brakeman 4.7.2 → 4.9.1

data/bundle/ruby/{2.6.0/gems/unicode-display_width-1.6.0 → 2.7.0/gems/unicode-display_width-1.7.0}/lib/unicode/display_width.rb

@@ -19,7 +19,7 @@ module Unicode
         total_width + (overwrite[codepoint] || width || 1)
       }
 
-      res -= emoji_extra_width_of(string) if options[:emoji]
+      res -= emoji_extra_width_of(string, ambiguous, overwrite) if options[:emoji]
       res < 0 ? 0 : res
     end
 

data/bundle/ruby/{2.6.0/gems/unicode-display_width-1.6.0 → 2.7.0/gems/unicode-display_width-1.7.0}/lib/unicode/display_width/constants.rb

@@ -1,7 +1,7 @@
 module Unicode
   module DisplayWidth
-    VERSION = '1.6.0'
-    UNICODE_VERSION = "12.1.0".freeze
+    VERSION = '1.7.0'
+    UNICODE_VERSION = "13.0.0".freeze
     DATA_DIRECTORY = File.expand_path(File.dirname(__FILE__) + '/../../../data/').freeze
     INDEX_FILENAME = (DATA_DIRECTORY + '/display_width.marshal.gz').freeze
   end

data/lib/brakeman.rb

@@ -20,6 +20,10 @@ module Brakeman
   #option is set
   Errors_Found_Exit_Code = 7
 
+  #Exit code returned when an ignored warning has no note and
+  #--ensure-ignore-notes is set
+  Empty_Ignore_Note_Exit_Code = 8
+
   @debug = false
   @quiet = false
   @loaded_dependencies = []
@@ -231,6 +235,8 @@ module Brakeman
       [:to_text]
     when :table, :to_table
       [:to_table]
+    when :junit, :to_junit
+      [:to_junit]
     else
       [:to_text]
     end
@@ -258,6 +264,8 @@ module Brakeman
         :to_text
       when /\.table$/i
         :to_table
+      when /\.junit$/i
+        :to_junit
       else
         :to_text
       end
@@ -494,6 +502,18 @@ module Brakeman
     end
   end
 
+  # Returns an array of alert fingerprints for any ignored warnings without
+  # notes found in the specified ignore file (if it exists).
+  def self.ignore_file_entries_with_empty_notes file
+    return [] unless file
+
+    require 'brakeman/report/ignore/config'
+
+    config = IgnoreConfig.new(file, nil)
+    config.read_from_file
+    config.already_ignored_entries_with_empty_notes.map { |i| i[:fingerprint] }
+  end
+
   def self.filter_warnings tracker, options
     require 'brakeman/report/ignore/config'
 

data/lib/brakeman/checks/base_check.rb

@@ -280,15 +280,6 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     return location, line
   end
 
-  #Checks if an expression contains string interpolation.
-  #
-  #Returns Match with :interp type if found.
-  def include_interp? exp
-    @string_interp = false
-    process exp
-    @string_interp
-  end
-
   #Checks if _exp_ includes user input in the form of cookies, parameters,
   #request environment, or model attributes.
   #
@@ -476,7 +467,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   end
 
   def gemfile_or_environment gem_name = :rails
-    if gem_name and info = tracker.config.get_gem(gem_name)
+    if gem_name and info = tracker.config.get_gem(gem_name.to_sym)
       info
     elsif @app_tree.exists?("Gemfile")
       @app_tree.file_path "Gemfile"
@@ -504,4 +495,16 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
 
     @active_record_models
   end
+
+  STRING_METHODS = Set[:<<, :+, :concat, :prepend]
+  private_constant :STRING_METHODS
+
+  def string_building? exp
+    return false unless call? exp and STRING_METHODS.include? exp.method
+
+    node_type? exp.target, :str, :dstr or
+    node_type? exp.first_arg, :str, :dstr or
+    string_building? exp.target or
+    string_building? exp.first_arg
+  end
 end

data/lib/brakeman/checks/check_basic_auth.rb

@@ -57,6 +57,8 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
 
   # Check if the block of a result contains a comparison of password to string
   def include_password_literal? result
+    return false if result[:block_args].nil?
+
     @password_var = result[:block_args].last
     @include_password = false
     process result[:block]

data/lib/brakeman/checks/check_content_tag.rb

@@ -55,8 +55,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
 
     @current_file = result[:location][:file]
 
