brakeman 3.7.2 → 4.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b35dc1f57ca3589db3da50fee0727172aab89443
-  data.tar.gz: 21152579e85d00e06992bea8867e323d8516df7c
+  metadata.gz: e6ab5a70e52f407d8cf72fa20f488b2d29d69fa1
+  data.tar.gz: c741b82cef61f90e2fa335e7abcab176305bb774
 SHA512:
-  metadata.gz: e275bc4c370e29fe12f90fa57dd1daeadf5cadae6004edf0ef89cc9d6eaeadc2883987c870cce2947c4d2bffbc58e3a5cae9e4aab4793ae76e21dc678467f1df
-  data.tar.gz: b8660222d3d68094edcf12ececc814732e0d928ceeb099650f3a937b8df143c6b7a5df977aa220754d395f32e3f462beec34a1a324df2228bfecdb591fa7d98a
+  metadata.gz: a0040375401d198b0457223a0918a954cdbb14b729aa72492219ce5a2540b2b6de3a1c64712914416a6a68f19f4c0031463ef1c433ec2ee1dbae9cc96a4deb03
+  data.tar.gz: 692c60359fc83b6eec8e2b5f7f5bdb845e7224b4f7762b4032d34f49fcc6589cedb89cb8a0b8b4cb6d67789cc3c6a290509793764fa63c205e7ba8470738f5cd

data/CHANGES

@@ -1,3 +1,17 @@
+# 4.0.0
+
+* Add simple pager for reports output to terminal
+* Rename "Cross Site Scripting" to "Cross-Site Scripting" (Paul Tetreau)
+* Rearrange tests a little bit
+* Treat `request.cookies` like `cookies`
+* Treat `fail`/`raise` like early returns
+* Remove reliance on `CONFIDENCE` constant in checks
+* Remove low confidence mass assignment warnings
+* Reduce warnings about XSS in `link_to`
+* "Plain" report output is now the default
+* --exit-on-error and --exit-on-warn are now the default
+* Fix --exit-on-error and --exit-on-warn in config files
+
 # 3.7.2
 
 * Fix --ensure-latest (David Guyon)
@@ -300,7 +314,7 @@
 # 3.0.0
 
 * Add check for CVE-2014-7829
-* Add check for cross site scripting via inline renders
+* Add check for cross-site scripting via inline renders
 * Fix formatting of command interpolation
 * Local variables are no longer formatted as `(local var)`
 * Actually skip skipped before filters

data/FEATURES

@@ -1,5 +1,5 @@
 Can detect:
--Possibly unescaped model attributes or parameters in views (Cross Site Scripting)
+-Possibly unescaped model attributes or parameters in views (Cross-Site Scripting)
 -Bad string interpolation in calls to Model.find, Model.last, Model.first, etc., as well as chained calls (SQL Injection)
 -String interpolation in find_by_sql (SQL Injection)
 -String interpolation or params in calls to system, exec, and syscall and `` (Command Injection)

data/bundle/load.rb

@@ -1,15 +1,15 @@
 path = File.expand_path('../..', __FILE__)
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/haml-4.0.7/lib"
-$:.unshift "#{path}/bundle/ruby/2.3.0/gems/highline-1.7.8/lib"
-$:.unshift "#{path}/bundle/ruby/2.3.0/gems/ruby2ruby-2.4.0/lib"
-$:.unshift "#{path}/bundle/ruby/2.3.0/gems/sass-3.4.25/lib"
-$:.unshift "#{path}/bundle/ruby/2.3.0/gems/sass-3.4.25/vendor/listen/lib"
+$:.unshift "#{path}/bundle/ruby/2.3.0/gems/erubis-2.7.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/tilt-2.0.8/lib"
+$:.unshift "#{path}/bundle/ruby/2.3.0/gems/sass-3.4.25/vendor/listen/lib"
+$:.unshift "#{path}/bundle/ruby/2.3.0/gems/sass-3.4.25/lib"
+$:.unshift "#{path}/bundle/ruby/2.3.0/gems/safe_yaml-1.0.4/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/temple-0.7.7/lib"
-$:.unshift "#{path}/bundle/ruby/2.3.0/gems/unicode-display_width-1.3.0/lib"
-$:.unshift "#{path}/bundle/ruby/2.3.0/gems/sexp_processor-4.10.0/lib"
-$:.unshift "#{path}/bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/terminal-table-1.8.0/lib"
+$:.unshift "#{path}/bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/lib"
+$:.unshift "#{path}/bundle/ruby/2.3.0/gems/highline-1.7.8/lib"
+$:.unshift "#{path}/bundle/ruby/2.3.0/gems/sexp_processor-4.10.0/lib"
+$:.unshift "#{path}/bundle/ruby/2.3.0/gems/ruby2ruby-2.4.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/slim-3.0.7/lib"
-$:.unshift "#{path}/bundle/ruby/2.3.0/gems/erubis-2.7.0/lib"
-$:.unshift "#{path}/bundle/ruby/2.3.0/gems/safe_yaml-1.0.4/lib"
+$:.unshift "#{path}/bundle/ruby/2.3.0/gems/unicode-display_width-1.3.0/lib"

