brakeman 6.2.2 → 8.0.4

data/lib/brakeman/processors/lib/rails2_route_processor.rb

@@ -131,7 +131,7 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BasicProcessor
       when :except
         process_option_except value
       else
-        Brakeman.notify "[Notice] Unhandled resource option, please report: #{option}"
+        Brakeman.alert "Unhandled resource option, please report: #{option}"
       end
     end
   end

data/lib/brakeman/processors/lib/rails3_config_processor.rb

@@ -17,6 +17,7 @@ require 'brakeman/processors/lib/basic_processor'
 #Values for tracker.config.rails will still be Sexps.
 class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
   RAILS_CONFIG = Sexp.new(:call, nil, :config)
+  RAILS_APPLICATION = Sexp.new(:colon2, s(:const, :Rails), :Application)
 
   def initialize *args
     super
@@ -48,7 +49,7 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
 
   #Look for class Application < Rails::Application
   def process_class exp
-    if exp.class_name == :Application
+    if application_class? exp
       @inside_config = true
       process_all exp.body if sexp? exp.body
       @inside_config = false
@@ -57,6 +58,14 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
     exp
   end
 
+  def application_class? exp
+    return unless node_type? exp, :class
+
+    exp.class_name == :Application or
+    (node_type? exp.class_name, :colon2 and exp.class_name.rhs == :Application) or
+    (exp.parent_name == RAILS_APPLICATION)
+  end
+
   #Look for configuration settings that
   #are just a call like
   #
@@ -78,7 +87,7 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
     if exp.target == RAILS_CONFIG
       #Get rid of '=' at end
       attribute = exp.method.to_s[0..-2].to_sym
-      if exp.args.length > 1
+      if exp.num_args > 1
         #Multiple arguments?...not sure if this will ever happen
         @tracker.config.rails[attribute] = exp.args
       else

data/lib/brakeman/processors/lib/render_helper.rb

@@ -9,7 +9,14 @@ module Brakeman::RenderHelper
     @rendered = true
     case exp.render_type
     when :action, :template, :inline
-      process_action exp[2][1], exp[3], exp.line
+      action = exp[2]
+      args = exp[3]
+
+      if string? action or symbol? action
+        process_action action.value, args, exp.line
+      else
+        process_model_action action, args
+      end
     when :default
       begin
         process_template template_name, exp[3], nil, exp.line
@@ -49,6 +56,36 @@ module Brakeman::RenderHelper
   def process_action name, args, line
     if name.is_a? String or name.is_a? Symbol
       process_template template_name(name), args, nil, line
+    else
+      Brakeman.debug "Not processing render #{name.inspect}"
+    end
+  end
+
+  SINGLE_RECORD = [:first, :find, :last, :new]
+  COLLECTION = [:all, :where]
+
+  def process_model_action action, args
+    return unless call? action
+
+    method = action.method
+
+    klass = get_class_target(action) || Brakeman::Tracker::UNKNOWN_MODEL
+    name = Sexp.new(:lit, klass.downcase)
+
+    if SINGLE_RECORD.include? method
+      # Set a local variable with name based on class of model
+      # and value of the value passed to render
+      local_key = Sexp.new(:lit, :locals)
+      locals = hash_access(args, local_key) || Sexp.new(:hash)
+      hash_insert(locals, name, action)
+      hash_insert(args, local_key, locals)
+
+      process_partial name, args, action.line
+    elsif COLLECTION.include? method
+      collection_key = Sexp.new(:lit, :collection)
+      hash_insert(args, collection_key, action)
+
+      process_partial name, args, action.line
     end
   end
 
