brakeman 1.2.2 → 1.3.0

data/README.md

@@ -12,7 +12,7 @@ For even more continuous testing, try the [Guard plugin](https://github.com/oreo
 
 Website: http://brakemanscanner.org/
 
-Twitter: http://twitter.com/brakemanscanner
+Twitter: http://twitter.com/brakeman
 
 Mailing list: brakeman@librelist.com
 
@@ -89,7 +89,7 @@ If Brakeman is running a bit slow, try
 
 This will disable some features, but will probably be much faster (currently it is the same as `--skip-libs --no-branching`). *WARNING*: This may cause Brakeman to miss some vulnerabilities.
 
-By default, Brakeman will return 0 as an exit code unless something when very wrong. To return an error code when warnings were found:
+By default, Brakeman will return 0 as an exit code unless something went very wrong. To return an error code when warnings were found:
 
     brakeman -z
 

data/lib/brakeman.rb

@@ -162,7 +162,9 @@ module Brakeman
     require 'brakeman/scanner'
     $stderr.puts "Available Checks:"
     $stderr.puts "-" * 30
-    $stderr.puts Checks.checks.map { |c| c.to_s.match(/^Brakeman::(.*)$/)[1] }.sort.join "\n"
+    $stderr.puts Checks.checks.map { |c|
+      c.to_s.match(/^Brakeman::(.*)$/)[1].ljust(27) << c.description
+    }.sort.join "\n"
   end
 
   #Installs Rake task for running Brakeman,

data/lib/brakeman/checks/base_check.rb

@@ -68,6 +68,8 @@ class Brakeman::BaseCheck < SexpProcessor
       @has_user_input = :params
     elsif cookies? exp[1]
       @has_user_input = :cookies
+    elsif request_env? exp[1]
+      @has_user_input = :request
     elsif sexp? exp[1] and model_name? exp[1][1]
       @has_user_input = :model
     end
@@ -103,13 +105,13 @@ class Brakeman::BaseCheck < SexpProcessor
   end
 
   #Checks if the model inherits from parent,
-  def parent? tracker, model, parent
+  def parent? model, parent
     if model == nil
       false
     elsif model[:parent] == parent
       true
     elsif model[:parent]
-      parent? tracker, tracker.models[model[:parent]], parent
+      parent? tracker.models[model[:parent]], parent
     else
       false
     end
@@ -209,6 +211,8 @@ class Brakeman::BaseCheck < SexpProcessor
         return :params, exp
       elsif cookies? exp[1]
         return :cookies, exp
+      elsif request_env? exp[1]
+        return :request, exp
       else
         false
       end
@@ -396,4 +400,8 @@ class Brakeman::BaseCheck < SexpProcessor
       "config/environment.rb"
     end
   end
+
+  def self.description
+    @description
+  end
 end

data/lib/brakeman/checks/check_basic_auth.rb

@@ -7,6 +7,8 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
+  @description = "Checks for the use of http_basic_authenticate_with"
+
   def run_check
     return if version_between? "0.0.0", "3.0.99"
 

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -14,6 +14,8 @@ require 'set'
 class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
+  @description = "Checks for unescaped output in views"
+
   #Model methods which are known to be harmless
   IGNORE_MODEL_METHODS = Set.new([:average, :count, :maximum, :minimum, :sum])
 
@@ -84,6 +86,8 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
         message = "Unescaped parameter value"
       when :cookies
         message = "Unescaped cookie value"
+      when :request
+        message = "Unescaped request value"
       else
         message = "Unescaped user input value"
       end

data/lib/brakeman/checks/check_default_routes.rb

@@ -4,6 +4,8 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
+  @description = "Checks for default routes"
+
   #Checks for :allow_all_actions globally and for individual routes
   #if it is not enabled globally.
   def run_check

data/lib/brakeman/checks/check_escape_function.rb

@@ -5,6 +5,8 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckEscapeFunction < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
+  @description = "Checks for versions before 2.3.14 which have a vulnerable escape method"
+
   def run_check
     if version_between?('2.0.0', '2.3.13') and RUBY_VERSION < '1.9.0' 
 

data/lib/brakeman/checks/check_evaluation.rb

@@ -5,6 +5,8 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckEvaluation < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
+  @description = "Searches for evaluation of user input"
+
   #Process calls
   def run_check
     Brakeman.debug "Finding eval-like calls"

data/lib/brakeman/checks/check_execute.rb

@@ -11,6 +11,8 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckExecute < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
+  @description = "Finds instances of possible command injection"
+
   #Check models, controllers, and views for command injection.
   def run_check
     Brakeman.debug "Finding system calls using ``"

