brakeman 6.0.0 → 7.0.0

data/lib/brakeman/scanner.rb

@@ -7,6 +7,7 @@ begin
   require 'brakeman/file_parser'
   require 'brakeman/parsers/template_parser'
   require 'brakeman/processors/lib/file_type_detector'
+  require 'brakeman/tracker/file_cache'
 rescue LoadError => e
   $stderr.puts e.message
   $stderr.puts "Please install the appropriate dependency."
@@ -30,6 +31,7 @@ class Brakeman::Scanner
     end
 
     @processor = processor || Brakeman::Processor.new(@app_tree, options)
+    @show_timing = tracker.options[:debug] || tracker.options[:show_timing]
   end
 
   #Returns the Tracker generated from the scan
@@ -37,76 +39,143 @@ class Brakeman::Scanner
     @processor.tracked_events
   end
 
+  def file_cache
+    tracker.file_cache
+  end
+
+  def process_step description
+    Brakeman.notify "#{description}...".ljust(40)
+
+    if @show_timing
+      start_t = Time.now
+      yield
+      duration = Time.now - start_t
+
+      Brakeman.notify "(#{description}) Duration: #{duration} seconds"
+    else
+      yield
+    end
+  end
+
+  def process_step_file description
+    if @show_timing
+      Brakeman.notify "Processing #{description}"
+
+      start_t = Time.now
+      yield
+      duration = Time.now - start_t
+
+      Brakeman.notify "(#{description}) Duration: #{duration} seconds"
+    else
+      yield
+    end
+  end
+
   #Process everything in the Rails application
-  def process
-    Brakeman.notify "Processing gems...                    "
-    process_gems
-    guess_rails_version
-    Brakeman.notify "Processing configuration...           "
-    process_config
-    Brakeman.notify "Parsing files...                      "
-    parse_files
-    Brakeman.notify "Detecting file types...               "
-    detect_file_types
-    Brakeman.notify "Processing initializers...            "
-    process_initializers
-    Brakeman.notify "Processing libs...                    "
-    process_libs
-    Brakeman.notify "Processing routes...                  "
-    process_routes
-    Brakeman.notify "Processing templates...               "
-    process_templates
-    Brakeman.notify "Processing data flow in templates...  "
-    process_template_data_flows
-    Brakeman.notify "Processing models...                  "
-    process_models
-    Brakeman.notify "Processing controllers...             "
-    process_controllers
-    Brakeman.notify "Processing data flow in controllers..."
-    process_controller_data_flows
-    Brakeman.notify "Indexing call sites...                "
-    index_call_sites
+  def process(ruby_paths: nil, template_paths: nil)
+    process_step 'Processing gems' do
+      process_gems
+    end
+
+    process_step 'Processing configuration' do
+      guess_rails_version
+      process_config
+    end
+
+    # -
+    # If ruby_paths or template_paths are set,
+    # only parse those files. The rest will be fetched
+    # from the file cache.
+    #
+    # Otherwise, parse everything normally.
+    #
+    astfiles = nil
+    process_step 'Finding files' do
+      ruby_paths ||= tracker.app_tree.ruby_file_paths
+      template_paths ||= tracker.app_tree.template_paths
+    end
+
+    process_step 'Parsing files' do
+      astfiles = parse_files(ruby_paths: ruby_paths, template_paths: template_paths)
+    end
+
+    process_step 'Detecting file types' do
+      detect_file_types(astfiles)
+    end
+
+    tracker.save_file_cache! if support_rescanning?
+    # -
+
+    process_step 'Processing initializers' do
+      process_initializers
+    end
+
+    process_step 'Processing libs' do
+      process_libs
+    end
+
+    process_step 'Processing routes' do
+      process_routes
+    end
+
+    process_step 'Processing templates' do
+      process_templates
+    end
+
+    process_step 'Processing data flow in templates' do
+      process_template_data_flows
+    end
+
+    process_step 'Processing models' do
+      process_models
+    end
+
+    process_step 'Processing controllers' do
+      process_controllers
+    end
+
+    process_step 'Processing data flow in controllers' do
+      process_controller_data_flows
+    end
+
+    process_step 'Indexing call sites' do
+      index_call_sites
+    end
+
     tracker
   end
 
