brakeman 3.1.1 → 3.1.2

data/lib/brakeman/checks/check_simple_format.rb

@@ -54,6 +54,6 @@ class Brakeman::CheckSimpleFormat < Brakeman::CheckCrossSiteScripting
       :message => "Values passed to simple_format are not safe in Rails #{rails_version}",
       :confidence => CONFIDENCE[:high],
       :link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ",
-      :user_input => match.match
+      :user_input => match
   end
 end

data/lib/brakeman/checks/check_sql.rb

@@ -197,7 +197,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       input = include_user_input? dangerous_value
       if input
         confidence = CONFIDENCE[:high]
-        user_input = input.match
+        user_input = input
       else
         confidence = CONFIDENCE[:med]
         user_input = dangerous_value
@@ -342,7 +342,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   def check_hash_keys exp
     hash_iterate(exp) do |key, value|
       unless symbol?(key)
-        unsafe_key = unsafe_sql? value
+        unsafe_key = unsafe_sql? key
         return unsafe_key if unsafe_key
       end
     end

data/lib/brakeman/checks/check_symbol_dos.rb

@@ -41,7 +41,7 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
         :warning_type => "Denial of Service",
         :warning_code => :unsafe_symbol_creation,
         :message => message,
-        :user_input => input.match,
+        :user_input => input,
         :confidence => confidence
     end
   end

data/lib/brakeman/checks/check_unsafe_reflection.rb

@@ -44,7 +44,7 @@ class Brakeman::CheckUnsafeReflection < Brakeman::BaseCheck
         :warning_type => "Remote Code Execution",
         :warning_code => :unsafe_constantize,
         :message => message,
-        :user_input => input.match,
+        :user_input => input,
         :confidence => confidence
     end
   end

data/lib/brakeman/checks/check_unscoped_find.rb

@@ -36,6 +36,6 @@ class Brakeman::CheckUnscopedFind < Brakeman::BaseCheck
       :message      => "Unscoped call to #{result[:target]}##{result[:method]}",
       :code         => result[:call],
       :confidence   => CONFIDENCE[:low],
-      :user_input   => input.match
+      :user_input   => input
   end
 end

data/lib/brakeman/checks/check_weak_hash.rb

@@ -30,7 +30,6 @@ class Brakeman::CheckWeakHash < Brakeman::BaseCheck
 
     if DIGEST_CALLS.include? call.method
       if input = user_input_as_arg?(call)
-        input = input.match
         confidence = CONFIDENCE[:high]
       elsif input = hashing_password?(call)
         confidence = CONFIDENCE[:high]

data/lib/brakeman/checks/check_without_protection.rb

@@ -43,10 +43,8 @@ class Brakeman::CheckWithoutProtection < Brakeman::BaseCheck
 
           if input = include_user_input?(call.arglist)
             confidence = CONFIDENCE[:high]
-            user_input = input.match
           else
             confidence = CONFIDENCE[:med]
-            user_input = nil
           end
 
           warn :result => res, 
@@ -54,7 +52,7 @@ class Brakeman::CheckWithoutProtection < Brakeman::BaseCheck
             :warning_code => :mass_assign_without_protection,
             :message => "Unprotected mass assignment",
             :code => call, 
-            :user_input => user_input,
+            :user_input => input,
             :confidence => confidence
 
         end

data/lib/brakeman/processors/alias_processor.rb

@@ -79,6 +79,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
 
   #Process a method call.
   def process_call exp
+    return exp if process_call_defn? exp
     target_var = exp.target
     target_var &&= target_var.deep_clone
     exp = process_default exp
@@ -142,7 +143,16 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       end
     when :/
       if number? target and number? first_arg
-        exp = Sexp.new(:lit, target.value / first_arg.value)
+        if first_arg.value == 0 and not target.value.is_a? Float
+          if @tracker
+            location = [@current_class, @current_method, "line #{first_arg.line}"].compact.join(' ')
+            require 'brakeman/processors/output_processor'
+            code = Brakeman::OutputProcessor.new.format(exp)
+            @tracker.error Exception.new("Potential divide by zero: #{code} (#{location})")
+          end
+        else
+          exp = Sexp.new(:lit, target.value / first_arg.value)
+        end
       end
     when :[]
       if array? target

data/lib/brakeman/processors/base_processor.rb

@@ -103,7 +103,10 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
   #Processes the inside of an interpolated String.
   def process_evstr exp
     exp = exp.dup
-    exp[1] = process exp[1]
+    if exp[1]
+      exp[1] = process exp[1]
+    end
+
     exp
   end
 

data/lib/brakeman/processors/controller_processor.rb

@@ -109,6 +109,8 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
 
   #Look for specific calls inside the controller
   def process_call exp
+    return exp if process_call_defn? exp
+
     target = exp.target
     if sexp? target
       target = process target

