brakeman 5.0.0 → 5.1.0

data/lib/brakeman/processors/base_processor.rb

@@ -8,7 +8,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
   include Brakeman::SafeCallHelper
   include Brakeman::Util
 
-  IGNORE = Sexp.new :ignore
+  IGNORE = Sexp.new(:ignore).line(0)
 
   #Return a new Processor.
   def initialize tracker
@@ -216,7 +216,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
   #
   #And also :layout for inside templates
   def find_render_type call, in_view = false
-    rest = Sexp.new(:hash)
+    rest = Sexp.new(:hash).line(call.line)
     type = nil
     value = nil
     first_arg = call.first_arg
@@ -236,7 +236,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
       end
     elsif first_arg.is_a? Symbol or first_arg.is_a? String
       type = :action
-      value = Sexp.new(:lit, first_arg.to_sym)
+      value = Sexp.new(:lit, first_arg.to_sym).line(call.line)
     elsif first_arg.nil?
       type = :default
     elsif not hash? first_arg
@@ -293,6 +293,6 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     @tracker.processor.process_template(template_name, ast, type, nil, @current_file)
     @tracker.processor.process_template_alias(@tracker.templates[template_name])
 
-    return s(:lit, template_name), options
+    return s(:lit, template_name).line(value.line), options
   end
 end

data/lib/brakeman/processors/controller_alias_processor.rb

@@ -51,7 +51,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
         #Need to process the method like it was in a controller in order
         #to get the renders set
         processor = Brakeman::ControllerProcessor.new(@tracker, mixin.file)
-        method = mixin.get_method(name)[:src].deep_clone
+        method = mixin.get_method(name).src.deep_clone
 
         if node_type? method, :defn
           method = processor.process_defn method
@@ -143,16 +143,16 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
   #Basically, adds any instance variable assignments to the environment.
   #TODO: method arguments?
   def process_before_filter name
-    filter = find_method name, @current_class
+    filter = tracker.find_method name, @current_class
 
     if filter.nil?
       Brakeman.debug "[Notice] Could not find filter #{name}"
       return
     end
 
-    method = filter[:method]
+    method = filter.src
 
-    if ivars = @tracker.filter_cache[[filter[:controller], name]]
+    if ivars = @tracker.filter_cache[[filter.owner, name]]
       ivars.each do |variable, value|
         env[variable] = value
       end
@@ -162,7 +162,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
 
       ivars = processor.only_ivars(:include_request_vars).all
 
-      @tracker.filter_cache[[filter[:controller], name]] = ivars
+      @tracker.filter_cache[[filter.owner, name]] = ivars
 
       ivars.each do |variable, value|
         env[variable] = value
@@ -182,7 +182,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
     # method as the line number
     if line.nil? and controller = @tracker.controllers[@current_class]
       if meth = controller.get_method(@current_method)
-        if line = meth[:src] && meth[:src].last && meth[:src].last.line
+        if line = meth.src && meth.src.last && meth.src.last.line
           line += 1
         else
           line = 1
@@ -241,41 +241,4 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
       []
     end
   end
-
-  #Finds a method in the given class or a parent class
-  #
-  #Returns nil if the method could not be found.
-  #
-  #If found, returns hash table with controller name and method sexp.
-  def find_method method_name, klass
-    return nil if sexp? method_name
-    method_name = method_name.to_sym
-
-    if method = @method_cache[method_name]
-      return method
-    end
-
-    controller = @tracker.controllers[klass]
-    controller ||= @tracker.libs[klass]
-
-    if klass and controller
-      method = controller.get_method method_name
-
-      if method.nil?
-        controller.includes.each do |included|
-          method = find_method method_name, included
-          if method
-            @method_cache[method_name] = method
-            return method
-          end
-       end
-
-        @method_cache[method_name] = find_method method_name, controller.parent
-      else
-        @method_cache[method_name] = { :controller => controller.name, :method => method[:src] }
-      end
-    else
-      nil
-    end
-  end
 end

data/lib/brakeman/processors/lib/call_conversion_helper.rb

@@ -1,11 +1,5 @@
 module Brakeman
   module CallConversionHelper
-    def all_literals? exp, expected_type = :array
-      node_type? exp, expected_type and
-        exp.length > 1 and
-        exp.all? { |e| e.is_a? Symbol or node_type? e, :lit, :str }
-    end
-
     # Join two array literals into one.
     def join_arrays lhs, rhs, original_exp = nil
       if array? lhs and array? rhs
@@ -76,6 +70,8 @@ module Brakeman
 
         #Have to do this because first element is :array and we have to skip it
         array[1..-1][index] or original_exp
+      elsif all_literals? array
+        safe_literal(array.line)
       else
         original_exp
       end
@@ -92,5 +88,13 @@ module Brakeman
         original_exp
       end
     end
+
+    def hash_values_at hash, keys
+      values = keys.map do |key|
+        process_hash_access hash, key
+      end
+
+      Sexp.new(:array).concat(values).line(hash.line)
+    end
   end
 end

data/lib/brakeman/processors/lib/rails4_config_processor.rb

@@ -2,10 +2,11 @@ require 'brakeman/processors/lib/rails3_config_processor'
 
 class Brakeman::Rails4ConfigProcessor < Brakeman::Rails3ConfigProcessor
   APPLICATION_CONFIG = s(:call, s(:call, s(:const, :Rails), :application), :configure)
+  ALT_APPLICATION_CONFIG = s(:call, s(:call, s(:colon3, :Rails), :application), :configure)
 
