brakeman-lib 5.4.1 → 6.0.0
- checksums.yaml +4 -4
- data/CHANGES.md +10 -0
- data/README.md +2 -2
- data/lib/brakeman/app_tree.rb +0 -1
- data/lib/brakeman/checks/check_content_tag.rb +8 -5
- data/lib/brakeman/checks/check_eol_ruby.rb +3 -1
- data/lib/brakeman/report/report_github.rb +1 -1
- data/lib/brakeman/scanner.rb +0 -1
- data/lib/brakeman/tracker/config.rb +1 -3
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman.rb +6 -2
- metadata +3 -17
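--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: baf72edb48740cecdeb55594386bfa2fd6284a498d1ab7991d24bf30715f424f
+data.tar.gz: 2510eda8d6bc947676d872f3980492c21d227679ae2761a5847ce782f538f628
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 5a7739712e782e33cbfe5de51fa2e8c2f53e2366983e113c64c0acdc820a5b04034fc9917da0ce999503fdc897e30218860d4534bbc41b164892629bdfbdac31
+data.tar.gz: d9b526f6c7289543c1c0429722e4b99c276fe4ce145ce7ab4bcfadfec9455dba0fe9e3c0aeceab00d8ba790e0f4076a9459c574a138476eb9b344e3cb3ea6e9a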
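--- a/data/CHANGES.md
+++ b/data/CHANGES.md
@@ -1,3 +1,13 @@
+# 6.0.0 - 2023-05-24
+
+* Add obsolete fingerprints to comparison report
+* Warn about missing CSRF protection when defaults are not loaded (Chris Kruger)
+* Scan directories that include the word `public`
+* Raise minimum Ruby version to 3.0
+* Drop support for Ruby 1.8/1.9 syntax
+* Fix end-of-life dates for Ruby
+* Fix false positive with `content_tag` in newer Rails
+
 # 5.4.1 - 2023-02-21
 
 * Fix file/line location for EOL software warnings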
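--- a/data/README.md
+++ b/data/README.md
@@ -66,7 +66,7 @@ Outside of Rails root (note that the output file is relative to path/to/rails/ap
 
 Brakeman should work with any version of Rails from 2.3.x to 7.x.
 
-Brakeman can analyze code written with Ruby
+Brakeman can analyze code written with Ruby 2.0 syntax and newer, but requires at least Ruby 3.0.0 to run.
 
 # Basic Options
 
@@ -182,7 +182,7 @@ There is a [plugin available](http://brakemanscanner.org/docs/jenkins/) for Jenk
 
 For even more continuous testing, try the [Guard plugin](https://github.com/guard/guard-brakeman).
 
-There are a couple [
+There are a couple [GitHub Actions](https://github.com/marketplace?type=actions&query=brakeman) available.
 
 # Building
 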
data/lib/brakeman/app_tree.rb
CHANGED
@@ -73,11 +73,14 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
|
|
73
73
|
check_argument result, content
|
74
74
|
end
|
75
75
|
|
76
|
-
#
|
77
|
-
if
|
78
|
-
|
79
|
-
|
80
|
-
|
76
|
+
# This changed in Rails 6.1.6
|
77
|
+
if version_between? '0.0.0', '6.1.5'
|
78
|
+
#Attribute keys are never escaped, so check them for user input
|
79
|
+
if not @matched and hash? attributes and not request_value? attributes
|
80
|
+
hash_iterate(attributes) do |k, _v|
|
81
|
+
check_argument result, k
|
82
|
+
return if @matched
|
83
|
+
end
|
81
84
|
end
|
82
85
|
end
|
83
86
|
|
@@ -21,6 +21,8 @@ class Brakeman::CheckEOLRuby < Brakeman::EOLCheck
|
|
21
21
|
['2.5.0', '2.5.99'] => Date.new(2021, 3, 31),
|
22
22
|
['2.6.0', '2.6.99'] => Date.new(2022, 3, 31),
|
23
23
|
['2.7.0', '2.7.99'] => Date.new(2023, 3, 31),
|
24
|
-
['3.0.0', '
|
24
|
+
['3.0.0', '3.0.99'] => Date.new(2024, 3, 31),
|
25
|
+
['3.1.0', '3.1.99'] => Date.new(2025, 3, 31),
|
26
|
+
['3.2.0', '3.2.99'] => Date.new(2026, 3, 31),
|
25
27
|
}
|
26
28
|
end
|
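Review bot: The new `if version_between? '0.0.0', '6.1.5'` guard makes the attribute-key check depend on a detected Rails version; if `version_between?` answers false when no version is known (its behaviour elsewhere in Brakeman suggests so, not visible here), an app whose Rails version cannot be determined silently loses this XSS check rather than falling back to the conservative pre-6.1.6 path. Consider keeping the check for the unknown case, e.g. `if tracker.config.rails_version.nil? or version_between? '0.0.0', '6.1.5'`, and make the comment say what changed rather than just when: `# Rails 6.1.6+ escapes attribute names in tag helpers; earlier versions emit them raw, so check keys for user input` (assuming that is indeed the upstream change). Note that this hunk appears under the `app_tree.rb` header although its `@@` context names `Brakeman::CheckContentTag`, matching the diffstat entry for `check_content_tag.rb`. The enclosing method begins before the hunk.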
data/lib/brakeman/scanner.rb
CHANGED
@@ -20,9 +20,7 @@ module Brakeman
|
|
20
20
|
|
21
21
|
def default_protect_from_forgery?
|
22
22
|
if version_between? "5.2.0.beta1", "9.9.9"
|
23
|
-
if @rails.dig(:action_controller, :default_protect_from_forgery) == Sexp.new(:
|
24
|
-
return false
|
25
|
-
else
|
23
|
+
if @rails.dig(:action_controller, :default_protect_from_forgery) == Sexp.new(:true)
|
26
24
|
return true
|
27
25
|
end
|
28
26
|
end
|
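Review bot: With the `else` branch removed, `default_protect_from_forgery?` now reports protection only when the config value is literally `Sexp.new(:true)`, and the fall-through result lies outside the hunk. Anything that enables the default implicitly — `config.load_defaults 5.2` and later — must therefore already be folded into `@rails[:action_controller][:default_protect_from_forgery]` by the config loader, otherwise every app relying on `load_defaults` gets a spurious CSRF warning; that mapping is not visible here, so it deserves a test case alongside this change. A one-line comment would pin the intent: `# Only an explicit (or load_defaults-derived) true counts; absent or non-literal values fall through as unprotected`. This hunk is shown under a `scanner.rb` header while the diffstat attributes the change to `tracker/config.rb`; the method ends after the hunk.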
data/lib/brakeman/version.rb
CHANGED
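--- a/data/lib/brakeman.rb
+++ b/data/lib/brakeman.rb
@@ -493,10 +493,14 @@ module Brakeman
 end
 
 tracker = run(options)
+new_report = JSON.parse(tracker.report.to_json, symbolize_names: true)
 
-new_results =
+new_results = new_report[:warnings]
+obsolete_ignored = tracker.unused_fingerprints
 
-Brakeman::Differ.new(new_results, previous_results).diff
+Brakeman::Differ.new(new_results, previous_results).diff.tap do |diff|
+diff[:obsolete] = obsolete_ignored
+end
 end
 
 def self.load_brakeman_dependency name, allow_fail = false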
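Review bot: The new `new_report` line serialises `tracker.report` to JSON and immediately parses it back with `symbolize_names: true`, which reads as redundant without a comment; presumably it normalises the fresh warnings into the same symbol-keyed plain-hash shape as `previous_results`, which is loaded from a saved report before this hunk, so the differ compares like with like. Suggested comment above that line: `# Round-trip through JSON so the new warnings have exactly the shape of the previously saved report (symbol keys, plain hashes)`. Since `diff[:obsolete]` adds a key to what `compare` returns, its documentation (outside the hunk) should state that `:obsolete` holds ignore-file fingerprints that matched no warning in this run — presumably entries safe to prune. `self.compare` starts before the hunk.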
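--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-version:
+version: 6.0.0
 platform: ruby
 authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-
+date: 2023-05-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: minitest
@@ -94,20 +94,6 @@ dependencies:
 - - "~>"
 - !ruby/object:Gem::Version
 version: '3.19'
-- !ruby/object:Gem::Dependency
-name: ruby_parser-legacy
-requirement: !ruby/object:Gem::Requirement
-requirements:
-- - "~>"
-- !ruby/object:Gem::Version
-version: '1.0'
-type: :runtime
-prerelease: false
-version_requirements: !ruby/object:Gem::Requirement
-requirements:
-- - "~>"
-- !ruby/object:Gem::Version
-version: '1.0'
 - !ruby/object:Gem::Dependency
 name: sexp_processor
 requirement: !ruby/object:Gem::Requirement
@@ -465,7 +451,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.
+rubygems_version: 3.2.3
 signing_key:
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.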