brakeman 6.0.0 → 7.0.0

data/lib/brakeman/app_tree.rb

@@ -22,6 +22,8 @@ module Brakeman
       init_options[:additional_libs_path] = options[:additional_libs_path]
       init_options[:engine_paths] = options[:engine_paths]
       init_options[:skip_vendor] = options[:skip_vendor]
+      init_options[:follow_symlinks] = options[:follow_symlinks]
+
       new(root, init_options)
     end
 
@@ -50,7 +52,7 @@ module Brakeman
           "#{Regexp.escape f}\\z"
         end
       end
-      Regexp.new("(?:" << path_regexes.join("|") << ")")
+      Regexp.new("(?:#{path_regexes.join("|")})")
     end
     private_class_method(:regex_for_paths)
 
@@ -64,6 +66,7 @@ module Brakeman
       @absolute_engine_paths = @engine_paths.select { |path| path.start_with?(File::SEPARATOR) }
       @relative_engine_paths = @engine_paths - @absolute_engine_paths
       @skip_vendor = init_options[:skip_vendor]
+      @follow_symlinks = init_options[:follow_symlinks]
       @gemspec = nil
       @root_search_pattern = nil
     end
@@ -161,9 +164,26 @@ module Brakeman
     end
 
     def glob_files(directory, name, extensions = ".rb")
-      pattern = "#{root_search_pattern}#{directory}/**/#{name}#{extensions}"
+      if @follow_symlinks
+        root_directory = "#{root_search_pattern}#{directory}"
+        patterns = ["#{root_directory}/**/#{name}#{extensions}"]
+
+        Dir.glob("#{root_directory}/**/*", File::FNM_DOTMATCH).each do |path|
+          if File.symlink?(path) && File.directory?(path)
+            symlink_target = File.readlink(path)
+            if Pathname.new(symlink_target).relative?
+              symlink_target = File.join(File.dirname(path), symlink_target)
+            end
+            patterns << "#{search_pattern(symlink_target)}/**/#{name}#{extensions}"
+          end
+        end
 
-      Dir.glob(pattern)
+        files = patterns.flat_map { |pattern| Dir.glob(pattern) }
+        files.uniq
+      else
+        pattern = "#{root_search_pattern}#{directory}/**/#{name}#{extensions}"
+        Dir.glob(pattern)
+      end
     end
 
     def select_files(paths)
@@ -189,15 +209,14 @@ module Brakeman
       end
     end
 
-    EXCLUDED_PATHS = %w[
-      /generators/
+    EXCLUDED_PATHS = regex_for_paths %w[
+      generators/
       lib/tasks/
       lib/templates/
       db/
       spec/
       test/
       tmp/
-      log/
     ]
 
     def reject_global_excludes(paths)
@@ -207,9 +226,7 @@ module Brakeman
         if @skip_vendor and relative_path.include? 'vendor/' and !in_engine_paths?(path) and !in_add_libs_paths?(path)
           true
         else
-          EXCLUDED_PATHS.any? do |excluded|
-            relative_path.include? excluded
-          end
+          match_path EXCLUDED_PATHS, path
         end
       end
     end
@@ -237,13 +254,16 @@ module Brakeman
 
     def root_search_pattern
       return @root_search_pattern if @root_search_pattern
+      @root_search_pattern = search_pattern(@root)
+    end
 
+    def search_pattern(root_dir)
       abs = @absolute_engine_paths.to_a.map { |path| path.gsub(/#{File::SEPARATOR}+$/, '') }
       rel = @relative_engine_paths.to_a.map { |path| path.gsub(/#{File::SEPARATOR}+$/, '') }
 
-      roots = ([@root] + abs).join(",")
+      roots = ([root_dir] + abs).join(",")
       rel_engines = (rel + [""]).join("/,")
-      @root_search_pattern = "{#{roots}}/{#{rel_engines}}"
+      "{#{roots}}/{#{rel_engines}}"
     end
 
     def prioritize_concerns paths

data/lib/brakeman/checks/check_deserialize.rb

@@ -76,10 +76,13 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
       confidence = :high
     elsif input = include_user_input?(arg)
       confidence = :medium
+    elsif target == :Marshal
+      confidence = :low
+      message = msg("Use of ", msg_code("#{target}.#{method}"), " may be dangerous")
     end
 
     if confidence
-      message = msg(msg_code("#{target}.#{method}"), " called with ", msg_input(input))
+      message ||= msg(msg_code("#{target}.#{method}"), " called with ", msg_input(input))
 
       warn :result => result,
         :warning_type => "Remote Code Execution",

data/lib/brakeman/checks/check_eol_rails.rb

@@ -11,6 +11,8 @@ class Brakeman::CheckEOLRails < Brakeman::EOLCheck
     check_eol_version :rails, RAILS_EOL_DATES
   end
 
