brakeman-min 3.0.3 → 3.0.4
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/CHANGES +7 -0
- data/README.md +42 -32
- data/lib/brakeman/checks/check_json_encoding.rb +47 -0
- data/lib/brakeman/checks/check_sql.rb +1 -1
- data/lib/brakeman/checks/check_xml_dos.rb +43 -0
- data/lib/brakeman/processors/erubis_template_processor.rb +5 -0
- data/lib/brakeman/processors/lib/find_all_calls.rb +2 -0
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning_codes.rb +2 -0
- metadata +6 -4
- metadata.gz.sig +0 -0
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 31a26a3b03270d2eafb08540e523d94c27211d20
|
4
|
+
data.tar.gz: 3fd570c30df5855aebfc9a542e3c54676bacc808
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: ea02eed9126d6375399ea7e9a4001978882e2f89c9ba8c90b1467f763aad9691cec19e54dc8cf45efe04d61d39e205d258c2a80b341177d63110868e0e31db39
|
7
|
+
data.tar.gz: d7d24ce1144f1d2db5b74823aeac8f63fef342733537b28929e1d1ba793597eda33fece5fe0fd0c07450d00f7d9435b262b608ac2842215767e853585b10d8c7
|
checksums.yaml.gz.sig
CHANGED
Binary file
|
data.tar.gz.sig
CHANGED
Binary file
|
data/CHANGES
CHANGED
data/README.md
CHANGED
@@ -1,4 +1,4 @@
|
|
1
|
-
![Brakeman Logo](http://brakemanscanner.org/images/logo_medium.png)
|
1
|
+
[![Brakeman Logo](http://brakemanscanner.org/images/logo_medium.png)](http://brakemanscanner.org/)
|
2
2
|
|
3
3
|
[![Travis CI
|
4
4
|
Status](https://secure.travis-ci.org/presidentbeef/brakeman.png)](https://travis-ci.org/presidentbeef/brakeman)
|
@@ -9,55 +9,35 @@ Climate](https://codeclimate.com/github/presidentbeef/brakeman.png)](https://cod
|
|
9
9
|
|
10
10
|
Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
|
11
11
|
|
12
|
-
It works with Rails 2.x, 3.x, and 4.x.
|
13
|
-
|
14
|
-
There is also a [plugin available](http://brakemanscanner.org/docs/jenkins/) for Jenkins/Hudson.
|
15
|
-
|
16
|
-
For even more continuous testing, try the [Guard plugin](https://github.com/guard/guard-brakeman).
|
17
|
-
|
18
|
-
# Homepage/News
|
19
|
-
|
20
|
-
Website: http://brakemanscanner.org/
|
21
|
-
|
22
|
-
Twitter: http://twitter.com/brakeman
|
23
|
-
|
24
|
-
Mailing list: brakeman@librelist.com
|
25
|
-
|
26
12
|
# Installation
|
27
13
|
|
28
14
|
Using RubyGems:
|
29
15
|
|
30
16
|
gem install brakeman
|
31
17
|
|
32
|
-
Using Bundler
|
18
|
+
Using Bundler:
|
33
19
|
|
34
20
|
group :development do
|
35
21
|
gem 'brakeman', :require => false
|
36
22
|
end
|
37
23
|
|
38
|
-
|
24
|
+
# Usage
|
39
25
|
|
40
|
-
|
41
|
-
gem install brakeman*.gem
|
26
|
+
From a Rails application's root directory:
|
42
27
|
|
43
|
-
|
28
|
+
brakeman
|
44
29
|
|
45
|
-
|
30
|
+
Outside of Rails root:
|
46
31
|
|
47
|
-
|
48
|
-
|--------------|-----------------------|----------------------------------------|
|
49
|
-
| Ruby 1.8.7 | `gem 'slim', '< 3.0'` | `$ gem install slim --version '< 3.0'` |
|
50
|
-
| Ruby 1.9+ | `gem 'slim'` | `$ gem install slim` |
|
32
|
+
brakeman /path/to/rails/application
|
51
33
|
|
52
|
-
#
|
34
|
+
# Compatibility
|
53
35
|
|
54
|
-
|
55
|
-
|
56
|
-
It is simplest to run Brakeman from the root directory of the Rails application. A path may also be supplied.
