name
 
     if called_from
       template_name = (template_name.to_s + "." + called_from.to_s).to_sym

data/lib/brakeman/report/report_codeclimate.rb

@@ -26,7 +26,8 @@ class Brakeman::Report::CodeClimate < Brakeman::Report::Base
       location: {
         path: warning.relative_path,
         lines: {
-          begin: warning.line || 1
+          begin: warning.line || 1,
+          end: warning.line || 1,
         }
       },
       content: {

data/lib/brakeman/scanner.rb

@@ -116,7 +116,7 @@ class Brakeman::Scanner
     path = "config/#{file}"
 
     if @app_tree.exists?(path)
-      @processor.process_config(parse_ruby(@app_tree.read(path)))
+      @processor.process_config(parse_ruby(@app_tree.read(path)), path)
     end
 
   rescue => e

data/lib/brakeman/tracker.rb

@@ -5,10 +5,11 @@ require 'brakeman/report'
 require 'brakeman/processors/lib/find_call'
 require 'brakeman/processors/lib/find_all_calls'
 require 'brakeman/tracker/config'
+require 'brakeman/tracker/constants'
 
 #The Tracker keeps track of all the processed information.
 class Brakeman::Tracker
-  attr_accessor :controllers, :templates, :models, :errors,
+  attr_accessor :controllers, :constants, :templates, :models, :errors,
     :checks, :initializers, :config, :routes, :processor, :libs,
     :template_cache, :options, :filter_cache, :start_time, :end_time,
     :duration, :ignored_filter
@@ -38,6 +39,7 @@ class Brakeman::Tracker
     @initializers = {}
     @errors = []
     @libs = {}
+    @constants = Brakeman::Constants.new
     @checks = nil
     @processed = nil
     @template_cache = Set.new
@@ -188,6 +190,14 @@ class Brakeman::Tracker
     end
   end
 
+  def add_constant name, value, context = nil
+    @constants.add name, value, context
+  end
+
+  def constant_lookup name
+    @constants.get_literal name
+  end
+
   def index_call_sites
     finder = Brakeman::FindAllCalls.new self
 

data/lib/brakeman/tracker/constants.rb

@@ -0,0 +1,101 @@
+require 'brakeman/processors/output_processor'
+
+module Brakeman
+  class Constant
+    attr_reader :name, :file
+
+    def initialize name, value = nil, context = nil 
+      set_name name, context
+      @values = [ value ]
+      @context = context
+
+      if @context
+        @file = @context[:file]
+      end
+    end
+
+    def line
+      if @values.first.is_a? Sexp
+        @values.first.line
+      end
+    end
+
+    def set_name name, context
+      @name = Constants.constant_as_array(name)
+    end
+
+    def match? name
+      @name.reverse.zip(name.reverse).reduce(true) { |m, a| a[1] ? a[0] == a[1] && m : m }
+    end
+
+    def value
+      @values.reverse.reduce do |m, v|
+        Sexp.new(:or, v, m)
+      end
+    end
+
+    def add_value exp
+      unless @values.include? exp
+        @values << exp
+      end
+    end
+  end
+
+  class Constants
+    include Brakeman::Util
+
+    def initialize
+      @constants = []
+    end
+
+    def [] exp
+      return unless constant? exp
+      match = find_constant exp
+
+      if match
+        match.value
+      else
+        nil
+      end
+    end
+
+    def find_constant exp
+      name = Constants.constant_as_array(exp)
+      @constants.find do |c|
+        c.match? name
+      end
+    end
+
+    def add name, value, context = nil
+      if existing = self.find_constant(name)
+        existing.add_value value
+      else
+        @constants << Constant.new(name, value, context)
+      end
+    end
+
+    def get_literal name
+      if x = self[name] and [:lit, :false, :str, :true, :array, :hash].include? x.node_type
+        x
+      else
+        nil
+      end
+    end
+
+    def each &block
+      @constants.each &block
+    end
+
+    def self.constant_as_array exp
+      get_constant_name(exp).split('::')
+    end
+
+    def self.get_constant_name exp
+      if exp.is_a? Sexp
+        Brakeman::OutputProcessor.new.format(exp)
+      else
+        exp.to_s
+      end
+    end
+  end
+end

data/lib/brakeman/util.rb

@@ -254,6 +254,10 @@ module Brakeman::Util
     request_env? exp
   end
 
+  def constant? exp
+    node_type? exp, :const, :colon2, :colon3
+  end
+
   #Check if _exp_ is a Sexp.
   def sexp? exp
     exp.is_a? Sexp

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "3.2.1"
+  Version = "3.3.0"
 end

data/lib/brakeman/warning_codes.rb

@@ -102,6 +102,7 @@ module Brakeman::WarningCodes
     :CVE_2015_7579 => 98,
     :dynamic_render_path_rce => 99,
     :CVE_2015_7581 => 100,
+    :secret_in_source => 101,
   }
 
   def self.code name

data/lib/ruby_parser/bm_sexp.rb

@@ -326,6 +326,12 @@ class Sexp
     self[1]
   end
 
+  def condition= exp
+    expect :if
+    self[1] = exp
+  end
+
+
   #Returns 'then' clause of an if expression:
   #
   #    s(:if,

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-min
 version: !ruby/object:Gem::Version
-  version: 3.2.1
+  version: 3.3.0
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2016-02-25 00:00:00.000000000 Z
+date: 2016-05-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: test-unit
@@ -130,6 +130,7 @@ files:
 - lib/brakeman/checks/check_route_dos.rb
 - lib/brakeman/checks/check_safe_buffer_manipulation.rb
 - lib/brakeman/checks/check_sanitize_methods.rb
+- lib/brakeman/checks/check_secrets.rb
 - lib/brakeman/checks/check_select_tag.rb
 - lib/brakeman/checks/check_select_vulnerability.rb
 - lib/brakeman/checks/check_send.rb
@@ -220,6 +221,7 @@ files:
 - lib/brakeman/tracker.rb
 - lib/brakeman/tracker/collection.rb
 - lib/brakeman/tracker/config.rb
+- lib/brakeman/tracker/constants.rb
 - lib/brakeman/tracker/controller.rb
 - lib/brakeman/tracker/library.rb
 - lib/brakeman/tracker/model.rb
@@ -250,7 +252,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.8
+rubygems_version: 2.5.1
 signing_key: 
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.