data/lib/brakeman.rb

@@ -38,7 +38,8 @@ module Brakeman
   #  * :combine_locations - combine warning locations (default: true)
   #  * :config_file - configuration file
   #  * :escape_html - escape HTML by default (automatic)
-  #  * :exit_on_warn - return false if warnings found, true otherwise. Not recommended for library use (default: false)
+  #  * :exit_on_error - only affects Commandline module (default: true)
+  #  * :exit_on_warn - only affects Commandline module (default: true)
   #  * :github_repo - github repo to use for file links (user/repo[/path][@ref])
   #  * :highlight_user_input - highlight user input in reported warnings (default: true)
   #  * :html_style - path to CSS file
@@ -71,6 +72,7 @@ module Brakeman
     if @quiet
       options[:report_progress] = false
     end
+
     scan options
   end
 
@@ -156,23 +158,26 @@ module Brakeman
   #Default set of options
   def self.default_options
     { :assume_all_routes => true,
-      :skip_checks => Set.new,
       :check_arguments => true,
-      :safe_methods => Set.new,
-      :min_confidence => 2,
-      :combine_locations => true,
       :collapse_mass_assignment => false,
+      :combine_locations => true,
+      :engine_paths => ["engines/*"],
+      :exit_on_error => true,
+      :exit_on_warn => true,
       :highlight_user_input => true,
-      :ignore_redirect_to_model => true,
+      :html_style => "#{File.expand_path(File.dirname(__FILE__))}/brakeman/format/style.css",
       :ignore_model_output => false,
+      :ignore_redirect_to_model => true,
       :index_libs => true,
       :message_limit => 100,
+      :min_confidence => 2,
+      :output_color => true,
+      :pager => true,
       :parallel_checks => true,
       :relative_path => false,
       :report_progress => true,
-      :html_style => "#{File.expand_path(File.dirname(__FILE__))}/brakeman/format/style.css",
-      :output_color => true,
-      :engine_paths => ["engines/*"]
+      :safe_methods => Set.new,
+      :skip_checks => Set.new,
     }
   end
 
@@ -213,10 +218,12 @@ module Brakeman
       [:to_markdown]
     when :cc, :to_cc, :codeclimate, :to_codeclimate
       [:to_codeclimate]
-    when :plain ,:to_plain
-      [:to_plain]
+    when :plain ,:to_plain, :text, :to_text, :to_s
+      [:to_text]
+    when :table, :to_table
+      [:to_table]
     else
-      [:to_s]
+      [:to_text]
     end
   end
   private_class_method :get_formats_from_output_format
@@ -239,9 +246,11 @@ module Brakeman
       when /(\.cc|\.codeclimate)$/i
         :to_codeclimate
       when /\.plain$/i
-        :to_plain
+        :to_text
+      when /\.table$/i
+        :to_table
       else
-        :to_s
+        :to_text
       end
     end
   end
@@ -388,12 +397,41 @@ module Brakeman
       tracker.options[:output_color] = false
     end
 
-    output_formats.each do |output_format|
-      puts tracker.report.format(output_format)
+    if not $stdout.tty? or not tracker.options[:pager] or output_formats.length > 1 # does this ever happen??
+      output_formats.each do |output_format|
+        puts tracker.report.format(output_format)
+      end
+    else
+      page_output tracker.report.format(output_formats.first)
     end
   end
   private_class_method :write_report_to_formats
 
