RubyGems - brakeman - Versions diffs - 3.0.5 → 3.1.0 - Mend

brakeman 3.0.5 → 3.1.0

Files changed (94) hide show

checksums.yaml +4 -4
data/CHANGES +19 -0
data/README.md +3 -13
data/lib/brakeman.rb +3 -0
data/lib/brakeman/checks/base_check.rb +19 -47
data/lib/brakeman/checks/check_basic_auth.rb +3 -3
data/lib/brakeman/checks/check_cross_site_scripting.rb +26 -12
data/lib/brakeman/checks/check_default_routes.rb +1 -1
data/lib/brakeman/checks/check_detailed_exceptions.rb +2 -2
data/lib/brakeman/checks/check_evaluation.rb +3 -0
data/lib/brakeman/checks/check_execute.rb +3 -3
data/lib/brakeman/checks/check_file_disclosure.rb +2 -2
data/lib/brakeman/checks/check_forgery_setting.rb +9 -12
data/lib/brakeman/checks/check_header_dos.rb +1 -1
data/lib/brakeman/checks/check_i18n_xss.rb +2 -2
data/lib/brakeman/checks/check_jruby_xml.rb +1 -1
data/lib/brakeman/checks/check_json_encoding.rb +1 -1
data/lib/brakeman/checks/check_json_parsing.rb +3 -3
data/lib/brakeman/checks/check_link_to.rb +1 -1
data/lib/brakeman/checks/check_link_to_href.rb +9 -2
data/lib/brakeman/checks/check_mass_assignment.rb +5 -2
data/lib/brakeman/checks/check_model_attr_accessible.rb +4 -4
data/lib/brakeman/checks/check_model_attributes.rb +7 -7
data/lib/brakeman/checks/check_model_serialize.rb +6 -6
data/lib/brakeman/checks/check_nested_attributes.rb +2 -2
data/lib/brakeman/checks/check_number_to_currency.rb +2 -2
data/lib/brakeman/checks/check_quote_table_name.rb +1 -1
data/lib/brakeman/checks/check_redirect.rb +2 -10
data/lib/brakeman/checks/check_render.rb +1 -1
data/lib/brakeman/checks/check_render_dos.rb +1 -1
data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +1 -1
data/lib/brakeman/checks/check_sanitize_methods.rb +1 -1
data/lib/brakeman/checks/check_select_tag.rb +1 -1
data/lib/brakeman/checks/check_select_vulnerability.rb +2 -2
data/lib/brakeman/checks/check_session_settings.rb +1 -2
data/lib/brakeman/checks/check_simple_format.rb +2 -2
data/lib/brakeman/checks/check_single_quotes.rb +3 -3
data/lib/brakeman/checks/check_skip_before_filter.rb +5 -7
data/lib/brakeman/checks/check_sql.rb +10 -14
data/lib/brakeman/checks/check_sql_cves.rb +4 -4
data/lib/brakeman/checks/check_ssl_verify.rb +27 -9
data/lib/brakeman/checks/check_strip_tags.rb +5 -5
data/lib/brakeman/checks/check_symbol_dos_cve.rb +1 -1
data/lib/brakeman/checks/check_translate_bug.rb +3 -4
data/lib/brakeman/checks/check_unscoped_find.rb +1 -1
