RubyGems - brakeman - Versions diffs - 3.0.5 → 3.1.0 - Mend

brakeman 3.0.5 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (94) hide show

checksums.yaml +4 -4
data/CHANGES +19 -0
data/README.md +3 -13
data/lib/brakeman.rb +3 -0
data/lib/brakeman/checks/base_check.rb +19 -47
data/lib/brakeman/checks/check_basic_auth.rb +3 -3
data/lib/brakeman/checks/check_cross_site_scripting.rb +26 -12
data/lib/brakeman/checks/check_default_routes.rb +1 -1
data/lib/brakeman/checks/check_detailed_exceptions.rb +2 -2
data/lib/brakeman/checks/check_evaluation.rb +3 -0
data/lib/brakeman/checks/check_execute.rb +3 -3
data/lib/brakeman/checks/check_file_disclosure.rb +2 -2
data/lib/brakeman/checks/check_forgery_setting.rb +9 -12
data/lib/brakeman/checks/check_header_dos.rb +1 -1
data/lib/brakeman/checks/check_i18n_xss.rb +2 -2
data/lib/brakeman/checks/check_jruby_xml.rb +1 -1
data/lib/brakeman/checks/check_json_encoding.rb +1 -1
data/lib/brakeman/checks/check_json_parsing.rb +3 -3
data/lib/brakeman/checks/check_link_to.rb +1 -1
data/lib/brakeman/checks/check_link_to_href.rb +9 -2
data/lib/brakeman/checks/check_mass_assignment.rb +5 -2
data/lib/brakeman/checks/check_model_attr_accessible.rb +4 -4
data/lib/brakeman/checks/check_model_attributes.rb +7 -7
data/lib/brakeman/checks/check_model_serialize.rb +6 -6
data/lib/brakeman/checks/check_nested_attributes.rb +2 -2
data/lib/brakeman/checks/check_number_to_currency.rb +2 -2
data/lib/brakeman/checks/check_quote_table_name.rb +1 -1
data/lib/brakeman/checks/check_redirect.rb +2 -10
data/lib/brakeman/checks/check_render.rb +1 -1
data/lib/brakeman/checks/check_render_dos.rb +1 -1
data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +1 -1
data/lib/brakeman/checks/check_sanitize_methods.rb +1 -1
data/lib/brakeman/checks/check_select_tag.rb +1 -1
data/lib/brakeman/checks/check_select_vulnerability.rb +2 -2
data/lib/brakeman/checks/check_session_settings.rb +1 -2
data/lib/brakeman/checks/check_simple_format.rb +2 -2
data/lib/brakeman/checks/check_single_quotes.rb +3 -3
data/lib/brakeman/checks/check_skip_before_filter.rb +5 -7
data/lib/brakeman/checks/check_sql.rb +10 -14
data/lib/brakeman/checks/check_sql_cves.rb +4 -4
data/lib/brakeman/checks/check_ssl_verify.rb +27 -9
data/lib/brakeman/checks/check_strip_tags.rb +5 -5
data/lib/brakeman/checks/check_symbol_dos_cve.rb +1 -1
data/lib/brakeman/checks/check_translate_bug.rb +3 -4