+  def self.page_output text
+    if system("which less")
+      # Adapted from https://github.com/piotrmurach/tty-pager/
+      write_io = open("|less -R", 'w')
+      pid = write_io.pid
+
+      write_io.write(text)
+      write_io.close
+
+      Process.waitpid2(pid, Process::WNOHANG)
+    else
+      load_brakeman_dependency 'highline'
+      h = ::HighLine.new
+      h.page_at = :auto
+      h.say tracker.report.format(output_formats.first)
+    end
+  rescue Errno::ECHILD
+    # on jruby 9x waiting on pid raises (per tty-pager)
+    true
+  rescue => e
+    warn "[Error] #{e}"
+    warn "[Error] Could not use pager. Set --no-pager to avoid this issue."
+    puts tracker.report.format(output_formats.first)
+  end
+
   #Rescan a subset of files in a Rails application.
   #
   #A full scan must have been run already to use this method.
@@ -508,7 +546,7 @@ module Brakeman
     missing = Brakeman::Checks.missing_checks(included_checks || Set.new, excluded_checks || Set.new)
 
     unless missing.empty?
-      raise MissingChecksError, "Could not find specified check#{missing.length > 1 ? 's' : ''}: #{missing.to_a.join(', ')}"
+      raise MissingChecksError, "Could not find specified check#{missing.length > 1 ? 's' : ''}: #{missing.map {|c| "`#{c}`"}.join(', ')}"
     end
   end
 

data/lib/brakeman/call_index.rb

@@ -67,7 +67,7 @@ class Brakeman::CallIndex
 
   def remove_template_indexes template_name = nil
     [@calls_by_method, @calls_by_target].each do |calls_by|
-      calls_by.each do |name, calls|
+      calls_by.each do |_name, calls|
         calls.delete_if do |call|
           from_template call, template_name
         end
@@ -77,7 +77,7 @@ class Brakeman::CallIndex
 
   def remove_indexes_by_class classes
     [@calls_by_method, @calls_by_target].each do |calls_by|
-      calls_by.each do |name, calls|
+      calls_by.each do |_name, calls|
         calls.delete_if do |call|
           call[:location][:type] == :class and classes.include? call[:location][:class]
         end

data/lib/brakeman/checks/base_check.rb

@@ -10,7 +10,9 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   include Brakeman::Util
   attr_reader :tracker, :warnings
 
-  CONFIDENCE = { :high => 0, :med => 1, :low => 2 }
+  # This is for legacy support.
+  # Use :high, :medium, or :low instead when creating warnings.
+  CONFIDENCE = Brakeman::Warning::CONFIDENCE
 
   Match = Struct.new(:type, :match)
 
@@ -60,7 +62,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   #Default Sexp processing. Iterates over each value in the Sexp
   #and processes them if they are also Sexps.
   def process_default exp
-    exp.each_with_index do |e, i|
+    exp.each_with_index do |e, _i|
       if sexp? e
         process e
       else

data/lib/brakeman/checks/check_basic_auth.rb

@@ -17,7 +17,7 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
   end
 
   def check_basic_auth_filter
-    controllers = tracker.controllers.select do |name, c|
+    controllers = tracker.controllers.select do |_name, c|
       c.options[:http_basic_authenticate_with]
     end
 
@@ -30,7 +30,7 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
               :warning_code => :basic_auth_password,
               :message => "Basic authentication password stored in source code",
               :code => call,
-              :confidence => 0,
+              :confidence => :high,
               :file => controller.file
           break
         end
@@ -50,7 +50,7 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
               :warning_type => "Basic Auth",
               :warning_code => :basic_auth_password,
               :message => "Basic authentication password stored in source code",
-              :confidence => 0
+              :confidence => :high
       end
     end
   end

data/lib/brakeman/checks/check_basic_auth_timing_attack.rb

@@ -26,7 +26,7 @@ class Brakeman::CheckBasicAuthTimingAttack < Brakeman::BaseCheck
         :warning_type => "Timing Attack",
         :warning_code => :CVE_2015_7576,
         :message => "Basic authentication in Rails #{rails_version} is vulnerable to timing attacks. Upgrade to #@upgrade",
-        :confidence => CONFIDENCE[:high],
+        :confidence => :high,
         :link => "https://groups.google.com/d/msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ"
     end
   end

data/lib/brakeman/checks/check_content_tag.rb

@@ -66,7 +66,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
 
     #Attribute keys are never escaped, so check them for user input
     if not @matched and hash? attributes and not request_value? attributes
-      hash_iterate(attributes) do |k, v|
+      hash_iterate(attributes) do |k, _v|
         check_argument result, k
         return if @matched
       end
@@ -79,7 +79,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
       if request_value? attributes or not hash? attributes
         check_argument result, attributes
       else #check hash values
-        hash_iterate(attributes) do |k, v|
+        hash_iterate(attributes) do |_k, v|
           check_argument result, v
           return if @matched
         end
@@ -101,11 +101,11 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
       add_result result
 
