brakeman-lib 4.7.0 → 4.7.1

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: e29d6575b47438b336589ce753da72098ad1b7465a4bb78625d5c666d8c1d0a3
4
- data.tar.gz: 073d249eb7c1915c3c3be01345c25d050127eec929ff2dd77e276433f94606c1
3
+ metadata.gz: 1a0bb1fb9eebcf11e5493213b5cd4a40b6c5359952f754bd7aab4fe727fa3950
4
+ data.tar.gz: '07648dfb71e125045d345bd154a56547f0b8168f6ecd29f6b47442e7923fbd3a'
5
5
  SHA512:
6
- metadata.gz: 87488f856d5b69554147a900ea4a5e0f8826b8a4a1ca95090c472f279d3014a80d28acfa36e131b07c2a9d78a80ec807fa20b45f7e2c133575da164b8ccf3506
7
- data.tar.gz: b73fe208fc26c26428b4883aa36e2b0c310f7b271fe9db0111cd5fc23d3fc040b8f90c0875f4736724685515ee6c3a6d20faf4cb1246042fab0fe66a6de41c61
6
+ metadata.gz: dd82f20198e48a73d7c7ddac934fcc9b192400e0b333f665033b7375c63ed5ffd5baf130ce31afd5aab48f7661cc93694a87b81ba87e29ad5a879c897052e1df
7
+ data.tar.gz: 5975dcd2ef58e1007d45b2206fcdf8232962b22739ccde18c9e72f3aafe72196efb11b4627051ca43bad2aaf7881dc0a7e35b25ef32436b33fea2853bb65b65b
data/CHANGES.md CHANGED
@@ -1,4 +1,14 @@
1
- # 4.7.0
1
+ # 4.7.1 - 2019-10-29
2
+
3
+ * Check string length against limit before joining
4
+ * Fix errors from frozen `Symbol#to_s` in Ruby 2.7
5
+ * Fix flaky rails4 test (Adam Kiczula)
6
+ * Added release dates to each version in CHANGES (TheSpartan1980)
7
+ * Catch reverse tabnabbing with `:_blank` symbol (Jacob Evelyn)
8
+ * Convert `s(:lambda)` to `s(:call)` in `Sexp#block_call`
9
+ * Sort text report by file and line (Jacob Evelyn)
10
+
11
+ # 4.7.0 - 2019-10-16
2
12
 
3
13
  * Refactor `Brakeman::Differ#second_pass` (Benoit Côté-Jodoin)
4
14
  * Ignore interpolation in `%W[]`
@@ -9,11 +19,11 @@
9
19
  * Catch shell injection from `-c` shell commands (Jacob Evelyn)
10
20
  * Correctly handle non-symbols in `CheckCookieSerialization` (Phil Turnbull)
11
21
 
12
- # 4.6.1
22
+ # 4.6.1 - 2019-07-24
13
23
 
14
24
  * Fix Reverse Tabnabbing warning message (Steffen Schildknecht / Jörg Schiller)
15
25
 
16
- # 4.6.0
26
+ # 4.6.0 - 2019-07-23
17
27
 
18
28
  * Skip calls to `dup`
19
29
  * Add reverse tabnabbing check (Linos Giannopoulos)
@@ -29,7 +39,7 @@
29
39
  * Add special warning code for custom checks
30
40
  * Add call matching by regular expression
31
41
 
32
- # 4.5.1
42
+ # 4.5.1 - 2019-05-11
33
43
 
34
44
  * Add `Brakeman::FilePath` to represent file paths
35
45
  * Handle trailing comma in block args
@@ -44,7 +54,7 @@
44
54
  * Add initial Rails 6 support
45
55
  * Add SQL injection checks for `destroy_by`/`delete_by`
46
56
 
47
- # 4.5.0
57
+ # 4.5.0 - 2019-03-16
48
58
 
49
59
  * Update `ruby_parser`, use `ruby_parser-legacy`
50
60
  * More thoroughly handle `Shellwords` escaping
@@ -61,7 +71,7 @@
61
71
  * Better handling of splat/kwsplat arguments
62
72
  * Improve "user input" reported for SQL injection
63
73
 
64
- # 4.4.0
74
+ # 4.4.0 - 2019-01-17
65
75
 
66
76
  * Set default encoding to UTF-8
67
77
  * Update to Slim 4.0.1 (Jake Peterson)
@@ -84,7 +94,7 @@
84
94
  * Complete overhaul of warning message construction
85
95
  * Deadcode and typo fixes found via Coverity
86
96
 
87
- # 4.3.1
97
+ # 4.3.1 - 2018-06-07
88
98
 
89
99
  * Ignore `Object#freeze`, use the target instead
90
100
  * Ignore `foreign_key` calls in SQL
@@ -97,7 +107,7 @@
97
107
  * Improve handling of conditionals in shell commands (Jacob Evelyn)
98
108
  * Fix error when setting line number in implicit renders
99
109
 
100
- # 4.3.0
110
+ # 4.3.0 - 2018-05-11
101
111
 
102
112
  * Check exec-type calls even if they are targets
103
113
  * Convert `Array#join` to string interpolation
@@ -113,14 +123,14 @@
113
123
  * `--color` can be used to force color output
114
124
  * Fix reported line numbers for CVE-2018-3741 and CVE-2018-8048
115
125
 
116
- # 4.2.1
126
+ # 4.2.1 - 2018-03-24
117
127
 
118
128
  * Add warning for CVE-2018-3741
119
129
  * Add warning for CVE-2018-8048
120
130
  * Scan `app/jobs/` directory
121
131
  * Handle `template_exists?` in controllers
122
132
 