data/lib/brakeman/processors/haml_template_processor.rb

@@ -141,7 +141,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     if string_interp? exp
       exp.map! do |e|
         if sexp? e
-          if node_type? e, :evstr
+          if node_type? e, :evstr and e[1]
             e = e.value
           end
 

data/lib/brakeman/processors/lib/processor_helper.rb

@@ -59,4 +59,17 @@ module Brakeman::ProcessorHelper
 
     exp
   end
+
+  # e.g. private defn
+  def process_call_defn? exp
+    if call? exp and exp.target.nil? and node_type? exp.first_arg, :defn, :defs and [:private, :public, :protected].include? exp.method
+      prev_visibility = @visibility
+      @visibility = exp.method
+      process exp.first_arg
+      @visibility = prev_visibility
+      exp
+    else
+      false
+    end
+  end
 end

data/lib/brakeman/processors/library_processor.rb

@@ -108,4 +108,12 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
 
     exp
   end
+
+  def process_call exp
+    if process_call_defn? exp
+      exp
+    else
+      process_default exp
+    end
+  end
 end

data/lib/brakeman/processors/model_processor.rb

@@ -94,6 +94,8 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
   #such as include, attr_accessible, private, etc.
   def process_call exp
     return exp unless @current_class
+    return exp if process_call_defn? exp
+
     target = exp.target
     if sexp? target
       target = process target

data/lib/brakeman/report/report_html.rb

@@ -139,6 +139,16 @@ class Brakeman::Report::HTML < Brakeman::Report::Base
     "<table id='#{code_id}' class='context' style='display:none'>" <<
     "<caption>#{CGI.escapeHTML warning_file(warning) || ''}</caption>"
 
+    output << <<-HTML
+      <thead style='display:none'>
+        <tr>
+          <th>line number</th>
+          <th>line content</th>
+        </tr>
+      </thead>
+      <tbody>
+    HTML
+
     unless context.empty?
       if warning.line - 1 == 1 or warning.line + 1 == 1
         error = " near_error"
@@ -184,7 +194,7 @@ class Brakeman::Report::HTML < Brakeman::Report::Base
       end
     end
 
-    output << "</table></div>"
+    output << "</tbody></table></div>"
   end
 
   #Escape warning message and highlight user input in HTML output

data/lib/brakeman/report/templates/controller_overview.html.erb

@@ -1,18 +1,22 @@
 <h2>Controllers</h2>
 
 <table>
-  <tr>
-    <th>Name</th>
-    <th>Parent</th>
-    <th>Includes</th>
-    <th>Routes</th>
-  </tr>
-<% controller_rows.each do |row| %>
-  <tr>
-    <td><%= row['Name'] %></td>
-    <td><%= row['Parent'] %></td>
-    <td><%= row['Includes'] %></td>
-    <td><%= row['Routes'] %></td>
-  </tr>
-<% end %>
+  <thead>
+    <tr>
+      <th>Name</th>
+      <th>Parent</th>
+      <th>Includes</th>
+      <th>Routes</th>
+    </tr>
+  </thead>
+  <tbody>
+  <% controller_rows.each do |row| %>
+    <tr>
+      <td><%= row['Name'] %></td>
+      <td><%= row['Parent'] %></td>
+      <td><%= row['Includes'] %></td>
+      <td><%= row['Routes'] %></td>
+    </tr>
+  <% end %>
+  </tbody>
 </table>

data/lib/brakeman/report/templates/controller_warnings.html.erb

@@ -1,17 +1,21 @@
 <p>Controller Warnings</p>
 <table>
-  <tr>
-    <th>Confidence</th>
-    <th>Controller</th>
-    <th>Warning Type</th>
-    <th>Message</th>
-  </tr>
-<% warnings.each do |warning| %>
-  <tr>
-    <td><%= warning['Confidence']%></td>
-    <td><%= warning['Controller']%></td>
-    <td><%= warning['Warning Type']%></td>
-    <td><%= warning['Message']%></td>
-  </tr>
-<% end %>
+  <thead>
+    <tr>
+      <th>Confidence</th>
+      <th>Controller</th>
+      <th>Warning Type</th>
+      <th>Message</th>
+    </tr>
+  </thead>
+  <tbody>
+  <% warnings.each do |warning| %>
+    <tr>
+      <td><%= warning['Confidence']%></td>
+      <td><%= warning['Controller']%></td>
+      <td><%= warning['Warning Type']%></td>
+      <td><%= warning['Message']%></td>
+    </tr>
+  <% end %>
+  </tbody>
 </table>

