Add optional use of Prism parser #1858

Merged
merged 13 commits into from
Jul 22, 2024

Conversation

presidentbeef
Owner

  1. Install latest Prism or toss it in your Gemfile
  2. Use --prism to parse with Prism, but still fall back to RubyParser if that fails

Why all the weirdness with installing Prism separately? Why not have Prism be a real dependency? Mainly because Brakeman bundles gems, and we can't bundle gems with native extensions. But Prism is a default gem, so it doesn't need to get bundled! But... we'll need a newer version than what is currently shipped with Ruby. So... perhaps for the next version of Ruby that bumps the Prism version, it can be loaded by default. But even then it can't be a gem dependency, because that would force use of the latest Ruby 😞
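The fallback behaviour from point 2, as an added example that is not Brakeman's own code: Prism is tried only when requested and installed at a usable version, and any syntax error, exception or timeout hands the file to the fallback parser. The minimum version constant, the timeout value and the injected `fallback_parser` callable (Brakeman uses RubyParser there) are assumptions so the example runs without the ruby_parser gem.

```ruby
# Added example (not Brakeman's code): optional Prism parsing with fallback.
require "rubygems"
require "timeout"

# PLACEHOLDER: set to the Prism version actually required; "0.0.0" accepts any.
MIN_PRISM_VERSION = "0.0.0"

# True when Prism can be loaded (it is a default gem on recent Rubies) and is
# at least MIN_PRISM_VERSION. A missing gem simply disables the option.
def prism_usable?(min_version = MIN_PRISM_VERSION)
  require "prism"
  Gem::Version.new(Prism::VERSION) >= Gem::Version.new(min_version)
rescue LoadError
  false
end

# Returns [:prism, ast] when Prism parsed the source cleanly, otherwise
# [:fallback, ast] from `fallback_parser`, a callable taking the source string.
# Prism is error-tolerant, so a result with errors is treated as a failure and
# the file is re-parsed with the fallback rather than analysed from a partial tree.
def parse_with_optional_prism(source, use_prism:, fallback_parser:, timeout: 10)
  if use_prism && prism_usable?
    begin
      result = Timeout.timeout(timeout) { Prism.parse(source) }
      return [:prism, result.value] if result.success?

      warn "Prism reported #{result.errors.size} syntax error(s); falling back"
    rescue StandardError => e # includes Timeout::Error
      warn "Prism raised #{e.class}: #{e.message}; falling back"
    end
  end
  [:fallback, fallback_parser.call(source)]
end
```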


dryrunsecurity bot commented Jul 12, 2024

DryRun Security Summary

The provided code changes focus on improving the functionality and testing of the Brakeman security scanner tool, including the addition of Prism parser support, improved error handling, and enhanced testing.


Summary:

The provided code changes focus on improving the functionality and testing of the Brakeman security scanner tool. The key changes include:

  1. Addition of Prism Parser Support: The changes introduce the ability to use the Prism parser as an alternative to the default RubyParser for parsing Ruby files. This is intended to improve the performance and robustness of the file parsing process.

  2. Improved Error Handling: The code now includes better error handling for various exceptions that may occur during the parsing process, providing more context about the files that failed to parse.

  3. Enhanced Testing: The changes include updates to the test suite, specifically the rails8.rb test, to integrate Brakeman with the Prism plugin and use stubbing to ensure consistent and reliable security analysis.

From an application security perspective, these changes do not directly introduce any security vulnerabilities. The focus is on improving the core functionality and testing of the Brakeman tool, which is a crucial component for identifying security issues in Ruby on Rails applications.

However, it's important to consider the security implications of the Prism parser and ensure that it is regularly updated and does not have any known vulnerabilities. Additionally, the timeout handling and error logging mechanisms should be reviewed to ensure they are configured appropriately and do not introduce any potential security concerns.

Overall, the changes in this pull request appear to be a routine update to the Brakeman project, with a focus on enhancing the tool's performance, robustness, and testing capabilities. These improvements can ultimately lead to more effective security scanning and the identification of potential vulnerabilities in Ruby on Rails applications.

Files Changed:

  1. test/tests/options.rb: The changes add a new test case to check the behavior when the --prism option is used in the Brakeman tool. This ensures that the command-line options are thoroughly tested, which is important for the security analysis performed by Brakeman.
  2. lib/brakeman/options.rb: The changes introduce a new command-line option --[no-]prism to enable or disable the use of the Prism parser. This provides users with more flexibility in configuring the Brakeman tool.
  3. lib/brakeman/scanner.rb: The changes update the parse_files and parse_ruby_file methods to include the tracker.options[:use_prism] option, which is passed to the Brakeman::FileParser class. This suggests the integration of the Prism parser into the file parsing process.
  4. lib/brakeman/file_parser.rb: The changes introduce support for the Prism parser, including a fallback to the RubyParser if Prism encounters issues during the parsing process. The code also includes improved error handling for various exceptions that may occur during parsing.
  5. test/tests/rails8.rb: The changes update the report method to include the use_prism: true option when running the Brakeman scan. This demonstrates the integration of the Prism plugin into the test suite, ensuring that the security analysis benefits from the enhanced capabilities provided by Prism.

Code Analysis

We ran 7 analyzers against 5 files and 0 analyzers had findings. 7 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

@presidentbeef presidentbeef merged commit ed7242d into main Jul 22, 2024
15 of 16 checks passed
@presidentbeef presidentbeef deleted the use_prism branch July 22, 2024 19:42