brakeman-min 3.7.2 → 4.0.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (87) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGES +15 -1
  3. data/FEATURES +1 -1
  4. data/lib/brakeman.rb +55 -17
  5. data/lib/brakeman/call_index.rb +2 -2
  6. data/lib/brakeman/checks/base_check.rb +4 -2
  7. data/lib/brakeman/checks/check_basic_auth.rb +3 -3
  8. data/lib/brakeman/checks/check_basic_auth_timing_attack.rb +1 -1
  9. data/lib/brakeman/checks/check_content_tag.rb +12 -12
  10. data/lib/brakeman/checks/check_create_with.rb +5 -5
  11. data/lib/brakeman/checks/check_cross_site_scripting.rb +8 -8
  12. data/lib/brakeman/checks/check_default_routes.rb +4 -4
  13. data/lib/brakeman/checks/check_deserialize.rb +2 -2
  14. data/lib/brakeman/checks/check_detailed_exceptions.rb +4 -4
  15. data/lib/brakeman/checks/check_digest_dos.rb +2 -2
  16. data/lib/brakeman/checks/check_dynamic_finders.rb +1 -1
  17. data/lib/brakeman/checks/check_escape_function.rb +2 -2
  18. data/lib/brakeman/checks/check_evaluation.rb +1 -1
  19. data/lib/brakeman/checks/check_execute.rb +5 -5
  20. data/lib/brakeman/checks/check_file_access.rb +4 -4
  21. data/lib/brakeman/checks/check_file_disclosure.rb +2 -2
  22. data/lib/brakeman/checks/check_filter_skipping.rb +2 -2
  23. data/lib/brakeman/checks/check_forgery_setting.rb +2 -2
  24. data/lib/brakeman/checks/check_header_dos.rb +1 -1
  25. data/lib/brakeman/checks/check_i18n_xss.rb +2 -2
  26. data/lib/brakeman/checks/check_jruby_xml.rb +2 -4
  27. data/lib/brakeman/checks/check_json_encoding.rb +4 -4
  28. data/lib/brakeman/checks/check_json_parsing.rb +6 -6
  29. data/lib/brakeman/checks/check_link_to.rb +5 -5
  30. data/lib/brakeman/checks/check_link_to_href.rb +37 -31
  31. data/lib/brakeman/checks/check_mail_to.rb +2 -2
  32. data/lib/brakeman/checks/check_mass_assignment.rb +6 -6
  33. data/lib/brakeman/checks/check_mime_type_dos.rb +1 -1
  34. data/lib/brakeman/checks/check_model_attr_accessible.rb +5 -5
  35. data/lib/brakeman/checks/check_model_attributes.rb +4 -4
  36. data/lib/brakeman/checks/check_model_serialize.rb +3 -3
  37. data/lib/brakeman/checks/check_nested_attributes.rb +2 -2
  38. data/lib/brakeman/checks/check_nested_attributes_bypass.rb +1 -1
  39. data/lib/brakeman/checks/check_number_to_currency.rb +5 -5
  40. data/lib/brakeman/checks/check_quote_table_name.rb +2 -2
  41. data/lib/brakeman/checks/check_redirect.rb +2 -2
  42. data/lib/brakeman/checks/check_regex_dos.rb +3 -3
  43. data/lib/brakeman/checks/check_render.rb +4 -4
  44. data/lib/brakeman/checks/check_render_dos.rb +1 -1
  45. data/lib/brakeman/checks/check_render_inline.rb +5 -5
  46. data/lib/brakeman/checks/check_response_splitting.rb +1 -1
  47. data/lib/brakeman/checks/check_route_dos.rb +1 -1
  48. data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +2 -2
  49. data/lib/brakeman/checks/check_sanitize_methods.rb +7 -7
  50. data/lib/brakeman/checks/check_secrets.rb +1 -1
  51. data/lib/brakeman/checks/check_select_tag.rb +2 -2
  52. data/lib/brakeman/checks/check_select_vulnerability.rb +3 -3
  53. data/lib/brakeman/checks/check_send.rb +1 -1
  54. data/lib/brakeman/checks/check_session_manipulation.rb +2 -2
  55. data/lib/brakeman/checks/check_session_settings.rb +3 -3
