RubyGems - brakeman - Versions diffs - 4.5.1 → 4.6.0 - Mend

@@ -27,7 +27,7 @@ class Brakeman::CallIndex
     if options[:chained]
       return find_chain options
     #Find by narrowest category
-    elsif target and method and target.is_a? Array and method.is_a? Array
+    elsif target.is_a? Array and method.is_a? Array
       if target.length > method.length
         calls = filter_by_target calls_by_methods(method), target
       else
@@ -35,6 +35,12 @@ class Brakeman::CallIndex
         calls = filter_by_method calls, method
       end
+    elsif target.is_a? Regexp and method
+      calls = filter_by_target(calls_by_method(method), target)
+    elsif method.is_a? Regexp and target
+      calls = filter_by_method(calls_by_target(target), method)
     #Find by target, then by methods, if provided
     elsif target
       calls = calls_by_target target
@@ -85,6 +91,16 @@ class Brakeman::CallIndex
     end
   end
+  def remove_indexes_by_file file
+    [@calls_by_method, @calls_by_target].each do |calls_by|
+      calls_by.each do |_name, calls|
+        calls.delete_if do |call|
+          call[:location][:file] == file
+        end
+      end
+    end
+  end
   def index_calls calls
     calls.each do |call|
       @calls_by_method[call[:method]] ||= []
@@ -116,8 +132,11 @@ class Brakeman::CallIndex
   end
   def calls_by_target target
-    if target.is_a? Array
+    case target
+    when Array
       calls_by_targets target
+    when Regexp
+      calls_by_targets_regex target
     else
       @calls_by_target[target] || []
     end
@@ -133,10 +152,24 @@ class Brakeman::CallIndex
     calls
   end
+  def calls_by_targets_regex targets_regex
+    calls = []
+    @calls_by_target.each do |key, value|
+      case key
+      when String, Symbol
+        calls.concat value if key.match targets_regex
+      end
+    end
+    calls
+  end
   def calls_by_method method
-    if method.is_a? Array
+    case method
+    when Array
       calls_by_methods method
-    elsif method.is_a? Regexp
+    when Regexp
       calls_by_methods_regex method
     else
       @calls_by_method[method.to_sym] || []
@@ -156,26 +189,28 @@ class Brakeman::CallIndex
   def calls_by_methods_regex methods_regex
     calls = []
     @calls_by_method.each do |key, value|
-      calls.concat value if key.to_s.match methods_regex
+      calls.concat value if key.match methods_regex
     end
-    calls
-  end
-  def calls_with_no_target
-    @calls_by_target[nil]
+    calls
   end
   def filter calls, key, value
-    if value.is_a? Array
+    case value
+    when Array
       values = Set.new value
       calls.select do |call|
         values.include? call[key]
       end
-    elsif value.is_a? Regexp
+    when Regexp
       calls.select do |call|
-        call[key].to_s.match value
+        case call[key]
+        when String, Symbol
+          call[key].match value
+        end
       end
     else
       calls.select do |call|
@@ -197,15 +232,19 @@ class Brakeman::CallIndex
   end
   def filter_by_chain calls, target
-    if target.is_a? Array
+    case target
+    when Array
       targets = Set.new target
       calls.select do |call|
         targets.include? call[:chain].first
       end
-    elsif target.is_a? Regexp
+    when Regexp
       calls.select do |call|
-        call[:chain].first.to_s.match target
+        case call[:chain].first
+        when String, Symbol
+          call[:chain].first.match target
+        end
       end
     else
       calls.select do |call|

