brakeman 2.1.0 → 2.1.1

data/CHANGES

@@ -1,3 +1,14 @@
+# 2.1.1
+
+ * New warning code for dangerous attributes in attr_accessible
+ * Do not warn on attr_accessible using roles
+ * More accurate results for model attribute warnings
+ * Use exit code zero with `-z` if all warnings ignored
+ * Respect ignored warnings in rescans
+ * Ignore dynamic controller names in routes
+ * Fix infinite loop when run as rake task (Matthew Shanley)
+ * Respect ignored warnings in tabs format reports
+
 # 2.1.0
 
  * Support non-native line endings in Gemfile.lock (Paul Deardorff)

data/README.md

@@ -13,7 +13,7 @@ It works with Rails 2.x, 3.x, and 4.x.
 
 There is also a [plugin available](http://brakemanscanner.org/docs/jenkins/) for Jenkins/Hudson.
 
-For even more continuous testing, try the [Guard plugin](https://github.com/oreoshake/guard-brakeman).
+For even more continuous testing, try the [Guard plugin](https://github.com/guard/guard-brakeman).
 
 # Homepage/News
 

data/bin/brakeman

@@ -78,7 +78,7 @@ begin
     tracker = Brakeman.run options.merge(:print_report => true, :quiet => options[:quiet])
 
     #Return error code if --exit-on-warn is used and warnings were found
-    if options[:exit_on_warn] and not tracker.warnings.empty?
+    if options[:exit_on_warn] and not tracker.filtered_warnings.empty?
       exit Brakeman::Warnings_Found_Exit_Code
     end
   end

data/lib/brakeman.rb

@@ -153,7 +153,7 @@ module Brakeman
       end
     end
   end
-  
+
   def self.get_formats_from_output_format output_format
     case output_format
     when :html, :to_html
@@ -171,7 +171,7 @@ module Brakeman
     end
   end
   private_class_method :get_formats_from_output_format
-  
+
   def self.get_formats_from_output_files output_files
     output_files.map do |output_file|
       case output_file
@@ -196,7 +196,7 @@ module Brakeman
   def self.list_checks
     require 'brakeman/scanner'
     format_length = 30
-    
+
     $stderr.puts "Available Checks:"
     $stderr.puts "-" * format_length
     Checks.checks.each do |check|
@@ -307,7 +307,7 @@ module Brakeman
 
     tracker
   end
-  
+
   def self.write_report_to_files tracker, output_files
     output_files.each_with_index do |output_file, idx|
       File.open output_file, "w" do |f|
@@ -317,7 +317,7 @@ module Brakeman
     end
   end
   private_class_method :write_report_to_files
-  
+
   def self.write_report_to_formats tracker, output_formats
     output_formats.each do |output_format|
       puts tracker.report.format(output_format)
@@ -375,7 +375,7 @@ module Brakeman
     Brakeman::Differ.new(new_results, previous_results).diff
   end
 
-  def self.load_dependency name
+  def self.load_brakeman_dependency name
     return if @loaded_dependencies.include? name
 
     begin

data/lib/brakeman/checks/base_check.rb

@@ -364,7 +364,11 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       if @safe_input_attributes.include? method
         false
       elsif call? target and not method.to_s[-1,1] == "?"
-        has_immediate_model? target, out
+        if res = has_immediate_model?(target, out)
+          exp
+        else
+          false
+        end
       elsif model_name? target
         exp
       else
@@ -429,28 +433,6 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     end
   end
 
-  #Finds entire method call chain where +target+ is a target in the chain
-  def find_chain exp, target
-    return unless sexp? exp
-
-    case exp.node_type
-    when :output, :format
-      find_chain exp.value, target
-    when :call
-      if exp == target or include_target? exp, target
-        return exp
-      end
-    else
-      exp.each do |e|
-        if sexp? e
-          res = find_chain e, target
-          return res if res
-        end
-      end
-      nil
-    end
-  end
-
   #Returns true if +target+ is in +exp+
   def include_target? exp, target
     return false unless call? exp

data/lib/brakeman/checks/check_content_tag.rb

@@ -107,12 +107,10 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
         :link_path => "content_tag"
 
     elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(arg)
-      method = match[2]
-
-      unless IGNORE_MODEL_METHODS.include? method
+      unless IGNORE_MODEL_METHODS.include? match.method
         add_result result
 
-        if MODEL_METHODS.include? method or method.to_s =~ /^find_by/
+        if likely_model_attribute? match
           confidence = CONFIDENCE[:high]
         else
           confidence = CONFIDENCE[:med]

