RubyGems - brakeman - Versions diffs - 5.2.1 → 5.3.0 - Mend

brakeman 5.2.1 → 5.3.0

Files changed (205) hide show

data/lib/brakeman/checks/check_unscoped_find.rb CHANGED Viewed

@@ -40,7 +40,8 @@ class Brakeman::CheckUnscopedFind < Brakeman::BaseCheck
       :message      => msg("Unscoped call to ", msg_code("#{result[:target]}##{result[:method]}")),
       :code         => result[:call],
       :confidence   => :weak,
-      :user_input   => input
+      :user_input   => input,
+      :cwe_id => [285]
   end
   def optional_belongs_to? exp

data/lib/brakeman/checks/check_validation_regex.rb CHANGED Viewed

@@ -91,7 +91,8 @@ class Brakeman::CheckValidationRegex < Brakeman::BaseCheck
       :warning_code => :validation_regex,
       :message => msg("Insufficient validation for ", msg_code(get_name validator), " using ", msg_code(regex.inspect), ". Use ", msg_code("\\A"), " and ", msg_code("\\z"), " as anchors"),
       :line => value.line,
-      :confidence => :high
+      :confidence => :high,
+      :cwe_id => [777]
     end
   end

data/lib/brakeman/checks/check_verb_confusion.rb CHANGED Viewed

@@ -70,6 +70,7 @@ class Brakeman::CheckVerbConfusion < Brakeman::BaseCheck
       :message => message,
       :code => code,
       :user_input => result[:call],
-      :confidence => confidence
+      :confidence => confidence,
+      :cwe_id => [352]
   end
 end

data/lib/brakeman/checks/check_weak_hash.rb CHANGED Viewed

@@ -53,7 +53,8 @@ class Brakeman::CheckWeakHash < Brakeman::BaseCheck
       :warning_code => :weak_hash_digest,
       :message => message,
       :confidence => confidence,
-      :user_input => input
+      :user_input => input,
+      :cwe_id => [328]
   end
   def process_hmac_result result
@@ -74,7 +75,8 @@ class Brakeman::CheckWeakHash < Brakeman::BaseCheck
       :warning_type => "Weak Hash",
       :warning_code => :weak_hash_hmac,
       :message => message,
-      :confidence => :medium
+      :confidence => :medium,
+      :cwe_id => [328]
   end
   def process_openssl_result result
@@ -90,7 +92,8 @@ class Brakeman::CheckWeakHash < Brakeman::BaseCheck
           :warning_type => "Weak Hash",
           :warning_code => :weak_hash_digest,
           :message => msg("Weak hashing algorithm used: ", msg_lit(alg)),
-          :confidence => :medium
+          :confidence => :medium,
+          :cwe_id => [328]
       end
     end
   end

data/lib/brakeman/checks/check_without_protection.rb CHANGED Viewed

@@ -55,7 +55,8 @@ class Brakeman::CheckWithoutProtection < Brakeman::BaseCheck
             :message => "Unprotected mass assignment",
             :code => call,
             :user_input => input,
-            :confidence => confidence
+            :confidence => confidence,
+            :cwe_id => [915]
         end
       end

data/lib/brakeman/checks/check_xml_dos.rb CHANGED Viewed

@@ -30,7 +30,8 @@ class Brakeman::CheckXMLDoS < Brakeman::BaseCheck
       :message => message,
       :confidence => :medium,
       :gem_info => gemfile_or_environment,
-      :link_path => "https://groups.google.com/d/msg/rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J"
+      :link_path => "https://groups.google.com/d/msg/rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J",
+      :cwe_id => [125]
   end
   def has_workaround?

data/lib/brakeman/checks/check_yaml_parsing.rb CHANGED Viewed

@@ -29,7 +29,8 @@ class Brakeman::CheckYAMLParsing < Brakeman::BaseCheck
         :message => message,
         :confidence => :high,
         :gem_info => gemfile_or_environment,
-        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/discussion"
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/discussion",
+        :cwe_id => [20]
     end
     #Warn if app accepts YAML
@@ -41,7 +42,8 @@ class Brakeman::CheckYAMLParsing < Brakeman::BaseCheck
         :message => message,
         :confidence => :high,
         :gem_info => gemfile_or_environment,
-        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/discussion"
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/discussion",
+        :cwe_id => [20]
     end
   end

