brakeman 6.2.2 → 8.0.4

data/lib/brakeman/scanner.rb

@@ -7,6 +7,7 @@ begin
   require 'brakeman/file_parser'
   require 'brakeman/parsers/template_parser'
   require 'brakeman/processors/lib/file_type_detector'
+  require 'brakeman/tracker/file_cache'
 rescue LoadError => e
   $stderr.puts e.message
   $stderr.puts "Please install the appropriate dependency."
@@ -30,7 +31,6 @@ class Brakeman::Scanner
     end
 
     @processor = processor || Brakeman::Processor.new(@app_tree, options)
-    @show_timing = tracker.options[:debug] || tracker.options[:show_timing]
   end
 
   #Returns the Tracker generated from the scan
@@ -38,36 +38,20 @@ class Brakeman::Scanner
     @processor.tracked_events
   end
 
-  def process_step description
-    Brakeman.notify "#{description}...".ljust(40)
-
-    if @show_timing
-      start_t = Time.now
-      yield
-      duration = Time.now - start_t
-
-      Brakeman.notify "(#{description}) Duration: #{duration} seconds"
-    else
-      yield
-    end
+  def file_cache
+    tracker.file_cache
   end
 
-  def process_step_file description
-    if @show_timing
-      Brakeman.notify "Processing #{description}"
-
-      start_t = Time.now
-      yield
-      duration = Time.now - start_t
+  def process_step(description, &)
+    Brakeman.process_step(description, &)
+  end
 
-      Brakeman.notify "(#{description}) Duration: #{duration} seconds"
-    else
-      yield
-    end
+  def process_step_file(description, &)
+    Brakeman.logger.single_context(description, &)
   end
 
   #Process everything in the Rails application
-  def process
+  def process(ruby_paths: nil, template_paths: nil)
     process_step 'Processing gems' do
       process_gems
     end
@@ -77,19 +61,35 @@ class Brakeman::Scanner
       process_config
     end
 
+    # -
+    # If ruby_paths or template_paths are set,
+    # only parse those files. The rest will be fetched
+    # from the file cache.
+    #
+    # Otherwise, parse everything normally.
+    #
+    astfiles = nil
+    process_step 'Finding files' do
+      ruby_paths ||= tracker.app_tree.ruby_file_paths
+      template_paths ||= tracker.app_tree.template_paths
+    end
+
     process_step 'Parsing files' do
-      parse_files
+      astfiles = parse_files(ruby_paths: ruby_paths, template_paths: template_paths)
     end
 
     process_step 'Detecting file types' do
-      detect_file_types
+      detect_file_types(astfiles)
     end
 
+    tracker.save_file_cache! if support_rescanning?
+    # -
+
     process_step 'Processing initializers' do
       process_initializers
     end
 
-    process_step 'Processing libs' do
+    process_step 'Processing libraries' do
       process_libs
     end
 
@@ -101,7 +101,7 @@ class Brakeman::Scanner
       process_templates
     end
 
-    process_step 'Processing data flow in templates' do
+    process_step 'Processing data flow' do
       process_template_data_flows
     end
 
@@ -113,55 +113,51 @@ class Brakeman::Scanner
       process_controllers
     end
 
-    process_step 'Processing data flow in controllers' do
+    process_step 'Processing data flow' do
       process_controller_data_flows
     end
 
-    process_step 'Indexing call sites' do
+    process_step 'Indexing method calls' do
       index_call_sites
     end
 
     tracker
   end
 
-  def parse_files
+  def parse_files(ruby_paths:, template_paths:)
     fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout], tracker.options[:parallel_checks], tracker.options[:use_prism])
 
-    fp.parse_files tracker.app_tree.ruby_file_paths
+    fp.parse_files ruby_paths
 
     template_parser = Brakeman::TemplateParser.new(tracker, fp)
 
-    fp.read_files(@app_tree.template_paths) do |path, contents|
-      template_parser.parse_template path, contents
+    fp.read_files(template_paths) do |path, contents|
+      Brakeman.logger.spin
+      template_parser.parse_template(path, contents)
     end
 
