brakeman 6.2.2 → 8.0.4

data/lib/brakeman/messages.rb

@@ -86,7 +86,7 @@ class Brakeman::Messages::Message
   end
 
   def to_html
-    require 'cgi'
+    require 'cgi/escape'
 
     output = @parts.map(&:to_html).join
 

data/lib/brakeman/options.rb

@@ -63,14 +63,22 @@ module Brakeman::Options
           options[:exit_on_error] = exit_on_error
         end
 
-        opts.on "--ensure-latest", "Fail when Brakeman is outdated" do
-          options[:ensure_latest] = true
+        opts.on "--ensure-latest [DAYS]", Integer, "Fail when Brakeman is outdated. Optionally set minimum age in days." do |days|
+          if days and not (1..15).include? days
+            raise OptionParser::InvalidArgument
+          end
+
+          options[:ensure_latest] = days || true
         end
 
         opts.on "--ensure-ignore-notes", "Fail when an ignored warnings does not include a note" do
           options[:ensure_ignore_notes] = true
         end
 
+        opts.on "--ensure-no-obsolete-ignore-entries", "Fail when an obsolete ignore entry is found" do
+          options[:ensure_no_obsolete_ignore_entries] = true
+        end
+
         opts.on "-3", "--rails3", "Force Rails 3 mode" do
           options[:rails3] = true
         end
@@ -127,7 +135,6 @@ module Brakeman::Options
 
         opts.on "--faster", "Faster, but less accurate scan" do
           options[:ignore_ifs] = true
-          options[:skip_libs] = true
           options[:disable_constant_tracking] = true
         end
 
@@ -139,10 +146,6 @@ module Brakeman::Options
           options[:ignore_attr_protected] = true
         end
 
-        opts.on "--[no-]index-libs", "Add libraries to call index (Default)" do |index|
-          options[:index_libs] = index
-        end
-
         opts.on "--interprocedural", "Process method calls to known methods" do
           options[:interprocedural] = true
         end
@@ -161,14 +164,13 @@ module Brakeman::Options
 
         opts.on "--[no-]prism", "Use the Prism parser" do |use_prism|
           if use_prism
-            prism_version = '0.30'
+            min_prism_version = '1.0.0'
 
             begin
-              # Specifying minimum version here,
-              # since it can't be in the gem dependency list because it is optional
-              gem 'prism', "~>#{prism_version}"
+              gem 'prism', ">=#{min_prism_version}"
+              require 'prism'
             rescue Gem::MissingSpecVersionError, Gem::MissingSpecError, Gem::LoadError => e
-              $stderr.puts "Please install `prism` version #{prism_version} or newer:"
+              $stderr.puts "Please install `prism` version #{min_prism_version} or newer:"
               raise e
             end
           end
@@ -209,10 +211,6 @@ module Brakeman::Options
           options[:skip_vendor] = skip
         end
 
-        opts.on "--skip-libs", "Skip processing lib directory" do
-          options[:skip_libs] = true
-        end
-
         opts.on "--add-libs-path path1,path2,etc", Array, "An application relative lib directory (ex. app/mailers) to process" do |paths|
           options[:additional_libs_path] ||= Set.new
           options[:additional_libs_path].merge paths
@@ -223,6 +221,14 @@ module Brakeman::Options
           options[:engine_paths].merge paths
         end
 
+        opts.on '--[no-]follow-symlinks', 'Follow symbolic links for directions' do |follow_symlinks|
+          options[:follow_symlinks] = follow_symlinks
+        end
+
+        opts.on '--gemfile GEMFILE', 'Specify Gemfile to scan' do |gemfile|
+          options[:gemfile] = gemfile
+        end
+
         opts.on "-E", "--enable Check1,Check2,etc", Array, "Enable the specified checks" do |checks|
           checks.map! do |check|
             if check.start_with? "Check"

