brakeman-lib 3.6.1 → 3.6.2
- checksums.yaml +4 -4
- data/CHANGES +15 -0
- data/bin/brakeman +0 -3
- data/lib/brakeman.rb +8 -38
- data/lib/brakeman/checks/base_check.rb +1 -0
- data/lib/brakeman/checks/check_session_settings.rb +7 -1
- data/lib/brakeman/checks/check_sql.rb +11 -1
- data/lib/brakeman/options.rb +4 -4
- data/lib/brakeman/parsers/template_parser.rb +14 -12
- data/lib/brakeman/processors/haml_template_processor.rb +8 -0
- data/lib/brakeman/processors/lib/find_return_value.rb +3 -1
- data/lib/brakeman/util.rb +1 -1
- data/lib/brakeman/version.rb +1 -1
- metadata +6 -7
- data/lib/brakeman/brakeman.rake +0 -17
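--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: b009aece1db925bc835024219dd9728197628bc3
+data.tar.gz: b4d231e1a8d98847f66c220570ddfc733b92f8f6
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 9dd15326cb813bb0f2fd5bb588caaf4f7e1b30f8dc7a353a691f9490df10631aafd0218dd1c55f6e90c97d83401a6650cfb79d1afd073e7a06a9113026f95635
+data.tar.gz: 7a35e0864a7c7ad084291cf9a313e404a62f4daff8fb5d4d46ad1c8a7270b6e5781a9a56a640c482ae6fdcd500a4bfcb65fcf8a71ae147b2d8fedf4c2cd4c994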
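--- a/data/CHANGES
+++ b/data/CHANGES
@@ -1,3 +1,18 @@
+# 3.6.2
+
+* Handle safe call operator in checks
+* Better handling of `if` expressions in HAML rendering
+* Remove `--rake` option
+* Properly handle template names without `.html` or `.js`
+* Set template file names during rendering for better errors
+* Limit Slim dependency to before 3.0.8
+* Catch YAML parsing errors in session settings check
+* Avoid warning about SQLi with `to_s` in `exists?`
+* Update RubyParser to 3.9.0
+* Do not honor additional check paths in config by default
+* Handle empty `if` expressions when finding return values
+* Fix finding return value from empty `if`
+
 # 3.6.1
 
 * Fix error when using `--compare` (Sean Gransee)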
data/bin/brakeman
CHANGED
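--- a/data/lib/brakeman.rb
+++ b/data/lib/brakeman.rb
@@ -114,6 +114,14 @@ module Brakeman
 # After parsing the yaml config file for options, convert any string keys into symbols.
 options.keys.select {|k| k.is_a? String}.map {|k| k.to_sym }.each {|k| options[k] = options[k.to_s]; options.delete(k.to_s) }
 
+unless line_options[:allow_check_paths_in_config]
+if options.include? :additional_checks_path
+options.delete :additional_checks_path
+
+notify "[Notice] Ignoring additional check paths in config file. Use --allow-check-paths-in-config to allow" unless (options[:quiet] || quiet)
+end
+end
+
 # notify if options[:quiet] and quiet is nil||false
 notify "[Notice] Using configuration in #{config}" unless (options[:quiet] || quiet)
 options
@@ -269,43 +277,6 @@ module Brakeman
 end
 end
 
-#Installs Rake task for running Brakeman,
-#which basically means copying `lib/brakeman/brakeman.rake` to
-#`lib/tasks/brakeman.rake` in the current Rails application.
-def self.install_rake_task install_path = nil
-if install_path
-rake_path = File.join(install_path, "Rakefile")
-task_path = File.join(install_path, "lib", "tasks", "brakeman.rake")
-else
-rake_path = "Rakefile"
-task_path = File.join("lib", "tasks", "brakeman.rake")
-end
-
-if not File.exist? rake_path
-raise RakeInstallError, "No Rakefile detected"
-elsif File.exist? task_path
-raise RakeInstallError, "Task already exists"
-end
-
-require 'fileutils'
-
-if not File.exist? "lib/tasks"
-notify "Creating lib/tasks"
-FileUtils.mkdir_p "lib/tasks"
-end
-
-path = File.expand_path(File.dirname(__FILE__))
-
-FileUtils.cp "#{path}/brakeman/brakeman.rake", task_path
-
-if File.exist? task_path
-notify "Task created in #{task_path}"
-notify "Usage: rake brakeman:run[output_file]"
-else
-raise RakeInstallError, "Could not create task"
-end
-end
-
 #Output configuration to YAML
 def self.dump_config options
 require 'yaml'
@@ -534,7 +505,6 @@ module Brakeman
 end
 
 class DependencyError < RuntimeError; end
-class RakeInstallError < RuntimeError; end
 class NoBrakemanError < RuntimeError; end
 class NoApplication < RuntimeError; end
 class MissingChecksError < RuntimeError; end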
@@ -115,7 +115,13 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
|
|
115
115
|
yaml = @app_tree.read secrets_file
|
116
116
|
require 'date' # https://github.com/dtao/safe_yaml/issues/80
|
117
117
|
require 'safe_yaml/load'
|
118
|
-
|
118
|
+
begin
|
119
|
+
secrets = SafeYAML.load yaml
|
120
|
+
rescue Psych::SyntaxError, RuntimeError => e
|
121
|
+
Brakeman.notify "[Notice] #{self.class}: Unable to parse `#{secrets_file}`"
|
122
|
+
Brakeman.debug "Failed to parse #{secrets_file}: #{e.inspect}"
|
123
|
+
return
|
124
|
+
end
|
119
125
|
|
120
126
|
if secrets["production"] and secret = secrets["production"]["secret_key_base"]
|
121
127
|
unless secret.include? "<%="
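Review bot: The new `begin`/`rescue` only covers parse failures; a secrets file that loads as something other than a Hash (an empty file presumably yields `nil` from `SafeYAML.load`) still reaches `secrets["production"]` on the next line and raises `NoMethodError`, which this rescue does not catch. A one-line guard after the rescue's `end` keeps the same early-exit shape: `return unless secrets.is_a? Hash`. `rescue Psych::SyntaxError, RuntimeError` is also broad enough to hide unrelated failures raised inside the loader as a parse problem; if the intent is only YAML errors, narrowing the second class keeps real bugs visible. The enclosing method starts and ends outside the hunk.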
|
@@ -164,7 +164,9 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
164
164
|
dangerous_value = case method
|
165
165
|
when :find
|
166
166
|
check_find_arguments call.second_arg
|
167
|
-
when :exists
|
167
|
+
when :exists?
|
168
|
+
check_exists call.first_arg
|
169
|
+
when :delete_all, :destroy_all
|
168
170
|
check_find_arguments call.first_arg
|
169
171
|
when :named_scope, :scope
|
170
172
|
check_scope_arguments call
|
@@ -633,6 +635,14 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
633
635
|
end
|
634
636
|
end
|
635
637
|
|
638
|
+
def check_exists arg
|
639
|
+
if call? arg and arg.method == :to_s
|
640
|
+
false
|
641
|
+
else
|
642
|
+
check_find_arguments arg
|
643
|
+
end
|
644
|
+
end
|
645
|
+
|
636
646
|
#Prior to Rails 2.1.1, the :offset and :limit parameters were not
|
637
647
|
#escaping input properly.
|
638
648
|
#
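Review bot: `check_exists` in the second hunk exempts any argument whose outermost call is `to_s` from the SQL check without a comment saying why that is safe, and the changelog only records that the warning was avoided. The argument rests on Rails binding a String passed to `exists?` as the primary-key value rather than splicing it into SQL, which is a version-dependent contract, so record it above the `if`: `# A plain String given to exists? is bound as the primary key value, not used as a SQL fragment (confirm for the Rails versions supported), so an explicit to_s is not an injection sink.` The exemption only fires when `to_s` is the outermost call, so `"...#{x}".to_s + y` still goes through `check_find_arguments`, which looks intentional. Since the first hunk changes `when :exists` to `when :exists?`, that branch was presumably never reached before, so new `exists?` findings after this release are expected rather than regressions.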
|
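--- a/data/lib/brakeman/options.rb
+++ b/data/lib/brakeman/options.rb
@@ -280,6 +280,10 @@ module Brakeman::Options
 end
 end
 
+opts.on "--allow-check-paths-in-config", "Allow loading checks from configuration file (Unsafe)" do
+options[:allow_check_paths_in_config] = true
+end
+
 opts.separator ""
 
 opts.on "-k", "--checks", "List all available vulnerability checks" do
@@ -290,10 +294,6 @@ module Brakeman::Options
 options[:list_optional_checks] = true
 end
 
-opts.on "--rake", "Create rake task to run Brakeman" do
-options[:install_rake_task] = true
-end
-
 opts.on "-v", "--version", "Show Brakeman version" do
 options[:show_version] = true
 end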
@@ -22,11 +22,11 @@ module Brakeman
|
|
22
22
|
src = case type
|
23
23
|
when :erb
|
24
24
|
type = :erubis if erubis?
|
25
|
-
parse_erb text
|
25
|
+
parse_erb path, text
|
26
26
|
when :haml
|
27
|
-
parse_haml text
|
27
|
+
parse_haml path, text
|
28
28
|
when :slim
|
29
|
-
parse_slim text
|
29
|
+
parse_slim path, text
|
30
30
|
else
|
31
31
|
tracker.error "Unknown template type in #{path}"
|
32
32
|
nil
|
@@ -46,21 +46,21 @@ module Brakeman
|
|
46
46
|
nil
|
47
47
|
end
|
48
48
|
|
49
|
-
def parse_erb text
|
49
|
+
def parse_erb path, text
|
50
50
|
if tracker.config.escape_html?
|
51
51
|
if tracker.options[:rails3]
|
52
52
|
require 'brakeman/parsers/rails3_erubis'
|
53
|
-
Brakeman::Rails3Erubis.new(text).src
|
53
|
+
Brakeman::Rails3Erubis.new(text, :filename => path).src
|
54
54
|
else
|
55
55
|
require 'brakeman/parsers/rails2_xss_plugin_erubis'
|
56
|
-
Brakeman::Rails2XSSPluginErubis.new(text).src
|
56
|
+
Brakeman::Rails2XSSPluginErubis.new(text, :filename => path).src
|
57
57
|
end
|
58
58
|
elsif tracker.config.erubis?
|
59
59
|
require 'brakeman/parsers/rails2_erubis'
|
60
|
-
Brakeman::ScannerErubis.new(text).src
|
60
|
+
Brakeman::ScannerErubis.new(text, :filename => path).src
|
61
61
|
else
|
62
62
|
require 'erb'
|
63
|
-
src = ERB.new(text, nil,
|
63
|
+
src = ERB.new(text, nil, path).src
|
64
64
|
src.sub!(/^#.*\n/, '') if Brakeman::Scanner::RUBY_1_9
|
65
65
|
src
|
66
66
|
end
|
@@ -71,25 +71,27 @@ module Brakeman
|
|
71
71
|
tracker.config.erubis?
|
72
72
|
end
|
73
73
|
|
74
|
-
def parse_haml text
|
74
|
+
def parse_haml path, text
|
75
75
|
Brakeman.load_brakeman_dependency 'haml'
|
76
76
|
Brakeman.load_brakeman_dependency 'sass'
|
77
77
|
|
78
78
|
Haml::Engine.new(text,
|
79
|
+
:filename => path,
|
79
80
|
:escape_html => tracker.config.escape_html?).precompiled.gsub(/([^\\])\\n/, '\1')
|
80
81
|
end
|
81
82
|
|
82
|
-
def parse_slim text
|
83
|
+
def parse_slim path, text
|
83
84
|
Brakeman.load_brakeman_dependency 'slim'
|
84
85
|
|
85
|
-
Slim::Template.new(
|
86
|
+
Slim::Template.new(path,
|
87
|
+
:disable_capture => true,
|
86
88
|
:generator => Temple::Generators::RailsOutputBuffer) { text }.precompiled_template
|
87
89
|
end
|
88
90
|
|
89
91
|
def self.parse_inline_erb tracker, text
|
90
92
|
fp = Brakeman::FileParser.new(nil, nil)
|
91
93
|
tp = self.new(tracker, fp)
|
92
|
-
src = tp.parse_erb text
|
94
|
+
src = tp.parse_erb '_inline_', text
|
93
95
|
type = tp.erubis? ? :erubis : :erb
|
94
96
|
|
95
97
|
return type, fp.parse_ruby(src, "_inline_")
|
@@ -170,6 +170,14 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
|
|
170
170
|
exp
|
171
171
|
when :block, :rlist, :dstr
|
172
172
|
exp.map! { |e| get_pushed_value e }
|
173
|
+
when :if
|
174
|
+
clauses = [get_pushed_value(exp.then_clause), get_pushed_value(exp.else_clause)].compact
|
175
|
+
|
176
|
+
if clauses.length > 1
|
177
|
+
s(:or, *clauses)
|
178
|
+
else
|
179
|
+
clauses.first
|
180
|
+
end
|
173
181
|
else
|
174
182
|
if call? exp and exp.target == HAML_HELPERS and exp.method == :html_escape
|
175
183
|
add_escaped_output exp.first_arg
|
@@ -81,7 +81,9 @@ class Brakeman::FindReturnValue
|
|
81
81
|
then_clause = exp.then_clause
|
82
82
|
else_clause = exp.else_clause
|
83
83
|
|
84
|
-
if then_clause.nil?
|
84
|
+
if then_clause.nil? and else_clause.nil?
|
85
|
+
nil
|
86
|
+
elsif then_clause.nil?
|
85
87
|
last_value else_clause
|
86
88
|
elsif else_clause.nil?
|
87
89
|
last_value then_clause
|
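--- a/data/lib/brakeman/util.rb
+++ b/data/lib/brakeman/util.rb
@@ -429,7 +429,7 @@ module Brakeman::Util
 # views/test/something.html.erb -> test/something
 def template_path_to_name path
 names = path.split("/")
-names.last.gsub!(/(\.(html|js)\..*|\.rhtml)$/, '')
+names.last.gsub!(/(\.(html|js)\..*|\.(rhtml|haml|erb|slim))$/, '')
 names[(names.index("views") + 1)..-1].join("/").to_sym
 end
 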
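Review bot: The widened regex in `template_path_to_name` still anchors with `$`, which in Ruby matches at the end of any line rather than the end of the string; `\z` is the right anchor for a whole-path suffix check, and since only one suffix can match at the end `sub!` states the intent: `names.last.sub!(/(\.(html|js)\..*|\.(rhtml|haml|erb|slim))\z/, '')`. Not introduced here but on the next line, `names.index("views")` returns `nil` for a path with no `views` segment and `nil + 1` then raises `NoMethodError`; an explicit early return on a missing segment would give a clearer error.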
data/lib/brakeman/version.rb
CHANGED
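--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-version: 3.6.
+version: 3.6.2
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2017-
+date: 2017-05-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: minitest
@@ -31,14 +31,14 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 3.
+version: 3.9.0
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 3.
+version: 3.9.0
 - !ruby/object:Gem::Dependency
 name: ruby2ruby
 requirement: !ruby/object:Gem::Requirement
@@ -158,7 +158,7 @@ dependencies:
 version: 1.3.6
 - - "<"
 - !ruby/object:Gem::Version
-version:
+version: 3.0.8
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
@@ -168,7 +168,7 @@ dependencies:
 version: 1.3.6
 - - "<"
 - !ruby/object:Gem::Version
-version:
+version: 3.0.8
 description: Brakeman detects security vulnerabilities in Ruby on Rails applications
 via static analysis. This package declares gem dependencies instead of bundling
 them.
@@ -184,7 +184,6 @@ files:
 - bin/brakeman
 - lib/brakeman.rb
 - lib/brakeman/app_tree.rb
-- lib/brakeman/brakeman.rake
 - lib/brakeman/call_index.rb
 - lib/brakeman/checks.rb
 - lib/brakeman/checks/base_check.rb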
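--- a/data/lib/brakeman/brakeman.rake
+++ /dev/null
@@ -1,17 +0,0 @@
-namespace :brakeman do
-
-desc "Run Brakeman"
-task :run, :output_files do |t, args|
-require 'brakeman'
-
-files = args[:output_files].split(' ') if args[:output_files]
-Brakeman.run :app_path => ".", :output_files => files, :print_report => true
-end
-
-desc "Check your code with Brakeman"
-task :check do
-require 'brakeman'
-result = Brakeman.run app_path: '.', print_report: true
-exit Brakeman::Warnings_Found_Exit_Code unless result.filtered_warnings.empty?
-end
-end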