brakeman 6.2.2 → 8.0.4

data/lib/brakeman/tracker.rb

@@ -12,7 +12,7 @@ class Brakeman::Tracker
   attr_accessor :controllers, :constants, :templates, :models, :errors,
     :checks, :initializers, :config, :routes, :processor, :libs,
     :template_cache, :options, :filter_cache, :start_time, :end_time,
-    :duration, :ignored_filter, :app_tree
+    :duration, :ignored_filter, :app_tree, :file_cache, :pristine_file_cache
 
   #Place holder when there should be a model, but it is not
   #clear what model it will be.
@@ -26,15 +26,22 @@ class Brakeman::Tracker
     @app_tree = app_tree
     @processor = processor
     @options = options
+    @file_cache = Brakeman::FileCache.new
+    @pristine_file_cache = nil
 
-    @config = Brakeman::Config.new(self)
+    reset_all
+  end
+
+  def reset_all
     @templates = {}
     @controllers = {}
+
     #Initialize models with the unknown model so
     #we can match models later without knowing precisely what
     #class they are.
     @models = {}
     @models[UNKNOWN_MODEL] = Brakeman::Model.new(UNKNOWN_MODEL, nil, @app_tree.file_path("NOT_REAL.rb"), nil, self)
+
     @method_cache = {}
     @routes = {}
     @initializers = {}
@@ -46,11 +53,16 @@ class Brakeman::Tracker
     @template_cache = Set.new
     @filter_cache = {}
     @call_index = nil
+    @config = Brakeman::Config.new(self)
     @start_time = Time.now
     @end_time = nil
     @duration = nil
   end
 
+  def save_file_cache!
+    @pristine_file_cache = @file_cache.dup
+  end
+
   #Add an error to the list. If no backtrace is given,
   #the one from the exception will be used.
   def error exception, backtrace = nil
@@ -89,15 +101,9 @@ class Brakeman::Tracker
     @app_path ||= File.expand_path @options[:app_path]
   end
 
-  #Iterate over all methods in controllers and models.
+  #Iterate over all methods
   def each_method
-    classes = [self.controllers, self.models]
-
-    if @options[:index_libs]
-      classes << self.libs
-    end
-
-    classes.each do |set|
+    [self.controllers, self.models, self.libs].each do |set|
       set.each do |set_name, collection|
         collection.each_method do |method_name, definition|
           src = definition.src
@@ -125,13 +131,7 @@ class Brakeman::Tracker
 
 
   def each_class
-    classes = [self.controllers, self.models]
-
-    if @options[:index_libs]
-      classes << self.libs
-    end
-
-    classes.each do |set|
+    [self.controllers, self.models, self.libs].each do |set|
       set.each do |set_name, collection|
         collection.src.each do |file, src|
           yield src, set_name, file
@@ -301,6 +301,11 @@ class Brakeman::Tracker
       method_sets << self.controllers
     end
 
+    if locations.include? :libs
+      classes_to_reindex.merge self.libs.keys
+      method_sets << self.libs
+    end
+
     if locations.include? :initializers
       self.initializers.each do |file_name, src|
         @call_index.remove_indexes_by_file file_name
@@ -312,6 +317,8 @@ class Brakeman::Tracker
     finder = Brakeman::FindAllCalls.new self
 
     method_sets.each do |set|
+      Brakeman.logger.spin
+
       set.each do |set_name, info|
         info.each_method do |method_name, definition|
           src = definition.src
@@ -322,12 +329,14 @@ class Brakeman::Tracker
 
     if locations.include? :templates
       self.each_template do |_name, template|
+        Brakeman.logger.spin
         finder.process_source template.src, :template => template, :file => template.file
       end
     end
 
     if locations.include? :initializers
       self.initializers.each do |file_name, src|
+        Brakeman.logger.spin
         finder.process_all_source src, :file => file_name
       end
     end
@@ -424,4 +433,10 @@ class Brakeman::Tracker
 
     @call_index.remove_indexes_by_file path
   end
+
+  # Call this to be able to marshal the Tracker
+  def marshallable
+    @app_tree.marshallable
+    self
+  end
 end