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -122,7 +122,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
       unless IGNORE_MODEL_METHODS.include? method
         add_result exp
 
-        if MODEL_METHODS.include? method or method.to_s =~ /^find_by/
+        if likely_model_attribute? match
           confidence = CONFIDENCE[:high]
         else
           confidence = CONFIDENCE[:med]
@@ -138,12 +138,17 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
           warning_code = :xss_to_json
         end
 
-        code = find_chain out, match
+        code = if match == out
+                 nil
+               else
+                 match
+               end
+
         warn :template => @current_template,
           :warning_type => "Cross Site Scripting",
           :warning_code => warning_code,
           :message => message,
-          :code => code,
+          :code => match,
           :confidence => confidence,
           :link_path => link_path
       end
@@ -153,6 +158,19 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
     end
   end
 
+  #Call already involves a model, but might not be acting on a record
+  def likely_model_attribute? exp
+    return false unless call? exp
+
+    method = exp.method
+
+    if MODEL_METHODS.include? method or method.to_s.start_with? "find_by_"
+      true
+    else
+      likely_model_attribute? exp.target
+    end
+  end
+
   #Process an output Sexp
   def process_output exp
     process exp.value.dup

data/lib/brakeman/checks/check_link_to.rb

@@ -82,7 +82,7 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
     return false if IGNORE_MODEL_METHODS.include? method
 
     confidence = CONFIDENCE[:med]
-    confidence = CONFIDENCE[:high] if MODEL_METHODS.include? method or method.to_s =~ /^find_by/
+    confidence = CONFIDENCE[:high] if likely_model_attribute? match
     warn_xss(result, "Unescaped model attribute in link_to", match, confidence)
   end
 

data/lib/brakeman/checks/check_model_attr_accessible.rb

@@ -1,42 +1,49 @@
 require 'brakeman/checks/base_check'
 
-# Author: Paul Deardorff (themetric) 
-# Checks models to see if important foreign keys 
-# or attributes are exposed as attr_accessible when 
-# they probably shouldn't be. 
+# Author: Paul Deardorff (themetric)
+# Checks models to see if important foreign keys
+# or attributes are exposed as attr_accessible when
+# they probably shouldn't be.
 
 class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
   @description = "Reports models which have dangerous attributes defined under the attr_accessible whitelist."
 
-  SUSP_ATTRS = {
-    /admin/ => CONFIDENCE[:high], # Very dangerous unless some Rails authorization used 
-    /role/ => CONFIDENCE[:med],   
-    /banned/ => CONFIDENCE[:med], 
-    :account_id => CONFIDENCE[:high], 
-    /\S*_id(s?)\z/ => CONFIDENCE[:low] # All other foreign keys have weak/low confidence 
-  }
+  SUSP_ATTRS = [
+    [/admin/, CONFIDENCE[:high]], # Very dangerous unless some Rails authorization used
+    [/role/, CONFIDENCE[:med]],
+    [/banned/, CONFIDENCE[:med]],
+    [:account_id, CONFIDENCE[:high]],
+    [/\S*_id(s?)\z/, CONFIDENCE[:low]] # All other foreign keys have weak/low confidence
+  ]
 
   def run_check
     check_models do |name, model|
-      accessible_attrs = model[:attr_accessible]
-      accessible_attrs.each do |attribute|
+      model[:attr_accessible].each do |attribute|
+        next if role_limited? model, attribute
+
         SUSP_ATTRS.each do |susp_attr, confidence|
-            if susp_attr.is_a?(Regexp) and susp_attr =~ attribute.to_s or susp_attr == attribute 
-              warn :model => name,    
-                :file => model[:file],                          
-                :warning_type => "Mass Assignment", 
-                :warning_code => :mass_assign_call,
-                :message => "Potentially dangerous attribute #{attribute} available for mass assignment.", 
-                :confidence => confidence 
-              break # Prevent from matching single attr multiple times
-            end 
-        end         
-      end 
+          if susp_attr.is_a?(Regexp) and susp_attr =~ attribute.to_s or susp_attr == attribute
+            warn :model => name,
+              :file => model[:file],
+              :warning_type => "Mass Assignment",
+              :warning_code => :dangerous_attr_accessible,
+              :message => "Potentially dangerous attribute #{attribute} available for mass assignment.",
+              :confidence => confidence
+            break # Prevent from matching single attr multiple times
+          end
+        end
+      end
     end
   end
 
