brakeman-lib 4.5.0 → 4.7.1
- checksums.yaml +4 -4
- data/CHANGES.md +164 -108
- data/README.md +6 -7
- data/lib/brakeman.rb +7 -0
- data/lib/brakeman/app_tree.rb +34 -22
- data/lib/brakeman/call_index.rb +54 -15
- data/lib/brakeman/checks.rb +7 -7
- data/lib/brakeman/checks/base_check.rb +59 -56
- data/lib/brakeman/checks/check_cookie_serialization.rb +22 -0
- data/lib/brakeman/checks/check_cross_site_scripting.rb +9 -4
- data/lib/brakeman/checks/check_default_routes.rb +5 -0
- data/lib/brakeman/checks/check_deserialize.rb +49 -0
- data/lib/brakeman/checks/check_dynamic_finders.rb +1 -1
- data/lib/brakeman/checks/check_execute.rb +26 -1
- data/lib/brakeman/checks/check_file_access.rb +7 -1
- data/lib/brakeman/checks/check_force_ssl.rb +27 -0
- data/lib/brakeman/checks/check_header_dos.rb +2 -2
- data/lib/brakeman/checks/check_i18n_xss.rb +2 -2
- data/lib/brakeman/checks/check_jruby_xml.rb +2 -2
- data/lib/brakeman/checks/check_json_parsing.rb +7 -2
- data/lib/brakeman/checks/check_link_to_href.rb +6 -1
- data/lib/brakeman/checks/check_mail_to.rb +1 -1
- data/lib/brakeman/checks/check_mime_type_dos.rb +2 -2
- data/lib/brakeman/checks/check_model_attr_accessible.rb +1 -1
- data/lib/brakeman/checks/check_model_attributes.rb +12 -50
- data/lib/brakeman/checks/check_model_serialize.rb +1 -1
- data/lib/brakeman/checks/check_nested_attributes_bypass.rb +4 -4
- data/lib/brakeman/checks/check_reverse_tabnabbing.rb +58 -0
- data/lib/brakeman/checks/check_sanitize_methods.rb +2 -2
- data/lib/brakeman/checks/check_secrets.rb +1 -1
- data/lib/brakeman/checks/check_session_settings.rb +15 -12
- data/lib/brakeman/checks/check_simple_format.rb +5 -0
- data/lib/brakeman/checks/check_skip_before_filter.rb +1 -1
- data/lib/brakeman/checks/check_sql.rb +15 -17
- data/lib/brakeman/checks/check_validation_regex.rb +1 -1
- data/lib/brakeman/checks/check_xml_dos.rb +2 -2
- data/lib/brakeman/checks/check_yaml_parsing.rb +10 -18
- data/lib/brakeman/differ.rb +16 -28
- data/lib/brakeman/file_parser.rb +10 -16
- data/lib/brakeman/file_path.rb +85 -0
- data/lib/brakeman/options.rb +7 -0
- data/lib/brakeman/parsers/haml_embedded.rb +1 -1
- data/lib/brakeman/parsers/template_parser.rb +6 -4
- data/lib/brakeman/processor.rb +4 -5
- data/lib/brakeman/processors/alias_processor.rb +27 -7
- data/lib/brakeman/processors/base_processor.rb +10 -7
- data/lib/brakeman/processors/controller_alias_processor.rb +10 -7
- data/lib/brakeman/processors/controller_processor.rb +9 -13
- data/lib/brakeman/processors/gem_processor.rb +10 -2
- data/lib/brakeman/processors/haml_template_processor.rb +92 -123
- data/lib/brakeman/processors/lib/call_conversion_helper.rb +5 -4
- data/lib/brakeman/processors/lib/find_all_calls.rb +27 -4
- data/lib/brakeman/processors/lib/find_call.rb +3 -64
- data/lib/brakeman/processors/lib/module_helper.rb +8 -8
- data/lib/brakeman/processors/lib/processor_helper.rb +3 -3
- data/lib/brakeman/processors/lib/rails2_config_processor.rb +4 -4
- data/lib/brakeman/processors/lib/rails2_route_processor.rb +2 -2
- data/lib/brakeman/processors/lib/rails3_config_processor.rb +3 -3
- data/lib/brakeman/processors/lib/rails3_route_processor.rb +2 -2
- data/lib/brakeman/processors/lib/render_helper.rb +2 -2
- data/lib/brakeman/processors/lib/render_path.rb +18 -1
- data/lib/brakeman/processors/library_processor.rb +5 -5
- data/lib/brakeman/processors/model_processor.rb +4 -5
- data/lib/brakeman/processors/output_processor.rb +5 -0
- data/lib/brakeman/processors/template_alias_processor.rb +32 -5
- data/lib/brakeman/processors/template_processor.rb +14 -10
- data/lib/brakeman/report.rb +3 -3
- data/lib/brakeman/report/ignore/config.rb +2 -3
- data/lib/brakeman/report/ignore/interactive.rb +2 -2
- data/lib/brakeman/report/pager.rb +1 -0
- data/lib/brakeman/report/report_base.rb +51 -6
- data/lib/brakeman/report/report_codeclimate.rb +3 -3
- data/lib/brakeman/report/report_hash.rb +1 -1
- data/lib/brakeman/report/report_html.rb +2 -2
- data/lib/brakeman/report/report_json.rb +1 -24
- data/lib/brakeman/report/report_table.rb +20 -4
- data/lib/brakeman/report/report_tabs.rb +1 -1
- data/lib/brakeman/report/report_text.rb +6 -7
- data/lib/brakeman/rescanner.rb +13 -12
- data/lib/brakeman/scanner.rb +19 -14
- data/lib/brakeman/tracker.rb +30 -6
- data/lib/brakeman/tracker/collection.rb +4 -3
- data/lib/brakeman/tracker/config.rb +44 -73
- data/lib/brakeman/tracker/constants.rb +2 -1
- data/lib/brakeman/util.rb +1 -147
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning.rb +27 -13
- data/lib/brakeman/warning_codes.rb +4 -0
- data/lib/ruby_parser/bm_sexp.rb +7 -2
- data/lib/ruby_parser/bm_sexp_processor.rb +1 -0
- metadata +27 -22
@@ -110,6 +110,10 @@ module Brakeman::WarningCodes
|
|
110
110
|
:CVE_2018_8048 => 106,
|
111
111
|
:CVE_2018_3741 => 107,
|
112
112
|
:CVE_2018_3760 => 108,
|
113
|
+
:force_ssl_disabled => 109,
|
114
|
+
:unsafe_cookie_serialization => 110,
|
115
|
+
:reverse_tabnabbing => 111,
|
116
|
+
:custom_check => 9090,
|
113
117
|
}
|
114
118
|
|
115
119
|
def self.code name
|
data/lib/ruby_parser/bm_sexp.rb
CHANGED
@@ -40,7 +40,7 @@ class Sexp
|
|
40
40
|
s.line(line)
|
41
41
|
else
|
42
42
|
s.original_line = self.original_line
|
43
|
-
s.line(self.line)
|
43
|
+
s.line(self.line) if self.line
|
44
44
|
end
|
45
45
|
|
46
46
|
s
|
@@ -371,7 +371,12 @@ class Sexp
|
|
371
371
|
# s(:block, s(:lvar, :y), s(:call, nil, :z, s(:arglist))))
|
372
372
|
def block_call
|
373
373
|
expect :iter
|
374
|
-
|
374
|
+
|
375
|
+
if self[1].node_type == :lambda
|
376
|
+
s(:call, nil, :lambda).line(self.line)
|
377
|
+
else
|
378
|
+
self[1]
|
379
|
+
end
|
375
380
|
end
|
376
381
|
|
377
382
|
#Returns block of a call with a block.
|
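Review bot: The new lambda branch in `block_call` calls `s(:call, nil, :lambda).line(self.line)` without checking that `self.line` is present, while the first hunk in this same file adds exactly that guard (`s.line(self.line) if self.line`) for the copy path. If `Sexp#line` follows the sexp_processor convention of returning the stored line number rather than `self` when passed `nil`, an `:iter` node without line info would make `block_call` return `nil` (or an Integer) instead of the synthetic call node, and downstream checks that call `.method` or `.target` on the result would raise. A consistent form would be `call = s(:call, nil, :lambda)`, `call.line(self.line) if self.line`, `call`. The synthetic node also carries no `original_line`, which the first hunk shows is tracked separately from `line`; worth a comment on the branch such as `# Normalise stabby lambdas (s(:iter, s(:lambda), ...)) to the s(:call, nil, :lambda) shape callers already handle; original_line is not set on the synthetic node` so the asymmetry is deliberate rather than accidental.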
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: brakeman-lib
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 4.
|
4
|
+
version: 4.7.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Justin Collins
|
@@ -9,7 +9,7 @@ autorequire:
|
|
9
9
|
bindir: bin
|
10
10
|
cert_chain:
|
11
11
|
- brakeman-public_cert.pem
|
12
|
-
date: 2019-
|
12
|
+
date: 2019-10-29 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: minitest
|
@@ -39,6 +39,20 @@ dependencies:
|
|
39
39
|
- - ">="
|
40
40
|
- !ruby/object:Gem::Version
|
41
41
|
version: '0'
|
42
|
+
- !ruby/object:Gem::Dependency
|
43
|
+
name: simplecov
|
44
|
+
requirement: !ruby/object:Gem::Requirement
|
45
|
+
requirements:
|
46
|
+
- - ">="
|
47
|
+
- !ruby/object:Gem::Version
|
48
|
+
version: '0'
|
49
|
+
type: :development
|
50
|
+
prerelease: false
|
51
|
+
version_requirements: !ruby/object:Gem::Requirement
|
52
|
+
requirements:
|
53
|
+
- - ">="
|
54
|
+
- !ruby/object:Gem::Version
|
55
|
+
version: '0'
|
42
56
|
- !ruby/object:Gem::Dependency
|
43
57
|
name: ruby_parser
|
44
58
|
requirement: !ruby/object:Gem::Requirement
|
@@ -127,20 +141,14 @@ dependencies:
|
|
127
141
|
name: highline
|
128
142
|
requirement: !ruby/object:Gem::Requirement
|
129
143
|
requirements:
|
130
|
-
- - "
|
131
|
-
- !ruby/object:Gem::Version
|
132
|
-
version: 1.6.20
|
133
|
-
- - "<"
|
144
|
+
- - "~>"
|
134
145
|
- !ruby/object:Gem::Version
|
135
146
|
version: '2.0'
|
136
147
|
type: :runtime
|
137
148
|
prerelease: false
|
138
149
|
version_requirements: !ruby/object:Gem::Requirement
|
139
150
|
requirements:
|
140
|
-
- - "
|
141
|
-
- !ruby/object:Gem::Version
|
142
|
-
version: 1.6.20
|
143
|
-
- - "<"
|
151
|
+
- - "~>"
|
144
152
|
- !ruby/object:Gem::Version
|
145
153
|
version: '2.0'
|
146
154
|
- !ruby/object:Gem::Dependency
|
@@ -161,22 +169,16 @@ dependencies:
|
|
161
169
|
name: haml
|
162
170
|
requirement: !ruby/object:Gem::Requirement
|
163
171
|
requirements:
|
164
|
-
- - "
|
165
|
-
- !ruby/object:Gem::Version
|
166
|
-
version: '3.0'
|
167
|
-
- - "<"
|
172
|
+
- - "~>"
|
168
173
|
- !ruby/object:Gem::Version
|
169
|
-
version: '5.
|
174
|
+
version: '5.1'
|
170
175
|
type: :runtime
|
171
176
|
prerelease: false
|
172
177
|
version_requirements: !ruby/object:Gem::Requirement
|
173
178
|
requirements:
|
174
|
-
- - "
|
175
|
-
- !ruby/object:Gem::Version
|
176
|
-
version: '3.0'
|
177
|
-
- - "<"
|
179
|
+
- - "~>"
|
178
180
|
- !ruby/object:Gem::Version
|
179
|
-
version: '5.
|
181
|
+
version: '5.1'
|
180
182
|
- !ruby/object:Gem::Dependency
|
181
183
|
name: slim
|
182
184
|
requirement: !ruby/object:Gem::Requirement
|
@@ -218,6 +220,7 @@ files:
|
|
218
220
|
- lib/brakeman/checks/check_basic_auth.rb
|
219
221
|
- lib/brakeman/checks/check_basic_auth_timing_attack.rb
|
220
222
|
- lib/brakeman/checks/check_content_tag.rb
|
223
|
+
- lib/brakeman/checks/check_cookie_serialization.rb
|
221
224
|
- lib/brakeman/checks/check_create_with.rb
|
222
225
|
- lib/brakeman/checks/check_cross_site_scripting.rb
|
223
226
|
- lib/brakeman/checks/check_default_routes.rb
|
@@ -232,6 +235,7 @@ files:
|
|
232
235
|
- lib/brakeman/checks/check_file_access.rb
|
233
236
|
- lib/brakeman/checks/check_file_disclosure.rb
|
234
237
|
- lib/brakeman/checks/check_filter_skipping.rb
|
238
|
+
- lib/brakeman/checks/check_force_ssl.rb
|
235
239
|
- lib/brakeman/checks/check_forgery_setting.rb
|
236
240
|
- lib/brakeman/checks/check_header_dos.rb
|
237
241
|
- lib/brakeman/checks/check_i18n_xss.rb
|
@@ -257,6 +261,7 @@ files:
|
|
257
261
|
- lib/brakeman/checks/check_render_dos.rb
|
258
262
|
- lib/brakeman/checks/check_render_inline.rb
|
259
263
|
- lib/brakeman/checks/check_response_splitting.rb
|
264
|
+
- lib/brakeman/checks/check_reverse_tabnabbing.rb
|
260
265
|
- lib/brakeman/checks/check_route_dos.rb
|
261
266
|
- lib/brakeman/checks/check_safe_buffer_manipulation.rb
|
262
267
|
- lib/brakeman/checks/check_sanitize_methods.rb
|
@@ -289,6 +294,7 @@ files:
|
|
289
294
|
- lib/brakeman/commandline.rb
|
290
295
|
- lib/brakeman/differ.rb
|
291
296
|
- lib/brakeman/file_parser.rb
|
297
|
+
- lib/brakeman/file_path.rb
|
292
298
|
- lib/brakeman/format/style.css
|
293
299
|
- lib/brakeman/messages.rb
|
294
300
|
- lib/brakeman/options.rb
|
@@ -393,8 +399,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
393
399
|
- !ruby/object:Gem::Version
|
394
400
|
version: '0'
|
395
401
|
requirements: []
|
396
|
-
|
397
|
-
rubygems_version: 2.7.8
|
402
|
+
rubygems_version: 3.0.3
|
398
403
|
signing_key:
|
399
404
|
specification_version: 4
|
400
405
|
summary: Security vulnerability scanner for Ruby on Rails.
|