brakeman 1.8.3 → 1.9.0.pre1

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -31,7 +31,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
 
   CGI = Sexp.new(:const, :CGI)
 
-  FORM_BUILDER = Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new, Sexp.new(:arglist))
+  FORM_BUILDER = Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new)
 
   #Run check
   def run_check
@@ -60,7 +60,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
 
     json_escape_on = false
     initializers = tracker.check_initializers :ActiveSupport, :escape_html_entities_in_json=
-    initializers.each {|result| json_escape_on = true?(result[-1].first_arg) }
+    initializers.each {|result| json_escape_on = true?(result.call.first_arg) }
 
     if !json_escape_on or version_between? "0.0.0", "2.0.99"
       @known_dangerous << :to_json
@@ -115,7 +115,11 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
         :confidence => CONFIDENCE[:high]
 
     elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(out)
-      method = match[2]
+      method = if call? match
+                 match.method
+               else
+                 nil
+               end
 
       unless IGNORE_MODEL_METHODS.include? method
         add_result out
@@ -227,7 +231,6 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
     end
 
     method = exp.method
-    args = exp.arglist
 
     #Ignore safe items
     if (target.nil? and (@ignore_methods.include? method or method.to_s =~ IGNORE_LIKE)) or
@@ -241,14 +244,14 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
 
       #exp[0] = :ignore #should not be necessary
       @matched = false
-    elsif sexp? target and model_name? target[1]
+    elsif sexp? target and model_name? target[1] #TODO: use method call?
       @matched = Match.new(:model, exp)
     elsif cookies? exp
       @matched = Match.new(:cookies, exp)
     elsif @inspect_arguments and params? exp
       @matched = Match.new(:params, exp)
     elsif @inspect_arguments
-      process args
+      process_call_args exp
     end
   end
 
@@ -286,9 +289,8 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
 
   #Ignore condition in if Sexp
   def process_if exp
-    exp[2..-1].each do |e|
-      process e if sexp? e
-    end
+    process exp.then_clause if sexp? exp.then_clause
+    process exp.else_clause if sexp? exp.else_clause
     exp
   end
 

data/lib/brakeman/checks/check_evaluation.rb

@@ -20,7 +20,7 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
 
   #Warns if eval includes user input
   def process_result result
-    if input = include_user_input?(result[:call][-1])
+    if input = include_user_input?(result[:call].arglist)
       warn :result => result,
         :warning_type => "Dangerous Eval",
         :message => "User input in eval",

data/lib/brakeman/checks/check_execute.rb

@@ -30,12 +30,12 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
   #Processes results from Tracker#find_call.
   def process_result result
     call = result[:call]
-
-    args = process call[3]
+    args = call.arglist
+    first_arg = call.first_arg
 
     case call.method
     when :system, :exec
-      failure = include_user_input?(args[1]) || include_interp?(args[1])
+      failure = include_user_input?(first_arg) || include_interp?(first_arg)
     else
       failure = include_user_input?(args) || include_interp?(args)
     end

data/lib/brakeman/checks/check_link_to.rb

@@ -23,7 +23,7 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
     @known_dangerous = []
     #Ideally, I think this should also check to see if people are setting
     #:escape => false
-    methods = tracker.find_call :target => false, :method => :link_to 
+    methods = tracker.find_call :target => false, :method => :link_to
 
     @models = tracker.models.keys
     @inspect_arguments = tracker.options[:check_arguments]
@@ -40,23 +40,24 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
     #an ignored method call by the code above.
     call = result[:call] = result[:call].dup
 
-    args = call.args
+    first_arg = call.first_arg
+    second_arg = call.second_arg
 
     @matched = false
 
     #Skip if no arguments(?) or first argument is a hash
-    return if args.first.nil? or hash? args.first
+    return if first_arg.nil? or hash? first_arg
 
     if version_between? "2.0.0", "2.2.99"
-      check_argument result, args.first
+      check_argument result, first_arg
 
-      if args.second and not hash? args.second
-        check_argument result, args.second
+      if second_arg and not hash? second_arg
+        check_argument result, second_arg
       end
-    elsif args.second
+    elsif second_arg
       #Only check first argument if there is a second argument
       #in Rails 2.3.x
-      check_argument result, args.first
+      check_argument result, first_arg
     end
   end
 
