brakeman-min 3.5.0 → 3.6.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 34207b00cf9b699ce8f8330d267e6bae5fcb5aa3
4
- data.tar.gz: 476ddf71d3b65d4a42ce4a0c3797afce2a668dd0
3
+ metadata.gz: 99b9788e54de6acd40d016e0c30b7edb0a202d32
4
+ data.tar.gz: 02c4bcf4031cd50ae6580c1dd708c9df346b88e8
5
5
  SHA512:
6
- metadata.gz: 2ff7b88ba0c48c57ba0add9897e5518ebf95612ad4d0ef6077b473f0c5e074f39bd5622773715e6d21f39413b7bb0c3980c7eaf730392c4727eebdc1112c15f1
7
- data.tar.gz: 31087cfd02979e3602e2d642f1594cfdb9439565a7d4295f810730ed48519144e2fb396a3f59da45f6693f5383045bb5e41303b40e2334d6e1dfc5dd502ac01f
6
+ metadata.gz: 2e222dcc215b4fbb34847f7e582e02aecc2b33800f386e3f5ff3373c8a78762c9b66de29384033c0520c688518002dd44c5a0cbf42bfdbcba08d35900b99ef9d
7
+ data.tar.gz: ddaccf9b996c26430acd104c5f1cc4b4639bf07b85be3f9885ef7b83b893a92528f3fc3b9b81213812574e024a21cccc7765691924acc4d0d20ad8f682bb65bb
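--- a/data/CHANGES
+++ b/data/CHANGES
@@ -1,3 +1,14 @@
+# 3.6.0
+
+* Avoid recursive Concerns
+* Branch inside of `case` expressions
+* Print command line option errors without modification
+* Fix issue with nested interpolation inside SQL strings
+* Ignore GraphQL tags inside ERB templates
+* Add `--exit-on-error` (Michael Grosser)
+* Only report CVE-2015-3227 when exact version is known
+* Check targetless SQL calls outside of known models
+
 # 3.5.0
 
 * Allow `-t None`
@@ -102,7 +113,7 @@
 * Update ruby_parser dependency to 3.8.1
 * Remove `fastercsv` dependency
 * Fix finding calls with `targets: nil`
-* Remove `multi_json` dependecy
+* Remove `multi_json` dependency
 * Handle CoffeeScript in HAML
 * Avoid render warnings about params[:action]/params[:controller]
 * Index calls in class bodies but outside methods
@@ -118,7 +129,7 @@
 * Add check for mime-type denial of service (CVE-2016-0751)
 * Add check for basic auth timing attack (CVE-2015-7576)
 * Add initial Rails 5 support
-* Check for implict integer comparison in dynamic finders
+* Check for implicit integer comparison in dynamic finders
 * Support directories better in --only-files and --skip-files (Patrick Toomey)
 * Avoid warning about `permit` in SQL
 * Handle guards using `detect`
@@ -235,7 +246,7 @@
 * Remove formatting newlines in HAML template output
 * Ignore case value in XSS checks
 * Fix CSV output when there are no warnings
-* Handle processing of explictly shadowed block arguments
+* Handle processing of explicitly shadowed block arguments
 
 # 3.0.1
 
@@ -285,7 +296,7 @@
 * Add `-4` option to force Rails 4 mode
 * Check entire call for `send`
 * Check for .gitignore of secrets in subdirectories
-* Fix block statment endings in Erubis
+* Fix block statement endings in Erubis
 * Fix undefined variable in controller processing error (Jason Barnabe)
 
 # 2.6.1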
data/bin/brakeman CHANGED
@@ -10,7 +10,7 @@ require 'brakeman/version'
10
10
  begin
11
11
  options, parser = Brakeman::Options.parse! ARGV
12
12
  rescue OptionParser::ParseError => e
13
- $stderr.puts e.message.capitalize
13
+ $stderr.puts e.message
14
14
  $stderr.puts "Please see `brakeman --help` for valid options"
15
15
  exit(-1)
16
16
  end
@@ -90,6 +90,11 @@ begin
90
90
  exit Brakeman::Warnings_Found_Exit_Code
91
91
  end
92
92
  end
93
+
94
+ #Return error code if --exit-on-error is used and errors were found
95
+ if tracker.options[:exit_on_error] and tracker.errors.any?
96
+ exit Brakeman::Errors_Found_Exit_Code
97
+ end
93
98
  rescue Brakeman::NoApplication => e
94
99
  warn e.message
95
100
  exit Brakeman::No_App_Found_Exit_Code
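Review bot: The new guard `if tracker.options[:exit_on_error] and tracker.errors.any?` uses `and` for boolean logic; because `and` binds looser than `=` and `!`, the conventional spelling is `if tracker.options[:exit_on_error] && tracker.errors.any?`. It also runs after the `exit Brakeman::Warnings_Found_Exit_Code` path visible just above it, so when a scan produces both warnings and errors the warnings exit code appears to win; if that precedence is intended, a comment such as `#--exit-on-warn takes precedence over --exit-on-error when both apply` would save the next reader a question. The enclosing `begin`/`rescue` starts outside the hunk.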
data/lib/brakeman.rb CHANGED
@@ -15,6 +15,10 @@ module Brakeman
15
15
  #Exit code returned when user requests non-existent checks
16
16
  Missing_Checks_Exit_Code = 6
17
17
 
18
+ #Exit code returned when errors were found and the --exit-on-error
19
+ #option is set
20
+ Errors_Found_Exit_Code = 7
21
+
18
22
  @debug = false
19
23
  @quiet = false
20
24
  @loaded_dependencies = []
@@ -157,8 +157,6 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
157
157
  #
158
158
  def process_result result
159
159
  return if duplicate?(result) or result[:call].original_line
160
- return if result[:target].nil? && !active_record_models.include?(result[:location][:class])
161
-
162
160
 
163
161
  call = result[:call]
164
162
  method = call.method
@@ -596,6 +594,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
596
594
  safe_value? exp.last
597
595
  when :or
598
596
  safe_value? exp.lhs and safe_value? exp.rhs
597
+ when :dstr
598
+ not unsafe_string_interp? exp
599
599
  else
600
600
  false
601
601
  end
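Review bot: The new `:dstr` arm in `safe_value?` is written as `not unsafe_string_interp? exp`; the idiomatic form is `!unsafe_string_interp?(exp)`, which avoids low-precedence `not` in front of a paren-less call. Since this arm makes an interpolated string count as safe whenever `unsafe_string_interp?` does not object, a one-line comment stating the delegation, `# interpolated string: safe only if unsafe_string_interp? finds nothing in its parts`, would make the contract explicit (I am inferring what that helper checks from its name). Both `safe_value?` and `unsafe_string_interp?` are defined outside the hunk.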
@@ -17,12 +17,6 @@ class Brakeman::CheckXMLDoS < Brakeman::BaseCheck
17
17
  "4.2.2"
18
18
  when version_between?("4.0.0", "4.0.99")
19
19
  "4.2.2"
20
- when (version.nil? and tracker.options[:rails3])
21
- version = "3.x"
22
- "3.2.22"
23
- when (version.nil? and tracker.options[:rails4])
24
- version = "4.x"
25
- "4.2.2"
26
20
  else
27
21
  return
28
22
  end
@@ -43,6 +43,10 @@ module Brakeman::Options
43
43
  options[:exit_on_warn] = exit_on_warn
44
44
  end
45
45
 
46
+ opts.on "--[no-]exit-on-error", "Exit code is non-zero if errors found" do |exit_on_error|
47
+ options[:exit_on_error] = exit_on_error
48
+ end
49
+
46
50
  opts.on "--ensure-latest", "Fail when Brakeman is outdated" do
47
51
  options[:ensure_latest] = true
48
52
  end
@@ -71,4 +71,11 @@ class Brakeman::Rails3Erubis < ::Erubis::Eruby
71
71
  @newline_pending = 0
72
72
  end
73
73
  end
74
+
75
+ # This is borrowed from graphql's erb plugin:
76
+ # https://github.com/github/graphql-client/blob/51e76bd8d8b2ac0021d8fef7468b9a294e4bd6e8/lib/graphql/client/erubis.rb#L33-L38
77
+ def convert_input(src, input)
78
+ input = input.gsub(/<%graphql/, "<%#")
79
+ super(src, input)
80
+ end
74
81
  end
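Review bot: `convert_input` rewrites every `<%graphql` opener into the ERB comment opener `<%#` before handing the template to the parent parser, but the comment only says where the snippet came from, not why; a line such as `# Turn <%graphql ... %> blocks into ERB comments so their query text is not parsed as Ruby` would explain the intent. The pattern contains no regex metacharacters, so `input.gsub("<%graphql", "<%#")` is equivalent and slightly clearer. The match is exact, so any spelling variant of the opener (if the gem accepts one, which I cannot tell from here) would still reach the Ruby parser.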
@@ -616,6 +616,75 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
616
616
  exp
617
617
  end
618
618
 
619
+ def simple_when? exp
620
+ node_type? exp[1], :array and
621
+ not node_type? exp[1][1], :splat, :array and
622
+ (exp[1].length == 2 or
623
+ exp[1].all? { |e| e.is_a? Symbol or node_type? e, :lit, :str })
624
+ end
625
+
626
+ def process_case exp
627
+ if @ignore_ifs.nil?
628
+ @ignore_ifs = @tracker && @tracker.options[:ignore_ifs]
629
+ end
630
+
631
+ if @ignore_ifs
632
+ process_default exp
633
+ return exp
634
+ end
635
+
636
+ branch_scopes = []
637
+ was_inside = @inside_if
638
+ @inside_if = true
639
+
640
+ exp[1] = process exp[1] if exp[1]
641
+
642
+ case_value = if node_type? exp[1], :lvar, :ivar, :call
643
+ exp[1].deep_clone
644
+ end
645
+
646
+ exp.each_sexp do |e|
647
+ if node_type? e, :when
648
+ scope do
649
+ @branch_env = env.current
650
+
651
+ # set value of case var if possible
652
+ if case_value and simple_when? e
653
+ @branch_env[case_value] = e[1][1]
654
+ end
655
+
656
+ # when blocks aren't blocks, they are lists of expressions
657
+ process_default e
658
+
659
+ branch_scopes << env.current
660
+
661
+ @branch_env = nil
662
+ end
663
+ end
664
+ end
665
+
666
+ # else clause
667
+ if sexp? exp.last
668
+ scope do
669
+ @branch_env = env.current
670
+
671
+ process_default exp[-1]
672
+
673
+ branch_scopes << env.current
674
+
675
+ @branch_env = nil
676
+ end
677
+ end
678
+
679
+ @inside_if = was_inside
680
+
681
+ branch_scopes.each do |s|
682
+ merge_if_branch s
683
+ end
684
+
685
+ exp
686
+ end
687
+
619
688
  def process_if_branch exp
620
689
  if sexp? exp
621
690
  if block? exp
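Review bot: In `process_case`, the assignment `@branch_env[case_value] = e[1][1]` records only the first alternative of a `when`, yet `simple_when?` also accepts multi-value literal lists such as `when :a, :b` through its `all?` arm, so inside that branch the subject is aliased to `:a` alone. If that narrowing is deliberate because every alternative is a literal, a comment saying so, `# multi-value when: only the first literal is recorded as the subject's value`, would stop a reader from filing it as a bug; otherwise limit the assignment to `e[1].length == 2`. `simple_when?` also mixes `and`, `or` and `not` in one expression and leans on their precedence; spelling it with `&&`, `||` and `!` plus explicit parentheses around the `length`/`all?` alternative would read more safely. The hunk ends inside `process_if_branch`, whose body continues past it.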
@@ -934,6 +1003,36 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
934
1003
  end
935
1004
  end
936
1005
 
1006
+ def value_from_case exp
1007
+ result = []
1008
+
1009
+ exp.each do |e|
1010
+ if node_type? e, :when
1011
+ result << e.last
1012
+ end
1013
+ end
1014
+
1015
+ result << exp.last if exp.last # else
1016
+
1017
+ result.reduce do |c, e|
1018
+ if c.nil?
1019
+ e
1020
+ elsif node_type? e, :if
1021
+ c.combine(value_from_if e)
1022
+ elsif raise? e
1023
+ c # ignore exceptions
1024
+ elsif e
1025
+ c.combine e
1026
+ else # when e is nil
1027
+ c
1028
+ end
1029
+ end
1030
+ end
1031
+
1032
+ def raise? exp
1033
+ call? exp and exp.method == :raise
1034
+ end
1035
+
937
1036
  #Set variable to given value.
938
1037
  #Creates "branched" versions of values when appropriate.
939
1038
  #Avoids creating multiple branched versions inside same
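Review bot: `value_from_case` unwraps a nested `:if` with `value_from_if` but leaves a nested `:case` as a single node, even though `set_value` later in this diff now dispatches on both `:if` and `:case`; a `when` body ending in another `case` is therefore combined as one opaque sexp rather than its branch values. The first element of `result` is never unwrapped either, because `reduce` without an initial value seeds `c` with `result.first` and the `c.nil?` arm returns `e` as-is, so an `:if` or `:case` in the first branch escapes both. Normalising each branch value before combining fixes both and treats a leading `raise` like any other one; this assumes `combine` accepts whatever the unwrapping returns, which I cannot verify from the hunk.
```ruby
def value_from_case exp
  # … unchanged: collect each when's last expression and the else into `result` …

  result.reduce(nil) do |c, e|
    value = if node_type? e, :if
              value_from_if e
            elsif node_type? e, :case
              value_from_case e
            elsif raise? e
              nil # ignore exceptions
            else
              e
            end

    if c.nil?
      value
    elsif value.nil?
      c
    else
      c.combine value
    end
  end
end
```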
@@ -941,6 +1040,8 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
941
1040
  def set_value var, value
942
1041
  if node_type? value, :if
943
1042
  value = value_from_if(value)
1043
+ elsif node_type? value, :case
1044
+ value = value_from_case(value)
944
1045
  end
945
1046
 
946
1047
  if @ignore_ifs or not @inside_if
@@ -16,6 +16,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
16
16
  @current_module = nil
17
17
  @visibility = :public
18
18
  @file_name = nil
19
+ @concerns = Set.new
19
20
  end
20
21
 
21
22
  #Use this method to process a Controller
@@ -65,7 +66,8 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
65
66
  return unless @current_class
66
67
 
67
68
  if mod = @tracker.find_class(concern_name)
68
- if mod.options[:included]
69
+ if mod.options[:included] and not @concerns.include? concern_name
70
+ @concerns << concern_name
69
71
  process mod.options[:included].deep_clone
70
72
  end
71
73
  end
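Review bot: The recursion guard `if mod.options[:included] and not @concerns.include? concern_name` depends on `@concerns`, the `Set` created in `initialize` in the first hunk of this file, but no `require 'set'` is visible; unless this file or something loaded before it already requires it, `Set` only resolves on Rubies that autoload it, so add `require 'set'` at the top of the file or confirm it is loaded elsewhere. Because a name stays in the set after processing, a second controller handled by the same processor instance would skip that concern's `included` block entirely — harmless if one instance handles one controller, which I cannot confirm from the hunk; a comment on the field, `# concern names already expanded into this controller, to stop mutual inclusion looping`, would record the intent. The condition itself reads more safely as `if mod.options[:included] && !@concerns.include?(concern_name)`. The enclosing method starts outside the hunk.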
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "3.5.0"
2
+ Version = "3.6.0"
3
3
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: brakeman-min
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.5.0
4
+ version: 3.6.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
9
9
  bindir: bin
10
10
  cert_chain:
11
11
  - brakeman-public_cert.pem
12
- date: 2017-02-01 00:00:00.000000000 Z
12
+ date: 2017-03-22 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: minitest