RubyGems - brakeman - Versions diffs - 6.0.0 → 7.1.0 - Mend

brakeman 6.0.0 → 7.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (655) hide show

data/lib/brakeman/file_parser.rb CHANGED Viewed

@@ -7,7 +7,19 @@ module Brakeman
   class FileParser
     attr_reader :file_list, :errors
-    def initialize app_tree, timeout, parallel = true
+    def initialize app_tree, timeout, parallel = true, use_prism = false
+      @use_prism = use_prism
+      if @use_prism
+        begin
+          require 'prism'
+          Brakeman.debug '[Notice] Using Prism parser'
+        rescue LoadError => e
+          Brakeman.debug "[Notice] Asked to use Prism, but failed to load: #{e}"
+          @use_prism = false
+        end
+      end
       @app_tree = app_tree
       @timeout = timeout
       @file_list = []
@@ -73,8 +85,29 @@ module Brakeman
         path = path.relative
       end
+      Brakeman.debug "Parsing #{path}"
+      if @use_prism
+        begin
+          parse_with_prism input, path
+        rescue => e
+          Brakeman.debug "Prism failed to parse #{path}: #{e}"
+          parse_with_ruby_parser input, path
+        end
+      else
+        parse_with_ruby_parser input, path
+      end
+    end
+    private
+    def parse_with_prism input, path
+      Prism::Translation::RubyParser.parse(input, path)
+    end
+    def parse_with_ruby_parser input, path
       begin
-        Brakeman.debug "Parsing #{path}"
         RubyParser.new.parse input, path, @timeout
       rescue Racc::ParseError => e
         raise e.exception(e.message + "\nCould not parse #{path}")

data/lib/brakeman/messages.rb CHANGED Viewed

@@ -86,7 +86,7 @@ class Brakeman::Messages::Message
   end
   def to_html
-    require 'cgi'
+    require 'cgi/escape'
     output = @parts.map(&:to_html).join

data/lib/brakeman/options.rb CHANGED Viewed

@@ -71,6 +71,10 @@ module Brakeman::Options
           options[:ensure_ignore_notes] = true
         end
+        opts.on "--ensure-no-obsolete-ignore-entries", "Fail when an obsolete ignore entry is found" do
+          options[:ensure_no_obsolete_ignore_entries] = true
+        end
         opts.on "-3", "--rails3", "Force Rails 3 mode" do
           options[:rails3] = true
         end
@@ -101,6 +105,15 @@ module Brakeman::Options
           options[:rails7] = true
         end
+        opts.on "-8", "--rails8", "Force Rails 8 mode" do
+          options[:rails3] = true
+          options[:rails4] = true
+          options[:rails5] = true
+          options[:rails6] = true
+          options[:rails7] = true
+          options[:rails8] = true
+        end
         opts.separator ""
         opts.separator "Scanning options:"
@@ -150,6 +163,22 @@ module Brakeman::Options
           options[:parser_timeout] = timeout
         end
+        opts.on "--[no-]prism", "Use the Prism parser" do |use_prism|
+          if use_prism
+            min_prism_version = '1.0.0'
+            begin
+              gem 'prism', ">=#{min_prism_version}"
+              require 'prism'
+            rescue Gem::MissingSpecVersionError, Gem::MissingSpecError, Gem::LoadError => e
+              $stderr.puts "Please install `prism` version #{min_prism_version} or newer:"
+              raise e
+            end
+          end
+          options[:use_prism] = use_prism
+        end
         opts.on "-r", "--report-direct", "Only report direct use of untrusted data" do |option|
           options[:check_arguments] = !option
         end
@@ -197,12 +226,20 @@ module Brakeman::Options
           options[:engine_paths].merge paths
         end
+        opts.on '--[no-]follow-symlinks', 'Follow symbolic links for directions' do |follow_symlinks|
+          options[:follow_symlinks] = follow_symlinks
+        end
+        opts.on '--gemfile GEMFILE', 'Specify Gemfile to scan' do |gemfile|
+          options[:gemfile] = gemfile
+        end
         opts.on "-E", "--enable Check1,Check2,etc", Array, "Enable the specified checks" do |checks|
           checks.map! do |check|
             if check.start_with? "Check"
               check
             else
-              "Check" << check
+              "Check#{check}"
             end
           end
@@ -213,7 +250,7 @@ module Brakeman::Options
         opts.on "-t", "--test Check1,Check2,etc", Array, "Only run the specified checks" do |checks|
           checks.each_with_index do |s, index|
             if s[0,5] != "Check"
-              checks[index] = "Check" << s
+              checks[index] = "Check#{s}"
             end
           end
@@ -224,7 +261,7 @@ module Brakeman::Options
         opts.on "-x", "--except Check1,Check2,etc", Array, "Skip the specified checks" do |skip|
           skip.each do |s|
             if s[0,5] != "Check"
-              s = "Check" << s
+              s = "Check#{s}"
             end
             options[:skip_checks] ||= Set.new
@@ -244,13 +281,17 @@ module Brakeman::Options
           options[:debug] = true
         end
+        opts.on "--timing", "Measure time for scan steps" do
+          options[:show_timing] = true
+        end
         opts.on "-f",
           "--format TYPE",
           [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table, :junit, :sarif, :sonar, :github],
           "Specify output formats. Default is text" do |type|
           type = "s" if type == :text
-          options[:output_format] = ("to_" << type.to_s).to_sym
+          options[:output_format] = :"to_#{type}"
         end
         opts.on "--css-file CSSFile", "Specify CSS to use for HTML output" do |file|
@@ -265,6 +306,10 @@ module Brakeman::Options
           options[:interactive_ignore] = true
         end
+        opts.on "--show-ignored", "Show files that are usually ignored by the ignore configuration file" do
+          options[:show_ignored] = true
+        end
         opts.on "-l", "--[no-]combine-locations", "Combine warning locations (Default)" do |combine|
           options[:combine_locations] = combine
         end

