RubyGems - brakeman - Versions diffs - 4.7.2 → 4.9.1 - Mend

brakeman 4.7.2 → 4.9.1

Files changed (400) hide show

data/lib/brakeman/checks/check_permit_attributes.rb CHANGED

@@ -3,7 +3,7 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckPermitAttributes < Brakeman::BaseCheck
   Brakeman::Checks.add self
-  @description = "Warn on potentially dangerous attributes whitelisted via permit"
+  @description = "Warn on potentially dangerous attributes allowed via permit"
   SUSPICIOUS_KEYS = {
     admin: :high,

data/lib/brakeman/checks/check_skip_before_filter.rb CHANGED

@@ -4,8 +4,8 @@ require 'brakeman/checks/base_check'
 #
 #  skip_before_filter :verify_authenticity_token, :except => [...]
 #
-#which is essentially a blacklist approach (no actions are checked EXCEPT the
-#ones listed) versus a whitelist approach (ONLY the actions listed will skip
+#which is essentially a skip-by-default approach (no actions are checked EXCEPT the
+#ones listed) versus a enforce-by-default approach (ONLY the actions listed will skip
 #the check)
 class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
   Brakeman::Checks.add self
@@ -26,7 +26,7 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
       warn :class => controller.name, #ugh this should be a controller warning, too
         :warning_type => "Cross-Site Request Forgery",
         :warning_code => :csrf_blacklist,
-        :message => msg("Use whitelist (", msg_code(":only => [..]"), ") when skipping CSRF check"),
+        :message => msg("List specific actions (", msg_code(":only => [..]"), ") when skipping CSRF check"),
         :code => filter,
         :confidence => :medium,
         :file => controller.file
@@ -35,7 +35,7 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
       warn :controller => controller.name,
         :warning_code => :auth_blacklist,
         :warning_type => "Authentication",
-        :message => msg("Use whitelist (", msg_code(":only => [..]"), ") when skipping authentication"),
+        :message => msg("List specific actions (", msg_code(":only => [..]"), ") when skipping authentication"),
         :code => filter,
         :confidence => :medium,
         :link_path => "authentication_whitelist",

data/lib/brakeman/checks/check_sql.rb CHANGED

@@ -393,7 +393,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     nil
   end
-  TO_STRING_METHODS = [:to_s, :strip_heredoc]
+  TO_STRING_METHODS = [:chomp, :to_s, :squish, :strip, :strip_heredoc]
   #Returns value if interpolated value is not something safe
   def unsafe_string_interp? exp
@@ -525,8 +525,6 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     false
   end
-  STRING_METHODS = Set[:<<, :+, :concat, :prepend]
   def check_for_string_building exp
     return unless call? exp
@@ -573,15 +571,6 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     end
   end
-  def string_building? exp
-    return false unless call? exp and STRING_METHODS.include? exp.method
-    node_type? exp.target, :str, :dstr or
-    node_type? exp.first_arg, :str, :dstr or
-    string_building? exp.target or
-    string_building? exp.first_arg
-  end
   IGNORE_METHODS_IN_SQL = Set[:id, :merge_conditions, :table_name, :quoted_table_name,
     :quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array,
     :sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,

data/lib/brakeman/checks/check_template_injection.rb ADDED

@@ -0,0 +1,32 @@
+require 'brakeman/checks/base_check'
+class Brakeman::CheckTemplateInjection < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+  @description = "Searches for evaluation of user input through template injection"
+  #Process calls
+  def run_check
+    Brakeman.debug "Finding ERB.new calls"
+    erb_calls = tracker.find_call :target => :ERB, :method => :new, :nested => true
+    Brakeman.debug "Processing ERB.new calls"
+    erb_calls.each do |call|
+      process_result call
+    end
+  end
+  #Warns if eval includes user input
+  def process_result result
+    return unless original? result
+    if input = include_user_input?(result[:call].arglist)
+      warn :result => result,
+        :warning_type => "Template Injection",
+        :warning_code => :erb_template_injection,
+        :message => msg(msg_input(input), " used directly in ", msg_code("ERB"), " template, which might enable remote code execution"),
+        :user_input => input,
+        :confidence => :high
+    end
+  end
+end

