brakeman 7.1.2 → 8.0.0

data/lib/brakeman/scanner.rb

@@ -31,8 +31,6 @@ class Brakeman::Scanner
     end
 
     @processor = processor || Brakeman::Processor.new(@app_tree, options)
-    @show_timing = tracker.options[:debug] || tracker.options[:show_timing]
-    @per_file_timing = tracker.options[:debug] && tracker.options[:show_timing]
   end
 
   #Returns the Tracker generated from the scan
@@ -44,32 +42,12 @@ class Brakeman::Scanner
     tracker.file_cache
   end
 
-  def process_step description
-    Brakeman.notify "#{description}...".ljust(40)
-
-    if @show_timing
-      start_t = Time.now
-      yield
-      duration = Time.now - start_t
-
-      Brakeman.notify "(#{description}) Duration: #{duration} seconds"
-    else
-      yield
-    end
+  def process_step(description, &)
+    Brakeman.process_step(description, &)
   end
 
-  def process_step_file description
-    if @per_file_timing
-      Brakeman.notify "Processing #{description}"
-
-      start_t = Time.now
-      yield
-      duration = Time.now - start_t
-
-      Brakeman.notify "(#{description}) Duration: #{duration} seconds"
-    else
-      yield
-    end
+  def process_step_file(description, &)
+    Brakeman.logger.single_context(description, &)
   end
 
   #Process everything in the Rails application
@@ -111,7 +89,7 @@ class Brakeman::Scanner
       process_initializers
     end
 
-    process_step 'Processing libs' do
+    process_step 'Processing libraries' do
       process_libs
     end
 
@@ -123,7 +101,7 @@ class Brakeman::Scanner
       process_templates
     end
 
-    process_step 'Processing data flow in templates' do
+    process_step 'Processing data flow' do
       process_template_data_flows
     end
 
@@ -135,11 +113,11 @@ class Brakeman::Scanner
       process_controllers
     end
 
-    process_step 'Processing data flow in controllers' do
+    process_step 'Processing data flow' do
       process_controller_data_flows
     end
 
-    process_step 'Indexing call sites' do
+    process_step 'Indexing method calls' do
       index_call_sites
     end
 
@@ -154,6 +132,7 @@ class Brakeman::Scanner
     template_parser = Brakeman::TemplateParser.new(tracker, fp)
 
     fp.read_files(template_paths) do |path, contents|
+      Brakeman.logger.spin
       template_parser.parse_template(path, contents)
     end
 
@@ -167,6 +146,8 @@ class Brakeman::Scanner
     detector = Brakeman::FileTypeDetector.new
 
     astfiles.each do |file|
+      Brakeman.logger.spin
+
       if file.is_a? Brakeman::TemplateParser::TemplateFile
         file_cache.add_file file, :template
       else
@@ -202,7 +183,7 @@ class Brakeman::Scanner
       options[:rails3] or options[:escape_html]
 
       tracker.config.escape_html = true
-      Brakeman.notify "[Notice] Escaping HTML by default"
+      Brakeman.debug 'Escaping HTML by default'
     end
 
     if @app_tree.exists? ".ruby-version"
@@ -222,7 +203,7 @@ class Brakeman::Scanner
     end
 
   rescue => e
-    Brakeman.notify "[Notice] Error while processing #{path}"
+    Brakeman.alert "Error while processing #{path}"
     tracker.error e.exception(e.message + "\nwhile processing #{path}"), e.backtrace
   end
 
@@ -264,7 +245,7 @@ class Brakeman::Scanner
       @processor.process_gems gem_files
     end
   rescue => e
-    Brakeman.notify "[Notice] Error while processing Gemfile."
+    Brakeman.alert 'Error while processing Gemfile'
     tracker.error e.exception(e.message + "\nWhile processing Gemfile"), e.backtrace
   end
 
@@ -273,16 +254,16 @@ class Brakeman::Scanner
     unless tracker.options[:rails3] or tracker.options[:rails4]
       if @app_tree.exists?("script/rails")
         tracker.options[:rails3] = true
-        Brakeman.notify "[Notice] Detected Rails 3 application"
+        Brakeman.debug 'Detected Rails 3 application'
       elsif @app_tree.exists?("app/channels")
         tracker.options[:rails3] = true
         tracker.options[:rails4] = true
         tracker.options[:rails5] = true
-        Brakeman.notify "[Notice] Detected Rails 5 application"
+        Brakeman.debug 'Detected Rails 5 application'
       elsif not @app_tree.exists?("script")
         tracker.options[:rails3] = true
         tracker.options[:rails4] = true
-        Brakeman.notify "[Notice] Detected Rails 4 application"
+        Brakeman.debug 'Detected Rails 4 application'
       end
     end
   end
@@ -303,15 +284,10 @@ class Brakeman::Scanner
     @processor.process_initializer(init.path, init.ast)
   end
 
