Module: Brakeman

Defined in:

lib/brakeman.rb,
lib/brakeman/logger.rb,
lib/brakeman/version.rb,
lib/brakeman/app_tree.rb,
lib/brakeman/messages.rb,
lib/brakeman/file_path.rb,
lib/brakeman/processor.rb,
lib/brakeman/commandline.rb,
lib/brakeman/file_parser.rb,
lib/brakeman/report/pager.rb,
lib/brakeman/tracker/model.rb,
lib/brakeman/tracker/config.rb,
lib/brakeman/tracker/library.rb,
lib/brakeman/tracker/template.rb,
lib/brakeman/tracker/constants.rb,
lib/brakeman/tracker/collection.rb,
lib/brakeman/tracker/controller.rb,
lib/brakeman/tracker/file_cache.rb,
lib/brakeman/parsers/rails_erubi.rb,
lib/brakeman/tracker/method_info.rb,
lib/brakeman/report/ignore/config.rb,
lib/brakeman/parsers/haml_embedded.rb,
lib/brakeman/parsers/template_parser.rb,
lib/brakeman/report/ignore/interactive.rb,
lib/brakeman/processors/lib/render_path.rb,
lib/brakeman/processors/lib/safe_call_helper.rb,
lib/brakeman/codeclimate/engine_configuration.rb,
lib/brakeman/processors/lib/file_type_detector.rb,
lib/brakeman/processors/lib/call_conversion_helper.rb

Defined Under Namespace

Modules: CallConversionHelper, Codeclimate, ControllerMethods, FakeHamlFilter, Logger, Messages, ModelMethods, ModuleHelper, Options, ProcessorHelper, RenderHelper, RouteHelper, SafeCallHelper, Util, WarningCodes Classes: ASTFile, AliasProcessor, AppTree, BaseCheck, BaseProcessor, BasicProcessor, CallIndex, CheckBasicAuth, CheckBasicAuthTimingAttack, CheckCSRFTokenForgeryCVE, CheckContentTag, CheckCookieSerialization, CheckCreateWith, CheckCrossSiteScripting, CheckDefaultRoutes, CheckDeserialize, CheckDetailedExceptions, CheckDigestDoS, CheckDivideByZero, CheckDynamicFinders, CheckEOLRails, CheckEOLRuby, CheckEscapeFunction, CheckEvaluation, CheckExecute, CheckFileAccess, CheckFileDisclosure, CheckFilterSkipping, CheckForceSSL, CheckForgerySetting, CheckHeaderDoS, CheckI18nXSS, CheckJRubyXML, CheckJSONEncoding, CheckJSONEntityEscape, CheckJSONParsing, CheckLinkTo, CheckLinkToHref, CheckMailTo, CheckMassAssignment, CheckMimeTypeDoS, CheckModelAttrAccessible, CheckModelAttributes, CheckModelSerialize, CheckNestedAttributes, CheckNestedAttributesBypass, CheckNumberToCurrency, CheckPageCachingCVE, CheckPathname, CheckPermitAttributes, CheckQuoteTableName, CheckRansack, CheckRedirect, CheckRegexDoS, CheckRender, CheckRenderDoS, CheckRenderInline, CheckRenderRCE, CheckResponseSplitting, CheckReverseTabnabbing, CheckRouteDoS, CheckSQL, CheckSQLCVEs, CheckSSLVerify, CheckSafeBufferManipulation, CheckSanitizeConfigCve, CheckSanitizeMethods, CheckSecrets, CheckSelectTag, CheckSelectVulnerability, CheckSend, CheckSendFile, CheckSessionManipulation, CheckSessionSettings, CheckSimpleFormat, CheckSingleQuotes, CheckSkipBeforeFilter, CheckSprocketsPathTraversal, CheckStripTags, CheckSymbolDoS, CheckSymbolDoSCVE, CheckTemplateInjection, CheckTranslateBug, CheckUnsafeReflection, CheckUnsafeReflectionMethods, CheckUnscopedFind, CheckValidationRegex, CheckVerbConfusion, CheckWeakHash, CheckWeakRSAKey, CheckWithoutProtection, CheckXMLDoS, CheckYAMLParsing, Checks, Collection, Commandline, Config, ConfigAliasProcessor, ConfigProcessor, Constant, Constants, Controller, ControllerAliasProcessor, ControllerProcessor, DependencyError, Differ, EOLCheck, ErbTemplateProcessor, Erubi, ErubiTemplateProcessor, FileCache, FileParser, FilePath, FileTypeDetector, FindAllCalls, FindCall, FindReturnValue, GemProcessor, Haml6TemplateProcessor, HamlTemplateProcessor, IgnoreConfig, InteractiveIgnorer, Library, LibraryProcessor, MethodInfo, MissingChecksError, Model, ModelProcessor, NoApplication, NoBrakemanError, OutputProcessor, Pager, Processor, Rails2ConfigProcessor, Rails2RoutesProcessor, Rails3ConfigProcessor, Rails3RoutesProcessor, Rails4ConfigProcessor, RenderPath, Report, RescanReport, Rescanner, RouteAliasProcessor, RoutesProcessor, Scanner, SexpProcessor, SlimTemplateProcessor, Template, TemplateAliasProcessor, TemplateParser, TemplateProcessor, Tracker, Warning

