brakeman-lib 4.7.1 → 4.9.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGES.md +47 -0
- data/README.md +13 -5
- data/lib/brakeman.rb +20 -0
- data/lib/brakeman/checks/base_check.rb +13 -10
- data/lib/brakeman/checks/check_basic_auth.rb +2 -0
- data/lib/brakeman/checks/check_content_tag.rb +1 -2
- data/lib/brakeman/checks/check_csrf_token_forgery_cve.rb +28 -0
- data/lib/brakeman/checks/check_deserialize.rb +21 -1
- data/lib/brakeman/checks/check_execute.rb +40 -5
- data/lib/brakeman/checks/check_json_entity_escape.rb +38 -0
- data/lib/brakeman/checks/check_link_to.rb +1 -1
- data/lib/brakeman/checks/check_link_to_href.rb +1 -3
- data/lib/brakeman/checks/check_mass_assignment.rb +34 -4
- data/lib/brakeman/checks/check_model_attr_accessible.rb +1 -1
- data/lib/brakeman/checks/check_page_caching_cve.rb +37 -0
- data/lib/brakeman/checks/check_permit_attributes.rb +1 -1
- data/lib/brakeman/checks/check_skip_before_filter.rb +4 -4
- data/lib/brakeman/checks/check_sql.rb +24 -33
- data/lib/brakeman/checks/check_template_injection.rb +32 -0
- data/lib/brakeman/commandline.rb +25 -1
- data/lib/brakeman/differ.rb +0 -5
- data/lib/brakeman/options.rb +21 -1
- data/lib/brakeman/processor.rb +1 -1
- data/lib/brakeman/processors/alias_processor.rb +2 -3
- data/lib/brakeman/processors/lib/find_all_calls.rb +30 -14
- data/lib/brakeman/processors/lib/render_helper.rb +3 -1
- data/lib/brakeman/report.rb +4 -1
- data/lib/brakeman/report/ignore/config.rb +10 -2
- data/lib/brakeman/report/report_junit.rb +104 -0
- data/lib/brakeman/report/report_markdown.rb +0 -1
- data/lib/brakeman/report/report_text.rb +37 -16
- data/lib/brakeman/scanner.rb +4 -1
- data/lib/brakeman/tracker.rb +3 -1
- data/lib/brakeman/tracker/config.rb +4 -3
- data/lib/brakeman/tracker/constants.rb +8 -7
- data/lib/brakeman/util.rb +21 -3
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning_codes.rb +7 -0
- metadata +33 -8
@@ -98,7 +98,9 @@ module Brakeman::RenderHelper
|
|
98
98
|
|
99
99
|
if hash? options[:locals]
|
100
100
|
hash_iterate options[:locals] do |key, value|
|
101
|
-
|
101
|
+
if symbol? key
|
102
|
+
template_env[Sexp.new(:call, nil, key.value)] = value
|
103
|
+
end
|
102
104
|
end
|
103
105
|
end
|
104
106
|
|
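--- a/data/lib/brakeman/report.rb
+++ b/data/lib/brakeman/report.rb
@@ -6,7 +6,7 @@ require 'brakeman/report/report_base'
 class Brakeman::Report
 attr_reader :tracker
 
-VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain, :to_text]
+VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain, :to_text, :to_junit]
 
 def initialize tracker
 @app_tree = tracker.app_tree
@@ -40,6 +40,9 @@ class Brakeman::Report
 return self.to_table
 when :to_pdf
 raise "PDF output is not yet supported."
+when :to_junit
+require_report 'junit'
+Brakeman::Report::JUnit
 else
 raise "Invalid format: #{format}. Should be one of #{VALID_FORMATS.inspect}"
 end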
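Review bot: `VALID_FORMATS` is rewritten at new line 9 as a plain array literal that stays mutable, so any code holding a reference can append to or reorder the accepted formats at runtime; the idiomatic form for a constant list is `VALID_FORMATS = [..., :to_text, :to_junit].freeze`. The `:to_junit` arm added at lines 43–45 mirrors the neighbouring `require_report` dispatch, which is consistent, but the constant and the `case` arms are maintained by hand in two places; a one-line comment on the constant such as `# Each entry needs a matching `when` in the format dispatch below` would help whoever adds the next format.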
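--- a/data/lib/brakeman/report/ignore/config.rb
+++ b/data/lib/brakeman/report/ignore/config.rb
@@ -94,10 +94,18 @@ module Brakeman
 end
 end
 
+def already_ignored_entries_with_empty_notes
+@already_ignored.select { |i| i if i[:note].strip.empty? }
+end
+
 # Read configuration to file
 def read_from_file file = @file
 if File.exist? file
-
+begin
+@already_ignored = JSON.parse(File.read(file), :symbolize_names => true)[:ignored_warnings]
+rescue => e
+raise e, "\nError[#{e.class}] while reading brakeman ignore file: #{file}\n"
+end
 else
 Brakeman.notify "[Notice] Could not find ignore configuration in #{file}"
 @already_ignored = []
@@ -118,7 +126,7 @@ module Brakeman
 
 w[:note] = @notes[w[:fingerprint]] || ""
 w
-end.sort_by { |w| w[:fingerprint] }
+end.sort_by { |w| [w[:fingerprint], w[:line]] }
 
 output = {
 :ignored_warnings => warnings,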
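Review bot: `already_ignored_entries_with_empty_notes` at new line 98 calls `i[:note].strip` on every entry, so a hand-edited ignore file whose entry lacks a `note` key raises NoMethodError on nil, and the `i if …` inside `select` is redundant because `select` already keeps the element when the block is truthy; `@already_ignored.select { |i| i[:note].to_s.strip.empty? }` fixes both. The `begin`/`rescue` added to `read_from_file` (lines 104–108) usefully names the file in the re-raised error, but a well-formed JSON document without an `ignored_warnings` key still leaves `@already_ignored` nil where the `else` branch guarantees `[]`; appending `|| []` on line 105 keeps that invariant. `read_from_file` continues past the end of the hunk.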
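--- /dev/null
+++ b/data/lib/brakeman/report/report_junit.rb
@@ -0,0 +1,104 @@
+require 'time'
+require "stringio"
+require 'rexml/document'
+
+class Brakeman::Report::JUnit < Brakeman::Report::Base
+def generate_report
+io = StringIO.new
+doc = REXML::Document.new
+doc.add REXML::XMLDecl.new '1.0', 'UTF-8'
+
+test_suites = REXML::Element.new 'testsuites'
+test_suites.add_attribute 'xmlns:brakeman', 'https://brakemanscanner.org/'
+properties = test_suites.add_element 'brakeman:properties', { 'xml:id' => 'scan_info' }
+properties.add_element 'brakeman:property', { 'brakeman:name' => 'app_path', 'brakeman:value' => tracker.app_path }
+properties.add_element 'brakeman:property', { 'brakeman:name' => 'rails_version', 'brakeman:value' => rails_version }
+properties.add_element 'brakeman:property', { 'brakeman:name' => 'security_warnings', 'brakeman:value' => all_warnings.length }
+properties.add_element 'brakeman:property', { 'brakeman:name' => 'start_time', 'brakeman:value' => tracker.start_time.iso8601 }
+properties.add_element 'brakeman:property', { 'brakeman:name' => 'end_time', 'brakeman:value' => tracker.end_time.iso8601 }
+properties.add_element 'brakeman:property', { 'brakeman:name' => 'duration', 'brakeman:value' => tracker.duration }
+properties.add_element 'brakeman:property', { 'brakeman:name' => 'checks_performed', 'brakeman:value' => checks.checks_run.join(',') }
+properties.add_element 'brakeman:property', { 'brakeman:name' => 'number_of_controllers', 'brakeman:value' => tracker.controllers.length }
+properties.add_element 'brakeman:property', { 'brakeman:name' => 'number_of_models', 'brakeman:value' => tracker.models.length - 1 }
+properties.add_element 'brakeman:property', { 'brakeman:name' => 'ruby_version', 'brakeman:value' => number_of_templates(@tracker) }
+properties.add_element 'brakeman:property', { 'brakeman:name' => 'number_of_templates', 'brakeman:value' => RUBY_VERSION }
+properties.add_element 'brakeman:property', { 'brakeman:name' => 'brakeman_version', 'brakeman:value' => Brakeman::Version }
+
+errors = test_suites.add_element 'brakeman:errors'
+tracker.errors.each { |e|
+error = errors.add_element 'brakeman:error'
+error.add_attribute 'brakeman:message', e[:error]
+e[:backtrace].each { |b|
+backtrace = error.add_element 'brakeman:backtrace'
+backtrace.add_text b
+}
+}
+
+obsolete = test_suites.add_element 'brakeman:obsolete'
+tracker.unused_fingerprints.each { |fingerprint|
+obsolete.add_element 'brakeman:warning', { 'brakeman:fingerprint' => fingerprint }
+}
+
+ignored = test_suites.add_element 'brakeman:ignored'
+ignored_warnings.each { |w|
+warning = ignored.add_element 'brakeman:warning'
+warning.add_attribute 'brakeman:message', w.message
+warning.add_attribute 'brakeman:category', w.warning_type
+warning.add_attribute 'brakeman:file', warning_file(w)
+warning.add_attribute 'brakeman:line', w.line
+warning.add_attribute 'brakeman:fingerprint', w.fingerprint
+warning.add_attribute 'brakeman:confidence', TEXT_CONFIDENCE[w.confidence]
+warning.add_attribute 'brakeman:code', w.format_code
+warning.add_text w.to_s
+}
+
+hostname = `hostname`.strip
+i = 0
+all_warnings
+.map { |warning| [warning.file, [warning]] }
+.reduce({}) { |entries, entry|
+key, value = entry
+entries[key] = entries[key] ? entries[key].concat(value) : value
+entries
+}
+.each { |file, warnings|
+i += 1
+test_suite = test_suites.add_element 'testsuite'
+test_suite.add_attribute 'id', i
+test_suite.add_attribute 'package', 'brakeman'
+test_suite.add_attribute 'name', file.relative
+test_suite.add_attribute 'timestamp', tracker.start_time.strftime('%FT%T')
+test_suite.add_attribute 'hostname', hostname == '' ? 'localhost' : hostname
+test_suite.add_attribute 'tests', checks.checks_run.length
+test_suite.add_attribute 'failures', warnings.length
+test_suite.add_attribute 'errors', '0'
+test_suite.add_attribute 'time', '0'
+
+test_suite.add_element 'properties'
+
+warnings.each { |warning|
+test_case = test_suite.add_element 'testcase'
+test_case.add_attribute 'name', 'run_check'
+test_case.add_attribute 'classname', warning.check
+test_case.add_attribute 'time', '0'
+
+failure = test_case.add_element 'failure'
+failure.add_attribute 'message', warning.message
+failure.add_attribute 'type', warning.warning_type
+failure.add_attribute 'brakeman:fingerprint', warning.fingerprint
+failure.add_attribute 'brakeman:file', warning_file(warning)
+failure.add_attribute 'brakeman:line', warning.line
+failure.add_attribute 'brakeman:confidence', TEXT_CONFIDENCE[warning.confidence]
+failure.add_attribute 'brakeman:code', warning.format_code
+failure.add_text warning.to_s
+}
+
+test_suite.add_element 'system-out'
+test_suite.add_element 'system-err'
+}
+
+doc.add test_suites
+doc.write io
+io.string
+end
+end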
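Review bot: The `ruby_version` and `number_of_templates` properties at new lines 23–24 have their values swapped — `ruby_version` is given `number_of_templates(@tracker)` and `number_of_templates` is given `RUBY_VERSION` — so both scan_info entries are wrong; exchange the two `'brakeman:value'` expressions so they read `'brakeman:name' => 'ruby_version', 'brakeman:value' => RUBY_VERSION` and `'brakeman:name' => 'number_of_templates', 'brakeman:value' => number_of_templates(tracker)` (every other line uses `tracker`, not `@tracker`). Line 55 spawns a subprocess with `` `hostname`.strip `` and resolves the binary through the caller's PATH only to label the suite; `Socket.gethostname` (after `require 'socket'`) returns the same value in-process and leaves the `'localhost'` fallback on line 71 as a genuine edge case rather than the outcome of a failed spawn. REXML escapes attribute values and text nodes on `write`, so the messages and code snippets need no manual escaping, but `w.line` / `warning.line` (lines 48 and 90) may be nil — the text report in this release guards on `w.line` — and whether `add_attribute` tolerates nil is worth confirming. The `map`/`reduce` over `all_warnings` at lines 57–63 is `all_warnings.group_by(&:file)`, and the hand-maintained `i` counter is `each.with_index(1)`. `tracker.models.length - 1` at line 22 deserves a comment naming the entry it excludes.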
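--- a/data/lib/brakeman/report/report_markdown.rb
+++ b/data/lib/brakeman/report/report_markdown.rb
@@ -84,7 +84,6 @@ class Brakeman::Report::Markdown < Brakeman::Report::Table
 end
 
 def convert_warning warning, original
-warning["Confidence"] = TEXT_CONFIDENCE[warning["Confidence"]]
 warning["Message"] = markdown_message original, warning["Message"]
 warning["Warning Type"] = "[#{warning['Warning Type']}](#{original.link})" if original.link
 warning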
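--- a/data/lib/brakeman/report/report_text.rb
+++ b/data/lib/brakeman/report/report_text.rb
@@ -145,24 +145,45 @@ class Brakeman::Report::Text < Brakeman::Report::Base
 end
 
 def output_warning w
-
-
-
-
+text_format = tracker.options[:text_fields] ||
+[:confidence, :category, :check, :message, :code, :file, :line]
+
+text_format.map do |option|
+format_line(w, option)
+end.compact
+end
+
+def format_line w, option
+case option
+when :confidence
+label('Confidence', confidence(w.confidence))
+when :category
+label('Category', w.warning_type.to_s)
+when :check
+label('Check', w.check.gsub(/^Brakeman::Check/, ''))
+when :message
 label('Message', w.message)
-
-
-
-
-
-
-
-
-
-
+when :code
+if w.code
+label('Code', format_code(w))
+end
+when :file
+label('File', warning_file(w))
+when :line
+if w.line
+label('Line', w.line)
+end
+when :link
+label('Link', w.link)
+when :fingerprint
+label('Fingerprint', w.fingerprint)
+when :category_id
+label('Category ID', w.warning_code)
+when :render_path
+if w.called_from
+label('Render Path', w.called_from.join(" > "))
+end
 end
-
-out
 end
 
 def double_space title, values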
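Review bot: `format_line` strips the check prefix with `w.check.gsub(/^Brakeman::Check/, '')` at new line 163; `^` anchors at any line start and `gsub` scans the whole string for what is a single leading prefix, so `w.check.sub(/\ABrakeman::Check/, '')` states the intent exactly and avoids the multi-line anchor. The `:code`, `:line` and `:render_path` arms guard against nil before calling `label`, but `:link` at line 177 does not, even though the markdown report in this same release guards on `original.link`; if `w.link` can be nil that arm presumably needs `label('Link', w.link) if w.link` so `compact` at line 153 can drop it. An unrecognized symbol in `tracker.options[:text_fields]` falls through the `case` as nil and silently vanishes from the output; an `else` arm that raises or warns would surface a mistyped field name from the command line instead of hiding it.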
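--- a/data/lib/brakeman/scanner.rb
+++ b/data/lib/brakeman/scanner.rb
@@ -94,11 +94,14 @@ class Brakeman::Scanner
 #
 #Stores parsed information in tracker.config
 def process_config
+# Sometimes folks like to put constants in environment.rb
+# so let's always process it even for newer Rails versions
+process_config_file "environment.rb"
+
 if options[:rails3] or options[:rails4] or options[:rails5] or options[:rails6]
 process_config_file "application.rb"
 process_config_file "environments/production.rb"
 else
-process_config_file "environment.rb"
 process_config_file "gems.rb"
 end
 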
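Review bot: `process_config_file "environment.rb"` now runs for every Rails version (new line 99), so a Rails 3+ application whose config/environment.rb is absent or unparsable reaches this call where it previously did not; if `process_config_file` does not already skip a missing file and route parse failures through the tracker's error list, that is the behaviour to confirm before relying on the unconditional call. The comment at lines 97–98 explains the why, which is good; phrasing it as `# environment.rb may define constants the checks need, so parse it for every Rails version` keeps the reason without the colloquial wording.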
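--- a/data/lib/brakeman/tracker.rb
+++ b/data/lib/brakeman/tracker.rb
@@ -198,8 +198,10 @@ class Brakeman::Tracker
 @constants.add name, value, context unless @options[:disable_constant_tracking]
 end
 
+# This method does not return all constants at this time,
+# just ones with "simple" values.
 def constant_lookup name
-@constants.
+@constants.get_simple_value name unless @options[:disable_constant_tracking]
 end
 
 def find_class name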
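Review bot: `constant_lookup` (new line 203) returns nil both when the constant has no "simple" value and when `@options[:disable_constant_tracking]` is set, and the comment added above it covers only the first case; extending it with `# Returns nil when constant tracking is disabled or the value is not "simple".` documents the contract callers must handle. The `disable_constant_tracking` test is repeated on line 198 and line 204; a small `constant_tracking?` predicate would keep the two in step.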
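--- a/data/lib/brakeman/tracker/config.rb
+++ b/data/lib/brakeman/tracker/config.rb
@@ -15,6 +15,7 @@ module Brakeman
 @escape_html = nil
 @erubis = nil
 @ruby_version = ""
+@rails_version = nil
 end
 
 def default_protect_from_forgery?
@@ -53,7 +54,7 @@ module Brakeman
 end
 
 def gem_version name
-extract_version @gems.dig(name, :version)
+extract_version @gems.dig(name.to_sym, :version)
 end
 
 def add_gem name, version, file, line
@@ -66,11 +67,11 @@ module Brakeman
 end
 
 def has_gem? name
-!!@gems[name]
+!!@gems[name.to_sym]
 end
 
 def get_gem name
-@gems[name]
+@gems[name.to_sym]
 end
 
 def set_rails_version version = nil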
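Review bot: `gem_version`, `has_gem?` and `get_gem` now call `name.to_sym` on their argument (new lines 57, 70, 74), which makes String and Symbol lookups agree, but a nil argument that previously produced a nil lookup now raises NoMethodError; if any caller can pass nil, `name&.to_sym` or a documented String-or-Symbol precondition is needed. `add_gem` (line 60, body outside the hunk) should store under the same symbolized key, otherwise a gem recorded under a String name is invisible to these lookups — worth confirming. The names presumably come from parsing the scanned application's dependency files, so the symbol table growth from `to_sym` is bounded by that input.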
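--- a/data/lib/brakeman/tracker/constants.rb
+++ b/data/lib/brakeman/tracker/constants.rb
@@ -1,7 +1,10 @@
 require 'brakeman/processors/output_processor'
+require 'brakeman/util'
 
 module Brakeman
 class Constant
+include Brakeman::Util
+
 attr_reader :name, :name_array, :file, :value, :context
 
 def initialize name, value, context = {}
@@ -107,13 +110,11 @@ module Brakeman
 @constants[base_name] << Constant.new(name, value, context)
 end
 
-
-
-
-
-
-def get_literal name
-if x = self[name] and literal? x
+# Returns constant values that are not too complicated.
+# Right now that means literal values (string, array, etc.)
+# or calls on Dir.glob(..).whatever.
+def get_simple_value name
+if x = self[name] and (literal? x or dir_glob? x)
 x
 else
 nil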
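Review bot: `get_simple_value` (new line 116) calls `literal?` and `dir_glob?`, which this release adds to `Brakeman::Util`, but the `include Brakeman::Util` added at line 6 is inside `class Constant`, while `get_simple_value` lives in the class that owns `@constants` (line 110); unless that class already mixes in `Brakeman::Util`, the call raises NoMethodError, so confirm the include lands where the method is defined. The condition `if x = self[name] and (literal? x or dir_glob? x)` relies on `and` binding looser than `=`, which is correct, but the `else nil` arm is redundant because a failed `if` already yields nil; `x = self[name]` followed by `x if x && (literal?(x) || dir_glob?(x))` says the same without the assignment-in-condition. The comment above the method presents `Dir.glob(..).whatever` as a "simple" value; adding that such a value is a runtime call, not a literal, would stop callers from treating the result as static content. The method's `end` is outside the hunk.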
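--- a/data/lib/brakeman/util.rb
+++ b/data/lib/brakeman/util.rb
@@ -8,9 +8,11 @@ module Brakeman::Util
 
 PATH_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request), :path_parameters)
 
-
+REQUEST_REQUEST_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request), :request_parameters)
 
-
+REQUEST_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request), :parameters)
+
+REQUEST_PARAMS = Sexp.new(:call, Sexp.new(:call, nil, :request), :params)
 
 REQUEST_ENV = Sexp.new(:call, Sexp.new(:call, nil, :request), :env)
 
@@ -22,7 +24,7 @@ module Brakeman::Util
 
 SESSION = Sexp.new(:call, nil, :session)
 
-ALL_PARAMETERS = Set[PARAMETERS, QUERY_PARAMETERS, PATH_PARAMETERS, REQUEST_PARAMETERS, REQUEST_PARAMS]
+ALL_PARAMETERS = Set[PARAMETERS, QUERY_PARAMETERS, PATH_PARAMETERS, REQUEST_REQUEST_PARAMETERS, REQUEST_PARAMETERS, REQUEST_PARAMS]
 
 ALL_COOKIES = Set[COOKIES, REQUEST_COOKIES]
 
@@ -291,6 +293,22 @@ module Brakeman::Util
 exp.is_a? Sexp and types.include? exp.node_type
 end
 
+LITERALS = [:lit, :false, :str, :true, :array, :hash]
+
+def literal? exp
+exp.is_a? Sexp and LITERALS.include? exp.node_type
+end
+
+DIR_CONST = s(:const, :Dir)
+
+# Dir.glob(...).whatever
+def dir_glob? exp
+exp = exp.block_call if node_type? exp, :iter
+return unless call? exp
+
+(exp.target == DIR_CONST and exp.method == :glob) or dir_glob? exp.target
+end
+
 #Returns true if the given _exp_ contains a :class node.
 #
 #Useful for checking if a module is just a module or if it is a namespace.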
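Review bot: `literal?` at new line 298 checks only the top-level node type, so an `:array` or `:hash` whose elements are method calls or interpolated strings still counts as literal; `get_simple_value` in constants.rb uses it to decide which constant values are "simple", and any check that treats a literal constant as free of dynamic content inherits that gap. If the shallow check is intentional, a comment on `LITERALS` such as `# Top-level type only: array/hash literals may still contain non-literal elements` makes the contract explicit; if not, the array and hash cases need to recurse into their children. `LITERALS` is a mutable array constant and should end in `.freeze`. `dir_glob?` returns nil rather than false from `return unless call? exp` at line 307; `return false unless call? exp` keeps the predicate boolean.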
data/lib/brakeman/version.rb
CHANGED
@@ -113,6 +113,13 @@ module Brakeman::WarningCodes
|
|
113
113
|
:force_ssl_disabled => 109,
|
114
114
|
:unsafe_cookie_serialization => 110,
|
115
115
|
:reverse_tabnabbing => 111,
|
116
|
+
:mass_assign_permit_all => 112,
|
117
|
+
:json_html_escape_config => 113,
|
118
|
+
:json_html_escape_module => 114,
|
119
|
+
:CVE_2020_8159 => 115,
|
120
|
+
:CVE_2020_8166 => 116,
|
121
|
+
:erb_template_injection => 117,
|
122
|
+
|
116
123
|
:custom_check => 9090,
|
117
124
|
}
|
118
125
|
|
metadata
CHANGED
@@ -1,15 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: brakeman-lib
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 4.
|
4
|
+
version: 4.9.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Justin Collins
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
|
-
cert_chain:
|
11
|
-
-
|
12
|
-
date: 2019-10-29 00:00:00.000000000 Z
|
10
|
+
cert_chain: []
|
11
|
+
date: 2020-08-04 00:00:00.000000000 Z
|
13
12
|
dependencies:
|
14
13
|
- !ruby/object:Gem::Dependency
|
15
14
|
name: minitest
|
@@ -53,6 +52,20 @@ dependencies:
|
|
53
52
|
- - ">="
|
54
53
|
- !ruby/object:Gem::Version
|
55
54
|
version: '0'
|
55
|
+
- !ruby/object:Gem::Dependency
|
56
|
+
name: simplecov-html
|
57
|
+
requirement: !ruby/object:Gem::Requirement
|
58
|
+
requirements:
|
59
|
+
- - '='
|
60
|
+
- !ruby/object:Gem::Version
|
61
|
+
version: 0.10.2
|
62
|
+
type: :development
|
63
|
+
prerelease: false
|
64
|
+
version_requirements: !ruby/object:Gem::Requirement
|
65
|
+
requirements:
|
66
|
+
- - '='
|
67
|
+
- !ruby/object:Gem::Version
|
68
|
+
version: 0.10.2
|
56
69
|
- !ruby/object:Gem::Dependency
|
57
70
|
name: ruby_parser
|
58
71
|
requirement: !ruby/object:Gem::Requirement
|
@@ -188,7 +201,7 @@ dependencies:
|
|
188
201
|
version: 1.3.6
|
189
202
|
- - "<="
|
190
203
|
- !ruby/object:Gem::Version
|
191
|
-
version: 4.
|
204
|
+
version: '4.1'
|
192
205
|
type: :runtime
|
193
206
|
prerelease: false
|
194
207
|
version_requirements: !ruby/object:Gem::Requirement
|
@@ -198,7 +211,7 @@ dependencies:
|
|
198
211
|
version: 1.3.6
|
199
212
|
- - "<="
|
200
213
|
- !ruby/object:Gem::Version
|
201
|
-
version: 4.
|
214
|
+
version: '4.1'
|
202
215
|
description: Brakeman detects security vulnerabilities in Ruby on Rails applications
|
203
216
|
via static analysis. This package declares gem dependencies instead of bundling
|
204
217
|
them.
|
@@ -223,6 +236,7 @@ files:
|
|
223
236
|
- lib/brakeman/checks/check_cookie_serialization.rb
|
224
237
|
- lib/brakeman/checks/check_create_with.rb
|
225
238
|
- lib/brakeman/checks/check_cross_site_scripting.rb
|
239
|
+
- lib/brakeman/checks/check_csrf_token_forgery_cve.rb
|
226
240
|
- lib/brakeman/checks/check_default_routes.rb
|
227
241
|
- lib/brakeman/checks/check_deserialize.rb
|
228
242
|
- lib/brakeman/checks/check_detailed_exceptions.rb
|
@@ -241,6 +255,7 @@ files:
|
|
241
255
|
- lib/brakeman/checks/check_i18n_xss.rb
|
242
256
|
- lib/brakeman/checks/check_jruby_xml.rb
|
243
257
|
- lib/brakeman/checks/check_json_encoding.rb
|
258
|
+
- lib/brakeman/checks/check_json_entity_escape.rb
|
244
259
|
- lib/brakeman/checks/check_json_parsing.rb
|
245
260
|
- lib/brakeman/checks/check_link_to.rb
|
246
261
|
- lib/brakeman/checks/check_link_to_href.rb
|
@@ -253,6 +268,7 @@ files:
|
|
253
268
|
- lib/brakeman/checks/check_nested_attributes.rb
|
254
269
|
- lib/brakeman/checks/check_nested_attributes_bypass.rb
|
255
270
|
- lib/brakeman/checks/check_number_to_currency.rb
|
271
|
+
- lib/brakeman/checks/check_page_caching_cve.rb
|
256
272
|
- lib/brakeman/checks/check_permit_attributes.rb
|
257
273
|
- lib/brakeman/checks/check_quote_table_name.rb
|
258
274
|
- lib/brakeman/checks/check_redirect.rb
|
@@ -282,6 +298,7 @@ files:
|
|
282
298
|
- lib/brakeman/checks/check_strip_tags.rb
|
283
299
|
- lib/brakeman/checks/check_symbol_dos.rb
|
284
300
|
- lib/brakeman/checks/check_symbol_dos_cve.rb
|
301
|
+
- lib/brakeman/checks/check_template_injection.rb
|
285
302
|
- lib/brakeman/checks/check_translate_bug.rb
|
286
303
|
- lib/brakeman/checks/check_unsafe_reflection.rb
|
287
304
|
- lib/brakeman/checks/check_unscoped_find.rb
|
@@ -349,6 +366,7 @@ files:
|
|
349
366
|
- lib/brakeman/report/report_hash.rb
|
350
367
|
- lib/brakeman/report/report_html.rb
|
351
368
|
- lib/brakeman/report/report_json.rb
|
369
|
+
- lib/brakeman/report/report_junit.rb
|
352
370
|
- lib/brakeman/report/report_markdown.rb
|
353
371
|
- lib/brakeman/report/report_table.rb
|
354
372
|
- lib/brakeman/report/report_tabs.rb
|
@@ -383,7 +401,14 @@ files:
|
|
383
401
|
homepage: http://brakemanscanner.org
|
384
402
|
licenses:
|
385
403
|
- Brakeman Public Use License
|
386
|
-
metadata:
|
404
|
+
metadata:
|
405
|
+
bug_tracker_uri: https://github.com/presidentbeef/brakeman/issues
|
406
|
+
changelog_uri: https://github.com/presidentbeef/brakeman/releases
|
407
|
+
documentation_uri: https://brakemanscanner.org/docs/
|
408
|
+
homepage_uri: https://brakemanscanner.org/
|
409
|
+
mailing_list_uri: https://gitter.im/presidentbeef/brakeman
|
410
|
+
source_code_uri: https://github.com/presidentbeef/brakeman
|
411
|
+
wiki_uri: https://github.com/presidentbeef/brakeman/wiki
|
387
412
|
post_install_message:
|
388
413
|
rdoc_options: []
|
389
414
|
require_paths:
|
@@ -399,7 +424,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
399
424
|
- !ruby/object:Gem::Version
|
400
425
|
version: '0'
|
401
426
|
requirements: []
|
402
|
-
rubygems_version: 3.
|
427
|
+
rubygems_version: 3.1.2
|
403
428
|
signing_key:
|
404
429
|
specification_version: 4
|
405
430
|
summary: Security vulnerability scanner for Ruby on Rails.
|