brakeman 5.0.2 → 5.1.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGES.md +46 -1
- data/README.md +1 -1
- data/bundle/load.rb +5 -5
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/CHANGELOG.md +8 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/FAQ.md +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/Gemfile +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/MIT-LICENSE +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/README.md +19 -13
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/REFERENCE.md +10 -3
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/TODO +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/haml.gemspec +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/attribute_builder.rb +55 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/attribute_compiler.rb +4 -2
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/attribute_parser.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/buffer.rb +0 -56
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/compiler.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/engine.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/error.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/escapable.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/exec.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/filters.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/generator.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/helpers/action_view_extensions.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/helpers/action_view_mods.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/helpers/action_view_xss_mods.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/helpers/safe_erubi_template.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/helpers/safe_erubis_template.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/helpers/xss_mods.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/helpers.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/options.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/parser.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/plugin.rb +18 -1
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/railtie.rb +5 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/sass_rails_filter.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/template/options.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/template.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/temple_engine.rb +2 -1
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/temple_line_counter.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/util.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml/version.rb +1 -1
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/lib/haml.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/yard/default/fulldoc/html/css/common.sass +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.2}/yard/default/layout/html/footer.erb +0 -0
- data/bundle/ruby/2.7.0/gems/{parallel-1.20.1 → parallel-1.21.0}/MIT-LICENSE.txt +0 -0
- data/bundle/ruby/2.7.0/gems/parallel-1.21.0/lib/parallel/processor_count.rb +45 -0
- data/bundle/ruby/2.7.0/gems/parallel-1.21.0/lib/parallel/version.rb +4 -0
- data/bundle/ruby/2.7.0/gems/{parallel-1.20.1 → parallel-1.21.0}/lib/parallel.rb +52 -43
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0 → ruby_parser-3.18.0}/History.rdoc +76 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0 → ruby_parser-3.18.0}/Manifest.txt +3 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0 → ruby_parser-3.18.0}/README.rdoc +1 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0 → ruby_parser-3.18.0}/compare/normalize.rb +6 -1
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0 → ruby_parser-3.18.0}/debugging.md +0 -0
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/gauntlet.md +106 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0 → ruby_parser-3.18.0}/lib/rp_extensions.rb +15 -36
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/rp_stringscanner.rb +33 -0
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby20_parser.rb +7122 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0 → ruby_parser-3.18.0}/lib/ruby20_parser.y +327 -247
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby21_parser.rb +7176 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0 → ruby_parser-3.18.0}/lib/ruby21_parser.y +322 -244
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby22_parser.rb +7222 -0
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby22_parser.y +2718 -0
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby23_parser.rb +7231 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0/lib/ruby26_parser.y → ruby_parser-3.18.0/lib/ruby23_parser.y} +328 -271
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby24_parser.rb +7262 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0 → ruby_parser-3.18.0}/lib/ruby24_parser.y +326 -246
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby25_parser.rb +7262 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0/lib/ruby30_parser.y → ruby_parser-3.18.0/lib/ruby25_parser.y} +327 -276
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby26_parser.rb +7281 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0/lib/ruby27_parser.y → ruby_parser-3.18.0/lib/ruby26_parser.y} +326 -260
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby27_parser.rb +8511 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0/lib/ruby_parser.yy → ruby_parser-3.18.0/lib/ruby27_parser.y} +905 -355
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby30_parser.rb +8741 -0
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby30_parser.y +3463 -0
