brakeman-lib 5.2.1 → 5.2.2
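--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 45b4ed913efc8767851fa736f69591dad0bd6c26eb2b9c6f84e71acef92670ce
+data.tar.gz: b40f9ee9b0dbd2187e071609193b3df891dd6e462bd3de572ce4a335db063185
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 8966515fb503515fb38a7581061a72464b81a6bcf86b99c58711dbbb88b636b87b5e74a09190b53cd7c09ea1674458bfe874698416c4928dbf44eb46bc234221
+data.tar.gz: ca7309e4b30e14213b1e697e33113737ee8c2da1d6997f6e28c0a68df965dcd348c9b7c7a4bbe285e7dc7356b7c6fceb2171b13aae92338d02d4e5ef4992c9a4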
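--- a/data/CHANGES.md
+++ b/data/CHANGES.md
@@ -1,3 +1,11 @@
+# 5.2.2 - 2022-04-06
+
+* Update `ruby_parser` for Ruby 3.1 support (Merek Skubela)
+* Handle `nil` when joining values (Dan Buettner)
+* Update message for unsafe reflection (Pedro Baracho)
+* Add additional String methods for SQL injection check
+* Respect equality in `if` conditions
+
 # 5.2.1 - 2022-01-30
 
 * Add warning codes for EOL software warnings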
@@ -405,7 +405,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
405
405
|
nil
|
406
406
|
end
|
407
407
|
|
408
|
-
TO_STRING_METHODS = [:chomp, :
|
408
|
+
TO_STRING_METHODS = [:chomp, :chop, :lstrip, :rstrip, :scrub, :squish, :strip,
|
409
|
+
:strip_heredoc, :to_s, :tr]
|
409
410
|
|
410
411
|
#Returns value if interpolated value is not something safe
|
411
412
|
def unsafe_string_interp? exp
|
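Review bot: `TO_STRING_METHODS` at the new lines 408-409 is a mutable constant that is presumably used as a lookup list in `unsafe_string_interp?` below; freeze it so nothing can append to it at runtime: `TO_STRING_METHODS = [:chomp, :chop, :lstrip, :rstrip, :scrub, :squish, :strip,` / `:strip_heredoc, :to_s, :tr].freeze`. A comment stating why these methods belong together would help whoever extends the list next, e.g. `# String methods whose result still carries the receiver's content, so interpolating x.strip is as unsafe as interpolating x`. The old line 408 is truncated on this page, so I cannot tell which entries are new; the changelog entry "Add additional String methods for SQL injection check" is the only description. `unsafe_string_interp?` starts at the hunk's last line and continues outside it.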
@@ -744,6 +745,6 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
744
745
|
date_target? exp.target
|
745
746
|
else
|
746
747
|
false
|
747
|
-
end
|
748
|
+
end
|
748
749
|
end
|
749
750
|
end
|
@@ -20,7 +20,7 @@ class Brakeman::CheckUnsafeReflection < Brakeman::BaseCheck
|
|
20
20
|
def check_unsafe_reflection result
|
21
21
|
return unless original? result
|
22
22
|
|
23
|
-
call = result[:call]
|
23
|
+
call = result[:call]
|
24
24
|
method = call.method
|
25
25
|
|
26
26
|
case method
|
@@ -37,7 +37,12 @@ class Brakeman::CheckUnsafeReflection < Brakeman::BaseCheck
|
|
37
37
|
end
|
38
38
|
|
39
39
|
if confidence
|
40
|
-
|
40
|
+
case method
|
41
|
+
when :constantize, :safe_constantize
|
42
|
+
message = msg("Unsafe reflection method ", msg_code(method), " called on ", msg_input(input))
|
43
|
+
else
|
44
|
+
message = msg("Unsafe reflection method ", msg_code(method), " called with ", msg_input(input))
|
45
|
+
end
|
41
46
|
|
42
47
|
warn :result => result,
|
43
48
|
:warning_type => "Remote Code Execution",
|
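Review bot: The two branches of the new `case method` at lines 40-45 build the same message and differ only in the preposition, so the duplication can be folded into one call: `preposition = [:constantize, :safe_constantize].include?(method) ? " called on " : " called with "` followed by `message = msg("Unsafe reflection method ", msg_code(method), preposition, msg_input(input))`. The outer `case method` at line 26 already dispatches on the same method names, so the two `when` lists must be kept in step whenever a reflection method is added or removed. `check_unsafe_reflection` starts at line 20 in the previous hunk and ends after this one, and `input` is assigned outside the visible lines.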
@@ -404,7 +404,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
404
404
|
end
|
405
405
|
|
406
406
|
def join_item item, join_value
|
407
|
-
if item.is_a?
|
407
|
+
if item.nil? || item.is_a?(String)
|
408
408
|
"#{item}#{join_value}"
|
409
409
|
elsif string? item or symbol? item or number? item
|
410
410
|
s(:str, "#{item.value}#{join_value}").line(item.line)
|
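Review bot: The new condition on line 407 makes a `nil` item join as an empty string, since `"#{nil}"` is `""`; if `join_item` models `Array#join` that is the right result (Ruby also renders nil elements as empty), and a comment saying so would keep a later reader from treating it as a silently dropped value, e.g. `# nil joins as "", matching Array#join`. The line uses `||` while the `elsif` on line 409 of the same method uses `or`; one form per method reads better. `join_item` continues past the end of the hunk.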
@@ -864,6 +864,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
864
864
|
elsif false? condition
|
865
865
|
no_branch = true
|
866
866
|
exps = [nil, exp.else_clause]
|
867
|
+
elsif equality_check? condition and condition.target == condition.first_arg
|
868
|
+
no_branch = true
|
869
|
+
exps = [exp.then_clause, nil]
|
867
870
|
else
|
868
871
|
no_branch = false
|
869
872
|
exps = [exp.then_clause, exp.else_clause]
|
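Review bot: The new `elsif` at line 867 treats a condition whose two sides are structurally equal Sexps as always true and drops the else branch, and that assumption deserves a comment, e.g. `# x == x (both sides the same Sexp): only the then branch can run`. Structural equality also matches two identical method calls (`foo == foo`), whose result Ruby does not guarantee; as a static approximation that seems acceptable, but the comment should say that it is one. The surrounding `if`/`elsif` chain and its method begin outside the hunk, and `equality_check?` is defined in a later hunk of this commit.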
@@ -897,6 +900,14 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
897
900
|
env.current[var] = safe_literal(var.line)
|
898
901
|
exp[branch_index] = process_if_branch branch
|
899
902
|
env.current[var] = previous_value
|
903
|
+
elsif i == 0 and equality_check? condition
|
904
|
+
# For conditions like a == b,
|
905
|
+
# set a to b inside the true branch
|
906
|
+
var = condition.target
|
907
|
+
previous_value = env.current[var]
|
908
|
+
env.current[var] = condition.first_arg
|
909
|
+
exp[branch_index] = process_if_branch branch
|
910
|
+
env.current[var] = previous_value
|
900
911
|
elsif i == 1 and hash_or_array_include_all_literals? condition and early_return? branch
|
901
912
|
var = condition.first_arg
|
902
913
|
env.current[var] = safe_literal(var.line)
|
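Review bot: The new branch at lines 903-910 always binds `condition.target`, so a literal on the left (`"admin" == params[:role]`) binds the literal rather than the variable and the true branch is not narrowed; consider choosing the non-literal side, using the file's `string?`/`symbol?`/`number?` predicates seen in `join_item`, before assigning `var`. The `x == x` case from the earlier hunk (line 867) also reaches here with `i == 0` and binds `x` to itself, which looks harmless but could be skipped with `unless var == condition.first_arg`. The save/set/process/restore sequence at 906-910 repeats the one at 900-902 just above; a small helper taking the variable and value and yielding would remove the duplication. The enclosing loop and method begin and end outside the hunk.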
@@ -931,6 +942,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
931
942
|
end
|
932
943
|
end
|
933
944
|
|
945
|
+
def equality_check? exp
|
946
|
+
call? exp and
|
947
|
+
exp.method == :==
|
948
|
+
end
|
949
|
+
|
934
950
|
def simple_when? exp
|
935
951
|
node_type? exp[1], :array and
|
936
952
|
not node_type? exp[1][1], :splat, :array and
|
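Review bot: `equality_check?` at the new lines 945-948 recognises only a literal `==` call; `!=`, `eql?`, `equal?` and `===` fall through, and the `if`-processing branches in the two earlier hunks then assume `exp.target` and `exp.first_arg` are both present. A one-line comment above the method would make that contract explicit, e.g. `# True for calls of the form a == b; other comparisons (!=, eql?, equal?, ===) are not treated as equality`. The `simple_when?` method that follows begins inside this hunk and continues past it.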
data/lib/brakeman/version.rb
CHANGED
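--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-version: 5.2.
+version: 5.2.2
 platform: ruby
 authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-
+date: 2022-04-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: minitest
@@ -86,14 +86,14 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '3.
+version: '3.19'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '3.
+version: '3.19'
 - !ruby/object:Gem::Dependency
 name: ruby_parser-legacy
 requirement: !ruby/object:Gem::Requirement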