brakeman 5.0.2 → 5.1.2

data/lib/brakeman/processors/alias_processor.rb

@@ -208,6 +208,15 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       return Sexp.new(:false).line(exp.line)
     end
 
+    # For the simplest case of `Foo.thing`
+    if node_type? target, :const and first_arg.nil?
+      if tracker and (klass = tracker.find_class(class_name(target.value)))
+        if return_value = klass.get_simple_method_return_value(:class, method)
+          return return_value.deep_clone(exp.line)
+        end
+      end
+    end
+
     #See if it is possible to simplify some basic cases
     #of addition/concatenation.
     case method
@@ -314,8 +323,14 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         exp = hash_values(target)
       end
     when :values_at
-      if hash? target
-        exp = hash_values_at target, exp.args
+      if node_type? target, :hash
+        res = hash_values_at target, exp.args
+
+        # Only convert to array of values if _all_ keys
+        # are present in the hash.
+        unless res.any?(&:nil?)
+          exp = res
+        end
       end
     end
 
@@ -794,6 +809,18 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     exp
   end
 
+  def hash_or_array_include_all_literals? exp
+    return unless call? exp and sexp? exp.target
+    target = exp.target
+
+    case target.node_type
+    when :hash
+      hash_include_all_literals? exp
+    else
+      array_include_all_literals? exp
+    end
+  end
+
   # Check if exp is a call to Array#include? on an array literal
   # that contains all literal values. For example:
   #
@@ -812,6 +839,16 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     (all_literals? exp.target or dir_glob? exp.target)
   end
 
+  # Check if exp is a call to Hash#include? on a hash literal
+  # that contains all literal values. For example:
+  #
+  #    {x: 1}.include? x
+  def hash_include_all_literals? exp
+    call? exp and
+    exp.method == :include? and
+    all_literals? exp.target, :hash
+  end
+
   #Sets @inside_if = true
   def process_if exp
     if @ignore_ifs.nil?
@@ -852,7 +889,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         scope do
           @branch_env = env.current
           branch_index = 2 + i # s(:if, condition, then_branch, else_branch)
-          if i == 0 and array_include_all_literals? condition
+          if i == 0 and hash_or_array_include_all_literals? condition
             # If the condition is ["a", "b"].include? x
             # set x to "a" inside the true branch
             var = condition.first_arg
@@ -860,7 +897,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
             env.current[var] = safe_literal(var.line)
             exp[branch_index] = process_if_branch branch
             env.current[var] = previous_value
-          elsif i == 1 and array_include_all_literals? condition and early_return? branch
+          elsif i == 1 and hash_or_array_include_all_literals? condition and early_return? branch
             var = condition.first_arg
             env.current[var] = safe_literal(var.line)
             exp[branch_index] = process_if_branch branch

data/lib/brakeman/processors/haml_template_processor.rb

@@ -8,6 +8,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
   HAML_HELPERS2 = s(:colon2, s(:colon3, :Haml), :Helpers)
   JAVASCRIPT_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Javascript)
   COFFEE_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Coffee)
+  ATTRIBUTE_BUILDER = s(:colon2, s(:colon3, :Haml), :AttributeBuilder)
 
   def initialize *args
     super
@@ -133,6 +134,8 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
 
         get_pushed_value(exp.first_arg, default)
         @javascript = false
+      elsif haml_attribute_builder? exp
+        ignore # probably safe... seems escaped by default?
       else
         add_output exp, default
       end
@@ -154,6 +157,12 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
       exp.method == :attributes
   end
 
+  def haml_attribute_builder? exp
+    call? exp and
+      exp.target == ATTRIBUTE_BUILDER and
+      exp.method == :build
+  end
+
   def fix_textareas? exp
     call? exp and
       exp.target == HAMLOUT and

data/lib/brakeman/processors/lib/call_conversion_helper.rb

@@ -1,11 +1,5 @@
 module Brakeman
   module CallConversionHelper
-    def all_literals? exp, expected_type = :array
-      node_type? exp, expected_type and
-        exp.length > 1 and
-        exp.all? { |e| e.is_a? Symbol or node_type? e, :lit, :str }
-    end
-
     # Join two array literals into one.
     def join_arrays lhs, rhs, original_exp = nil
       if array? lhs and array? rhs
@@ -95,6 +89,8 @@ module Brakeman
       end
     end
 