@@ -75,14 +76,14 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
 
       add_result result
       warn :result => result,
-        :warning_type => "Cross Site Scripting", 
+        :warning_type => "Cross Site Scripting",
         :message => message,
         :user_input => input.match,
         :confidence => CONFIDENCE[:high],
         :link_path => "link_to"
 
     elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(arg)
-      method = match[2]
+      method = match.method
 
       unless IGNORE_MODEL_METHODS.include? method
         add_result result
@@ -94,7 +95,7 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
         end
 
         warn :result => result,
-          :warning_type => "Cross Site Scripting", 
+          :warning_type => "Cross Site Scripting",
           :message => "Unescaped model attribute in link_to",
           :user_input => match,
           :confidence => confidence,
@@ -111,8 +112,8 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
       if message
         add_result result
 
-        warn :result => result, 
-          :warning_type => "Cross Site Scripting", 
+        warn :result => result,
+          :warning_type => "Cross Site Scripting",
           :message => message,
           :user_input => @matched.match,
           :confidence => CONFIDENCE[:med],
@@ -137,6 +138,7 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
 
     #Bare records create links to the model resource,
     #not a string that could have injection
+    #TODO: Needs test? I think this is broken?
     if model_name? target and context == [:call, :arglist]
       return exp
     end

data/lib/brakeman/checks/check_link_to_href.rb

@@ -34,7 +34,7 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
     #an ignored method call by the code above.
     call = result[:call] = result[:call].dup
     @matched = false
-    url_arg = process call.args.second
+    url_arg = process call.second_arg
 
     #Ignore situations where the href is an interpolated string
     #with something before the user input

data/lib/brakeman/checks/check_mail_to.rb

@@ -34,7 +34,7 @@ class Brakeman::CheckMailTo < Brakeman::BaseCheck
     Brakeman.debug "Checking calls to mail_to for javascript encoding"
 
     tracker.find_call(:target => false, :method => :mail_to).each do |result|
-      result[:call].arglist.each do |arg|
+      result[:call].each_arg do |arg|
         if hash? arg
           if option = hash_access(arg, :encode)
             return result if symbol? option and option.value == :javascript

data/lib/brakeman/checks/check_mass_assignment.rb

@@ -78,13 +78,14 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
 
   #Want to ignore calls to Model.new that have no arguments
   def check_call call
-    args = process_all call.args
+    process_call_args call
+    first_arg = call.first_arg
 
-    if args.empty? #empty new()
+    if first_arg.nil? #empty new()
       false
-    elsif hash? args.first and not include_user_input? args.first
+    elsif hash? first_arg and not include_user_input? first_arg
       false
-    elsif all_literals? args
+    elsif all_literal_args? call
       false
     else
       true
@@ -93,17 +94,30 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
 
   LITERALS = Set[:lit, :true, :false, :nil, :string]
 
-  def all_literals? args
-    args.all? do |arg|
-      if sexp? arg
-        if arg.node_type == :hash
-          all_literals? arg
-        else
-          LITERALS.include? arg.node_type
-        end
+  def all_literal_args? exp
+    if call? exp
+      exp.each_arg do |arg|
+        return false unless literal? arg
+      end
+
+      true
+    else
+      exp.all? do |arg|
+        literal? arg
+      end
+    end
+
+  end
+
+  def literal? exp
+    if sexp? exp
+      if exp.node_type == :hash
+        all_literal_args? exp
       else
-        true
+        LITERALS.include? exp.node_type
       end
+    else
+      true
     end
   end
 end

data/lib/brakeman/checks/check_redirect.rb

@@ -73,12 +73,12 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
     elsif call? arg
       if request_value? arg
         return Match.new(immediate, arg)
-      elsif request_value? arg[1]
-        return Match.new(immediate, arg[1])
-      elsif arg[2] == :url_for and include_user_input? arg
+      elsif request_value? arg.target
+        return Match.new(immediate, arg.target)
+      elsif arg.method == :url_for and include_user_input? arg
         return Match.new(immediate, arg)
         #Ignore helpers like some_model_url?
-      elsif arg[2].to_s =~ /_(url|path)\z/
+      elsif arg.method.to_s =~ /_(url|path)\z/
         return false
       end
     elsif request_value? arg

data/lib/brakeman/checks/check_select_tag.rb

@@ -38,7 +38,7 @@ class Brakeman::CheckSelectTag < Brakeman::BaseCheck
     add_result result
 
     #Only concerned if user input is supplied for :prompt option
-    last_arg = result[:call].arglist.last
+    last_arg = result[:call].last_arg
 
     if hash? last_arg
       prompt_option = hash_access last_arg, :prompt

data/lib/brakeman/checks/check_select_vulnerability.rb

@@ -35,7 +35,7 @@ class Brakeman::CheckSelectVulnerability < Brakeman::BaseCheck
   def process_result result
     return if duplicate? result
 
