brakeman 4.7.1 → 4.7.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cb1a6279fa089c035c1e284d078ba0af21b8a19de58e489dcdc7c3a167d52e43
-  data.tar.gz: 4d163ff4a319363126e9626f8d0d841b1b55abf48fca01f1b5e0581bbda8f69f
+  metadata.gz: 411fde4f85ce3e35551ea8e0e289bad38213583166118db0740ac4677076e55f
+  data.tar.gz: 99a14d0668d883d1def0280df61ec2f40ad669505f7d70d1fc7b9350de5b9176
 SHA512:
-  metadata.gz: 7decb5b6745e654b6e2d7b06503fedad0e9a1c1b89d40ee380e37c23092420e34425357091f47a623508b1cf7e91a114a786f25d5441efe1cd7db80d7d15cc72
-  data.tar.gz: 81651d8ba5958201234b84576a691e5281b3f3af3cbb66500fb847e1873406c8956f8746c062de965b95c76e5c3c9f6810b81ebe73abbfc454cafbd2e93b9c31
+  metadata.gz: 78243e7cec614d4e75530fb1a09c6057773fe0955759e60f7117a40fbfd56282ab0a4c89a3d5349063ba2786562722598b1e6206ecacabcba5ed1619c5e789a0
+  data.tar.gz: fd2ea9beed747478786d9f33ff5fe0f4fc6d2f4b9c7bffad1081cac802d2bbb31ef8bfe99974fd81d8cb8b81ee65ec933f62d13fdc346bd0d03b3b1078843f57

data/CHANGES.md

@@ -1,3 +1,11 @@
+# 4.7.2 - 2019-11-25
+
+* Remove version guard for `named_scope` vs. `scope`
+* Find SQL injection in `String#strip_heredoc` target
+* Handle more `permit!` cases
+* Ensure file name is set when processing model
+* Add `request.params` as query parameters
+
 # 4.7.1 - 2019-10-29 
 
 * Check string length against limit before joining

data/README.md

@@ -62,7 +62,7 @@ Outside of Rails root (note that the output file is relative to path/to/rails/ap
 
 # Compatibility
 
-Brakeman should work with any version of Rails from 2.3.x to 5.x.
+Brakeman should work with any version of Rails from 2.3.x to 6.x.
 
 Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 2.3.0 to run.
 

data/bundle/load.rb

@@ -7,8 +7,8 @@ $:.unshift "#{path}/bundle/ruby/2.6.0/gems/ruby2ruby-2.4.4/lib"
 $:.unshift "#{path}/bundle/ruby/2.6.0/gems/terminal-table-1.8.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.6.0/gems/sexp_processor-4.13.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.6.0/gems/haml-5.1.2/lib"
+$:.unshift "#{path}/bundle/ruby/2.6.0/gems/ruby_parser-3.14.1/lib"
 $:.unshift "#{path}/bundle/ruby/2.6.0/gems/ruby_parser-legacy-1.0.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.6.0/gems/unicode-display_width-1.6.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.6.0/gems/erubis-2.7.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.6.0/gems/safe_yaml-1.0.5/lib"
-$:.unshift "#{path}/bundle/ruby/2.6.0/gems/ruby_parser-3.14.0/lib"

data/bundle/ruby/2.6.0/gems/{ruby_parser-3.14.0 → ruby_parser-3.14.1}/History.rdoc

@@ -1,3 +1,15 @@
+=== 3.14.1 / 2019-10-29
+
+* 1 minor enhancement:
+
+  * Declared that ruby_parser supports ruby 2.2 and up.
+
+* 3 bug fixes:
+
+  * Fixed a problem with %W with a null-byte terminator. (wtf?) (spohlenz)
+  * Fixed line numbering for command (eg methods without parentheses) arguments. (mvz)
+  * Fixed lineno on new dxstrs. (presidentbeef)
+
 === 3.14.0 / 2019-09-24
 
