brakeman-lib 4.9.0 → 4.9.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGES.md +7 -0
- data/lib/brakeman/checks/check_model_attributes.rb +1 -1
- data/lib/brakeman/checks/check_sql.rb +1 -1
- data/lib/brakeman/processors/lib/call_conversion_helper.rb +1 -1
- data/lib/brakeman/tracker/config.rb +3 -1
- data/lib/brakeman/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: f4533db1d64281404ef6fa22a1b23e8ed35bcb2657aac30585fb38ef44f46ec6
|
|
4
|
+
data.tar.gz: b4d0b3c6c37cd04bd06f368fcd678c52da8809f998a2c5f8127363505022f529
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: bac4dc339c777b879c7ec5e372dd3423c1300802561ad2d6be12ec38185785a93f88c5966d7276d5179f142861ea291c16c772052a07fd6969db6790f788ec72
|
|
7
|
+
data.tar.gz: 602fbe26d2880cc2f5443b7ce555d1f3411dc59902b9b68d87cf35813aa80d3704b685778222f14aa97509247d9be95d80c71ffd649755848618682877a3ab38
|
data/CHANGES.md
CHANGED
|
@@ -1,3 +1,10 @@
|
|
|
1
|
+
# 4.9.1 - 2020-09-04
|
|
2
|
+
|
|
3
|
+
* Check `chomp`ed strings for SQL injection
|
|
4
|
+
* Use version from `active_record` for non-Rails apps (Ulysse Buonomo)
|
|
5
|
+
* Always set line number for joined arrays
|
|
6
|
+
* Avoid warning about missing `attr_accessible` if `protected_attributes` gem is used
|
|
7
|
+
|
|
1
8
|
# 4.9.0 - 2020-08-04
|
|
2
9
|
|
|
3
10
|
* Add check for CVE-2020-8166 (Jamie Finnigan)
|
|
@@ -8,7 +8,7 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
|
|
|
8
8
|
@description = "Reports models which do not use attr_restricted and warns on models that use attr_protected"
|
|
9
9
|
|
|
10
10
|
def run_check
|
|
11
|
-
return if mass_assign_disabled?
|
|
11
|
+
return if mass_assign_disabled? or tracker.config.has_gem?(:protected_attributes)
|
|
12
12
|
|
|
13
13
|
#Roll warnings into one warning for all models
|
|
14
14
|
if tracker.options[:collapse_mass_assignment]
|
|
@@ -393,7 +393,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
393
393
|
nil
|
|
394
394
|
end
|
|
395
395
|
|
|
396
|
-
TO_STRING_METHODS = [:to_s, :squish, :strip, :strip_heredoc]
|
|
396
|
+
TO_STRING_METHODS = [:chomp, :to_s, :squish, :strip, :strip_heredoc]
|
|
397
397
|
|
|
398
398
|
#Returns value if interpolated value is not something safe
|
|
399
399
|
def unsafe_string_interp? exp
|
|
@@ -10,7 +10,7 @@ module Brakeman
|
|
|
10
10
|
def join_arrays lhs, rhs, original_exp = nil
|
|
11
11
|
if array? lhs and array? rhs
|
|
12
12
|
result = Sexp.new(:array)
|
|
13
|
-
result.line(lhs.line || rhs.line)
|
|
13
|
+
result.line(lhs.line || rhs.line || 1)
|
|
14
14
|
result.concat lhs[1..-1]
|
|
15
15
|
result.concat rhs[1..-1]
|
|
16
16
|
result
|
|
@@ -79,7 +79,9 @@ module Brakeman
|
|
|
79
79
|
# Only used by Rails2ConfigProcessor right now
|
|
80
80
|
extract_version(version)
|
|
81
81
|
else
|
|
82
|
-
gem_version(:rails) ||
|
|
82
|
+
gem_version(:rails) ||
|
|
83
|
+
gem_version(:railties) ||
|
|
84
|
+
gem_version(:activerecord)
|
|
83
85
|
end
|
|
84
86
|
|
|
85
87
|
if version
|
data/lib/brakeman/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: brakeman-lib
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.9.
|
|
4
|
+
version: 4.9.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Justin Collins
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-
|
|
11
|
+
date: 2020-09-04 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: minitest
|