brakeman 1.8.0 → 1.8.1

data/lib/brakeman.rb

@@ -74,7 +74,7 @@ module Brakeman
 
     if File.exist? app_path + "/script/rails"
       options[:rails3] = true
-      notify "[Notice] Detected Rails 3 application"
+      notify "[Notice] Detected Rails 3 application" unless options[:quiet]
     end
 
     options

data/lib/brakeman/checks/base_check.rb

@@ -428,17 +428,17 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     high_version = high_version.split(".").map! { |n| n.to_i }
 
     version.each_with_index do |v, i|
-      if v < low_version[i]
+      if v < low_version.fetch(i, 0)
         return false
-      elsif v > low_version[i]
+      elsif v > low_version.fetch(i, 0)
         break
       end
     end
 
     version.each_with_index do |v, i|
-      if v > high_version[i]
+      if v > high_version.fetch(i, 0)
         return false
-      elsif v < high_version[i]
+      elsif v < high_version.fetch(i, 0)
         break
       end
     end

data/lib/brakeman/checks/check_mail_to.rb

@@ -23,7 +23,8 @@ class Brakeman::CheckMailTo < Brakeman::BaseCheck
         :warning_type => "Mail Link",
         :message => message,
         :confidence => CONFIDENCE[:high],
-        :file => gemfile_or_environment
+        :file => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/8CpI7egxX4E/discussion"
     end
   end
 
@@ -33,13 +34,10 @@ class Brakeman::CheckMailTo < Brakeman::BaseCheck
     Brakeman.debug "Checking calls to mail_to for javascript encoding"
 
     tracker.find_call(:target => false, :method => :mail_to).each do |result|
-      call = result[:call]
-      args = call.args
-
-      args.each do |arg|
+      result[:call].arglist.each do |arg|
         if hash? arg
-          if hash_access(arg, :javascript)
-            return result
+          if option = hash_access(arg, :encode)
+            return result if symbol? option and option.value == :javascript
           end
         end
       end

data/lib/brakeman/checks/check_redirect.rb

@@ -59,6 +59,10 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
     args = call.args
     first_arg = call.first_arg
 
+    # if the first argument is an array, rails assumes you are building a
+    # polymorphic route, which will never jump off-host
+    return false if array? first_arg
+
     if tracker.options[:ignore_redirect_to_model] and call? first_arg and
       (@model_find_calls.include? first_arg.method or first_arg.method.to_s.match(/^find_by_/)) and
       model_name? first_arg.target

data/lib/brakeman/checks/check_select_vulnerability.rb

@@ -15,7 +15,7 @@ class Brakeman::CheckSelectVulnerability < Brakeman::BaseCheck
       suggested_version = "3.1.4"
     elsif version_between? "3.2.0", "3.2.1"
       suggested_version = "3.2.2"
-    elsif version_between? "2.0.0", "3.0.0"
+    elsif version_between? "2.0.0", "2.3.14"
       suggested_version = "3 or use options_for_select"
     else
       return

data/lib/brakeman/checks/check_sql.rb

@@ -90,7 +90,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   end
 
   def check_rails_version_for_cve_2012_2660
-    if version_between?("2.0.0", "3.0.0") || version_between?("3.0.0", "3.0.12") || version_between?("3.1.0", "3.1.4") || version_between?("3.2.0", "3.2.3")
+    if version_between?("2.0.0", "2.3.14") || version_between?("3.0.0", "3.0.12") || version_between?("3.1.0", "3.1.4") || version_between?("3.2.0", "3.2.3")
       warn :warning_type => 'SQL Injection',
         :message => 'All versions of Rails before 3.0.13, 3.1.5, and 3.2.5 contain a SQL Query Generation Vulnerability: CVE-2012-2660; Upgrade to 3.2.5, 3.1.5, 3.0.13',
         :confidence => CONFIDENCE[:high],
@@ -110,7 +110,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   end
 
