brakeman 4.0.1 → 4.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a02de773f5ba5a55b62f57cc7871c73457173b19
-  data.tar.gz: 30a430af91340e84dca249fd91ff8fe661ebc125
+  metadata.gz: 5473cad261403087ab82423bcb64eab734d11e8c
+  data.tar.gz: 59a9f5320cdd156c0d6202cd950238ce05a7b92f
 SHA512:
-  metadata.gz: e6f72c29812a8338a90916843de6d2e2488866bd3e625d4071ac94b9f3d23b4a868a3ee96cb72bfb4b2264f1dfd7c2b817578790fe76c4c21fca122e010a1ad7
-  data.tar.gz: d689559c8b6b4b3d1717f834d6bf1706e4d5d0093934901a6b049dbcfa34717ac3529d7963a6ac1dafb3b894b6cb3ef3d4c483da2b231250974bb558995adadc
+  metadata.gz: 72a9fc46b9385feddcb5ef032794470d68c2ce52f551f3eed00157c24e2f36015dff891f6c409a3862f78ec649c8aee2f3d373d5654f1fcfa3769d3cbf90f67c
+  data.tar.gz: 2fb4b886463bea09c6a46b78b83a507d1312d1d2f68df7d94df364d2eb374ea758f9f7fb959299a632d089288bc0b4304ec04f793708505b76f450c7e639ac9d

data/{CHANGES → CHANGES.md}

@@ -1,3 +1,26 @@
+# 4.1.0
+
+* Process models as root sexp instead of each sexp
+* Avoid CSRF warning in Rails 5.2 default config
+* Show better location for Sass errors (Andrew Bromwich)
+* Warn about dynamic values in `Arel.sql`
+* Fix `include_paths` for Code Climate engine (Will Fleming)
+* Add check for dangerous keys in `permit`
+* Try to guess options for `less` pager
+* Better processing of op_asgn1 (e.g. x[:y] += 1)
+* Add optional check for divide by zero
+* Remove errors about divide by zero
+* Avoid warning about file access for temp files
+* Do not warn on params.permit with safe values
+* Add Sexp#call_chain
+* Use HTTPS for warning links
+* Handle nested destructuring/multiple assignment
+* Leave results on screen after paging
+* Do not page if results fit on screen
+* Support `app_path` configuration for Code Climate engine (Noah Davis)
+* Refactor Code Climate engine options parsing (Noah Davis)
+* Fix upgrade version for CVE-2016-6316
+
 # 4.0.1
 
 * Disable pager when `CI` environment variable is set

data/README.md

@@ -2,8 +2,8 @@
 [![Brakeman Pro Logo](https://brakemanpro.com/images/bmp_square_white.png)](https://brakemanpro.com)
 
 [![Build Status](https://travis-ci.org/presidentbeef/brakeman.svg?branch=master)](https://travis-ci.org/presidentbeef/brakeman)
-[![Code Climate](https://codeclimate.com/github/presidentbeef/brakeman/badges/gpa.svg)](https://codeclimate.com/github/presidentbeef/brakeman)
-[![Test Coverage](https://codeclimate.com/github/presidentbeef/brakeman/badges/coverage.svg)](https://codeclimate.com/github/presidentbeef/brakeman/coverage)
+[![Maintainability](https://api.codeclimate.com/v1/badges/1b08a5c74695cb0d11ec/maintainability)](https://codeclimate.com/github/presidentbeef/brakeman/maintainability)
+[![Test Coverage](https://api.codeclimate.com/v1/badges/1b08a5c74695cb0d11ec/test_coverage)](https://codeclimate.com/github/presidentbeef/brakeman/test_coverage)
 [![Gitter](https://badges.gitter.im/presidentbeef/brakeman.svg)](https://gitter.im/presidentbeef/brakeman)
 
 # Brakeman

data/bundle/load.rb

@@ -1,6 +1,5 @@
 path = File.expand_path('../..', __FILE__)
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/haml-4.0.7/lib"
-$:.unshift "#{path}/bundle/ruby/2.3.0/gems/highline-1.7.8/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/ruby2ruby-2.4.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/sass-3.4.25/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/sass-3.4.25/vendor/listen/lib"
@@ -9,6 +8,7 @@ $:.unshift "#{path}/bundle/ruby/2.3.0/gems/temple-0.7.7/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/unicode-display_width-1.3.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/sexp_processor-4.10.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/lib"
+$:.unshift "#{path}/bundle/ruby/2.3.0/gems/highline-1.7.10/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/terminal-table-1.8.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/slim-3.0.7/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/erubis-2.7.0/lib"

data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/Changelog.md

@@ -2,6 +2,12 @@
 
 Below is a complete listing of changes for each revision of HighLine.
 
