brakeman 1.5.1 → 1.5.2

data/bin/brakeman

@@ -6,14 +6,6 @@ require 'brakeman'
 require 'brakeman/options'
 require 'brakeman/version'
 
-trap("INT") do
-  $stderr.puts "\nInterrupted - exiting."
-  if RUBY_VERSION.include? "1.9"
-    $stderr.puts Thread.current.backtrace
-  end
-  exit!
-end
-
 #Parse options
 options, parser = Brakeman::Options.parse! ARGV
 
@@ -44,6 +36,16 @@ unless options[:app_path]
   end
 end
 
+trap("INT") do
+  $stderr.puts "\nInterrupted - exiting."
+
+  if options[:debug]
+    $stderr.puts caller
+  end
+
+  exit!
+end
+
 #Run scan and output a report
 tracker = Brakeman.run options.merge(:print_report => true, :quiet => options[:quiet])
 

data/lib/brakeman/checks/base_check.rb

@@ -78,6 +78,18 @@ class Brakeman::BaseCheck < SexpProcessor
     exp
   end
 
+  def process_if exp
+    #This is to ignore user input in condition
+    current_user_input = @has_user_input
+    process exp[1]
+    @has_user_input = current_user_input
+
+    process exp[2] if sexp? exp[2]
+    process exp[3] if sexp? exp[3]
+
+    exp
+  end
+
   #Note that params are included in current expression
   def process_params exp
     @has_user_input = :params

data/lib/brakeman/checks/check_link_to.rb

@@ -42,13 +42,25 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
 
     @matched = false
 
-    return if call[3][1].nil?
+    #Skip if no arguments(?) or first argument is a hash
+    return if call[3][1].nil? or hash? call[3][1]
 
-    #Only check first argument for +link_to+, as the second
-    #will *usually* be a record or escaped.
-    first_arg = process call[3][1]
+    if version_between? "2.0.0", "2.2.99"
+      check_argument result, call[3][1]
 
-    type, match = has_immediate_user_input? first_arg
+      if call[3][2] and not  hash? call[3][2]
+        check_argument result, call[3][2]
+      end
+    elsif call[3][2]
+      #Only check first argument if there is a second argument
+      #in Rails 2.3.x
+      check_argument result, call[3][1]
+    end
+  end
+
+  def check_argument result, exp
+    arg = process exp
+    type, match = has_immediate_user_input? arg
 
     if type
       case type
@@ -65,7 +77,7 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
         :warning_type => "Cross Site Scripting", 
         :message => message,
         :confidence => CONFIDENCE[:high]
-    elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(first_arg)
+    elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(arg)
       method = match[2]
 
       unless IGNORE_MODEL_METHODS.include? method

data/lib/brakeman/checks/check_render.rb

@@ -29,30 +29,44 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
   def check_for_dynamic_path result
     view = result[:call][2]
 
-    if sexp? view and view.node_type != :str and view.node_type != :lit and not duplicate? result
-
+    if sexp? view and not duplicate? result
       add_result result
 
-      if include_user_input? view
+      type, match = has_immediate_user_input? view
+
+      if type
         confidence = CONFIDENCE[:high]
+      elsif type = include_user_input?(view)
+        if node_type? view, :string_interp, :dstr
+          confidence = CONFIDENCE[:med]
+        else
+          confidence = CONFIDENCE[:low]
+        end
       else
-        confidence = CONFIDENCE[:low]
+        return
       end
 
-      warning = { :warning_type => "Dynamic Render Path",
-        :message => "Render path is dynamic",
-        :line => result[:call].line,
-        :code => result[:call],
-        :confidence => confidence }
+      message = "Render path contains "
 
-      if result[:location][0] == :template
-        warning[:template] = result[:location][1]
+      case type
+      when :params
+        message << "parameter value"
+      when :cookies
+        message << "cookie value"
+      when :request
+        message << "request value"
+      when :model
+        #Skip models
+        return
       else
-        warning[:class] = result[:location][1]
-        warning[:method] = result[:location][2]
+        message << "user input value"
       end
 
