brakeman-min 4.5.1 → 4.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7ccaea38ca4a79de01e6e3b0e0f680a47d975dfb0e1aeac3279747854f71a83e
-  data.tar.gz: 531cb396d3485562e62209cb391d712f938b2c1de1674627373013fd45a6c399
+  metadata.gz: 0f2916d8c800c2d3da1efe112dd1a4dd7fafd68bfc9c0d7c765f495ccec46522
+  data.tar.gz: 3ba195217e6e07fcbcfb59192e1820aa2d4b4d9703d62d8a07205413ce3c904b
 SHA512:
-  metadata.gz: b6177edcd4c59853afd48be4b2643af02c9a233f394b2f813c48cfdacf1614950e1147d9d77ea4921db807d6bab7300364e550ac6b0a8d12befa412f8940e679
-  data.tar.gz: 0157dc06a6be674931c395bf26d72d81deeecdc3bfda2d1cee24518d24165a494d0fe8c82aa23a45ad3ee0f15afc2d1e7029b4ecbbe8b77ef09d029c0036c92d
+  metadata.gz: e1e2cb39f056346a9c9a00a3d3d1afa2291037023396cb64b49681d5039acb0cd1e0f1a7175f88bccebaa8337be3c942a2283c2dd81cac536b4366d73d904d0a
+  data.tar.gz: 8c320ac49aca344b30cdfaf8a68d3909cb181c15cc40a38d5e0bbfeae6ec8de7a4ada8cf7d6e8f70a085e58240d7874cdc4e06f7c73fb0191e96d98bab0b35a5

data/CHANGES.md

@@ -1,3 +1,19 @@
+# 4.6.0
+
+* Skip calls to `dup`
+* Add reverse tabnabbing check (Linos Giannopoulos)
+* Better handling of gems with no version declared
+* Warn people that Haml 5 is not fully supported (Jared Beck)
+* Avoid warning about file access with `ActiveStorage::Filename#sanitized` (Tejas Bubane)
+* Update loofah version for fixing CVE-2018-8048 (Markus Nölle)
+* Restore `Warning#relative_path`
+* Add check for cookie serialization with Marshal
+* Index calls in initializers
+* Improve template output handling in conditional branches
+* Avoid assigning `nil` line numbers to `Sexp`s
+* Add special warning code for custom checks
+* Add call matching by regular expression
+
 # 4.5.1 
 
 * Add `Brakeman::FilePath` to represent file paths

data/README.md

@@ -1,7 +1,6 @@
 [![Brakeman Logo](http://brakemanscanner.org/images/logo_medium.png)](http://brakemanscanner.org/)
 
 [![Build Status](https://circleci.com/gh/presidentbeef/brakeman.svg?style=svg)](https://circleci.com/gh/presidentbeef/brakeman)
-[![Maintainability](https://api.codeclimate.com/v1/badges/1b08a5c74695cb0d11ec/maintainability)](https://codeclimate.com/github/presidentbeef/brakeman/maintainability)
 [![Test Coverage](https://api.codeclimate.com/v1/badges/1b08a5c74695cb0d11ec/test_coverage)](https://codeclimate.com/github/presidentbeef/brakeman/test_coverage)
 [![Gitter](https://badges.gitter.im/presidentbeef/brakeman.svg)](https://gitter.im/presidentbeef/brakeman)
 

data/lib/brakeman/call_index.rb

@@ -27,7 +27,7 @@ class Brakeman::CallIndex
     if options[:chained]
       return find_chain options
     #Find by narrowest category
-    elsif target and method and target.is_a? Array and method.is_a? Array
+    elsif target.is_a? Array and method.is_a? Array
       if target.length > method.length
         calls = filter_by_target calls_by_methods(method), target
       else
@@ -35,6 +35,12 @@ class Brakeman::CallIndex
         calls = filter_by_method calls, method
       end
 
+    elsif target.is_a? Regexp and method
+      calls = filter_by_target(calls_by_method(method), target)
+
+    elsif method.is_a? Regexp and target
+      calls = filter_by_method(calls_by_target(target), method)
+
     #Find by target, then by methods, if provided
     elsif target
       calls = calls_by_target target
@@ -85,6 +91,16 @@ class Brakeman::CallIndex
     end
   end
 
+  def remove_indexes_by_file file
+    [@calls_by_method, @calls_by_target].each do |calls_by|
+      calls_by.each do |_name, calls|
+        calls.delete_if do |call|
+          call[:location][:file] == file
+        end
+      end
+    end
+  end
+
   def index_calls calls
     calls.each do |call|
       @calls_by_method[call[:method]] ||= []
@@ -116,8 +132,11 @@ class Brakeman::CallIndex
   end
 
   def calls_by_target target
-    if target.is_a? Array
+    case target
+    when Array
       calls_by_targets target
+    when Regexp
+      calls_by_targets_regex target
     else
       @calls_by_target[target] || []
     end
@@ -133,10 +152,24 @@ class Brakeman::CallIndex
     calls
   end
 
+  def calls_by_targets_regex targets_regex
+    calls = []
+
+    @calls_by_target.each do |key, value|
+      case key
+      when String, Symbol
+        calls.concat value if key.match targets_regex
+      end
+    end
+
+    calls
+  end
+
   def calls_by_method method
-    if method.is_a? Array
+    case method
+    when Array
       calls_by_methods method
-    elsif method.is_a? Regexp
+    when Regexp
       calls_by_methods_regex method
     else
       @calls_by_method[method.to_sym] || []
@@ -156,26 +189,28 @@ class Brakeman::CallIndex
 
   def calls_by_methods_regex methods_regex
     calls = []
+
     @calls_by_method.each do |key, value|
-      calls.concat value if key.to_s.match methods_regex
+      calls.concat value if key.match methods_regex
     end
-    calls
-  end
 
