RubyGems - brakeman - Versions diffs - 6.1.2 → 7.1.0 - Mend

brakeman 6.1.2 → 7.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (617) hide show

data/lib/brakeman/scanner.rb CHANGED Viewed

@@ -7,6 +7,7 @@ begin
   require 'brakeman/file_parser'
   require 'brakeman/parsers/template_parser'
   require 'brakeman/processors/lib/file_type_detector'
+  require 'brakeman/tracker/file_cache'
 rescue LoadError => e
   $stderr.puts e.message
   $stderr.puts "Please install the appropriate dependency."
@@ -31,6 +32,7 @@ class Brakeman::Scanner
     @processor = processor || Brakeman::Processor.new(@app_tree, options)
     @show_timing = tracker.options[:debug] || tracker.options[:show_timing]
+    @per_file_timing = tracker.options[:debug] && tracker.options[:show_timing]
   end
   #Returns the Tracker generated from the scan
@@ -38,6 +40,10 @@ class Brakeman::Scanner
     @processor.tracked_events
   end
+  def file_cache
+    tracker.file_cache
+  end
   def process_step description
     Brakeman.notify "#{description}...".ljust(40)
@@ -53,7 +59,7 @@ class Brakeman::Scanner
   end
   def process_step_file description
-    if @show_timing
+    if @per_file_timing
       Brakeman.notify "Processing #{description}"
       start_t = Time.now
@@ -67,7 +73,7 @@ class Brakeman::Scanner
   end
   #Process everything in the Rails application
-  def process
+  def process(ruby_paths: nil, template_paths: nil)
     process_step 'Processing gems' do
       process_gems
     end
@@ -77,14 +83,30 @@ class Brakeman::Scanner
       process_config
     end
+    # -
+    # If ruby_paths or template_paths are set,
+    # only parse those files. The rest will be fetched
+    # from the file cache.
+    #
+    # Otherwise, parse everything normally.
+    #
+    astfiles = nil
+    process_step 'Finding files' do
+      ruby_paths ||= tracker.app_tree.ruby_file_paths
+      template_paths ||= tracker.app_tree.template_paths
+    end
     process_step 'Parsing files' do
-      parse_files
+      astfiles = parse_files(ruby_paths: ruby_paths, template_paths: template_paths)
     end
     process_step 'Detecting file types' do
-      detect_file_types
+      detect_file_types(astfiles)
     end
+    tracker.save_file_cache! if support_rescanning?
+    # -
     process_step 'Processing initializers' do
       process_initializers
     end
@@ -124,44 +146,37 @@ class Brakeman::Scanner
     tracker
   end
-  def parse_files
-    fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout], tracker.options[:parallel_checks])
+  def parse_files(ruby_paths:, template_paths:)
+    fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout], tracker.options[:parallel_checks], tracker.options[:use_prism])
-    fp.parse_files tracker.app_tree.ruby_file_paths
+    fp.parse_files ruby_paths
     template_parser = Brakeman::TemplateParser.new(tracker, fp)
-    fp.read_files(@app_tree.template_paths) do |path, contents|
-      template_parser.parse_template path, contents
+    fp.read_files(template_paths) do |path, contents|
+      template_parser.parse_template(path, contents)
     end
     # Collect errors raised during parsing
     tracker.add_errors(fp.errors)
-    @parsed_files = fp.file_list
+    fp.file_list
   end
-  def detect_file_types
-    @file_list = {
-      controllers: [],
-      initializers: [],
-      libs: [],
-      models: [],
-      templates: [],
-    }
+  def detect_file_types(astfiles)
     detector = Brakeman::FileTypeDetector.new
-    @parsed_files.each do |file|
+    astfiles.each do |file|
       if file.is_a? Brakeman::TemplateParser::TemplateFile
-        @file_list[:templates] << file
+        file_cache.add_file file, :template
       else
         type = detector.detect_type(file)
         unless type == :skip
-          if @file_list[type].nil?
-            raise type.to_s
+          if file_cache.valid_type? type
+            file_cache.add_file(file, type)
           else
-            @file_list[type] << file
+            raise "Unexpected file type: #{type.inspect}"
           end
         end
       end
@@ -216,21 +231,29 @@ class Brakeman::Scanner
   #Process Gemfile
   def process_gems
     gem_files = {}
+    gem_file_names = ['Gemfile', 'gems.rb']
+    lock_file_names = ['Gemfile.lock', 'gems.locked']
-    if @app_tree.exists? "Gemfile"
-      file = @app_tree.file_path("Gemfile")
-      gem_files[:gemfile] = { :src => parse_ruby_file(file), :file => file }
-    elsif @app_tree.exists? "gems.rb"
