Crash on interpolation with __FILE__ #1542

Closed
akimd opened this issue Jan 7, 2021 · 2 comments
Comments

akimd commented Jan 7, 2021

Background

Brakeman version: 4.10.0
Rails version: 6.0.3.4
Ruby version: 2.5.7p206

Link to Rails application code: private, sorry

Parse Error

Minimal example that does not parse. This is a view.

<%
"#{__FILE__}"
%>

I could not get ruby_parser to crash on this.

Here is what I get:

$ brakeman --only app/views/commandes/foo.html.erb --debug
Loading scanner...
Processing application in /home/solutions/reference_dev/reference_dev
Processing gems...
Parsing /home/solutions/reference_dev/reference_dev/Gemfile
[Notice] Detected Rails 6 application
Processing configuration...
Parsing /home/solutions/reference_dev/reference_dev/config/environment.rb
Parsing /home/solutions/reference_dev/reference_dev/config/application.rb
Parsing /home/solutions/reference_dev/reference_dev/config/environments/production.rb
[Notice] Escaping HTML by default
Parsing files...
Parsing /home/solutions/reference_dev/reference_dev/app/views/commandes/foo.html.erb
Parsing /home/solutions/reference_dev/reference_dev/app/views/commandes/foo.html.erb
undefined method `force_encoding' for #<Brakeman::FilePath:0x000055f83b8096f0>
While processing /home/solutions/reference_dev/reference_dev/app/views/commandes/foo.html.erb
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib/ruby_parser_extras.rb:604:in `literal_concat'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib/ruby27_parser.rb:6399:in `_reduce_502'
/opt/ruby-2.5.7/lib/ruby/2.5.0/racc/parser.rb:259:in `_racc_do_parse_c'
/opt/ruby-2.5.7/lib/ruby/2.5.0/racc/parser.rb:259:in `do_parse'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib/ruby_parser_extras.rb:1329:in `block in process'
/opt/ruby-2.5.7/lib/ruby/2.5.0/timeout.rb:93:in `block in timeout'
/opt/ruby-2.5.7/lib/ruby/2.5.0/timeout.rb:33:in `block in catch'
/opt/ruby-2.5.7/lib/ruby/2.5.0/timeout.rb:33:in `catch'
/opt/ruby-2.5.7/lib/ruby/2.5.0/timeout.rb:33:in `catch'
/opt/ruby-2.5.7/lib/ruby/2.5.0/timeout.rb:108:in `timeout'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib/ruby_parser_extras.rb:1317:in `process'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib/ruby_parser.rb:36:in `block in process'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib/ruby_parser.rb:33:in `each'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib/ruby_parser.rb:33:in `process'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/file_parser.rb:39:in `parse_ruby'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/parsers/template_parser.rb:35:in `parse_template'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/scanner.rb:87:in `block in parse_files'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/file_parser.rb:29:in `block in read_files'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/file_parser.rb:26:in `each'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/file_parser.rb:26:in `read_files'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/scanner.rb:86:in `parse_files'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/scanner.rb:45:in `process'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman.rb:373:in `scan'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman.rb:84:in `run'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/commandline.rb:157:in `run_brakeman'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/commandline.rb:125:in `regular_report'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/commandline.rb:166:in `run_report'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/commandline.rb:35:in `run'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/commandline.rb:20:in `start'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/bin/brakeman:10:in `<top (required)>'
/opt/ruby/bin/brakeman:23:in `load'
/opt/ruby/bin/brakeman:23:in `<main>'
Processing initializers...
Processing libs...
Processing routes...
Parsing /home/solutions/reference_dev/reference_dev/config/routes.rb
Processing templates...
Processing data flow in templates...
Processing models...
Processing controllers...
Processing data flow in controllers...
Indexing call sites...
Running checks in parallel...
 - CheckBasicAuth
 - CheckBasicAuthTimingAttack
 - CheckCrossSiteScripting
 - CheckContentTag
 - CheckCookieSerialization
 - CheckCreateWith
 - CheckCSRFTokenForgeryCVE
Checking for XSS in content_tag
Automatic to_json escaping is enabled.
 - CheckDefaultRoutes
 - CheckDeserialize
 - CheckDetailedExceptions
 - CheckDigestDoS
 - CheckDynamicFinders
 - CheckEscapeFunction
 - CheckEvaluation
 - CheckExecute
 - CheckFileAccess
 - CheckFileDisclosure
 - CheckFilterSkipping
 - CheckForgerySetting
 - CheckHeaderDoS
Finding system calls using ``
Finding other system calls
Processing system calls
Finding eval-like calls
Processing eval-like calls
 - CheckI18nXSS
 - CheckJRubyXML
Finding possible file access
Finding calls to load()
Finding calls using FileUtils
Processing found calls
 - CheckJSONEncoding
 - CheckJSONEntityEscape
 - CheckJSONParsing
 - CheckLinkTo
 - CheckLinkToHref
 - CheckMailTo
 - CheckMassAssignment
 - CheckMimeTypeDoS
 - CheckModelAttrAccessible
 - CheckModelAttributes
 - CheckModelSerialize
 - CheckNestedAttributes
 - CheckNestedAttributesBypass
 - CheckNumberToCurrency
 - CheckPageCachingCVE
 - CheckPermitAttributes
 - CheckQuoteTableName
 - CheckRedirect
 - CheckRegexDoS
Finding calls to redirect_to()
 - CheckRender
 - CheckRenderDoS
 - CheckRenderInline
 - CheckResponseSplitting
Automatic to_json escaping is enabled.
 - CheckRouteDoS
 - CheckSafeBufferManipulation
 - CheckSanitizeMethods
 - CheckSelectTag
 - CheckSelectVulnerability
 - CheckSend
 - CheckSendFile
 - CheckSessionManipulation
 - CheckSessionSettings
Finding dynamic regexes
Processing dynamic regexes
Finding instances of #send
Finding all calls to send_file()
 - CheckSimpleFormat
 - CheckSingleQuotes
 - CheckSkipBeforeFilter
 - CheckSprocketsPathTraversal
 - CheckSQL
 - CheckSQLCVEs
 - CheckSSLVerify
 - CheckStripTags
Finding possible SQL calls on models
Finding possible SQL calls with no target
Finding possible SQL calls using constantized()
Finding calls to named_scope or scope
Processing possible SQL calls
 - CheckSymbolDoSCVE
 - CheckTemplateInjection
Finding calls to strip_tags()
 - CheckTranslateBug
 - CheckUnsafeReflection
Finding ERB.new calls
Processing ERB.new calls
 - CheckValidationRegex
 - CheckWithoutProtection
 - CheckXMLDoS
 - CheckYAMLParsing
Checks finished, collecting results...
Generating report...

== Brakeman Report ==

Application Path: /home/solutions/reference_dev/reference_dev
Rails Version: 6.0.3.4
Brakeman Version: 4.10.0
Scan Date: 2021-01-07 13:23:33 +0100
Duration: 0.969251921 seconds
Checks Run: BasicAuth, BasicAuthTimingAttack, CSRFTokenForgeryCVE, ContentTag, CookieSerialization, CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, DynamicFinders, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONEncoding, JSONEntityEscape, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, MimeTypeDoS, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NestedAttributesBypass, NumberToCurrency, PageCachingCVE, PermitAttributes, QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, RenderInline, ResponseSplitting, RouteDoS, SQL, SQLCVEs, SSLVerify, SafeBufferManipulation, SanitizeMethods, SelectTag, SelectVulnerability, Send, SendFile, SessionManipulation, SessionSettings, SimpleFormat, SingleQuotes, SkipBeforeFilter, SprocketsPathTraversal, StripTags, SymbolDoSCVE, TemplateInjection, TranslateBug, UnsafeReflection, ValidationRegex, WithoutProtection, XMLDoS, YAMLParsing

== Overview ==

Controllers: 0
Models: 0
Templates: 0
Errors: 1
Security Warnings: 1

== Warning Types ==

Default Routes: 1

== Controller Overview ==



== Template Output ==



== Errors ==

Error: undefined method `force_encoding' for #<Brakeman::FilePath:0x000055f83b8096f0> While processing /home/solutions/reference_dev/reference_dev/app/views/commandes/foo.html.erb
Location: /opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib/ruby_parser_extras.rb:604:in `literal_concat'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib/ruby27_parser.rb:6399:in `_reduce_502'
/opt/ruby-2.5.7/lib/ruby/2.5.0/racc/parser.rb:259:in `_racc_do_parse_c'
/opt/ruby-2.5.7/lib/ruby/2.5.0/racc/parser.rb:259:in `do_parse'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib/ruby_parser_extras.rb:1329:in `block in process'
/opt/ruby-2.5.7/lib/ruby/2.5.0/timeout.rb:93:in `block in timeout'
/opt/ruby-2.5.7/lib/ruby/2.5.0/timeout.rb:33:in `block in catch'
/opt/ruby-2.5.7/lib/ruby/2.5.0/timeout.rb:33:in `catch'
/opt/ruby-2.5.7/lib/ruby/2.5.0/timeout.rb:33:in `catch'
/opt/ruby-2.5.7/lib/ruby/2.5.0/timeout.rb:108:in `timeout'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib/ruby_parser_extras.rb:1317:in `process'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib/ruby_parser.rb:36:in `block in process'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib/ruby_parser.rb:33:in `each'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib/ruby_parser.rb:33:in `process'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/file_parser.rb:39:in `parse_ruby'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/parsers/template_parser.rb:35:in `parse_template'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/scanner.rb:87:in `block in parse_files'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/file_parser.rb:29:in `block in read_files'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/file_parser.rb:26:in `each'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/file_parser.rb:26:in `read_files'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/scanner.rb:86:in `parse_files'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/scanner.rb:45:in `process'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman.rb:373:in `scan'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman.rb:84:in `run'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/commandline.rb:157:in `run_brakeman'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/commandline.rb:125:in `regular_report'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/commandline.rb:166:in `run_report'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/commandline.rb:35:in `run'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/commandline.rb:20:in `start'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/bin/brakeman:10:in `<top (required)>'
/opt/ruby/bin/brakeman:23:in `load'
/opt/ruby/bin/brakeman:23:in `<main>'

== Warnings ==

Confidence: High
Category: Default Routes
Check: DefaultRoutes
Message: All public methods in controllers are available as actions in `routes.rb`
File: config/routes.rb
Line: 60

Cheers!
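The report above is worth a second look: the crash is recorded under "Errors: 1", the template that triggered it is counted nowhere ("Templates: 0"), and the scan still exits with a normal-looking warning list. A CI step that only fails on warnings would pass this run even though no view was analysed. The following is an added example, not code from this issue or from the Brakeman project, of turning Brakeman's `-f json` output into a pass/fail decision that also fails on parse errors and on an empty template count. It assumes the report keys `errors` (entries with `error` and `location`), `scan_info.number_of_templates` and `warnings` as Brakeman emits them; the sample report embedded below is constructed to mirror the run in this issue.

```ruby
# Added example (not Brakeman's own code): treat parse errors in a Brakeman
# JSON report as a failed scan, not a clean one.
require 'json'

# Constructed sample of a `brakeman -f json` report shaped like the run in
# this issue: one parse error, zero templates scanned, one High warning.
# Single-quoted heredoc so the `#<...>` in the message is not interpolated.
SAMPLE_REPORT = <<~'JSON'
  {
    "scan_info": {
      "app_path": "/home/solutions/reference_dev/reference_dev",
      "rails_version": "6.0.3.4",
      "brakeman_version": "4.10.0",
      "number_of_controllers": 0,
      "number_of_models": 0,
      "number_of_templates": 0,
      "security_warnings": 1
    },
    "warnings": [
      {
        "warning_type": "Default Routes",
        "check_name": "DefaultRoutes",
        "message": "All public methods in controllers are available as actions in `routes.rb`",
        "file": "config/routes.rb",
        "line": 60,
        "confidence": "High"
      }
    ],
    "errors": [
      {
        "error": "undefined method `force_encoding' for #<Brakeman::FilePath:0x000055f83b8096f0> While processing /home/solutions/reference_dev/reference_dev/app/views/commandes/foo.html.erb",
        "location": "ruby_parser_extras.rb:604:in `literal_concat'"
      }
    ]
  }
JSON

# Brakeman appends "While processing <path>" to errors raised while parsing a
# file (visible in the report above). Pull that path out; nil if absent.
def unparsed_file(error_entry)
  error_entry.fetch('error', '')[/While processing (\S+)/, 1]
end

# Assess a JSON report. Returns { ok:, reasons:, unparsed_files: } so a CI
# step can fail on any reason, not only on warnings. `expect_templates`
# lets a template-less app (API only) opt out of the template-count check.
def assess_brakeman_report(json_text, expect_templates: true)
  report  = JSON.parse(json_text)
  info    = report.fetch('scan_info', {})
  errors  = report.fetch('errors', [])
  reasons = []

  # Every parse error is a file the checks never saw.
  errors.each do |e|
    reasons << "parse error, file not scanned: #{unparsed_file(e) || '(unknown file)'}"
  end

  # Views are where Brakeman's XSS checks run; zero templates means none ran.
  if expect_templates && info.fetch('number_of_templates', 0).zero?
    reasons << 'no templates scanned'
  end

  report.fetch('warnings', []).each do |w|
    next unless w['confidence'] == 'High'
    reasons << "high-confidence #{w['warning_type']} at #{w['file']}:#{w['line']}"
  end

  {
    ok: reasons.empty?,
    reasons: reasons,
    unparsed_files: errors.map { |e| unparsed_file(e) }.compact
  }
end

result = assess_brakeman_report(SAMPLE_REPORT)
puts(result[:ok] ? 'brakeman: OK' : "brakeman: FAIL\n  #{result[:reasons].join("\n  ")}")
```

On the sample report this fails for three reasons: the unparsed view, the zero template count, and the High-confidence Default Routes warning. Had the report been a real `brakeman -f json` run, the same function would pass once every file parses and no High-confidence warning remains; wire its `:ok` into the CI exit status rather than grepping the text report.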

presidentbeef (Owner) commented
This was fixed in 4.10.1. Please try it out!

#1534

akimd (Author) commented Jan 8, 2021

Oops, sorry, I thought I was up to date. Thanks!

Repository owner locked and limited conversation to collaborators Jan 30, 2022