-    call = result[:call] = result[:call].dup
-
+    call = result[:call]
     args = call.arglist
 
     tag_name = args[1]

data/lib/brakeman/checks/check_csrf_token_forgery_cve.rb

@@ -0,0 +1,28 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckCSRFTokenForgeryCVE < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for versions with CSRF token forgery vulnerability (CVE-2020-8166)"
+
+  def run_check
+    fix_version = case
+      when version_between?('0.0.0', '5.2.4.2')
+        '5.2.4.3'
+      when version_between?('6.0.0', '6.0.3')
+        '6.0.3.1'
+      else
+        nil
+      end
+
+    if fix_version
+      warn :warning_type => "Cross-Site Request Forgery",
+        :warning_code => :CVE_2020_8166,
+        :message => msg(msg_version(rails_version), " has a vulnerability that may allow CSRF token forgery. Upgrade to ", msg_version(fix_version), " or patch"),
+        :confidence => :medium,
+        :gem_info => gemfile_or_environment,
+        :link => "https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw"
+    end
+  end
+end
+

data/lib/brakeman/checks/check_deserialize.rb

@@ -13,7 +13,23 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
   end
 
   def check_yaml
-    check_methods :YAML, :load, :load_documents, :load_stream, :parse_documents, :parse_stream
+    check_methods :YAML, :load_documents, :load_stream, :parse_documents, :parse_stream
+
+    # Check for safe_yaml gem use with YAML.load(..., safe: true)
+    if uses_safe_yaml?
+      tracker.find_call(target: :YAML, method: :load).each do |result|
+        call = result[:call]
+        options = call.second_arg
+
+        if hash? options and true? hash_access(options, :safe)
+          next
+        else
+          check_deserialize result, :YAML
+        end
+      end
+    else
+      check_methods :YAML, :load
+    end
   end
 
   def check_csv
@@ -102,4 +118,8 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
 
     false
   end
+
+  def uses_safe_yaml?
+    tracker.config.has_gem? :safe_yaml
+  end
 end

data/lib/brakeman/checks/check_execute.rb

@@ -56,8 +56,20 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
 
     case call.method
     when :popen
-      unless array? first_arg
-        failure = include_user_input?(args) || dangerous_interp?(args)
+      # Normally, if we're in a `popen` call, we only are worried about shell
+      # injection when the argument is not an array, because array elements
+      # are always escaped by Ruby. However, an exception is when the array
+      # contains two values are something like "bash -c" because then the third
+      # element is effectively the command being run and might be a malicious
+      # executable if it comes (partially or fully) from user input.
+      if !array?(first_arg)
+        failure = include_user_input?(first_arg) ||
+                  dangerous_interp?(first_arg) ||
+                  dangerous_string_building?(first_arg)
+      elsif dash_c_shell_command?(first_arg[1], first_arg[2])
+        failure = include_user_input?(first_arg[3]) ||
+                  dangerous_interp?(first_arg[3]) ||
+                  dangerous_string_building?(first_arg[3])
       end
     when :system, :exec
       # Normally, if we're in a `system` or `exec` call, we only are worried
@@ -67,12 +79,18 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
       # the third argument is effectively the command being run and might be
       # a malicious executable if it comes (partially or fully) from user input.
       if dash_c_shell_command?(first_arg, call.second_arg)
-        failure = include_user_input?(args[3]) || dangerous_interp?(args[3])
+        failure = include_user_input?(args[3]) ||
+                  dangerous_interp?(args[3]) ||
+                  dangerous_string_building?(args[3])
       else
-        failure = include_user_input?(first_arg) || dangerous_interp?(first_arg)
+        failure = include_user_input?(first_arg) ||
+                  dangerous_interp?(first_arg) ||
+                  dangerous_string_building?(first_arg)
       end
     else
-      failure = include_user_input?(args) || dangerous_interp?(args)
+      failure = include_user_input?(args) ||
+                dangerous_interp?(args) ||
+                dangerous_string_building?(args)
     end
 
     if failure and original? result
@@ -219,6 +237,23 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
     false
   end
 
+  #Checks if an expression contains string interpolation.
+  #
+  #Returns Match with :interp type if found.
+  def include_interp? exp
+    @string_interp = false
+    process exp
+    @string_interp
+  end
+
+  def dangerous_string_building? exp
+    if string_building?(exp) && res = dangerous?(exp)
+      return Match.new(:interp, res)
+    end
+
+    false
+  end
+
   def shell_escape? exp
     return false unless call? exp
 

data/lib/brakeman/checks/check_json_entity_escape.rb

@@ -0,0 +1,38 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckJSONEntityEscape < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Check if HTML escaping is disabled for JSON output"
+
+  def run_check
+    check_config_setting
+    check_manual_disable
+  end
+
+  def check_config_setting
+    if false? tracker.config.rails.dig(:active_support, :escape_html_entities_in_json)
+      warn :warning_type => "Cross-Site Scripting",
+        :warning_code => :json_html_escape_config,
+        :message => msg("HTML entities in JSON are not escaped by default"),
+        :confidence => :medium,
+        :file => "config/environments/production.rb",
+        :line => 1
+    end
+  end
+
+  def check_manual_disable
+    tracker.find_call(targets: [:ActiveSupport, :'ActiveSupport::JSON::Encoding'], method: :escape_html_entities_in_json=).each do |result|
+      setting = result[:call].first_arg
+
+      if false? setting
+        warn :result => result,
+          :warning_type => "Cross-Site Scripting",
+          :warning_code => :json_html_escape_module,
+          :message => msg("HTML entities in JSON are not escaped by default"),
+          :confidence => :medium,
+          :file => "config/environments/production.rb"
+      end
+    end
+  end
+end

