brakeman 2.5.0 → 2.6.0

data/lib/brakeman/checks/check_skip_before_filter.rb

@@ -31,7 +31,7 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
         :message => "Use whitelist (:only => [..]) when skipping CSRF check",
         :code => filter,
         :confidence => CONFIDENCE[:med],
-        :file => controller[:file]
+        :file => controller[:files].first
 
     when :login_required, :authenticate_user!, :require_user
       warn :controller => controller[:name],
@@ -41,7 +41,7 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
         :code => filter,
         :confidence => CONFIDENCE[:med],
         :link => "authentication_whitelist",
-        :file => controller[:file]
+        :file => controller[:files].first
     end
   end
 

data/lib/brakeman/checks/check_sql.rb

@@ -19,6 +19,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     @sql_targets = [:all, :average, :calculate, :count, :count_by_sql, :exists?, :delete_all, :destroy_all,
       :find, :find_by_sql, :first, :last, :maximum, :minimum, :pluck, :sum, :update_all]
     @sql_targets.concat [:from, :group, :having, :joins, :lock, :order, :reorder, :select, :where] if tracker.options[:rails3]
+    @sql_targets << :find_by << :find_by! if version_between? "4.0.0", "9.9.9"
 
     @connection_calls = [:delete, :execute, :insert, :select_all, :select_one,
       :select_rows, :select_value, :select_values]
@@ -172,7 +173,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
                         else
                           check_find_arguments call.last_arg
                         end
-                      when :where, :having
+                      when :where, :having, :find_by, :find_by!
                         check_query_arguments call.arglist
                       when :order, :group, :reorder
                         check_order_arguments call.arglist

data/lib/brakeman/file_parser.rb

@@ -0,0 +1,49 @@
+module Brakeman
+  ASTFile = Struct.new(:path, :ast)
+
+  # This class handles reading and parsing files.
+  class FileParser
+    attr_reader :file_list
+
+    def initialize tracker, app_tree
+      @tracker = tracker
+      @app_tree = app_tree
+      @file_list = {}
+    end
+
+    def parse_files list, type
+      read_files list, type do |path, contents|
+        if ast = parse_ruby(contents, path)
+          ASTFile.new(path, ast)
+        end
+      end
+    end
+
+    def read_files list, type
+      @file_list[type] ||= []
+
+      list.each do |path|
+        result = yield path, read_path(path)
+        if result
+          @file_list[type] << result
+        end
+      end
+    end
+
+    def parse_ruby input, path
+      begin
+        RubyParser.new.parse input, path
+      rescue Racc::ParseError => e
+        @tracker.error e, "Could not parse #{path}"
+        nil
+      rescue => e
+        @tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
+        nil
+      end
+    end
+
+    def read_path path
+      @app_tree.read_path path
+    end
+  end
+end

data/lib/brakeman/options.rb

@@ -87,7 +87,7 @@ module Brakeman::Options
           options[:check_arguments] = !option
         end
 
-        opts.on "-s", "--safe-methods meth1,meth2,etc", Array, "Consider the specified methods safe" do |methods|
+        opts.on "-s", "--safe-methods meth1,meth2,etc", Array, "Set methods as safe for unescaped output in views" do |methods|
           options[:safe_methods] ||= Set.new
           options[:safe_methods].merge methods.map {|e| e.to_sym }
         end

