Merge pull request #1933 from aliismayilov/ignore-tempfile-path

Consider Tempfile.create.path as safe input

Author: presidentbeef

lib/brakeman/checks/base_check.rb

@@ -151,10 +151,13 @@ def boolean_method? method
     method[-1] == "?"
   end
 
-  TEMP_FILE_PATH = s(:call, s(:call, s(:const, :Tempfile), :new), :path).freeze
+  TEMP_FILE_PATH = [
+    s(:call, s(:call, s(:const, :Tempfile), :new), :path).freeze,
+    s(:call, s(:call, s(:const, :Tempfile), :create), :path).freeze
+  ].freeze
 
   def temp_file_path? exp
-    exp == TEMP_FILE_PATH
+    TEMP_FILE_PATH.include? exp
   end
 
   #Report a warning

lib/brakeman/processors/alias_processor.rb

@@ -436,6 +436,12 @@ def temp_file_open? exp
       exp.method == :open
   end
 
+  def temp_file_create? exp
+    call? exp and
+      exp.target == TEMP_FILE_CLASS and
+      exp.method == :create
+  end
+
   def temp_file_new line
     s(:call, TEMP_FILE_CLASS, :new).line(line)
   end
@@ -465,6 +471,9 @@ def process_iter exp
       elsif temp_file_open? call
         local = Sexp.new(:lvar, block_args.last)
         env.current[local] = temp_file_new(exp.line)
+      elsif temp_file_create? call
+        local = Sexp.new(:lvar, block_args.last)
+        env.current[local] = temp_file_new(exp.line)
       else
         block_args.each do |e|
           #Force block arg(s) to be local

test/apps/rails5.2/lib/shell.rb

@@ -136,4 +136,14 @@ def open3_capture_stdin_data
     Open3.capture2e("cat", stdin_data: "User.z = #{u.z}")
     Open3.capture3("cat", stdin_data: "User.z = #{u.z}")
   end
+
+  def tempfile_create
+    # these should not warn
+    tempfile = Tempfile.create
+    `something -out #{tempfile.path}`
+
+    Tempfile.create do |tempfile|
+      system("something -out #{tempfile.path}")
+    end
+  end
 end