brakeman 2.6.1 → 2.6.2

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    NTdlNDlhNGRkMDhlNWQ5NGNlYWZlOWI2NTI5ZWI4NjBlZGU4YzBmNg==
+  data.tar.gz: !binary |-
+    YTliNDliZjhkYmZjNzNkNmY0M2QxY2UxOGNiMGQ3NTQ1YWVkMjg5ZA==
+SHA512:
+  metadata.gz: !binary |-
+    NmU3Yzc2NmQxYTM2NzZlZDA2YWZmYjExYTczOTZkYjdiMmI2ZDFiN2FjNDUy
+    NjVmMjYyODk0ZmRhNmIxNzEzNTZmNjE1MmFjNjE2ZTA5N2VkZjEwNDA3OTQ3
+    OGE1YWQ4MjE5MzFhMzIxZGVjNjMyODc3NDgxY2IxYzhhOWRkMTM=
+  data.tar.gz: !binary |-
+    YjgwZmI1N2NiOGIxNGJiODgyZTU2NjJhZDRlN2QzOWZhN2JhZDU1NTE1ZGY2
+    ZTE2MDY1MDU3M2MzY2M0MzM1MTM5NWM4NmM3YjZiZDQzNjg4OGUyYTVlYjM3
+    N2E2MjI1MGViNjY3MjkwYzZiYWUyODYwZGYyMzljODkzZjExMmE=

data/CHANGES

@@ -1,3 +1,17 @@
+# 2.6.2 
+
+* Add check for CVE-2014-3415
+* Avoid warning about symbolizing safe parameters
+* Update ruby2ruby dependency to 2.1.1
+* Expand app path in one place instead of all over (Jeff Rafter)
+* Add `--add-checks-path` option for external checks (Clint Gibler)
+* Fix SQL injection detection in deep nested string building
+* Add `-4` option to force Rails 4 mode
+* Check entire call for `send`
+* Check for .gitignore of secrets in subdirectories
+* Fix block statment endings in Erubis
+* Fix undefined variable in controller processing error (Jason Barnabe) 
+
 # 2.6.1
 
 * Add check for CVE-2014-3482 and CVE-2014-3483

data/bin/brakeman

@@ -17,7 +17,7 @@ end
 
 #Exit early for these options
 if options[:list_checks]
-  Brakeman.list_checks
+  Brakeman.list_checks options
   exit
 elsif options[:create_config]
   Brakeman.dump_config options
@@ -36,9 +36,9 @@ end
 #Set application path according to the commandline arguments
 unless options[:app_path]
   if ARGV[-1].nil?
-    options[:app_path] = File.expand_path "."
+    options[:app_path] = "."
   else
-    options[:app_path] = File.expand_path ARGV[-1]
+    options[:app_path] = ARGV[-1]
   end
 end
 

data/lib/brakeman.rb

@@ -76,7 +76,6 @@ module Brakeman
       options[:quiet] = true
     end
 
-    options[:app_path] = File.expand_path(options[:app_path])
     options[:output_formats] = get_output_formats options
     options[:github_url] = get_github_url options
 
@@ -215,8 +214,11 @@ module Brakeman
   private_class_method :get_github_url
 
   #Output list of checks (for `-k` option)
-  def self.list_checks
+  def self.list_checks options
     require 'brakeman/scanner'
+
+    add_external_checks options
+
     format_length = 30
 
     $stderr.puts "Available Checks:"
@@ -301,11 +303,14 @@ module Brakeman
       raise NoBrakemanError, "Cannot find lib/ directory."
     end
 
+    add_external_checks options
+
     #Start scanning
     scanner = Scanner.new options
+    tracker = scanner.tracker
 
-    notify "Processing application in #{options[:app_path]}"
-    tracker = scanner.process
+    notify "Processing application in #{tracker.app_path}"
+    scanner.process
 
     if options[:parallel_checks]
       notify "Running checks in parallel..."
@@ -383,6 +388,8 @@ module Brakeman
     require 'brakeman/differ'
     raise ArgumentError.new("Comparison file doesn't exist") unless File.exists? options[:previous_results_json]
 
+    add_external_checks options
+
     begin
       previous_results = MultiJson.load(File.read(options[:previous_results_json]), :symbolize_keys => true)[:warnings]
     rescue MultiJson::DecodeError
@@ -437,6 +444,12 @@ module Brakeman
     tracker.ignored_filter = config
   end
 