data/lib/brakeman/checks/eol_check.rb CHANGED Viewed

@@ -34,7 +34,8 @@ class Brakeman::EOLCheck < Brakeman::BaseCheck
       warning_code: :"pending_eol_#{library}",
       message: msg("Support for ", msg_version(version, library.capitalize), " ends on #{eol_date}"),
       confidence: confidence,
-      gem_info: gemfile_or_environment
+      gem_info: gemfile_or_environment,
+      :cwe_id => [1104]
   end
   def warn_about_unsupported_version library, eol_date, version
@@ -42,6 +43,7 @@ class Brakeman::EOLCheck < Brakeman::BaseCheck
       warning_code: :"eol_#{library}",
       message: msg("Support for ", msg_version(version, library.capitalize), " ended on #{eol_date}"),
       confidence: :high,
-      gem_info: gemfile_or_environment
+      gem_info: gemfile_or_environment,
+      :cwe_id => [1104]
   end
 end

data/lib/brakeman/options.rb CHANGED Viewed

@@ -323,7 +323,7 @@ module Brakeman::Options
         end
         opts.on "--text-fields field1,field2,etc.", Array, "Specify fields for text report format" do |format|
-          valid_options = [:category, :category_id, :check, :code, :confidence, :file, :fingerprint, :line, :link, :message, :render_path]
+          valid_options = [:category, :category_id, :check, :code, :confidence, :cwe, :file, :fingerprint, :line, :link, :message, :render_path]
           options[:text_fields] = format.map(&:to_sym)

data/lib/brakeman/processors/alias_processor.rb CHANGED Viewed

@@ -404,7 +404,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   end
   def join_item item, join_value
-    if item.is_a? String
+    if item.nil? || item.is_a?(String)
       "#{item}#{join_value}"
     elsif string? item or symbol? item or number? item
       s(:str, "#{item.value}#{join_value}").line(item.line)
@@ -703,7 +703,30 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       end
     end
-    exp
+    # Return early unless there might be short-hand syntax,
+    # since handling it is kind of expensive.
+    return exp unless exp.any? { |e| e.nil? }
+    # Need to handle short-hand hash syntax
+    new_hash = [:hash]
+    hash_iterate(exp) do |key, value|
+      # e.g. { a: }
+      if value.nil? and symbol? key
+        # Only handling local variables for now, not calls
+        lvar = s(:lvar, key.value)
+        if var_value = env[lvar]
+          new_hash << key << var_value.deep_clone(key.line || 0)
+        else
+          # If the value is unknown, assume it was a call
+          # and set the value to a call
+          new_hash.concat << key << s(:call, nil, key.value).line(key.line || 0)
+        end
+      else
+        new_hash.concat << key << value
+      end
+    end
+    Sexp.from_array(new_hash).line(exp.line || 0)
   end
   #Merge values into hash when processing
@@ -864,6 +887,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     elsif false? condition
       no_branch = true
       exps = [nil, exp.else_clause]
+    elsif equality_check? condition and condition.target == condition.first_arg
+      no_branch = true
+      exps = [exp.then_clause, nil]
     else
       no_branch = false
       exps = [exp.then_clause, exp.else_clause]
@@ -897,6 +923,14 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
             env.current[var] = safe_literal(var.line)
             exp[branch_index] = process_if_branch branch
             env.current[var] = previous_value
+          elsif i == 0 and equality_check? condition
+            # For conditions like a == b,
+            # set a to b inside the true branch
+            var = condition.target
+            previous_value = env.current[var]
+            env.current[var] = condition.first_arg
+            exp[branch_index] = process_if_branch branch
+            env.current[var] = previous_value
           elsif i == 1 and hash_or_array_include_all_literals? condition and early_return? branch
             var = condition.first_arg
             env.current[var] = safe_literal(var.line)
@@ -931,6 +965,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     end
   end
+  def equality_check? exp
+    call? exp and
+      exp.method == :==
+  end
   def simple_when? exp
     node_type? exp[1], :array and
       not node_type? exp[1][1], :splat, :array and

data/lib/brakeman/processors/lib/find_all_calls.rb CHANGED Viewed

@@ -233,6 +233,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
     unless @in_target
       @full_call = call_hash
+      call_hash[:full_call] = call_hash
     end
     # Process up the call chain