data/lib/brakeman/checks/check_validation_regex.rb +2 -2
data/lib/brakeman/checks/check_xml_dos.rb +1 -1
data/lib/brakeman/checks/check_yaml_parsing.rb +1 -1
data/lib/brakeman/file_parser.rb +1 -0
data/lib/brakeman/parsers/template_parser.rb +6 -5
data/lib/brakeman/processor.rb +7 -7
data/lib/brakeman/processors/alias_processor.rb +30 -12
data/lib/brakeman/processors/base_processor.rb +4 -8
data/lib/brakeman/processors/controller_alias_processor.rb +33 -132
data/lib/brakeman/processors/controller_processor.rb +29 -53
data/lib/brakeman/processors/erb_template_processor.rb +4 -6
data/lib/brakeman/processors/erubis_template_processor.rb +8 -11
data/lib/brakeman/processors/gem_processor.rb +19 -35
data/lib/brakeman/processors/haml_template_processor.rb +10 -12
data/lib/brakeman/processors/lib/find_all_calls.rb +3 -5
data/lib/brakeman/processors/lib/find_call.rb +2 -2
data/lib/brakeman/processors/lib/find_return_value.rb +1 -1
data/lib/brakeman/processors/lib/rails2_config_processor.rb +7 -8
data/lib/brakeman/processors/lib/rails3_config_processor.rb +6 -7
data/lib/brakeman/processors/lib/render_helper.rb +15 -14
data/lib/brakeman/processors/lib/render_path.rb +11 -5
data/lib/brakeman/processors/library_processor.rb +13 -35
data/lib/brakeman/processors/model_processor.rb +22 -64
data/lib/brakeman/processors/output_processor.rb +1 -37
data/lib/brakeman/processors/slim_template_processor.rb +6 -8
data/lib/brakeman/processors/template_alias_processor.rb +9 -9
data/lib/brakeman/processors/template_processor.rb +5 -9
data/lib/brakeman/report/report_base.rb +7 -7
data/lib/brakeman/report/report_html.rb +5 -7
data/lib/brakeman/report/report_markdown.rb +4 -6
data/lib/brakeman/report/report_table.rb +4 -6
data/lib/brakeman/rescanner.rb +29 -31
data/lib/brakeman/scanner.rb +17 -8
data/lib/brakeman/tracker.rb +24 -34
data/lib/brakeman/tracker/collection.rb +77 -0
data/lib/brakeman/tracker/config.rb +93 -0
data/lib/brakeman/tracker/controller.rb +161 -0
data/lib/brakeman/tracker/library.rb +17 -0
data/lib/brakeman/tracker/model.rb +90 -0
data/lib/brakeman/tracker/template.rb +33 -0
data/lib/brakeman/util.rb +17 -9
data/lib/brakeman/version.rb +1 -1
data/lib/brakeman/warning.rb +8 -9
data/lib/ruby_parser/bm_sexp.rb +16 -16
data/lib/ruby_parser/bm_sexp_processor.rb +1 -120
metadata +42 -31
checksums.yaml.gz.sig +0 -1
data.tar.gz.sig +0 -0
metadata.gz.sig +0 -0

