diff --git a/lib/brakeman/app_tree.rb b/lib/brakeman/app_tree.rb
index eaacaf6dff..895e722c88 100644
--- a/lib/brakeman/app_tree.rb
+++ b/lib/brakeman/app_tree.rb
@@ -112,7 +112,8 @@ def layout_exists?(name)
 def lib_paths
 @lib_files ||= find_paths("lib").reject { |path| path.include? "/generators/" or path.include? "lib/tasks/" or path.include? "lib/templates/" } +
 find_additional_lib_paths +
- find_helper_paths
+ find_helper_paths +
+ find_job_paths
 end
 
 private
@@ -121,6 +122,10 @@ def find_helper_paths
 find_paths "app/helpers"
 end
 
+ def find_job_paths
+ find_paths "app/jobs"
+ end
+
 def find_additional_lib_paths
 @additional_libs_path.collect{ |path| find_paths path }.flatten
 end
diff --git a/test/apps/rails5.2/app/jobs/delete_stuff_job.rb b/test/apps/rails5.2/app/jobs/delete_stuff_job.rb
new file mode 100644
index 0000000000..f5008bf85b
--- /dev/null
+++ b/test/apps/rails5.2/app/jobs/delete_stuff_job.rb
@@ -0,0 +1,5 @@
+class DeleteStuffJob < ApplicationJob
+ def perform file
+ `rm -rf #{file}`
+ end
+end
diff --git a/test/tests/rails52.rb b/test/tests/rails52.rb
index e8f99e92be..20de2c4f02 100644
--- a/test/tests/rails52.rb
+++ b/test/tests/rails52.rb
@@ -13,7 +13,7 @@ def expected
 :controller => 0,
 :model => 0,
 :template => 0,
- :generic => 2
+ :generic => 3
 }
 end
 
@@ -53,6 +53,19 @@ def test_command_injection_1
 :user_input => s(:ivar, :@blah)
 end
 
+ def test_command_injection_in_job
+ assert_warning :type => :warning,
+ :warning_code => 14,
+ :fingerprint => "e712e2741ad78f4e947bec84f36a0d703849d3b0facdabd8cc74851d7b702a48",
+ :warning_type => "Command Injection",
+ :line => 3,
+ :message => /^Possible\ command\ injection/,
+ :confidence => 1,
+ :relative_path => "app/jobs/delete_stuff_job.rb",
+ :code => s(:dxstr, "rm -rf ", s(:evstr, s(:lvar, :file))),
+ :user_input => s(:lvar, :file)
+ end
+
 def test_command_injection_shellwords
 assert_no_warning :type => :warning,
 :warning_code => 14,
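Review bot: `lib_paths` now also returns every file under app/jobs (via the added `find_job_paths` term at the end of the `+` chain), on top of lib/, the additional lib paths and app/helpers, so the method name no longer describes its result and nothing in the file says why jobs belong here; a comment above `def lib_paths` such as `# Ruby sources outside MVC that get the same scanning as lib/: lib/, extra lib dirs, helpers and jobs` would spare the next reader a surprise. Because the result is memoized in `@lib_files`, every caller of `lib_paths` now sees job files too, so any consumer that assumed these paths all live under lib/ should be checked — those callers are not visible from this hunk. The `find_job_paths` helper itself is added in the next hunk and mirrors `find_helper_paths`, which is fine. `lib_paths` starts on the hunk's first line but the enclosing class continues outside it.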
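Review bot: The new fixture is intentionally vulnerable (the `file` argument is interpolated straight into a backtick command on line 3) but nothing in the file marks it as a test fixture, so a later cleanup could "fix" it and silently break `test_command_injection_in_job`. Since that test pins `:line => 3` and a fingerprint, the marker should not shift lines; a trailing comment on the class line works, e.g. `class DeleteStuffJob < ApplicationJob # intentionally vulnerable fixture, see test/tests/rails52.rb`. `def perform file` without parentheses departs from the usual style for a parameterised method, though that may be deliberate to mirror real-world code.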