123
- # 4.2.0
133
+ # 4.2.0 - 2018-02-22
124
134
 
125
135
  * Avoid warning about symbol DoS on `Model#attributes`
126
136
  * Avoid warning about open redirects with model methods ending with `_path`
@@ -133,12 +143,12 @@
133
143
  * Exclude template folders in `lib/` (kru0096)
134
144
  * Handle ERb use of `String#<<` method for Ruby 2.5 (Pocke)
135
145
 
136
- # 4.1.1
146
+ # 4.1.1 - 2017-12-19
137
147
 
138
148
  * Remove check for use of `permit` with `*_id` keys
139
149
  * Avoid duplicate warnings about permitted attributes
140
150
 
141
- # 4.1.0
151
+ # 4.1.0 - 2017-12-14
142
152
 
143
153
  * Process models as root sexp instead of each sexp
144
154
  * Avoid CSRF warning in Rails 5.2 default config
@@ -161,12 +171,12 @@
161
171
  * Refactor Code Climate engine options parsing (Noah Davis)
162
172
  * Fix upgrade version for CVE-2016-6316
163
173
 
164
- # 4.0.1
174
+ # 4.0.1 - 2017-09-25
165
175
 
166
176
  * Disable pager when `CI` environment variable is set
167
177
  * Fix output when pager fails
168
178
 
169
- # 4.0.0
179
+ # 4.0.0 - 2017-09-25
170
180
 
171
181
  * Add simple pager for reports output to terminal
172
182
  * Rename "Cross Site Scripting" to "Cross-Site Scripting" (Paul Tetreau)
@@ -180,11 +190,11 @@
180
190
  * --exit-on-error and --exit-on-warn are now the default
181
191
  * Fix --exit-on-error and --exit-on-warn in config files
182
192
 
183
- # 3.7.2
193
+ # 3.7.2 - 2017-08-16
184
194
 
185
195
  * Fix --ensure-latest (David Guyon)
186
196
 
187
- # 3.7.1
197
+ # 3.7.1 - 2017-08-16
188
198
 
189
199
  * Handle simple guard with return at end of branch
190
200
  * Modularize bin/brakeman
@@ -192,7 +202,7 @@
192
202
  * Add more collection methods for iteration detection
193
203
  * Update ruby2ruby and ruby_parser
194
204
 
195
- # 3.7.0
205
+ # 3.7.0 - 2017-06-30
196
206
 
197
207
  * Improve support for rails4/rails5 options in config file
198
208
  * Track more information about constant assignments
@@ -201,7 +211,7 @@
201
211
  * Fix false positive for redirect_to in Rails 4 (Mário Areias)
202
212
  * Avoid interpolating hashes/arrays on failed access
203
213
 
204
- # 3.6.2
214
+ # 3.6.2 - 2017-05-19
205
215
 
206
216
  * Handle safe call operator in checks
207
217
  * Better handling of `if` expressions in HAML rendering
@@ -216,11 +226,11 @@
216
226
  * Handle empty `if` expressions when finding return values
217
227
  * Fix finding return value from empty `if`
218
228
 
219
- # 3.6.1
229
+ # 3.6.1 - 2017-03-24
220
230
 
221
231
  * Fix error when using `--compare` (Sean Gransee)
222
232
 
223
- # 3.6.0
233
+ # 3.6.0 - 2017-03-23
224
234
 
225
235
  * Avoid recursive Concerns
226
236
  * Branch inside of `case` expressions
@@ -231,7 +241,7 @@
231
241
  * Only report CVE-2015-3227 when exact version is known
232
242
  * Check targetless SQL calls outside of known models
233
243
 
234
- # 3.5.0
244
+ # 3.5.0 - 2017-02-01
235
245
 
236
246
  * Allow `-t None`
237
247
  * Fail on invalid checks specified by `-x` or `-t`
@@ -246,7 +256,7 @@
246
256
  * Handle `included` block in concerns
247
257
  * Process concerns before controllers
248
258
 
249
- # 3.4.1
259
+ # 3.4.1 - 2016-11-02
250
260
 
251
261
  * Show action help at start of interactive ignore
252
262
  * Check CSRF setting in direct subclasses of `ActionController::Base` (Jason Yeo)
@@ -256,7 +266,7 @@
256
266
  * Avoid warning about `where_values_hash` in SQLi
257
267
  * Fix ignoring link interpolation not at beginning of string
258
268
 
259
- # 3.4.0
269
+ # 3.4.0 - 2016-09-08
260
270
 
261
271
  * Add new `plain` report format
262
272
  * Add option to prune ignore file with `-I`
@@ -265,18 +275,18 @@
265
275
  * Support creating reports in non-existent paths
266
276
  * Add `--no-exit-warn`
267
277
 
268
- # 3.3.5
278
+ # 3.3.5 - 2016-08-12
269
279
 
270
280
  * Fix bug in reports when using --debug option
271
281
 
272
- # 3.3.4
282
+ # 3.3.4 - 2016-08-12
273
283
 
274
284
  * Add generic warning for CVE-2016-6316
275
285
  * Warn about dangerous use of `content_tag` with CVE-2016-6316
276
286
  * Add warning for CVE-2016-6317
277
287
  * Use Minitest
278
288
 
279
- # 3.3.3
289
+ # 3.3.3 - 2016-07-21
280
290
 
281
291
  * Show path when no Rails app found (Neil Matatall)
282
292
  * Index calls in view helpers
@@ -289,11 +299,11 @@
289
299
  * Sexp#value returns nil when there is no value
290
300
  * Improve return value estimation
291
301
 
