brakeman 5.0.1 → 5.1.1

data/lib/brakeman/processors/alias_processor.rb

@@ -208,6 +208,15 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       return Sexp.new(:false).line(exp.line)
     end
 
+    # For the simplest case of `Foo.thing`
+    if node_type? target, :const and first_arg.nil?
+      if tracker and (klass = tracker.find_class(class_name(target.value)))
+        if return_value = klass.get_simple_method_return_value(:class, method)
+          return return_value.deep_clone(exp.line)
+        end
+      end
+    end
+
     #See if it is possible to simplify some basic cases
     #of addition/concatenation.
     case method
@@ -220,13 +229,28 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         exp = math_op(:+, target, first_arg, exp)
       end
     when :-, :*, :/
-      exp = math_op(method, target, first_arg, exp)
+      if method == :* and array? target
+        if string? first_arg
+          exp = process_array_join(target, first_arg)
+        end
+      else
+        exp = math_op(method, target, first_arg, exp)
+      end
     when :[]
       if array? target
         exp = process_array_access(target, exp.args, exp)
       elsif hash? target
         exp = process_hash_access(target, first_arg, exp)
       end
+    when :fetch
+      if array? target
+        # Not dealing with default value
+        # so just pass in first argument, but process_array_access expects
+        # an array of arguments.
+        exp = process_array_access(target, [first_arg], exp)
+      elsif hash? target
+        exp = process_hash_access(target, first_arg, exp)
+      end
     when :merge!, :update
       if hash? target and hash? first_arg
          target = process_hash_merge! target, first_arg
@@ -266,6 +290,12 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         target = find_push_target(target_var)
         env[target] = exp unless target.nil? # Happens in TemplateAliasProcessor
       end
+    when :push
+      if array? target
+        target << first_arg
+        env[target_var] = target
+        return target
+      end
     when :first
       if array? target and first_arg.nil? and sexp? target[1]
         exp = target[1]
@@ -279,7 +309,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         exp = target
       end
     when :join
-      if array? target and target.length > 2 and (string? first_arg or first_arg.nil?)
+      if array? target and (string? first_arg or first_arg.nil?)
         exp = process_array_join(target, first_arg)
       end
     when :!
@@ -287,6 +317,15 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       if call? target and target.method == :!
         exp = s(:or, s(:true).line(exp.line), s(:false).line(exp.line)).line(exp.line)
       end
+    when :values
+      # Hash literal
+      if node_type? target, :hash
+        exp = hash_values(target)
+      end
+    when :values_at
+      if node_type? target, :hash
+        exp = hash_values_at target, exp.args
+      end
     end
 
     exp
@@ -294,6 +333,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
 
   # Painful conversion of Array#join into string interpolation
   def process_array_join array, join_str
+    # Empty array
+    if array.length == 1
+      return s(:str, '').line(array.line)
+    end
+
     result = s().line(array.line)
 
     join_value = if string? join_str
@@ -302,8 +346,10 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
                    nil
                  end
 
-    array[1..-2].each do |e|
-      result << join_item(e, join_value)
+    if array.length > 2
+      array[1..-2].each do |e|
+        result << join_item(e, join_value)
+      end
     end
 
     result << join_item(array.last, nil)
@@ -332,7 +378,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     result.unshift combined_first
 
     # Have to fix up strings that follow interpolation
-    result.reduce(s(:dstr).line(array.line)) do |memo, e|
+    string = result.reduce(s(:dstr).line(array.line)) do |memo, e|
       if string? e and node_type? memo.last, :evstr
         e.value = "#{join_value}#{e.value}"
       elsif join_value and node_type? memo.last, :evstr and node_type? e, :evstr
@@ -341,6 +387,14 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
 
       memo << e
     end
+
+    # Convert (:dstr, "hello world")
+    # to (:str, "hello world")
+    if string.length == 2 and string.last.is_a? String
+      string[0] = :str
+    end
+
+    string
   end
 
   def join_item item, join_value
@@ -749,6 +803,18 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     exp
   end
 
+  def hash_or_array_include_all_literals? exp
+    return unless call? exp and sexp? exp.target
+    target = exp.target
+
+    case target.node_type
+    when :hash
+      hash_include_all_literals? exp
+    else
+      array_include_all_literals? exp
+    end
+  end
+
   # Check if exp is a call to Array#include? on an array literal
   # that contains all literal values. For example:
   #
@@ -767,6 +833,16 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     (all_literals? exp.target or dir_glob? exp.target)
   end
 
