brakeman 4.8.2 → 4.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 31ceb768759fdfd53c78753d73ea57c6f35e655dd8ef88e9a34c75fa42f74c65
-  data.tar.gz: d68f7d634d8f2c4f62e1820760f09284ecbfbf44fed9d24e223743c3cc3fd773
+  metadata.gz: 2c34a5dde886bb8433eaf2b407a3be4a53cf7cde9c6c439a1438b25caf359096
+  data.tar.gz: 46689fbf4debd45a041ac0eaff08b06bee7f03c90707332a0ee145ba18884328
 SHA512:
-  metadata.gz: 96c55e31c70b374516e6a54e080548b3138c475e5b9e1752095b8536f72b8ab14e18984417fc7e928d3daaacbfbc9ae230fb093c67e5b42fb66cb14d7c920880
-  data.tar.gz: 1f83b5051e1bfc1af48a64d92c67719219fe92adcadcc7aed04113682a9f2d463f0bb9aface369baf691114aeb631662c07218365c67bd06dc0414db588e0c8d
+  metadata.gz: 5efc78c8ae5aa23e9557fd60e97799119d0a124ba70c5f7fb8dea801e4273071cad44aebc8bd8b019cb01790f17dcdc737998d52835332ac705898582084eb3e
+  data.tar.gz: 1c503845173d3f1b199f60451f7a7ce3f0844689097cfbd650cca058934cbbfd6cc8de0f292de5f562359dcc845acaa070d0b6aad626faf5bed28405c82b8622

data/CHANGES.md

@@ -1,3 +1,16 @@
+# 4.9.0 - 2020-08-04
+
+* Add check for CVE-2020-8166 (Jamie Finnigan)
+* Avoid warning when `safe_yaml` is used via `YAML.load(..., safe: true)`
+* Add check for user input in `ERB.new` (Matt Hickman)
+* Add `--ensure-ignore-notes` (Eli Block)
+* Remove whitelist/blacklist language, add clarifications
+* Do not warn about mass assignment with `params.permit!.slice`
+* Add "full call" information to call index results
+* Ignore `params.permit!` in path helpers
+* Treat `Dir.glob` as safe source of values in guards
+* Always scan `environment.rb`
+
 # 4.8.2 - 2020-05-12
 
 * Add check for CVE-2020-8159

data/bundle/load.rb

@@ -1,8 +1,8 @@
 path = File.expand_path('../..', __FILE__)
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/temple-0.8.2/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/unicode-display_width-1.7.0/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/slim-4.0.1/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/tilt-2.0.10/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/slim-4.1.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/highline-2.0.3/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby_parser-3.14.2/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby2ruby-2.4.4/lib"
@@ -10,5 +10,5 @@ $:.unshift "#{path}/bundle/ruby/2.7.0/gems/terminal-table-1.8.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/haml-5.1.2/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby_parser-legacy-1.0.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/erubis-2.7.0/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/sexp_processor-4.14.1/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/sexp_processor-4.15.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/safe_yaml-1.0.5/lib"

data/bundle/ruby/2.7.0/gems/{sexp_processor-4.14.1 → sexp_processor-4.15.0}/History.rdoc

@@ -1,3 +1,9 @@
+=== 4.15.0 / 2020-06-09
+
+* 1 minor enhancement:
+
+  * Added `child` and `include` to Sexp::Matcher.parse language.
+
 === 4.14.1 / 2020-02-09
 
 * 2 bug fixes:

data/bundle/ruby/2.7.0/gems/{sexp_processor-4.14.1 → sexp_processor-4.15.0}/lib/sexp_matcher.rb

@@ -455,7 +455,7 @@ class Sexp #:nodoc:
       #        | NAME:name                   => name.to_sym
       # UP_NAME: /[A-Z]\w*/
       #   NAME : /:?[\w?!=~-]+/
-      #    CMD : "t" | "k" | "m" | "atom" | "not?" | "-" | "any"
+      #    CMD : t | k | m | atom | not? | - | any | child | include
 
       def parse_sexp
         token = next_token
@@ -505,7 +505,7 @@ class Sexp #:nodoc:
       ##
       # A collection of allowed commands to convert into matchers.
 