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "6.2.2"
+  Version = "8.0.4"
 end

data/lib/brakeman.rb

@@ -1,4 +1,5 @@
 require 'set'
+require 'brakeman/logger'
 require 'brakeman/version'
 
 module Brakeman
@@ -24,10 +25,15 @@ module Brakeman
   #--ensure-ignore-notes is set
   Empty_Ignore_Note_Exit_Code = 8
 
+  # Exit code returned when at least one obsolete ignore entry is present
+  # and `--ensure-no-obsolete-ignore-entries` is set.
+  Obsolete_Ignore_Entries_Exit_Code = 9
+
   @debug = false
   @quiet = false
   @loaded_dependencies = []
   @vendored_paths = false
+  @logger = nil
 
   #Run Brakeman scan. Returns Tracker object.
   #
@@ -48,7 +54,6 @@ module Brakeman
   #  * :highlight_user_input - highlight user input in reported warnings (default: true)
   #  * :html_style - path to CSS file
   #  * :ignore_model_output - consider models safe (default: false)
-  #  * :index_libs - add libraries to call index (default: true)
   #  * :interprocedural - limited interprocedural processing of method calls (default: false)
   #  * :message_limit - limit length of messages
   #  * :min_confidence - minimum confidence (0-2, 0 is highest)
@@ -67,7 +72,6 @@ module Brakeman
   #  * :safe_methods - array of methods to consider safe
   #  * :show_ignored - Display warnings that are usually ignored
   #  * :sql_safe_methods - array of sql sanitization methods to consider safe
-  #  * :skip_libs - do not process lib/ directory (default: false)
   #  * :skip_vendor - do not process vendor/ directory (default: true)
   #  * :skip_checks - checks not to run (run all if not specified)
   #  * :absolute_paths - show absolute path of each file (default: false)
@@ -75,6 +79,10 @@ module Brakeman
   #
   #Alternatively, just supply a path as a string.
   def self.run options
+    if not $stderr.tty? and options[:report_progress].nil?
+      options[:report_progress] = false
+    end
+
     options = set_options options
 
     @quiet = !!options[:quiet]
@@ -84,9 +92,37 @@ module Brakeman
       options[:report_progress] = false
     end
 
+    @logger = options[:logger] || set_default_logger(options)
+
+    if options[:use_prism]
+      begin
+        require 'prism'
+      rescue LoadError => e
+        Brakeman.alert "Asked to use Prism, but failed to load: #{e}"
+      end
+    end
+
+    Brakeman.announce "Brakeman v#{Brakeman::Version}"
+
     scan options
   end
 
+  def self.logger
+    @logger
+  end
+
+  def self.logger= log
+    @logger = log
+  end
+
+  def self.set_default_logger(options = {})
+    @logger = Brakeman::Logger.get_logger(options)
+  end
+
+  def self.cleanup(newline = true)
+    @logger.cleanup(newline) if @logger
+  end
+
   #Sets up options for run, checks given application path
   def self.set_options options
     if options.is_a? String
@@ -118,13 +154,19 @@ module Brakeman
     options[:output_formats] = get_output_formats options
     options[:github_url] = get_github_url options
 
+
+    # Use ENV value only if option was not already explicitly set
+    # (i.e. prefer commandline option over environment variable).
+    if options[:gemfile].nil? and ENV['BUNDLE_GEMFILE'] and not ENV['BUNDLE_GEMFILE'].empty?
+      options[:gemfile] = ENV['BUNDLE_GEMFILE']
+    end
+
     options
   end
 
   #Load options from YAML file
   def self.load_options line_options
     custom_location = line_options[:config_file]
-    quiet = line_options[:quiet]
     app_path = line_options[:app_path]
 
     #Load configuration file
@@ -138,19 +180,22 @@ module Brakeman
         # After parsing the yaml config file for options, convert any string keys into symbols.
         options.keys.select {|k| k.is_a? String}.map {|k| k.to_sym }.each {|k| options[k] = options[k.to_s]; options.delete(k.to_s) }
 