 * 8 minor enhancements:

data/bundle/ruby/2.6.0/gems/{ruby_parser-3.14.0 → ruby_parser-3.14.1}/lib/ruby_lexer.rb

@@ -1177,8 +1177,6 @@ class RubyLexer
       handled = true
 
       case
-      when paren_re && scan(paren_re) then
-        self.string_nest += 1
       when scan(term_re) then
         if self.string_nest == 0 then
           ss.pos -= 1
@@ -1186,6 +1184,8 @@ class RubyLexer
         else
           self.string_nest -= 1
         end
+      when paren_re && scan(paren_re) then
+        self.string_nest += 1
       when expand && scan(/#(?=[\$\@\{])/) then # TODO: this seems wrong
         ss.pos -= 1
         break
@@ -1232,9 +1232,9 @@ class RubyLexer
             end
         x = Regexp.escape paren if paren && paren != "\000"
         re = if qwords then
-               /[^#{t}#{x}\#\0\\\s]+|./ # |. to pick up whatever
+               /[^#{t}#{x}\#\\\s]+|./ # |. to pick up whatever
              else
-               /[^#{t}#{x}\#\0\\]+|./
+               /[^#{t}#{x}\#\\]+|./
              end
 
         scan re

data/bundle/ruby/2.6.0/gems/{ruby_parser-3.14.0 → ruby_parser-3.14.1}/lib/ruby_parser_extras.rb

@@ -28,7 +28,7 @@ class Sexp
 end
 
 module RubyParserStuff
-  VERSION = "3.14.0"
+  VERSION = "3.14.1"
 
   attr_accessor :lexer, :in_def, :in_single, :file
   attr_accessor :in_kwarg
@@ -831,6 +831,8 @@ module RubyParserStuff
     (_, line), name, _, args, body, nil_body_line, * = val
     body ||= s(:nil).line nil_body_line
 
+    args.line line
+
     result = s(:defn, name.to_sym, args).line line
 
     if body then
@@ -1240,7 +1242,7 @@ module RubyParserStuff
       when :dstr
         str.sexp_type = :dxstr
       else
-        str = s(:dxstr, "", str)
+        str = s(:dxstr, "", str).line str.line
       end
       str
     else

data/lib/brakeman/checks/check_mass_assignment.rb

@@ -158,7 +158,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
 
   # Look for and warn about uses of Parameters#permit! for mass assignment
   def check_permit!
-    tracker.find_call(:method => :permit!).each do |result|
+    tracker.find_call(:method => :permit!, :nested => true).each do |result|
       if params? result[:call].target and not result[:chain].include? :slice
         warn_on_permit! result
       end

data/lib/brakeman/checks/check_sql.rb

@@ -71,32 +71,32 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   def find_scope_calls
     scope_calls = []
 
-    if version_between?("2.1.0", "3.0.9")
-      ar_scope_calls(:named_scope) do |model, args|
-        call = make_call(nil, :named_scope, args).line(args.line)
-        scope_calls << scope_call_hash(call, model, :named_scope)
-      end
-    elsif version_between?("3.1.0", "9.9.9")
-      ar_scope_calls(:scope) do |model, args|
-        second_arg = args[2]
-        next unless sexp? second_arg
-
-        if second_arg.node_type == :iter and node_type? second_arg.block, :block, :call, :safe_call
-          process_scope_with_block(model, args)
-        elsif call? second_arg
-          call = second_arg
-          scope_calls << scope_call_hash(call, model, call.method)
-        else
-          call = make_call(nil, :scope, args).line(args.line)
-          scope_calls << scope_call_hash(call, model, :scope)
-        end
+    # Used in pre-3.1.0 versions of Rails
+    ar_scope_calls(:named_scope) do |model, args|
+      call = make_call(nil, :named_scope, args).line(args.line)
+      scope_calls << scope_call_hash(call, model, :named_scope)
+    end
+
+    # Use in 3.1.0 and later
+    ar_scope_calls(:scope) do |model, args|
+      second_arg = args[2]
+      next unless sexp? second_arg
+
+      if second_arg.node_type == :iter and node_type? second_arg.block, :block, :call, :safe_call
+        process_scope_with_block(model, args)
+      elsif call? second_arg
+        call = second_arg
+        scope_calls << scope_call_hash(call, model, call.method)
+      else
+        call = make_call(nil, :scope, args).line(args.line)
+        scope_calls << scope_call_hash(call, model, :scope)
       end
     end
 