Constant Summary

Warnings_Found_Exit_Code =

This exit code is used when warnings are found and the –exit-on-warn option is set

3

No_App_Found_Exit_Code =

Exit code returned when no Rails application is detected

4

Not_Latest_Version_Exit_Code =

Exit code returned when brakeman was outdated

5

Missing_Checks_Exit_Code =

Exit code returned when user requests non-existent checks

6

Errors_Found_Exit_Code =

Exit code returned when errors were found and the –exit-on-error option is set

7

Empty_Ignore_Note_Exit_Code =

Exit code returned when an ignored warning has no note and –ensure-ignore-notes is set

8

Obsolete_Ignore_Entries_Exit_Code =

Exit code returned when at least one obsolete ignore entry is present and ‘–ensure-no-obsolete-ignore-entries` is set.

9

CONFIG_FILES =

begin
  [
    File.expand_path("~/.brakeman/config.yml"),
    File.expand_path("/etc/brakeman/config.yml")
  ]
rescue ArgumentError
  # In case $HOME or $USER aren't defined for use of `~`
  [
    File.expand_path("/etc/brakeman/config.yml")
  ]
end

Version =

"8.0.4"

Class Method Summary

• .add_external_checks(options) ⇒ Object
• .alert(message) ⇒ Object
• .announce(message) ⇒ Object
• .check_for_missing_checks(included_checks, excluded_checks, enabled_checks) ⇒ Object
• .cleanup(newline = true) ⇒ Object
• .compare(options) ⇒ Object

  Compare JSON output from a previous scan and return the diff of the two scans.

• .config_file(custom_location, app_path) ⇒ Object
• .debug(message) ⇒ Object
• .debug=(val) ⇒ Object
• .default_options ⇒ Object

  Default set of options.

• .dump_config(options) ⇒ Object

  Output configuration to YAML.

• .ensure_latest(days_old: 0) ⇒ Object

  Returns quit message unless the latest version of Brakeman matches the current version.

• .filter_warnings(tracker, options) ⇒ Object
• .get_output_formats(options) ⇒ Object

  Determine output formats based on options or options.

• .ignore_file_entries_with_empty_notes(file) ⇒ Object

  Returns an array of alert fingerprints for any ignored warnings without notes found in the specified ignore file (if it exists).

• .list_checks(options) ⇒ Object

  Output list of checks (for ‘-k` option).

• .load_brakeman_dependency(name, allow_fail = false) ⇒ Object
• .load_options(line_options) ⇒ Object

  Load options from YAML file.

• .logger ⇒ Object
• .logger=(log) ⇒ Object
• .process_step(description) ⇒ Object
• .quiet=(val) ⇒ Object
• .rescan(tracker, files, options = {}) ⇒ Object

  Rescan a subset of files in a Rails application.

• .run(options) ⇒ Object

  Run Brakeman scan.

• .scan(options) ⇒ Object

  Run a scan.