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby3_parser.yy +3467 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0 → ruby_parser-3.18.0}/lib/ruby_lexer.rb +261 -609
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0 → ruby_parser-3.18.0}/lib/ruby_lexer.rex +27 -20
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0 → ruby_parser-3.18.0}/lib/ruby_lexer.rex.rb +59 -23
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby_lexer_strings.rb +638 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0 → ruby_parser-3.18.0}/lib/ruby_parser.rb +0 -0
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby_parser.yy +3481 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0 → ruby_parser-3.18.0}/lib/ruby_parser_extras.rb +296 -115
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0 → ruby_parser-3.18.0}/tools/munge.rb +34 -6
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0 → ruby_parser-3.18.0}/tools/ripper.rb +15 -10
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.3 → sexp_processor-4.16.0}/History.rdoc +15 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.3 → sexp_processor-4.16.0}/Manifest.txt +0 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.3 → sexp_processor-4.16.0}/README.rdoc +0 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.3 → sexp_processor-4.16.0}/lib/composite_sexp_processor.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.3 → sexp_processor-4.16.0}/lib/pt_testcase.rb +7 -2
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.3 → sexp_processor-4.16.0}/lib/sexp.rb +19 -9
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.3 → sexp_processor-4.16.0}/lib/sexp_matcher.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.3 → sexp_processor-4.16.0}/lib/sexp_processor.rb +1 -1
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.3 → sexp_processor-4.16.0}/lib/strict_sexp.rb +25 -3
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.3 → sexp_processor-4.16.0}/lib/unique.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{unicode-display_width-1.7.0 → unicode-display_width-1.8.0}/CHANGELOG.md +4 -0
- data/bundle/ruby/2.7.0/gems/{unicode-display_width-1.7.0 → unicode-display_width-1.8.0}/MIT-LICENSE.txt +0 -0
- data/bundle/ruby/2.7.0/gems/{unicode-display_width-1.7.0 → unicode-display_width-1.8.0}/README.md +1 -1
- data/bundle/ruby/2.7.0/gems/unicode-display_width-1.8.0/data/display_width.marshal.gz +0 -0
- data/bundle/ruby/2.7.0/gems/{unicode-display_width-1.7.0 → unicode-display_width-1.8.0}/lib/unicode/display_width/constants.rb +2 -2
- data/bundle/ruby/2.7.0/gems/{unicode-display_width-1.7.0 → unicode-display_width-1.8.0}/lib/unicode/display_width/index.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{unicode-display_width-1.7.0 → unicode-display_width-1.8.0}/lib/unicode/display_width/no_string_ext.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{unicode-display_width-1.7.0 → unicode-display_width-1.8.0}/lib/unicode/display_width/string_ext.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{unicode-display_width-1.7.0 → unicode-display_width-1.8.0}/lib/unicode/display_width.rb +0 -0
- data/lib/brakeman/app_tree.rb +1 -1
- data/lib/brakeman/checks/check_execute.rb +10 -0
- data/lib/brakeman/checks/check_json_parsing.rb +1 -1
- data/lib/brakeman/checks/check_render.rb +15 -1
- data/lib/brakeman/checks/check_sql.rb +45 -8
- data/lib/brakeman/file_parser.rb +10 -2
- data/lib/brakeman/options.rb +6 -1
- data/lib/brakeman/processors/alias_processor.rb +41 -4
- data/lib/brakeman/processors/haml_template_processor.rb +9 -0
- data/lib/brakeman/processors/lib/call_conversion_helper.rb +2 -6
- data/lib/brakeman/processors/model_processor.rb +32 -0
- data/lib/brakeman/report/ignore/config.rb +1 -1
- data/lib/brakeman/report/report_csv.rb +1 -1
- data/lib/brakeman/report/report_sarif.rb +22 -3
- data/lib/brakeman/report/report_text.rb +1 -1
- data/lib/brakeman/rescanner.rb +1 -1
- data/lib/brakeman/scanner.rb +13 -13
- data/lib/brakeman/tracker/collection.rb +30 -2
- data/lib/brakeman/tracker/method_info.rb +41 -0
- data/lib/brakeman/util.rb +26 -18
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman.rb +4 -2
- data/lib/ruby_parser/bm_sexp.rb +24 -0
- metadata +101 -98
- data/bundle/ruby/2.7.0/gems/parallel-1.20.1/lib/parallel/processor_count.rb +0 -42
- data/bundle/ruby/2.7.0/gems/parallel-1.20.1/lib/parallel/version.rb +0 -3
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/lib/rp_stringscanner.rb +0 -64
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/lib/ruby20_parser.rb +0 -7070
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/lib/ruby21_parser.rb +0 -7143
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/lib/ruby22_parser.rb +0 -7180
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/lib/ruby22_parser.y +0 -2638
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/lib/ruby23_parser.rb +0 -7194
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/lib/ruby23_parser.y +0 -2640
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/lib/ruby24_parser.rb +0 -7214
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/lib/ruby25_parser.rb +0 -7213
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/lib/ruby25_parser.y +0 -2648
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/lib/ruby26_parser.rb +0 -7235
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/lib/ruby27_parser.rb +0 -7310
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/lib/ruby30_parser.rb +0 -7310
- data/bundle/ruby/2.7.0/gems/unicode-display_width-1.7.0/data/display_width.marshal.gz +0 -0
@@ -208,6 +208,15 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
208
208
|
return Sexp.new(:false).line(exp.line)
|
209
209
|
end
|
210
210
|
|
211
|
+
# For the simplest case of `Foo.thing`
|
212
|
+
if node_type? target, :const and first_arg.nil?