data/lib/brakeman/checks/check_unscoped_find.rb +1 -1
data/lib/brakeman/checks/check_validation_regex.rb +2 -2
data/lib/brakeman/checks/check_xml_dos.rb +1 -1
data/lib/brakeman/checks/check_yaml_parsing.rb +1 -1
data/lib/brakeman/file_parser.rb +1 -0
data/lib/brakeman/parsers/template_parser.rb +6 -5
data/lib/brakeman/processor.rb +7 -7
data/lib/brakeman/processors/alias_processor.rb +30 -12
data/lib/brakeman/processors/base_processor.rb +4 -8
data/lib/brakeman/processors/controller_alias_processor.rb +33 -132
data/lib/brakeman/processors/controller_processor.rb +29 -53
data/lib/brakeman/processors/erb_template_processor.rb +4 -6
data/lib/brakeman/processors/erubis_template_processor.rb +8 -11
data/lib/brakeman/processors/gem_processor.rb +19 -35
data/lib/brakeman/processors/haml_template_processor.rb +10 -12
data/lib/brakeman/processors/lib/find_all_calls.rb +3 -5
data/lib/brakeman/processors/lib/find_call.rb +2 -2
data/lib/brakeman/processors/lib/find_return_value.rb +1 -1
data/lib/brakeman/processors/lib/rails2_config_processor.rb +7 -8
data/lib/brakeman/processors/lib/rails3_config_processor.rb +6 -7
data/lib/brakeman/processors/lib/render_helper.rb +15 -14
data/lib/brakeman/processors/lib/render_path.rb +11 -5
data/lib/brakeman/processors/library_processor.rb +13 -35
data/lib/brakeman/processors/model_processor.rb +22 -64
data/lib/brakeman/processors/output_processor.rb +1 -37
data/lib/brakeman/processors/slim_template_processor.rb +6 -8
data/lib/brakeman/processors/template_alias_processor.rb +9 -9
data/lib/brakeman/processors/template_processor.rb +5 -9
data/lib/brakeman/report/report_base.rb +7 -7
data/lib/brakeman/report/report_html.rb +5 -7
data/lib/brakeman/report/report_markdown.rb +4 -6
data/lib/brakeman/report/report_table.rb +4 -6
data/lib/brakeman/rescanner.rb +29 -31
data/lib/brakeman/scanner.rb +17 -8
data/lib/brakeman/tracker.rb +24 -34
data/lib/brakeman/tracker/collection.rb +77 -0
data/lib/brakeman/tracker/config.rb +93 -0
data/lib/brakeman/tracker/controller.rb +161 -0
data/lib/brakeman/tracker/library.rb +17 -0
data/lib/brakeman/tracker/model.rb +90 -0
data/lib/brakeman/tracker/template.rb +33 -0
data/lib/brakeman/util.rb +17 -9
data/lib/brakeman/version.rb +1 -1
data/lib/brakeman/warning.rb +8 -9
data/lib/ruby_parser/bm_sexp.rb +16 -16
data/lib/ruby_parser/bm_sexp_processor.rb +1 -120
metadata +42 -31
checksums.yaml.gz.sig +0 -1
data.tar.gz.sig +0 -0
metadata.gz.sig +0 -0

