brakeman-lib 4.9.0 → 4.9.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGES.md +7 -0
- data/lib/brakeman/checks/check_model_attributes.rb +1 -1
- data/lib/brakeman/checks/check_sql.rb +1 -1
- data/lib/brakeman/processors/lib/call_conversion_helper.rb +1 -1
- data/lib/brakeman/tracker/config.rb +3 -1
- data/lib/brakeman/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: f4533db1d64281404ef6fa22a1b23e8ed35bcb2657aac30585fb38ef44f46ec6
|
|
4
|
+
data.tar.gz: b4d0b3c6c37cd04bd06f368fcd678c52da8809f998a2c5f8127363505022f529
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: bac4dc339c777b879c7ec5e372dd3423c1300802561ad2d6be12ec38185785a93f88c5966d7276d5179f142861ea291c16c772052a07fd6969db6790f788ec72
|
|
7
|
+
data.tar.gz: 602fbe26d2880cc2f5443b7ce555d1f3411dc59902b9b68d87cf35813aa80d3704b685778222f14aa97509247d9be95d80c71ffd649755848618682877a3ab38
|
data/CHANGES.md
CHANGED
|
@@ -1,3 +1,10 @@
|
|
|
1
|
+
# 4.9.1 - 2020-09-04
|
|
2
|
+
|
|
3
|
+
* Check `chomp`ed strings for SQL injection
|
|
4
|
+
* Use version from `active_record` for non-Rails apps (Ulysse Buonomo)
|
|
5
|
+
* Always set line number for joined arrays
|
|
6
|
+
* Avoid warning about missing `attr_accessible` if `protected_attributes` gem is used
|
|
7
|
+
|
|
1
8
|
# 4.9.0 - 2020-08-04
|
|
2
9
|
|
|
3
10
|
* Add check for CVE-2020-8166 (Jamie Finnigan)
|
|
@@ -8,7 +8,7 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
|
|
|
8
8
|
@description = "Reports models which do not use attr_restricted and warns on models that use attr_protected"
|
|
9
9
|
|
|
10
10
|
def run_check
|
|
11
|
-
return if mass_assign_disabled?
|
|
11
|
+
return if mass_assign_disabled? or tracker.config.has_gem?(:protected_attributes)
|
|
12
12
|
|
|
13
13
|
#Roll warnings into one warning for all models
|
|
14
14
|
if tracker.options[:collapse_mass_assignment]
|
|
@@ -393,7 +393,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
393
393
|
nil
|
|
394
394
|
end
|
|
395
395
|
|
|
396
|
-
TO_STRING_METHODS = [:to_s, :squish, :strip, :strip_heredoc]
|
|
396
|
+
TO_STRING_METHODS = [:chomp, :to_s, :squish, :strip, :strip_heredoc]
|
|
397
397
|
|
|
398
398
|
#Returns value if interpolated value is not something safe
|
|
399
399
|
def unsafe_string_interp? exp
|
|
@@ -10,7 +10,7 @@ module Brakeman
|
|
|
10
10
|
def join_arrays lhs, rhs, original_exp = nil
|
|
11
11
|
if array? lhs and array? rhs
|
|
12
12
|
result = Sexp.new(:array)
|
|
13
|
-
result.line(lhs.line || rhs.line)
|
|
13
|
+
result.line(lhs.line || rhs.line || 1)
|
|
14
14
|
result.concat lhs[1..-1]
|
|
15
15
|
result.concat rhs[1..-1]
|
|
16
16
|
result
|
|
@@ -79,7 +79,9 @@ module Brakeman
|
|
|
79
79
|
# Only used by Rails2ConfigProcessor right now
|
|
80
80
|
extract_version(version)
|
|
81
81
|
else
|
|
82
|
-
gem_version(:rails) ||
|
|
82
|
+
gem_version(:rails) ||
|
|
83
|
+
gem_version(:railties) ||
|
|
84
|
+
gem_version(:activerecord)
|
|
83
85
|
end
|
|
84
86
|
|
|
85
87
|
if version
|
data/lib/brakeman/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: brakeman-lib
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.9.
|
|
4
|
+
version: 4.9.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Justin Collins
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-
|
|
11
|
+
date: 2020-09-04 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: minitest
|