brakeman-lib 5.0.0 → 5.0.1
- checksums.yaml +4 -4
- data/CHANGES.md +9 -0
- data/README.md +10 -1
- data/lib/brakeman.rb +11 -4
- data/lib/brakeman/checks/check_mass_assignment.rb +4 -6
- data/lib/brakeman/parsers/template_parser.rb +24 -0
- data/lib/brakeman/processors/alias_processor.rb +21 -10
- data/lib/brakeman/processors/base_processor.rb +4 -4
- data/lib/brakeman/processors/lib/rails4_config_processor.rb +2 -1
- data/lib/brakeman/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: d3dc2339132662438de0f96b04c56b445ba69e60ca3e0b58db4c1e3e803e6c1b
|
4
|
+
data.tar.gz: c1b340eb481e9b182f4bed44d709656fde4405a04bc11c63681b06ad0fa4ec6c
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: fc6e90801ce54677dc85db3c6d0b1b70414462cb54629e4af369007ac5477e0f7f31bafebea54a0120a0f3316a582686e65a9ad4851c51ea50e531f3b8936bb2
|
7
|
+
data.tar.gz: 4c0184c78d871d814d5a098526d785bdd62efc2a898bbbc0c3f2d71af6fd4250cfe9ed5e49fe8c42b3c84d93887ebca71729a3d934f324a93df6652d276ba307
|
data/CHANGES.md
CHANGED
@@ -1,3 +1,12 @@
|
|
1
|
+
# 5.0.1 - 2021-04-27
|
2
|
+
|
3
|
+
* Detect `::Rails.application.configure` too
|
4
|
+
* Set more line numbers on Sexps
|
5
|
+
* Support loading `slim/smart`
|
6
|
+
* Don't fail if $HOME/$USER are not defined
|
7
|
+
* Always ignore slice/only calls for mass assignment
|
8
|
+
* Convert splat array arguments to arguments
|
9
|
+
|
1
10
|
# 5.0.0 - 2021-01-26
|
2
11
|
|
3
12
|
* Ignore `uuid` as a safe attribute
|
data/README.md
CHANGED
@@ -159,7 +159,16 @@ The `-w` switch takes a number from 1 to 3, with 1 being low (all warnings) and
|
|
159
159
|
|
160
160
|
# Configuration files
|
161
161
|
|
162
|
-
Brakeman options can stored and read from YAML files.
|
162
|
+
Brakeman options can be stored and read from YAML files.
|
163
|
+
|
164
|
+
To simplify the process of writing a configuration file, the `-C` option will output the currently set options:
|
165
|
+
|
166
|
+
```sh
|
167
|
+
$ brakeman -C --skip-files plugins/
|
168
|
+
---
|
169
|
+
:skip_files:
|
170
|
+
- plugins/
|
171
|
+
```
|
163
172
|
|
164
173
|
Options passed in on the commandline have priority over configuration files.
|
165
174
|
|
data/lib/brakeman.rb
CHANGED
@@ -157,10 +157,17 @@ module Brakeman
|
|
157
157
|
end
|
158
158
|
end
|
159
159
|
|
160
|
-
CONFIG_FILES =
|
161
|
-
|
162
|
-
|
163
|
-
|
160
|
+
CONFIG_FILES = begin
|
161
|
+
[
|
162
|
+
File.expand_path("~/.brakeman/config.yml"),
|
163
|
+
File.expand_path("/etc/brakeman/config.yml")
|
164
|
+
]
|
165
|
+
rescue ArgumentError
|
166
|
+
# In case $HOME or $USER aren't defined for use of `~`
|
167
|
+
[
|
168
|
+
File.expand_path("/etc/brakeman/config.yml")
|
169
|
+
]
|
170
|
+
end
|
164
171
|
|
165
172
|
def self.config_file custom_location, app_path
|
166
173
|
app_config = File.expand_path(File.join(app_path, "config", "brakeman.yml"))
|
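Review bot: `CONFIG_FILES` is now built inside `begin`/`rescue`, but both branches still yield a mutable array assigned to a constant; since the values are fixed at load time, closing the block with `end.freeze` stops any caller from appending to the shared list. The `rescue ArgumentError` is the right exception for a failed `~` expansion, though it silently drops the per-user location rather than only the failing entry, which is presumably intended; a slightly more precise comment would make that explicit — `# File.expand_path("~") raises ArgumentError when $HOME (or a resolvable login name) is missing; fall back to the system-wide file only`. `self.config_file` begins at the end of the hunk and continues outside it.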
@@ -69,17 +69,15 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
|
|
69
69
|
if check and original? res
|
70
70
|
|
71
71
|
model = tracker.models[res[:chain].first]
|
72
|
-
|
73
72
|
attr_protected = (model and model.attr_protected)
|
73
|
+
first_arg = call.first_arg
|
74
74
|
|
75
75
|
if attr_protected and tracker.options[:ignore_attr_protected]
|
76
76
|
return
|
77
|
+
elsif call? first_arg and (first_arg.method == :slice or first_arg.method == :only)
|
78
|
+
return
|
77
79
|
elsif input = include_user_input?(call.arglist)
|
78
|
-
|
79
|
-
|
80
|
-
if call? first_arg and (first_arg.method == :slice or first_arg.method == :only)
|
81
|
-
return
|
82
|
-
elsif not node_type? first_arg, :hash
|
80
|
+
if not node_type? first_arg, :hash
|
83
81
|
if attr_protected
|
84
82
|
confidence = :medium
|
85
83
|
else
|
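Review bot: The new `elsif` at line 77 accepts any `slice`/`only` call as the first argument before `include_user_input?` is consulted, so the contents of the key list are never examined; a key list that is itself derived from request parameters is therefore skipped along with literal ones. That matches the changelog entry ("Always ignore slice/only calls"), but the assumption deserves a comment on the branch — `# slice/only restrict the assigned keys, so treat the result as filtered even when the receiver is user input`. If the narrower behaviour is wanted instead, the branch could additionally require literal keys, e.g. `and first_arg.args.all? { |a| symbol? a or string? a }` (assuming the `symbol?`/`string?` helpers are available in this check), at the cost of flagging constant key lists. The enclosing method starts before the hunk and continues after it.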
@@ -9,6 +9,7 @@ module Brakeman
|
|
9
9
|
def initialize tracker, file_parser
|
10
10
|
@tracker = tracker
|
11
11
|
@file_parser = file_parser
|
12
|
+
@slim_smart = nil # Load slim/smart ?
|
12
13
|
end
|
13
14
|
|
14
15
|
def parse_template path, text
|
@@ -88,6 +89,14 @@ module Brakeman
|
|
88
89
|
|
89
90
|
def parse_slim path, text
|
90
91
|
Brakeman.load_brakeman_dependency 'slim'
|
92
|
+
|
93
|
+
if @slim_smart.nil? and load_slim_smart?
|
94
|
+
@slim_smart = true
|
95
|
+
Brakeman.load_brakeman_dependency 'slim/smart'
|
96
|
+
else
|
97
|
+
@slim_smart = false
|
98
|
+
end
|
99
|
+
|
91
100
|
require_relative 'slim_embedded'
|
92
101
|
|
93
102
|
Slim::Template.new(path,
|
@@ -95,6 +104,21 @@ module Brakeman
|
|
95
104
|
:generator => Temple::Generators::RailsOutputBuffer) { text }.precompiled_template
|
96
105
|
end
|
97
106
|
|
107
|
+
def load_slim_smart?
|
108
|
+
return !@slim_smart unless @slim_smart.nil?
|
109
|
+
|
110
|
+
# Terrible hack to find
|
111
|
+
# gem "slim", "~> 3.0.1", require: ["slim", "slim/smart"]
|
112
|
+
if tracker.app_tree.exists? 'Gemfile'
|
113
|
+
gemfile_contents = tracker.app_tree.file_path('Gemfile').read
|
114
|
+
if gemfile_contents.include? 'slim/smart'
|
115
|
+
return true
|
116
|
+
end
|
117
|
+
end
|
118
|
+
|
119
|
+
false
|
120
|
+
end
|
121
|
+
|
98
122
|
def self.parse_inline_erb tracker, text
|
99
123
|
fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
|
100
124
|
tp = self.new(tracker, fp)
|
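Review bot: The `@slim_smart` state is handled inconsistently between `parse_slim` (previous hunk) and `load_slim_smart?`: after the first call sets `@slim_smart = true`, every later `parse_slim` call falls into the `else` branch and resets it to `false`, and the early `return !@slim_smart unless @slim_smart.nil?` in `load_slim_smart?` returns the inverse of the cached value. Nothing visibly breaks today because `load_brakeman_dependency`/`require` are idempotent and `load_slim_smart?` is only reached while the flag is nil, but the flag no longer records whether `slim/smart` was loaded. Caching the Gemfile result once and deriving the require from it keeps the two methods in agreement, and the inverted early return can then be dropped; the `initialize` hunk is unaffected.
```ruby
  def parse_slim path, text
    Brakeman.load_brakeman_dependency 'slim'

    # Decide once per parser whether the app also requires slim/smart
    if @slim_smart.nil?
      @slim_smart = load_slim_smart?
      Brakeman.load_brakeman_dependency 'slim/smart' if @slim_smart
    end

    # … unchanged: require_relative 'slim_embedded' and Slim::Template.new …
  end

  def load_slim_smart?
    # Terrible hack to find
    # gem "slim", "~> 3.0.1", require: ["slim", "slim/smart"]
    # … unchanged: Gemfile scan returning true/false …
  end
```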
@@ -183,6 +183,12 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
183
183
|
return exp
|
184
184
|
end
|
185
185
|
|
186
|
+
# If x(*[1,2,3]) change to x(1,2,3)
|
187
|
+
# if that's the only argument
|
188
|
+
if splat_array? exp.first_arg and exp.second_arg.nil?
|
189
|
+
exp.arglist = exp.first_arg[1].sexp_body
|
190
|
+
end
|
191
|
+
|
186
192
|
target = exp.target
|
187
193
|
method = exp.method
|
188
194
|
first_arg = exp.first_arg
|
@@ -195,11 +201,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
195
201
|
res = process_or_simple_operation(exp)
|
196
202
|
return res if res
|
197
203
|
elsif target == ARRAY_CONST and method == :new
|
198
|
-
return Sexp.new(:array, *exp.args)
|
204
|
+
return Sexp.new(:array, *exp.args).line(exp.line)
|
199
205
|
elsif target == HASH_CONST and method == :new and first_arg.nil? and !node_type?(@exp_context.last, :iter)
|
200
|
-
return Sexp.new(:hash)
|
206
|
+
return Sexp.new(:hash).line(exp.line)
|
201
207
|
elsif exp == RAILS_TEST or exp == RAILS_DEV
|
202
|
-
return Sexp.new(:false)
|
208
|
+
return Sexp.new(:false).line(exp.line)
|
203
209
|
end
|
204
210
|
|
205
211
|
#See if it is possible to simplify some basic cases
|
@@ -237,7 +243,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
237
243
|
env[target_var] = target
|
238
244
|
return target
|
239
245
|
elsif string? target and string_interp? first_arg
|
240
|
-
exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg.sexp_body(2))
|
246
|
+
exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg.sexp_body(2)).line(exp.line)
|
241
247
|
env[target_var] = exp
|
242
248
|
elsif string? first_arg and string_interp? target
|
243
249
|
if string? target.last
|
@@ -288,7 +294,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
288
294
|
|
289
295
|
# Painful conversion of Array#join into string interpolation
|
290
296
|
def process_array_join array, join_str
|
291
|
-
result = s()
|
297
|
+
result = s().line(array.line)
|
292
298
|
|
293
299
|
join_value = if string? join_str
|
294
300
|
join_str.value
|
@@ -326,11 +332,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
326
332
|
result.unshift combined_first
|
327
333
|
|
328
334
|
# Have to fix up strings that follow interpolation
|
329
|
-
result.reduce(s(:dstr)) do |memo, e|
|
335
|
+
result.reduce(s(:dstr).line(array.line)) do |memo, e|
|
330
336
|
if string? e and node_type? memo.last, :evstr
|
331
337
|
e.value = "#{join_value}#{e.value}"
|
332
338
|
elsif join_value and node_type? memo.last, :evstr and node_type? e, :evstr
|
333
|
-
memo << s(:str, join_value)
|
339
|
+
memo << s(:str, join_value).line(e.line)
|
334
340
|
end
|
335
341
|
|
336
342
|
memo << e
|
@@ -341,9 +347,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
341
347
|
if item.is_a? String
|
342
348
|
"#{item}#{join_value}"
|
343
349
|
elsif string? item or symbol? item or number? item
|
344
|
-
s(:str, "#{item.value}#{join_value}")
|
350
|
+
s(:str, "#{item.value}#{join_value}").line(item.line)
|
345
351
|
else
|
346
|
-
s(:evstr, item)
|
352
|
+
s(:evstr, item).line(item.line)
|
347
353
|
end
|
348
354
|
end
|
349
355
|
|
@@ -359,6 +365,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
359
365
|
s(:call, TEMP_FILE_CLASS, :new).line(line)
|
360
366
|
end
|
361
367
|
|
368
|
+
def splat_array? exp
|
369
|
+
node_type? exp, :splat and
|
370
|
+
node_type? exp[1], :array
|
371
|
+
end
|
372
|
+
|
362
373
|
def process_iter exp
|
363
374
|
@exp_context.push exp
|
364
375
|
exp[1] = process exp.block_call
|
@@ -679,7 +690,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
679
690
|
end
|
680
691
|
end
|
681
692
|
else
|
682
|
-
new_value = process s(:call, s(:call, target_var, :[], index), exp[3], value)
|
693
|
+
new_value = process s(:call, s(:call, target_var, :[], index), exp[3], value).line(exp.line)
|
683
694
|
|
684
695
|
env[match] = new_value
|
685
696
|
end
|
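Review bot: The `.line(exp.line)` added at line 693 reaches only the outer `s(:call, ...)`; the nested `s(:call, target_var, :[], index)` is still built without a line, so this hunk leaves one of the gaps the commit is otherwise closing ("Set more line numbers on Sexps"). Giving the inner node the same line keeps any warning that later points at the index access correctly positioned: `new_value = process s(:call, s(:call, target_var, :[], index).line(exp.line), exp[3], value).line(exp.line)`. The enclosing method starts before the hunk and continues after it.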
@@ -8,7 +8,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
|
|
8
8
|
include Brakeman::SafeCallHelper
|
9
9
|
include Brakeman::Util
|
10
10
|
|
11
|
-
IGNORE = Sexp.new
|
11
|
+
IGNORE = Sexp.new(:ignore).line(0)
|
12
12
|
|
13
13
|
#Return a new Processor.
|
14
14
|
def initialize tracker
|
@@ -216,7 +216,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
|
|
216
216
|
#
|
217
217
|
#And also :layout for inside templates
|
218
218
|
def find_render_type call, in_view = false
|
219
|
-
rest = Sexp.new(:hash)
|
219
|
+
rest = Sexp.new(:hash).line(call.line)
|
220
220
|
type = nil
|
221
221
|
value = nil
|
222
222
|
first_arg = call.first_arg
|
@@ -236,7 +236,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
|
|
236
236
|
end
|
237
237
|
elsif first_arg.is_a? Symbol or first_arg.is_a? String
|
238
238
|
type = :action
|
239
|
-
value = Sexp.new(:lit, first_arg.to_sym)
|
239
|
+
value = Sexp.new(:lit, first_arg.to_sym).line(call.line)
|
240
240
|
elsif first_arg.nil?
|
241
241
|
type = :default
|
242
242
|
elsif not hash? first_arg
|
@@ -293,6 +293,6 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
|
|
293
293
|
@tracker.processor.process_template(template_name, ast, type, nil, @current_file)
|
294
294
|
@tracker.processor.process_template_alias(@tracker.templates[template_name])
|
295
295
|
|
296
|
-
return s(:lit, template_name), options
|
296
|
+
return s(:lit, template_name).line(value.line), options
|
297
297
|
end
|
298
298
|
end
|
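Review bot: `s(:lit, template_name).line(value.line)` at line 296 now requires `value` to respond to `line`, but `value` is assigned outside this hunk; in `find_render_type` (earlier hunk) it starts as `nil` and is only set on some branches, so if this path can be reached with a nil `value` the new code raises `NoMethodError` where the old code returned normally. If `value` is guaranteed to be a Sexp here, a one-line comment above the return saying so would settle it; otherwise fall back to another Sexp in scope, e.g. `.line(value ? value.line : call.line)` if the render `call` is available. The enclosing method begins before the hunk.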
@@ -2,10 +2,11 @@ require 'brakeman/processors/lib/rails3_config_processor'
|
|
2
2
|
|
3
3
|
class Brakeman::Rails4ConfigProcessor < Brakeman::Rails3ConfigProcessor
|
4
4
|
APPLICATION_CONFIG = s(:call, s(:call, s(:const, :Rails), :application), :configure)
|
5
|
+
ALT_APPLICATION_CONFIG = s(:call, s(:call, s(:colon3, :Rails), :application), :configure)
|
5
6
|
|
6
7
|
# Look for Rails.application.configure do ... end
|
7
8
|
def process_iter exp
|
8
|
-
if exp.block_call == APPLICATION_CONFIG
|
9
|
+
if exp.block_call == APPLICATION_CONFIG or exp.block_call == ALT_APPLICATION_CONFIG
|
9
10
|
@inside_config = true
|
10
11
|
process exp.block if sexp? exp.block
|
11
12
|
@inside_config = false
|
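Review bot: The comment above `process_iter` still reads `# Look for Rails.application.configure do ... end` although the method now also matches the `::Rails` form; update it to `# Look for Rails.application.configure do ... end (or ::Rails.application.configure)`. Collecting the two shapes once, `APPLICATION_CONFIGS = [APPLICATION_CONFIG, ALT_APPLICATION_CONFIG].freeze`, and testing `if APPLICATION_CONFIGS.include? exp.block_call` would also keep the condition from growing if further receiver spellings are added. `process_iter` continues past the end of the hunk.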
data/lib/brakeman/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: brakeman-lib
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 5.0.
|
4
|
+
version: 5.0.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Justin Collins
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2021-
|
11
|
+
date: 2021-04-28 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: minitest
|