brakeman 3.1.2 → 3.1.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4d7d20b349b33016522595eb63c5ef4cc0e257fa
-  data.tar.gz: 9dd081fae534c5ffb2f42f63178cdba9b912a27d
+  metadata.gz: 0a5242c2a00eaa622ccfd793730c516642f1835c
+  data.tar.gz: 9e684857baaddfc23a7c8b517797e9361fd9d0a1
 SHA512:
-  metadata.gz: 889ad360ae4655bfff280157ca45ff548945fa8f3cf6f6d03333f0e04ac107d3489015cd0d837ecb0b0f8ea55fd985243f7d57e87d99d15c0ca76f8d0647ac81
-  data.tar.gz: a45beea309a50f727dc2a3d25628b89f5344126d8fc5231ca219fab4e4d601dbaee871bc8008aad006895a221415715ea5b5063bc00c01dedcb65ab012fb14b1
+  metadata.gz: 75051e388396af7a75b9f9773ba4f16971f1033441fc74dcc2968a0b5421e8cd4117d6f0e18b23d61c891aba78dcd02a24bb255786e559bd12f1b661be984089
+  data.tar.gz: 403638a85e9dff267149e9204cf4789a439112cbebb35df79191f8a036d981f916dc7dfb1a22488f677cda45ffee21f29e18123136db834be2febd0d82962fb7

data/CHANGES

@@ -1,3 +1,17 @@
+# 3.1.3
+
+* Check for session secret in secrets.yml
+* Respect `exit_on_warn` in config file
+* Avoid warning on `without_protection: true` with hash literals
+* Make sure before_filter call with block is still a call
+* CallIndex improvements
+* Restore minimum Highline version (Kevin Glowacz)
+* Add Code Climate output format (Ashley Baldwin-Hunter/Devon Blandin/John Pignata/Michael Bernstein)
+* Iteratively replace values
+* Output nil instead of false for user_input in JSON
+* Depend on safe_yaml 1.0 or later
+* Test coverage improvements for Brakema module (Bethany Rentz)
+
 # 3.1.2
 
 * Treat `current_user` like a model

data/README.md

@@ -6,7 +6,9 @@
 
 # Brakeman
 
-Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
+Brakeman is an open source static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
+
+Check out [Brakeman Pro](https://brakemanpro.com/) if you are looking for a commercially-supported version with a GUI and advanced features.
 
 # Installation
 
@@ -42,7 +44,7 @@ To specify an output file for the results:
 
     brakeman -o output_file
 
-The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `markdown`, and `csv`.
+The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `markdown`, `csv`, and `codeclimate`.
 
 Multiple output files can be specified:
 

data/bin/brakeman

@@ -78,7 +78,7 @@ begin
     tracker = Brakeman.run options.merge(:print_report => true, :quiet => options[:quiet])
 
     #Return error code if --exit-on-warn is used and warnings were found
-    if options[:exit_on_warn] and not tracker.filtered_warnings.empty?
+    if tracker.options[:exit_on_warn] and not tracker.filtered_warnings.empty?
       exit Brakeman::Warnings_Found_Exit_Code
     end
   end

data/lib/brakeman.rb

@@ -97,7 +97,7 @@ module Brakeman
 
       if options
         options.each { |k, v| options[k] = Set.new v if v.is_a? Array }
-        
+
         # After parsing the yaml config file for options, convert any string keys into symbols.
         options.keys.select {|k| k.is_a? String}.map {|k| k.to_sym }.each {|k| options[k] = options[k.to_s]; options.delete(k.to_s) }
 
