brakeman-lib 4.7.0 → 4.7.1
- checksums.yaml +4 -4
- data/CHANGES.md +122 -112
- data/lib/brakeman/checks/check_reverse_tabnabbing.rb +5 -1
- data/lib/brakeman/processors/lib/call_conversion_helper.rb +5 -4
- data/lib/brakeman/report/report_text.rb +4 -5
- data/lib/brakeman/version.rb +1 -1
- data/lib/ruby_parser/bm_sexp.rb +6 -1
- metadata +2 -2
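--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 1a0bb1fb9eebcf11e5493213b5cd4a40b6c5359952f754bd7aab4fe727fa3950
+data.tar.gz: '07648dfb71e125045d345bd154a56547f0b8168f6ecd29f6b47442e7923fbd3a'
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: dd82f20198e48a73d7c7ddac934fcc9b192400e0b333f665033b7375c63ed5ffd5baf130ce31afd5aab48f7661cc93694a87b81ba87e29ad5a879c897052e1df
+data.tar.gz: 5975dcd2ef58e1007d45b2206fcdf8232962b22739ccde18c9e72f3aafe72196efb11b4627051ca43bad2aaf7881dc0a7e35b25ef32436b33fea2853bb65b65b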
data/CHANGES.md
CHANGED
@@ -1,4 +1,14 @@
|
|
1
|
-
# 4.7.
|
1
|
+
# 4.7.1 - 2019-10-29
|
2
|
+
|
3
|
+
* Check string length against limit before joining
|
4
|
+
* Fix errors from frozen `Symbol#to_s` in Ruby 2.7
|
5
|
+
* Fix flaky rails4 test (Adam Kiczula)
|
6
|
+
* Added release dates to each version in CHANGES (TheSpartan1980)
|
7
|
+
* Catch reverse tabnabbing with `:_blank` symbol (Jacob Evelyn)
|
8
|
+
* Convert `s(:lambda)` to `s(:call)` in `Sexp#block_call`
|
9
|
+
* Sort text report by file and line (Jacob Evelyn)
|
10
|
+
|
11
|
+
# 4.7.0 - 2019-10-16
|
2
12
|
|
3
13
|
* Refactor `Brakeman::Differ#second_pass` (Benoit Côté-Jodoin)
|
4
14
|
* Ignore interpolation in `%W[]`
|
@@ -9,11 +19,11 @@
|
|
9
19
|
* Catch shell injection from `-c` shell commands (Jacob Evelyn)
|
10
20
|
* Correctly handle non-symbols in `CheckCookieSerialization` (Phil Turnbull)
|
11
21
|
|
12
|
-
# 4.6.1
|
22
|
+
# 4.6.1 - 2019-07-24
|
13
23
|
|
14
24
|
* Fix Reverse Tabnabbing warning message (Steffen Schildknecht / Jörg Schiller)
|
15
25
|
|
16
|
-
# 4.6.0
|
26
|
+
# 4.6.0 - 2019-07-23
|
17
27
|
|
18
28
|
* Skip calls to `dup`
|
19
29
|
* Add reverse tabnabbing check (Linos Giannopoulos)
|
@@ -29,7 +39,7 @@
|
|
29
39
|
* Add special warning code for custom checks
|
30
40
|
* Add call matching by regular expression
|
31
41
|
|
32
|
-
# 4.5.1
|
42
|
+
# 4.5.1 - 2019-05-11
|
33
43
|
|
34
44
|
* Add `Brakeman::FilePath` to represent file paths
|
35
45
|
* Handle trailing comma in block args
|
@@ -44,7 +54,7 @@
|
|
44
54
|
* Add initial Rails 6 support
|
45
55
|
* Add SQL injection checks for `destroy_by`/`delete_by`
|
46
56
|
|
47
|
-
# 4.5.0
|
57
|
+
# 4.5.0 - 2019-03-16
|
48
58
|
|
49
59
|
* Update `ruby_parser`, use `ruby_parser-legacy`
|
50
60
|
* More thoroughly handle `Shellwords` escaping
|
@@ -61,7 +71,7 @@
|
|
61
71
|
* Better handling of splat/kwsplat arguments
|
62
72
|
* Improve "user input" reported for SQL injection
|
63
73
|
|
64
|
-
# 4.4.0
|
74
|
+
# 4.4.0 - 2019-01-17
|
65
75
|
|
66
76
|
* Set default encoding to UTF-8
|
67
77
|
* Update to Slim 4.0.1 (Jake Peterson)
|
@@ -84,7 +94,7 @@
|
|
84
94
|
* Complete overhaul of warning message construction
|
85
95
|
* Deadcode and typo fixes found via Coverity
|
86
96
|
|
87
|
-
# 4.3.1
|
97
|
+
# 4.3.1 - 2018-06-07
|
88
98
|
|
89
99
|
* Ignore `Object#freeze`, use the target instead
|
90
100
|
* Ignore `foreign_key` calls in SQL
|
@@ -97,7 +107,7 @@
|
|
97
107
|
* Improve handling of conditionals in shell commands (Jacob Evelyn)
|
98
108
|
* Fix error when setting line number in implicit renders
|
99
109
|
|
100
|
-
# 4.3.0
|
110
|
+
# 4.3.0 - 2018-05-11
|
101
111
|
|
102
112
|
* Check exec-type calls even if they are targets
|
103
113
|
* Convert `Array#join` to string interpolation
|
@@ -113,14 +123,14 @@
|
|
113
123
|
* `--color` can be used to force color output
|
114
124
|
* Fix reported line numbers for CVE-2018-3741 and CVE-2018-8048
|
115
125
|
|
116
|
-
# 4.2.1
|
126
|
+
# 4.2.1 - 2018-03-24
|
117
127
|
|
118
128
|
* Add warning for CVE-2018-3741
|
119
129
|
* Add warning for CVE-2018-8048
|
120
130
|
* Scan `app/jobs/` directory
|
121
131
|
* Handle `template_exists?` in controllers
|
122
132
|
|
123
|
-
# 4.2.0
|
133
|
+
# 4.2.0 - 2018-02-22
|
124
134
|
|
125
135
|
* Avoid warning about symbol DoS on `Model#attributes`
|
126
136
|
* Avoid warning about open redirects with model methods ending with `_path`
|
@@ -133,12 +143,12 @@
|
|
133
143
|
* Exclude template folders in `lib/` (kru0096)
|
134
144
|
* Handle ERb use of `String#<<` method for Ruby 2.5 (Pocke)
|
135
145
|
|
136
|
-
# 4.1.1
|
146
|
+
# 4.1.1 - 2017-12-19
|
137
147
|
|
138
148
|
* Remove check for use of `permit` with `*_id` keys
|
139
149
|
* Avoid duplicate warnings about permitted attributes
|
140
150
|
|
141
|
-
# 4.1.0
|
151
|
+
# 4.1.0 - 2017-12-14
|
142
152
|
|
143
153
|
* Process models as root sexp instead of each sexp
|
144
154
|
* Avoid CSRF warning in Rails 5.2 default config
|
@@ -161,12 +171,12 @@
|
|
161
171
|
* Refactor Code Climate engine options parsing (Noah Davis)
|
162
172
|
* Fix upgrade version for CVE-2016-6316
|
163
173
|
|
164
|
-
# 4.0.1
|
174
|
+
# 4.0.1 - 2017-09-25
|
165
175
|
|
166
176
|
* Disable pager when `CI` environment variable is set
|
167
177
|
* Fix output when pager fails
|
168
178
|
|
169
|
-
# 4.0.0
|
179
|
+
# 4.0.0 - 2017-09-25
|
170
180
|
|
171
181
|
* Add simple pager for reports output to terminal
|
172
182
|
* Rename "Cross Site Scripting" to "Cross-Site Scripting" (Paul Tetreau)
|
@@ -180,11 +190,11 @@
|
|
180
190
|
* --exit-on-error and --exit-on-warn are now the default
|
181
191
|
* Fix --exit-on-error and --exit-on-warn in config files
|
182
192
|
|
183
|
-
# 3.7.2
|
193
|
+
# 3.7.2 - 2017-08-16
|
184
194
|
|
185
195
|
* Fix --ensure-latest (David Guyon)
|
186
196
|
|
187
|
-
# 3.7.1
|
197
|
+
# 3.7.1 - 2017-08-16
|
188
198
|
|
189
199
|
* Handle simple guard with return at end of branch
|
190
200
|
* Modularize bin/brakeman
|
@@ -192,7 +202,7 @@
|
|
192
202
|
* Add more collection methods for iteration detection
|
193
203
|
* Update ruby2ruby and ruby_parser
|
194
204
|
|
195
|
-
# 3.7.0
|
205
|
+
# 3.7.0 - 2017-06-30
|
196
206
|
|
197
207
|
* Improve support for rails4/rails5 options in config file
|
198
208
|
* Track more information about constant assignments
|
@@ -201,7 +211,7 @@
|
|
201
211
|
* Fix false positive for redirect_to in Rails 4 (Mário Areias)
|
202
212
|
* Avoid interpolating hashes/arrays on failed access
|
203
213
|
|
204
|
-
# 3.6.2
|
214
|
+
# 3.6.2 - 2017-05-19
|
205
215
|
|
206
216
|
* Handle safe call operator in checks
|
207
217
|
* Better handling of `if` expressions in HAML rendering
|
@@ -216,11 +226,11 @@
|
|
216
226
|
* Handle empty `if` expressions when finding return values
|
217
227
|
* Fix finding return value from empty `if`
|
218
228
|
|
219
|
-
# 3.6.1
|
229
|
+
# 3.6.1 - 2017-03-24
|
220
230
|
|
221
231
|
* Fix error when using `--compare` (Sean Gransee)
|
222
232
|
|
223
|
-
# 3.6.0
|
233
|
+
# 3.6.0 - 2017-03-23
|
224
234
|
|
225
235
|
* Avoid recursive Concerns
|
226
236
|
* Branch inside of `case` expressions
|
@@ -231,7 +241,7 @@
|
|
231
241
|
* Only report CVE-2015-3227 when exact version is known
|
232
242
|
* Check targetless SQL calls outside of known models
|
233
243
|
|
234
|
-
# 3.5.0
|
244
|
+
# 3.5.0 - 2017-02-01
|
235
245
|
|
236
246
|
* Allow `-t None`
|
237
247
|
* Fail on invalid checks specified by `-x` or `-t`
|
@@ -246,7 +256,7 @@
|
|
246
256
|
* Handle `included` block in concerns
|
247
257
|
* Process concerns before controllers
|
248
258
|
|
249
|
-
# 3.4.1
|
259
|
+
# 3.4.1 - 2016-11-02
|
250
260
|
|
251
261
|
* Show action help at start of interactive ignore
|
252
262
|
* Check CSRF setting in direct subclasses of `ActionController::Base` (Jason Yeo)
|
@@ -256,7 +266,7 @@
|
|
256
266
|
* Avoid warning about `where_values_hash` in SQLi
|
257
267
|
* Fix ignoring link interpolation not at beginning of string
|
258
268
|
|
259
|
-
# 3.4.0
|
269
|
+
# 3.4.0 - 2016-09-08
|
260
270
|
|
261
271
|
* Add new `plain` report format
|
262
272
|
* Add option to prune ignore file with `-I`
|
@@ -265,18 +275,18 @@
|
|
265
275
|
* Support creating reports in non-existent paths
|
266
276
|
* Add `--no-exit-warn`
|
267
277
|
|
268
|
-
# 3.3.5
|
278
|
+
# 3.3.5 - 2016-08-12
|
269
279
|
|
270
280
|
* Fix bug in reports when using --debug option
|
271
281
|
|
272
|
-
# 3.3.4
|
282
|
+
# 3.3.4 - 2016-08-12
|
273
283
|
|
274
284
|
* Add generic warning for CVE-2016-6316
|
275
285
|
* Warn about dangerous use of `content_tag` with CVE-2016-6316
|
276
286
|
* Add warning for CVE-2016-6317
|
277
287
|
* Use Minitest
|
278
288
|
|
279
|
-
# 3.3.3
|
289
|
+
# 3.3.3 - 2016-07-21
|
280
290
|
|
281
291
|
* Show path when no Rails app found (Neil Matatall)
|
282
292
|
* Index calls in view helpers
|
@@ -289,11 +299,11 @@
|
|
289
299
|
* Sexp#value returns nil when there is no value
|
290
300
|
* Improve return value estimation
|
291
301
|
|
292
|
-
# 3.3.2
|
302
|
+
# 3.3.2 - 2016-06-10
|
293
303
|
|
294
304
|
* Fix serious performance regression with global constant tracking
|
295
305
|
|
296
|
-
# 3.3.1
|
306
|
+
# 3.3.1 - 2016-06-03
|
297
307
|
|
298
308
|
* Delay loading vendored gems and modifying load path
|
299
309
|
* Avoid warning about SQL injection with `quoted_primary_key`
|
@@ -304,7 +314,7 @@
|
|
304
314
|
* Add `--force-scan` option (Neil Matatall)
|
305
315
|
* Improved line number accuracy in ERB templates (Patrick Toomey)
|
306
316
|
|
307
|
-
# 3.3.0
|
317
|
+
# 3.3.0 - 2016-05-05
|
308
318
|
|
309
319
|
* Skip processing obviously false if branches (more broadly)
|
310
320
|
* Skip if branches with `Rails.env.test?`
|
@@ -322,11 +332,11 @@
|
|
322
332
|
* [Code Climate engine] Remove nil entries from include_paths (Gordon Diggs)
|
323
333
|
* [Code Climate engine] Report end lines for issues (Gordon Diggs)
|
324
334
|
|
325
|
-
# 3.2.1
|
335
|
+
# 3.2.1 - 2016-02-25
|
326
336
|
|
327
337
|
* Remove `multi_json` dependency from `bin/brakeman`
|
328
338
|
|
329
|
-
# 3.2.0
|
339
|
+
# 3.2.0 - 2016-02-25
|
330
340
|
|
331
341
|
* Skip Symbol DoS check on Rails 5
|
332
342
|
* Only update ignore config file on changes
|
@@ -340,7 +350,7 @@
|
|
340
350
|
* Avoid render warnings about params[:action]/params[:controller]
|
341
351
|
* Index calls in class bodies but outside methods
|
342
352
|
|
343
|
-
# 3.1.5
|
353
|
+
# 3.1.5 - 2016-01-28
|
344
354
|
|
345
355
|
* Fix CodeClimate construction of --only-files (Will Fleming)
|
346
356
|
* Add check for denial of service via routes (CVE-2015-7581)
|
@@ -359,7 +369,7 @@
|
|
359
369
|
* Handle module names with self methods
|
360
370
|
* Add session manipulation documentation
|
361
371
|
|
362
|
-
# 3.1.4
|
372
|
+
# 3.1.4 - 2015-12-22
|
363
373
|
|
364
374
|
* Emit brakeman's native fingerprints for Code Climate engine (Noah Davis)
|
365
375
|
* Ignore secrets.yml if in .gitignore
|
@@ -367,7 +377,7 @@
|
|
367
377
|
* Increase test coverage for option parsing (Zander Mackie)
|
368
378
|
* Work around safe_yaml error
|
369
379
|
|
370
|
-
# 3.1.3
|
380
|
+
# 3.1.3 - 2015-12-03
|
371
381
|
|
372
382
|
* Check for session secret in secrets.yml
|
373
383
|
* Respect `exit_on_warn` in config file
|
@@ -381,7 +391,7 @@
|
|
381
391
|
* Depend on safe_yaml 1.0 or later
|
382
392
|
* Test coverage improvements for Brakema module (Bethany Rentz)
|
383
393
|
|
384
|
-
# 3.1.2
|
394
|
+
# 3.1.2 - 2015-10-28
|
385
395
|
|
386
396
|
* Treat `current_user` like a model
|
387
397
|
* Set user input value for inline renders
|
@@ -399,7 +409,7 @@
|
|
399
409
|
* Sortable tables in HTML report (David Lanner)
|
400
410
|
* Search for config file relative to application root
|
401
411
|
|
402
|
-
# 3.1.1
|
412
|
+
# 3.1.1 - 2015-09-23
|
403
413
|
|
404
414
|
* Add optional check for use of MD5 and SHA1
|
405
415
|
* Avoid warning when linking to decorated models
|
@@ -413,7 +423,7 @@
|
|
413
423
|
* Support newer terminal-table releases
|
414
424
|
* Allow searching call index methods by regex (Alex Ianus)
|
415
425
|
|
416
|
-
# 3.1.0
|
426
|
+
# 3.1.0 - 2015-08-31
|
417
427
|
|
418
428
|
* Add support for gems.rb/gems.locked
|
419
429
|
* Update render path information in JSON reports
|
@@ -432,18 +442,18 @@
|
|
432
442
|
* Expand safe methods to match methods with targets
|
433
443
|
* Avoid duplicate eval() warnings
|
434
444
|
|
435
|
-
# 3.0.5
|
445
|
+
# 3.0.5 - 2015-06-20
|
436
446
|
|
437
447
|
* Fix check for CVE-2015-3227
|
438
448
|
|
439
|
-
# 3.0.4
|
449
|
+
# 3.0.4 - 2015-06-18
|
440
450
|
|
441
451
|
* Add check for CVE-2015-3226 (XSS via JSON keys)
|
442
452
|
* Add check for CVE-2015-3227 (XML DoS)
|
443
453
|
* Treat `<%==` as unescaped output
|
444
454
|
* Update `ruby_parser` dependency to 3.7.0
|
445
455
|
|
446
|
-
# 3.0.3
|
456
|
+
# 3.0.3 - 2015-04-20
|
447
457
|
|
448
458
|
* Ignore more Arel methods in SQL
|
449
459
|
* Warn about protect_from_forgery without exceptions (Neil Matatall)
|
@@ -454,7 +464,7 @@
|
|
454
464
|
* Do not ignore targets of `to_s` in SQL
|
455
465
|
* Add Rake task to exit with error code on warnings (masarakki)
|
456
466
|
|
457
|
-
# 3.0.2
|
467
|
+
# 3.0.2 - 2015-03-09
|
458
468
|
|
459
469
|
* Alias process methods called in class scope on models
|
460
470
|
* Treat primary_key, table_name_prefix, table_name_suffix as safe in SQL
|
@@ -470,7 +480,7 @@
|
|
470
480
|
* Fix CSV output when there are no warnings
|
471
481
|
* Handle processing of explicitly shadowed block arguments
|
472
482
|
|
473
|
-
# 3.0.1
|
483
|
+
# 3.0.1 - 2015-01-23
|
474
484
|
|
475
485
|
* Avoid protect_from_forgery warning unless ApplicationController inherits from ActionController::Base
|
476
486
|
* Properly format command interpolation (again)
|
@@ -479,7 +489,7 @@
|
|
479
489
|
* Add `--add-libs-path` for additional libraries (Patrick Toomey)
|
480
490
|
* Properly process libraries (Patrick Toomey)
|
481
491
|
|
482
|
-
# 3.0.0
|
492
|
+
# 3.0.0 - 2015-01-03
|
483
493
|
|
484
494
|
* Add check for CVE-2014-7829
|
485
495
|
* Add check for cross-site scripting via inline renders
|
@@ -498,7 +508,7 @@
|
|
498
508
|
* CVEs report correct line and file name (Gemfile/Gemfile.lock) (Rob Fletcher)
|
499
509
|
* Change `--separate-models` to be the default
|
500
510
|
|
501
|
-
# 2.6.3
|
511
|
+
# 2.6.3 - 2014-10-14
|
502
512
|
|
503
513
|
* Whitelist `exists` arel method from SQL injection check
|
504
514
|
* Avoid warning about Symbol DoS on safe parameters as method targets
|
@@ -507,7 +517,7 @@
|
|
507
517
|
* Add framework for optional checks
|
508
518
|
* Fix stack overflow for cycles in class ancestors (Jeff Rafter)
|
509
519
|
|
510
|
-
# 2.6.2
|
520
|
+
# 2.6.2 - 2014-08-18
|
511
521
|
|
512
522
|
* Add check for CVE-2014-3415
|
513
523
|
* Avoid warning about symbolizing safe parameters
|
@@ -521,13 +531,13 @@
|
|
521
531
|
* Fix block statement endings in Erubis
|
522
532
|
* Fix undefined variable in controller processing error (Jason Barnabe)
|
523
533
|
|
524
|
-
# 2.6.1
|
534
|
+
# 2.6.1 - 2014-07-02
|
525
535
|
|
526
536
|
* Add check for CVE-2014-3482 and CVE-2014-3483
|
527
537
|
* Add support for keyword arguments in blocks
|
528
538
|
* Remove unused warning codes (Bill Fischer)
|
529
539
|
|
530
|
-
# 2.6.0
|
540
|
+
# 2.6.0 - 2014-06-06
|
531
541
|
|
532
542
|
* Fix detection of `:host` setting in redirects with chained calls
|
533
543
|
* Add check for CVE-2014-0130
|
@@ -541,7 +551,7 @@
|
|
541
551
|
* Ignore more model methods in redirects
|
542
552
|
* Fix CheckRender with nested render calls
|
543
553
|
|
544
|
-
# 2.5.0
|
554
|
+
# 2.5.0 - 2014-04-30
|
545
555
|
|
546
556
|
* Add support for RailsLTS 2.3.18.7 and 2.3.18.8
|
547
557
|
* Add support for Rails 4 `before_actions` and friends
|
@@ -556,11 +566,11 @@
|
|
556
566
|
* Handle more non-literals in routes
|
557
567
|
* Add check for regex denial of service (Ben Toews)
|
558
568
|
|
559
|
-
# 2.4.3
|
569
|
+
# 2.4.3 - 2014-03-23
|
560
570
|
|
561
571
|
No changes. 2.4.2 gem release was unsigned, 2.4.3 is signed.
|
562
572
|
|
563
|
-
# 2.4.2
|
573
|
+
# 2.4.2 - 2014-03-21
|
564
574
|
|
565
575
|
* Remove `rescue Exception`
|
566
576
|
* Fix duplicate warnings about sanitize CVE
|
@@ -569,13 +579,13 @@
|
|
569
579
|
* Skip identically rendered templates
|
570
580
|
* Fix HAML template processing
|
571
581
|
|
572
|
-
# 2.4.1
|
582
|
+
# 2.4.1 - 2014-02-19
|
573
583
|
|
574
584
|
* Add check for CVE-2014-0082
|
575
585
|
* Add check for CVE-2014-0081, replaces CVE-2013-6415
|
576
586
|
* Add check for CVE-2014-0080
|
577
587
|
|
578
|
-
# 2.4.0
|
588
|
+
# 2.4.0 - 2014-02-05
|
579
589
|
|
580
590
|
* Detect Rails LTS versions
|
581
591
|
* Reduce false positives for SQL injection in string building
|
@@ -590,12 +600,12 @@
|
|
590
600
|
* No longer raise exceptions if a class name cannot be determined
|
591
601
|
* Fingerprint attribute warnings individually (Case Taintor)
|
592
602
|
|
593
|
-
# 2.3.1
|
603
|
+
# 2.3.1 - 2013-12-13
|
594
604
|
|
595
605
|
* Fix check for CVE-2013-4491 (i18n XSS) to detect workaround
|
596
606
|
* Fix link for CVE-2013-6415 (number_to_currency)
|
597
607
|
|
598
|
-
# 2.3.0
|
608
|
+
# 2.3.0 - 2013-12-12
|
599
609
|
|
600
610
|
* Add check for Parameters#permit!
|
601
611
|
* Add check for CVE-2013-4491 (i18n XSS)
|
@@ -609,7 +619,7 @@
|
|
609
619
|
* Whitelist `Model#create` for redirects
|
610
620
|
* Fix scoping issues with instance variables and blocks
|
611
621
|
|
612
|
-
# 2.2.0
|
622
|
+
# 2.2.0 - 2013-10-28
|
613
623
|
|
614
624
|
* Reduce command injection false positives
|
615
625
|
* Use Rails version from Gemfile if it is available
|
@@ -618,14 +628,14 @@
|
|
618
628
|
* Support scanning Rails engines (Geoffrey Hichborn)
|
619
629
|
* Add check for detailed exceptions in production
|
620
630
|
|
621
|
-
# 2.1.2
|
631
|
+
# 2.1.2 - 2013-09-18
|
622
632
|
|
623
633
|
* Do not attempt to load custom Haml filters
|
624
634
|
* Do not warn about `to_json` XSS in Rails 4
|
625
635
|
* Add --table-width option to set width of text reports (ssendev)
|
626
636
|
* Remove fuzzy matching on dangerous attr_accessible values
|
627
637
|
|
628
|
-
# 2.1.1
|
638
|
+
# 2.1.1 - 2013-08-21
|
629
639
|
|
630
640
|
* New warning code for dangerous attributes in attr_accessible
|
631
641
|
* Do not warn on attr_accessible using roles
|
@@ -636,7 +646,7 @@
|
|
636
646
|
* Fix infinite loop when run as rake task (Matthew Shanley)
|
637
647
|
* Respect ignored warnings in tabs format reports
|
638
648
|
|
639
|
-
# 2.1.0
|
649
|
+
# 2.1.0 - 2013-07-17
|
640
650
|
|
641
651
|
* Support non-native line endings in Gemfile.lock (Paul Deardorff)
|
642
652
|
* Support for ignoring warnings
|
@@ -656,7 +666,7 @@
|
|
656
666
|
* Fix output format detection to be more strict again
|
657
667
|
* Allow empty Brakeman configuration file
|
658
668
|
|
659
|
-
# 2.0.0
|
669
|
+
# 2.0.0 - 2013-05-20
|
660
670
|
|
661
671
|
* Add `--only-files` option to specify files/paths to scan (Ian Ehlert)
|
662
672
|
* Add Marshal/CSV deserialization check
|
@@ -686,7 +696,7 @@
|
|
686
696
|
* Use exceptions instead of abort in brakeman lib
|
687
697
|
* Update to Ruby2Ruby 2.0.5
|
688
698
|
|
689
|
-
# 1.9.5
|
699
|
+
# 1.9.5 - 2013-04-05
|
690
700
|
|
691
701
|
* Add check for unsafe symbol creation
|
692
702
|
* Do not warn on mass assignment with `slice`/`only`
|
@@ -701,7 +711,7 @@
|
|
701
711
|
* More fixes for assignments inside branches
|
702
712
|
* Pin to ruby2ruby version 2.0.3
|
703
713
|
|
704
|
-
# 1.9.4
|
714
|
+
# 1.9.4 - 2013-03-19
|
705
715
|
|
706
716
|
* Add check for CVE-2013-1854
|
707
717
|
* Add check for CVE-2013-1855
|
@@ -713,7 +723,7 @@
|
|
713
723
|
* Slightly faster cloning of Sexps
|
714
724
|
* Detect another way to add `strong_parameters`
|
715
725
|
|
716
|
-
# 1.9.3
|
726
|
+
# 1.9.3 - 2013-03-01
|
717
727
|
|
718
728
|
* Add render path to JSON report
|
719
729
|
* Add warning fingerprints
|
@@ -728,7 +738,7 @@
|
|
728
738
|
* Expand HAML dependency to include 4.0
|
729
739
|
* Scroll errors into view when expanding in HTML report
|
730
740
|
|
731
|
-
# 1.9.2
|
741
|
+
# 1.9.2 - 2013-02-14
|
732
742
|
|
733
743
|
* Add check for CVE-2013-0269
|
734
744
|
* Add check for CVE-2013-0276
|
@@ -739,7 +749,7 @@
|
|
739
749
|
* Check for more dangerous YAML methods
|
740
750
|
* Support MultiJSON 1.2 for Rails 3.0 and 3.1
|
741
751
|
|
742
|
-
# 1.9.1
|
752
|
+
# 1.9.1 - 2013-01-19
|
743
753
|
|
744
754
|
* Update to RubyParser 3.1.1 (neersighted)
|
745
755
|
* Remove ActiveSupport dependency (Neil Matatall)
|
@@ -751,7 +761,7 @@
|
|
751
761
|
* Add check for CVE-2013-0156
|
752
762
|
* Add check for unsafe `YAML.load`
|
753
763
|
|
754
|
-
# 1.9.0
|
764
|
+
# 1.9.0 - 2012-12-25
|
755
765
|
|
756
766
|
* Update to RubyParser 3
|
757
767
|
* Ignore route information by default
|
@@ -771,7 +781,7 @@
|
|
771
781
|
* Handle empty model files
|
772
782
|
* Remove "find by regex" feature from `CallIndex`
|
773
783
|
|
774
|
-
# 1.8.3
|
784
|
+
# 1.8.3 - 2012-11-13
|
775
785
|
|
776
786
|
* Use `multi_json` gem for better harmony
|
777
787
|
* Performance improvement for call indexing
|
@@ -787,7 +797,7 @@
|
|
787
797
|
* Fix error in rescan of mixins with symbols in method name
|
788
798
|
* Do not rescan non-Ruby files in config/
|
789
799
|
|
790
|
-
# 1.8.2
|
800
|
+
# 1.8.2 - 2012-10-17
|
791
801
|
|
792
802
|
* Fixed rescanning problems caused by 1.8.0 changes
|
793
803
|
* Fix scope calls with single argument
|
@@ -796,7 +806,7 @@
|
|
796
806
|
* Much improved test coverage
|
797
807
|
* Add CHANGES to gemspec
|
798
808
|
|
799
|
-
# 1.8.1
|
809
|
+
# 1.8.1 - 2012-09-24
|
800
810
|
|
801
811
|
* Recover from errors in output formatting
|
802
812
|
* Fix false positive in redirect_to (Neil Matatall)
|
@@ -808,7 +818,7 @@
|
|
808
818
|
* Handle super calls with blocks
|
809
819
|
* Respect `-q` flag for "Rails 3 detected" message
|
810
820
|
|
811
|
-
# 1.8.0
|
821
|
+
# 1.8.0 - 2012-09-05
|
812
822
|
|
813
823
|
* Support relative paths in reports (fsword)
|
814
824
|
* Allow Brakeman to be run without tty (fsword)
|
@@ -824,7 +834,7 @@
|
|
824
834
|
* Treat model attributes in `or` expressions as immediate values
|
825
835
|
* Switch to method access for Sexp nodes
|
826
836
|
|
827
|
-
# 1.7.1
|
837
|
+
# 1.7.1 - 2012-08-13
|
828
838
|
|
829
839
|
* Add check for CVE-2012-3463
|
830
840
|
* Add check for CVE-2012-3464
|
@@ -832,7 +842,7 @@
|
|
832
842
|
* Add charset to HTML report (hooopo)
|
833
843
|
* Report XSS in select() for Rails 2
|
834
844
|
|
835
|
-
# 1.7.0
|
845
|
+
# 1.7.0 - 2012-07-31
|
836
846
|
|
837
847
|
* Add check for CVE-2012-3424
|
838
848
|
* Link report types to descriptions on website
|
@@ -847,7 +857,7 @@
|
|
847
857
|
* Fix processing of negative array indexes
|
848
858
|
* Add line breaks to truncated table rows
|
849
859
|
|
850
|
-
# 1.6.2
|
860
|
+
# 1.6.2 - 2012-06-13
|
851
861
|
|
852
862
|
* Add checks for CVE-2012-2660, CVE-2012-2661, CVE-2012-2694, CVE-2012-2695 (Dave Worth)
|
853
863
|
* Avoid warning when redirecting to a model instance
|
@@ -859,7 +869,7 @@
|
|
859
869
|
* Cache before_filter lookups
|
860
870
|
* Turn off quiet mode by default for `--compare`
|
861
871
|
|
862
|
-
# 1.6.1
|
872
|
+
# 1.6.1 - 2012-05-23
|
863
873
|
|
864
874
|
* Major rewrite of CheckSQL
|
865
875
|
* Fix rescanning of deleted templates
|
@@ -869,7 +879,7 @@
|
|
869
879
|
* Fix highlighting of HTML escaped values in HTML report
|
870
880
|
* Report line number of highlighted value, if available
|
871
881
|
|
872
|
-
# 1.6.0
|
882
|
+
# 1.6.0 - 2012-04-20
|
873
883
|
|
874
884
|
* Remove the Ruport dependency (Neil Matatall)
|
875
885
|
* Add more informational JSON output (Neil Matatall)
|
@@ -881,7 +891,7 @@
|
|
881
891
|
* Fix rescanning of deleted files
|
882
892
|
* Properly check for rails_xss in Gemfile
|
883
893
|
|
884
|
-
# 1.5.3
|
894
|
+
# 1.5.3 - 2012-04-10
|
885
895
|
|
886
896
|
* Add check for user input in Object#send (Neil Matatall)
|
887
897
|
* Handle render :layout in views
|
@@ -895,7 +905,7 @@
|
|
895
905
|
* Improve handling of modules and nesting
|
896
906
|
* Test for zero errors in test reports
|
897
907
|
|
898
|
-
# 1.5.2
|
908
|
+
# 1.5.2 - 2012-03-22
|
899
909
|
|
900
910
|
* Fix link_to checks for Rails 2.0 and 2.3
|
901
911
|
* Fix rescanning of lib files (Neil Matatall)
|
@@ -906,7 +916,7 @@
|
|
906
916
|
* Fix handling of views when using rails_xss
|
907
917
|
* Revert to ruby_parser 2.3.1 for Ruby 1.8 parsing
|
908
918
|
|
909
|
-
# 1.5.1
|
919
|
+
# 1.5.1- 2012-03-06
|
910
920
|
|
911
921
|
* Fix detection of global mass assignment setting
|
912
922
|
* Fix partial rendering in Rails 3
|
@@ -916,7 +926,7 @@
|
|
916
926
|
* Add tracking of module and class to Brakeman::BaseProcessor
|
917
927
|
* Report module when using Brakeman::FindCall
|
918
928
|
|
919
|
-
# 1.5.0
|
929
|
+
# 1.5.0 - 2012-03-02
|
920
930
|
|
921
931
|
* Add version check for SafeBuffer vulnerability
|
922
932
|
* Add check for select vulnerability in Rails 3
|
@@ -927,7 +937,7 @@
|
|
927
937
|
* Standardize methods to check for SQL injection
|
928
938
|
* Fix Rails 2 route parsing issue with nested routes
|
929
939
|
|
930
|
-
# 1.4.0
|
940
|
+
# 1.4.0 - 2012-02-24
|
931
941
|
|
932
942
|
* Add check for user input in link_to href parameter
|
933
943
|
* Match ERB processing to rails_xss plugin when plugin used
|
@@ -935,7 +945,7 @@
|
|
935
945
|
* Warnings below minimum confidence are dropped completely
|
936
946
|
* Brakeman.run always returns a Tracker
|
937
947
|
|
938
|
-
# 1.3.0
|
948
|
+
# 1.3.0 - 2012-02-09
|
939
949
|
|
940
950
|
* Add file paths to HTML report
|
941
951
|
* Add caching of filters
|
@@ -948,7 +958,7 @@
|
|
948
958
|
* Better variable substitution
|
949
959
|
* Table output option for rescan reports
|
950
960
|
|
951
|
-
# 1.2.2
|
961
|
+
# 1.2.2 - 2012-01-26
|
952
962
|
|
953
963
|
* --no-progress works again
|
954
964
|
* Make CheckLinkTo a separate check
|
@@ -956,7 +966,7 @@
|
|
956
966
|
* Handle empty resource(s) blocks
|
957
967
|
* Add RescanReport#existing_warnings
|
958
968
|
|
959
|
-
## 1.2.1
|
969
|
+
## 1.2.1 - 2012-01-20
|
960
970
|
|
961
971
|
* Remove link_to warning for Rails 3.x or when using rails_xss
|
962
972
|
* Don't warn if first argument to link_to is escaped
|
@@ -968,7 +978,7 @@
|
|
968
978
|
* Add Brakeman::RescanReport#to_s
|
969
979
|
* Add Brakeman::Warning#to_s
|
970
980
|
|
971
|
-
## 1.2.0
|
981
|
+
## 1.2.0 - 2012-01-14
|
972
982
|
|
973
983
|
* Speed improvements for CheckExecute and CheckRender
|
974
984
|
* Check named_scope() and scope() for SQL injection
|
@@ -977,7 +987,7 @@
|
|
977
987
|
* Add --summary option to only output summary
|
978
988
|
* Fix a problem with Rails 3 routes
|
979
989
|
|
980
|
-
## 1.1.0
|
990
|
+
## 1.1.0 - 2011-12-22
|
981
991
|
|
982
992
|
* Relax required versions for dependencies
|
983
993
|
* Performance improvements for source processing
|
@@ -987,14 +997,14 @@
|
|
987
997
|
* Compatibility with newer Haml versions
|
988
998
|
* Fix some warnings
|
989
999
|
|
990
|
-
## 1.0.0
|
1000
|
+
## 1.0.0 - 2011-12-08
|
991
1001
|
|
992
1002
|
* Better handling of assignments inside ifs
|
993
1003
|
* Check more expressions for SQL injection
|
994
1004
|
* Use latest ruby_parser for better 1.9 syntax support
|
995
1005
|
* Better behavior for Brakeman as a library
|
996
1006
|
|
997
|
-
## 1.0.0rc1
|
1007
|
+
## 1.0.0rc1 - 2011-12-06
|
998
1008
|
|
999
1009
|
* Brakeman can now be used as a library
|
1000
1010
|
* Faster call search
|
@@ -1007,23 +1017,23 @@
|
|
1007
1017
|
* Ignore mass assignment using all literal arguments
|
1008
1018
|
* Keep expanded context in view with HTML output
|
1009
1019
|
|
1010
|
-
## 0.9.2
|
1020
|
+
## 0.9.2 - 2011-11-22
|
1011
1021
|
|
1012
1022
|
* Fix Rails 3 configuration parsing
|
1013
1023
|
* Add t() helper to check for translate XSS bug
|
1014
1024
|
|
1015
|
-
## 0.9.1
|
1025
|
+
## 0.9.1 - 2011-11-18
|
1016
1026
|
|
1017
1027
|
* Add warning for translator helper XSS vulnerability
|
1018
1028
|
|
1019
|
-
## 0.9.0
|
1029
|
+
## 0.9.0 - 2011-11-17
|
1020
1030
|
|
1021
1031
|
* Process Rails 3 configuration files
|
1022
1032
|
* Fix CSV output
|
1023
1033
|
* Check for config.active_record.whitelist_attributes = true
|
1024
1034
|
* Always produce a warning for without_protection => true
|
1025
1035
|
|
1026
|
-
## 0.8.4
|
1036
|
+
## 0.8.4 - 2011-11-04
|
1027
1037
|
|
1028
1038
|
* Option for separate attr_accessible warnings
|
1029
1039
|
* Option to set CSS file for HTML output
|
@@ -1032,23 +1042,23 @@
|
|
1032
1042
|
* Fix hash_insert()
|
1033
1043
|
* Remove use of Queue from threaded checks
|
1034
1044
|
|
1035
|
-
## 0.8.3
|
1045
|
+
## 0.8.3 - 2011-10-25
|
1036
1046
|
|
1037
1047
|
* Respect -w flag in .tabs format (tw-ngreen)
|
1038
1048
|
* Escape HTML output of error messages
|
1039
1049
|
* Add --skip-libs option
|
1040
1050
|
|
1041
|
-
## 0.8.2
|
1051
|
+
## 0.8.2 - 2011-10-01
|
1042
1052
|
|
1043
1053
|
* Run checks in parallel threads by default
|
1044
1054
|
* Fix compatibility with ruby_parser 2.3.1
|
1045
1055
|
|
1046
|
-
## 0.8.1
|
1056
|
+
## 0.8.1 - 2011-09-28
|
1047
1057
|
|
1048
1058
|
* Add option to assume all controller methods are actions
|
1049
1059
|
* Recover from errors when parsing routes
|
1050
1060
|
|
1051
|
-
## 0.8.0
|
1061
|
+
## 0.8.0 - 2011-09-15
|
1052
1062
|
|
1053
1063
|
* Add check for mass assignment using without_protection
|
1054
1064
|
* Add check for password in http_basic_authenticate_with
|
@@ -1059,30 +1069,30 @@
|
|
1059
1069
|
* Add ruby_parser hack for Ruby 1.9 hash syntax
|
1060
1070
|
* Add a few Rails 3.1 tests
|
1061
1071
|
|
1062
|
-
## 0.7.2
|
1072
|
+
## 0.7.2 - 2011-08-27
|
1063
1073
|
|
1064
1074
|
* Fix handling of params and cookies with nested access
|
1065
1075
|
* Add CVEs for checks added in 0.7.0
|
1066
1076
|
|
1067
|
-
## 0.7.1
|
1077
|
+
## 0.7.1 - 2011-08-18
|
1068
1078
|
|
1069
1079
|
* Require BaseProcessor for GemProcessor
|
1070
1080
|
|
1071
|
-
## 0.7.0
|
1081
|
+
## 0.7.0 - 2011-08-17
|
1072
1082
|
|
1073
1083
|
* Allow local variable as a class name
|
1074
1084
|
* Add checks for vulnerabilities fixed in Rails 2.3.14 and 3.0.10
|
1075
1085
|
* Check for default routes in Rails 3 apps
|
1076
1086
|
* Look in Gemfile or Gemfile.lock for Rails version
|
1077
1087
|
|
1078
|
-
## 0.6.1
|
1088
|
+
## 0.6.1 - 2011-07-29
|
1079
1089
|
|
1080
1090
|
* Fix XSS check for cookies as parameters in output
|
1081
1091
|
* Don't bother calling super in CheckSessionSettings
|
1082
1092
|
* Add escape_once as a safe method
|
1083
1093
|
* Accept '\Z' or '\z' in model validations
|
1084
1094
|
|
1085
|
-
## 0.6.0
|
1095
|
+
## 0.6.0 - 2011-07-20
|
1086
1096
|
|
1087
1097
|
* Tests are in place and fully functional
|
1088
1098
|
* Hide errors by default in HTML output
|
@@ -1095,17 +1105,17 @@
|
|
1095
1105
|
* Fixes to escaped output scanning
|
1096
1106
|
* Update CSRF CVE-2011-0447 message to be less assertive
|
1097
1107
|
|
1098
|
-
## 0.5.2
|
1108
|
+
## 0.5.2 - 2011-06-29
|
1099
1109
|
|
1100
1110
|
* Output report file name when finished
|
1101
1111
|
* Add initial tests for Rails 2.x
|
1102
1112
|
* Fix ERB line numbers when using Ruby 1.9
|
1103
1113
|
|
1104
|
-
## 0.5.1
|
1114
|
+
## 0.5.1 - 2011-06-17
|
1105
1115
|
|
1106
1116
|
* Fix issue with 'has_one' => in routes
|
1107
1117
|
|
1108
|
-
## 0.5.0
|
1118
|
+
## 0.5.0 - 2011-06-08
|
1109
1119
|
|
1110
1120
|
* Add support for routes like get 'x/y', :to => 'ctrlr#whatever'
|
1111
1121
|
* Allow empty blocks in Rails 3 routes
|
@@ -1113,52 +1123,52 @@
|
|
1113
1123
|
* Add line numbers to session setting warnings
|
1114
1124
|
* Add --checks option to list checks
|
1115
1125
|
|
1116
|
-
## 0.4.1
|
1126
|
+
## 0.4.1 - 2011-05-23
|
1117
1127
|
|
1118
1128
|
* Fix reported line numbers when using new Erubis parser
|
1119
1129
|
(Mostly affects Rails 3 apps)
|
1120
1130
|
|
1121
|
-
## 0.4.0
|
1131
|
+
## 0.4.0 - 2011-05-19
|
1122
1132
|
|
1123
1133
|
* Handle Rails XSS protection properly
|
1124
1134
|
* More detection options for rails_xss
|
1125
1135
|
* Add --escape-html option
|
1126
1136
|
|
1127
|
-
## 0.3.2
|
1137
|
+
## 0.3.2 - 2011-05-12
|
1128
1138
|
|
1129
1139
|
* Autodetect Rails 3 applications
|
1130
1140
|
* Turn on auto-escaping for Rails 3 apps
|
1131
1141
|
* Check Model.create() for mass assignment
|
1132
1142
|
|
1133
|
-
## 0.3.1
|
1143
|
+
## 0.3.1 - 2011-05-03
|
1134
1144
|
|
1135
1145
|
* Always output a line number in tabbed output format
|
1136
1146
|
* Restrict characters in category name in tabbed output format to
|
1137
1147
|
word characters and spaces, for Hudson/Jenkins plugin
|
1138
1148
|
|
1139
|
-
## 0.3.0
|
1149
|
+
## 0.3.0 - 2011-03-21
|
1140
1150
|
|
1141
1151
|
* Check for SQL injection in calls using constantize()
|
1142
1152
|
* Check for SQL injection in calls to count_by_sql()
|
1143
1153
|
|
1144
|
-
## 0.2.2
|
1154
|
+
## 0.2.2 - 2011-02-22
|
1145
1155
|
|
1146
1156
|
* Fix version_between? when no Rails version is specified
|
1147
1157
|
|
1148
|
-
## 0.2.1
|
1158
|
+
## 0.2.1 - 2011-02-18
|
1149
1159
|
|
1150
1160
|
* Add code snippet to tab output messages
|
1151
1161
|
|
1152
|
-
## 0.2.0
|
1162
|
+
## 0.2.0 - 2011-02-16
|
1153
1163
|
|
1154
1164
|
* Add check for mail_to vulnerability - CVE-2011-0446
|
1155
1165
|
* Add check for CSRF weakness - CVE-2011-0447
|
1156
1166
|
|
1157
|
-
## 0.1.1
|
1167
|
+
## 0.1.1 - 2011-01-25
|
1158
1168
|
|
1159
1169
|
* Be more permissive with ActiveSupport version
|
1160
1170
|
|
1161
|
-
## 0.1.0
|
1171
|
+
## 0.1.0 - 2011-01-18
|
1162
1172
|
|
1163
1173
|
* Check link_to for XSS (because arguments are not escaped)
|
1164
1174
|
* Process layouts better (although not perfectly yet)
|
@@ -19,7 +19,11 @@ class Brakeman::CheckReverseTabnabbing < Brakeman::BaseCheck
|
|
19
19
|
return unless hash? html_opts
|
20
20
|
|
21
21
|
target = hash_access html_opts, :target
|
22
|
-
|
22
|
+
unless target &&
|
23
|
+
(string?(target) && target.value == "_blank" ||
|
24
|
+
symbol?(target) && target.value == :_blank)
|
25
|
+
return
|
26
|
+
end
|
23
27
|
|
24
28
|
target_url = result[:block] ? result[:call].first_arg : result[:call].second_arg
|
25
29
|
|
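Review bot: The `unless target && (string?(target) && target.value == "_blank" || symbol?(target) && target.value == :_blank)` condition mixes `&&` and `||` inside an `unless`, so the reader has to re-derive operator precedence to see that it is correct, and it is a case-sensitive literal match even though browsers treat the `_blank` keyword as ASCII case-insensitive, so a `target: "_Blank"` option opens a new tab without being flagged. Two guard clauses cover both points: `return unless target` followed by `return unless (string?(target) || symbol?(target)) && target.value.to_s.downcase == "_blank"`. The enclosing method starts before and ends after this hunk.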
@@ -19,16 +19,17 @@ module Brakeman
|
|
19
19
|
end
|
20
20
|
end
|
21
21
|
|
22
|
+
STRING_LENGTH_LIMIT = 50
|
23
|
+
|
22
24
|
# Join two string literals into one.
|
23
25
|
def join_strings lhs, rhs, original_exp = nil
|
24
26
|
if string? lhs and string? rhs
|
25
|
-
|
26
|
-
result.value = lhs.value + rhs.value
|
27
|
-
|
28
|
-
if result.value.length > 50
|
27
|
+
if (lhs.value.length + rhs.value.length > STRING_LENGTH_LIMIT)
|
29
28
|
# Avoid gigantic strings
|
30
29
|
lhs
|
31
30
|
else
|
31
|
+
result = Sexp.new(:str).line(lhs.line)
|
32
|
+
result.value = lhs.value + rhs.value
|
32
33
|
result
|
33
34
|
end
|
34
35
|
elsif call? lhs and lhs.method == :+ and string? lhs.first_arg and string? rhs
|
@@ -19,7 +19,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
|
|
19
19
|
add_chunk generate_controllers if tracker.options[:debug] or tracker.options[:report_routes]
|
20
20
|
add_chunk generate_templates if tracker.options[:debug]
|
21
21
|
add_chunk generate_obsolete
|
22
|
-
add_chunk generate_errors
|
22
|
+
add_chunk generate_errors
|
23
23
|
add_chunk generate_warnings
|
24
24
|
end
|
25
25
|
|
@@ -51,7 +51,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
|
|
51
51
|
|
52
52
|
def generate_header
|
53
53
|
[
|
54
|
-
header("Brakeman Report"),
|
54
|
+
header("Brakeman Report"),
|
55
55
|
label("Application Path", tracker.app_path),
|
56
56
|
label("Rails Version", rails_version),
|
57
57
|
label("Brakeman Version", Brakeman::Version),
|
@@ -92,7 +92,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
|
|
92
92
|
HighLine.color("No warnings found", :bold, :green)
|
93
93
|
else
|
94
94
|
warnings = tracker.filtered_warnings.sort_by do |w|
|
95
|
-
[w.confidence, w.warning_type, w.fingerprint]
|
95
|
+
[w.confidence, w.warning_type, w.file, w.line, w.fingerprint]
|
96
96
|
end.map do |w|
|
97
97
|
output_warning w
|
98
98
|
end
|
@@ -140,7 +140,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
|
|
140
140
|
end
|
141
141
|
|
142
142
|
double_space "Template Output", template_rows.sort_by { |name, value| name.to_s }.map { |template|
|
143
|
-
[HighLine.new.color(template.first
|
143
|
+
[HighLine.new.color("#{template.first}\n", :cyan)] + template[1]
|
144
144
|
}.compact
|
145
145
|
end
|
146
146
|
|
@@ -211,4 +211,3 @@ class Brakeman::Report::Text < Brakeman::Report::Base
|
|
211
211
|
double_space "Controller Overview", controllers
|
212
212
|
end
|
213
213
|
end
|
214
|
-
|
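Review bot: The new sort key `[w.confidence, w.warning_type, w.file, w.line, w.fingerprint]` will raise `ArgumentError: comparison of Array with Array failed` whenever two warnings share confidence, type and file but one of them has a nil line, because `nil <=> Integer` is nil and Array#<=> propagates it — and the older changelog entry about always outputting a line number in tabbed format suggests line-less warnings do exist. Likewise, if `w.file` is a path object rather than a String it must implement `<=>` for the key to be sortable. Normalizing the key avoids both: `[w.confidence, w.warning_type, w.file.to_s, w.line.to_i, w.fingerprint]`. The other hunks in this file are whitespace and output-formatting changes; generate_warnings continues outside the hunk.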
data/lib/brakeman/version.rb
CHANGED
data/lib/ruby_parser/bm_sexp.rb
CHANGED
@@ -371,7 +371,12 @@ class Sexp
|
|
371
371
|
# s(:block, s(:lvar, :y), s(:call, nil, :z, s(:arglist))))
|
372
372
|
def block_call
|
373
373
|
expect :iter
|
374
|
-
|
374
|
+
|
375
|
+
if self[1].node_type == :lambda
|
376
|
+
s(:call, nil, :lambda).line(self.line)
|
377
|
+
else
|
378
|
+
self[1]
|
379
|
+
end
|
375
380
|
end
|
376
381
|
|
377
382
|
#Returns block of a call with a block.
|
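Review bot: The new `:lambda` branch changes the contract of `block_call` — it may now return a freshly built `s(:call, nil, :lambda)` rather than an element of `self` — but the comment block above it (ending with the `s(:block, …)` example) does not say so. Suggest adding above the `if`: `# A stabby lambda parses as s(:iter, s(:lambda), ...); normalize it to s(:call, nil, :lambda) so callers can read .method/.target as for lambda { }.` The synthesized node takes the :iter's line via `self.line`, which seems reasonable if the bare `s(:lambda)` node carries no line of its own. Any caller that compared the result to `self[1]` by identity would no longer match, though I cannot see such a caller from here.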
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: brakeman-lib
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 4.7.
|
4
|
+
version: 4.7.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Justin Collins
|
@@ -9,7 +9,7 @@ autorequire:
|
|
9
9
|
bindir: bin
|
10
10
|
cert_chain:
|
11
11
|
- brakeman-public_cert.pem
|
12
|
-
date: 2019-10-
|
12
|
+
date: 2019-10-29 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: minitest
|