brakeman 4.5.1 → 5.4.0

data/lib/brakeman/processors/controller_processor.rb

@@ -192,8 +192,8 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
 
     filter_name = ("fake_filter" + rand.to_s[/\d+$/]).to_sym
     args = exp.block_call.arglist
-    args.insert(1, Sexp.new(:lit, filter_name))
-    before_filter_call = make_call(nil, :before_filter, args)
+    args.insert(1, Sexp.new(:lit, filter_name).line(exp.line))
+    before_filter_call = make_call(nil, :before_filter, args).line(exp.line)
 
     if exp.block_args.length > 1
       block_variable = exp.block_args[1]
@@ -202,7 +202,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     end
 
     if node_type? exp.block, :block
-      block_inner = exp.block[1..-1]
+      block_inner = exp.block.sexp_body
     else
       block_inner = [exp.block]
     end
@@ -210,9 +210,9 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     #Build Sexp for filter method
     body = Sexp.new(:lasgn,
                     block_variable,
-                    Sexp.new(:call, Sexp.new(:const, @current_class.name), :new))
+                    Sexp.new(:call, Sexp.new(:const, @current_class.name).line(exp.line), :new).line(exp.line)).line(exp.line)
 
-    filter_method = Sexp.new(:defn, filter_name, Sexp.new(:args), body).concat(block_inner).line(exp.line)
+    filter_method = Sexp.new(:defn, filter_name, Sexp.new(:args).line(exp.line), body).concat(block_inner).line(exp.line)
 
     vis = @visibility
     @visibility = :private

data/lib/brakeman/processors/gem_processor.rb

@@ -6,6 +6,7 @@ class Brakeman::GemProcessor < Brakeman::BasicProcessor
   def initialize *args
     super
     @gem_name_version = /^\s*([-_+.A-Za-z0-9]+) \((\w(\.\w+)*)\)/
+    @ruby_version = /^\s+ruby (\d\.\d.\d+)/
   end
 
   def process_gems gem_files
@@ -29,6 +30,14 @@ class Brakeman::GemProcessor < Brakeman::BasicProcessor
     @tracker.config.set_rails_version
   end
 
+  # Known issue: Brakeman does not yet support `gem` calls with multiple
+  # "version requirements". Consider the following example from the ruby docs:
+  #
+  #     gem 'rake', '>= 1.1.a', '< 2'
+  #
+  # We are assuming that `second_arg` (eg. '>= 1.1.a') is the only requirement.
+  # Perhaps we should instantiate an array of `::Gem::Requirement`s or even a
+  # `::Gem::Dependency` and pass that to `Tracker::Config#add_gem`?
   def process_call exp
     if exp.target == nil
       if exp.method == :gem
@@ -51,8 +60,8 @@ class Brakeman::GemProcessor < Brakeman::BasicProcessor
         end
       end
     elsif @inside_gemspec and exp.method == :add_dependency
-      if string? exp.first_arg and string? exp.last_arg
-        @tracker.config.add_gem exp.first_arg.value, exp.last_arg.value, @gemspec, exp.line
+      if string? exp.first_arg and string? exp.second_arg
+        @tracker.config.add_gem exp.first_arg.value, exp.second_arg.value, @gemspec, exp.line
       end
     end
 
@@ -87,6 +96,8 @@ class Brakeman::GemProcessor < Brakeman::BasicProcessor
   def set_gem_version_and_file line, file, line_num
     if line =~ @gem_name_version
       @tracker.config.add_gem $1, $2, file, line_num
+    elsif line =~ @ruby_version
+      @tracker.config.set_ruby_version $1
     end
   end
 end

data/lib/brakeman/processors/haml_template_processor.rb

@@ -2,10 +2,13 @@ require 'brakeman/processors/template_processor'
 
 #Processes HAML templates.
 class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
-  HAML_FORMAT_METHOD = /format_script_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)/
+  HAMLOUT = s(:call, nil, :_hamlout)
+  HAML_BUFFER = s(:call, HAMLOUT, :buffer)
   HAML_HELPERS = s(:colon2, s(:const, :Haml), :Helpers)
+  HAML_HELPERS2 = s(:colon2, s(:colon3, :Haml), :Helpers)
   JAVASCRIPT_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Javascript)
   COFFEE_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Coffee)
+  ATTRIBUTE_BUILDER = s(:colon2, s(:colon3, :Haml), :AttributeBuilder)
 
   def initialize *args
     super
@@ -14,130 +17,46 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
 
   #Processes call, looking for template output
   def process_call exp
-    target = exp.target
-    if sexp? target
-      target = process target
+    exp = process_default exp
+
+    if buffer_append? exp
+      output = normalize_output(exp.first_arg)
+      res = get_pushed_value(output)
     end
 
