brakeman-lib 4.3.1 → 4.4.0

data/lib/brakeman/report/report_tabs.rb

@@ -1,6 +1,8 @@
+require 'brakeman/report/report_table'
+
 #Generated tab-separated output suitable for the Jenkins Brakeman Plugin:
 #https://github.com/presidentbeef/brakeman-jenkins-plugin
-class Brakeman::Report::Tabs < Brakeman::Report::Base
+class Brakeman::Report::Tabs < Brakeman::Report::Table
   def generate_report
     [[:generic_warnings, "General"], [:controller_warnings, "Controller"],
       [:model_warnings, "Model"], [:template_warnings, "Template"]].map do |meth, category|

data/lib/brakeman/report/report_text.rb

@@ -33,6 +33,22 @@ class Brakeman::Report::Text < Brakeman::Report::Base
     end
   end
 
+  def generate_controllers
+    double_space "Controller Overview", controller_information.map { |ci|
+      controller = [
+        label("Controller", ci["Name"]),
+        label("Parent", ci["Parent"]),
+        label("Routes", ci["Routes"])
+      ]
+
+      if ci["Includes"] and not ci["Includes"].empty?
+        controller.insert(2, label("Includes", ci["Includes"]))
+      end
+
+      controller
+    }
+  end
+
   def generate_header
     [
       header("Brakeman Report"), 

data/lib/brakeman/scanner.rb

@@ -143,7 +143,11 @@ class Brakeman::Scanner
       gem_files[:gemlock] = { :src => @app_tree.read("gems.locked"), :file => "gems.locked" }
     end
 
-    if gem_files[:gemfile] or gem_files[:gemlock]
+    if @app_tree.gemspec
+      gem_files[:gemspec] = { :src => parse_ruby(@app_tree.read(@app_tree.gemspec)), :file => @app_tree.gemspec }
+    end
+
+    if not gem_files.empty?
       @processor.process_gems gem_files
     end
   rescue => e

data/lib/brakeman/tracker/config.rb

@@ -81,7 +81,7 @@ module Brakeman
     def set_rails_version
       # Ignore ~>, etc. when using values from Gemfile
       version = gem_version(:rails) || gem_version(:railties)
-      if version and version.match(/(\d+\.\d+\.\d+.*)/)
+      if version and version.match(/(\d+\.\d+(\.\d+.*)?)/)
         @rails_version = $1
 
         if tracker.options[:rails3].nil? and tracker.options[:rails4].nil?

data/lib/brakeman/util.rb

@@ -483,21 +483,4 @@ module Brakeman::Util
       end
     end.join
   end
-
-  # rely on Terminal::Table to build the structure, extract the data out in CSV format
-  def table_to_csv table
-    return "" unless table
-
-    Brakeman.load_brakeman_dependency 'terminal-table'
-    headings = table.headings
-    if headings.is_a? Array
-      headings = headings.first
-    end
-
-    output = CSV.generate_line(headings.cells.map{|cell| cell.to_s.strip})
-    table.rows.each do |row|
-      output << CSV.generate_line(row.cells.map{|cell| cell.to_s.strip})
-    end
-    output
-  end
 end

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "4.3.1"
+  Version = "4.4.0"
 end

data/lib/brakeman/warning.rb

@@ -1,6 +1,7 @@
 require 'json'
 require 'digest/sha2'
 require 'brakeman/warning_codes'
+require 'brakeman/messages'
 
 #The Warning class stores information about warnings
 class Brakeman::Warning
@@ -115,6 +116,10 @@ class Brakeman::Warning
 
     Brakeman.debug("Warning created without warning code: #{options[:warning_code]}") unless @warning_code
 
+    if options[:message].is_a? String
+      @message = Brakeman::Messages::Message.new(options[:message])
+    end
+
     @format_message = nil
     @row = nil
   end
@@ -176,7 +181,7 @@ class Brakeman::Warning
   def format_message
     return @format_message if @format_message
 