data/lib/brakeman/parsers/haml6_embedded.rb

@@ -0,0 +1,23 @@
+[:Coffee, :CoffeeScript, :Markdown, :Sass].each do |name|
+  klass = Module.const_get("Haml::Filters::#{name}")
+
+  klass.define_method(:compile) do |node|
+    temple = [:multi]
+    temple << [:static, "<script>\n"]
+    temple << compile_with_tilt(node)
+    temple << [:static, "</script>"]
+    temple
+  end
+
+  klass.define_method(:compile_with_tilt) do |node|
+    # From Haml
+    text = ::Haml::Util.unescape_interpolation(node.value[:text]).gsub(/(\\+)n/) do |s|
+      escapes = $1.size
+      next s if escapes % 2 == 0
+      "#{'\\' * (escapes - 1)}\n"
+    end
+    text.prepend("\n").sub!(/\n"\z/, '"')
+
+    [:dynamic, "BrakemanFilter.render(#{text})"]
+  end
+end

data/lib/brakeman/parsers/rails_erubi.rb

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+# Copied almost verbatim from Rails
+# https://github.com/rails/rails/blob/5359cf8a5b093b04170e884ee8da5a1e076b8a0d/actionview/lib/action_view/template/handlers/erb/erubi.rb#L9
+
+Brakeman.load_brakeman_dependency "erubi"
+
+module Brakeman
+  class Erubi < ::Erubi::Engine
+    # :nodoc: all
+    def initialize(input, properties = {})
+      @newline_pending = 0
+
+      # Dup properties so that we don't modify argument
+      properties = Hash[properties]
+
+      properties[:bufvar]     ||= "@output_buffer"
+      properties[:preamble]   ||= ""
+      properties[:postamble]  ||= "#{properties[:bufvar]}"
+
+      # Tell Erubi whether the template will be compiled with `frozen_string_literal: true`
+      # properties[:freeze_template_literals] = !Template.frozen_string_literal
+      properties[:freeze_template_literals] = false
+
+      properties[:escapefunc] = ""
+
+      super
+    end
+
+  private
+    def add_text(text)
+      return if text.empty?
+
+      if text == "\n"
+        @newline_pending += 1
+      else
+        with_buffer do
+          src << ".safe_append='"
+          src << "\n" * @newline_pending if @newline_pending > 0
+          src << text.gsub(/['\\]/, '\\\\\&') << @text_end
+        end
+        @newline_pending = 0
+      end
+    end
+
+    BLOCK_EXPR = /((\s|\))do|\{)(\s*\|[^|]*\|)?\s*\Z/
+
+    def add_expression(indicator, code)
+      flush_newline_if_pending(src)
+
+      with_buffer do
+        if (indicator == "==") || @escape
+          src << ".safe_expr_append="
+        else
+          src << ".append="
+        end
+
+        if BLOCK_EXPR.match?(code)
+          src << " " << code
+        else
+          src << "(" << code << ")"
+        end
+      end
+    end
+
+    def add_code(code)
+      flush_newline_if_pending(src)
+      super
+    end
+
+    def add_postamble(_)
+      flush_newline_if_pending(src)
+      super
+    end
+
+    def flush_newline_if_pending(src)
+      if @newline_pending > 0
+        with_buffer { src << ".safe_append='#{"\n" * @newline_pending}" << @text_end }
+        @newline_pending = 0
+      end
+    end
+  end
+end

data/lib/brakeman/parsers/template_parser.rb

@@ -21,9 +21,10 @@ module Brakeman
       begin
         src = case type
               when :erb
-                type = :erubis if erubis?
+                type = :erubi if erubi?
                 parse_erb path, text
               when :haml
+                type = :haml6 if haml6?
                 parse_haml path, text
               when :slim
                 parse_slim path, text
@@ -45,17 +46,9 @@ module Brakeman
     end
 
