brakeman-lib 4.5.1 → 4.7.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (51)
  1. checksums.yaml +4 -4
  2. data/CHANGES.md +158 -109
  3. data/README.md +1 -2
  4. data/lib/brakeman/call_index.rb +54 -15
  5. data/lib/brakeman/checks/base_check.rb +50 -47
  6. data/lib/brakeman/checks/check_cookie_serialization.rb +22 -0
  7. data/lib/brakeman/checks/check_cross_site_scripting.rb +4 -4
  8. data/lib/brakeman/checks/check_deserialize.rb +3 -6
  9. data/lib/brakeman/checks/check_execute.rb +26 -1
  10. data/lib/brakeman/checks/check_file_access.rb +7 -1
  11. data/lib/brakeman/checks/check_header_dos.rb +2 -2
  12. data/lib/brakeman/checks/check_i18n_xss.rb +2 -2
  13. data/lib/brakeman/checks/check_jruby_xml.rb +2 -2
  14. data/lib/brakeman/checks/check_json_parsing.rb +2 -2
  15. data/lib/brakeman/checks/check_mass_assignment.rb +1 -1
  16. data/lib/brakeman/checks/check_mime_type_dos.rb +2 -2
  17. data/lib/brakeman/checks/check_nested_attributes_bypass.rb +1 -1
  18. data/lib/brakeman/checks/check_reverse_tabnabbing.rb +58 -0
  19. data/lib/brakeman/checks/check_sanitize_methods.rb +2 -2
  20. data/lib/brakeman/checks/check_session_settings.rb +5 -2
  21. data/lib/brakeman/checks/check_sql.rb +24 -22
  22. data/lib/brakeman/checks/check_xml_dos.rb +2 -2
  23. data/lib/brakeman/checks/check_yaml_parsing.rb +10 -18
  24. data/lib/brakeman/differ.rb +16 -28
  25. data/lib/brakeman/file_parser.rb +4 -8
  26. data/lib/brakeman/file_path.rb +14 -0
  27. data/lib/brakeman/parsers/haml_embedded.rb +1 -1
  28. data/lib/brakeman/parsers/template_parser.rb +3 -1
  29. data/lib/brakeman/processor.rb +2 -2
  30. data/lib/brakeman/processors/alias_processor.rb +15 -1
  31. data/lib/brakeman/processors/base_processor.rb +2 -0
  32. data/lib/brakeman/processors/controller_processor.rb +4 -4
  33. data/lib/brakeman/processors/gem_processor.rb +10 -2
  34. data/lib/brakeman/processors/haml_template_processor.rb +87 -123
  35. data/lib/brakeman/processors/lib/call_conversion_helper.rb +5 -4
  36. data/lib/brakeman/processors/lib/find_all_calls.rb +27 -4
  37. data/lib/brakeman/processors/lib/find_call.rb +3 -64
  38. data/lib/brakeman/processors/lib/rails2_config_processor.rb +1 -1
  39. data/lib/brakeman/processors/template_alias_processor.rb +28 -0
  40. data/lib/brakeman/processors/template_processor.rb +10 -6
  41. data/lib/brakeman/report/report_text.rb +4 -5
  42. data/lib/brakeman/rescanner.rb +4 -0
  43. data/lib/brakeman/tracker.rb +26 -2
  44. data/lib/brakeman/tracker/config.rb +38 -73
  45. data/lib/brakeman/tracker/constants.rb +2 -1
  46. data/lib/brakeman/util.rb +5 -3
  47. data/lib/brakeman/version.rb +1 -1
  48. data/lib/brakeman/warning.rb +4 -0
  49. data/lib/brakeman/warning_codes.rb +3 -0
  50. data/lib/ruby_parser/bm_sexp.rb +7 -2
  51. metadata +18 -17
@@ -49,7 +49,7 @@ module Brakeman
49
49
  include Brakeman::Util
50
50
 
51
51
  def initialize
52
- @constants = Hash.new { |h, k| h[k] = [] }
52
+ @constants = {}
53
53
  end
54
54
 
55
55
  def size
@@ -103,6 +103,7 @@ module Brakeman
103
103
  end
104
104
 
105
105
  base_name = Constants.get_constant_base_name(name)
106
+ @constants[base_name] ||= []
106
107
  @constants[base_name] << Constant.new(name, value, context)
107
108
  end
108
109
 
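--- a/data/lib/brakeman/util.rb
+++ b/data/lib/brakeman/util.rb
@@ -8,9 +8,11 @@ module Brakeman::Util
 
   PATH_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request), :path_parameters)
 
-  REQUEST_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request), :request_parameters)
+  REQUEST_REQUEST_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request), :request_parameters)
 
-  REQUEST_PARAMS = Sexp.new(:call, Sexp.new(:call, nil, :request), :parameters)
+  REQUEST_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request), :parameters)
+
+  REQUEST_PARAMS = Sexp.new(:call, Sexp.new(:call, nil, :request), :params)
 
   REQUEST_ENV = Sexp.new(:call, Sexp.new(:call, nil, :request), :env)
 
@@ -22,7 +24,7 @@ module Brakeman::Util
 
   SESSION = Sexp.new(:call, nil, :session)
 
-  ALL_PARAMETERS = Set[PARAMETERS, QUERY_PARAMETERS, PATH_PARAMETERS, REQUEST_PARAMETERS, REQUEST_PARAMS]
+  ALL_PARAMETERS = Set[PARAMETERS, QUERY_PARAMETERS, PATH_PARAMETERS, REQUEST_REQUEST_PARAMETERS, REQUEST_PARAMETERS, REQUEST_PARAMS]
 
   ALL_COOKIES = Set[COOKIES, REQUEST_COOKIES]
 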
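Review bot: `REQUEST_PARAMETERS` keeps its name but silently changes meaning in the first hunk — it was `request.request_parameters` and is now `request.parameters`, with the old meaning moved to the new `REQUEST_REQUEST_PARAMETERS`. Any code outside this hunk (or a user-written check) that still references `REQUEST_PARAMETERS` for the `request_parameters` accessor will keep compiling and quietly match a different call, so the rename deserves a tree-wide grep before merging rather than relying on the constant name. A short comment above the three constants would prevent the same confusion later, e.g. `# Rails request accessors treated as user input; note REQUEST_PARAMETERS is request.parameters (the request_parameters accessor is REQUEST_REQUEST_PARAMETERS).` ALL_PARAMETERS, which appears to be the set of parameter accessors the checks treat as user input, is extended consistently in the second hunk.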
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "4.5.1"
2
+ Version = "4.7.2"
3
3
  end
@@ -271,6 +271,10 @@ class Brakeman::Warning
271
271
  end
272
272
  end
273
273
 
274
+ def relative_path
275
+ self.file.relative
276
+ end
277
+
274
278
  def to_hash absolute_paths: true
275
279
  if self.called_from and not absolute_paths
276
280
  render_path = self.called_from.with_relative_paths
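Review bot: The new `relative_path` (lines 274-276) has no documentation and no guard on `file`; if `file` can be unset for some warnings (not visible in this hunk) it raises NoMethodError where `file&.relative` would return nil. Suggest a one-line doc comment above it: `# Relative form of this warning's file path (delegates to #file.relative).` The `to_hash` method that follows continues outside the hunk, so whether it now uses `relative_path` for the `absolute_paths: false` case cannot be checked here.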
@@ -111,6 +111,9 @@ module Brakeman::WarningCodes
111
111
  :CVE_2018_3741 => 107,
112
112
  :CVE_2018_3760 => 108,
113
113
  :force_ssl_disabled => 109,
114
+ :unsafe_cookie_serialization => 110,
115
+ :reverse_tabnabbing => 111,
116
+ :custom_check => 9090,
114
117
  }
115
118
 
116
119
  def self.code name
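Review bot: `:custom_check => 9090` (line 116) is the only entry that breaks the sequential numbering and carries no explanation of why it sits apart from 110 and 111. A trailing comment would make the reservation explicit, e.g. `:custom_check => 9090, # single code presumably shared by user-defined checks; kept outside the built-in sequence`. Whether every custom check sharing one code affects warning fingerprints or deduplication cannot be told from this hunk and is worth confirming in warning.rb. The hash literal begins, and `self.code` ends, outside the hunk.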
@@ -40,7 +40,7 @@ class Sexp
40
40
  s.line(line)
41
41
  else
42
42
  s.original_line = self.original_line
43
- s.line(self.line)
43
+ s.line(self.line) if self.line
44
44
  end
45
45
 
46
46
  s
@@ -371,7 +371,12 @@ class Sexp
371
371
  # s(:block, s(:lvar, :y), s(:call, nil, :z, s(:arglist))))
372
372
  def block_call
373
373
  expect :iter
374
- self[1]
374
+
375
+ if self[1].node_type == :lambda
376
+ s(:call, nil, :lambda).line(self.line)
377
+ else
378
+ self[1]
379
+ end
375
380
  end
376
381
 
377
382
  #Returns block of a call with a block.
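Review bot: In `block_call` (lines 375-379) the synthesized `s(:call, nil, :lambda).line(self.line)` is not guarded against a nil line, although the first hunk in this file (line 43) adds exactly such a guard for the same call. With sexp_processor's `Sexp#line`, passing nil is the getter form and returns the stored line rather than self, so when `self.line` is nil this branch returns nil instead of a call node and callers fail later with NoMethodError. Mirror the guard: `call = s(:call, nil, :lambda)`, `call.line(self.line) if self.line`, `call`. The doc comment above `block_call` (starting before line 371) should also mention that an iter wrapping a `:lambda` node yields a synthesized `lambda` call rather than the stored node. The method containing line 43 starts outside its hunk.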
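--- a/metadata
+++ b/metadata
@@ -1,15 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 4.5.1
+  version: 4.7.2
 platform: ruby
 authors:
 - Justin Collins
 autorequire:
 bindir: bin
-cert_chain:
-- brakeman-public_cert.pem
-date: 2019-05-11 00:00:00.000000000 Z
+cert_chain: []
+date: 2019-11-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -169,22 +168,16 @@ dependencies:
   name: haml
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '3.0'
-    - - "<"
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '5.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '3.0'
-    - - "<"
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '5.1'
 - !ruby/object:Gem::Dependency
   name: slim
   requirement: !ruby/object:Gem::Requirement
@@ -226,6 +219,7 @@ files:
 - lib/brakeman/checks/check_basic_auth.rb
 - lib/brakeman/checks/check_basic_auth_timing_attack.rb
 - lib/brakeman/checks/check_content_tag.rb
+- lib/brakeman/checks/check_cookie_serialization.rb
 - lib/brakeman/checks/check_create_with.rb
 - lib/brakeman/checks/check_cross_site_scripting.rb
 - lib/brakeman/checks/check_default_routes.rb
@@ -266,6 +260,7 @@ files:
 - lib/brakeman/checks/check_render_dos.rb
 - lib/brakeman/checks/check_render_inline.rb
 - lib/brakeman/checks/check_response_splitting.rb
+- lib/brakeman/checks/check_reverse_tabnabbing.rb
 - lib/brakeman/checks/check_route_dos.rb
 - lib/brakeman/checks/check_safe_buffer_manipulation.rb
 - lib/brakeman/checks/check_sanitize_methods.rb
@@ -387,7 +382,14 @@ files:
 homepage: http://brakemanscanner.org
 licenses:
 - Brakeman Public Use License
-metadata: {}
+metadata:
+  bug_tracker_uri: https://github.com/presidentbeef/brakeman/issues
+  changelog_uri: https://github.com/presidentbeef/brakeman/releases
+  documentation_uri: https://brakemanscanner.org/docs/
+  homepage_uri: https://brakemanscanner.org/
+  mailing_list_uri: https://gitter.im/presidentbeef/brakeman
+  source_code_uri: https://github.com/presidentbeef/brakeman
+  wiki_uri: https://github.com/presidentbeef/brakeman/wiki
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -403,8 +405,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.7.8
+rubygems_version: 3.0.3
 signing_key:
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.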