data/lib/brakeman/processors/lib/render_path.rb CHANGED

@@ -6,19 +6,25 @@ module Brakeman
       @path = []
     end
-    def add_controller_render controller_name, method_name
+    def add_controller_render controller_name, method_name, line, file
       method_name ||= ""
       @path << { :type => :controller,
                  :class => controller_name.to_sym,
-                 :method => method_name.to_sym }
+                 :method => method_name.to_sym,
+                 :line => line,
+                 :file => file
+                }
       self
     end
-    def add_template_render template_name
+    def add_template_render template_name, line, file
       @path << { :type => :template,
-                 :name => template_name.to_sym }
+                 :name => template_name.to_sym,
+                 :line => line,
+                 :file => file
+               }
       self
     end
@@ -89,7 +95,7 @@ module Brakeman
     end
     def to_json *args
-      MultiJson.dump(self.to_a)
+      MultiJson.dump(@path)
     end
     def initialize_copy original

data/lib/brakeman/processors/library_processor.rb CHANGED

@@ -1,5 +1,6 @@
 require 'brakeman/processors/base_processor'
 require 'brakeman/processors/alias_processor'
+require 'brakeman/tracker/library'
 #Process generic library and stores it in Tracker.libs
 class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
@@ -23,29 +24,18 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
     if @current_class
       outer_class = @current_class
-      name = (outer_class[:name].to_s + "::" + name.to_s).to_sym
+      name = (outer_class.name.to_s + "::" + name.to_s).to_sym
     end
     if @current_module
-      name = (@current_module[:name].to_s + "::" + name.to_s).to_sym
+      name = (@current_module.name.to_s + "::" + name.to_s).to_sym
     end
     if @tracker.libs[name]
       @current_class = @tracker.libs[name]
-      @current_class[:files] << @file_name unless @current_class[:files].include? @file_name
-      @current_class[:src][@file_name] = exp
+      @current_class.add_file @file_name, exp
     else
-      @current_class = {
-        :name => name,
-        :parent => parent,
-        :includes => [],
-        :public => {},
-        :private => {},
-        :protected => {},
-        :src => { @file_name => exp },
-        :files => [ @file_name ]
-      }
+      @current_class = Brakeman::Library.new name, parent, @file_name, exp, @tracker
       @tracker.libs[name] = @current_class
     end
@@ -65,28 +55,18 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
     if @current_module
       outer_module = @current_module
-      name = (outer_module[:name].to_s + "::" + name.to_s).to_sym
+      name = (outer_module.name.to_s + "::" + name.to_s).to_sym
     end
     if @current_class
-      name = (@current_class[:name].to_s + "::" + name.to_s).to_sym
+      name = (@current_class.name.to_s + "::" + name.to_s).to_sym
     end
     if @tracker.libs[name]
       @current_module = @tracker.libs[name]
-      @current_module[:files] << @file_name unless @current_module[:files].include? @file_name
-      @current_module[:src][@file_name] = exp
+      @current_module.add_file @file_name, exp
     else
-      @current_module = {
-        :name => name,
-        :includes => [],
-        :public => {},
-        :private => {},
-        :protected => {},
-        :src => { @file_name => exp },
-        :files => [ @file_name ]
-      }
+      @current_module = Brakeman::Library.new name, nil, @file_name, exp, @tracker
       @tracker.libs[name] = @current_module
     end
@@ -103,14 +83,13 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
   def process_defn exp
     exp = @alias_processor.process exp
-    exp.node_type = :methdef
     if @current_class
       exp.body = process_all! exp.body
-      @current_class[:public][exp.method_name] = { :src => exp, :file => @file_name }
+      @current_class.add_method :public, exp.method_name, exp, @file_name
     elsif @current_module
       exp.body = process_all! exp.body
-      @current_module[:public][exp.method_name] = { :src => exp, :file => @file_name }
+      @current_module.add_method :public, exp.method_name, exp, @file_name
     end
     exp
@@ -118,14 +97,13 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
   def process_defs exp
     exp = @alias_processor.process exp
-    exp.node_type = :selfdef
     if @current_class
       exp.body = process_all! exp.body
-      @current_class[:public][exp.method_name] = { :src => exp, :file => @file_name }
+      @current_class.add_method :public, exp.method_name, exp, @file_name
     elsif @current_module
       exp.body = process_all! exp.body
-      @current_module[:public][exp.method_name] = { :src => exp, :file => @file_name }
+      @current_module.add_method :public, exp.method_name, exp, @file_name
     end
     exp