-      warn warning
+
+      warn :result => result,
+        :warning_type => "Dynamic Render Path",
+        :message => message,
+        :confidence => confidence
     end
   end
 end 

data/lib/brakeman/checks/check_sql.rb

@@ -201,7 +201,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       true
     elsif call? target
       check_call target
-    elsif target == nil and tracker.options[:rails3] and method.to_s.match /^first|last|all|where|order|group|having$/
+    elsif target == nil and tracker.options[:rails3] and method.to_s.match(/^first|last|all|where|order|group|having$/)
       check_arguments args
     else
       false

data/lib/brakeman/options.rb

@@ -91,7 +91,7 @@ module Brakeman::Options
 
         opts.on "--skip-files file1,file2,etc", Array, "Skip processing of these files" do |files|
           options[:skip_files] ||= Set.new
-          options[:skip_files].merge files.map {|f| f.to_sym }
+          options[:skip_files].merge files
         end
 
         opts.on "--skip-libs", "Skip processing lib directory" do

data/lib/brakeman/processors/erubis_template_processor.rb

@@ -12,16 +12,22 @@ class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
     method = exp[2]
 
     #_buf is the default output variable for Erubis
-    if target and (target[1] == :_buf or target[1] == :output_buffer)
+    if target and (target[1] == :_buf or target[1] == :@output_buffer)
       if method == :<< or method == :safe_concat
         args = exp[3][1] = process(exp[3][1])
 
-        if args.node_type == :call and args[2] == :to_s #just calling to_s on inner code 
+        #We want the actual content
+        if args.node_type == :call and (args[2] == :to_s or args[2] == :html_safe!)
           args = args[1]
         end
 
         if args.node_type == :str #ignore plain strings
           ignore
+        elsif target[1] == :@output_buffer
+          s = Sexp.new :escaped_output, args
+          s.line(exp.line)
+          @current_template[:outputs] << s
+          s
         else
           s = Sexp.new :output, args
           s.line(exp.line)
@@ -31,7 +37,7 @@ class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
       elsif method == :to_s
         ignore
       else
-        abort "Unrecognized action on _buf: #{method}"
+        abort "Unrecognized action on buffer: #{method}"
       end
     elsif target == nil and method == :render
       exp[3] = process exp[3]

data/lib/brakeman/rescanner.rb

@@ -74,7 +74,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
     when :model
       rescan_model path
     when :lib
-      process_library path
+      process_lib path
     when :config
       process_config
     when :initializer

data/lib/brakeman/scanner.rb

@@ -1,7 +1,12 @@
 require 'rubygems'
 begin
-  #Load our own version of ruby_parser :'(
-  require 'ruby_parser/ruby_parser.rb'
+  if RUBY_VERSION =~ /^1\.9/
+    #Load our own version of ruby_parser :'(
+    require 'ruby_parser/ruby_parser.rb'
+  else
+    require 'ruby_parser'
+    require 'ruby_parser/bm_sexp.rb'
+  end
 
   require 'haml'
   require 'sass'
@@ -47,7 +52,7 @@ class Brakeman::Scanner
     if RUBY_1_9
       @ruby_parser = ::Ruby19Parser
     else
-      @ruby_parser = ::Ruby18Parser
+      @ruby_parser = ::RubyParser
     end
   end
 

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "1.5.1"
+  Version = "1.5.2"
 end