-  def parse_files
-    fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout], tracker.options[:parallel_checks])
+  def parse_files(ruby_paths:, template_paths:)
+    fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout], tracker.options[:parallel_checks], tracker.options[:use_prism])
 
-    fp.parse_files tracker.app_tree.ruby_file_paths
+    fp.parse_files ruby_paths
 
     template_parser = Brakeman::TemplateParser.new(tracker, fp)
 
-    fp.read_files(@app_tree.template_paths) do |path, contents|
-      template_parser.parse_template path, contents
+    fp.read_files(template_paths) do |path, contents|
+      template_parser.parse_template(path, contents)
     end
 
     # Collect errors raised during parsing
     tracker.add_errors(fp.errors)
 
-    @parsed_files = fp.file_list
+    fp.file_list
   end
 
-  def detect_file_types
-    @file_list = {
-      controllers: [],
-      initializers: [],
-      libs: [],
-      models: [],
-      templates: [],
-    }
-
+  def detect_file_types(astfiles)
     detector = Brakeman::FileTypeDetector.new
 
-    @parsed_files.each do |file|
+    astfiles.each do |file|
       if file.is_a? Brakeman::TemplateParser::TemplateFile
-        @file_list[:templates] << file
+        file_cache.add_file file, :template
       else
         type = detector.detect_type(file)
+
         unless type == :skip
-          if @file_list[type].nil?
-            raise type.to_s
+          if file_cache.valid_type? type
+            file_cache.add_file(file, type)
           else
-            @file_list[type] << file
+            raise "Unexpected file type: #{type.inspect}"
           end
         end
       end
@@ -213,9 +282,10 @@ class Brakeman::Scanner
   #
   #Adds parsed information to tracker.initializers
   def process_initializers
-    track_progress @file_list[:initializers] do |init|
-      Brakeman.debug "Processing #{init[:path]}"
-      process_initializer init
+    track_progress file_cache.initializers do |path, init|
+      process_step_file path do
+        process_initializer init
+      end
     end
   end
 
@@ -233,9 +303,12 @@ class Brakeman::Scanner
       return
     end
 
-    track_progress @file_list[:libs] do |lib|
-      Brakeman.debug "Processing #{lib.path}"
-      process_lib lib
+    libs = file_cache.libs.sort_by { |path, _| path }
+
+    track_progress libs do |path, lib|
+      process_step_file path do
+        process_lib lib
+      end
     end
   end
 
@@ -265,19 +338,23 @@ class Brakeman::Scanner
   #
   #Adds processed controllers to tracker.controllers
   def process_controllers
-    track_progress @file_list[:controllers] do |controller|
-      Brakeman.debug "Processing #{controller.path}"
-      process_controller controller
+    controllers = file_cache.controllers.sort_by { |path, _| path }
+
+    track_progress controllers do |path, controller|
+      process_step_file path do
+        process_controller controller
+      end
     end
   end
 
   def process_controller_data_flows
-    controllers = tracker.controllers.sort_by { |name, _| name.to_s }
+    controllers = tracker.controllers.sort_by { |name, _| name }
 
     track_progress controllers, "controllers" do |name, controller|
-      Brakeman.debug "Processing #{name}"
-      controller.src.each do |file, src|
-        @processor.process_controller_alias name, src, nil, file
+      process_step_file name do
+        controller.src.each do |file, src|
+          @processor.process_controller_alias name, src, nil, file
+        end
       end
     end
 
@@ -297,11 +374,12 @@ class Brakeman::Scanner
   #
   #Adds processed views to tracker.views
   def process_templates
-    templates = @file_list[:templates].sort_by { |t| t[:path] }
+    templates = file_cache.templates.sort_by { |path, _| path }
 
-    track_progress templates, "templates" do |template|
-      Brakeman.debug "Processing #{template[:path]}"
-      process_template template
+    track_progress templates, "templates" do |path, template|
+      process_step_file path do
+        process_template template
+      end
     end
   end
 