@@ -180,6 +180,8 @@ module Brakeman
       [:to_json]
     when :markdown, :to_markdown
       [:to_markdown]
+    when :cc, :to_cc, :codeclimate, :to_codeclimate
+      [:to_codeclimate]
     else
       [:to_s]
     end
@@ -201,6 +203,8 @@ module Brakeman
         :to_json
       when /\.md$/i
         :to_markdown
+      when /(\.cc|\.codeclimate)$/i
+        :to_codeclimate
       else
         :to_s
       end
@@ -303,11 +307,10 @@ module Brakeman
       File.open file, "w" do |f|
         YAML.dump options, f
       end
-      puts "Output configuration to #{file}"
+      notify "Output configuration to #{file}"
     else
-      puts YAML.dump(options)
+      notify YAML.dump(options)
     end
-    exit
   end
 
   #Run a scan. Generally called from Brakeman.run instead of directly.

data/lib/brakeman/checks/check_mass_assignment.rb

@@ -155,7 +155,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
   # Look for and warn about uses of Parameters#permit! for mass assignment
   def check_permit!
     tracker.find_call(:method => :permit!).each do |result|
-      if params? result[:target]
+      if params? result[:call].target
         warn_on_permit! result
       end
     end

data/lib/brakeman/checks/check_session_settings.rb

@@ -19,13 +19,17 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
   def run_check
     settings = tracker.config.session_settings 
 
-    check_for_issues settings, "#{tracker.app_path}/config/environment.rb"
+    check_for_issues settings, @app_tree.expand_path("config/environment.rb")
 
     ["session_store.rb", "secret_token.rb"].each do |file|
       if tracker.initializers[file] and not ignored? file
         process tracker.initializers[file]
       end
     end
+
+    if tracker.options[:rails4]
+      check_secrets_yaml
+    end
   end
 
   #Looks for ActionController::Base.session = { ... }
@@ -38,13 +42,13 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
   #in Rails 4.x apps
   def process_attrasgn exp
     if not tracker.options[:rails3] and exp.target == @session_settings and exp.method == :session=
-      check_for_issues exp.first_arg, "#{tracker.app_path}/config/initializers/session_store.rb"
+      check_for_issues exp.first_arg, @app_tree.expand_path("config/initializers/session_store.rb")
     end
 
     if tracker.options[:rails3] and settings_target?(exp.target) and
       (exp.method == :secret_token= or exp.method == :secret_key_base=) and string? exp.first_arg
 
-      warn_about_secret_token exp, "#{tracker.app_path}/config/initializers/secret_token.rb"
+      warn_about_secret_token exp.line, @app_tree.expand_path("config/initializers/secret_token.rb")
     end
 
     exp
@@ -54,7 +58,7 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
   #in Rails 3.x apps
   def process_call exp
     if tracker.options[:rails3] and settings_target?(exp.target) and exp.method == :session_store
-      check_for_rails3_issues exp.second_arg, "#{tracker.app_path}/config/initializers/session_store.rb"
+      check_for_rails3_issues exp.second_arg, @app_tree.expand_path("config/initializers/session_store.rb")
     end
 
     exp
@@ -76,13 +80,13 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
                   hash_access(settings, :httponly))
 
         if false? value
-          warn_about_http_only value, file
+          warn_about_http_only value.line, file
         end
       end
 
       if value = hash_access(settings, :secret)
         if string? value
-          warn_about_secret_token value, file
+          warn_about_secret_token value.line, file
         end
       end
     end
@@ -92,43 +96,61 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
     if settings and hash? settings
       if value = hash_access(settings, :httponly)
         if false? value
-          warn_about_http_only value, file
+          warn_about_http_only value.line, file
         end
       end
 
       if value = hash_access(settings, :secure)
         if false? value
-          warn_about_secure_only value, file
+          warn_about_secure_only value.line, file
+        end
+      end
+    end
+  end
+
+  def check_secrets_yaml
+    secrets_file = "config/secrets.yml"
+
+    if @app_tree.exists? secrets_file
+      yaml = @app_tree.read secrets_file
+      require 'safe_yaml/load'
+      secrets = SafeYAML.load yaml
+
+      if secrets["production"] and secret = secrets["production"]["secret_key_base"]
+        unless secret.include? "<%="
+          line = yaml.lines.find_index { |l| l.include? secret } + 1
+
+          warn_about_secret_token line, @app_tree.expand_path(secrets_file)
         end
       end
     end
   end
 