-    method = exp.method
-
-    if (call? target and target.method == :_hamlout)
-      res = case method
-            when :adjust_tabs, :rstrip!, :attributes #Check attributes, maybe?
-              ignore
-            when :options, :buffer
-              exp
-            when :open_tag
-              process_call_args exp
-            else
-              arg = exp.first_arg
-
-              if arg
-                @inside_concat = true
-                exp.first_arg = process(arg)
-                out = normalize_output(exp.first_arg)
-                @inside_concat = false
-              else
-                raise "Empty _hamlout.#{method}()?"
-              end
-
-              if string? out
-                ignore
-              else
-                r = case method.to_s
-                    when "push_text"
-                      build_output_from_push_text(out)
-                    when HAML_FORMAT_METHOD
-                      if $4 == "true"
-                        if string_interp? out
-                          build_output_from_push_text(out, :escaped_output)
-                        else
-                          Sexp.new :format_escaped, out
-                        end
-                      else
-                        if string_interp? out
-                          build_output_from_push_text(out)
-                        else
-                          Sexp.new :format, out
-                        end
-                      end
-
-                    else
-                      raise "Unrecognized action on _hamlout: #{method}"
-                    end
-
-                @javascript = false
-                r
-              end
-            end
-
-      res.line(exp.line)
-      res
-
-      #_hamlout.buffer <<
-      #This seems to be used rarely, but directly appends args to output buffer.
-      #Has something to do with values of blocks?
-    elsif sexp? target and method == :<< and is_buffer_target? target
-      @inside_concat = true
-      exp.first_arg = process(exp.first_arg)
-      out = normalize_output(exp.first_arg)
-      @inside_concat = false
-
-      if out.node_type == :str #ignore plain strings
-        ignore
-      else
-        add_output out
-      end
-    elsif target == nil and method == :render
-      #Process call to render()
-      exp.arglist = process exp.arglist
-      make_render_in_view exp
-    elsif target == nil and method == :find_and_preserve and exp.first_arg
-      process exp.first_arg
-    elsif method == :render_with_options
-      if target == JAVASCRIPT_FILTER or target == COFFEE_FILTER
-        @javascript = true
-      end
+    res or exp
+  end
 
-      process exp.first_arg
-    else
-      exp.target = target
-      exp.arglist = process exp.arglist
-      exp
-    end
+  # _haml_out.buffer << ...
+  def buffer_append? exp
+    call? exp and
+      exp.target == HAML_BUFFER and
+      exp.method == :<<
+  end
+
+  PRESERVE_METHODS = [:find_and_preserve, :preserve]
+
+  def find_and_preserve? exp
+    call? exp and
+      PRESERVE_METHODS.include?(exp.method) and
+      exp.first_arg
   end
 
   #If inside an output stream, only return the final expression
   def process_block exp
     exp = exp.dup
     exp.shift
-    if @inside_concat
-      @inside_concat = false
-      exp[0..-2].each do |e|
-        process e
-      end
-      @inside_concat = true
-      process exp[-1]
-    else
-      exp.map! do |e|
-        res = process e
-        if res.empty?
-          nil
-        else
-          res
-        end
+
+    exp.map! do |e|
+      res = process e
+      if res.empty?
+        nil
+      else
+        res
       end
-      Sexp.new(:rlist).concat(exp).compact
     end
-  end
 
-  #Checks if the buffer is the target in a method call Sexp.
-  #TODO: Test this
-  def is_buffer_target? exp
-    exp.node_type == :call and
-    node_type? exp.target, :lvar and
-    exp.target.value == :_hamlout and
-    exp.method == :buffer
+    Sexp.new(:rlist).concat(exp).compact
   end
 
   #HAML likes to put interpolated values into _hamlout.push_text
@@ -158,7 +77,13 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     end
   end
 
-  #Gets outputs from values interpolated into _hamlout.push_text
+  ESCAPE_METHODS = [
+    :html_escape,
+    :html_escape_without_haml_xss,
+    :escape_once,
+    :escape_once_without_haml_xss
+  ]
+
   def get_pushed_value exp, default = :output
     return exp unless sexp? exp
 
@@ -173,24 +98,79 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
       exp
     when :str, :ignore, :output, :escaped_output
       exp
-    when :block, :rlist, :dstr
-      exp.map! { |e| get_pushed_value e }
+    when :block, :rlist
+      exp.map! { |e| get_pushed_value(e, default) }
+    when :dstr
+      build_output_from_push_text(exp, default)
     when :if
-      clauses = [get_pushed_value(exp.then_clause), get_pushed_value(exp.else_clause)].compact
+      clauses = [get_pushed_value(exp.then_clause, default), get_pushed_value(exp.else_clause, default)].compact
 