-  def calls_with_no_target
-    @calls_by_target[nil]
+    calls
   end
 
   def filter calls, key, value
-    if value.is_a? Array
+    case value
+    when Array
       values = Set.new value
 
       calls.select do |call|
         values.include? call[key]
       end
-    elsif value.is_a? Regexp
+    when Regexp
       calls.select do |call|
-        call[key].to_s.match value
+        case call[key]
+        when String, Symbol
+          call[key].match value
+        end
       end
     else
       calls.select do |call|
@@ -197,15 +232,19 @@ class Brakeman::CallIndex
   end
 
   def filter_by_chain calls, target
-    if target.is_a? Array
+    case target
+    when Array
       targets = Set.new target
 
       calls.select do |call|
         targets.include? call[:chain].first
       end
-    elsif target.is_a? Regexp
+    when Regexp
       calls.select do |call|
-        call[:chain].first.to_s.match target
+        case call[:chain].first
+        when String, Symbol
+          call[:chain].first.match target
+        end
       end
     else
       calls.select do |call|

data/lib/brakeman/checks/base_check.rb

@@ -44,19 +44,9 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   end
 
   #Add result to result list, which is used to check for duplicates
-  def add_result result, location = nil
-    location ||= (@current_template && @current_template.name) || @current_class || @current_module || @current_set || result[:location][:class] || result[:location][:template]
-    location = location[:name] if location.is_a? Hash
-    location = location.name if location.is_a? Brakeman::Collection
-    location = location.to_sym
-
-    if result.is_a? Hash
-      line = result[:call].original_line || result[:call].line
-    elsif sexp? result
-      line = result.original_line || result.line
-    else
-      raise ArgumentError
-    end
+  def add_result result
+    location = get_location result
+    location, line = get_location result
 
     @results << [line, location, result]
   end
@@ -170,8 +160,9 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       @mass_assign_disabled = true
     else
       #Check for ActiveRecord::Base.send(:attr_accessible, nil)
-      tracker.check_initializers(:"ActiveRecord::Base", :attr_accessible).each do |result|
-        call = result.call
+      tracker.find_call(target: :"ActiveRecord::Base", method: :attr_accessible).each do |result|
+        call = result[:call]
+
         if call? call
           if call.first_arg == Sexp.new(:nil)
             @mass_assign_disabled = true
@@ -180,26 +171,12 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
         end
       end
 
-      unless @mass_assign_disabled
-        tracker.check_initializers(:"ActiveRecord::Base", :send).each do |result|
-          call = result.call
-          if call? call
-            if call.first_arg == Sexp.new(:lit, :attr_accessible) and call.second_arg == Sexp.new(:nil)
-              @mass_assign_disabled = true
-              break
-            end
-          end
-        end
-      end
-
       unless @mass_assign_disabled
         #Check for
         #  class ActiveRecord::Base
         #    attr_accessible nil
         #  end
-        matches = tracker.check_initializers([], :attr_accessible)
-
-        matches.each do |result|
+        tracker.check_initializers([], :attr_accessible).each do |result|
           if result.module == "ActiveRecord" and result.result_class == :Base
             arg = result.call.first_arg
 
@@ -227,10 +204,8 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       end
 
       unless @mass_assign_disabled
-        matches = tracker.check_initializers(:"ActiveRecord::Base", [:send, :include])
-
-        matches.each do |result|
-          call = result.call
+        tracker.find_call(target: :"ActiveRecord::Base", method: [:send, :include]).each do |result|
+          call = result[:call]
           if call? call and (call.first_arg == forbidden_protection or call.second_arg == forbidden_protection)
             @mass_assign_disabled = true
           end
@@ -250,6 +225,22 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   #This is to avoid reporting duplicates. Checks if the result has been
   #reported already from the same line number.
   def duplicate? result, location = nil
+    location, line = get_location result
+
+    @results.each do |r|
+      if r[0] == line and r[1] == location
+        if tracker.options[:combine_locations]
+          return true
+        elsif r[2] == result
+          return true
+        end
+      end
+    end
+
+    false
+  end
+
+  def get_location result
     if result.is_a? Hash
       line = result[:call].original_line || result[:call].line
     elsif sexp? result
@@ -258,23 +249,13 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       raise ArgumentError
     end
 
-    location ||= (@current_template && @current_template.name) || @current_class || @current_module || @current_set || result[:location][:class] || result[:location][:template]
+    location ||= (@current_template && @current_template.name) || @current_class || @current_module || @current_set || result[:location][:class] || result[:location][:template] || result[:location][:file].to_s
 
     location = location[:name] if location.is_a? Hash
     location = location.name if location.is_a? Brakeman::Collection
     location = location.to_sym
 
-    @results.each do |r|
-      if r[0] == line and r[1] == location
-        if tracker.options[:combine_locations]
-          return true
-        elsif r[2] == result
-          return true
-        end
-      end
-    end
-
-    false
+    return location, line
   end
 
   #Checks if an expression contains string interpolation.

