brakeman 7.1.2 → 8.0.0

data/lib/brakeman/logger.rb

@@ -0,0 +1,264 @@
+module Brakeman
+  module Logger
+    def self.get_logger options, dest = $stderr
+      case
+      when options[:debug]
+        Debug.new(options, dest)
+      when options[:quiet]
+        Quiet.new(options, dest)
+      when options[:report_progress] == false
+        Plain.new(options, dest)
+      when dest.tty?
+        Console.new(options, dest)
+      else
+        Plain.new(options, dest)
+      end
+    end
+
+    class Base
+      def initialize(options, log_destination = $stderr)
+        @dest = log_destination
+        @show_timing = options[:debug] || options[:show_timing]
+      end
+
+      # Output a message to the log.
+      # If newline is `false`, does not output a newline after message.
+      def log(message, newline: true)
+        if newline
+          @dest.puts message
+        else
+          @dest.write message
+        end
+      end
+
+      # Notify about important information - use sparingly
+      def announce(message); end
+
+      # Notify regarding errors - use sparingly
+      def alert(message); end
+
+      # Output debug information
+      def debug(message); end
+
+      # Wraps a step in the scanning process
+      def context(description, &)
+        yield self
+      end
+
+      # Wraps a substep (e.g. processing one file)
+      def single_context(description, &)
+        yield
+      end
+
+      # Update progress towards a known total
+      def update_progress(current, total, type = 'files'); end
+
+      # Show a spinner
+      def spin; end
+
+      # Called on exit
+      def cleanup(newline); end
+
+      def show_timing? = @show_timing
+
+      # Use ANSI codes to color a string
+      def color(message, *)
+        if @highline
+          @highline.color(message, *)
+        else
+          message
+        end
+      end
+
+      def color?
+        @highline and @highline.use_color?
+      end
+
+      private
+
+      def load_highline(output_color)
+        if @dest.tty? or output_color == :force
+          Brakeman.load_brakeman_dependency 'highline'
+          @highline = HighLine.new
+          @highline.use_color = !!output_color
+        else
+          @highline = nil
+        end
+      end
+    end
+
+    class Plain < Base
+      def initialize(options, *)
+        super
+
+        load_highline(options[:output_color])
+      end
+
+      def announce(message)
+        log color(message, :bold, :green)
+      end
+
+      def alert(message)
+        log color(message, :red)
+      end
+
+      def context(description, &)
+        log "#{color(description, :green)}..."
+
+        if show_timing?
+          time_step(description, &)
+        else
+          yield
+        end
+      end
+
+      def time_step(description, &)
+        start_t = Time.now
+        yield
+        duration = Time.now - start_t
+
+        log color(("Completed #{description.to_s.downcase} in %0.2fs" % duration), :gray)
+      end
+    end
+
+    class Quiet < Base
+      def initialize(*)
+        super
+      end
+    end
+
+    class Debug < Plain
+      def debug(message)
+        log color(message, :gray)
+      end
+
+      def context(description, &)
+        log "#{description}..."
+
+        time_step(description, &)
+      end
+
+      def single_context(description, &)
+        debug "Processing #{description}"
+
+        if show_timing?
+          # Even in debug, only show timing for each file if asked
+          time_step(description, &)
+        else
+          yield
+        end
+      end
+    end
+
+    class Console < Base
+      attr_reader :prefix
+
+      def initialize(options, *)
+        super
+
+        load_highline(options[:output_color])
+        require 'reline'
+        require 'reline/io/ansi'
+
+        @prefix = ''
+        @post_fix_pos = 0
+        @reline = Reline::ANSI.new
+        @report_progress = options[:report_progress]
+        @spinner = ["⣀", "⣄", "⣤", "⣦", "⣶", "⣷", "⣿"]
+        @percenter = ["⣀", "⣤", "⣶", "⣿"]
+        @spindex = 0
+        @last_spin = Time.now
+        @reline.hide_cursor
+      end
+
+      def announce message
+        clear_line
+        log color(message, :bold, :green)
+        rewrite_prefix
+      end
+
+      def alert message
+        clear_line
+        log color(message, :red)
+        rewrite_prefix
+      end
+
+      def context(description, &)
+        write_prefix description
+
+        time_step(description, &)
+      ensure
+        clear_prefix
+      end
+
+      def time_step(description, &)
+        if show_timing?
+          start_t = Time.now
+          yield
+          duration = Time.now - start_t
+
+          write_after color(('%0.2fs' % duration), :gray)
+          log ''
+        else
+          yield
+        end
+      end
+
+      def update_progress current, total, type = 'files'
+        percent = ((current / total.to_f) * 100).to_i
+        tenths = [(percent / 10), 0].max
+
+        lead = color(@percenter[percent % 10 / 3], :bold, :red)
+        done_blocks = color("⣿" * tenths, :red)
+        remaining = color("⣀" * (9 - tenths), :gray)
+        write_after "#{done_blocks}#{lead}#{remaining}"
+      end
+
+      def write_prefix pref
+        set_prefix pref
+        rewrite_prefix
+      end
+
+      # If an alert was written, redo prefix on next line
+      def rewrite_prefix
+        log(@prefix, newline: false)
+        @reline.erase_after_cursor
+      end
+
+      def write_after message
+        @reline.move_cursor_column(@post_fix_pos)
+        log(message, newline: false)
+        @reline.erase_after_cursor
+      end
+
+      def set_prefix message
+        @prefix = "#{color('»', :bold, :cyan)} #{color(message, :green)}"
+        @post_fix_pos = HighLine::Wrapper.actual_length(@prefix) + 1
+      end
+
+      def clear_prefix
+        @prefix = ''
+        @post_fix_pos = 0
+        clear_line
+      end
+
+      def clear_line
+        @reline.move_cursor_column(0)
+        @reline.erase_after_cursor
+      end
+
+      def spin
+        return unless (Time.now - @last_spin) > 0.2
+
+        write_after color(@spinner[@spindex], :bold, :red)
+        @spindex = (@spindex + 1) % @spinner.length
+        @last_spin = Time.now
+      end
+
+      def cleanup(newline = true)
+        @reline.show_cursor
+        log('') if newline
+      end
+    end
+  end
+end