data/lib/brakeman/checks/check_file_access.rb

@@ -5,6 +5,8 @@ require 'brakeman/processors/lib/processor_helper'
 class Brakeman::CheckFileAccess < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
+  @description = "Finds possible file access using user input"
+
   def run_check
     Brakeman.debug "Finding possible file access"
     methods = tracker.find_call :targets => [:Dir, :File, :IO, :Kernel, :"Net::FTP", :"Net::HTTP", :PStore, :Pathname, :Shell, :YAML], :methods => [:[], :chdir, :chroot, :delete, :entries, :foreach, :glob, :install, :lchmod, :lchown, :link, :load, :load_file, :makedirs, :move, :new, :open, :read, :read_lines, :rename, :rmdir, :safe_unlink, :symlink, :syscopy, :sysopen, :truncate, :unlink]

data/lib/brakeman/checks/check_filter_skipping.rb

@@ -5,6 +5,8 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckFilterSkipping < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
+  @description = "Checks for versions 3.0-3.0.9 which had a vulnerability in filters"
+
   def run_check
     if version_between?('3.0.0', '3.0.9') and uses_arbitrary_actions?
 

data/lib/brakeman/checks/check_forgery_setting.rb

@@ -7,6 +7,8 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckForgerySetting < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
+  @description = "Verifies that protect_from_forgery is enabled in ApplicationController"
+
   def run_check
     app_controller = tracker.controllers[:ApplicationController]
     if tracker.config[:rails][:action_controller] and

data/lib/brakeman/checks/check_link_to.rb

@@ -7,6 +7,8 @@ require 'brakeman/checks/check_cross_site_scripting'
 class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
   Brakeman::Checks.add self
 
+  @description = "Checks for XSS in link_to in versions before 3.0"
+
   def run_check
     return unless version_between?("2.0.0", "2.9.9") and not tracker.config[:escape_html]
 

data/lib/brakeman/checks/check_mail_to.rb

@@ -7,6 +7,8 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckMailTo < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
+  @description = "Checks for mail_to XSS vulnerability in certain versions"
+
   def run_check
     if (version_between? "2.3.0", "2.3.10" or version_between? "3.0.0", "3.0.3") and result = mail_to_javascript?
       message = "Vulnerability in mail_to using javascript encoding (CVE-2011-0446). Upgrade to Rails version "

data/lib/brakeman/checks/check_mass_assignment.rb

@@ -7,12 +7,14 @@ require 'set'
 class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
+  @description = "Finds instances of mass assignment"
+
   def run_check
     return if mass_assign_disabled?
 
     models = []
     tracker.models.each do |name, m|
-      if parent?(tracker, m, :"ActiveRecord::Base") and m[:attr_accessible].nil?
+      if parent?(m, :"ActiveRecord::Base") and m[:attr_accessible].nil?
         models << name
       end
     end
@@ -45,7 +47,13 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
     if check and not @results.include? call
       @results << call
 
-      if include_user_input? call[3] and not hash? call[3][1]
+      model = tracker.models[res[:chain].first]
+
+      attr_protected = (model and model[:options][:attr_protected])
+
+      if attr_protected and tracker.options[:ignore_attr_protected]
+        return
+      elsif include_user_input? call[3] and not hash? call[3][1] and not attr_protected
         confidence = CONFIDENCE[:high]
       else
         confidence = CONFIDENCE[:low]

data/lib/brakeman/checks/check_model_attributes.rb

@@ -8,29 +8,63 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
+  @description = "Reports models which do not use attr_restricted and warns on models that use attr_protected"
+
   def run_check
     return if mass_assign_disabled?
 
-    names = []
+    #Roll warnings into one warning for all models
+    if tracker.options[:collapse_mass_assignment]
+      no_accessible_names = []
+      protected_names = []
 
