brakeman-lib 4.5.0 → 4.7.1

Files changed (91) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGES.md +164 -108
  3. data/README.md +6 -7
  4. data/lib/brakeman.rb +7 -0
  5. data/lib/brakeman/app_tree.rb +34 -22
  6. data/lib/brakeman/call_index.rb +54 -15
  7. data/lib/brakeman/checks.rb +7 -7
  8. data/lib/brakeman/checks/base_check.rb +59 -56
  9. data/lib/brakeman/checks/check_cookie_serialization.rb +22 -0
  10. data/lib/brakeman/checks/check_cross_site_scripting.rb +9 -4
  11. data/lib/brakeman/checks/check_default_routes.rb +5 -0
  12. data/lib/brakeman/checks/check_deserialize.rb +49 -0
  13. data/lib/brakeman/checks/check_dynamic_finders.rb +1 -1
  14. data/lib/brakeman/checks/check_execute.rb +26 -1
  15. data/lib/brakeman/checks/check_file_access.rb +7 -1
  16. data/lib/brakeman/checks/check_force_ssl.rb +27 -0
  17. data/lib/brakeman/checks/check_header_dos.rb +2 -2
  18. data/lib/brakeman/checks/check_i18n_xss.rb +2 -2
  19. data/lib/brakeman/checks/check_jruby_xml.rb +2 -2
  20. data/lib/brakeman/checks/check_json_parsing.rb +7 -2
  21. data/lib/brakeman/checks/check_link_to_href.rb +6 -1
  22. data/lib/brakeman/checks/check_mail_to.rb +1 -1
  23. data/lib/brakeman/checks/check_mime_type_dos.rb +2 -2
  24. data/lib/brakeman/checks/check_model_attr_accessible.rb +1 -1
  25. data/lib/brakeman/checks/check_model_attributes.rb +12 -50
  26. data/lib/brakeman/checks/check_model_serialize.rb +1 -1
  27. data/lib/brakeman/checks/check_nested_attributes_bypass.rb +4 -4
  28. data/lib/brakeman/checks/check_reverse_tabnabbing.rb +58 -0
  29. data/lib/brakeman/checks/check_sanitize_methods.rb +2 -2
  30. data/lib/brakeman/checks/check_secrets.rb +1 -1
  31. data/lib/brakeman/checks/check_session_settings.rb +15 -12
  32. data/lib/brakeman/checks/check_simple_format.rb +5 -0
  33. data/lib/brakeman/checks/check_skip_before_filter.rb +1 -1
  34. data/lib/brakeman/checks/check_sql.rb +15 -17
  35. data/lib/brakeman/checks/check_validation_regex.rb +1 -1
  36. data/lib/brakeman/checks/check_xml_dos.rb +2 -2
  37. data/lib/brakeman/checks/check_yaml_parsing.rb +10 -18
  38. data/lib/brakeman/differ.rb +16 -28
  39. data/lib/brakeman/file_parser.rb +10 -16
  40. data/lib/brakeman/file_path.rb +85 -0
  41. data/lib/brakeman/options.rb +7 -0
  42. data/lib/brakeman/parsers/haml_embedded.rb +1 -1
  43. data/lib/brakeman/parsers/template_parser.rb +6 -4
  44. data/lib/brakeman/processor.rb +4 -5
  45. data/lib/brakeman/processors/alias_processor.rb +27 -7
  46. data/lib/brakeman/processors/base_processor.rb +10 -7
  47. data/lib/brakeman/processors/controller_alias_processor.rb +10 -7
  48. data/lib/brakeman/processors/controller_processor.rb +9 -13
  49. data/lib/brakeman/processors/gem_processor.rb +10 -2
  50. data/lib/brakeman/processors/haml_template_processor.rb +92 -123
  51. data/lib/brakeman/processors/lib/call_conversion_helper.rb +5 -4
  52. data/lib/brakeman/processors/lib/find_all_calls.rb +27 -4
  53. data/lib/brakeman/processors/lib/find_call.rb +3 -64
  54. data/lib/brakeman/processors/lib/module_helper.rb +8 -8
  55. data/lib/brakeman/processors/lib/processor_helper.rb +3 -3
  56. data/lib/brakeman/processors/lib/rails2_config_processor.rb +4 -4
  57. data/lib/brakeman/processors/lib/rails2_route_processor.rb +2 -2
  58. data/lib/brakeman/processors/lib/rails3_config_processor.rb +3 -3
  59. data/lib/brakeman/processors/lib/rails3_route_processor.rb +2 -2
  60. data/lib/brakeman/processors/lib/render_helper.rb +2 -2
  61. data/lib/brakeman/processors/lib/render_path.rb +18 -1
  62. data/lib/brakeman/processors/library_processor.rb +5 -5
  63. data/lib/brakeman/processors/model_processor.rb +4 -5
  64. data/lib/brakeman/processors/output_processor.rb +5 -0
  65. data/lib/brakeman/processors/template_alias_processor.rb +32 -5
  66. data/lib/brakeman/processors/template_processor.rb +14 -10
  67. data/lib/brakeman/report.rb +3 -3
  68. data/lib/brakeman/report/ignore/config.rb +2 -3
  69. data/lib/brakeman/report/ignore/interactive.rb +2 -2
  70. data/lib/brakeman/report/pager.rb +1 -0
  71. data/lib/brakeman/report/report_base.rb +51 -6
  72. data/lib/brakeman/report/report_codeclimate.rb +3 -3
  73. data/lib/brakeman/report/report_hash.rb +1 -1
  74. data/lib/brakeman/report/report_html.rb +2 -2
  75. data/lib/brakeman/report/report_json.rb +1 -24
  76. data/lib/brakeman/report/report_table.rb +20 -4
  77. data/lib/brakeman/report/report_tabs.rb +1 -1
  78. data/lib/brakeman/report/report_text.rb +6 -7
  79. data/lib/brakeman/rescanner.rb +13 -12
  80. data/lib/brakeman/scanner.rb +19 -14
  81. data/lib/brakeman/tracker.rb +30 -6
  82. data/lib/brakeman/tracker/collection.rb +4 -3
  83. data/lib/brakeman/tracker/config.rb +44 -73
  84. data/lib/brakeman/tracker/constants.rb +2 -1
  85. data/lib/brakeman/util.rb +1 -147
  86. data/lib/brakeman/version.rb +1 -1
  87. data/lib/brakeman/warning.rb +27 -13
  88. data/lib/brakeman/warning_codes.rb +4 -0
  89. data/lib/ruby_parser/bm_sexp.rb +7 -2
  90. data/lib/ruby_parser/bm_sexp_processor.rb +1 -0
  91. metadata +27 -22
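--- a/data/lib/brakeman/warning_codes.rb
+++ b/data/lib/brakeman/warning_codes.rb
@@ -110,6 +110,10 @@ module Brakeman::WarningCodes
  :CVE_2018_8048 => 106,
  :CVE_2018_3741 => 107,
  :CVE_2018_3760 => 108,
+ :force_ssl_disabled => 109,
+ :unsafe_cookie_serialization => 110,
+ :reverse_tabnabbing => 111,
+ :custom_check => 9090,
  }
 
  def self.code name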
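Review bot: The new `:custom_check => 9090` entry breaks the sequential numbering used by every code above it without a comment saying why, so nothing tells a future maintainer that 9090 is deliberately out of band. Presumably the intent is that user-supplied checks can never collide with a built-in code, but it also means every custom check reports the same code, so any consumer that keys on the code alone (ignore files, report tooling, if they do) cannot tell custom checks apart — worth stating next to the value. Suggested comment above the line: `# Single out-of-band code shared by all user-supplied checks; built-in codes stay sequential above it.` The enclosing hash literal and module start outside the hunk.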
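--- a/data/lib/ruby_parser/bm_sexp.rb
+++ b/data/lib/ruby_parser/bm_sexp.rb
@@ -40,7 +40,7 @@ class Sexp
  s.line(line)
  else
  s.original_line = self.original_line
- s.line(self.line)
+ s.line(self.line) if self.line
  end
 
  s
@@ -371,7 +371,12 @@ class Sexp
  # s(:block, s(:lvar, :y), s(:call, nil, :z, s(:arglist))))
  def block_call
  expect :iter
- self[1]
+
+ if self[1].node_type == :lambda
+ s(:call, nil, :lambda).line(self.line)
+ else
+ self[1]
+ end
  end
 
  #Returns block of a call with a block.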
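Review bot: In `block_call`, the synthesized `s(:call, nil, :lambda).line(self.line)` passes `self.line` through unguarded, while the first hunk in this same file just added `s.line(self.line) if self.line` to avoid exactly that call when the line is nil. If `Sexp#line` rejects a nil argument (which appears to be the reason that guard exists), a lambda literal under a line-less iter node will raise here instead of being rewritten. The same guard keeps the two paths consistent: `call = s(:call, nil, :lambda)`, `call.line(self.line) if self.line`, `call`. The `else` branch returns `self[1]` unchanged, so only the lambda path is affected; the enclosing class Sexp continues outside the hunk, and the method changed by the first hunk starts outside it.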
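--- a/data/lib/ruby_parser/bm_sexp_processor.rb
+++ b/data/lib/ruby_parser/bm_sexp_processor.rb
@@ -45,6 +45,7 @@ class Brakeman::SexpProcessor
  @expected = Sexp
  @processors = self.class.processors
  @context = []
+ @current_class = @current_module = @current_method = @visibility = nil
 
  if @processors.empty?
  public_methods.each do |name|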
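Review bot: The added chained assignment `@current_class = @current_module = @current_method = @visibility = nil` initialises four separate pieces of walker state on one line without saying why they are set here, and the constructor body it sits in starts outside the hunk. Presumably the point is to make these ivars exist before any `process_*` method reads them, avoiding uninitialized-ivar warnings and making the tracked scope explicit — TODO confirm against the subclasses that assign them. A short comment would carry that intent: `# Scope tracked while walking a file (class/module/method/visibility); nil until a definition is entered.`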
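--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: brakeman-lib
  version: !ruby/object:Gem::Version
- version: 4.5.0
+ version: 4.7.1
  platform: ruby
  authors:
  - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
  bindir: bin
  cert_chain:
  - brakeman-public_cert.pem
- date: 2019-03-16 00:00:00.000000000 Z
+ date: 2019-10-29 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: minitest
@@ -39,6 +39,20 @@ dependencies:
  - - ">="
  - !ruby/object:Gem::Version
  version: '0'
+ - !ruby/object:Gem::Dependency
+ name: simplecov
+ requirement: !ruby/object:Gem::Requirement
+ requirements:
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: '0'
+ type: :development
+ prerelease: false
+ version_requirements: !ruby/object:Gem::Requirement
+ requirements:
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: '0'
  - !ruby/object:Gem::Dependency
  name: ruby_parser
  requirement: !ruby/object:Gem::Requirement
@@ -127,20 +141,14 @@ dependencies:
  name: highline
  requirement: !ruby/object:Gem::Requirement
  requirements:
- - - ">="
- - !ruby/object:Gem::Version
- version: 1.6.20
- - - "<"
+ - - "~>"
  - !ruby/object:Gem::Version
  version: '2.0'
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
- - - ">="
- - !ruby/object:Gem::Version
- version: 1.6.20
- - - "<"
+ - - "~>"
  - !ruby/object:Gem::Version
  version: '2.0'
  - !ruby/object:Gem::Dependency
@@ -161,22 +169,16 @@ dependencies:
  name: haml
  requirement: !ruby/object:Gem::Requirement
  requirements:
- - - ">="
- - !ruby/object:Gem::Version
- version: '3.0'
- - - "<"
+ - - "~>"
  - !ruby/object:Gem::Version
- version: '5.0'
+ version: '5.1'
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
- - - ">="
- - !ruby/object:Gem::Version
- version: '3.0'
- - - "<"
+ - - "~>"
  - !ruby/object:Gem::Version
- version: '5.0'
+ version: '5.1'
  - !ruby/object:Gem::Dependency
  name: slim
  requirement: !ruby/object:Gem::Requirement
@@ -218,6 +220,7 @@ files:
  - lib/brakeman/checks/check_basic_auth.rb
  - lib/brakeman/checks/check_basic_auth_timing_attack.rb
  - lib/brakeman/checks/check_content_tag.rb
+ - lib/brakeman/checks/check_cookie_serialization.rb
  - lib/brakeman/checks/check_create_with.rb
  - lib/brakeman/checks/check_cross_site_scripting.rb
  - lib/brakeman/checks/check_default_routes.rb
@@ -232,6 +235,7 @@ files:
  - lib/brakeman/checks/check_file_access.rb
  - lib/brakeman/checks/check_file_disclosure.rb
  - lib/brakeman/checks/check_filter_skipping.rb
+ - lib/brakeman/checks/check_force_ssl.rb
  - lib/brakeman/checks/check_forgery_setting.rb
  - lib/brakeman/checks/check_header_dos.rb
  - lib/brakeman/checks/check_i18n_xss.rb
@@ -257,6 +261,7 @@ files:
  - lib/brakeman/checks/check_render_dos.rb
  - lib/brakeman/checks/check_render_inline.rb
  - lib/brakeman/checks/check_response_splitting.rb
+ - lib/brakeman/checks/check_reverse_tabnabbing.rb
  - lib/brakeman/checks/check_route_dos.rb
  - lib/brakeman/checks/check_safe_buffer_manipulation.rb
  - lib/brakeman/checks/check_sanitize_methods.rb
@@ -289,6 +294,7 @@ files:
  - lib/brakeman/commandline.rb
  - lib/brakeman/differ.rb
  - lib/brakeman/file_parser.rb
+ - lib/brakeman/file_path.rb
  - lib/brakeman/format/style.css
  - lib/brakeman/messages.rb
  - lib/brakeman/options.rb
@@ -393,8 +399,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
- rubyforge_project:
- rubygems_version: 2.7.8
+ rubygems_version: 3.0.3
  signing_key:
  specification_version: 4
  summary: Security vulnerability scanner for Ruby on Rails.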