brakeman-lib 3.3.2 → 3.3.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGES +13 -0
- data/lib/brakeman/app_tree.rb +6 -1
- data/lib/brakeman/checks/base_check.rb +10 -0
- data/lib/brakeman/checks/check_create_with.rb +1 -2
- data/lib/brakeman/checks/check_cross_site_scripting.rb +0 -4
- data/lib/brakeman/checks/check_deserialize.rb +1 -2
- data/lib/brakeman/checks/check_dynamic_finders.rb +1 -2
- data/lib/brakeman/checks/check_evaluation.rb +1 -2
- data/lib/brakeman/checks/check_execute.rb +2 -5
- data/lib/brakeman/checks/check_file_access.rb +1 -2
- data/lib/brakeman/checks/check_link_to_href.rb +13 -3
- data/lib/brakeman/checks/check_mass_assignment.rb +2 -4
- data/lib/brakeman/checks/check_redirect.rb +1 -4
- data/lib/brakeman/checks/check_regex_dos.rb +1 -2
- data/lib/brakeman/checks/check_render.rb +10 -5
- data/lib/brakeman/checks/check_render_inline.rb +1 -2
- data/lib/brakeman/checks/check_select_tag.rb +1 -2
- data/lib/brakeman/checks/check_send.rb +1 -2
- data/lib/brakeman/checks/check_session_manipulation.rb +1 -2
- data/lib/brakeman/checks/check_simple_format.rb +1 -2
- data/lib/brakeman/checks/check_ssl_verify.rb +1 -2
- data/lib/brakeman/checks/check_symbol_dos.rb +2 -4
- data/lib/brakeman/checks/check_unsafe_reflection.rb +1 -2
- data/lib/brakeman/checks/check_weak_hash.rb +3 -6
- data/lib/brakeman/parsers/template_parser.rb +9 -0
- data/lib/brakeman/processors/base_processor.rb +25 -0
- data/lib/brakeman/processors/controller_processor.rb +6 -99
- data/lib/brakeman/processors/erb_template_processor.rb +1 -4
- data/lib/brakeman/processors/erubis_template_processor.rb +4 -16
- data/lib/brakeman/processors/haml_template_processor.rb +4 -11
- data/lib/brakeman/processors/lib/find_all_calls.rb +13 -25
- data/lib/brakeman/processors/lib/find_return_value.rb +34 -4
- data/lib/brakeman/processors/lib/module_helper.rb +111 -0
- data/lib/brakeman/processors/lib/render_helper.rb +1 -1
- data/lib/brakeman/processors/library_processor.rb +4 -57
- data/lib/brakeman/processors/model_processor.rb +4 -104
- data/lib/brakeman/processors/slim_template_processor.rb +7 -21
- data/lib/brakeman/processors/template_processor.rb +11 -0
- data/lib/brakeman/scanner.rb +1 -1
- data/lib/brakeman/version.rb +1 -1
- data/lib/ruby_parser/bm_sexp.rb +7 -3
- metadata +4 -3
@@ -1,9 +1,11 @@
|
|
1
1
|
require 'brakeman/processors/base_processor'
|
2
2
|
require 'brakeman/processors/alias_processor'
|
3
|
+
require 'brakeman/processors/lib/module_helper'
|
3
4
|
require 'brakeman/tracker/library'
|
4
5
|
|
5
6
|
#Process generic library and stores it in Tracker.libs
|
6
7
|
class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
|
8
|
+
include Brakeman::ModuleHelper
|
7
9
|
|
8
10
|
def initialize tracker
|
9
11
|
super
|
@@ -19,66 +21,11 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
|
|
19
21
|
end
|
20
22
|
|
21
23
|
def process_class exp
|
22
|
-
|
23
|
-
parent = class_name exp.parent_name
|
24
|
-
|
25
|
-
if @current_class
|
26
|
-
outer_class = @current_class
|
27
|
-
name = (outer_class.name.to_s + "::" + name.to_s).to_sym
|
28
|
-
end
|
29
|
-
|
30
|
-
if @current_module
|
31
|
-
name = (@current_module.name.to_s + "::" + name.to_s).to_sym
|
32
|
-
end
|
33
|
-
|
34
|
-
if @tracker.libs[name]
|
35
|
-
@current_class = @tracker.libs[name]
|
36
|
-
@current_class.add_file @file_name, exp