+### 1.7.10 / 2017-11-23
+* Add gemspec to Gemfile. Address #223. (@abinoam)
+
+### 1.7.9 / 2017-05-08
+* Fix frozen string issue on HighLine::Simulate. (Ivan Giuliani (@ivgiuliani), PR #210)
+
 ### 1.7.8 / 2015-10-09
 * Fix some issues when paginating. (Nick Carboni (@carbonin) and Abinoam P. Marques Jr. (@abinoam), #168, PRs #169 #170)
 

data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/Gemfile

@@ -1,5 +1,7 @@
 source "https://rubygems.org"
 
+gemspec
+
 gem "rake", :require => false
 gem "rdoc", :require => false
 

data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/lib/highline/simulate.rb

@@ -23,7 +23,7 @@ class HighLine
 
     # Simulate StringIO#getbyte by shifting a single character off of the next line of the script
     def getbyte
-      line = gets
+      line = gets.dup
       if line.length > 0
         char = line.slice! 0
         @strings.unshift line

data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/lib/highline/version.rb

@@ -1,4 +1,4 @@
 class HighLine
   # The version of the installed library.
-  VERSION = "1.7.8".freeze
+  VERSION = "1.7.10".freeze
 end

data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/test/tc_simulator.rb

@@ -20,4 +20,14 @@ class SimulatorTest < Test::Unit::TestCase
       assert_equal '18', age
     end
   end
+
+  def test_simulate_with_echo_and_frozen_strings
+    HighLine::Simulate.with('the password'.freeze) do
+      password = ask('What is your password?') do |q|
+        q.echo = '*'
+      end
+
+      assert_equal 'the password', password
+    end
+  end
 end

data/lib/brakeman.rb

@@ -402,39 +402,12 @@ module Brakeman
         puts tracker.report.format(output_format)
       end
     else
-      page_output tracker.report.format(output_formats.first)
-    end
-  end
-  private_class_method :write_report_to_formats
-
-  def self.page_output text
-    ci = ENV["CI"]
+      require "brakeman/report/pager"
 
-    if ci.is_a? String and ci.downcase == "true"
-      puts text
-    elsif system("which less")
-      # Adapted from https://github.com/piotrmurach/tty-pager/
-      write_io = open("|less -R", 'w')
-      pid = write_io.pid
-
-      write_io.write(text)
-      write_io.close
-
-      Process.waitpid2(pid, Process::WNOHANG)
-    else
-      load_brakeman_dependency 'highline'
-      h = ::HighLine.new
-      h.page_at = :auto
-      h.say text
+      Brakeman::Pager.new(tracker).page_report(tracker.report, output_formats.first)
     end
-  rescue Errno::ECHILD
-    # on jruby 9x waiting on pid raises (per tty-pager)
-    true
-  rescue => e
-    warn "[Error] #{e}"
-    warn "[Error] Could not use pager. Set --no-pager to avoid this issue."
-    puts text
   end
+  private_class_method :write_report_to_formats
 
   #Rescan a subset of files in a Rails application.
   #

data/lib/brakeman/checks/base_check.rb

@@ -445,41 +445,16 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     false
   end
 
-  #Returns true if low_version <= RAILS_VERSION <= high_version
-  #
-  #If the Rails version is unknown, returns false.
-  def version_between? low_version, high_version, current_version = nil
-    current_version ||= rails_version
-    return false unless current_version
-
-    version = current_version.split(".").map! { |n| n.to_i }
-    low_version = low_version.split(".").map! { |n| n.to_i }
-    high_version = high_version.split(".").map! { |n| n.to_i }
-
-    version.each_with_index do |v, i|
-      if v < low_version.fetch(i, 0)
-        return false
-      elsif v > low_version.fetch(i, 0)
-        break
-      end
-    end
-
-    version.each_with_index do |v, i|
-      if v > high_version.fetch(i, 0)
-        return false
-      elsif v < high_version.fetch(i, 0)
-        break
-      end
-    end
-
-    true
-  end
-
   def lts_version? version
     tracker.config.has_gem? :'railslts-version' and
     version_between? version, "2.3.18.99", tracker.config.gem_version(:'railslts-version')
   end
 