     def parse_erb path, text
-      if tracker.config.escape_html?
-        if tracker.options[:rails3]
-          require 'brakeman/parsers/rails3_erubis'
-          Brakeman::Rails3Erubis.new(text, :filename => path).src
-        else
-          require 'brakeman/parsers/rails2_xss_plugin_erubis'
-          Brakeman::Rails2XSSPluginErubis.new(text, :filename => path).src
-        end
-      elsif tracker.config.erubis?
-        require 'brakeman/parsers/rails2_erubis'
-        Brakeman::ScannerErubis.new(text, :filename => path).src
+      if erubi?
+        require 'brakeman/parsers/rails_erubi'
+        Brakeman::Erubi.new(text, :filename => path).src
       else
         require 'erb'
         src = if ERB.instance_method(:initialize).parameters.assoc(:key) # Ruby 2.6+
@@ -68,25 +61,49 @@ module Brakeman
       end
     end
 
-    def erubis?
+    def erubi?
       tracker.config.escape_html? or
-        tracker.config.erubis?
+        tracker.config.erubi?
     end
 
     def parse_haml path, text
-      Brakeman.load_brakeman_dependency 'haml'
-      require_relative 'haml_embedded'
+      if haml6?
+        require_relative 'haml6_embedded'
+
+        Haml::Template.new(filename: path.relative,
+                           :escape_html => tracker.config.escape_html?,
+                           generator: Temple::Generators::RailsOutputBuffer,
+                           use_html_safe: true,
+                           buffer_class: 'ActionView::OutputBuffer',
+                           disable_capture: true,
+                          ) { text }.precompiled_template
+      else
+        require_relative 'haml_embedded'
 
-      Haml::Engine.new(text,
-                       :filename => path,
-                       :escape_html => tracker.config.escape_html?,
-                       :escape_filter_interpolations => tracker.config.escape_filter_interpolations?
-                      ).precompiled.gsub(/([^\\])\\n/, '\1')
+        Haml::Engine.new(text,
+                         :filename => path,
+                         :escape_html => tracker.config.escape_html?,
+                         :escape_filter_interpolations => tracker.config.escape_filter_interpolations?
+                        ).precompiled.gsub(/([^\\])\\n/, '\1')
+      end
     rescue Haml::Error => e
       tracker.error e, ["While compiling HAML in #{path}"] << e.backtrace
       nil
     end
 
+    def haml6?
+      return @haml6 unless @haml6.nil?
+
+      Brakeman.load_brakeman_dependency 'haml'
+      major_version = Haml::VERSION.split('.').first.to_i
+
+      if major_version >= 6
+        @haml6 = true
+      else
+        @haml6 = false
+      end
+    end
+
     def parse_slim path, text
       Brakeman.load_brakeman_dependency 'slim'
 
@@ -123,7 +140,7 @@ module Brakeman
       fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
       tp = self.new(tracker, fp)
       src = tp.parse_erb '_inline_', text
-      type = tp.erubis? ? :erubis : :erb
+      type = tp.erubi? ? :erubi : :erb
 
       return type, fp.parse_ruby(src, "_inline_")
     end

data/lib/brakeman/processor.rb

@@ -63,8 +63,10 @@ module Brakeman
         result = ErbTemplateProcessor.new(@tracker, name, called_from, file_name).process src
       when :haml
         result = HamlTemplateProcessor.new(@tracker, name, called_from, file_name).process src
-      when :erubis
-        result = ErubisTemplateProcessor.new(@tracker, name, called_from, file_name).process src
+      when :haml6
+        result = Haml6TemplateProcessor.new(@tracker, name, called_from, file_name).process src
+      when :erubi
+        result = ErubiTemplateProcessor.new(@tracker, name, called_from, file_name).process src
       when :slim
         result = SlimTemplateProcessor.new(@tracker, name, called_from, file_name).process src
       else

data/lib/brakeman/processors/alias_processor.rb

@@ -97,6 +97,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   end
 
   def process_bracket_call exp
+    # TODO: What is even happening in this method?
     r = replace(exp)
 