+  # https://rubyonrails.org/maintenance
+  # https://endoflife.date/rails
   RAILS_EOL_DATES = {
     ['2.0.0', '2.3.99'] => Date.new(2013, 6, 25),
     ['3.0.0', '3.2.99'] => Date.new(2016, 6, 30),
@@ -19,5 +21,9 @@ class Brakeman::CheckEOLRails < Brakeman::EOLCheck
     ['5.1.0', '5.1.99'] => Date.new(2019, 8, 25),
     ['5.2.0', '5.2.99'] => Date.new(2022, 6, 1),
     ['6.0.0', '6.0.99'] => Date.new(2023, 6, 1),
+    ['6.1.0', '6.1.99'] => Date.new(2024, 10, 1),
+    ['7.0.0', '7.0.99'] => Date.new(2025, 4, 1),
+    ['7.1.0', '7.1.99'] => Date.new(2025, 10, 1),
+    ['7.2.0', '7.2.99'] => Date.new(2026, 8, 9),
   }
 end

data/lib/brakeman/checks/check_eol_ruby.rb

@@ -24,5 +24,6 @@ class Brakeman::CheckEOLRuby < Brakeman::EOLCheck
     ['3.0.0', '3.0.99'] => Date.new(2024, 3, 31),
     ['3.1.0', '3.1.99'] => Date.new(2025, 3, 31),
     ['3.2.0', '3.2.99'] => Date.new(2026, 3, 31),
+    ['3.3.0', '3.3.99'] => Date.new(2027, 3, 31),
   }
 end

data/lib/brakeman/checks/check_evaluation.rb

@@ -23,13 +23,31 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
     return unless original? result
 
     if input = include_user_input?(result[:call].arglist)
+      confidence = :high
+      message = msg(msg_input(input), " evaluated as code")
+    elsif string_evaluation? result[:call].first_arg
+      confidence = :low
+      message = "Dynamic string evaluated as code"
+    elsif safe_literal? result[:call].first_arg
+      # don't warn
+    elsif result[:call].method == :eval
+      confidence = :low
+      message = "Dynamic code evaluation"
+    end
+
+    if confidence
       warn :result => result,
         :warning_type => "Dangerous Eval",
         :warning_code => :code_eval,
-        :message => "User input in eval",
+        :message => message,
         :user_input => input,
-        :confidence => :high,
+        :confidence => confidence,
         :cwe_id => [913, 95]
     end
   end
+
+  def string_evaluation? exp
+    string_interp? exp or
+      (call? exp and string? exp.target)
+  end
 end

data/lib/brakeman/checks/check_execute.rb

@@ -53,6 +53,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
     call = result[:call]
     args = call.arglist
     first_arg = call.first_arg
+    failure = nil
 
     case call.method
     when :popen
@@ -71,6 +72,33 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
                   dangerous_interp?(first_arg[3]) ||
                   dangerous_string_building?(first_arg[3])
       end
+    when :pipeline, :pipline_r, :pipeline_rw, :pipeline_w, :pipeline_start
+      # Since these pipeline commands pipe together several commands,
+      # need to check each argument. If it's an array, check first argument
+      # (the command) and also check for `bash -c`. Otherwise check the argument
+      # as a unit.
+
+      args.each do |arg|
+        next unless sexp? arg
+
+        if array?(arg)
+          # Check first element of array
+          failure = include_user_input?(arg[1]) ||
+            dangerous_interp?(arg[1]) ||
+            dangerous_string_building?(arg[1])
+
+          # Check for ['bash', '-c', user_input]
+          if dash_c_shell_command?(arg[1], arg[2])
+            failure = include_user_input?(arg[3]) ||
+              dangerous_interp?(arg[3]) ||
+              dangerous_string_building?(arg[3])
+          end
+        else
+          failure = include_user_input?(arg)
+        end
+
+        break if failure
+      end
     when :system, :exec
       # Normally, if we're in a `system` or `exec` call, we only are worried
       # about shell injection when there's a single argument, because comma-