+  def self.add_external_checks options
+    options[:additional_checks_path].each do |path|
+      Brakeman::Checks.initialize_checks path
+    end if options[:additional_checks_path]
+  end
+
   class DependencyError < RuntimeError; end
   class RakeInstallError < RuntimeError; end
   class NoBrakemanError < RuntimeError; end

data/lib/brakeman/app_tree.rb

@@ -5,7 +5,7 @@ module Brakeman
     attr_reader :root
 
     def self.from_options(options)
-      root = options[:app_path]
+      root = File.expand_path options[:app_path]
 
       # Convert files into Regexp for matching
       init_options = {}

data/lib/brakeman/checks.rb

@@ -13,13 +13,20 @@ class Brakeman::Checks
 
   #Add a check. This will call +_klass_.new+ when running tests
   def self.add klass
-    @checks << klass
+    @checks << klass unless @checks.include? klass
   end
 
   def self.checks
     @checks
   end
 
+  def self.initialize_checks check_directory = ""
+    #Load all files in check_directory
+    Dir.glob(File.join(check_directory, "*.rb")).sort.each do |f|
+      require f
+    end
+  end
+
   #No need to use this directly.
   def initialize options = { }
     if options[:min_confidence]

data/lib/brakeman/checks/base_check.rb

@@ -177,7 +177,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       tracker.config[:rails][:active_record][:whitelist_attributes] == Sexp.new(:true)
 
       @mass_assign_disabled = true
-    elsif version_between?("4.0.0", "4.9.9") && (!tracker.config[:gems][:protected_attributes] || (tracker.config[:rails][:active_record] &&
+    elsif tracker.options[:rails4] && (!tracker.config[:gems][:protected_attributes] || (tracker.config[:rails][:active_record] &&
             tracker.config[:rails][:active_record][:whitelist_attributes] == Sexp.new(:true)))
 
       @mass_assign_disabled = true
@@ -481,7 +481,6 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   end
 
   def lts_version? version
-    tracker.config[:gems] and
     tracker.config[:gems][:'railslts-version'] and
     version_between? version, "2.3.18.99", tracker.config[:gems][:'railslts-version']
   end

data/lib/brakeman/checks/check_create_with.rb

@@ -0,0 +1,75 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckCreateWith < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for strong params bypass in CVE-2014-3514"
+
+  def run_check
+    @warned = false
+
+    if version_between? "4.0.0", "4.0.8"
+      suggested_version = "4.0.9"
+    elsif version_between? "4.1.0", "4.1.4"
+      suggested_version = "4.1.5"
+    else
+      return
+    end
+
+    @message = "create_with is vulnerable to strong params bypass. Upgrade to Rails #{suggested_version} or patch"
+
+    tracker.find_call(:method => :create_with, :nested => true).each do |result|
+      process_result result
+    end
+
+    generic_warning unless @warned
+  end
+
+  def process_result result
+    return if duplicate? result
+    add_result result
+    arg = result[:call].first_arg
+
+    confidence = danger_level arg
+
+    if confidence
+      @warned = true
+
+      warn :warning_type => "Mass Assignment",
+        :warning_code => :CVE_2014_3514_call,
+        :result => result,
+        :message => @message,
+        :confidence => confidence,
+        :link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"
+    end
+  end
+
+  #For a given create_with call, set confidence level.
+  #Ignore calls that use permit()
+  def danger_level exp
+    return unless sexp? exp
+
+    if call? exp and exp.method == :permit
+      nil
+    elsif request_value? exp
+      CONFIDENCE[:high]
+    elsif hash? exp
+      nil
+    elsif has_immediate_user_input?(exp)
+      CONFIDENCE[:high]
+    elsif include_user_input? exp
+      CONFIDENCE[:med]
+    else
+      CONFIDENCE[:low]
+    end
+  end
+
+  def generic_warning
+      warn :warning_type => "Mass Assignment",
+        :warning_code => :CVE_2014_3514,
+        :message => @message,
+        :file => gemfile_or_environment,
+        :confidence => CONFIDENCE[:med],
+        :link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"
+  end
+end

data/lib/brakeman/checks/check_default_routes.rb

@@ -22,7 +22,7 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
         :message => "All public methods in controllers are available as actions in routes.rb",
         :line => tracker.routes[:allow_all_actions].line,
         :confidence => CONFIDENCE[:high],
-        :file => "#{tracker.options[:app_path]}/config/routes.rb"
+        :file => "#{tracker.app_path}/config/routes.rb"
     end
   end
 
