brakeman-lib 4.7.1 → 4.7.2
- checksums.yaml +4 -4
- data/CHANGES.md +8 -0
- data/README.md +1 -1
- data/lib/brakeman/checks/check_mass_assignment.rb +1 -1
- data/lib/brakeman/checks/check_sql.rb +24 -22
- data/lib/brakeman/processor.rb +1 -1
- data/lib/brakeman/util.rb +5 -3
- data/lib/brakeman/version.rb +1 -1
- metadata +11 -5
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: ef101a185ff582733d1564d862fcb87afbedb1df01482f1c8815f130bd886a0b
|
4
|
+
data.tar.gz: 938ff3304347e001f5f21880d8d6dfca2bb1d3b26f29dae7d269db67350df70f
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: de7d5d8fc614fd226145878158e4e75745e31afce19e87e84e73d19d5182b42128ff36d2a5fa45567286ec989513fa5c1ae40aa53353f56b04c3a7a52a11bef6
|
7
|
+
data.tar.gz: 78006970c55993fbcf96ac56783d3ed04beb1d5bf54d4b716a04158796398577ded0fb1bd7b7070e91074a6daff48e762b6b49515c10ca6d27c84cde0e7b0531
|
data/CHANGES.md
CHANGED
@@ -1,3 +1,11 @@
|
|
1
|
+
# 4.7.2 - 2019-11-25
|
2
|
+
|
3
|
+
* Remove version guard for `named_scope` vs. `scope`
|
4
|
+
* Find SQL injection in `String#strip_heredoc` target
|
5
|
+
* Handle more `permit!` cases
|
6
|
+
* Ensure file name is set when processing model
|
7
|
+
* Add `request.params` as query parameters
|
8
|
+
|
1
9
|
# 4.7.1 - 2019-10-29
|
2
10
|
|
3
11
|
* Check string length against limit before joining
|
data/README.md
CHANGED
@@ -62,7 +62,7 @@ Outside of Rails root (note that the output file is relative to path/to/rails/ap
|
|
62
62
|
|
63
63
|
# Compatibility
|
64
64
|
|
65
|
-
Brakeman should work with any version of Rails from 2.3.x to
|
65
|
+
Brakeman should work with any version of Rails from 2.3.x to 6.x.
|
66
66
|
|
67
67
|
Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 2.3.0 to run.
|
68
68
|
|
@@ -158,7 +158,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
|
|
158
158
|
|
159
159
|
# Look for and warn about uses of Parameters#permit! for mass assignment
|
160
160
|
def check_permit!
|
161
|
-
tracker.find_call(:method => :permit
|
161
|
+
tracker.find_call(:method => :permit!, :nested => true).each do |result|
|
162
162
|
if params? result[:call].target and not result[:chain].include? :slice
|
163
163
|
warn_on_permit! result
|
164
164
|
end
|
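Review bot: The new `:nested => true` option on the `tracker.find_call` line is undocumented, and the comment above `check_permit!` only states the broad intent, so a reader cannot tell which additional `permit!` placements this release's "Handle more `permit!` cases" entry is meant to catch. I would add a why-comment directly above the call, e.g. `# :nested => true so permit! is also reported when it sits inside another call (as an argument or receiver) — confirm against Tracker#find_call`, hedged because the option's semantics are not visible here. The `params? ... and not ...` guard on the following line is unchanged context, but since the method is being touched it would be worth switching `and`/`not` to `&&`/`!` to avoid Ruby's low-precedence keyword operators. The `each` block and `check_permit!` itself continue past the end of this hunk.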
@@ -71,32 +71,32 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
71
71
|
def find_scope_calls
|
72
72
|
scope_calls = []
|
73
73
|
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
|
78
|
-
|
79
|
-
|
80
|
-
|
81
|
-
|
82
|
-
|
83
|
-
|
84
|
-
|
85
|
-
|
86
|
-
|
87
|
-
|
88
|
-
|
89
|
-
|
90
|
-
|
91
|
-
|
92
|
-
|
74
|
+
# Used in pre-3.1.0 versions of Rails
|
75
|
+
ar_scope_calls(:named_scope) do |model, args|
|
76
|
+
call = make_call(nil, :named_scope, args).line(args.line)
|
77
|
+
scope_calls << scope_call_hash(call, model, :named_scope)
|
78
|
+
end
|
79
|
+
|
80
|
+
# Use in 3.1.0 and later
|
81
|
+
ar_scope_calls(:scope) do |model, args|
|
82
|
+
second_arg = args[2]
|
83
|
+
next unless sexp? second_arg
|
84
|
+
|
85
|
+
if second_arg.node_type == :iter and node_type? second_arg.block, :block, :call, :safe_call
|
86
|
+
process_scope_with_block(model, args)
|
87
|
+
elsif call? second_arg
|
88
|
+
call = second_arg
|
89
|
+
scope_calls << scope_call_hash(call, model, call.method)
|
90
|
+
else
|
91
|
+
call = make_call(nil, :scope, args).line(args.line)
|
92
|
+
scope_calls << scope_call_hash(call, model, :scope)
|
93
93
|
end
|
94
94
|
end
|
95
95
|
|
96
96
|
scope_calls
|
97
97
|
end
|
98
98
|
|
99
|
-
def ar_scope_calls(symbol_name
|
99
|
+
def ar_scope_calls(symbol_name, &block)
|
100
100
|
active_record_models.each do |name, model|
|
101
101
|
model_args = model.options[symbol_name]
|
102
102
|
if model_args
|
@@ -393,6 +393,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
393
393
|
nil
|
394
394
|
end
|
395
395
|
|
396
|
+
TO_STRING_METHODS = [:to_s, :strip_heredoc]
|
397
|
+
|
396
398
|
#Returns value if interpolated value is not something safe
|
397
399
|
def unsafe_string_interp? exp
|
398
400
|
if node_type? exp, :evstr
|
@@ -403,7 +405,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
403
405
|
|
404
406
|
if not sexp? value
|
405
407
|
nil
|
406
|
-
elsif call? value and value.method
|
408
|
+
elsif call? value and TO_STRING_METHODS.include? value.method
|
407
409
|
unsafe_string_interp? value.target
|
408
410
|
elsif call? value and safe_literal_target? value
|
409
411
|
nil
|
@@ -466,7 +468,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
466
468
|
unless IGNORE_METHODS_IN_SQL.include? exp.method
|
467
469
|
if has_immediate_user_input? exp
|
468
470
|
exp
|
469
|
-
elsif exp.method
|
471
|
+
elsif TO_STRING_METHODS.include? exp.method
|
470
472
|
find_dangerous_value exp.target, ignore_hash
|
471
473
|
else
|
472
474
|
check_call exp
|
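Review bot: `TO_STRING_METHODS = [:to_s, :strip_heredoc]` is a mutable array constant; it should be frozen, `TO_STRING_METHODS = [:to_s, :strip_heredoc].freeze`, and deserves a one-line comment such as `# Methods whose receiver is the string actually interpolated/executed, so taint is looked up on the target` since it is consulted in both `unsafe_string_interp?` and the `find_dangerous_value` branch later in this section. Whether `IGNORE_METHODS_IN_SQL` (visible in the last hunk) is frozen cannot be seen from this page, so I would check that the two constants follow the same convention. In the `find_scope_calls` hunk the new comment `# Use in 3.1.0 and later` reads as a typo for `# Used in 3.1.0 and later`, matching the `# Used in pre-3.1.0 versions of Rails` comment just above it.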
data/lib/brakeman/processor.rb
CHANGED
@@ -53,7 +53,7 @@ module Brakeman
|
|
53
53
|
#Process a model source
|
54
54
|
def process_model src, file_name
|
55
55
|
result = ModelProcessor.new(@tracker).process_model src, file_name
|
56
|
-
AliasProcessor.new(@tracker).process result if result
|
56
|
+
AliasProcessor.new(@tracker, file_name).process result if result
|
57
57
|
end
|
58
58
|
|
59
59
|
#Process either an ERB or HAML template
|
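Review bot: The reason for the new `file_name` argument on the `AliasProcessor.new(@tracker, file_name)` line is not stated at the call site; the only hint is the changelog entry "Ensure file name is set when processing model". A short why-comment would help the next reader, e.g. `# Pass file_name through so alias processing of the model carries its source file (see 4.7.2 changelog); AliasProcessor's constructor is not shown here — confirm it accepts it as the second positional argument`. The `if result` guard is unchanged and still skips alias processing when `process_model` returns nil, which seems intentional.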
data/lib/brakeman/util.rb
CHANGED
@@ -8,9 +8,11 @@ module Brakeman::Util
|
|
8
8
|
|
9
9
|
PATH_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request), :path_parameters)
|
10
10
|
|
11
|
-
|
11
|
+
REQUEST_REQUEST_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request), :request_parameters)
|
12
12
|
|
13
|
-
|
13
|
+
REQUEST_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request), :parameters)
|
14
|
+
|
15
|
+
REQUEST_PARAMS = Sexp.new(:call, Sexp.new(:call, nil, :request), :params)
|
14
16
|
|
15
17
|
REQUEST_ENV = Sexp.new(:call, Sexp.new(:call, nil, :request), :env)
|
16
18
|
|
@@ -22,7 +24,7 @@ module Brakeman::Util
|
|
22
24
|
|
23
25
|
SESSION = Sexp.new(:call, nil, :session)
|
24
26
|
|
25
|
-
ALL_PARAMETERS = Set[PARAMETERS, QUERY_PARAMETERS, PATH_PARAMETERS, REQUEST_PARAMETERS, REQUEST_PARAMS]
|
27
|
+
ALL_PARAMETERS = Set[PARAMETERS, QUERY_PARAMETERS, PATH_PARAMETERS, REQUEST_REQUEST_PARAMETERS, REQUEST_PARAMETERS, REQUEST_PARAMS]
|
26
28
|
|
27
29
|
ALL_COOKIES = Set[COOKIES, REQUEST_COOKIES]
|
28
30
|
|
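Review bot: `REQUEST_PARAMETERS` keeps its name but now denotes `request.parameters`, while the `request.request_parameters` Sexp moves to the newly named `REQUEST_REQUEST_PARAMETERS`; the removed lines' text is not shown on this page, but if the old `REQUEST_PARAMETERS` was the `request_parameters` Sexp, any other code referencing `Brakeman::Util::REQUEST_PARAMETERS` by name silently changes meaning without a compile-time signal. I would grep the rest of the gem for that constant and add a clarifying comment above the pair, e.g. `# REQUEST_PARAMETERS is request.parameters; request.request_parameters is REQUEST_REQUEST_PARAMETERS`. Adding `REQUEST_PARAMS`/`REQUEST_PARAMETERS` to `ALL_PARAMETERS` presumably widens the set of expressions treated as user-controlled input (the changelog's "Add `request.params` as query parameters"), which is the conservative direction for a scanner.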
data/lib/brakeman/version.rb
CHANGED
metadata
CHANGED
@@ -1,15 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: brakeman-lib
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 4.7.
|
4
|
+
version: 4.7.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Justin Collins
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
|
-
cert_chain:
|
11
|
-
-
|
12
|
-
date: 2019-10-29 00:00:00.000000000 Z
|
10
|
+
cert_chain: []
|
11
|
+
date: 2019-11-25 00:00:00.000000000 Z
|
13
12
|
dependencies:
|
14
13
|
- !ruby/object:Gem::Dependency
|
15
14
|
name: minitest
|
@@ -383,7 +382,14 @@ files:
|
|
383
382
|
homepage: http://brakemanscanner.org
|
384
383
|
licenses:
|
385
384
|
- Brakeman Public Use License
|
386
|
-
metadata:
|
385
|
+
metadata:
|
386
|
+
bug_tracker_uri: https://github.com/presidentbeef/brakeman/issues
|
387
|
+
changelog_uri: https://github.com/presidentbeef/brakeman/releases
|
388
|
+
documentation_uri: https://brakemanscanner.org/docs/
|
389
|
+
homepage_uri: https://brakemanscanner.org/
|
390
|
+
mailing_list_uri: https://gitter.im/presidentbeef/brakeman
|
391
|
+
source_code_uri: https://github.com/presidentbeef/brakeman
|
392
|
+
wiki_uri: https://github.com/presidentbeef/brakeman/wiki
|
387
393
|
post_install_message:
|
388
394
|
rdoc_options: []
|
389
395
|
require_paths:
|