292
- # 3.3.2
302
+ # 3.3.2 - 2016-06-10
293
303
 
294
304
  * Fix serious performance regression with global constant tracking
295
305
 
296
- # 3.3.1
306
+ # 3.3.1 - 2016-06-03
297
307
 
298
308
  * Delay loading vendored gems and modifying load path
299
309
  * Avoid warning about SQL injection with `quoted_primary_key`
@@ -304,7 +314,7 @@
304
314
  * Add `--force-scan` option (Neil Matatall)
305
315
  * Improved line number accuracy in ERB templates (Patrick Toomey)
306
316
 
307
- # 3.3.0
317
+ # 3.3.0 - 2016-05-05
308
318
 
309
319
  * Skip processing obviously false if branches (more broadly)
310
320
  * Skip if branches with `Rails.env.test?`
@@ -322,11 +332,11 @@
322
332
  * [Code Climate engine] Remove nil entries from include_paths (Gordon Diggs)
323
333
  * [Code Climate engine] Report end lines for issues (Gordon Diggs)
324
334
 
325
- # 3.2.1
335
+ # 3.2.1 - 2016-02-25
326
336
 
327
337
  * Remove `multi_json` dependency from `bin/brakeman`
328
338
 
329
- # 3.2.0
339
+ # 3.2.0 - 2016-02-25
330
340
 
331
341
  * Skip Symbol DoS check on Rails 5
332
342
  * Only update ignore config file on changes
@@ -340,7 +350,7 @@
340
350
  * Avoid render warnings about params[:action]/params[:controller]
341
351
  * Index calls in class bodies but outside methods
342
352
 
343
- # 3.1.5
353
+ # 3.1.5 - 2016-01-28
344
354
 
345
355
  * Fix CodeClimate construction of --only-files (Will Fleming)
346
356
  * Add check for denial of service via routes (CVE-2015-7581)
@@ -359,7 +369,7 @@
359
369
  * Handle module names with self methods
360
370
  * Add session manipulation documentation
361
371
 
362
- # 3.1.4
372
+ # 3.1.4 - 2015-12-22
363
373
 
364
374
  * Emit brakeman's native fingerprints for Code Climate engine (Noah Davis)
365
375
  * Ignore secrets.yml if in .gitignore
@@ -367,7 +377,7 @@
367
377
  * Increase test coverage for option parsing (Zander Mackie)
368
378
  * Work around safe_yaml error
369
379
 
370
- # 3.1.3
380
+ # 3.1.3 - 2015-12-03
371
381
 
372
382
  * Check for session secret in secrets.yml
373
383
  * Respect `exit_on_warn` in config file
@@ -381,7 +391,7 @@
381
391
  * Depend on safe_yaml 1.0 or later
382
392
  * Test coverage improvements for Brakema module (Bethany Rentz)
383
393
 
384
- # 3.1.2
394
+ # 3.1.2 - 2015-10-28
385
395
 
386
396
  * Treat `current_user` like a model
387
397
  * Set user input value for inline renders
@@ -399,7 +409,7 @@
399
409
  * Sortable tables in HTML report (David Lanner)
400
410
  * Search for config file relative to application root
401
411
 
402
- # 3.1.1
412
+ # 3.1.1 - 2015-09-23
403
413
 
404
414
  * Add optional check for use of MD5 and SHA1
405
415
  * Avoid warning when linking to decorated models
@@ -413,7 +423,7 @@
413
423
  * Support newer terminal-table releases
414
424
  * Allow searching call index methods by regex (Alex Ianus)
415
425
 
416
- # 3.1.0
426
+ # 3.1.0 - 2015-08-31
417
427
 
418
428
  * Add support for gems.rb/gems.locked
419
429
  * Update render path information in JSON reports
@@ -432,18 +442,18 @@
432
442
  * Expand safe methods to match methods with targets
433
443
  * Avoid duplicate eval() warnings
434
444
 
435
- # 3.0.5
445
+ # 3.0.5 - 2015-06-20
436
446
 
437
447
  * Fix check for CVE-2015-3227
438
448
 
439
- # 3.0.4
449
+ # 3.0.4 - 2015-06-18
440
450
 
441
451
  * Add check for CVE-2015-3226 (XSS via JSON keys)
442
452
  * Add check for CVE-2015-3227 (XML DoS)
443
453
  * Treat `<%==` as unescaped output
444
454
  * Update `ruby_parser` dependency to 3.7.0
445
455
 
446
- # 3.0.3
456
+ # 3.0.3 - 2015-04-20
447
457
 
448
458
  * Ignore more Arel methods in SQL
449
459
  * Warn about protect_from_forgery without exceptions (Neil Matatall)
@@ -454,7 +464,7 @@
454
464
  * Do not ignore targets of `to_s` in SQL
455
465
  * Add Rake task to exit with error code on warnings (masarakki)
456
466
 
457
- # 3.0.2
467
+ # 3.0.2 - 2015-03-09
458
468
 
459
469
  * Alias process methods called in class scope on models
460
470
  * Treat primary_key, table_name_prefix, table_name_suffix as safe in SQL
@@ -470,7 +480,7 @@
470
480
  * Fix CSV output when there are no warnings
471
481
  * Handle processing of explicitly shadowed block arguments
472
482
 
473
- # 3.0.1
483
+ # 3.0.1 - 2015-01-23
474
484
 
475
485
  * Avoid protect_from_forgery warning unless ApplicationController inherits from ActionController::Base
476
486
  * Properly format command interpolation (again)
@@ -479,7 +489,7 @@
479
489
  * Add `--add-libs-path` for additional libraries (Patrick Toomey)
480
490
  * Properly process libraries (Patrick Toomey)
481
491
 