data/lib/brakeman/processors/lib/render_path.rb CHANGED

@@ -6,19 +6,25 @@ module Brakeman
       @path = []
     end
-    def add_controller_render controller_name, method_name
+    def add_controller_render controller_name, method_name, line, file
       method_name ||= ""
       @path << { :type => :controller,
                  :class => controller_name.to_sym,
-                 :method => method_name.to_sym }
+                 :method => method_name.to_sym,
+                 :line => line,
+                 :file => file
+                }
       self
     end
-    def add_template_render template_name
+    def add_template_render template_name, line, file
       @path << { :type => :template,
-                 :name => template_name.to_sym }
+                 :name => template_name.to_sym,
+                 :line => line,
+                 :file => file
+               }
       self
     end
@@ -89,7 +95,7 @@ module Brakeman
     end
     def to_json *args
-      MultiJson.dump(self.to_a)
+      MultiJson.dump(@path)
     end
     def initialize_copy original

data/lib/brakeman/processors/library_processor.rb CHANGED

@@ -1,5 +1,6 @@
 require 'brakeman/processors/base_processor'
 require 'brakeman/processors/alias_processor'
+require 'brakeman/tracker/library'
 #Process generic library and stores it in Tracker.libs
 class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
@@ -23,29 +24,18 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
     if @current_class
       outer_class = @current_class
-      name = (outer_class[:name].to_s + "::" + name.to_s).to_sym
+      name = (outer_class.name.to_s + "::" + name.to_s).to_sym
     end
     if @current_module
-      name = (@current_module[:name].to_s + "::" + name.to_s).to_sym
+      name = (@current_module.name.to_s + "::" + name.to_s).to_sym
     end
     if @tracker.libs[name]
       @current_class = @tracker.libs[name]
-      @current_class[:files] << @file_name unless @current_class[:files].include? @file_name
-      @current_class[:src][@file_name] = exp
+      @current_class.add_file @file_name, exp
     else
-      @current_class = {
-        :name => name,
-        :parent => parent,
-        :includes => [],
-        :public => {},
-        :private => {},
-        :protected => {},
-        :src => { @file_name => exp },
-        :files => [ @file_name ]
-      }
+      @current_class = Brakeman::Library.new name, parent, @file_name, exp, @tracker
       @tracker.libs[name] = @current_class
     end
@@ -65,28 +55,18 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
     if @current_module
       outer_module = @current_module
-      name = (outer_module[:name].to_s + "::" + name.to_s).to_sym
+      name = (outer_module.name.to_s + "::" + name.to_s).to_sym
     end
     if @current_class
-      name = (@current_class[:name].to_s + "::" + name.to_s).to_sym
+      name = (@current_class.name.to_s + "::" + name.to_s).to_sym
     end
     if @tracker.libs[name]
       @current_module = @tracker.libs[name]
-      @current_module[:files] << @file_name unless @current_module[:files].include? @file_name
-      @current_module[:src][@file_name] = exp
+      @current_module.add_file @file_name, exp
     else
-      @current_module = {
-        :name => name,
-        :includes => [],
-        :public => {},
-        :private => {},
-        :protected => {},
-        :src => { @file_name => exp },
-        :files => [ @file_name ]
-      }
+      @current_module = Brakeman::Library.new name, nil, @file_name, exp, @tracker
       @tracker.libs[name] = @current_module
     end
@@ -103,14 +83,13 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
   def process_defn exp
     exp = @alias_processor.process exp
-    exp.node_type = :methdef
     if @current_class
       exp.body = process_all! exp.body
-      @current_class[:public][exp.method_name] = { :src => exp, :file => @file_name }
+      @current_class.add_method :public, exp.method_name, exp, @file_name
     elsif @current_module
       exp.body = process_all! exp.body
-      @current_module[:public][exp.method_name] = { :src => exp, :file => @file_name }
+      @current_module.add_method :public, exp.method_name, exp, @file_name
     end
     exp
@@ -118,14 +97,13 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
   def process_defs exp
     exp = @alias_processor.process exp
-    exp.node_type = :selfdef
     if @current_class
       exp.body = process_all! exp.body
-      @current_class[:public][exp.method_name] = { :src => exp, :file => @file_name }
+      @current_class.add_method :public, exp.method_name, exp, @file_name
     elsif @current_module
       exp.body = process_all! exp.body
-      @current_module[:public][exp.method_name] = { :src => exp, :file => @file_name }
+      @current_module.add_method :public, exp.method_name, exp, @file_name
     end
     exp

