brakeman-lib 5.2.0 → 5.2.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGES.md +17 -0
- data/lib/brakeman/checks/check_sql.rb +3 -2
- data/lib/brakeman/checks/check_unsafe_reflection.rb +7 -2
- data/lib/brakeman/processors/alias_processor.rb +41 -2
- data/lib/brakeman/report/ignore/interactive.rb +2 -2
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning_codes.rb +2 -0
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 9aadbbfe9251a955f84f5c7d5e317f66386533b90f314e34555a80501a3df153
|
|
4
|
+
data.tar.gz: 4576fc34cceb9269e2daee88b940305590410791a4fc6be2bdc8401f3ae99554
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 661e96a6fcc739bc93ef8c605e2fb8dea9ee895fb9121860d225e91717a5ea4108e7d0c57163fb8fe4e119e5f11c75022301293524c3808a323a10e55c087bc7
|
|
7
|
+
data.tar.gz: '0842840bd4735a2411d66ce708876cce60e1bc47cf153affe92bdbcd1f9fd92cf7919c9bd510f78900ce8d994cd9b3b06eaf571f8905c2eb8b60692f0ec529af'
|
data/CHANGES.md
CHANGED
|
@@ -1,3 +1,20 @@
|
|
|
1
|
+
# 5.2.3 - 2022-05-01
|
|
2
|
+
|
|
3
|
+
* Fix error with hash shorthand syntax
|
|
4
|
+
* Match order of interactive options with help message (Rory O'Kane)
|
|
5
|
+
|
|
6
|
+
# 5.2.2 - 2022-04-06
|
|
7
|
+
|
|
8
|
+
* Update `ruby_parser` for Ruby 3.1 support (Merek Skubela)
|
|
9
|
+
* Handle `nil` when joining values (Dan Buettner)
|
|
10
|
+
* Update message for unsafe reflection (Pedro Baracho)
|
|
11
|
+
* Add additional String methods for SQL injection check
|
|
12
|
+
* Respect equality in `if` conditions
|
|
13
|
+
|
|
14
|
+
# 5.2.1 - 2022-01-30
|
|
15
|
+
|
|
16
|
+
* Add warning codes for EOL software warnings
|
|
17
|
+
|
|
1
18
|
# 5.2.0 - 2021-12-15
|
|
2
19
|
|
|
3
20
|
* Initial Rails 7 support
|
|
@@ -405,7 +405,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
405
405
|
nil
|
|
406
406
|
end
|
|
407
407
|
|
|
408
|
-
TO_STRING_METHODS = [:chomp, :
|
|
408
|
+
TO_STRING_METHODS = [:chomp, :chop, :lstrip, :rstrip, :scrub, :squish, :strip,
|
|
409
|
+
:strip_heredoc, :to_s, :tr]
|
|
409
410
|
|
|
410
411
|
#Returns value if interpolated value is not something safe
|
|
411
412
|
def unsafe_string_interp? exp
|
|
@@ -744,6 +745,6 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
744
745
|
date_target? exp.target
|
|
745
746
|
else
|
|
746
747
|
false
|
|
747
|
-
end
|
|
748
|
+
end
|
|
748
749
|
end
|
|
749
750
|
end
|
|
@@ -20,7 +20,7 @@ class Brakeman::CheckUnsafeReflection < Brakeman::BaseCheck
|
|
|
20
20
|
def check_unsafe_reflection result
|
|
21
21
|
return unless original? result
|
|
22
22
|
|
|
23
|
-
call = result[:call]
|
|
23
|
+
call = result[:call]
|
|
24
24
|
method = call.method
|
|
25
25
|
|
|
26
26
|
case method
|
|
@@ -37,7 +37,12 @@ class Brakeman::CheckUnsafeReflection < Brakeman::BaseCheck
|
|
|
37
37
|
end
|
|
38
38
|
|
|
39
39
|
if confidence
|
|
40
|
-
|
|
40
|
+
case method
|
|
41
|
+
when :constantize, :safe_constantize
|
|
42
|
+
message = msg("Unsafe reflection method ", msg_code(method), " called on ", msg_input(input))
|
|
43
|
+
else
|
|
44
|
+
message = msg("Unsafe reflection method ", msg_code(method), " called with ", msg_input(input))
|
|
45
|
+
end
|
|
41
46
|
|
|
42
47
|
warn :result => result,
|
|
43
48
|
:warning_type => "Remote Code Execution",
|
|
@@ -404,7 +404,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
|
404
404
|
end
|
|
405
405
|
|
|
406
406
|
def join_item item, join_value
|
|
407
|
-
if item.is_a?
