brakeman 4.10.1 → 5.0.0.pre1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1266c840ed2a8f9b6e44686cba353eb6f75eb8d4ec87c7bbdcc56d81785b9227
-  data.tar.gz: a0ed358121968434f3289b25685970d338d72f1d1f97b0c27103a81a9792cb16
+  metadata.gz: 83005dc6f5d262579ddf2d249af33cc9ec446e5d187809b1ff2ebe2f99f71ad3
+  data.tar.gz: 899b9f1c9594ce43c9b638e53f948750bb04a3443c0db56254027de09c59203a
 SHA512:
-  metadata.gz: 22f064e0f38f304c3d9a18e0c7d36999b7161f9e33ff5c5cd4bca669d19b331e0f92651eb238faf1fd58de66c14da166d7de89353913d806d970f77eb87fa992
-  data.tar.gz: 4345e389eb3f592139f32cf70b8d618fcb8695cee9f4a8398fdaa636ac5e9be7b2b0ebe6667810f5cd0667f33898effcd9fbf8beac36f48883da73b68fa7c76f
+  metadata.gz: 1dea78840076e27bf0577b6f81bdc7b28a5a19eea2ce4d1672c318ddaa158f68b49310f5a9df4a6a4ab68d8d15f18fbd8089b1cd9392f5404c82db9111a78c1c
+  data.tar.gz: b7a122f95a49b36470308cf13675536ed7d86af98bbc37a433ada47d5cca68a7dba376fc470308862b2457c4223e8af85b9fafcbe60b16cfa61774b3ff1f9c9e

data/CHANGES.md

@@ -1,10 +1,12 @@
-# 4.10.1 - 2020-12-24
-
-* Declare REXML as a dependency (Ruby 3.0 compatibility)
-* Use `Sexp#sexp_body` instead of `Sexp#[..]` (Ruby 3.0 compatibility)
-* Prevent render loops when template names are absolute paths
-* Ensure RubyParser is passed file path as a String
-* Support new Haml 5.2.0 escaping method
+# 5.0.0.pre1 - 2020-11-17
+
+* Add check for (more) unsafe method reflection
+* Suggest using `--force` if no Rails application is detected
+* Add Sonarqube report format (Adam England)
+* Add check for potential HTTP verb confusion
+* Add `--[no-]skip-vendor` option
+* Scan (almost) all Ruby files in project
+* Add support for Haml 5.2.0
 
 # 4.10.0 - 2020-09-28
 

data/README.md

@@ -76,7 +76,7 @@ To specify an output file for the results:
 
     brakeman -o output_file
 
-The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `junit`, `markdown`, `csv`, and `codeclimate`.
+The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `junit`, `markdown`, `csv`, `codeclimate`, and `sonar`.
 
 Multiple output files can be specified:
 

data/bundle/load.rb

@@ -1,15 +1,14 @@
 path = File.expand_path('../..', __FILE__)
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/erubis-2.7.0/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/tilt-2.0.10/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/temple-0.8.2/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/safe_yaml-1.0.5/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/unicode-display_width-1.7.0/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/sexp_processor-4.15.1/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/tilt-2.0.10/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/slim-4.1.0/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/sexp_processor-4.15.1/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby_parser-legacy-1.0.0/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/terminal-table-1.8.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/highline-2.0.3/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby2ruby-2.4.4/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/terminal-table-1.8.0/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby_parser-legacy-1.0.0/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/erubis-2.7.0/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/haml-5.2.1/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/safe_yaml-1.0.5/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/haml-5.2.0/lib"

data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/CHANGELOG.md

@@ -1,16 +1,9 @@
 # Haml Changelog
 
-## 5.2.1
-
-Released on November 30, 2020
-([diff](https://github.com/haml/haml/compare/v5.2.0...v5.2.1)).
-
-* Add in improved "multiline" support for attributes [#1043](https://github.com/haml/haml/issues/1043)
-
 ## 5.2
 
 Released on September 28, 2020
-([diff](https://github.com/haml/haml/compare/v5.1.2...v5.2.0)).
+([diff](https://github.com/haml/haml/compare/v5.1.2...v5.2)).
 
 * Fix crash in the attribute optimizer when `#inspect` is overridden in TrueClass / FalseClass [#972](https://github.com/haml/haml/issues/972)
 * Do not HTML-escape templates that are declared to be plaintext [#1014](https://github.com/haml/haml/issues/1014) (Thanks [@cesarizu](https://github.com/cesarizu))

data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/REFERENCE.md

@@ -228,19 +228,15 @@ is compiled to:
     <html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'></html>
 
 Attribute hashes can also be stretched out over multiple lines to accommodate
-many attributes.
+many attributes. However, newlines may only be placed immediately after commas.
+For example:
 
-    %script{
-      "type": text/javascript",
-      "src": javascripts/script_#{2 + 7}",
-      "data": {
-        "controller": "reporter",
-      },
-    }
+    %script{:type => "text/javascript",
+            :src  => "javascripts/script_#{2 + 7}"}
 
 is compiled to:
 