-      file = @app_tree.file_path("gems.rb")
-      gem_files[:gemfile] = { :src => parse_ruby_file(file), :file => file }
+    if tracker.options[:gemfile]
+      name = tracker.options[:gemfile]
+      gem_file_names.unshift name
+      lock_file_names.unshift "#{name}.lock"
     end
-    if @app_tree.exists? "Gemfile.lock"
-      file = @app_tree.file_path("Gemfile.lock")
-      gem_files[:gemlock] = { :src => file.read, :file => file }
-    elsif @app_tree.exists? "gems.locked"
-      file = @app_tree.file_path("gems.locked")
-      gem_files[:gemlock] = { :src => file.read, :file => file }
+    gem_file_names.each do |name|
+      if @app_tree.exists? name
+        file = @app_tree.file_path(name)
+        gem_files[:gemfile] = { :src => parse_ruby_file(file), :file => file }
+        break
+      end
+    end
+    lock_file_names.each do |name|
+      if @app_tree.exists? name
+        file = @app_tree.file_path(name)
+        gem_files[:gemlock] = { :src => file.read, :file => file }
+        break
+      end
     end
     if @app_tree.gemspec
@@ -268,8 +291,8 @@ class Brakeman::Scanner
   #
   #Adds parsed information to tracker.initializers
   def process_initializers
-    track_progress @file_list[:initializers] do |init|
-      process_step_file init[:path] do
+    track_progress file_cache.initializers do |path, init|
+      process_step_file path do
         process_initializer init
       end
     end
@@ -289,8 +312,10 @@ class Brakeman::Scanner
       return
     end
-    track_progress @file_list[:libs] do |lib|
-      process_step_file lib.path do
+    libs = file_cache.libs.sort_by { |path, _| path }
+    track_progress libs do |path, lib|
+      process_step_file path do
         process_lib lib
       end
     end
@@ -322,15 +347,17 @@ class Brakeman::Scanner
   #
   #Adds processed controllers to tracker.controllers
   def process_controllers
-    track_progress @file_list[:controllers] do |controller|
-      process_step_file controller.path do
+    controllers = file_cache.controllers.sort_by { |path, _| path }
+    track_progress controllers do |path, controller|
+      process_step_file path do
         process_controller controller
       end
     end
   end
   def process_controller_data_flows
-    controllers = tracker.controllers.sort_by { |name, _| name.to_s }
+    controllers = tracker.controllers.sort_by { |name, _| name }
     track_progress controllers, "controllers" do |name, controller|
       process_step_file name do
@@ -356,10 +383,10 @@ class Brakeman::Scanner
   #
   #Adds processed views to tracker.views
   def process_templates
-    templates = @file_list[:templates].sort_by { |t| t[:path] }
+    templates = file_cache.templates.sort_by { |path, _| path }
-    track_progress templates, "templates" do |template|
-      process_step_file template[:path] do
+    track_progress templates, "templates" do |path, template|
+      process_step_file path do
         process_template template
       end
     end
@@ -370,7 +397,7 @@ class Brakeman::Scanner
   end
   def process_template_data_flows
-    templates = tracker.templates.sort_by { |name, _| name.to_s }
+    templates = tracker.templates.sort_by { |name, _| name }
     track_progress templates, "templates" do |name, template|
       process_step_file name do
@@ -383,15 +410,17 @@ class Brakeman::Scanner
   #
   #Adds the processed models to tracker.models
   def process_models
-    track_progress @file_list[:models] do |model|
-      process_step_file model[:path] do
-        process_model model[:path], model[:ast]
+    models = file_cache.models.sort_by { |path, _| path }
+    track_progress models do |path, model|
+      process_step_file path do
+        process_model model
       end
     end
   end
-  def process_model path, ast
-    @processor.process_model(ast, path)
+  def process_model astfile
+    @processor.process_model(astfile.ast, astfile.path)
   end
   def track_progress list, type = "files"
@@ -414,12 +443,16 @@ class Brakeman::Scanner
   end
   def parse_ruby_file file
-    fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
+    fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout], false, tracker.options[:use_prism])
     fp.parse_ruby(file.read, file)
   rescue Exception => e
     tracker.error(e)
     nil
   end
+  def support_rescanning?
+    tracker.options[:support_rescanning]
+  end
 end
 # This is to allow operation without loading the Haml library

