RubyGems - brakeman - Versions diffs - 3.3.2 → 3.3.3 - Mend

brakeman 3.3.2 → 3.3.3

Files changed (43) hide show

checksums.yaml +4 -4
data/CHANGES +13 -0
data/lib/brakeman/app_tree.rb +6 -1
data/lib/brakeman/checks/base_check.rb +10 -0
data/lib/brakeman/checks/check_create_with.rb +1 -2
data/lib/brakeman/checks/check_cross_site_scripting.rb +0 -4
data/lib/brakeman/checks/check_deserialize.rb +1 -2
data/lib/brakeman/checks/check_dynamic_finders.rb +1 -2
data/lib/brakeman/checks/check_evaluation.rb +1 -2
data/lib/brakeman/checks/check_execute.rb +2 -5
data/lib/brakeman/checks/check_file_access.rb +1 -2
data/lib/brakeman/checks/check_link_to_href.rb +13 -3
data/lib/brakeman/checks/check_mass_assignment.rb +2 -4
data/lib/brakeman/checks/check_redirect.rb +1 -4
data/lib/brakeman/checks/check_regex_dos.rb +1 -2
data/lib/brakeman/checks/check_render.rb +10 -5
data/lib/brakeman/checks/check_render_inline.rb +1 -2
data/lib/brakeman/checks/check_select_tag.rb +1 -2
data/lib/brakeman/checks/check_send.rb +1 -2
data/lib/brakeman/checks/check_session_manipulation.rb +1 -2
data/lib/brakeman/checks/check_simple_format.rb +1 -2
data/lib/brakeman/checks/check_ssl_verify.rb +1 -2
data/lib/brakeman/checks/check_symbol_dos.rb +2 -4
data/lib/brakeman/checks/check_unsafe_reflection.rb +1 -2
data/lib/brakeman/checks/check_weak_hash.rb +3 -6
data/lib/brakeman/parsers/template_parser.rb +9 -0
data/lib/brakeman/processors/base_processor.rb +25 -0
data/lib/brakeman/processors/controller_processor.rb +6 -99
data/lib/brakeman/processors/erb_template_processor.rb +1 -4
data/lib/brakeman/processors/erubis_template_processor.rb +4 -16
data/lib/brakeman/processors/haml_template_processor.rb +4 -11
data/lib/brakeman/processors/lib/find_all_calls.rb +13 -25
data/lib/brakeman/processors/lib/find_return_value.rb +34 -4
data/lib/brakeman/processors/lib/module_helper.rb +111 -0
data/lib/brakeman/processors/lib/render_helper.rb +1 -1
data/lib/brakeman/processors/library_processor.rb +4 -57
data/lib/brakeman/processors/model_processor.rb +4 -104
data/lib/brakeman/processors/slim_template_processor.rb +7 -21
data/lib/brakeman/processors/template_processor.rb +11 -0
data/lib/brakeman/scanner.rb +1 -1
data/lib/brakeman/version.rb +1 -1
data/lib/ruby_parser/bm_sexp.rb +7 -3
metadata +4 -3

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e8c028effaee5449ceb9ae4536b57db115597cbf
-  data.tar.gz: 49b860b6cee1fcadbda293659fb55b816650c4b5
+  metadata.gz: 08318cd38973d83265973cfcaffb09907d92bc25
+  data.tar.gz: f147beaa68bf28730c008478c98e666480d58ada
 SHA512:
-  metadata.gz: 53a61c3720d15d802b4904606cb08bd9e07e075360bdbbeb6e97afce32316d76ab0d5e87d3d336f514ef46f4cfebcc4fd68388b3e7cf9f4c9d0680a20f0a584a
-  data.tar.gz: 7cb28661d7a0a012e348475c5a74a69ba4d9c28077b66489d0f2b6507a19628bd0220244a1fa87bfd3abb4cea5e707aacbd71f3790ebffc78e57ca7a3374cc4a
+  metadata.gz: d7fd63e6289c6019accc98f91b5a8d6d10d610d8b5829a73641a89930097b80979a5143c8c5688662dbc367532d3d62cc68dbc6352322a66decce9d76e4f8570
+  data.tar.gz: 46bd51e6d4b76c8d8d0120cc9932bd0987800b03e0b2eb7eff7d97c127a88811d8859bdfc6dbb6d00bcc05d112b1d6b4fdb69e175b171293b5a1b11cee4c2f25