data/lib/brakeman/options.rb

@@ -131,7 +131,6 @@ module Brakeman::Options
 
         opts.on "--faster", "Faster, but less accurate scan" do
           options[:ignore_ifs] = true
-          options[:skip_libs] = true
           options[:disable_constant_tracking] = true
         end
 
@@ -143,10 +142,6 @@ module Brakeman::Options
           options[:ignore_attr_protected] = true
         end
 
-        opts.on "--[no-]index-libs", "Add libraries to call index (Default)" do |index|
-          options[:index_libs] = index
-        end
-
         opts.on "--interprocedural", "Process method calls to known methods" do
           options[:interprocedural] = true
         end
@@ -212,10 +207,6 @@ module Brakeman::Options
           options[:skip_vendor] = skip
         end
 
-        opts.on "--skip-libs", "Skip processing lib directory" do
-          options[:skip_libs] = true
-        end
-
         opts.on "--add-libs-path path1,path2,etc", Array, "An application relative lib directory (ex. app/mailers) to process" do |paths|
           options[:additional_libs_path] ||= Set.new
           options[:additional_libs_path].merge paths

data/lib/brakeman/parsers/rails_erubi.rb

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+# Copied almost verbatim from Rails
+# https://github.com/rails/rails/blob/5359cf8a5b093b04170e884ee8da5a1e076b8a0d/actionview/lib/action_view/template/handlers/erb/erubi.rb#L9
+
+Brakeman.load_brakeman_dependency "erubi"
+
+module Brakeman
+  class Erubi < ::Erubi::Engine
+    # :nodoc: all
+    def initialize(input, properties = {})
+      @newline_pending = 0
+
+      # Dup properties so that we don't modify argument
+      properties = Hash[properties]
+
+      properties[:bufvar]     ||= "@output_buffer"
+      properties[:preamble]   ||= ""
+      properties[:postamble]  ||= "#{properties[:bufvar]}"
+
+      # Tell Erubi whether the template will be compiled with `frozen_string_literal: true`
+      # properties[:freeze_template_literals] = !Template.frozen_string_literal
+      properties[:freeze_template_literals] = false
+
+      properties[:escapefunc] = ""
+
+      super
+    end
+
+  private
+    def add_text(text)
+      return if text.empty?
+
+      if text == "\n"
+        @newline_pending += 1
+      else
+        with_buffer do
+          src << ".safe_append='"
+          src << "\n" * @newline_pending if @newline_pending > 0
+          src << text.gsub(/['\\]/, '\\\\\&') << @text_end
+        end
+        @newline_pending = 0
+      end
+    end
+
+    BLOCK_EXPR = /((\s|\))do|\{)(\s*\|[^|]*\|)?\s*\Z/
+
+    def add_expression(indicator, code)
+      flush_newline_if_pending(src)
+
+      with_buffer do
+        if (indicator == "==") || @escape
+          src << ".safe_expr_append="
+        else
+          src << ".append="
+        end
+
+        if BLOCK_EXPR.match?(code)
+          src << " " << code
+        else
+          src << "(" << code << ")"
+        end
+      end
+    end
+
+    def add_code(code)
+      flush_newline_if_pending(src)
+      super
+    end
+
+    def add_postamble(_)
+      flush_newline_if_pending(src)
+      super
+    end
+
+    def flush_newline_if_pending(src)
+      if @newline_pending > 0
+        with_buffer { src << ".safe_append='#{"\n" * @newline_pending}" << @text_end }
+        @newline_pending = 0