-    tracker.models.each do |name, model|
-      if model[:attr_accessible].nil? and parent? tracker, model, :"ActiveRecord::Base"
-        if tracker.options[:collapse_mass_assignment]
-          names << name.to_s
-        else
-          warn :model => name, 
+      check_models do |name, model|
+        if model[:options][:attr_protected].nil?
+          no_accessible_names << name.to_s
+        elsif not tracker.options[:ignore_attr_protected]
+          protected_names << name.to_s
+        end
+      end
+
+      unless no_accessible_names.empty?
+        warn :model => no_accessible_names.sort.join(", "),
+          :warning_type => "Attribute Restriction",
+          :message => "Mass assignment is not restricted using attr_accessible",
+          :confidence => CONFIDENCE[:high]
+      end
+
+      unless protected_names.empty?
+        warn :model => protected_names.sort.join(", "),
+          :warning_type => "Attribute Restriction",
+          :message => "attr_accessible is recommended over attr_protected",
+          :confidence => CONFIDENCE[:low]
+      end
+    else #Output one warning per model
+
+      check_models do |name, model|
+        if model[:options][:attr_protected].nil?
+          warn :model => name,
+            :file => model[:file],
             :warning_type => "Attribute Restriction",
-            :message => "Mass assignment is not restricted using attr_accessible", 
+            :message => "Mass assignment is not restricted using attr_accessible",
             :confidence => CONFIDENCE[:high]
+        elsif not tracker.options[:ignore_attr_protected]
+          warn :model => name,
+            :file => model[:file],
+            :line => model[:options][:attr_protected].first.line,
+            :warning_type => "Attribute Restriction",
+            :message => "attr_accessible is recommended over attr_protected",
+            :confidence => CONFIDENCE[:low]
         end
       end
     end
+  end
 
-    if tracker.options[:collapse_mass_assignment] and not names.empty?
-      warn :model => names.sort.join(", "), 
-        :warning_type => "Attribute Restriction", 
-        :message => "Mass assignment is not restricted using attr_accessible", 
-        :confidence => CONFIDENCE[:high]
+  def check_models
+    tracker.models.each do |name, model|
+      if model[:attr_accessible].nil? and parent? model, :"ActiveRecord::Base"
+        yield name, model
+      end
     end
   end
 end

data/lib/brakeman/checks/check_nested_attributes.rb

@@ -5,6 +5,8 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckNestedAttributes < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
+  @description = "Checks for nested attributes vulnerability in Rails 2.3.9 and 3.0.0"
+
   def run_check
     version = tracker.config[:rails_version]
 

data/lib/brakeman/checks/check_quote_table_name.rb

@@ -5,6 +5,8 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckQuoteTableName < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
+  @description = "Checks for quote_table_name vulnerability in versions before 2.3.14 and 3.0.10"
+
   def run_check
     if (version_between?('2.0.0', '2.3.13') or 
         version_between?('3.0.0', '3.0.9'))

data/lib/brakeman/checks/check_redirect.rb

@@ -8,6 +8,8 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckRedirect < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
+  @description = "Looks for calls to redirect_to with user input as arguments"
+
   def run_check
     Brakeman.debug "Finding calls to redirect_to()"
 

data/lib/brakeman/checks/check_render.rb

@@ -4,6 +4,8 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckRender < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
+  @description = "Finds calls to render that might allow file access"
+
   def run_check
     tracker.find_call(:target => nil, :method => :render).each do |result|
       process_render result

data/lib/brakeman/checks/check_response_splitting.rb

@@ -5,6 +5,8 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckResponseSplitting < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
+  @description = "Report response splitting in Rails 2.3.0 - 2.3.13"
+
   def run_check
     if version_between?('2.3.0', '2.3.13')
 

data/lib/brakeman/checks/check_send_file.rb

@@ -5,6 +5,8 @@ require 'brakeman/processors/lib/processor_helper'
 class Brakeman::CheckSendFile < Brakeman::CheckFileAccess
   Brakeman::Checks.add self
 
+  @description = "Check for user input in uses of send_file"
+
   def run_check
     Brakeman.debug "Finding all calls to send_file()"
 

data/lib/brakeman/checks/check_session_settings.rb

@@ -4,6 +4,8 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
+  @description = "Checks for session key length and http_only settings"
+
   def initialize *args
     super
 

data/lib/brakeman/checks/check_sql.rb

@@ -11,6 +11,8 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckSQL < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
+  @description = "Check for SQL injection"
+
   def run_check
     @rails_version = tracker.config[:rails_version]
 
@@ -49,7 +51,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
         if model[:options][:named_scope]
           model[:options][:named_scope].each do |args|
             call = Sexp.new(:call, nil, :named_scope, args).line(args.line)
-            scope_calls << { :call => call, :location => [:class, name ] }
+            scope_calls << { :call => call, :location => [:class, name ], :method => :named_scope }
           end
         end
        end
@@ -57,8 +59,18 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       tracker.models.each do |name, model|
         if model[:options][:scope]
           model[:options][:scope].each do |args|
-            call = Sexp.new(:call, nil, :scope, args).line(args.line)
-            scope_calls << { :call => call, :location => [:class, name ] }
+            second_arg = args[2]
+
+            if second_arg.node_type == :iter and
+              (second_arg[-1].node_type == :block or second_arg[-1].node_type == :call)
+              process_scope_with_block name, args
+            elsif second_arg.node_type == :call
+              call = second_arg
+              scope_calls << { :call => call, :location => [:class, name ], :method => call[2] }
+            else
+              call = Sexp.new(:call, nil, :scope, args).line(args.line)
+              scope_calls << { :call => call, :location => [:class, name ], :method => :scope }
+            end
           end
         end
       end
@@ -67,8 +79,32 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     scope_calls
   end
 