     if r != exp
@@ -127,7 +128,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         return r
       end
     else
-      t = nil
+      t = exp.target # put it back?
     end
 
     if hash? t
@@ -242,6 +243,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         exp = math_op(method, target, first_arg, exp)
       end
     when :[]
+      # TODO: This might never be used because of process_bracket_call above
       if array? target
         exp = process_array_access(target, exp.args, exp)
       elsif hash? target
@@ -268,7 +270,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       end
     when :<<
       if string? target and string? first_arg
-        target.value << first_arg.value
+        target.value += first_arg.value
         env[target_var] = target
         return target
       elsif string? target and string_interp? first_arg
@@ -276,8 +278,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         env[target_var] = exp
       elsif string? first_arg and string_interp? target
         if string? target.last
-          target.last.value << first_arg.value
+          target.last.value += first_arg.value
         elsif target.last.is_a? String
+          # TODO Use target.last += ?
           target.last << first_arg.value
         else
           target << first_arg
@@ -433,6 +436,12 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       exp.method == :open
   end
 
+  def temp_file_create? exp
+    call? exp and
+      exp.target == TEMP_FILE_CLASS and
+      exp.method == :create
+  end
+
   def temp_file_new line
     s(:call, TEMP_FILE_CLASS, :new).line(line)
   end
@@ -462,6 +471,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       elsif temp_file_open? call
         local = Sexp.new(:lvar, block_args.last)
         env.current[local] = temp_file_new(exp.line)
+      elsif temp_file_create? call
+        local = Sexp.new(:lvar, block_args.last)
+        env.current[local] = temp_file_new(exp.line)
       else
         block_args.each do |e|
           #Force block arg(s) to be local
@@ -666,7 +678,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     end
 
     unless array? exp[1] and array? exp[2]
-      return process_default(exp)
+      # Already processed RHS, don't do it again
+      # https://github.com/presidentbeef/brakeman/issues/1877
+      return exp
     end
 
     vars = exp[1].dup

data/lib/brakeman/processors/base_processor.rb

@@ -205,6 +205,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     rest = process rest
     result = Sexp.new(:render, render_type, value, rest)
     result.line(exp.line)
+
     result
   end
 
@@ -240,6 +241,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     elsif first_arg.nil?
       type = :default
     elsif not hash? first_arg
+      # Maybe do partial if in view?
       type = :action
       value = first_arg
     end

data/lib/brakeman/processors/controller_alias_processor.rb

@@ -146,7 +146,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
     filter = tracker.find_method name, @current_class
 
     if filter.nil?
-      Brakeman.debug "[Notice] Could not find filter #{name}"
+      Brakeman.debug "Could not find filter #{name}"
       return
     end
 

data/lib/brakeman/processors/controller_processor.rb

@@ -30,13 +30,13 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     #But if not inside a controller already, then the class may include
     #a real controller, so we can't take this shortcut.
     if @current_class and @current_class.name.to_s.end_with? "Controller"
-      Brakeman.debug "[Notice] Treating inner class as library: #{name}"
+      Brakeman.debug "Treating inner class as library: #{name}"
       Brakeman::LibraryProcessor.new(@tracker).process_library exp, @current_file
       return exp
     end
 
     if not name.to_s.end_with? "Controller"
-      Brakeman.debug "[Notice] Adding noncontroller as library: #{name}"
+      Brakeman.debug "Adding noncontroller as library: #{name}"
       #Set the class to be a module in order to get the right namespacing.
       #Add class to libraries, in case it is needed later (e.g. it's used
       #as a parent class for a controller.)
@@ -124,7 +124,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
             if @app_tree.layout_exists?(name)
               @current_class.layout = "layouts/#{name}"
             else
-              Brakeman.debug "[Notice] Layout not found: #{name}"
+              Brakeman.debug "Layout not found: #{name}"
             end
           elsif node_type? last_arg, :nil, :false
             #layout :false or layout nil

data/lib/brakeman/processors/{erubis_template_processor.rb → erubi_template_procesor.rb}