-    <script src='javascripts/script_9' type='text/javascript' data-controller='reporter'></script>
+    <script src='javascripts/script_9' type='text/javascript'></script>
 
 #### `:class` and `:id` Attributes {#class-and-id-attributes}
 

data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/haml.gemspec

@@ -32,7 +32,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'rbench'
   spec.add_development_dependency 'minitest', '>= 4.0'
   spec.add_development_dependency 'nokogiri'
-  spec.add_development_dependency 'simplecov'
+  spec.add_development_dependency 'simplecov', '0.17.1' # Locked to this version due to https://github.com/codeclimate/test-reporter/issues/418
 
   spec.description = <<-END
 Haml (HTML Abstraction Markup Language) is a layer on top of HTML or XML that's

data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/parser.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require 'ripper'
 require 'strscan'
 
 module Haml
@@ -91,9 +90,6 @@ module Haml
     ID_KEY    = 'id'.freeze
     CLASS_KEY = 'class'.freeze
 
-    # Used for scanning old attributes, substituting the first '{'
-    METHOD_CALL_PREFIX = 'a('
-
     def initialize(options)
       @options = Options.wrap(options)
       # Record the indent levels of "if" statements to validate the subsequent
@@ -655,18 +651,13 @@ module Haml
     # @return [String] rest
     # @return [Integer] last_line
     def parse_old_attributes(text)
+      text = text.dup
       last_line = @line.index + 1
 
       begin
-        # Old attributes often look like a valid Hash literal, but it sometimes allow code like
-        # `{ hash, foo: bar }`, which is compiled to `_hamlout.attributes({}, nil, hash, foo: bar)`.
-        #
-        # To scan such code correctly, this scans `a( hash, foo: bar }` instead, stops when there is
-        # 1 more :on_embexpr_end (the last '}') than :on_embexpr_beg, and resurrects '{' afterwards.
-        balanced, rest = balance_tokens(text.sub(?{, METHOD_CALL_PREFIX), :on_embexpr_beg, :on_embexpr_end, count: 1)
-        attributes_hash = balanced.sub(METHOD_CALL_PREFIX, ?{)
+        attributes_hash, rest = balance(text, ?{, ?})
       rescue SyntaxError => e
-        if e.message == Error.message(:unbalanced_brackets) && !@template.empty?
+        if text.strip[-1] == ?, && e.message == Error.message(:unbalanced_brackets)
           text << "\n#{@next_line.text}"
           last_line += 1
           next_line
@@ -820,25 +811,6 @@ module Haml
       Haml::Util.balance(*args) or raise(SyntaxError.new(Error.message(:unbalanced_brackets)))
     end
 
-    # Unlike #balance, this balances Ripper tokens to balance something like `{ a: "}" }` correctly.
-    def balance_tokens(buf, start, finish, count: 0)
-      text = ''.dup
-      Ripper.lex(buf).each do |_, token, str|
-        text << str
-        case token
-        when start
-          count += 1
-        when finish
-          count -= 1
-        end
-
-        if count == 0
-          return text, buf.sub(text, '')
-        end
-      end
-      raise SyntaxError.new(Error.message(:unbalanced_brackets))
-    end
-
     def block_opened?
       @next_line.tabs > @line.tabs
     end

data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/util.rb

@@ -213,7 +213,7 @@ MSG
             scan.scan(/\w+/)
           end
           content = eval("\"#{interpolated}\"")
-          content = "#{char}#{content}" if char == '@' || char == '$'
+          content.prepend(char) if char == '@' || char == '$'
           content = "Haml::Helpers.html_escape((#{content}))" if escape_html
 
           res << "\#{#{content}}"

data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Haml
-  VERSION = "5.2.1"
+  VERSION = "5.2.0"
 end

data/lib/brakeman.rb

@@ -66,6 +66,7 @@ module Brakeman
   #  * :run_checks - array of checks to run (run all if not specified)
   #  * :safe_methods - array of methods to consider safe
   #  * :skip_libs - do not process lib/ directory (default: false)
+  #  * :skip_vendor - do not process vendor/ directory (default: true)
   #  * :skip_checks - checks not to run (run all if not specified)
   #  * :absolute_paths - show absolute path of each file (default: false)
   #  * :summary_only - only output summary section of report for plain/table (:summary_only, :no_summary, true)
@@ -191,6 +192,7 @@ module Brakeman
       :report_progress => true,
       :safe_methods => Set.new,
       :skip_checks => Set.new,
+      :skip_vendor => true,
     }
   end
 
@@ -239,6 +241,8 @@ module Brakeman
       [:to_junit]
     when :sarif, :to_sarif
       [:to_sarif]
+    when :sonar, :to_sonar
+      [:to_sonar]
     else
       [:to_text]
     end
@@ -270,6 +274,8 @@ module Brakeman
         :to_junit
       when /\.sarif$/i
         :to_sarif
+      when /\.sonar$/i
+        :to_sonar
       else
         :to_text
       end

data/lib/brakeman/app_tree.rb

@@ -21,6 +21,7 @@ module Brakeman
       end
       init_options[:additional_libs_path] = options[:additional_libs_path]
       init_options[:engine_paths] = options[:engine_paths]
+      init_options[:skip_vendor] = options[:skip_vendor]
       new(root, init_options)
     end
 