+  def process_scope_with_block model_name, args
+    scope_name = args[1][1]
+    block = args[-1][-1]
+
+    #Search lambda for calls to query methods
+    if block.node_type == :block
+      find_calls = Brakeman::FindAllCalls.new tracker
+
+      find_calls.process_source block, model_name, scope_name
+
+      find_calls.calls.each do |call|
+        if call[:method].to_s =~ /^(find.*|first|last|all|where|order|group|having)$/
+          puts "Looks like #{call.inspect}"
+          process_result call
+        end
+      end
+    elsif block.node_type == :call
+      process_result :target => block[1], :method => block[2], :call => block, :location => [:class, model_name, scope_name]
+    end
+  end
+
   #Process result from Tracker#find_call.
   def process_result result
+    #TODO: I don't like this method at all. It's a pain to figure out what
+    #it is actually doing...
+
     call = result[:call]
 
     args = call[3]
@@ -77,6 +113,9 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       failed = check_arguments args[1]
     elsif call[2].to_s =~ /^find/
       failed = (args.length > 2 and check_arguments args[-1])
+    elsif tracker.options[:rails3] and result[:method] != :scope
+      #This is for things like where("query = ?")
+      failed = check_arguments args[1]
     else
       failed = (args.length > 1 and check_arguments args[-1])
     end

data/lib/brakeman/checks/check_strip_tags.rb

@@ -5,6 +5,8 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckStripTags < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
+  @description = "Report strip_tags vulnerability in versions before 2.3.13 and 3.0.10"
+
   def run_check
     if (version_between?('2.0.0', '2.3.12') or 
         version_between?('3.0.0', '3.0.9')) and uses_strip_tags?

data/lib/brakeman/checks/check_translate_bug.rb

@@ -5,6 +5,8 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckTranslateBug < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
+  @description = "Report XSS vulnerability in translate helper"
+
   def run_check
     if (version_between?('2.3.0', '2.3.99') and tracker.config[:escape_html]) or
         version_between?('3.0.0', '3.0.10') or

data/lib/brakeman/checks/check_validation_regex.rb

@@ -10,6 +10,8 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckValidationRegex < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
+  @description = "Report uses of validates_format_of with improper anchors"
+
   WITH = Sexp.new(:lit, :with)
 
   def run_check

data/lib/brakeman/checks/check_without_protection.rb

@@ -7,6 +7,8 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckWithoutProtection < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
+  @description = "Check for mass assignment using without_protection"
+
   def run_check
     if version_between? "0.0.0", "3.0.99"
       return
@@ -14,7 +16,7 @@ class Brakeman::CheckWithoutProtection < Brakeman::BaseCheck
 
     models = []
     tracker.models.each do |name, m|
-      if parent?(tracker, m, :"ActiveRecord::Base")
+      if parent? m, :"ActiveRecord::Base"
         models << name
       end
     end

data/lib/brakeman/format/style.css

@@ -60,6 +60,11 @@ p {
    background-color: white;
  }
 
+ table caption {
+   background-color: #FFE;
+   padding: 2px;
+ }
+
  table.context {
    margin-top: 5px;
    margin-bottom: 5px;

data/lib/brakeman/options.rb

@@ -54,10 +54,6 @@ module Brakeman::Options
           options[:assume_all_routes] = true
         end
 
-        opts.on "--ignore-model-output", "Consider model attributes XSS-safe" do
-          options[:ignore_model_output] = true
-        end
-
         opts.on "-e", "--escape-html", "Escape HTML by default" do
           options[:escape_html] = true
         end
@@ -67,6 +63,14 @@ module Brakeman::Options
           options[:skip_libs] = true
         end
 
+        opts.on "--ignore-model-output", "Consider model attributes XSS-safe" do
+          options[:ignore_model_output] = true
+        end
+
+        opts.on "--ignore-protected", "Consider models with attr_protected safe" do
+          options[:ignore_attr_protected] = true
+        end
+
         opts.on "--no-branching", "Disable flow sensitivity on conditionals" do
           options[:ignore_ifs] = true
         end
@@ -80,6 +84,11 @@ module Brakeman::Options
           options[:safe_methods].merge methods.map {|e| e.to_sym }
         end
 
