brakeman 7.0.2 → 7.1.1

data/lib/brakeman/processors/haml_template_processor.rb

@@ -84,6 +84,12 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     :escape_once_without_haml_xss
   ]
 
+  def is_escaped? exp
+    return unless call? exp
+
+    haml_helpers? exp.target and ESCAPE_METHODS.include? exp.method
+  end
+
   def get_pushed_value exp, default = :output
     return exp unless sexp? exp
 
@@ -113,7 +119,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     when :call
       if exp.method == :to_s or exp.method == :strip
         get_pushed_value(exp.target, default)
-      elsif haml_helpers? exp.target and ESCAPE_METHODS.include? exp.method
+      elsif is_escaped? exp
         get_pushed_value(exp.first_arg, :escaped_output)
       elsif @javascript and (exp.method == :j or exp.method == :escape_javascript) # TODO: Remove - this is not safe
         get_pushed_value(exp.first_arg, :escaped_output)
@@ -160,7 +166,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
   def haml_attribute_builder? exp
     call? exp and
       exp.target == ATTRIBUTE_BUILDER and
-      exp.method == :build
+      (exp.method == :build or exp.method == :build_id)
   end
 
   def fix_textareas? exp

data/lib/brakeman/processors/lib/render_helper.rb

@@ -9,7 +9,14 @@ module Brakeman::RenderHelper
     @rendered = true
     case exp.render_type
     when :action, :template, :inline
-      process_action exp[2][1], exp[3], exp.line
+      action = exp[2]
+      args = exp[3]
+
+      if string? action or symbol? action
+        process_action action.value, args, exp.line
+      else
+        process_model_action action, args
+      end
     when :default
       begin
         process_template template_name, exp[3], nil, exp.line
@@ -49,6 +56,36 @@ module Brakeman::RenderHelper
   def process_action name, args, line
     if name.is_a? String or name.is_a? Symbol
       process_template template_name(name), args, nil, line
+    else
+      Brakeman.debug "Not processing render #{name.inspect}"
+    end
+  end
+
+  SINGLE_RECORD = [:first, :find, :last, :new]
+  COLLECTION = [:all, :where]
+
+  def process_model_action action, args
+    return unless call? action
+
+    method = action.method
+
+    klass = get_class_target(action) || Brakeman::Tracker::UNKNOWN_MODEL
+    name = Sexp.new(:lit, klass.downcase)
+
+    if SINGLE_RECORD.include? method
+      # Set a local variable with name based on class of model
+      # and value of the value passed to render
+      local_key = Sexp.new(:lit, :locals)
+      locals = hash_access(args, local_key) || Sexp.new(:hash)
+      hash_insert(locals, name, action)
+      hash_insert(args, local_key, locals)
+
+      process_partial name, args, action.line
+    elsif COLLECTION.include? method
+      collection_key = Sexp.new(:lit, :collection)
+      hash_insert(args, collection_key, action)
+
+      process_partial name, args, action.line
     end
   end
 

data/lib/brakeman/processors/template_processor.rb

@@ -56,7 +56,7 @@ class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
   # Pull out actual output value from template
   def normalize_output arg
     if call? arg and [:to_s, :html_safe!, :freeze].include? arg.method
-      arg.target
+      normalize_output(arg.target) # sometimes it's foo.to_s.to_s
     elsif node_type? arg, :if
       branches = [arg.then_clause, arg.else_clause].compact
 

data/lib/brakeman/report/pager.rb

@@ -92,7 +92,7 @@ module Brakeman
       if system("which less > /dev/null")
         less_help = `less -?`
 
-        ["-R ", "-F ", "-X "].each do |opt|
+        ["-R ", "-F ", "-X ", " --wordwrap"].each do |opt|
           if less_help.include? opt
             @less_options << opt
           end

data/lib/brakeman/report/report_html.rb

@@ -1,4 +1,4 @@
-require 'cgi'
+require 'cgi/escape'
 require 'brakeman/report/report_table.rb'
 
 class Brakeman::Report::HTML < Brakeman::Report::Table

data/lib/brakeman/report/report_junit.rb

@@ -9,50 +9,7 @@ class Brakeman::Report::JUnit < Brakeman::Report::Base
     doc.add REXML::XMLDecl.new '1.0', 'UTF-8'
 
     test_suites = REXML::Element.new 'testsuites'
-    test_suites.add_attribute 'xmlns:brakeman', 'https://brakemanscanner.org/'
-    properties = test_suites.add_element 'brakeman:properties', { 'xml:id' => 'scan_info' }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'app_path', 'brakeman:value' => tracker.app_path }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'rails_version', 'brakeman:value' => rails_version }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'security_warnings', 'brakeman:value' => all_warnings.length }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'start_time', 'brakeman:value' => tracker.start_time.iso8601 }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'end_time', 'brakeman:value' => tracker.end_time.iso8601 }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'duration', 'brakeman:value' => tracker.duration }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'checks_performed', 'brakeman:value' => checks.checks_run.join(',') }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'number_of_controllers', 'brakeman:value' => tracker.controllers.length }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'number_of_models', 'brakeman:value' => tracker.models.length - 1 }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'ruby_version', 'brakeman:value' => number_of_templates(@tracker) }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'number_of_templates', 'brakeman:value' => RUBY_VERSION }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'brakeman_version', 'brakeman:value' => Brakeman::Version }
 