• .set_default_logger(options = {}) ⇒ Object
• .set_options(options) ⇒ Object

  Sets up options for run, checks given application path.

Class Method Details

.add_external_checks(options) ⇒ Object

# File 'lib/brakeman.rb', line 644

def self.add_external_checks options
  options[:additional_checks_path].each do |path|
    Brakeman::Checks.initialize_checks path
  end if options[:additional_checks_path]
end

.alert(message) ⇒ Object

# File 'lib/brakeman.rb', line 544

def self.alert message
  logger.alert message
end

.announce(message) ⇒ Object

# File 'lib/brakeman.rb', line 540

def self.announce message
  logger.announce message
end

.check_for_missing_checks(included_checks, excluded_checks, enabled_checks) ⇒ Object

# File 'lib/brakeman.rb', line 650

def self.check_for_missing_checks included_checks, excluded_checks, enabled_checks
  checks = included_checks.to_a + excluded_checks.to_a + enabled_checks.to_a

  missing = Brakeman::Checks.missing_checks(checks)

  unless missing.empty?
    raise MissingChecksError, "Could not find specified check#{missing.length > 1 ? 's' : ''}: #{missing.map {|c| "`#{c}`"}.join(', ')}"
  end
end

.cleanup(newline = true) ⇒ Object

# File 'lib/brakeman.rb', line 122

def self.cleanup(newline = true)
  @logger.cleanup(newline) if @logger
end

.compare(options) ⇒ Object

Compare JSON output from a previous scan and return the diff of the two scans

Raises:

• (ArgumentError)

# File 'lib/brakeman.rb', line 553

def self.compare options
  require 'json'
  require 'brakeman/differ'
  raise ArgumentError.new("Comparison file doesn't exist") unless File.exist? options[:previous_results_json]

  begin
    previous_results = JSON.parse(File.read(options[:previous_results_json]), :symbolize_names => true)[:warnings]
  rescue JSON::ParserError
    self.alert "Error parsing comparison file: #{options[:previous_results_json]}"
    exit!
  end

  tracker = run(options)
  new_report = JSON.parse(tracker.report.to_json, symbolize_names: true)

  new_results = new_report[:warnings]
  obsolete_ignored = tracker.unused_fingerprints

  Brakeman::Differ.new(new_results, previous_results).diff.tap do |diff|
    diff[:obsolete] = obsolete_ignored
  end
end

.config_file(custom_location, app_path) ⇒ Object

# File 'lib/brakeman.rb', line 218

def self.config_file custom_location, app_path
  app_config = File.expand_path(File.join(app_path, "config", "brakeman.yml"))
  supported_locations = [File.expand_path(custom_location || ""), app_config] + CONFIG_FILES
  supported_locations.detect {|f| File.file?(f) }
end

.debug(message) ⇒ Object

# File 'lib/brakeman.rb', line 548

def self.debug message
  logger.debug message
end

.debug=(val) ⇒ Object

# File 'lib/brakeman.rb', line 660

def self.debug= val
  @debug = val
end

.default_options ⇒ Object

Default set of options

# File 'lib/brakeman.rb', line 225

def self.default_options
  { :assume_all_routes => true,
    :check_arguments => true,
    :collapse_mass_assignment => false,
    :combine_locations => true,
    :engine_paths => ["engines/*"],
    :exit_on_error => true,
    :exit_on_warn => true,
    :highlight_user_input => true,
    :html_style => "#{File.expand_path(File.dirname(__FILE__))}/brakeman/format/style.css",
    :ignore_model_output => false,
    :ignore_redirect_to_model => true,
    :message_limit => 100,
    :min_confidence => 2,
    :output_color => true,
    :pager => true,
    :parallel_checks => true,
    :parser_timeout => 10,
    :use_prism => true,
    :relative_path => false,
    :report_progress => true,
    :safe_methods => Set.new,
    :show_ignored => false,
    :sql_safe_methods => Set.new,
    :skip_checks => Set.new,
    :skip_vendor => true,
  }
end

