brakeman-min 3.6.1 → 3.6.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 497251681e0e0b95455890dcb84702e9c0c09afd
-  data.tar.gz: cab61f8a9f3e05237cca4dbfdcffbfa653bb783f
+  metadata.gz: 1d173e8638d2bf363928ad49ee71c06616966193
+  data.tar.gz: 870f491e1cddeca8ea79a07bf7485132021e4326
 SHA512:
-  metadata.gz: d73d62718046e7105d7f201f8a507cae66ade13c06fdd87ee6c206cb1b492543a07603109ec304c5e88302523be05a081eeb80b56d63700a6aa20d7efe8bbc36
-  data.tar.gz: 8be6e0b5ba34326edbc10b3f0216c354d320c61faacf1e94c59ce48aff7d39486826622e94fab28ab82e0cfa8e95dc07d5c89075a82a01590e069038fee1d8c5
+  metadata.gz: 63a59f325b7e11e9bdf8e73cfd089154210048ea3699c016a0cc86ba68797e85d2512dde75666e534f966f4c4e8419c62ec8ae9be3e1b1c843c5b0a5f27970ac
+  data.tar.gz: b348ff285231ee409e06eff2be94de327af2d31991c89130a20890a371bc75323fd88986ae76314a68a07c1913caceb082df8724f8066403d7b28c00ab5280a5

data/CHANGES

@@ -1,3 +1,18 @@
+# 3.6.2
+
+* Handle safe call operator in checks
+* Better handling of `if` expressions in HAML rendering
+* Remove `--rake` option
+* Properly handle template names without `.html` or `.js`
+* Set template file names during rendering for better errors
+* Limit Slim dependency to before 3.0.8
+* Catch YAML parsing errors in session settings check
+* Avoid warning about SQLi with `to_s` in `exists?`
+* Update RubyParser to 3.9.0
+* Do not honor additional check paths in config by default
+* Handle empty `if` expressions when finding return values
+* Fix finding return value from empty `if`
+
 # 3.6.1
 
 * Fix error when using `--compare` (Sean Gransee)

data/bin/brakeman

@@ -28,9 +28,6 @@ elsif options[:show_help]
 elsif options[:show_version]
   puts "brakeman #{Brakeman::Version}"
   exit
-elsif options[:install_rake_task]
-  Brakeman.install_rake_task
-  exit
 end
 
 #Set application path according to the commandline arguments

data/lib/brakeman.rb

@@ -114,6 +114,14 @@ module Brakeman
         # After parsing the yaml config file for options, convert any string keys into symbols.
         options.keys.select {|k| k.is_a? String}.map {|k| k.to_sym }.each {|k| options[k] = options[k.to_s]; options.delete(k.to_s) }
 
+        unless line_options[:allow_check_paths_in_config]
+          if options.include? :additional_checks_path
+            options.delete :additional_checks_path
+
+            notify "[Notice] Ignoring additional check paths in config file. Use --allow-check-paths-in-config to allow" unless (options[:quiet] || quiet)
+          end
+        end
+
         # notify if options[:quiet] and quiet is nil||false
         notify "[Notice] Using configuration in #{config}" unless (options[:quiet] || quiet)
         options
@@ -269,43 +277,6 @@ module Brakeman
     end
   end
 
-  #Installs Rake task for running Brakeman,
-  #which basically means copying `lib/brakeman/brakeman.rake` to
-  #`lib/tasks/brakeman.rake` in the current Rails application.
-  def self.install_rake_task install_path = nil
-    if install_path
-      rake_path = File.join(install_path, "Rakefile")
-      task_path = File.join(install_path, "lib", "tasks", "brakeman.rake")
-    else
-      rake_path = "Rakefile"
-      task_path = File.join("lib", "tasks", "brakeman.rake")
-    end
-
-    if not File.exist? rake_path
-      raise RakeInstallError, "No Rakefile detected"
-    elsif File.exist? task_path
-      raise RakeInstallError, "Task already exists"
-    end
-
-    require 'fileutils'
-
-    if not File.exist? "lib/tasks"
-      notify "Creating lib/tasks"
-      FileUtils.mkdir_p "lib/tasks"
-    end
-
-    path = File.expand_path(File.dirname(__FILE__))
-
-    FileUtils.cp "#{path}/brakeman/brakeman.rake", task_path
-
-    if File.exist? task_path
-      notify "Task created in #{task_path}"
-      notify "Usage: rake brakeman:run[output_file]"
-    else
-      raise RakeInstallError, "Could not create task"
-    end
-  end
-
   #Output configuration to YAML
   def self.dump_config options
     require 'yaml'
@@ -534,7 +505,6 @@ module Brakeman
   end
 