-      ALLOWED = [:t, :m, :k, :atom, :not?, :-, :any].freeze
+      ALLOWED = [:t, :m, :k, :atom, :not?, :-, :any, :child, :include].freeze
 
       ##
       # Parses a balanced command. A command is denoted by square
@@ -760,11 +760,8 @@ class Sexp #:nodoc:
     # +child+.
 
     def satisfy? o
-      if child.satisfy? o
-        true
-      elsif o.kind_of? Sexp
-        o.search_each(child).any?
-      end
+      child.satisfy?(o) ||
+        (o.kind_of?(Sexp) && o.search_each(child).any?)
     end
 
     def == o # :nodoc:

data/bundle/ruby/2.7.0/gems/{sexp_processor-4.14.1 → sexp_processor-4.15.0}/lib/sexp_processor.rb

@@ -34,7 +34,7 @@ require "sexp"
 class SexpProcessor
 
   # duh
-  VERSION = "4.14.1"
+  VERSION = "4.15.0"
 
   ##
   # Automatically shifts off the Sexp type before handing the

data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/CHANGES

@@ -1,3 +1,7 @@
+4.1.0 (2020-05-07)
+  * Add support for Tailwind CSS - #841
+  * Update dependencies and testing
+  
 4.0.1 (2018-09-02)
 
   * Fix incompatibility issue with Slim Include plugin and new ability to specifiy attributes for embedded engines #819

data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/Gemfile

@@ -7,6 +7,12 @@ group :test do
   gem 'rack-test'
 end
 
+group :perf do
+  gem 'benchmark-ips'
+  gem 'erubis'
+  gem 'haml'
+end
+
 if ENV['TRAVIS']
   gem 'rails-controller-testing'
 end
@@ -30,19 +36,12 @@ if ENV['RAILS']
   else
     gem 'rails', "= #{ENV['RAILS']}"
   end
-end
 
-#Choose minitest 4.7.x for sinatra < 1.4.6 or rails 3 and 4.0 otherwise go for newer version
-if (ENV['SINATRA'] && ENV['SINATRA'] < '1.4.6') || (ENV['RAILS'] && ENV['RAILS'].match(/^(3|4\.0)/))
-  gem 'minitest', '~> 4.7.4'
-else
-  gem 'minitest', '~> 5.1'
+  gem 'slim-rails', require: false
 end
 
-#Ruby >= 2.2.0 has removed test/unit from Stdlib
-if RUBY_VERSION >= '2.2.0'
-  gem 'test-unit', platforms: :mri
-end
+gem 'test-unit', '~> 3.3', '>= 3.3.5'
+gem 'minitest', '~> 5.14'
 
 if RUBY_ENGINE == 'rbx' && !ENV['TRAVIS']
   gem 'psych'
@@ -56,9 +55,9 @@ if ENV['SINATRA']
   end
 end
 
-gem 'rake', '>= 0.8.7'
-gem 'sass', '>= 3.1.0'
-gem 'kramdown'
+gem 'rake', '~> 13.0', '>= 13.0.1'
+gem 'sassc', '~> 2.2', '>= 2.2.1'
+gem 'kramdown', '~> 2.1'
 
 if ENV['TASK'] == 'bench'
   gem 'benchmark-ips'

data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/lib/slim/command.rb

@@ -110,19 +110,19 @@ module Slim
           Template.new(@options[:file]) { @options[:input].read }.render(nil, locals)
         end
 
-      rescue Exception => ex
-        raise ex if @options[:trace] || SystemExit === ex
-        $stderr.print "#{ex.class}: " if ex.class != RuntimeError
-        $stderr.puts ex.message
-        $stderr.puts '  Use --trace for backtrace.'
-        exit 1
-      else
-        unless @options[:output]
-          file = args.shift
-          @options[:output] = file ? File.open(file, 'w') : $stdout
-        end
-        @options[:output].puts(result)
-        exit 0
+    rescue Exception => ex
+      raise ex if @options[:trace] || SystemExit === ex
+      $stderr.print "#{ex.class}: " if ex.class != RuntimeError
+      $stderr.puts ex.message
+      $stderr.puts '  Use --trace for backtrace.'
+      exit 1
+    else
+      unless @options[:output]
+        file = args.shift
+        @options[:output] = file ? File.open(file, 'w') : $stdout
+      end
+      @options[:output].puts(result)
+      exit 0
     end
   end
 end

data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/lib/slim/parser.rb

@@ -70,7 +70,7 @@ module Slim
         end
       end
       keys = Regexp.union @attr_shortcut.keys.sort_by {|k| -k.size }
-      @attr_shortcut_re = /\A(#{keys}+)((?:\p{Word}|-)*)/
+      @attr_shortcut_re = /\A(#{keys}+)((?:\p{Word}|-|\/\d+|:(\w|-)+)*)/
       keys = Regexp.union @tag_shortcut.keys.sort_by {|k| -k.size }
       @tag_re = /\A(?:#{keys}|\*(?=[^\s]+)|(\p{Word}(?:\p{Word}|:|-)*\p{Word}|\p{Word}+))/
       keys = Regexp.escape @code_attr_delims.keys.join

data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/lib/slim/version.rb

@@ -1,5 +1,5 @@
 module Slim
   # Slim version string
   # @api public
-  VERSION = '4.0.1'
+  VERSION = '4.1.0'
 end

data/lib/brakeman.rb

@@ -20,6 +20,10 @@ module Brakeman
   #option is set
   Errors_Found_Exit_Code = 7
 
