brakeman-min 3.1.4 → 3.1.5.pre1
- checksums.yaml +4 -4
- data/CHANGES +30 -0
- data/README.md +3 -2
- data/lib/brakeman.rb +4 -4
- data/lib/brakeman/app_tree.rb +58 -5
- data/lib/brakeman/call_index.rb +22 -31
- data/lib/brakeman/checks.rb +59 -73
- data/lib/brakeman/checks/base_check.rb +13 -5
- data/lib/brakeman/checks/check_basic_auth_timing_attack.rb +33 -0
- data/lib/brakeman/checks/check_cross_site_scripting.rb +12 -6
- data/lib/brakeman/checks/check_dynamic_finders.rb +49 -0
- data/lib/brakeman/checks/check_mime_type_dos.rb +39 -0
- data/lib/brakeman/checks/check_nested_attributes_bypass.rb +58 -0
- data/lib/brakeman/checks/check_render.rb +33 -3
- data/lib/brakeman/checks/check_route_dos.rb +42 -0
- data/lib/brakeman/checks/check_sanitize_methods.rb +26 -4
- data/lib/brakeman/checks/check_sql.rb +8 -6
- data/lib/brakeman/checks/check_strip_tags.rb +27 -2
- data/lib/brakeman/options.rb +8 -2
- data/lib/brakeman/processors/alias_processor.rb +14 -1
- data/lib/brakeman/processors/base_processor.rb +8 -0
- data/lib/brakeman/processors/controller_processor.rb +2 -2
- data/lib/brakeman/processors/erb_template_processor.rb +1 -1
- data/lib/brakeman/processors/erubis_template_processor.rb +1 -1
- data/lib/brakeman/processors/haml_template_processor.rb +2 -1
- data/lib/brakeman/processors/lib/basic_processor.rb +16 -0
- data/lib/brakeman/processors/lib/find_all_calls.rb +4 -2
- data/lib/brakeman/processors/lib/find_call.rb +1 -1
- data/lib/brakeman/processors/lib/render_path.rb +2 -1
- data/lib/brakeman/processors/lib/route_helper.rb +4 -0
- data/lib/brakeman/processors/model_processor.rb +2 -2
- data/lib/brakeman/report/ignore/config.rb +3 -3
- data/lib/brakeman/report/report_csv.rb +1 -2
- data/lib/brakeman/report/report_json.rb +1 -4
- data/lib/brakeman/scanner.rb +7 -2
- data/lib/brakeman/tracker.rb +21 -0
- data/lib/brakeman/tracker/config.rb +6 -0
- data/lib/brakeman/util.rb +4 -3
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning.rb +2 -2
- data/lib/brakeman/warning_codes.rb +9 -0
- data/lib/ruby_parser/bm_sexp.rb +23 -23
- metadata +13 -30
- data/lib/brakeman/report/initializers/faster_csv.rb +0 -7
- data/lib/brakeman/report/initializers/multi_json.rb +0 -29
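--- a/data/lib/brakeman/util.rb
+++ b/data/lib/brakeman/util.rb
@@ -167,7 +167,8 @@ module Brakeman::Util
 
 #Check if _exp_ represents a method call: s(:call, ...)
 def call? exp
-exp.is_a? Sexp and
+exp.is_a? Sexp and
+(exp.node_type == :call or exp.node_type == :safe_call)
 end
 
 #Check if _exp_ represents a Regexp: s(:lit, /.../)
@@ -214,7 +215,7 @@ module Brakeman::Util
 if exp.is_a? Sexp
 return true if exp.node_type == :params or ALL_PARAMETERS.include? exp
 
-if exp
+if call? exp
 if params? exp[1]
 return true
 elsif exp[2] == :[]
@@ -230,7 +231,7 @@ module Brakeman::Util
 if exp.is_a? Sexp
 return true if exp.node_type == :cookies or exp == COOKIES
 
-if exp
+if call? exp
 if cookies? exp[1]
 return true
 elsif exp[2] == :[]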
data/lib/brakeman/version.rb
CHANGED
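--- a/data/lib/brakeman/warning.rb
+++ b/data/lib/brakeman/warning.rb
@@ -1,4 +1,4 @@
-require '
+require 'json'
 require 'digest/sha2'
 require 'brakeman/warning_codes'
 
@@ -241,7 +241,7 @@ class Brakeman::Warning
 end
 
 def to_json
-
+JSON.generate self.to_hash
 end
 
 private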
@@ -93,6 +93,15 @@ module Brakeman::WarningCodes
|
|
93
93
|
:session_key_manipulation => 89,
|
94
94
|
:weak_hash_digest => 90,
|
95
95
|
:weak_hash_hmac => 91,
|
96
|
+
:sql_injection_dynamic_finder => 92,
|
97
|
+
:CVE_2015_7576 => 93,
|
98
|
+
:CVE_2016_0751 => 94,
|
99
|
+
:CVE_2015_7577 => 95,
|
100
|
+
:CVE_2015_7578 => 96,
|
101
|
+
:CVE_2015_7580 => 97,
|
102
|
+
:CVE_2015_7579 => 98,
|
103
|
+
:dynamic_render_path_rce => 99,
|
104
|
+
:CVE_2015_7581 => 100,
|
96
105
|
}
|
97
106
|
|
98
107
|
def self.code name
|
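--- a/data/lib/ruby_parser/bm_sexp.rb
+++ b/data/lib/ruby_parser/bm_sexp.rb
@@ -141,13 +141,13 @@ class Sexp
 #s(:call, s(:call, nil, :x, s(:arglist)), :y, s(:arglist, s(:lit, 1)))
 # ^-----------target-----------^
 def target
-expect :call, :attrasgn
+expect :call, :attrasgn, :safe_call, :safe_attrasgn
 self[1]
 end
 
 #Sets the target of a method call:
 def target= exp
-expect :call, :attrasgn
+expect :call, :attrasgn, :safe_call, :safe_attrasgn
 @my_hash_value = nil
 self[1] = exp
 end
@@ -157,10 +157,10 @@ class Sexp
 #s(:call, s(:call, nil, :x, s(:arglist)), :y, s(:arglist, s(:lit, 1)))
 # ^- method
 def method
-expect :call, :attrasgn, :super, :zsuper, :result
+expect :call, :attrasgn, :safe_call, :safe_attrasgn, :super, :zsuper, :result
 
 case self.node_type
-when :call, :attrasgn
+when :call, :attrasgn, :safe_call, :safe_attrasgn
 self[2]
 when :super, :zsuper
 :super
@@ -170,14 +170,14 @@ class Sexp
 end
 
 def method= name
-expect :call
+expect :call, :safe_call
 
 self[2] = name
 end
 
 #Sets the arglist in a method call.
 def arglist= exp
-expect :call, :attrasgn
+expect :call, :attrasgn, :safe_call, :safe_attrasgn
 @my_hash_value = nil
 start_index = 3
 
@@ -201,10 +201,10 @@ class Sexp
 # s(:call, s(:call, nil, :x, s(:arglist)), :y, s(:arglist, s(:lit, 1), s(:lit, 2)))
 # ^------------ arglist ------------^
 def arglist
-expect :call, :attrasgn, :super, :zsuper
+expect :call, :attrasgn, :safe_call, :safe_attrasgn, :super, :zsuper
 
 case self.node_type
-when :call, :attrasgn
+when :call, :attrasgn, :safe_call, :safe_attrasgn
 self[3..-1].unshift :arglist
 when :super, :zsuper
 if self[1]
@@ -220,10 +220,10 @@ class Sexp
 # s(:call, s(:call, nil, :x, s(:arglist)), :y, s(:arglist, s(:lit, 1), s(:lit, 2)))
 # ^--------args--------^
 def args
-expect :call, :attrasgn, :super, :zsuper
+expect :call, :attrasgn, :safe_call, :safe_attrasgn, :super, :zsuper
 
 case self.node_type
-when :call, :attrasgn
+when :call, :attrasgn, :safe_call, :safe_attrasgn
 if self[3]
 self[3..-1]
 else
@@ -239,11 +239,11 @@ class Sexp
 end
 
 def each_arg replace = false
-expect :call, :attrasgn, :super, :zsuper
+expect :call, :attrasgn, :safe_call, :safe_attrasgn, :super, :zsuper
 range = nil
 
 case self.node_type
-when :call, :attrasgn
+when :call, :attrasgn, :safe_call, :safe_attrasgn
 if self[3]
 range = (3...self.length)
 end
@@ -270,43 +270,43 @@ class Sexp
 
 #Returns first argument of a method call.
 def first_arg
-expect :call, :attrasgn
+expect :call, :attrasgn, :safe_call, :safe_attrasgn
 self[3]
 end
 
 #Sets first argument of a method call.
 def first_arg= exp
-expect :call, :attrasgn
+expect :call, :attrasgn, :safe_call, :safe_attrasgn
 @my_hash_value = nil
 self[3] = exp
 end
 
 #Returns second argument of a method call.
 def second_arg
-expect :call, :attrasgn
+expect :call, :attrasgn, :safe_call, :safe_attrasgn
 self[4]
 end
 
 #Sets second argument of a method call.
 def second_arg= exp
-expect :call, :attrasgn
+expect :call, :attrasgn, :safe_call, :safe_attrasgn
 @my_hash_value = nil
 self[4] = exp
 end
 
 def third_arg
-expect :call, :attrasgn
+expect :call, :attrasgn, :safe_call, :safe_attrasgn
 self[5]
 end
 
 def third_arg= exp
-expect :call, :attrasgn
+expect :call, :attrasgn, :safe_call, :safe_attrasgn
 @my_hash_value = nil
 self[5] = exp
 end
 
 def last_arg
-expect :call, :attrasgn
+expect :call, :attrasgn, :safe_call, :safe_attrasgn
 
 if self[3]
 self[-1]
@@ -427,9 +427,9 @@ class Sexp
 # s(:lasgn, :x, s(:lit, 1))
 # ^--rhs---^
 def rhs
-expect :attrasgn, *ASSIGNMENT_BOOL
+expect :attrasgn, :safe_attrasgn, *ASSIGNMENT_BOOL
 
-if self.node_type == :attrasgn
+if self.node_type == :attrasgn or self.node_type == :safe_attrasgn
 self[3]
 else
 self[2]
@@ -438,10 +438,10 @@ class Sexp
 
 #Sets the right hand side of assignment or boolean.
 def rhs= exp
-expect :attrasgn, *ASSIGNMENT_BOOL
+expect :attrasgn, :safe_attrasgn, *ASSIGNMENT_BOOL
 @my_hash_value = nil
 
-if self.node_type == :attrasgn
+if self.node_type == :attrasgn or self.node_type == :safe_attrasgn
 self[3] = exp
 else
 self[2] = exp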
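--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-min
 version: !ruby/object:Gem::Version
-version: 3.1.
+version: 3.1.5.pre1
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date:
+date: 2016-02-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: test-unit
@@ -31,48 +31,28 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 3.
+version: 3.8.1
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 3.
+version: 3.8.1
 - !ruby/object:Gem::Dependency
 name: ruby2ruby
-requirement: !ruby/object:Gem::Requirement
-requirements:
-- - ">="
-- !ruby/object:Gem::Version
-version: 2.1.1
-- - "<"
-- !ruby/object:Gem::Version
-version: 2.3.0
-type: :runtime
-prerelease: false
-version_requirements: !ruby/object:Gem::Requirement
-requirements:
-- - ">="
-- !ruby/object:Gem::Version
-version: 2.1.1
-- - "<"
-- !ruby/object:Gem::Version
-version: 2.3.0
-- !ruby/object:Gem::Dependency
-name: multi_json
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version:
+version: 2.3.0
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version:
+version: 2.3.0
 - !ruby/object:Gem::Dependency
 name: safe_yaml
 requirement: !ruby/object:Gem::Requirement
@@ -108,6 +88,7 @@ files:
 - lib/brakeman/checks.rb
 - lib/brakeman/checks/base_check.rb
 - lib/brakeman/checks/check_basic_auth.rb
+- lib/brakeman/checks/check_basic_auth_timing_attack.rb
 - lib/brakeman/checks/check_content_tag.rb
 - lib/brakeman/checks/check_create_with.rb
 - lib/brakeman/checks/check_cross_site_scripting.rb
@@ -115,6 +96,7 @@ files:
 - lib/brakeman/checks/check_deserialize.rb
 - lib/brakeman/checks/check_detailed_exceptions.rb
 - lib/brakeman/checks/check_digest_dos.rb
+- lib/brakeman/checks/check_dynamic_finders.rb
 - lib/brakeman/checks/check_escape_function.rb
 - lib/brakeman/checks/check_evaluation.rb
 - lib/brakeman/checks/check_execute.rb
@@ -131,10 +113,12 @@ files:
 - lib/brakeman/checks/check_link_to_href.rb
 - lib/brakeman/checks/check_mail_to.rb
 - lib/brakeman/checks/check_mass_assignment.rb
+- lib/brakeman/checks/check_mime_type_dos.rb
 - lib/brakeman/checks/check_model_attr_accessible.rb
 - lib/brakeman/checks/check_model_attributes.rb
 - lib/brakeman/checks/check_model_serialize.rb
 - lib/brakeman/checks/check_nested_attributes.rb
+- lib/brakeman/checks/check_nested_attributes_bypass.rb
 - lib/brakeman/checks/check_number_to_currency.rb
 - lib/brakeman/checks/check_quote_table_name.rb
 - lib/brakeman/checks/check_redirect.rb
@@ -143,6 +127,7 @@ files:
 - lib/brakeman/checks/check_render_dos.rb
 - lib/brakeman/checks/check_render_inline.rb
 - lib/brakeman/checks/check_response_splitting.rb
+- lib/brakeman/checks/check_route_dos.rb
 - lib/brakeman/checks/check_safe_buffer_manipulation.rb
 - lib/brakeman/checks/check_sanitize_methods.rb
 - lib/brakeman/checks/check_select_tag.rb
@@ -209,8 +194,6 @@ files:
 - lib/brakeman/report/config/remediation.yml
 - lib/brakeman/report/ignore/config.rb
 - lib/brakeman/report/ignore/interactive.rb
-- lib/brakeman/report/initializers/faster_csv.rb
-- lib/brakeman/report/initializers/multi_json.rb
 - lib/brakeman/report/renderer.rb
 - lib/brakeman/report/report_base.rb
 - lib/brakeman/report/report_codeclimate.rb
@@ -262,9 +245,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
 version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
 requirements:
-- - "
+- - ">"
 - !ruby/object:Gem::Version
-version:
+version: 1.3.1
 requirements: []
 rubyforge_project:
 rubygems_version: 2.4.8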
@@ -1,29 +0,0 @@
|
|
1
|
-
#MultiJson interface changed in 1.3.0, but need
|
2
|
-
#to support older MultiJson for Rails 3.1.
|
3
|
-
mj_engine = nil
|
4
|
-
|
5
|
-
if MultiJson.respond_to? :default_adapter
|
6
|
-
mj_engine = MultiJson.default_adapter
|
7
|
-
else
|
8
|
-
mj_engine = MultiJson.default_engine
|
9
|
-
|
10
|
-
module MultiJson
|
11
|
-
def self.dump *args
|
12
|
-
encode *args
|
13
|
-
end
|
14
|
-
|
15
|
-
def self.load *args
|
16
|
-
decode *args
|
17
|
-
end
|
18
|
-
end
|
19
|
-
end
|
20
|
-
|
21
|
-
#This is so OkJson will work with symbol values
|
22
|
-
if mj_engine == :ok_json
|
23
|
-
class Symbol
|
24
|
-
def to_json
|
25
|
-
self.to_s.inspect
|
26
|
-
end
|
27
|
-
end
|
28
|
-
end
|
29
|
-
|