-    @format_message = self.message.dup
+    @format_message = self.message.to_s.dup
 
     if self.line
       @format_message << " near line #{self.line}"
@@ -208,9 +213,9 @@ class Brakeman::Warning
 
   #Generates a hash suitable for inserting into a table
   def to_row type = :warning
-    @row = { "Confidence" => self.confidence,
+    @row = { "Confidence" => TEXT_CONFIDENCE[self.confidence],
       "Warning Type" => self.warning_type.to_s,
-      "Message" => self.format_message }
+      "Message" => self.message }
 
     case type
     when :template
@@ -267,7 +272,7 @@ class Brakeman::Warning
       :warning_code => @warning_code,
       :fingerprint => self.fingerprint,
       :check_name => self.check.gsub(/^Brakeman::Check/, ''),
-      :message => self.message,
+      :message => self.message.to_s,
       :file => self.file,
       :line => self.line,
       :link => self.link,

data/lib/brakeman/warning_codes.rb

@@ -109,6 +109,7 @@ module Brakeman::WarningCodes
     :dangerous_permit_key => 105,
     :CVE_2018_8048 => 106,
     :CVE_2018_3741 => 107,
+    :CVE_2018_3760 => 108,
   }
 
   def self.code name

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 4.3.1
+  version: 4.4.0
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2018-06-07 00:00:00.000000000 Z
+date: 2019-01-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -31,14 +31,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.11.0
+        version: '3.12'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.11.0
+        version: '3.12'
 - !ruby/object:Gem::Dependency
   name: sexp_processor
   requirement: !ruby/object:Gem::Requirement
@@ -176,9 +176,9 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.3.6
-    - - "<"
+    - - "<="
       - !ruby/object:Gem::Version
-        version: 3.0.8
+        version: 4.0.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -186,9 +186,9 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.3.6
-    - - "<"
+    - - "<="
       - !ruby/object:Gem::Version
-        version: 3.0.8
+        version: 4.0.1
 description: Brakeman detects security vulnerabilities in Ruby on Rails applications
   via static analysis. This package declares gem dependencies instead of bundling
   them.
@@ -262,6 +262,7 @@ files:
 - lib/brakeman/checks/check_simple_format.rb
 - lib/brakeman/checks/check_single_quotes.rb
 - lib/brakeman/checks/check_skip_before_filter.rb
+- lib/brakeman/checks/check_sprockets_path_traversal.rb
 - lib/brakeman/checks/check_sql.rb
 - lib/brakeman/checks/check_sql_cves.rb
 - lib/brakeman/checks/check_ssl_verify.rb
@@ -281,6 +282,7 @@ files:
 - lib/brakeman/differ.rb
 - lib/brakeman/file_parser.rb
 - lib/brakeman/format/style.css
+- lib/brakeman/messages.rb
 - lib/brakeman/options.rb
 - lib/brakeman/parsers/rails2_erubis.rb
 - lib/brakeman/parsers/rails2_xss_plugin_erubis.rb
@@ -307,6 +309,7 @@ files:
 - lib/brakeman/processors/lib/rails2_route_processor.rb
 - lib/brakeman/processors/lib/rails3_config_processor.rb
 - lib/brakeman/processors/lib/rails3_route_processor.rb
+- lib/brakeman/processors/lib/rails4_config_processor.rb
 - lib/brakeman/processors/lib/render_helper.rb
 - lib/brakeman/processors/lib/render_path.rb
 - lib/brakeman/processors/lib/route_helper.rb
@@ -363,7 +366,7 @@ files:
 - lib/ruby_parser/bm_sexp_processor.rb
 homepage: http://brakemanscanner.org
 licenses:
-- MIT
+- CC-BY-NC-SA-4.0
 metadata: {}
 post_install_message: 
 rdoc_options: []
@@ -381,7 +384,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 2.7.8
 signing_key: 
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.