brakeman-lib 5.1.1 → 5.1.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGES.md +9 -1
- data/README.md +1 -1
- data/lib/brakeman/app_tree.rb +1 -1
- data/lib/brakeman/checks/check_json_parsing.rb +1 -1
- data/lib/brakeman/processors/alias_processor.rb +7 -1
- data/lib/brakeman/processors/haml_template_processor.rb +9 -0
- data/lib/brakeman/processors/lib/call_conversion_helper.rb +2 -0
- data/lib/brakeman/processors/model_processor.rb +1 -0
- data/lib/brakeman/report/ignore/config.rb +1 -1
- data/lib/brakeman/report/report_csv.rb +1 -1
- data/lib/brakeman/report/report_sarif.rb +1 -1
- data/lib/brakeman/report/report_text.rb +1 -1
- data/lib/brakeman/scanner.rb +12 -12
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman.rb +2 -2
- data/lib/ruby_parser/bm_sexp.rb +11 -1
- metadata +4 -4
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 650df7997ecbf4c9bf7c1ea47ef851ec2eac1593d0c9fed8197ca5aa78f8fded
|
4
|
+
data.tar.gz: 9582c10b7cd30496793d5d1b3ddbd88fbf610fa834bdab402267c4ad73962622
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: bdcc242df0b6e60ba87e1d4445c56bf7ed6c2c2a0dfdd34904fc41369f9b05ed9e370a1c2cf80a6d45d9b1cedcc1f1e56600b96f47437a9ffb6f343a01c41385
|
7
|
+
data.tar.gz: d623285512f64799f9e230289f6c864bcb937770d781a974c1c4ac224ff1a89ac104fd0fc4fcc98c2b840ea68b5f8ddf1b67781b85cbc7257099995848b8f9ef
|
data/CHANGES.md
CHANGED
@@ -1,3 +1,11 @@
|
|
1
|
+
# 5.1.2 - 2021-10-28
|
2
|
+
|
3
|
+
* Handle cases where enums are not symbols
|
4
|
+
* Support newer Haml with ::Haml::AttributeBuilder.build
|
5
|
+
* Fix issue where the previous output is still visible (Jason Frey)
|
6
|
+
* Fix warning sorting with nil line numbers
|
7
|
+
* Update for latest RubyParser (Ryan Davis)
|
8
|
+
|
1
9
|
# 5.1.1 - 2021-07-19
|
2
10
|
|
3
11
|
* Unrefactor IgnoreConfig's use of `Brakeman::FilePath`
|
@@ -449,7 +457,7 @@
|
|
449
457
|
* Delay loading vendored gems and modifying load path
|
450
458
|
* Avoid warning about SQL injection with `quoted_primary_key`
|
451
459
|
* Support more safe `&.` operations
|
452
|
-
* Allow
|
460
|
+
* Allow multiple line regex in `validates_format_of` (Dmitrij Fedorenko)
|
453
461
|
* Only consider `if` branches in templates
|
454
462
|
* Avoid overwriting instance/class methods with same name (Tim Wade)
|
455
463
|
* Add `--force-scan` option (Neil Matatall)
|
data/README.md
CHANGED
@@ -66,7 +66,7 @@ Outside of Rails root (note that the output file is relative to path/to/rails/ap
|
|
66
66
|
|
67
67
|
Brakeman should work with any version of Rails from 2.3.x to 6.x.
|
68
68
|
|
69
|
-
Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 2.
|
69
|
+
Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 2.4.0 to run.
|
70
70
|
|
71
71
|
# Basic Options
|
72
72
|
|
data/lib/brakeman/app_tree.rb
CHANGED
@@ -28,7 +28,7 @@ module Brakeman
|
|
28
28
|
# Accepts an array of filenames and paths with the following format and
|
29
29
|
# returns a Regexp to match them:
|
30
30
|
# * "path1/file1.rb" - Matches a specific filename in the project directory.
|
31
|
-
# * "path1/" - Matches any path that
|
31
|
+
# * "path1/" - Matches any path that contains "path1" in the project directory.
|
32
32
|
# * "/path1/ - Matches any path that is rooted at "path1" in the project directory.
|
33
33
|
#
|
34
34
|
def self.regex_for_paths(paths)
|
@@ -74,7 +74,7 @@ class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
|
|
74
74
|
warning_type = "Denial of Service"
|
75
75
|
confidence = :medium
|
76
76
|
gem_name = "#{name} gem"
|
77
|
-
message = msg(msg_version(version, gem_name), " has a symbol creation
|
77
|
+
message = msg(msg_version(version, gem_name), " has a symbol creation vulnerability. Upgrade to ")
|
78
78
|
|
79
79
|
if version >= "1.7.0"
|
80
80
|
confidence = :high
|
@@ -324,7 +324,13 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
324
324
|
end
|
325
325
|
when :values_at
|
326
326
|
if node_type? target, :hash
|
327
|
-
|
327
|
+
res = hash_values_at target, exp.args
|
328
|
+
|
329
|
+
# Only convert to array of values if _all_ keys
|
330
|
+
# are present in the hash.
|
331
|
+
unless res.any?(&:nil?)
|
332
|
+
exp = res
|
333
|
+
end
|
328
334
|
end
|
329
335
|
end
|
330
336
|
|
@@ -8,6 +8,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
|
|
8
8
|
HAML_HELPERS2 = s(:colon2, s(:colon3, :Haml), :Helpers)
|
9
9
|
JAVASCRIPT_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Javascript)
|
10
10
|
COFFEE_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Coffee)
|
11
|
+
ATTRIBUTE_BUILDER = s(:colon2, s(:colon3, :Haml), :AttributeBuilder)
|
11
12
|
|
12
13
|
def initialize *args
|
13
14
|
super
|
@@ -133,6 +134,8 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
|
|
133
134
|
|
134
135
|
get_pushed_value(exp.first_arg, default)
|
135
136
|
@javascript = false
|
137
|
+
elsif haml_attribute_builder? exp
|
138
|
+
ignore # probably safe... seems escaped by default?
|
136
139
|
else
|
137
140
|
add_output exp, default
|
138
141
|
end
|
@@ -154,6 +157,12 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
|
|
154
157
|
exp.method == :attributes
|
155
158
|
end
|
156
159
|
|
160
|
+
def haml_attribute_builder? exp
|
161
|
+
call? exp and
|
162
|
+
exp.target == ATTRIBUTE_BUILDER and
|
163
|
+
exp.method == :build
|
164
|
+
end
|
165
|
+
|
157
166
|
def fix_textareas? exp
|
158
167
|
call? exp and
|
159
168
|
exp.target == HAMLOUT and
|
@@ -17,7 +17,7 @@ class Brakeman::Report::CSV < Brakeman::Report::Base
|
|
17
17
|
]
|
18
18
|
|
19
19
|
rows = tracker.filtered_warnings.sort_by do |w|
|
20
|
-
[w.confidence, w.warning_type, w.file, w.line, w.fingerprint]
|
20
|
+
[w.confidence, w.warning_type, w.file, w.line || 0, w.fingerprint]
|
21
21
|
end.map do |warning|
|
22
22
|
generate_row(headers, warning)
|
23
23
|
end
|
@@ -93,7 +93,7 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
|
|
93
93
|
end
|
94
94
|
end
|
95
95
|
|
96
|
-
# Returns a hash of all check descriptions, keyed by check
|
96
|
+
# Returns a hash of all check descriptions, keyed by check name
|
97
97
|
def check_descriptions
|
98
98
|
@check_descriptions ||= Brakeman::Checks.checks.map do |check|
|
99
99
|
[check.name.gsub(/^Check/, ''), check.description]
|
@@ -92,7 +92,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
|
|
92
92
|
HighLine.color("No warnings found", :bold, :green)
|
93
93
|
else
|
94
94
|
warnings = tracker.filtered_warnings.sort_by do |w|
|
95
|
-
[w.confidence, w.warning_type, w.file, w.line, w.fingerprint]
|
95
|
+
[w.confidence, w.warning_type, w.file, w.line || 0, w.fingerprint]
|
96
96
|
end.map do |w|
|
97
97
|
output_warning w
|
98
98
|
end
|
data/lib/brakeman/scanner.rb
CHANGED
@@ -40,32 +40,32 @@ class Brakeman::Scanner
|
|
40
40
|
|
41
41
|
#Process everything in the Rails application
|
42
42
|
def process
|
43
|
-
Brakeman.notify "Processing gems..."
|
43
|
+
Brakeman.notify "Processing gems... "
|
44
44
|
process_gems
|
45
45
|
guess_rails_version
|
46
|
-
Brakeman.notify "Processing configuration..."
|
46
|
+
Brakeman.notify "Processing configuration... "
|
47
47
|
process_config
|
48
|
-
Brakeman.notify "Parsing files..."
|
48
|
+
Brakeman.notify "Parsing files... "
|
49
49
|
parse_files
|
50
|
-
Brakeman.notify "Detecting file types..."
|
50
|
+
Brakeman.notify "Detecting file types... "
|
51
51
|
detect_file_types
|
52
|
-
Brakeman.notify "Processing initializers..."
|
52
|
+
Brakeman.notify "Processing initializers... "
|
53
53
|
process_initializers
|
54
|
-
Brakeman.notify "Processing libs..."
|
54
|
+
Brakeman.notify "Processing libs... "
|
55
55
|
process_libs
|
56
|
-
Brakeman.notify "Processing routes...
|
56
|
+
Brakeman.notify "Processing routes... "
|
57
57
|
process_routes
|
58
|
-
Brakeman.notify "Processing templates...
|
58
|
+
Brakeman.notify "Processing templates... "
|
59
59
|
process_templates
|
60
|
-
Brakeman.notify "Processing data flow in templates..."
|
60
|
+
Brakeman.notify "Processing data flow in templates... "
|
61
61
|
process_template_data_flows
|
62
|
-
Brakeman.notify "Processing models...
|
62
|
+
Brakeman.notify "Processing models... "
|
63
63
|
process_models
|
64
|
-
Brakeman.notify "Processing controllers...
|
64
|
+
Brakeman.notify "Processing controllers... "
|
65
65
|
process_controllers
|
66
66
|
Brakeman.notify "Processing data flow in controllers..."
|
67
67
|
process_controller_data_flows
|
68
|
-
Brakeman.notify "Indexing call sites...
|
68
|
+
Brakeman.notify "Indexing call sites... "
|
69
69
|
index_call_sites
|
70
70
|
tracker
|
71
71
|
end
|
data/lib/brakeman/version.rb
CHANGED
data/lib/brakeman.rb
CHANGED
@@ -394,7 +394,7 @@ module Brakeman
|
|
394
394
|
if options[:parallel_checks]
|
395
395
|
notify "Running checks in parallel..."
|
396
396
|
else
|
397
|
-
notify "
|
397
|
+
notify "Running checks..."
|
398
398
|
end
|
399
399
|
|
400
400
|
tracker.run_checks
|
@@ -479,7 +479,7 @@ module Brakeman
|
|
479
479
|
$stderr.puts message if @debug
|
480
480
|
end
|
481
481
|
|
482
|
-
# Compare JSON
|
482
|
+
# Compare JSON output from a previous scan and return the diff of the two scans
|
483
483
|
def self.compare options
|
484
484
|
require 'json'
|
485
485
|
require 'brakeman/differ'
|
data/lib/ruby_parser/bm_sexp.rb
CHANGED
@@ -544,7 +544,7 @@ class Sexp
|
|
544
544
|
end
|
545
545
|
|
546
546
|
# Number of "statements" in a method.
|
547
|
-
# This is more
|
547
|
+
# This is more efficient than `Sexp#body.length`
|
548
548
|
# because `Sexp#body` creates a new Sexp.
|
549
549
|
def method_length
|
550
550
|
expect :defn, :defs
|
@@ -642,4 +642,14 @@ end
|
|
642
642
|
RUBY
|
643
643
|
end
|
644
644
|
|
645
|
+
class String
|
646
|
+
##
|
647
|
+
# This is a hack used by the lexer to sneak in line numbers at the
|
648
|
+
# identifier level. This should be MUCH smaller than making
|
649
|
+
# process_token return [value, lineno] and modifying EVERYTHING that
|
650
|
+
# reduces tIDENTIFIER.
|
651
|
+
|
652
|
+
attr_accessor :lineno
|
653
|
+
end
|
654
|
+
|
645
655
|
class WrongSexpError < RuntimeError; end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: brakeman-lib
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 5.1.
|
4
|
+
version: 5.1.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Justin Collins
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2021-
|
11
|
+
date: 2021-10-28 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: minitest
|
@@ -86,14 +86,14 @@ dependencies:
|
|
86
86
|
requirements:
|
87
87
|
- - "~>"
|
88
88
|
- !ruby/object:Gem::Version
|
89
|
-
version: '3.
|
89
|
+
version: '3.18'
|
90
90
|
type: :runtime
|
91
91
|
prerelease: false
|
92
92
|
version_requirements: !ruby/object:Gem::Requirement
|
93
93
|
requirements:
|
94
94
|
- - "~>"
|
95
95
|
- !ruby/object:Gem::Version
|
96
|
-
version: '3.
|
96
|
+
version: '3.18'
|
97
97
|
- !ruby/object:Gem::Dependency
|
98
98
|
name: ruby_parser-legacy
|
99
99
|
requirement: !ruby/object:Gem::Requirement
|