data/lib/brakeman/tracker/config.rb CHANGED Viewed

@@ -111,6 +111,14 @@ module Brakeman
             tracker.options[:rails6] = true
             tracker.options[:rails7] = true
             Brakeman.notify "[Notice] Detected Rails 7 application"
+          elsif @rails_version.start_with? "8"
+            tracker.options[:rails3] = true
+            tracker.options[:rails4] = true
+            tracker.options[:rails5] = true
+            tracker.options[:rails6] = true
+            tracker.options[:rails7] = true
+            tracker.options[:rails8] = true
+            Brakeman.notify "[Notice] Detected Rails 8 application"
           end
         end
       end
@@ -193,7 +201,7 @@ module Brakeman
       version = tracker.config.rails[:load_defaults].value.to_s
-      unless version.match? /^\d+\.\d+$/
+      unless version.match?(/^\d+\.\d+$/)
         Brakeman.debug "[Notice] Unknown version: #{tracker.config.rails[:load_defaults]}"
         return
       end

data/lib/brakeman/tracker/file_cache.rb ADDED Viewed

@@ -0,0 +1,83 @@
+module Brakeman
+  class FileCache
+    def initialize(file_list = nil)
+      @file_list = file_list || {
+        controller: {},
+        initializer: {},
+        lib: {},
+        model: {},
+        template: {},
+      }
+    end
+    def controllers
+      @file_list[:controller]
+    end
+    def initializers
+      @file_list[:initializer]
+    end
+    def libs
+      @file_list[:lib]
+    end
+    def models
+      @file_list[:model]
+    end
+    def templates
+      @file_list[:template]
+    end
+    def add_file(astfile, type)
+      raise "Unknown type: #{type}" unless valid_type? type
+      @file_list[type][astfile.path] = astfile
+    end
+    def valid_type?(type)
+      @file_list.key? type
+    end
+    def cached? path
+      @file_list.any? do |name, list|
+        list[path]
+      end
+    end
+    def delete path
+      @file_list.each do |name, list|
+        list.delete path
+      end
+    end
+    def diff other
+      @file_list.each do |name, list|
+        other_list = other.send(:"#{name}s")
+        if list == other_list
+          next
+        else
+          puts "-- #{name} --"
+          puts "Old: #{other_list.keys - list.keys}"
+          puts "New: #{list.keys - other_list.keys}"
+        end
+      end
+    end
+    def dup
+      copy_file_list = @file_list.map do |name, list|
+        copy_list = list.map do |path, astfile|
+          copy_astfile = astfile.dup
+          copy_astfile.ast = copy_astfile.ast.deep_clone
+          [path, copy_astfile]
+        end.to_h
+        [name, copy_list]
+      end.to_h
+      FileCache.new(copy_file_list)
+    end
+  end
+end