data/lib/brakeman/commandline.rb CHANGED

@@ -102,6 +102,13 @@ module Brakeman
           app_path = "."
         end
+        if options[:ensure_ignore_notes] and options[:previous_results_json]
+          warn '[Notice] --ensure-ignore-notes may not be used at the same ' \
+               'time as --compare. Deactivating --ensure-ignore-notes. ' \
+               'Please see `brakeman --help` for valid options'
+          options[:ensure_ignore_notes] = false
+        end
         return options, app_path
       end
@@ -115,7 +122,20 @@ module Brakeman
       # Runs a regular report based on the options provided.
       def regular_report options
-        tracker = run_brakeman options
+        tracker = run_brakeman options
+        ensure_ignore_notes_failed = false
+        if tracker.options[:ensure_ignore_notes]
+          fingerprints = Brakeman::ignore_file_entries_with_empty_notes tracker.ignored_filter&.file
+          unless fingerprints.empty?
+            ensure_ignore_notes_failed = true
+            warn '[Error] Notes required for all ignored warnings when ' \
+              '--ensure-ignore-notes is set. No notes provided for these ' \
+              'warnings: '
+            fingerprints.each { |f| warn f }
+          end
+        end
         if tracker.options[:exit_on_warn] and not tracker.filtered_warnings.empty?
           quit Brakeman::Warnings_Found_Exit_Code
@@ -124,6 +144,10 @@ module Brakeman
         if tracker.options[:exit_on_error] and tracker.errors.any?
           quit Brakeman::Errors_Found_Exit_Code
         end
+        if ensure_ignore_notes_failed
+          quit Brakeman::Empty_Ignore_Note_Exit_Code
+        end
       end
       # Actually run Brakeman.

data/lib/brakeman/differ.rb CHANGED

@@ -1,8 +1,6 @@
 # extracting the diff logic to it's own class for consistency. Currently handles
 # an array of Brakeman::Warnings or plain hash representations.
 class Brakeman::Differ
-  DEFAULT_HASH = {:new => [], :fixed => []}
-  OLD_WARNING_KEYS = [:warning_type, :location, :code, :message, :file, :link, :confidence, :user_input]
   attr_reader :old_warnings, :new_warnings
   def initialize new_warnings, old_warnings
@@ -11,9 +9,6 @@ class Brakeman::Differ
   end
   def diff
-    # get the type of elements
-    return DEFAULT_HASH if @new_warnings.empty?
     warnings = {}
     warnings[:new] = @new_warnings - @old_warnings
     warnings[:fixed] = @old_warnings - @new_warnings

data/lib/brakeman/options.rb CHANGED

@@ -67,6 +67,10 @@ module Brakeman::Options
           options[:ensure_latest] = true
         end
+        opts.on "--ensure-ignore-notes", "Fail when an ignored warnings does not include a note" do
+          options[:ensure_ignore_notes] = true
+        end
         opts.on "-3", "--rails3", "Force Rails 3 mode" do
           options[:rails3] = true
         end
@@ -225,7 +229,7 @@ module Brakeman::Options
         opts.on "-f",
           "--format TYPE",
-          [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table],
+          [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table, :junit],
           "Specify output formats. Default is text" do |type|
           type = "s" if type == :text
@@ -301,6 +305,22 @@ module Brakeman::Options
           options[:github_repo] = repo
         end
+        opts.on "--text-fields field1,field2,etc.", Array, "Specify fields for text report format" do |format|
+          valid_options = [:category, :category_id, :check, :code, :confidence, :file, :fingerprint, :line, :link, :message, :render_path]
+          options[:text_fields] = format.map(&:to_sym)
+          if options[:text_fields] == [:all]
+            options[:text_fields] = valid_options
+          else
+            invalid_options = (options[:text_fields] - valid_options)
+            unless invalid_options.empty?
+              raise OptionParser::ParseError, "\nInvalid format options: #{invalid_options.inspect}"
+            end
+          end
+        end
         opts.on "-w",
           "--confidence-level LEVEL",
           ["1", "2", "3"],

data/lib/brakeman/processors/alias_processor.rb CHANGED

@@ -82,7 +82,6 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   def replace exp, int = 0
     return exp if int > 3
     if replacement = env[exp] and not duplicate? replacement
       replace(replacement.deep_clone(exp.line), int + 1)
     elsif tracker and replacement = tracker.constant_lookup(exp) and not duplicate? replacement
@@ -731,14 +730,14 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   def array_include_all_literals? exp
     call? exp and
     exp.method == :include? and
-    all_literals? exp.target
+    (all_literals? exp.target or dir_glob? exp.target)
   end
   def array_detect_all_literals? exp
     call? exp and
     [:detect, :find].include? exp.method and
     exp.first_arg.nil? and
-    all_literals? exp.target
+    (all_literals? exp.target or dir_glob? exp.target)
   end
   #Sets @inside_if = true

data/lib/brakeman/processors/lib/call_conversion_helper.rb CHANGED

@@ -10,7 +10,7 @@ module Brakeman
     def join_arrays lhs, rhs, original_exp = nil
       if array? lhs and array? rhs
         result = Sexp.new(:array)
-        result.line(lhs.line || rhs.line)
+        result.line(lhs.line || rhs.line || 1)
         result.concat lhs[1..-1]
         result.concat rhs[1..-1]
         result