     # Collect errors raised during parsing
     tracker.add_errors(fp.errors)
 
-    @parsed_files = fp.file_list
+    fp.file_list
   end
 
-  def detect_file_types
-    @file_list = {
-      controllers: [],
-      initializers: [],
-      libs: [],
-      models: [],
-      templates: [],
-    }
-
+  def detect_file_types(astfiles)
     detector = Brakeman::FileTypeDetector.new
 
-    @parsed_files.each do |file|
+    astfiles.each do |file|
+      Brakeman.logger.spin
+
       if file.is_a? Brakeman::TemplateParser::TemplateFile
-        @file_list[:templates] << file
+        file_cache.add_file file, :template
       else
         type = detector.detect_type(file)
+
         unless type == :skip
-          if @file_list[type].nil?
-            raise type.to_s
+          if file_cache.valid_type? type
+            file_cache.add_file(file, type)
           else
-            @file_list[type] << file
+            raise "Unexpected file type: #{type.inspect}"
           end
         end
       end
@@ -187,7 +183,7 @@ class Brakeman::Scanner
       options[:rails3] or options[:escape_html]
 
       tracker.config.escape_html = true
-      Brakeman.notify "[Notice] Escaping HTML by default"
+      Brakeman.debug 'Escaping HTML by default'
     end
 
     if @app_tree.exists? ".ruby-version"
@@ -207,7 +203,7 @@ class Brakeman::Scanner
     end
 
   rescue => e
-    Brakeman.notify "[Notice] Error while processing #{path}"
+    Brakeman.alert "Error while processing #{path}"
     tracker.error e.exception(e.message + "\nwhile processing #{path}"), e.backtrace
   end
 
@@ -216,21 +212,29 @@ class Brakeman::Scanner
   #Process Gemfile
   def process_gems
     gem_files = {}
+    gem_file_names = ['Gemfile', 'gems.rb']
+    lock_file_names = ['Gemfile.lock', 'gems.locked']
+
+    if tracker.options[:gemfile]
+      name = tracker.options[:gemfile]
+      gem_file_names.unshift name
+      lock_file_names.unshift "#{name}.lock"
+    end
 
-    if @app_tree.exists? "Gemfile"
-      file = @app_tree.file_path("Gemfile")
-      gem_files[:gemfile] = { :src => parse_ruby_file(file), :file => file }
-    elsif @app_tree.exists? "gems.rb"
-      file = @app_tree.file_path("gems.rb")
-      gem_files[:gemfile] = { :src => parse_ruby_file(file), :file => file }
+    gem_file_names.each do |name|
+      if @app_tree.exists? name
+        file = @app_tree.file_path(name)
+        gem_files[:gemfile] = { :src => parse_ruby_file(file), :file => file }
+        break
+      end
     end
 
-    if @app_tree.exists? "Gemfile.lock"
-      file = @app_tree.file_path("Gemfile.lock")
-      gem_files[:gemlock] = { :src => file.read, :file => file }
-    elsif @app_tree.exists? "gems.locked"
-      file = @app_tree.file_path("gems.locked")
-      gem_files[:gemlock] = { :src => file.read, :file => file }
+    lock_file_names.each do |name|
+      if @app_tree.exists? name
+        file = @app_tree.file_path(name)
+        gem_files[:gemlock] = { :src => file.read, :file => file }
+        break
+      end
     end
 
     if @app_tree.gemspec
@@ -241,7 +245,7 @@ class Brakeman::Scanner
       @processor.process_gems gem_files
     end
   rescue => e
-    Brakeman.notify "[Notice] Error while processing Gemfile."
+    Brakeman.alert 'Error while processing Gemfile'
     tracker.error e.exception(e.message + "\nWhile processing Gemfile"), e.backtrace
   end
 