@@ -61,7 +98,7 @@ module Brakeman::RenderHelper
     name = name.to_s.gsub(/^\//, "")
     template = @tracker.templates[name.to_sym]
     unless template
-      Brakeman.debug "[Notice] No such template: #{name}"
+      Brakeman.debug "No such template: #{name}"
       return
     end
 

data/lib/brakeman/processors/lib/render_path.rb

@@ -36,7 +36,7 @@ module Brakeman
           file: template.file,
         }
       else
-        Brakeman.debug "[Notice] No render path to add template information"
+        Brakeman.debug "No render path to add template information"
       end
     end
 

data/lib/brakeman/processors/model_processor.rb

@@ -27,7 +27,7 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
 
     #If inside an inner class we treat it as a library.
     if @current_class
-      Brakeman.debug "[Notice] Treating inner class as library: #{name}"
+      Brakeman.debug "Treating inner class as library: #{name}"
       Brakeman::LibraryProcessor.new(@tracker).process_library exp, @current_file
       return exp
     end

data/lib/brakeman/processors/template_processor.rb

@@ -56,7 +56,7 @@ class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
   # Pull out actual output value from template
   def normalize_output arg
     if call? arg and [:to_s, :html_safe!, :freeze].include? arg.method
-      arg.target
+      normalize_output(arg.target) # sometimes it's foo.to_s.to_s
     elsif node_type? arg, :if
       branches = [arg.then_clause, arg.else_clause].compact
 

data/lib/brakeman/report/ignore/config.rb

@@ -107,7 +107,7 @@ module Brakeman
           raise e, "\nError[#{e.class}] while reading brakeman ignore file: #{file}\n"
         end
       else
-        Brakeman.notify "[Notice] Could not find ignore configuration in #{file}"
+        Brakeman.alert "Could not find ignore configuration in #{file} (no file)"
         @already_ignored = []
       end
 
@@ -130,7 +130,6 @@ module Brakeman
 
       output = {
         :ignored_warnings => warnings,
-        :updated => Time.now.to_s,
         :brakeman_version => Brakeman::Version
       }
 

data/lib/brakeman/report/pager.rb

@@ -92,7 +92,7 @@ module Brakeman
       if system("which less > /dev/null")
         less_help = `less -?`
 
-        ["-R ", "-F ", "-X "].each do |opt|
+        ["-R ", "-F ", "-X ", " --wordwrap"].each do |opt|
           if less_help.include? opt
             @less_options << opt
           end

data/lib/brakeman/report/report_html.rb

@@ -1,4 +1,4 @@
-require 'cgi'
+require 'cgi/escape'
 require 'brakeman/report/report_table.rb'
 
 class Brakeman::Report::HTML < Brakeman::Report::Table

data/lib/brakeman/report/report_junit.rb

@@ -9,50 +9,7 @@ class Brakeman::Report::JUnit < Brakeman::Report::Base
     doc.add REXML::XMLDecl.new '1.0', 'UTF-8'
 
     test_suites = REXML::Element.new 'testsuites'
-    test_suites.add_attribute 'xmlns:brakeman', 'https://brakemanscanner.org/'
-    properties = test_suites.add_element 'brakeman:properties', { 'xml:id' => 'scan_info' }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'app_path', 'brakeman:value' => tracker.app_path }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'rails_version', 'brakeman:value' => rails_version }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'security_warnings', 'brakeman:value' => all_warnings.length }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'start_time', 'brakeman:value' => tracker.start_time.iso8601 }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'end_time', 'brakeman:value' => tracker.end_time.iso8601 }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'duration', 'brakeman:value' => tracker.duration }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'checks_performed', 'brakeman:value' => checks.checks_run.join(',') }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'number_of_controllers', 'brakeman:value' => tracker.controllers.length }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'number_of_models', 'brakeman:value' => tracker.models.length - 1 }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'ruby_version', 'brakeman:value' => number_of_templates(@tracker) }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'number_of_templates', 'brakeman:value' => RUBY_VERSION }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'brakeman_version', 'brakeman:value' => Brakeman::Version }
 