+      end
+    end
+  end
+end

data/lib/brakeman/parsers/template_parser.rb

@@ -21,7 +21,7 @@ module Brakeman
       begin
         src = case type
               when :erb
-                type = :erubis if erubis?
+                type = :erubi if erubi?
                 parse_erb path, text
               when :haml
                 type = :haml6 if haml6?
@@ -46,17 +46,9 @@ module Brakeman
     end
 
     def parse_erb path, text
-      if tracker.config.escape_html?
-        if tracker.options[:rails3]
-          require 'brakeman/parsers/rails3_erubis'
-          Brakeman::Rails3Erubis.new(text, :filename => path).src
-        else
-          require 'brakeman/parsers/rails2_xss_plugin_erubis'
-          Brakeman::Rails2XSSPluginErubis.new(text, :filename => path).src
-        end
-      elsif tracker.config.erubis?
-        require 'brakeman/parsers/rails2_erubis'
-        Brakeman::ScannerErubis.new(text, :filename => path).src
+      if erubi?
+        require 'brakeman/parsers/rails_erubi'
+        Brakeman::Erubi.new(text, :filename => path).src
       else
         require 'erb'
         src = if ERB.instance_method(:initialize).parameters.assoc(:key) # Ruby 2.6+
@@ -69,9 +61,9 @@ module Brakeman
       end
     end
 
-    def erubis?
+    def erubi?
       tracker.config.escape_html? or
-        tracker.config.erubis?
+        tracker.config.erubi?
     end
 
     def parse_haml path, text
@@ -148,7 +140,7 @@ module Brakeman
       fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
       tp = self.new(tracker, fp)
       src = tp.parse_erb '_inline_', text
-      type = tp.erubis? ? :erubis : :erb
+      type = tp.erubi? ? :erubi : :erb
 
       return type, fp.parse_ruby(src, "_inline_")
     end

data/lib/brakeman/processor.rb

@@ -65,8 +65,8 @@ module Brakeman
         result = HamlTemplateProcessor.new(@tracker, name, called_from, file_name).process src
       when :haml6
         result = Haml6TemplateProcessor.new(@tracker, name, called_from, file_name).process src
-      when :erubis
-        result = ErubisTemplateProcessor.new(@tracker, name, called_from, file_name).process src
+      when :erubi
+        result = ErubiTemplateProcessor.new(@tracker, name, called_from, file_name).process src
       when :slim
         result = SlimTemplateProcessor.new(@tracker, name, called_from, file_name).process src
       else

data/lib/brakeman/processors/controller_alias_processor.rb

@@ -146,7 +146,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
     filter = tracker.find_method name, @current_class
 
     if filter.nil?
-      Brakeman.debug "[Notice] Could not find filter #{name}"
+      Brakeman.debug "Could not find filter #{name}"
       return
     end
 

data/lib/brakeman/processors/controller_processor.rb

@@ -30,13 +30,13 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     #But if not inside a controller already, then the class may include
     #a real controller, so we can't take this shortcut.
     if @current_class and @current_class.name.to_s.end_with? "Controller"
-      Brakeman.debug "[Notice] Treating inner class as library: #{name}"
+      Brakeman.debug "Treating inner class as library: #{name}"
       Brakeman::LibraryProcessor.new(@tracker).process_library exp, @current_file
       return exp
     end
 