@@ -62,6 +63,7 @@ module Brakeman
       @engine_paths = init_options[:engine_paths] || []
       @absolute_engine_paths = @engine_paths.select { |path| path.start_with?(File::SEPARATOR) }
       @relative_engine_paths = @engine_paths - @absolute_engine_paths
+      @skip_vendor = init_options[:skip_vendor]
       @gemspec = nil
       @root_search_pattern = nil
     end
@@ -96,6 +98,10 @@ module Brakeman
       end
     end
 
+    def ruby_file_paths
+      find_paths(".").uniq
+    end
+
     def initializer_paths
       @initializer_paths ||= prioritize_concerns(find_paths("config/initializers"))
     end
@@ -109,8 +115,8 @@ module Brakeman
     end
 
     def template_paths
-      @template_paths ||= find_paths("app/**/views", "*.{#{VIEW_EXTENSIONS}}") +
-                          find_paths("app/**/views", "*.{erb,haml,slim}").reject { |path| File.basename(path).count(".") > 1 }
+      @template_paths ||= find_paths(".", "*.{#{VIEW_EXTENSIONS}}") +
+        find_paths("**", "*.{erb,haml,slim}").reject { |path| File.basename(path).count(".") > 1 }
     end
 
     def layout_exists?(name)
@@ -163,7 +169,8 @@ module Brakeman
     def select_files(paths)
       paths = select_only_files(paths)
       paths = reject_skipped_files(paths)
-      convert_to_file_paths(paths)
+      paths = convert_to_file_paths(paths)
+      reject_global_excludes(paths)
     end
 
     def select_only_files(paths)
@@ -182,6 +189,32 @@ module Brakeman
       end
     end
 
+    EXCLUDED_PATHS = %w[
+      /generators/
+      lib/tasks/
+      lib/templates/
+      db/
+      spec/
+      test/
+      tmp/
+      public/
+      log/
+    ]
+
+    def reject_global_excludes(paths)
+      paths.reject do |path|
+        relative_path = path.relative
+
+        if @skip_vendor and relative_path.include? 'vendor/'
+          true
+        else
+          EXCLUDED_PATHS.any? do |excluded|
+            relative_path.include? excluded
+          end
+        end
+      end
+    end
+
     def match_path files, path
       absolute_path = Pathname.new(path)
       # relative root never has a leading separator. But, we use a leading

data/lib/brakeman/checks/check_execute.rb

@@ -208,7 +208,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
       if node_type? e, :if
         # If we're in a conditional, evaluate the `then` and `else` clauses to
         # see if they're dangerous.
-        if res = dangerous?(e.sexp_body.sexp_body)
+        if res = dangerous?(e.values[1..-1])
           return res
         end
       elsif node_type? e, :or, :evstr, :dstr

data/lib/brakeman/checks/check_regex_dos.rb

@@ -29,7 +29,7 @@ class Brakeman::CheckRegexDoS < Brakeman::BaseCheck
     return unless original? result
 
     call = result[:call]
-    components = call.sexp_body
+    components = call[1..-1]
 
     components.any? do |component|
       next unless sexp? component

data/lib/brakeman/checks/check_unsafe_reflection_methods.rb

@@ -0,0 +1,68 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckUnsafeReflectionMethods < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for unsafe reflection to access methods"
+
+  def run_check
+    check_method
+    check_tap
+    check_to_proc
+  end
+
+  def check_method
+    tracker.find_call(method: :method, nested: true).each do |result|
+      argument = result[:call].first_arg
+
+      if user_input = include_user_input?(argument)
+        warn_unsafe_reflection(result, user_input)
+      end
+    end
+  end
+
+  def check_tap
+    tracker.find_call(method: :tap, nested: true).each do |result|
+      argument = result[:call].first_arg
+
+      # Argument is passed like a.tap(&argument)
+      if node_type? argument, :block_pass
+        argument = argument.value
+      end
+
+      if user_input = include_user_input?(argument)
+        warn_unsafe_reflection(result, user_input)
+      end
+    end
+  end
+
+  def check_to_proc
+    tracker.find_call(method: :to_proc, nested: true).each do |result|
+      target = result[:call].target
+
+      if user_input = include_user_input?(target)
+        warn_unsafe_reflection(result, user_input)
+      end
+    end
+  end
+
+  def warn_unsafe_reflection result, input
+    return unless original? result
+    method = result[:call].method
+
+    confidence = if input.type == :params
+      :high
+    else
+      :medium
+    end
+
+    message = msg("Unsafe reflection method ", msg_code(method), " called with ", msg_input(input))
+
+    warn :result => result,
+      :warning_type => "Remote Code Execution",
+      :warning_code => :unsafe_method_reflection,
+      :message => message,
+      :user_input => input,
+      :confidence => confidence
+  end
+end