+  #Exit code returned when an ignored warning has no note and
+  #--ensure-ignore-notes is set
+  Empty_Ignore_Note_Exit_Code = 8
+
   @debug = false
   @quiet = false
   @loaded_dependencies = []
@@ -498,6 +502,18 @@ module Brakeman
     end
   end
 
+  # Returns an array of alert fingerprints for any ignored warnings without
+  # notes found in the specified ignore file (if it exists).
+  def self.ignore_file_entries_with_empty_notes file
+    return [] unless file
+
+    require 'brakeman/report/ignore/config'
+
+    config = IgnoreConfig.new(file, nil)
+    config.read_from_file
+    config.already_ignored_entries_with_empty_notes.map { |i| i[:fingerprint] }
+  end
+
   def self.filter_warnings tracker, options
     require 'brakeman/report/ignore/config'
 

data/lib/brakeman/checks/check_csrf_token_forgery_cve.rb

@@ -0,0 +1,28 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckCSRFTokenForgeryCVE < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for versions with CSRF token forgery vulnerability (CVE-2020-8166)"
+
+  def run_check
+    fix_version = case
+      when version_between?('0.0.0', '5.2.4.2')
+        '5.2.4.3'
+      when version_between?('6.0.0', '6.0.3')
+        '6.0.3.1'
+      else
+        nil
+      end
+
+    if fix_version
+      warn :warning_type => "Cross-Site Request Forgery",
+        :warning_code => :CVE_2020_8166,
+        :message => msg(msg_version(rails_version), " has a vulnerability that may allow CSRF token forgery. Upgrade to ", msg_version(fix_version), " or patch"),
+        :confidence => :medium,
+        :gem_info => gemfile_or_environment,
+        :link => "https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw"
+    end
+  end
+end
+

data/lib/brakeman/checks/check_deserialize.rb

@@ -13,7 +13,23 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
   end
 
   def check_yaml
-    check_methods :YAML, :load, :load_documents, :load_stream, :parse_documents, :parse_stream
+    check_methods :YAML, :load_documents, :load_stream, :parse_documents, :parse_stream
+
+    # Check for safe_yaml gem use with YAML.load(..., safe: true)
+    if uses_safe_yaml?
+      tracker.find_call(target: :YAML, method: :load).each do |result|
+        call = result[:call]
+        options = call.second_arg
+
+        if hash? options and true? hash_access(options, :safe)
+          next
+        else
+          check_deserialize result, :YAML
+        end
+      end
+    else
+      check_methods :YAML, :load
+    end
   end
 
   def check_csv
@@ -102,4 +118,8 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
 
     false
   end
+
+  def uses_safe_yaml?
+    tracker.config.has_gem? :safe_yaml
+  end
 end

data/lib/brakeman/checks/check_mass_assignment.rb

@@ -160,12 +160,27 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
   # Look for and warn about uses of Parameters#permit! for mass assignment
   def check_permit!
     tracker.find_call(:method => :permit!, :nested => true).each do |result|
-      if params? result[:call].target and not result[:chain].include? :slice
-        warn_on_permit! result
+      if params? result[:call].target
+        unless inside_safe_method? result or calls_slice? result
+          warn_on_permit! result
+        end
       end
     end
   end
 
+  # Ignore blah_some_path(params.permit!)
+  def inside_safe_method? result
+    parent_call = result.dig(:parent, :call)
+
+    call? parent_call and
+      parent_call.method.match(/_path$/)
+  end
+
+  def calls_slice? result
+    result[:chain].include? :slice or
+      (result[:full_call] and result[:full_call][:chain].include? :slice)
+  end
+
   # Look for actual use of params in mass assignment to avoid
   # warning about uses of Parameters#permit! without any mass assignment
   # or when mass assignment is restricted by model instead.
@@ -191,7 +206,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
     warn :result => result,
       :warning_type => "Mass Assignment",
       :warning_code => :mass_assign_permit!,
-      :message => "Parameters should be whitelisted for mass assignment",
+      :message => msg('Specify exact keys allowed for mass assignment instead of using ', msg_code('permit!'), ' which allows any keys'),
       :confidence => confidence
   end
 