data/lib/brakeman/processors/lib/find_all_calls.rb CHANGED

@@ -20,6 +20,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
     @current_template = opts[:template]
     @current_file = opts[:file]
     @current_call = nil
+    @full_call = nil
     process exp
   end
@@ -60,7 +61,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
   end
   def process_call exp
-    @calls << create_call_hash(exp)
+    @calls << create_call_hash(exp).freeze
     exp
   end
@@ -72,6 +73,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
       call_hash[:block] = exp.block
       call_hash[:block_args] = exp.block_args
+      call_hash.freeze
       @calls << call_hash
@@ -88,7 +90,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
   #Calls to render() are converted to s(:render, ...) but we would
   #like them in the call cache still for speed
   def process_render exp
-    process exp.last if sexp? exp.last
+    process_all exp
     add_simple_call :render, exp
@@ -136,7 +138,8 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
                 :call => exp,
                 :nested => false,
                 :location => make_location,
-                :parent => @current_call }
+                :parent => @current_call,
+                :full_call => @full_call }.freeze
   end
   #Gets the target of a call as a Symbol
@@ -213,34 +216,47 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
   #Return info hash for a call Sexp
   def create_call_hash exp
     target = get_target exp.target
-    if call? target or node_type? target, :dxstr # need to index `` even if target of a call
-      already_in_target = @in_target
-      @in_target = true
-      process target
-      @in_target = already_in_target
-      target = get_target(target, :include_calls)
-    end
+    target_symbol = get_target(target, :include_calls)
     method = exp.method
     call_hash = {
-      :target => target,
+      :target => target_symbol,
       :method => method,
       :call => exp,
       :nested => @in_target,
       :chain => get_chain(exp),
       :location => make_location,
-      :parent => @current_call
+      :parent => @current_call,
+      :full_call => @full_call
     }
+    unless @in_target
+      @full_call = call_hash
+    end
+    # Process up the call chain
+    if call? target or node_type? target, :dxstr # need to index `` even if target of a call
+      already_in_target = @in_target
+      @in_target = true
+      process target
+      @in_target = already_in_target
+    end
+    # Process call arguments
+    # but add the current call as the 'parent'
+    # to any calls in the arguments
     old_parent = @current_call
     @current_call = call_hash
+    # Do not set @full_call when processing arguments
+    old_full_call = @full_call
+    @full_call = nil
     process_call_args exp
     @current_call = old_parent
+    @full_call = old_full_call
     call_hash
   end

data/lib/brakeman/processors/lib/render_helper.rb CHANGED

@@ -98,7 +98,9 @@ module Brakeman::RenderHelper
       if hash? options[:locals]
         hash_iterate options[:locals] do |key, value|
-          template_env[Sexp.new(:call, nil, key.value)] = value
+          if symbol? key
+            template_env[Sexp.new(:call, nil, key.value)] = value
+          end
         end
       end

data/lib/brakeman/report.rb CHANGED

@@ -6,7 +6,7 @@ require 'brakeman/report/report_base'
 class Brakeman::Report
   attr_reader :tracker
-  VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain, :to_text]
+  VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain, :to_text, :to_junit]
   def initialize tracker
     @app_tree = tracker.app_tree
@@ -40,6 +40,9 @@ class Brakeman::Report
       return self.to_table
     when :to_pdf
       raise "PDF output is not yet supported."
+    when :to_junit
+      require_report 'junit'
+      Brakeman::Report::JUnit
     else
       raise "Invalid format: #{format}. Should be one of #{VALID_FORMATS.inspect}"
     end

data/lib/brakeman/report/ignore/config.rb CHANGED

@@ -94,10 +94,18 @@ module Brakeman
       end
     end
+    def already_ignored_entries_with_empty_notes
+      @already_ignored.select { |i| i if i[:note].strip.empty? }
+    end
     # Read configuration to file
     def read_from_file file = @file
       if File.exist? file
-        @already_ignored = JSON.parse(File.read(file), :symbolize_names => true)[:ignored_warnings]
+        begin
+          @already_ignored = JSON.parse(File.read(file), :symbolize_names => true)[:ignored_warnings]
+        rescue => e
+          raise e, "\nError[#{e.class}] while reading brakeman ignore file: #{file}\n"
+        end
       else
         Brakeman.notify "[Notice] Could not find ignore configuration in #{file}"
         @already_ignored = []
@@ -118,7 +126,7 @@ module Brakeman
         w[:note] = @notes[w[:fingerprint]] || ""
         w
-      end.sort_by { |w| w[:fingerprint] }
+      end.sort_by { |w| [w[:fingerprint], w[:line]] }
       output = {
         :ignored_warnings => warnings,

