presidentbeef / brakeman

A static analysis security vulnerability scanner for Ruby on Rails applications
https://brakemanscanner.org/

Crash when parsing routes with lambdas. #1417

Closed 6temes closed 4 years ago

6temes commented 4 years ago

Background

Brakeman version: 4.7.0
Rails version: 6.0.0
Ruby version: 2.6.5

Link to Rails application code: ?

Issue

After updating to 4.7.0 brakeman crashes when processing the routes.

The routes contain lambdas that are used in constraints:

  should_show_agent_routes = lambda { |req|
    !agent_app_env_set.call || req.subdomain.include?(ENV['AGENT_APP_SUBDOMAIN'])
  }

[...]

###
  # Agent routes
  #
  constraints should_show_agent_routes do
    devise_for :agents

Other Error

Run Brakeman with --debug to see the full stack trace.

Stack trace:

Loading scanner...
Processing application in /Users/user/Code
Processing gems...
[Notice] Detected Rails 6 application
Processing configuration...
[Notice] Escaping HTML by default
Parsing files...
Processing initializers...
Processing libs...ssed
Processing routes...
bundler: failed to load command: brakeman (/Users/user/.rbenv/versions/2.6.5/bin/brakeman)
WrongSexpError: Expected call or attrasgn or safe_call or safe_attrasgn or super or zsuper or result but given s(:lambda)
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/brakeman/processors/lib/rails3_route_processor.rb:47:in `process_iter'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/ruby_parser/bm_sexp_processor.rb:76:in `block in process'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/ruby_parser/bm_sexp_processor.rb:113:in `in_context'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/ruby_parser/bm_sexp_processor.rb:72:in `process'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/brakeman/processors/lib/processor_helper.rb:5:in `block in process_all'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/bundle/ruby/2.6.0/gems/sexp_processor-4.13.0/lib/sexp.rb:142:in `block in each_sexp'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/bundle/ruby/2.6.0/gems/sexp_processor-4.13.0/lib/sexp.rb:139:in `each'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/bundle/ruby/2.6.0/gems/sexp_processor-4.13.0/lib/sexp.rb:139:in `each_sexp'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/brakeman/processors/lib/processor_helper.rb:4:in `process_all'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/brakeman/processors/lib/basic_processor.rb:17:in `process_default'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/ruby_parser/bm_sexp_processor.rb:78:in `block in process'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/ruby_parser/bm_sexp_processor.rb:113:in `in_context'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/ruby_parser/bm_sexp_processor.rb:72:in `process'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/brakeman/processors/lib/processor_helper.rb:5:in `block in process_all'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/bundle/ruby/2.6.0/gems/sexp_processor-4.13.0/lib/sexp.rb:142:in `block in each_sexp'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/bundle/ruby/2.6.0/gems/sexp_processor-4.13.0/lib/sexp.rb:139:in `each'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/bundle/ruby/2.6.0/gems/sexp_processor-4.13.0/lib/sexp.rb:139:in `each_sexp'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/brakeman/processors/lib/processor_helper.rb:4:in `process_all'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/brakeman/processors/lib/basic_processor.rb:17:in `process_default'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/ruby_parser/bm_sexp_processor.rb:78:in `block in process'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/ruby_parser/bm_sexp_processor.rb:113:in `in_context'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/ruby_parser/bm_sexp_processor.rb:72:in `process'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/brakeman/processors/lib/processor_helper.rb:5:in `block in process_all'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/bundle/ruby/2.6.0/gems/sexp_processor-4.13.0/lib/sexp.rb:142:in `block in each_sexp'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/bundle/ruby/2.6.0/gems/sexp_processor-4.13.0/lib/sexp.rb:139:in `each'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/bundle/ruby/2.6.0/gems/sexp_processor-4.13.0/lib/sexp.rb:139:in `each_sexp'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/brakeman/processors/lib/processor_helper.rb:4:in `process_all'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/brakeman/processors/lib/basic_processor.rb:17:in `process_default'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/brakeman/processors/lib/rails3_route_processor.rb:59:in `process_iter'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/ruby_parser/bm_sexp_processor.rb:76:in `block in process'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/ruby_parser/bm_sexp_processor.rb:113:in `in_context'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/ruby_parser/bm_sexp_processor.rb:72:in `process'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/brakeman/processors/lib/rails3_route_processor.rb:24:in `process_routes'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/brakeman/processor.rb:35:in `process_routes'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/brakeman/scanner.rb:224:in `process_routes'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/brakeman/scanner.rb:51:in `process'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/brakeman.rb:361:in `scan'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/brakeman.rb:80:in `run'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/brakeman/commandline.rb:133:in `run_brakeman'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/brakeman/commandline.rb:118:in `regular_report'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/brakeman/commandline.rb:142:in `run_report'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/brakeman/commandline.rb:35:in `run'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/lib/brakeman/commandline.rb:20:in `start'
  /Users/user/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/brakeman-4.7.0/bin/brakeman:10:in `<top (required)>'
  /Users/user/.rbenv/versions/2.6.5/bin/brakeman:23:in `load'
  /Users/user/.rbenv/versions/2.6.5/bin/brakeman:23:in `<top (required)>'
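The error above comes from Brakeman's route processor insisting that the first child of every `:iter` (block) node is a call-like node, so a bare lambda literal aborts the whole scan. The following is an added toy model of that dispatch, not Brakeman's own code: it reproduces the exact `WrongSexpError` message on a constructed tree shaped like the reported routes file, then shows a tolerant variant that skips the lambda and still reaches `constraints` and `devise_for`. Sexps are modelled as plain arrays standing in for ruby_parser's `Sexp` objects, and the tree, node shapes and function names are assumptions for illustration.

```ruby
# Added example (not Brakeman's code): a toy model of the route-processor
# dispatch that raised the WrongSexpError above. Sexps are plain arrays,
# [:type, child, ...], standing in for ruby_parser's Sexp objects.
class WrongSexpError < StandardError; end

# The node types the processor accepted as the "call" half of an :iter,
# copied from the error message in the report.
CALL_TYPES = %i[call attrasgn safe_call safe_attrasgn super zsuper result].freeze

# Constructed tree mirroring the reported routes file: a lambda assigned to a
# local, then `constraints should_show_agent_routes do devise_for :agents end`.
LAMBDA_ITER = [:iter, [:lambda], [:args, :req],
               [:call, [:lvar, :req], :subdomain]].freeze
ROUTES = [:block,
          [:lasgn, :should_show_agent_routes, LAMBDA_ITER],
          [:iter, [:call, nil, :constraints, [:lvar, :should_show_agent_routes]], 0,
           [:call, nil, :devise_for, [:lit, :agents]]]].freeze

# 4.7.0-style behaviour: the first child of an :iter must be a call-like node.
def process_iter_strict(exp)
  call = exp[1]
  return call[2] if CALL_TYPES.include?(call[0]) # method name, e.g. :constraints
  raise WrongSexpError,
        "Expected #{CALL_TYPES.join(' or ')} but given s(:#{call[0]})"
end

# Tolerant variant: a lambda literal is not a routing call, so treat it as
# opaque instead of aborting the whole scan.
def process_iter_tolerant(exp)
  exp[1][0] == :lambda ? nil : process_iter_strict(exp)
end

# Walk the routes tree and collect the routing method names that were seen.
def route_calls(exp, found = [], tolerant: false)
  return found unless exp.is_a?(Array)
  case exp[0]
  when :iter
    name = tolerant ? process_iter_tolerant(exp) : process_iter_strict(exp)
    return found if name.nil? # opaque lambda: do not descend into it
    found << name
    exp.drop(2).each { |c| route_calls(c, found, tolerant: tolerant) }
  when :call
    found << exp[2]
    exp.drop(3).each { |c| route_calls(c, found, tolerant: tolerant) }
  else
    exp.each { |c| route_calls(c, found, tolerant: tolerant) }
  end
  found
end
```

`route_calls(ROUTES)` raises the same message as the report; `route_calls(ROUTES, tolerant: true)` returns `[:constraints, :devise_for]`.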
presidentbeef commented 4 years ago

Hi @6temes - I believe this is the same as #1410