-  def warn_about_http_only value, file
+  def warn_about_http_only line, file
     warn :warning_type => "Session Setting",
       :warning_code => :http_cookies,
       :message => "Session cookies should be set to HTTP only",
       :confidence => CONFIDENCE[:high],
-      :line => value.line,
+      :line => line,
       :file => file
 
   end
 
-  def warn_about_secret_token value, file
+  def warn_about_secret_token line, file
     warn :warning_type => "Session Setting",
       :warning_code => :session_secret,
       :message => "Session secret should not be included in version control",
       :confidence => CONFIDENCE[:high],
-      :line => value.line,
+      :line => line,
       :file => file
   end
 
-  def warn_about_secure_only value, file
+  def warn_about_secure_only line, file
     warn :warning_type => "Session Setting",
       :warning_code => :secure_cookies,
       :message => "Session cookie should be set to secure only",
       :confidence => CONFIDENCE[:high],
-      :line => value.line,
+      :line => line,
       :file => file
   end
 

data/lib/brakeman/checks/check_without_protection.rb

@@ -43,6 +43,8 @@ class Brakeman::CheckWithoutProtection < Brakeman::BaseCheck
 
           if input = include_user_input?(call.arglist)
             confidence = CONFIDENCE[:high]
+          elsif all_literals? call
+            return
           else
             confidence = CONFIDENCE[:med]
           end
@@ -59,4 +61,20 @@ class Brakeman::CheckWithoutProtection < Brakeman::BaseCheck
       end
     end
   end
+
+  def all_literals? call
+    call.each_arg do |arg|
+      if hash? arg
+        hash_iterate arg do |k, v|
+          unless node_type? k, :str, :lit, :false, :true and node_type? v, :str, :lit, :false, :true
+            return false
+          end
+        end
+      else
+        return false
+      end
+    end
+
+    true
+  end
 end

data/lib/brakeman/options.rb

@@ -165,7 +165,7 @@ module Brakeman::Options
 
         opts.on "-f",
           "--format TYPE",
-          [:pdf, :text, :html, :csv, :tabs, :json, :markdown],
+          [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc],
           "Specify output formats. Default is text" do |type|
 
           type = "s" if type == :text

data/lib/brakeman/processors/alias_processor.rb

@@ -62,18 +62,23 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       @tracker.error err if @tracker
     end
 
-    #Generic replace
-    if replacement = env[exp] and not duplicate? replacement
-      result = replacement.deep_clone(exp.line)
-    else
-      result = exp
-    end
-
+    result = replace(exp)
+  
     @exp_context.pop
 
     result
   end
 
+  def replace exp, int = 0
+    return exp if int > 3
+
+    if replacement = env[exp] and not duplicate? replacement
+      replace(replacement.deep_clone(exp.line), int + 1)
+    else
+      exp
+    end
+  end
+
   ARRAY_CONST = s(:const, :Array)
   HASH_CONST = s(:const, :Hash)
 

data/lib/brakeman/processors/controller_processor.rb

@@ -236,9 +236,14 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
 
   #Look for before_filters and add fake ones if necessary
   def process_iter exp
-    block_call_name = exp.block_call.method
-    if block_call_name == :before_filter  or block_call_name == :before_action
-      add_fake_filter exp
+    if @current_method.nil? and call? exp.block_call
+      block_call_name = exp.block_call.method
+
+      if block_call_name == :before_filter  or block_call_name == :before_action
+        add_fake_filter exp
+      else
+        super
+      end
     else
       super
     end