     scope_calls
   end
 
-  def ar_scope_calls(symbol_name = :named_scope, &block)
+  def ar_scope_calls(symbol_name, &block)
     active_record_models.each do |name, model|
       model_args = model.options[symbol_name]
       if model_args
@@ -393,6 +393,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     nil
   end
 
+  TO_STRING_METHODS = [:to_s, :strip_heredoc]
+
   #Returns value if interpolated value is not something safe
   def unsafe_string_interp? exp
     if node_type? exp, :evstr
@@ -403,7 +405,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
 
     if not sexp? value
       nil
-    elsif call? value and value.method == :to_s
+    elsif call? value and TO_STRING_METHODS.include? value.method
       unsafe_string_interp? value.target
     elsif call? value and safe_literal_target? value
       nil
@@ -466,7 +468,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       unless IGNORE_METHODS_IN_SQL.include? exp.method
         if has_immediate_user_input? exp
           exp
-        elsif exp.method == :to_s
+        elsif TO_STRING_METHODS.include? exp.method
           find_dangerous_value exp.target, ignore_hash
         else
           check_call exp

data/lib/brakeman/processor.rb

@@ -53,7 +53,7 @@ module Brakeman
     #Process a model source
     def process_model src, file_name
       result = ModelProcessor.new(@tracker).process_model src, file_name
-      AliasProcessor.new(@tracker).process result if result
+      AliasProcessor.new(@tracker, file_name).process result if result
     end
 
     #Process either an ERB or HAML template

data/lib/brakeman/util.rb

@@ -8,9 +8,11 @@ module Brakeman::Util
 
   PATH_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request), :path_parameters)
 
-  REQUEST_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request), :request_parameters)
+  REQUEST_REQUEST_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request), :request_parameters)
 
-  REQUEST_PARAMS = Sexp.new(:call, Sexp.new(:call, nil, :request), :parameters)
+  REQUEST_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request), :parameters)
+
+  REQUEST_PARAMS = Sexp.new(:call, Sexp.new(:call, nil, :request), :params)
 
   REQUEST_ENV = Sexp.new(:call, Sexp.new(:call, nil, :request), :env)
 
@@ -22,7 +24,7 @@ module Brakeman::Util
 
   SESSION = Sexp.new(:call, nil, :session)
 
-  ALL_PARAMETERS = Set[PARAMETERS, QUERY_PARAMETERS, PATH_PARAMETERS, REQUEST_PARAMETERS, REQUEST_PARAMS]
+  ALL_PARAMETERS = Set[PARAMETERS, QUERY_PARAMETERS, PATH_PARAMETERS, REQUEST_REQUEST_PARAMETERS, REQUEST_PARAMETERS, REQUEST_PARAMS]
 
   ALL_COOKIES = Set[COOKIES, REQUEST_COOKIES]
 