@@ -1,7 +1,7 @@
 require 'brakeman/processors/template_processor'
 
-#Processes ERB templates using Erubis instead of erb.
-class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
+#Processes ERB templates using Erubi instead of erb.
+class Brakeman::ErubiTemplateProcessor < Brakeman::TemplateProcessor
 
   #s(:call, TARGET, :method, ARGS)
   def process_call exp
@@ -14,7 +14,7 @@ class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
     exp.arglist = process exp.arglist
     method = exp.method
 
-    #_buf is the default output variable for Erubis
+    #_buf is the default output variable for Erubi
     if node_type?(target, :lvar, :ivar) and (target.value == :_buf or target.value == :@output_buffer)
       if method == :<< or method == :safe_concat
 

data/lib/brakeman/processors/haml6_template_processor.rb

@@ -0,0 +1,92 @@
+require 'brakeman/processors/haml_template_processor'
+
+class Brakeman::Haml6TemplateProcessor < Brakeman::HamlTemplateProcessor
+
+  OUTPUT_BUFFER = s(:ivar, :@output_buffer)
+  HAML_UTILS = s(:colon2, s(:colon3, :Haml), :Util)
+  HAML_UTILS2 = s(:colon2, s(:const, :Haml), :Util)
+  # @output_buffer = output_buffer || ActionView::OutputBuffer.new
+  AV_SAFE_BUFFER = s(:or, s(:call, nil, :output_buffer), s(:call, s(:colon2, s(:const, :ActionView), :OutputBuffer), :new))
+  EMBEDDED_FILTER = s(:const, :BrakemanFilter)
+
+  def initialize(*)
+    super
+
+    # Because of how Haml 6 handles line breaks -
+    # we have to track where _haml_compiler variables are assigned.
+    # then change the line number of where they are output to where
+    # they are assigned.
+    #
+    # Like this:
+    #
+    #   ; _haml_compiler1 = (params[:x]; 
+    #   ; ); @output_buffer.safe_concat((((::Haml::Util.escape_html_safe((_haml_compiler1))).to_s).to_s));
+    #
+    #  `_haml_compiler1` is output a line after it's assigned,
+    #  but the assignment matches the "real" line where it is output in the template.
+    @compiler_assigns = {}
+  end
+
+  # @output_buffer.safe_concat
+  def buffer_append? exp
+    call? exp and
+      output_buffer? exp.target and
+      exp.method == :safe_concat
+  end
+
+  def process_lasgn exp
+    if exp.lhs.match?(/_haml_compiler\d+/)
+      @compiler_assigns[exp.lhs] = exp.rhs
+      ignore
+    else
+      exp
+    end
+  end
+
+  def process_lvar exp
+    if exp.value.match?(/_haml_compiler\d+/)
+      exp = @compiler_assigns[exp.value] || exp
+    end
+
+    exp
+  end
+
+  def is_escaped? exp
+    return unless call? exp
+
+    html_escaped? exp or
+      javascript_escaped? exp
+  end
+
+  def javascript_escaped? call
+    # TODO: Adding here to match existing behavior for HAML,
+    # but really this is not safe and needs to be revisited
+      call.method == :j or
+        call.method == :escape_javascript
+  end
+
+  def html_escaped? call
+    (call.target == HAML_UTILS or call.target == HAML_UTILS2) and
+      (call.method == :escape_html or call.method == :escape_html_safe)
+  end
+
+  def output_buffer? exp
+    exp == OUTPUT_BUFFER or
+      exp == AV_SAFE_BUFFER
+  end
+
+  def normalize_output arg
+    arg = super(arg)
+
+    if embedded_filter? arg
+      super(arg.first_arg)
+    else
+      arg
+    end
+  end
+
+  # Handle our "fake" embedded filters
+  def embedded_filter? arg
+    call? arg and arg.method == :render and arg.target == EMBEDDED_FILTER
+  end
+end

data/lib/brakeman/processors/haml_template_processor.rb

@@ -84,6 +84,12 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     :escape_once_without_haml_xss
   ]
 
