brakeman 4.10.0 → 5.0.0.pre1

data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.0}/lib/haml/helpers/xss_mods.rb

@@ -8,12 +8,15 @@ module Haml
     # to work with Rails' XSS protection methods.
     module XssMods
       def self.included(base)
-        %w[html_escape find_and_preserve preserve list_of surround
-           precede succeed capture_haml haml_concat haml_internal_concat haml_indent
-           escape_once].each do |name|
+        %w[find_and_preserve preserve list_of surround
+           precede succeed capture_haml haml_concat haml_internal_concat haml_indent].each do |name|
           base.send(:alias_method, "#{name}_without_haml_xss", name)
           base.send(:alias_method, name, "#{name}_with_haml_xss")
         end
+        # Those two always have _without_haml_xss
+        %w[html_escape escape_once].each do |name|
+          base.send(:alias_method, name, "#{name}_with_haml_xss")
+        end
       end
 
       # Don't escape text that's already safe,

data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.0}/lib/haml/parser.rb

@@ -307,7 +307,7 @@ module Haml
         return ParseNode.new(:plain, line.index + 1, :text => line.text)
       end
 
-      escape_html = @options.escape_html if escape_html.nil?
+      escape_html = @options.escape_html && @options.mime_type != 'text/plain' if escape_html.nil?
       line.text = unescape_interpolation(line.text, escape_html)
       script(line, false)
     end

data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.0}/lib/haml/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Haml
-  VERSION = "5.1.2"
+  VERSION = "5.2.0"
 end

data/lib/brakeman.rb

@@ -66,6 +66,7 @@ module Brakeman
   #  * :run_checks - array of checks to run (run all if not specified)
   #  * :safe_methods - array of methods to consider safe
   #  * :skip_libs - do not process lib/ directory (default: false)
+  #  * :skip_vendor - do not process vendor/ directory (default: true)
   #  * :skip_checks - checks not to run (run all if not specified)
   #  * :absolute_paths - show absolute path of each file (default: false)
   #  * :summary_only - only output summary section of report for plain/table (:summary_only, :no_summary, true)
@@ -191,6 +192,7 @@ module Brakeman
       :report_progress => true,
       :safe_methods => Set.new,
       :skip_checks => Set.new,
+      :skip_vendor => true,
     }
   end
 
@@ -239,6 +241,8 @@ module Brakeman
       [:to_junit]
     when :sarif, :to_sarif
       [:to_sarif]
+    when :sonar, :to_sonar
+      [:to_sonar]
     else
       [:to_text]
     end
@@ -270,6 +274,8 @@ module Brakeman
         :to_junit
       when /\.sarif$/i
         :to_sarif
+      when /\.sonar$/i
+        :to_sonar
       else
         :to_text
       end

data/lib/brakeman/app_tree.rb

@@ -21,6 +21,7 @@ module Brakeman
       end
       init_options[:additional_libs_path] = options[:additional_libs_path]
       init_options[:engine_paths] = options[:engine_paths]
+      init_options[:skip_vendor] = options[:skip_vendor]
       new(root, init_options)
     end
 
@@ -62,6 +63,7 @@ module Brakeman
       @engine_paths = init_options[:engine_paths] || []
       @absolute_engine_paths = @engine_paths.select { |path| path.start_with?(File::SEPARATOR) }
       @relative_engine_paths = @engine_paths - @absolute_engine_paths
+      @skip_vendor = init_options[:skip_vendor]
       @gemspec = nil
       @root_search_pattern = nil
     end
@@ -96,6 +98,10 @@ module Brakeman
       end
     end
 
+    def ruby_file_paths
+      find_paths(".").uniq
+    end
+
     def initializer_paths
       @initializer_paths ||= prioritize_concerns(find_paths("config/initializers"))
     end
@@ -109,8 +115,8 @@ module Brakeman
     end
 
     def template_paths
-      @template_paths ||= find_paths("app/**/views", "*.{#{VIEW_EXTENSIONS}}") +
-                          find_paths("app/**/views", "*.{erb,haml,slim}").reject { |path| File.basename(path).count(".") > 1 }
+      @template_paths ||= find_paths(".", "*.{#{VIEW_EXTENSIONS}}") +
+        find_paths("**", "*.{erb,haml,slim}").reject { |path| File.basename(path).count(".") > 1 }
     end
 
     def layout_exists?(name)
@@ -163,7 +169,8 @@ module Brakeman
     def select_files(paths)
       paths = select_only_files(paths)
       paths = reject_skipped_files(paths)
-      convert_to_file_paths(paths)
+      paths = convert_to_file_paths(paths)
+      reject_global_excludes(paths)
     end
 
     def select_only_files(paths)
@@ -182,6 +189,32 @@ module Brakeman
       end
     end
 