data/lib/brakeman/processors/lib/find_all_calls.rb

@@ -126,7 +126,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
 
   #Gets the target of a call as a Symbol
   #if possible
-  def get_target exp
+  def get_target exp, include_calls = false
     if sexp? exp
       case exp.node_type
       when :ivar, :lvar, :const, :lit
@@ -137,6 +137,23 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
         class_name exp
       when :self
         @current_class || @current_module || nil
+      when :params, :session, :cookies
+        exp.node_type
+      when :call
+        if include_calls
+          if exp.target.nil?
+            exp.method
+          else
+            t = get_target(exp.target, :include_calls)
+            if t.is_a? Symbol
+              :"#{t}.#{exp.method}"
+            else
+              exp
+            end
+          end
+        else
+          exp
+        end
       else
         exp
       end
@@ -187,6 +204,8 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
       @in_target = true
       process target
       @in_target = already_in_target
+
+      target = get_target(target, :include_calls)
     end
 
     method = exp.method

data/lib/brakeman/report.rb

@@ -6,7 +6,7 @@ require 'brakeman/report/report_base'
 class Brakeman::Report
   attr_reader :tracker
 
-  VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown]
+  VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate]
 
   def initialize app_tree, tracker
     @app_tree = app_tree
@@ -15,6 +15,9 @@ class Brakeman::Report
 
   def format format
     reporter = case format
+    when :to_codeclimate
+      require_report 'codeclimate'
+      Brakeman::Report::CodeClimate
     when :to_csv
       require_report 'csv'
       Brakeman::Report::CSV

data/lib/brakeman/report/config/remediation.yml

@@ -0,0 +1,71 @@
+---
+basic_auth_password: 300000
+cross_site_scripting: 300000
+xss_content_tag: 300000
+CVE_2014_3514_call: 600000
+all_default_routes: 2000000
+unsafe_deserialize: 2000000
+local_request_config: 100000
+CVE_2012_3424: 4000000
+CVE_2011_2932: 8000000
+code_eval: 2000000
+command_injection: 2000000
+file_access: 2000000
+CVE_2014_7829: 4000000
+CVE_2011_2929: 4000000
+csrf_protection_disabled: 4000000
+CVE_2013_6414: 4000000
+CVE_2013_4491: 4000000
+CVE_2013_1856: 4000000
+CVE_2015_3226: 4000000
+CVE_2013_0333: 4000000
+xss_link_to: 300000
+xss_link_to_href: 300000
+CVE_2011_0446: 300000
+mass_assign_call: 2000000
+dangerous_attr_accessible: 2000000
+no_attr_accessible: 2000000
+CVE_2013_0277: 2000000
+CVE_2010_3933: 4000000
+CVE_2014_0081: 300000
+CVE_2011_2930: 600000
+open_redirect: 300000
+regex_dos: 600000
+dynamic_render_path: 4000000
+CVE_2014_0082: 4000000
+cross_site_scripting_inline: 600000
+CVE_2011_3186: 2000000
+safe_buffer_vuln: 4000000
+CVE_2013_1855: 4000000
+CVE_2013_1857: 4000000
+CVE_2012_3463: 600000
+select_options_vuln: 4000000
+dangerous_send: 600000
+session_key_manipulation: 600000
+http_cookies: 600000
+session_secret: 600000
+secure_cookies: 600000
+CVE_2013_6416: 600000
+CVE_2012_3464: 4000000
+csrf_blacklist: 300000
+auth_blacklist: 300000
+sql_injection: 1200000
+CVE-2012-2660: 4000000
+CVE-2012-2661: 4000000
+CVE-2012-2695: 4000000
+CVE-2012-5664: 4000000
+CVE-2013-0155: 4000000
+CVE-2013-6417: 4000000
+CVE-2014-3482: 4000000
+CVE-2014-3483: 4000000
+ssl_verification_bypass: 2500000
+CVE_2011_2931: 4000000
+unsafe_symbol_creation: 300000
+translate_vuln: 300000
+unsafe_constantize: 600000
+unscoped_find: 300000
+validation_regex: 300000
+mass_assign_without_protection: 600000
+CVE_2015_3227: 4000000
+CVE_2013_0156: 4000000
+weak_hash_digest: 800000