+  def is_escaped? exp
+    return unless call? exp
+
+    haml_helpers? exp.target and ESCAPE_METHODS.include? exp.method
+  end
+
   def get_pushed_value exp, default = :output
     return exp unless sexp? exp
 
@@ -113,7 +119,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     when :call
       if exp.method == :to_s or exp.method == :strip
         get_pushed_value(exp.target, default)
-      elsif haml_helpers? exp.target and ESCAPE_METHODS.include? exp.method
+      elsif is_escaped? exp
         get_pushed_value(exp.first_arg, :escaped_output)
       elsif @javascript and (exp.method == :j or exp.method == :escape_javascript) # TODO: Remove - this is not safe
         get_pushed_value(exp.first_arg, :escaped_output)
@@ -160,7 +166,16 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
   def haml_attribute_builder? exp
     call? exp and
       exp.target == ATTRIBUTE_BUILDER and
-      exp.method == :build
+      escaped_builder_method? exp
+  end
+
+  def escaped_builder_method? exp
+    case exp.method
+    when :build, :build_aria, :build_boolean, :build_data, :build_id, :escape_html
+      true? exp.first_arg
+    else
+      false
+    end
   end
 
   def fix_textareas? exp

data/lib/brakeman/processors/lib/file_type_detector.rb

@@ -13,7 +13,7 @@ module Brakeman
         @file_type = guess_from_path(file.path.relative)
       end
 
-      @file_type || :libs
+      @file_type || :lib
     end
 
     MODEL_CLASSES = [
@@ -26,10 +26,10 @@ module Brakeman
       parent = class_name(exp.parent_name)
 
       if name.match(/Controller$/)
-        @file_type = :controllers
+        @file_type = :controller
         return exp
       elsif MODEL_CLASSES.include? parent
-        @file_type = :models
+        @file_type = :model
         return exp
       end
 
@@ -39,19 +39,21 @@ module Brakeman
     def guess_from_path path
       case
       when path.include?('app/models')
-        :models
+        :model
       when path.include?('app/controllers')
-        :controllers
+        :controller
       when path.include?('config/initializers')
-        :initializers
+        :initializer
       when path.include?('lib/')
-        :libs
+        :lib
       when path.match?(%r{config/environments/(?!production\.rb)$})
         :skip
       when path.match?(%r{environments/production\.rb$})
         :skip
       when path.match?(%r{application\.rb$})
         :skip
+      when path.match?(%r{config/routes\.rb$})
+        :skip
       end
     end
 

data/lib/brakeman/processors/lib/rails2_config_processor.rb

@@ -33,14 +33,15 @@ class Brakeman::Rails2ConfigProcessor < Brakeman::BasicProcessor
     process res
   end
 
-  #Check if config is set to use Erubis
+  # Check if config is set to use Erubis
+  # but because it's 2026 we're going to use Erubi
   def process_call exp
     target = exp.target
     target = process target if sexp? target
 
     if exp.method == :gem and exp.first_arg.value == "erubis"
-      Brakeman.notify "[Notice] Using Erubis for ERB templates"
-      @tracker.config.erubis = true
+      Brakeman.debug "[Notice] Using Erubi for ERB templates"
+      @tracker.config.erubi = true
     end
 
     exp
@@ -51,7 +52,7 @@ class Brakeman::Rails2ConfigProcessor < Brakeman::BasicProcessor
     if exp.target == RAILS_CONFIG
       #Get rid of '=' at end
       attribute = exp.method.to_s[0..-2].to_sym
-      if exp.args.length > 1
+      if exp.num_args > 1
         #Multiple arguments?...not sure if this will ever happen
         @tracker.config.rails[attribute] = exp.args
       else