   def check_rails_version_for_cve_2012_2695
-    if version_between?("2.0.0", "3.0.0") || version_between?("3.0.0", "3.0.13") || version_between?("3.1.0", "3.1.5") || version_between?("3.2.0", "3.2.5")
+    if version_between?("2.0.0", "2.3.14") || version_between?("3.0.0", "3.0.13") || version_between?("3.1.0", "3.1.5") || version_between?("3.2.0", "3.2.5")
       warn :warning_type => 'SQL Injection',
         :message => 'All versions of Rails before 3.0.14, 3.1.6, and 3.2.6 contain SQL Injection Vulnerabilities: CVE-2012-2694 and CVE-2012-2695; Upgrade to 3.2.6, 3.1.6, 3.0.14',
         :confidence => CONFIDENCE[:high],

data/lib/brakeman/processors/alias_processor.rb

@@ -450,11 +450,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   #
   #Returns the value inside the array, if possible.
   def process_array_access target, args
-    if args.length == 1 and integer? args[0]
-      index = args[0][1]
+    if args.length == 1 and integer? args.first
+      index = args.first.value
 
       #Have to do this because first element is :array and we have to skip it
-      target[1..-1][index + 1]
+      target[1..-1][index]
     else
       nil
     end

data/lib/brakeman/processors/haml_template_processor.rb

@@ -29,16 +29,15 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
 
     method = exp.method
 
-    if (call? target and target.method == :_hamlout) or target == :_hamlout
+    if (call? target and target.method == :_hamlout)
       res = case method
             when :adjust_tabs, :rstrip!, :attributes #Check attributes, maybe?
               ignore
-            when :options
-              Sexp.new :call, :_hamlout, :options, exp.arglist
-            when :buffer
-              Sexp.new :call, :_hamlout, :buffer, exp.arglist
+            when :options, :buffer
+              exp
             when :open_tag
-              Sexp.new(:tag, process(exp.arglist))
+              process(exp.arglist)
+              exp
             else
               arg = exp.first_arg
 

data/lib/brakeman/processors/output_processor.rb

@@ -10,7 +10,7 @@ class Brakeman::OutputProcessor < Ruby2Ruby
 
   #Copies +exp+ and then formats it.
   def format exp
-    process exp.deep_clone
+    process(exp.deep_clone) || "[Format Error]"
   end
 
   alias process_safely format
@@ -23,36 +23,6 @@ class Brakeman::OutputProcessor < Ruby2Ruby
     end
   end
 
-  def process_call exp
-    if exp[0].is_a? Symbol
-      target = exp[0]
-
-      method = exp[1]
-
-      args = process exp[2]
-
-      out = nil
-
-      if method == :[]
-        if target
-          out = "#{target}[#{args}]"
-        else
-          raise Exception.new("Not sure what to do with access and no target: #{exp}")
-        end
-      else
-        if target
-          out = "#{target}.#{method}(#{args})"
-        else
-          out = "#{method}(#{args})"
-        end
-      end
-      exp.clear
-      out
-    else
-      super exp
-    end
-  end
-
   def process_lvar exp
     out = "(local #{exp[0]})"
     exp.clear

data/lib/brakeman/rescanner.rb

@@ -117,7 +117,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
       if controller[:file] == path
         tracker.templates.keys.each do |template_name|
           if template_name.to_s.match /(.+)\.#{name}#/
-            tracker.templates.delete template_name
+            tracker.reset_template template_name
           end
         end
 
@@ -222,7 +222,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
         #Remove templates rendered from this controller
         tracker.templates.keys.each do |template_name|
           if template_name.to_s.match template_matcher
-            tracker.templates.delete template_name
+            tracker.reset_template template_name
           end
         end
 

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "1.8.0"
+  Version = "1.8.1"
 end

data/lib/ruby_parser/bm_sexp.rb

@@ -35,12 +35,26 @@ class Sexp
     self[0] = type
   end
 
+  #Don't use this, please.
+  #:nodoc:
   def resbody delete = false
-    #RubyParser relies on method_missing for this, but since we don't want to use
-    #method_missing, here's a real method.
+    #RubyParser and Ruby2Ruby rely on method_missing for this, but since we
+    #don't want to use method_missing, here's a real method.
     find_node :resbody, delete
   end
 