@@ -44,7 +44,7 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
           :message => "Any public method in #{name} can be used as an action for #{verb} requests.",
           :line => actions[2],
           :confidence => CONFIDENCE[:med],
-          :file => "#{tracker.options[:app_path]}/config/routes.rb"
+          :file => "#{tracker.app_path}/config/routes.rb"
       end
     end
   end
@@ -76,7 +76,7 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
       :warning_code => :CVE_2014_0130,
       :message => "Rails #{tracker.config[:rails_version]} with globbing routes is vulnerable to directory traversal and remote code execution. Patch or upgrade to #{upgrade}",
       :confidence => confidence,
-      :file => "#{tracker.options[:app_path]}/config/routes.rb",
+      :file => "#{tracker.app_path}/config/routes.rb",
       :link => "http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf"
   end
 

data/lib/brakeman/checks/check_i18n_xss.rb

@@ -9,7 +9,7 @@ class Brakeman::CheckI18nXSS < Brakeman::BaseCheck
     if (version_between? "3.0.6", "3.2.15" or version_between? "4.0.0", "4.0.1") and not has_workaround?
       message = "Rails #{tracker.config[:rails_version]} has an XSS vulnerability in i18n (CVE-2013-4491). Upgrade to Rails version "
 
-      i18n_gem = tracker.config[:gems] && tracker.config[:gems][:i18n]
+      i18n_gem = tracker.config[:gems][:i18n]
 
       if version_between? "3.0.6", "3.1.99" and version_before i18n_gem, "0.5.1"
         message << "3.2.16 or i18n 0.5.1"

data/lib/brakeman/checks/check_json_parsing.rb

@@ -33,7 +33,7 @@ class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
 
   #Check if `yajl` is included in Gemfile
   def uses_yajl?
-    tracker.config[:gems] and tracker.config[:gems][:yajl]
+    tracker.config[:gems][:yajl]
   end
 
   #Check for `ActiveSupport::JSON.backend = "JSONGem"`

data/lib/brakeman/checks/check_redirect.rb

@@ -184,7 +184,6 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
     if node_type? exp, :or
       decorated_model? exp.lhs or decorated_model? exp.rhs
     else
-      tracker.config[:gems] and
       tracker.config[:gems][:draper] and
       call? exp and
       node_type?(exp.target, :const) and

data/lib/brakeman/checks/check_send.rb

@@ -7,8 +7,9 @@ class Brakeman::CheckSend < Brakeman::BaseCheck
   @description = "Check for unsafe use of Object#send"
 
   def run_check
+    @send_methods = [:send, :try, :__send__, :public_send]
     Brakeman.debug("Finding instances of #send")
-    calls = tracker.find_call :methods => [:send, :try, :__send__, :public_send]
+    calls = tracker.find_call :methods => @send_methods, :nested => true
 
     calls.each do |call|
       process_result call
@@ -19,10 +20,11 @@ class Brakeman::CheckSend < Brakeman::BaseCheck
     return if duplicate? result or result[:call].original_line
     add_result result
 
-    process_call_args result[:call]
-    target = process result[:call].target
+    send_call = get_send result[:call]
+    process_call_args send_call
+    target = process send_call.target
 
-    if input = has_immediate_user_input?(result[:call].first_arg)
+    if input = has_immediate_user_input?(send_call.first_arg)
       warn :result => result,
         :warning_type => "Dangerous Send",
         :warning_code => :dangerous_send,
@@ -32,4 +34,15 @@ class Brakeman::CheckSend < Brakeman::BaseCheck
         :confidence => CONFIDENCE[:high]
     end
   end
+
+  # Recursively check call chain for send call
+  def get_send exp
+    if call? exp
+      if @send_methods.include? exp.method
+        return exp
+      else
+        get_send exp.target
+      end
+    end
+  end
 end

data/lib/brakeman/checks/check_session_settings.rb

@@ -20,7 +20,7 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
     settings = tracker.config[:rails][:action_controller] &&
                tracker.config[:rails][:action_controller][:session]
 
-    check_for_issues settings, "#{tracker.options[:app_path]}/config/environment.rb"
+    check_for_issues settings, "#{tracker.app_path}/config/environment.rb"
 
     ["session_store.rb", "secret_token.rb"].each do |file|
       if tracker.initializers[file] and not ignored? file
@@ -39,15 +39,15 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
   #in Rails 4.x apps
   def process_attrasgn exp
     if not tracker.options[:rails3] and exp.target == @session_settings and exp.method == :session=
-      check_for_issues exp.first_arg, "#{tracker.options[:app_path]}/config/initializers/session_store.rb"
+      check_for_issues exp.first_arg, "#{tracker.app_path}/config/initializers/session_store.rb"
     end
 
     if tracker.options[:rails3] and settings_target?(exp.target) and
       (exp.method == :secret_token= or exp.method == :secret_key_base=) and string? exp.first_arg
 