   class DependencyError < RuntimeError; end
-  class RakeInstallError < RuntimeError; end
   class NoBrakemanError < RuntimeError; end
   class NoApplication < RuntimeError; end
   class MissingChecksError < RuntimeError; end

data/lib/brakeman/checks/base_check.rb

@@ -6,6 +6,7 @@ require 'brakeman/util'
 #Basis of vulnerability checks.
 class Brakeman::BaseCheck < Brakeman::SexpProcessor
   include Brakeman::ProcessorHelper
+  include Brakeman::SafeCallHelper
   include Brakeman::Util
   attr_reader :tracker, :warnings
 

data/lib/brakeman/checks/check_session_settings.rb

@@ -115,7 +115,13 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
       yaml = @app_tree.read secrets_file
       require 'date' # https://github.com/dtao/safe_yaml/issues/80
       require 'safe_yaml/load'
-      secrets = SafeYAML.load yaml
+      begin
+        secrets = SafeYAML.load yaml
+      rescue Psych::SyntaxError, RuntimeError => e
+        Brakeman.notify "[Notice] #{self.class}: Unable to parse `#{secrets_file}`"
+        Brakeman.debug "Failed to parse #{secrets_file}: #{e.inspect}"
+        return
+      end
 
       if secrets["production"] and secret = secrets["production"]["secret_key_base"]
         unless secret.include? "<%="

data/lib/brakeman/checks/check_sql.rb

@@ -164,7 +164,9 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     dangerous_value = case method
                       when :find
                         check_find_arguments call.second_arg
-                      when :exists?, :delete_all, :destroy_all
+                      when :exists?
+                        check_exists call.first_arg
+                      when :delete_all, :destroy_all
                         check_find_arguments call.first_arg
                       when :named_scope, :scope
                         check_scope_arguments call
@@ -633,6 +635,14 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     end
   end
 
+  def check_exists arg
+    if call? arg and arg.method == :to_s
+      false
+    else
+      check_find_arguments arg
+    end
+  end
+
   #Prior to Rails 2.1.1, the :offset and :limit parameters were not
   #escaping input properly.
   #

data/lib/brakeman/options.rb

@@ -280,6 +280,10 @@ module Brakeman::Options
           end
         end
 
+        opts.on "--allow-check-paths-in-config", "Allow loading checks from configuration file (Unsafe)" do
+          options[:allow_check_paths_in_config] = true
+        end
+
         opts.separator ""
 
         opts.on "-k", "--checks", "List all available vulnerability checks" do
@@ -290,10 +294,6 @@ module Brakeman::Options
           options[:list_optional_checks] = true
         end
 
-        opts.on "--rake", "Create rake task to run Brakeman" do
-          options[:install_rake_task] = true
-        end
-
         opts.on "-v", "--version", "Show Brakeman version" do
           options[:show_version] = true
         end

data/lib/brakeman/parsers/template_parser.rb

@@ -22,11 +22,11 @@ module Brakeman
         src = case type
               when :erb
                 type = :erubis if erubis?
-                parse_erb text
+                parse_erb path, text
               when :haml
-                parse_haml text
+                parse_haml path, text
               when :slim
-                parse_slim text
+                parse_slim path, text
               else
                 tracker.error "Unknown template type in #{path}"
                 nil
@@ -46,21 +46,21 @@ module Brakeman
       nil
     end
 
-    def parse_erb text
+    def parse_erb path, text
       if tracker.config.escape_html?
         if tracker.options[:rails3]
           require 'brakeman/parsers/rails3_erubis'
-          Brakeman::Rails3Erubis.new(text).src
+          Brakeman::Rails3Erubis.new(text, :filename => path).src
         else
           require 'brakeman/parsers/rails2_xss_plugin_erubis'
-          Brakeman::Rails2XSSPluginErubis.new(text).src
+          Brakeman::Rails2XSSPluginErubis.new(text, :filename => path).src
         end
       elsif tracker.config.erubis?
         require 'brakeman/parsers/rails2_erubis'
-        Brakeman::ScannerErubis.new(text).src
+        Brakeman::ScannerErubis.new(text, :filename => path).src
       else
         require 'erb'
-        src = ERB.new(text, nil, "-").src
+        src = ERB.new(text, nil, path).src
         src.sub!(/^#.*\n/, '') if Brakeman::Scanner::RUBY_1_9
         src
       end
@@ -71,25 +71,27 @@ module Brakeman
         tracker.config.erubis?
     end
 
