brakeman-lib 4.4.0 → 4.7.0
- checksums.yaml +4 -4
- data/CHANGES.md +63 -0
- data/README.md +6 -7
- data/lib/brakeman.rb +7 -0
- data/lib/brakeman/app_tree.rb +34 -22
- data/lib/brakeman/call_index.rb +54 -15
- data/lib/brakeman/checks.rb +7 -7
- data/lib/brakeman/checks/base_check.rb +75 -56
- data/lib/brakeman/checks/check_content_tag.rb +12 -0
- data/lib/brakeman/checks/check_cookie_serialization.rb +22 -0
- data/lib/brakeman/checks/check_cross_site_scripting.rb +15 -10
- data/lib/brakeman/checks/check_default_routes.rb +5 -0
- data/lib/brakeman/checks/check_deserialize.rb +49 -0
- data/lib/brakeman/checks/check_dynamic_finders.rb +1 -1
- data/lib/brakeman/checks/check_evaluation.rb +0 -1
- data/lib/brakeman/checks/check_execute.rb +44 -1
- data/lib/brakeman/checks/check_file_access.rb +7 -1
- data/lib/brakeman/checks/check_force_ssl.rb +27 -0
- data/lib/brakeman/checks/check_header_dos.rb +2 -2
- data/lib/brakeman/checks/check_i18n_xss.rb +2 -2
- data/lib/brakeman/checks/check_jruby_xml.rb +2 -2
- data/lib/brakeman/checks/check_json_parsing.rb +7 -2
- data/lib/brakeman/checks/check_link_to_href.rb +6 -1
- data/lib/brakeman/checks/check_mail_to.rb +1 -1
- data/lib/brakeman/checks/check_mime_type_dos.rb +2 -2
- data/lib/brakeman/checks/check_model_attr_accessible.rb +1 -1
- data/lib/brakeman/checks/check_model_attributes.rb +12 -50
- data/lib/brakeman/checks/check_model_serialize.rb +1 -1
- data/lib/brakeman/checks/check_nested_attributes_bypass.rb +4 -4
- data/lib/brakeman/checks/check_reverse_tabnabbing.rb +54 -0
- data/lib/brakeman/checks/check_sanitize_methods.rb +2 -2
- data/lib/brakeman/checks/check_secrets.rb +1 -1
- data/lib/brakeman/checks/check_send.rb +0 -1
- data/lib/brakeman/checks/check_session_manipulation.rb +0 -1
- data/lib/brakeman/checks/check_session_settings.rb +15 -12
- data/lib/brakeman/checks/check_simple_format.rb +5 -0
- data/lib/brakeman/checks/check_skip_before_filter.rb +1 -1
- data/lib/brakeman/checks/check_sql.rb +27 -20
- data/lib/brakeman/checks/check_validation_regex.rb +1 -1
- data/lib/brakeman/checks/check_xml_dos.rb +2 -2
- data/lib/brakeman/checks/check_yaml_parsing.rb +10 -18
- data/lib/brakeman/differ.rb +16 -28
- data/lib/brakeman/file_parser.rb +6 -8
- data/lib/brakeman/file_path.rb +85 -0
- data/lib/brakeman/options.rb +7 -0
- data/lib/brakeman/parsers/haml_embedded.rb +44 -0
- data/lib/brakeman/parsers/slim_embedded.rb +44 -0
- data/lib/brakeman/parsers/template_parser.rb +8 -8
- data/lib/brakeman/processor.rb +4 -5
- data/lib/brakeman/processors/alias_processor.rb +49 -7
- data/lib/brakeman/processors/base_processor.rb +10 -7
- data/lib/brakeman/processors/controller_alias_processor.rb +10 -7
- data/lib/brakeman/processors/controller_processor.rb +9 -13
- data/lib/brakeman/processors/gem_processor.rb +10 -2
- data/lib/brakeman/processors/haml_template_processor.rb +92 -123
- data/lib/brakeman/processors/lib/call_conversion_helper.rb +4 -0
- data/lib/brakeman/processors/lib/find_all_calls.rb +27 -4
- data/lib/brakeman/processors/lib/find_call.rb +3 -64
- data/lib/brakeman/processors/lib/module_helper.rb +8 -8
- data/lib/brakeman/processors/lib/processor_helper.rb +3 -3
- data/lib/brakeman/processors/lib/rails2_config_processor.rb +4 -4
- data/lib/brakeman/processors/lib/rails2_route_processor.rb +2 -2
- data/lib/brakeman/processors/lib/rails3_config_processor.rb +3 -3
- data/lib/brakeman/processors/lib/rails3_route_processor.rb +2 -2
- data/lib/brakeman/processors/lib/render_helper.rb +2 -2
- data/lib/brakeman/processors/lib/render_path.rb +18 -1
- data/lib/brakeman/processors/library_processor.rb +5 -5
- data/lib/brakeman/processors/model_processor.rb +4 -5
- data/lib/brakeman/processors/output_processor.rb +5 -0
- data/lib/brakeman/processors/slim_template_processor.rb +16 -0
- data/lib/brakeman/processors/template_alias_processor.rb +32 -5
- data/lib/brakeman/processors/template_processor.rb +14 -10
- data/lib/brakeman/report.rb +3 -3
- data/lib/brakeman/report/ignore/config.rb +2 -3
- data/lib/brakeman/report/ignore/interactive.rb +2 -2
- data/lib/brakeman/report/pager.rb +1 -0
- data/lib/brakeman/report/report_base.rb +51 -6
- data/lib/brakeman/report/report_codeclimate.rb +3 -3
- data/lib/brakeman/report/report_hash.rb +1 -1
- data/lib/brakeman/report/report_html.rb +2 -2
- data/lib/brakeman/report/report_json.rb +1 -24
- data/lib/brakeman/report/report_table.rb +20 -4
- data/lib/brakeman/report/report_tabs.rb +1 -1
- data/lib/brakeman/report/report_text.rb +2 -2
- data/lib/brakeman/rescanner.rb +13 -12
- data/lib/brakeman/scanner.rb +24 -18
- data/lib/brakeman/tracker.rb +35 -7
- data/lib/brakeman/tracker/collection.rb +4 -3
- data/lib/brakeman/tracker/config.rb +44 -48
- data/lib/brakeman/tracker/constants.rb +2 -1
- data/lib/brakeman/util.rb +18 -147
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning.rb +27 -13
- data/lib/brakeman/warning_codes.rb +4 -0
- data/lib/ruby_parser/bm_sexp.rb +1 -1
- data/lib/ruby_parser/bm_sexp_processor.rb +1 -0
- metadata +58 -43
data/lib/brakeman/version.rb
CHANGED
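--- a/data/lib/brakeman/warning.rb
+++ b/data/lib/brakeman/warning.rb
@@ -9,7 +9,7 @@ class Brakeman::Warning
 :line, :method, :model, :template, :user_input, :user_input_type,
 :warning_code, :warning_set, :warning_type
 
-attr_accessor :code, :context, :file, :message
+attr_accessor :code, :context, :file, :message
 
 TEXT_CONFIDENCE = {
 0 => "High",
@@ -34,11 +34,11 @@ class Brakeman::Warning
 :file => :@file,
 :gem_info => :@gem_info,
 :line => :@line,
+:link => :@link,
 :link_path => :@link_path,
 :message => :@message,
 :method => :@method,
 :model => :@model,
-:relative_path => :@relative_path,
 :template => :@template,
 :user_input => :@user_input,
 :warning_set => :@warning_set,
@@ -100,9 +100,11 @@ class Brakeman::Warning
 unless @warning_set
 if self.model
 @warning_set = :model
+@file ||= self.model.file
 elsif self.template
 @warning_set = :template
 @called_from = self.template.render_path
+@file ||= self.template.file
 elsif self.controller
 @warning_set = :controller
 else
@@ -112,6 +114,8 @@ class Brakeman::Warning
 
 if options[:warning_code]
 @warning_code = Brakeman::WarningCodes.code options[:warning_code]
+else
+@warning_code = nil
 end
 
 Brakeman.debug("Warning created without warning code: #{options[:warning_code]}") unless @warning_code
@@ -221,7 +225,7 @@ class Brakeman::Warning
 when :template
 @row["Template"] = self.view_name.to_s
 when :model
-@row["Model"] = self.model.to_s
+@row["Model"] = self.model.name.to_s
 when :controller
 @row["Controller"] = self.controller.to_s
 when :warning
@@ -235,7 +239,7 @@ class Brakeman::Warning
 def to_s
 output = "(#{TEXT_CONFIDENCE[self.confidence]}) #{self.warning_type} - #{self.message}"
 output << " near line #{self.line}" if self.line
-output << " in #{self.file}" if self.file
+output << " in #{self.file.relative}" if self.file
 output << ": #{self.format_code}" if self.code
 
 output
@@ -247,37 +251,47 @@ class Brakeman::Warning
 warning_code_string = sprintf("%03d", @warning_code)
 code_string = @code.inspect
 
-Digest::SHA2.new(256).update("#{warning_code_string}#{code_string}#{location_string}#{
+Digest::SHA2.new(256).update("#{warning_code_string}#{code_string}#{location_string}#{self.file.relative}#{self.confidence}").to_s
 end
 
 def location include_renderer = true
 case @warning_set
 when :template
-
+{ :type => :template, :template => self.view_name(include_renderer) }
 when :model
-
+{ :type => :model, :model => self.model.name }
 when :controller
-
+{ :type => :controller, :controller => self.controller }
 when :warning
 if self.class
-
+{ :type => :method, :class => self.class, :method => self.method }
 else
-
+nil
 end
 end
 end
 
-def
+def relative_path
+self.file.relative
+end
+
+def to_hash absolute_paths: true
+if self.called_from and not absolute_paths
+render_path = self.called_from.with_relative_paths
+else
+render_path = self.called_from
+end
+
 { :warning_type => self.warning_type,
 :warning_code => @warning_code,
 :fingerprint => self.fingerprint,
 :check_name => self.check.gsub(/^Brakeman::Check/, ''),
 :message => self.message.to_s,
-:file => self.file,
+:file => (absolute_paths ? self.file.absolute : self.file.relative),
 :line => self.line,
 :link => self.link,
 :code => (@code && self.format_code(false)),
-:render_path =>
+:render_path => render_path,
 :location => self.location(false),
 :user_input => (@user_input && self.format_user_input(false)),
 :confidence => TEXT_CONFIDENCE[self.confidence]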
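Review bot: In the last hunk, `fingerprint`, the new `relative_path` and the new `to_hash` call `self.file.relative` / `self.file.absolute` with no nil guard, while `to_s` in the same class keeps its `if self.file` check; the `initialize` hunk only assigns `@file ||=` for the model and template cases, so if any caller still constructs a warning without `:file`, these three methods now raise NoMethodError on nil. A guard of the same shape as `to_s` keeps them total, e.g. `file_string = self.file ? self.file.relative : ""` feeding the digest in `fingerprint`, and the same conditional for the `:file` entry of `to_hash`. Separately, `to_hash` defaults to `absolute_paths: true`, so any report built from it embeds the scanning host's directory layout unless the caller opts out; a short comment on the keyword such as `# absolute_paths: false keeps host paths out of shared reports` would make the trade-off visible at call sites. Style: `if self.called_from and not absolute_paths` reads more conventionally as `if self.called_from && !absolute_paths`. The `to_hash` hash literal continues past the end of this hunk.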
@@ -110,6 +110,10 @@ module Brakeman::WarningCodes
|
|
110
110
|
:CVE_2018_8048 => 106,
|
111
111
|
:CVE_2018_3741 => 107,
|
112
112
|
:CVE_2018_3760 => 108,
|
113
|
+
:force_ssl_disabled => 109,
|
114
|
+
:unsafe_cookie_serialization => 110,
|
115
|
+
:reverse_tabnabbing => 111,
|
116
|
+
:custom_check => 9090,
|
113
117
|
}
|
114
118
|
|
115
119
|
def self.code name
|
data/lib/ruby_parser/bm_sexp.rb
CHANGED
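--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-version: 4.
+version: 4.7.0
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2019-
+date: 2019-10-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: minitest
@@ -25,20 +25,62 @@ dependencies:
 - - ">="
 - !ruby/object:Gem::Version
 version: '0'
+- !ruby/object:Gem::Dependency
+name: minitest-ci
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: simplecov
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
 - !ruby/object:Gem::Dependency
 name: ruby_parser
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '3.
+version: '3.13'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '3.13'
+- !ruby/object:Gem::Dependency
+name: ruby_parser-legacy
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.0'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '
+version: '1.0'
 - !ruby/object:Gem::Dependency
 name: sexp_processor
 requirement: !ruby/object:Gem::Requirement
@@ -99,20 +141,14 @@ dependencies:
 name: highline
 requirement: !ruby/object:Gem::Requirement
 requirements:
-- - "
-- !ruby/object:Gem::Version
-version: 1.6.20
-- - "<"
+- - "~>"
 - !ruby/object:Gem::Version
 version: '2.0'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
-- - "
-- !ruby/object:Gem::Version
-version: 1.6.20
-- - "<"
+- - "~>"
 - !ruby/object:Gem::Version
 version: '2.0'
 - !ruby/object:Gem::Dependency
@@ -131,44 +167,18 @@ dependencies:
 version: '2.6'
 - !ruby/object:Gem::Dependency
 name: haml
-requirement: !ruby/object:Gem::Requirement
-requirements:
-- - ">="
-- !ruby/object:Gem::Version
-version: '3.0'
-- - "<"
-- !ruby/object:Gem::Version
-version: '5.0'
-type: :runtime
-prerelease: false
-version_requirements: !ruby/object:Gem::Requirement
-requirements:
-- - ">="
-- !ruby/object:Gem::Version
-version: '3.0'
-- - "<"
-- !ruby/object:Gem::Version
-version: '5.0'
-- !ruby/object:Gem::Dependency
-name: sass
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '
-- - "<"
-- !ruby/object:Gem::Version
-version: 3.5.0
+version: '5.1'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '
-- - "<"
-- !ruby/object:Gem::Version
-version: 3.5.0
+version: '5.1'
 - !ruby/object:Gem::Dependency
 name: slim
 requirement: !ruby/object:Gem::Requirement
@@ -210,6 +220,7 @@ files:
 - lib/brakeman/checks/check_basic_auth.rb
 - lib/brakeman/checks/check_basic_auth_timing_attack.rb
 - lib/brakeman/checks/check_content_tag.rb
+- lib/brakeman/checks/check_cookie_serialization.rb
 - lib/brakeman/checks/check_create_with.rb
 - lib/brakeman/checks/check_cross_site_scripting.rb
 - lib/brakeman/checks/check_default_routes.rb
@@ -224,6 +235,7 @@ files:
 - lib/brakeman/checks/check_file_access.rb
 - lib/brakeman/checks/check_file_disclosure.rb
 - lib/brakeman/checks/check_filter_skipping.rb
+- lib/brakeman/checks/check_force_ssl.rb
 - lib/brakeman/checks/check_forgery_setting.rb
 - lib/brakeman/checks/check_header_dos.rb
 - lib/brakeman/checks/check_i18n_xss.rb
@@ -249,6 +261,7 @@ files:
 - lib/brakeman/checks/check_render_dos.rb
 - lib/brakeman/checks/check_render_inline.rb
 - lib/brakeman/checks/check_response_splitting.rb
+- lib/brakeman/checks/check_reverse_tabnabbing.rb
 - lib/brakeman/checks/check_route_dos.rb
 - lib/brakeman/checks/check_safe_buffer_manipulation.rb
 - lib/brakeman/checks/check_sanitize_methods.rb
@@ -281,12 +294,15 @@ files:
 - lib/brakeman/commandline.rb
 - lib/brakeman/differ.rb
 - lib/brakeman/file_parser.rb
+- lib/brakeman/file_path.rb
 - lib/brakeman/format/style.css
 - lib/brakeman/messages.rb
 - lib/brakeman/options.rb
+- lib/brakeman/parsers/haml_embedded.rb
 - lib/brakeman/parsers/rails2_erubis.rb
 - lib/brakeman/parsers/rails2_xss_plugin_erubis.rb
 - lib/brakeman/parsers/rails3_erubis.rb
+- lib/brakeman/parsers/slim_embedded.rb
 - lib/brakeman/parsers/template_parser.rb
 - lib/brakeman/processor.rb
 - lib/brakeman/processors/alias_processor.rb
@@ -366,7 +382,7 @@ files:
 - lib/ruby_parser/bm_sexp_processor.rb
 homepage: http://brakemanscanner.org
 licenses:
--
+- Brakeman Public Use License
 metadata: {}
 post_install_message:
 rdoc_options: []
@@ -383,8 +399,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-
-rubygems_version: 2.7.8
+rubygems_version: 3.0.3
 signing_key:
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.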