-      warn_about_secret_token exp, "#{tracker.options[:app_path]}/config/initializers/secret_token.rb"
+      warn_about_secret_token exp, "#{tracker.app_path}/config/initializers/secret_token.rb"
     end
-      
+
     exp
   end
 
@@ -55,9 +55,9 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
   #in Rails 3.x apps
   def process_call exp
     if tracker.options[:rails3] and settings_target?(exp.target) and exp.method == :session_store
-      check_for_rails3_issues exp.second_arg, "#{tracker.options[:app_path]}/config/initializers/session_store.rb"
+      check_for_rails3_issues exp.second_arg, "#{tracker.app_path}/config/initializers/session_store.rb"
     end
-      
+
     exp
   end
 
@@ -134,12 +134,15 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
   end
 
   def ignored? file
-    if @app_tree.exists? ".gitignore"
-      input = @app_tree.read(".gitignore")
+    [".", "config", "config/initializers"].each do |dir|
+      ignore_file = "#{dir}/.gitignore"
+      if @app_tree.exists? ignore_file
+        input = @app_tree.read(ignore_file)
 
-      input.include? file
-    else
-      false
+        return true if input.include? file
+      end
     end
+
+    false
   end
 end

data/lib/brakeman/checks/check_sql.rb

@@ -19,7 +19,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     @sql_targets = [:all, :average, :calculate, :count, :count_by_sql, :exists?, :delete_all, :destroy_all,
       :find, :find_by_sql, :first, :last, :maximum, :minimum, :pluck, :sum, :update_all]
     @sql_targets.concat [:from, :group, :having, :joins, :lock, :order, :reorder, :select, :where] if tracker.options[:rails3]
-    @sql_targets << :find_by << :find_by! if version_between? "4.0.0", "9.9.9"
+    @sql_targets << :find_by << :find_by! if tracker.options[:rails4]
 
     @connection_calls = [:delete, :execute, :insert, :select_all, :select_one,
       :select_rows, :select_value, :select_values]
@@ -496,23 +496,32 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     arg = exp.first_arg
 
     if STRING_METHODS.include? method
-      if string? target
-        check_string_arg arg
-      elsif string? arg
-        check_string_arg target
-      elsif call? target
-        check_for_string_building target
-      elsif node_type? target, :string_interp, :dstr or
-            node_type? arg, :string_interp, :dstr
-
-        check_string_arg target and
-        check_string_arg arg
-      end
+      check_str_target_or_arg(target, arg) or
+      check_interp_target_or_arg(target, arg) or
+      check_for_string_building(target) or
+      check_for_string_building(arg)
     else
       nil
     end
   end
 
+  def check_str_target_or_arg target, arg
+    if string? target
+      check_string_arg arg
+    elsif string? arg
+      check_string_arg target
+    end
+  end
+
+  def check_interp_target_or_arg target, arg
+    if node_type? target, :string_interp, :dstr or
+      node_type? arg, :string_interp, :dstr
+
+      check_string_arg target and
+      check_string_arg arg
+    end
+  end
+
   def check_string_arg exp
     if safe_value? exp
       nil

data/lib/brakeman/checks/check_sql_cves.rb

@@ -48,7 +48,7 @@ class Brakeman::CheckSQLCVEs < Brakeman::BaseCheck
       }
     end
 
-    if tracker.config[:gems] and tracker.config[:gems][:pg]
+    if tracker.config[:gems][:pg]
       issues << {
         :cve => "CVE-2014-3482",
         :versions => [%w[2.0.0 2.9.9 3.2.19], %w[3.0.0 3.2.18 3.2.19], %w[4.0.0 4.0.6 4.0.7], %w[4.1.0 4.1.2 4.1.3]],

data/lib/brakeman/checks/check_symbol_dos.rb

@@ -54,6 +54,8 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
     end
 
     if confidence
+      return if safe_parameter? input.match
+
       message = "Symbol conversion from unsafe string (#{friendly_type_of input})"
 
       warn :result => result,
@@ -63,7 +65,14 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
         :user_input => input.match,
         :confidence => confidence
     end
-
   end
 