@@ -310,11 +388,12 @@ class Brakeman::Scanner
   end
 
   def process_template_data_flows
-    templates = tracker.templates.sort_by { |name, _| name.to_s }
+    templates = tracker.templates.sort_by { |name, _| name }
 
     track_progress templates, "templates" do |name, template|
-      Brakeman.debug "Processing #{name}"
-      @processor.process_template_alias template
+      process_step_file name do
+        @processor.process_template_alias template
+      end
     end
   end
 
@@ -322,14 +401,17 @@ class Brakeman::Scanner
   #
   #Adds the processed models to tracker.models
   def process_models
-    track_progress @file_list[:models] do |model|
-      Brakeman.debug "Processing #{model[:path]}"
-      process_model model[:path], model[:ast]
+    models = file_cache.models.sort_by { |path, _| path }
+
+    track_progress models do |path, model|
+      process_step_file path do
+        process_model model
+      end
     end
   end
 
-  def process_model path, ast
-    @processor.process_model(ast, path)
+  def process_model astfile
+    @processor.process_model(astfile.ast, astfile.path)
   end
 
   def track_progress list, type = "files"
@@ -352,12 +434,16 @@ class Brakeman::Scanner
   end
 
   def parse_ruby_file file
-    fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
+    fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout], false, tracker.options[:use_prism])
     fp.parse_ruby(file.read, file)
   rescue Exception => e
     tracker.error(e)
     nil
   end
+
+  def support_rescanning?
+    tracker.options[:support_rescanning]
+  end
 end
 
 # This is to allow operation without loading the Haml library

data/lib/brakeman/tracker/config.rb

@@ -111,6 +111,14 @@ module Brakeman
             tracker.options[:rails6] = true
             tracker.options[:rails7] = true
             Brakeman.notify "[Notice] Detected Rails 7 application"
+          elsif @rails_version.start_with? "8"
+            tracker.options[:rails3] = true
+            tracker.options[:rails4] = true
+            tracker.options[:rails5] = true
+            tracker.options[:rails6] = true
+            tracker.options[:rails7] = true
+            tracker.options[:rails8] = true
+            Brakeman.notify "[Notice] Detected Rails 8 application"
           end
         end
       end
@@ -189,13 +197,19 @@ module Brakeman
     # Load defaults based on config.load_defaults value
     # as documented here: https://guides.rubyonrails.org/configuring.html#results-of-config-load-defaults
     def load_rails_defaults
-      return unless number? tracker.config.rails[:load_defaults]
+      return unless node_type? tracker.config.rails[:load_defaults], :lit, :str
+
+      version = tracker.config.rails[:load_defaults].value.to_s
+
+      unless version.match?(/^\d+\.\d+$/)
+        Brakeman.debug "[Notice] Unknown version: #{tracker.config.rails[:load_defaults]}"
+        return
+      end
 
-      version = tracker.config.rails[:load_defaults].value
       true_value = Sexp.new(:true)
       false_value = Sexp.new(:false)
 
-      if version >= 5.0
+      if version >= '5.0'
         set_rails_config(value: true_value, path: [:action_controller, :per_form_csrf_tokens])
         set_rails_config(value: true_value, path: [:action_controller, :forgery_protection_origin_check])
         set_rails_config(value: true_value, path: [:active_record, :belongs_to_required_by_default])
@@ -203,12 +217,12 @@ module Brakeman
         set_rails_config(value: true_value, path: [:ssl_options, :hsts, :subdomains])
       end
 
-      if version >= 5.1
+      if version >= '5.1'
         set_rails_config(value: false_value, path: [:assets, :unknown_asset_fallback])
         set_rails_config(value: true_value, path: [:action_view, :form_with_generates_remote_forms])
       end
 
-      if version >= 5.2
+      if version >= '5.2'
         set_rails_config(value: true_value, path: [:active_record, :cache_versioning])
         set_rails_config(value: true_value, path: [:action_dispatch, :use_authenticated_cookie_encryption])
         set_rails_config(value: true_value, path: [:active_support, :use_authenticated_message_encryption])
@@ -217,7 +231,7 @@ module Brakeman
         set_rails_config(value: true_value, path: [:action_view, :form_with_generates_ids])
       end
 