-    errors = test_suites.add_element 'brakeman:errors'
-    tracker.errors.each { |e|
-      error = errors.add_element 'brakeman:error'
-      error.add_attribute 'brakeman:message', e[:error]
-      e[:backtrace].each { |b|
-        backtrace = error.add_element 'brakeman:backtrace'
-        backtrace.add_text b
-      }
-    }
-
-    obsolete = test_suites.add_element 'brakeman:obsolete'
-    tracker.unused_fingerprints.each { |fingerprint|
-      obsolete.add_element 'brakeman:warning', { 'brakeman:fingerprint' => fingerprint }
-    }
-
-    ignored = test_suites.add_element 'brakeman:ignored'
-    ignored_warnings.each { |w|
-      warning = ignored.add_element 'brakeman:warning'
-      warning.add_attribute 'brakeman:message', w.message
-      warning.add_attribute 'brakeman:category', w.warning_type
-      warning.add_attribute 'brakeman:file', warning_file(w)
-      warning.add_attribute 'brakeman:line', w.line
-      warning.add_attribute 'brakeman:fingerprint', w.fingerprint
-      warning.add_attribute 'brakeman:confidence', w.confidence_name 
-      warning.add_attribute 'brakeman:code', w.format_code
-      warning.add_text w.to_s
-    }
-
-    hostname = `hostname`.strip
     i = 0
     all_warnings
       .map { |warning| [warning.file, [warning]] }
@@ -66,35 +23,25 @@ class Brakeman::Report::JUnit < Brakeman::Report::Base
         test_suite = test_suites.add_element 'testsuite'
         test_suite.add_attribute 'id', i
         test_suite.add_attribute 'package', 'brakeman'
-        test_suite.add_attribute 'name', file.relative
+        test_suite.add_attribute 'file', file.relative
         test_suite.add_attribute 'timestamp', tracker.start_time.strftime('%FT%T')
-        test_suite.add_attribute 'hostname', hostname == '' ? 'localhost' : hostname
         test_suite.add_attribute 'tests', checks.checks_run.length
         test_suite.add_attribute 'failures', warnings.length
         test_suite.add_attribute 'errors', '0'
         test_suite.add_attribute 'time', '0'
 
-        test_suite.add_element 'properties'
-
         warnings.each { |warning|
           test_case = test_suite.add_element 'testcase'
-          test_case.add_attribute 'name', 'run_check'
-          test_case.add_attribute 'classname', warning.check
+          test_case.add_attribute 'name', warning.check.sub(/^Brakeman::/, '')
+          test_case.add_attribute 'file', file.relative
+          test_case.add_attribute 'line', warning.line if warning.line
           test_case.add_attribute 'time', '0'
 
           failure = test_case.add_element 'failure'
           failure.add_attribute 'message', warning.message
           failure.add_attribute 'type', warning.warning_type
-          failure.add_attribute 'brakeman:fingerprint', warning.fingerprint
-          failure.add_attribute 'brakeman:file', warning_file(warning)
-          failure.add_attribute 'brakeman:line', warning.line
-          failure.add_attribute 'brakeman:confidence', warning.confidence_name 
-          failure.add_attribute 'brakeman:code', warning.format_code
           failure.add_text warning.to_s
         }
-
-        test_suite.add_element 'system-out'
-        test_suite.add_element 'system-err'
       }
 
     doc.add test_suites

data/lib/brakeman/report/templates/header.html.erb

@@ -9,10 +9,15 @@
     function toggle(context) {
       var elem = document.getElementById(context);
 
-      if (elem.style.display != "block")
+      if (elem.style.display != "block") {
         elem.style.display = "block";
-      else
+
+        elem.querySelectorAll("table").forEach(function(table) {
+          $(table).DataTable().columns.adjust();
+        });
+      } else {
         elem.style.display = "none";
+      }
 
       elem.parentNode.scrollIntoView();
     }
@@ -46,7 +51,7 @@
     <tr>
       <td><%= tracker.app_path %></td>
       <td><%= rails_version %></td>
-      <td><%= brakeman_version %>
+      <td><%= brakeman_version %></td>
       <td>
         <%= tracker.start_time %><br><br>
         <%= tracker.duration %> seconds

data/lib/brakeman/report/templates/ignored_warnings.html.erb

@@ -1,6 +1,6 @@
 <div onClick="toggle('ignored_table');">  <h2><%= warnings.length %> Ignored Warnings (click to see them)</h2 ></div>
-<div>
-  <table style="display:none" id="ignored_table">
+<div style="display:none; width:100%" id="ignored_table">
+  <table>
     <thead>
       <tr>
         <th>Confidence</th>
@@ -8,7 +8,7 @@
         <th>Warning Type</th>
         <th>CWE ID</th>
         <th>Message</th>
-        <th>Note</th>
+        <th width="auto">Note</th>
       </tr>
     </thead>
     <tbody>

data/lib/brakeman/tracker.rb

@@ -441,4 +441,10 @@ class Brakeman::Tracker
 
     @call_index.remove_indexes_by_file path
   end
+
+  # Call this to be able to marshal the Tracker
+  def marshallable
+    @app_tree.marshallable
+    self
+  end
 end

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "7.0.2"
+  Version = "7.1.1"
 end

data/lib/brakeman.rb

@@ -24,6 +24,10 @@ module Brakeman
   #--ensure-ignore-notes is set
   Empty_Ignore_Note_Exit_Code = 8
 
+  # Exit code returned when at least one obsolete ignore entry is present
+  # and `--ensure-no-obsolete-ignore-entries` is set.
+  Obsolete_Ignore_Entries_Exit_Code = 9
+
   @debug = false
   @quiet = false
   @loaded_dependencies = []