data/lib/ruby_parser/bm_sexp.rb

@@ -0,0 +1,112 @@
+#Sexp changes from ruby_parser
+#and some changes for caching hash value and tracking 'original' line number
+#of a Sexp.
+class Sexp
+  attr_reader :paren
+
+  def paren
+    @paren ||= false
+  end
+
+  def value
+    raise "multi item sexp" if size > 2
+    last
+  end
+
+  def to_sym
+    self.value.to_sym
+  end
+
+  alias :node_type :sexp_type
+  alias :values :sexp_body # TODO: retire
+
+  alias :old_init :initialize
+  alias :old_push :<<
+  alias :old_line :line
+  alias :old_line_set :line=
+  alias :old_file_set :file=
+  alias :old_comments_set :comments=
+  alias :old_compact :compact
+  alias :old_fara :find_and_replace_all
+  alias :old_find_node :find_node
+
+  def initialize *args
+    old_init(*args)
+    @original_line = nil
+    @my_hash_value = nil
+  end
+
+  def original_line line = nil
+    if line
+      @my_hash_value = nil
+      @original_line = line
+    else
+      @original_line
+    end
+  end
+
+  def hash
+    #There still seems to be some instances in which the hash of the
+    #Sexp changes, but I have not found what method call is doing it.
+    #Of course, Sexp is subclasses from Array, so who knows what might
+    #be going on.
+    @my_hash_value ||= super
+  end
+
+  def line *args
+    @my_hash_value = nil
+    old_line(*args)
+  end
+
+  def line= *args
+    @my_hash_value = nil
+    old_line_set(*args)
+  end
+
+  def file= *args
+    @my_hash_value = nil
+    old_file_set(*args)
+  end
+
+  def compact
+    @my_hash_value = nil
+    old_compact
+  end
+
+  def find_and_replace_all *args
+    @my_hash_value = nil
+    old_fara(*args)
+  end
+
+  def find_node *args
+    @my_hash_value = nil
+    old_find_node(*args)
+  end
+
+  def paren= arg
+    @my_hash_value = nil
+    @paren = arg
+  end
+
+  def comments= *args
+    @my_hash_value = nil
+    old_comments_set(*args)
+  end
+end
+
+#Invalidate hash cache if the Sexp changes
+[:[]=, :clear, :collect!, :compact!, :concat, :delete, :delete_at,
+  :delete_if, :drop, :drop_while, :fill, :flatten!, :replace, :insert,
+  :keep_if, :map!, :pop, :push, :reject!, :replace, :reverse!, :rotate!,
+  :select!, :shift, :shuffle!, :slice!, :sort!, :sort_by!, :transpose, 
+  :uniq!, :unshift].each do |method|
+
+  Sexp.class_eval <<-RUBY
+    def #{method} *args
+      @my_hash_value = nil
+      super
+    end
+    RUBY
+end
+
+

data/lib/ruby_parser/ruby_parser_extras.rb

@@ -1051,113 +1051,7 @@ class Symbol
   end
 end
 
-class Sexp
-  attr_reader :paren
-
-  def paren
-    @paren ||= false
-  end
-
-  def value
-    raise "multi item sexp" if size > 2
-    last
-  end
-
-  def to_sym
-    self.value.to_sym
-  end
-
-  alias :node_type :sexp_type
-  alias :values :sexp_body # TODO: retire
-
-  alias :old_init :initialize
-  alias :old_push :<<
-  alias :old_line :line
-  alias :old_line_set :line=
-  alias :old_file_set :file=
-  alias :old_comments_set :comments=
-  alias :old_compact :compact
-  alias :old_fara :find_and_replace_all
-  alias :old_find_node :find_node
-
-  def initialize *args
-    old_init *args
-    @original_line = nil
-    @my_hash_value = nil
-  end
-
-  def original_line line = nil
-    if line
-      @my_hash_value = nil
-      @original_line = line
-    else
-      @original_line
-    end
-  end
-
-  def hash
-    #There still seems to be some instances in which the hash of the
-    #Sexp changes, but I have not found what method call is doing it.
-    #Of course, Sexp is subclasses from Array, so who knows what might
-    #be going on.
-    @my_hash_value ||= super
-  end
-
-  def line *args
-    @my_hash_value = nil
-    old_line *args
-  end
-
-  def line= *args
-    @my_hash_value = nil
-    old_line_set *args
-  end
-
-  def file= *args
-    @my_hash_value = nil
-    old_file_set *args
-  end
-
-  def compact
-    @my_hash_value = nil
-    old_compact
-  end
-
-  def find_and_replace_all *args
-    @my_hash_value = nil
-    old_fara *args
-  end
-
-  def find_node *args
-    @my_hash_value = nil
-    old_find_node *args
-  end
-
-  def paren= arg
-    @my_hash_value = nil
-    @paren = arg
-  end
-
-  def comments= *args
-    @my_hash_value = nil
-    old_comments_set *args
-  end
-end
-
-#Invalidate hash cache if the Sexp changes
-[:[]=, :clear, :collect!, :compact!, :concat, :delete, :delete_at,
-  :delete_if, :drop, :drop_while, :fill, :flatten!, :replace, :insert,
-  :keep_if, :map!, :pop, :push, :reject!, :replace, :reverse!, :rotate!,
-  :select!, :shift, :shuffle!, :slice!, :sort!, :sort_by!, :transpose, 
-  :uniq!, :unshift].each do |method|
-
-  Sexp.class_eval <<-RUBY
-    def #{method} *args
-      @my_hash_value = nil
-      super
-    end
-    RUBY
-end
+require 'bm_sexp'
 