data/CHANGES CHANGED

@@ -1,3 +1,16 @@
+# 3.3.3
+* Show path when no Rails app found (Neil Matatall)
+* Index calls in view helpers
+* Process inline template renders
+* Avoid warning about hashes in link_to hrefs
+* Add documentation for authentication category
+* Ignore boolean methods in render paths
+* Reduce open redirect duplicates
+* Fix SymbolDoS error with unknown Rails version
+* Sexp#value returns nil when there is no value
+* Improve return value estimation
 # 3.3.2
 * Fix serious performance regression with global constant tracking

data/lib/brakeman/app_tree.rb CHANGED

@@ -106,11 +106,16 @@ module Brakeman
     def lib_paths
       @lib_files ||= find_paths("lib").reject { |path| path.include? "/generators/" or path.include? "lib/tasks/" } +
-                     find_additional_lib_paths
+                     find_additional_lib_paths +
+                     find_helper_paths
     end
   private
+    def find_helper_paths
+      find_paths "app/helpers"
+    end
     def find_additional_lib_paths
       @additional_libs_path.collect{ |path| find_paths path }.flatten
     end

data/lib/brakeman/checks/base_check.rb CHANGED

@@ -131,6 +131,10 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       @comparison_ops.include? meth
   end
+  def boolean_method? method
+    method[-1] == "?"
+  end
   #Report a warning
   def warn options
     extra_opts = { :check => self.class.to_s }
@@ -233,6 +237,12 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     @mass_assign_disabled
   end
+  def original? result
+    return false if result[:call].original_line or duplicate? result
+    add_result result
+    true
+  end
   #This is to avoid reporting duplicates. Checks if the result has been
   #reported already from the same line number.
   def duplicate? result, location = nil

data/lib/brakeman/checks/check_create_with.rb CHANGED

@@ -26,8 +26,7 @@ class Brakeman::CheckCreateWith < Brakeman::BaseCheck
   end
   def process_result result
-    return if duplicate? result
-    add_result result
+    return unless original? result
     arg = result[:call].first_arg
     confidence = danger_level arg

data/lib/brakeman/checks/check_cross_site_scripting.rb CHANGED

@@ -378,8 +378,4 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
   def safe_input_attribute? target, method
     target and always_safe_method? method
   end
-  def boolean_method? method
-    method.to_s.end_with? "?"
-  end
 end

data/lib/brakeman/checks/check_deserialize.rb CHANGED

@@ -30,8 +30,7 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
   end
   def check_deserialize result, target, arg = nil
-    return if duplicate? result
-    add_result result
+    return unless original? result
     arg ||= result[:call].first_arg
     method = result[:call].method

data/lib/brakeman/checks/check_dynamic_finders.rb CHANGED

@@ -15,8 +15,7 @@ class Brakeman::CheckDynamicFinders < Brakeman::BaseCheck
   end
   def process_result result
-    return if duplicate? result or result[:call].original_line
-    add_result result
+    return unless original? result
     call = result[:call]

data/lib/brakeman/checks/check_evaluation.rb CHANGED

@@ -20,8 +20,7 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
   #Warns if eval includes user input
   def process_result result
-    return if duplicate? result or result[:call].original_line
-    add_result result
+    return unless original? result
     if input = include_user_input?(result[:call].arglist)
       warn :result => result,

data/lib/brakeman/checks/check_execute.rb CHANGED

@@ -53,8 +53,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
       failure = include_user_input?(args) || dangerous_interp?(args)
     end
-    if failure and not duplicate? result
-      add_result result
+    if failure and original? result
       if failure.type == :interp #Not from user input
         confidence = CONFIDENCE[:med]
@@ -107,9 +106,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
   #Processes backticks.
   def process_backticks result
-    return if duplicate? result
-    add_result result
+    return unless original? result
     exp = result[:call]

data/lib/brakeman/checks/check_file_access.rb CHANGED

@@ -27,8 +27,7 @@ class Brakeman::CheckFileAccess < Brakeman::BaseCheck
   end
   def process_result result
-    return if duplicate? result
-    add_result result
+    return unless original? result
     call = result[:call]
     file_name = call.first_arg

