brakeman-lib 4.10.0 → 4.10.1
- checksums.yaml +4 -4
- data/CHANGES.md +8 -0
- data/lib/brakeman/checks/check_execute.rb +1 -1
- data/lib/brakeman/checks/check_regex_dos.rb +1 -1
- data/lib/brakeman/file_parser.rb +5 -0
- data/lib/brakeman/processors/alias_processor.rb +2 -2
- data/lib/brakeman/processors/controller_processor.rb +1 -1
- data/lib/brakeman/processors/haml_template_processor.rb +8 -1
- data/lib/brakeman/processors/output_processor.rb +1 -1
- data/lib/brakeman/processors/template_alias_processor.rb +5 -0
- data/lib/brakeman/tracker/controller.rb +1 -1
- data/lib/brakeman/util.rb +2 -2
- data/lib/brakeman/version.rb +1 -1
- data/lib/ruby_parser/bm_sexp.rb +9 -9
- metadata +19 -5
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 9433874563193068795eb4d4a90dd176132b04130cf68a9689753caff3c9df1e
|
4
|
+
data.tar.gz: 19e73894774e624624edecd48c28dd53aa4da68e7482afe272fec48398551040
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: fbbd606baa82361d62752a44a0c3a095083d8e3b89c213cad7e8bdc97341a7fd09c3973c80c50d58349dc5bc9e98fe2ca390710d2419636a81f40d6dd75add6f
|
7
|
+
data.tar.gz: 89331cbf5168e088bdac777e65b3ee4cbe3244792f64f3c13db084e00db0fc3ebf792801d7c1f7fcc2b3c929cafd83e27381ecd03550d69b761cb94cf228856b
|
data/CHANGES.md
CHANGED
@@ -1,3 +1,11 @@
|
|
1
|
+
# 4.10.1 - 2020-12-24
|
2
|
+
|
3
|
+
* Declare REXML as a dependency (Ruby 3.0 compatibility)
|
4
|
+
* Use `Sexp#sexp_body` instead of `Sexp#[..]` (Ruby 3.0 compatibility)
|
5
|
+
* Prevent render loops when template names are absolute paths
|
6
|
+
* Ensure RubyParser is passed file path as a String
|
7
|
+
* Support new Haml 5.2.0 escaping method
|
8
|
+
|
1
9
|
# 4.10.0 - 2020-09-28
|
2
10
|
|
3
11
|
* Add SARIF report format (Steve Winton)
|
@@ -208,7 +208,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
|
|
208
208
|
if node_type? e, :if
|
209
209
|
# If we're in a conditional, evaluate the `then` and `else` clauses to
|
210
210
|
# see if they're dangerous.
|
211
|
-
if res = dangerous?(e.
|
211
|
+
if res = dangerous?(e.sexp_body.sexp_body)
|
212
212
|
return res
|
213
213
|
end
|
214
214
|
elsif node_type? e, :or, :evstr, :dstr
|
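Review bot: `e.sexp_body.sexp_body` slices twice to step over the `:if` type and then the condition, allocating an intermediate Sexp and reading like a double strip; the rest of this diff uses the offset form (`first_arg.sexp_body(2)`, `self.sexp_body(3)`), so `if res = dangerous?(e.sexp_body(2))` says the same thing once and stays consistent with the other call sites. A short comment on that line, `# skip :if and the condition; leaves s(then, else) for dangerous?`, would spare the next reader the index arithmetic. `dangerous?` itself begins and ends outside the hunk.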
data/lib/brakeman/file_parser.rb
CHANGED
@@ -33,7 +33,12 @@ module Brakeman
|
|
33
33
|
end
|
34
34
|
end
|
35
35
|
|
36
|
+
# _path_ can be a string or a Brakeman::FilePath
|
36
37
|
def parse_ruby input, path
|
38
|
+
if path.is_a? Brakeman::FilePath
|
39
|
+
path = path.relative
|
40
|
+
end
|
41
|
+
|
37
42
|
begin
|
38
43
|
Brakeman.debug "Parsing #{path}"
|
39
44
|
RubyParser.new.parse input, path, @timeout
|
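Review bot: The new guard unwraps only `Brakeman::FilePath`; anything else that is not already a String (a `Pathname`, say) still reaches `RubyParser.new.parse` unchanged, although the comment above the method and the changelog entry in this diff both promise a String. Either coerce after the unwrap, `path = path.to_s`, or reject other types with `raise ArgumentError, "path must be a String or Brakeman::FilePath"`, so the contract in the comment is enforced rather than assumed; which is preferable depends on what callers pass, which is not visible here. The `begin` block that follows continues past the hunk.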
@@ -236,7 +236,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
236
236
|
env[target_var] = target
|
237
237
|
return target
|
238
238
|
elsif string? target and string_interp? first_arg
|
239
|
-
exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg
|
239
|
+
exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg.sexp_body(2))
|
240
240
|
env[target_var] = exp
|
241
241
|
elsif string? first_arg and string_interp? target
|
242
242
|
if string? target.last
|
@@ -941,7 +941,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
941
941
|
args = exp.args
|
942
942
|
exp.pop # remove last arg
|
943
943
|
if args.length > 1
|
944
|
-
exp.arglist = args
|
944
|
+
exp.arglist = args.sexp_body
|
945
945
|
end
|
946
946
|
end
|
947
947
|
|
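Review bot: In the second hunk `args.sexp_body` reads as "drop the node type", but `args` comes from `exp.args`, which this same release turns into a headless slice (`self.sexp_body(3)` in bm_sexp.rb), so what is actually dropped is the first argument; a comment should say so, because the preceding `exp.pop` only makes sense once you know that `Sexp#arglist=` appears to write by index without truncating (the arglist= hunk in this diff ends before its assignment loop, so that part is inferred) and the caller is compensating for the one-slot shrink. Suggested: `# args is headless (no node type): keep all but the first argument. exp.pop above` / `# freed one trailing slot because arglist= overwrites in place without truncating.` The enclosing method starts outside the hunk.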
@@ -76,6 +76,13 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
|
|
76
76
|
end
|
77
77
|
end
|
78
78
|
|
79
|
+
ESCAPE_METHODS = [
|
80
|
+
:html_escape,
|
81
|
+
:html_escape_without_haml_xss,
|
82
|
+
:escape_once,
|
83
|
+
:escape_once_without_haml_xss
|
84
|
+
]
|
85
|
+
|
79
86
|
def get_pushed_value exp, default = :output
|
80
87
|
return exp unless sexp? exp
|
81
88
|
|
@@ -105,7 +112,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
|
|
105
112
|
when :call
|
106
113
|
if exp.method == :to_s or exp.method == :strip
|
107
114
|
get_pushed_value(exp.target, default)
|
108
|
-
elsif haml_helpers? exp.target and exp.method
|
115
|
+
elsif haml_helpers? exp.target and ESCAPE_METHODS.include? exp.method
|
109
116
|
get_pushed_value(exp.first_arg, :escaped_output)
|
110
117
|
elsif @javascript and (exp.method == :j or exp.method == :escape_javascript) # TODO: Remove - this is not safe
|
111
118
|
get_pushed_value(exp.first_arg, :escaped_output)
|
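Review bot: `ESCAPE_METHODS` is now the allow-list that decides which `Haml::Helpers` calls are classified as `:escaped_output`, so it should be frozen (`].freeze`) and documented; a bare Ruby constant is mutable and nothing would stop a later `<<` from widening it silently. A comment above it along the lines of `# Haml helper calls treated as HTML-escaping output; anything not listed falls through and is reported as unescaped` states the safe default explicitly, and a second line noting that the `_without_haml_xss` names presumably come from Haml 5.2's method aliasing (the changelog cites 5.2.0) would explain why two spellings of each helper are listed — worth confirming against the Haml source. The constant is also declared between two methods rather than at the top of the class, where the file's other declarations would be expected.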
@@ -20,6 +20,11 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
|
|
20
20
|
|
21
21
|
#Process template
|
22
22
|
def process_template name, args, _, line = nil
|
23
|
+
# Strip forward slash from beginning of template path.
|
24
|
+
# This also happens in RenderHelper#process_template but
|
25
|
+
# we need it here too to accurately avoid circular renders below.
|
26
|
+
name = name.to_s.gsub(/^\//, "")
|
27
|
+
|
23
28
|
if @called_from
|
24
29
|
if @called_from.include_template? name
|
25
30
|
Brakeman.debug "Skipping circular render from #{@template.name} to #{name}"
|
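Review bot: `gsub(/^\//, "")` removes only one leading slash, so a name such as `//shared/header` comes out as `/shared/header`, still absolute, and the `include_template?` loop check below would miss it; `^` is also a line anchor in Ruby, so a newline inside a name would strip slashes mid-string. `name = name.to_s.sub(%r{\A/+}, "")` strips every leading slash and anchors at the start of the string. The comment says the same normalisation lives in RenderHelper#process_template (not in this diff), so whichever form is chosen should be applied in both places or the loop guard and the template lookup will disagree again. The rest of the method is outside the hunk.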
data/lib/brakeman/util.rb
CHANGED
@@ -321,7 +321,7 @@ module Brakeman::Util
|
|
321
321
|
if node_type? current, :class
|
322
322
|
return true
|
323
323
|
elsif sexp? current
|
324
|
-
todo = current
|
324
|
+
todo = current.sexp_body.concat todo
|
325
325
|
end
|
326
326
|
end
|
327
327
|
|
@@ -334,7 +334,7 @@ module Brakeman::Util
|
|
334
334
|
if args.empty? or args.first.empty?
|
335
335
|
#nothing to do
|
336
336
|
elsif node_type? args.first, :arglist
|
337
|
-
call.concat args.first
|
337
|
+
call.concat args.first.sexp_body
|
338
338
|
elsif args.first.node_type.is_a? Sexp #just a list of args
|
339
339
|
call.concat args.first
|
340
340
|
else
|
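Review bot: Both `sexp_body` substitutions in this file carry no explanation, and the reason is not visible in the code: per the changelog entry in this diff, on Ruby 3.0 a range slice of an Array subclass returns a plain Array, so `[1..-1]` changes the container type from Sexp to Array wherever the result is later treated as a Sexp, while `sexp_body` keeps it a Sexp. A one-line comment at the first changed site, `# sexp_body rather than [1..-1]: Ruby 3.0 returns a plain Array for range slices of Array subclasses`, would keep someone from reverting this as a cosmetic change. Both enclosing methods start outside their hunks.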
data/lib/brakeman/version.rb
CHANGED
data/lib/ruby_parser/bm_sexp.rb
CHANGED
@@ -175,7 +175,7 @@ class Sexp
|
|
175
175
|
start_index = 3
|
176
176
|
|
177
177
|
if exp.is_a? Sexp and exp.node_type == :arglist
|
178
|
-
exp = exp
|
178
|
+
exp = exp.sexp_body
|
179
179
|
end
|
180
180
|
|
181
181
|
exp.each_with_index do |e, i|
|
@@ -198,10 +198,10 @@ class Sexp
|
|
198
198
|
|
199
199
|
case self.node_type
|
200
200
|
when :call, :attrasgn, :safe_call, :safe_attrasgn
|
201
|
-
self
|
201
|
+
self.sexp_body(3).unshift :arglist
|
202
202
|
when :super, :zsuper
|
203
203
|
if self[1]
|
204
|
-
self
|
204
|
+
self.sexp_body.unshift :arglist
|
205
205
|
else
|
206
206
|
Sexp.new(:arglist)
|
207
207
|
end
|
@@ -218,13 +218,13 @@ class Sexp
|
|
218
218
|
case self.node_type
|
219
219
|
when :call, :attrasgn, :safe_call, :safe_attrasgn
|
220
220
|
if self[3]
|
221
|
-
self
|
221
|
+
self.sexp_body(3)
|
222
222
|
else
|
223
223
|
Sexp.new
|
224
224
|
end
|
225
225
|
when :super, :zsuper
|
226
226
|
if self[1]
|
227
|
-
self
|
227
|
+
self.sexp_body
|
228
228
|
else
|
229
229
|
Sexp.new
|
230
230
|
end
|
@@ -512,7 +512,7 @@ class Sexp
|
|
512
512
|
self.slice!(index..-1) #Remove old body
|
513
513
|
|
514
514
|
if exp.first == :rlist
|
515
|
-
exp = exp
|
515
|
+
exp = exp.sexp_body
|
516
516
|
end
|
517
517
|
|
518
518
|
#Insert new body
|
@@ -529,11 +529,11 @@ class Sexp
|
|
529
529
|
|
530
530
|
case self.node_type
|
531
531
|
when :defn, :class
|
532
|
-
self
|
532
|
+
self.sexp_body(3)
|
533
533
|
when :defs
|
534
|
-
self
|
534
|
+
self.sexp_body(4)
|
535
535
|
when :module
|
536
|
-
self
|
536
|
+
self.sexp_body(2)
|
537
537
|
end
|
538
538
|
end
|
539
539
|
|
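Review bot: `arglist=` still writes by index (the `each_with_index` loop at the end of the first hunk, whose body lies outside it) and, unlike `body=` further down which does `self.slice!(index..-1) #Remove old body` before inserting, appears not to drop the old trailing slots, so assigning a shorter list would leave stale arguments in place; the alias_processor change in this same diff seems to work around exactly that with an `exp.pop` before `exp.arglist = args.sexp_body`. If that reading is right, a `self.slice!(start_index..-1)` before the loop, mirroring `body=`, would make the setter self-contained and let the caller-side pop go; if the non-truncating behaviour is relied on somewhere, a comment on the setter saying so would prevent the next person from "fixing" it. The `arglist=` and `body=` methods both begin outside their hunks.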
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: brakeman-lib
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 4.10.
|
4
|
+
version: 4.10.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Justin Collins
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2020-
|
11
|
+
date: 2020-12-25 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: minitest
|
@@ -184,14 +184,14 @@ dependencies:
|
|
184
184
|
requirements:
|
185
185
|
- - "~>"
|
186
186
|
- !ruby/object:Gem::Version
|
187
|
-
version: 5.1
|
187
|
+
version: '5.1'
|
188
188
|
type: :runtime
|
189
189
|
prerelease: false
|
190
190
|
version_requirements: !ruby/object:Gem::Requirement
|
191
191
|
requirements:
|
192
192
|
- - "~>"
|
193
193
|
- !ruby/object:Gem::Version
|
194
|
-
version: 5.1
|
194
|
+
version: '5.1'
|
195
195
|
- !ruby/object:Gem::Dependency
|
196
196
|
name: slim
|
197
197
|
requirement: !ruby/object:Gem::Requirement
|
@@ -212,6 +212,20 @@ dependencies:
|
|
212
212
|
- - "<="
|
213
213
|
- !ruby/object:Gem::Version
|
214
214
|
version: '4.1'
|
215
|
+
- !ruby/object:Gem::Dependency
|
216
|
+
name: rexml
|
217
|
+
requirement: !ruby/object:Gem::Requirement
|
218
|
+
requirements:
|
219
|
+
- - "~>"
|
220
|
+
- !ruby/object:Gem::Version
|
221
|
+
version: '3.0'
|
222
|
+
type: :runtime
|
223
|
+
prerelease: false
|
224
|
+
version_requirements: !ruby/object:Gem::Requirement
|
225
|
+
requirements:
|
226
|
+
- - "~>"
|
227
|
+
- !ruby/object:Gem::Version
|
228
|
+
version: '3.0'
|
215
229
|
description: Brakeman detects security vulnerabilities in Ruby on Rails applications
|
216
230
|
via static analysis. This package declares gem dependencies instead of bundling
|
217
231
|
them.
|
@@ -425,7 +439,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
425
439
|
- !ruby/object:Gem::Version
|
426
440
|
version: '0'
|
427
441
|
requirements: []
|
428
|
-
rubygems_version: 3.
|
442
|
+
rubygems_version: 3.2.2
|
429
443
|
signing_key:
|
430
444
|
specification_version: 4
|
431
445
|
summary: Security vulnerability scanner for Ruby on Rails.
|
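Review bot: The new runtime dependency on `rexml` is constrained only by `~> 3.0`, which accepts every 3.x release from 3.0.0 up; since REXML is an XML parser that the scanner will presumably run over project files, the floor should be the version actually tested (Ruby 3.0 bundles rexml 3.2.4, I believe), e.g. `'>= 3.2.4', '< 4'` in the gemspec, so an older, untested parser cannot be resolved in on Ruby 2.x. Note also that `cert_chain: []` and the empty `signing_key:` show the gem is unsigned, so consumers have only the rubygems.org checksums (the checksums.yaml hunk at the top) to verify this release against. Both points are gemspec changes rather than edits to this generated metadata.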