|
213
|
+
if tracker and (klass = tracker.find_class(class_name(target.value)))
|
214
|
+
if return_value = klass.get_simple_method_return_value(:class, method)
|
215
|
+
return return_value.deep_clone(exp.line)
|
216
|
+
end
|
217
|
+
end
|
218
|
+
end
|
219
|
+
|
211
220
|
#See if it is possible to simplify some basic cases
|
212
221
|
#of addition/concatenation.
|
213
222
|
case method
|
@@ -314,8 +323,14 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
314
323
|
exp = hash_values(target)
|
315
324
|
end
|
316
325
|
when :values_at
|
317
|
-
if
|
318
|
-
|
326
|
+
if node_type? target, :hash
|
327
|
+
res = hash_values_at target, exp.args
|
328
|
+
|
329
|
+
# Only convert to array of values if _all_ keys
|
330
|
+
# are present in the hash.
|
331
|
+
unless res.any?(&:nil?)
|
332
|
+
exp = res
|
333
|
+
end
|
319
334
|
end
|
320
335
|
end
|
321
336
|
|
@@ -794,6 +809,18 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
794
809
|
exp
|
795
810
|
end
|
796
811
|
|
812
|
+
def hash_or_array_include_all_literals? exp
|
813
|
+
return unless call? exp and sexp? exp.target
|
814
|
+
target = exp.target
|
815
|
+
|
816
|
+
case target.node_type
|
817
|
+
when :hash
|
818
|
+
hash_include_all_literals? exp
|
819
|
+
else
|
820
|
+
array_include_all_literals? exp
|
821
|
+
end
|
822
|
+
end
|
823
|
+
|
797
824
|
# Check if exp is a call to Array#include? on an array literal
|
798
825
|
# that contains all literal values. For example:
|
799
826
|
#
|
@@ -812,6 +839,16 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
812
839
|
(all_literals? exp.target or dir_glob? exp.target)
|
813
840
|
end
|
814
841
|
|
842
|
+
# Check if exp is a call to Hash#include? on a hash literal
|
843
|
+
# that contains all literal values. For example:
|
844
|
+
#
|
845
|
+
# {x: 1}.include? x
|
846
|
+
def hash_include_all_literals? exp
|
847
|
+
call? exp and
|
848
|
+
exp.method == :include? and
|
849
|
+
all_literals? exp.target, :hash
|
850
|
+
end
|
851
|
+
|
815
852
|
#Sets @inside_if = true
|
816
853
|
def process_if exp
|
817
854
|
if @ignore_ifs.nil?
|
@@ -852,7 +889,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
852
889
|
scope do
|
853
890
|
@branch_env = env.current
|
854
891
|
branch_index = 2 + i # s(:if, condition, then_branch, else_branch)
|
855
|
-
if i == 0 and
|
892
|
+
if i == 0 and hash_or_array_include_all_literals? condition
|
856
893
|
# If the condition is ["a", "b"].include? x
|
857
894
|
# set x to "a" inside the true branch
|
858
895
|
var = condition.first_arg
|
@@ -860,7 +897,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
860
897
|
env.current[var] = safe_literal(var.line)
|
861
898
|
exp[branch_index] = process_if_branch branch
|
862
899
|
env.current[var] = previous_value
|
863
|
-
elsif i == 1 and
|
900
|
+
elsif i == 1 and hash_or_array_include_all_literals? condition and early_return? branch
|
864
901
|
var = condition.first_arg
|
865
902
|
env.current[var] = safe_literal(var.line)
|
866
903
|
exp[branch_index] = process_if_branch branch
|
@@ -8,6 +8,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
|
|
8
8
|
HAML_HELPERS2 = s(:colon2, s(:colon3, :Haml), :Helpers)
|
9
9
|
JAVASCRIPT_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Javascript)
|
10
10
|
COFFEE_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Coffee)
|
11
|
+
ATTRIBUTE_BUILDER = s(:colon2, s(:colon3, :Haml), :AttributeBuilder)
|
11
12
|
|
12
13
|
def initialize *args
|
13
14
|
super
|
@@ -133,6 +134,8 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
|
|
133
134
|
|
134
135
|
get_pushed_value(exp.first_arg, default)
|
135
136
|
@javascript = false
|
137
|
+
elsif haml_attribute_builder? exp
|
138
|
+
ignore # probably safe... seems escaped by default?