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "4.7.1"
+  Version = "4.7.2"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-  version: 4.7.1
+  version: 4.7.2
 platform: ruby
 authors:
 - Justin Collins
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-10-29 00:00:00.000000000 Z
+date: 2019-11-25 00:00:00.000000000 Z
 dependencies: []
 description: Brakeman detects security vulnerabilities in Ruby on Rails applications
   via static analysis.
@@ -136,35 +136,35 @@ files:
 - bundle/ruby/2.6.0/gems/ruby2ruby-2.4.4/Manifest.txt
 - bundle/ruby/2.6.0/gems/ruby2ruby-2.4.4/README.rdoc
 - bundle/ruby/2.6.0/gems/ruby2ruby-2.4.4/lib/ruby2ruby.rb
-- bundle/ruby/2.6.0/gems/ruby_parser-3.14.0/History.rdoc
-- bundle/ruby/2.6.0/gems/ruby_parser-3.14.0/Manifest.txt
-- bundle/ruby/2.6.0/gems/ruby_parser-3.14.0/README.rdoc
-- bundle/ruby/2.6.0/gems/ruby_parser-3.14.0/compare/normalize.rb
-- bundle/ruby/2.6.0/gems/ruby_parser-3.14.0/debugging.md
-- bundle/ruby/2.6.0/gems/ruby_parser-3.14.0/lib/rp_extensions.rb
-- bundle/ruby/2.6.0/gems/ruby_parser-3.14.0/lib/rp_stringscanner.rb
-- bundle/ruby/2.6.0/gems/ruby_parser-3.14.0/lib/ruby20_parser.rb
-- bundle/ruby/2.6.0/gems/ruby_parser-3.14.0/lib/ruby20_parser.y
-- bundle/ruby/2.6.0/gems/ruby_parser-3.14.0/lib/ruby21_parser.rb
-- bundle/ruby/2.6.0/gems/ruby_parser-3.14.0/lib/ruby21_parser.y
-- bundle/ruby/2.6.0/gems/ruby_parser-3.14.0/lib/ruby22_parser.rb
-- bundle/ruby/2.6.0/gems/ruby_parser-3.14.0/lib/ruby22_parser.y
-- bundle/ruby/2.6.0/gems/ruby_parser-3.14.0/lib/ruby23_parser.rb
-- bundle/ruby/2.6.0/gems/ruby_parser-3.14.0/lib/ruby23_parser.y
-- bundle/ruby/2.6.0/gems/ruby_parser-3.14.0/lib/ruby24_parser.rb
-- bundle/ruby/2.6.0/gems/ruby_parser-3.14.0/lib/ruby24_parser.y
-- bundle/ruby/2.6.0/gems/ruby_parser-3.14.0/lib/ruby25_parser.rb
-- bundle/ruby/2.6.0/gems/ruby_parser-3.14.0/lib/ruby25_parser.y
-- bundle/ruby/2.6.0/gems/ruby_parser-3.14.0/lib/ruby26_parser.rb
-- bundle/ruby/2.6.0/gems/ruby_parser-3.14.0/lib/ruby26_parser.y
-- bundle/ruby/2.6.0/gems/ruby_parser-3.14.0/lib/ruby_lexer.rb
-- bundle/ruby/2.6.0/gems/ruby_parser-3.14.0/lib/ruby_lexer.rex
-- bundle/ruby/2.6.0/gems/ruby_parser-3.14.0/lib/ruby_lexer.rex.rb
-- bundle/ruby/2.6.0/gems/ruby_parser-3.14.0/lib/ruby_parser.rb
-- bundle/ruby/2.6.0/gems/ruby_parser-3.14.0/lib/ruby_parser.yy
-- bundle/ruby/2.6.0/gems/ruby_parser-3.14.0/lib/ruby_parser_extras.rb
-- bundle/ruby/2.6.0/gems/ruby_parser-3.14.0/tools/munge.rb
-- bundle/ruby/2.6.0/gems/ruby_parser-3.14.0/tools/ripper.rb
+- bundle/ruby/2.6.0/gems/ruby_parser-3.14.1/History.rdoc