+        # Brakeman.logger is probably not set yet
+        logger = Brakeman::Logger.get_logger(options.merge(line_options))
+
         unless line_options[:allow_check_paths_in_config]
           if options.include? :additional_checks_path
             options.delete :additional_checks_path
 
-            notify "[Notice] Ignoring additional check paths in config file. Use --allow-check-paths-in-config to allow" unless (options[:quiet] || quiet)
+            logger.alert 'Ignoring additional check paths in config file. Use --allow-check-paths-in-config to allow'
           end
         end
 
-        # notify if options[:quiet] and quiet is nil||false
-        notify "[Notice] Using configuration in #{config}" unless (options[:quiet] || quiet)
+        logger.alert "Using configuration in #{config}"
         options
       else
-        notify "[Notice] Empty configuration file: #{config}" unless quiet
+        logger = Brakeman::Logger.get_logger(line_options)
+        logger.alert "Empty configuration file: #{config}"
         {}
       end
     else
@@ -189,13 +234,13 @@ module Brakeman
       :html_style => "#{File.expand_path(File.dirname(__FILE__))}/brakeman/format/style.css",
       :ignore_model_output => false,
       :ignore_redirect_to_model => true,
-      :index_libs => true,
       :message_limit => 100,
       :min_confidence => 2,
       :output_color => true,
       :pager => true,
       :parallel_checks => true,
       :parser_timeout => 10,
+      :use_prism => true,
       :relative_path => false,
       :report_progress => true,
       :safe_methods => Set.new,
@@ -346,6 +391,12 @@ module Brakeman
 
     options.delete :create_config
 
+    if options[:logger]
+      @logger = options.delete(:logger)
+    else
+      set_default_logger(options)
+    end
+
     options.each do |k,v|
       if v.is_a? Set
         options[k] = v.to_a
@@ -356,60 +407,73 @@ module Brakeman
       File.open file, "w" do |f|
         YAML.dump options, f
       end
-      notify "Output configuration to #{file}"
+
+      announce "Output configuration to #{file}"
     else
-      notify YAML.dump(options)
+      $stdout.puts YAML.dump(options)
     end
   end
 
-  def self.ensure_latest
+  # Returns quit message unless the latest version
+  # of Brakeman matches the current version.
+  #
+  # Optionally checks that the latest version is at least
+  # the specified number of days old.
+  def self.ensure_latest(days_old: 0)
+    require 'date'
+
     current = Brakeman::Version
-    latest = Gem.latest_version_for('brakeman').to_s
-    if current != latest
-      "Brakeman #{current} is not the latest version #{latest}"
+    latest = Gem.latest_spec_for('brakeman')
+    release_date = latest.date.to_date
+    latest_version = latest.version.to_s
+
+    if (Date.today - latest.date.to_date) >= days_old
+      if current != latest_version
+        return "Brakeman #{current} is not the latest version #{latest_version}"
+      else
+        false
+      end
+    else
+      false
     end
   end
 
   #Run a scan. Generally called from Brakeman.run instead of directly.
   def self.scan options
     #Load scanner
-    notify "Loading scanner..."
+    scanner, tracker = nil
 
-    begin
-      require 'brakeman/scanner'
-    rescue LoadError
-      raise NoBrakemanError, "Cannot find lib/ directory."
-    end
+    process_step 'Loading scanner' do
+      begin
+        require 'brakeman/scanner'
+      rescue LoadError
+        raise NoBrakemanError, 'Cannot find lib/ directory.'
+      end
 
-    add_external_checks options
+      add_external_checks options
 
-    #Start scanning
-    scanner = Scanner.new options
-    tracker = scanner.tracker
+      #Start scanning
+      scanner = Scanner.new options
+      tracker = scanner.tracker
 
-    check_for_missing_checks options[:run_checks], options[:skip_checks], options[:enable_checks]
+      check_for_missing_checks options[:run_checks], options[:skip_checks], options[:enable_checks]
+    end
 
-    notify "Processing application in #{tracker.app_path}"
+    logger.announce "Scanning #{tracker.app_path}"
     scanner.process
 