@@ -203,7 +218,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
         warn :result => result,
           :warning_type => "Mass Assignment",
           :warning_code => :mass_assign_permit_all,
-          :message => "Parameters should be whitelisted for mass assignment",
+          :message => msg('Mass assignment is globally enabled. Disable and specify exact keys using ', msg_code('params.permit'), ' instead'),
           :confidence => :high
       end
     end

data/lib/brakeman/checks/check_model_attr_accessible.rb

@@ -8,7 +8,7 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
-  @description = "Reports models which have dangerous attributes defined under the attr_accessible whitelist."
+  @description = "Reports models which have dangerous attributes defined via attr_accessible"
 
   SUSP_ATTRS = [
     [:admin, :high], # Very dangerous unless some Rails authorization used

data/lib/brakeman/checks/check_permit_attributes.rb

@@ -3,7 +3,7 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckPermitAttributes < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
-  @description = "Warn on potentially dangerous attributes whitelisted via permit"
+  @description = "Warn on potentially dangerous attributes allowed via permit"
 
   SUSPICIOUS_KEYS = {
     admin: :high,

data/lib/brakeman/checks/check_skip_before_filter.rb

@@ -4,8 +4,8 @@ require 'brakeman/checks/base_check'
 #
 #  skip_before_filter :verify_authenticity_token, :except => [...]
 #
-#which is essentially a blacklist approach (no actions are checked EXCEPT the
-#ones listed) versus a whitelist approach (ONLY the actions listed will skip
+#which is essentially a skip-by-default approach (no actions are checked EXCEPT the
+#ones listed) versus a enforce-by-default approach (ONLY the actions listed will skip
 #the check)
 class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
   Brakeman::Checks.add self
@@ -26,7 +26,7 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
       warn :class => controller.name, #ugh this should be a controller warning, too
         :warning_type => "Cross-Site Request Forgery",
         :warning_code => :csrf_blacklist,
-        :message => msg("Use whitelist (", msg_code(":only => [..]"), ") when skipping CSRF check"),
+        :message => msg("List specific actions (", msg_code(":only => [..]"), ") when skipping CSRF check"),
         :code => filter,
         :confidence => :medium,
         :file => controller.file
@@ -35,7 +35,7 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
       warn :controller => controller.name,
         :warning_code => :auth_blacklist,
         :warning_type => "Authentication",
-        :message => msg("Use whitelist (", msg_code(":only => [..]"), ") when skipping authentication"),
+        :message => msg("List specific actions (", msg_code(":only => [..]"), ") when skipping authentication"),
         :code => filter,
         :confidence => :medium,
         :link_path => "authentication_whitelist",

data/lib/brakeman/checks/check_template_injection.rb

@@ -0,0 +1,32 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckTemplateInjection < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Searches for evaluation of user input through template injection"
+
+  #Process calls
+  def run_check
+    Brakeman.debug "Finding ERB.new calls"
+    erb_calls = tracker.find_call :target => :ERB, :method => :new, :nested => true
+
+    Brakeman.debug "Processing ERB.new calls"
+    erb_calls.each do |call|
+      process_result call
+    end
+  end
+
+  #Warns if eval includes user input
+  def process_result result
+    return unless original? result
+
+    if input = include_user_input?(result[:call].arglist)
+      warn :result => result,
+        :warning_type => "Template Injection",
+        :warning_code => :erb_template_injection,
+        :message => msg(msg_input(input), " used directly in ", msg_code("ERB"), " template, which might enable remote code execution"),
+        :user_input => input,
+        :confidence => :high
+    end
+  end
+end

data/lib/brakeman/commandline.rb

@@ -102,6 +102,13 @@ module Brakeman
           app_path = "."
         end
 
+        if options[:ensure_ignore_notes] and options[:previous_results_json]
+          warn '[Notice] --ensure-ignore-notes may not be used at the same ' \
+               'time as --compare. Deactivating --ensure-ignore-notes. ' \
+               'Please see `brakeman --help` for valid options'
+          options[:ensure_ignore_notes] = false
+        end
+
         return options, app_path
       end
 
