brakeman-lib 6.2.1 → 6.2.2

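--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 9b4180d78dba5897e7117534051ba6f4b80a1a8b4d1466fe2b880520649105fa
-data.tar.gz: 3c10945788262ea9242aa0eb0ef00e856a11190d02cca058e0ee13a1fb6f264d
+metadata.gz: 43bb8b6197d17937fa07b7d6b69afaf5a0d4c0fad6332f2126a6f317e5e49262
+data.tar.gz: 29698bd867c9bfd2dc13baf27c463da77132be4f13d93fd1448428977241c9a2
 SHA512:
-metadata.gz: b74abc3a86bf25d76e535586fad633eb36687ce7f4de8b1f466a7f4675a84855787a2a136771d157e916787986a891cf839d7a4df8064ab47d6b1daae7f7227d
-data.tar.gz: 7ad9548050bcfaddd78a9d974ddb97c085558b842093d2cc6cd0171a5404f8c2388c79519f87f9b0121edace58dcd8417a52cb6db31a6d848d990c267f258c61
+metadata.gz: 8513e27561f8608fca48561c64ceaa42bf43042fee54d1b3102f1ad4dc855eb980c5cf963ed7cc48e8056d91b3d168553efab52f86c5064075b53aa49c1278af
+data.tar.gz: da6eef18fb43bfcb014f46e86cbd5df82c97b359f53abf18f263366940f45cb621bc85f1dc4933ac2319c063c963b2469c1eb936d26fec36e351c89577c822d9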
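--- a/data/CHANGES.md
+++ b/data/CHANGES.md
@@ -1,3 +1,9 @@
+# 6.2.2 - 2024-10-15
+
+* Ignore more native gems when building gem
+* Revamp command injection in `pipeline*` calls
+* New end-of-support dates for Rails
+
 # 6.2.1 - 2024-08-22
 
 Just a packaging fix for brakeman.gem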
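--- a/data/README.md
+++ b/data/README.md
@@ -2,7 +2,6 @@
 
 [![Build Status](https://circleci.com/gh/presidentbeef/brakeman.svg?style=svg)](https://circleci.com/gh/presidentbeef/brakeman)
 [![Test Coverage](https://api.codeclimate.com/v1/badges/1b08a5c74695cb0d11ec/test_coverage)](https://codeclimate.com/github/presidentbeef/brakeman/test_coverage)
-[![Gitter](https://badges.gitter.im/presidentbeef/brakeman.svg)](https://gitter.im/presidentbeef/brakeman)
 
 # Brakeman
 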
@@ -11,6 +11,8 @@ class Brakeman::CheckEOLRails < Brakeman::EOLCheck
11
11
  check_eol_version :rails, RAILS_EOL_DATES
12
12
  end
13
13
 
14
+ # https://rubyonrails.org/maintenance
15
+ # https://endoflife.date/rails
14
16
  RAILS_EOL_DATES = {
15
17
  ['2.0.0', '2.3.99'] => Date.new(2013, 6, 25),
16
18
  ['3.0.0', '3.2.99'] => Date.new(2016, 6, 30),
@@ -19,5 +21,9 @@ class Brakeman::CheckEOLRails < Brakeman::EOLCheck
19
21
  ['5.1.0', '5.1.99'] => Date.new(2019, 8, 25),
20
22
  ['5.2.0', '5.2.99'] => Date.new(2022, 6, 1),
21
23
  ['6.0.0', '6.0.99'] => Date.new(2023, 6, 1),
24
+ ['6.1.0', '6.1.99'] => Date.new(2024, 10, 1),
25
+ ['7.0.0', '7.0.99'] => Date.new(2025, 4, 1),
26
+ ['7.1.0', '7.1.99'] => Date.new(2025, 10, 1),
27
+ ['7.2.0', '7.2.99'] => Date.new(2026, 8, 9),
22
28
  }
23
29
  end
@@ -53,6 +53,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
53
53
  call = result[:call]
54
54
  args = call.arglist
55
55
  first_arg = call.first_arg
56
+ failure = nil
56
57
 
57
58
  case call.method
58
59
  when :popen
@@ -71,6 +72,33 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
71
72
  dangerous_interp?(first_arg[3]) ||
72
73
  dangerous_string_building?(first_arg[3])
73
74
  end
75
+ when :pipeline, :pipline_r, :pipeline_rw, :pipeline_w, :pipeline_start
76
+ # Since these pipeline commands pipe together several commands,
77
+ # need to check each argument. If it's an array, check first argument
78
+ # (the command) and also check for `bash -c`. Otherwise check the argument
79
+ # as a unit.
80
+
81
+ args.each do |arg|
82
+ next unless sexp? arg
83
+
84
+ if array?(arg)
85
+ # Check first element of array
86
+ failure = include_user_input?(arg[1]) ||
87
+ dangerous_interp?(arg[1]) ||
88
+ dangerous_string_building?(arg[1])
89
+
90
+ # Check for ['bash', '-c', user_input]
91
+ if dash_c_shell_command?(arg[1], arg[2])
92
+ failure = include_user_input?(arg[3]) ||
93
+ dangerous_interp?(arg[3]) ||
94
+ dangerous_string_building?(arg[3])
95
+ end
96
+ else
97
+ failure = include_user_input?(arg)
98
+ end
99
+
100
+ break if failure
101
+ end
74
102
  when :system, :exec
75
103
  # Normally, if we're in a `system` or `exec` call, we only are worried
76
104
  # about shell injection when there's a single argument, because comma-
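Review bot: The new `when` branch at the top of this hunk lists `:pipline_r`, a misspelling of `Open3.pipeline_r`, so calls to `pipeline_r` never enter this branch and a command built from user input there goes unreported; the line should read `when :pipeline, :pipeline_r, :pipeline_rw, :pipeline_w, :pipeline_start`. Separately, the `else` branch checks a non-array argument with `include_user_input?(arg)` only, while the array branch also runs `dangerous_interp?` and `dangerous_string_building?` on the command; if a bare string argument is handed to the shell as the comment suggests, `failure = include_user_input?(arg) || dangerous_interp?(arg) || dangerous_string_building?(arg)` would presumably match the array case — worth confirming against the `:system, :exec` branch that follows. The assignments inside `args.each` reach the outer local only because `failure = nil` is declared in the earlier hunk, which is worth keeping in mind if either hunk is reverted alone. The enclosing method starts and ends outside this hunk.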
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "6.2.1"
2
+ Version = "6.2.2"
3
3
  end
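--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-version: 6.2.1
+version: 6.2.2
 platform: ruby
 authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-08-22 00:00:00.000000000 Z
+date: 2024-10-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: csv
@@ -467,7 +467,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.5.11
+rubygems_version: 3.3.27
 signing_key:
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.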