data/lib/brakeman/checks/check_link_to_href.rb CHANGED

@@ -17,7 +17,7 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
                            :hidden_field, :hidden_field_tag, :image_tag, :label,
                            :mail_to, :polymorphic_url, :radio_button, :select, :slice,
                            :submit_tag, :text_area, :text_field,
-                           :text_field_tag, :url_encode, :u, :url_for,
+                           :text_field_tag, :url_encode, :u,
                            :will_paginate].merge(tracker.options[:url_safe_methods] || [])
     @models = tracker.models.keys
@@ -36,6 +36,10 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
     @matched = false
     url_arg = process call.second_arg
+    if call? url_arg and url_arg.method == :url_for
+      url_arg = url_arg.first_arg
+    end
     #Ignore situations where the href is an interpolated string
     #with something before the user input
     return if string_interp?(url_arg) && !url_arg[1].chomp.empty?
@@ -45,7 +49,7 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
     if input = has_immediate_user_input?(url_arg)
       message = "Unsafe #{friendly_type_of input} in link_to href"
-      unless duplicate? result
+      unless duplicate? result or call_on_params? url_arg
         add_result result
         warn :result => result,
           :warning_type => "Cross Site Scripting",
@@ -74,7 +78,7 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
     elsif @matched
       if @matched.type == :model and not tracker.options[:ignore_model_output]
         message = "Unsafe model attribute in link_to href"
-      elsif @matched.type == :params
+      elsif @matched.type == :params and not call_on_params? @matched.match
         message = "Unsafe parameter value in link_to href"
       end
@@ -112,4 +116,10 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
     MODEL_METHODS.include? exp.method or
       exp.method.to_s =~ /^find_by_/
   end
+  def call_on_params? exp
+    call? exp and
+    params? exp.target and
+    exp.method != :[]
+  end
 end

data/lib/brakeman/checks/check_mass_assignment.rb CHANGED

@@ -65,8 +65,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
     check = check_call call
-    if check and not call.original_line and not duplicate? res
-      add_result res
+    if check and original? res
       model = tracker.models[res[:chain].first]
@@ -180,8 +179,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
   end
   def warn_on_permit! result
-    return if duplicate? result or result[:call].original_line
-    add_result result
+    return unless original? result
     confidence = if subsequent_mass_assignment? result
                    CONFIDENCE[:high]

data/lib/brakeman/checks/check_redirect.rb CHANGED

@@ -29,10 +29,9 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
   end
   def process_result result
-    return if duplicate? result
+    return unless original? result
     call = result[:call]
     method = call.method
     if method == :redirect_to and
@@ -41,8 +40,6 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
         not slice_call?(call.first_arg) and
         res = include_user_input?(call)
-      add_result result
       if res.type == :immediate
         confidence = CONFIDENCE[:high]
       else

data/lib/brakeman/checks/check_regex_dos.rb CHANGED

@@ -26,8 +26,7 @@ class Brakeman::CheckRegexDoS < Brakeman::BaseCheck
   #Warns if regex includes user input
   def process_result result
-    return if duplicate? result or result[:call].original_line
-    add_result result
+    return unless original? result
     call = result[:call]
     components = call[1..-1]

data/lib/brakeman/checks/check_render.rb CHANGED

@@ -32,8 +32,7 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
   def check_for_dynamic_path result
     view = result[:call][2]
-    if sexp? view and not duplicate? result
-      add_result result
+    if sexp? view and original? result
       if input = has_immediate_user_input?(view)
         if string_interp? view
@@ -84,9 +83,15 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
   end
   def safe_param? exp
-    if params? exp and call? exp and exp.method == :[]
-      arg = exp.first_arg
-      symbol? arg and [:controller, :action].include? arg.value
+    if params? exp and call? exp
+      method_name = exp.method
+      if method_name == :[]
+        arg = exp.first_arg
+        symbol? arg and [:controller, :action].include? arg.value
+      else
+        boolean_method? method_name
+      end
     end
   end
 end

data/lib/brakeman/checks/check_render_inline.rb CHANGED

@@ -12,8 +12,7 @@ class Brakeman::CheckRenderInline < Brakeman::CheckCrossSiteScripting
   end
   def check_render result
-    return if duplicate? result
-    add_result result
+    return unless original? result
     call = result[:call]

data/lib/brakeman/checks/check_select_tag.rb CHANGED

@@ -34,8 +34,7 @@ class Brakeman::CheckSelectTag < Brakeman::BaseCheck
   #Check if select_tag is called with user input in :prompt option
   def process_result result
-    return if duplicate? result
-    add_result result
+    return unless original? result
     #Only concerned if user input is supplied for :prompt option
     last_arg = result[:call].last_arg

data/lib/brakeman/checks/check_send.rb CHANGED

@@ -17,8 +17,7 @@ class Brakeman::CheckSend < Brakeman::BaseCheck
   end
   def process_result result
-    return if duplicate? result or result[:call].original_line
-    add_result result
+    return unless original? result
     send_call = get_send result[:call]
     process_call_args send_call