data/lib/brakeman/processors/model_processor.rb CHANGED

@@ -1,10 +1,9 @@
 require 'brakeman/processors/base_processor'
+require 'brakeman/tracker/model'
 #Processes models. Puts results in tracker.models
 class Brakeman::ModelProcessor < Brakeman::BaseProcessor
-  ASSOCIATIONS = Set[:belongs_to, :has_one, :has_many, :has_and_belongs_to_many]
   def initialize tracker
     super
     @current_class = nil
@@ -34,31 +33,18 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
     if @current_class
       outer_class = @current_class
-      name = (outer_class[:name].to_s + "::" + name.to_s).to_sym
+      name = (outer_class.name.to_s + "::" + name.to_s).to_sym
     end
     if @current_module
-      name = (@current_module[:name].to_s + "::" + name.to_s).to_sym
+      name = (@current_module.name.to_s + "::" + name.to_s).to_sym
     end
     if @tracker.models[name]
       @current_class = @tracker.models[name]
-      @current_class[:files] << @file_name unless @current_class[:files].include? @file_name
-      @current_class[:src][@file_name] = exp
+      @current_class.add_file @file_name, exp
     else
-      @current_class = {
-        :name => name,
-        :parent => parent,
-        :includes => [],
-        :public => {},
-        :private => {},
-        :protected => {},
-        :options => {},
-        :src => { @file_name => exp },
-        :associations => {},
-        :files => [ @file_name ]
-      }
+      @current_class = Brakeman::Model.new name, parent, @file_name, exp, @tracker
       @tracker.models[name] = @current_class
     end
@@ -78,30 +64,18 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
     if @current_module
       outer_module = @current_module
-      name = (outer_module[:name].to_s + "::" + name.to_s).to_sym
+      name = (outer_module.name.to_s + "::" + name.to_s).to_sym
     end
     if @current_class
-      name = (@current_class[:name].to_s + "::" + name.to_s).to_sym
+      name = (@current_class.name.to_s + "::" + name.to_s).to_sym
     end
     if @tracker.libs[name]
       @current_module = @tracker.libs[name]
-      @current_module[:files] << @file_name unless @current_module[:files].include? @file_name
-      @current_module[:src][@file_name] = exp
+      @current_module.add_file @file_name, exp
     else
-      @current_module = {
-        :name => name,
-        :includes => [],
-        :public => {},
-        :private => {},
-        :protected => {},
-        :options => {},
-        :src => { @file_name => exp },
-        :associations => {},
-        :files => [ @file_name ]
-      }
+      @current_module = Brakeman::Model.new name, nil, @file_name, exp, @tracker
       @tracker.libs[name] = @current_module
     end
@@ -136,37 +110,21 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
         when :private, :protected, :public
           @visibility = method
         when :attr_accessible
-          @current_class[:attr_accessible] ||= []
+          @current_class.set_attr_accessible
         else
           #??
         end
       else
         case method
         when :include
-          @current_class[:includes] << class_name(first_arg) if @current_class
+          @current_class.add_include class_name(first_arg) if @current_class
         when :attr_accessible
-          @current_class[:attr_accessible] ||= []
-          args = []
-          exp.each_arg do |e|
-            if node_type? e, :lit
-              args << e.value
-            elsif hash? e
-              @current_class[:options][:role_accessible] ||= []
-              @current_class[:options][:role_accessible].concat args
-            end
-          end
-          @current_class[:attr_accessible].concat args
+          @current_class.set_attr_accessible exp
+        when :attr_protected
+          @current_class.set_attr_protected exp
         else
           if @current_class
-            if ASSOCIATIONS.include? method
-              @current_class[:associations][method] ||= []
-              @current_class[:associations][method].concat exp.args
-            else
-              @current_class[:options][method] ||= []
-              @current_class[:options][method] << exp.arglist.line(exp.line)
-            end
+            @current_class.add_option method, exp
           end
         end
       end
@@ -185,14 +143,14 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
     name = exp.method_name
     @current_method = name
-    res = Sexp.new :methdef, name, exp.formal_args, *process_all!(exp.body)
+    res = Sexp.new :defn, name, exp.formal_args, *process_all!(exp.body)
     res.line(exp.line)
     @current_method = nil
     if @current_class
-      @current_class[@visibility][name] = { :src => res, :file => @file_name }
+      @current_class.add_method @visibility, name, res, @file_name
     elsif @current_module
-      @current_module[@visibility][name] = { :src => res, :file => @file_name }
+      @current_module.add_method @visibility, name, res, @file_name
     end
     res
@@ -205,7 +163,7 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
     if exp[1].node_type == :self
       if @current_class
-        target = @current_class[:name]
+        target = @current_class.name
       elsif @current_module
         target = @current_module
       else
@@ -216,14 +174,14 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
     end
     @current_method = name
-    res = Sexp.new :selfdef, target, name, exp.formal_args, *process_all!(exp.body)
+    res = Sexp.new :defs, target, name, exp.formal_args, *process_all!(exp.body)
     res.line(exp.line)
     @current_method = nil
     if @current_class
-      @current_class[@visibility][name] = { :src => res, :file => @file_name }
+      @current_class.add_method @visibility, name, res, @file_name
     elsif @current_module
-      @current_module[@visibility][name] = { :src => res, :file => @file_name }
+      @current_module.add_method @visibility, name, res, @file_name
     end
     res
   end