-    if options[:parallel_checks]
-      notify "Running checks in parallel..."
-    else
-      notify "Running checks..."
-    end
-
     tracker.run_checks
 
     self.filter_warnings tracker, options
 
     if options[:output_files]
-      notify "Generating report..."
-
-      write_report_to_files tracker, options[:output_files]
+      process_step 'Generating report' do
+        write_report_to_files tracker, options[:output_files]
+      end
     elsif options[:print_report]
-      notify "Generating report..."
-
-      write_report_to_formats tracker, options[:output_formats]
+      process_step 'Generating report' do
+        write_report_to_formats tracker, options[:output_formats]
+      end
     end
 
     tracker
@@ -428,7 +492,8 @@ module Brakeman
       File.open output_file, "w" do |f|
         f.write tracker.report.format(tracker.options[:output_formats][idx])
       end
-      notify "Report saved in '#{output_file}'"
+
+      logger.announce "Report saved in '#{output_file}'"
     end
   end
   private_class_method :write_report_to_files
@@ -464,20 +529,24 @@ module Brakeman
   def self.rescan tracker, files, options = {}
     require 'brakeman/rescanner'
 
-    tracker.options.merge! options
+    options = tracker.options.merge options
 
     @quiet = !!tracker.options[:quiet]
     @debug = !!tracker.options[:debug]
 
-    Rescanner.new(tracker.options, tracker.processor, files).recheck
+    Rescanner.new(options, tracker.processor, files).recheck
+  end
+
+  def self.announce message
+    logger.announce message
   end
 
-  def self.notify message
-    $stderr.puts message unless @quiet
+  def self.alert message
+    logger.alert message
   end
 
   def self.debug message
-    $stderr.puts message if @debug
+    logger.debug message
   end
 
   # Compare JSON output from a previous scan and return the diff of the two scans
@@ -489,7 +558,7 @@ module Brakeman
     begin
       previous_results = JSON.parse(File.read(options[:previous_results_json]), :symbolize_names => true)[:warnings]
     rescue JSON::ParserError
-      self.notify "Error parsing comparison file: #{options[:previous_results_json]}"
+      self.alert "Error parsing comparison file: #{options[:previous_results_json]}"
       exit!
     end
 
@@ -544,6 +613,7 @@ module Brakeman
 
   def self.filter_warnings tracker, options
     require 'brakeman/report/ignore/config'
+    config = nil
 
     app_tree = Brakeman::AppTree.from_options(options)
 
@@ -555,16 +625,17 @@ module Brakeman
       return
     end
 
-    notify "Filtering warnings..."
-
-    if options[:interactive_ignore]
-      require 'brakeman/report/ignore/interactive'
-      config = InteractiveIgnorer.new(file, tracker.warnings).start
-    else
-      notify "[Notice] Using '#{file}' to filter warnings"
-      config = IgnoreConfig.new(file, tracker.warnings)
-      config.read_from_file
-      config.filter_ignored
+    process_step "Filtering warnings..." do
+      if options[:interactive_ignore]
+        require 'brakeman/report/ignore/interactive'
+        logger.cleanup
+        config = InteractiveIgnorer.new(file, tracker.warnings).start
+      else
+        logger.announce "Using '#{file}' to filter warnings"
+        config = IgnoreConfig.new(file, tracker.warnings)
+        config.read_from_file
+        config.filter_ignored
+      end
     end
 
     tracker.ignored_filter = config
@@ -594,6 +665,10 @@ module Brakeman
     @quiet = val
   end
 
+  def self.process_step(description, &)
+    logger.context(description, &)
+  end
+
   class DependencyError < RuntimeError; end
   class NoBrakemanError < RuntimeError; end
   class NoApplication < RuntimeError; end

data/lib/ruby_parser/bm_sexp.rb

@@ -172,6 +172,20 @@ class Sexp
     self[2] = name
   end
 
+  # Number of arguments in a method call.
+  def num_args
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn, :super, :zsuper
+
+    case self.node_type
+    when :call, :attrasgn, :safe_call, :safe_attrasgn
+      self.length - 3
+    when :super
+      self.length - 1
+    when :zsuper
+      0
+    end
+  end
+
   #Sets the arglist in a method call.
   def arglist= exp
     expect :call, :attrasgn, :safe_call, :safe_attrasgn