brakeman-lib 5.2.0 → 5.2.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGES.md +17 -0
- data/lib/brakeman/checks/check_sql.rb +3 -2
- data/lib/brakeman/checks/check_unsafe_reflection.rb +7 -2
- data/lib/brakeman/processors/alias_processor.rb +41 -2
- data/lib/brakeman/report/ignore/interactive.rb +2 -2
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning_codes.rb +2 -0
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 9aadbbfe9251a955f84f5c7d5e317f66386533b90f314e34555a80501a3df153
|
|
4
|
+
data.tar.gz: 4576fc34cceb9269e2daee88b940305590410791a4fc6be2bdc8401f3ae99554
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 661e96a6fcc739bc93ef8c605e2fb8dea9ee895fb9121860d225e91717a5ea4108e7d0c57163fb8fe4e119e5f11c75022301293524c3808a323a10e55c087bc7
|
|
7
|
+
data.tar.gz: '0842840bd4735a2411d66ce708876cce60e1bc47cf153affe92bdbcd1f9fd92cf7919c9bd510f78900ce8d994cd9b3b06eaf571f8905c2eb8b60692f0ec529af'
|
data/CHANGES.md
CHANGED
|
@@ -1,3 +1,20 @@
|
|
|
1
|
+
# 5.2.3 - 2022-05-01
|
|
2
|
+
|
|
3
|
+
* Fix error with hash shorthand syntax
|
|
4
|
+
* Match order of interactive options with help message (Rory O'Kane)
|
|
5
|
+
|
|
6
|
+
# 5.2.2 - 2022-04-06
|
|
7
|
+
|
|
8
|
+
* Update `ruby_parser` for Ruby 3.1 support (Merek Skubela)
|
|
9
|
+
* Handle `nil` when joining values (Dan Buettner)
|
|
10
|
+
* Update message for unsafe reflection (Pedro Baracho)
|
|
11
|
+
* Add additional String methods for SQL injection check
|
|
12
|
+
* Respect equality in `if` conditions
|
|
13
|
+
|
|
14
|
+
# 5.2.1 - 2022-01-30
|
|
15
|
+
|
|
16
|
+
* Add warning codes for EOL software warnings
|
|
17
|
+
|
|
1
18
|
# 5.2.0 - 2021-12-15
|
|
2
19
|
|
|
3
20
|
* Initial Rails 7 support
|
|
@@ -405,7 +405,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
405
405
|
nil
|
|
406
406
|
end
|
|
407
407
|
|
|
408
|
-
TO_STRING_METHODS = [:chomp, :
|
|
408
|
+
TO_STRING_METHODS = [:chomp, :chop, :lstrip, :rstrip, :scrub, :squish, :strip,
|
|
409
|
+
:strip_heredoc, :to_s, :tr]
|
|
409
410
|
|
|
410
411
|
#Returns value if interpolated value is not something safe
|
|
411
412
|
def unsafe_string_interp? exp
|
|
@@ -744,6 +745,6 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
744
745
|
date_target? exp.target
|
|
745
746
|
else
|
|
746
747
|
false
|
|
747
|
-
end
|
|
748
|
+
end
|
|
748
749
|
end
|
|
749
750
|
end
|
|
@@ -20,7 +20,7 @@ class Brakeman::CheckUnsafeReflection < Brakeman::BaseCheck
|
|
|
20
20
|
def check_unsafe_reflection result
|
|
21
21
|
return unless original? result
|
|
22
22
|
|
|
23
|
-
call = result[:call]
|
|
23
|
+
call = result[:call]
|
|
24
24
|
method = call.method
|
|
25
25
|
|
|
26
26
|
case method
|
|
@@ -37,7 +37,12 @@ class Brakeman::CheckUnsafeReflection < Brakeman::BaseCheck
|
|
|
37
37
|
end
|
|
38
38
|
|
|
39
39
|
if confidence
|
|
40
|
-
|
|
40
|
+
case method
|
|
41
|
+
when :constantize, :safe_constantize
|
|
42
|
+
message = msg("Unsafe reflection method ", msg_code(method), " called on ", msg_input(input))
|
|
43
|
+
else
|
|
44
|
+
message = msg("Unsafe reflection method ", msg_code(method), " called with ", msg_input(input))
|
|
45
|
+
end
|
|
41
46
|
|
|
42
47
|
warn :result => result,
|
|
43
48
|
:warning_type => "Remote Code Execution",
|
|
@@ -404,7 +404,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
|
404
404
|
end
|
|
405
405
|
|
|
406
406
|
def join_item item, join_value
|
|
407
|
-
if item.is_a?