+  # Check if exp is a call to Hash#include? on a hash literal
+  # that contains all literal values. For example:
+  #
+  #    {x: 1}.include? x
+  def hash_include_all_literals? exp
+    call? exp and
+    exp.method == :include? and
+    all_literals? exp.target, :hash
+  end
+
   #Sets @inside_if = true
   def process_if exp
     if @ignore_ifs.nil?
@@ -807,7 +883,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         scope do
           @branch_env = env.current
           branch_index = 2 + i # s(:if, condition, then_branch, else_branch)
-          if i == 0 and array_include_all_literals? condition
+          if i == 0 and hash_or_array_include_all_literals? condition
             # If the condition is ["a", "b"].include? x
             # set x to "a" inside the true branch
             var = condition.first_arg
@@ -815,7 +891,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
             env.current[var] = safe_literal(var.line)
             exp[branch_index] = process_if_branch branch
             env.current[var] = previous_value
-          elsif i == 1 and array_include_all_literals? condition and early_return? branch
+          elsif i == 1 and hash_or_array_include_all_literals? condition and early_return? branch
             var = condition.first_arg
             env.current[var] = safe_literal(var.line)
             exp[branch_index] = process_if_branch branch
@@ -1013,8 +1089,8 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     method_name = call.method
 
     #Look for helper methods and see if we can get a return value
-    if found_method = find_method(method_name, @current_class)
-      helper = found_method[:method]
+    if found_method = tracker.find_method(method_name, @current_class)
+      helper = found_method.src
 
       if sexp? helper
         value = process_helper_method helper, call.args

data/lib/brakeman/processors/controller_alias_processor.rb

@@ -51,7 +51,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
         #Need to process the method like it was in a controller in order
         #to get the renders set
         processor = Brakeman::ControllerProcessor.new(@tracker, mixin.file)
-        method = mixin.get_method(name)[:src].deep_clone
+        method = mixin.get_method(name).src.deep_clone
 
         if node_type? method, :defn
           method = processor.process_defn method
@@ -143,16 +143,16 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
   #Basically, adds any instance variable assignments to the environment.
   #TODO: method arguments?
   def process_before_filter name
-    filter = find_method name, @current_class
+    filter = tracker.find_method name, @current_class
 
     if filter.nil?
       Brakeman.debug "[Notice] Could not find filter #{name}"
       return
     end
 
-    method = filter[:method]
+    method = filter.src
 
-    if ivars = @tracker.filter_cache[[filter[:controller], name]]
+    if ivars = @tracker.filter_cache[[filter.owner, name]]
       ivars.each do |variable, value|
         env[variable] = value
       end
@@ -162,7 +162,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
 
       ivars = processor.only_ivars(:include_request_vars).all
 
-      @tracker.filter_cache[[filter[:controller], name]] = ivars
+      @tracker.filter_cache[[filter.owner, name]] = ivars
 
       ivars.each do |variable, value|
         env[variable] = value
@@ -182,7 +182,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
     # method as the line number
     if line.nil? and controller = @tracker.controllers[@current_class]
       if meth = controller.get_method(@current_method)
-        if line = meth[:src] && meth[:src].last && meth[:src].last.line
+        if line = meth.src && meth.src.last && meth.src.last.line
           line += 1
         else
           line = 1
@@ -241,41 +241,4 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
       []
     end
   end
-
-  #Finds a method in the given class or a parent class
-  #
-  #Returns nil if the method could not be found.
-  #
-  #If found, returns hash table with controller name and method sexp.
-  def find_method method_name, klass
-    return nil if sexp? method_name
-    method_name = method_name.to_sym
-
-    if method = @method_cache[method_name]
-      return method
-    end
-
-    controller = @tracker.controllers[klass]
-    controller ||= @tracker.libs[klass]
-
-    if klass and controller
-      method = controller.get_method method_name
-
-      if method.nil?
-        controller.includes.each do |included|
-          method = find_method method_name, included
-          if method
-            @method_cache[method_name] = method
-            return method
-          end
-       end
-
-        @method_cache[method_name] = find_method method_name, controller.parent
-      else
-        @method_cache[method_name] = { :controller => controller.name, :method => method[:src] }
-      end
-    else
-      nil
-    end
-  end
 end

data/lib/brakeman/processors/lib/call_conversion_helper.rb

@@ -1,11 +1,5 @@
 module Brakeman
   module CallConversionHelper
-    def all_literals? exp, expected_type = :array
-      node_type? exp, expected_type and
-        exp.length > 1 and
-        exp.all? { |e| e.is_a? Symbol or node_type? e, :lit, :str }
-    end
-
     # Join two array literals into one.
     def join_arrays lhs, rhs, original_exp = nil
       if array? lhs and array? rhs
@@ -76,6 +70,8 @@ module Brakeman
 
         #Have to do this because first element is :array and we have to skip it
         array[1..-1][index] or original_exp
+      elsif all_literals? array
+        safe_literal(array.line)
       else
         original_exp
       end
@@ -92,5 +88,13 @@ module Brakeman
         original_exp
       end
     end
+
+    def hash_values_at hash, keys
+      values = keys.map do |key|
+        process_hash_access hash, key
+      end
+
+      Sexp.new(:array).concat(values).line(hash.line)
+    end
   end
 end

data/lib/brakeman/processors/library_processor.rb

@@ -54,6 +54,15 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
 
   def process_call exp
     if process_call_defn? exp
+      exp
+    elsif @current_method.nil? and exp.target.nil? and (@current_class or @current_module)
+      # Methods called inside class / module
+      case exp.method
+      when :include
+        module_name = class_name(exp.first_arg)
+        (@current_class || @current_module).add_include module_name
+      end
+
       exp
     else
       process_default exp