.dump_config(options) ⇒ Object

Output configuration to YAML

# File 'lib/brakeman.rb', line 384

def self.dump_config options
  require 'yaml'
  if options[:create_config].is_a? String
    file = options[:create_config]
  else
    file = nil
  end

  options.delete :create_config

  if options[:logger]
    @logger = options.delete(:logger)
  else
    set_default_logger(options)
  end

  options.each do |k,v|
    if v.is_a? Set
      options[k] = v.to_a
    end
  end

  if file
    File.open file, "w" do |f|
      YAML.dump options, f
    end

    announce "Output configuration to #{file}"
  else
    $stdout.puts YAML.dump(options)
  end
end

.ensure_latest(days_old: 0) ⇒ Object

Returns quit message unless the latest version of Brakeman matches the current version.

Optionally checks that the latest version is at least the specified number of days old.

# File 'lib/brakeman.rb', line 422

def self.ensure_latest(days_old: 0)
  require 'date'

  current = Brakeman::Version
  latest = Gem.latest_spec_for('brakeman')
  release_date = latest.date.to_date
  latest_version = latest.version.to_s

  if (Date.today - latest.date.to_date) >= days_old
    if current != latest_version
      return "Brakeman #{current} is not the latest version #{latest_version}"
    else
      false
    end
  else
    false
  end
end

.filter_warnings(tracker, options) ⇒ Object

# File 'lib/brakeman.rb', line 614

def self.filter_warnings tracker, options
  require 'brakeman/report/ignore/config'
  config = nil

  app_tree = Brakeman::AppTree.from_options(options)

  if options[:ignore_file]
    file = options[:ignore_file]
  elsif app_tree.exists? "config/brakeman.ignore"
    file = app_tree.expand_path("config/brakeman.ignore")
  elsif not options[:interactive_ignore]
    return
  end

  process_step "Filtering warnings..." do
    if options[:interactive_ignore]
      require 'brakeman/report/ignore/interactive'
      logger.cleanup
      config = InteractiveIgnorer.new(file, tracker.warnings).start
    else
      logger.announce "Using '#{file}' to filter warnings"
      config = IgnoreConfig.new(file, tracker.warnings)
      config.read_from_file
      config.filter_ignored
    end
  end

  tracker.ignored_filter = config
end

.get_output_formats(options) ⇒ Object

Determine output formats based on options or options

# File 'lib/brakeman.rb', line 256

def self.get_output_formats options
  #Set output format
  if options[:output_format] && options[:output_files] && options[:output_files].size > 1
    raise ArgumentError, "Cannot specify output format if multiple output files specified"
  end
  if options[:output_format]
    get_formats_from_output_format options[:output_format]
  elsif options[:output_files]
    get_formats_from_output_files options[:output_files]
  else
    begin
      self.load_brakeman_dependency 'terminal-table', :allow_fail
      return [:to_s]
    rescue LoadError
      return [:to_json]
    end
  end
end

.ignore_file_entries_with_empty_notes(file) ⇒ Object

Returns an array of alert fingerprints for any ignored warnings without notes found in the specified ignore file (if it exists).

# File 'lib/brakeman.rb', line 604

def self.ignore_file_entries_with_empty_notes file
  return [] unless file

  require 'brakeman/report/ignore/config'

  config = IgnoreConfig.new(file, nil)
  config.read_from_file
  config.already_ignored_entries_with_empty_notes.map { |i| i[:fingerprint] }
end

.list_checks(options) ⇒ Object

Output list of checks (for ‘-k` option)

# File 'lib/brakeman.rb', line 362

def self.list_checks options
  require 'brakeman/scanner'

  add_external_checks options

  if options[:list_optional_checks]
    $stderr.puts "Optional Checks:"
    checks = Checks.optional_checks
  else
    $stderr.puts "Available Checks:"
    checks = Checks.checks
  end

  format_length = 30

  $stderr.puts "-" * format_length
  checks.each do |check|
    $stderr.printf("%-#{format_length}s%s\n", check.name, check.description)
  end
end