+  def safe_parameter? input
+    return unless params? input
+
+    call? input and
+    input.method == :[] and
+    symbol? input.first_arg and
+    [:controller, :action].include? input.first_arg.value
+  end
 end

data/lib/brakeman/options.rb

@@ -32,7 +32,7 @@ module Brakeman::Options
         end
 
         opts.on "-p", "--path PATH", "Specify path to Rails application" do |path|
-          options[:app_path] = File.expand_path path
+          options[:app_path] = path
         end
 
         opts.on "-q", "--[no-]quiet", "Suppress informational messages" do |quiet|
@@ -47,6 +47,11 @@ module Brakeman::Options
           options[:rails3] = true
         end
 
+        opts.on "-4", "--rails4", "Force Rails 4 mode" do
+          options[:rails3] = true
+          options[:rails4] = true
+        end
+
         opts.separator ""
         opts.separator "Scanning options:"
 
@@ -133,6 +138,11 @@ module Brakeman::Options
           end
         end
 
+        opts.on "--add-checks-path path1,path2,etc", Array, "A directory containing additional out-of-tree checks to run" do |paths|
+          options[:additional_checks_path] ||= Set.new
+          options[:additional_checks_path].merge paths.map {|p| File.expand_path p}
+        end
+
         opts.separator ""
         opts.separator "Output options:"
 

data/lib/brakeman/parsers/rails3_erubis.rb

@@ -39,14 +39,6 @@ class Brakeman::Rails3Erubis < ::Erubis::Eruby
     end
   end
 
-  def add_stmt(src, code)
-    if code =~ BLOCK_EXPR
-      src << '@output_buffer.append_if_string= ' << code
-    else
-      super
-    end
-  end
-
   def add_expr_escaped(src, code)
     if code =~ BLOCK_EXPR
       src << "@output_buffer.safe_append= " << code

data/lib/brakeman/parsers/template_parser.rb

@@ -27,7 +27,7 @@ module Brakeman
               when :slim
                 parse_slim text
               else
-                tracker.error "Unkown template type in #{path}"
+                tracker.error "Unknown template type in #{path}"
                 nil
               end
 

data/lib/brakeman/processors/gem_processor.rb

@@ -19,9 +19,15 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
       @tracker.config[:rails_version] = $1
     end
 
-    if @tracker.config[:rails_version] =~ /^(3|4)\./ and not @tracker.options[:rails3]
-      @tracker.options[:rails3] = true
-      Brakeman.notify "[Notice] Detected Rails #$1 application"
+    if @tracker.options[:rails3].nil? and @tracker.options[:rails4].nil? and @tracker.config[:rails_version]
+      if @tracker.config[:rails_version].start_with? "3"
+        @tracker.options[:rails3] = true
+        Brakeman.notify "[Notice] Detected Rails 3 application"
+      elsif @tracker.config[:rails_version].start_with? "4"
+        @tracker.options[:rails3] = true
+        @tracker.options[:rails4] = true
+        Brakeman.notify "[Notice] Detected Rails 4 application"
+      end
     end
 
     if @tracker.config[:gems][:rails_xss]

data/lib/brakeman/processors/output_processor.rb

@@ -1,10 +1,3 @@
-#Temporary fix for https://github.com/seattlerb/ruby_parser/issues/154
-class Regexp
-  [:ENC_NONE, :ENC_EUC, :ENC_SJIS, :ENC_UTF8].each do |enc|
-    remove_const enc if const_defined? enc
-  end
-end
-
 require 'ruby2ruby'
 require 'brakeman/util'
 

data/lib/brakeman/report/report_base.rb

@@ -262,9 +262,16 @@ class Brakeman::Report::Base
   end
 
   def rails_version
-    return tracker.config[:rails_version] if tracker.config[:rails_version]
-    return "3.x" if tracker.options[:rails3]
-    "Unknown"
+    case
+    when tracker.config[:rails_version]
+      tracker.config[:rails_version]
+    when tracker.options[:rails4]
+      "4.x"
+    when tracker.options[:rails3]
+      "3.x"
+    else
+      "Unknown"
+    end
   end
 