482
- # 3.0.0
492
+ # 3.0.0 - 2015-01-03
483
493
 
484
494
  * Add check for CVE-2014-7829
485
495
  * Add check for cross-site scripting via inline renders
@@ -498,7 +508,7 @@
498
508
  * CVEs report correct line and file name (Gemfile/Gemfile.lock) (Rob Fletcher)
499
509
  * Change `--separate-models` to be the default
500
510
 
501
- # 2.6.3
511
+ # 2.6.3 - 2014-10-14
502
512
 
503
513
  * Whitelist `exists` arel method from SQL injection check
504
514
  * Avoid warning about Symbol DoS on safe parameters as method targets
@@ -507,7 +517,7 @@
507
517
  * Add framework for optional checks
508
518
  * Fix stack overflow for cycles in class ancestors (Jeff Rafter)
509
519
 
510
- # 2.6.2
520
+ # 2.6.2 - 2014-08-18
511
521
 
512
522
  * Add check for CVE-2014-3415
513
523
  * Avoid warning about symbolizing safe parameters
@@ -521,13 +531,13 @@
521
531
  * Fix block statement endings in Erubis
522
532
  * Fix undefined variable in controller processing error (Jason Barnabe)
523
533
 
524
- # 2.6.1
534
+ # 2.6.1 - 2014-07-02
525
535
 
526
536
  * Add check for CVE-2014-3482 and CVE-2014-3483
527
537
  * Add support for keyword arguments in blocks
528
538
  * Remove unused warning codes (Bill Fischer)
529
539
 
530
- # 2.6.0
540
+ # 2.6.0 - 2014-06-06
531
541
 
532
542
  * Fix detection of `:host` setting in redirects with chained calls
533
543
  * Add check for CVE-2014-0130
@@ -541,7 +551,7 @@
541
551
  * Ignore more model methods in redirects
542
552
  * Fix CheckRender with nested render calls
543
553
 
544
- # 2.5.0
554
+ # 2.5.0 - 2014-04-30
545
555
 
546
556
  * Add support for RailsLTS 2.3.18.7 and 2.3.18.8
547
557
  * Add support for Rails 4 `before_actions` and friends
@@ -556,11 +566,11 @@
556
566
  * Handle more non-literals in routes
557
567
  * Add check for regex denial of service (Ben Toews)
558
568
 
559
- # 2.4.3
569
+ # 2.4.3 - 2014-03-23
560
570
 
561
571
  No changes. 2.4.2 gem release was unsigned, 2.4.3 is signed.
562
572
 
563
- # 2.4.2
573
+ # 2.4.2 - 2014-03-21
564
574
 
565
575
  * Remove `rescue Exception`
566
576
  * Fix duplicate warnings about sanitize CVE
@@ -569,13 +579,13 @@
569
579
  * Skip identically rendered templates
570
580
  * Fix HAML template processing
571
581
 
572
- # 2.4.1
582
+ # 2.4.1 - 2014-02-19
573
583
 
574
584
  * Add check for CVE-2014-0082
575
585
  * Add check for CVE-2014-0081, replaces CVE-2013-6415
576
586
  * Add check for CVE-2014-0080
577
587
 
578
- # 2.4.0
588
+ # 2.4.0 - 2014-02-05
579
589
 
580
590
  * Detect Rails LTS versions
581
591
  * Reduce false positives for SQL injection in string building
@@ -590,12 +600,12 @@
590
600
  * No longer raise exceptions if a class name cannot be determined
591
601
  * Fingerprint attribute warnings individually (Case Taintor)
592
602
 
593
- # 2.3.1
603
+ # 2.3.1 - 2013-12-13
594
604
 
595
605
  * Fix check for CVE-2013-4491 (i18n XSS) to detect workaround
596
606
  * Fix link for CVE-2013-6415 (number_to_currency)
597
607
 
598
- # 2.3.0
608
+ # 2.3.0 - 2013-12-12
599
609
 
600
610
  * Add check for Parameters#permit!
601
611
  * Add check for CVE-2013-4491 (i18n XSS)
@@ -609,7 +619,7 @@
609
619
  * Whitelist `Model#create` for redirects
610
620
  * Fix scoping issues with instance variables and blocks
611
621
 
612
- # 2.2.0
622
+ # 2.2.0 - 2013-10-28
613
623
 
614
624
  * Reduce command injection false positives
615
625
  * Use Rails version from Gemfile if it is available
@@ -618,14 +628,14 @@
618
628
  * Support scanning Rails engines (Geoffrey Hichborn)
619
629
  * Add check for detailed exceptions in production
620
630
 
621
- # 2.1.2
631
+ # 2.1.2 - 2013-09-18
622
632
 
623
633
  * Do not attempt to load custom Haml filters
624
634
  * Do not warn about `to_json` XSS in Rails 4
625
635
  * Add --table-width option to set width of text reports (ssendev)
626
636
  * Remove fuzzy matching on dangerous attr_accessible values
627
637
 
628
- # 2.1.1
638
+ # 2.1.1 - 2013-08-21
629
639
 
630
640
  * New warning code for dangerous attributes in attr_accessible
631
641
  * Do not warn on attr_accessible using roles
@@ -636,7 +646,7 @@
636
646
  * Fix infinite loop when run as rake task (Matthew Shanley)
637
647
  * Respect ignored warnings in tabs format reports
638
648
 