+    EXCLUDED_PATHS = %w[
+      /generators/
+      lib/tasks/
+      lib/templates/
+      db/
+      spec/
+      test/
+      tmp/
+      public/
+      log/
+    ]
+
+    def reject_global_excludes(paths)
+      paths.reject do |path|
+        relative_path = path.relative
+
+        if @skip_vendor and relative_path.include? 'vendor/'
+          true
+        else
+          EXCLUDED_PATHS.any? do |excluded|
+            relative_path.include? excluded
+          end
+        end
+      end
+    end
+
     def match_path files, path
       absolute_path = Pathname.new(path)
       # relative root never has a leading separator. But, we use a leading

data/lib/brakeman/checks/check_unsafe_reflection_methods.rb

@@ -0,0 +1,68 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckUnsafeReflectionMethods < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for unsafe reflection to access methods"
+
+  def run_check
+    check_method
+    check_tap
+    check_to_proc
+  end
+
+  def check_method
+    tracker.find_call(method: :method, nested: true).each do |result|
+      argument = result[:call].first_arg
+
+      if user_input = include_user_input?(argument)
+        warn_unsafe_reflection(result, user_input)
+      end
+    end
+  end
+
+  def check_tap
+    tracker.find_call(method: :tap, nested: true).each do |result|
+      argument = result[:call].first_arg
+
+      # Argument is passed like a.tap(&argument)
+      if node_type? argument, :block_pass
+        argument = argument.value
+      end
+
+      if user_input = include_user_input?(argument)
+        warn_unsafe_reflection(result, user_input)
+      end
+    end
+  end
+
+  def check_to_proc
+    tracker.find_call(method: :to_proc, nested: true).each do |result|
+      target = result[:call].target
+
+      if user_input = include_user_input?(target)
+        warn_unsafe_reflection(result, user_input)
+      end
+    end
+  end
+
+  def warn_unsafe_reflection result, input
+    return unless original? result
+    method = result[:call].method
+
+    confidence = if input.type == :params
+      :high
+    else
+      :medium
+    end
+
+    message = msg("Unsafe reflection method ", msg_code(method), " called with ", msg_input(input))
+
+    warn :result => result,
+      :warning_type => "Remote Code Execution",
+      :warning_code => :unsafe_method_reflection,
+      :message => message,
+      :user_input => input,
+      :confidence => confidence
+  end
+end

data/lib/brakeman/checks/check_verb_confusion.rb

@@ -0,0 +1,75 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckVerbConfusion < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Check for uses of `request.get?` that might have unintentional behavior"
+
+  #Process calls
+  def run_check
+    calls = tracker.find_call(target: :request, methods: [:get?])
+
+    calls.each do |call|
+      process_result call
+    end
+  end
+
+  def process_result result
+    @current_result = result
+    @matched_call = result[:call]
+    klass = tracker.find_class(result[:location][:class])
+
+    # TODO: abstract into tracker.find_location ?
+    if klass.nil?
+      Brakeman.debug "No class found: #{result[:location][:class]}"
+      return
+    end
+
+    method = klass.get_method(result[:location][:method])
+
+    if method.nil?
+      Brakeman.debug "No method found: #{result[:location][:method]}"
+      return
+    end
+
+    process method[:src]
+  end
+
+  def process_if exp
+    if exp.condition == @matched_call
+      # Found `if request.get?`
+
+      # Do not warn if there is an `elsif` clause
+      if node_type? exp.else_clause, :if
+        return exp
+      end
+
+      warn_about_result @current_result, exp
+    end
+
+    exp
+  end
+
+  def warn_about_result result, code
+    return unless original? result
+
+    confidence = :weak
+    message = msg('Potential HTTP verb confusion. ',
+                  msg_code('HEAD'),
+                  ' is routed like ',
+                  msg_code('GET'),
+                  ' but ',
+                  msg_code('request.get?'),
+                  ' will return ',
+                  msg_code('false')
+                 )
+
+    warn :result => result,
+      :warning_type => "HTTP Verb Confusion",
+      :warning_code => :http_verb_confusion,
+      :message => message,
+      :code => code,
+      :user_input => result[:call],
+      :confidence => confidence
+  end
+end

data/lib/brakeman/file_parser.rb

@@ -3,32 +3,31 @@ module Brakeman
 
   # This class handles reading and parsing files.
   class FileParser
-    attr_reader :file_list
+    attr_reader :file_list, :errors
 