data/lib/brakeman/checks/check_cookie_serialization.rb

@@ -0,0 +1,22 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckCookieSerialization < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Check for use of Marshal for cookie serialization"
+
+  def run_check
+    tracker.find_call(target: :'Rails.application.config.action_dispatch', method: :cookies_serializer=).each do |result|
+      setting = result[:call].first_arg
+
+      if symbol? setting and setting.value == :marshal or setting.value == :hybrid
+        warn :result => result,
+          :warning_type => "Remote Code Execution",
+          :warning_code => :unsafe_cookie_serialization,
+          :message => msg("Use of unsafe cookie serialization strategy ", msg_code(setting.value.inspect), " might lead to remote code execution"),
+          :confidence => :medium,
+          :link_path => "unsafe_deserialization"
+      end
+    end
+  end
+end

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -316,11 +316,11 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
     end
 
     json_escape_on = false
-    initializers = tracker.check_initializers :ActiveSupport, :escape_html_entities_in_json=
-    initializers.each {|result| json_escape_on = true?(result.call.first_arg) }
+    initializers = tracker.find_call(target: :ActiveSupport, method: :escape_html_entities_in_json=)
+    initializers.each {|result| json_escape_on = true?(result[:call].first_arg) }
 
     if tracker.config.escape_html_entities_in_json?
-        json_escape_on = true
+      json_escape_on = true
     elsif version_between? "4.0.0", "9.9.9"
       json_escape_on = true
     end

data/lib/brakeman/checks/check_deserialize.rb

@@ -80,13 +80,10 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
   def oj_safe_default?
     safe_default = false
 
-    # TODO: Can we just index initializers already??
-    if tracker.check_initializers(:Oj, :mimic_JSON).any?
+    if tracker.find_call(target: :Oj, method: :mimic_JSON).any?
       safe_default = true
-    end
-
-    if result = tracker.check_initializers(:Oj, :default_options=).first
-      options = result.call.first_arg
+    elsif result = tracker.find_call(target: :Oj, method: :default_options=).first
+      options = result[:call].first_arg
 
       if oj_safe_mode? options
         safe_default = true

data/lib/brakeman/checks/check_file_access.rb

@@ -32,7 +32,7 @@ class Brakeman::CheckFileAccess < Brakeman::BaseCheck
 
     file_name = call.first_arg
 
-    return if called_on_tempfile?(file_name)
+    return if called_on_tempfile?(file_name) || sanitized?(file_name)
 
     if match = has_immediate_user_input?(file_name)
       confidence = :high
@@ -71,6 +71,12 @@ class Brakeman::CheckFileAccess < Brakeman::BaseCheck
     call?(file_name) && file_name.target == s(:const, :Tempfile)
   end
 
+  def sanitized? file
+    call?(file) &&
+      call?(file.target) &&
+      class_name(file.target.target) == :"ActiveStorage::Filename"
+  end
+
   def temp_file_method? exp
     if call? exp
       return true if exp.call_chain.include? :tempfile

data/lib/brakeman/checks/check_header_dos.rb

@@ -25,7 +25,7 @@ class Brakeman::CheckHeaderDoS < Brakeman::BaseCheck
   end
 
   def has_workaround?
-    tracker.check_initializers(:ActiveSupport, :on_load).any? and
-    tracker.check_initializers(:"ActionView::LookupContext::DetailsKey", :class_eval).any?
+    tracker.find_call(target: :ActiveSupport, method: :on_load).any? and
+      tracker.find_call(target: :"ActionView::LookupContext::DetailsKey", method: :class_eval).any?
   end
 end

data/lib/brakeman/checks/check_i18n_xss.rb

@@ -41,8 +41,8 @@ class Brakeman::CheckI18nXSS < Brakeman::BaseCheck
   end
 
   def has_workaround?
-    tracker.check_initializers(:I18n, :const_defined?).any? do |match|
-      match.last.first_arg == s(:lit, :MissingTranslation)
+    tracker.find_call(target: :I18n, method: :const_defined?, chained: true).any? do |match|
+      match[:call].first_arg == s(:lit, :MissingTranslation)
     end
   end
 end

data/lib/brakeman/checks/check_jruby_xml.rb

@@ -20,8 +20,8 @@ class Brakeman::CheckJRubyXML < Brakeman::BaseCheck
       end
 
     #Check for workaround
-    tracker.check_initializers(:"ActiveSupport::XmlMini", :backend=).each do |result|
-      arg = result.call.first_arg
+    tracker.find_call(target: :"ActiveSupport::XmlMini", method: :backend=, chained: true).each do |result|
+      arg = result[:call].first_arg
 
       return if string? arg and arg.value == "REXML"
     end

data/lib/brakeman/checks/check_json_parsing.rb

@@ -44,13 +44,13 @@ class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
 
   #Check for `ActiveSupport::JSON.backend = "JSONGem"`
   def uses_gem_backend?
-    matches = tracker.check_initializers(:'ActiveSupport::JSON', :backend=)
+    matches = tracker.find_call(target: :'ActiveSupport::JSON', method: :backend=, chained: true)
 
     unless matches.empty?
       json_gem = s(:str, "JSONGem")
 
       matches.each do |result|
-        if result.call.first_arg == json_gem
+        if result[:call].first_arg == json_gem
           return true
         end
       end

data/lib/brakeman/checks/check_mime_type_dos.rb

@@ -30,8 +30,8 @@ class Brakeman::CheckMimeTypeDoS < Brakeman::BaseCheck
   end
 
   def has_workaround?
-    tracker.check_initializers(:Mime, :const_set).any? do |match|
-      arg = match.call.first_arg
+    tracker.find_call(target: :Mime, method: :const_set).any? do |match|
+      arg = match[:call].first_arg
 