data/lib/brakeman/report/report_codeclimate.rb

@@ -0,0 +1,68 @@
+require "json"
+require "yaml"
+
+class Brakeman::Report::CodeClimate < Brakeman::Report::Base
+  DOCUMENTATION_PATH = File.expand_path("../../../../docs/warning_types", __FILE__)
+  REMEDIATION_POINTS_CONFIG_PATH = File.expand_path("../config/remediation.yml", __FILE__)
+  REMEDIATION_POINTS_DEFAULT = 300_000
+
+  def generate_report
+    all_warnings.map { |warning| issue_json(warning) }.join("\0")
+  end
+
+  private
+
+  def issue_json(warning)
+    warning_code_name = name_for(warning.warning_code)
+
+    {
+      type: "Issue",
+      check_name: warning_code_name,
+      description: warning.message,
+      categories: ["Security"],
+      severity: severity_level_for(warning.confidence),
+      remediation_points: remediation_points_for(warning_code_name),
+      location: {
+        path: warning.relative_path,
+        lines: {
+          begin: warning.line || 1
+        }
+      },
+      content: {
+        body: content_for(warning.warning_code, warning.link)
+      }
+    }.to_json
+  end
+
+  def severity_level_for(confidence)
+    if confidence == 0
+      "critical"
+    else
+      "normal"
+    end
+  end
+
+  def remediation_points_for(warning_code)
+    @remediation_points ||= YAML.load_file(REMEDIATION_POINTS_CONFIG_PATH)
+    @remediation_points.fetch(name_for(warning_code), REMEDIATION_POINTS_DEFAULT)
+  end
+
+  def name_for(warning_code)
+    @warning_codes ||= Brakeman::WarningCodes::Codes.invert
+    @warning_codes[warning_code].to_s
+  end
+
+  def content_for(warning_code, link)
+    @contents ||= {}
+    unless link.nil?
+      @contents[warning_code] ||= local_content_for(link) || "Read more: #{link}"
+    end
+  end
+
+  def local_content_for(link)
+    directory = link.split("/").last
+    filename = File.join(DOCUMENTATION_PATH, directory, "index.markdown")
+
+    File.read(filename) if File.exist?(filename)
+  end
+end

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "3.1.2"
+  Version = "3.1.3"
 end

data/lib/brakeman/warning.rb

@@ -60,6 +60,8 @@ class Brakeman::Warning
     if @user_input.is_a? Brakeman::BaseCheck::Match
       @user_input_type = @user_input.type
       @user_input = @user_input.match
+    elsif @user_input == false
+      @user_input = nil
     end
 
     if not @line

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-  version: 3.1.2
+  version: 3.1.3
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2015-10-28 00:00:00.000000000 Z
+date: 2015-12-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: test-unit
@@ -91,16 +91,22 @@ dependencies:
   name: highline
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.6'
+        version: 1.6.20
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.6.20
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '1.6'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: erubis
   requirement: !ruby/object:Gem::Requirement
@@ -189,14 +195,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.0'
 description: Brakeman detects security vulnerabilities in Ruby on Rails applications
   via static analysis.
 email: gem@brakeman.org
@@ -315,12 +321,14 @@ files:
 - lib/brakeman/processors/template_alias_processor.rb
 - lib/brakeman/processors/template_processor.rb
 - lib/brakeman/report.rb
+- lib/brakeman/report/config/remediation.yml
 - lib/brakeman/report/ignore/config.rb
 - lib/brakeman/report/ignore/interactive.rb
 - lib/brakeman/report/initializers/faster_csv.rb
 - lib/brakeman/report/initializers/multi_json.rb
 - lib/brakeman/report/renderer.rb
 - lib/brakeman/report/report_base.rb
+- lib/brakeman/report/report_codeclimate.rb
 - lib/brakeman/report/report_csv.rb
 - lib/brakeman/report/report_hash.rb
 - lib/brakeman/report/report_html.rb