data/lib/brakeman/parsers/template_parser.rb

@@ -0,0 +1,88 @@
+module Brakeman
+  class TemplateParser
+    include Brakeman::Util
+    attr_reader :tracker
+    KNOWN_TEMPLATE_EXTENSIONS = /.*\.(erb|haml|rhtml|slim)$/
+
+    TemplateFile = Struct.new(:path, :ast, :name, :type)
+
+    def initialize tracker, file_parser
+      @tracker = tracker
+      @file_parser = file_parser
+      @file_parser.file_list[:templates] ||= []
+    end
+
+    def parse_template path, text
+      type = path.match(KNOWN_TEMPLATE_EXTENSIONS)[1].to_sym
+      type = :erb if type == :rhtml
+      name = template_path_to_name path
+
+      begin
+        src = case type
+              when :erb
+                type = :erubis if erubis?
+                parse_erb text
+              when :haml
+                parse_haml text
+              when :slim
+                parse_slim text
+              else
+                tracker.error "Unkown template type in #{path}"
+                nil
+              end
+
+        if src and ast = @file_parser.parse_ruby(src, path)
+          @file_parser.file_list[:templates] << TemplateFile.new(path, ast, name, type)
+        end
+      rescue Racc::ParseError => e
+        tracker.error e, "could not parse #{path}"
+      rescue Haml::Error => e
+        tracker.error e, ["While compiling HAML in #{path}"] << e.backtrace
+      rescue StandardError, LoadError => e
+        tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
+      end
+
+      nil
+    end
+
+    def parse_erb text
+      if tracker.config[:escape_html]
+        if tracker.options[:rails3]
+          require 'brakeman/parsers/rails3_erubis'
+          Brakeman::Rails3Erubis.new(text).src
+        else
+          require 'brakeman/parsers/rails2_xss_plugin_erubis'
+          Brakeman::Rails2XSSPluginErubis.new(text).src
+        end
+      elsif tracker.config[:erubis]
+        require 'brakeman/parsers/rails2_erubis'
+        Brakeman::ScannerErubis.new(text).src
+      else
+        require 'erb'
+        src = ERB.new(text, nil, "-").src
+        src.sub!(/^#.*\n/, '') if Brakeman::Scanner::RUBY_1_9
+        src
+      end
+    end
+
+    def erubis?
+      tracker.config[:escape_html] or
+      tracker.config[:erubis]
+    end
+
+    def parse_haml text
+      Brakeman.load_brakeman_dependency 'haml'
+      Brakeman.load_brakeman_dependency 'sass'
+
+      Haml::Engine.new(text,
+                       :escape_html => !!tracker.config[:escape_html]).precompiled
+    end
+
+    def parse_slim text
+      Brakeman.load_brakeman_dependency 'slim'
+
+      Slim::Template.new(:disable_capture => true,
+                         :generator => Temple::Generators::RailsOutputBuffer) { text }.precompiled_template
+    end
+  end
+end

data/lib/brakeman/processors/alias_processor.rb

@@ -257,12 +257,18 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   #Local assignment
   # x = 1
   def process_lasgn exp
+    self_assign = self_assign?(exp.lhs, exp.rhs)
     exp.rhs = process exp.rhs if sexp? exp.rhs
     return exp if exp.rhs.nil?
 
     local = Sexp.new(:lvar, exp.lhs).line(exp.line || -2)
 
-    set_value local, exp.rhs
+    if self_assign
+      # Skip branching
+      env[local] = exp.rhs
+    else
+      set_value local, exp.rhs
+    end
 
     exp
   end
@@ -270,10 +276,19 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   #Instance variable assignment
   # @x = 1
   def process_iasgn exp
+    self_assign = self_assign?(exp.lhs, exp.rhs)
     exp.rhs = process exp.rhs
     ivar = Sexp.new(:ivar, exp.lhs).line(exp.line)
 
-    set_value ivar, exp.rhs
+    if self_assign
+      if env[ivar].nil? and @meth_env
+        @meth_env[ivar] = exp.rhs
+      else
+        env[ivar] = exp.rhs
+      end
+    else
+      set_value ivar, exp.rhs
+    end
 
     exp
   end
@@ -727,6 +742,14 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     end
   end
 
+  #Return true if for x += blah or @x += blah
+  def self_assign? var, value
+    call? value and
+    value.method == :+ and
+    node_type? value.target, :lvar, :ivar and
+    value.target.value == var
+  end
+
   def value_from_if exp
     if block? exp.else_clause or block? exp.then_clause
       #If either clause is more than a single expression, just use entire

data/lib/brakeman/processors/controller_alias_processor.rb

@@ -48,7 +48,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
         #Need to process the method like it was in a controller in order
         #to get the renders set
         processor = Brakeman::ControllerProcessor.new(@app_tree, @tracker)
-        method = mixin[:public][name].deep_clone
+        method = mixin[:public][name][:src].deep_clone
 
         if node_type? method, :methdef
           method = processor.process_defn method
@@ -206,7 +206,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
       true
     else
       routes = @tracker.routes[@current_class]
-      routes and (routes == :allow_all_actions or routes.include? method)
+      routes and (routes.include? :allow_all_actions or routes.include? method)
     end
   end
 