       if clauses.length > 1
-        s(:or, *clauses)
+        s(:or, *clauses).line(exp.line)
       else
         clauses.first
       end
-    else
-      if call? exp and exp.target == HAML_HELPERS and exp.method == :html_escape
-        add_escaped_output exp.first_arg
-      elsif @javascript and call? exp and (exp.method == :j or exp.method == :escape_javascript)
-        add_escaped_output exp.first_arg
+    when :call
+      if exp.method == :to_s or exp.method == :strip
+        get_pushed_value(exp.target, default)
+      elsif haml_helpers? exp.target and ESCAPE_METHODS.include? exp.method
+        get_pushed_value(exp.first_arg, :escaped_output)
+      elsif @javascript and (exp.method == :j or exp.method == :escape_javascript) # TODO: Remove - this is not safe
+        get_pushed_value(exp.first_arg, :escaped_output)
+      elsif find_and_preserve? exp or fix_textareas? exp
+        get_pushed_value(exp.first_arg, default)
+      elsif raw? exp
+        get_pushed_value(exp.first_arg, :output)
+      elsif hamlout_attributes? exp
+        ignore # ignore _hamlout.attributes calls
+      elsif exp.target.nil? and exp.method == :render
+        #Process call to render()
+        exp.arglist = process exp.arglist
+        make_render_in_view exp
+      elsif exp.method == :render_with_options
+        if exp.target == JAVASCRIPT_FILTER or exp.target == COFFEE_FILTER
+          @javascript = true
+        end
+
+        get_pushed_value(exp.first_arg, default)
+        @javascript = false
+      elsif haml_attribute_builder? exp
+        ignore # probably safe... seems escaped by default?
       else
         add_output exp, default
       end
+    else
+      add_output exp, default
     end
   end
+
+  def haml_helpers? exp
+    # Sometimes its Haml::Helpers and
+    # sometimes its ::Haml::Helpers
+    exp == HAML_HELPERS or
+      exp == HAML_HELPERS2
+  end
+
+  def hamlout_attributes? exp
+    call? exp and
+      exp.target == HAMLOUT and
+      exp.method == :attributes
+  end
+
+  def haml_attribute_builder? exp
+    call? exp and
+      exp.target == ATTRIBUTE_BUILDER and
+      exp.method == :build
+  end
+
+  def fix_textareas? exp
+    call? exp and
+      exp.target == HAMLOUT and
+      exp.method == :fix_textareas! 
+  end
+
+  def raw? exp
+    call? exp and
+      exp.method == :raw
+  end
 end

data/lib/brakeman/processors/lib/call_conversion_helper.rb

@@ -1,16 +1,10 @@
 module Brakeman
   module CallConversionHelper
-    def all_literals? exp, expected_type = :array
-      node_type? exp, expected_type and
-        exp.length > 1 and
-        exp.all? { |e| e.is_a? Symbol or node_type? e, :lit, :str }
-    end
-
     # Join two array literals into one.
     def join_arrays lhs, rhs, original_exp = nil
       if array? lhs and array? rhs
         result = Sexp.new(:array)
-        result.line(lhs.line || rhs.line)
+        result.line(lhs.line || rhs.line || 1)
         result.concat lhs[1..-1]
         result.concat rhs[1..-1]
         result
@@ -19,16 +13,17 @@ module Brakeman
       end
     end
 
+    STRING_LENGTH_LIMIT = 50
+
     # Join two string literals into one.
     def join_strings lhs, rhs, original_exp = nil
       if string? lhs and string? rhs
-        result = Sexp.new(:str).line(lhs.line)
-        result.value = lhs.value + rhs.value
-
-        if result.value.length > 50
+        if (lhs.value.length + rhs.value.length > STRING_LENGTH_LIMIT)
           # Avoid gigantic strings
           lhs
         else
+          result = Sexp.new(:str).line(lhs.line)
+          result.value = lhs.value + rhs.value
           result
         end
       elsif call? lhs and lhs.method == :+ and string? lhs.first_arg and string? rhs
@@ -75,6 +70,8 @@ module Brakeman
 
         #Have to do this because first element is :array and we have to skip it
         array[1..-1][index] or original_exp
+      elsif all_literals? array
+        safe_literal(array.line)
       else
         original_exp
       end
@@ -91,5 +88,15 @@ module Brakeman
         original_exp
       end
     end
+
+    # You must check the return value for `nil`s -
+    # which indicate a key could not be found.
+    def hash_values_at hash, keys
+      values = keys.map do |key|
+        process_hash_access hash, key
+      end
+
+      Sexp.new(:array).concat(values).line(hash.line)
+    end
   end
 end