|
|
407
|
+
if item.nil? || item.is_a?(String)
|
|
408
408
|
"#{item}#{join_value}"
|
|
409
409
|
elsif string? item or symbol? item or number? item
|
|
410
410
|
s(:str, "#{item.value}#{join_value}").line(item.line)
|
|
@@ -703,7 +703,30 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
|
703
703
|
end
|
|
704
704
|
end
|
|
705
705
|
|
|
706
|
-
|
|
706
|
+
# Return early unless there might be short-hand syntax,
|
|
707
|
+
# since handling it is kind of expensive.
|
|
708
|
+
return exp unless exp.any? { |e| e.nil? }
|
|
709
|
+
|
|
710
|
+
# Need to handle short-hand hash syntax
|
|
711
|
+
new_hash = [:hash]
|
|
712
|
+
hash_iterate(exp) do |key, value|
|
|
713
|
+
# e.g. { a: }
|
|
714
|
+
if value.nil? and symbol? key
|
|
715
|
+
# Only handling local variables for now, not calls
|
|
716
|
+
lvar = s(:lvar, key.value)
|
|
717
|
+
if var_value = env[lvar]
|
|
718
|
+
new_hash << key << var_value.deep_clone(key.line || 0)
|
|
719
|
+
else
|
|
720
|
+
# If the value is unknown, assume it was a call
|
|
721
|
+
# and set the value to a call
|
|
722
|
+
new_hash.concat << key << s(:call, nil, key.value).line(key.line || 0)
|
|
723
|
+
end
|
|
724
|
+
else
|
|
725
|
+
new_hash.concat << key << value
|
|
726
|
+
end
|
|
727
|
+
end
|
|
728
|
+
|
|
729
|
+
Sexp.from_array(new_hash).line(exp.line || 0)
|
|
707
730
|
end
|
|
708
731
|
|
|
709
732
|
#Merge values into hash when processing
|
|
@@ -864,6 +887,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
|
864
887
|
elsif false? condition
|
|
865
888
|
no_branch = true
|
|
866
889
|
exps = [nil, exp.else_clause]
|
|
890
|
+
elsif equality_check? condition and condition.target == condition.first_arg
|
|
891
|
+
no_branch = true
|
|
892
|
+
exps = [exp.then_clause, nil]
|
|
867
893
|
else
|
|
868
894
|
no_branch = false
|
|
869
895
|
exps = [exp.then_clause, exp.else_clause]
|
|
@@ -897,6 +923,14 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
|
897
923
|
env.current[var] = safe_literal(var.line)
|
|
898
924
|
exp[branch_index] = process_if_branch branch
|
|
899
925
|
env.current[var] = previous_value
|
|
926
|
+
elsif i == 0 and equality_check? condition
|
|
927
|
+
# For conditions like a == b,
|
|
928
|
+
# set a to b inside the true branch
|
|
929
|
+
var = condition.target
|
|
930
|
+
previous_value = env.current[var]
|
|
931
|
+
env.current[var] = condition.first_arg
|
|
932
|
+
exp[branch_index] = process_if_branch branch
|
|
933
|
+
env.current[var] = previous_value
|
|
900
934
|
elsif i == 1 and hash_or_array_include_all_literals? condition and early_return? branch
|
|
901
935
|
var = condition.first_arg
|
|
902
936
|
env.current[var] = safe_literal(var.line)
|
|
@@ -931,6 +965,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
|
931
965
|
end
|
|
932
966
|
end
|
|
933
967
|
|
|
968
|
+
def equality_check? exp
|
|
969
|
+
call? exp and
|
|
970
|
+
exp.method == :==
|
|
971
|
+
end
|
|
972
|
+
|
|
934
973
|
def simple_when? exp
|
|
935
974
|
node_type? exp[1], :array and
|
|
936
975
|
not node_type? exp[1][1], :splat, :array and
|
data/lib/brakeman/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: brakeman-lib
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 5.2.
|
|
4
|
+
version: 5.2.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Justin Collins
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2022-05-01 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: minitest
|
|
@@ -86,14 +86,14 @@ dependencies:
|
|
|
86
86
|
requirements:
|
|
87
87
|
- - "~>"
|
|
88
88
|
- !ruby/object:Gem::Version
|
|
89
|
-
version: '3.
|
|
89
|
+
version: '3.19'
|
|
90
90
|
type: :runtime
|
|
91
91
|
prerelease: false
|
|
92
92
|
version_requirements: !ruby/object:Gem::Requirement
|
|
93
93
|
requirements:
|
|
94
94
|
- - "~>"
|
|
95
95
|
- !ruby/object:Gem::Version
|
|
96
|
-
version: '3.
|
|
96
|
+
version: '3.19'
|
|
97
97
|
- !ruby/object:Gem::Dependency
|
|
98
98
|
name: ruby_parser-legacy
|
|
99
99
|
requirement: !ruby/object:Gem::Requirement
|