data/lib/brakeman/processors/output_processor.rb CHANGED

@@ -43,9 +43,6 @@ class Brakeman::OutputProcessor < Ruby2Ruby
     "cookies"
   end
-  alias process_string_interp process_dstr
-  alias process_string_eval process_evstr
   def process_rlist exp
     out = exp.map do |e|
       res = process e
@@ -80,9 +77,7 @@ class Brakeman::OutputProcessor < Ruby2Ruby
     return "def #{name}#{args}\n#{body}\nend".gsub(/\n\s*\n+/, "\n")
   end
-  alias process_methdef process_defn
-  def process_call_with_block exp
+  def process_iter exp
     call = process exp[0]
     block = process_rlist exp[2..-1]
     out = "#{call} do\n #{block}\n end"
@@ -173,35 +168,4 @@ class Brakeman::OutputProcessor < Ruby2Ruby
     exp.clear
     out
   end
-  #This is copied from Ruby2Ruby, except the :string_eval type has been added
-  def util_dthing(type, exp)
-    s = []
-    # first item in sexp is a string literal
-    s << dthing_escape(type, exp.shift)
-    until exp.empty?
-      pt = exp.shift
-      case pt
-      when Sexp then
-        case pt.first
-        when :str then
-          s << dthing_escape(type, pt.last)
-        when :evstr, :string_eval then
-          s << '#{' << process(pt) << '}' # do not use interpolation here
-        else
-          raise "unknown type: #{pt.inspect}"
-        end
-      when String then
-        s << pt
-      else
-        # HACK: raise "huh?: #{pt.inspect}" -- hitting # constants in regexps
-        # do nothing for now
-      end
-    end
-    s.join
-  end
 end

data/lib/brakeman/processors/slim_template_processor.rb CHANGED

@@ -25,7 +25,7 @@ class Brakeman::SlimTemplateProcessor < Brakeman::TemplateProcessor
         ignore
       elsif render? arg
         make_output make_render_in_view arg
-      elsif node_type? arg, :interp, :dstr
+      elsif string_interp? arg
         process_inside_interp arg
       elsif node_type? arg, :ignore
         ignore
@@ -38,24 +38,22 @@ class Brakeman::SlimTemplateProcessor < Brakeman::TemplateProcessor
       exp.arglist = process exp.arglist
       make_render_in_view exp
     else
-      call = make_call target, method, process_all!(exp.args)
-      call.original_line = exp.original_line
-      call.line(exp.line)
-      call
+      exp.arglist = process exp.arglist
+      exp
     end
   end
   def make_output exp
     s = Sexp.new :output, exp
     s.line(exp.line)
-    @current_template[:outputs] << s
+    @current_template.add_output s
     s
   end
   def make_escaped_output exp
     s = Sexp.new :escaped_output, exp.first_arg
     s.line(exp.line)
-    @current_template[:outputs] << s
+    @current_template.add_output s
     s
   end
@@ -63,7 +61,7 @@ class Brakeman::SlimTemplateProcessor < Brakeman::TemplateProcessor
   #Better to pull those values out directly.
   def process_inside_interp exp
     exp.map! do |e|
-      if node_type? e, :evstr, :string_eval
+      if node_type? e, :evstr
         e.value = process_interp_output e.value
         e
       else

data/lib/brakeman/processors/template_alias_processor.rb CHANGED

@@ -18,23 +18,25 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
   end
   #Process template
-  def process_template name, args
+  def process_template name, args, _, line = nil
+    file = relative_path(@template.file || @tracker.templates[@template.name])
     if @called_from
       if @called_from.include_template? name
-        Brakeman.debug "Skipping circular render from #{@template[:name]} to #{name}"
+        Brakeman.debug "Skipping circular render from #{@template.name} to #{name}"
         return
       end
-      super name, args, @called_from.dup.add_template_render(@template[:name])
+      super name, args, @called_from.dup.add_template_render(@template.name, line, file)
     else
-      super name, args, Brakeman::RenderPath.new.add_template_render(@template[:name])
+      super name, args, Brakeman::RenderPath.new.add_template_render(@template.name, line, file)
     end
   end
   #Determine template name
   def template_name name
-    if !name.to_s.include?('/') && @template[:name].to_s.include?('/')
-      name = "#{@template[:name].to_s.match(/^(.*\/).*$/)[1]}#{name}"
+    if !name.to_s.include?('/') && @template.name.to_s.include?('/')
+      name = "#{@template.name.to_s.match(/^(.*\/).*$/)[1]}#{name}"
     end
     name
   end
@@ -43,7 +45,7 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
   FORM_BUILDER_CALL = Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new)
   #Looks for form methods and iterating over collections of Models
-  def process_call_with_block exp
+  def process_iter exp
     process_default exp
     call = exp.block_call
@@ -77,8 +79,6 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
     exp
   end
-  alias process_iter process_call_with_block
   #Checks if +exp+ is a call to Model.all or Model.find*
   def get_model_target exp
     if call? exp