       symbol? arg and arg.value == :LOOKUP
     end

data/lib/brakeman/checks/check_nested_attributes_bypass.rb

@@ -53,6 +53,6 @@ class Brakeman::CheckNestedAttributesBypass < Brakeman::BaseCheck
   end
 
   def workaround?
-    tracker.check_initializers([], :will_be_destroyed?).any?
+    tracker.find_call(method: :will_be_destroyed?).any?
   end
 end

data/lib/brakeman/checks/check_reverse_tabnabbing.rb

@@ -0,0 +1,54 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckReverseTabnabbing < Brakeman::BaseCheck
+  Brakeman::Checks.add_optional self
+
+  @description = "Checks for reverse tabnabbing cases on 'link_to' calls"
+
+  def run_check
+    calls = tracker.find_call :methods => :link_to
+    calls.each do |call|
+      process_result call
+    end
+  end
+
+  def process_result result
+    return unless original? result and result[:call].last_arg
+
+    html_opts = result[:call].last_arg
+    return unless hash? html_opts
+
+    target = hash_access html_opts, :target
+    return unless target && string?(target) && target.value == "_blank"
+
+    target_url = result[:block] ? result[:call].first_arg : result[:call].second_arg
+
+    # `url_for` and `_path` calls lead to urls on to the same origin.
+    # That means that an adversary would need to run javascript on
+    # the victim application's domain. If that is the case, the adversary
+    # already has the ability to redirect the victim user anywhere.
+    # Also statically provided URLs (interpolated or otherwise) are also
+    # ignored as they produce many false positives.
+    return if !call?(target_url) || target_url.method.match(/^url_for$|_path$/)
+
+    rel = hash_access html_opts, :rel
+    confidence = :medium
+
+    if rel && string?(rel) then
+      rel_opt = rel.value
+      return if rel_opt.include?("noopener") && rel_opt.include?("noreferrer")
+
+      if rel_opt.include?("noopener") ^ rel_opt.include?("noreferrer") then
+        confidence = :weak
+      end
+    end
+
+    warn :result => result,
+      :warning_type => "Reverse Tabnabbing",
+      :warning_code => :reverse_tabnabbing,
+      :message => msg("When opening a link in a new tab without setting ", msg_code('rel: "noopener noreferr"'),
+                      ", the new tab can control the parent tab's location. For example, an attacker could redirect to a phishing page."),
+      :confidence => confidence,
+      :user_input => rel
+  end
+end

data/lib/brakeman/checks/check_sanitize_methods.rb

@@ -70,7 +70,7 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
 
   def check_cve_2018_8048
     if loofah_vulnerable_cve_2018_8048?
-      message = msg(msg_version(tracker.config.gem_version(:loofah), "loofah gem"), " is vulnerable (CVE-2018-8048). Upgrade to 2.1.2")
+      message = msg(msg_version(tracker.config.gem_version(:loofah), "loofah gem"), " is vulnerable (CVE-2018-8048). Upgrade to 2.2.1")
 
       if tracker.find_call(:target => false, :method => :sanitize).any?
         confidence = :high
@@ -90,7 +90,7 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
   def loofah_vulnerable_cve_2018_8048?
     loofah_version = tracker.config.gem_version(:loofah)
 
-    loofah_version and loofah_version < "2.1.2"
+    loofah_version and loofah_version < "2.2.1"
   end
 
   def warn_sanitizer_cve cve, link, upgrade_version

data/lib/brakeman/checks/check_session_settings.rb

@@ -21,8 +21,11 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
 
     check_for_issues settings, @app_tree.file_path("config/environment.rb")
 
-    ["session_store.rb", "secret_token.rb"].each do |file|
-      if tracker.initializers[file] and not ignored? file
+    session_store = @app_tree.file_path("config/initializers/session_store.rb")
+    secret_token = @app_tree.file_path("config/initializers/secret_token.rb")
+
+    [session_store, secret_token].each do |file|
+      if tracker.initializers[file] and not ignored? file.basename
         process tracker.initializers[file]
       end
     end

data/lib/brakeman/checks/check_xml_dos.rb

@@ -34,8 +34,8 @@ class Brakeman::CheckXMLDoS < Brakeman::BaseCheck
   end
 
   def has_workaround?
-    tracker.check_initializers(:"ActiveSupport::XmlMini", :backend=).any? do |match|
-      arg = match.call.first_arg
+    tracker.find_call(target: :"ActiveSupport::XmlMini", method: :backend=).any? do |match|
+      arg = match[:call].first_arg
       if string? arg
         value = arg.value
         value == 'Nokogiri' or value == 'LibXML'

data/lib/brakeman/checks/check_yaml_parsing.rb

@@ -48,21 +48,17 @@ class Brakeman::CheckYAMLParsing < Brakeman::BaseCheck
   def disabled_xml_parser?
     if version_between? "0.0.0", "2.3.14"
       #Look for ActionController::Base.param_parsers.delete(Mime::XML)
-      params_parser = s(:call,
-                        s(:colon2, s(:const, :ActionController), :Base),
-                        :param_parsers)
-
-      matches = tracker.check_initializers(params_parser, :delete)
+      matches = tracker.find_call(target: :"ActionController::Base.param_parsers", method: :delete)
     else
       #Look for ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML)
-      matches = tracker.check_initializers(:"ActionDispatch::ParamsParser::DEFAULT_PARSERS", :delete)
+      matches = tracker.find_call(target: :"ActionDispatch::ParamsParser::DEFAULT_PARSERS", method: :delete)
     end
 
