brakeman-lib 4.4.0 → 4.7.0
- checksums.yaml +4 -4
- data/CHANGES.md +63 -0
- data/README.md +6 -7
- data/lib/brakeman.rb +7 -0
- data/lib/brakeman/app_tree.rb +34 -22
- data/lib/brakeman/call_index.rb +54 -15
- data/lib/brakeman/checks.rb +7 -7
- data/lib/brakeman/checks/base_check.rb +75 -56
- data/lib/brakeman/checks/check_content_tag.rb +12 -0
- data/lib/brakeman/checks/check_cookie_serialization.rb +22 -0
- data/lib/brakeman/checks/check_cross_site_scripting.rb +15 -10
- data/lib/brakeman/checks/check_default_routes.rb +5 -0
- data/lib/brakeman/checks/check_deserialize.rb +49 -0
- data/lib/brakeman/checks/check_dynamic_finders.rb +1 -1
- data/lib/brakeman/checks/check_evaluation.rb +0 -1
- data/lib/brakeman/checks/check_execute.rb +44 -1
- data/lib/brakeman/checks/check_file_access.rb +7 -1
- data/lib/brakeman/checks/check_force_ssl.rb +27 -0
- data/lib/brakeman/checks/check_header_dos.rb +2 -2
- data/lib/brakeman/checks/check_i18n_xss.rb +2 -2
- data/lib/brakeman/checks/check_jruby_xml.rb +2 -2
- data/lib/brakeman/checks/check_json_parsing.rb +7 -2
- data/lib/brakeman/checks/check_link_to_href.rb +6 -1
- data/lib/brakeman/checks/check_mail_to.rb +1 -1
- data/lib/brakeman/checks/check_mime_type_dos.rb +2 -2
- data/lib/brakeman/checks/check_model_attr_accessible.rb +1 -1
- data/lib/brakeman/checks/check_model_attributes.rb +12 -50
- data/lib/brakeman/checks/check_model_serialize.rb +1 -1
- data/lib/brakeman/checks/check_nested_attributes_bypass.rb +4 -4
- data/lib/brakeman/checks/check_reverse_tabnabbing.rb +54 -0
- data/lib/brakeman/checks/check_sanitize_methods.rb +2 -2
- data/lib/brakeman/checks/check_secrets.rb +1 -1
- data/lib/brakeman/checks/check_send.rb +0 -1
- data/lib/brakeman/checks/check_session_manipulation.rb +0 -1
- data/lib/brakeman/checks/check_session_settings.rb +15 -12
- data/lib/brakeman/checks/check_simple_format.rb +5 -0
- data/lib/brakeman/checks/check_skip_before_filter.rb +1 -1
- data/lib/brakeman/checks/check_sql.rb +27 -20
- data/lib/brakeman/checks/check_validation_regex.rb +1 -1
- data/lib/brakeman/checks/check_xml_dos.rb +2 -2
- data/lib/brakeman/checks/check_yaml_parsing.rb +10 -18
- data/lib/brakeman/differ.rb +16 -28
- data/lib/brakeman/file_parser.rb +6 -8
- data/lib/brakeman/file_path.rb +85 -0
- data/lib/brakeman/options.rb +7 -0
- data/lib/brakeman/parsers/haml_embedded.rb +44 -0
- data/lib/brakeman/parsers/slim_embedded.rb +44 -0
- data/lib/brakeman/parsers/template_parser.rb +8 -8
- data/lib/brakeman/processor.rb +4 -5
- data/lib/brakeman/processors/alias_processor.rb +49 -7
- data/lib/brakeman/processors/base_processor.rb +10 -7
- data/lib/brakeman/processors/controller_alias_processor.rb +10 -7
- data/lib/brakeman/processors/controller_processor.rb +9 -13
- data/lib/brakeman/processors/gem_processor.rb +10 -2
- data/lib/brakeman/processors/haml_template_processor.rb +92 -123
- data/lib/brakeman/processors/lib/call_conversion_helper.rb +4 -0
- data/lib/brakeman/processors/lib/find_all_calls.rb +27 -4
- data/lib/brakeman/processors/lib/find_call.rb +3 -64
- data/lib/brakeman/processors/lib/module_helper.rb +8 -8
- data/lib/brakeman/processors/lib/processor_helper.rb +3 -3
- data/lib/brakeman/processors/lib/rails2_config_processor.rb +4 -4
- data/lib/brakeman/processors/lib/rails2_route_processor.rb +2 -2
- data/lib/brakeman/processors/lib/rails3_config_processor.rb +3 -3
- data/lib/brakeman/processors/lib/rails3_route_processor.rb +2 -2
- data/lib/brakeman/processors/lib/render_helper.rb +2 -2
- data/lib/brakeman/processors/lib/render_path.rb +18 -1
- data/lib/brakeman/processors/library_processor.rb +5 -5
- data/lib/brakeman/processors/model_processor.rb +4 -5
- data/lib/brakeman/processors/output_processor.rb +5 -0
- data/lib/brakeman/processors/slim_template_processor.rb +16 -0
- data/lib/brakeman/processors/template_alias_processor.rb +32 -5
- data/lib/brakeman/processors/template_processor.rb +14 -10
- data/lib/brakeman/report.rb +3 -3
- data/lib/brakeman/report/ignore/config.rb +2 -3
- data/lib/brakeman/report/ignore/interactive.rb +2 -2
- data/lib/brakeman/report/pager.rb +1 -0
- data/lib/brakeman/report/report_base.rb +51 -6
- data/lib/brakeman/report/report_codeclimate.rb +3 -3
- data/lib/brakeman/report/report_hash.rb +1 -1
- data/lib/brakeman/report/report_html.rb +2 -2
- data/lib/brakeman/report/report_json.rb +1 -24
- data/lib/brakeman/report/report_table.rb +20 -4
- data/lib/brakeman/report/report_tabs.rb +1 -1
- data/lib/brakeman/report/report_text.rb +2 -2
- data/lib/brakeman/rescanner.rb +13 -12
- data/lib/brakeman/scanner.rb +24 -18
- data/lib/brakeman/tracker.rb +35 -7
- data/lib/brakeman/tracker/collection.rb +4 -3
- data/lib/brakeman/tracker/config.rb +44 -48
- data/lib/brakeman/tracker/constants.rb +2 -1
- data/lib/brakeman/util.rb +18 -147
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning.rb +27 -13
- data/lib/brakeman/warning_codes.rb +4 -0
- data/lib/ruby_parser/bm_sexp.rb +1 -1
- data/lib/ruby_parser/bm_sexp_processor.rb +1 -0
- metadata +58 -43
data/lib/brakeman/version.rb
CHANGED
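--- a/data/lib/brakeman/warning.rb
+++ b/data/lib/brakeman/warning.rb
@@ -9,7 +9,7 @@ class Brakeman::Warning
 :line, :method, :model, :template, :user_input, :user_input_type,
 :warning_code, :warning_set, :warning_type
 
-attr_accessor :code, :context, :file, :message
+attr_accessor :code, :context, :file, :message
 
 TEXT_CONFIDENCE = {
 0 => "High",
@@ -34,11 +34,11 @@ class Brakeman::Warning
 :file => :@file,
 :gem_info => :@gem_info,
 :line => :@line,
+:link => :@link,
 :link_path => :@link_path,
 :message => :@message,
 :method => :@method,
 :model => :@model,
-:relative_path => :@relative_path,
 :template => :@template,
 :user_input => :@user_input,
 :warning_set => :@warning_set,
@@ -100,9 +100,11 @@ class Brakeman::Warning
 unless @warning_set
 if self.model
 @warning_set = :model
+@file ||= self.model.file
 elsif self.template
 @warning_set = :template
 @called_from = self.template.render_path
+@file ||= self.template.file
 elsif self.controller
 @warning_set = :controller
 else
@@ -112,6 +114,8 @@ class Brakeman::Warning
 
 if options[:warning_code]
 @warning_code = Brakeman::WarningCodes.code options[:warning_code]
+else
+@warning_code = nil
 end
 
 Brakeman.debug("Warning created without warning code: #{options[:warning_code]}") unless @warning_code
@@ -221,7 +225,7 @@ class Brakeman::Warning
 when :template
 @row["Template"] = self.view_name.to_s
 when :model
-@row["Model"] = self.model.to_s
+@row["Model"] = self.model.name.to_s
 when :controller
 @row["Controller"] = self.controller.to_s
 when :warning
@@ -235,7 +239,7 @@ class Brakeman::Warning
 def to_s
 output = "(#{TEXT_CONFIDENCE[self.confidence]}) #{self.warning_type} - #{self.message}"
 output << " near line #{self.line}" if self.line
-output << " in #{self.file}" if self.file
+output << " in #{self.file.relative}" if self.file
 output << ": #{self.format_code}" if self.code
 
 output
@@ -247,37 +251,47 @@ class Brakeman::Warning
 warning_code_string = sprintf("%03d", @warning_code)
 code_string = @code.inspect
 
-Digest::SHA2.new(256).update("#{warning_code_string}#{code_string}#{location_string}#{
+Digest::SHA2.new(256).update("#{warning_code_string}#{code_string}#{location_string}#{self.file.relative}#{self.confidence}").to_s
 end
 
 def location include_renderer = true
 case @warning_set
 when :template
-
+{ :type => :template, :template => self.view_name(include_renderer) }
 when :model
-
+{ :type => :model, :model => self.model.name }
 when :controller
-
+{ :type => :controller, :controller => self.controller }
 when :warning
 if self.class
-
+{ :type => :method, :class => self.class, :method => self.method }
 else
-
+nil
 end
 end
 end
 
-def
+def relative_path
+self.file.relative
+end
+
+def to_hash absolute_paths: true
+if self.called_from and not absolute_paths
+render_path = self.called_from.with_relative_paths
+else
+render_path = self.called_from
+end
+
 { :warning_type => self.warning_type,
 :warning_code => @warning_code,
 :fingerprint => self.fingerprint,
 :check_name => self.check.gsub(/^Brakeman::Check/, ''),
 :message => self.message.to_s,
-:file => self.file,
+:file => (absolute_paths ? self.file.absolute : self.file.relative),
 :line => self.line,
 :link => self.link,
 :code => (@code && self.format_code(false)),
-:render_path =>
+:render_path => render_path,
 :location => self.location(false),
 :user_input => (@user_input && self.format_user_input(false)),
 :confidence => TEXT_CONFIDENCE[self.confidence]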
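--- a/data/lib/brakeman/warning_codes.rb
+++ b/data/lib/brakeman/warning_codes.rb
@@ -110,6 +110,10 @@ module Brakeman::WarningCodes
 :CVE_2018_8048 => 106,
 :CVE_2018_3741 => 107,
 :CVE_2018_3760 => 108,
+:force_ssl_disabled => 109,
+:unsafe_cookie_serialization => 110,
+:reverse_tabnabbing => 111,
+:custom_check => 9090,
 }
 
 def self.code name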
data/lib/ruby_parser/bm_sexp.rb
CHANGED
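--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-version: 4.
+version: 4.7.0
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2019-
+date: 2019-10-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: minitest
@@ -25,20 +25,62 @@ dependencies:
 - - ">="
 - !ruby/object:Gem::Version
 version: '0'
+- !ruby/object:Gem::Dependency
+name: minitest-ci
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: simplecov
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
 - !ruby/object:Gem::Dependency
 name: ruby_parser
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '3.
+version: '3.13'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '3.13'
+- !ruby/object:Gem::Dependency
+name: ruby_parser-legacy
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.0'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '
+version: '1.0'
 - !ruby/object:Gem::Dependency
 name: sexp_processor
 requirement: !ruby/object:Gem::Requirement
@@ -99,20 +141,14 @@ dependencies:
 name: highline
 requirement: !ruby/object:Gem::Requirement
 requirements:
-- - "
-- !ruby/object:Gem::Version
-version: 1.6.20
-- - "<"
+- - "~>"
 - !ruby/object:Gem::Version
 version: '2.0'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
-- - "
-- !ruby/object:Gem::Version
-version: 1.6.20
-- - "<"
+- - "~>"
 - !ruby/object:Gem::Version
 version: '2.0'
 - !ruby/object:Gem::Dependency
@@ -131,44 +167,18 @@ dependencies:
 version: '2.6'
 - !ruby/object:Gem::Dependency
 name: haml
-requirement: !ruby/object:Gem::Requirement
-requirements:
-- - ">="
-- !ruby/object:Gem::Version
-version: '3.0'
-- - "<"
-- !ruby/object:Gem::Version
-version: '5.0'
-type: :runtime
-prerelease: false
-version_requirements: !ruby/object:Gem::Requirement
-requirements:
-- - ">="
-- !ruby/object:Gem::Version
-version: '3.0'
-- - "<"
-- !ruby/object:Gem::Version
-version: '5.0'
-- !ruby/object:Gem::Dependency
-name: sass
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '
-- - "<"
-- !ruby/object:Gem::Version
-version: 3.5.0
+version: '5.1'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '
-- - "<"
-- !ruby/object:Gem::Version
-version: 3.5.0
+version: '5.1'
 - !ruby/object:Gem::Dependency
 name: slim
 requirement: !ruby/object:Gem::Requirement
@@ -210,6 +220,7 @@ files:
 - lib/brakeman/checks/check_basic_auth.rb
 - lib/brakeman/checks/check_basic_auth_timing_attack.rb
 - lib/brakeman/checks/check_content_tag.rb
+- lib/brakeman/checks/check_cookie_serialization.rb
 - lib/brakeman/checks/check_create_with.rb
 - lib/brakeman/checks/check_cross_site_scripting.rb
 - lib/brakeman/checks/check_default_routes.rb
@@ -224,6 +235,7 @@ files:
 - lib/brakeman/checks/check_file_access.rb
 - lib/brakeman/checks/check_file_disclosure.rb
 - lib/brakeman/checks/check_filter_skipping.rb
+- lib/brakeman/checks/check_force_ssl.rb
 - lib/brakeman/checks/check_forgery_setting.rb
 - lib/brakeman/checks/check_header_dos.rb
 - lib/brakeman/checks/check_i18n_xss.rb
@@ -249,6 +261,7 @@ files:
 - lib/brakeman/checks/check_render_dos.rb
 - lib/brakeman/checks/check_render_inline.rb
 - lib/brakeman/checks/check_response_splitting.rb
+- lib/brakeman/checks/check_reverse_tabnabbing.rb
 - lib/brakeman/checks/check_route_dos.rb
 - lib/brakeman/checks/check_safe_buffer_manipulation.rb
 - lib/brakeman/checks/check_sanitize_methods.rb
@@ -281,12 +294,15 @@ files:
 - lib/brakeman/commandline.rb
 - lib/brakeman/differ.rb
 - lib/brakeman/file_parser.rb
+- lib/brakeman/file_path.rb
 - lib/brakeman/format/style.css
 - lib/brakeman/messages.rb
 - lib/brakeman/options.rb
+- lib/brakeman/parsers/haml_embedded.rb
 - lib/brakeman/parsers/rails2_erubis.rb
 - lib/brakeman/parsers/rails2_xss_plugin_erubis.rb
 - lib/brakeman/parsers/rails3_erubis.rb
+- lib/brakeman/parsers/slim_embedded.rb
 - lib/brakeman/parsers/template_parser.rb
 - lib/brakeman/processor.rb
 - lib/brakeman/processors/alias_processor.rb
@@ -366,7 +382,7 @@ files:
 - lib/ruby_parser/bm_sexp_processor.rb
 homepage: http://brakemanscanner.org
 licenses:
--
+- Brakeman Public Use License
 metadata: {}
 post_install_message:
 rdoc_options: []
@@ -383,8 +399,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-
-rubygems_version: 2.7.8
+rubygems_version: 3.0.3
 signing_key:
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.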