.load_brakeman_dependency(name, allow_fail = false) ⇒ Object

# File 'lib/brakeman.rb', line 576

def self.load_brakeman_dependency name, allow_fail = false
  return if @loaded_dependencies.include? name

  unless @vendored_paths
    path_load = "#{File.expand_path(File.dirname(__FILE__))}/../bundle/load.rb"

    if File.exist? path_load
      require path_load
    end

    @vendored_paths = true
  end

  begin
    require name
  rescue LoadError => e
    if allow_fail
      raise e
    else
      $stderr.puts e.message
      $stderr.puts "Please install the appropriate dependency: #{name}."
      exit!(-1)
    end
  end
end

.load_options(line_options) ⇒ Object

Load options from YAML file

# File 'lib/brakeman.rb', line 168

def self.load_options line_options
  custom_location = line_options[:config_file]
  app_path = line_options[:app_path]

  #Load configuration file
  if config = config_file(custom_location, app_path)
    require 'yaml'
    options = YAML.safe_load_file config, permitted_classes: [Symbol], symbolize_names: true

    if options
      options.each { |k, v| options[k] = Set.new v if v.is_a? Array }

      # After parsing the yaml config file for options, convert any string keys into symbols.
      options.keys.select {|k| k.is_a? String}.map {|k| k.to_sym }.each {|k| options[k] = options[k.to_s]; options.delete(k.to_s) }

      # Brakeman.logger is probably not set yet
      logger = Brakeman::Logger.get_logger(options.merge(line_options))

      unless line_options[:allow_check_paths_in_config]
        if options.include? :additional_checks_path
          options.delete :additional_checks_path

          logger.alert 'Ignoring additional check paths in config file. Use --allow-check-paths-in-config to allow'
        end
      end

      logger.alert "Using configuration in #{config}"
      options
    else
      logger = Brakeman::Logger.get_logger(line_options)
      logger.alert "Empty configuration file: #{config}"
      {}
    end
  else
    {}
  end
end

.logger ⇒ Object

# File 'lib/brakeman.rb', line 110

def self.logger
  @logger
end

.logger=(log) ⇒ Object

# File 'lib/brakeman.rb', line 114

def self.logger= log
  @logger = log
end

.process_step(description) ⇒ Object

# File 'lib/brakeman.rb', line 668

def self.process_step(description, &)
  logger.context(description, &)
end

.quiet=(val) ⇒ Object

# File 'lib/brakeman.rb', line 664

def self.quiet= val
  @quiet = val
end

.rescan(tracker, files, options = {}) ⇒ Object

Rescan a subset of files in a Rails application.

A full scan must have been run already to use this method. The returned Tracker object from Brakeman.run is used as a starting point for the rescan.

Options may be given as a hash with the same values as Brakeman.run. Note that these options will be merged into the Tracker.

This method returns a RescanReport object with information about the scan. However, the Tracker object will also be modified as the scan is run.

# File 'lib/brakeman.rb', line 529

def self.rescan tracker, files, options = {}
  require 'brakeman/rescanner'

  options = tracker.options.merge options

  @quiet = !!tracker.options[:quiet]
  @debug = !!tracker.options[:debug]

  Rescanner.new(options, tracker.processor, files).recheck
end

.run(options) ⇒ Object

Run Brakeman scan. Returns Tracker object.

Options:

* :app_path - path to root of Rails app (required)
* :additional_checks_path - array of additional directories containing additional out-of-tree checks to run
* :additional_libs_path - array of additional application relative lib directories (ex. app/mailers) to process
* :assume_all_routes - assume all methods are routes (default: true)
* :check_arguments - check arguments of methods (default: true)
* :collapse_mass_assignment - report unprotected models in single warning (default: false)
* :combine_locations - combine warning locations (default: true)
* :config_file - configuration file
* :escape_html - escape HTML by default (automatic)
* :exit_on_error - only affects Commandline module (default: true)
* :exit_on_warn - only affects Commandline module (default: true)
* :github_repo - github repo to use for file links (user/repo[/path][@ref])
* :highlight_user_input - highlight user input in reported warnings (default: true)
* :html_style - path to CSS file
* :ignore_model_output - consider models safe (default: false)
* :interprocedural - limited interprocedural processing of method calls (default: false)
* :message_limit - limit length of messages
* :min_confidence - minimum confidence (0-2, 0 is highest)
* :output_files - files for output
* :output_formats - formats for output (:to_s, :to_tabs, :to_csv, :to_html)
* :parallel_checks - run checks in parallel (default: true)
* :parser_timeout - set timeout for parsing an individual file (default: 10 seconds)
* :print_report - if no output file specified, print to stdout (default: false)
* :quiet - suppress most messages (default: true)
* :rails3 - force Rails 3 mode (automatic)
* :rails4 - force Rails 4 mode (automatic)
* :rails5 - force Rails 5 mode (automatic)
* :rails6 - force Rails 6 mode (automatic)
* :report_routes - show found routes on controllers (default: false)
* :run_checks - array of checks to run (run all if not specified)
* :safe_methods - array of methods to consider safe
* :show_ignored - Display warnings that are usually ignored
* :sql_safe_methods - array of sql sanitization methods to consider safe
* :skip_vendor - do not process vendor/ directory (default: true)
* :skip_checks - checks not to run (run all if not specified)
* :absolute_paths - show absolute path of each file (default: false)
* :summary_only - only output summary section of report for plain/table (:summary_only, :no_summary, true)

Alternatively, just supply a path as a string.

# File 'lib/brakeman.rb', line 81

def self.run options
  if not $stderr.tty? and options[:report_progress].nil?
    options[:report_progress] = false
  end

  options = set_options options

  @quiet = !!options[:quiet]
  @debug = !!options[:debug]

  if @quiet
    options[:report_progress] = false
  end

  @logger = options[:logger] || set_default_logger(options)

  if options[:use_prism]
    begin
      require 'prism'
    rescue LoadError => e
      Brakeman.alert "Asked to use Prism, but failed to load: #{e}"
    end
  end

  Brakeman.announce "Brakeman v#{Brakeman::Version}"

  scan options
end

.scan(options) ⇒ Object

Run a scan. Generally called from Brakeman.run instead of directly.

# File 'lib/brakeman.rb', line 442

def self.scan options
  #Load scanner
  scanner, tracker = nil

  process_step 'Loading scanner' do
    begin
      require 'brakeman/scanner'
    rescue LoadError
      raise NoBrakemanError, 'Cannot find lib/ directory.'
    end

    add_external_checks options

    #Start scanning
    scanner = Scanner.new options
    tracker = scanner.tracker

    check_for_missing_checks options[:run_checks], options[:skip_checks], options[:enable_checks]
  end

  logger.announce "Scanning #{tracker.app_path}"
  scanner.process

  tracker.run_checks

  self.filter_warnings tracker, options

  if options[:output_files]
    process_step 'Generating report' do
      write_report_to_files tracker, options[:output_files]
    end
  elsif options[:print_report]
    process_step 'Generating report' do
      write_report_to_formats tracker, options[:output_formats]
    end
  end

  tracker
end

.set_default_logger(options = {}) ⇒ Object

# File 'lib/brakeman.rb', line 118

def self.set_default_logger(options = {})
  @logger = Brakeman::Logger.get_logger(options)
end

.set_options(options) ⇒ Object

Sets up options for run, checks given application path

# File 'lib/brakeman.rb', line 127

def self.set_options options
  if options.is_a? String
    options = { :app_path => options }
  end

  if options[:quiet] == :command_line
    command_line = true
    options.delete :quiet
  end

  options = default_options.merge(load_options(options)).merge(options)

  if options[:quiet].nil? and not command_line
    options[:quiet] = true
  end

  if options[:rails4]
    options[:rails3] = true
  elsif options[:rails5]
    options[:rails3] = true
    options[:rails4] = true
  elsif options[:rails6]
    options[:rails3] = true
    options[:rails4] = true
    options[:rails5] = true
  end

  options[:output_formats] = get_output_formats options
  options[:github_url] = get_github_url options


  # Use ENV value only if option was not already explicitly set
  # (i.e. prefer commandline option over environment variable).
  if options[:gemfile].nil? and ENV['BUNDLE_GEMFILE'] and not ENV['BUNDLE_GEMFILE'].empty?
    options[:gemfile] = ENV['BUNDLE_GEMFILE']
  end

  options
end