+        opts.on "--skip-files file1,file2,etc", Array, "Skip processing of these files" do |files|
+          options[:skip_files] ||= Set.new
+          options[:skip_files].merge files.map {|f| f.to_sym }
+        end
+
         opts.on "--skip-libs", "Skip processing lib directory" do
           options[:skip_libs] = true
         end

data/lib/brakeman/processor.rb

@@ -47,7 +47,7 @@ module Brakeman
     #Process a model source
     def process_model src, file_name
       result = ModelProcessor.new(@tracker).process_model src, file_name
-      AliasProcessor.new.process result
+      AliasProcessor.new(@tracker).process result
     end
 
     #Process either an ERB or HAML template
@@ -81,7 +81,7 @@ module Brakeman
     #Process source for initializing files
     def process_initializer name, src
       res = BaseProcessor.new(@tracker).process src
-      res = AliasProcessor.new.process res
+      res = AliasProcessor.new(@tracker).process res
       @tracker.initializers[Pathname.new(name).basename.to_s] = res
     end
 

data/lib/brakeman/processors/alias_processor.rb

@@ -17,7 +17,7 @@ class Brakeman::AliasProcessor < SexpProcessor
   #The recommended usage is:
   #
   # AliasProcessor.new.process_safely src
-  def initialize
+  def initialize tracker = nil
     super()
     self.strict = false
     self.auto_shift_type = false
@@ -27,7 +27,8 @@ class Brakeman::AliasProcessor < SexpProcessor
     @env = SexpProcessor::Environment.new
     @inside_if = false
     @ignore_ifs = false
-    @tracker = nil #set in subclass as necessary
+    @exp_context = []
+    @tracker = tracker #set in subclass as necessary
     set_env_defaults
   end
 
@@ -71,9 +72,12 @@ class Brakeman::AliasProcessor < SexpProcessor
   #Process a Sexp. If the Sexp has a value associated with it in the
   #environment, that value will be returned. 
   def process_default exp
+    @exp_context.push exp
+
     begin
-      type = exp.shift
       exp.each_with_index do |e, i|
+        next if i == 0
+
         if sexp? e and not e.empty?
           exp[i] = process e
         else
@@ -82,18 +86,18 @@ class Brakeman::AliasProcessor < SexpProcessor
       end
     rescue Exception => err
       @tracker.error err if @tracker
-    ensure
-      #The type must be put back on, or else later processing
-      #will trip up on it
-      exp.unshift type
     end
 
     #Generic replace
-    if replacement = env[exp]
-      set_line replacement.deep_clone, exp.line
+    if replacement = env[exp] and not duplicate? replacement
+      result = set_line replacement.deep_clone, exp.line
     else
-      exp
+      result = exp
     end
+
+    @exp_context.pop
+
+    result
   end
 
   #Process a method call.
@@ -102,7 +106,9 @@ class Brakeman::AliasProcessor < SexpProcessor
     exp = process_default exp
 
     #In case it is replaced with something else
-    return exp unless call? exp
+    unless call? exp
+      return exp
+    end
 
     target = exp[1]
     method = exp[2]
@@ -116,12 +122,24 @@ class Brakeman::AliasProcessor < SexpProcessor
         joined = join_arrays target, args[1] 
         joined.line(exp.line)
         exp = joined
-      elsif string? target and string? args[1]
-        joined = join_strings target, args[1]
-        joined.line(exp.line)
-        exp = joined
-      elsif number? target and number? args[1]
-        exp = Sexp.new(:lit, target[1] + args[1][1])
+      elsif string? args[1]
+        if string? target # "blah" + "blah"
+          joined = join_strings target, args[1]
+          joined.line(exp.line)
+          exp = joined
+        elsif call? target and target[2] == :+ and string? target[3][1]
+          joined = join_strings target[3][1], args[1]
+          joined.line(exp.line)
+          target[3][1] = joined
+          exp = target
+        end
+      elsif number? args[1]
+        if number? target
+          exp = Sexp.new(:lit, target[1] + args[1][1])
+        elsif target[2] == :+ and number? target[3][1]
+          target[3][1] = Sexp.new(:lit, target[3][1][1] + args[1][1])
+          exp = target
+        end
       end
     when :-
       if number? target and number? args[1]
@@ -211,10 +229,13 @@ class Brakeman::AliasProcessor < SexpProcessor
   # x = 1
   def process_lasgn exp
     exp[2] = process exp[2] if sexp? exp[2]
+    return exp if exp[2].nil?
+
     local = Sexp.new(:lvar, exp[1]).line(exp.line || -2)
 
     if @inside_if and val = env[local]
-      if val != exp[2] #avoid setting to value it already is (e.g. "1 or 1")
+      #avoid setting to value it already is (e.g. "1 or 1")
+      if val != exp[2] and val[1] != exp[2] and val[2] != exp[2]
         env[local] = Sexp.new(:or, val, exp[2]).line(exp.line || -2)
       end
     else
@@ -283,6 +304,7 @@ class Brakeman::AliasProcessor < SexpProcessor
     tar_variable = exp[1]
     target = exp[1] = process(exp[1])
     method = exp[2]
+
     if method == :[]=
       index = exp[3][1] = process(exp[3][1])
       value = exp[3][2] = process(exp[3][2])
@@ -369,6 +391,10 @@ class Brakeman::AliasProcessor < SexpProcessor
     exp
   end
 