@@ -115,7 +122,20 @@ module Brakeman
 
       # Runs a regular report based on the options provided.
       def regular_report options
-        tracker = run_brakeman options 
+        tracker = run_brakeman options
+
+        ensure_ignore_notes_failed = false
+        if tracker.options[:ensure_ignore_notes]
+          fingerprints = Brakeman::ignore_file_entries_with_empty_notes tracker.ignored_filter&.file
+
+          unless fingerprints.empty?
+            ensure_ignore_notes_failed = true
+            warn '[Error] Notes required for all ignored warnings when ' \
+              '--ensure-ignore-notes is set. No notes provided for these ' \
+              'warnings: '
+            fingerprints.each { |f| warn f }
+          end
+        end
 
         if tracker.options[:exit_on_warn] and not tracker.filtered_warnings.empty?
           quit Brakeman::Warnings_Found_Exit_Code
@@ -124,6 +144,10 @@ module Brakeman
         if tracker.options[:exit_on_error] and tracker.errors.any?
           quit Brakeman::Errors_Found_Exit_Code
         end
+
+        if ensure_ignore_notes_failed
+          quit Brakeman::Empty_Ignore_Note_Exit_Code
+        end
       end
 
       # Actually run Brakeman.

data/lib/brakeman/options.rb

@@ -67,6 +67,10 @@ module Brakeman::Options
           options[:ensure_latest] = true
         end
 
+        opts.on "--ensure-ignore-notes", "Fail when an ignored warnings does not include a note" do
+          options[:ensure_ignore_notes] = true
+        end
+
         opts.on "-3", "--rails3", "Force Rails 3 mode" do
           options[:rails3] = true
         end

data/lib/brakeman/processors/alias_processor.rb

@@ -82,7 +82,6 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   def replace exp, int = 0
     return exp if int > 3
 
-
     if replacement = env[exp] and not duplicate? replacement
       replace(replacement.deep_clone(exp.line), int + 1)
     elsif tracker and replacement = tracker.constant_lookup(exp) and not duplicate? replacement
@@ -731,14 +730,14 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   def array_include_all_literals? exp
     call? exp and
     exp.method == :include? and
-    all_literals? exp.target
+    (all_literals? exp.target or dir_glob? exp.target)
   end
 
   def array_detect_all_literals? exp
     call? exp and
     [:detect, :find].include? exp.method and
     exp.first_arg.nil? and
-    all_literals? exp.target
+    (all_literals? exp.target or dir_glob? exp.target)
   end
 
   #Sets @inside_if = true

data/lib/brakeman/processors/lib/find_all_calls.rb

@@ -20,6 +20,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
     @current_template = opts[:template]
     @current_file = opts[:file]
     @current_call = nil
+    @full_call = nil
     process exp
   end
 
@@ -137,7 +138,8 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
                 :call => exp,
                 :nested => false,
                 :location => make_location,
-                :parent => @current_call }.freeze
+                :parent => @current_call,
+                :full_call => @full_call }.freeze
   end
 
   #Gets the target of a call as a Symbol
@@ -214,34 +216,47 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
   #Return info hash for a call Sexp
   def create_call_hash exp
     target = get_target exp.target
-
-    if call? target or node_type? target, :dxstr # need to index `` even if target of a call
-      already_in_target = @in_target
-      @in_target = true
-      process target
-      @in_target = already_in_target
-
-      target = get_target(target, :include_calls)
-    end
+    target_symbol = get_target(target, :include_calls)
 
     method = exp.method
 
     call_hash = {
-      :target => target,
+      :target => target_symbol,
       :method => method,
       :call => exp,
       :nested => @in_target,
       :chain => get_chain(exp),
       :location => make_location,
-      :parent => @current_call
+      :parent => @current_call,
+      :full_call => @full_call
     }
 
+    unless @in_target
+      @full_call = call_hash
+    end
+
+    # Process up the call chain
+    if call? target or node_type? target, :dxstr # need to index `` even if target of a call
+      already_in_target = @in_target
+      @in_target = true
+      process target
+      @in_target = already_in_target
+    end
+
+    # Process call arguments
+    # but add the current call as the 'parent'
+    # to any calls in the arguments
     old_parent = @current_call
     @current_call = call_hash
 
+    # Do not set @full_call when processing arguments
+    old_full_call = @full_call
+    @full_call = nil
+
     process_call_args exp
 