@@ -323,7 +323,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
 
         @method_cache[method_name] = find_method method_name, controller[:parent]
       else
-        @method_cache[method_name] = { :controller => controller[:name], :method => method }
+        @method_cache[method_name] = { :controller => controller[:name], :method => method[:src] }
       end
     else
       nil

data/lib/brakeman/processors/controller_processor.rb

@@ -7,7 +7,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
   def initialize app_tree, tracker
     super(tracker)
     @app_tree = app_tree
-    @controller = nil
+    @current_class = nil
     @current_method = nil
     @current_module = nil
     @visibility = :public
@@ -28,7 +28,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     #If inside a real controller, treat any other classes as libraries.
     #But if not inside a controller already, then the class may include
     #a real controller, so we can't take this shortcut.
-    if @controller and @controller[:name].to_s.end_with? "Controller"
+    if @current_class and @current_class[:name].to_s.end_with? "Controller"
       Brakeman.debug "[Notice] Treating inner class as library: #{name}"
       Brakeman::LibraryProcessor.new(@tracker).process_library exp, @file_name
       return exp
@@ -36,57 +36,98 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
 
     if not name.to_s.end_with? "Controller"
       Brakeman.debug "[Notice] Adding noncontroller as library: #{name}"
-
-      current_controller = @controller
-
       #Set the class to be a module in order to get the right namespacing.
       #Add class to libraries, in case it is needed later (e.g. it's used
       #as a parent class for a controller.)
       #However, still want to process it in this class, so have to set
-      #@controller to this not-really-a-controller thing.
-      process_module exp do
-        name = @current_module
-
-        if @tracker.libs[name.to_sym]
-          @controller = @tracker.libs[name]
-        else
-          set_controller name, parent, exp
-          @tracker.libs[name.to_sym] = @controller
-        end
-
-        process_all exp.body
-      end
-
-      @controller = current_controller
+      #@current_class to this not-really-a-controller thing.
+      process_module exp, parent
 
       return exp
     end
 
-    if @current_module
-      name = (@current_module.to_s + "::" + name.to_s).to_sym
+    if @current_class
+      outer_class = @current_class
+      name = (outer_class[:name].to_s + "::" + name.to_s).to_sym
     end
 
-    set_controller name, parent, exp
+    if @current_module
+      name = (@current_module[:name].to_s + "::" + name.to_s).to_sym
+    end
 
-    @tracker.controllers[@controller[:name]] = @controller
+    if @tracker.controllers[name]
+      @current_class = @tracker.controllers[name]
+      @current_class[:files] << @file_name unless @current_class[:files].include? @file_name
+      @current_class[:src][@file_name] = exp
+    else
+      @current_class = {
+        :name => name,
+        :parent => parent,
+        :includes => [],
+        :public => {},
+        :private => {},
+        :protected => {},
+        :options => {:before_filters => []},
+        :src => { @file_name => exp },
+        :files => [ @file_name ]
+      }
+
+      @tracker.controllers[name] = @current_class
+    end
 
     exp.body = process_all! exp.body
     set_layout_name
 
-    @controller = nil
+    if outer_class
+      @current_class = outer_class
+    else
+      @current_class = nil
+    end
+
     exp
   end
 
-  def set_controller name, parent, exp
-    @controller = { :name => name,
-                    :parent => parent,
-                    :includes => [],
-                    :public => {},
-                    :private => {},
-                    :protected => {},
-                    :options => {:before_filters => []},
-                    :src => exp,
-                    :file => @file_name }
+  def process_module exp, parent = nil
+    name = class_name(exp.module_name)
+
+    if @current_module
+      outer_module = @current_module
+      name = (outer_module[:name].to_s + "::" + name.to_s).to_sym
+    end
+
+    if @current_class
+      name = (@current_class[:name].to_s + "::" + name.to_s).to_sym
+    end
+
+    if @tracker.libs[name]
+      @current_module = @tracker.libs[name]
+      @current_module[:files] << @file_name unless @current_module[:files].include? @file_name
+      @current_module[:src][@file_name] = exp
+    else
+      @current_module = {
+        :name => name,
+        :parent => parent,
+        :includes => [],
+        :public => {},
+        :private => {},
+        :protected => {},
+        :options => {:before_filters => []},
+        :src => { @file_name => exp },
+        :files => [ @file_name ]
+      }
+
+      @tracker.libs[name] = @current_module
+    end
+
+    exp.body = process_all! exp.body
+
+    if outer_module
+      @current_module = outer_module
+    else
+      @current_module = nil
+    end
+
+    exp
   end
 