|
136
139
|
else
|
137
140
|
add_output exp, default
|
138
141
|
end
|
@@ -154,6 +157,12 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
|
|
154
157
|
exp.method == :attributes
|
155
158
|
end
|
156
159
|
|
160
|
+
def haml_attribute_builder? exp
|
161
|
+
call? exp and
|
162
|
+
exp.target == ATTRIBUTE_BUILDER and
|
163
|
+
exp.method == :build
|
164
|
+
end
|
165
|
+
|
157
166
|
def fix_textareas? exp
|
158
167
|
call? exp and
|
159
168
|
exp.target == HAMLOUT and
|
@@ -1,11 +1,5 @@
|
|
1
1
|
module Brakeman
|
2
2
|
module CallConversionHelper
|
3
|
-
def all_literals? exp, expected_type = :array
|
4
|
-
node_type? exp, expected_type and
|
5
|
-
exp.length > 1 and
|
6
|
-
exp.all? { |e| e.is_a? Symbol or node_type? e, :lit, :str }
|
7
|
-
end
|
8
|
-
|
9
3
|
# Join two array literals into one.
|
10
4
|
def join_arrays lhs, rhs, original_exp = nil
|
11
5
|
if array? lhs and array? rhs
|
@@ -95,6 +89,8 @@ module Brakeman
|
|
95
89
|
end
|
96
90
|
end
|
97
91
|
|
92
|
+
# You must check the return value for `nil`s -
|
93
|
+
# which indicate a key could not be found.
|
98
94
|
def hash_values_at hash, keys
|
99
95
|
values = keys.map do |key|
|
100
96
|
process_hash_access hash, key
|
@@ -73,6 +73,8 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
|
|
73
73
|
@current_class.set_attr_accessible exp
|
74
74
|
when :attr_protected
|
75
75
|
@current_class.set_attr_protected exp
|
76
|
+
when :enum
|
77
|
+
add_enum_method exp
|
76
78
|
else
|
77
79
|
if @current_class
|
78
80
|
@current_class.add_option method, exp
|
@@ -87,4 +89,34 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
|
|
87
89
|
call
|
88
90
|
end
|
89
91
|
end
|
92
|
+
|
93
|
+
def add_enum_method call
|
94
|
+
arg = call.first_arg
|
95
|
+
return unless hash? arg
|
96
|
+
return unless symbol? arg[1]
|
97
|
+
|
98
|
+
enum_name = arg[1].value # first key
|
99
|
+
enums = arg[2] # first value
|
100
|
+
enums_name = pluralize(enum_name.to_s).to_sym
|
101
|
+
|
102
|
+
call_line = call.line
|
103
|
+
|
104
|
+
if hash? enums
|
105
|
+
enum_values = enums
|
106
|
+
elsif array? enums
|
107
|
+
# Build hash for enum values like Rails does
|
108
|
+
enum_values = s(:hash).line(call_line)
|
109
|
+
|
110
|
+
enums.each_sexp.with_index do |v, index|
|
111
|
+
enum_values << v
|
112
|
+
enum_values << s(:lit, index).line(call_line)
|
113
|
+
end
|
114
|
+
end
|
115
|
+
|
116
|
+
enum_method = s(:defn, enum_name, s(:args), safe_literal(call_line))
|
117
|
+
enums_method = s(:defs, s(:self), enums_name, s(:args), enum_values)
|
118
|
+
|
119
|
+
@current_class.add_method :public, enum_name, enum_method, @current_file
|
120
|
+
@current_class.add_method :public, enums_name, enums_method, @current_file
|
121
|
+
end
|
90
122
|
end
|
@@ -17,7 +17,7 @@ class Brakeman::Report::CSV < Brakeman::Report::Base
|
|
17
17
|
]
|
18
18
|
|
19
19
|
rows = tracker.filtered_warnings.sort_by do |w|
|
20
|
-
[w.confidence, w.warning_type, w.file, w.line, w.fingerprint]
|
20
|
+
[w.confidence, w.warning_type, w.file, w.line || 0, w.fingerprint]
|
21
21
|
end.map do |warning|
|
22
22
|
generate_row(headers, warning)
|
23
23
|
end
|
@@ -48,7 +48,7 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
|
|
48
48
|
end
|
49
49
|
|
50
50
|
def results
|
51
|
-
@results ||= all_warnings.map do |warning|
|
51
|
+
@results ||= tracker.checks.all_warnings.map do |warning|
|
52
52
|
rule_id = render_id warning
|
53
53
|
result_level = infer_level warning
|
54
54
|