data/lib/brakeman/report/ignore/interactive.rb CHANGED Viewed

@@ -88,10 +88,10 @@ module Brakeman
         m.choice "i"
         m.choice "n"
-        m.choice "k"
+        m.choice "s"
         m.choice "u"
         m.choice "a"
-        m.choice "s"
+        m.choice "k"
         m.choice "q"
         m.choice "?" do
           show_help

data/lib/brakeman/report/report_csv.rb CHANGED Viewed

@@ -5,6 +5,7 @@ class Brakeman::Report::CSV < Brakeman::Report::Base
     headers = [
       "Confidence",
       "Warning Type",
+      "CWE",
       "File",
       "Line",
       "Message",
@@ -35,6 +36,7 @@ class Brakeman::Report::CSV < Brakeman::Report::Base
     [
       warning.confidence_name,
       warning.warning_type,
+      warning.cwe_id.first,
       warning_file(warning),
       warning.line,
       warning.message,

data/lib/brakeman/report/report_junit.rb CHANGED Viewed

@@ -1,6 +1,6 @@
 require 'time'
-require "stringio"
-require 'rexml/document'
+require 'stringio'
+Brakeman.load_brakeman_dependency 'rexml/document'
 class Brakeman::Report::JUnit < Brakeman::Report::Base
   def generate_report

data/lib/brakeman/report/report_table.rb CHANGED Viewed

@@ -98,7 +98,7 @@ class Brakeman::Report::Table < Brakeman::Report::Base
     render_warnings generic_warnings,
                     :warning,
                     'security_warnings',
-                    ["Confidence", "Class", "Method", "Warning Type", "Message"],
+                    ["Confidence", "Class", "Method", "Warning Type", "CWE ID", "Message"],
                     'Class'
   end
@@ -107,7 +107,7 @@ class Brakeman::Report::Table < Brakeman::Report::Base
     render_warnings template_warnings,
                     :template,
                     'view_warnings',
-                    ['Confidence', 'Template', 'Warning Type', 'Message'],
+                    ['Confidence', 'Template', 'Warning Type', "CWE ID", 'Message'],
                     'Template'
   end
@@ -117,7 +117,7 @@ class Brakeman::Report::Table < Brakeman::Report::Base
     render_warnings model_warnings,
                     :model,
                     'model_warnings',
-                    ['Confidence', 'Model', 'Warning Type', 'Message'],
+                    ['Confidence', 'Model', 'Warning Type', "CWE ID", 'Message'],
                     'Model'
   end
@@ -126,7 +126,7 @@ class Brakeman::Report::Table < Brakeman::Report::Base
     render_warnings controller_warnings,
                     :controller,
                     'controller_warnings',
-                    ['Confidence', 'Controller', 'Warning Type', 'Message'],
+                    ['Confidence', 'Controller', 'Warning Type', "CWE ID", 'Message'],
                     'Controller'
   end
@@ -134,7 +134,7 @@ class Brakeman::Report::Table < Brakeman::Report::Base
     render_warnings ignored_warnings,
                     :ignored,
                     'ignored_warnings',
-                    ['Confidence', 'Warning Type', 'File', 'Message'],
+                    ['Confidence', 'Warning Type', "CWE ID", 'File', 'Message'],
                     'Warning Type'
   end

data/lib/brakeman/report/report_text.rb CHANGED Viewed

@@ -159,6 +159,8 @@ class Brakeman::Report::Text < Brakeman::Report::Base
       label('Confidence', confidence(w.confidence))
     when :category
       label('Category', w.warning_type.to_s)
+    when :cwe
+      label('CWE', w.cwe_id.join(', '))
     when :check
       label('Check', w.check_name)
     when :message

data/lib/brakeman/report/templates/controller_warnings.html.erb CHANGED Viewed

@@ -5,6 +5,7 @@
       <th>Confidence</th>
       <th>Controller</th>
       <th>Warning Type</th>
+      <th>CWE ID</th>
       <th>Message</th>
     </tr>
   </thead>
@@ -14,6 +15,7 @@
       <td><%= warning['Confidence']%></td>
       <td><%= warning['Controller']%></td>
       <td><%= warning['Warning Type']%></td>
+      <td><%= warning['CWE ID']%></td>
       <td><%= warning['Message']%></td>
     </tr>
   <% end %>