639
- # 2.1.0
649
+ # 2.1.0 - 2013-07-17
640
650
 
641
651
  * Support non-native line endings in Gemfile.lock (Paul Deardorff)
642
652
  * Support for ignoring warnings
@@ -656,7 +666,7 @@
656
666
  * Fix output format detection to be more strict again
657
667
  * Allow empty Brakeman configuration file
658
668
 
659
- # 2.0.0
669
+ # 2.0.0 - 2013-05-20
660
670
 
661
671
  * Add `--only-files` option to specify files/paths to scan (Ian Ehlert)
662
672
  * Add Marshal/CSV deserialization check
@@ -686,7 +696,7 @@
686
696
  * Use exceptions instead of abort in brakeman lib
687
697
  * Update to Ruby2Ruby 2.0.5
688
698
 
689
- # 1.9.5
699
+ # 1.9.5 - 2013-04-05
690
700
 
691
701
  * Add check for unsafe symbol creation
692
702
  * Do not warn on mass assignment with `slice`/`only`
@@ -701,7 +711,7 @@
701
711
  * More fixes for assignments inside branches
702
712
  * Pin to ruby2ruby version 2.0.3
703
713
 
704
- # 1.9.4
714
+ # 1.9.4 - 2013-03-19
705
715
 
706
716
  * Add check for CVE-2013-1854
707
717
  * Add check for CVE-2013-1855
@@ -713,7 +723,7 @@
713
723
  * Slightly faster cloning of Sexps
714
724
  * Detect another way to add `strong_parameters`
715
725
 
716
- # 1.9.3
726
+ # 1.9.3 - 2013-03-01
717
727
 
718
728
  * Add render path to JSON report
719
729
  * Add warning fingerprints
@@ -728,7 +738,7 @@
728
738
  * Expand HAML dependency to include 4.0
729
739
  * Scroll errors into view when expanding in HTML report
730
740
 
731
- # 1.9.2
741
+ # 1.9.2 - 2013-02-14
732
742
 
733
743
  * Add check for CVE-2013-0269
734
744
  * Add check for CVE-2013-0276
@@ -739,7 +749,7 @@
739
749
  * Check for more dangerous YAML methods
740
750
  * Support MultiJSON 1.2 for Rails 3.0 and 3.1
741
751
 
742
- # 1.9.1
752
+ # 1.9.1 - 2013-01-19
743
753
 
744
754
  * Update to RubyParser 3.1.1 (neersighted)
745
755
  * Remove ActiveSupport dependency (Neil Matatall)
@@ -751,7 +761,7 @@
751
761
  * Add check for CVE-2013-0156
752
762
  * Add check for unsafe `YAML.load`
753
763
 
754
- # 1.9.0
764
+ # 1.9.0 - 2012-12-25
755
765
 
756
766
  * Update to RubyParser 3
757
767
  * Ignore route information by default
@@ -771,7 +781,7 @@
771
781
  * Handle empty model files
772
782
  * Remove "find by regex" feature from `CallIndex`
773
783
 
774
- # 1.8.3
784
+ # 1.8.3 - 2012-11-13
775
785
 
776
786
  * Use `multi_json` gem for better harmony
777
787
  * Performance improvement for call indexing
@@ -787,7 +797,7 @@
787
797
  * Fix error in rescan of mixins with symbols in method name
788
798
  * Do not rescan non-Ruby files in config/
789
799
 
790
- # 1.8.2
800
+ # 1.8.2 - 2012-10-17
791
801
 
792
802
  * Fixed rescanning problems caused by 1.8.0 changes
793
803
  * Fix scope calls with single argument
@@ -796,7 +806,7 @@
796
806
  * Much improved test coverage
797
807
  * Add CHANGES to gemspec
798
808
 
799
- # 1.8.1
809
+ # 1.8.1 - 2012-09-24
800
810
 
801
811
  * Recover from errors in output formatting
802
812
  * Fix false positive in redirect_to (Neil Matatall)
@@ -808,7 +818,7 @@
808
818
  * Handle super calls with blocks
809
819
  * Respect `-q` flag for "Rails 3 detected" message
810
820
 
811
- # 1.8.0
821
+ # 1.8.0 - 2012-09-05
812
822
 
813
823
  * Support relative paths in reports (fsword)
814
824
  * Allow Brakeman to be run without tty (fsword)
@@ -824,7 +834,7 @@
824
834
  * Treat model attributes in `or` expressions as immediate values
825
835
  * Switch to method access for Sexp nodes
826
836
 
827
- # 1.7.1
837
+ # 1.7.1 - 2012-08-13
828
838
 
829
839
  * Add check for CVE-2012-3463
830
840
  * Add check for CVE-2012-3464
@@ -832,7 +842,7 @@
832
842
  * Add charset to HTML report (hooopo)
833
843
  * Report XSS in select() for Rails 2
834
844
 
835
- # 1.7.0
845
+ # 1.7.0 - 2012-07-31
836
846
 
837
847
  * Add check for CVE-2012-3424
838
848
  * Link report types to descriptions on website
@@ -847,7 +857,7 @@
847
857
  * Fix processing of negative array indexes
848
858
  * Add line breaks to truncated table rows
849
859
 
850
- # 1.6.2
860
+ # 1.6.2 - 2012-06-13
851
861
 
852
862
  * Add checks for CVE-2012-2660, CVE-2012-2661, CVE-2012-2694, CVE-2012-2695 (Dave Worth)
853
863
  * Avoid warning when redirecting to a model instance
@@ -859,7 +869,7 @@
859
869
  * Cache before_filter lookups
860
870
  * Turn off quiet mode by default for `--compare`
861
871
 