data/lib/brakeman/report/report_junit.rb ADDED

@@ -0,0 +1,104 @@
+require 'time'
+require "stringio"
+require 'rexml/document'
+class Brakeman::Report::JUnit < Brakeman::Report::Base
+  def generate_report
+    io = StringIO.new
+    doc = REXML::Document.new
+    doc.add REXML::XMLDecl.new '1.0', 'UTF-8'
+    test_suites = REXML::Element.new 'testsuites'
+    test_suites.add_attribute 'xmlns:brakeman', 'https://brakemanscanner.org/'
+    properties = test_suites.add_element 'brakeman:properties', { 'xml:id' => 'scan_info' }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'app_path', 'brakeman:value' => tracker.app_path }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'rails_version', 'brakeman:value' => rails_version }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'security_warnings', 'brakeman:value' => all_warnings.length }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'start_time', 'brakeman:value' => tracker.start_time.iso8601 }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'end_time', 'brakeman:value' => tracker.end_time.iso8601 }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'duration', 'brakeman:value' => tracker.duration }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'checks_performed', 'brakeman:value' => checks.checks_run.join(',') }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'number_of_controllers', 'brakeman:value' => tracker.controllers.length }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'number_of_models', 'brakeman:value' => tracker.models.length - 1 }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'ruby_version', 'brakeman:value' => number_of_templates(@tracker) }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'number_of_templates', 'brakeman:value' => RUBY_VERSION }
+    properties.add_element 'brakeman:property', { 'brakeman:name' => 'brakeman_version', 'brakeman:value' => Brakeman::Version }
+    errors = test_suites.add_element 'brakeman:errors'
+    tracker.errors.each { |e|
+      error = errors.add_element 'brakeman:error'
+      error.add_attribute 'brakeman:message', e[:error]
+      e[:backtrace].each { |b|
+        backtrace = error.add_element 'brakeman:backtrace'
+        backtrace.add_text b
+      }
+    }
+    obsolete = test_suites.add_element 'brakeman:obsolete'
+    tracker.unused_fingerprints.each { |fingerprint|
+      obsolete.add_element 'brakeman:warning', { 'brakeman:fingerprint' => fingerprint }
+    }
+    ignored = test_suites.add_element 'brakeman:ignored'
+    ignored_warnings.each { |w|
+      warning = ignored.add_element 'brakeman:warning'
+      warning.add_attribute 'brakeman:message', w.message
+      warning.add_attribute 'brakeman:category', w.warning_type
+      warning.add_attribute 'brakeman:file', warning_file(w)
+      warning.add_attribute 'brakeman:line', w.line
+      warning.add_attribute 'brakeman:fingerprint', w.fingerprint
+      warning.add_attribute 'brakeman:confidence', TEXT_CONFIDENCE[w.confidence]
+      warning.add_attribute 'brakeman:code', w.format_code
+      warning.add_text w.to_s
+    }
+    hostname = `hostname`.strip
+    i = 0
+    all_warnings
+      .map { |warning| [warning.file, [warning]] }
+      .reduce({}) { |entries, entry|
+        key, value = entry
+        entries[key] = entries[key] ? entries[key].concat(value) : value
+        entries
+      }
+      .each { |file, warnings|
+        i += 1
+        test_suite = test_suites.add_element 'testsuite'
+        test_suite.add_attribute 'id', i
+        test_suite.add_attribute 'package', 'brakeman'
+        test_suite.add_attribute 'name', file.relative
+        test_suite.add_attribute 'timestamp', tracker.start_time.strftime('%FT%T')
+        test_suite.add_attribute 'hostname', hostname == '' ? 'localhost' : hostname
+        test_suite.add_attribute 'tests', checks.checks_run.length
+        test_suite.add_attribute 'failures', warnings.length
+        test_suite.add_attribute 'errors', '0'
+        test_suite.add_attribute 'time', '0'
+        test_suite.add_element 'properties'
+        warnings.each { |warning|
+          test_case = test_suite.add_element 'testcase'
+          test_case.add_attribute 'name', 'run_check'
+          test_case.add_attribute 'classname', warning.check
+          test_case.add_attribute 'time', '0'
+          failure = test_case.add_element 'failure'
+          failure.add_attribute 'message', warning.message
+          failure.add_attribute 'type', warning.warning_type
+          failure.add_attribute 'brakeman:fingerprint', warning.fingerprint
+          failure.add_attribute 'brakeman:file', warning_file(warning)
+          failure.add_attribute 'brakeman:line', warning.line
+          failure.add_attribute 'brakeman:confidence', TEXT_CONFIDENCE[warning.confidence]
+          failure.add_attribute 'brakeman:code', warning.format_code
+          failure.add_text warning.to_s
+        }
+        test_suite.add_element 'system-out'
+        test_suite.add_element 'system-err'
+      }
+    doc.add test_suites
+    doc.write io
+    io.string
+  end
+end