+  def role_limited? model, attribute
+    role_accessible = model[:options][:role_accessible]
+    return if role_accessible.nil?
+    role_accessible.include? attribute
+  end
+
   def check_models
     tracker.models.each do |name, model|
       if !model[:attr_accessible].nil?
@@ -44,5 +51,4 @@ class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
       end
     end
   end
- 
 end

data/lib/brakeman/parsers/rails2_erubis.rb

@@ -1,4 +1,4 @@
-Brakeman.load_dependency 'erubis'
+Brakeman.load_brakeman_dependency 'erubis'
 
 #Erubis processor which ignores any output which is plain text.
 class Brakeman::ScannerErubis < Erubis::Eruby

data/lib/brakeman/parsers/rails2_xss_plugin_erubis.rb

@@ -1,4 +1,4 @@
-Brakeman.load_dependency 'erubis'
+Brakeman.load_brakeman_dependency 'erubis'
 
 #This is from the rails_xss plugin for Rails 2
 class Brakeman::Rails2XSSPluginErubis < ::Erubis::Eruby

data/lib/brakeman/parsers/rails3_erubis.rb

@@ -1,4 +1,4 @@
-Brakeman.load_dependency 'erubis'
+Brakeman.load_brakeman_dependency 'erubis'
 
 #This is from Rails 3 version of the Erubis handler
 class Brakeman::Rails3Erubis < ::Erubis::Eruby

data/lib/brakeman/processors/lib/rails3_route_processor.rb

@@ -255,13 +255,16 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
   end
 
   def process_controller_block exp
-    self.current_controller = exp.block_call.first_arg.value
+    if string? exp or symbol? exp
+      self.current_controller = exp.block_call.first_arg.value
 
-    in_controller_block do
-      process exp[-1] if exp[-1]
+      in_controller_block do
+        process exp[-1] if exp[-1]
+      end
+
+      @current_controller = nil
     end
 
-    @current_controller = nil
     exp
   end
 

data/lib/brakeman/processors/model_processor.rb

@@ -85,6 +85,9 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
           exp.each_arg do |e|
             if node_type? e, :lit
               args << e.value
+            elsif hash? e
+              @model[:options][:role_accessible] ||= []
+              @model[:options][:role_accessible].concat args
             end
           end
 

data/lib/brakeman/report/ignore/interactive.rb

@@ -1,4 +1,4 @@
-Brakeman.load_dependency 'highline'
+Brakeman.load_brakeman_dependency 'highline'
 
 module Brakeman
   class InteractiveIgnorer

data/lib/brakeman/report/report_csv.rb

@@ -1,4 +1,4 @@
-Brakeman.load_dependency 'csv'
+Brakeman.load_brakeman_dependency 'csv'
 require "brakeman/report/initializers/faster_csv"
 require "brakeman/report/report_table"
 

data/lib/brakeman/report/report_json.rb

@@ -1,4 +1,4 @@
-Brakeman.load_dependency 'multi_json'
+Brakeman.load_brakeman_dependency 'multi_json'
 require 'brakeman/report/initializers/multi_json'
 
 class Brakeman::Report::JSON < Brakeman::Report::Base

data/lib/brakeman/report/report_table.rb

@@ -1,4 +1,4 @@
-Brakeman.load_dependency 'terminal-table'
+Brakeman.load_brakeman_dependency 'terminal-table'
 
 class Brakeman::Report::Table < Brakeman::Report::Base
   def generate_report

data/lib/brakeman/report/report_tabs.rb

@@ -2,10 +2,10 @@
 #https://github.com/presidentbeef/brakeman-jenkins-plugin
 class Brakeman::Report::Tabs < Brakeman::Report::Base
   def generate_report
-    [[:warnings, "General"], [:controller_warnings, "Controller"],
+    [[:generic_warnings, "General"], [:controller_warnings, "Controller"],
       [:model_warnings, "Model"], [:template_warnings, "Template"]].map do |meth, category|
 
-      checks.send(meth).map do |w|
+      self.send(meth).map do |w|
         line = w.line || 0
         w.warning_type.gsub!(/[^\w\s]/, ' ')
         "#{warning_file(w, :absolute)}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{TEXT_CONFIDENCE[w.confidence]}"

data/lib/brakeman/rescanner.rb

@@ -1,6 +1,7 @@
 require 'brakeman/scanner'
 require 'terminal-table'
 require 'brakeman/util'
+require 'brakeman/differ'
 
