RubyGems - brakeman - Versions diffs - 4.10.0 → 5.0.4 - Mend

brakeman 4.10.0 → 5.0.4

Files changed (186) hide show

data/lib/brakeman/processors/base_processor.rb CHANGED Viewed

@@ -8,7 +8,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
   include Brakeman::SafeCallHelper
   include Brakeman::Util
-  IGNORE = Sexp.new :ignore
+  IGNORE = Sexp.new(:ignore).line(0)
   #Return a new Processor.
   def initialize tracker
@@ -216,7 +216,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
   #
   #And also :layout for inside templates
   def find_render_type call, in_view = false
-    rest = Sexp.new(:hash)
+    rest = Sexp.new(:hash).line(call.line)
     type = nil
     value = nil
     first_arg = call.first_arg
@@ -236,7 +236,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
       end
     elsif first_arg.is_a? Symbol or first_arg.is_a? String
       type = :action
-      value = Sexp.new(:lit, first_arg.to_sym)
+      value = Sexp.new(:lit, first_arg.to_sym).line(call.line)
     elsif first_arg.nil?
       type = :default
     elsif not hash? first_arg
@@ -293,6 +293,6 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     @tracker.processor.process_template(template_name, ast, type, nil, @current_file)
     @tracker.processor.process_template_alias(@tracker.templates[template_name])
-    return s(:lit, template_name), options
+    return s(:lit, template_name).line(value.line), options
   end
 end

data/lib/brakeman/processors/controller_processor.rb CHANGED Viewed

@@ -202,7 +202,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     end
     if node_type? exp.block, :block
-      block_inner = exp.block[1..-1]
+      block_inner = exp.block.sexp_body
     else
       block_inner = [exp.block]
     end

data/lib/brakeman/processors/haml_template_processor.rb CHANGED Viewed

@@ -76,6 +76,13 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     end
   end
+  ESCAPE_METHODS = [
+    :html_escape,
+    :html_escape_without_haml_xss,
+    :escape_once,
+    :escape_once_without_haml_xss
+  ]
   def get_pushed_value exp, default = :output
     return exp unless sexp? exp
@@ -105,7 +112,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     when :call
       if exp.method == :to_s or exp.method == :strip
         get_pushed_value(exp.target, default)
-      elsif haml_helpers? exp.target and exp.method == :html_escape
+      elsif haml_helpers? exp.target and ESCAPE_METHODS.include? exp.method
         get_pushed_value(exp.first_arg, :escaped_output)
       elsif @javascript and (exp.method == :j or exp.method == :escape_javascript) # TODO: Remove - this is not safe
         get_pushed_value(exp.first_arg, :escaped_output)

data/lib/brakeman/processors/lib/file_type_detector.rb ADDED Viewed

@@ -0,0 +1,64 @@
+module Brakeman
+  class FileTypeDetector < BaseProcessor
+    def initialize
+      super(nil)
+      reset
+    end
+    def detect_type(file)
+      reset
+      process(file.ast)
+      if @file_type.nil?
+        @file_type = guess_from_path(file.path.relative)
+      end
+      @file_type || :libs
+    end
+    MODEL_CLASSES = [
+      :'ActiveRecord::Base',
+      :ApplicationRecord
+    ]
+    def process_class exp
+      name = class_name(exp.class_name)
+      parent = class_name(exp.parent_name)
+      if name.match(/Controller$/)
+        @file_type = :controllers
+        return exp
+      elsif MODEL_CLASSES.include? parent
+        @file_type = :models
+        return exp
+      end
+      super
+    end
+    def guess_from_path path
+      case
+      when path.include?('app/models')
+        :models
+      when path.include?('app/controllers')
+        :controllers
+      when path.include?('config/initializers')
+        :initializers
+      when path.include?('lib/')
+        :libs
+      when path.match?(%r{config/environments/(?!production\.rb)$})
+        :skip
+      when path.match?(%r{environments/production\.rb$})
+        :skip
+      when path.match?(%r{application\.rb$})
+        :skip
+      end
+    end
+    private
+    def reset
+      @file_type = nil
+    end
+  end
+end

data/lib/brakeman/processors/lib/rails3_config_processor.rb CHANGED Viewed

@@ -57,6 +57,20 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
     exp
   end
+  #Look for configuration settings that
+  #are just a call like
+  #
+  #  config.load_defaults 5.2
+  def process_call exp
+    return exp unless @inside_config
+    if exp.target == RAILS_CONFIG and exp.first_arg
+      @tracker.config.rails[exp.method] = exp.first_arg
+    end
+    exp
+  end
   #Look for configuration settings
   def process_attrasgn exp
     return exp unless @inside_config
@@ -71,22 +85,8 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
         @tracker.config.rails[attribute] = exp.first_arg
       end
     elsif include_rails_config? exp
-      options = get_rails_config exp
-      level = @tracker.config.rails
-      options[0..-2].each do |o|
-        level[o] ||= {}
-        option = level[o]
-        if not option.is_a? Hash
-          Brakeman.debug "[Notice] Skipping config setting: #{options.map(&:to_s).join(".")}"
-          return exp
-        end
-        level = level[o]
-      end
-      level[options.last] = exp.first_arg
+      options_path = get_rails_config exp
+      @tracker.config.set_rails_config(exp.first_arg, *options_path)
     end
     exp