message_text = render_message warning.message.to_s
|
@@ -72,11 +72,28 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
|
|
72
72
|
],
|
73
73
|
}
|
74
74
|
|
75
|
+
if @ignore_filter && @ignore_filter.ignored?(warning)
|
76
|
+
result[:suppressions] = [
|
77
|
+
{
|
78
|
+
:kind => 'external',
|
79
|
+
:justification => @ignore_filter.note_for(warning),
|
80
|
+
:location => {
|
81
|
+
:physicalLocation => {
|
82
|
+
:artifactLocation => {
|
83
|
+
:uri => Brakeman::FilePath.from_app_tree(@app_tree, @ignore_filter.file).relative,
|
84
|
+
:uriBaseId => '%SRCROOT%',
|
85
|
+
},
|
86
|
+
},
|
87
|
+
},
|
88
|
+
}
|
89
|
+
]
|
90
|
+
end
|
91
|
+
|
75
92
|
result
|
76
93
|
end
|
77
94
|
end
|
78
95
|
|
79
|
-
# Returns a hash of all check descriptions, keyed by check
|
96
|
+
# Returns a hash of all check descriptions, keyed by check name
|
80
97
|
def check_descriptions
|
81
98
|
@check_descriptions ||= Brakeman::Checks.checks.map do |check|
|
82
99
|
[check.name.gsub(/^Check/, ''), check.description]
|
@@ -85,7 +102,7 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
|
|
85
102
|
|
86
103
|
# Returns a de-duplicated set of warnings, used to generate rules
|
87
104
|
def unique_warnings_by_warning_code
|
88
|
-
@unique_warnings_by_warning_code ||= all_warnings.uniq { |w| w.warning_code }
|
105
|
+
@unique_warnings_by_warning_code ||= tracker.checks.all_warnings.uniq { |w| w.warning_code }
|
89
106
|
end
|
90
107
|
|
91
108
|
def render_id warning
|
@@ -94,6 +111,8 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
|
|
94
111
|
end
|
95
112
|
|
96
113
|
def render_message message
|
114
|
+
return message if message.nil?
|
115
|
+
|
97
116
|
# Ensure message ends with a period
|
98
117
|
if message.end_with? "."
|
99
118
|
message
|
@@ -92,7 +92,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
|
|
92
92
|
HighLine.color("No warnings found", :bold, :green)
|
93
93
|
else
|
94
94
|
warnings = tracker.filtered_warnings.sort_by do |w|
|
95
|
-
[w.confidence, w.warning_type, w.file, w.line, w.fingerprint]
|
95
|
+
[w.confidence, w.warning_type, w.file, w.line || 0, w.fingerprint]
|
96
96
|
end.map do |w|
|
97
97
|
output_warning w
|
98
98
|
end
|
data/lib/brakeman/rescanner.rb
CHANGED
@@ -391,7 +391,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
|
|
391
391
|
|
392
392
|
def parse_ruby_files list
|
393
393
|
paths = list.select(&:exists?)
|
394
|
-
file_parser = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
|
394
|
+
file_parser = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout], tracker.options[:parallel_checks])
|
395
395
|
file_parser.parse_files paths
|
396
396
|
tracker.add_errors(file_parser.errors)
|
397
397
|
file_parser.file_list
|
data/lib/brakeman/scanner.rb
CHANGED
@@ -40,38 +40,38 @@ class Brakeman::Scanner
|
|
40
40
|
|
41
41
|
#Process everything in the Rails application
|
42
42
|
def process
|
43
|
-
Brakeman.notify "Processing gems..."
|
43
|
+
Brakeman.notify "Processing gems... "
|
44
44
|
process_gems
|
45
45
|
guess_rails_version
|
46
|
-
Brakeman.notify "Processing configuration..."
|
46
|
+
Brakeman.notify "Processing configuration... "
|
47
47
|
process_config
|
48
|
-
Brakeman.notify "Parsing files..."
|
48
|
+
Brakeman.notify "Parsing files... "
|
49
49
|
parse_files
|
50
|
-
Brakeman.notify "Detecting file types..."
|
50
|
+
Brakeman.notify "Detecting file types... "
|
51
51
|
detect_file_types
|
52
|
-
Brakeman.notify "Processing initializers..."