data/lib/brakeman/checks/check_link_to.rb

@@ -34,7 +34,7 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
 
     #Have to make a copy of this, otherwise it will be changed to
     #an ignored method call by the code above.
-    call = result[:call] = result[:call].dup
+    call = result[:call]
 
     first_arg = call.first_arg
     second_arg = call.second_arg

data/lib/brakeman/checks/check_link_to_href.rb

@@ -30,9 +30,7 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
   end
 
   def process_result result
-    #Have to make a copy of this, otherwise it will be changed to
-    #an ignored method call by the code above.
-    call = result[:call] = result[:call].dup
+    call = result[:call]
     @matched = false
 
     url_arg = if result[:block]

data/lib/brakeman/checks/check_mass_assignment.rb

@@ -17,6 +17,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
   def run_check
     check_mass_assignment
     check_permit!
+    check_permit_all_parameters
   end
 
   def find_mass_assign_calls
@@ -159,12 +160,27 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
   # Look for and warn about uses of Parameters#permit! for mass assignment
   def check_permit!
     tracker.find_call(:method => :permit!, :nested => true).each do |result|
-      if params? result[:call].target and not result[:chain].include? :slice
-        warn_on_permit! result
+      if params? result[:call].target
+        unless inside_safe_method? result or calls_slice? result
+          warn_on_permit! result
+        end
       end
     end
   end
 
+  # Ignore blah_some_path(params.permit!)
+  def inside_safe_method? result
+    parent_call = result.dig(:parent, :call)
+
+    call? parent_call and
+      parent_call.method.match(/_path$/)
+  end
+
+  def calls_slice? result
+    result[:chain].include? :slice or
+      (result[:full_call] and result[:full_call][:chain].include? :slice)
+  end
+
   # Look for actual use of params in mass assignment to avoid
   # warning about uses of Parameters#permit! without any mass assignment
   # or when mass assignment is restricted by model instead.
@@ -190,7 +206,21 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
     warn :result => result,
       :warning_type => "Mass Assignment",
       :warning_code => :mass_assign_permit!,
-      :message => "Parameters should be whitelisted for mass assignment",
+      :message => msg('Specify exact keys allowed for mass assignment instead of using ', msg_code('permit!'), ' which allows any keys'),
       :confidence => confidence
   end
+
+  def check_permit_all_parameters
+    tracker.find_call(target: :"ActionController::Parameters", method: :permit_all_parameters=).each do |result|
+      call = result[:call]
+
+      if true? call.first_arg
+        warn :result => result,
+          :warning_type => "Mass Assignment",
+          :warning_code => :mass_assign_permit_all,
+          :message => msg('Mass assignment is globally enabled. Disable and specify exact keys using ', msg_code('params.permit'), ' instead'),
+          :confidence => :high
+      end
+    end
+  end
 end

data/lib/brakeman/checks/check_model_attr_accessible.rb

@@ -8,7 +8,7 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
-  @description = "Reports models which have dangerous attributes defined under the attr_accessible whitelist."
+  @description = "Reports models which have dangerous attributes defined via attr_accessible"
 
   SUSP_ATTRS = [
     [:admin, :high], # Very dangerous unless some Rails authorization used

data/lib/brakeman/checks/check_model_attributes.rb

@@ -8,7 +8,7 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
   @description = "Reports models which do not use attr_restricted and warns on models that use attr_protected"
 
   def run_check
-    return if mass_assign_disabled?
+    return if mass_assign_disabled? or tracker.config.has_gem?(:protected_attributes)
 
     #Roll warnings into one warning for all models
     if tracker.options[:collapse_mass_assignment]

data/lib/brakeman/checks/check_page_caching_cve.rb

@@ -0,0 +1,37 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckPageCachingCVE < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Check for page caching vulnerability (CVE-2020-8159)"
+
+  def run_check
+    gem_name = 'actionpack-page_caching'
+    gem_version = tracker.config.gem_version(gem_name.to_sym)
+    upgrade_version = '1.2.2'
+    cve = 'CVE-2020-8159'
+
+    return unless gem_version and version_between?('0.0.0', '1.2.1', gem_version)
+
+    message = msg("Directory traversal vulnerability in ", msg_version(gem_version, gem_name), " ", msg_cve(cve), ". Upgrade to ", msg_version(upgrade_version, gem_name))
+
+    if uses_caches_page?
+      confidence = :high
+    else
+      confidence = :weak
+    end
+
+    warn :warning_type => 'Directory Traversal',
+      :warning_code => :CVE_2020_8159,
+      :message => message,
+      :confidence => confidence,
+      :link_path => 'https://groups.google.com/d/msg/rubyonrails-security/CFRVkEytdP8/c5gmICECAgAJ',
+      :gem_info => gemfile_or_environment(gem_name)
+  end
+
+  def uses_caches_page?
+    tracker.controllers.any? do |name, controller|
+      controller.options.has_key? :caches_page
+    end
+  end
+end