  56. data/lib/brakeman/checks/check_simple_format.rb +4 -4
  57. data/lib/brakeman/checks/check_single_quotes.rb +3 -3
  58. data/lib/brakeman/checks/check_skip_before_filter.rb +3 -3
  59. data/lib/brakeman/checks/check_sql.rb +9 -9
  60. data/lib/brakeman/checks/check_sql_cves.rb +2 -2
  61. data/lib/brakeman/checks/check_ssl_verify.rb +1 -1
  62. data/lib/brakeman/checks/check_strip_tags.rb +7 -7
  63. data/lib/brakeman/checks/check_symbol_dos.rb +2 -2
  64. data/lib/brakeman/checks/check_symbol_dos_cve.rb +1 -1
  65. data/lib/brakeman/checks/check_translate_bug.rb +3 -3
  66. data/lib/brakeman/checks/check_unsafe_reflection.rb +2 -2
  67. data/lib/brakeman/checks/check_unscoped_find.rb +1 -1
  68. data/lib/brakeman/checks/check_validation_regex.rb +1 -1
  69. data/lib/brakeman/checks/check_weak_hash.rb +6 -6
  70. data/lib/brakeman/checks/check_without_protection.rb +2 -2
  71. data/lib/brakeman/checks/check_xml_dos.rb +1 -1
  72. data/lib/brakeman/checks/check_yaml_parsing.rb +2 -2
  73. data/lib/brakeman/commandline.rb +2 -2
  74. data/lib/brakeman/options.rb +9 -5
  75. data/lib/brakeman/processors/alias_processor.rb +3 -1
  76. data/lib/brakeman/processors/lib/rails2_route_processor.rb +8 -8
  77. data/lib/brakeman/processors/lib/render_helper.rb +3 -3
  78. data/lib/brakeman/report.rb +9 -6
  79. data/lib/brakeman/report/report_base.rb +2 -1
  80. data/lib/brakeman/report/report_text.rb +4 -6
  81. data/lib/brakeman/rescanner.rb +8 -8
  82. data/lib/brakeman/tracker.rb +3 -3
  83. data/lib/brakeman/tracker/collection.rb +1 -1
  84. data/lib/brakeman/util.rb +5 -1
  85. data/lib/brakeman/version.rb +1 -1
  86. data/lib/brakeman/warning.rb +49 -21
  87. metadata +2 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 6ea39e3c7752e86b8da762679f4be12d12b1cfe3
4
- data.tar.gz: e20bf45bbb80ec0a7240e660c0cd6ce85ff0a5c5
3
+ metadata.gz: 6da0818252caeb9fcafb77f9d0ed792d68d916e1
4
+ data.tar.gz: ffa5242a910ffdd4ad3165a968621192917f6e65
5
5
  SHA512:
6
- metadata.gz: 242bf5b348b80e1dcffffdec4c59be702ea8e88270208dad51333659d075e68d8538bd07e0b6cb01f08440dfdec3ae86ff63b47ae370628e8ac411a47a917457
7
- data.tar.gz: 0d88e3d597bd0bb1b152ad28c9be4056b0b838829aeb40f440a538481cec908055be2f9cbc3b34226fb22ed2b0c4440e81b61db221f8f5224a729b27e1210443
6
+ metadata.gz: 17475a7bc6c647f7a017bcb9553da54dff68841e3e4a643942e438a1789894181fb9486330fe183aadf720acdd993e9b2e23012d06287b6a5106a30ea0959981
7
+ data.tar.gz: f8ef2192d20f49d9c2f379b31af16589e0fdcf83e9ed9d29005080121b9dc6c773c6b3ba4581225df534694fac170283b517b12bf2909fd1b3fb8648f44eb276
data/CHANGES CHANGED
@@ -1,3 +1,17 @@
1
+ # 4.0.0
2
+
3
+ * Add simple pager for reports output to terminal
4
+ * Rename "Cross Site Scripting" to "Cross-Site Scripting" (Paul Tetreau)
5
+ * Rearrange tests a little bit
6
+ * Treat `request.cookies` like `cookies`
7
+ * Treat `fail`/`raise` like early returns
8
+ * Remove reliance on `CONFIDENCE` constant in checks
9
+ * Remove low confidence mass assignment warnings
10
+ * Reduce warnings about XSS in `link_to`
11
+ * "Plain" report output is now the default
12
+ * --exit-on-error and --exit-on-warn are now the default
13
+ * Fix --exit-on-error and --exit-on-warn in config files
14
+
1
15
  # 3.7.2
2
16
 