data/lib/brakeman/report/templates/ignored_warnings.html.erb CHANGED Viewed

@@ -6,6 +6,7 @@
         <th>Confidence</th>
         <th>File</th>
         <th>Warning Type</th>
+        <th>CWE ID</th>
         <th>Message</th>
         <th>Note</th>
       </tr>
@@ -16,6 +17,7 @@
         <td><%= warning['Confidence']%></td>
         <td><%= warning['File']%></td>
         <td><%= warning['Warning Type']%></td>
+        <td><%= warning['CWE ID']%></td>
         <td><%= warning['Message']%></td>
         <td><%= warning['Note']%></td>
       </tr>

data/lib/brakeman/report/templates/model_warnings.html.erb CHANGED Viewed

@@ -5,6 +5,7 @@
       <th>Confidence</th>
       <th>Model</th>
       <th>Warning Type</th>
+      <th>CWE ID</th>
       <th>Message</th>
     </tr>
   </thead>
@@ -14,6 +15,7 @@
       <td><%= warning['Confidence']%></td>
       <td><%= warning['Model']%></td>
       <td><%= warning['Warning Type']%></td>
+      <td><%= warning['CWE ID']%></td>
       <td><%= warning['Message']%></td>
     </tr>
   <% end %>

data/lib/brakeman/report/templates/security_warnings.html.erb CHANGED Viewed

@@ -6,6 +6,7 @@
       <th>Class</th>
       <th>Method</th>
       <th>Warning Type</th>
+      <th>CWE ID</th>
       <th>Message</th>
     </tr>
   </thead>
@@ -16,6 +17,7 @@
       <td><%= warning['Class']%></td>
       <td><%= warning['Method']%></td>
       <td><%= warning['Warning Type']%></td>
+      <td><%= warning['CWE ID']%></td>
       <td><%= warning['Message']%></td>
     </tr>
   <% end %>

data/lib/brakeman/report/templates/view_warnings.html.erb CHANGED Viewed

@@ -5,6 +5,7 @@
       <th>Confidence</th>
       <th>Template</th>
       <th>Warning Type</th>
+      <th>CWE ID</th>
       <th>Message</th>
     </tr>
   </thead>
@@ -27,6 +28,7 @@
         <% end %>
       </td>
       <td><%= warning['Warning Type']%></td>
+      <td><%= warning['CWE ID']%></td>
       <td><%= warning['Message']%></td>
     </tr>
   <% end %>

data/lib/brakeman/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "5.2.1"
+  Version = "5.3.0"
 end

data/lib/brakeman/warning.rb CHANGED Viewed

@@ -5,7 +5,7 @@ require 'brakeman/messages'
 #The Warning class stores information about warnings
 class Brakeman::Warning
-  attr_reader :called_from, :check, :class, :confidence, :controller,
+  attr_reader :called_from, :check, :class, :confidence, :controller, :cwe_id,
     :line, :method, :model, :template, :user_input, :user_input_type,
     :warning_code, :warning_set, :warning_type
@@ -31,6 +31,7 @@ class Brakeman::Warning
     :class => :@class,
     :code => :@code,
     :controller => :@controller,
+    :cwe_id => :@cwe_id,
     :file => :@file,
     :gem_info => :@gem_info,
     :line => :@line,
@@ -219,6 +220,7 @@ class Brakeman::Warning
   def to_row type = :warning
     @row = { "Confidence" => TEXT_CONFIDENCE[self.confidence],
       "Warning Type" => self.warning_type.to_s,
+      "CWE ID" => self.cwe_id,
       "Message" => self.message }
     case type
@@ -302,7 +304,8 @@ class Brakeman::Warning
       :render_path => render_path,
       :location => self.location(false),
       :user_input => (@user_input && self.format_user_input(false)),
-      :confidence => self.confidence_name
+      :confidence => self.confidence_name,
+      :cwe_id => cwe_id
     }
   end

data/lib/brakeman/warning_codes.rb CHANGED Viewed

@@ -125,6 +125,7 @@ module Brakeman::WarningCodes
     :eol_ruby => 121,
     :pending_eol_rails => 122,
     :pending_eol_ruby => 123,
+    :CVE_2022_32209 => 124,
     :custom_check => 9090,
   }