|
37
|
-
else
|
38
|
-
@current_class = Brakeman::Library.new name, parent, @file_name, exp, @tracker
|
39
|
-
@tracker.libs[name] = @current_class
|
40
|
-
end
|
41
|
-
|
42
|
-
exp.body = process_all! exp.body
|
43
|
-
|
44
|
-
if outer_class
|
45
|
-
@current_class = outer_class
|
46
|
-
else
|
47
|
-
@current_class = nil
|
48
|
-
end
|
49
|
-
|
50
|
-
exp
|
24
|
+
handle_class exp, @tracker.libs, Brakeman::Library
|
51
25
|
end
|
52
26
|
|
53
27
|
def process_module exp
|
54
|
-
|
55
|
-
|
56
|
-
if @current_module
|
57
|
-
outer_module = @current_module
|
58
|
-
name = (outer_module.name.to_s + "::" + name.to_s).to_sym
|
59
|
-
end
|
60
|
-
|
61
|
-
if @current_class
|
62
|
-
name = (@current_class.name.to_s + "::" + name.to_s).to_sym
|
63
|
-
end
|
64
|
-
|
65
|
-
if @tracker.libs[name]
|
66
|
-
@current_module = @tracker.libs[name]
|
67
|
-
@current_module.add_file @file_name, exp
|
68
|
-
else
|
69
|
-
@current_module = Brakeman::Library.new name, nil, @file_name, exp, @tracker
|
70
|
-
@tracker.libs[name] = @current_module
|
71
|
-
end
|
72
|
-
|
73
|
-
exp.body = process_all! exp.body
|
74
|
-
|
75
|
-
if outer_module
|
76
|
-
@current_module = outer_module
|
77
|
-
else
|
78
|
-
@current_module = nil
|
79
|
-
end
|
80
|
-
|
81
|
-
exp
|
28
|
+
handle_module exp, Brakeman::Library
|
82
29
|
end
|
83
30
|
|
84
31
|
def process_defn exp
|
@@ -1,8 +1,10 @@
|
|
1
1
|
require 'brakeman/processors/base_processor'
|
2
|
+
require 'brakeman/processors/lib/module_helper'
|
2
3
|
require 'brakeman/tracker/model'
|
3
4
|
|
4
5
|
#Processes models. Puts results in tracker.models
|
5
6
|
class Brakeman::ModelProcessor < Brakeman::BaseProcessor
|
7
|
+
include Brakeman::ModuleHelper
|
6
8
|
|
7
9
|
def initialize tracker
|
8
10
|
super
|
@@ -31,63 +33,11 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
|
|
31
33
|
return exp
|
32
34
|
end
|
33
35
|
|
34
|
-
|
35
|
-
outer_class = @current_class
|
36
|
-
name = (outer_class.name.to_s + "::" + name.to_s).to_sym
|
37
|
-
end
|
38
|
-
|
39
|
-
if @current_module
|
40
|
-
name = (@current_module.name.to_s + "::" + name.to_s).to_sym
|
41
|
-
end
|
42
|
-
|
43
|
-
if @tracker.models[name]
|
44
|
-
@current_class = @tracker.models[name]
|
45
|
-
@current_class.add_file @file_name, exp
|
46
|
-
else
|
47
|
-
@current_class = Brakeman::Model.new name, parent, @file_name, exp, @tracker
|
48
|
-
@tracker.models[name] = @current_class
|
49
|
-
end
|
50
|
-
|
51
|
-
exp.body = process_all! exp.body
|
52
|
-
|
53
|
-
if outer_class
|
54
|
-
@current_class = outer_class
|
55
|
-
else
|
56
|
-
@current_class = nil
|
57
|
-
end
|
58
|
-
|
59
|
-
exp
|
36
|
+
handle_class exp, @tracker.models, Brakeman::Model
|
60
37
|
end
|
61
38
|
|
62
39
|
def process_module exp
|
63
|
-
|
64
|
-
|
65
|
-
if @current_module
|
66
|
-
outer_module = @current_module
|
67
|
-
name = (outer_module.name.to_s + "::" + name.to_s).to_sym
|
68
|
-
end
|
69
|
-
|
70
|
-
if @current_class
|
71
|
-
name = (@current_class.name.to_s + "::" + name.to_s).to_sym
|
72
|
-
end
|
73
|
-
|
74
|
-
if @tracker.libs[name]
|
75
|
-
@current_module = @tracker.libs[name]
|
76
|
-
@current_module.add_file @file_name, exp
|
77
|
-
else
|
78
|
-
@current_module = Brakeman::Model.new name, nil, @file_name, exp, @tracker
|
79
|
-
@tracker.libs[name] = @current_module
|
80
|
-
end
|
81
|
-