data/lib/brakeman/tracker.rb CHANGED Viewed

@@ -12,7 +12,7 @@ class Brakeman::Tracker
   attr_accessor :controllers, :constants, :templates, :models, :errors,
     :checks, :initializers, :config, :routes, :processor, :libs,
     :template_cache, :options, :filter_cache, :start_time, :end_time,
-    :duration, :ignored_filter, :app_tree
+    :duration, :ignored_filter, :app_tree, :file_cache, :pristine_file_cache
   #Place holder when there should be a model, but it is not
   #clear what model it will be.
@@ -26,15 +26,22 @@ class Brakeman::Tracker
     @app_tree = app_tree
     @processor = processor
     @options = options
+    @file_cache = Brakeman::FileCache.new
+    @pristine_file_cache = nil
-    @config = Brakeman::Config.new(self)
+    reset_all
+  end
+  def reset_all
     @templates = {}
     @controllers = {}
     #Initialize models with the unknown model so
     #we can match models later without knowing precisely what
     #class they are.
     @models = {}
     @models[UNKNOWN_MODEL] = Brakeman::Model.new(UNKNOWN_MODEL, nil, @app_tree.file_path("NOT_REAL.rb"), nil, self)
     @method_cache = {}
     @routes = {}
     @initializers = {}
@@ -46,11 +53,16 @@ class Brakeman::Tracker
     @template_cache = Set.new
     @filter_cache = {}
     @call_index = nil
+    @config = Brakeman::Config.new(self)
     @start_time = Time.now
     @end_time = nil
     @duration = nil
   end
+  def save_file_cache!
+    @pristine_file_cache = @file_cache.dup
+  end
   #Add an error to the list. If no backtrace is given,
   #the one from the exception will be used.
   def error exception, backtrace = nil
@@ -301,6 +313,11 @@ class Brakeman::Tracker
       method_sets << self.controllers
     end
+    if locations.include? :libs
+      classes_to_reindex.merge self.libs.keys
+      method_sets << self.libs
+    end
     if locations.include? :initializers
       self.initializers.each do |file_name, src|
         @call_index.remove_indexes_by_file file_name
@@ -424,4 +441,10 @@ class Brakeman::Tracker
     @call_index.remove_indexes_by_file path
   end
+  # Call this to be able to marshal the Tracker
+  def marshallable
+    @app_tree.marshallable
+    self
+  end
 end

data/lib/brakeman/util.rb CHANGED Viewed

@@ -63,14 +63,12 @@ module Brakeman::Util
     case exp
     when Sexp
       case exp.node_type
-      when :const
+      when :const, :colon3
         exp.value
       when :lvar
         exp.value.to_sym
       when :colon2
         "#{class_name(exp.lhs)}::#{exp.rhs}".to_sym
-      when :colon3
-        "::#{exp.value}".to_sym
       when :self
         @current_class || @current_module || nil
       else

data/lib/brakeman/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "6.1.2"
+  Version = "7.1.0"
 end

data/lib/brakeman/warning.rb CHANGED Viewed

@@ -317,7 +317,7 @@ class Brakeman::Warning
   def format_ruby code, strip
     formatted = Brakeman::OutputProcessor.new.format(code)
-    formatted.gsub!(/(\t|\r|\n)+/, " ") if strip
+    formatted = formatted.gsub(/(\t|\r|\n)+/, " ") if strip
     formatted
   end
 end