     if not name.to_s.end_with? "Controller"
-      Brakeman.debug "[Notice] Adding noncontroller as library: #{name}"
+      Brakeman.debug "Adding noncontroller as library: #{name}"
       #Set the class to be a module in order to get the right namespacing.
       #Add class to libraries, in case it is needed later (e.g. it's used
       #as a parent class for a controller.)
@@ -124,7 +124,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
             if @app_tree.layout_exists?(name)
               @current_class.layout = "layouts/#{name}"
             else
-              Brakeman.debug "[Notice] Layout not found: #{name}"
+              Brakeman.debug "Layout not found: #{name}"
             end
           elsif node_type? last_arg, :nil, :false
             #layout :false or layout nil

data/lib/brakeman/processors/{erubis_template_processor.rb → erubi_template_procesor.rb}

@@ -1,7 +1,7 @@
 require 'brakeman/processors/template_processor'
 
-#Processes ERB templates using Erubis instead of erb.
-class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
+#Processes ERB templates using Erubi instead of erb.
+class Brakeman::ErubiTemplateProcessor < Brakeman::TemplateProcessor
 
   #s(:call, TARGET, :method, ARGS)
   def process_call exp
@@ -14,7 +14,7 @@ class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
     exp.arglist = process exp.arglist
     method = exp.method
 
-    #_buf is the default output variable for Erubis
+    #_buf is the default output variable for Erubi
     if node_type?(target, :lvar, :ivar) and (target.value == :_buf or target.value == :@output_buffer)
       if method == :<< or method == :safe_concat
 

data/lib/brakeman/processors/lib/rails2_config_processor.rb

@@ -33,14 +33,15 @@ class Brakeman::Rails2ConfigProcessor < Brakeman::BasicProcessor
     process res
   end
 
-  #Check if config is set to use Erubis
+  # Check if config is set to use Erubis
+  # but because it's 2026 we're going to use Erubi
   def process_call exp
     target = exp.target
     target = process target if sexp? target
 
     if exp.method == :gem and exp.first_arg.value == "erubis"
-      Brakeman.notify "[Notice] Using Erubis for ERB templates"
-      @tracker.config.erubis = true
+      Brakeman.debug "[Notice] Using Erubi for ERB templates"
+      @tracker.config.erubi = true
     end
 
     exp

data/lib/brakeman/processors/lib/rails2_route_processor.rb

@@ -131,7 +131,7 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BasicProcessor
       when :except
         process_option_except value
       else
-        Brakeman.notify "[Notice] Unhandled resource option, please report: #{option}"
+        Brakeman.alert "Unhandled resource option, please report: #{option}"
       end
     end
   end

data/lib/brakeman/processors/lib/render_helper.rb

@@ -98,7 +98,7 @@ module Brakeman::RenderHelper
     name = name.to_s.gsub(/^\//, "")
     template = @tracker.templates[name.to_sym]
     unless template
-      Brakeman.debug "[Notice] No such template: #{name}"
+      Brakeman.debug "No such template: #{name}"
       return
     end
 

data/lib/brakeman/processors/lib/render_path.rb

@@ -36,7 +36,7 @@ module Brakeman
           file: template.file,
         }
       else
-        Brakeman.debug "[Notice] No render path to add template information"
+        Brakeman.debug "No render path to add template information"
       end
     end
 

data/lib/brakeman/processors/model_processor.rb

@@ -27,7 +27,7 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
 
     #If inside an inner class we treat it as a library.
     if @current_class
-      Brakeman.debug "[Notice] Treating inner class as library: #{name}"
+      Brakeman.debug "Treating inner class as library: #{name}"
       Brakeman::LibraryProcessor.new(@tracker).process_library exp, @current_file
       return exp
     end

data/lib/brakeman/report/ignore/config.rb

@@ -107,7 +107,7 @@ module Brakeman
           raise e, "\nError[#{e.class}] while reading brakeman ignore file: #{file}\n"
         end
       else
-        Brakeman.notify "[Notice] Could not find ignore configuration in #{file}"
+        Brakeman.alert "Could not find ignore configuration in #{file} (no file)"
         @already_ignored = []
       end