+  #Don't use this, please.
+  #:nodoc:
+  def lasgn delete = false
+    find_node :lasgn, delete
+  end
+
+  #Don't use this, please.
+  #:nodoc:
+  def iasgn delete = false
+    find_node :iasgn, delete
+  end
+
   alias :node_type :sexp_type
   alias :values :sexp_body # TODO: retire
 
@@ -147,8 +161,14 @@ class Sexp
   #s(:call, s(:call, nil, :x, s(:arglist)), :y, s(:arglist, s(:lit, 1)))
   #                        ^- method
   def method
-    expect :call, :attrasgn
-    self[2]
+    expect :call, :attrasgn, :super, :zsuper
+
+    case self.node_type
+    when :call, :attrasgn
+      self[2]
+    when :super, :zsuper
+      :super
+    end
   end
 
   #Sets the arglist in a method call.
@@ -165,8 +185,18 @@ class Sexp
   #    s(:call, s(:call, nil, :x, s(:arglist)), :y, s(:arglist, s(:lit, 1), s(:lit, 2)))
   #                                                 ^------------ arglist ------------^
   def arglist
-    expect :call, :attrasgn
-    self[3]
+    expect :call, :attrasgn, :super, :zsuper
+
+    case self.node_type
+    when :call, :attrasgn
+      self[3]
+    when :super, :zsuper
+      if self[1]
+        Sexp.new(:arglist).concat self[1..-1]
+      else
+        Sexp.new(:arglist)
+      end
+    end
 
     #For new ruby_parser
     #Sexp.new(:arglist, *self[3..-1])
@@ -177,7 +207,7 @@ class Sexp
   #    s(:call, s(:call, nil, :x, s(:arglist)), :y, s(:arglist, s(:lit, 1), s(:lit, 2)))
   #                                                             ^--------args--------^
   def args
-    expect :call, :attrasgn
+    expect :call, :attrasgn, :super, :zsuper
     #For new ruby_parser
     #if self[3]
     #  self[3..-1]
@@ -185,11 +215,20 @@ class Sexp
     #  []
     #end
 
-    #For old ruby_parser
-    if self[3]
-      self[3][1..-1]
-    else
-      []
+    case self.node_type
+    when :call, :attrasgn
+      #For old ruby_parser
+      if self[3]
+        self[3][1..-1]
+      else
+        []
+      end
+    when :super, :zsuper
+      if self[1]
+        self[1..-1]
+      else
+        []
+      end
     end
   end
 
@@ -279,13 +318,16 @@ class Sexp
   #       s(:block, s(:lvar, :y), s(:call, nil, :z, s(:arglist))))
   #       ^-------------------- block --------------------------^
   def block
-    expect :iter, :call_with_block, :scope
+    expect :iter, :call_with_block, :scope, :resbody
 
     case self.node_type
     when :iter, :call_with_block
       self[3]
     when :scope
       self[1]
+    when :resbody
+      #This is for Ruby2Ruby ONLY
+      find_node :block
     end
   end
 
@@ -345,7 +387,7 @@ class Sexp
   #Sets body
   def body= exp
     expect :defn, :defs, :methdef, :selfdef, :class, :module
-    
+
     case self.node_type
     when :defn, :methdef, :class
       self[3] = exp
@@ -392,7 +434,7 @@ end
 [:[]=, :clear, :collect!, :compact!, :concat, :delete, :delete_at,
   :delete_if, :drop, :drop_while, :fill, :flatten!, :replace, :insert,
   :keep_if, :map!, :pop, :push, :reject!, :replace, :reverse!, :rotate!,
-  :select!, :shift, :shuffle!, :slice!, :sort!, :sort_by!, :transpose, 
+  :select!, :shift, :shuffle!, :slice!, :sort!, :sort_by!, :transpose,
   :uniq!, :unshift].each do |method|
 
   Sexp.class_eval <<-RUBY

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: brakeman
 version: !ruby/object:Gem::Version 
-  hash: 55
+  hash: 53
   prerelease: 
   segments: 
   - 1
   - 8
-  - 0
-  version: 1.8.0
+  - 1
+  version: 1.8.1
 platform: ruby
 authors: 
 - Justin Collins
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2012-09-05 00:00:00 Z
+date: 2012-09-24 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: activesupport