@@ -250,16 +254,16 @@ class Brakeman::Scanner
     unless tracker.options[:rails3] or tracker.options[:rails4]
       if @app_tree.exists?("script/rails")
         tracker.options[:rails3] = true
-        Brakeman.notify "[Notice] Detected Rails 3 application"
+        Brakeman.debug 'Detected Rails 3 application'
       elsif @app_tree.exists?("app/channels")
         tracker.options[:rails3] = true
         tracker.options[:rails4] = true
         tracker.options[:rails5] = true
-        Brakeman.notify "[Notice] Detected Rails 5 application"
+        Brakeman.debug 'Detected Rails 5 application'
       elsif not @app_tree.exists?("script")
         tracker.options[:rails3] = true
         tracker.options[:rails4] = true
-        Brakeman.notify "[Notice] Detected Rails 4 application"
+        Brakeman.debug 'Detected Rails 4 application'
       end
     end
   end
@@ -268,8 +272,8 @@ class Brakeman::Scanner
   #
   #Adds parsed information to tracker.initializers
   def process_initializers
-    track_progress @file_list[:initializers] do |init|
-      process_step_file init[:path] do
+    track_progress file_cache.initializers do |path, init|
+      process_step_file path do
         process_initializer init
       end
     end
@@ -280,17 +284,14 @@ class Brakeman::Scanner
     @processor.process_initializer(init.path, init.ast)
   end
 
-  #Process all .rb in lib/
-  #
-  #Adds parsed information to tracker.libs.
+  # Adds parsed information to tracker.libs.
+  # This is a catch-all for any Ruby files that weren't determined
+  # to be a specific type of file (like a controller).
   def process_libs
-    if options[:skip_libs]
-      Brakeman.notify '[Skipping]'
-      return
-    end
+    libs = file_cache.libs.sort_by { |path, _| path }
 
-    track_progress @file_list[:libs] do |lib|
-      process_step_file lib.path do
+    track_progress libs do |path, lib|
+      process_step_file path do
         process_lib lib
       end
     end
@@ -310,11 +311,11 @@ class Brakeman::Scanner
       if routes_sexp = parse_ruby_file(file)
         @processor.process_routes routes_sexp
       else
-        Brakeman.notify "[Notice] Error while processing routes - assuming all public controller methods are actions."
+        Brakeman.alert 'Error while processing routes - assuming all public controller methods are actions.'
         options[:assume_all_routes] = true
       end
     else
-      Brakeman.notify "[Notice] No route information found"
+      Brakeman.alert 'No route information found'
     end
   end
 
@@ -322,15 +323,17 @@ class Brakeman::Scanner
   #
   #Adds processed controllers to tracker.controllers
   def process_controllers
-    track_progress @file_list[:controllers] do |controller|
-      process_step_file controller.path do
+    controllers = file_cache.controllers.sort_by { |path, _| path }
+
+    track_progress controllers do |path, controller|
+      process_step_file path do
         process_controller controller
       end
     end
   end
 
   def process_controller_data_flows
-    controllers = tracker.controllers.sort_by { |name, _| name.to_s }
+    controllers = tracker.controllers.sort_by { |name, _| name }
 
     track_progress controllers, "controllers" do |name, controller|
       process_step_file name do
@@ -356,10 +359,10 @@ class Brakeman::Scanner
   #
   #Adds processed views to tracker.views
   def process_templates
-    templates = @file_list[:templates].sort_by { |t| t[:path] }
+    templates = file_cache.templates.sort_by { |path, _| path }
 
-    track_progress templates, "templates" do |template|
-      process_step_file template[:path] do
+    track_progress templates, "templates" do |path, template|
+      process_step_file path do
         process_template template
       end
     end
@@ -370,7 +373,7 @@ class Brakeman::Scanner
   end
 
   def process_template_data_flows
-    templates = tracker.templates.sort_by { |name, _| name.to_s }
+    templates = tracker.templates.sort_by { |name, _| name }
 
     track_progress templates, "templates" do |name, template|
       process_step_file name do
@@ -383,30 +386,32 @@ class Brakeman::Scanner
   #
   #Adds the processed models to tracker.models
   def process_models
-    track_progress @file_list[:models] do |model|
-      process_step_file model[:path] do
-        process_model model[:path], model[:ast]
+    models = file_cache.models.sort_by { |path, _| path }
+
+    track_progress models do |path, model|
+      process_step_file path do
+        process_model model
       end
     end
   end
 
-  def process_model path, ast
-    @processor.process_model(ast, path)
+  def process_model astfile
+    @processor.process_model(astfile.ast, astfile.path)
   end
 
   def track_progress list, type = "files"
     total = list.length
     current = 0
     list.each do |item|
-      report_progress current, total, type
+      report_progress current, total
       current += 1
       yield item
     end
   end
 