+
+  def version_between? low_version, high_version, current_version = nil
+    tracker.config.version_between? low_version, high_version, current_version
+  end
+
   def gemfile_or_environment gem_name = :rails
     if gem_name and info = tracker.config.get_gem(gem_name)
       info

data/lib/brakeman/checks/check_content_tag.rb

@@ -170,7 +170,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
                     when version_between?("4.0.0", "4.2.7.0")
                       "4.2.7.1"
                     when version_between?("5.0.0", "5.0.0")
-                      "5.0.0"
+                      "5.0.0.1"
                     when (version.nil? and tracker.options[:rails3])
                       "3.2.22.4"
                     when (version.nil? and tracker.options[:rails4])

data/lib/brakeman/checks/check_divide_by_zero.rb

@@ -0,0 +1,40 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckDivideByZero < Brakeman::BaseCheck
+  Brakeman::Checks.add_optional self
+
+  @description = "Warns on potential division by zero"
+
+  def run_check
+    tracker.find_call(:method => :"/").each do |result|
+      check_division result
+    end
+  end
+
+  def check_division result
+    call = result[:call]
+
+    denominator = call.first_arg
+
+    if number? denominator and denominator.value == 0
+      numerator = call.target
+
+      if number? numerator
+        if numerator.value.is_a? Float
+          return # 0.0 / 0 is NaN and 1.0 / 0 is Infinity
+        else
+          confidence = :medium
+        end
+      else
+        confidence = :weak
+      end
+
+      warn :result => result,
+        :warning_type => "Divide by Zero",
+        :warning_code => :divide_by_zero,
+        :message => "Potential division by zero",
+        :confidence => confidence,
+        :user_input => denominator
+    end
+  end
+end

data/lib/brakeman/checks/check_file_access.rb

@@ -47,7 +47,8 @@ class Brakeman::CheckFileAccess < Brakeman::BaseCheck
       end
     end
 
-    if match
+    if match and not temp_file? match.match
+
       message = "#{friendly_type_of(match).capitalize} used in file name"
 
       warn :result => result,
@@ -59,4 +60,12 @@ class Brakeman::CheckFileAccess < Brakeman::BaseCheck
         :user_input => match
     end
   end
+
+  def temp_file? exp
+    if call? exp
+      return true if exp.call_chain.include? :tempfile
+
+      params? exp.target and exp.method == :path
+    end
+  end
 end

data/lib/brakeman/checks/check_forgery_setting.rb

@@ -10,6 +10,8 @@ class Brakeman::CheckForgerySetting < Brakeman::BaseCheck
   @description = "Verifies that protect_from_forgery is enabled in direct subclasses of ActionController::Base"
 
   def run_check
+    return if tracker.config.default_protect_from_forgery?
+
     tracker.controllers
     .select { |_, controller| controller.parent == :"ActionController::Base" }
     .each do |name, controller|

data/lib/brakeman/checks/check_permit_attributes.rb

@@ -0,0 +1,43 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckPermitAttributes < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Warn on potentially dangerous attributes whitelisted via permit"
+
+  SUSPICIOUS_KEYS = {
+    admin: :high,
+    account_id: :high,
+    role: :medium,
+    banned: :medium,
+  }
+
+  def run_check
+    tracker.find_call(:method => :permit).each do |result|
+      check_permit result
+    end
+  end
+
+  def check_permit result
+    call = result[:call]
+
+    call.each_arg do |arg|
+      if symbol? arg
+        if SUSPICIOUS_KEYS.key? arg.value
+          warn_on_permit_key result, arg
+        elsif arg.value.match /_id$/
+          warn_on_permit_key result, arg, :medium
+        end
+      end
+    end
+  end
+
+  def warn_on_permit_key result, key, confidence = nil
+    warn :result => result,
+      :warning_type => "Mass Assignment",
+      :warning_code => :dangerous_permit_key,
+      :message => "Potentially dangerous key allowed for mass assignment",
+      :confidence => (confidence || SUSPICIOUS_KEYS[key.value]),
+      :user_input => key
+  end
+end

data/lib/brakeman/checks/check_redirect.rb

@@ -34,10 +34,13 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
     call = result[:call]
     method = call.method
 
+    opt = call.first_arg
+
     if method == :redirect_to and
         not only_path?(call) and
-        not explicit_host?(call.first_arg) and
-        not slice_call?(call.first_arg) and
+        not explicit_host?(opt) and
+        not slice_call?(opt) and
+        not safe_permit?(opt) and
         res = include_user_input?(call)
 
       if res.type == :immediate
@@ -232,4 +235,20 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
     return unless call? exp
     exp.method == :slice
   end
+
+  DANGEROUS_KEYS = [:host, :subdomain, :domain, :port]
+
+  def safe_permit? exp
+    if call? exp and params? exp.target and exp.method == :permit
+      exp.each_arg do |opt|
+        if symbol? opt and DANGEROUS_KEYS.include? opt.value
+          return false 
+        end
+      end
+
+      return true
+    end
+
+    false
+  end
 end

data/lib/brakeman/checks/check_sql.rb

@@ -38,7 +38,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       @connection_calls.concat [:add_limit!, :add_offset_limit!, :add_lock!]
     end
 