 #Class for rescanning changed files after an initial scan
 class Brakeman::Rescanner < Brakeman::Scanner
@@ -13,7 +14,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
     super(options, processor)
 
     @paths = changed_files.map {|f| @app_tree.expand_path(f) }
-    @old_results = tracker.checks  #Old warnings from previous scan
+    @old_results = tracker.filtered_warnings  #Old warnings from previous scan
     @changes = nil                 #True if files had to be rescanned
     @reindex = Set.new
   end
@@ -367,7 +368,6 @@ class Brakeman::RescanReport
   def initialize old_results, tracker
     @tracker = tracker
     @old_results = old_results
-    @new_results = tracker.checks
     @all_warnings = nil
     @diff = nil
   end
@@ -379,7 +379,7 @@ class Brakeman::RescanReport
 
   #Returns an array of all warnings found
   def all_warnings
-    @all_warnings ||= new_results.all_warnings
+    @all_warnings ||= @tracker.filtered_warnings
   end
 
   #Returns an array of warnings which were in the old report but are not in the
@@ -401,7 +401,7 @@ class Brakeman::RescanReport
 
   #Returns a hash of arrays for :new and :fixed warnings
   def diff
-    @diff ||= @new_results.diff(@old_results)
+    @diff ||= Brakeman::Differ.new(all_warnings, @old_results).diff
   end
 
   #Returns an array of warnings which were in the old report and the new report

data/lib/brakeman/scanner.rb

@@ -282,14 +282,14 @@ class Brakeman::Scanner
 
         parsed = parse_ruby src
       elsif type == :haml
-        Brakeman.load_dependency 'haml'
-        Brakeman.load_dependency 'sass'
+        Brakeman.load_brakeman_dependency 'haml'
+        Brakeman.load_brakeman_dependency 'sass'
 
         src = Haml::Engine.new(text,
                                :escape_html => !!tracker.config[:escape_html]).precompiled
         parsed = parse_ruby src
       elsif type == :slim
-        Brakeman.load_dependency 'slim'
+        Brakeman.load_brakeman_dependency 'slim'
 
         src = Slim::Template.new(:disable_capture => true,
                                  :generator => Temple::Generators::RailsOutputBuffer) { text }.precompiled_template

data/lib/brakeman/tracker.rb

@@ -156,6 +156,16 @@ class Brakeman::Tracker
     self.checks.all_warnings
   end
 
+  def filtered_warnings
+    if self.ignored_filter
+      self.warnings.reject do |w|
+        self.ignored_filter.ignored? w
+      end
+    else
+      self.warnings
+    end
+  end
+
   def index_call_sites
     finder = Brakeman::FindAllCalls.new self
 

data/lib/brakeman/util.rb

@@ -385,7 +385,7 @@ module Brakeman::Util
 
   def truncate_table str
     @terminal_width ||= if $stdin && $stdin.tty?
-                          Brakeman.load_dependency 'highline'
+                          Brakeman.load_brakeman_dependency 'highline'
                           ::HighLine.new.terminal_size[0]
                         else
                           80
@@ -403,7 +403,7 @@ module Brakeman::Util
 
   # rely on Terminal::Table to build the structure, extract the data out in CSV format
   def table_to_csv table
-    Brakeman.load_dependency 'terminal-table'
+    Brakeman.load_brakeman_dependency 'terminal-table'
     output = CSV.generate_line(table.headings.cells.map{|cell| cell.to_s.strip})
     table.rows.each do |row|
       output << CSV.generate_line(row.cells.map{|cell| cell.to_s.strip})

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "2.1.0"
+  Version = "2.1.1"
 end

data/lib/brakeman/warning_codes.rb

@@ -59,7 +59,8 @@ module Brakeman::WarningCodes
     :CVE_2013_1855 => 56,
     :CVE_2013_1856 => 57,
     :CVE_2013_1857 => 58,
-    :unsafe_symbol_creation => 59
+    :unsafe_symbol_creation => 59,
+    :dangerous_attr_accessible => 60
   }
 
   def self.code name

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: brakeman
 version: !ruby/object:Gem::Version 
-  hash: 11
+  hash: 9
   prerelease: 
   segments: 
   - 2
   - 1
-  - 0
-  version: 2.1.0
+  - 1
+  version: 2.1.1
 platform: ruby
 authors: 
 - Justin Collins
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2013-07-17 00:00:00 Z
+date: 2013-08-21 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: ruby_parser