|
36
|
+
Brakeman works with Rails 2.x, 3.x, and 4.x.
|
57
37
|
|
58
38
|
# Basic Options
|
59
39
|
|
60
|
-
For a full list of options, use `brakeman --help` or see the OPTIONS.md file.
|
40
|
+
For a full list of options, use `brakeman --help` or see the [OPTIONS.md](OPTIONS.md) file.
|
61
41
|
|
62
42
|
To specify an output file for the results:
|
63
43
|
|
@@ -118,7 +98,7 @@ To create and manage this file, use:
|
|
118
98
|
|
119
99
|
# Warning information
|
120
100
|
|
121
|
-
See WARNING\_TYPES for more information on the warnings reported by this tool.
|
101
|
+
See [WARNING\_TYPES](WARNING_TYPES) for more information on the warnings reported by this tool.
|
122
102
|
|
123
103
|
# Warning context
|
124
104
|
|
@@ -150,6 +130,28 @@ The default config locations are `./config/brakeman.yml`, `~/.brakeman/config.ym
|
|
150
130
|
|
151
131
|
The `-c` option can be used to specify a configuration file to use.
|
152
132
|
|
133
|
+
# For Slim Users
|
134
|
+
|
135
|
+
[Slim v3.0.0](https://github.com/slim-template/slim/blob/master/CHANGES#L12) dropped support for Ruby 1.8.7. Install a version of [`slim`](http://slim-lang.com/) compatible with your Ruby.
|
136
|
+
|
137
|
+
| Ruby Version | `Gemfile` | Command Line |
|
138
|
+
|--------------|-----------------------|----------------------------------------|
|
139
|
+
| Ruby 1.8.7 | `gem 'slim', '< 3.0'` | `$ gem install slim --version '< 3.0'` |
|
140
|
+
| Ruby 1.9+ | `gem 'slim'` | `$ gem install slim` |
|
141
|
+
|
142
|
+
# Continuous Integration
|
143
|
+
|
144
|
+
There is a [plugin available](http://brakemanscanner.org/docs/jenkins/) for Jenkins/Hudson.
|
145
|
+
|
146
|
+
For even more continuous testing, try the [Guard plugin](https://github.com/guard/guard-brakeman).
|
147
|
+
|
148
|
+
# Building
|
149
|
+
|
150
|
+
git clone git://github.com/presidentbeef/brakeman.git
|
151
|
+
cd brakeman
|
152
|
+
gem build brakeman.gemspec
|
153
|
+
gem install brakeman*.gem
|
154
|
+
|
153
155
|
# Who is Using Brakeman?
|
154
156
|
|
155
157
|
* [Code Climate](https://codeclimate.com/)
|
@@ -160,6 +162,14 @@ The `-c` option can be used to specify a configuration file to use.
|
|
160
162
|
|
161
163
|
[..and more!](http://brakemanscanner.org/brakeman_users)
|
162
164
|
|
165
|
+
# Homepage/News
|
166
|
+
|
167
|
+
Website: http://brakemanscanner.org/
|
168
|
+
|
169
|
+
Twitter: http://twitter.com/brakeman
|
170
|
+
|
171
|
+
Mailing list: brakeman@librelist.com
|
172
|
+
|
163
173
|
# License
|
164
174
|
|
165
|
-
see MIT-LICENSE
|
175
|
+
see [MIT-LICENSE](MIT-LICENSE)
|
@@ -0,0 +1,47 @@
|
|
1
|
+
require 'brakeman/checks/base_check'
|
2
|
+
|
3
|
+
class Brakeman::CheckJSONEncoding < Brakeman::BaseCheck
|
4
|
+
Brakeman::Checks.add self
|
5
|
+
|
6
|
+
@description = "Checks for missing JSON encoding (CVE-2015-3226)"
|
7
|
+
|
8
|
+
def run_check
|
9
|
+
if (version_between? "4.1.0", "4.1.10" or version_between? "4.2.0", "4.2.1") and not has_workaround?