|
52
|
+
Brakeman.notify "Processing initializers... "
|
53
53
|
process_initializers
|
54
|
-
Brakeman.notify "Processing libs..."
|
54
|
+
Brakeman.notify "Processing libs... "
|
55
55
|
process_libs
|
56
|
-
Brakeman.notify "Processing routes...
|
56
|
+
Brakeman.notify "Processing routes... "
|
57
57
|
process_routes
|
58
|
-
Brakeman.notify "Processing templates...
|
58
|
+
Brakeman.notify "Processing templates... "
|
59
59
|
process_templates
|
60
|
-
Brakeman.notify "Processing data flow in templates..."
|
60
|
+
Brakeman.notify "Processing data flow in templates... "
|
61
61
|
process_template_data_flows
|
62
|
-
Brakeman.notify "Processing models...
|
62
|
+
Brakeman.notify "Processing models... "
|
63
63
|
process_models
|
64
|
-
Brakeman.notify "Processing controllers...
|
64
|
+
Brakeman.notify "Processing controllers... "
|
65
65
|
process_controllers
|
66
66
|
Brakeman.notify "Processing data flow in controllers..."
|
67
67
|
process_controller_data_flows
|
68
|
-
Brakeman.notify "Indexing call sites...
|
68
|
+
Brakeman.notify "Indexing call sites... "
|
69
69
|
index_call_sites
|
70
70
|
tracker
|
71
71
|
end
|
72
72
|
|
73
73
|
def parse_files
|
74
|
-
fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
|
74
|
+
fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout], tracker.options[:parallel_checks])
|
75
75
|
|
76
76
|
fp.parse_files tracker.app_tree.ruby_file_paths
|
77
77
|
|
@@ -15,6 +15,7 @@ module Brakeman
|
|
15
15
|
@includes = []
|
16
16
|
@methods = { :public => {}, :private => {}, :protected => {} }
|
17
17
|
@class_methods = {}
|
18
|
+
@simple_methods = { :class => {}, instance: {} }
|
18
19
|
@options = {}
|
19
20
|
@tracker = tracker
|
20
21
|
|
@@ -24,7 +25,7 @@ module Brakeman
|
|
24
25
|
def ancestor? parent, seen={}
|
25
26
|
seen[self.name] = true
|
26
27
|
|
27
|
-
if self.parent == parent or seen[self.parent]
|
28
|
+
if self.parent == parent or self.name == parent or seen[self.parent]
|
28
29
|
true
|
29
30
|
elsif parent_model = collection[self.parent]
|
30
31
|
parent_model.ancestor? parent, seen
|
@@ -39,7 +40,7 @@ module Brakeman
|
|
39
40
|
end
|
40
41
|
|
41
42
|
def add_include class_name
|
42
|
-
@includes << class_name
|
43
|
+
@includes << class_name unless ancestor?(class_name)
|
43
44
|
end
|
44
45
|
|
45
46
|
def add_option name, exp
|
@@ -49,6 +50,7 @@ module Brakeman
|
|
49
50
|
|
50
51
|
def add_method visibility, name, src, file_name
|
51
52
|
meth_info = Brakeman::MethodInfo.new(name, src, self, file_name)
|
53
|
+
add_simple_method_maybe meth_info
|
52
54
|
|
53
55
|
if src.node_type == :defs
|
54
56
|
@class_methods[name] = meth_info
|
@@ -112,5 +114,31 @@ module Brakeman
|
|
112
114
|
def methods_public
|
113
115
|
@methods[:public]
|
114
116
|
end
|
117
|
+
|
118
|
+
def get_simple_method_return_value type, name
|
119
|
+
@simple_methods[type][name]
|
120
|
+
end
|
121
|
+
|
122
|
+
private
|
123
|
+
|
124
|
+
def add_simple_method_maybe meth_info
|
125
|
+
if meth_info.very_simple_method?