-    errors = test_suites.add_element 'brakeman:errors'
-    tracker.errors.each { |e|
-      error = errors.add_element 'brakeman:error'
-      error.add_attribute 'brakeman:message', e[:error]
-      e[:backtrace].each { |b|
-        backtrace = error.add_element 'brakeman:backtrace'
-        backtrace.add_text b
-      }
-    }
-
-    obsolete = test_suites.add_element 'brakeman:obsolete'
-    tracker.unused_fingerprints.each { |fingerprint|
-      obsolete.add_element 'brakeman:warning', { 'brakeman:fingerprint' => fingerprint }
-    }
-
-    ignored = test_suites.add_element 'brakeman:ignored'
-    ignored_warnings.each { |w|
-      warning = ignored.add_element 'brakeman:warning'
-      warning.add_attribute 'brakeman:message', w.message
-      warning.add_attribute 'brakeman:category', w.warning_type
-      warning.add_attribute 'brakeman:file', warning_file(w)
-      warning.add_attribute 'brakeman:line', w.line
-      warning.add_attribute 'brakeman:fingerprint', w.fingerprint
-      warning.add_attribute 'brakeman:confidence', w.confidence_name 
-      warning.add_attribute 'brakeman:code', w.format_code
-      warning.add_text w.to_s
-    }
-
-    hostname = `hostname`.strip
     i = 0
     all_warnings
       .map { |warning| [warning.file, [warning]] }
@@ -66,35 +23,25 @@ class Brakeman::Report::JUnit < Brakeman::Report::Base
         test_suite = test_suites.add_element 'testsuite'
         test_suite.add_attribute 'id', i
         test_suite.add_attribute 'package', 'brakeman'
-        test_suite.add_attribute 'name', file.relative
+        test_suite.add_attribute 'file', file.relative
         test_suite.add_attribute 'timestamp', tracker.start_time.strftime('%FT%T')
-        test_suite.add_attribute 'hostname', hostname == '' ? 'localhost' : hostname
         test_suite.add_attribute 'tests', checks.checks_run.length
         test_suite.add_attribute 'failures', warnings.length
         test_suite.add_attribute 'errors', '0'
         test_suite.add_attribute 'time', '0'
 
-        test_suite.add_element 'properties'
-
         warnings.each { |warning|
           test_case = test_suite.add_element 'testcase'
-          test_case.add_attribute 'name', 'run_check'
-          test_case.add_attribute 'classname', warning.check
+          test_case.add_attribute 'name', warning.check.sub(/^Brakeman::/, '')
+          test_case.add_attribute 'file', file.relative
+          test_case.add_attribute 'line', warning.line if warning.line
           test_case.add_attribute 'time', '0'
 
           failure = test_case.add_element 'failure'
           failure.add_attribute 'message', warning.message
           failure.add_attribute 'type', warning.warning_type
-          failure.add_attribute 'brakeman:fingerprint', warning.fingerprint
-          failure.add_attribute 'brakeman:file', warning_file(warning)
-          failure.add_attribute 'brakeman:line', warning.line
-          failure.add_attribute 'brakeman:confidence', warning.confidence_name 
-          failure.add_attribute 'brakeman:code', warning.format_code
           failure.add_text warning.to_s
         }
-
-        test_suite.add_element 'system-out'
-        test_suite.add_element 'system-err'
       }
 
     doc.add test_suites

data/lib/brakeman/report/report_sarif.rb

@@ -1,8 +1,10 @@
+require 'uri'
+
 class Brakeman::Report::SARIF < Brakeman::Report::Base
   def generate_report
     sarif_log = {
       :version => '2.1.0',
-      :$schema => 'https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json',
+      :$schema => 'https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0.json',
       :runs => runs,
     }
     JSON.pretty_generate sarif_log
@@ -20,10 +22,122 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
           },
         },
         :results => results,
-      },
+      }.merge(original_uri_base_ids)
     ]
   end
 