|
10
|
+
message = "Rails #{tracker.config[:rails_version]} does not encode JSON keys (CVE-2015-3226). Upgrade to Rails version "
|
11
|
+
|
12
|
+
if version_between? "4.1.0", "4.1.10"
|
13
|
+
message << "4.1.11"
|
14
|
+
else
|
15
|
+
message << "4.2.2"
|
16
|
+
end
|
17
|
+
|
18
|
+
if tracker.find_call(:methods => [:to_json, :encode]).any?
|
19
|
+
confidence = CONFIDENCE[:high]
|
20
|
+
else
|
21
|
+
confidence = CONFIDENCE[:med]
|
22
|
+
end
|
23
|
+
|
24
|
+
warn :warning_type => "Cross Site Scripting",
|
25
|
+
:warning_code => :CVE_2015_3226,
|
26
|
+
:message => message,
|
27
|
+
:confidence => confidence,
|
28
|
+
:gem_info => gemfile_or_environment,
|
29
|
+
:link_path => "https://groups.google.com/d/msg/rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ"
|
30
|
+
end
|
31
|
+
end
|
32
|
+
|
33
|
+
def has_workaround?
|
34
|
+
workaround = s(:module, :ActiveSupport,
|
35
|
+
s(:module, :JSON,
|
36
|
+
s(:module, :Encoding,
|
37
|
+
s(:call, nil, :private),
|
38
|
+
s(:class, :EscapedString, nil,
|
39
|
+
s(:defn, :to_s,
|
40
|
+
s(:args),
|
41
|
+
s(:self))))))
|
42
|
+
|
43
|
+
tracker.initializers.any? do |name, initializer|
|
44
|
+
initializer == workaround
|
45
|
+
end
|
46
|
+
end
|
47
|
+
end
|
@@ -41,7 +41,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
41
41
|
Brakeman.debug "Finding possible SQL calls using constantized()"
|
42
42
|
calls.concat tracker.find_call(:methods => @sql_targets).select { |result| constantize_call? result }
|
43
43
|
|
44
|
-
connect_targets = active_record_models.keys + [
|
44
|
+
connect_targets = active_record_models.keys + [:connection, :"ActiveRecord::Base"]
|
45
45
|
calls.concat tracker.find_call(:targets => connect_targets, :methods => @connection_calls, :chained => true).select { |result| connect_call? result }
|
46
46
|
|
47
47
|
Brakeman.debug "Finding calls to named_scope or scope"
|
@@ -0,0 +1,43 @@
|
|
1
|
+
require 'brakeman/checks/base_check'
|
2
|
+
|
3
|
+
class Brakeman::CheckXMLDoS < Brakeman::BaseCheck
|
4
|
+
Brakeman::Checks.add self
|
5
|
+
|
6
|
+
@description = "Checks for XML denial of service (CVE-2015-3227)"
|
7
|
+
|
8
|
+
def run_check
|
9
|
+
fix_version = case
|
10
|
+
when version_between?("4.1.0", "4.1.10")
|
11
|
+
"4.1.11"
|
12
|
+
when version_between?("4.2.0", "4.2.1")
|
13
|
+
"4.2.2"
|
14
|
+
when version_between?("4.1.11", "4.1.99")
|
15
|
+
return
|
16
|
+
when version_between?("4.2.2", "9.9.9")
|
17
|
+
return
|
18
|
+
when has_workaround?
|
19
|
+
return
|
20
|
+
else
|
21
|
+
"4.2.2"
|
22
|
+
end
|
23
|
+
|
24
|
+
message = "Rails #{tracker.config[:rails_version]} is vulnerable to denial of service via XML parsing (CVE-2015-3227). Upgrade to Rails version #{fix_version}"
|
25
|
+
|
26
|
+
warn :warning_type => "Denial of Service",
|
27
|
+
:warning_code => :CVE_2015_3227,
|
28
|
+
:message => message,
|
29
|
+
:confidence => CONFIDENCE[:med],
|
30
|
+
:gem_info => gemfile_or_environment,
|
31
|
+
:link_path => "repos/canvas-lms/config/application.rb"
|
32
|
+
end
|
33
|
+
|
34
|
+
def has_workaround?