-    third_arg = result[:call].args[2]
+    third_arg = result[:call].third_arg
 
     #Check for user input in options parameter
     if sexp? third_arg and include_user_input? third_arg

data/lib/brakeman/checks/check_send.rb

@@ -16,10 +16,10 @@ class Brakeman::CheckSend < Brakeman::BaseCheck
   end
 
   def process_result result
-    args = process_all result[:call].args
+    process_call_args result[:call]
     target = process result[:call].target
 
-    if input = has_immediate_user_input?(args.first)
+    if input = has_immediate_user_input?(result[:call].first_arg)
       warn :result => result,
         :warning_type => "Dangerous Send",
         :message => "User controlled method execution",

data/lib/brakeman/checks/check_session_settings.rb

@@ -9,10 +9,10 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
   def initialize *args
     super
 
-    if tracker.options[:rails3]
-      @session_settings = Sexp.new(:call, Sexp.new(:colon2, Sexp.new(:const, :Rails3), :Application), :config, Sexp.new(:arglist))
-    else
+    unless tracker.options[:rails3]
       @session_settings = Sexp.new(:colon2, Sexp.new(:const, :ActionController), :Base)
+    else
+      @session_settings = nil
     end
   end
 
@@ -41,8 +41,8 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
   #Looks for Rails3::Application.config.session_store :cookie_store, { ... }
   #in Rails 3.x apps
   def process_call exp
-    if tracker.options[:rails3] and exp.target == @session_settings and exp.method == :session_store
-        check_for_issues exp.args.second, "#{tracker.options[:app_path]}/config/initializers/session_store.rb"
+    if tracker.options[:rails3] and settings_target?(exp.target) and exp.method == :session_store
+      check_for_issues exp.second_arg, "#{tracker.options[:app_path]}/config/initializers/session_store.rb"
     end
       
     exp
@@ -50,6 +50,13 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
 
   private
 
+  def settings_target? exp
+    call? exp and
+    exp.method == :config and
+    node_type? exp.target, :colon2 and
+    exp.target.rhs == :Application
+  end
+
   def check_for_issues settings, file
     if settings and hash? settings
       if value = hash_access(settings, :session_http_only)

data/lib/brakeman/checks/check_single_quotes.rb

@@ -52,7 +52,7 @@ class Brakeman::CheckSingleQuotes < Brakeman::BaseCheck
   def process_class exp
     if exp.class_name == :ERB
       @inside_erb = true
-      process exp.body
+      process_all exp.body
       @inside_erb = false
     end
 
@@ -65,7 +65,7 @@ class Brakeman::CheckSingleQuotes < Brakeman::BaseCheck
   def process_module exp
     if @inside_erb and exp.module_name == :Util
       @inside_util = true
-      process exp.body
+      process_all exp.body
       @inside_util = false
     end
 
@@ -78,7 +78,7 @@ class Brakeman::CheckSingleQuotes < Brakeman::BaseCheck
   def process_defn exp
     if @inside_util and exp.method_name == :html_escape
       @inside_html_escape = true
-      process exp.body
+      process_all exp.body
       @inside_html_escape = false
     end
 

data/lib/brakeman/checks/check_skip_before_filter.rb

@@ -35,10 +35,11 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
   def skip_verify_except? filter
     return false unless call? filter
 
-    args = filter.args
+    first_arg = filter.first_arg
+    last_arg = filter.last_arg
 
-    if symbol? args.first and args.first.value == :verify_authenticity_token and hash? args.last
-      if hash_access(args.last, :except)
+    if symbol? first_arg and first_arg.value == :verify_authenticity_token and hash? last_arg
+      if hash_access(last_arg, :except)
         return true
       end
     end

data/lib/brakeman/checks/check_sql.rb

@@ -61,7 +61,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       active_record_models.each do |name, model|
         if model[:options][:named_scope]
           model[:options][:named_scope].each do |args|
-            call = Sexp.new(:call, nil, :named_scope, args).line(args.line)
+            call = make_call(nil, :named_scope, args).line(args.line)
             scope_calls << { :call => call, :location => [:class, name ], :method => :named_scope }
           end
         end
@@ -80,7 +80,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
               call = second_arg
               scope_calls << { :call => call, :location => [:class, name ], :method => call.method }
             else
-              call = Sexp.new(:call, nil, :scope, args).line(args.line)
+              call = make_call(nil, :scope, args).line(args.line)
               scope_calls << { :call => call, :location => [:class, name ], :method => :scope }
             end
           end
@@ -173,37 +173,36 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
 