data/lib/brakeman/processors/model_processor.rb CHANGED

@@ -1,10 +1,9 @@
 require 'brakeman/processors/base_processor'
+require 'brakeman/tracker/model'
 #Processes models. Puts results in tracker.models
 class Brakeman::ModelProcessor < Brakeman::BaseProcessor
-  ASSOCIATIONS = Set[:belongs_to, :has_one, :has_many, :has_and_belongs_to_many]
   def initialize tracker
     super
     @current_class = nil
@@ -34,31 +33,18 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
     if @current_class
       outer_class = @current_class
-      name = (outer_class[:name].to_s + "::" + name.to_s).to_sym
+      name = (outer_class.name.to_s + "::" + name.to_s).to_sym
     end
     if @current_module
-      name = (@current_module[:name].to_s + "::" + name.to_s).to_sym
+      name = (@current_module.name.to_s + "::" + name.to_s).to_sym
     end
     if @tracker.models[name]
       @current_class = @tracker.models[name]
-      @current_class[:files] << @file_name unless @current_class[:files].include? @file_name
-      @current_class[:src][@file_name] = exp
+      @current_class.add_file @file_name, exp
     else
-      @current_class = {
-        :name => name,
-        :parent => parent,
-        :includes => [],
-        :public => {},
-        :private => {},
-        :protected => {},
-        :options => {},
-        :src => { @file_name => exp },
-        :associations => {},
-        :files => [ @file_name ]
-      }
+      @current_class = Brakeman::Model.new name, parent, @file_name, exp, @tracker
       @tracker.models[name] = @current_class
     end
@@ -78,30 +64,18 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
     if @current_module
       outer_module = @current_module
-      name = (outer_module[:name].to_s + "::" + name.to_s).to_sym
+      name = (outer_module.name.to_s + "::" + name.to_s).to_sym
     end
     if @current_class
-      name = (@current_class[:name].to_s + "::" + name.to_s).to_sym
+      name = (@current_class.name.to_s + "::" + name.to_s).to_sym
     end
     if @tracker.libs[name]
       @current_module = @tracker.libs[name]
-      @current_module[:files] << @file_name unless @current_module[:files].include? @file_name
-      @current_module[:src][@file_name] = exp
+      @current_module.add_file @file_name, exp
     else
-      @current_module = {
-        :name => name,
-        :includes => [],
-        :public => {},
-        :private => {},
-        :protected => {},
-        :options => {},
-        :src => { @file_name => exp },
-        :associations => {},
-        :files => [ @file_name ]
-      }
+      @current_module = Brakeman::Model.new name, nil, @file_name, exp, @tracker
       @tracker.libs[name] = @current_module
     end
@@ -136,37 +110,21 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
         when :private, :protected, :public
           @visibility = method
         when :attr_accessible
-          @current_class[:attr_accessible] ||= []
+          @current_class.set_attr_accessible
         else
           #??
         end
       else
         case method
         when :include
-          @current_class[:includes] << class_name(first_arg) if @current_class
+          @current_class.add_include class_name(first_arg) if @current_class
         when :attr_accessible
-          @current_class[:attr_accessible] ||= []
-          args = []
-          exp.each_arg do |e|
-            if node_type? e, :lit
-              args << e.value
-            elsif hash? e
-              @current_class[:options][:role_accessible] ||= []
-              @current_class[:options][:role_accessible].concat args
-            end
-          end
-          @current_class[:attr_accessible].concat args
+          @current_class.set_attr_accessible exp
+        when :attr_protected
+          @current_class.set_attr_protected exp
         else
           if @current_class
-            if ASSOCIATIONS.include? method
-              @current_class[:associations][method] ||= []
-              @current_class[:associations][method].concat exp.args
-            else
-              @current_class[:options][method] ||= []
-              @current_class[:options][method] << exp.arglist.line(exp.line)
-            end
+            @current_class.add_option method, exp
           end
         end
       end
@@ -185,14 +143,14 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
     name = exp.method_name
     @current_method = name
-    res = Sexp.new :methdef, name, exp.formal_args, *process_all!(exp.body)
+    res = Sexp.new :defn, name, exp.formal_args, *process_all!(exp.body)
     res.line(exp.line)
     @current_method = nil
     if @current_class
-      @current_class[@visibility][name] = { :src => res, :file => @file_name }
+      @current_class.add_method @visibility, name, res, @file_name
     elsif @current_module
-      @current_module[@visibility][name] = { :src => res, :file => @file_name }
+      @current_module.add_method @visibility, name, res, @file_name
     end
     res
@@ -205,7 +163,7 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
     if exp[1].node_type == :self
       if @current_class
-        target = @current_class[:name]
+        target = @current_class.name
       elsif @current_module
         target = @current_module
       else
@@ -216,14 +174,14 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
     end
     @current_method = name
-    res = Sexp.new :selfdef, target, name, exp.formal_args, *process_all!(exp.body)
+    res = Sexp.new :defs, target, name, exp.formal_args, *process_all!(exp.body)
     res.line(exp.line)
     @current_method = nil
     if @current_class
-      @current_class[@visibility][name] = { :src => res, :file => @file_name }
+      @current_class.add_method @visibility, name, res, @file_name
     elsif @current_module
-      @current_module[@visibility][name] = { :src => res, :file => @file_name }
+      @current_module.add_method @visibility, name, res, @file_name
     end
     res
   end