+    # You must check the return value for `nil`s -
+    # which indicate a key could not be found.
     def hash_values_at hash, keys
       values = keys.map do |key|
         process_hash_access hash, key

data/lib/brakeman/processors/model_processor.rb

@@ -73,6 +73,8 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
           @current_class.set_attr_accessible exp
         when :attr_protected
           @current_class.set_attr_protected exp
+        when :enum
+          add_enum_method exp
         else
           if @current_class
             @current_class.add_option method, exp
@@ -87,4 +89,34 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
       call
     end
   end
+
+  def add_enum_method call
+    arg = call.first_arg
+    return unless hash? arg
+    return unless symbol? arg[1]
+
+    enum_name = arg[1].value # first key
+    enums = arg[2] # first value
+    enums_name = pluralize(enum_name.to_s).to_sym
+
+    call_line = call.line
+
+    if hash? enums
+      enum_values = enums
+    elsif array? enums
+      # Build hash for enum values like Rails does
+      enum_values = s(:hash).line(call_line)
+
+      enums.each_sexp.with_index do |v, index|
+        enum_values << v
+        enum_values << s(:lit, index).line(call_line)
+      end
+    end
+
+    enum_method = s(:defn, enum_name, s(:args), safe_literal(call_line))
+    enums_method = s(:defs, s(:self), enums_name, s(:args), enum_values)
+
+    @current_class.add_method :public, enum_name, enum_method, @current_file
+    @current_class.add_method :public, enums_name, enums_method, @current_file
+  end
 end

data/lib/brakeman/report/ignore/config.rb

@@ -126,7 +126,7 @@ module Brakeman
 
         w[:note] = @notes[w[:fingerprint]] || ""
         w
-      end.sort_by { |w| [w[:fingerprint], w[:line]] }
+      end.sort_by { |w| [w[:fingerprint], w[:line] || 0] }
 
       output = {
         :ignored_warnings => warnings,

data/lib/brakeman/report/report_csv.rb

@@ -17,7 +17,7 @@ class Brakeman::Report::CSV < Brakeman::Report::Base
     ]
 
     rows = tracker.filtered_warnings.sort_by do |w|
-      [w.confidence, w.warning_type, w.file, w.line, w.fingerprint]
+      [w.confidence, w.warning_type, w.file, w.line || 0, w.fingerprint]
     end.map do |warning|
       generate_row(headers, warning)
     end

data/lib/brakeman/report/report_sarif.rb

@@ -48,7 +48,7 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
   end
 
   def results
-    @results ||= all_warnings.map do |warning|
+    @results ||= tracker.checks.all_warnings.map do |warning|
       rule_id = render_id warning
       result_level = infer_level warning
       message_text = render_message warning.message.to_s
@@ -72,11 +72,28 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
         ],
       }
 
+      if @ignore_filter && @ignore_filter.ignored?(warning)
+        result[:suppressions] = [
+          {
+            :kind => 'external',
+            :justification => @ignore_filter.note_for(warning),
+            :location => {
+              :physicalLocation => {
+                :artifactLocation => {
+                  :uri => Brakeman::FilePath.from_app_tree(@app_tree, @ignore_filter.file).relative,
+                  :uriBaseId => '%SRCROOT%',
+                },
+              },
+            },
+          }
+        ]
+      end
+
       result
     end
   end
 
-  # Returns a hash of all check descriptions, keyed by check namne
+  # Returns a hash of all check descriptions, keyed by check name
   def check_descriptions
     @check_descriptions ||= Brakeman::Checks.checks.map do |check|
       [check.name.gsub(/^Check/, ''), check.description]
@@ -85,7 +102,7 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
 
   # Returns a de-duplicated set of warnings, used to generate rules
   def unique_warnings_by_warning_code
-    @unique_warnings_by_warning_code ||= all_warnings.uniq { |w| w.warning_code }
+    @unique_warnings_by_warning_code ||= tracker.checks.all_warnings.uniq { |w| w.warning_code }
   end
 
   def render_id warning
@@ -94,6 +111,8 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
   end
 
   def render_message message
+    return message if message.nil?
+
     # Ensure message ends with a period
     if message.end_with? "."
       message

data/lib/brakeman/report/report_text.rb

@@ -92,7 +92,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
       HighLine.color("No warnings found", :bold, :green)
     else
       warnings = tracker.filtered_warnings.sort_by do |w|
-        [w.confidence, w.warning_type, w.file, w.line, w.fingerprint]
+        [w.confidence, w.warning_type, w.file, w.line || 0, w.fingerprint]
       end.map do |w|
         output_warning w
       end

data/lib/brakeman/rescanner.rb

@@ -391,7 +391,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
 
   def parse_ruby_files list
     paths = list.select(&:exists?)
-    file_parser = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
+    file_parser = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout], tracker.options[:parallel_checks])
     file_parser.parse_files paths
     tracker.add_errors(file_parser.errors)
     file_parser.file_list