     call = result[:call]
     method = call.method
-    args = call.args
 
     dangerous_value = case method
                       when :find
-                        check_find_arguments args.second
+                        check_find_arguments call.second_arg
                       when :exists?
-                        check_find_arguments args.first
+                        check_find_arguments call.first_arg
                       when :named_scope, :scope
-                        check_scope_arguments call.arglist
+                        check_scope_arguments call
                       when :find_by_sql, :count_by_sql
-                        check_by_sql_arguments args.first
+                        check_by_sql_arguments call.first_arg
                       when :calculate
-                        check_find_arguments args[2]
+                        check_find_arguments call.third_arg
                       when :last, :first, :all
-                        check_find_arguments args.first
+                        check_find_arguments call.first_arg
                       when :average, :count, :maximum, :minimum, :sum
-                        if args.length > 2
-                          unsafe_sql?(args.first) or check_find_arguments(args.last)
+                        if call.length > 5
+                          unsafe_sql?(call.first_arg) or check_find_arguments(call.last_arg)
                         else
-                          check_find_arguments args.last
+                          check_find_arguments call.last_arg
                         end
                       when :where, :having
                         check_query_arguments call.arglist
                       when :order, :group, :reorder
                         check_order_arguments call.arglist
                       when :joins
-                        check_joins_arguments args.first
+                        check_joins_arguments call.first_arg
                       when :from, :select
-                        unsafe_sql? args.first
+                        unsafe_sql? call.first_arg
                       when :lock
-                        check_lock_arguments args.first
+                        check_lock_arguments call.first_arg
                       else
                         Brakeman.debug "Unhandled SQL method: #{method}"
                       end
@@ -226,8 +225,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
         :confidence => confidence
     end
 
-    if check_for_limit_or_offset_vulnerability args[-1]
-      if include_user_input? args[-1]
+    if check_for_limit_or_offset_vulnerability call.last_arg
+      if include_user_input? call.last_arg
         confidence = CONFIDENCE[:high]
       else
         confidence = CONFIDENCE[:low]
@@ -259,25 +258,26 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     unsafe_sql? arg
   end
 
-  def check_scope_arguments args
-    return unless node_type? args, :arglist
+  def check_scope_arguments call
+    scope_arg = call.second_arg #first arg is name of scope
 
-    if node_type? args[2], :iter
-      unsafe_sql? args[2][-1]
+    if node_type? scope_arg, :iter
+      unsafe_sql? scope_arg.block
     else
-      unsafe_sql? args[2]
+      unsafe_sql? scope_arg
     end
   end
 
   def check_query_arguments arg
     return unless sexp? arg
+    first_arg = arg[1]
 
     if node_type? arg, :arglist
-      if arg.length > 2 and node_type? arg[1], :string_interp, :dstr
+      if arg.length > 2 and node_type? first_arg, :string_interp, :dstr
         # Model.where("blah = ?", blah)
-        return check_string_interp arg[1]
+        return check_string_interp first_arg
       else
-        arg = arg[1]
+        arg = first_arg
       end
     end
 
@@ -319,7 +319,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   def check_by_sql_arguments arg
     return unless sexp? arg
 
-    #This is kind of necessary, because unsafe_sql? will handle an array
+    #This is kind of unnecessary, because unsafe_sql? will handle an array
     #correctly, but might be better to be explicit.
     if array? arg
       unsafe_sql? arg[1]
@@ -457,7 +457,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   def check_hash_values exp
     hash_iterate(exp) do |key, value|
       if symbol? key
-        unsafe = case key[1]
+        unsafe = case key.value
                  when :conditions, :having, :select
                    check_query_arguments value
                  when :order, :group
@@ -486,9 +486,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
 
     target = exp.target
     method = exp.method
-    args = exp.args
 
-    if string? target or string? args.first
+    if string? target or string? exp.first_arg
       if STRING_METHODS.include? method
         return exp
       end
@@ -500,7 +499,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   IGNORE_METHODS_IN_SQL = Set[:id, :merge_conditions, :table_name, :to_i, :to_f,
     :sanitize_sql, :sanitize_sql_array, :sanitize_sql_for_assignment,
     :sanitize_sql_for_conditions, :sanitize_sql_hash,
-    :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions]
+    :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
+    :to_sql]
 
   def safe_value? exp
     return true unless sexp? exp