-      if version >= 6.0
+      if version >= '6.0'
         set_rails_config(value: Sexp.new(:lit, :zeitwerk), path: [:autoloader])
         set_rails_config(value: false_value, path: [:action_view, :default_enforce_utf8])
         set_rails_config(value: true_value, path: [:action_dispatch, :use_cookies_with_metadata])
@@ -230,7 +244,7 @@ module Brakeman
         set_rails_config(value: true_value, path: [:active_record, :collection_cache_versioning])
       end
 
-      if version >= 6.1
+      if version >= '6.1'
         set_rails_config(value: true_value, path: [:action_controller, :urlsafe_csrf_tokens])
         set_rails_config(value: Sexp.new(:lit, :lax), path: [:action_dispatch, :cookies_same_site_protection])
         set_rails_config(value: Sexp.new(:lit, 308), path: [:action_dispatch, :ssl_default_redirect_status])
@@ -242,7 +256,7 @@ module Brakeman
         set_rails_config(value: true_value, path: [:active_storage, :track_variants])
       end
 
-      if version >= 7.0
+      if version >= '7.0'
         video_args =
           Sexp.new(:str, "-vf 'select=eq(n\\,0)+eq(key\\,1)+gt(scene\\,0.015),loop=loop=-1:size=2,trim=start_frame=1' -frames:v 1 -f image2")
         hash_class = s(:colon2, s(:colon2, s(:const, :OpenSSL), :Digest), :SHA256)

data/lib/brakeman/tracker/controller.rb

@@ -120,16 +120,20 @@ module Brakeman
         filter[:methods] << a[1] if a.node_type == :lit
       end
 
-      if args[-1].node_type == :hash
-        option = args[-1][1][1]
-        value = args[-1][2]
-        case value.node_type
-        when :array
-          filter[option] = value.sexp_body.map {|v| v[1] }
-        when :lit, :str
-          filter[option] = value[1]
-        else
-          Brakeman.debug "[Notice] Unknown before_filter value: #{option} => #{value}"
+      options = args.last
+
+      if hash? options
+        # Probably only one option,
+        # but this also avoids issues with kwsplats
+        hash_iterate(options) do |option, value|
+          case value.node_type
+          when :array
+            filter[option.value] = value.sexp_body.map {|v| v[1] }
+          when :lit, :str
+            filter[option.value] = value[1]
+          else
+            Brakeman.debug "[Notice] Unknown before_filter value: #{option} => #{value}"
+          end
         end
       else
         filter[:all] = true

data/lib/brakeman/tracker/file_cache.rb

@@ -0,0 +1,83 @@
+module Brakeman
+  class FileCache
+    def initialize(file_list = nil)
+      @file_list = file_list || {
+        controller: {},
+        initializer: {},
+        lib: {},
+        model: {},
+        template: {},
+      }
+    end
+
+    def controllers
+      @file_list[:controller]
+    end
+
+    def initializers
+      @file_list[:initializer]
+    end
+
+    def libs
+      @file_list[:lib]
+    end
+
+    def models
+      @file_list[:model]
+    end
+
+    def templates
+      @file_list[:template]
+    end
+
+    def add_file(astfile, type)
+      raise "Unknown type: #{type}" unless valid_type? type
+      @file_list[type][astfile.path] = astfile
+    end
+
+    def valid_type?(type)
+      @file_list.key? type
+    end
+
+    def cached? path
+      @file_list.any? do |name, list|
+        list[path]
+      end
+    end
+
+    def delete path
+      @file_list.each do |name, list|
+        list.delete path
+      end
+    end
+
+    def diff other
+      @file_list.each do |name, list|
+        other_list = other.send(:"#{name}s")
+
+        if list == other_list
+          next
+        else
+          puts "-- #{name} --"
+          puts "Old: #{other_list.keys - list.keys}"
+          puts "New: #{list.keys - other_list.keys}"
+        end
+      end
+    end
+
+    def dup
+      copy_file_list = @file_list.map do |name, list|
+        copy_list = list.map do |path, astfile|
+          copy_astfile = astfile.dup
+          copy_astfile.ast = copy_astfile.ast.deep_clone
+
+          [path, copy_astfile]
+        end.to_h
+
+        [name, copy_list]
+      end.to_h
+
+      FileCache.new(copy_file_list)
+    end
+  end
+end