+  def process_svalue exp
+    exp[1]
+  end
+
   #Constant assignments like
   # BIG_CONSTANT = 234810983
   def process_cdecl exp
@@ -400,12 +426,18 @@ class Brakeman::AliasProcessor < SexpProcessor
     else
       exps = exp[2..-1]
     end
-    
+
     was_inside = @inside_if
     @inside_if = !@ignore_ifs
 
     exps.each do |e|
-      process e if sexp? e
+      if sexp? e
+        if e.node_type == :block
+          process_default e #avoid creating new scope
+        else
+          process e
+        end
+      end
     end
 
     @inside_if = was_inside
@@ -451,7 +483,11 @@ class Brakeman::AliasProcessor < SexpProcessor
   def join_strings string1, string2
     result = Sexp.new(:str)
     result[1] = string1[1] + string2[1]
-    result
+    if result[1].length > 50
+      string1
+    else
+      result
+    end
   end
 
   #Returns a new SexpProcessor::Environment containing only instance variables.
@@ -487,4 +523,12 @@ class Brakeman::AliasProcessor < SexpProcessor
       exp
     end
   end
+
+  def duplicate? exp
+    @exp_context[0..-2].reverse_each do |e|
+      return true if exp == e 
+    end
+
+    false
+  end
 end

data/lib/brakeman/processors/controller_alias_processor.rb

@@ -84,18 +84,30 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
   #Basically, adds any instance variable assignments to the environment.
   #TODO: method arguments?
   def process_before_filter name 
-    method = find_method name, @current_class    
+    filter = find_method name, @current_class
 
-    if method.nil?
+    if filter.nil?
       Brakeman.debug "[Notice] Could not find filter #{name}"
       return
     end
 
-    processor = Brakeman::AliasProcessor.new
-    processor.process_safely(method[3])
+    method = filter[:method]
 
-    processor.only_ivars.all.each do |variable, value|
-      env[variable] = value
+    if ivars = @tracker.filter_cache[[filter[:controller], name]]
+      ivars.each do |variable, value|
+        env[variable] = value
+      end
+    else
+      processor = Brakeman::AliasProcessor.new @tracker
+      processor.process_safely(method[3])
+
+      ivars = processor.only_ivars.all
+
+      @tracker.filter_cache[[filter[:controller], name]] = ivars
+
+      ivars.each do |variable, value|
+        env[variable] = value
+      end
     end
   end
 
@@ -217,6 +229,10 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
   end
 
   #Finds a method in the given class or a parent class
+  #
+  #Returns nil if the method could not be found.
+  #
+  #If found, returns hash table with controller name and method sexp.
   def find_method method_name, klass
     return nil if sexp? method_name
     method_name = method_name.to_sym
@@ -231,12 +247,14 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
       if method.nil?
         controller[:includes].each do |included|
           method = find_method method_name, included
-          return method if method
+          if method
+            return { :controller => controller[:name], :method => method }
+          end
         end
 
         find_method method_name, controller[:parent]
       else
-        method
+        { :controller => controller[:name], :method => method }
       end
     else
       nil

data/lib/brakeman/processors/lib/find_all_calls.rb

@@ -120,7 +120,13 @@ class Brakeman::FindAllCalls < Brakeman::BaseProcessor
       when :lit
         exp[1]
       when :colon2
-        class_name exp
+        begin
+          class_name exp
+        rescue StandardError
+          exp
+        end
+      when :self
+        @current_class || @current_module || nil
       else
         exp
       end

data/lib/brakeman/processors/lib/processor_helper.rb

@@ -24,6 +24,8 @@ module Brakeman::ProcessorHelper
         "::#{exp[1]}".to_sym
       when :call
         process exp
+      when :self
+        @current_class || @current_module || nil
       else
         raise "Error: Cannot get class name from #{exp}"
       end

data/lib/brakeman/processors/lib/rails3_config_processor.rb

@@ -23,7 +23,7 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BaseProcessor
 