-  #Process all .rb in lib/
-  #
-  #Adds parsed information to tracker.libs.
+  # Adds parsed information to tracker.libs.
+  # This is a catch-all for any Ruby files that weren't determined
+  # to be a specific type of file (like a controller).
   def process_libs
-    if options[:skip_libs]
-      Brakeman.notify '[Skipping]'
-      return
-    end
-
     libs = file_cache.libs.sort_by { |path, _| path }
 
     track_progress libs do |path, lib|
@@ -335,11 +311,11 @@ class Brakeman::Scanner
       if routes_sexp = parse_ruby_file(file)
         @processor.process_routes routes_sexp
       else
-        Brakeman.notify "[Notice] Error while processing routes - assuming all public controller methods are actions."
+        Brakeman.alert 'Error while processing routes - assuming all public controller methods are actions.'
         options[:assume_all_routes] = true
       end
     else
-      Brakeman.notify "[Notice] No route information found"
+      Brakeman.alert 'No route information found'
     end
   end
 
@@ -427,15 +403,15 @@ class Brakeman::Scanner
     total = list.length
     current = 0
     list.each do |item|
-      report_progress current, total, type
+      report_progress current, total
       current += 1
       yield item
     end
   end
 
-  def report_progress(current, total, type = "files")
+  def report_progress(current, total)
     return unless @options[:report_progress]
-    $stderr.print " #{current}/#{total} #{type} processed\r"
+    Brakeman.logger.update_progress(current, total)
   end
 
   def index_call_sites

data/lib/brakeman/tracker/collection.rb

@@ -55,13 +55,23 @@ module Brakeman
       if src.node_type == :defs
         @class_methods[name] = meth_info
 
-        # TODO fix this weirdness
-        name = :"#{src[1]}.#{name}"
+        name = :"#{method_definition_receiver(src[1])}.#{name}"
       end
 
       @methods[visibility][name] = meth_info
     end
 
+    def method_definition_receiver(receiver)
+      return receiver if receiver.is_a?(Symbol)
+
+      case receiver.sexp_type
+      when :self
+        "self"
+      else
+        receiver[1].to_s
+      end
+    end
+
     def each_method
       @methods.each do |_vis, meths|
         meths.each do |name, info|

data/lib/brakeman/tracker/config.rb

@@ -5,7 +5,7 @@ module Brakeman
     include Util
 
     attr_reader :gems, :rails, :ruby_version, :tracker
-    attr_writer :erubis, :escape_html
+    attr_writer :erubi, :escape_html
 
     def initialize tracker
       @tracker = tracker
@@ -13,7 +13,7 @@ module Brakeman
       @gems = {}
       @settings = {}
       @escape_html = nil
-      @erubis = nil
+      @erubi = nil
       @ruby_version = nil
       @rails_version = nil
     end
@@ -28,8 +28,8 @@ module Brakeman
       false
     end
 
-    def erubis?
-      @erubis
+    def erubi?
+      @erubi
     end
 
     def escape_html?
@@ -88,29 +88,29 @@ module Brakeman
         if tracker.options[:rails3].nil? and tracker.options[:rails4].nil?
           if @rails_version.start_with? "3"
             tracker.options[:rails3] = true
-            Brakeman.notify "[Notice] Detected Rails 3 application"
+            notify_version 3
           elsif @rails_version.start_with? "4"
             tracker.options[:rails3] = true
             tracker.options[:rails4] = true
-            Brakeman.notify "[Notice] Detected Rails 4 application"
+            notify_version 4
           elsif @rails_version.start_with? "5"
             tracker.options[:rails3] = true
             tracker.options[:rails4] = true
             tracker.options[:rails5] = true
-            Brakeman.notify "[Notice] Detected Rails 5 application"
+            notify_version 5
           elsif @rails_version.start_with? "6"
             tracker.options[:rails3] = true
             tracker.options[:rails4] = true
             tracker.options[:rails5] = true
             tracker.options[:rails6] = true
-            Brakeman.notify "[Notice] Detected Rails 6 application"
+            notify_version 6
           elsif @rails_version.start_with? "7"
             tracker.options[:rails3] = true
             tracker.options[:rails4] = true
             tracker.options[:rails5] = true
             tracker.options[:rails6] = true
             tracker.options[:rails7] = true
-            Brakeman.notify "[Notice] Detected Rails 7 application"
+            notify_version 7
           elsif @rails_version.start_with? "8"
             tracker.options[:rails3] = true
             tracker.options[:rails4] = true
@@ -118,14 +118,14 @@ module Brakeman
             tracker.options[:rails6] = true
             tracker.options[:rails7] = true
             tracker.options[:rails8] = true
-            Brakeman.notify "[Notice] Detected Rails 8 application"
+            notify_version 8
           end
         end
       end
 
       if get_gem :rails_xss
         @escape_html = true
-        Brakeman.notify "[Notice] Escaping HTML by default"
+        Brakeman.debug "Escaping HTML by default"
       end
     end
 