-    @expected_targets = active_record_models.keys + [:connection, :"ActiveRecord::Base"]
+    @expected_targets = active_record_models.keys + [:connection, :"ActiveRecord::Base", :Arel]
 
     Brakeman.debug "Finding possible SQL calls on models"
     calls = tracker.find_call(:methods => @sql_targets, :nested => true)
@@ -53,6 +53,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
 
     calls.concat tracker.find_call(:targets => @expected_targets, :methods => @connection_calls, :chained => true).select { |result| connect_call? result }
 
+    calls.concat tracker.find_call(:target => :Arel, :method => :sql)
+
     Brakeman.debug "Finding calls to named_scope or scope"
     calls.concat find_scope_calls
 
@@ -194,6 +196,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
                         check_lock_arguments call.first_arg
                       when :pluck
                         unsafe_sql? call.first_arg
+                      when :sql
+                        unsafe_sql? call.first_arg
                       when :update_all, :select
                         check_update_all_arguments call.args
                       when *@connection_calls

data/lib/brakeman/codeclimate/engine_configuration.rb

@@ -0,0 +1,97 @@
+require 'pathname'
+
+module Brakeman
+  module Codeclimate
+    class EngineConfiguration
+
+      def initialize(engine_config = {})
+        @engine_config = engine_config
+      end
+
+      def options
+        default_options.merge(configured_options)
+      end
+
+      private
+
+      attr_reader :engine_config
+
+      def default_options
+        @default_options = {
+          :output_format => :codeclimate,
+          :quiet => true,
+          :pager => false,
+          :app_path => Dir.pwd
+        }
+        if system("test -w /dev/stdout")
+          @default_options[:output_files] = ["/dev/stdout"]
+        end
+        @default_options
+      end
+
+      def configured_options
+        @configured_options = {}
+        # ATM this gets parsed as a string instead of bool: "config":{ "debug":"true" }
+        if brakeman_configuration["debug"] && brakeman_configuration["debug"].to_s.downcase == "true"
+          @configured_options[:debug] = true
+          @configured_options[:report_progress] = false
+        end
+
+        if active_include_paths
+          @configured_options[:only_files] = active_include_paths
+        end
+
+        if brakeman_configuration["app_path"]
+          @configured_options[:path_prefix] = brakeman_configuration["app_path"]
+          path = Pathname.new(Dir.pwd) + brakeman_configuration["app_path"]
+          @configured_options[:app_path] = path.to_s
+        end
+        @configured_options
+      end
+
+      def brakeman_configuration
+        if engine_config["config"]
+          engine_config["config"]
+        else
+          {}
+        end
+      end
+
+      def active_include_paths
+        @active_include_paths ||=
+          if brakeman_configuration["app_path"]
+            stripped_include_paths(brakeman_configuration["app_path"])
+          else
+            engine_config["include_paths"] && engine_config["include_paths"].compact
+          end
+      end
+
+      def stripped_include_paths(prefix)
+        subprefixes = path_subprefixes(prefix)
+        engine_config["include_paths"] && engine_config["include_paths"].map do |path|
+          next unless path
+          stripped_include_path(prefix, subprefixes, path)
+        end.compact
+      end
+
+      def path_subprefixes(path)
+        Pathname.new(path).each_filename.inject([]) do |memo, piece|
+         memo <<
+           if memo.any?
+             File.join(memo.last, piece)
+           else
+             File.join(piece)
+           end
+        end
+      end
+
+      def stripped_include_path(prefix, subprefixes, path)
+        if path.start_with?(prefix)
+          path.sub(%r{^#{prefix}/?}, "./")
+        elsif subprefixes.any? { |subprefix| path =~ %r{^#{subprefix}/?$} }
+          "./"
+        end
+      end
+    end
+  end
+end