data/lib/brakeman/checks/check_model_attr_accessible.rb

@@ -33,6 +33,7 @@ class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
               :confidence => confidence,
               :code => Sexp.new(:lit, attribute),
               :cwe_id => [915]
+
             break # Prevent from matching single attr multiple times
           end
         end

data/lib/brakeman/checks/check_ransack.rb

@@ -0,0 +1,53 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckRansack < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for dangerous use of the Ransack library"
+
+  def run_check
+    return unless version_between? "0.0.0", "3.99", tracker.config.gem_version(:ransack)
+    check_ransack_calls
+  end
+
+  def check_ransack_calls
+    tracker.find_call(method: :ransack, nested: true).each do |result|
+      next unless original? result
+
+      call = result[:call]
+      arg = call.first_arg
+
+      # If an allow list is defined anywhere in the
+      # class or super classes, consider it safe
+      class_name = result[:chain].first
+
+      next if ransackable_allow_list?(class_name)
+
+      if input = has_immediate_user_input?(arg)
+        confidence = if tracker.find_class(class_name).nil?
+                       confidence = :low
+                     elsif result[:location][:file].relative.include? 'admin'
+                       confidence = :medium
+                     else
+                       confidence = :high
+                     end
+
+        message = msg('Unrestricted search using ', msg_code('ransack'), ' library called with ', msg_input(input), '. Limit search by defining ', msg_code('ransackable_attributes'), ' and ', msg_code('ransackable_associations'), ' methods in class or upgrade Ransack to version 4.0.0 or newer')
+
+        warn result: result,
+          warning_type: 'Missing Authorization',
+          warning_code: :ransack_search,
+          message: message,
+          user_input: input,
+          confidence: confidence,
+          cwe_id: [862],
+          link: 'https://positive.security/blog/ransack-data-exfiltration'
+      end
+    end
+  end
+
+  def ransackable_allow_list? class_name
+    tracker.find_method(:ransackable_attributes, class_name, :class) and
+      tracker.find_method(:ransackable_associations, class_name, :class)
+  end
+end

data/lib/brakeman/checks/check_render.rb

@@ -108,6 +108,11 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
   def known_renderable_class? class_name
     klass = tracker.find_class(class_name)
     return false if klass.nil?
-    klass.ancestor? :"ViewComponent::Base"
+    knowns = [
+      :"ViewComponent::Base",
+      :"ViewComponentContrib::Base",
+      :"Phlex::HTML"
+    ]
+    knowns.any? { |k| klass.ancestor? k }
   end
 end

data/lib/brakeman/checks/check_session_settings.rb

@@ -116,10 +116,9 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
 
     if secrets_file.exists? and not ignored? "secrets.yml" and not ignored? "config/*.yml"
       yaml = secrets_file.read
-      require 'date' # https://github.com/dtao/safe_yaml/issues/80
-      require 'safe_yaml/load'
+      require 'yaml'
       begin
-        secrets = SafeYAML.load yaml
+        secrets = YAML.safe_load yaml, aliases: true
       rescue Psych::SyntaxError, RuntimeError => e
         Brakeman.notify "[Notice] #{self.class}: Unable to parse `#{secrets_file}`"
         Brakeman.debug "Failed to parse #{secrets_file}: #{e.inspect}"

data/lib/brakeman/checks/check_sql.rb

@@ -591,7 +591,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     :sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,
     :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
     :to_sql, :sanitize, :primary_key, :table_name_prefix, :table_name_suffix,
-    :where_values_hash, :foreign_key, :uuid
+    :where_values_hash, :foreign_key, :uuid, :escape, :escape_string
   ]
 
   def ignore_methods_in_sql

data/lib/brakeman/checks/check_unscoped_find.rb

@@ -24,7 +24,7 @@ class Brakeman::CheckUnscopedFind < Brakeman::BaseCheck
       process_result call
     end
 