-    def initialize tracker
-      @tracker = tracker
-      @timeout = @tracker.options[:parser_timeout]
-      @app_tree = @tracker.app_tree
-      @file_list = {}
+    def initialize app_tree, timeout
+      @app_tree = app_tree
+      @timeout = timeout
+      @file_list = []
+      @errors = []
     end
 
-    def parse_files list, type
-      read_files list, type do |path, contents|
+    def parse_files list
+      read_files list do |path, contents|
         if ast = parse_ruby(contents, path.relative)
           ASTFile.new(path, ast)
         end
       end
     end
 
-    def read_files list, type
-      @file_list[type] ||= []
-
+    def read_files list
       list.each do |path|
         file = @app_tree.file_path(path)
 
         result = yield file, file.read
+
         if result
-          @file_list[type] << result
+          @file_list << result
         end
       end
     end
@@ -38,15 +37,17 @@ module Brakeman
         Brakeman.debug "Parsing #{path}"
         RubyParser.new.parse input, path, @timeout
       rescue Racc::ParseError => e
-        @tracker.error e, "Could not parse #{path}"
-        nil
+        error e.exception(e.message + "\nCould not parse #{path}")
       rescue Timeout::Error => e
-        @tracker.error Exception.new("Parsing #{path} took too long (> #{@timeout} seconds). Try increasing the limit with --parser-timeout"), caller
-        nil
+        error Exception.new("Parsing #{path} took too long (> #{@timeout} seconds). Try increasing the limit with --parser-timeout")
       rescue => e
-        @tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
-        nil
+        error e.exception(e.message + "\nWhile processing #{path}")
       end
     end
+
+    def error exception
+      @errors << exception
+      nil
+    end
   end
 end

data/lib/brakeman/options.rb

@@ -166,6 +166,10 @@ module Brakeman::Options
           options[:only_files].merge files
         end
 
+        opts.on "--[no-]skip-vendor", "Skip processing vendor directory (Default)" do |skip|
+          options[:skip_vendor] = skip
+        end
+
         opts.on "--skip-libs", "Skip processing lib directory" do
           options[:skip_libs] = true
         end
@@ -229,7 +233,7 @@ module Brakeman::Options
 
         opts.on "-f",
           "--format TYPE",
-          [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table, :junit, :sarif],
+          [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table, :junit, :sarif, :sonar],
           "Specify output formats. Default is text" do |type|
 
           type = "s" if type == :text

data/lib/brakeman/parsers/template_parser.rb

@@ -9,7 +9,6 @@ module Brakeman
     def initialize tracker, file_parser
       @tracker = tracker
       @file_parser = file_parser
-      @file_parser.file_list[:templates] ||= []
     end
 
     def parse_template path, text
@@ -33,7 +32,7 @@ module Brakeman
               end
 
         if src and ast = @file_parser.parse_ruby(src, path)
-          @file_parser.file_list[:templates] << TemplateFile.new(path, ast, name, type)
+          @file_parser.file_list << TemplateFile.new(path, ast, name, type)
         end
       rescue Racc::ParseError => e
         tracker.error e, "Could not parse #{path}"
@@ -97,7 +96,7 @@ module Brakeman
     end
 
     def self.parse_inline_erb tracker, text
-      fp = Brakeman::FileParser.new(tracker)
+      fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
       tp = self.new(tracker, fp)
       src = tp.parse_erb '_inline_', text
       type = tp.erubis? ? :erubis : :erb

data/lib/brakeman/processors/haml_template_processor.rb

@@ -76,6 +76,13 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     end
   end
 
+  ESCAPE_METHODS = [
+    :html_escape,
+    :html_escape_without_haml_xss,
+    :escape_once,
+    :escape_once_without_haml_xss
+  ]
+
   def get_pushed_value exp, default = :output
     return exp unless sexp? exp
 
@@ -105,7 +112,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     when :call
       if exp.method == :to_s or exp.method == :strip
         get_pushed_value(exp.target, default)
-      elsif haml_helpers? exp.target and exp.method == :html_escape
+      elsif haml_helpers? exp.target and ESCAPE_METHODS.include? exp.method
         get_pushed_value(exp.first_arg, :escaped_output)
       elsif @javascript and (exp.method == :j or exp.method == :escape_javascript) # TODO: Remove - this is not safe
         get_pushed_value(exp.first_arg, :escaped_output)