     unless matches.empty?
       mime_xml = s(:colon2, s(:const, :Mime), :XML)
 
       matches.each do |result|
-        if result.call.first_arg == mime_xml
+        if result[:call].first_arg == mime_xml
           return true
         end
       end
@@ -74,18 +70,14 @@ class Brakeman::CheckYAMLParsing < Brakeman::BaseCheck
   #Look for ActionController::Base.param_parsers[Mime::YAML] = :yaml
   #in Rails 2.x apps
   def enabled_yaml_parser?
-    param_parsers = s(:call,
-                      s(:colon2, s(:const, :ActionController), :Base),
-                      :param_parsers)
-
-    matches = tracker.check_initializers(param_parsers, :[]=)
+    matches = tracker.find_call(target: :'ActionController::Base.param_parsers', method: :[]=)
 
     mime_yaml = s(:colon2, s(:const, :Mime), :YAML)
 
     matches.each do |result|
-      if result.call.first_arg == mime_yaml and
-        symbol? result.call.second_arg and
-        result.call.second_arg.value == :yaml
+      if result[:call].first_arg == mime_yaml and
+        symbol? result[:call].second_arg and
+        result[:call].second_arg.value == :yaml
 
         return true
       end
@@ -96,16 +88,16 @@ class Brakeman::CheckYAMLParsing < Brakeman::BaseCheck
 
   def disabled_xml_dangerous_types?
     if version_between? "0.0.0", "2.3.14"
-      matches = tracker.check_initializers(:"ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING", :delete)
+      matches = tracker.find_call(target: :"ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING", method: :delete)
     else
-      matches = tracker.check_initializers(:"ActiveSupport::XmlMini::PARSING", :delete)
+      matches = tracker.find_call(target: :"ActiveSupport::XmlMini::PARSING", method: :delete)
     end
 
     symbols_off = false
     yaml_off = false
 
     matches.each do |result|
-      arg = result.call.first_arg
+      arg = result[:call].first_arg
 
       if string? arg
         if arg.value == "yaml"

data/lib/brakeman/file_parser.rb

@@ -33,17 +33,13 @@ module Brakeman
       end
     end
 
-    def parse_ruby input, path, parser = RubyParser.new
+    def parse_ruby input, path
       begin
         Brakeman.debug "Parsing #{path}"
-        parser.parse input, path, @timeout
+        RubyParser.new.parse input, path, @timeout
       rescue Racc::ParseError => e
-        if parser.class == RubyParser
-          return parse_ruby(input, path, RubyParser.latest)
-        else
-          @tracker.error e, "Could not parse #{path}"
-          nil
-        end
+        @tracker.error e, "Could not parse #{path}"
+        nil
       rescue Timeout::Error => e
         @tracker.error Exception.new("Parsing #{path} took too long (> #{@timeout} seconds). Try increasing the limit with --parser-timeout"), caller
         nil

data/lib/brakeman/file_path.rb

@@ -35,6 +35,11 @@ module Brakeman
       @relative = relative_path
     end
 
+    # Just the file name, no path
+    def basename
+      @basename ||= File.basename(self.relative)
+    end
+
     # Read file from absolute path.
     def read
       File.read self.absolute
@@ -67,5 +72,14 @@ module Brakeman
     def to_s
       self.to_str
     end
+
+    def hash
+      @hash ||= [@absolute, @relative].hash
+    end
+
+    def eql? rhs
+      @absolute == rhs.absolute and
+        @relative == rhs.relative
+    end
   end
 end

data/lib/brakeman/processor.rb

@@ -90,7 +90,7 @@ module Brakeman
     def process_initializer file_name, src
       res = BaseProcessor.new(@tracker).process_file src, file_name
       res = AliasProcessor.new(@tracker).process_safely res, nil, file_name
-      @tracker.initializers[Pathname.new(file_name).basename.to_s] = res
+      @tracker.initializers[file_name] = res
     end
 
     #Process source for a library file

data/lib/brakeman/processors/alias_processor.rb

@@ -265,6 +265,10 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       unless target.nil?
         exp = target
       end
+    when :dup
+      unless target.nil?
+        exp = target
+      end
     when :join
       if array? target and target.length > 2 and (string? first_arg or first_arg.nil?)
         exp = process_array_join(target, first_arg)
@@ -602,7 +606,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     if node_type? exp, :hash
       if exp.any? { |e| node_type? e, :kwsplat and node_type? e.value, :hash }
         kwsplats, rest = exp.partition { |e| node_type? e, :kwsplat and node_type? e.value, :hash }
-        exp = Sexp.new.concat(rest).line(exp)
+        exp = Sexp.new.concat(rest).line(exp.line)
 
         kwsplats.each do |e|
           exp = process_hash_merge! exp, e.value

data/lib/brakeman/processors/controller_processor.rb

@@ -192,8 +192,8 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
 
     filter_name = ("fake_filter" + rand.to_s[/\d+$/]).to_sym
     args = exp.block_call.arglist
-    args.insert(1, Sexp.new(:lit, filter_name))
-    before_filter_call = make_call(nil, :before_filter, args)
+    args.insert(1, Sexp.new(:lit, filter_name).line(exp.line))
+    before_filter_call = make_call(nil, :before_filter, args).line(exp.line)
 
     if exp.block_args.length > 1
       block_variable = exp.block_args[1]
@@ -210,9 +210,9 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     #Build Sexp for filter method
     body = Sexp.new(:lasgn,
                     block_variable,
-                    Sexp.new(:call, Sexp.new(:const, @current_class.name), :new))
+                    Sexp.new(:call, Sexp.new(:const, @current_class.name).line(exp.line), :new).line(exp.line)).line(exp.line)
 