data/lib/brakeman/parsers/template_parser.rb

@@ -36,9 +36,7 @@ module Brakeman
           @file_parser.file_list[:templates] << TemplateFile.new(path, ast, name, type)
         end
       rescue Racc::ParseError => e
-        tracker.error e, "could not parse #{path}"
-      rescue Haml::Error => e
-        tracker.error e, ["While compiling HAML in #{path}"] << e.backtrace
+        tracker.error e, "Could not parse #{path}"
       rescue StandardError, LoadError => e
         tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
       end
@@ -78,6 +76,12 @@ module Brakeman
       Haml::Engine.new(text,
                        :filename => path,
                        :escape_html => tracker.config.escape_html?).precompiled.gsub(/([^\\])\\n/, '\1')
+    rescue Haml::Error => e
+      tracker.error e, ["While compiling HAML in #{path}"] << e.backtrace
+      nil
+    rescue Sass::SyntaxError => e
+      tracker.error e, "While processing #{path}"
+      nil
     end
 
     def parse_slim path, text

data/lib/brakeman/processor.rb

@@ -54,7 +54,7 @@ module Brakeman
     #Process a model source
     def process_model src, file_name
       result = ModelProcessor.new(@tracker).process_model src, file_name
-      AliasProcessor.new(@tracker).process_all result if result
+      AliasProcessor.new(@tracker).process result if result
     end
 
     #Process either an ERB or HAML template

data/lib/brakeman/processors/alias_processor.rb

@@ -235,14 +235,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       end
     when :/
       if number? target and number? first_arg
-        if first_arg.value == 0 and not target.value.is_a? Float
-          if @tracker
-            location = [@current_class, @current_method, "line #{first_arg.line}"].compact.join(' ')
-            require 'brakeman/processors/output_processor'
-            code = Brakeman::OutputProcessor.new.format(exp)
-            @tracker.error Exception.new("Potential divide by zero: #{code} (#{location})")
-          end
-        else
+        unless first_arg.value == 0 and not target.value.is_a? Float
           exp = Sexp.new(:lit, target.value / first_arg.value)
         end
       end
@@ -500,6 +493,12 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   #
   # x, y = z, w
   def process_masgn exp
+    exp[2] = process exp[2] if sexp? exp[2]
+
+    if node_type? exp[2], :to_ary and array? exp[2][1]
+      exp[2] = exp[2][1]
+    end
+
     unless array? exp[1] and array? exp[2] and exp[1].length == exp[2].length
       return process_default(exp)
     end
@@ -514,9 +513,20 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     vars.each_with_index do |var, i|
       val = vals[i]
       if val
-        assign = var.dup
-        assign.rhs = val
-        process assign
+
+        # This happens with nested destructuring like
+        #   x, (a, b) = blah
+        if node_type? var, :masgn
+          # Need to add value to masgn exp
+          m = var.dup
+          m[2] = s(:to_ary, val)
+
+          process_masgn m
+        else
+          assign = var.dup
+          assign.rhs = val
+          process assign
+        end
       end
     end
 
@@ -550,19 +560,26 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   #Assignments like this
   # x[:y] ||= 1
   def process_op_asgn1 exp
-    return process_default(exp) if exp[3] != :"||"
+    target_var = exp[1]
+    target_var &&= target_var.deep_clone
 
     target = exp[1] = process(exp[1])
     index = exp[2][1] = process(exp[2][1])
     value = exp[4] = process(exp[4])
     match = Sexp.new(:call, target, :[], index)
 
-    unless env[match]
-      if request_value? target
-        env[match] = match.combine(value)
-      else
-        env[match] = value
+    if exp[3] == :"||"
+      unless env[match]
+        if request_value? target
+          env[match] = match.combine(value)
+        else
+          env[match] = value
+        end
       end
+    else
+      new_value = process s(:call, s(:call, target_var, :[], index), exp[3], value)
+
+      env[match] = new_value
     end
 