|
82
|
-
exp.body = process_all! exp.body
|
83
|
-
|
84
|
-
if outer_module
|
85
|
-
@current_module = outer_module
|
86
|
-
else
|
87
|
-
@current_module = nil
|
88
|
-
end
|
89
|
-
|
90
|
-
exp
|
40
|
+
handle_module exp, Brakeman::Model
|
91
41
|
end
|
92
42
|
|
93
43
|
#Handle calls outside of methods,
|
@@ -138,54 +88,4 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
|
|
138
88
|
call
|
139
89
|
end
|
140
90
|
end
|
141
|
-
|
142
|
-
#Add method definition to tracker
|
143
|
-
def process_defn exp
|
144
|
-
return exp unless @current_class
|
145
|
-
name = exp.method_name
|
146
|
-
|
147
|
-
@current_method = name
|
148
|
-
res = Sexp.new :defn, name, exp.formal_args, *process_all!(exp.body)
|
149
|
-
res.line(exp.line)
|
150
|
-
@current_method = nil
|
151
|
-
|
152
|
-
if @current_class
|
153
|
-
@current_class.add_method @visibility, name, res, @file_name
|
154
|
-
elsif @current_module
|
155
|
-
@current_module.add_method @visibility, name, res, @file_name
|
156
|
-
end
|
157
|
-
|
158
|
-
res
|
159
|
-
end
|
160
|
-
|
161
|
-
#Add method definition to tracker
|
162
|
-
def process_defs exp
|
163
|
-
return exp unless @current_class
|
164
|
-
name = exp.method_name
|
165
|
-
|
166
|
-
if node_type? exp[1], :self
|
167
|
-
if @current_class
|
168
|
-
target = @current_class.name
|
169
|
-
elsif @current_module
|
170
|
-
target = @current_module.name
|
171
|
-
else
|
172
|
-
target = nil
|
173
|
-
end
|
174
|
-
else
|
175
|
-
target = class_name exp[1]
|
176
|
-
end
|
177
|
-
|
178
|
-
@current_method = name
|
179
|
-
res = Sexp.new :defs, target, name, exp.formal_args, *process_all!(exp.body)
|
180
|
-
res.line(exp.line)
|
181
|
-
@current_method = nil
|
182
|
-
|
183
|
-
if @current_class
|
184
|
-
@current_class.add_method @visibility, name, res, @file_name
|
185
|
-
elsif @current_module
|
186
|
-
@current_module.add_method @visibility, name, res, @file_name
|
187
|
-
end
|
188
|
-
res
|
189
|
-
end
|
190
|
-
|
191
91
|
end
|
@@ -16,20 +16,20 @@ class Brakeman::SlimTemplateProcessor < Brakeman::TemplateProcessor
|
|
16
16
|
arg = normalize_output(exp.first_arg)
|
17
17
|
|
18
18
|
if is_escaped? arg
|
19
|
-
|
19
|
+
add_escaped_output arg
|
20
20
|
elsif string? arg
|
21
21
|
ignore
|
22
22
|
elsif render? arg
|
23
|
-
|
23
|
+
add_output make_render_in_view arg
|
24
24
|
elsif string_interp? arg
|
25
25
|
process_inside_interp arg
|
26
26
|
elsif node_type? arg, :ignore
|
27
27
|
ignore
|
28
28
|
else
|
29
|
-
|
29
|
+
add_output arg
|
30
30
|
end
|
31
31
|
elsif is_escaped? exp
|
32
|
-
|
32
|
+
add_escaped_output exp.first_arg
|
33
33
|
elsif target == nil and method == :render
|
34
34
|
exp.arglist = process exp.arglist
|
35
35
|
make_render_in_view exp
|
@@ -39,20 +39,6 @@ class Brakeman::SlimTemplateProcessor < Brakeman::TemplateProcessor
|
|
39
39
|
end
|
40
40
|
end
|
41
41
|
|
42
|
-
def make_output exp
|
43
|
-
s = Sexp.new :output, exp
|
44
|
-
s.line(exp.line)
|
45
|
-
@current_template.add_output s
|
46
|
-
s
|
47
|
-
end
|
48
|
-
|
49
|
-
def make_escaped_output exp
|
50
|
-
s = Sexp.new :escaped_output, exp.first_arg
|
51
|
-
s.line(exp.line)
|
52
|
-
@current_template.add_output s
|
53
|
-
s
|
54
|
-
end
|
55
|
-
|
56
42
|
#Slim likes to interpolate output into strings then pass them to safe_concat.
|
57
43
|
#Better to pull those values out directly.