-  def report_progress(current, total, type = "files")
+  def report_progress(current, total)
     return unless @options[:report_progress]
-    $stderr.print " #{current}/#{total} #{type} processed\r"
+    Brakeman.logger.update_progress(current, total)
   end
 
   def index_call_sites
@@ -420,6 +425,10 @@ class Brakeman::Scanner
     tracker.error(e)
     nil
   end
+
+  def support_rescanning?
+    tracker.options[:support_rescanning]
+  end
 end
 
 # This is to allow operation without loading the Haml library

data/lib/brakeman/tracker/collection.rb

@@ -55,13 +55,23 @@ module Brakeman
       if src.node_type == :defs
         @class_methods[name] = meth_info
 
-        # TODO fix this weirdness
-        name = :"#{src[1]}.#{name}"
+        name = :"#{method_definition_receiver(src[1])}.#{name}"
       end
 
       @methods[visibility][name] = meth_info
     end
 
+    def method_definition_receiver(receiver)
+      return receiver if receiver.is_a?(Symbol)
+
+      case receiver.sexp_type
+      when :self
+        "self"
+      else
+        receiver[1].to_s
+      end
+    end
+
     def each_method
       @methods.each do |_vis, meths|
         meths.each do |name, info|

data/lib/brakeman/tracker/config.rb

@@ -5,7 +5,7 @@ module Brakeman
     include Util
 
     attr_reader :gems, :rails, :ruby_version, :tracker
-    attr_writer :erubis, :escape_html
+    attr_writer :erubi, :escape_html
 
     def initialize tracker
       @tracker = tracker
@@ -13,7 +13,7 @@ module Brakeman
       @gems = {}
       @settings = {}
       @escape_html = nil
-      @erubis = nil
+      @erubi = nil
       @ruby_version = nil
       @rails_version = nil
     end
@@ -28,8 +28,8 @@ module Brakeman
       false
     end
 
-    def erubis?
-      @erubis
+    def erubi?
+      @erubi
     end
 
     def escape_html?
@@ -88,29 +88,29 @@ module Brakeman
         if tracker.options[:rails3].nil? and tracker.options[:rails4].nil?
           if @rails_version.start_with? "3"
             tracker.options[:rails3] = true
-            Brakeman.notify "[Notice] Detected Rails 3 application"
+            notify_version 3
           elsif @rails_version.start_with? "4"
             tracker.options[:rails3] = true
             tracker.options[:rails4] = true
-            Brakeman.notify "[Notice] Detected Rails 4 application"
+            notify_version 4
           elsif @rails_version.start_with? "5"
             tracker.options[:rails3] = true
             tracker.options[:rails4] = true
             tracker.options[:rails5] = true
-            Brakeman.notify "[Notice] Detected Rails 5 application"
+            notify_version 5
           elsif @rails_version.start_with? "6"
             tracker.options[:rails3] = true
             tracker.options[:rails4] = true
             tracker.options[:rails5] = true
             tracker.options[:rails6] = true
-            Brakeman.notify "[Notice] Detected Rails 6 application"
+            notify_version 6
           elsif @rails_version.start_with? "7"
             tracker.options[:rails3] = true
             tracker.options[:rails4] = true
             tracker.options[:rails5] = true
             tracker.options[:rails6] = true
             tracker.options[:rails7] = true
-            Brakeman.notify "[Notice] Detected Rails 7 application"
+            notify_version 7
           elsif @rails_version.start_with? "8"
             tracker.options[:rails3] = true
             tracker.options[:rails4] = true
@@ -118,14 +118,14 @@ module Brakeman
             tracker.options[:rails6] = true
             tracker.options[:rails7] = true
             tracker.options[:rails8] = true
-            Brakeman.notify "[Notice] Detected Rails 8 application"
+            notify_version 8
           end
         end
       end
 
       if get_gem :rails_xss
         @escape_html = true
-        Brakeman.notify "[Notice] Escaping HTML by default"
+        Brakeman.debug "Escaping HTML by default"
       end
     end
 
@@ -182,7 +182,7 @@ module Brakeman
         option = config[o]
 
         if not option.is_a? Hash
-          Brakeman.debug "[Notice] Skipping config setting: #{path.map(&:to_s).join(".")}"
+          Brakeman.debug "Skipping config setting: #{path.map(&:to_s).join(".")}"
           return
         end
 