|
126
|
+
add_simple_method meth_info
|
127
|
+
end
|
128
|
+
end
|
129
|
+
|
130
|
+
def add_simple_method meth_info
|
131
|
+
name = meth_info.name
|
132
|
+
value = meth_info.return_value
|
133
|
+
|
134
|
+
case meth_info.src.node_type
|
135
|
+
when :defn
|
136
|
+
@simple_methods[:instance][name] = value
|
137
|
+
when :defs
|
138
|
+
@simple_methods[:class][name] = value
|
139
|
+
else
|
140
|
+
raise "Expected sexp type: #{src.node_type}"
|
141
|
+
end
|
142
|
+
end
|
115
143
|
end
|
116
144
|
end
|
@@ -19,11 +19,52 @@ module Brakeman
|
|
19
19
|
else
|
20
20
|
raise "Expected sexp type: #{src.node_type}"
|
21
21
|
end
|
22
|
+
|
23
|
+
@simple_method = nil
|
22
24
|
end
|
23
25
|
|
24
26
|
# To support legacy code that expected a Hash
|
25
27
|
def [] attr
|
26
28
|
self.send(attr)
|
27
29
|
end
|
30
|
+
|
31
|
+
def very_simple_method?
|
32
|
+
return @simple_method == :very unless @simple_method.nil?
|
33
|
+
|
34
|
+
# Very simple methods have one (simple) expression in the body and
|
35
|
+
# no arguments
|
36
|
+
if src.formal_args.length == 1 # no args
|
37
|
+
if src.method_length == 1 # Single expression in body
|
38
|
+
value = first_body # First expression in body
|
39
|
+
|
40
|
+
if simple_literal? value or
|
41
|
+
(array? value and all_literals? value) or
|
42
|
+
(hash? value and all_literals? value, :hash)
|
43
|
+
|
44
|
+
@return_value = value
|
45
|
+
@simple_method = :very
|
46
|
+
end
|
47
|
+
end
|
48
|
+
end
|
49
|
+
|
50
|
+
@simple_method ||= false
|
51
|
+
end
|
52
|
+
|
53
|
+
def return_value env = nil
|
54
|
+
if very_simple_method?
|
55
|
+
return @return_value
|
56
|
+
else
|
57
|
+
nil
|
58
|
+
end
|
59
|
+
end
|
60
|
+
|
61
|
+
def first_body
|
62
|
+
case @type
|
63
|
+
when :class
|
64
|
+
src[4]
|
65
|
+
when :instance
|
66
|
+
src[3]
|
67
|
+
end
|
68
|
+
end
|
28
69
|
end
|
29
70
|
end
|
data/lib/brakeman/util.rb
CHANGED
@@ -50,7 +50,11 @@ module Brakeman::Util
|
|
50
50
|
|
51
51
|
# stupid simple, used to delegate to ActiveSupport
|
52
52
|
def pluralize word
|
53
|
-
word
|
53
|
+
if word.end_with? 's'
|
54
|
+
word + 'es'
|
55
|
+
else
|
56
|
+
word + 's'
|
57
|
+
end
|
54
58
|
end
|
55
59
|
|
56
60
|
#Returns a class name as a Symbol.
|
@@ -238,30 +242,22 @@ module Brakeman::Util
|
|
238
242
|
|
239
243
|
#Check if _exp_ is a params hash
|
240
244
|
def params? exp
|
241
|
-
|
242
|
-
return true if exp.node_type == :params or ALL_PARAMETERS.include? exp
|
243
|
-
|
244
|
-
if call? exp
|
245
|
-
if params? exp[1]
|
246
|
-
return true
|
247
|
-
elsif exp[2] == :[]
|
248
|
-
return params? exp[1]
|
249
|
-
end
|
250
|
-
end
|
251
|
-
end
|
252
|
-
|
253
|
-
false
|
245
|
+
recurse_check?(exp) { |child| child.node_type == :params or ALL_PARAMETERS.include? child }
|
254
246
|
end
|
255
247
|
|
256
248
|
def cookies? exp
|
249
|
+
recurse_check?(exp) { |child| child.node_type == :cookies or ALL_COOKIES.include? child }
|
250
|
+
end
|
251
|
+
|
252
|
+
def recurse_check? exp, &check
|
257
253
|
if exp.is_a? Sexp
|
258
|
-
return true if exp
|
254
|
+
return true if yield(exp)
|
259
255
|
|
260
256
|
if call? exp
|
261
|
-
if
|
257
|
+
if recurse_check? exp[1], &check
|
262
258
|
return true
|
263
259
|
elsif exp[2] == :[]
|
264
|
-
return
|
260
|
+
return recurse_check? exp[1], &check
|
265
261
|
end
|
266
262
|
end
|
267
263
|
end
|
@@ -301,12 +297,24 @@ module Brakeman::Util
|