862
- # 1.6.1
872
+ # 1.6.1 - 2012-05-23
863
873
 
864
874
  * Major rewrite of CheckSQL
865
875
  * Fix rescanning of deleted templates
@@ -869,7 +879,7 @@
869
879
  * Fix highlighting of HTML escaped values in HTML report
870
880
  * Report line number of highlighted value, if available
871
881
 
872
- # 1.6.0
882
+ # 1.6.0 - 2012-04-20
873
883
 
874
884
  * Remove the Ruport dependency (Neil Matatall)
875
885
  * Add more informational JSON output (Neil Matatall)
@@ -881,7 +891,7 @@
881
891
  * Fix rescanning of deleted files
882
892
  * Properly check for rails_xss in Gemfile
883
893
 
884
- # 1.5.3
894
+ # 1.5.3 - 2012-04-10
885
895
 
886
896
  * Add check for user input in Object#send (Neil Matatall)
887
897
  * Handle render :layout in views
@@ -895,7 +905,7 @@
895
905
  * Improve handling of modules and nesting
896
906
  * Test for zero errors in test reports
897
907
 
898
- # 1.5.2
908
+ # 1.5.2 - 2012-03-22
899
909
 
900
910
  * Fix link_to checks for Rails 2.0 and 2.3
901
911
  * Fix rescanning of lib files (Neil Matatall)
@@ -906,7 +916,7 @@
906
916
  * Fix handling of views when using rails_xss
907
917
  * Revert to ruby_parser 2.3.1 for Ruby 1.8 parsing
908
918
 
909
- # 1.5.1
919
+ # 1.5.1- 2012-03-06
910
920
 
911
921
  * Fix detection of global mass assignment setting
912
922
  * Fix partial rendering in Rails 3
@@ -916,7 +926,7 @@
916
926
  * Add tracking of module and class to Brakeman::BaseProcessor
917
927
  * Report module when using Brakeman::FindCall
918
928
 
919
- # 1.5.0
929
+ # 1.5.0 - 2012-03-02
920
930
 
921
931
  * Add version check for SafeBuffer vulnerability
922
932
  * Add check for select vulnerability in Rails 3
@@ -927,7 +937,7 @@
927
937
  * Standardize methods to check for SQL injection
928
938
  * Fix Rails 2 route parsing issue with nested routes
929
939
 
930
- # 1.4.0
940
+ # 1.4.0 - 2012-02-24
931
941
 
932
942
  * Add check for user input in link_to href parameter
933
943
  * Match ERB processing to rails_xss plugin when plugin used
@@ -935,7 +945,7 @@
935
945
  * Warnings below minimum confidence are dropped completely
936
946
  * Brakeman.run always returns a Tracker
937
947
 
938
- # 1.3.0
948
+ # 1.3.0 - 2012-02-09
939
949
 
940
950
  * Add file paths to HTML report
941
951
  * Add caching of filters
@@ -948,7 +958,7 @@
948
958
  * Better variable substitution
949
959
  * Table output option for rescan reports
950
960
 
951
- # 1.2.2
961
+ # 1.2.2 - 2012-01-26
952
962
 
953
963
  * --no-progress works again
954
964
  * Make CheckLinkTo a separate check
@@ -956,7 +966,7 @@
956
966
  * Handle empty resource(s) blocks
957
967
  * Add RescanReport#existing_warnings
958
968
 
959
- ## 1.2.1
969
+ ## 1.2.1 - 2012-01-20
960
970
 
961
971
  * Remove link_to warning for Rails 3.x or when using rails_xss
962
972
  * Don't warn if first argument to link_to is escaped
@@ -968,7 +978,7 @@
968
978
  * Add Brakeman::RescanReport#to_s
969
979
  * Add Brakeman::Warning#to_s
970
980
 
971
- ## 1.2.0
981
+ ## 1.2.0 - 2012-01-14
972
982
 
973
983
  * Speed improvements for CheckExecute and CheckRender
974
984
  * Check named_scope() and scope() for SQL injection
@@ -977,7 +987,7 @@
977
987
  * Add --summary option to only output summary
978
988
  * Fix a problem with Rails 3 routes
979
989
 
980
- ## 1.1.0
990
+ ## 1.1.0 - 2011-12-22
981
991
 
982
992
  * Relax required versions for dependencies
983
993
  * Performance improvements for source processing
@@ -987,14 +997,14 @@
987
997
  * Compatibility with newer Haml versions
988
998
  * Fix some warnings
989
999
 
990
- ## 1.0.0
1000
+ ## 1.0.0 - 2011-12-08
991
1001
 
992
1002
  * Better handling of assignments inside ifs
993
1003
  * Check more expressions for SQL injection
994
1004
  * Use latest ruby_parser for better 1.9 syntax support
995
1005
  * Better behavior for Brakeman as a library
996
1006
 
997
- ## 1.0.0rc1
1007
+ ## 1.0.0rc1 - 2011-12-06
998
1008
 
999
1009
  * Brakeman can now be used as a library
1000
1010
  * Faster call search
@@ -1007,23 +1017,23 @@
1007
1017
  * Ignore mass assignment using all literal arguments
1008
1018
  * Keep expanded context in view with HTML output
1009
1019
 
1010
- ## 0.9.2
1020
+ ## 0.9.2 - 2011-11-22
1011
1021
 
1012
1022
  * Fix Rails 3 configuration parsing
1013
1023
  * Add t() helper to check for translate XSS bug
1014
1024
 