|
58
44
|
def process_inside_interp exp
|
@@ -76,13 +62,13 @@ class Brakeman::SlimTemplateProcessor < Brakeman::TemplateProcessor
|
|
76
62
|
elsif exp == SAFE_BUFFER
|
77
63
|
ignore
|
78
64
|
elsif render? exp
|
79
|
-
|
65
|
+
add_output make_render_in_view exp
|
80
66
|
elsif node_type? :output, :escaped_output
|
81
67
|
exp
|
82
68
|
elsif is_escaped? exp
|
83
|
-
|
69
|
+
add_escaped_output exp
|
84
70
|
else
|
85
|
-
|
71
|
+
add_output exp
|
86
72
|
end
|
87
73
|
end
|
88
74
|
end
|
@@ -71,4 +71,15 @@ class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
|
|
71
71
|
arg
|
72
72
|
end
|
73
73
|
end
|
74
|
+
|
75
|
+
def add_escaped_output output
|
76
|
+
add_output output, :escaped_output
|
77
|
+
end
|
78
|
+
|
79
|
+
def add_output output, type = :output
|
80
|
+
s = Sexp.new(type, output)
|
81
|
+
s.line(output.line)
|
82
|
+
@current_template.add_output s
|
83
|
+
s
|
84
|
+
end
|
74
85
|
end
|
data/lib/brakeman/scanner.rb
CHANGED
@@ -23,7 +23,7 @@ class Brakeman::Scanner
|
|
23
23
|
@app_tree = Brakeman::AppTree.from_options(options)
|
24
24
|
|
25
25
|
if (!@app_tree.root || !@app_tree.exists?("app")) && !options[:force_scan]
|
26
|
-
raise Brakeman::NoApplication, "Please supply the path to a Rails application."
|
26
|
+
raise Brakeman::NoApplication, "Please supply the path to a Rails application (looking in #{@app_tree.root})."
|
27
27
|
end
|
28
28
|
|
29
29
|
@processor = processor || Brakeman::Processor.new(@app_tree, options)
|
data/lib/brakeman/version.rb
CHANGED
data/lib/ruby_parser/bm_sexp.rb
CHANGED
@@ -3,7 +3,7 @@
|
|
3
3
|
#of a Sexp.
|
4
4
|
class Sexp
|
5
5
|
attr_accessor :original_line, :or_depth
|
6
|
-
ASSIGNMENT_BOOL = [:gasgn, :iasgn, :lasgn, :cvdecl, :cvasgn, :cdecl, :or, :and, :colon2]
|
6
|
+
ASSIGNMENT_BOOL = [:gasgn, :iasgn, :lasgn, :cvdecl, :cvasgn, :cdecl, :or, :and, :colon2, :op_asgn_or]
|
7
7
|
|
8
8
|
def method_missing name, *args
|
9
9
|
#Brakeman does not use this functionality,
|
@@ -51,7 +51,7 @@ class Sexp
|
|
51
51
|
|
52
52
|
def value
|
53
53
|
raise WrongSexpError, "Sexp#value called on multi-item Sexp", caller[1..-1] if size > 2
|
54
|
-
|
54
|
+
self[1]
|
55
55
|
end
|
56
56
|
|
57
57
|
def value= exp
|
@@ -436,7 +436,11 @@ class Sexp
|
|
436
436
|
expect :attrasgn, :safe_attrasgn, *ASSIGNMENT_BOOL
|
437
437
|
|
438
438
|
if self.node_type == :attrasgn or self.node_type == :safe_attrasgn
|
439
|
-
self[
|
439
|
+
if self[2] == :[]=
|
440
|
+
self[4]
|
441
|
+
else
|
442
|
+
self[3]
|
443
|
+
end
|
440
444
|
else
|
441
445
|
self[2]
|
442
446
|
end
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: brakeman-lib
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 3.3.
|
4
|
+
version: 3.3.3
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Justin Collins
|
@@ -9,7 +9,7 @@ autorequire:
|
|
9
9
|
bindir: bin
|
10
10
|
cert_chain:
|
11
11
|
- brakeman-public_cert.pem
|
12
|
-
date: 2016-
|
12
|
+
date: 2016-07-21 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: test-unit
|
@@ -278,6 +278,7 @@ files:
|
|
278
278
|
- lib/brakeman/processors/lib/find_all_calls.rb
|
279
279
|
- lib/brakeman/processors/lib/find_call.rb
|
280
280
|
- lib/brakeman/processors/lib/find_return_value.rb
|
281
|
+
- lib/brakeman/processors/lib/module_helper.rb
|
281
282
|
- lib/brakeman/processors/lib/processor_helper.rb
|
282
283
|
- lib/brakeman/processors/lib/rails2_config_processor.rb
|
283
284
|
- lib/brakeman/processors/lib/rails2_route_processor.rb
|
@@ -355,7 +356,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
355
356
|
version: '0'
|
356
357
|
requirements: []
|
357
358
|
rubyforge_project:
|
358
|
-
rubygems_version: 2.
|
359
|
+
rubygems_version: 2.4.8
|
359
360
|
signing_key:
|
360
361
|
specification_version: 4
|
361
362
|
summary: Security vulnerability scanner for Ruby on Rails.
|