   #Escape warning message and highlight user input in text output

data/lib/brakeman/report/report_csv.rb

@@ -50,7 +50,7 @@ class Brakeman::Report::CSV < Brakeman::Report::Table
   #Generate header for CSV output
   def csv_header
     header = CSV.generate_line(["Application Path", "Report Generation Time", "Checks Performed", "Rails Version"])
-    header << CSV.generate_line([File.expand_path(tracker.options[:app_path]), Time.now.to_s, checks.checks_run.sort.join(", "), rails_version])
+    header << CSV.generate_line([File.expand_path(tracker.app_path), Time.now.to_s, checks.checks_run.sort.join(", "), rails_version])
     "BRAKEMAN REPORT\n\n" + header
   end
 end

data/lib/brakeman/report/report_hash.rb

@@ -16,6 +16,7 @@ class Brakeman::Report::Hash < Brakeman::Report::Base
     end
 
     report[:config] = tracker.config
+    report[:checks_run] = tracker.checks.checks_run
 
     report
   end

data/lib/brakeman/report/report_json.rb

@@ -4,14 +4,13 @@ require 'brakeman/report/initializers/multi_json'
 class Brakeman::Report::JSON < Brakeman::Report::Base
   def generate_report
     errors = tracker.errors.map{|e| { :error => e[:error], :location => e[:backtrace][0] }}
-    app_path = tracker.options[:app_path]
 
     warnings = convert_to_hashes all_warnings
 
     ignored = convert_to_hashes ignored_warnings
 
     scan_info = {
-      :app_path => File.expand_path(tracker.options[:app_path]),
+      :app_path => tracker.app_path,
       :rails_version => rails_version,
       :security_warnings => all_warnings.length,
       :start_time => tracker.start_time.to_s,

data/lib/brakeman/report/report_markdown.rb

@@ -66,7 +66,7 @@ class Brakeman::Report::Markdown < Brakeman::Report::Base
         ['Application path', 'Rails version', 'Brakeman version', 'Started at', 'Duration']
     ) do |t|
       t.add_row([
-        File.expand_path(tracker.options[:app_path]),
+        tracker.app_path,
         rails_version,
         Brakeman::Version,
         tracker.start_time,

data/lib/brakeman/report/report_table.rb

@@ -98,7 +98,7 @@ class Brakeman::Report::Table < Brakeman::Report::Base
 
 +BRAKEMAN REPORT+
 
-Application path: #{File.expand_path tracker.options[:app_path]}
+Application path: #{tracker.app_path}
 Rails version: #{rails_version}
 Brakeman version: #{Brakeman::Version}
 Started at #{tracker.start_time}

data/lib/brakeman/report/templates/header.html.erb

@@ -31,7 +31,7 @@
     <th>Checks Performed</th>
   </tr>
   <tr>
-    <td><%= File.expand_path tracker.options[:app_path] %></td>
+    <td><%= tracker.app_path %></td>
     <td><%= rails_version %></td>
     <td><%= brakeman_version %>
     <td>

data/lib/brakeman/scanner.rb

@@ -28,14 +28,6 @@ class Brakeman::Scanner
       raise Brakeman::NoApplication, "Please supply the path to a Rails application."
     end
 
-    if @app_tree.exists?("script/rails")
-      options[:rails3] = true
-      Brakeman.notify "[Notice] Detected Rails 3 application"
-    elsif not @app_tree.exists?("script")
-      options[:rails3] = true # Probably need to do some refactoring
-      Brakeman.notify "[Notice] Detected Rails 4 application"
-    end
-
     @processor = processor || Brakeman::Processor.new(@app_tree, options)
   end
 
@@ -48,6 +40,7 @@ class Brakeman::Scanner
   def process
     Brakeman.notify "Processing gems..."
     process_gems
+    guess_rails_version
     Brakeman.notify "Processing configuration..."
     process_config
     Brakeman.notify "Parsing files..."
@@ -147,6 +140,20 @@ class Brakeman::Scanner
     tracker.error e.exception(e.message + "\nWhile processing Gemfile"), e.backtrace
   end
 
+  #Set :rails3/:rails4 option if version was not determined from Gemfile
+  def guess_rails_version
+    unless tracker.options[:rails3] or tracker.options[:rails4]
+      if @app_tree.exists?("script/rails")
+        tracker.options[:rails3] = true
+        Brakeman.notify "[Notice] Detected Rails 3 application"
+      elsif not @app_tree.exists?("script")
+        tracker.options[:rails3] = true # Probably need to do some refactoring
+        tracker.options[:rails4] = true
+        Brakeman.notify "[Notice] Detected Rails 4 application"
+      end
+    end
+  end
+
   #Process all the .rb files in config/initializers/
   #
   #Adds parsed information to tracker.initializers
@@ -227,7 +234,7 @@ class Brakeman::Scanner
     begin
       @processor.process_controller(astfile.ast, astfile.path)
     rescue => e
-      tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
+      tracker.error e.exception(e.message + "\nWhile processing #{astfile.path}"), e.backtrace
     end
   end
 

data/lib/brakeman/tracker.rb

@@ -25,7 +25,7 @@ class Brakeman::Tracker
     @processor = processor
     @options = options
 