   # Look for Rails.application.configure do ... end
   def process_iter exp
-    if exp.block_call == APPLICATION_CONFIG
+    if exp.block_call == APPLICATION_CONFIG or exp.block_call == ALT_APPLICATION_CONFIG
       @inside_config = true
       process exp.block if sexp? exp.block
       @inside_config = false

data/lib/brakeman/processors/library_processor.rb

@@ -54,6 +54,15 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
 
   def process_call exp
     if process_call_defn? exp
+      exp
+    elsif @current_method.nil? and exp.target.nil? and (@current_class or @current_module)
+      # Methods called inside class / module
+      case exp.method
+      when :include
+        module_name = class_name(exp.first_arg)
+        (@current_class || @current_module).add_include module_name
+      end
+
       exp
     else
       process_default exp

data/lib/brakeman/processors/model_processor.rb

@@ -73,6 +73,8 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
           @current_class.set_attr_accessible exp
         when :attr_protected
           @current_class.set_attr_protected exp
+        when :enum
+          add_enum_method exp
         else
           if @current_class
             @current_class.add_option method, exp
@@ -87,4 +89,33 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
       call
     end
   end
+
+  def add_enum_method call
+    arg = call.first_arg
+    return unless hash? arg
+
+    enum_name = arg[1].value # first key
+    enums = arg[2] # first value
+    enums_name = pluralize(enum_name.to_s).to_sym
+
+    call_line = call.line
+
+    if hash? enums
+      enum_values = enums
+    elsif array? enums
+      # Build hash for enum values like Rails does
+      enum_values = s(:hash).line(call_line)
+
+      enums.each_sexp.with_index do |v, index|
+        enum_values << v
+        enum_values << s(:lit, index).line(call_line)
+      end
+    end
+
+    enum_method = s(:defn, enum_name, s(:args), safe_literal(call_line))
+    enums_method = s(:defs, s(:self), enums_name, s(:args), enum_values)
+
+    @current_class.add_method :public, enum_name, enum_method, @current_file
+    @current_class.add_method :public, enums_name, enums_method, @current_file
+  end
 end

data/lib/brakeman/report.rb

@@ -6,7 +6,7 @@ require 'brakeman/report/report_base'
 class Brakeman::Report
   attr_reader :tracker
 
-  VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain, :to_text, :to_junit]
+  VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain, :to_text, :to_junit, :to_github]
 
   def initialize tracker
     @app_tree = tracker.app_tree
@@ -48,6 +48,9 @@ class Brakeman::Report
     when :to_sonar
       require_report 'sonar'
       Brakeman::Report::Sonar
+    when :to_github
+      require_report 'github'
+      Brakeman::Report::Github
     else
       raise "Invalid format: #{format}. Should be one of #{VALID_FORMATS.inspect}"
     end

data/lib/brakeman/report/ignore/config.rb

@@ -100,14 +100,14 @@ module Brakeman
 
     # Read configuration to file
     def read_from_file file = @file
-      if File.exist? file
+      if File.exist? file.absolute
         begin
           @already_ignored = JSON.parse(File.read(file), :symbolize_names => true)[:ignored_warnings]
         rescue => e
-          raise e, "\nError[#{e.class}] while reading brakeman ignore file: #{file}\n"
+          raise e, "\nError[#{e.class}] while reading brakeman ignore file: #{file.relative}\n"
         end
       else
-        Brakeman.notify "[Notice] Could not find ignore configuration in #{file}"
+        Brakeman.notify "[Notice] Could not find ignore configuration in #{file.relative}"
         @already_ignored = []
       end
 
@@ -134,7 +134,7 @@ module Brakeman
         :brakeman_version => Brakeman::Version
       }
 
-      File.open file, "w" do |f|
+      File.open file.absolute, "w" do |f|
         f.puts JSON.pretty_generate(output)
       end
     end

data/lib/brakeman/report/ignore/interactive.rb

@@ -62,7 +62,7 @@ module Brakeman
           process_warnings
         end
 
-        m.choice "Hide previously ignored warnings" do
+        m.choice "Inspect new warnings" do
           @skip_ignored = true
           pre_show_help
           process_warnings

