brakeman-lib 5.4.1 → 6.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGES.md +14 -0
- data/README.md +2 -2
- data/lib/brakeman/app_tree.rb +0 -1
- data/lib/brakeman/checks/check_content_tag.rb +8 -5
- data/lib/brakeman/checks/check_eol_ruby.rb +3 -1
- data/lib/brakeman/report/report_github.rb +1 -1
- data/lib/brakeman/scanner.rb +0 -1
- data/lib/brakeman/tracker/config.rb +15 -11
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman.rb +6 -2
- metadata +2 -16
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: fa04262bdd0adc42cac58526843c33d79a66b439880e8c8df8c6c1df343fcff6
|
|
4
|
+
data.tar.gz: 7e433c0b3a0ac62bc432bec371432bfacde51c34cd6d2c8ae2e78b698e7c44a4
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 2b8220a3968c53ba01ac55034a15a2f7021a0bc7c319fda428ae917bb8eead85388a9995115ea67ec41f8a837d68fb2efaa6cfb907ac3d6a00ce92e2a15e4a87
|
|
7
|
+
data.tar.gz: d9374e5121036962f6f3ea04478ecffceda79cfbc0c3a30d7d6fcb426ce60c0185d903056ff7231b0ec4b37d3fbd72a899ff49d6a7010f5ca7a1703d948dcd43
|
data/CHANGES.md
CHANGED
|
@@ -1,3 +1,17 @@
|
|
|
1
|
+
# 6.0.1 - 2023-07-20
|
|
2
|
+
|
|
3
|
+
* Accept strings for `load_defaults` version
|
|
4
|
+
|
|
5
|
+
# 6.0.0 - 2023-05-24
|
|
6
|
+
|
|
7
|
+
* Add obsolete fingerprints to comparison report
|
|
8
|
+
* Warn about missing CSRF protection when defaults are not loaded (Chris Kruger)
|
|
9
|
+
* Scan directories that include the word `public`
|
|
10
|
+
* Raise minimum Ruby version to 3.0
|
|
11
|
+
* Drop support for Ruby 1.8/1.9 syntax
|
|
12
|
+
* Fix end-of-life dates for Ruby
|
|
13
|
+
* Fix false positive with `content_tag` in newer Rails
|
|
14
|
+
|
|
1
15
|
# 5.4.1 - 2023-02-21
|
|
2
16
|
|
|
3
17
|
* Fix file/line location for EOL software warnings
|
data/README.md
CHANGED
|
@@ -66,7 +66,7 @@ Outside of Rails root (note that the output file is relative to path/to/rails/ap
|
|
|
66
66
|
|
|
67
67
|
Brakeman should work with any version of Rails from 2.3.x to 7.x.
|
|
68
68
|
|
|
69
|
-
Brakeman can analyze code written with Ruby
|
|
69
|
+
Brakeman can analyze code written with Ruby 2.0 syntax and newer, but requires at least Ruby 3.0.0 to run.
|
|
70
70
|
|
|
71
71
|
# Basic Options
|
|
72
72
|
|
|
@@ -182,7 +182,7 @@ There is a [plugin available](http://brakemanscanner.org/docs/jenkins/) for Jenk
|
|
|
182
182
|
|
|
183
183
|
For even more continuous testing, try the [Guard plugin](https://github.com/guard/guard-brakeman).
|
|
184
184
|
|
|
185
|
-
There are a couple [
|
|
185
|
+
There are a couple [GitHub Actions](https://github.com/marketplace?type=actions&query=brakeman) available.
|
|
186
186
|
|
|
187
187
|
# Building
|
|
188
188
|
|
data/lib/brakeman/app_tree.rb
CHANGED
|
@@ -73,11 +73,14 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
|
|
|
73
73
|
check_argument result, content
|
|
74
74
|
end
|
|
75
75
|
|
|
76
|
-
#
|
|
77
|
-
if
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
76
|
+
# This changed in Rails 6.1.6
|
|
77
|
+
if version_between? '0.0.0', '6.1.5'
|
|
78
|
+
#Attribute keys are never escaped, so check them for user input
|
|
79
|
+
if not @matched and hash? attributes and not request_value? attributes
|
|
80
|
+
hash_iterate(attributes) do |k, _v|
|
|
81
|
+
check_argument result, k
|
|
82
|
+
return if @matched
|
|
83
|
+
end
|
|
81
84
|
end
|
|
82
85
|
end
|
|
83
86
|
|
|
@@ -21,6 +21,8 @@ class Brakeman::CheckEOLRuby < Brakeman::EOLCheck
|
|
|
21
21
|
['2.5.0', '2.5.99'] => Date.new(2021, 3, 31),
|
|
22
22
|
['2.6.0', '2.6.99'] => Date.new(2022, 3, 31),
|
|
23
23
|
['2.7.0', '2.7.99'] => Date.new(2023, 3, 31),
|
|
24
|
-
['3.0.0', '
|
|
24
|
+
['3.0.0', '3.0.99'] => Date.new(2024, 3, 31),
|
|
25
|
+
['3.1.0', '3.1.99'] => Date.new(2025, 3, 31),
|
|
26
|
+
['3.2.0', '3.2.99'] => Date.new(2026, 3, 31),
|
|
25
27
|
}
|
|
26
28
|
end
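Review bot: The new gate `if version_between? '0.0.0', '6.1.5'` silently drops the attribute-key check whenever Brakeman could not determine the Rails version, assuming `version_between?` returns false for an unknown version — before this change the keys were always checked, so an undetected version now turns a likely true positive into silence rather than a warning, and the guard deserves an explicit `rails_version.nil?` branch or a comment stating the trade-off. It also excludes every 7.0.x release, which is only right if 7.0.0–7.0.2 already escaped attribute names; if the escaping shipped in the 7.0.3 patch alongside 6.1.6, the gate should read `if version_between? '0.0.0', '6.1.5' or version_between? '7.0.0', '7.0.2'`. The comment `# This changed in Rails 6.1.6` says that something changed but not what; I would expand it to `# Rails 6.1.6+ escapes attribute names in tag helpers, so only older versions need the key check`. Note that this hunk is labelled `app_tree.rb` on this page but its `@@` header places it in `Brakeman::CheckContentTag` (check_content_tag.rb per the diffstat), and the enclosing method starts outside the hunk.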
|
data/lib/brakeman/scanner.rb
CHANGED
|
@@ -20,9 +20,7 @@ module Brakeman
|
|
|
20
20
|
|
|
21
21
|
def default_protect_from_forgery?
|
|
22
22
|
if version_between? "5.2.0.beta1", "9.9.9"
|
|
23
|
-
if @rails.dig(:action_controller, :default_protect_from_forgery) == Sexp.new(:
|
|
24
|
-
return false
|
|
25
|
-
else
|
|
23
|
+
if @rails.dig(:action_controller, :default_protect_from_forgery) == Sexp.new(:true)
|
|
26
24
|
return true
|
|
27
25
|
end
|
|
28
26
|
end
|
|
@@ -191,13 +189,19 @@ module Brakeman
|
|
|
191
189
|
# Load defaults based on config.load_defaults value
|
|
192
190
|
# as documented here: https://guides.rubyonrails.org/configuring.html#results-of-config-load-defaults
|
|
193
191
|
def load_rails_defaults
|
|
194
|
-
return unless
|
|
192
|
+
return unless node_type? tracker.config.rails[:load_defaults], :lit, :str
|
|
193
|
+
|
|
194
|
+
version = tracker.config.rails[:load_defaults].value.to_s
|
|
195
|
+
|
|
196
|
+
unless version.match? /^\d+\.\d+$/
|
|
197
|
+
Brakeman.debug "[Notice] Unknown version: #{tracker.config.rails[:load_defaults]}"
|
|
198
|
+
return
|
|
199
|
+
end
|
|
195
200
|
|
|
196
|
-
version = tracker.config.rails[:load_defaults].value
|
|
197
201
|
true_value = Sexp.new(:true)
|
|
198
202
|
false_value = Sexp.new(:false)
|
|
199
203
|
|
|
200
|
-
if version >= 5.0
|
|
204
|
+
if version >= '5.0'
|
|
201
205
|
set_rails_config(value: true_value, path: [:action_controller, :per_form_csrf_tokens])
|
|
202
206
|
set_rails_config(value: true_value, path: [:action_controller, :forgery_protection_origin_check])
|
|
203
207
|
set_rails_config(value: true_value, path: [:active_record, :belongs_to_required_by_default])
|
|
@@ -205,12 +209,12 @@ module Brakeman
|
|
|
205
209
|
set_rails_config(value: true_value, path: [:ssl_options, :hsts, :subdomains])
|
|
206
210
|
end
|
|
207
211
|
|
|
208
|
-
if version >= 5.1
|
|
212
|
+
if version >= '5.1'
|
|
209
213
|
set_rails_config(value: false_value, path: [:assets, :unknown_asset_fallback])
|
|
210
214
|
set_rails_config(value: true_value, path: [:action_view, :form_with_generates_remote_forms])
|
|
211
215
|
end
|
|
212
216
|
|
|
213
|
-
if version >= 5.2
|
|
217
|
+
if version >= '5.2'
|
|
214
218
|
set_rails_config(value: true_value, path: [:active_record, :cache_versioning])
|
|
215
219
|
set_rails_config(value: true_value, path: [:action_dispatch, :use_authenticated_cookie_encryption])
|
|
216
220
|
set_rails_config(value: true_value, path: [:active_support, :use_authenticated_message_encryption])
|
|
@@ -219,7 +223,7 @@ module Brakeman
|
|
|
219
223
|
set_rails_config(value: true_value, path: [:action_view, :form_with_generates_ids])
|
|
220
224
|
end
|
|
221
225
|
|
|
222
|
-
if version >= 6.0
|
|
226
|
+
if version >= '6.0'
|
|
223
227
|
set_rails_config(value: Sexp.new(:lit, :zeitwerk), path: [:autoloader])
|
|
224
228
|
set_rails_config(value: false_value, path: [:action_view, :default_enforce_utf8])
|
|
225
229
|
set_rails_config(value: true_value, path: [:action_dispatch, :use_cookies_with_metadata])
|
|
@@ -232,7 +236,7 @@ module Brakeman
|
|
|
232
236
|
set_rails_config(value: true_value, path: [:active_record, :collection_cache_versioning])
|
|
233
237
|
end
|
|
234
238
|
|
|
235
|
-
if version >= 6.1
|
|
239
|
+
if version >= '6.1'
|
|
236
240
|
set_rails_config(value: true_value, path: [:action_controller, :urlsafe_csrf_tokens])
|
|
237
241
|
set_rails_config(value: Sexp.new(:lit, :lax), path: [:action_dispatch, :cookies_same_site_protection])
|
|
238
242
|
set_rails_config(value: Sexp.new(:lit, 308), path: [:action_dispatch, :ssl_default_redirect_status])
|
|
@@ -244,7 +248,7 @@ module Brakeman
|
|
|
244
248
|
set_rails_config(value: true_value, path: [:active_storage, :track_variants])
|
|
245
249
|
end
|
|
246
250
|
|
|
247
|
-
if version >= 7.0
|
|
251
|
+
if version >= '7.0'
|
|
248
252
|
video_args =
|
|
249
253
|
Sexp.new(:str, "-vf 'select=eq(n\\,0)+eq(key\\,1)+gt(scene\\,0.015),loop=loop=-1:size=2,trim=start_frame=1' -frames:v 1 -f image2")
|
|
250
254
|
hash_class = s(:colon2, s(:colon2, s(:const, :OpenSSL), :Digest), :SHA256)
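Review bot: Switching the comparisons to strings (`if version >= '5.0'` through `if version >= '7.0'`) makes them lexicographic, so a two-digit major such as `load_defaults 10.0` would compare below `'5.0'` and load no defaults at all — including the `per_form_csrf_tokens` and `use_authenticated_cookie_encryption` settings set in these hunks — where the old float comparison handled it. Since the value is already validated by `version.match? /^\d+\.\d+$/`, a version-aware comparison costs nothing: `version = Gem::Version.new(tracker.config.rails[:load_defaults].value.to_s)` and then `if version >= Gem::Version.new('5.0')` at each gate (`Gem::Version` comes with RubyGems, which a gem already has loaded). The regex should also anchor with `\A` and `\z` rather than `^`/`$`; the input here is a parsed literal so it is harmless today, but the per-line anchors are the habit that bites on multi-line input elsewhere. The `load_rails_defaults` method continues past the last hunk, and this section is labelled `scanner.rb` on this page although its hunks match the `tracker/config.rb` entry in the diffstat.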
|
data/lib/brakeman/version.rb
CHANGED
data/lib/brakeman.rb
CHANGED
|
@@ -493,10 +493,14 @@ module Brakeman
|
|
|
493
493
|
end
|
|
494
494
|
|
|
495
495
|
tracker = run(options)
|
|
496
|
+
new_report = JSON.parse(tracker.report.to_json, symbolize_names: true)
|
|
496
497
|
|
|
497
|
-
new_results =
|
|
498
|
+
new_results = new_report[:warnings]
|
|
499
|
+
obsolete_ignored = tracker.unused_fingerprints
|
|
498
500
|
|
|
499
|
-
Brakeman::Differ.new(new_results, previous_results).diff
|
|
501
|
+
Brakeman::Differ.new(new_results, previous_results).diff.tap do |diff|
|
|
502
|
+
diff[:obsolete] = obsolete_ignored
|
|
503
|
+
end
|
|
500
504
|
end
|
|
501
505
|
|
|
502
506
|
def self.load_brakeman_dependency name, allow_fail = false
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: brakeman-lib
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version:
|
|
4
|
+
version: 6.0.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Justin Collins
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2023-
|
|
11
|
+
date: 2023-07-20 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: minitest
|
|
@@ -94,20 +94,6 @@ dependencies:
|
|
|
94
94
|
- - "~>"
|
|
95
95
|
- !ruby/object:Gem::Version
|
|
96
96
|
version: '3.19'
|
|
97
|
-
- !ruby/object:Gem::Dependency
|
|
98
|
-
name: ruby_parser-legacy
|
|
99
|
-
requirement: !ruby/object:Gem::Requirement
|
|
100
|
-
requirements:
|
|
101
|
-
- - "~>"
|
|
102
|
-
- !ruby/object:Gem::Version
|
|
103
|
-
version: '1.0'
|
|
104
|
-
type: :runtime
|
|
105
|
-
prerelease: false
|
|
106
|
-
version_requirements: !ruby/object:Gem::Requirement
|
|
107
|
-
requirements:
|
|
108
|
-
- - "~>"
|
|
109
|
-
- !ruby/object:Gem::Version
|
|
110
|
-
version: '1.0'
|
|
111
97
|
- !ruby/object:Gem::Dependency
|
|
112
98
|
name: sexp_processor
|
|
113
99
|
requirement: !ruby/object:Gem::Requirement
|