-    @config = { :rails => {} }
+    @config = { :rails => {}, :gems => {} }
     @templates = {}
     @controllers = {}
     #Initialize models with the unknown model so
@@ -77,6 +77,10 @@ class Brakeman::Tracker
     @checks
   end
 
+  def app_path
+    @app_path ||= File.expand_path @options[:app_path]
+  end
+
   #Iterate over all methods in controllers and models.
   def each_method
     [self.controllers, self.models].each do |set|

data/lib/brakeman/util.rb

@@ -274,7 +274,7 @@ module Brakeman::Util
     end
 
     if warning.file
-      File.expand_path warning.file, tracker.options[:app_path]
+      File.expand_path warning.file, tracker.app_path
     elsif warning.template.is_a? Hash and warning.template[:file]
       warning.template[:file]
     else
@@ -314,7 +314,7 @@ module Brakeman::Util
       end
     end
 
-    path = tracker.options[:app_path]
+    path = tracker.app_path
 
     case type
     when :controller
@@ -377,7 +377,7 @@ module Brakeman::Util
 
   def relative_path file
     if file and not file.empty? and file.start_with? '/'
-      Pathname.new(file).relative_path_from(Pathname.new(@tracker.options[:app_path])).to_s
+      Pathname.new(file).relative_path_from(Pathname.new(@tracker.app_path)).to_s
     else
       file
     end

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "2.6.1"
+  Version = "2.6.2"
 end

data/lib/brakeman/warning_codes.rb

@@ -81,6 +81,8 @@ module Brakeman::WarningCodes
     :CVE_2014_0130 => 77,
     :CVE_2014_3482 => 78,
     :CVE_2014_3483 => 79,
+    :CVE_2014_3514 => 80,
+    :CVE_2014_3514_call => 81,
   }
 
   def self.code name

data/lib/ruby_parser/bm_sexp.rb

@@ -12,7 +12,14 @@ class Sexp
     #
     #The original functionality calls find_node and optionally
     #deletes the node if found.
-    raise NoMethodError.new("No method '#{name}' for Sexp", name, args)
+    #
+    #Defining a method named "return" seems like a bad idea, so we have to
+    #check for it here instead
+    if name == :return
+      find_node name, *args
+    else
+      raise NoMethodError.new("No method '#{name}' for Sexp", name, args)
+    end
   end
 
   #Create clone of Sexp and nested Sexps but not their non-Sexp contents.