data/lib/brakeman/report/report_github.rb

@@ -0,0 +1,31 @@
+# Github Actions Formatter
+# Formats warnings as workflow commands to create annotations in GitHub UI
+class Brakeman::Report::Github < Brakeman::Report::Base
+  def generate_report
+    # @see https://docs.github.com/en/actions/reference/workflow-commands-for-github-actions#setting-a-warning-message
+    errors.concat(warnings).join("\n")
+  end
+
+  def warnings
+    all_warnings
+      .map { |warning| "::warning file=#{warning_file(warning)},line=#{warning.line}::#{warning.message}" }
+  end
+
+  def errors
+    tracker.errors.map do |error|
+      if error[:exception].is_a?(Racc::ParseError)
+        # app/services/balance.rb:4 :: parse error on value "..." (tDOT3)
+        file, line = error[:exception].message.split(':').map(&:strip)[0,2]
+        "::error file=#{file},line=#{line}::#{clean_message(error[:error])}"
+      else
+        "::error ::#{clean_message(error[:error])}"
+      end
+    end
+  end
+
+  private
+
+  def clean_message(msg)
+    msg.gsub('::','').squeeze(' ')
+  end
+end

data/lib/brakeman/report/report_sarif.rb

@@ -48,7 +48,7 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
   end
 
   def results
-    @results ||= all_warnings.map do |warning|
+    @results ||= tracker.checks.all_warnings.map do |warning|
       rule_id = render_id warning
       result_level = infer_level warning
       message_text = render_message warning.message.to_s
@@ -72,6 +72,23 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
         ],
       }
 
+      if @ignore_filter && @ignore_filter.ignored?(warning)
+        result[:suppressions] = [
+          {
+            :kind => 'external',
+            :justification => @ignore_filter.note_for(warning),
+            :location => {
+              :physicalLocation => {
+                :artifactLocation => {
+                  :uri => @ignore_filter.file.relative,
+                  :uriBaseId => '%SRCROOT%',
+                },
+              },
+            },
+          }
+        ]
+      end
+
       result
     end
   end
@@ -85,7 +102,7 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
 
   # Returns a de-duplicated set of warnings, used to generate rules
   def unique_warnings_by_warning_code
-    @unique_warnings_by_warning_code ||= all_warnings.uniq { |w| w.warning_code }
+    @unique_warnings_by_warning_code ||= tracker.checks.all_warnings.uniq { |w| w.warning_code }
   end
 
   def render_id warning
@@ -94,6 +111,8 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
   end
 
   def render_message message
+    return message if message.nil?
+
     # Ensure message ends with a period
     if message.end_with? "."
       message

data/lib/brakeman/rescanner.rb

@@ -391,7 +391,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
 
   def parse_ruby_files list
     paths = list.select(&:exists?)
-    file_parser = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
+    file_parser = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout], tracker.options[:parallel_checks])
     file_parser.parse_files paths
     tracker.add_errors(file_parser.errors)
     file_parser.file_list

data/lib/brakeman/scanner.rb

@@ -71,7 +71,7 @@ class Brakeman::Scanner
   end
 
   def parse_files
-    fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
+    fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout], tracker.options[:parallel_checks])
 
     fp.parse_files tracker.app_tree.ruby_file_paths
 
@@ -353,6 +353,9 @@ class Brakeman::Scanner
   def parse_ruby_file file
     fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
     fp.parse_ruby(file.read, file)
+  rescue Exception => e
+    tracker.error(e)
+    nil
   end
 end
 

data/lib/brakeman/tracker.rb

@@ -35,6 +35,7 @@ class Brakeman::Tracker
     #class they are.
     @models = {}
     @models[UNKNOWN_MODEL] = Brakeman::Model.new(UNKNOWN_MODEL, nil, @app_tree.file_path("NOT_REAL.rb"), nil, self)
+    @method_cache = {}
     @routes = {}
     @initializers = {}
     @errors = []
@@ -99,8 +100,8 @@ class Brakeman::Tracker
     classes.each do |set|
       set.each do |set_name, collection|
         collection.each_method do |method_name, definition|
-          src = definition[:src]
-          yield src, set_name, method_name, definition[:file]
+          src = definition.src
+          yield src, set_name, method_name, definition.file
         end
       end
     end
@@ -220,6 +221,34 @@ class Brakeman::Tracker
     nil
   end
 
+  def find_method method_name, class_name, method_type = :instance
+    return nil unless method_name.is_a? Symbol
+
+    klass = find_class(class_name)
+    return nil unless klass
+
+    cache_key = [klass, method_name, method_type]
+
+    if method = @method_cache[cache_key]
+      return method
+    end
+
+    if method = klass.get_method(method_name, method_type)
+      return method
+    else
+      # Check modules included for method definition
+      # TODO: only for instance methods, otherwise check extends!
+      klass.includes.each do |included_name|
+        if method = find_method(method_name, included_name, method_type)
+          return (@method_cache[cache_key] = method)
+        end
+      end
+
+      # Not in any included modules, check the parent
+      @method_cache[cache_key] = find_method(method_name, klass.parent)
+    end
+  end
+
   def index_call_sites
     finder = Brakeman::FindAllCalls.new self
 
@@ -285,8 +314,8 @@ class Brakeman::Tracker
     method_sets.each do |set|
       set.each do |set_name, info|
         info.each_method do |method_name, definition|
-          src = definition[:src]
-          finder.process_source src, :class => set_name, :method => method_name, :file => definition[:file]
+          src = definition.src
+          finder.process_source src, :class => set_name, :method => method_name, :file => definition.file
         end
       end
     end