     exp

data/lib/brakeman/report/pager.rb

@@ -0,0 +1,110 @@
+module Brakeman
+  class Pager
+    def initialize tracker, pager = :less, output = $stdout
+      @tracker = tracker
+      @pager = pager
+      @output = output
+    end
+
+    def page_report report, format
+      if @pager == :less
+        set_color
+      end
+
+      text = report.format(format)
+
+      if in_ci?
+        no_pager text
+      else
+        page_output text
+      end
+    end
+
+    def page_output text
+      case @pager
+      when :none
+        no_pager text
+      when :highline
+        page_via_highline text
+      when :less
+        if less_available?
+          page_via_less text
+        else
+          page_via_highline text
+        end
+      else
+        no_pager text
+      end
+    end
+
+    def no_pager text
+      @output.puts text
+    end
+
+    def page_via_highline text
+      Brakeman.load_brakeman_dependency 'highline'
+      h = ::HighLine.new($stdin, @output)
+      h.page_at = :auto
+      h.say text
+    end
+
+    def page_via_less text
+      # Adapted from https://github.com/piotrmurach/tty-pager/
+
+      write_io = open("|less #{less_options.join}", 'w')
+      pid = write_io.pid
+
+      write_io.write(text)
+      write_io.close
+
+      Process.waitpid2(pid, Process::WNOHANG)
+    rescue Errno::ECHILD
+      # on jruby 9x waiting on pid raises (per tty-pager)
+      true
+    rescue => e
+      warn "[Error] #{e}"
+      warn "[Error] Could not use pager. Set --no-pager to avoid this issue."
+      no_pager text
+    end
+
+    def in_ci?
+      ci = ENV["CI"]
+
+      ci.is_a? String and ci.downcase == "true"
+    end
+
+    def less_available?
+      return @less_available unless @less_available.nil?
+
+      @less_available = system("which less > /dev/null")
+    end
+
+    def less_options
+      # -R show colors
+      # -F exit if output fits on one screen
+      # -X do not clear screen after less exits
+
+      return @less_options if @less_options
+
+      @less_options = []
+
+      if system("which less > /dev/null")
+        less_help = `less -?`
+
+        ["-R ", "-F ", "-X "].each do |opt|
+          if less_help.include? opt
+            @less_options << opt
+          end
+        end
+      end
+
+      @less_options
+    end
+
+    def set_color
+      unless @tracker and less_options.include? "-R "
+        @tracker.options[:output_color] = false
+      end
+    end
+  end
+end

data/lib/brakeman/report/report_codeclimate.rb

@@ -1,5 +1,6 @@
 require "json"
 require "yaml"
+require "pathname"
 
 class Brakeman::Report::CodeClimate < Brakeman::Report::Base
   DOCUMENTATION_PATH = File.expand_path("../../../../docs/warning_types", __FILE__)
@@ -24,7 +25,7 @@ class Brakeman::Report::CodeClimate < Brakeman::Report::Base
       severity: severity_level_for(warning.confidence),
       remediation_points: remediation_points_for(warning_code_name),
       location: {
-        path: warning.relative_path,
+        path: file_path(warning),
         lines: {
           begin: warning.line || 1,
           end: warning.line || 1,
@@ -67,4 +68,12 @@ class Brakeman::Report::CodeClimate < Brakeman::Report::Base
 
     File.read(filename) if File.exist?(filename)
   end
+
+  def file_path(warning)
+    fp = Pathname.new(warning.relative_path)
+    if tracker.options[:path_prefix]
+      fp = Pathname.new(tracker.options[:path_prefix]) + fp
+    end
+    fp.to_s
+  end
 end

data/lib/brakeman/tracker/config.rb

@@ -24,6 +24,20 @@ module Brakeman
         @rails[:action_controller][:allow_forgery_protection] == Sexp.new(:false)
     end
 
+    def default_protect_from_forgery?
+      if version_between? "5.2.0", "9.9.9"
+        if @rails[:action_controller] and
+            @rails[:action_controller][:default_protect_from_forgery] == Sexp.new(:false)
+
+          return false
+        else
+          return true
+        end
+      end
+
+      false
+    end
+
     def erubis?
       @erubis
     end
@@ -101,6 +115,36 @@ module Brakeman
       end
     end
 
+    #Returns true if low_version <= RAILS_VERSION <= high_version
+    #
+    #If the Rails version is unknown, returns false.
+    def version_between? low_version, high_version, current_version = nil
+      current_version ||= rails_version
+      return false unless current_version
+
+      version = current_version.split(".").map!(&:to_i)
+      low_version = low_version.split(".").map!(&:to_i)
+      high_version = high_version.split(".").map!(&:to_i)
+
+      version.each_with_index do |v, i|
+        if v < low_version.fetch(i, 0)
+          return false
+        elsif v > low_version.fetch(i, 0)
+          break
+        end
+      end
+
+      version.each_with_index do |v, i|
+        if v > high_version.fetch(i, 0)
+          return false
+        elsif v < high_version.fetch(i, 0)
+          break
+        end
+      end
+
+      true
+    end
+
     def session_settings
       @rails[:action_controller] &&
         @rails[:action_controller][:session]