data/lib/brakeman/processors/lib/file_type_detector.rb

@@ -0,0 +1,64 @@
+module Brakeman
+  class FileTypeDetector < BaseProcessor
+    def initialize
+      super(nil)
+      reset
+    end
+
+    def detect_type(file)
+      reset
+      process(file.ast)
+
+      if @file_type.nil?
+        @file_type = guess_from_path(file.path.relative)
+      end
+
+      @file_type || :libs
+    end
+
+    MODEL_CLASSES = [
+      :'ActiveRecord::Base',
+      :ApplicationRecord
+    ]
+
+    def process_class exp
+      name = class_name(exp.class_name)
+      parent = class_name(exp.parent_name)
+
+      if name.match(/Controller$/)
+        @file_type = :controllers
+        return exp
+      elsif MODEL_CLASSES.include? parent
+        @file_type = :models
+        return exp
+      end
+
+      super
+    end
+
+    def guess_from_path path
+      case
+      when path.include?('app/models')
+        :models
+      when path.include?('app/controllers')
+        :controllers
+      when path.include?('config/initializers')
+        :initializers
+      when path.include?('lib/')
+        :libs
+      when path.match?(%r{config/environments/(?!production\.rb)$})
+        :skip
+      when path.match?(%r{environments/production\.rb$})
+        :skip
+      when path.match?(%r{application\.rb$})
+        :skip
+      end
+    end
+
+    private
+
+    def reset
+      @file_type = nil
+    end
+  end
+end

data/lib/brakeman/processors/lib/find_all_calls.rb

@@ -5,9 +5,9 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
 
   def initialize tracker
     super
-    @current_class = nil
-    @current_method = nil
+
     @in_target = false
+    @processing_class = false
     @calls = []
     @cache = {}
   end
@@ -20,13 +20,37 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
     @current_template = opts[:template]
     @current_file = opts[:file]
     @current_call = nil
+    @full_call = nil
     process exp
   end
 
+  #For whatever reason, originally the indexing of calls
+  #was performed on individual method bodies (see process_defn).
+  #This method explicitly indexes all calls everywhere given any
+  #source.
+  def process_all_source exp, opts
+    @processing_class = true
+    process_source exp, opts
+  ensure
+    @processing_class = false
+  end
+
   #Process body of method
   def process_defn exp
-    return exp unless @current_method
-    process_all exp.body
+    return exp unless @current_method or @processing_class
+
+    # 'Normal' processing assumes the method name was given
+    # as an option to `process_source` but for `process_all_source`
+    # we don't want to do that.
+    if @current_method.nil?
+      @current_method = exp.method_name
+      process_all exp.body
+      @current_method = nil
+    else
+      process_all exp.body
+    end
+
+    exp
   end
 
   alias process_defs process_defn
@@ -37,7 +61,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
   end
 
   def process_call exp
-    @calls << create_call_hash(exp)
+    @calls << create_call_hash(exp).freeze
     exp
   end
 
@@ -49,6 +73,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
 
       call_hash[:block] = exp.block
       call_hash[:block_args] = exp.block_args
+      call_hash.freeze
 
       @calls << call_hash
 
@@ -65,7 +90,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
   #Calls to render() are converted to s(:render, ...) but we would
   #like them in the call cache still for speed
   def process_render exp
-    process exp.last if sexp? exp.last
+    process_all exp
 
     add_simple_call :render, exp
 
@@ -113,7 +138,8 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
                 :call => exp,
                 :nested => false,
                 :location => make_location,
-                :parent => @current_call }
+                :parent => @current_call,
+                :full_call => @full_call }.freeze
   end
 
   #Gets the target of a call as a Symbol
@@ -190,34 +216,48 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
   #Return info hash for a call Sexp
   def create_call_hash exp
     target = get_target exp.target
-
-    if call? target or node_type? target, :dxstr # need to index `` even if target of a call
-      already_in_target = @in_target
-      @in_target = true
-      process target
-      @in_target = already_in_target
-
-      target = get_target(target, :include_calls)
-    end
+    target_symbol = get_target(target, :include_calls)
 
     method = exp.method
 
     call_hash = {
-      :target => target,
+      :target => target_symbol,
       :method => method,
       :call => exp,
       :nested => @in_target,
       :chain => get_chain(exp),
       :location => make_location,
-      :parent => @current_call
+      :parent => @current_call,
+      :full_call => @full_call
     }
 
+    unless @in_target
+      @full_call = call_hash
+      call_hash[:full_call] = call_hash
+    end
+
+    # Process up the call chain
+    if call? target or node_type? target, :dxstr # need to index `` even if target of a call
+      already_in_target = @in_target
+      @in_target = true
+      process target
+      @in_target = already_in_target
+    end
+
+    # Process call arguments
+    # but add the current call as the 'parent'
+    # to any calls in the arguments
     old_parent = @current_call
     @current_call = call_hash
 
+    # Do not set @full_call when processing arguments
+    old_full_call = @full_call
+    @full_call = nil
+
     process_call_args exp
 
     @current_call = old_parent
+    @full_call = old_full_call
 
     call_hash
   end