data/lib/brakeman/checks/check_session_manipulation.rb CHANGED

@@ -12,8 +12,7 @@ class Brakeman::CheckSessionManipulation < Brakeman::BaseCheck
   end
   def process_result result
-    return if duplicate? result or result[:call].original_line
-    add_result result
+    return unless original? result
     index = result[:call].first_arg

data/lib/brakeman/checks/check_simple_format.rb CHANGED

@@ -43,8 +43,7 @@ class Brakeman::CheckSimpleFormat < Brakeman::CheckCrossSiteScripting
   end
   def warn_on_simple_format result, match
-    return if duplicate? result
-    add_result result
+    return unless original? result
     @found_any = true

data/lib/brakeman/checks/check_ssl_verify.rb CHANGED

@@ -37,8 +37,7 @@ class Brakeman::CheckSSLVerify < Brakeman::BaseCheck
   end
   def warn_about_ssl_verification_bypass result
-    return if duplicate?(result)
-    add_result result
+    return unless original? result
     warn :result => result,
       :warning_type => "SSL Verification Bypass",

data/lib/brakeman/checks/check_symbol_dos.rb CHANGED

@@ -8,7 +8,7 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
   @description = "Checks for symbol denial of service"
   def run_check
-    return if rails_version > "5.0.0"
+    return if rails_version and rails_version > "5.0.0"
     tracker.find_call(:methods => UNSAFE_METHODS, :nested => true).each do |result|
       check_unsafe_symbol_creation(result)
@@ -16,9 +16,7 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
   end
   def check_unsafe_symbol_creation result
-    return if duplicate? result or result[:call].original_line
-    add_result result
+    return unless original? result
     call = result[:call]

data/lib/brakeman/checks/check_unsafe_reflection.rb CHANGED

@@ -18,8 +18,7 @@ class Brakeman::CheckUnsafeReflection < Brakeman::BaseCheck
   end
   def check_unsafe_reflection result
-    return if duplicate? result or result[:call].original_line
-    add_result result
+    return unless original? result
     call = result[:call]
     method = call.method

data/lib/brakeman/checks/check_weak_hash.rb CHANGED

@@ -22,8 +22,7 @@ class Brakeman::CheckWeakHash < Brakeman::BaseCheck
   end
   def process_hash_result result
-    return if duplicate? result
-    add_result result
+    return unless original? result
     input = nil
     call = result[:call]
@@ -59,8 +58,7 @@ class Brakeman::CheckWeakHash < Brakeman::BaseCheck
   end
   def process_hmac_result result
-    return if duplicate? result
-    add_result result
+    return unless original? result
     call = result[:call]
@@ -81,8 +79,7 @@ class Brakeman::CheckWeakHash < Brakeman::BaseCheck
   end
   def process_openssl_result result
-    return if duplicate? result
-    add_result result
+    return unless original? result
     arg = result[:call].first_arg

data/lib/brakeman/parsers/template_parser.rb CHANGED

@@ -85,5 +85,14 @@ module Brakeman
       Slim::Template.new(:disable_capture => true,
                          :generator => Temple::Generators::RailsOutputBuffer) { text }.precompiled_template
     end
+    def self.parse_inline_erb tracker, text
+      fp = Brakeman::FileParser.new(nil, nil)
+      tp = self.new(tracker, fp)
+      src = tp.parse_erb text
+      type = tp.erubis? ? :erubis : :erb
+      return type, fp.parse_ruby(src, "_inline_")
+    end
   end
 end

data/lib/brakeman/processors/base_processor.rb CHANGED

@@ -272,6 +272,31 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     type ||= :default
     value ||= :default
+    if type == :inline and string? value and not hash_access(rest, :type)
+      value, rest = make_inline_render(value, rest)
+    end
     return type, value, rest
   end
+  def make_inline_render value, options
+    require 'brakeman/parsers/template_parser'
+    class_or_module = (@current_class || @current_module)
+    class_or_module = if class_or_module.nil?
+                        "Unknown"
+                      else
+                        class_or_module.name
+                      end
+    template_name = "#@current_method/inline@#{value.line}:#{class_or_module}".to_sym
+    type, ast = Brakeman::TemplateParser.parse_inline_erb(@tracker, value.value)
+    ast = ast.deep_clone(value.line)
+    @tracker.processor.process_template(template_name, ast, type, nil, @file_name)
+    @tracker.processor.process_template_alias(@tracker.templates[template_name])
+    return s(:lit, template_name), options
+  end
 end