data/lib/brakeman/parsers/erubis_patch.rb ADDED Viewed

@@ -0,0 +1,11 @@
+module Brakeman::ErubisPatch
+  # Simple patch to make `erubis` compatible with frozen string literals
+  def convert(input)
+    codebuf = +"" # Modified line, the rest is identitical
+    @preamble.nil? ? add_preamble(codebuf) : (@preamble && (codebuf << @preamble))
+    convert_input(codebuf, input)
+    @postamble.nil? ? add_postamble(codebuf) : (@postamble && (codebuf << @postamble))
+    @_proc = nil    # clear cached proc object
+    return codebuf  # or codebuf.join()
+  end
+end

data/lib/brakeman/parsers/haml6_embedded.rb ADDED Viewed

@@ -0,0 +1,23 @@
+[:Coffee, :CoffeeScript, :Markdown, :Sass].each do |name|
+  klass = Module.const_get("Haml::Filters::#{name}")
+  klass.define_method(:compile) do |node|
+    temple = [:multi]
+    temple << [:static, "<script>\n"]
+    temple << compile_with_tilt(node)
+    temple << [:static, "</script>"]
+    temple
+  end
+  klass.define_method(:compile_with_tilt) do |node|
+    # From Haml
+    text = ::Haml::Util.unescape_interpolation(node.value[:text]).gsub(/(\\+)n/) do |s|
+      escapes = $1.size
+      next s if escapes % 2 == 0
+      "#{'\\' * (escapes - 1)}\n"
+    end
+    text.prepend("\n").sub!(/\n"\z/, '"')
+    [:dynamic, "BrakemanFilter.render(#{text})"]
+  end
+end

data/lib/brakeman/parsers/rails2_erubis.rb CHANGED Viewed

@@ -1,6 +1,9 @@
 Brakeman.load_brakeman_dependency 'erubis'
+require 'brakeman/parsers/erubis_patch'
 #Erubis processor which ignores any output which is plain text.
 class Brakeman::ScannerErubis < Erubis::Eruby
   include Erubis::NoTextEnhancer
+  include Brakeman::ErubisPatch
 end

data/lib/brakeman/parsers/rails2_xss_plugin_erubis.rb CHANGED Viewed

@@ -1,7 +1,11 @@
 Brakeman.load_brakeman_dependency 'erubis'
+require 'brakeman/parsers/erubis_patch'
 #This is from the rails_xss plugin for Rails 2
 class Brakeman::Rails2XSSPluginErubis < ::Erubis::Eruby
+  include Brakeman::ErubisPatch
   def add_preamble(src)
     #src << "@output_buffer = ActiveSupport::SafeBuffer.new;"
   end

data/lib/brakeman/parsers/rails3_erubis.rb CHANGED Viewed

@@ -1,11 +1,15 @@
 Brakeman.load_brakeman_dependency 'erubis'
+require 'brakeman/parsers/erubis_patch'
 # This is from Rails 5 version of the Erubis handler
 # https://github.com/rails/rails/blob/ec608107801b1e505db03ba76bae4a326a5804ca/actionview/lib/action_view/template/handlers/erb.rb#L7-L73
 class Brakeman::Rails3Erubis < ::Erubis::Eruby
+  include Brakeman::ErubisPatch
   def add_preamble(src)
     @newline_pending = 0
+    src << "_this_is_to_make_yields_syntactally_correct {"
     src << "@output_buffer = output_buffer || ActionView::OutputBuffer.new;"
   end
@@ -62,7 +66,7 @@ class Brakeman::Rails3Erubis < ::Erubis::Eruby
   def add_postamble(src)
     flush_newline_if_pending(src)
-    src << '@output_buffer.to_s'
+    src << '@output_buffer.to_s; }'
   end
   def flush_newline_if_pending(src)