-    filter_method = Sexp.new(:defn, filter_name, Sexp.new(:args), body).concat(block_inner).line(exp.line)
+    filter_method = Sexp.new(:defn, filter_name, Sexp.new(:args).line(exp.line), body).concat(block_inner).line(exp.line)
 
     vis = @visibility
     @visibility = :private

data/lib/brakeman/processors/gem_processor.rb

@@ -29,6 +29,14 @@ class Brakeman::GemProcessor < Brakeman::BasicProcessor
     @tracker.config.set_rails_version
   end
 
+  # Known issue: Brakeman does not yet support `gem` calls with multiple
+  # "version requirements". Consider the following example from the ruby docs:
+  #
+  #     gem 'rake', '>= 1.1.a', '< 2'
+  #
+  # We are assuming that `second_arg` (eg. '>= 1.1.a') is the only requirement.
+  # Perhaps we should instantiate an array of `::Gem::Requirement`s or even a
+  # `::Gem::Dependency` and pass that to `Tracker::Config#add_gem`?
   def process_call exp
     if exp.target == nil
       if exp.method == :gem
@@ -51,8 +59,8 @@ class Brakeman::GemProcessor < Brakeman::BasicProcessor
         end
       end
     elsif @inside_gemspec and exp.method == :add_dependency
-      if string? exp.first_arg and string? exp.last_arg
-        @tracker.config.add_gem exp.first_arg.value, exp.last_arg.value, @gemspec, exp.line
+      if string? exp.first_arg and string? exp.second_arg
+        @tracker.config.add_gem exp.first_arg.value, exp.second_arg.value, @gemspec, exp.line
       end
     end
 

data/lib/brakeman/processors/haml_template_processor.rb

@@ -179,7 +179,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
       clauses = [get_pushed_value(exp.then_clause), get_pushed_value(exp.else_clause)].compact
 
       if clauses.length > 1
-        s(:or, *clauses)
+        s(:or, *clauses).line(exp.line)
       else
         clauses.first
       end

data/lib/brakeman/processors/lib/find_all_calls.rb

@@ -5,9 +5,9 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
 
   def initialize tracker
     super
-    @current_class = nil
-    @current_method = nil
+
     @in_target = false
+    @processing_class = false
     @calls = []
     @cache = {}
   end
@@ -23,10 +23,33 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
     process exp
   end
 
+  #For whatever reason, originally the indexing of calls
+  #was performed on individual method bodies (see process_defn).
+  #This method explicitly indexes all calls everywhere given any
+  #source.
+  def process_all_source exp, opts
+    @processing_class = true
+    process_source exp, opts
+  ensure
+    @processing_class = false
+  end
+
   #Process body of method
   def process_defn exp
-    return exp unless @current_method
-    process_all exp.body
+    return exp unless @current_method or @processing_class
+
+    # 'Normal' processing assumes the method name was given
+    # as an option to `process_source` but for `process_all_source`
+    # we don't want to do that.
+    if @current_method.nil?
+      @current_method = exp.method_name
+      process_all exp.body
+      @current_method = nil
+    else
+      process_all exp.body
+    end
+
+    exp
   end
 
   alias process_defs process_defn

data/lib/brakeman/processors/lib/find_call.rb

@@ -33,14 +33,13 @@ require 'brakeman/processors/lib/basic_processor'
 # FindCall.new nil, /^g?sub!?$/
 class Brakeman::FindCall < Brakeman::BasicProcessor
 
-  def initialize targets, methods, tracker, in_depth = false
+  def initialize targets, methods, tracker
     super tracker
     @calls = []
     @find_targets = targets
     @find_methods = methods
     @current_class = nil
     @current_method = nil
-    @in_depth = in_depth
   end
 
   #Returns a list of results.
@@ -48,10 +47,6 @@ class Brakeman::FindCall < Brakeman::BasicProcessor
   #A result looks like:
   #
   # s(:result, :ClassName, :method_name, s(:call, ...))
-  #
-  #or
-  #
-  # s(:result, :template_name, s(:call, ...))
   def matches
     @calls
   end
@@ -60,10 +55,7 @@ class Brakeman::FindCall < Brakeman::BasicProcessor
   #or the template. These names are used when reporting results.
   #
   #Use FindCall#matches to retrieve results.
-  def process_source exp, klass = nil, method = nil, template = nil
-    @current_class = klass
-    @current_method = method
-    @current_template = template
+  def process_source exp
     process exp
   end
 
@@ -74,11 +66,6 @@ class Brakeman::FindCall < Brakeman::BasicProcessor
 
   alias :process_defs :process_defn
 
-  #Process body of block
-  def process_rlist exp
-    process_all exp
-  end
-
   #Look for matching calls and add them to results
   def process_call exp
     target = get_target exp.target
@@ -87,25 +74,9 @@ class Brakeman::FindCall < Brakeman::BasicProcessor
     process_call_args exp
 
     if match(@find_targets, target) and match(@find_methods, method)
-
-      if @current_template
-        @calls << Sexp.new(:result, @current_template, exp).line(exp.line)
-      else
-        @calls << Sexp.new(:result, @current_module, @current_class, @current_method, exp).line(exp.line)
-      end
-
+      @calls << Sexp.new(:result, @current_module, @current_class, @current_method, exp).line(exp.line)
     end
     