1015
- ## 0.9.1
1025
+ ## 0.9.1 - 2011-11-18
1016
1026
 
1017
1027
  * Add warning for translator helper XSS vulnerability
1018
1028
 
1019
- ## 0.9.0
1029
+ ## 0.9.0 - 2011-11-17
1020
1030
 
1021
1031
  * Process Rails 3 configuration files
1022
1032
  * Fix CSV output
1023
1033
  * Check for config.active_record.whitelist_attributes = true
1024
1034
  * Always produce a warning for without_protection => true
1025
1035
 
1026
- ## 0.8.4
1036
+ ## 0.8.4 - 2011-11-04
1027
1037
 
1028
1038
  * Option for separate attr_accessible warnings
1029
1039
  * Option to set CSS file for HTML output
@@ -1032,23 +1042,23 @@
1032
1042
  * Fix hash_insert()
1033
1043
  * Remove use of Queue from threaded checks
1034
1044
 
1035
- ## 0.8.3
1045
+ ## 0.8.3 - 2011-10-25
1036
1046
 
1037
1047
  * Respect -w flag in .tabs format (tw-ngreen)
1038
1048
  * Escape HTML output of error messages
1039
1049
  * Add --skip-libs option
1040
1050
 
1041
- ## 0.8.2
1051
+ ## 0.8.2 - 2011-10-01
1042
1052
 
1043
1053
  * Run checks in parallel threads by default
1044
1054
  * Fix compatibility with ruby_parser 2.3.1
1045
1055
 
1046
- ## 0.8.1
1056
+ ## 0.8.1 - 2011-09-28
1047
1057
 
1048
1058
  * Add option to assume all controller methods are actions
1049
1059
  * Recover from errors when parsing routes
1050
1060
 
1051
- ## 0.8.0
1061
+ ## 0.8.0 - 2011-09-15
1052
1062
 
1053
1063
  * Add check for mass assignment using without_protection
1054
1064
  * Add check for password in http_basic_authenticate_with
@@ -1059,30 +1069,30 @@
1059
1069
  * Add ruby_parser hack for Ruby 1.9 hash syntax
1060
1070
  * Add a few Rails 3.1 tests
1061
1071
 
1062
- ## 0.7.2
1072
+ ## 0.7.2 - 2011-08-27
1063
1073
 
1064
1074
  * Fix handling of params and cookies with nested access
1065
1075
  * Add CVEs for checks added in 0.7.0
1066
1076
 
1067
- ## 0.7.1
1077
+ ## 0.7.1 - 2011-08-18
1068
1078
 
1069
1079
  * Require BaseProcessor for GemProcessor
1070
1080
 
1071
- ## 0.7.0
1081
+ ## 0.7.0 - 2011-08-17
1072
1082
 
1073
1083
  * Allow local variable as a class name
1074
1084
  * Add checks for vulnerabilities fixed in Rails 2.3.14 and 3.0.10
1075
1085
  * Check for default routes in Rails 3 apps
1076
1086
  * Look in Gemfile or Gemfile.lock for Rails version
1077
1087
 
1078
- ## 0.6.1
1088
+ ## 0.6.1 - 2011-07-29
1079
1089
 
1080
1090
  * Fix XSS check for cookies as parameters in output
1081
1091
  * Don't bother calling super in CheckSessionSettings
1082
1092
  * Add escape_once as a safe method
1083
1093
  * Accept '\Z' or '\z' in model validations
1084
1094
 
1085
- ## 0.6.0
1095
+ ## 0.6.0 - 2011-07-20
1086
1096
 
1087
1097
  * Tests are in place and fully functional
1088
1098
  * Hide errors by default in HTML output
@@ -1095,17 +1105,17 @@
1095
1105
  * Fixes to escaped output scanning
1096
1106
  * Update CSRF CVE-2011-0447 message to be less assertive
1097
1107
 
1098
- ## 0.5.2
1108
+ ## 0.5.2 - 2011-06-29
1099
1109
 
1100
1110
  * Output report file name when finished
1101
1111
  * Add initial tests for Rails 2.x
1102
1112
  * Fix ERB line numbers when using Ruby 1.9
1103
1113
 
1104
- ## 0.5.1
1114
+ ## 0.5.1 - 2011-06-17
1105
1115
 
1106
1116
  * Fix issue with 'has_one' => in routes
1107
1117
 
1108
- ## 0.5.0
1118
+ ## 0.5.0 - 2011-06-08
1109
1119
 
1110
1120
  * Add support for routes like get 'x/y', :to => 'ctrlr#whatever'
1111
1121
  * Allow empty blocks in Rails 3 routes
@@ -1113,52 +1123,52 @@
1113
1123
  * Add line numbers to session setting warnings
1114
1124
  * Add --checks option to list checks
1115
1125
 
1116
- ## 0.4.1
1126
+ ## 0.4.1 - 2011-05-23
1117
1127
 
1118
1128
  * Fix reported line numbers when using new Erubis parser
1119
1129
  (Mostly affects Rails 3 apps)
1120
1130
 
1121
- ## 0.4.0
1131
+ ## 0.4.0 - 2011-05-19
1122
1132
 
1123
1133
  * Handle Rails XSS protection properly
1124
1134
  * More detection options for rails_xss
1125
1135
  * Add --escape-html option
1126
1136
 
1127
- ## 0.3.2
1137
+ ## 0.3.2 - 2011-05-12
1128
1138
 
1129
1139
  * Autodetect Rails 3 applications
1130
1140
  * Turn on auto-escaping for Rails 3 apps
1131
1141
  * Check Model.create() for mass assignment
1132
1142
 
1133
- ## 0.3.1
1143
+ ## 0.3.1 - 2011-05-03
1134
1144
 
1135
1145
  * Always output a line number in tabbed output format
1136
1146
  * Restrict characters in category name in tabbed output format to
1137
1147
  word characters and spaces, for Hudson/Jenkins plugin
1138
1148
 