data/lib/brakeman/checks/base_check.rb CHANGED

@@ -44,19 +44,9 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   end
   #Add result to result list, which is used to check for duplicates
-  def add_result result, location = nil
-    location ||= (@current_template && @current_template.name) || @current_class || @current_module || @current_set || result[:location][:class] || result[:location][:template]
-    location = location[:name] if location.is_a? Hash
-    location = location.name if location.is_a? Brakeman::Collection
-    location = location.to_sym
-    if result.is_a? Hash
-      line = result[:call].original_line || result[:call].line
-    elsif sexp? result
-      line = result.original_line || result.line
-    else
-      raise ArgumentError
-    end
+  def add_result result
+    location = get_location result
+    location, line = get_location result
     @results << [line, location, result]
   end
@@ -170,8 +160,9 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       @mass_assign_disabled = true
     else
       #Check for ActiveRecord::Base.send(:attr_accessible, nil)
-      tracker.check_initializers(:"ActiveRecord::Base", :attr_accessible).each do |result|
-        call = result.call
+      tracker.find_call(target: :"ActiveRecord::Base", method: :attr_accessible).each do |result|
+        call = result[:call]
         if call? call
           if call.first_arg == Sexp.new(:nil)
             @mass_assign_disabled = true
@@ -180,26 +171,12 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
         end
       end
-      unless @mass_assign_disabled
-        tracker.check_initializers(:"ActiveRecord::Base", :send).each do |result|
-          call = result.call
-          if call? call
-            if call.first_arg == Sexp.new(:lit, :attr_accessible) and call.second_arg == Sexp.new(:nil)
-              @mass_assign_disabled = true
-              break
-            end
-          end
-        end
-      end
       unless @mass_assign_disabled
         #Check for
         #  class ActiveRecord::Base
         #    attr_accessible nil
         #  end
-        matches = tracker.check_initializers([], :attr_accessible)
-        matches.each do |result|
+        tracker.check_initializers([], :attr_accessible).each do |result|
           if result.module == "ActiveRecord" and result.result_class == :Base
             arg = result.call.first_arg
@@ -227,10 +204,8 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       end
       unless @mass_assign_disabled
-        matches = tracker.check_initializers(:"ActiveRecord::Base", [:send, :include])
-        matches.each do |result|
-          call = result.call
+        tracker.find_call(target: :"ActiveRecord::Base", method: [:send, :include]).each do |result|
+          call = result[:call]
           if call? call and (call.first_arg == forbidden_protection or call.second_arg == forbidden_protection)
             @mass_assign_disabled = true
           end
@@ -250,6 +225,22 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   #This is to avoid reporting duplicates. Checks if the result has been
   #reported already from the same line number.
   def duplicate? result, location = nil
+    location, line = get_location result
+    @results.each do |r|
+      if r[0] == line and r[1] == location
+        if tracker.options[:combine_locations]
+          return true
+        elsif r[2] == result
+          return true
+        end
+      end
+    end
+    false
+  end
+  def get_location result
     if result.is_a? Hash
       line = result[:call].original_line || result[:call].line
     elsif sexp? result
@@ -258,23 +249,13 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       raise ArgumentError
     end
-    location ||= (@current_template && @current_template.name) || @current_class || @current_module || @current_set || result[:location][:class] || result[:location][:template]
+    location ||= (@current_template && @current_template.name) || @current_class || @current_module || @current_set || result[:location][:class] || result[:location][:template] || result[:location][:file].to_s
     location = location[:name] if location.is_a? Hash
     location = location.name if location.is_a? Brakeman::Collection
     location = location.to_sym
-    @results.each do |r|
-      if r[0] == line and r[1] == location
-        if tracker.options[:combine_locations]
-          return true
-        elsif r[2] == result
-          return true
-        end
-      end
-    end
-    false
+    return location, line
   end
   #Checks if an expression contains string interpolation.

data/lib/brakeman/checks/check_cookie_serialization.rb ADDED

@@ -0,0 +1,22 @@
+require 'brakeman/checks/base_check'
+class Brakeman::CheckCookieSerialization < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+  @description = "Check for use of Marshal for cookie serialization"
+  def run_check
+    tracker.find_call(target: :'Rails.application.config.action_dispatch', method: :cookies_serializer=).each do |result|
+      setting = result[:call].first_arg
+      if symbol? setting and setting.value == :marshal or setting.value == :hybrid
+        warn :result => result,
+          :warning_type => "Remote Code Execution",
+          :warning_code => :unsafe_cookie_serialization,
+          :message => msg("Use of unsafe cookie serialization strategy ", msg_code(setting.value.inspect), " might lead to remote code execution"),
+          :confidence => :medium,
+          :link_path => "unsafe_deserialization"
+      end
+    end
+  end
+end