+- bundle/ruby/2.6.0/gems/ruby_parser-3.14.1/Manifest.txt
+- bundle/ruby/2.6.0/gems/ruby_parser-3.14.1/README.rdoc
+- bundle/ruby/2.6.0/gems/ruby_parser-3.14.1/compare/normalize.rb
+- bundle/ruby/2.6.0/gems/ruby_parser-3.14.1/debugging.md
+- bundle/ruby/2.6.0/gems/ruby_parser-3.14.1/lib/rp_extensions.rb
+- bundle/ruby/2.6.0/gems/ruby_parser-3.14.1/lib/rp_stringscanner.rb
+- bundle/ruby/2.6.0/gems/ruby_parser-3.14.1/lib/ruby20_parser.rb
+- bundle/ruby/2.6.0/gems/ruby_parser-3.14.1/lib/ruby20_parser.y
+- bundle/ruby/2.6.0/gems/ruby_parser-3.14.1/lib/ruby21_parser.rb
+- bundle/ruby/2.6.0/gems/ruby_parser-3.14.1/lib/ruby21_parser.y
+- bundle/ruby/2.6.0/gems/ruby_parser-3.14.1/lib/ruby22_parser.rb
+- bundle/ruby/2.6.0/gems/ruby_parser-3.14.1/lib/ruby22_parser.y
+- bundle/ruby/2.6.0/gems/ruby_parser-3.14.1/lib/ruby23_parser.rb
+- bundle/ruby/2.6.0/gems/ruby_parser-3.14.1/lib/ruby23_parser.y
+- bundle/ruby/2.6.0/gems/ruby_parser-3.14.1/lib/ruby24_parser.rb
+- bundle/ruby/2.6.0/gems/ruby_parser-3.14.1/lib/ruby24_parser.y
+- bundle/ruby/2.6.0/gems/ruby_parser-3.14.1/lib/ruby25_parser.rb
+- bundle/ruby/2.6.0/gems/ruby_parser-3.14.1/lib/ruby25_parser.y
+- bundle/ruby/2.6.0/gems/ruby_parser-3.14.1/lib/ruby26_parser.rb
+- bundle/ruby/2.6.0/gems/ruby_parser-3.14.1/lib/ruby26_parser.y
+- bundle/ruby/2.6.0/gems/ruby_parser-3.14.1/lib/ruby_lexer.rb
+- bundle/ruby/2.6.0/gems/ruby_parser-3.14.1/lib/ruby_lexer.rex
+- bundle/ruby/2.6.0/gems/ruby_parser-3.14.1/lib/ruby_lexer.rex.rb
+- bundle/ruby/2.6.0/gems/ruby_parser-3.14.1/lib/ruby_parser.rb
+- bundle/ruby/2.6.0/gems/ruby_parser-3.14.1/lib/ruby_parser.yy
+- bundle/ruby/2.6.0/gems/ruby_parser-3.14.1/lib/ruby_parser_extras.rb
+- bundle/ruby/2.6.0/gems/ruby_parser-3.14.1/tools/munge.rb
+- bundle/ruby/2.6.0/gems/ruby_parser-3.14.1/tools/ripper.rb
 - bundle/ruby/2.6.0/gems/ruby_parser-legacy-1.0.0/History.rdoc
 - bundle/ruby/2.6.0/gems/ruby_parser-legacy-1.0.0/Manifest.txt
 - bundle/ruby/2.6.0/gems/ruby_parser-legacy-1.0.0/README.rdoc
@@ -541,7 +541,14 @@ files:
 homepage: https://brakemanscanner.org
 licenses:
 - Brakeman Public Use License
-metadata: {}
+metadata:
+  bug_tracker_uri: https://github.com/presidentbeef/brakeman/issues
+  changelog_uri: https://github.com/presidentbeef/brakeman/releases
+  documentation_uri: https://brakemanscanner.org/docs/
+  homepage_uri: https://brakemanscanner.org/
+  mailing_list_uri: https://gitter.im/presidentbeef/brakeman
+  source_code_uri: https://github.com/presidentbeef/brakeman
+  wiki_uri: https://github.com/presidentbeef/brakeman/wiki
 post_install_message: 
 rdoc_options: []
 require_paths: