brakeman 5.0.2 → 5.1.2

  1. checksums.yaml +4 -4
  2. data/CHANGES.md +46 -1
  3. data/README.md +1 -1
  4. data/bundle/load.rb +5 -5
  5. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/CHANGELOG.md +8 -0
  6. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/FAQ.md +0 -0
  7. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/Gemfile +0 -0
  8. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/MIT-LICENSE +0 -0
  9. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/README.md +19 -13
  10. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/REFERENCE.md +10 -3
  11. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/TODO +0 -0
  12. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/haml.gemspec +0 -0
  13. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/attribute_builder.rb +55 -0
  14. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/attribute_compiler.rb +4 -2
  15. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/attribute_parser.rb +0 -0
  16. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/buffer.rb +0 -56
  17. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/compiler.rb +0 -0
  18. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/engine.rb +0 -0
  19. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/error.rb +0 -0
  20. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/escapable.rb +0 -0
  21. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/exec.rb +0 -0
  22. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/filters.rb +0 -0
  23. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/generator.rb +0 -0
  24. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/helpers/action_view_extensions.rb +0 -0
  25. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/helpers/action_view_mods.rb +0 -0
  26. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/helpers/action_view_xss_mods.rb +0 -0
  27. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/helpers/safe_erubi_template.rb +0 -0
  28. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/helpers/safe_erubis_template.rb +0 -0
  29. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/helpers/xss_mods.rb +0 -0
  30. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/helpers.rb +0 -0
  31. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/options.rb +0 -0
  32. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/parser.rb +0 -0
  33. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/plugin.rb +18 -1
  34. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/railtie.rb +5 -0
  35. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/sass_rails_filter.rb +0 -0
  36. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/template/options.rb +0 -0
  37. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/template.rb +0 -0
  38. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/temple_engine.rb +2 -1
  39. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/temple_line_counter.rb +0 -0
  40. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/util.rb +0 -0
  41. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/version.rb +1 -1
  42. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml.rb +0 -0
  43. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/yard/default/fulldoc/html/css/common.sass +0 -0
  44. data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/yard/default/layout/html/footer.erb +0 -0
  45. data/bundle/ruby/2.7.0/gems/{parallel-1.20.1 → parallel-1.21.0}/MIT-LICENSE.txt +0 -0
  46. data/bundle/ruby/2.7.0/gems/parallel-1.21.0/lib/parallel/processor_count.rb +45 -0
  47. data/bundle/ruby/2.7.0/gems/parallel-1.21.0/lib/parallel/version.rb +4 -0
  48. data/bundle/ruby/2.7.0/gems/{parallel-1.20.1 → parallel-1.21.0}/lib/parallel.rb +52 -43
  49. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0 → ruby_parser-3.18.0}/History.rdoc +76 -0
  50. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0 → ruby_parser-3.18.0}/Manifest.txt +3 -0
  51. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0 → ruby_parser-3.18.0}/README.rdoc +1 -0
  52. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0 → ruby_parser-3.18.0}/compare/normalize.rb +6 -1
  53. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0 → ruby_parser-3.18.0}/debugging.md +0 -0
  54. data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/gauntlet.md +106 -0
  55. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0 → ruby_parser-3.18.0}/lib/rp_extensions.rb +15 -36
  56. data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/rp_stringscanner.rb +33 -0
  57. data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby20_parser.rb +7122 -0
  58. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0 → ruby_parser-3.18.0}/lib/ruby20_parser.y +327 -247
  59. data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby21_parser.rb +7176 -0
  60. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0 → ruby_parser-3.18.0}/lib/ruby21_parser.y +322 -244
  61. data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby22_parser.rb +7222 -0
  62. data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby22_parser.y +2718 -0
  63. data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby23_parser.rb +7231 -0
  64. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0/lib/ruby26_parser.y → ruby_parser-3.18.0/lib/ruby23_parser.y} +328 -271
  65. data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby24_parser.rb +7262 -0
  66. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0 → ruby_parser-3.18.0}/lib/ruby24_parser.y +326 -246
  67. data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby25_parser.rb +7262 -0
  68. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0/lib/ruby30_parser.y → ruby_parser-3.18.0/lib/ruby25_parser.y} +327 -276
  69. data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby26_parser.rb +7281 -0
  70. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0/lib/ruby27_parser.y → ruby_parser-3.18.0/lib/ruby26_parser.y} +326 -260
  71. data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby27_parser.rb +8511 -0
  72. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0/lib/ruby_parser.yy → ruby_parser-3.18.0/lib/ruby27_parser.y} +905 -355
  73. data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby30_parser.rb +8741 -0
  74. data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby30_parser.y +3463 -0
  75. data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby3_parser.yy +3467 -0
  76. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0 → ruby_parser-3.18.0}/lib/ruby_lexer.rb +261 -609
  77. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0 → ruby_parser-3.18.0}/lib/ruby_lexer.rex +27 -20
  78. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0 → ruby_parser-3.18.0}/lib/ruby_lexer.rex.rb +59 -23
  79. data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby_lexer_strings.rb +638 -0
  80. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0 → ruby_parser-3.18.0}/lib/ruby_parser.rb +0 -0
  81. data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby_parser.yy +3481 -0
  82. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0 → ruby_parser-3.18.0}/lib/ruby_parser_extras.rb +296 -115
  83. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0 → ruby_parser-3.18.0}/tools/munge.rb +34 -6
  84. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0 → ruby_parser-3.18.0}/tools/ripper.rb +15 -10
  85. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.3 → sexp_processor-4.16.0}/History.rdoc +15 -0
  86. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.3 → sexp_processor-4.16.0}/Manifest.txt +0 -0
  87. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.3 → sexp_processor-4.16.0}/README.rdoc +0 -0
  88. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.3 → sexp_processor-4.16.0}/lib/composite_sexp_processor.rb +0 -0
  89. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.3 → sexp_processor-4.16.0}/lib/pt_testcase.rb +7 -2
  90. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.3 → sexp_processor-4.16.0}/lib/sexp.rb +19 -9
  91. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.3 → sexp_processor-4.16.0}/lib/sexp_matcher.rb +0 -0
  92. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.3 → sexp_processor-4.16.0}/lib/sexp_processor.rb +1 -1
  93. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.3 → sexp_processor-4.16.0}/lib/strict_sexp.rb +25 -3
  94. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.3 → sexp_processor-4.16.0}/lib/unique.rb +0 -0
  95. data/bundle/ruby/2.7.0/gems/{unicode-display_width-1.7.0 → unicode-display_width-1.8.0}/CHANGELOG.md +4 -0
  96. data/bundle/ruby/2.7.0/gems/{unicode-display_width-1.7.0 → unicode-display_width-1.8.0}/MIT-LICENSE.txt +0 -0
  97. data/bundle/ruby/2.7.0/gems/{unicode-display_width-1.7.0 → unicode-display_width-1.8.0}/README.md +1 -1
  98. data/bundle/ruby/2.7.0/gems/unicode-display_width-1.8.0/data/display_width.marshal.gz +0 -0
  99. data/bundle/ruby/2.7.0/gems/{unicode-display_width-1.7.0 → unicode-display_width-1.8.0}/lib/unicode/display_width/constants.rb +2 -2
  100. data/bundle/ruby/2.7.0/gems/{unicode-display_width-1.7.0 → unicode-display_width-1.8.0}/lib/unicode/display_width/index.rb +0 -0
  101. data/bundle/ruby/2.7.0/gems/{unicode-display_width-1.7.0 → unicode-display_width-1.8.0}/lib/unicode/display_width/no_string_ext.rb +0 -0
  102. data/bundle/ruby/2.7.0/gems/{unicode-display_width-1.7.0 → unicode-display_width-1.8.0}/lib/unicode/display_width/string_ext.rb +0 -0
  103. data/bundle/ruby/2.7.0/gems/{unicode-display_width-1.7.0 → unicode-display_width-1.8.0}/lib/unicode/display_width.rb +0 -0
  104. data/lib/brakeman/app_tree.rb +1 -1
  105. data/lib/brakeman/checks/check_execute.rb +10 -0
  106. data/lib/brakeman/checks/check_json_parsing.rb +1 -1
  107. data/lib/brakeman/checks/check_render.rb +15 -1
  108. data/lib/brakeman/checks/check_sql.rb +45 -8
  109. data/lib/brakeman/file_parser.rb +10 -2
  110. data/lib/brakeman/options.rb +6 -1
  111. data/lib/brakeman/processors/alias_processor.rb +41 -4
  112. data/lib/brakeman/processors/haml_template_processor.rb +9 -0
  113. data/lib/brakeman/processors/lib/call_conversion_helper.rb +2 -6
  114. data/lib/brakeman/processors/model_processor.rb +32 -0
  115. data/lib/brakeman/report/ignore/config.rb +1 -1
  116. data/lib/brakeman/report/report_csv.rb +1 -1
  117. data/lib/brakeman/report/report_sarif.rb +22 -3
  118. data/lib/brakeman/report/report_text.rb +1 -1
  119. data/lib/brakeman/rescanner.rb +1 -1
  120. data/lib/brakeman/scanner.rb +13 -13
  121. data/lib/brakeman/tracker/collection.rb +30 -2
  122. data/lib/brakeman/tracker/method_info.rb +41 -0
  123. data/lib/brakeman/util.rb +26 -18
  124. data/lib/brakeman/version.rb +1 -1
  125. data/lib/brakeman.rb +4 -2
  126. data/lib/ruby_parser/bm_sexp.rb +24 -0
  127. metadata +101 -98
  128. data/bundle/ruby/2.7.0/gems/parallel-1.20.1/lib/parallel/processor_count.rb +0 -42
  129. data/bundle/ruby/2.7.0/gems/parallel-1.20.1/lib/parallel/version.rb +0 -3
  130. data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/lib/rp_stringscanner.rb +0 -64
  131. data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/lib/ruby20_parser.rb +0 -7070
  132. data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/lib/ruby21_parser.rb +0 -7143
  133. data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/lib/ruby22_parser.rb +0 -7180
  134. data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/lib/ruby22_parser.y +0 -2638
  135. data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/lib/ruby23_parser.rb +0 -7194
  136. data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/lib/ruby23_parser.y +0 -2640
  137. data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/lib/ruby24_parser.rb +0 -7214
  138. data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/lib/ruby25_parser.rb +0 -7213
  139. data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/lib/ruby25_parser.y +0 -2648
  140. data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/lib/ruby26_parser.rb +0 -7235
  141. data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/lib/ruby27_parser.rb +0 -7310
  142. data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/lib/ruby30_parser.rb +0 -7310
  143. data/bundle/ruby/2.7.0/gems/unicode-display_width-1.7.0/data/display_width.marshal.gz +0 -0
@@ -208,6 +208,15 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
208
208
  return Sexp.new(:false).line(exp.line)
209
209
  end
210
210
 
211
+ # For the simplest case of `Foo.thing`
212
+ if node_type? target, :const and first_arg.nil?
213
+ if tracker and (klass = tracker.find_class(class_name(target.value)))
214
+ if return_value = klass.get_simple_method_return_value(:class, method)
215
+ return return_value.deep_clone(exp.line)
216
+ end
217
+ end
218
+ end
219
+
211
220
  #See if it is possible to simplify some basic cases
212
221
  #of addition/concatenation.
213
222
  case method
@@ -314,8 +323,14 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
314
323
  exp = hash_values(target)
315
324
  end
316
325
  when :values_at
317
- if hash? target
318
- exp = hash_values_at target, exp.args
326
+ if node_type? target, :hash
327
+ res = hash_values_at target, exp.args
328
+
329
+ # Only convert to array of values if _all_ keys
330
+ # are present in the hash.
331
+ unless res.any?(&:nil?)
332
+ exp = res
333
+ end
319
334
  end
320
335
  end
321
336
 
@@ -794,6 +809,18 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
794
809
  exp
795
810
  end
796
811
 
812
+ def hash_or_array_include_all_literals? exp
813
+ return unless call? exp and sexp? exp.target
814
+ target = exp.target
815
+
816
+ case target.node_type
817
+ when :hash
818
+ hash_include_all_literals? exp
819
+ else
820
+ array_include_all_literals? exp
821
+ end
822
+ end
823
+
797
824
  # Check if exp is a call to Array#include? on an array literal
798
825
  # that contains all literal values. For example:
799
826
  #
@@ -812,6 +839,16 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
812
839
  (all_literals? exp.target or dir_glob? exp.target)
813
840
  end
814
841
 
842
+ # Check if exp is a call to Hash#include? on a hash literal
843
+ # that contains all literal values. For example:
844
+ #
845
+ # {x: 1}.include? x
846
+ def hash_include_all_literals? exp
847
+ call? exp and
848
+ exp.method == :include? and
849
+ all_literals? exp.target, :hash
850
+ end
851
+
815
852
  #Sets @inside_if = true
816
853
  def process_if exp
817
854
  if @ignore_ifs.nil?
@@ -852,7 +889,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
852
889
  scope do
853
890
  @branch_env = env.current
854
891
  branch_index = 2 + i # s(:if, condition, then_branch, else_branch)
855
- if i == 0 and array_include_all_literals? condition
892
+ if i == 0 and hash_or_array_include_all_literals? condition
856
893
  # If the condition is ["a", "b"].include? x
857
894
  # set x to "a" inside the true branch
858
895
  var = condition.first_arg
@@ -860,7 +897,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
860
897
  env.current[var] = safe_literal(var.line)
861
898
  exp[branch_index] = process_if_branch branch
862
899
  env.current[var] = previous_value
863
- elsif i == 1 and array_include_all_literals? condition and early_return? branch
900
+ elsif i == 1 and hash_or_array_include_all_literals? condition and early_return? branch
864
901
  var = condition.first_arg
865
902
  env.current[var] = safe_literal(var.line)
866
903
  exp[branch_index] = process_if_branch branch
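Review bot: `hash_include_all_literals?` (hunk at `def hash_include_all_literals? exp`) only recognises `include?`, so the equivalent Hash guards `key?`, `has_key?` and `member?` still leave the variable unconstrained in the true branch and the new dispatch in `process_if` never fires for them; `exp.method == :include?` could become `[:include?, :key?, :has_key?, :member?].include?(exp.method)`, with `array_include_all_literals?` accepting `:member?` the same way if the two are kept in step. The helper also requires every value of the hash literal to be a literal although Hash#include? only tests keys; that is conservative and fine, but deserves a comment such as `# all_literals? also checks the values; stricter than Hash#include? needs, but keeps the guard conservative`. The new block commented `# For the simplest case` sits in a method whose start and end are outside this diff, and its three nested `if`s joined with `and` plus an assignment inside a condition would read more plainly as guard clauses using `&&`.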
@@ -8,6 +8,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
8
8
  HAML_HELPERS2 = s(:colon2, s(:colon3, :Haml), :Helpers)
9
9
  JAVASCRIPT_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Javascript)
10
10
  COFFEE_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Coffee)
11
+ ATTRIBUTE_BUILDER = s(:colon2, s(:colon3, :Haml), :AttributeBuilder)
11
12
 
12
13
  def initialize *args
13
14
  super
@@ -133,6 +134,8 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
133
134
 
134
135
  get_pushed_value(exp.first_arg, default)
135
136
  @javascript = false
137
+ elsif haml_attribute_builder? exp
138
+ ignore # probably safe... seems escaped by default?
136
139
  else
137
140
  add_output exp, default
138
141
  end
@@ -154,6 +157,12 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
154
157
  exp.method == :attributes
155
158
  end
156
159
 
160
+ def haml_attribute_builder? exp
161
+ call? exp and
162
+ exp.target == ATTRIBUTE_BUILDER and
163
+ exp.method == :build
164
+ end
165
+
157
166
  def fix_textareas? exp
158
167
  call? exp and
159
168
  exp.target == HAMLOUT and
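Review bot: The new `elsif haml_attribute_builder? exp` branch removes the whole `::Haml::AttributeBuilder.build` call from output tracking with `ignore`, and the inline comment (`# probably safe... seems escaped by default?`) records that the escaping was not confirmed. Haml's attribute escaping is governed by its `escape_attrs` option, so this is a false negative for templates rendered with that option disabled; at minimum the comment should state the assumption instead of asking a question, e.g. `# Attribute values built here are escaped by Haml when escape_attrs is enabled (the default); templates compiled with escape_attrs disabled are not covered.` `haml_attribute_builder?` compares the target with `==` against the `::Haml::AttributeBuilder` sexp (colon3), so a non-absolute `Haml::AttributeBuilder` reference would not match and would fall through to `add_output` — the fail-safe direction, which is worth a one-line comment on the predicate so nobody "fixes" it later.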
@@ -1,11 +1,5 @@
1
1
  module Brakeman
2
2
  module CallConversionHelper
3
- def all_literals? exp, expected_type = :array
4
- node_type? exp, expected_type and
5
- exp.length > 1 and
6
- exp.all? { |e| e.is_a? Symbol or node_type? e, :lit, :str }
7
- end
8
-
9
3
  # Join two array literals into one.
10
4
  def join_arrays lhs, rhs, original_exp = nil
11
5
  if array? lhs and array? rhs
@@ -95,6 +89,8 @@ module Brakeman
95
89
  end
96
90
  end
97
91
 
92
+ # You must check the return value for `nil`s -
93
+ # which indicate a key could not be found.
98
94
  def hash_values_at hash, keys
99
95
  values = keys.map do |key|
100
96
  process_hash_access hash, key
@@ -73,6 +73,8 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
73
73
  @current_class.set_attr_accessible exp
74
74
  when :attr_protected
75
75
  @current_class.set_attr_protected exp
76
+ when :enum
77
+ add_enum_method exp
76
78
  else
77
79
  if @current_class
78
80
  @current_class.add_option method, exp
@@ -87,4 +89,34 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
87
89
  call
88
90
  end
89
91
  end
92
+
93
+ def add_enum_method call
94
+ arg = call.first_arg
95
+ return unless hash? arg
96
+ return unless symbol? arg[1]
97
+
98
+ enum_name = arg[1].value # first key
99
+ enums = arg[2] # first value
100
+ enums_name = pluralize(enum_name.to_s).to_sym
101
+
102
+ call_line = call.line
103
+
104
+ if hash? enums
105
+ enum_values = enums
106
+ elsif array? enums
107
+ # Build hash for enum values like Rails does
108
+ enum_values = s(:hash).line(call_line)
109
+
110
+ enums.each_sexp.with_index do |v, index|
111
+ enum_values << v
112
+ enum_values << s(:lit, index).line(call_line)
113
+ end
114
+ end
115
+
116
+ enum_method = s(:defn, enum_name, s(:args), safe_literal(call_line))
117
+ enums_method = s(:defs, s(:self), enums_name, s(:args), enum_values)
118
+
119
+ @current_class.add_method :public, enum_name, enum_method, @current_file
120
+ @current_class.add_method :public, enums_name, enums_method, @current_file
121
+ end
90
122
  end
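Review bot: `add_enum_method` models only the first key/value pair of the hash, so `enum status: [...], role: [...]` in one call registers `status`/`statuses` and silently drops `role`, and when the value is neither a hash nor an array literal (for example a constant) `enum_values` is nil yet a `:defs` with a nil body is still added to the class. Iterating over the pairs, skipping Rails' underscore-prefixed options (`_prefix`, `_suffix`, `_default`, `_scopes`) and returning early when the values cannot be modelled avoids both; the rewrite below keeps the array-to-hash construction as it is. The new `:defn`/`:defs` sexps also never receive `.line(call_line)`, unlike the `s(:hash)` built beside them. Rails 7's positional form `enum :status, [...]` is not a hash first argument and stays unsupported, which the `return unless hash? arg` line should say.
```ruby
def add_enum_method call
  arg = call.first_arg
  return unless hash? arg # positional form `enum :name, values` is not modelled

  # Each key/value pair is one enum; keys starting with an underscore are
  # Rails options (_prefix, _suffix, _default, _scopes), not enums.
  1.step(arg.length - 1, 2) do |i|
    key, enums = arg[i], arg[i + 1]
    next unless symbol? key
    next if key.value.to_s.start_with?('_')

    add_single_enum key.value, enums, call.line
  end
end

def add_single_enum enum_name, enums, call_line
  if hash? enums
    enum_values = enums
  elsif array? enums
    # … unchanged: build hash of value => index like Rails does …
  else
    return # not a literal we can model (e.g. a constant reference)
  end

  enums_name = pluralize(enum_name.to_s).to_sym
  enum_method = s(:defn, enum_name, s(:args), safe_literal(call_line)).line(call_line)
  enums_method = s(:defs, s(:self), enums_name, s(:args), enum_values).line(call_line)

  @current_class.add_method :public, enum_name, enum_method, @current_file
  @current_class.add_method :public, enums_name, enums_method, @current_file
end
```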
@@ -126,7 +126,7 @@ module Brakeman
126
126
 
127
127
  w[:note] = @notes[w[:fingerprint]] || ""
128
128
  w
129
- end.sort_by { |w| [w[:fingerprint], w[:line]] }
129
+ end.sort_by { |w| [w[:fingerprint], w[:line] || 0] }
130
130
 
131
131
  output = {
132
132
  :ignored_warnings => warnings,
@@ -17,7 +17,7 @@ class Brakeman::Report::CSV < Brakeman::Report::Base
17
17
  ]
18
18
 
19
19
  rows = tracker.filtered_warnings.sort_by do |w|
20
- [w.confidence, w.warning_type, w.file, w.line, w.fingerprint]
20
+ [w.confidence, w.warning_type, w.file, w.line || 0, w.fingerprint]
21
21
  end.map do |warning|
22
22
  generate_row(headers, warning)
23
23
  end
@@ -48,7 +48,7 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
48
48
  end
49
49
 
50
50
  def results
51
- @results ||= all_warnings.map do |warning|
51
+ @results ||= tracker.checks.all_warnings.map do |warning|
52
52
  rule_id = render_id warning
53
53
  result_level = infer_level warning
54
54
  message_text = render_message warning.message.to_s
@@ -72,11 +72,28 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
72
72
  ],
73
73
  }
74
74
 
75
+ if @ignore_filter && @ignore_filter.ignored?(warning)
76
+ result[:suppressions] = [
77
+ {
78
+ :kind => 'external',
79
+ :justification => @ignore_filter.note_for(warning),
80
+ :location => {
81
+ :physicalLocation => {
82
+ :artifactLocation => {
83
+ :uri => Brakeman::FilePath.from_app_tree(@app_tree, @ignore_filter.file).relative,
84
+ :uriBaseId => '%SRCROOT%',
85
+ },
86
+ },
87
+ },
88
+ }
89
+ ]
90
+ end
91
+
75
92
  result
76
93
  end
77
94
  end
78
95
 
79
- # Returns a hash of all check descriptions, keyed by check namne
96
+ # Returns a hash of all check descriptions, keyed by check name
80
97
  def check_descriptions
81
98
  @check_descriptions ||= Brakeman::Checks.checks.map do |check|
82
99
  [check.name.gsub(/^Check/, ''), check.description]
@@ -85,7 +102,7 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
85
102
 
86
103
  # Returns a de-duplicated set of warnings, used to generate rules
87
104
  def unique_warnings_by_warning_code
88
- @unique_warnings_by_warning_code ||= all_warnings.uniq { |w| w.warning_code }
105
+ @unique_warnings_by_warning_code ||= tracker.checks.all_warnings.uniq { |w| w.warning_code }
89
106
  end
90
107
 
91
108
  def render_id warning
@@ -94,6 +111,8 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
94
111
  end
95
112
 
96
113
  def render_message message
114
+ return message if message.nil?
115
+
97
116
  # Ensure message ends with a period
98
117
  if message.end_with? "."
99
118
  message
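Review bot: In the suppression added to `results`, `:justification` is taken straight from `@ignore_filter.note_for(warning)`; if that can return nil for an entry without a note (the ignore-config change in this same diff defaults `w[:note]` to `""`, so it may already be covered — confirm), the SARIF `justification` property would be emitted as null instead of a string, and `:justification => @ignore_filter.note_for(warning).to_s` keeps it a string either way. `@ignore_filter && @ignore_filter.ignored?(warning)` reads as `@ignore_filter&.ignored?(warning)`. Because `results` and `unique_warnings_by_warning_code` now read `tracker.checks.all_warnings`, ignored findings appear in the report carrying a suppression instead of being omitted; that is the shape SARIF intends but is a visible change for consumers of the old output, so the method comment should say `# Ignored warnings are emitted as results with a suppression rather than dropped.`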
@@ -92,7 +92,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
92
92
  HighLine.color("No warnings found", :bold, :green)
93
93
  else
94
94
  warnings = tracker.filtered_warnings.sort_by do |w|
95
- [w.confidence, w.warning_type, w.file, w.line, w.fingerprint]
95
+ [w.confidence, w.warning_type, w.file, w.line || 0, w.fingerprint]
96
96
  end.map do |w|
97
97
  output_warning w
98
98
  end
@@ -391,7 +391,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
391
391
 
392
392
  def parse_ruby_files list
393
393
  paths = list.select(&:exists?)
394
- file_parser = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
394
+ file_parser = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout], tracker.options[:parallel_checks])
395
395
  file_parser.parse_files paths
396
396
  tracker.add_errors(file_parser.errors)
397
397
  file_parser.file_list
@@ -40,38 +40,38 @@ class Brakeman::Scanner
40
40
 
41
41
  #Process everything in the Rails application
42
42
  def process
43
- Brakeman.notify "Processing gems..."
43
+ Brakeman.notify "Processing gems... "
44
44
  process_gems
45
45
  guess_rails_version
46
- Brakeman.notify "Processing configuration..."
46
+ Brakeman.notify "Processing configuration... "
47
47
  process_config
48
- Brakeman.notify "Parsing files..."
48
+ Brakeman.notify "Parsing files... "
49
49
  parse_files
50
- Brakeman.notify "Detecting file types..."
50
+ Brakeman.notify "Detecting file types... "
51
51
  detect_file_types
52
- Brakeman.notify "Processing initializers..."
52
+ Brakeman.notify "Processing initializers... "
53
53
  process_initializers
54
- Brakeman.notify "Processing libs..."
54
+ Brakeman.notify "Processing libs... "
55
55
  process_libs
56
- Brakeman.notify "Processing routes... "
56
+ Brakeman.notify "Processing routes... "
57
57
  process_routes
58
- Brakeman.notify "Processing templates... "
58
+ Brakeman.notify "Processing templates... "
59
59
  process_templates
60
- Brakeman.notify "Processing data flow in templates..."
60
+ Brakeman.notify "Processing data flow in templates... "
61
61
  process_template_data_flows
62
- Brakeman.notify "Processing models... "
62
+ Brakeman.notify "Processing models... "
63
63
  process_models
64
- Brakeman.notify "Processing controllers... "
64
+ Brakeman.notify "Processing controllers... "
65
65
  process_controllers
66
66
  Brakeman.notify "Processing data flow in controllers..."
67
67
  process_controller_data_flows
68
- Brakeman.notify "Indexing call sites... "
68
+ Brakeman.notify "Indexing call sites... "
69
69
  index_call_sites
70
70
  tracker
71
71
  end
72
72
 
73
73
  def parse_files
74
- fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
74
+ fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout], tracker.options[:parallel_checks])
75
75
 
76
76
  fp.parse_files tracker.app_tree.ruby_file_paths
77
77
 
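Review bot: The trailing space added to the progress messages in `process` was not applied to `Brakeman.notify "Processing data flow in controllers..."`, so that one line still prints without the separator every neighbouring message now has; `Brakeman.notify "Processing data flow in controllers... "` keeps the set consistent. The third positional argument to `Brakeman::FileParser.new` (`tracker.options[:parallel_checks]`) is added here and in `Rescanner#parse_ruby_files`; the matching constructor change is in file_parser.rb, outside this view, so whether older two-argument callers keep working cannot be confirmed from here.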
@@ -15,6 +15,7 @@ module Brakeman
15
15
  @includes = []
16
16
  @methods = { :public => {}, :private => {}, :protected => {} }
17
17
  @class_methods = {}
18
+ @simple_methods = { :class => {}, instance: {} }
18
19
  @options = {}
19
20
  @tracker = tracker
20
21
 
@@ -24,7 +25,7 @@ module Brakeman
24
25
  def ancestor? parent, seen={}
25
26
  seen[self.name] = true
26
27
 
27
- if self.parent == parent or seen[self.parent]
28
+ if self.parent == parent or self.name == parent or seen[self.parent]
28
29
  true
29
30
  elsif parent_model = collection[self.parent]
30
31
  parent_model.ancestor? parent, seen
@@ -39,7 +40,7 @@ module Brakeman
39
40
  end
40
41
 
41
42
  def add_include class_name
42
- @includes << class_name
43
+ @includes << class_name unless ancestor?(class_name)
43
44
  end
44
45
 
45
46
  def add_option name, exp
@@ -49,6 +50,7 @@ module Brakeman
49
50
 
50
51
  def add_method visibility, name, src, file_name
51
52
  meth_info = Brakeman::MethodInfo.new(name, src, self, file_name)
53
+ add_simple_method_maybe meth_info
52
54
 
53
55
  if src.node_type == :defs
54
56
  @class_methods[name] = meth_info
@@ -112,5 +114,31 @@ module Brakeman
112
114
  def methods_public
113
115
  @methods[:public]
114
116
  end
117
+
118
+ def get_simple_method_return_value type, name
119
+ @simple_methods[type][name]
120
+ end
121
+
122
+ private
123
+
124
+ def add_simple_method_maybe meth_info
125
+ if meth_info.very_simple_method?
126
+ add_simple_method meth_info
127
+ end
128
+ end
129
+
130
+ def add_simple_method meth_info
131
+ name = meth_info.name
132
+ value = meth_info.return_value
133
+
134
+ case meth_info.src.node_type
135
+ when :defn
136
+ @simple_methods[:instance][name] = value
137
+ when :defs
138
+ @simple_methods[:class][name] = value
139
+ else
140
+ raise "Expected sexp type: #{src.node_type}"
141
+ end
142
+ end
115
143
  end
116
144
  end
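Review bot: In `add_simple_method` the `else` branch raises with `#{src.node_type}`, but `src` is not defined in that scope (the method receives `meth_info`), so an unexpected node type would surface as a NameError rather than the intended message; it should read `raise "Expected sexp type: #{meth_info.src.node_type}"`. `add_simple_method_maybe` only ever adds: if a method is first defined with a literal body and later reopened with a non-literal one, the stale entry in `@simple_methods` keeps being inlined by the alias processor, so the non-simple case should remove the name from the matching table (`@simple_methods[type].delete(meth_info.name)` for the `:defn`/`:defs` type). The new `@simple_methods = { :class => {}, instance: {} }` mixes hash-rocket and label syntax in one literal while the neighbouring lines use `:key =>` throughout.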
@@ -19,11 +19,52 @@ module Brakeman
19
19
  else
20
20
  raise "Expected sexp type: #{src.node_type}"
21
21
  end
22
+
23
+ @simple_method = nil
22
24
  end
23
25
 
24
26
  # To support legacy code that expected a Hash
25
27
  def [] attr
26
28
  self.send(attr)
27
29
  end
30
+
31
+ def very_simple_method?
32
+ return @simple_method == :very unless @simple_method.nil?
33
+
34
+ # Very simple methods have one (simple) expression in the body and
35
+ # no arguments
36
+ if src.formal_args.length == 1 # no args
37
+ if src.method_length == 1 # Single expression in body
38
+ value = first_body # First expression in body
39
+
40
+ if simple_literal? value or
41
+ (array? value and all_literals? value) or
42
+ (hash? value and all_literals? value, :hash)
43
+
44
+ @return_value = value
45
+ @simple_method = :very
46
+ end
47
+ end
48
+ end
49
+
50
+ @simple_method ||= false
51
+ end
52
+
53
+ def return_value env = nil
54
+ if very_simple_method?
55
+ return @return_value
56
+ else
57
+ nil
58
+ end
59
+ end
60
+
61
+ def first_body
62
+ case @type
63
+ when :class
64
+ src[4]
65
+ when :instance
66
+ src[3]
67
+ end
68
+ end
28
69
  end
29
70
  end
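Review bot: `very_simple_method?` returns `true`/`false` from its memoised first line but `:very` or `false` from the fall-through `@simple_method ||= false`, so a `?` predicate yields a Symbol on its first call; finishing with an explicit comparison keeps the return type boolean. `return_value env = nil` declares an `env` parameter it never reads — `_env` if it is kept for interface parity. The nested ifs flatten into guard clauses as below with behaviour otherwise unchanged. `first_body` relies on `@type` being assigned earlier in `initialize`, which is outside this hunk.
```ruby
def very_simple_method?
  return @simple_method == :very unless @simple_method.nil?

  @simple_method = false

  # Very simple methods have one (simple) expression in the body and
  # no arguments
  return false unless src.formal_args.length == 1 # no args
  return false unless src.method_length == 1 # Single expression in body

  value = first_body # First expression in body

  if simple_literal? value or
    (array? value and all_literals? value) or
    (hash? value and all_literals? value, :hash)

    @return_value = value
    @simple_method = :very
  end

  @simple_method == :very
end

def return_value _env = nil
  very_simple_method? ? @return_value : nil
end
```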
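--- a/data/lib/brakeman/util.rb
+++ b/data/lib/brakeman/util.rb
@@ -50,7 +50,11 @@ module Brakeman::Util
 
  # stupid simple, used to delegate to ActiveSupport
  def pluralize word
- word + "s"
+ if word.end_with? 's'
+ word + 'es'
+ else
+ word + 's'
+ end
  end
 
  #Returns a class name as a Symbol.
@@ -238,30 +242,22 @@ module Brakeman::Util
 
  #Check if _exp_ is a params hash
  def params? exp
- if exp.is_a? Sexp
- return true if exp.node_type == :params or ALL_PARAMETERS.include? exp
-
- if call? exp
- if params? exp[1]
- return true
- elsif exp[2] == :[]
- return params? exp[1]
- end
- end
- end
-
- false
+ recurse_check?(exp) { |child| child.node_type == :params or ALL_PARAMETERS.include? child }
  end
 
  def cookies? exp
+ recurse_check?(exp) { |child| child.node_type == :cookies or ALL_COOKIES.include? child }
+ end
+
+ def recurse_check? exp, &check
  if exp.is_a? Sexp
- return true if exp.node_type == :cookies or ALL_COOKIES.include? exp
+ return true if yield(exp)
 
  if call? exp
- if cookies? exp[1]
+ if recurse_check? exp[1], &check
  return true
  elsif exp[2] == :[]
- return cookies? exp[1]
+ return recurse_check? exp[1], &check
  end
  end
  end
@@ -301,12 +297,24 @@ module Brakeman::Util
  exp.is_a? Sexp and types.include? exp.node_type
  end
 
- LITERALS = [:lit, :false, :str, :true, :array, :hash]
+ SIMPLE_LITERALS = [:lit, :false, :str, :true]
+
+ def simple_literal? exp
+ exp.is_a? Sexp and SIMPLE_LITERALS.include? exp.node_type
+ end
+
+ LITERALS = [*SIMPLE_LITERALS, :array, :hash]
 
  def literal? exp
  exp.is_a? Sexp and LITERALS.include? exp.node_type
  end
 
+ def all_literals? exp, expected_type = :array
+ node_type? exp, expected_type and
+ exp.length > 1 and
+ exp.all? { |e| e.is_a? Symbol or node_type? e, :lit, :str }
+ end
+
  DIR_CONST = s(:const, :Dir)
 
  # Dir.glob(...).whatever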
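Review bot: `pluralize` now handles the `-s` → `-es` case, but as the name source for the enum class methods added in model_processor.rb it still yields `categorys` for `enum category: [...]`, where Rails defines `categories`, so that plural method is registered under a name no call will ever match. Adding the consonant-`y` rule ahead of the `s` branch covers the next most common case, `if word.match?(/[^aeiouy]y\z/) then word.sub(/y\z/, 'ies')`, and `x`, `z`, `ch` and `sh` endings take `es` just as `s` does. The comment `# stupid simple, used to delegate to ActiveSupport` would serve better as `# Minimal stand-in for ActiveSupport's pluralize; regular nouns only`. `recurse_check?` preserves the former params?/cookies? logic line for line, but the method's closing lines (and its final `false`, if it has one) are outside this hunk.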
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "5.0.2"
2
+ Version = "5.1.2"
3
3
  end
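--- a/data/lib/brakeman.rb
+++ b/data/lib/brakeman.rb
@@ -65,6 +65,7 @@ module Brakeman
  # * :report_routes - show found routes on controllers (default: false)
  # * :run_checks - array of checks to run (run all if not specified)
  # * :safe_methods - array of methods to consider safe
+ # * :sql_safe_methods - array of sql sanitization methods to consider safe
  # * :skip_libs - do not process lib/ directory (default: false)
  # * :skip_vendor - do not process vendor/ directory (default: true)
  # * :skip_checks - checks not to run (run all if not specified)
@@ -198,6 +199,7 @@ module Brakeman
  :relative_path => false,
  :report_progress => true,
  :safe_methods => Set.new,
+ :sql_safe_methods => Set.new,
  :skip_checks => Set.new,
  :skip_vendor => true,
  }
@@ -392,7 +394,7 @@ module Brakeman
  if options[:parallel_checks]
  notify "Running checks in parallel..."
  else
- notify "Runnning checks..."
+ notify "Running checks..."
  end
 
  tracker.run_checks
@@ -477,7 +479,7 @@ module Brakeman
  $stderr.puts message if @debug
  end
 
- # Compare JSON ouptut from a previous scan and return the diff of the two scans
+ # Compare JSON output from a previous scan and return the diff of the two scans
  def self.compare options
  require 'json'
  require 'brakeman/differ'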
@@ -543,6 +543,20 @@ class Sexp
543
543
  self.body.unshift :rlist
544
544
  end
545
545
 
546
+ # Number of "statements" in a method.
547
+ # This is more efficient than `Sexp#body.length`
548
+ # because `Sexp#body` creates a new Sexp.
549
+ def method_length
550
+ expect :defn, :defs
551
+
552
+ case self.node_type
553
+ when :defn
554
+ self.length - 3
555
+ when :defs
556
+ self.length - 4
557
+ end
558
+ end
559
+
546
560
  def render_type
547
561
  expect :render
548
562
  self[1]
@@ -628,4 +642,14 @@ end
628
642
  RUBY
629
643
  end
630
644
 
645
+ class String
646
+ ##
647
+ # This is a hack used by the lexer to sneak in line numbers at the
648
+ # identifier level. This should be MUCH smaller than making
649
+ # process_token return [value, lineno] and modifying EVERYTHING that
650
+ # reduces tIDENTIFIER.
651
+
652
+ attr_accessor :lineno
653
+ end
654
+
631
655
  class WrongSexpError < RuntimeError; end
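Review bot: The new `class String` reopening with `attr_accessor :lineno` adds an accessor to every String in the process; its comment explains what the hack is for but not why it now lives in this file, which a maintainer would need before removing or scoping it. Given that the bundled ruby_parser's `rp_extensions.rb` shrinks in the same diff, this looks like Brakeman taking over an accessor the gem used to provide — confirm, and record it above the class, e.g. `# Previously provided by ruby_parser's rp_extensions.rb; kept here so line tracking keeps working with the bundled parser version.` `method_length` is well documented; its `case` has no `else` because `expect :defn, :defs` already rejects anything else, which one word in the comment (`# expect guarantees :defn or :defs`) would make explicit.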