brakeman-lib 6.2.1 → 6.2.2
- checksums.yaml +4 -4
- data/CHANGES.md +6 -0
- data/README.md +0 -1
- data/lib/brakeman/checks/check_eol_rails.rb +6 -0
- data/lib/brakeman/checks/check_execute.rb +28 -0
- data/lib/brakeman/version.rb +1 -1
- metadata +3 -3
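--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 43bb8b6197d17937fa07b7d6b69afaf5a0d4c0fad6332f2126a6f317e5e49262
+data.tar.gz: 29698bd867c9bfd2dc13baf27c463da77132be4f13d93fd1448428977241c9a2
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 8513e27561f8608fca48561c64ceaa42bf43042fee54d1b3102f1ad4dc855eb980c5cf963ed7cc48e8056d91b3d168553efab52f86c5064075b53aa49c1278af
+data.tar.gz: da6eef18fb43bfcb014f46e86cbd5df82c97b359f53abf18f263366940f45cb621bc85f1dc4933ac2319c063c963b2469c1eb936d26fec36e351c89577c822d9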
data/CHANGES.md
CHANGED
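--- a/data/README.md
+++ b/data/README.md
@@ -2,7 +2,6 @@
 
 [![Build Status](https://circleci.com/gh/presidentbeef/brakeman.svg?style=svg)](https://circleci.com/gh/presidentbeef/brakeman)
 [![Test Coverage](https://api.codeclimate.com/v1/badges/1b08a5c74695cb0d11ec/test_coverage)](https://codeclimate.com/github/presidentbeef/brakeman/test_coverage)
-[![Gitter](https://badges.gitter.im/presidentbeef/brakeman.svg)](https://gitter.im/presidentbeef/brakeman)
 
 # Brakeman
 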
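--- a/data/lib/brakeman/checks/check_eol_rails.rb
+++ b/data/lib/brakeman/checks/check_eol_rails.rb
@@ -11,6 +11,8 @@ class Brakeman::CheckEOLRails < Brakeman::EOLCheck
 check_eol_version :rails, RAILS_EOL_DATES
 end
 
+# https://rubyonrails.org/maintenance
+# https://endoflife.date/rails
 RAILS_EOL_DATES = {
 ['2.0.0', '2.3.99'] => Date.new(2013, 6, 25),
 ['3.0.0', '3.2.99'] => Date.new(2016, 6, 30),
@@ -19,5 +21,9 @@ class Brakeman::CheckEOLRails < Brakeman::EOLCheck
 ['5.1.0', '5.1.99'] => Date.new(2019, 8, 25),
 ['5.2.0', '5.2.99'] => Date.new(2022, 6, 1),
 ['6.0.0', '6.0.99'] => Date.new(2023, 6, 1),
+['6.1.0', '6.1.99'] => Date.new(2024, 10, 1),
+['7.0.0', '7.0.99'] => Date.new(2025, 4, 1),
+['7.1.0', '7.1.99'] => Date.new(2025, 10, 1),
+['7.2.0', '7.2.99'] => Date.new(2026, 8, 9),
 }
 end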
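--- a/data/lib/brakeman/checks/check_execute.rb
+++ b/data/lib/brakeman/checks/check_execute.rb
@@ -53,6 +53,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
 call = result[:call]
 args = call.arglist
 first_arg = call.first_arg
+failure = nil
 
 case call.method
 when :popen
@@ -71,6 +72,33 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
 dangerous_interp?(first_arg[3]) ||
 dangerous_string_building?(first_arg[3])
 end
+when :pipeline, :pipline_r, :pipeline_rw, :pipeline_w, :pipeline_start
+# Since these pipeline commands pipe together several commands,
+# need to check each argument. If it's an array, check first argument
+# (the command) and also check for `bash -c`. Otherwise check the argument
+# as a unit.
+
+args.each do |arg|
+next unless sexp? arg
+
+if array?(arg)
+# Check first element of array
+failure = include_user_input?(arg[1]) ||
+dangerous_interp?(arg[1]) ||
+dangerous_string_building?(arg[1])
+
+# Check for ['bash', '-c', user_input]
+if dash_c_shell_command?(arg[1], arg[2])
+failure = include_user_input?(arg[3]) ||
+dangerous_interp?(arg[3]) ||
+dangerous_string_building?(arg[3])
+end
+else
+failure = include_user_input?(arg)
+end
+
+break if failure
+end
 when :system, :exec
 # Normally, if we're in a `system` or `exec` call, we only are worried
 # about shell injection when there's a single argument, because comma-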
data/lib/brakeman/version.rb
CHANGED
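--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-version: 6.2.
+version: 6.2.2
 platform: ruby
 authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-
+date: 2024-10-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: csv
@@ -467,7 +467,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.
+rubygems_version: 3.3.27
 signing_key:
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.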