data/lib/brakeman/scanner.rb

@@ -40,38 +40,38 @@ class Brakeman::Scanner
 
   #Process everything in the Rails application
   def process
-    Brakeman.notify "Processing gems..."
+    Brakeman.notify "Processing gems...                    "
     process_gems
     guess_rails_version
-    Brakeman.notify "Processing configuration..."
+    Brakeman.notify "Processing configuration...           "
     process_config
-    Brakeman.notify "Parsing files..."
+    Brakeman.notify "Parsing files...                      "
     parse_files
-    Brakeman.notify "Detecting file types..."
+    Brakeman.notify "Detecting file types...               "
     detect_file_types
-    Brakeman.notify "Processing initializers..."
+    Brakeman.notify "Processing initializers...            "
     process_initializers
-    Brakeman.notify "Processing libs..."
+    Brakeman.notify "Processing libs...                    "
     process_libs
-    Brakeman.notify "Processing routes...          "
+    Brakeman.notify "Processing routes...                  "
     process_routes
-    Brakeman.notify "Processing templates...       "
+    Brakeman.notify "Processing templates...               "
     process_templates
-    Brakeman.notify "Processing data flow in templates..."
+    Brakeman.notify "Processing data flow in templates...  "
     process_template_data_flows
-    Brakeman.notify "Processing models...          "
+    Brakeman.notify "Processing models...                  "
     process_models
-    Brakeman.notify "Processing controllers...     "
+    Brakeman.notify "Processing controllers...             "
     process_controllers
     Brakeman.notify "Processing data flow in controllers..."
     process_controller_data_flows
-    Brakeman.notify "Indexing call sites...        "
+    Brakeman.notify "Indexing call sites...                "
     index_call_sites
     tracker
   end
 
   def parse_files
-    fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
+    fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout], tracker.options[:parallel_checks])
 
     fp.parse_files tracker.app_tree.ruby_file_paths
 

data/lib/brakeman/tracker/collection.rb

@@ -15,6 +15,7 @@ module Brakeman
       @includes = []
       @methods = { :public => {}, :private => {}, :protected => {} }
       @class_methods = {}
+      @simple_methods = { :class => {}, instance: {} }
       @options = {}
       @tracker = tracker
 
@@ -24,7 +25,7 @@ module Brakeman
     def ancestor? parent, seen={}
       seen[self.name] = true
 
-      if self.parent == parent or seen[self.parent]
+      if self.parent == parent or self.name == parent or seen[self.parent]
         true
       elsif parent_model = collection[self.parent]
         parent_model.ancestor? parent, seen
@@ -39,7 +40,7 @@ module Brakeman
     end
 
     def add_include class_name
-      @includes << class_name
+      @includes << class_name unless ancestor?(class_name)
     end
 
     def add_option name, exp
@@ -49,6 +50,7 @@ module Brakeman
 
     def add_method visibility, name, src, file_name
       meth_info = Brakeman::MethodInfo.new(name, src, self, file_name)
+      add_simple_method_maybe meth_info
 
       if src.node_type == :defs
         @class_methods[name] = meth_info
@@ -112,5 +114,31 @@ module Brakeman
     def methods_public
       @methods[:public]
     end
+
+    def get_simple_method_return_value type, name
+      @simple_methods[type][name]
+    end
+
+    private
+
+    def add_simple_method_maybe meth_info
+      if meth_info.very_simple_method?
+        add_simple_method meth_info
+      end
+    end
+
+    def add_simple_method meth_info
+      name = meth_info.name
+      value = meth_info.return_value
+
+      case meth_info.src.node_type
+      when :defn
+        @simple_methods[:instance][name] = value
+      when :defs
+        @simple_methods[:class][name] = value
+      else
+        raise "Expected sexp type: #{src.node_type}"
+      end
+    end
   end
 end

data/lib/brakeman/tracker/method_info.rb

@@ -19,11 +19,52 @@ module Brakeman
               else
                 raise "Expected sexp type: #{src.node_type}"
               end
+
+      @simple_method = nil
     end
 
     # To support legacy code that expected a Hash
     def [] attr
       self.send(attr)
     end
+
+    def very_simple_method?
+      return @simple_method == :very unless @simple_method.nil?
+
+      # Very simple methods have one (simple) expression in the body and
+      # no arguments
+      if src.formal_args.length == 1 # no args
+        if src.method_length == 1 # Single expression in body
+          value = first_body # First expression in body
+
+          if simple_literal? value or
+              (array? value and all_literals? value) or
+              (hash? value and all_literals? value, :hash)
+
+            @return_value = value
+            @simple_method = :very
+          end
+        end
+      end
+
+      @simple_method ||= false
+    end
+
+    def return_value env = nil
+      if very_simple_method?
+        return @return_value
+      else
+        nil
+      end
+    end
+
+    def first_body
+      case @type
+      when :class
+        src[4]
+      when :instance
+        src[3]
+      end
+    end
   end
 end

data/lib/brakeman/util.rb

@@ -50,7 +50,11 @@ module Brakeman::Util
 
   # stupid simple, used to delegate to ActiveSupport
   def pluralize word
-    word + "s"
+    if word.end_with? 's'
+      word + 'es'
+    else
+      word + 's'
+    end
   end
 