-    #Normally FindCall won't match a method invocation that is the target of
-    #another call, such as:
-    #
-    #  User.find(:first, :conditions => "user = '#{params['user']}').name
-    #
-    #A search for User.find will not match this unless @in_depth is true.
-    if @in_depth and call? exp.target
-      process exp.target
-    end
-
     exp
   end
 
@@ -123,8 +94,6 @@ class Brakeman::FindCall < Brakeman::BasicProcessor
       case exp.node_type
       when :ivar, :lvar, :const, :lit
         exp.value
-      when :true, :false
-        exp.node_type
       when :colon2
         class_name exp
       else
@@ -141,43 +110,13 @@ class Brakeman::FindCall < Brakeman::BasicProcessor
     when Symbol
       if search_terms == item
         true
-      elsif sexp? item
-        is_instance_of? item, search_terms
       else
         false
       end
-    when Sexp
-      search_terms == item
     when Enumerable
       if search_terms.empty?
         item == nil
-      else
-        search_terms.each do|term|
-          if match(term, item)
-            return true
-          end
-        end
-        false
       end
-    when Regexp
-      search_terms.match item.to_s
-    when nil
-      true
-    else
-      raise "Cannot match #{search_terms} and #{item}"
-    end
-  end
-
-  #Checks if +item+ is an instance of +klass+ by looking for Klass.new
-  def is_instance_of? item, klass
-    if call? item
-      if sexp? item.target
-        item.method == :new and item.target.node_type == :const and item.target.value == klass
-      else
-        item.method == :new and item.target == klass
-      end
-    else
-      false
     end
   end
 end

data/lib/brakeman/processors/template_processor.rb

@@ -61,9 +61,9 @@ class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
       branches = [arg.then_clause, arg.else_clause].compact
 
       if branches.empty?
-        s(:nil)
+        s(:nil).line(arg.line)
       elsif branches.length == 2
-        Sexp.new(:or, *branches)
+        Sexp.new(:or, *branches).line(arg.line)
       else
         branches.first
       end
@@ -77,9 +77,13 @@ class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
   end
 
   def add_output output, type = :output
-    s = Sexp.new(type, output)
-    s.line(output.line)
-    @current_template.add_output s
-    s
+    if node_type? output, :or
+      Sexp.new(:or, add_output(output.lhs, type), add_output(output.rhs, type)).line(output.line)
+    else
+      s = Sexp.new(type, output)
+      s.line(output.line)
+      @current_template.add_output s
+      s
+    end
   end
 end

data/lib/brakeman/rescanner.rb

@@ -226,9 +226,13 @@ class Brakeman::Rescanner < Brakeman::Scanner
   end
 
   def rescan_initializer path
+    tracker.reset_initializer path
+
     parse_ruby_files([path]).each do |astfile|
       process_initializer astfile
     end
+
+    @reindex << :initializers
   end
 
   #Handle rescanning when a file is deleted

data/lib/brakeman/tracker.rb

@@ -227,6 +227,10 @@ class Brakeman::Tracker
       finder.process_source template.src, :template => template, :file => template.file
     end
 
+    self.initializers.each do |file_name, src|
+      finder.process_all_source src, :file => file_name
+    end
+
     @call_index = Brakeman::CallIndex.new finder.calls
   end
 
@@ -237,8 +241,8 @@ class Brakeman::Tracker
   #
   #This will limit reindexing to the given sets
   def reindex_call_sites locations
-    #If reindexing templates, models, and controllers, just redo
-    #everything
+    #If reindexing templates, models, controllers,
+    #just redo everything.
     if locations.length == 3
       return index_call_sites
     end
@@ -260,6 +264,12 @@ class Brakeman::Tracker
       method_sets << self.controllers
     end
 
+    if locations.include? :initializers
+      self.initializers.each do |file_name, src|
+        @call_index.remove_indexes_by_file file_name
+      end
+    end
+
     @call_index.remove_indexes_by_class classes_to_reindex
 
     finder = Brakeman::FindAllCalls.new self
@@ -279,6 +289,12 @@ class Brakeman::Tracker
       end
     end
 
+    if locations.include? :initializers
+      self.initializers.each do |file_name, src|
+        finder.process_all_source src, :file => file_name
+      end
+    end
+
     @call_index.index_calls finder.calls
   end
 
@@ -363,4 +379,12 @@ class Brakeman::Tracker
   def reset_routes
     @routes = {}
   end
+
+  def reset_initializer path
+    @initializers.delete_if do |file, src|
+      path.relative.include? file
+    end
+
+    @call_index.remove_indexes_by_file path
+  end
 end

data/lib/brakeman/tracker/config.rb

@@ -19,16 +19,9 @@ module Brakeman
       @ruby_version = ""
     end
 
-    def allow_forgery_protection?
-      @rails[:action_controller] and
-        @rails[:action_controller][:allow_forgery_protection] == Sexp.new(:false)
-    end
-
     def default_protect_from_forgery?
       if version_between? "5.2.0", "9.9.9"
-        if @rails[:action_controller] and
-            @rails[:action_controller][:default_protect_from_forgery] == Sexp.new(:false)
-
+        if @rails.dig(:action_controller, :default_protect_from_forgery) == Sexp.new(:false)
           return false
         else
           return true
@@ -48,17 +41,15 @@ module Brakeman
 
     def escape_html_entities_in_json?
       #TODO add version-specific information here
-      @rails[:active_support] and
-        true? @rails[:active_support][:escape_html_entities_in_json]
+      true? @rails.dig(:active_support, :escape_html_entities_in_json)
     end
 