|
301
297
|
exp.is_a? Sexp and types.include? exp.node_type
|
302
298
|
end
|
303
299
|
|
304
|
-
|
300
|
+
SIMPLE_LITERALS = [:lit, :false, :str, :true]
|
301
|
+
|
302
|
+
def simple_literal? exp
|
303
|
+
exp.is_a? Sexp and SIMPLE_LITERALS.include? exp.node_type
|
304
|
+
end
|
305
|
+
|
306
|
+
LITERALS = [*SIMPLE_LITERALS, :array, :hash]
|
305
307
|
|
306
308
|
def literal? exp
|
307
309
|
exp.is_a? Sexp and LITERALS.include? exp.node_type
|
308
310
|
end
|
309
311
|
|
312
|
+
def all_literals? exp, expected_type = :array
|
313
|
+
node_type? exp, expected_type and
|
314
|
+
exp.length > 1 and
|
315
|
+
exp.all? { |e| e.is_a? Symbol or node_type? e, :lit, :str }
|
316
|
+
end
|
317
|
+
|
310
318
|
DIR_CONST = s(:const, :Dir)
|
311
319
|
|
312
320
|
# Dir.glob(...).whatever
|
data/lib/brakeman/version.rb
CHANGED
data/lib/brakeman.rb
CHANGED
@@ -65,6 +65,7 @@ module Brakeman
|
|
65
65
|
# * :report_routes - show found routes on controllers (default: false)
|
66
66
|
# * :run_checks - array of checks to run (run all if not specified)
|
67
67
|
# * :safe_methods - array of methods to consider safe
|
68
|
+
# * :sql_safe_methods - array of sql sanitization methods to consider safe
|
68
69
|
# * :skip_libs - do not process lib/ directory (default: false)
|
69
70
|
# * :skip_vendor - do not process vendor/ directory (default: true)
|
70
71
|
# * :skip_checks - checks not to run (run all if not specified)
|
@@ -198,6 +199,7 @@ module Brakeman
|
|
198
199
|
:relative_path => false,
|
199
200
|
:report_progress => true,
|
200
201
|
:safe_methods => Set.new,
|
202
|
+
:sql_safe_methods => Set.new,
|
201
203
|
:skip_checks => Set.new,
|
202
204
|
:skip_vendor => true,
|
203
205
|
}
|
@@ -392,7 +394,7 @@ module Brakeman
|
|
392
394
|
if options[:parallel_checks]
|
393
395
|
notify "Running checks in parallel..."
|
394
396
|
else
|
395
|
-
notify "
|
397
|
+
notify "Running checks..."
|
396
398
|
end
|
397
399
|
|
398
400
|
tracker.run_checks
|
@@ -477,7 +479,7 @@ module Brakeman
|
|
477
479
|
$stderr.puts message if @debug
|
478
480
|
end
|
479
481
|
|
480
|
-
# Compare JSON
|
482
|
+
# Compare JSON output from a previous scan and return the diff of the two scans
|
481
483
|
def self.compare options
|
482
484
|
require 'json'
|
483
485
|
require 'brakeman/differ'
|
data/lib/ruby_parser/bm_sexp.rb
CHANGED
@@ -543,6 +543,20 @@ class Sexp
|
|
543
543
|
self.body.unshift :rlist
|
544
544
|
end
|
545
545
|
|
546
|
+
# Number of "statements" in a method.
|
547
|
+
# This is more efficient than `Sexp#body.length`
|
548
|
+
# because `Sexp#body` creates a new Sexp.
|
549
|
+
def method_length
|
550
|
+
expect :defn, :defs
|
551
|
+
|
552
|
+
case self.node_type
|
553
|
+
when :defn
|
554
|
+
self.length - 3
|
555
|
+
when :defs
|
556
|
+
self.length - 4
|
557
|
+
end
|
558
|
+
end
|
559
|
+
|
546
560
|
def render_type
|
547
561
|
expect :render
|
548
562
|
self[1]
|
@@ -628,4 +642,14 @@ end
|
|
628
642
|
RUBY
|
629
643
|
end
|
630
644
|
|
645
|
+
class String
|
646
|
+
##
|
647
|
+
# This is a hack used by the lexer to sneak in line numbers at the
|
648
|
+
# identifier level. This should be MUCH smaller than making
|
649
|
+
# process_token return [value, lineno] and modifying EVERYTHING that
|
650
|
+
# reduces tIDENTIFIER.
|
651
|
+
|
652
|
+
attr_accessor :lineno
|
653
|
+
end
|
654
|
+
|
631
655
|
class WrongSexpError < RuntimeError; end
|