data/lib/brakeman/processors/lib/rails4_config_processor.rb CHANGED Viewed

@@ -2,10 +2,11 @@ require 'brakeman/processors/lib/rails3_config_processor'
 class Brakeman::Rails4ConfigProcessor < Brakeman::Rails3ConfigProcessor
   APPLICATION_CONFIG = s(:call, s(:call, s(:const, :Rails), :application), :configure)
+  ALT_APPLICATION_CONFIG = s(:call, s(:call, s(:colon3, :Rails), :application), :configure)
   # Look for Rails.application.configure do ... end
   def process_iter exp
-    if exp.block_call == APPLICATION_CONFIG
+    if exp.block_call == APPLICATION_CONFIG or exp.block_call == ALT_APPLICATION_CONFIG
       @inside_config = true
       process exp.block if sexp? exp.block
       @inside_config = false

data/lib/brakeman/processors/output_processor.rb CHANGED Viewed

@@ -88,7 +88,7 @@ class Brakeman::OutputProcessor < Ruby2Ruby
   def process_iter exp
     call = process exp[1]
-    block = process_rlist exp[3..-1]
+    block = process_rlist exp.sexp_body(3)
     out = "#{call} do\n #{block}\n end"
     out

data/lib/brakeman/processors/template_alias_processor.rb CHANGED Viewed

@@ -20,6 +20,11 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
   #Process template
   def process_template name, args, _, line = nil
+    # Strip forward slash from beginning of template path.
+    # This also happens in RenderHelper#process_template but
+    # we need it here too to accurately avoid circular renders below.
+    name = name.to_s.gsub(/^\//, "")
     if @called_from
       if @called_from.include_template? name
         Brakeman.debug "Skipping circular render from #{@template.name} to #{name}"

data/lib/brakeman/report.rb CHANGED Viewed

@@ -45,6 +45,9 @@ class Brakeman::Report
       Brakeman::Report::JUnit
     when :to_sarif
       return self.to_sarif
+    when :to_sonar
+      require_report 'sonar'
+      Brakeman::Report::Sonar
     else
       raise "Invalid format: #{format}. Should be one of #{VALID_FORMATS.inspect}"
     end
@@ -69,6 +72,11 @@ class Brakeman::Report
     generate Brakeman::Report::JSON
   end
+  def to_sonar
+    require_report 'sonar'
+    generate Brakeman::Report::Sonar
+  end
   def to_table
     require_report 'table'
     generate Brakeman::Report::Table

data/lib/brakeman/report/report_base.rb CHANGED Viewed

@@ -11,8 +11,6 @@ class Brakeman::Report::Base
   attr_reader :tracker, :checks
-  TEXT_CONFIDENCE = Brakeman::Warning::TEXT_CONFIDENCE
   def initialize tracker
     @app_tree = tracker.app_tree
     @tracker = tracker

data/lib/brakeman/report/report_csv.rb CHANGED Viewed

@@ -1,72 +1,49 @@
 require 'csv'
-require "brakeman/report/report_table"
-class Brakeman::Report::CSV < Brakeman::Report::Table
+class Brakeman::Report::CSV < Brakeman::Report::Base
   def generate_report
-    output = csv_header
-    output << "\nSUMMARY\n"
-    output << table_to_csv(generate_overview) << "\n"
-    output << table_to_csv(generate_warning_overview) << "\n"
-    #Return output early if only summarizing
-    if tracker.options[:summary_only]
-      return output
-    end
-    if tracker.options[:report_routes] or tracker.options[:debug]
-      output << "CONTROLLERS\n"
-      output << table_to_csv(generate_controllers) << "\n"
-    end
-    if tracker.options[:debug]
-      output << "TEMPLATES\n\n"
-      output << table_to_csv(generate_templates) << "\n"
+    headers = [
+      "Confidence",
+      "Warning Type",
+      "File",
+      "Line",
+      "Message",
+      "Code",
+      "User Input",
+      "Check Name",
+      "Warning Code",
+      "Fingerprint",
+      "Link"
+    ]
+    rows = tracker.filtered_warnings.sort_by do |w|
+      [w.confidence, w.warning_type, w.file, w.line, w.fingerprint]
+    end.map do |warning|
+      generate_row(headers, warning)
     end
-    res = generate_errors
-    output << "ERRORS\n" << table_to_csv(res) << "\n" if res
-    res = generate_warnings
-    output << "SECURITY WARNINGS\n" << table_to_csv(res) << "\n" if res
+    table = CSV::Table.new(rows)
-    output << "Controller Warnings\n"
-    res = generate_controller_warnings
-    output << table_to_csv(res) << "\n" if res
-    output << "Model Warnings\n"
-    res = generate_model_warnings
-    output << table_to_csv(res) << "\n" if res
-    res = generate_template_warnings
-    output << "Template Warnings\n"
-    output << table_to_csv(res) << "\n" if res
-    output
+    table.to_csv
   end
-  #Generate header for CSV output
-  def csv_header
-    header = CSV.generate_line(["Application Path", "Report Generation Time", "Checks Performed", "Rails Version"])
-    header << CSV.generate_line([File.expand_path(tracker.app_path), Time.now.to_s, checks.checks_run.sort.join(", "), rails_version])
-    "BRAKEMAN REPORT\n\n" + header
+  def generate_row headers, warning
+    CSV::Row.new headers, warning_row(warning)
   end
-  # rely on Terminal::Table to build the structure, extract the data out in CSV format
-  def table_to_csv table
-    return "" unless table
-    Brakeman.load_brakeman_dependency 'terminal-table'
-    headings = table.headings
-    if headings.is_a? Array
-      headings = headings.first
-    end
-    output = CSV.generate_line(headings.cells.map{|cell| cell.to_s.strip})
-    table.rows.each do |row|
-      output << CSV.generate_line(row.cells.map{|cell| cell.to_s.strip})
-    end
-    output
+  def warning_row warning
+    [
+      warning.confidence_name,
+      warning.warning_type,
+      warning_file(warning),
+      warning.line,
+      warning.message,
+      warning.code && warning.format_code(false),
+      warning.user_input && warning.format_user_input(false),
+      warning.check_name,
+      warning.warning_code,
+      warning.fingerprint,
+      warning.link,
+    ]
   end
 end