data/lib/brakeman.rb CHANGED Viewed

@@ -24,6 +24,10 @@ module Brakeman
   #--ensure-ignore-notes is set
   Empty_Ignore_Note_Exit_Code = 8
+  # Exit code returned when at least one obsolete ignore entry is present
+  # and `--ensure-no-obsolete-ignore-entries` is set.
+  Obsolete_Ignore_Entries_Exit_Code = 9
   @debug = false
   @quiet = false
   @loaded_dependencies = []
@@ -65,6 +69,7 @@ module Brakeman
   #  * :report_routes - show found routes on controllers (default: false)
   #  * :run_checks - array of checks to run (run all if not specified)
   #  * :safe_methods - array of methods to consider safe
+  #  * :show_ignored - Display warnings that are usually ignored
   #  * :sql_safe_methods - array of sql sanitization methods to consider safe
   #  * :skip_libs - do not process lib/ directory (default: false)
   #  * :skip_vendor - do not process vendor/ directory (default: true)
@@ -83,6 +88,15 @@ module Brakeman
       options[:report_progress] = false
     end
+    if options[:use_prism]
+      begin
+        require 'prism'
+        notify '[Notice] Using Prism parser'
+      rescue LoadError => e
+        Brakeman.debug "[Notice] Asked to use Prism, but failed to load: #{e}"
+      end
+    end
     scan options
   end
@@ -117,6 +131,13 @@ module Brakeman
     options[:output_formats] = get_output_formats options
     options[:github_url] = get_github_url options
+    # Use ENV value only if option was not already explicitly set
+    # (i.e. prefer commandline option over environment variable).
+    if options[:gemfile].nil? and ENV['BUNDLE_GEMFILE'] and not ENV['BUNDLE_GEMFILE'].empty?
+      options[:gemfile] = ENV['BUNDLE_GEMFILE']
+    end
     options
   end
@@ -195,9 +216,11 @@ module Brakeman
       :pager => true,
       :parallel_checks => true,
       :parser_timeout => 10,
+      :use_prism => true,
       :relative_path => false,
       :report_progress => true,
       :safe_methods => Set.new,
+      :show_ignored => false,
       :sql_safe_methods => Set.new,
       :skip_checks => Set.new,
       :skip_vendor => true,
@@ -462,12 +485,12 @@ module Brakeman
   def self.rescan tracker, files, options = {}
     require 'brakeman/rescanner'
-    tracker.options.merge! options
+    options = tracker.options.merge options
     @quiet = !!tracker.options[:quiet]
     @debug = !!tracker.options[:debug]
-    Rescanner.new(tracker.options, tracker.processor, files).recheck
+    Rescanner.new(options, tracker.processor, files).recheck
   end
   def self.notify message

data/lib/ruby_parser/bm_sexp.rb CHANGED Viewed

@@ -6,6 +6,7 @@ class Sexp
   ASSIGNMENT_BOOL = [:gasgn, :iasgn, :lasgn, :cvdecl, :cvasgn, :cdecl, :or, :and, :colon2, :op_asgn_or]
   CALLS = [:call, :attrasgn, :safe_call, :safe_attrasgn]
+  alias_method :method_missing, :method_missing # silence redefined method warning
   def method_missing name, *args
     #Brakeman does not use this functionality,
     #so overriding it to raise a NoMethodError.
@@ -46,10 +47,12 @@ class Sexp
     s
   end
+  alias_method :paren, :paren # silence redefined method warning
   def paren
     @paren ||= false
   end
+  alias_method :value, :value # silence redefined method warning
   def value
     raise WrongSexpError, "Sexp#value called on multi-item Sexp: `#{self.inspect}`" if size > 2
     self[1]
@@ -98,6 +101,7 @@ class Sexp
     old_push arg
   end
+  alias_method :hash, :hash # silence redefined method warning
   def hash
     #There still seems to be some instances in which the hash of the
     #Sexp changes, but I have not found what method call is doing it.
@@ -616,7 +620,7 @@ end
 #Invalidate hash cache if the Sexp changes
 [:[]=, :clear, :collect!, :compact!, :concat, :delete, :delete_at,
-  :delete_if, :drop, :drop_while, :fill, :flatten!, :replace, :insert,
+  :delete_if, :drop, :drop_while, :fill, :flatten!, :insert,
   :keep_if, :map!, :pop, :push, :reject!, :replace, :reverse!, :rotate!,
   :select!, :shift, :shuffle!, :slice!, :sort!, :sort_by!, :transpose,
   :uniq!, :unshift].each do |method|