data/lib/brakeman/parsers/slim_embedded.rb CHANGED Viewed

@@ -2,6 +2,7 @@
 module Slim
   class Embedded
     class TiltEngine
+      alias_method :on_slim_embedded, :on_slim_embedded # silence redefined method warning
       def on_slim_embedded(engine, body, attrs)
         # Override this method to avoid Slim trying to load sass/scss and failing
         case engine
@@ -22,6 +23,7 @@ module Slim
     class SassEngine
       protected
+      alias_method :tilt_render, :tilt_render # silence redefined method warning
       def tilt_render(tilt_engine, tilt_options, text)
         [:dynamic,
          "BrakemanFilter.render(#{text.inspect}, #{self.class})"]

data/lib/brakeman/parsers/template_parser.rb CHANGED Viewed

@@ -24,6 +24,7 @@ module Brakeman
                 type = :erubis if erubis?
                 parse_erb path, text
               when :haml
+                type = :haml6 if haml6?
                 parse_haml path, text
               when :slim
                 parse_slim path, text
@@ -74,19 +75,43 @@ module Brakeman
     end
     def parse_haml path, text
-      Brakeman.load_brakeman_dependency 'haml'
-      require_relative 'haml_embedded'
+      if haml6?
+        require_relative 'haml6_embedded'
+        Haml::Template.new(filename: path.relative,
+                           :escape_html => tracker.config.escape_html?,
+                           generator: Temple::Generators::RailsOutputBuffer,
+                           use_html_safe: true,
+                           buffer_class: 'ActionView::OutputBuffer',
+                           disable_capture: true,
+                          ) { text }.precompiled_template
+      else
+        require_relative 'haml_embedded'
-      Haml::Engine.new(text,
-                       :filename => path,
-                       :escape_html => tracker.config.escape_html?,
-                       :escape_filter_interpolations => tracker.config.escape_filter_interpolations?
-                      ).precompiled.gsub(/([^\\])\\n/, '\1')
+        Haml::Engine.new(text,
+                         :filename => path,
+                         :escape_html => tracker.config.escape_html?,
+                         :escape_filter_interpolations => tracker.config.escape_filter_interpolations?
+                        ).precompiled.gsub(/([^\\])\\n/, '\1')
+      end
     rescue Haml::Error => e
       tracker.error e, ["While compiling HAML in #{path}"] << e.backtrace
       nil
     end
+    def haml6?
+      return @haml6 unless @haml6.nil?
+      Brakeman.load_brakeman_dependency 'haml'
+      major_version = Haml::VERSION.split('.').first.to_i
+      if major_version >= 6
+        @haml6 = true
+      else
+        @haml6 = false
+      end
+    end
     def parse_slim path, text
       Brakeman.load_brakeman_dependency 'slim'

data/lib/brakeman/processor.rb CHANGED Viewed

@@ -63,6 +63,8 @@ module Brakeman
         result = ErbTemplateProcessor.new(@tracker, name, called_from, file_name).process src
       when :haml
         result = HamlTemplateProcessor.new(@tracker, name, called_from, file_name).process src
+      when :haml6
+        result = Haml6TemplateProcessor.new(@tracker, name, called_from, file_name).process src
       when :erubis
         result = ErubisTemplateProcessor.new(@tracker, name, called_from, file_name).process src
       when :slim