data/lib/brakeman/tracker.rb

@@ -12,7 +12,7 @@ class Brakeman::Tracker
   attr_accessor :controllers, :constants, :templates, :models, :errors,
     :checks, :initializers, :config, :routes, :processor, :libs,
     :template_cache, :options, :filter_cache, :start_time, :end_time,
-    :duration, :ignored_filter, :app_tree
+    :duration, :ignored_filter, :app_tree, :file_cache, :pristine_file_cache
 
   #Place holder when there should be a model, but it is not
   #clear what model it will be.
@@ -26,15 +26,22 @@ class Brakeman::Tracker
     @app_tree = app_tree
     @processor = processor
     @options = options
+    @file_cache = Brakeman::FileCache.new
+    @pristine_file_cache = nil
 
-    @config = Brakeman::Config.new(self)
+    reset_all
+  end
+
+  def reset_all
     @templates = {}
     @controllers = {}
+
     #Initialize models with the unknown model so
     #we can match models later without knowing precisely what
     #class they are.
     @models = {}
     @models[UNKNOWN_MODEL] = Brakeman::Model.new(UNKNOWN_MODEL, nil, @app_tree.file_path("NOT_REAL.rb"), nil, self)
+
     @method_cache = {}
     @routes = {}
     @initializers = {}
@@ -46,11 +53,16 @@ class Brakeman::Tracker
     @template_cache = Set.new
     @filter_cache = {}
     @call_index = nil
+    @config = Brakeman::Config.new(self)
     @start_time = Time.now
     @end_time = nil
     @duration = nil
   end
 
+  def save_file_cache!
+    @pristine_file_cache = @file_cache.dup
+  end
+
   #Add an error to the list. If no backtrace is given,
   #the one from the exception will be used.
   def error exception, backtrace = nil
@@ -245,7 +257,7 @@ class Brakeman::Tracker
       end
 
       # Not in any included modules, check the parent
-      @method_cache[cache_key] = find_method(method_name, klass.parent)
+      @method_cache[cache_key] = find_method(method_name, klass.parent, method_type)
     end
   end
 
@@ -301,6 +313,11 @@ class Brakeman::Tracker
       method_sets << self.controllers
     end
 
+    if locations.include? :libs
+      classes_to_reindex.merge self.libs.keys
+      method_sets << self.libs
+    end
+
     if locations.include? :initializers
       self.initializers.each do |file_name, src|
         @call_index.remove_indexes_by_file file_name

data/lib/brakeman/util.rb

@@ -63,14 +63,12 @@ module Brakeman::Util
     case exp
     when Sexp
       case exp.node_type
-      when :const
+      when :const, :colon3
         exp.value
       when :lvar
         exp.value.to_sym
       when :colon2
         "#{class_name(exp.lhs)}::#{exp.rhs}".to_sym
-      when :colon3
-        "::#{exp.value}".to_sym
       when :self
         @current_class || @current_module || nil
       else

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "6.0.0"
+  Version = "7.0.0"
 end

data/lib/brakeman/warning.rb

@@ -317,7 +317,7 @@ class Brakeman::Warning
 
   def format_ruby code, strip
     formatted = Brakeman::OutputProcessor.new.format(code)
-    formatted.gsub!(/(\t|\r|\n)+/, " ") if strip
+    formatted = formatted.gsub(/(\t|\r|\n)+/, " ") if strip
     formatted
   end
 end

data/lib/brakeman/warning_codes.rb

@@ -130,6 +130,7 @@ module Brakeman::WarningCodes
     :insecure_rsa_padding_mode => 126,
     :missing_rsa_padding_mode => 127,
     :small_rsa_key_size => 128,
+    :ransack_search => 129,
 
     :custom_check => 9090,
   }