     @current_call = old_parent
+    @full_call = old_full_call
 
     call_hash
   end

data/lib/brakeman/report/ignore/config.rb

@@ -94,6 +94,10 @@ module Brakeman
       end
     end
 
+    def already_ignored_entries_with_empty_notes
+      @already_ignored.select { |i| i if i[:note].strip.empty? }
+    end
+
     # Read configuration to file
     def read_from_file file = @file
       if File.exist? file

data/lib/brakeman/scanner.rb

@@ -94,11 +94,14 @@ class Brakeman::Scanner
   #
   #Stores parsed information in tracker.config
   def process_config
+    # Sometimes folks like to put constants in environment.rb
+    # so let's always process it even for newer Rails versions
+    process_config_file "environment.rb"
+
     if options[:rails3] or options[:rails4] or options[:rails5] or options[:rails6]
       process_config_file "application.rb"
       process_config_file "environments/production.rb"
     else
-      process_config_file "environment.rb"
       process_config_file "gems.rb"
     end
 

data/lib/brakeman/tracker.rb

@@ -198,8 +198,10 @@ class Brakeman::Tracker
     @constants.add name, value, context unless @options[:disable_constant_tracking]
   end
 
+  # This method does not return all constants at this time,
+  # just ones with "simple" values.
   def constant_lookup name
-    @constants.get_literal name unless @options[:disable_constant_tracking]
+    @constants.get_simple_value name unless @options[:disable_constant_tracking]
   end
 
   def find_class name

data/lib/brakeman/tracker/constants.rb

@@ -1,7 +1,10 @@
 require 'brakeman/processors/output_processor'
+require 'brakeman/util'
 
 module Brakeman
   class Constant
+    include Brakeman::Util
+
     attr_reader :name, :name_array, :file, :value, :context
 
     def initialize name, value, context = {}
@@ -107,13 +110,11 @@ module Brakeman
       @constants[base_name] << Constant.new(name, value, context)
     end
 
-    LITERALS = [:lit, :false, :str, :true, :array, :hash]
-    def literal? exp
-      exp.is_a? Sexp and LITERALS.include? exp.node_type
-    end
-
-    def get_literal name
-      if x = self[name] and literal? x
+    # Returns constant values that are not too complicated.
+    # Right now that means literal values (string, array, etc.)
+    # or calls on Dir.glob(..).whatever.
+    def get_simple_value name
+      if x = self[name] and (literal? x or dir_glob? x)
         x
       else
         nil

data/lib/brakeman/util.rb

@@ -293,6 +293,22 @@ module Brakeman::Util
     exp.is_a? Sexp and types.include? exp.node_type
   end
 
+  LITERALS = [:lit, :false, :str, :true, :array, :hash]
+
+  def literal? exp
+    exp.is_a? Sexp and LITERALS.include? exp.node_type
+  end
+
+  DIR_CONST = s(:const, :Dir)
+
+  # Dir.glob(...).whatever
+  def dir_glob? exp
+    exp = exp.block_call if node_type? exp, :iter
+    return unless call? exp
+
+    (exp.target == DIR_CONST and exp.method == :glob) or dir_glob? exp.target
+  end
+
   #Returns true if the given _exp_ contains a :class node.
   #
   #Useful for checking if a module is just a module or if it is a namespace.

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "4.8.2"
+  Version = "4.9.0"
 end

data/lib/brakeman/warning_codes.rb

@@ -117,6 +117,8 @@ module Brakeman::WarningCodes
     :json_html_escape_config => 113,
     :json_html_escape_module => 114,
     :CVE_2020_8159 => 115,
+    :CVE_2020_8166 => 116,
+    :erb_template_injection => 117,
 