data/lib/brakeman/report/templates/error_overview.html.erb

@@ -2,10 +2,13 @@
   <div>
     <div id='errors_table' style='display:none'> 
       <table>
-        <tr>
-          <th>Error</th>
-          <th>Location</th>
-        </tr>
+        <thead>
+          <tr>
+            <th>Error</th>
+            <th>Location</th>
+          </tr>
+        </thead>
+        <tbody>
         <% tracker.errors.each do |warning| %>
           <tr>
             <td><%= CGI.escapeHTML warning[:error] %></td>
@@ -20,6 +23,7 @@
             </td>
           </tr>
         <% end %>
+        </tbody>
       </table>
     </div>
   </div>

data/lib/brakeman/report/templates/header.html.erb

@@ -3,7 +3,9 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
 <title>Brakeman Report</title>
-  <script>
+  <script type="text/javascript" src="https://code.jquery.com/jquery-2.1.4.min.js"></script>
+  <script type="text/javascript" src="https://cdn.datatables.net/1.10.9/js/jquery.dataTables.min.js"></script>
+  <script type="text/javascript">
     function toggle(context) {
       var elem = document.getElementById(context);
 
@@ -14,6 +16,14 @@
 
       elem.parentNode.scrollIntoView();
     }
+
+    $(document).ready(function() {
+      $('table').DataTable({
+        searching: false,
+        paging:    false,
+        info:      false
+      });
+    });
   </script>
   <style>
     <%= css %>
@@ -23,22 +33,26 @@
 
 <h1>Brakeman Report</h1>
 <table>
-  <tr>
-    <th>Application Path</th>
-    <th>Rails Version</th>
-    <th>Brakeman Version</th>
-    <th>Report Time</th>
-    <th>Checks Performed</th>
-  </tr>
-  <tr>
-    <td><%= tracker.app_path %></td>
-    <td><%= rails_version %></td>
-    <td><%= brakeman_version %>
-    <td>
-      <%= tracker.start_time %><br><br>
-      <%= tracker.duration %> seconds
-    </td>
-    <td><%= checks.checks_run.sort.join(", ") %></td>
-  </tr>
+  <thead>
+    <tr>
+      <th>Application Path</th>
+      <th>Rails Version</th>
+      <th>Brakeman Version</th>
+      <th>Report Time</th>
+      <th>Checks Performed</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td><%= tracker.app_path %></td>
+      <td><%= rails_version %></td>
+      <td><%= brakeman_version %>
+      <td>
+        <%= tracker.start_time %><br><br>
+        <%= tracker.duration %> seconds
+      </td>
+      <td><%= checks.checks_run.sort.join(", ") %></td>
+    </tr>
+  </tbody>
 </table>
 <br>

data/lib/brakeman/report/templates/ignored_warnings.html.erb

@@ -1,13 +1,16 @@
 <div onClick="toggle('ignored_table');">  <h2><%= warnings.length %> Ignored Warnings (click to see them)</h2 ></div>
 <div>
   <table style="display:none" id="ignored_table">
-    <tr>
-      <th>Confidence</th>
-      <th>File</th>
-      <th>Warning Type</th>
-      <th>Message</th>
-      <th>Note</th>
-    </tr>
+    <thead>
+      <tr>
+        <th>Confidence</th>
+        <th>File</th>
+        <th>Warning Type</th>
+        <th>Message</th>
+        <th>Note</th>
+      </tr>
+    </thead>
+    <tbody>
     <% warnings.each do |warning| %>
       <tr>
         <td><%= warning['Confidence']%></td>
@@ -17,5 +20,6 @@
         <td><%= warning['Note']%></td>
       </tr>
     <% end %>
+    </tbody>
   </table>
 </div>

data/lib/brakeman/report/templates/model_warnings.html.erb

@@ -1,17 +1,21 @@
 <p>Model Warnings</p>
 <table>
-  <tr>
-    <th>Confidence</th>
-    <th>Model</th>
-    <th>Warning Type</th>
-    <th>Message</th>
-  </tr>
-<% warnings.each do |warning| %>
-  <tr>
-    <td><%= warning['Confidence']%></td>
-    <td><%= warning['Model']%></td>
-    <td><%= warning['Warning Type']%></td>
-    <td><%= warning['Message']%></td>
-  </tr>
-<% end %>
+  <thead>
+    <tr>
+      <th>Confidence</th>
+      <th>Model</th>
+      <th>Warning Type</th>
+      <th>Message</th>
+    </tr>
+  </thead>
+  <tbody>
+  <% warnings.each do |warning| %>
+    <tr>
+      <td><%= warning['Confidence']%></td>
+      <td><%= warning['Model']%></td>
+      <td><%= warning['Warning Type']%></td>
+      <td><%= warning['Message']%></td>
+    </tr>
+  <% end %>
+  </tbody>
 </table>