|
|
407
|
+
if item.nil? || item.is_a?(String)
|
|
408
408
|
"#{item}#{join_value}"
|
|
409
409
|
elsif string? item or symbol? item or number? item
|
|
410
410
|
s(:str, "#{item.value}#{join_value}").line(item.line)
|
|
@@ -703,7 +703,30 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
|
703
703
|
end
|
|
704
704
|
end
|
|
705
705
|
|
|
706
|
-
|
|
706
|
+
# Return early unless there might be short-hand syntax,
|
|
707
|
+
# since handling it is kind of expensive.
|
|
708
|
+
return exp unless exp.any? { |e| e.nil? }
|
|
709
|
+
|
|
710
|
+
# Need to handle short-hand hash syntax
|
|
711
|
+
new_hash = [:hash]
|
|
712
|
+
hash_iterate(exp) do |key, value|
|
|
713
|
+
# e.g. { a: }
|
|
714
|
+
if value.nil? and symbol? key
|
|
715
|
+
# Only handling local variables for now, not calls
|
|
716
|
+
lvar = s(:lvar, key.value)
|
|
717
|
+
if var_value = env[lvar]
|
|
718
|
+
new_hash << key << var_value.deep_clone(key.line || 0)
|
|
719
|
+
else
|
|
720
|
+
# If the value is unknown, assume it was a call
|
|
721
|
+
# and set the value to a call
|
|
722
|
+
new_hash.concat << key << s(:call, nil, key.value).line(key.line || 0)
|
|
723
|
+
end
|
|
724
|
+
else
|
|
725
|
+
new_hash.concat << key << value
|
|
726
|
+
end
|
|
727
|
+
end
|
|
728
|
+
|
|
729
|
+
Sexp.from_array(new_hash).line(exp.line || 0)
|
|
707
730
|
end
|
|
708
731
|
|
|
709
732
|
#Merge values into hash when processing
|
|
@@ -864,6 +887,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
|
864
887
|
elsif false? condition
|
|
865
888
|
no_branch = true
|
|
866
889
|
exps = [nil, exp.else_clause]
|
|
890
|
+
elsif equality_check? condition and condition.target == condition.first_arg
|
|
891
|
+
no_branch = true
|
|
892
|
+
exps = [exp.then_clause, nil]
|
|
867
893
|
else
|
|
868
894
|
no_branch = false
|
|
869
895
|
exps = [exp.then_clause, exp.else_clause]
|
|
@@ -897,6 +923,14 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
|
897
923
|
env.current[var] = safe_literal(var.line)
|
|
898
924
|
exp[branch_index] = process_if_branch branch
|
|
899
925
|
env.current[var] = previous_value
|
|
926
|
+
elsif i == 0 and equality_check? condition
|
|
927
|
+
# For conditions like a == b,
|
|
928
|
+
# set a to b inside the true branch
|
|
929
|
+
var = condition.target
|
|
930
|
+
previous_value = env.current[var]
|
|
931
|
+
env.current[var] = condition.first_arg
|
|
932
|
+
exp[branch_index] = process_if_branch branch
|
|
933
|
+
env.current[var] = previous_value
|
|
900
934
|
elsif i == 1 and hash_or_array_include_all_literals? condition and early_return? branch
|
|
901
935
|
var = condition.first_arg
|
|
902
936
|
env.current[var] = safe_literal(var.line)
|
|
@@ -931,6 +965,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
|
931
965
|
end
|
|
932
966
|
end
|
|
933
967
|
|
|
968
|
+
def equality_check? exp
|
|
969
|
+
call? exp and
|
|
970
|
+
exp.method == :==
|
|
971
|
+
end
|
|
972
|
+
|
|
934
973
|
def simple_when? exp
|
|
935
974
|
node_type? exp[1], :array and
|
|
936
975
|
not node_type? exp[1][1], :splat, :array and
|
data/lib/brakeman/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: brakeman-lib
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 5.2.
|
|
4
|
+
version: 5.2.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Justin Collins
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2022-05-01 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: minitest
|
|
@@ -86,14 +86,14 @@ dependencies:
|
|
|
86
86
|
requirements:
|
|
87
87
|
- - "~>"
|
|
88
88
|
- !ruby/object:Gem::Version
|
|
89
|
-
version: '3.
|
|
89
|
+
version: '3.19'
|
|
90
90
|
type: :runtime
|
|
91
91
|
prerelease: false
|
|
92
92
|
version_requirements: !ruby/object:Gem::Requirement
|
|
93
93
|
requirements:
|
|
94
94
|
- - "~>"
|
|
95
95
|
- !ruby/object:Gem::Version
|
|
96
|
-
version: '3.
|
|
96
|
+
version: '3.19'
|
|
97
97
|
- !ruby/object:Gem::Dependency
|
|
98
98
|
name: ruby_parser-legacy
|
|
99
99
|
requirement: !ruby/object:Gem::Requirement
|