     def whitelist_attributes?
-      @rails[:active_record] and
-        @rails[:active_record][:whitelist_attributes] == Sexp.new(:true)
+      @rails.dig(:active_record, :whitelist_attributes) == Sexp.new(:true)
     end
 
     def gem_version name
-      @gems[name] and @gems[name][:version]
+      @gems.dig(name, :version)
     end
 
     def add_gem name, version, file, line
@@ -111,6 +102,8 @@ module Brakeman
         @escape_html = true
         Brakeman.notify "[Notice] Escaping HTML by default"
       end
+
+      check_haml_version
     end
 
     def set_ruby_version version
@@ -152,12 +145,26 @@ module Brakeman
     end
 
     def session_settings
-      @rails[:action_controller] &&
-        @rails[:action_controller][:session]
+      @rails.dig(:action_controller, :session)
     end
 
     private
 
+    # Brakeman does not support Haml 5 yet.
+    # (https://github.com/presidentbeef/brakeman/issues/1370) Fortunately, Haml
+    # 5 doesn't add much new syntax, and brakeman (which uses the haml 4 parser)
+    # will parse most Haml 5 files without errors. Therefore, we only print a
+    # warning here, instead of raising an error.
+    def check_haml_version
+      return if supported_haml_version?
+      Brakeman.notify <<~EOS
+        Brakeman does not fully support Haml 5 yet. Your Gemfile (or gemspec)
+        allows Haml 5. Brakeman uses the Haml 4 parser and thus may produce
+        errors when parsing Haml 5 syntax. If Brakeman encounters such an error,
+        it will be unable to scan that file.
+      EOS
+    end
+
     def convert_version_number value
       if value.match(/\A\d+\z/)
         value.to_i
@@ -174,6 +181,23 @@ module Brakeman
       end
     end
 
+    # Brakeman does not support Haml 5 yet. See `check_haml_version`.
+    #
+    # This method is messy because all we have is a version `Requirement` (like
+    # `~> 5.0.3`, or `> 4.99`) The only way I could think of was to loop over
+    # known Haml 5 versions and test whether the `Requirement` is satisfied. I
+    # included '5.99.99' in the list so that this method might stand a chance of
+    # working in the future.
+    def supported_haml_version?
+      haml_version = gem_version(:haml)
+      return true unless haml_version
+
+      requirement = Gem::Requirement.new(haml_version)
+      ['5.99.99', '5.1.1', '5.1.0', '5.0.4', '5.0.3', '5.0.2', '5.0.1', '5.0.0'].none? do |v|
+        requirement.satisfied_by?(Gem::Version.new(v))
+      end
+    end
+
     def higher? lhs, rhs
       if lhs.class == rhs.class
         lhs > rhs

data/lib/brakeman/tracker/constants.rb

@@ -49,7 +49,7 @@ module Brakeman
     include Brakeman::Util
 
     def initialize
-      @constants = Hash.new { |h, k| h[k] = [] }
+      @constants = {}
     end
 
     def size
@@ -103,6 +103,7 @@ module Brakeman
       end
 
       base_name = Constants.get_constant_base_name(name)
+      @constants[base_name] ||= []
       @constants[base_name] << Constant.new(name, value, context)
     end
 

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "4.5.1"
+  Version = "4.6.0"
 end

data/lib/brakeman/warning.rb

@@ -271,6 +271,10 @@ class Brakeman::Warning
     end
   end
 
+  def relative_path
+    self.file.relative
+  end
+
   def to_hash absolute_paths: true
     if self.called_from and not absolute_paths
       render_path = self.called_from.with_relative_paths

data/lib/brakeman/warning_codes.rb

@@ -111,6 +111,9 @@ module Brakeman::WarningCodes
     :CVE_2018_3741 => 107,
     :CVE_2018_3760 => 108,
     :force_ssl_disabled => 109,
+    :unsafe_cookie_serialization => 110,
+    :reverse_tabnabbing => 111,
+    :custom_check => 9090,
   }
 
   def self.code name

data/lib/ruby_parser/bm_sexp.rb

@@ -40,7 +40,7 @@ class Sexp
       s.line(line)
     else
       s.original_line = self.original_line
-      s.line(self.line)
+      s.line(self.line) if self.line
     end
 
     s

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-min
 version: !ruby/object:Gem::Version
-  version: 4.5.1
+  version: 4.6.0
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2019-05-11 00:00:00.000000000 Z
+date: 2019-07-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -144,6 +144,7 @@ files:
 - lib/brakeman/checks/check_basic_auth.rb
 - lib/brakeman/checks/check_basic_auth_timing_attack.rb
 - lib/brakeman/checks/check_content_tag.rb
+- lib/brakeman/checks/check_cookie_serialization.rb
 - lib/brakeman/checks/check_create_with.rb
 - lib/brakeman/checks/check_cross_site_scripting.rb
 - lib/brakeman/checks/check_default_routes.rb
@@ -184,6 +185,7 @@ files:
 - lib/brakeman/checks/check_render_dos.rb
 - lib/brakeman/checks/check_render_inline.rb
 - lib/brakeman/checks/check_response_splitting.rb
+- lib/brakeman/checks/check_reverse_tabnabbing.rb
 - lib/brakeman/checks/check_route_dos.rb
 - lib/brakeman/checks/check_safe_buffer_manipulation.rb
 - lib/brakeman/checks/check_sanitize_methods.rb
@@ -321,8 +323,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.8
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.