metadata

@@ -1,8 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-  version: 2.6.1
-  prerelease: 
+  version: 2.6.2
 platform: ruby
 authors:
 - Justin Collins
@@ -36,78 +35,95 @@ cert_chain:
   Q0c3bUZaNnhnaDAxZXFuWlVzTmQ4dk0rNlY2djIzVnUKamsydE1qRlQ0TDFk
   QTNNRXN6MytNUDE0NFBEaFBDaDd0UGU2eXk4MUJPdnlZVFZrS3pyQWtnS3dI
   RDFDdXZzSApiZHc9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
-date: 2014-07-02 00:00:00.000000000 Z
+date: 2014-08-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ruby_parser
-  requirement: &70322329568880 !ruby/object:Gem::Requirement
-    none: false
+  requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: 3.5.0
   type: :runtime
   prerelease: false
-  version_requirements: *70322329568880
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 3.5.0
 - !ruby/object:Gem::Dependency
   name: ruby2ruby
-  requirement: &70322329568380 !ruby/object:Gem::Requirement
-    none: false
+  requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: 2.0.5
+        version: 2.1.1
   type: :runtime
   prerelease: false
-  version_requirements: *70322329568380
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 2.1.1
 - !ruby/object:Gem::Dependency
   name: terminal-table
-  requirement: &70322329567880 !ruby/object:Gem::Requirement
-    none: false
+  requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '1.4'
   type: :runtime
   prerelease: false
-  version_requirements: *70322329567880
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.4'
 - !ruby/object:Gem::Dependency
   name: fastercsv
-  requirement: &70322329567300 !ruby/object:Gem::Requirement
-    none: false
+  requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '1.5'
   type: :runtime
   prerelease: false
-  version_requirements: *70322329567300
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.5'
 - !ruby/object:Gem::Dependency
   name: highline
-  requirement: &70322329566800 !ruby/object:Gem::Requirement
-    none: false
+  requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: 1.6.20
   type: :runtime
   prerelease: false
-  version_requirements: *70322329566800
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.6.20
 - !ruby/object:Gem::Dependency
   name: erubis
-  requirement: &70322329566300 !ruby/object:Gem::Requirement
-    none: false
+  requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '2.6'
   type: :runtime
   prerelease: false
-  version_requirements: *70322329566300
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.6'
 - !ruby/object:Gem::Dependency
   name: haml
-  requirement: &70322329565820 !ruby/object:Gem::Requirement
-    none: false
+  requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
@@ -117,22 +133,31 @@ dependencies:
         version: '5.0'
   type: :runtime
   prerelease: false
-  version_requirements: *70322329565820
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '3.0'
+    - - <
+      - !ruby/object:Gem::Version
+        version: '5.0'
 - !ruby/object:Gem::Dependency
   name: sass
-  requirement: &70322329565100 !ruby/object:Gem::Requirement
-    none: false
+  requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '3.0'
   type: :runtime
   prerelease: false
-  version_requirements: *70322329565100
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: slim
-  requirement: &70322329564620 !ruby/object:Gem::Requirement
-    none: false
+  requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
@@ -142,18 +167,28 @@ dependencies:
         version: '3.0'
   type: :runtime
   prerelease: false
-  version_requirements: *70322329564620
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.3.6
+    - - <
+      - !ruby/object:Gem::Version
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: multi_json
-  requirement: &70322329580140 !ruby/object:Gem::Requirement
-    none: false
+  requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '1.2'
   type: :runtime
   prerelease: false
-  version_requirements: *70322329580140
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.2'
 description: Brakeman detects security vulnerabilities in Ruby on Rails applications
   via static analysis.
 email: gem@brakeman.org
@@ -162,17 +197,20 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
-- bin/brakeman
 - CHANGES
-- WARNING_TYPES
 - FEATURES
 - README.md
+- WARNING_TYPES
+- bin/brakeman
+- lib/brakeman.rb
 - lib/brakeman/app_tree.rb
 - lib/brakeman/brakeman.rake
 - lib/brakeman/call_index.rb
+- lib/brakeman/checks.rb
 - lib/brakeman/checks/base_check.rb
 - lib/brakeman/checks/check_basic_auth.rb
 - lib/brakeman/checks/check_content_tag.rb
+- lib/brakeman/checks/check_create_with.rb
 - lib/brakeman/checks/check_cross_site_scripting.rb
 - lib/brakeman/checks/check_default_routes.rb
 - lib/brakeman/checks/check_deserialize.rb
@@ -223,7 +261,6 @@ files:
 - lib/brakeman/checks/check_validation_regex.rb
 - lib/brakeman/checks/check_without_protection.rb
 - lib/brakeman/checks/check_yaml_parsing.rb
-- lib/brakeman/checks.rb
 - lib/brakeman/differ.rb
 - lib/brakeman/file_parser.rb
 - lib/brakeman/format/style.css
@@ -259,6 +296,7 @@ files:
 - lib/brakeman/processors/slim_template_processor.rb
 - lib/brakeman/processors/template_alias_processor.rb
 - lib/brakeman/processors/template_processor.rb
+- lib/brakeman/report.rb
 - lib/brakeman/report/ignore/config.rb
 - lib/brakeman/report/ignore/interactive.rb
 - lib/brakeman/report/initializers/faster_csv.rb
@@ -283,7 +321,6 @@ files:
 - lib/brakeman/report/templates/template_overview.html.erb
 - lib/brakeman/report/templates/view_warnings.html.erb
 - lib/brakeman/report/templates/warning_overview.html.erb
-- lib/brakeman/report.rb
 - lib/brakeman/rescanner.rb
 - lib/brakeman/scanner.rb
 - lib/brakeman/tracker.rb
@@ -291,32 +328,30 @@ files:
 - lib/brakeman/version.rb
 - lib/brakeman/warning.rb
 - lib/brakeman/warning_codes.rb
-- lib/brakeman.rb
 - lib/ruby_parser/bm_sexp.rb
 - lib/ruby_parser/bm_sexp_processor.rb
 homepage: http://brakemanscanner.org
 licenses:
 - MIT
+metadata: {}
 post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.9
+rubygems_version: 2.3.0
 signing_key: 
-specification_version: 3
+specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.
 test_files: []