     :custom_check => 9090,
   }

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-  version: 4.8.2
+  version: 4.9.0
 platform: ruby
 authors:
 - Justin Collins
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-05-12 00:00:00.000000000 Z
+date: 2020-08-04 00:00:00.000000000 Z
 dependencies: []
 description: Brakeman detects security vulnerabilities in Ruby on Rails applications
   via static analysis.
@@ -209,48 +209,48 @@ files:
 - bundle/ruby/2.7.0/gems/safe_yaml-1.0.5/lib/safe_yaml/version.rb
 - bundle/ruby/2.7.0/gems/safe_yaml-1.0.5/run_specs_all_ruby_versions.sh
 - bundle/ruby/2.7.0/gems/safe_yaml-1.0.5/safe_yaml.gemspec
-- bundle/ruby/2.7.0/gems/sexp_processor-4.14.1/History.rdoc
-- bundle/ruby/2.7.0/gems/sexp_processor-4.14.1/Manifest.txt
-- bundle/ruby/2.7.0/gems/sexp_processor-4.14.1/README.rdoc
-- bundle/ruby/2.7.0/gems/sexp_processor-4.14.1/lib/composite_sexp_processor.rb
-- bundle/ruby/2.7.0/gems/sexp_processor-4.14.1/lib/pt_testcase.rb
-- bundle/ruby/2.7.0/gems/sexp_processor-4.14.1/lib/sexp.rb
-- bundle/ruby/2.7.0/gems/sexp_processor-4.14.1/lib/sexp_matcher.rb
-- bundle/ruby/2.7.0/gems/sexp_processor-4.14.1/lib/sexp_processor.rb
-- bundle/ruby/2.7.0/gems/sexp_processor-4.14.1/lib/strict_sexp.rb
-- bundle/ruby/2.7.0/gems/sexp_processor-4.14.1/lib/unique.rb
-- bundle/ruby/2.7.0/gems/slim-4.0.1/CHANGES
-- bundle/ruby/2.7.0/gems/slim-4.0.1/Gemfile
-- bundle/ruby/2.7.0/gems/slim-4.0.1/LICENSE
-- bundle/ruby/2.7.0/gems/slim-4.0.1/README.jp.md
-- bundle/ruby/2.7.0/gems/slim-4.0.1/README.md
-- bundle/ruby/2.7.0/gems/slim-4.0.1/lib/slim.rb
-- bundle/ruby/2.7.0/gems/slim-4.0.1/lib/slim/code_attributes.rb
-- bundle/ruby/2.7.0/gems/slim-4.0.1/lib/slim/command.rb
-- bundle/ruby/2.7.0/gems/slim-4.0.1/lib/slim/controls.rb
-- bundle/ruby/2.7.0/gems/slim-4.0.1/lib/slim/do_inserter.rb
-- bundle/ruby/2.7.0/gems/slim-4.0.1/lib/slim/embedded.rb
-- bundle/ruby/2.7.0/gems/slim-4.0.1/lib/slim/end_inserter.rb
-- bundle/ruby/2.7.0/gems/slim-4.0.1/lib/slim/engine.rb
-- bundle/ruby/2.7.0/gems/slim-4.0.1/lib/slim/erb_converter.rb
-- bundle/ruby/2.7.0/gems/slim-4.0.1/lib/slim/filter.rb
-- bundle/ruby/2.7.0/gems/slim-4.0.1/lib/slim/grammar.rb
-- bundle/ruby/2.7.0/gems/slim-4.0.1/lib/slim/include.rb
-- bundle/ruby/2.7.0/gems/slim-4.0.1/lib/slim/interpolation.rb
-- bundle/ruby/2.7.0/gems/slim-4.0.1/lib/slim/logic_less.rb
-- bundle/ruby/2.7.0/gems/slim-4.0.1/lib/slim/logic_less/context.rb
-- bundle/ruby/2.7.0/gems/slim-4.0.1/lib/slim/logic_less/filter.rb
-- bundle/ruby/2.7.0/gems/slim-4.0.1/lib/slim/parser.rb
-- bundle/ruby/2.7.0/gems/slim-4.0.1/lib/slim/smart.rb
-- bundle/ruby/2.7.0/gems/slim-4.0.1/lib/slim/smart/escaper.rb
-- bundle/ruby/2.7.0/gems/slim-4.0.1/lib/slim/smart/filter.rb
-- bundle/ruby/2.7.0/gems/slim-4.0.1/lib/slim/smart/parser.rb
-- bundle/ruby/2.7.0/gems/slim-4.0.1/lib/slim/splat/builder.rb
-- bundle/ruby/2.7.0/gems/slim-4.0.1/lib/slim/splat/filter.rb
-- bundle/ruby/2.7.0/gems/slim-4.0.1/lib/slim/template.rb
-- bundle/ruby/2.7.0/gems/slim-4.0.1/lib/slim/translator.rb
-- bundle/ruby/2.7.0/gems/slim-4.0.1/lib/slim/version.rb
-- bundle/ruby/2.7.0/gems/slim-4.0.1/slim.gemspec
+- bundle/ruby/2.7.0/gems/sexp_processor-4.15.0/History.rdoc
+- bundle/ruby/2.7.0/gems/sexp_processor-4.15.0/Manifest.txt