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "4.0.1"
+  Version = "4.1.0"
 end

data/lib/brakeman/warning.rb

@@ -196,11 +196,11 @@ class Brakeman::Warning
       if @link_path.start_with? "http"
         @link = @link_path
       else
-        @link = "http://brakemanscanner.org/docs/warning_types/#{@link_path}"
+        @link = "https://brakemanscanner.org/docs/warning_types/#{@link_path}"
       end
     else
       warning_path = self.warning_type.to_s.downcase.gsub(/\s+/, '_') + "/"
-      @link = "http://brakemanscanner.org/docs/warning_types/#{warning_path}"
+      @link = "https://brakemanscanner.org/docs/warning_types/#{warning_path}"
     end
 
     @link

data/lib/brakeman/warning_codes.rb

@@ -105,6 +105,8 @@ module Brakeman::WarningCodes
     :secret_in_source => 101,
     :CVE_2016_6316 => 102,
     :CVE_2016_6317 => 103,
+    :divide_by_zero => 104,
+    :dangerous_permit_key => 105,
   }
 
   def self.code name

data/lib/ruby_parser/bm_sexp.rb

@@ -4,6 +4,7 @@
 class Sexp
   attr_accessor :original_line, :or_depth
   ASSIGNMENT_BOOL = [:gasgn, :iasgn, :lasgn, :cvdecl, :cvasgn, :cdecl, :or, :and, :colon2, :op_asgn_or]
+  CALLS = [:call, :attrasgn, :safe_call, :safe_attrasgn]
 
   def method_missing name, *args
     #Brakeman does not use this functionality,
@@ -307,6 +308,21 @@ class Sexp
     end
   end
 
+  def call_chain
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn
+
+    chain = []
+    call = self
+
+    while call.class == Sexp and CALLS.include? call.first 
+      chain << call.method
+      call = call.target
+    end
+
+    chain.reverse!
+    chain
+  end
+
   #Returns condition of an if expression:
   #
   #    s(:if,