   #Use this method to process configuration file
   def process_config src
-    res = Brakeman::AliasProcessor.new.process_safely(src)
+    res = Brakeman::AliasProcessor.new(@tracker).process_safely(src)
     process res
   end
 

data/lib/brakeman/processors/library_processor.rb

@@ -7,7 +7,7 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
   def initialize tracker
     super
     @file_name = nil
-    @alias_processor = Brakeman::AliasProcessor.new
+    @alias_processor = Brakeman::AliasProcessor.new tracker
   end
 
   def process_library src, file_name = nil

data/lib/brakeman/processors/output_processor.rb

@@ -206,7 +206,9 @@ class Brakeman::OutputProcessor < Ruby2Ruby
       exp.clear
       "(Unresolved Model)"
     else
-      super exp
+      out = exp[0].to_s
+      exp.clear
+      out
     end
   end
 

data/lib/brakeman/report.rb

@@ -528,7 +528,8 @@ class Brakeman::Report
     else
       CGI.escapeHTML(message)
     end <<
-    "<table id='#{code_id}' class='context' style='display:none'>"
+    "<table id='#{code_id}' class='context' style='display:none'>" <<
+    "<caption>#{(warning.file || '').gsub(tracker.options[:app_path], "")}</caption>"
 
     unless context.empty?
       if warning.line - 1 == 1 or warning.line + 1 == 1

data/lib/brakeman/rescanner.rb

@@ -23,7 +23,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
 
     tracker.run_checks if @changes
 
-    Brakeman::RescanReport.new @old_results, tracker.checks
+    Brakeman::RescanReport.new @old_results, tracker
   end
 
   #Rescans changed files
@@ -206,9 +206,10 @@ end
 class Brakeman::RescanReport
   attr_reader :old_results, :new_results
 
-  def initialize old_results, new_results
+  def initialize old_results, tracker
+    @tracker = tracker
     @old_results = old_results
-    @new_results = new_results
+    @new_results = tracker.checks
     @all_warnings = nil
     @diff = nil
   end
@@ -253,11 +254,33 @@ class Brakeman::RescanReport
   end
 
   #Output total, fixed, and new warnings
-  def to_s
+  def to_s(verbose = false)
+    if !verbose
     <<-OUTPUT
 Total warnings: #{all_warnings.length}
 Fixed warnings: #{fixed_warnings.length}
 New warnings: #{new_warnings.length}
     OUTPUT
+    else
+      existing_warnings = all_warnings - new_warnings
+
+      "".tap do |out|
+        {:fixed => fixed_warnings, :new => new_warnings, :existing => existing_warnings}.each do |warning_type, warnings|
+          if warnings.length > 0
+            out << "#{warning_type.to_s.titleize} warnings: #{warnings.length}\n"
+            table = Ruport::Data::Table(["Confidence", "Class", "Method", "Warning Type", "Message"])
+            warnings.sort_by{|w| w.confidence}.each do |warning|
+              next if warning.confidence > @tracker.options[:min_confidence]
+              w = warning.to_row
+              w["Confidence"] = Brakeman::Report::TEXT_CONFIDENCE[w["Confidence"]] if w["Confidence"].is_a?(Numeric)
+              table << warning.to_row
+            end
+            out << table.to_s
+          end
+
+        end
+      end
+
+    end
   end
 end

data/lib/brakeman/scanner.rb

@@ -36,6 +36,13 @@ class Brakeman::Scanner
     @path = options[:app_path]
     @app_path = File.join(@path, "app")
     @processor = processor || Brakeman::Processor.new(options)
+    @skip_files = nil
+
+    #Convert files into Regexp for matching
+    if options[:skip_files]
+      list = "(?:" << options[:skip_files].map { |f| Regexp.escape f }.join("|") << ")$"
+      @skip_files = Regexp.new(list)
+    end
 
     if RUBY_1_9
       @ruby_parser = ::Ruby19Parser
@@ -123,7 +130,10 @@ class Brakeman::Scanner
   #
   #Adds parsed information to tracker.initializers
   def process_initializers
-    Dir.glob(@path + "/config/initializers/**/*.rb").sort.each do |f|
+    initializer_files = Dir.glob(@path + "/config/initializers/**/*.rb").sort
+    initializer_files.reject! { |f| @skip_files.match f } if @skip_files
+
+    initializer_files.each do |f|
       process_initializer f
     end
   end
@@ -149,6 +159,8 @@ class Brakeman::Scanner
     end
 
     lib_files = Dir.glob(@path + "/lib/**/*.rb").sort
+    lib_files.reject! { |f| @skip_files.match f } if @skip_files
+
     total = lib_files.length
     current = 0
 