-    tracker.find_call(:method => :find_by, :targets => associated_model_names).each do |result|
+    tracker.find_call(:methods => [:find_by, :find_by!], :targets => associated_model_names).each do |result|
       arg = result[:call].first_arg
 
       if hash? arg and hash_access(arg, :id)

data/lib/brakeman/file_parser.rb

@@ -7,7 +7,19 @@ module Brakeman
   class FileParser
     attr_reader :file_list, :errors
 
-    def initialize app_tree, timeout, parallel = true
+    def initialize app_tree, timeout, parallel = true, use_prism = false
+      @use_prism = use_prism
+
+      if @use_prism
+        begin
+          require 'prism'
+          Brakeman.debug '[Notice] Using Prism parser'
+        rescue LoadError => e
+          Brakeman.debug "[Notice] Asked to use Prism, but failed to load: #{e}"
+          @use_prism = false
+        end
+      end
+
       @app_tree = app_tree
       @timeout = timeout
       @file_list = []
@@ -73,8 +85,29 @@ module Brakeman
         path = path.relative
       end
 
+      Brakeman.debug "Parsing #{path}"
+
+      if @use_prism
+        begin
+          parse_with_prism input, path
+        rescue => e
+          Brakeman.debug "Prism failed to parse #{path}: #{e}"
+
+          parse_with_ruby_parser input, path
+        end
+      else
+        parse_with_ruby_parser input, path
+      end
+    end
+
+    private
+
+    def parse_with_prism input, path
+      Prism::Translation::RubyParser.parse(input, path)
+    end
+
+    def parse_with_ruby_parser input, path
       begin
-        Brakeman.debug "Parsing #{path}"
         RubyParser.new.parse input, path, @timeout
       rescue Racc::ParseError => e
         raise e.exception(e.message + "\nCould not parse #{path}")

data/lib/brakeman/options.rb

@@ -101,6 +101,15 @@ module Brakeman::Options
           options[:rails7] = true
         end
 
+        opts.on "-8", "--rails8", "Force Rails 8 mode" do
+          options[:rails3] = true
+          options[:rails4] = true
+          options[:rails5] = true
+          options[:rails6] = true
+          options[:rails7] = true
+          options[:rails8] = true
+        end
+
         opts.separator ""
         opts.separator "Scanning options:"
 
@@ -150,6 +159,22 @@ module Brakeman::Options
           options[:parser_timeout] = timeout
         end
 
+        opts.on "--[no-]prism", "Use the Prism parser" do |use_prism|
+          if use_prism
+            min_prism_version = '1.0.0'
+
+            begin
+              gem 'prism', ">=#{min_prism_version}"
+              require 'prism'
+            rescue Gem::MissingSpecVersionError, Gem::MissingSpecError, Gem::LoadError => e
+              $stderr.puts "Please install `prism` version #{min_prism_version} or newer:"
+              raise e
+            end
+          end
+
+          options[:use_prism] = use_prism
+        end
+
         opts.on "-r", "--report-direct", "Only report direct use of untrusted data" do |option|
           options[:check_arguments] = !option
         end
@@ -197,12 +222,16 @@ module Brakeman::Options
           options[:engine_paths].merge paths
         end
 
+        opts.on '--[no-]follow-symlinks', 'Follow symbolic links for directions' do |follow_symlinks|
+          options[:follow_symlinks] = follow_symlinks
+        end
+
         opts.on "-E", "--enable Check1,Check2,etc", Array, "Enable the specified checks" do |checks|
           checks.map! do |check|
             if check.start_with? "Check"
               check
             else
-              "Check" << check
+              "Check#{check}"
             end
           end
 
@@ -213,7 +242,7 @@ module Brakeman::Options
         opts.on "-t", "--test Check1,Check2,etc", Array, "Only run the specified checks" do |checks|
           checks.each_with_index do |s, index|
             if s[0,5] != "Check"
-              checks[index] = "Check" << s
+              checks[index] = "Check#{s}"
             end
           end
 
@@ -224,7 +253,7 @@ module Brakeman::Options
         opts.on "-x", "--except Check1,Check2,etc", Array, "Skip the specified checks" do |skip|
           skip.each do |s|
             if s[0,5] != "Check"
-              s = "Check" << s
+              s = "Check#{s}"
             end
 
             options[:skip_checks] ||= Set.new
@@ -244,13 +273,17 @@ module Brakeman::Options
           options[:debug] = true
         end
 