@@ -202,7 +202,7 @@ module Brakeman
       version = tracker.config.rails[:load_defaults].value.to_s
 
       unless version.match?(/^\d+\.\d+$/)
-        Brakeman.debug "[Notice] Unknown version: #{tracker.config.rails[:load_defaults]}"
+        Brakeman.alert "Unknown version: #{tracker.config.rails[:load_defaults]}"
         return
       end
 
@@ -284,5 +284,9 @@ module Brakeman
         set_rails_config(value: true_value, path: [:active_support, :use_rfc4122_namespaced_uuids])
       end
     end
+
+    private def notify_version version
+      Brakeman.debug "Detected Rails #{version} application"
+    end
   end
 end

data/lib/brakeman/tracker/constants.rb

@@ -29,7 +29,7 @@ module Brakeman
 
     def set_name name, context
       @name = name
-      @name_array = Constants.constant_as_array(name)
+      @name_array = Constants.constant_as_array(name, context)
     end
 
     def match? name
@@ -129,7 +129,22 @@ module Brakeman
       end
     end
 
-    def self.constant_as_array exp
+    def self.constant_as_array exp, context = nil
+      # Only prepend context for simple (unqualified) constants
+      if context && (exp.is_a?(Symbol) || (exp.is_a?(Sexp) && exp.node_type == :const))
+        context_name = context[:module] || context[:class]
+        context_name = context_name.name if context_name.respond_to?(:name)
+        if context_name
+          # Build colon2 chain: A::B becomes s(:colon2, s(:const, :A), :B)
+          parts = context_name.to_s.split("::")
+          base = Sexp.new(:const, parts.first.to_sym)
+          parts[1..].each do |part|
+            base = Sexp.new(:colon2, base, part.to_sym)
+          end
+          exp = Sexp.new(:colon2, base, exp)
+        end
+      end
+
       res = []
       while exp
         if exp.is_a? Sexp

data/lib/brakeman/tracker/controller.rb

@@ -132,7 +132,7 @@ module Brakeman
           when :lit, :str
             filter[option.value] = value[1]
           else
-            Brakeman.debug "[Notice] Unknown before_filter value: #{option} => #{value}"
+            Brakeman.debug "Unknown before_filter value: #{option} => #{value}"
           end
         end
       else

data/lib/brakeman/tracker/file_cache.rb

@@ -0,0 +1,83 @@
+module Brakeman
+  class FileCache
+    def initialize(file_list = nil)
+      @file_list = file_list || {
+        controller: {},
+        initializer: {},
+        lib: {},
+        model: {},
+        template: {},
+      }
+    end
+
+    def controllers
+      @file_list[:controller]
+    end
+
+    def initializers
+      @file_list[:initializer]
+    end
+
+    def libs
+      @file_list[:lib]
+    end
+
+    def models
+      @file_list[:model]
+    end
+
+    def templates
+      @file_list[:template]
+    end
+
+    def add_file(astfile, type)
+      raise "Unknown type: #{type}" unless valid_type? type
+      @file_list[type][astfile.path] = astfile
+    end
+
+    def valid_type?(type)
+      @file_list.key? type
+    end
+
+    def cached? path
+      @file_list.any? do |name, list|
+        list[path]
+      end
+    end
+
+    def delete path
+      @file_list.each do |name, list|
+        list.delete path
+      end
+    end
+
+    def diff other
+      @file_list.each do |name, list|
+        other_list = other.send(:"#{name}s")
+
+        if list == other_list
+          next
+        else
+          puts "-- #{name} --"
+          puts "Old: #{other_list.keys - list.keys}"
+          puts "New: #{list.keys - other_list.keys}"
+        end
+      end
+    end
+
+    def dup
+      copy_file_list = @file_list.map do |name, list|
+        copy_list = list.map do |path, astfile|
+          copy_astfile = astfile.dup
+          copy_astfile.ast = copy_astfile.ast.deep_clone
+
+          [path, copy_astfile]
+        end.to_h
+
+        [name, copy_list]
+      end.to_h
+
+      FileCache.new(copy_file_list)
+    end
+  end
+end