@@ -196,6 +208,8 @@ class Brakeman::Scanner
   #Adds processed controllers to tracker.controllers
   def process_controllers
     controller_files = Dir.glob(@app_path + "/controllers/**/*.rb").sort
+    controller_files.reject! { |f| @skip_files.match f } if @skip_files
+
     total = controller_files.length * 2
     current = 0
 
@@ -222,6 +236,9 @@ class Brakeman::Scanner
 
       @processor.process_controller_alias controller[:src]
     end
+
+    #No longer need these processed filter methods
+    tracker.filter_cache.clear
   end
 
   def process_controller path
@@ -244,6 +261,8 @@ class Brakeman::Scanner
     count = 0
 
     template_files = Dir.glob(views_path).sort
+    template_files.reject! { |f| @skip_files.match f } if @skip_files
+
     total = template_files.length
 
     template_files.each do |path|
@@ -327,6 +346,7 @@ class Brakeman::Scanner
   #Adds the processed models to tracker.models
   def process_models
     model_files = Dir.glob(@app_path + "/models/*.rb").sort
+    model_files.reject! { |f| @skip_files.match f } if @skip_files
 
     total = model_files.length
     current = 0

data/lib/brakeman/tracker.rb

@@ -9,7 +9,7 @@ require 'brakeman/processors/lib/find_all_calls'
 class Brakeman::Tracker
   attr_accessor :controllers, :templates, :models, :errors,
     :checks, :initializers, :config, :routes, :processor, :libs,
-    :template_cache, :options
+    :template_cache, :options, :filter_cache
 
   #Place holder when there should be a model, but it is not
   #clear what model it will be.
@@ -42,6 +42,7 @@ class Brakeman::Tracker
     @checks = nil
     @processed = nil
     @template_cache = Set.new
+    @filter_cache = {}
     @call_index = nil
   end
 

data/lib/brakeman/util.rb

@@ -11,6 +11,8 @@ module Brakeman::Util
 
   REQUEST_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request, Sexp.new(:arglist)), :request_parameters, Sexp.new(:arglist))
 
+  REQUEST_ENV = Sexp.new(:call, Sexp.new(:call, nil, :request, Sexp.new(:arglist)), :env, Sexp.new(:arglist))
+
   PARAMETERS = Sexp.new(:call, nil, :params, Sexp.new(:arglist))
 
   COOKIES = Sexp.new(:call, nil, :cookies, Sexp.new(:arglist))
@@ -179,7 +181,10 @@ module Brakeman::Util
     end
 
     false
+  end
 
+  def request_env? exp
+    call? exp and (exp == REQUEST_ENV or exp[1] == REQUEST_ENV)
   end
 
   #Check if _exp_ is a Sexp.

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "1.2.2"
+  Version = "1.3.0"
 end

metadata

@@ -1,12 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: brakeman
 version: !ruby/object:Gem::Version 
-  prerelease: false
+  hash: 27
+  prerelease: 
   segments: 
   - 1
-  - 2
-  - 2
-  version: 1.2.2
+  - 3
+  - 0
+  version: 1.3.0
 platform: ruby
 authors: 
 - Justin Collins
@@ -14,8 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2012-01-26 00:00:00 -08:00
-default_executable: 
+date: 2012-02-09 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: activesupport
@@ -25,6 +25,7 @@ dependencies:
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 3
         segments: 
         - 0
         version: "0"
@@ -38,6 +39,7 @@ dependencies:
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 3
         segments: 
         - 0
         version: "0"
@@ -51,6 +53,7 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
+        hash: 11
         segments: 
         - 1
         - 2
@@ -65,6 +68,7 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
+        hash: 3
         segments: 
         - 1
         - 6
@@ -79,6 +83,7 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
+        hash: 15
         segments: 
         - 2
         - 6
@@ -93,6 +98,7 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
+        hash: 7
         segments: 
         - 3
         - 0
@@ -107,6 +113,7 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
+        hash: 7
         segments: 
         - 3
         - 0
@@ -195,7 +202,6 @@ files:
 - lib/brakeman/processor.rb
 - lib/brakeman.rb
 - lib/brakeman/format/style.css
-has_rdoc: true
 homepage: http://brakemanscanner.org
 licenses: []
 
@@ -209,6 +215,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      hash: 3
       segments: 
       - 0
       version: "0"
@@ -217,13 +224,14 @@ required_rubygems_version: !ruby/object:Gem::Requirement
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      hash: 3
       segments: 
       - 0
       version: "0"
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 1.3.7
+rubygems_version: 1.8.15
 signing_key: 
 specification_version: 3
 summary: Security vulnerability scanner for Ruby on Rails.