data/lib/brakeman/processors/output_processor.rb CHANGED

@@ -43,9 +43,6 @@ class Brakeman::OutputProcessor < Ruby2Ruby
     "cookies"
   end
-  alias process_string_interp process_dstr
-  alias process_string_eval process_evstr
   def process_rlist exp
     out = exp.map do |e|
       res = process e
@@ -80,9 +77,7 @@ class Brakeman::OutputProcessor < Ruby2Ruby
     return "def #{name}#{args}\n#{body}\nend".gsub(/\n\s*\n+/, "\n")
   end
-  alias process_methdef process_defn
-  def process_call_with_block exp
+  def process_iter exp
     call = process exp[0]
     block = process_rlist exp[2..-1]
     out = "#{call} do\n #{block}\n end"
@@ -173,35 +168,4 @@ class Brakeman::OutputProcessor < Ruby2Ruby
     exp.clear
     out
   end
-  #This is copied from Ruby2Ruby, except the :string_eval type has been added
-  def util_dthing(type, exp)
-    s = []
-    # first item in sexp is a string literal
-    s << dthing_escape(type, exp.shift)
-    until exp.empty?
-      pt = exp.shift
-      case pt
-      when Sexp then
-        case pt.first
-        when :str then
-          s << dthing_escape(type, pt.last)
-        when :evstr, :string_eval then
-          s << '#{' << process(pt) << '}' # do not use interpolation here
-        else
-          raise "unknown type: #{pt.inspect}"
-        end
-      when String then
-        s << pt
-      else
-        # HACK: raise "huh?: #{pt.inspect}" -- hitting # constants in regexps
-        # do nothing for now
-      end
-    end
-    s.join
-  end
 end

data/lib/brakeman/processors/slim_template_processor.rb CHANGED

@@ -25,7 +25,7 @@ class Brakeman::SlimTemplateProcessor < Brakeman::TemplateProcessor
         ignore
       elsif render? arg
         make_output make_render_in_view arg
-      elsif node_type? arg, :interp, :dstr
+      elsif string_interp? arg
         process_inside_interp arg
       elsif node_type? arg, :ignore
         ignore
@@ -38,24 +38,22 @@ class Brakeman::SlimTemplateProcessor < Brakeman::TemplateProcessor
       exp.arglist = process exp.arglist
       make_render_in_view exp
     else
-      call = make_call target, method, process_all!(exp.args)
-      call.original_line = exp.original_line
-      call.line(exp.line)
-      call
+      exp.arglist = process exp.arglist
+      exp
     end
   end
   def make_output exp
     s = Sexp.new :output, exp
     s.line(exp.line)
-    @current_template[:outputs] << s
+    @current_template.add_output s
     s
   end
   def make_escaped_output exp
     s = Sexp.new :escaped_output, exp.first_arg
     s.line(exp.line)
-    @current_template[:outputs] << s
+    @current_template.add_output s
     s
   end
@@ -63,7 +61,7 @@ class Brakeman::SlimTemplateProcessor < Brakeman::TemplateProcessor
   #Better to pull those values out directly.
   def process_inside_interp exp
     exp.map! do |e|
-      if node_type? e, :evstr, :string_eval
+      if node_type? e, :evstr
         e.value = process_interp_output e.value
         e
       else

data/lib/brakeman/processors/template_alias_processor.rb CHANGED

@@ -18,23 +18,25 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
   end
   #Process template
-  def process_template name, args
+  def process_template name, args, _, line = nil
+    file = relative_path(@template.file || @tracker.templates[@template.name])
     if @called_from
       if @called_from.include_template? name
-        Brakeman.debug "Skipping circular render from #{@template[:name]} to #{name}"
+        Brakeman.debug "Skipping circular render from #{@template.name} to #{name}"
         return
       end
-      super name, args, @called_from.dup.add_template_render(@template[:name])
+      super name, args, @called_from.dup.add_template_render(@template.name, line, file)
     else
-      super name, args, Brakeman::RenderPath.new.add_template_render(@template[:name])
+      super name, args, Brakeman::RenderPath.new.add_template_render(@template.name, line, file)
     end
   end
   #Determine template name
   def template_name name
-    if !name.to_s.include?('/') && @template[:name].to_s.include?('/')
-      name = "#{@template[:name].to_s.match(/^(.*\/).*$/)[1]}#{name}"
+    if !name.to_s.include?('/') && @template.name.to_s.include?('/')
+      name = "#{@template.name.to_s.match(/^(.*\/).*$/)[1]}#{name}"
     end
     name
   end
@@ -43,7 +45,7 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
   FORM_BUILDER_CALL = Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new)
   #Looks for form methods and iterating over collections of Models
-  def process_call_with_block exp
+  def process_iter exp
     process_default exp
     call = exp.block_call
@@ -77,8 +79,6 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
     exp
   end
-  alias process_iter process_call_with_block
   #Checks if +exp+ is a call to Model.all or Model.find*
   def get_model_target exp
     if call? exp