+        opts.on "--timing", "Measure time for scan steps" do
+          options[:show_timing] = true
+        end
+
         opts.on "-f",
           "--format TYPE",
           [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table, :junit, :sarif, :sonar, :github],
           "Specify output formats. Default is text" do |type|
 
           type = "s" if type == :text
-          options[:output_format] = ("to_" << type.to_s).to_sym
+          options[:output_format] = :"to_#{type}"
         end
 
         opts.on "--css-file CSSFile", "Specify CSS to use for HTML output" do |file|
@@ -265,6 +298,10 @@ module Brakeman::Options
           options[:interactive_ignore] = true
         end
 
+        opts.on "--show-ignored", "Show files that are usually ignored by the ignore configuration file" do
+          options[:show_ignored] = true
+        end
+
         opts.on "-l", "--[no-]combine-locations", "Combine warning locations (Default)" do |combine|
           options[:combine_locations] = combine
         end

data/lib/brakeman/parsers/erubis_patch.rb

@@ -0,0 +1,11 @@
+module Brakeman::ErubisPatch
+  # Simple patch to make `erubis` compatible with frozen string literals
+  def convert(input)
+    codebuf = +"" # Modified line, the rest is identitical
+    @preamble.nil? ? add_preamble(codebuf) : (@preamble && (codebuf << @preamble))
+    convert_input(codebuf, input)
+    @postamble.nil? ? add_postamble(codebuf) : (@postamble && (codebuf << @postamble))
+    @_proc = nil    # clear cached proc object
+    return codebuf  # or codebuf.join()
+  end
+end

data/lib/brakeman/parsers/rails2_erubis.rb

@@ -1,6 +1,9 @@
 Brakeman.load_brakeman_dependency 'erubis'
 
+require 'brakeman/parsers/erubis_patch'
+
 #Erubis processor which ignores any output which is plain text.
 class Brakeman::ScannerErubis < Erubis::Eruby
   include Erubis::NoTextEnhancer
+  include Brakeman::ErubisPatch
 end

data/lib/brakeman/parsers/rails2_xss_plugin_erubis.rb

@@ -1,7 +1,11 @@
 Brakeman.load_brakeman_dependency 'erubis'
 
+require 'brakeman/parsers/erubis_patch'
+
 #This is from the rails_xss plugin for Rails 2
 class Brakeman::Rails2XSSPluginErubis < ::Erubis::Eruby
+  include Brakeman::ErubisPatch
+
   def add_preamble(src)
     #src << "@output_buffer = ActiveSupport::SafeBuffer.new;"
   end

data/lib/brakeman/parsers/rails3_erubis.rb

@@ -1,11 +1,15 @@
 Brakeman.load_brakeman_dependency 'erubis'
 
+require 'brakeman/parsers/erubis_patch'
+
 # This is from Rails 5 version of the Erubis handler
 # https://github.com/rails/rails/blob/ec608107801b1e505db03ba76bae4a326a5804ca/actionview/lib/action_view/template/handlers/erb.rb#L7-L73
 class Brakeman::Rails3Erubis < ::Erubis::Eruby
+  include Brakeman::ErubisPatch
 
   def add_preamble(src)
     @newline_pending = 0
+    src << "_this_is_to_make_yields_syntactally_correct {"
     src << "@output_buffer = output_buffer || ActionView::OutputBuffer.new;"
   end
 
@@ -62,7 +66,7 @@ class Brakeman::Rails3Erubis < ::Erubis::Eruby
 
   def add_postamble(src)
     flush_newline_if_pending(src)
-    src << '@output_buffer.to_s'
+    src << '@output_buffer.to_s; }'
   end
 
   def flush_newline_if_pending(src)

data/lib/brakeman/parsers/slim_embedded.rb

@@ -2,6 +2,7 @@
 module Slim
   class Embedded
     class TiltEngine
+      alias_method :on_slim_embedded, :on_slim_embedded # silence redefined method warning
       def on_slim_embedded(engine, body, attrs)
         # Override this method to avoid Slim trying to load sass/scss and failing
         case engine
@@ -22,6 +23,7 @@ module Slim
     class SassEngine
       protected
 
+      alias_method :tilt_render, :tilt_render # silence redefined method warning
       def tilt_render(tilt_engine, tilt_options, text)
         [:dynamic,
          "BrakemanFilter.render(#{text.inspect}, #{self.class})"]