data/lib/brakeman/processors/alias_processor.rb CHANGED Viewed

@@ -32,6 +32,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     @or_depth_limit = (tracker && tracker.options[:branch_limit]) || 5 #arbitrary default
     @meth_env = nil
     @current_file = current_file
+    @mass_limit = (tracker && tracker.options[:mass_limit]) || 1000 # arbitrary default
     set_env_defaults
   end
@@ -82,8 +83,12 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   def replace exp, int = 0
     return exp if int > 3
-    if replacement = env[exp] and not duplicate? replacement
-      replace(replacement.deep_clone(exp.line), int + 1)
+    if replacement = env[exp]
+      if not duplicate? replacement and replacement.mass < @mass_limit
+        replace(replacement.deep_clone(exp.line), int + 1)
+      else
+        exp
+      end
     elsif tracker and replacement = tracker.constant_lookup(exp) and not duplicate? replacement
       replace(replacement.deep_clone(exp.line), int + 1)
     else
@@ -92,6 +97,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   end
   def process_bracket_call exp
+    # TODO: What is even happening in this method?
     r = replace(exp)
     if r != exp
@@ -122,7 +128,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         return r
       end
     else
-      t = nil
+      t = exp.target # put it back?
     end
     if hash? t
@@ -237,6 +243,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         exp = math_op(method, target, first_arg, exp)
       end
     when :[]
+      # TODO: This might never be used because of process_bracket_call above
       if array? target
         exp = process_array_access(target, exp.args, exp)
       elsif hash? target
@@ -263,7 +270,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       end
     when :<<
       if string? target and string? first_arg
-        target.value << first_arg.value
+        target.value += first_arg.value
         env[target_var] = target
         return target
       elsif string? target and string_interp? first_arg
@@ -271,8 +278,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         env[target_var] = exp
       elsif string? first_arg and string_interp? target
         if string? target.last
-          target.last.value << first_arg.value
+          target.last.value += first_arg.value
         elsif target.last.is_a? String
+          # TODO Use target.last += ?
           target.last << first_arg.value
         else
           target << first_arg
@@ -368,7 +376,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     result << join_item(array.last, nil)
     # Combine the strings at the beginning because that's what RubyParser does
-    combined_first = ""
+    combined_first = +""
     result.each do |e|
       if string? e
         combined_first << e.value
@@ -529,8 +537,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   #Process a method definition on self.
   def process_defs exp
-    env.scope do
-      set_env_defaults
+    meth_env do
       exp.body = process_all! exp.body
     end
     exp
@@ -661,8 +668,10 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       exp[2] = exp[2][1]
     end
-    unless array? exp[1] and array? exp[2] and exp[1].length == exp[2].length
-      return process_default(exp)
+    unless array? exp[1] and array? exp[2]
+      # Already processed RHS, don't do it again
+      # https://github.com/presidentbeef/brakeman/issues/1877
+      return exp
     end
     vars = exp[1].dup
@@ -674,21 +683,42 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     # Call each assignment as if it is normal
     vars.each_with_index do |var, i|
       val = vals[i]
-      if val
+      next unless val # TODO: Break if there are no vals left?
-        # This happens with nested destructuring like
-        #   x, (a, b) = blah
-        if node_type? var, :masgn
-          # Need to add value to masgn exp
-          m = var.dup
-          m[2] = s(:to_ary, val)
+      # This happens with nested destructuring like
+      #   x, (a, b) = blah
+      if node_type? var, :masgn
+        # Need to add value to masgn exp
+        m = var.dup
+        m[2] = s(:to_ary, val)
-          process_masgn m
+        process_masgn m
+      elsif node_type? var, :splat
+        # Assign the rest of the values to the variable:
+        #
+        #   a, *b = 1, 2, 3
+        #
+        #   b == [2, 3]
+        assign = var[1].dup # var is s(:splat, s(:lasgn, :b))
+        if i == vars.length - 1 # Last variable being assigned, slurp up the rest
+          assign.rhs = s(:array, *vals[i..]) # val is the "rest" of the values
         else
-          assign = var.dup
-          assign.rhs = val
-          process assign
+          # Calculate how many values to assign based on how many variables
+          # there are.
+          #
+          # If there are more values than variables, the splat gets an empty array.
+          assign.rhs = s(:array, *vals[i, (vals.length - vars.length + 1)]).line(vals.line)
         end
+        process assign
+      else
+        assign = var.dup
+        assign.rhs = val
+        process assign
       end
     end

data/lib/brakeman/processors/base_processor.rb CHANGED Viewed

@@ -205,6 +205,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     rest = process rest
     result = Sexp.new(:render, render_type, value, rest)
     result.line(exp.line)
     result
   end
@@ -240,6 +241,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     elsif first_arg.nil?
       type = :default
     elsif not hash? first_arg
+      # Maybe do partial if in view?
       type = :action
       value = first_arg
     end