@@ -182,7 +182,7 @@ module Brakeman
         option = config[o]
 
         if not option.is_a? Hash
-          Brakeman.debug "[Notice] Skipping config setting: #{path.map(&:to_s).join(".")}"
+          Brakeman.debug "Skipping config setting: #{path.map(&:to_s).join(".")}"
           return
         end
 
@@ -202,7 +202,7 @@ module Brakeman
       version = tracker.config.rails[:load_defaults].value.to_s
 
       unless version.match?(/^\d+\.\d+$/)
-        Brakeman.debug "[Notice] Unknown version: #{tracker.config.rails[:load_defaults]}"
+        Brakeman.alert "Unknown version: #{tracker.config.rails[:load_defaults]}"
         return
       end
 
@@ -284,5 +284,9 @@ module Brakeman
         set_rails_config(value: true_value, path: [:active_support, :use_rfc4122_namespaced_uuids])
       end
     end
+
+    private def notify_version version
+      Brakeman.debug "Detected Rails #{version} application"
+    end
   end
 end

data/lib/brakeman/tracker/constants.rb

@@ -29,7 +29,7 @@ module Brakeman
 
     def set_name name, context
       @name = name
-      @name_array = Constants.constant_as_array(name)
+      @name_array = Constants.constant_as_array(name, context)
     end
 
     def match? name
@@ -129,7 +129,22 @@ module Brakeman
       end
     end
 
-    def self.constant_as_array exp
+    def self.constant_as_array exp, context = nil
+      # Only prepend context for simple (unqualified) constants
+      if context && (exp.is_a?(Symbol) || (exp.is_a?(Sexp) && exp.node_type == :const))
+        context_name = context[:module] || context[:class]
+        context_name = context_name.name if context_name.respond_to?(:name)
+        if context_name
+          # Build colon2 chain: A::B becomes s(:colon2, s(:const, :A), :B)
+          parts = context_name.to_s.split("::")
+          base = Sexp.new(:const, parts.first.to_sym)
+          parts[1..].each do |part|
+            base = Sexp.new(:colon2, base, part.to_sym)
+          end
+          exp = Sexp.new(:colon2, base, exp)
+        end
+      end
+
       res = []
       while exp
         if exp.is_a? Sexp

data/lib/brakeman/tracker/controller.rb

@@ -132,7 +132,7 @@ module Brakeman
           when :lit, :str
             filter[option.value] = value[1]
           else
-            Brakeman.debug "[Notice] Unknown before_filter value: #{option} => #{value}"
+            Brakeman.debug "Unknown before_filter value: #{option} => #{value}"
           end
         end
       else

data/lib/brakeman/tracker.rb

@@ -101,15 +101,9 @@ class Brakeman::Tracker
     @app_path ||= File.expand_path @options[:app_path]
   end
 
-  #Iterate over all methods in controllers and models.
+  #Iterate over all methods
   def each_method
-    classes = [self.controllers, self.models]
-
-    if @options[:index_libs]
-      classes << self.libs
-    end
-
-    classes.each do |set|
+    [self.controllers, self.models, self.libs].each do |set|
       set.each do |set_name, collection|
         collection.each_method do |method_name, definition|
           src = definition.src
@@ -137,13 +131,7 @@ class Brakeman::Tracker
 
 
   def each_class
-    classes = [self.controllers, self.models]
-
-    if @options[:index_libs]
-      classes << self.libs
-    end
-
-    classes.each do |set|
+    [self.controllers, self.models, self.libs].each do |set|
       set.each do |set_name, collection|
         collection.src.each do |file, src|
           yield src, set_name, file
@@ -329,6 +317,8 @@ class Brakeman::Tracker
     finder = Brakeman::FindAllCalls.new self
 
     method_sets.each do |set|
+      Brakeman.logger.spin
+
       set.each do |set_name, info|
         info.each_method do |method_name, definition|
           src = definition.src
@@ -339,12 +329,14 @@ class Brakeman::Tracker
 
     if locations.include? :templates
       self.each_template do |_name, template|
+        Brakeman.logger.spin
         finder.process_source template.src, :template => template, :file => template.file
       end
     end
 
     if locations.include? :initializers
       self.initializers.each do |file_name, src|
+        Brakeman.logger.spin
         finder.process_all_source src, :file => file_name
       end
     end

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "7.1.2"
+  Version = "8.0.0"
 end