|
35
|
+
tracker.check_initializers(:"ActiveSupport::XmlMini", :backend=).any? do |match|
|
36
|
+
arg = match.call.first_arg
|
37
|
+
if string? arg
|
38
|
+
value = arg.value
|
39
|
+
value == 'Nokogiri' or value == 'LibXML'
|
40
|
+
end
|
41
|
+
end
|
42
|
+
end
|
43
|
+
end
|
@@ -80,6 +80,11 @@ class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
|
|
80
80
|
|
81
81
|
if arg.node_type == :str
|
82
82
|
ignore
|
83
|
+
elsif exp.method == :safe_append=
|
84
|
+
s = Sexp.new :output, arg
|
85
|
+
s.line(exp.line)
|
86
|
+
@current_template[:outputs] << s
|
87
|
+
s
|
83
88
|
else
|
84
89
|
s = Sexp.new :escaped_output, arg
|
85
90
|
s.line(exp.line)
|
data/lib/brakeman/version.rb
CHANGED
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: brakeman-min
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 3.0.
|
4
|
+
version: 3.0.4
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Justin Collins
|
@@ -30,7 +30,7 @@ cert_chain:
|
|
30
30
|
bxoxp9KNxkO+709YwLO1rYfmcGghg8WV6MYz3PSHdlgWF4KrjRFc/00hXHqVk0Sf
|
31
31
|
mREEv2LPwHH2SgpSSab+iawnX4l6lV8XcIrmp/HSMySsPVFBeOmB0c05LpEN8w==
|
32
32
|
-----END CERTIFICATE-----
|
33
|
-
date: 2015-
|
33
|
+
date: 2015-06-18 00:00:00.000000000 Z
|
34
34
|
dependencies:
|
35
35
|
- !ruby/object:Gem::Dependency
|
36
36
|
name: test-unit
|
@@ -52,14 +52,14 @@ dependencies:
|
|
52
52
|
requirements:
|
53
53
|
- - "~>"
|
54
54
|
- !ruby/object:Gem::Version
|
55
|
-
version: 3.
|
55
|
+
version: 3.7.0
|
56
56
|
type: :runtime
|
57
57
|
prerelease: false
|
58
58
|
version_requirements: !ruby/object:Gem::Requirement
|
59
59
|
requirements:
|
60
60
|
- - "~>"
|
61
61
|
- !ruby/object:Gem::Version
|
62
|
-
version: 3.
|
62
|
+
version: 3.7.0
|
63
63
|
- !ruby/object:Gem::Dependency
|
64
64
|
name: ruby2ruby
|
65
65
|
requirement: !ruby/object:Gem::Requirement
|
@@ -126,6 +126,7 @@ files:
|
|
126
126
|
- lib/brakeman/checks/check_header_dos.rb
|
127
127
|
- lib/brakeman/checks/check_i18n_xss.rb
|
128
128
|
- lib/brakeman/checks/check_jruby_xml.rb
|
129
|
+
- lib/brakeman/checks/check_json_encoding.rb
|
129
130
|
- lib/brakeman/checks/check_json_parsing.rb
|
130
131
|
- lib/brakeman/checks/check_link_to.rb
|
131
132
|
- lib/brakeman/checks/check_link_to_href.rb
|
@@ -164,6 +165,7 @@ files:
|
|
164
165
|
- lib/brakeman/checks/check_unscoped_find.rb
|
165
166
|
- lib/brakeman/checks/check_validation_regex.rb
|
166
167
|
- lib/brakeman/checks/check_without_protection.rb
|
168
|
+
- lib/brakeman/checks/check_xml_dos.rb
|
167
169
|
- lib/brakeman/checks/check_yaml_parsing.rb
|
168
170
|
- lib/brakeman/differ.rb
|
169
171
|
- lib/brakeman/file_parser.rb
|
metadata.gz.sig
CHANGED
Binary file
|