1139
- ## 0.3.0
1149
+ ## 0.3.0 - 2011-03-21
1140
1150
 
1141
1151
  * Check for SQL injection in calls using constantize()
1142
1152
  * Check for SQL injection in calls to count_by_sql()
1143
1153
 
1144
- ## 0.2.2
1154
+ ## 0.2.2 - 2011-02-22
1145
1155
 
1146
1156
  * Fix version_between? when no Rails version is specified
1147
1157
 
1148
- ## 0.2.1
1158
+ ## 0.2.1 - 2011-02-18
1149
1159
 
1150
1160
  * Add code snippet to tab output messages
1151
1161
 
1152
- ## 0.2.0
1162
+ ## 0.2.0 - 2011-02-16
1153
1163
 
1154
1164
  * Add check for mail_to vulnerability - CVE-2011-0446
1155
1165
  * Add check for CSRF weakness - CVE-2011-0447
1156
1166
 
1157
- ## 0.1.1
1167
+ ## 0.1.1 - 2011-01-25
1158
1168
 
1159
1169
  * Be more permissive with ActiveSupport version
1160
1170
 
1161
- ## 0.1.0
1171
+ ## 0.1.0 - 2011-01-18
1162
1172
 
1163
1173
  * Check link_to for XSS (because arguments are not escaped)
1164
1174
  * Process layouts better (although not perfectly yet)
@@ -19,7 +19,11 @@ class Brakeman::CheckReverseTabnabbing < Brakeman::BaseCheck
19
19
  return unless hash? html_opts
20
20
 
21
21
  target = hash_access html_opts, :target
22
- return unless target && string?(target) && target.value == "_blank"
22
+ unless target &&
23
+ (string?(target) && target.value == "_blank" ||
24
+ symbol?(target) && target.value == :_blank)
25
+ return
26
+ end
23
27
 
24
28
  target_url = result[:block] ? result[:call].first_arg : result[:call].second_arg
25
29
 
@@ -19,16 +19,17 @@ module Brakeman
19
19
  end
20
20
  end
21
21
 
22
+ STRING_LENGTH_LIMIT = 50
23
+
22
24
  # Join two string literals into one.
23
25
  def join_strings lhs, rhs, original_exp = nil
24
26
  if string? lhs and string? rhs
25
- result = Sexp.new(:str).line(lhs.line)
26
- result.value = lhs.value + rhs.value
27
-
28
- if result.value.length > 50
27
+ if (lhs.value.length + rhs.value.length > STRING_LENGTH_LIMIT)
29
28
  # Avoid gigantic strings
30
29
  lhs
31
30
  else
31
+ result = Sexp.new(:str).line(lhs.line)
32
+ result.value = lhs.value + rhs.value
32
33
  result
33
34
  end
34
35
  elsif call? lhs and lhs.method == :+ and string? lhs.first_arg and string? rhs
@@ -19,7 +19,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
19
19
  add_chunk generate_controllers if tracker.options[:debug] or tracker.options[:report_routes]
20
20
  add_chunk generate_templates if tracker.options[:debug]
21
21
  add_chunk generate_obsolete
22
- add_chunk generate_errors
22
+ add_chunk generate_errors
23
23
  add_chunk generate_warnings
24
24
  end
25
25
 
@@ -51,7 +51,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
51
51
 
52
52
  def generate_header
53
53
  [
54
- header("Brakeman Report"),
54
+ header("Brakeman Report"),
55
55
  label("Application Path", tracker.app_path),
56
56
  label("Rails Version", rails_version),
57
57
  label("Brakeman Version", Brakeman::Version),
@@ -92,7 +92,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
92
92
  HighLine.color("No warnings found", :bold, :green)
93
93
  else
94
94
  warnings = tracker.filtered_warnings.sort_by do |w|
95
- [w.confidence, w.warning_type, w.fingerprint]
95
+ [w.confidence, w.warning_type, w.file, w.line, w.fingerprint]
96
96
  end.map do |w|
97
97
  output_warning w
98
98
  end
@@ -140,7 +140,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
140
140
  end
141
141
 
142
142
  double_space "Template Output", template_rows.sort_by { |name, value| name.to_s }.map { |template|
143
- [HighLine.new.color(template.first.to_s << "\n", :cyan)] + template[1]
143
+ [HighLine.new.color("#{template.first}\n", :cyan)] + template[1]
144
144
  }.compact
145
145
  end
146
146
 
@@ -211,4 +211,3 @@ class Brakeman::Report::Text < Brakeman::Report::Base
211
211
  double_space "Controller Overview", controllers
212
212
  end
213
213
  end
214
-
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "4.7.0"
2
+ Version = "4.7.1"
3
3
  end
@@ -371,7 +371,12 @@ class Sexp
371
371
  # s(:block, s(:lvar, :y), s(:call, nil, :z, s(:arglist))))
372
372
  def block_call
373
373
  expect :iter
374
- self[1]
374
+
375
+ if self[1].node_type == :lambda
376
+ s(:call, nil, :lambda).line(self.line)
377
+ else
378
+ self[1]
379
+ end
375
380
  end
376
381
 
377
382
  #Returns block of a call with a block.
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: brakeman-lib
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.7.0
4
+ version: 4.7.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
9
9
  bindir: bin
10
10
  cert_chain:
11
11
  - brakeman-public_cert.pem
12
- date: 2019-10-16 00:00:00.000000000 Z
12
+ date: 2019-10-29 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: minitest