data/lib/brakeman/processors/haml6_template_processor.rb ADDED Viewed

@@ -0,0 +1,92 @@
+require 'brakeman/processors/haml_template_processor'
+class Brakeman::Haml6TemplateProcessor < Brakeman::HamlTemplateProcessor
+  OUTPUT_BUFFER = s(:ivar, :@output_buffer)
+  HAML_UTILS = s(:colon2, s(:colon3, :Haml), :Util)
+  HAML_UTILS2 = s(:colon2, s(:const, :Haml), :Util)
+  # @output_buffer = output_buffer || ActionView::OutputBuffer.new
+  AV_SAFE_BUFFER = s(:or, s(:call, nil, :output_buffer), s(:call, s(:colon2, s(:const, :ActionView), :OutputBuffer), :new))
+  EMBEDDED_FILTER = s(:const, :BrakemanFilter)
+  def initialize(*)
+    super
+    # Because of how Haml 6 handles line breaks -
+    # we have to track where _haml_compiler variables are assigned.
+    # then change the line number of where they are output to where
+    # they are assigned.
+    #
+    # Like this:
+    #
+    #   ; _haml_compiler1 = (params[:x];
+    #   ; ); @output_buffer.safe_concat((((::Haml::Util.escape_html_safe((_haml_compiler1))).to_s).to_s));
+    #
+    #  `_haml_compiler1` is output a line after it's assigned,
+    #  but the assignment matches the "real" line where it is output in the template.
+    @compiler_assigns = {}
+  end
+  # @output_buffer.safe_concat
+  def buffer_append? exp
+    call? exp and
+      output_buffer? exp.target and
+      exp.method == :safe_concat
+  end
+  def process_lasgn exp
+    if exp.lhs.match?(/_haml_compiler\d+/)
+      @compiler_assigns[exp.lhs] = exp.rhs
+      ignore
+    else
+      exp
+    end
+  end
+  def process_lvar exp
+    if exp.value.match?(/_haml_compiler\d+/)
+      exp = @compiler_assigns[exp.value] || exp
+    end
+    exp
+  end
+  def is_escaped? exp
+    return unless call? exp
+    html_escaped? exp or
+      javascript_escaped? exp
+  end
+  def javascript_escaped? call
+    # TODO: Adding here to match existing behavior for HAML,
+    # but really this is not safe and needs to be revisited
+      call.method == :j or
+        call.method == :escape_javascript
+  end
+  def html_escaped? call
+    (call.target == HAML_UTILS or call.target == HAML_UTILS2) and
+      (call.method == :escape_html or call.method == :escape_html_safe)
+  end
+  def output_buffer? exp
+    exp == OUTPUT_BUFFER or
+      exp == AV_SAFE_BUFFER
+  end
+  def normalize_output arg
+    arg = super(arg)
+    if embedded_filter? arg
+      super(arg.first_arg)
+    else
+      arg
+    end
+  end
+  # Handle our "fake" embedded filters
+  def embedded_filter? arg
+    call? arg and arg.method == :render and arg.target == EMBEDDED_FILTER
+  end
+end

data/lib/brakeman/processors/haml_template_processor.rb CHANGED Viewed

@@ -84,6 +84,12 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     :escape_once_without_haml_xss
   ]
+  def is_escaped? exp
+    return unless call? exp
+    haml_helpers? exp.target and ESCAPE_METHODS.include? exp.method
+  end
   def get_pushed_value exp, default = :output
     return exp unless sexp? exp
@@ -113,7 +119,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     when :call
       if exp.method == :to_s or exp.method == :strip
         get_pushed_value(exp.target, default)
-      elsif haml_helpers? exp.target and ESCAPE_METHODS.include? exp.method
+      elsif is_escaped? exp
         get_pushed_value(exp.first_arg, :escaped_output)
       elsif @javascript and (exp.method == :j or exp.method == :escape_javascript) # TODO: Remove - this is not safe
         get_pushed_value(exp.first_arg, :escaped_output)

data/lib/brakeman/processors/lib/file_type_detector.rb CHANGED Viewed

@@ -13,7 +13,7 @@ module Brakeman
         @file_type = guess_from_path(file.path.relative)
       end
-      @file_type || :libs
+      @file_type || :lib
     end
     MODEL_CLASSES = [
@@ -26,10 +26,10 @@ module Brakeman
       parent = class_name(exp.parent_name)
       if name.match(/Controller$/)
-        @file_type = :controllers
+        @file_type = :controller
         return exp
       elsif MODEL_CLASSES.include? parent
-        @file_type = :models
+        @file_type = :model
         return exp
       end
@@ -39,19 +39,21 @@ module Brakeman
     def guess_from_path path
       case
       when path.include?('app/models')
-        :models
+        :model
       when path.include?('app/controllers')
-        :controllers
+        :controller
       when path.include?('config/initializers')
-        :initializers
+        :initializer
       when path.include?('lib/')
-        :libs
+        :lib
       when path.match?(%r{config/environments/(?!production\.rb)$})
         :skip
       when path.match?(%r{environments/production\.rb$})
         :skip
       when path.match?(%r{application\.rb$})
         :skip
+      when path.match?(%r{config/routes\.rb$})
+        :skip
       end
     end