   #Returns a class name as a Symbol.
@@ -238,30 +242,22 @@ module Brakeman::Util
 
   #Check if _exp_ is a params hash
   def params? exp
-    if exp.is_a? Sexp
-      return true if exp.node_type == :params or ALL_PARAMETERS.include? exp
-
-      if call? exp
-        if params? exp[1]
-          return true
-        elsif exp[2] == :[]
-          return params? exp[1]
-        end
-      end
-    end
-
-    false
+    recurse_check?(exp) { |child| child.node_type == :params or ALL_PARAMETERS.include? child }
   end
 
   def cookies? exp
+    recurse_check?(exp) { |child| child.node_type == :cookies or ALL_COOKIES.include? child }
+  end
+
+  def recurse_check? exp, &check
     if exp.is_a? Sexp
-      return true if exp.node_type == :cookies or ALL_COOKIES.include? exp
+      return true if yield(exp)
 
       if call? exp
-        if cookies? exp[1]
+        if recurse_check? exp[1], &check
           return true
         elsif exp[2] == :[]
-          return cookies? exp[1]
+          return recurse_check? exp[1], &check
         end
       end
     end
@@ -301,12 +297,24 @@ module Brakeman::Util
     exp.is_a? Sexp and types.include? exp.node_type
   end
 
-  LITERALS = [:lit, :false, :str, :true, :array, :hash]
+  SIMPLE_LITERALS = [:lit, :false, :str, :true]
+
+  def simple_literal? exp
+    exp.is_a? Sexp and SIMPLE_LITERALS.include? exp.node_type
+  end
+
+  LITERALS = [*SIMPLE_LITERALS, :array, :hash]
 
   def literal? exp
     exp.is_a? Sexp and LITERALS.include? exp.node_type
   end
 
+  def all_literals? exp, expected_type = :array
+    node_type? exp, expected_type and
+      exp.length > 1 and
+      exp.all? { |e| e.is_a? Symbol or node_type? e, :lit, :str }
+  end
+
   DIR_CONST = s(:const, :Dir)
 
   # Dir.glob(...).whatever

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "5.0.2"
+  Version = "5.1.2"
 end

data/lib/brakeman.rb

@@ -65,6 +65,7 @@ module Brakeman
   #  * :report_routes - show found routes on controllers (default: false)
   #  * :run_checks - array of checks to run (run all if not specified)
   #  * :safe_methods - array of methods to consider safe
+  #  * :sql_safe_methods - array of sql sanitization methods to consider safe
   #  * :skip_libs - do not process lib/ directory (default: false)
   #  * :skip_vendor - do not process vendor/ directory (default: true)
   #  * :skip_checks - checks not to run (run all if not specified)
@@ -198,6 +199,7 @@ module Brakeman
       :relative_path => false,
       :report_progress => true,
       :safe_methods => Set.new,
+      :sql_safe_methods => Set.new,
       :skip_checks => Set.new,
       :skip_vendor => true,
     }
@@ -392,7 +394,7 @@ module Brakeman
     if options[:parallel_checks]
       notify "Running checks in parallel..."
     else
-      notify "Runnning checks..."
+      notify "Running checks..."
     end
 
     tracker.run_checks
@@ -477,7 +479,7 @@ module Brakeman
     $stderr.puts message if @debug
   end
 
-  # Compare JSON ouptut from a previous scan and return the diff of the two scans
+  # Compare JSON output from a previous scan and return the diff of the two scans
   def self.compare options
     require 'json'
     require 'brakeman/differ'

data/lib/ruby_parser/bm_sexp.rb

@@ -543,6 +543,20 @@ class Sexp
     self.body.unshift :rlist
   end
 
+  # Number of "statements" in a method.
+  # This is more efficient than `Sexp#body.length`
+  # because `Sexp#body` creates a new Sexp.
+  def method_length
+    expect :defn, :defs
+
+    case self.node_type
+    when :defn
+      self.length - 3
+    when :defs
+      self.length - 4
+    end
+  end
+
   def render_type
     expect :render
     self[1]
@@ -628,4 +642,14 @@ end
   RUBY
 end
 
+class String
+  ##
+  # This is a hack used by the lexer to sneak in line numbers at the
+  # identifier level. This should be MUCH smaller than making
+  # process_token return [value, lineno] and modifying EVERYTHING that
+  # reduces tIDENTIFIER.
+
+  attr_accessor :lineno
+end
+
 class WrongSexpError < RuntimeError; end