brakeman-lib 5.1.2 → 5.2.0
- checksums.yaml +4 -4
- data/CHANGES.md +9 -0
- data/lib/brakeman/checks/base_check.rb +10 -0
- data/lib/brakeman/checks/check_eol_rails.rb +23 -0
- data/lib/brakeman/checks/check_eol_ruby.rb +26 -0
- data/lib/brakeman/checks/check_sql.rb +3 -2
- data/lib/brakeman/checks/check_symbol_dos.rb +1 -1
- data/lib/brakeman/checks/eol_check.rb +47 -0
- data/lib/brakeman/options.rb +8 -0
- data/lib/brakeman/processors/gem_processor.rb +3 -0
- data/lib/brakeman/processors/lib/rails3_route_processor.rb +2 -0
- data/lib/brakeman/scanner.rb +3 -1
- data/lib/brakeman/tracker/config.rb +8 -1
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning_codes.rb +2 -0
- metadata +6 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: cf18736db7a992849a30cccc66f741442e05b695f9ad1bd27fe06f6bc25db849
|
|
4
|
+
data.tar.gz: a884f20cc12305c0856bcc296ddae3aea746b024c232bf11d7988d4e37bd96a3
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: be93f9f9ba9d808989cbed1bfd450b29c272e806d84707ab0420a8a86b8c797f88d4338f22a1124a462be43ac7bfea605566779321a72d772e9c39d216ded8c3
|
|
7
|
+
data.tar.gz: cf9aa7f34fa5cc737b2e7bbecf625025b50f72f1b3c43ab8f346832145e3cab2245d2af79fd021584ab0aa5fdbb2f854dd41fee8f5a5c891197f1f1e8a570a65
|
data/CHANGES.md
CHANGED
|
@@ -1,3 +1,12 @@
|
|
|
1
|
+
# 5.2.0 - 2021-12-15
|
|
2
|
+
|
|
3
|
+
* Initial Rails 7 support
|
|
4
|
+
* Require Ruby 2.5.0+
|
|
5
|
+
* Fix issue with calls to `foo.root` in routes
|
|
6
|
+
* Ignore `I18n.locale` in SQL queries
|
|
7
|
+
* Do not treat `sanitize_sql_like` as safe
|
|
8
|
+
* Add new checks for unsupported Ruby and Rails versions
|
|
9
|
+
|
|
1
10
|
# 5.1.2 - 2021-10-28
|
|
2
11
|
|
|
3
12
|
* Handle cases where enums are not symbols
|
|
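--- a/data/lib/brakeman/checks/base_check.rb
+++ b/data/lib/brakeman/checks/base_check.rb
@@ -513,4 +513,14 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
 string_building? exp.target or
 string_building? exp.first_arg
 end
+
+I18N_CLASS = s(:const, :I18n)
+
+def locale_call? exp
+return unless call? exp
+
+(exp.target == I18N_CLASS and
+exp.method == :locale) or
+locale_call? exp.target
+end
 end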
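Review bot: `locale_call?` (lines 519–525) is added without a comment, and the safety decision it encodes — that `I18n.locale`, and any call chained on it, is safe to interpolate into SQL, which the `locale_call? exp` alternative added in check_sql.rb's hunk at line 632 relies on — holds only while the locale is constrained to `I18n.available_locales`; with `enforce_available_locales` disabled, a locale assigned from request input would pass this predicate unchanged. I would record that assumption above the method: `# True for I18n.locale and any call chained on it (I18n.locale.to_s). Treated as safe because I18n rejects locales outside available_locales by default; revisit if that assumption changes.` The recursion through `exp.target` also accepts deeper chains such as `I18n.locale.foo.bar`, which appears intended. BaseCheck continues outside the hunk.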
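--- a/data/lib/brakeman/checks/check_eol_rails.rb
+++ b/data/lib/brakeman/checks/check_eol_rails.rb
@@ -0,0 +1,23 @@
+require_relative 'eol_check'
+
+class Brakeman::CheckEOLRails < Brakeman::EOLCheck
+Brakeman::Checks.add self
+
+@description = "Checks for unsupported versions of Rails"
+
+def run_check
+return unless tracker.config.rails_version
+
+check_eol_version :rails, RAILS_EOL_DATES
+end
+
+RAILS_EOL_DATES = {
+['2.0.0', '2.3.99'] => Date.new(2013, 6, 25),
+['3.0.0', '3.2.99'] => Date.new(2016, 6, 30),
+['4.0.0', '4.2.99'] => Date.new(2017, 4, 27),
+['5.0.0', '5.0.99'] => Date.new(2018, 5, 9),
+['5.1.0', '5.1.99'] => Date.new(2019, 8, 25),
+['5.2.0', '5.2.99'] => Date.new(2022, 6, 1),
+['6.0.0', '6.0.99'] => Date.new(2023, 6, 1),
+}
+end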
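Review bot: `RAILS_EOL_DATES` (line 14) is a mutable hash constant that is only ever read; close it with `}.freeze` so nothing can alter the table at runtime. The keys are inclusive string bounds whose meaning depends on `version_between?` (defined outside this file), so a one-line comment above the hash would help whoever adds the next entry: `# [first version, last version] (inclusive) => date on which support ended or ends`. `run_check` (line 8) references the constant before its definition in source order, which works because the method runs later, but moving the table above `run_check` would match the usual constants-first layout.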
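--- a/data/lib/brakeman/checks/check_eol_ruby.rb
+++ b/data/lib/brakeman/checks/check_eol_ruby.rb
@@ -0,0 +1,26 @@
+require_relative 'eol_check'
+
+class Brakeman::CheckEOLRuby < Brakeman::EOLCheck
+Brakeman::Checks.add self
+
+@description = "Checks for unsupported versions of Ruby"
+
+def run_check
+return unless tracker.config.ruby_version
+
+check_eol_version :ruby, RUBY_EOL_DATES
+end
+
+RUBY_EOL_DATES = {
+['0.0.0', '1.9.3'] => Date.new(2015, 2, 23),
+['2.0.0', '2.0.99'] => Date.new(2016, 2, 24),
+['2.1.0', '2.1.99'] => Date.new(2017, 3, 31),
+['2.2.0', '2.2.99'] => Date.new(2018, 3, 31),
+['2.3.0', '2.3.99'] => Date.new(2019, 3, 31),
+['2.4.0', '2.4.99'] => Date.new(2020, 3, 31),
+['2.5.0', '2.5.99'] => Date.new(2021, 3, 31),
+['2.6.0', '2.6.99'] => Date.new(2022, 3, 31),
+['2.7.0', '2.7.99'] => Date.new(2023, 3, 31),
+['3.0.0', '2.8.99'] => Date.new(2024, 3, 31),
+}
+end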
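Review bot: The last entry on line 24, `['3.0.0', '2.8.99'] => Date.new(2024, 3, 31)`, has an end version below its start version, so `version_between? '3.0.0', '2.8.99', version` can never be true for a 3.0.x release (assuming `version_between?` is the inclusive start ≤ v ≤ end test the other entries rely on) and Ruby 3.0 applications will never receive the pending-EOL warning. It should read `['3.0.0', '3.0.99'] => Date.new(2024, 3, 31),`. As with the Rails table, the hash should be frozen with `}.freeze`, and a comment stating the inclusive-range semantics of the keys would help the next person extending it.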
@@ -584,7 +584,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
584
584
|
end
|
|
585
585
|
|
|
586
586
|
IGNORE_METHODS_IN_SQL = Set[:id, :merge_conditions, :table_name, :quoted_table_name,
|
|
587
|
-
:quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array,
|
|
587
|
+
:quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array,
|
|
588
588
|
:sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,
|
|
589
589
|
:sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
|
|
590
590
|
:to_sql, :sanitize, :primary_key, :table_name_prefix, :table_name_suffix,
|
|
@@ -628,7 +628,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
628
628
|
arel? exp or
|
|
629
629
|
exp.method.to_s.end_with? "_id" or
|
|
630
630
|
number_target? exp or
|
|
631
|
-
date_target? exp
|
|
631
|
+
date_target? exp or
|
|
632
|
+
locale_call? exp
|
|
632
633
|
end
|
|
633
634
|
|
|
634
635
|
QUOTE_METHODS = [:quote, :quote_column_name, :quoted_date, :quote_string, :quote_table_name]
|
|
@@ -9,7 +9,7 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
|
|
|
9
9
|
|
|
10
10
|
def run_check
|
|
11
11
|
return if rails_version and rails_version >= "5.0.0"
|
|
12
|
-
return if tracker.config.ruby_version >= "2.2"
|
|
12
|
+
return if tracker.config.ruby_version and tracker.config.ruby_version >= "2.2"
|
|
13
13
|
|
|
14
14
|
tracker.find_call(:methods => UNSAFE_METHODS, :nested => true).each do |result|
|
|
15
15
|
check_unsafe_symbol_creation(result)
|
|
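Review bot: The new guard on line 12 reads `tracker.config.ruby_version` twice; a local reads better and avoids the repeated lookup: `ruby_version = tracker.config.ruby_version` followed by `return if ruby_version and ruby_version >= "2.2"`. The `>=` is a plain String comparison, which is adequate for the `X.Y.Z` form the new regexes in gem_processor.rb and scanner.rb capture, but would misorder a two-digit minor such as "2.10"; if a real version compare is wanted, `Gem::Version.new(ruby_version) >= Gem::Version.new("2.2")` needs no extra dependency. run_check continues outside the hunk.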
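--- a/data/lib/brakeman/checks/eol_check.rb
+++ b/data/lib/brakeman/checks/eol_check.rb
@@ -0,0 +1,47 @@
+require 'date'
+require 'brakeman/checks/base_check'
+
+# Not used directly - base check for EOLRails and EOLRuby
+class Brakeman::EOLCheck < Brakeman::BaseCheck
+def check_eol_version library, eol_dates
+version = case library
+when :rails
+tracker.config.rails_version
+when :ruby
+tracker.config.ruby_version
+else
+raise 'Implement using tracker.config.gem_version'
+end
+
+eol_dates.each do |(start_version, end_version), eol_date|
+if version_between? start_version, end_version, version
+case
+when Date.today >= eol_date
+warn_about_unsupported_version library, eol_date, version
+when (Date.today + 30) >= eol_date
+warn_about_soon_unsupported_version library, eol_date, version, :medium
+when (Date.today + 60) >= eol_date
+warn_about_soon_unsupported_version library, eol_date, version, :low
+end
+
+break
+end
+end
+end
+
+def warn_about_soon_unsupported_version library, eol_date, version, confidence
+warn warning_type: 'Unmaintained Dependency',
+warning_code: :"pending_eol_#{library}",
+message: msg("Support for ", msg_version(version, library.capitalize), " ends on #{eol_date}"),
+confidence: confidence,
+gem_info: gemfile_or_environment
+end
+
+def warn_about_unsupported_version library, eol_date, version
+warn warning_type: 'Unmaintained Dependency',
+warning_code: :"eol_#{library}",
+message: msg("Support for ", msg_version(version, library.capitalize), " ended on #{eol_date}"),
+confidence: :high,
+gem_info: gemfile_or_environment
+end
+end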
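Review bot: `check_eol_version` (lines 6–30) documents neither its parameters nor the warning thresholds; a YARD header saying `@param library [Symbol] :rails or :ruby (anything else raises)`, `@param eol_dates [Hash{Array<String> => Date}] [first, last] inclusive version range => EOL date`, and that the first matching range warns at high confidence once the date has passed, medium within 30 days and low within 60 days, would make the tables in the two subclasses self-explaining. `Date.today` is evaluated up to three times in the `case` on lines 19–23; hoist it once before the `each` as `today = Date.today` and compare against `today`, `today + 30` and `today + 60`, so a run straddling midnight cannot take inconsistent branches. `library.capitalize` on lines 35 and 43 passes a Symbol (`:Rails`) to `msg_version`; if that helper expects a String, `library.to_s.capitalize` is safer. The `warning_code` values `:"pending_eol_#{library}"` and `:"eol_#{library}"` must be registered in warning_codes.rb, which this page lists as changed but does not show.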
data/lib/brakeman/options.rb
CHANGED
|
@@ -93,6 +93,14 @@ module Brakeman::Options
|
|
|
93
93
|
options[:rails6] = true
|
|
94
94
|
end
|
|
95
95
|
|
|
96
|
+
opts.on "-7", "--rails7", "Force Rails 7 mode" do
|
|
97
|
+
options[:rails3] = true
|
|
98
|
+
options[:rails4] = true
|
|
99
|
+
options[:rails5] = true
|
|
100
|
+
options[:rails6] = true
|
|
101
|
+
options[:rails7] = true
|
|
102
|
+
end
|
|
103
|
+
|
|
96
104
|
opts.separator ""
|
|
97
105
|
opts.separator "Scanning options:"
|
|
98
106
|
|
|
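Review bot: The `--rails7` handler on lines 96–102 repeats the cumulative-flag cascade the `--rails6` handler above it ends with (`options[:rails6] = true` on line 93 is the visible tail), and the same five assignments reappear in tracker/config.rb's Rails 7 detection branch on this page; a small helper that sets `options[:rails3]` through `options[:railsN]` for a given major would keep the option parser and the auto-detection in step when Rails 8 arrives. A why-comment on the cascade would also help readers, e.g. `# A Rails N mode implies all earlier modes; checks test the lowest flag they need` — that rationale is inferred from the pattern, not stated in the hunk, so confirm before adding it.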
@@ -6,6 +6,7 @@ class Brakeman::GemProcessor < Brakeman::BasicProcessor
|
|
|
6
6
|
def initialize *args
|
|
7
7
|
super
|
|
8
8
|
@gem_name_version = /^\s*([-_+.A-Za-z0-9]+) \((\w(\.\w+)*)\)/
|
|
9
|
+
@ruby_version = /^\s+ruby (\d\.\d.\d+)/
|
|
9
10
|
end
|
|
10
11
|
|
|
11
12
|
def process_gems gem_files
|
|
@@ -95,6 +96,8 @@ class Brakeman::GemProcessor < Brakeman::BasicProcessor
|
|
|
95
96
|
def set_gem_version_and_file line, file, line_num
|
|
96
97
|
if line =~ @gem_name_version
|
|
97
98
|
@tracker.config.add_gem $1, $2, file, line_num
|
|
99
|
+
elsif line =~ @ruby_version
|
|
100
|
+
@tracker.config.set_ruby_version $1
|
|
98
101
|
end
|
|
99
102
|
end
|
|
100
103
|
end
|
|
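Review bot: The regex `@ruby_version = /^\s+ruby (\d\.\d.\d+)/` on line 9 leaves the second dot unescaped, so any character is accepted between the minor and patch numbers, and it allows only one digit for major and minor, so a future `ruby 3.10.0` line in Gemfile.lock would be silently skipped; scanner.rb's `.ruby-version` read on this page reuses the same pattern. I would write `@ruby_version = /^\s+ruby (\d+\.\d+\.\d+)/` here and the matching `/(\d+\.\d+\.\d+)/` in scanner.rb, ideally as one shared constant. In `set_gem_version_and_file` (line 99) the new `elsif` depends on `$1` from the `=~` it just performed, which follows the method's existing style; a named capture would be more robust to later edits but is not required.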
@@ -78,6 +78,8 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BasicProcessor
|
|
|
78
78
|
|
|
79
79
|
#TODO: Need test for this
|
|
80
80
|
def process_root exp
|
|
81
|
+
return exp unless hash? exp.first_arg
|
|
82
|
+
|
|
81
83
|
if value = hash_access(exp.first_arg, :to)
|
|
82
84
|
if string? value
|
|
83
85
|
add_route_from_string value
|
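Review bot: The guard `return exp unless hash? exp.first_arg` on line 81 handles the `foo.root` case named in CHANGES.md, but the `#TODO: Need test for this` comment directly above `process_root` still stands; a regression test that runs a non-route call such as `foo.root` (and a bare `root` with no arguments) through the routes processor would close that TODO and pin the new early return. A short why-comment would also help the next reader: `# root is only a route definition when called with a hash (root to: ...); other receivers (foo.root) are unrelated calls`. process_root continues outside the hunk.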
data/lib/brakeman/scanner.rb
CHANGED
|
@@ -137,7 +137,9 @@ class Brakeman::Scanner
|
|
|
137
137
|
end
|
|
138
138
|
|
|
139
139
|
if @app_tree.exists? ".ruby-version"
|
|
140
|
-
|
|
140
|
+
if version = @app_tree.file_path(".ruby-version").read[/(\d\.\d.\d+)/]
|
|
141
|
+
tracker.config.set_ruby_version version
|
|
142
|
+
end
|
|
141
143
|
end
|
|
142
144
|
|
|
143
145
|
tracker.config.load_rails_defaults
|
|
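Review bot: The `.ruby-version` read on line 140 captures with `/(\d\.\d.\d+)/`, the same pattern as gem_processor.rb's `@ruby_version` on this page, with the same unescaped dot and single-digit minor; a shared `/(\d+\.\d+\.\d+)/` constant would fix both places at once. A `.ruby-version` file may also name an alternative engine (values like `jruby-9.3.0.0` are common with version managers), in which case the first three numeric components captured are the engine's version, not an MRI version, and the EOL check would compare them against the MRI table; if that matters, skip values with an engine prefix. The enclosing method continues outside the hunk.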
@@ -14,7 +14,7 @@ module Brakeman
|
|
|
14
14
|
@settings = {}
|
|
15
15
|
@escape_html = nil
|
|
16
16
|
@erubis = nil
|
|
17
|
-
@ruby_version =
|
|
17
|
+
@ruby_version = nil
|
|
18
18
|
@rails_version = nil
|
|
19
19
|
end
|
|
20
20
|
|
|
@@ -106,6 +106,13 @@ module Brakeman
|
|
|
106
106
|
tracker.options[:rails5] = true
|
|
107
107
|
tracker.options[:rails6] = true
|
|
108
108
|
Brakeman.notify "[Notice] Detected Rails 6 application"
|
|
109
|
+
elsif @rails_version.start_with? "7"
|
|
110
|
+
tracker.options[:rails3] = true
|
|
111
|
+
tracker.options[:rails4] = true
|
|
112
|
+
tracker.options[:rails5] = true
|
|
113
|
+
tracker.options[:rails6] = true
|
|
114
|
+
tracker.options[:rails7] = true
|
|
115
|
+
Brakeman.notify "[Notice] Detected Rails 7 application"
|
|
109
116
|
end
|
|
110
117
|
end
|
|
111
118
|
end
|
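Review bot: `@ruby_version` now defaults to `nil` on line 17 (the removed line assigned something the rendering truncates), so every reader of `tracker.config.ruby_version` must tolerate nil; check_symbol_dos.rb on this page gained that guard, but other callers are not visible here and should be audited for `>=` or `start_with?` on a nil. A comment on the attribute would record the contract: `# nil until set from Gemfile.lock or .ruby-version via set_ruby_version`. The Rails 7 branch on lines 109–115 also duplicates the five-flag cascade written for `--rails7` in options.rb; a shared helper would keep the two aligned. The enclosing class continues outside both hunks.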
data/lib/brakeman/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: brakeman-lib
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 5.
|
|
4
|
+
version: 5.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Justin Collins
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-
|
|
11
|
+
date: 2021-12-16 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: minitest
|
|
@@ -271,6 +271,8 @@ files:
|
|
|
271
271
|
- lib/brakeman/checks/check_digest_dos.rb
|
|
272
272
|
- lib/brakeman/checks/check_divide_by_zero.rb
|
|
273
273
|
- lib/brakeman/checks/check_dynamic_finders.rb
|
|
274
|
+
- lib/brakeman/checks/check_eol_rails.rb
|
|
275
|
+
- lib/brakeman/checks/check_eol_ruby.rb
|
|
274
276
|
- lib/brakeman/checks/check_escape_function.rb
|
|
275
277
|
- lib/brakeman/checks/check_evaluation.rb
|
|
276
278
|
- lib/brakeman/checks/check_execute.rb
|
|
@@ -337,6 +339,7 @@ files:
|
|
|
337
339
|
- lib/brakeman/checks/check_without_protection.rb
|
|
338
340
|
- lib/brakeman/checks/check_xml_dos.rb
|
|
339
341
|
- lib/brakeman/checks/check_yaml_parsing.rb
|
|
342
|
+
- lib/brakeman/checks/eol_check.rb
|
|
340
343
|
- lib/brakeman/codeclimate/engine_configuration.rb
|
|
341
344
|
- lib/brakeman/commandline.rb
|
|
342
345
|
- lib/brakeman/differ.rb
|
|
@@ -452,7 +455,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
452
455
|
requirements:
|
|
453
456
|
- - ">="
|
|
454
457
|
- !ruby/object:Gem::Version
|
|
455
|
-
version: 2.
|
|
458
|
+
version: 2.5.0
|
|
456
459
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
457
460
|
requirements:
|
|
458
461
|
- - ">="
|