+- bundle/ruby/2.7.0/gems/sexp_processor-4.15.0/README.rdoc
+- bundle/ruby/2.7.0/gems/sexp_processor-4.15.0/lib/composite_sexp_processor.rb
+- bundle/ruby/2.7.0/gems/sexp_processor-4.15.0/lib/pt_testcase.rb
+- bundle/ruby/2.7.0/gems/sexp_processor-4.15.0/lib/sexp.rb
+- bundle/ruby/2.7.0/gems/sexp_processor-4.15.0/lib/sexp_matcher.rb
+- bundle/ruby/2.7.0/gems/sexp_processor-4.15.0/lib/sexp_processor.rb
+- bundle/ruby/2.7.0/gems/sexp_processor-4.15.0/lib/strict_sexp.rb
+- bundle/ruby/2.7.0/gems/sexp_processor-4.15.0/lib/unique.rb
+- bundle/ruby/2.7.0/gems/slim-4.1.0/CHANGES
+- bundle/ruby/2.7.0/gems/slim-4.1.0/Gemfile
+- bundle/ruby/2.7.0/gems/slim-4.1.0/LICENSE
+- bundle/ruby/2.7.0/gems/slim-4.1.0/README.jp.md
+- bundle/ruby/2.7.0/gems/slim-4.1.0/README.md
+- bundle/ruby/2.7.0/gems/slim-4.1.0/lib/slim.rb
+- bundle/ruby/2.7.0/gems/slim-4.1.0/lib/slim/code_attributes.rb
+- bundle/ruby/2.7.0/gems/slim-4.1.0/lib/slim/command.rb
+- bundle/ruby/2.7.0/gems/slim-4.1.0/lib/slim/controls.rb
+- bundle/ruby/2.7.0/gems/slim-4.1.0/lib/slim/do_inserter.rb
+- bundle/ruby/2.7.0/gems/slim-4.1.0/lib/slim/embedded.rb
+- bundle/ruby/2.7.0/gems/slim-4.1.0/lib/slim/end_inserter.rb
+- bundle/ruby/2.7.0/gems/slim-4.1.0/lib/slim/engine.rb
+- bundle/ruby/2.7.0/gems/slim-4.1.0/lib/slim/erb_converter.rb
+- bundle/ruby/2.7.0/gems/slim-4.1.0/lib/slim/filter.rb
+- bundle/ruby/2.7.0/gems/slim-4.1.0/lib/slim/grammar.rb
+- bundle/ruby/2.7.0/gems/slim-4.1.0/lib/slim/include.rb
+- bundle/ruby/2.7.0/gems/slim-4.1.0/lib/slim/interpolation.rb
+- bundle/ruby/2.7.0/gems/slim-4.1.0/lib/slim/logic_less.rb
+- bundle/ruby/2.7.0/gems/slim-4.1.0/lib/slim/logic_less/context.rb
+- bundle/ruby/2.7.0/gems/slim-4.1.0/lib/slim/logic_less/filter.rb
+- bundle/ruby/2.7.0/gems/slim-4.1.0/lib/slim/parser.rb
+- bundle/ruby/2.7.0/gems/slim-4.1.0/lib/slim/smart.rb
+- bundle/ruby/2.7.0/gems/slim-4.1.0/lib/slim/smart/escaper.rb
+- bundle/ruby/2.7.0/gems/slim-4.1.0/lib/slim/smart/filter.rb
+- bundle/ruby/2.7.0/gems/slim-4.1.0/lib/slim/smart/parser.rb
+- bundle/ruby/2.7.0/gems/slim-4.1.0/lib/slim/splat/builder.rb
+- bundle/ruby/2.7.0/gems/slim-4.1.0/lib/slim/splat/filter.rb
+- bundle/ruby/2.7.0/gems/slim-4.1.0/lib/slim/template.rb
+- bundle/ruby/2.7.0/gems/slim-4.1.0/lib/slim/translator.rb
+- bundle/ruby/2.7.0/gems/slim-4.1.0/lib/slim/version.rb
+- bundle/ruby/2.7.0/gems/slim-4.1.0/slim.gemspec
 - bundle/ruby/2.7.0/gems/temple-0.8.2/CHANGES
 - bundle/ruby/2.7.0/gems/temple-0.8.2/EXPRESSIONS.md
 - bundle/ruby/2.7.0/gems/temple-0.8.2/Gemfile
@@ -381,6 +381,7 @@ files:
 - lib/brakeman/checks/check_cookie_serialization.rb
 - lib/brakeman/checks/check_create_with.rb
 - lib/brakeman/checks/check_cross_site_scripting.rb
+- lib/brakeman/checks/check_csrf_token_forgery_cve.rb
 - lib/brakeman/checks/check_default_routes.rb
 - lib/brakeman/checks/check_deserialize.rb
 - lib/brakeman/checks/check_detailed_exceptions.rb
@@ -442,6 +443,7 @@ files:
 - lib/brakeman/checks/check_strip_tags.rb
 - lib/brakeman/checks/check_symbol_dos.rb
 - lib/brakeman/checks/check_symbol_dos_cve.rb
+- lib/brakeman/checks/check_template_injection.rb
 - lib/brakeman/checks/check_translate_bug.rb
 - lib/brakeman/checks/check_unsafe_reflection.rb
 - lib/brakeman/checks/check_unscoped_find.rb