brakeman 6.1.2 → 7.1.0

data/lib/brakeman/options.rb

@@ -71,6 +71,10 @@ module Brakeman::Options
           options[:ensure_ignore_notes] = true
         end
 
+        opts.on "--ensure-no-obsolete-ignore-entries", "Fail when an obsolete ignore entry is found" do
+          options[:ensure_no_obsolete_ignore_entries] = true
+        end
+
         opts.on "-3", "--rails3", "Force Rails 3 mode" do
           options[:rails3] = true
         end
@@ -101,6 +105,15 @@ module Brakeman::Options
           options[:rails7] = true
         end
 
+        opts.on "-8", "--rails8", "Force Rails 8 mode" do
+          options[:rails3] = true
+          options[:rails4] = true
+          options[:rails5] = true
+          options[:rails6] = true
+          options[:rails7] = true
+          options[:rails8] = true
+        end
+
         opts.separator ""
         opts.separator "Scanning options:"
 
@@ -150,6 +163,22 @@ module Brakeman::Options
           options[:parser_timeout] = timeout
         end
 
+        opts.on "--[no-]prism", "Use the Prism parser" do |use_prism|
+          if use_prism
+            min_prism_version = '1.0.0'
+
+            begin
+              gem 'prism', ">=#{min_prism_version}"
+              require 'prism'
+            rescue Gem::MissingSpecVersionError, Gem::MissingSpecError, Gem::LoadError => e
+              $stderr.puts "Please install `prism` version #{min_prism_version} or newer:"
+              raise e
+            end
+          end
+
+          options[:use_prism] = use_prism
+        end
+
         opts.on "-r", "--report-direct", "Only report direct use of untrusted data" do |option|
           options[:check_arguments] = !option
         end
@@ -197,12 +226,20 @@ module Brakeman::Options
           options[:engine_paths].merge paths
         end
 
+        opts.on '--[no-]follow-symlinks', 'Follow symbolic links for directions' do |follow_symlinks|
+          options[:follow_symlinks] = follow_symlinks
+        end
+
+        opts.on '--gemfile GEMFILE', 'Specify Gemfile to scan' do |gemfile|
+          options[:gemfile] = gemfile
+        end
+
         opts.on "-E", "--enable Check1,Check2,etc", Array, "Enable the specified checks" do |checks|
           checks.map! do |check|
             if check.start_with? "Check"
               check
             else
-              "Check" << check
+              "Check#{check}"
             end
           end
 
@@ -213,7 +250,7 @@ module Brakeman::Options
         opts.on "-t", "--test Check1,Check2,etc", Array, "Only run the specified checks" do |checks|
           checks.each_with_index do |s, index|
             if s[0,5] != "Check"
-              checks[index] = "Check" << s
+              checks[index] = "Check#{s}"
             end
           end
 
@@ -224,7 +261,7 @@ module Brakeman::Options
         opts.on "-x", "--except Check1,Check2,etc", Array, "Skip the specified checks" do |skip|
           skip.each do |s|
             if s[0,5] != "Check"
-              s = "Check" << s
+              s = "Check#{s}"
             end
 
             options[:skip_checks] ||= Set.new
@@ -254,7 +291,7 @@ module Brakeman::Options
           "Specify output formats. Default is text" do |type|
 
           type = "s" if type == :text
-          options[:output_format] = ("to_" << type.to_s).to_sym
+          options[:output_format] = :"to_#{type}"
         end
 
         opts.on "--css-file CSSFile", "Specify CSS to use for HTML output" do |file|
@@ -269,6 +306,10 @@ module Brakeman::Options
           options[:interactive_ignore] = true
         end
 
+        opts.on "--show-ignored", "Show files that are usually ignored by the ignore configuration file" do
+          options[:show_ignored] = true
+        end
+
         opts.on "-l", "--[no-]combine-locations", "Combine warning locations (Default)" do |combine|
           options[:combine_locations] = combine
         end

data/lib/brakeman/parsers/erubis_patch.rb

@@ -0,0 +1,11 @@
+module Brakeman::ErubisPatch
+  # Simple patch to make `erubis` compatible with frozen string literals
+  def convert(input)
+    codebuf = +"" # Modified line, the rest is identitical
+    @preamble.nil? ? add_preamble(codebuf) : (@preamble && (codebuf << @preamble))
+    convert_input(codebuf, input)
+    @postamble.nil? ? add_postamble(codebuf) : (@postamble && (codebuf << @postamble))
+    @_proc = nil    # clear cached proc object
+    return codebuf  # or codebuf.join()
+  end
+end

data/lib/brakeman/parsers/haml6_embedded.rb

@@ -0,0 +1,23 @@
+[:Coffee, :CoffeeScript, :Markdown, :Sass].each do |name|
+  klass = Module.const_get("Haml::Filters::#{name}")
+
+  klass.define_method(:compile) do |node|
+    temple = [:multi]
+    temple << [:static, "<script>\n"]
+    temple << compile_with_tilt(node)
+    temple << [:static, "</script>"]
+    temple
+  end
+
+  klass.define_method(:compile_with_tilt) do |node|
+    # From Haml
+    text = ::Haml::Util.unescape_interpolation(node.value[:text]).gsub(/(\\+)n/) do |s|
+      escapes = $1.size
+      next s if escapes % 2 == 0
+      "#{'\\' * (escapes - 1)}\n"
+    end
+    text.prepend("\n").sub!(/\n"\z/, '"')
+
+    [:dynamic, "BrakemanFilter.render(#{text})"]
+  end
+end

data/lib/brakeman/parsers/rails2_erubis.rb

@@ -1,6 +1,9 @@
 Brakeman.load_brakeman_dependency 'erubis'
 
+require 'brakeman/parsers/erubis_patch'
+
 #Erubis processor which ignores any output which is plain text.
 class Brakeman::ScannerErubis < Erubis::Eruby
   include Erubis::NoTextEnhancer
+  include Brakeman::ErubisPatch
 end

data/lib/brakeman/parsers/rails2_xss_plugin_erubis.rb

@@ -1,7 +1,11 @@
 Brakeman.load_brakeman_dependency 'erubis'
 
+require 'brakeman/parsers/erubis_patch'
+
 #This is from the rails_xss plugin for Rails 2
 class Brakeman::Rails2XSSPluginErubis < ::Erubis::Eruby
+  include Brakeman::ErubisPatch
+
   def add_preamble(src)
     #src << "@output_buffer = ActiveSupport::SafeBuffer.new;"
   end

data/lib/brakeman/parsers/rails3_erubis.rb

@@ -1,11 +1,15 @@
 Brakeman.load_brakeman_dependency 'erubis'
 
+require 'brakeman/parsers/erubis_patch'
+
 # This is from Rails 5 version of the Erubis handler
 # https://github.com/rails/rails/blob/ec608107801b1e505db03ba76bae4a326a5804ca/actionview/lib/action_view/template/handlers/erb.rb#L7-L73
 class Brakeman::Rails3Erubis < ::Erubis::Eruby
+  include Brakeman::ErubisPatch
 
   def add_preamble(src)
     @newline_pending = 0
+    src << "_this_is_to_make_yields_syntactally_correct {"
     src << "@output_buffer = output_buffer || ActionView::OutputBuffer.new;"
   end
 
@@ -62,7 +66,7 @@ class Brakeman::Rails3Erubis < ::Erubis::Eruby
 
   def add_postamble(src)
     flush_newline_if_pending(src)
-    src << '@output_buffer.to_s'
+    src << '@output_buffer.to_s; }'
   end
 
   def flush_newline_if_pending(src)

data/lib/brakeman/parsers/slim_embedded.rb

@@ -2,6 +2,7 @@
 module Slim
   class Embedded
     class TiltEngine
+      alias_method :on_slim_embedded, :on_slim_embedded # silence redefined method warning
       def on_slim_embedded(engine, body, attrs)
         # Override this method to avoid Slim trying to load sass/scss and failing
         case engine
@@ -22,6 +23,7 @@ module Slim
     class SassEngine
       protected
 
+      alias_method :tilt_render, :tilt_render # silence redefined method warning
       def tilt_render(tilt_engine, tilt_options, text)
         [:dynamic,
          "BrakemanFilter.render(#{text.inspect}, #{self.class})"]

data/lib/brakeman/parsers/template_parser.rb

@@ -24,6 +24,7 @@ module Brakeman
                 type = :erubis if erubis?
                 parse_erb path, text
               when :haml
+                type = :haml6 if haml6?
                 parse_haml path, text
               when :slim
                 parse_slim path, text
@@ -74,19 +75,43 @@ module Brakeman
     end
 
     def parse_haml path, text
-      Brakeman.load_brakeman_dependency 'haml'
-      require_relative 'haml_embedded'
+      if haml6?
+        require_relative 'haml6_embedded'
+
+        Haml::Template.new(filename: path.relative,
+                           :escape_html => tracker.config.escape_html?,
+                           generator: Temple::Generators::RailsOutputBuffer,
+                           use_html_safe: true,
+                           buffer_class: 'ActionView::OutputBuffer',
+                           disable_capture: true,
+                          ) { text }.precompiled_template
+      else
+        require_relative 'haml_embedded'
 
-      Haml::Engine.new(text,
-                       :filename => path,
-                       :escape_html => tracker.config.escape_html?,
-                       :escape_filter_interpolations => tracker.config.escape_filter_interpolations?
-                      ).precompiled.gsub(/([^\\])\\n/, '\1')
+        Haml::Engine.new(text,
+                         :filename => path,
+                         :escape_html => tracker.config.escape_html?,
+                         :escape_filter_interpolations => tracker.config.escape_filter_interpolations?
+                        ).precompiled.gsub(/([^\\])\\n/, '\1')
+      end
     rescue Haml::Error => e
       tracker.error e, ["While compiling HAML in #{path}"] << e.backtrace
       nil
     end
 
+    def haml6?
+      return @haml6 unless @haml6.nil?
+
+      Brakeman.load_brakeman_dependency 'haml'
+      major_version = Haml::VERSION.split('.').first.to_i
+
+      if major_version >= 6
+        @haml6 = true
+      else
+        @haml6 = false
+      end
+    end
+
     def parse_slim path, text
       Brakeman.load_brakeman_dependency 'slim'
 

data/lib/brakeman/processor.rb

@@ -63,6 +63,8 @@ module Brakeman
         result = ErbTemplateProcessor.new(@tracker, name, called_from, file_name).process src
       when :haml
         result = HamlTemplateProcessor.new(@tracker, name, called_from, file_name).process src
+      when :haml6
+        result = Haml6TemplateProcessor.new(@tracker, name, called_from, file_name).process src
       when :erubis
         result = ErubisTemplateProcessor.new(@tracker, name, called_from, file_name).process src
       when :slim

data/lib/brakeman/processors/alias_processor.rb

@@ -97,6 +97,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   end
 
   def process_bracket_call exp
+    # TODO: What is even happening in this method?
     r = replace(exp)
 
     if r != exp
@@ -127,7 +128,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         return r
       end
     else
-      t = nil
+      t = exp.target # put it back?
     end
 
     if hash? t
@@ -242,6 +243,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         exp = math_op(method, target, first_arg, exp)
       end
     when :[]
+      # TODO: This might never be used because of process_bracket_call above
       if array? target
         exp = process_array_access(target, exp.args, exp)
       elsif hash? target
@@ -268,7 +270,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       end
     when :<<
       if string? target and string? first_arg
-        target.value << first_arg.value
+        target.value += first_arg.value
         env[target_var] = target
         return target
       elsif string? target and string_interp? first_arg
@@ -276,8 +278,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         env[target_var] = exp
       elsif string? first_arg and string_interp? target
         if string? target.last
-          target.last.value << first_arg.value
+          target.last.value += first_arg.value
         elsif target.last.is_a? String
+          # TODO Use target.last += ?
           target.last << first_arg.value
         else
           target << first_arg
@@ -373,7 +376,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     result << join_item(array.last, nil)
 
     # Combine the strings at the beginning because that's what RubyParser does
-    combined_first = ""
+    combined_first = +""
     result.each do |e|
       if string? e
         combined_first << e.value
@@ -665,8 +668,10 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       exp[2] = exp[2][1]
     end
 
-    unless array? exp[1] and array? exp[2] and exp[1].length == exp[2].length
-      return process_default(exp)
+    unless array? exp[1] and array? exp[2]
+      # Already processed RHS, don't do it again
+      # https://github.com/presidentbeef/brakeman/issues/1877
+      return exp
     end
 
     vars = exp[1].dup
@@ -678,21 +683,42 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     # Call each assignment as if it is normal
     vars.each_with_index do |var, i|
       val = vals[i]
-      if val
+      next unless val # TODO: Break if there are no vals left?
+
+      # This happens with nested destructuring like
+      #   x, (a, b) = blah
+      if node_type? var, :masgn
+        # Need to add value to masgn exp
+        m = var.dup
+        m[2] = s(:to_ary, val)
+
+        process_masgn m
+      elsif node_type? var, :splat
+        # Assign the rest of the values to the variable:
+        #
+        #   a, *b = 1, 2, 3
+        #
+        #   b == [2, 3]
+
 
-        # This happens with nested destructuring like
-        #   x, (a, b) = blah
-        if node_type? var, :masgn
-          # Need to add value to masgn exp
-          m = var.dup
-          m[2] = s(:to_ary, val)
+        assign = var[1].dup # var is s(:splat, s(:lasgn, :b))
 
-          process_masgn m
+        if i == vars.length - 1 # Last variable being assigned, slurp up the rest
+          assign.rhs = s(:array, *vals[i..]) # val is the "rest" of the values
         else
-          assign = var.dup
-          assign.rhs = val
-          process assign
+          # Calculate how many values to assign based on how many variables
+          # there are.
+          #
+          # If there are more values than variables, the splat gets an empty array.
+
+          assign.rhs = s(:array, *vals[i, (vals.length - vars.length + 1)]).line(vals.line)
         end
+
+        process assign
+      else
+        assign = var.dup
+        assign.rhs = val
+        process assign
       end
     end
 

data/lib/brakeman/processors/base_processor.rb

@@ -205,6 +205,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     rest = process rest
     result = Sexp.new(:render, render_type, value, rest)
     result.line(exp.line)
+
     result
   end
 
@@ -240,6 +241,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     elsif first_arg.nil?
       type = :default
     elsif not hash? first_arg
+      # Maybe do partial if in view?
       type = :action
       value = first_arg
     end

data/lib/brakeman/processors/haml6_template_processor.rb

@@ -0,0 +1,92 @@
+require 'brakeman/processors/haml_template_processor'
+
+class Brakeman::Haml6TemplateProcessor < Brakeman::HamlTemplateProcessor
+
+  OUTPUT_BUFFER = s(:ivar, :@output_buffer)
+  HAML_UTILS = s(:colon2, s(:colon3, :Haml), :Util)
+  HAML_UTILS2 = s(:colon2, s(:const, :Haml), :Util)
+  # @output_buffer = output_buffer || ActionView::OutputBuffer.new
+  AV_SAFE_BUFFER = s(:or, s(:call, nil, :output_buffer), s(:call, s(:colon2, s(:const, :ActionView), :OutputBuffer), :new))
+  EMBEDDED_FILTER = s(:const, :BrakemanFilter)
+
+  def initialize(*)
+    super
+
+    # Because of how Haml 6 handles line breaks -
+    # we have to track where _haml_compiler variables are assigned.
+    # then change the line number of where they are output to where
+    # they are assigned.
+    #
+    # Like this:
+    #
+    #   ; _haml_compiler1 = (params[:x]; 
+    #   ; ); @output_buffer.safe_concat((((::Haml::Util.escape_html_safe((_haml_compiler1))).to_s).to_s));
+    #
+    #  `_haml_compiler1` is output a line after it's assigned,
+    #  but the assignment matches the "real" line where it is output in the template.
+    @compiler_assigns = {}
+  end
+
+  # @output_buffer.safe_concat
+  def buffer_append? exp
+    call? exp and
+      output_buffer? exp.target and
+      exp.method == :safe_concat
+  end
+
+  def process_lasgn exp
+    if exp.lhs.match?(/_haml_compiler\d+/)
+      @compiler_assigns[exp.lhs] = exp.rhs
+      ignore
+    else
+      exp
+    end
+  end
+
+  def process_lvar exp
+    if exp.value.match?(/_haml_compiler\d+/)
+      exp = @compiler_assigns[exp.value] || exp
+    end
+
+    exp
+  end
+
+  def is_escaped? exp
+    return unless call? exp
+
+    html_escaped? exp or
+      javascript_escaped? exp
+  end
+
+  def javascript_escaped? call
+    # TODO: Adding here to match existing behavior for HAML,
+    # but really this is not safe and needs to be revisited
+      call.method == :j or
+        call.method == :escape_javascript
+  end
+
+  def html_escaped? call
+    (call.target == HAML_UTILS or call.target == HAML_UTILS2) and
+      (call.method == :escape_html or call.method == :escape_html_safe)
+  end
+
+  def output_buffer? exp
+    exp == OUTPUT_BUFFER or
+      exp == AV_SAFE_BUFFER
+  end
+
+  def normalize_output arg
+    arg = super(arg)
+
+    if embedded_filter? arg
+      super(arg.first_arg)
+    else
+      arg
+    end
+  end
+
+  # Handle our "fake" embedded filters
+  def embedded_filter? arg
+    call? arg and arg.method == :render and arg.target == EMBEDDED_FILTER
+  end
+end

data/lib/brakeman/processors/haml_template_processor.rb

@@ -84,6 +84,12 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     :escape_once_without_haml_xss
   ]
 
+  def is_escaped? exp
+    return unless call? exp
+
+    haml_helpers? exp.target and ESCAPE_METHODS.include? exp.method
+  end
+
   def get_pushed_value exp, default = :output
     return exp unless sexp? exp
 
@@ -113,7 +119,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     when :call
       if exp.method == :to_s or exp.method == :strip
         get_pushed_value(exp.target, default)
-      elsif haml_helpers? exp.target and ESCAPE_METHODS.include? exp.method
+      elsif is_escaped? exp
         get_pushed_value(exp.first_arg, :escaped_output)
       elsif @javascript and (exp.method == :j or exp.method == :escape_javascript) # TODO: Remove - this is not safe
         get_pushed_value(exp.first_arg, :escaped_output)

data/lib/brakeman/processors/lib/file_type_detector.rb

@@ -13,7 +13,7 @@ module Brakeman
         @file_type = guess_from_path(file.path.relative)
       end
 
-      @file_type || :libs
+      @file_type || :lib
     end
 
     MODEL_CLASSES = [
@@ -26,10 +26,10 @@ module Brakeman
       parent = class_name(exp.parent_name)
 
       if name.match(/Controller$/)
-        @file_type = :controllers
+        @file_type = :controller
         return exp
       elsif MODEL_CLASSES.include? parent
-        @file_type = :models
+        @file_type = :model
         return exp
       end
 
@@ -39,19 +39,21 @@ module Brakeman
     def guess_from_path path
       case
       when path.include?('app/models')
-        :models
+        :model
       when path.include?('app/controllers')
-        :controllers
+        :controller
       when path.include?('config/initializers')
-        :initializers
+        :initializer
       when path.include?('lib/')
-        :libs
+        :lib
       when path.match?(%r{config/environments/(?!production\.rb)$})
         :skip
       when path.match?(%r{environments/production\.rb$})
         :skip
       when path.match?(%r{application\.rb$})
         :skip
+      when path.match?(%r{config/routes\.rb$})
+        :skip
       end
     end
 

data/lib/brakeman/processors/lib/render_helper.rb

@@ -9,7 +9,14 @@ module Brakeman::RenderHelper
     @rendered = true
     case exp.render_type
     when :action, :template, :inline
-      process_action exp[2][1], exp[3], exp.line
+      action = exp[2]
+      args = exp[3]
+
+      if string? action or symbol? action
+        process_action action.value, args, exp.line
+      else
+        process_model_action action, args
+      end
     when :default
       begin
         process_template template_name, exp[3], nil, exp.line
@@ -49,6 +56,36 @@ module Brakeman::RenderHelper
   def process_action name, args, line
     if name.is_a? String or name.is_a? Symbol
       process_template template_name(name), args, nil, line
+    else
+      Brakeman.debug "Not processing render #{name.inspect}"
+    end
+  end
+
+  SINGLE_RECORD = [:first, :find, :last, :new]
+  COLLECTION = [:all, :where]
+
+  def process_model_action action, args
+    return unless call? action
+
+    method = action.method
+
+    klass = get_class_target(action) || Brakeman::Tracker::UNKNOWN_MODEL
+    name = Sexp.new(:lit, klass.downcase)
+
+    if SINGLE_RECORD.include? method
+      # Set a local variable with name based on class of model
+      # and value of the value passed to render
+      local_key = Sexp.new(:lit, :locals)
+      locals = hash_access(args, local_key) || Sexp.new(:hash)
+      hash_insert(locals, name, action)
+      hash_insert(args, local_key, locals)
+
+      process_partial name, args, action.line
+    elsif COLLECTION.include? method
+      collection_key = Sexp.new(:lit, :collection)
+      hash_insert(args, collection_key, action)
+
+      process_partial name, args, action.line
     end
   end
 

data/lib/brakeman/processors/template_processor.rb

@@ -56,7 +56,7 @@ class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
   # Pull out actual output value from template
   def normalize_output arg
     if call? arg and [:to_s, :html_safe!, :freeze].include? arg.method
-      arg.target
+      normalize_output(arg.target) # sometimes it's foo.to_s.to_s
     elsif node_type? arg, :if
       branches = [arg.then_clause, arg.else_clause].compact
 

data/lib/brakeman/report/ignore/config.rb

@@ -130,7 +130,6 @@ module Brakeman
 
       output = {
         :ignored_warnings => warnings,
-        :updated => Time.now.to_s,
         :brakeman_version => Brakeman::Version
       }
 

data/lib/brakeman/report/report_html.rb

@@ -1,4 +1,4 @@
-require 'cgi'
+require 'cgi/escape'
 require 'brakeman/report/report_table.rb'
 
 class Brakeman::Report::HTML < Brakeman::Report::Table