data/lib/brakeman/processors/model_processor.rb

@@ -73,6 +73,8 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
           @current_class.set_attr_accessible exp
         when :attr_protected
           @current_class.set_attr_protected exp
+        when :enum
+          add_enum_method exp
         else
           if @current_class
             @current_class.add_option method, exp
@@ -87,4 +89,33 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
       call
     end
   end
+
+  def add_enum_method call
+    arg = call.first_arg
+    return unless hash? arg
+
+    enum_name = arg[1].value # first key
+    enums = arg[2] # first value
+    enums_name = pluralize(enum_name.to_s).to_sym
+
+    call_line = call.line
+
+    if hash? enums
+      enum_values = enums
+    elsif array? enums
+      # Build hash for enum values like Rails does
+      enum_values = s(:hash).line(call_line)
+
+      enums.each_sexp.with_index do |v, index|
+        enum_values << v
+        enum_values << s(:lit, index).line(call_line)
+      end
+    end
+
+    enum_method = s(:defn, enum_name, s(:args), safe_literal(call_line))
+    enums_method = s(:defs, s(:self), enums_name, s(:args), enum_values)
+
+    @current_class.add_method :public, enum_name, enum_method, @current_file
+    @current_class.add_method :public, enums_name, enums_method, @current_file
+  end
 end

data/lib/brakeman/report.rb

@@ -6,7 +6,7 @@ require 'brakeman/report/report_base'
 class Brakeman::Report
   attr_reader :tracker
 
-  VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain, :to_text, :to_junit]
+  VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain, :to_text, :to_junit, :to_github]
 
   def initialize tracker
     @app_tree = tracker.app_tree
@@ -48,6 +48,9 @@ class Brakeman::Report
     when :to_sonar
       require_report 'sonar'
       Brakeman::Report::Sonar
+    when :to_github
+      require_report 'github'
+      Brakeman::Report::Github
     else
       raise "Invalid format: #{format}. Should be one of #{VALID_FORMATS.inspect}"
     end

data/lib/brakeman/report/ignore/interactive.rb

@@ -62,7 +62,7 @@ module Brakeman
           process_warnings
         end
 
-        m.choice "Hide previously ignored warnings" do
+        m.choice "Inspect new warnings" do
           @skip_ignored = true
           pre_show_help
           process_warnings

data/lib/brakeman/report/report_github.rb

@@ -0,0 +1,31 @@
+# Github Actions Formatter
+# Formats warnings as workflow commands to create annotations in GitHub UI
+class Brakeman::Report::Github < Brakeman::Report::Base
+  def generate_report
+    # @see https://docs.github.com/en/actions/reference/workflow-commands-for-github-actions#setting-a-warning-message
+    errors.concat(warnings).join("\n")
+  end
+
+  def warnings
+    all_warnings
+      .map { |warning| "::warning file=#{warning_file(warning)},line=#{warning.line}::#{warning.message}" }
+  end
+
+  def errors
+    tracker.errors.map do |error|
+      if error[:exception].is_a?(Racc::ParseError)
+        # app/services/balance.rb:4 :: parse error on value "..." (tDOT3)
+        file, line = error[:exception].message.split(':').map(&:strip)[0,2]
+        "::error file=#{file},line=#{line}::#{clean_message(error[:error])}"
+      else
+        "::error ::#{clean_message(error[:error])}"
+      end
+    end
+  end
+
+  private
+
+  def clean_message(msg)
+    msg.gsub('::','').squeeze(' ')
+  end
+end

data/lib/brakeman/report/report_sarif.rb

@@ -48,7 +48,7 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
   end
 
   def results
-    @results ||= all_warnings.map do |warning|
+    @results ||= tracker.checks.all_warnings.map do |warning|
       rule_id = render_id warning
       result_level = infer_level warning
       message_text = render_message warning.message.to_s
@@ -72,6 +72,23 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
         ],
       }
 
+      if @ignore_filter && @ignore_filter.ignored?(warning)
+        result[:suppressions] = [
+          {
+            :kind => 'external',
+            :justification => @ignore_filter.note_for(warning),
+            :location => {
+              :physicalLocation => {
+                :artifactLocation => {
+                  :uri => Brakeman::FilePath.from_app_tree(@app_tree, @ignore_filter.file).relative,
+                  :uriBaseId => '%SRCROOT%',
+                },
+              },
+            },
+          }
+        ]
+      end
+
       result
     end
   end
@@ -85,7 +102,7 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
 
   # Returns a de-duplicated set of warnings, used to generate rules
   def unique_warnings_by_warning_code
-    @unique_warnings_by_warning_code ||= all_warnings.uniq { |w| w.warning_code }
+    @unique_warnings_by_warning_code ||= tracker.checks.all_warnings.uniq { |w| w.warning_code }
   end
 
   def render_id warning
@@ -94,6 +111,8 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
   end
 
   def render_message message
+    return message if message.nil?
+
     # Ensure message ends with a period
     if message.end_with? "."
       message