Add Warning#user_input

to report the actual piece of code detected as user input for some
warnings

lib/brakeman/checks/check_cross_site_scripting.rb

@@ -186,6 +186,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
             :message => message,
             :line => exp.line,
             :code => exp,
+            :user_input => @matched.match,
             :confidence => confidence
         end
       end

lib/brakeman/checks/check_evaluation.rb

@@ -20,11 +20,12 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
 
   #Warns if eval includes user input
   def process_result result
-    if include_user_input? result[:call][-1]
+    if input = include_user_input?(result[:call][-1])
       warn :result => result,
         :warning_type => "Dangerous Eval",
         :message => "User input in eval",
         :code => result[:call],
+        :user_input => input.match,
         :confidence => CONFIDENCE[:high]
     end
   end

lib/brakeman/checks/check_execute.rb

@@ -54,6 +54,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
         :message => "Possible command injection",
         :line => call.line,
         :code => call,
+        :user_input => failure.match,
         :confidence => confidence
     end
   end

lib/brakeman/checks/check_file_access.rb

@@ -48,7 +48,8 @@ class Brakeman::CheckFileAccess < Brakeman::BaseCheck
           :message => message, 
           :confidence => CONFIDENCE[:high],
           :line => call.line,
-          :code => call
+          :code => call,
+          :user_input => input.match
       end
     end
   end

lib/brakeman/checks/check_link_to.rb

@@ -75,7 +75,9 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
       warn :result => result,
         :warning_type => "Cross Site Scripting", 
         :message => message,
+        :highlight => input.match,
         :confidence => CONFIDENCE[:high]
+
     elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(arg)
       method = match[2]
 
@@ -91,6 +93,7 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
         warn :result => result,
           :warning_type => "Cross Site Scripting", 
           :message => "Unescaped model attribute in link_to",
+          :user_input => match,
           :confidence => confidence
       end
 
@@ -107,6 +110,7 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
         warn :result => result, 
           :warning_type => "Cross Site Scripting", 
           :message => message,
+          :user_input => @matched.match,
           :confidence => CONFIDENCE[:med]
       end
     end

lib/brakeman/checks/check_link_to_href.rb

@@ -56,6 +56,7 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
         warn :result => result,
           :warning_type => "Cross Site Scripting", 
           :message => message,
+          :user_input => input.match,
           :confidence => CONFIDENCE[:high]
       end
     elsif has_immediate_model? url_arg
@@ -82,6 +83,7 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
         warn :result => result, 
           :warning_type => "Cross Site Scripting", 
           :message => message,
+          :user_input => @matched.match,
           :confidence => CONFIDENCE[:med]
       end
     end

lib/brakeman/checks/check_redirect.rb

@@ -28,7 +28,7 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
     if method == :redirect_to and not only_path?(call) and res = include_user_input?(call)
       add_result result
 
-      if res == :immediate
+      if res.type == :immediate
         confidence = CONFIDENCE[:high]
       else
         confidence = CONFIDENCE[:low]
@@ -39,6 +39,7 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
         :message => "Possible unprotected redirect",
         :line => call.line,
         :code => call,
+        :user_input => res.match,
         :confidence => confidence
     end
   end
@@ -64,16 +65,18 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
 
     call[3].each do |arg|
       if call? arg 
-        if request_value? arg or request_value? arg[1]
-          return :immediate
+        if request_value? arg
+          return Match.new(:immediate, arg)
+        elsif request_value? arg[1]
+          return Match.new(:immediate, arg[1])
         elsif arg[2] == :url_for and include_user_input? arg
-          return :immediate
+          return Match.new(:immediate, arg)
           #Ignore helpers like some_model_url?
         elsif arg[2].to_s =~ /_(url|path)$/
           return false
         end
       elsif request_value? arg
-        return :immediate
+        return Match.new(:immediate, arg)
       end
     end
 

lib/brakeman/checks/check_send.rb

@@ -19,19 +19,21 @@ class Brakeman::CheckSend < Brakeman::BaseCheck
     args = process result[:call][3]
     target = process result[:call][1]
 
-    if has_immediate_user_input? args[1]
+    if input = has_immediate_user_input?(args[1])
       warn :result => result,
         :warning_type => "Dangerous Send",
         :message => "User controlled method execution",
         :code => result[:call],
+        :user_input => input.match,
         :confidence => CONFIDENCE[:high]
     end
 
-    if has_immediate_user_input?(target)
+    if input = has_immediate_user_input?(target)
       warn :result => result,
         :warning_type => "Dangerous Send",
         :message => "User defined target of method invocation",
         :code => result[:call],
+        :user_input => input.match,
         :confidence => CONFIDENCE[:med]
     end
   end

lib/brakeman/checks/check_sql.rb

@@ -122,15 +122,18 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     if failed and not call.original_line and not duplicate? result
       add_result result
 
-      if include_user_input? args[-1]
+      if input = include_user_input?(args[-1])
         confidence = CONFIDENCE[:high]
+        user_input = input.match
       else
         confidence = CONFIDENCE[:med]
+        user_input = nil
       end
 
       warn :result => result,
         :warning_type => "SQL Injection",
         :message => "Possible SQL injection",
+        :user_input => user_input,
         :confidence => confidence
     end
 

lib/brakeman/checks/check_without_protection.rb

@@ -48,10 +48,12 @@ class Brakeman::CheckWithoutProtection < Brakeman::BaseCheck
         if true? value
           add_result res
 
-          if include_user_input? call[3]
+          if input = include_user_input?(call[3])
             confidence = CONFIDENCE[:high]
+            user_input = input.match
           else
             confidence = CONFIDENCE[:med]
+            user_input = nil
           end
 
           warn :result => res, 
@@ -59,6 +61,7 @@ class Brakeman::CheckWithoutProtection < Brakeman::BaseCheck
             :message => "Unprotected mass assignment",
             :line => call.line,
             :code => call, 
+            :user_input => user_input,
             :confidence => confidence
 
         end

lib/brakeman/warning.rb

 #The Warning class stores information about warnings
 class Brakeman::Warning
   attr_reader :called_from, :check, :class, :confidence, :controller,
-    :line, :method, :model, :template, :warning_set, :warning_type
+    :line, :method, :model, :template, :user_input, :warning_set, :warning_type
 
   attr_accessor :code, :context, :file, :message
 
@@ -12,7 +12,7 @@ class Brakeman::Warning
     @view_name = nil
 
     [:called_from, :check, :class, :code, :confidence, :controller, :file, :line,
-      :message, :method, :model, :template, :warning_set, :warning_type].each do |option|
+      :message, :method, :model, :template, :user_input, :warning_set, :warning_type].each do |option|
 
       self.instance_variable_set("@#{option}", options[option])
     end