       warn :result => result,
-        :warning_type => "Cross Site Scripting",
+        :warning_type => "Cross-Site Scripting",
         :warning_code => :xss_content_tag,
         :message => message,
         :user_input => input,
-        :confidence => CONFIDENCE[:high],
+        :confidence => :high,
         :link_path => "content_tag"
 
     elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(arg)
@@ -113,13 +113,13 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
         add_result result
 
         if likely_model_attribute? match
-          confidence = CONFIDENCE[:high]
+          confidence = :high
         else
-          confidence = CONFIDENCE[:med]
+          confidence = :medium
         end
 
         warn :result => result,
-          :warning_type => "Cross Site Scripting",
+          :warning_type => "Cross-Site Scripting",
           :warning_code => :xss_content_tag,
           :message => "Unescaped model attribute in content_tag",
           :user_input => match,
@@ -135,11 +135,11 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
       add_result result
 
       warn :result => result,
-        :warning_type => "Cross Site Scripting",
+        :warning_type => "Cross-Site Scripting",
         :warning_code => :xss_content_tag,
         :message => message,
         :user_input => @matched,
-        :confidence => CONFIDENCE[:med],
+        :confidence => :medium,
         :link_path => "content_tag"
     end
   end
@@ -159,9 +159,9 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
   def check_cve_2016_6316
     if cve_2016_6316?
       confidence = if @content_tags.any?
-                     CONFIDENCE[:high]
+                     :high
                    else
-                     CONFIDENCE[:med]
+                     :medium
                    end
 
       fix_version = case
@@ -179,7 +179,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
                       return
                     end
 
-      warn :warning_type => "Cross Site Scripting",
+      warn :warning_type => "Cross-Site Scripting",
         :warning_code => :CVE_2016_6316,
         :message => "Rails #{rails_version} content_tag does not escape double quotes in attribute values (CVE-2016-6316). Upgrade to #{fix_version}",
         :confidence => confidence,

data/lib/brakeman/checks/check_create_with.rb

@@ -51,15 +51,15 @@ class Brakeman::CheckCreateWith < Brakeman::BaseCheck
     if call? exp and exp.method == :permit
       nil
     elsif request_value? exp
-      CONFIDENCE[:high]
+      :high
     elsif hash? exp
       nil
     elsif has_immediate_user_input?(exp)
-      CONFIDENCE[:high]
+      :high
     elsif include_user_input? exp
-      CONFIDENCE[:med]
+      :medium
     else
-      CONFIDENCE[:low]
+      :weak
     end
   end
 
@@ -68,7 +68,7 @@ class Brakeman::CheckCreateWith < Brakeman::BaseCheck
         :warning_code => :CVE_2014_3514,
         :message => @message,
         :gem_info => gemfile_or_environment,
-        :confidence => CONFIDENCE[:med],
+        :confidence => :medium,
         :link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"
   end
 end

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -73,11 +73,11 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
       message = "Unescaped #{friendly_type_of input}"
 
       warn :template => @current_template,
-        :warning_type => "Cross Site Scripting",
+        :warning_type => "Cross-Site Scripting",
         :warning_code => :cross_site_scripting,
         :message => message,
         :code => input.match,
-        :confidence => CONFIDENCE[:high]
+        :confidence => :high
 
     elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(out)
       method = if call? match
@@ -90,9 +90,9 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
         add_result exp
 
         if likely_model_attribute? match
-          confidence = CONFIDENCE[:high]
+          confidence = :high
         else
-          confidence = CONFIDENCE[:med]
+          confidence = :medium
         end
 
         message = "Unescaped model attribute"
@@ -106,7 +106,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
         end
 
         warn :template => @current_template,
-          :warning_type => "Cross Site Scripting",
+          :warning_type => "Cross-Site Scripting",
           :warning_code => warning_code,
           :message => message,
           :code => match,
@@ -178,18 +178,18 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
           warning_code = :cross_site_scripting
 
           if @known_dangerous.include? exp.method
-            confidence = CONFIDENCE[:high]
+            confidence = :high
             if exp.method == :to_json
               message += " in JSON hash"
               link_path += "_to_json"
               warning_code = :xss_to_json
             end
           else
-            confidence = CONFIDENCE[:low]
+            confidence = :weak
           end
 
           warn :template => @current_template,
-            :warning_type => "Cross Site Scripting",
+            :warning_type => "Cross-Site Scripting",
             :warning_code => warning_code,
             :message => message,
             :code => exp,