data/lib/brakeman/report/report_junit.rb CHANGED Viewed

@@ -47,7 +47,7 @@ class Brakeman::Report::JUnit < Brakeman::Report::Base
       warning.add_attribute 'brakeman:file', warning_file(w)
       warning.add_attribute 'brakeman:line', w.line
       warning.add_attribute 'brakeman:fingerprint', w.fingerprint
-      warning.add_attribute 'brakeman:confidence', TEXT_CONFIDENCE[w.confidence]
+      warning.add_attribute 'brakeman:confidence', w.confidence_name
       warning.add_attribute 'brakeman:code', w.format_code
       warning.add_text w.to_s
     }
@@ -88,7 +88,7 @@ class Brakeman::Report::JUnit < Brakeman::Report::Base
           failure.add_attribute 'brakeman:fingerprint', warning.fingerprint
           failure.add_attribute 'brakeman:file', warning_file(warning)
           failure.add_attribute 'brakeman:line', warning.line
-          failure.add_attribute 'brakeman:confidence', TEXT_CONFIDENCE[warning.confidence]
+          failure.add_attribute 'brakeman:confidence', warning.confidence_name
           failure.add_attribute 'brakeman:code', warning.format_code
           failure.add_text warning.to_s
         }

data/lib/brakeman/report/report_sarif.rb CHANGED Viewed

@@ -27,7 +27,7 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
   def rules
     @rules ||= unique_warnings_by_warning_code.map do |warning|
       rule_id = render_id warning
-      check_name = warning.check.gsub(/^Brakeman::Check/, '')
+      check_name = warning.check_name
       check_description = render_message check_descriptions[check_name]
       {
         :id => rule_id,

data/lib/brakeman/report/report_sonar.rb ADDED Viewed

@@ -0,0 +1,38 @@
+class Brakeman::Report::Sonar < Brakeman::Report::Base
+  def generate_report
+    report_object = {
+      issues: all_warnings.map { |warning| issue_json(warning) }
+    }
+    return JSON.pretty_generate report_object
+  end
+  private
+  def issue_json(warning)
+    {
+      engineId: "Brakeman",
+      ruleId: warning.warning_code,
+      type: "VULNERABILITY",
+      severity: severity_level_for(warning.confidence),
+      primaryLocation: {
+        message: warning.message,
+        filePath: warning.file.relative,
+        textRange: {
+          "startLine": warning.line || 1,
+          "endLine": warning.line || 1,
+        }
+      },
+      effortMinutes: (4 - warning.confidence) * 15
+    }
+  end
+  def severity_level_for(confidence)
+    if confidence == 0
+      "CRITICAL"
+    elsif confidence == 1
+      "MAJOR"
+    else
+      "MINOR"
+    end
+  end
+end

data/lib/brakeman/report/report_tabs.rb CHANGED Viewed

@@ -10,7 +10,7 @@ class Brakeman::Report::Tabs < Brakeman::Report::Table
       self.send(meth).map do |w|
         line = w.line || 0
         w.warning_type.gsub!(/[^\w\s]/, ' ')
-        "#{(w.file.absolute)}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{TEXT_CONFIDENCE[w.confidence]}"
+        "#{(w.file.absolute)}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{w.confidence_name}"
       end.join "\n"
     end.join "\n"

data/lib/brakeman/report/report_text.rb CHANGED Viewed

@@ -160,7 +160,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
     when :category
       label('Category', w.warning_type.to_s)
     when :check
-      label('Check', w.check.gsub(/^Brakeman::Check/, ''))
+      label('Check', w.check_name)
     when :message
       label('Message', w.message)
     when :code