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-  version: 4.0.1
+  version: 4.1.0
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2017-09-25 00:00:00.000000000 Z
+date: 2017-12-14 00:00:00.000000000 Z
 dependencies: []
 description: Brakeman detects security vulnerabilities in Ruby on Rails applications
   via static analysis.
@@ -19,7 +19,7 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
-- CHANGES
+- CHANGES.md
 - FEATURES
 - README.md
 - bin/brakeman
@@ -444,53 +444,53 @@ files:
 - bundle/ruby/2.3.0/gems/haml-4.0.7/test/templates/whitespace_handling.haml
 - bundle/ruby/2.3.0/gems/haml-4.0.7/test/test_helper.rb
 - bundle/ruby/2.3.0/gems/haml-4.0.7/test/util_test.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/AUTHORS
-- bundle/ruby/2.3.0/gems/highline-1.7.8/COPYING
-- bundle/ruby/2.3.0/gems/highline-1.7.8/Changelog.md
-- bundle/ruby/2.3.0/gems/highline-1.7.8/Gemfile
-- bundle/ruby/2.3.0/gems/highline-1.7.8/INSTALL
-- bundle/ruby/2.3.0/gems/highline-1.7.8/LICENSE
-- bundle/ruby/2.3.0/gems/highline-1.7.8/README.rdoc
-- bundle/ruby/2.3.0/gems/highline-1.7.8/Rakefile
-- bundle/ruby/2.3.0/gems/highline-1.7.8/TODO
-- bundle/ruby/2.3.0/gems/highline-1.7.8/examples/ansi_colors.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/examples/asking_for_arrays.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/examples/basic_usage.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/examples/color_scheme.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/examples/get_character.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/examples/limit.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/examples/menus.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/examples/overwrite.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/examples/page_and_wrap.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/examples/password.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/examples/repeat_entry.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/examples/trapping_eof.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/examples/using_readline.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/highline.gemspec
-- bundle/ruby/2.3.0/gems/highline-1.7.8/lib/highline.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/lib/highline/color_scheme.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/lib/highline/compatibility.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/lib/highline/import.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/lib/highline/menu.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/lib/highline/question.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/lib/highline/simulate.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/lib/highline/string_extensions.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/lib/highline/style.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/lib/highline/system_extensions.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/lib/highline/version.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/setup.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/site/highline.css
-- bundle/ruby/2.3.0/gems/highline-1.7.8/site/images/logo.png
-- bundle/ruby/2.3.0/gems/highline-1.7.8/site/index.html
-- bundle/ruby/2.3.0/gems/highline-1.7.8/test/string_methods.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/test/tc_color_scheme.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/test/tc_highline.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/test/tc_import.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/test/tc_menu.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/test/tc_simulator.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/test/tc_string_extension.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/test/tc_string_highline.rb
-- bundle/ruby/2.3.0/gems/highline-1.7.8/test/tc_style.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/AUTHORS
+- bundle/ruby/2.3.0/gems/highline-1.7.10/COPYING
+- bundle/ruby/2.3.0/gems/highline-1.7.10/Changelog.md
+- bundle/ruby/2.3.0/gems/highline-1.7.10/Gemfile
+- bundle/ruby/2.3.0/gems/highline-1.7.10/INSTALL
+- bundle/ruby/2.3.0/gems/highline-1.7.10/LICENSE
+- bundle/ruby/2.3.0/gems/highline-1.7.10/README.rdoc
+- bundle/ruby/2.3.0/gems/highline-1.7.10/Rakefile
+- bundle/ruby/2.3.0/gems/highline-1.7.10/TODO
+- bundle/ruby/2.3.0/gems/highline-1.7.10/examples/ansi_colors.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/examples/asking_for_arrays.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/examples/basic_usage.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/examples/color_scheme.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/examples/get_character.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/examples/limit.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/examples/menus.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/examples/overwrite.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/examples/page_and_wrap.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/examples/password.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/examples/repeat_entry.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/examples/trapping_eof.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/examples/using_readline.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/highline.gemspec
+- bundle/ruby/2.3.0/gems/highline-1.7.10/lib/highline.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/lib/highline/color_scheme.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/lib/highline/compatibility.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/lib/highline/import.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/lib/highline/menu.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/lib/highline/question.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/lib/highline/simulate.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/lib/highline/string_extensions.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/lib/highline/style.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/lib/highline/system_extensions.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/lib/highline/version.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/setup.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/site/highline.css
+- bundle/ruby/2.3.0/gems/highline-1.7.10/site/images/logo.png
+- bundle/ruby/2.3.0/gems/highline-1.7.10/site/index.html
+- bundle/ruby/2.3.0/gems/highline-1.7.10/test/string_methods.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/test/tc_color_scheme.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/test/tc_highline.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/test/tc_import.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/test/tc_menu.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/test/tc_simulator.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/test/tc_string_extension.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/test/tc_string_highline.rb
+- bundle/ruby/2.3.0/gems/highline-1.7.10/test/tc_style.rb
 - bundle/ruby/2.3.0/gems/ruby2ruby-2.4.0/History.rdoc
 - bundle/ruby/2.3.0/gems/ruby2ruby-2.4.0/Manifest.txt
 - bundle/ruby/2.3.0/gems/ruby2ruby-2.4.0/README.rdoc
@@ -1244,6 +1244,7 @@ files:
 - lib/brakeman/checks/check_deserialize.rb
 - lib/brakeman/checks/check_detailed_exceptions.rb
 - lib/brakeman/checks/check_digest_dos.rb
+- lib/brakeman/checks/check_divide_by_zero.rb
 - lib/brakeman/checks/check_dynamic_finders.rb
 - lib/brakeman/checks/check_escape_function.rb
 - lib/brakeman/checks/check_evaluation.rb
@@ -1268,6 +1269,7 @@ files:
 - lib/brakeman/checks/check_nested_attributes.rb
 - lib/brakeman/checks/check_nested_attributes_bypass.rb
 - lib/brakeman/checks/check_number_to_currency.rb
+- lib/brakeman/checks/check_permit_attributes.rb
 - lib/brakeman/checks/check_quote_table_name.rb
 - lib/brakeman/checks/check_redirect.rb
 - lib/brakeman/checks/check_regex_dos.rb
@@ -1302,6 +1304,7 @@ files:
 - lib/brakeman/checks/check_without_protection.rb
 - lib/brakeman/checks/check_xml_dos.rb
 - lib/brakeman/checks/check_yaml_parsing.rb
+- lib/brakeman/codeclimate/engine_configuration.rb
 - lib/brakeman/commandline.rb
 - lib/brakeman/differ.rb
 - lib/brakeman/file_parser.rb
@@ -1346,6 +1349,7 @@ files:
 - lib/brakeman/report/config/remediation.yml
 - lib/brakeman/report/ignore/config.rb
 - lib/brakeman/report/ignore/interactive.rb
+- lib/brakeman/report/pager.rb
 - lib/brakeman/report/renderer.rb
 - lib/brakeman/report/report_base.rb
 - lib/brakeman/report/report_codeclimate.rb
@@ -1388,8 +1392,7 @@ homepage: http://brakemanscanner.org
 licenses:
 - MIT
 metadata: {}
-post_install_message: 'Brakeman 4.0 has important changes that may affect you. Please
-  see our blog post for details: https://brakemanscanner.org/blog/2017/09/25/brakeman-4-dot-0-released/'
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib