brakeman-lib 6.2.1 → 6.2.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGES.md +6 -0
- data/README.md +0 -1
- data/lib/brakeman/checks/check_eol_rails.rb +6 -0
- data/lib/brakeman/checks/check_execute.rb +28 -0
- data/lib/brakeman/version.rb +1 -1
- metadata +3 -3
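--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 43bb8b6197d17937fa07b7d6b69afaf5a0d4c0fad6332f2126a6f317e5e49262
+data.tar.gz: 29698bd867c9bfd2dc13baf27c463da77132be4f13d93fd1448428977241c9a2
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 8513e27561f8608fca48561c64ceaa42bf43042fee54d1b3102f1ad4dc855eb980c5cf963ed7cc48e8056d91b3d168553efab52f86c5064075b53aa49c1278af
+data.tar.gz: da6eef18fb43bfcb014f46e86cbd5df82c97b359f53abf18f263366940f45cb621bc85f1dc4933ac2319c063c963b2469c1eb936d26fec36e351c89577c822d9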
data/CHANGES.md
CHANGED
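--- a/data/README.md
+++ b/data/README.md
@@ -2,7 +2,6 @@
 
 [](https://circleci.com/gh/presidentbeef/brakeman)
 [](https://codeclimate.com/github/presidentbeef/brakeman/test_coverage)
-[](https://gitter.im/presidentbeef/brakeman)
 
 # Brakeman
 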
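--- a/data/lib/brakeman/checks/check_eol_rails.rb
+++ b/data/lib/brakeman/checks/check_eol_rails.rb
@@ -11,6 +11,8 @@ class Brakeman::CheckEOLRails < Brakeman::EOLCheck
 check_eol_version :rails, RAILS_EOL_DATES
 end
 
+# https://rubyonrails.org/maintenance
+# https://endoflife.date/rails
 RAILS_EOL_DATES = {
 ['2.0.0', '2.3.99'] => Date.new(2013, 6, 25),
 ['3.0.0', '3.2.99'] => Date.new(2016, 6, 30),
@@ -19,5 +21,9 @@ class Brakeman::CheckEOLRails < Brakeman::EOLCheck
 ['5.1.0', '5.1.99'] => Date.new(2019, 8, 25),
 ['5.2.0', '5.2.99'] => Date.new(2022, 6, 1),
 ['6.0.0', '6.0.99'] => Date.new(2023, 6, 1),
+['6.1.0', '6.1.99'] => Date.new(2024, 10, 1),
+['7.0.0', '7.0.99'] => Date.new(2025, 4, 1),
+['7.1.0', '7.1.99'] => Date.new(2025, 10, 1),
+['7.2.0', '7.2.99'] => Date.new(2026, 8, 9),
 }
 end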
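--- a/data/lib/brakeman/checks/check_execute.rb
+++ b/data/lib/brakeman/checks/check_execute.rb
@@ -53,6 +53,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
 call = result[:call]
 args = call.arglist
 first_arg = call.first_arg
+failure = nil
 
 case call.method
 when :popen
@@ -71,6 +72,33 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
 dangerous_interp?(first_arg[3]) ||
 dangerous_string_building?(first_arg[3])
 end
+when :pipeline, :pipline_r, :pipeline_rw, :pipeline_w, :pipeline_start
+# Since these pipeline commands pipe together several commands,
+# need to check each argument. If it's an array, check first argument
+# (the command) and also check for `bash -c`. Otherwise check the argument
+# as a unit.
+
+args.each do |arg|
+next unless sexp? arg
+
+if array?(arg)
+# Check first element of array
+failure = include_user_input?(arg[1]) ||
+dangerous_interp?(arg[1]) ||
+dangerous_string_building?(arg[1])
+
+# Check for ['bash', '-c', user_input]
+if dash_c_shell_command?(arg[1], arg[2])
+failure = include_user_input?(arg[3]) ||
+dangerous_interp?(arg[3]) ||
+dangerous_string_building?(arg[3])
+end
+else
+failure = include_user_input?(arg)
+end
+
+break if failure
+end
 when :system, :exec
 # Normally, if we're in a `system` or `exec` call, we only are worried
 # about shell injection when there's a single argument, because comma-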
data/lib/brakeman/version.rb
CHANGED
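--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-version: 6.2.
+version: 6.2.2
 platform: ruby
 authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-
+date: 2024-10-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: csv
@@ -467,7 +467,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.
+rubygems_version: 3.3.27
 signing_key:
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.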