 # END HACK
 ############################################################

metadata

@@ -1,107 +1,141 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification 
 name: brakeman
-version: !ruby/object:Gem::Version
-  version: 1.5.1
+version: !ruby/object:Gem::Version 
+  hash: 7
   prerelease: 
+  segments: 
+  - 1
+  - 5
+  - 2
+  version: 1.5.2
 platform: ruby
-authors:
+authors: 
 - Justin Collins
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-03-06 00:00:00.000000000 Z
-dependencies:
-- !ruby/object:Gem::Dependency
+
+date: 2012-03-22 00:00:00 Z
+dependencies: 
+- !ruby/object:Gem::Dependency 
   name: activesupport
-  requirement: &72282300 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
   type: :runtime
-  prerelease: false
-  version_requirements: *72282300
-- !ruby/object:Gem::Dependency
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
   name: i18n
-  requirement: &72282080 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
   type: :runtime
-  prerelease: false
-  version_requirements: *72282080
-- !ruby/object:Gem::Dependency
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
   name: ruby2ruby
-  requirement: &72281550 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
+    requirements: 
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '1.2'
+      - !ruby/object:Gem::Version 
+        hash: 11
+        segments: 
+        - 1
+        - 2
+        version: "1.2"
   type: :runtime
-  prerelease: false
-  version_requirements: *72281550
-- !ruby/object:Gem::Dependency
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency 
   name: ruport
-  requirement: &72280450 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
+    requirements: 
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '1.6'
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 1
+        - 6
+        version: "1.6"
   type: :runtime
-  prerelease: false
-  version_requirements: *72280450
-- !ruby/object:Gem::Dependency
+  version_requirements: *id004
+- !ruby/object:Gem::Dependency 
   name: erubis
-  requirement: &72280190 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id005 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
+    requirements: 
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '2.6'
+      - !ruby/object:Gem::Version 
+        hash: 15
+        segments: 
+        - 2
+        - 6
+        version: "2.6"
   type: :runtime
-  prerelease: false
-  version_requirements: *72280190
-- !ruby/object:Gem::Dependency
+  version_requirements: *id005
+- !ruby/object:Gem::Dependency 
   name: haml
-  requirement: &72279750 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id006 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
+    requirements: 
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '3.0'
+      - !ruby/object:Gem::Version 
+        hash: 7
+        segments: 
+        - 3
+        - 0
+        version: "3.0"
   type: :runtime
-  prerelease: false
-  version_requirements: *72279750
-- !ruby/object:Gem::Dependency
+  version_requirements: *id006
+- !ruby/object:Gem::Dependency 
   name: sass
-  requirement: &72279400 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id007 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
+    requirements: 
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '3.0'
+      - !ruby/object:Gem::Version 
+        hash: 7
+        segments: 
+        - 3
+        - 0
+        version: "3.0"
   type: :runtime
-  prerelease: false
-  version_requirements: *72279400
-description: Brakeman detects security vulnerabilities in Ruby on Rails applications
-  via static analysis.
+  version_requirements: *id007
+description: Brakeman detects security vulnerabilities in Ruby on Rails applications via static analysis.
 email: 
-executables:
+executables: 
 - brakeman
 extensions: []
+
 extra_rdoc_files: []
-files:
+
+files: 
 - bin/brakeman
 - WARNING_TYPES
 - FEATURES
 - README.md
 - lib/ruby_parser/ruby18_parser.rb
 - lib/ruby_parser/ruby_parser_extras.rb
+- lib/ruby_parser/bm_sexp.rb
 - lib/ruby_parser/ruby_lexer.rb
 - lib/ruby_parser/ruby_parser.rb
 - lib/ruby_parser/ruby19_parser.rb
@@ -175,26 +209,36 @@ files:
 - lib/brakeman/format/style.css
 homepage: http://brakemanscanner.org
 licenses: []
+
 post_install_message: 
 rdoc_options: []
-require_paths:
+
+require_paths: 
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
+required_ruby_version: !ruby/object:Gem::Requirement 
   none: false
-  requirements:
-  - - ! '>='
-    - !ruby/object:Gem::Version
-      version: '0'
-required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
   none: false
-  requirements:
-  - - ! '>='
-    - !ruby/object:Gem::Version
-      version: '0'
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
 requirements: []
+
 rubyforge_project: 
 rubygems_version: 1.8.15
 signing_key: 
 specification_version: 3
 summary: Security vulnerability scanner for Ruby on Rails.
 test_files: []
+