+  # Output base URIs
+  # based on what the user specified for the application path
+  # and whether or not --absolute-paths was set.
+  def original_uri_base_ids
+    if tracker.options[:app_path] == '.'
+      # Probably no app_path was specified, as that's the default
+
+      if absolute_paths?
+        # Set %SRCROOT% to absolute path
+        {
+          originalUriBaseIds: {
+            '%SRCROOT%' => {
+              uri: file_uri(tracker.app_tree.root),
+              description: {
+                text: 'Base path for application'
+              }
+            }
+          }
+        }
+      else
+        # Empty %SRCROOT%
+        # This avoids any paths appearing in the report
+        # that are not part of the application directory.
+        # Seems fine!
+        {
+          originalUriBaseIds: {
+            '%SRCROOT%' => {
+              description: {
+                text: 'Base path for application'
+              }
+            },
+          }
+        }
+
+      end
+    elsif tracker.options[:app_path] != tracker.app_tree.root
+      # Path was specified and it was relative
+
+      if absolute_paths?
+        # Include absolute root and relative application path
+        {
+          originalUriBaseIds: {
+            PROJECTROOT: {
+              uri: file_uri(tracker.app_tree.root),
+              description: {
+                text: 'Base path for all project files'
+              }
+            },
+            '%SRCROOT%' => {
+              # Technically should ensure this doesn't have any '..'
+              # but... TODO
+              uri: File.join(tracker.options[:app_path], '/'),
+              uriBaseId: 'PROJECTROOT',
+              description: {
+                text: 'Base path for application'
+              }
+            }
+          }
+        }
+      else
+        # Just include relative application path.
+        # Not clear this is 100% valid, but there is one example in the spec like this
+        {
+          originalUriBaseIds: {
+            PROJECTROOT: {
+              description: {
+                text: 'Base path for all project files'
+              }
+            },
+            '%SRCROOT%' => {
+              # Technically should ensure this doesn't have any '..'
+              # but... TODO
+              uri: File.join(tracker.options[:app_path], '/'),
+              uriBaseId: 'PROJECTROOT',
+              description: {
+                text: 'Base path for application'
+              }
+            }
+          }
+        }
+      end
+    else
+      # app_path was absolute
+
+      if absolute_paths?
+        # Set %SRCROOT% to absolute path
+        {
+          originalUriBaseIds: {
+            '%SRCROOT%' => {
+              uri: file_uri(tracker.app_tree.root),
+              description: {
+                text: 'Base path for application'
+              }
+            }
+          }
+        }
+      else
+        # Empty %SRCROOT%
+        # Seems fine!
+        {
+          originalUriBaseIds: {
+            '%SRCROOT%' => {
+              description: {
+                text: 'Base path for application'
+              }
+            },
+          }
+        }
+      end
+    end
+  end
+
   def rules
     @rules ||= unique_warnings_by_warning_code.map do |warning|
       rule_id = render_id warning
@@ -130,4 +244,10 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
     })
     @@levels_from_confidence[warning.confidence]
   end
+
+  # File URI as a string with trailing forward-slash
+  # as required by SARIF standard
+  def file_uri(path)
+    URI::File.build(path: File.join(path, '/')).to_s
+  end
 end

data/lib/brakeman/report/templates/header.html.erb

@@ -9,10 +9,15 @@
     function toggle(context) {
       var elem = document.getElementById(context);
 
-      if (elem.style.display != "block")
+      if (elem.style.display != "block") {
         elem.style.display = "block";
-      else
+
+        elem.querySelectorAll("table").forEach(function(table) {
+          $(table).DataTable().columns.adjust();
+        });
+      } else {
         elem.style.display = "none";
+      }
 
       elem.parentNode.scrollIntoView();
     }
@@ -46,7 +51,7 @@
     <tr>
       <td><%= tracker.app_path %></td>
       <td><%= rails_version %></td>
-      <td><%= brakeman_version %>
+      <td><%= brakeman_version %></td>
       <td>
         <%= tracker.start_time %><br><br>
         <%= tracker.duration %> seconds

data/lib/brakeman/report/templates/ignored_warnings.html.erb

@@ -1,6 +1,6 @@
 <div onClick="toggle('ignored_table');">  <h2><%= warnings.length %> Ignored Warnings (click to see them)</h2 ></div>
-<div>
-  <table style="display:none" id="ignored_table">
+<div style="display:none; width:100%" id="ignored_table">
+  <table>
     <thead>
       <tr>
         <th>Confidence</th>
@@ -8,7 +8,7 @@
         <th>Warning Type</th>
         <th>CWE ID</th>
         <th>Message</th>
-        <th>Note</th>
+        <th width="auto">Note</th>
       </tr>
     </thead>
     <tbody>