   #Look for specific calls inside the controller
@@ -102,41 +143,41 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
 
     #Methods called inside class definition
     #like attr_* and other settings
-    if @current_method.nil? and target.nil? and @controller
+    if @current_method.nil? and target.nil? and @current_class
       if first_arg.nil? #No args
         case method
         when :private, :protected, :public
           @visibility = method
         when :protect_from_forgery
-          @controller[:options][:protect_from_forgery] = true
+          @current_class[:options][:protect_from_forgery] = true
         else
           #??
         end
       else
         case method
         when :include
-          @controller[:includes] << class_name(first_arg) if @controller
+          @current_class[:includes] << class_name(first_arg) if @current_class
         when :before_filter, :append_before_filter, :before_action, :append_before_action
-          @controller[:options][:before_filters] << exp.args
+          @current_class[:options][:before_filters] << exp.args
         when :prepend_before_filter, :prepend_before_action
-          @controller[:options][:before_filters].unshift exp.args
+          @current_class[:options][:before_filters].unshift exp.args
         when :layout
           if string? last_arg
             #layout "some_layout"
 
             name = last_arg.value.to_s
             if @app_tree.layout_exists?(name)
-              @controller[:layout] = "layouts/#{name}"
+              @current_class[:layout] = "layouts/#{name}"
             else
               Brakeman.debug "[Notice] Layout not found: #{name}"
             end
           elsif node_type? last_arg, :nil, :false
             #layout :false or layout nil
-            @controller[:layout] = false
+            @current_class[:layout] = false
           end
         else
-          @controller[:options][method] ||= []
-          @controller[:options][method] << exp
+          @current_class[:options][method] ||= []
+          @current_class[:options][method] << exp
         end
       end
 
@@ -165,7 +206,13 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     res = Sexp.new :methdef, name, exp.formal_args, *process_all!(exp.body)
     res.line(exp.line)
     @current_method = nil
-    @controller[@visibility][name] = res unless @controller.nil?
+
+    if @current_class
+      @current_class[@visibility][name] = { :src => res, :file => @file_name }
+    elsif @current_module
+      @current_module[@visibility][name] = { :src => res, :file => @file_name }
+    end
+
     res
   end
 
@@ -174,8 +221,8 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     name = exp.method_name
 
     if exp[1].node_type == :self
-      if @controller
-        target = @controller[:name]
+      if @current_class
+        target = @current_class[:name]
       elsif @current_module
         target = @current_module
       else
@@ -189,7 +236,12 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     res = Sexp.new :selfdef, target, name, exp.formal_args, *process_all!(exp.body)
     res.line(exp.line)
     @current_method = nil
-    @controller[@visibility][name] = res unless @controller.nil?
+
+    if @current_class
+      @current_class[@visibility][name] = { :src => res, :file => @file_name }
+    elsif @current_module
+      @current_module[@visibility][name] = { :src => res, :file => @file_name }
+    end
 
     res
   end
@@ -206,13 +258,13 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
 
   #Sets default layout for renders inside Controller
   def set_layout_name
-    return if @controller[:layout]
+    return if @current_class[:layout]
 
-    name = underscore(@controller[:name].to_s.split("::")[-1].gsub("Controller", ''))
+    name = underscore(@current_class[:name].to_s.split("::")[-1].gsub("Controller", ''))
 
     #There is a layout for this Controller
     if @app_tree.layout_exists?(name)
-      @controller[:layout] = "layouts/#{name}"
+      @current_class[:layout] = "layouts/#{name}"
     end
   end
 
@@ -221,7 +273,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
   #We build a new method and process that the same way as usual
   #methods and filters.
   def add_fake_filter exp
-    unless @controller
+    unless @current_class
       Brakeman.debug "Skipping before_filter outside controller: #{exp}"
       return exp
     end
@@ -245,8 +297,8 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
 
     #Build Sexp for filter method
     body = Sexp.new(:lasgn,
-                    block_variable, 
-                    Sexp.new(:call, Sexp.new(:const, @controller[:name]), :new))
+                    block_variable,
+                    Sexp.new(:call, Sexp.new(:const, @current_class[:name]), :new))
 
     filter_method = Sexp.new(:defn, filter_name, Sexp.new(:args), body).concat(block_inner).line(exp.line)