-    def parse_haml text
+    def parse_haml path, text
       Brakeman.load_brakeman_dependency 'haml'
       Brakeman.load_brakeman_dependency 'sass'
 
       Haml::Engine.new(text,
+                       :filename => path,
                        :escape_html => tracker.config.escape_html?).precompiled.gsub(/([^\\])\\n/, '\1')
     end
 
-    def parse_slim text
+    def parse_slim path, text
       Brakeman.load_brakeman_dependency 'slim'
 
-      Slim::Template.new(:disable_capture => true,
+      Slim::Template.new(path,
+                         :disable_capture => true,
                          :generator => Temple::Generators::RailsOutputBuffer) { text }.precompiled_template
     end
 
     def self.parse_inline_erb tracker, text
       fp = Brakeman::FileParser.new(nil, nil)
       tp = self.new(tracker, fp)
-      src = tp.parse_erb text
+      src = tp.parse_erb '_inline_', text
       type = tp.erubis? ? :erubis : :erb
 
       return type, fp.parse_ruby(src, "_inline_")

data/lib/brakeman/processors/haml_template_processor.rb

@@ -170,6 +170,14 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
       exp
     when :block, :rlist, :dstr
       exp.map! { |e| get_pushed_value e }
+    when :if
+      clauses = [get_pushed_value(exp.then_clause), get_pushed_value(exp.else_clause)].compact
+
+      if clauses.length > 1
+        s(:or, *clauses)
+      else
+        clauses.first
+      end
     else
       if call? exp and exp.target == HAML_HELPERS and exp.method == :html_escape
         add_escaped_output exp.first_arg

data/lib/brakeman/processors/lib/find_return_value.rb

@@ -81,7 +81,9 @@ class Brakeman::FindReturnValue
       then_clause = exp.then_clause
       else_clause = exp.else_clause
 
-      if then_clause.nil?
+      if then_clause.nil? and else_clause.nil?
+        nil
+      elsif then_clause.nil?
         last_value else_clause
       elsif else_clause.nil?
         last_value then_clause

data/lib/brakeman/util.rb

@@ -429,7 +429,7 @@ module Brakeman::Util
   # views/test/something.html.erb -> test/something
   def template_path_to_name path
     names = path.split("/")
-    names.last.gsub!(/(\.(html|js)\..*|\.rhtml)$/, '')
+    names.last.gsub!(/(\.(html|js)\..*|\.(rhtml|haml|erb|slim))$/, '')
     names[(names.index("views") + 1)..-1].join("/").to_sym
   end
 

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "3.6.1"
+  Version = "3.6.2"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-min
 version: !ruby/object:Gem::Version
-  version: 3.6.1
+  version: 3.6.2
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2017-03-24 00:00:00.000000000 Z
+date: 2017-05-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -31,14 +31,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.8.3
+        version: 3.9.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.8.3
+        version: 3.9.0
 - !ruby/object:Gem::Dependency
   name: ruby2ruby
   requirement: !ruby/object:Gem::Requirement
@@ -82,7 +82,6 @@ files:
 - bin/brakeman
 - lib/brakeman.rb
 - lib/brakeman/app_tree.rb
-- lib/brakeman/brakeman.rake
 - lib/brakeman/call_index.rb
 - lib/brakeman/checks.rb
 - lib/brakeman/checks/base_check.rb

data/lib/brakeman/brakeman.rake

@@ -1,17 +0,0 @@
-namespace :brakeman do
-
-  desc "Run Brakeman"
-  task :run, :output_files do |t, args|
-    require 'brakeman'
-
-    files = args[:output_files].split(' ') if args[:output_files]
-    Brakeman.run :app_path => ".", :output_files => files, :print_report => true
-  end
-
-  desc "Check your code with Brakeman"
-  task :check do
-    require 'brakeman'
-    result = Brakeman.run app_path: '.', print_report: true
-    exit Brakeman::Warnings_Found_Exit_Code unless result.filtered_warnings.empty?
-  end
-end