3
17
  * Fix --ensure-latest (David Guyon)
@@ -300,7 +314,7 @@
300
314
  # 3.0.0
301
315
 
302
316
  * Add check for CVE-2014-7829
303
- * Add check for cross site scripting via inline renders
317
+ * Add check for cross-site scripting via inline renders
304
318
  * Fix formatting of command interpolation
305
319
  * Local variables are no longer formatted as `(local var)`
306
320
  * Actually skip skipped before filters
data/FEATURES CHANGED
@@ -1,5 +1,5 @@
1
1
  Can detect:
2
- -Possibly unescaped model attributes or parameters in views (Cross Site Scripting)
2
+ -Possibly unescaped model attributes or parameters in views (Cross-Site Scripting)
3
3
  -Bad string interpolation in calls to Model.find, Model.last, Model.first, etc., as well as chained calls (SQL Injection)
4
4
  -String interpolation in find_by_sql (SQL Injection)
5
5
  -String interpolation or params in calls to system, exec, and syscall and `` (Command Injection)
@@ -38,7 +38,8 @@ module Brakeman
38
38
  # * :combine_locations - combine warning locations (default: true)
39
39
  # * :config_file - configuration file
40
40
  # * :escape_html - escape HTML by default (automatic)
41
- # * :exit_on_warn - return false if warnings found, true otherwise. Not recommended for library use (default: false)
41
+ # * :exit_on_error - only affects Commandline module (default: true)
42
+ # * :exit_on_warn - only affects Commandline module (default: true)
42
43
  # * :github_repo - github repo to use for file links (user/repo[/path][@ref])
43
44
  # * :highlight_user_input - highlight user input in reported warnings (default: true)
44
45
  # * :html_style - path to CSS file
@@ -71,6 +72,7 @@ module Brakeman
71
72
  if @quiet
72
73
  options[:report_progress] = false
73
74
  end
75
+
74
76
  scan options
75
77
  end
76
78
 
@@ -156,23 +158,26 @@ module Brakeman
156
158
  #Default set of options
157
159
  def self.default_options
158
160
  { :assume_all_routes => true,
159
- :skip_checks => Set.new,
160
161
  :check_arguments => true,
161
- :safe_methods => Set.new,
162
- :min_confidence => 2,
163
- :combine_locations => true,
164
162
  :collapse_mass_assignment => false,
163
+ :combine_locations => true,
164
+ :engine_paths => ["engines/*"],
165
+ :exit_on_error => true,
166
+ :exit_on_warn => true,
165
167
  :highlight_user_input => true,
166
- :ignore_redirect_to_model => true,
168
+ :html_style => "#{File.expand_path(File.dirname(__FILE__))}/brakeman/format/style.css",
167
169
  :ignore_model_output => false,
170
+ :ignore_redirect_to_model => true,
168
171
  :index_libs => true,
169
172
  :message_limit => 100,
173
+ :min_confidence => 2,
174
+ :output_color => true,
175
+ :pager => true,
170
176
  :parallel_checks => true,
171
177
  :relative_path => false,
172
178
  :report_progress => true,
173
- :html_style => "#{File.expand_path(File.dirname(__FILE__))}/brakeman/format/style.css",
174
- :output_color => true,
175
- :engine_paths => ["engines/*"]
179
+ :safe_methods => Set.new,
180
+ :skip_checks => Set.new,
176
181
  }
177
182
  end
178
183
 
@@ -213,10 +218,12 @@ module Brakeman
213
218
  [:to_markdown]
214
219
  when :cc, :to_cc, :codeclimate, :to_codeclimate
215
220
  [:to_codeclimate]
216
- when :plain ,:to_plain
217
- [:to_plain]
221
+ when :plain ,:to_plain, :text, :to_text, :to_s
222
+ [:to_text]
223
+ when :table, :to_table
224
+ [:to_table]
218
225
  else
219
- [:to_s]
226
+ [:to_text]
220
227
  end
221
228
  end
222
229
  private_class_method :get_formats_from_output_format
@@ -239,9 +246,11 @@ module Brakeman
239
246
  when /(\.cc|\.codeclimate)$/i
240
247
  :to_codeclimate
241
248
  when /\.plain$/i
242
- :to_plain
249
+ :to_text
250
+ when /\.table$/i
251
+ :to_table
243
252
  else
244
- :to_s
253
+ :to_text
245
254
  end
246
255
  end
247
256
  end
@@ -388,12 +397,41 @@ module Brakeman
388
397
  tracker.options[:output_color] = false
389
398
  end
390
399
 
391
- output_formats.each do |output_format|
392
- puts tracker.report.format(output_format)
400
+ if not $stdout.tty? or not tracker.options[:pager] or output_formats.length > 1 # does this ever happen??
401
+ output_formats.each do |output_format|
402
+ puts tracker.report.format(output_format)
403
+ end
404
+ else
405
+ page_output tracker.report.format(output_formats.first)
393
406
  end
394
407
  end
395
408
  private_class_method :write_report_to_formats
396
409
 
410
+ def self.page_output text
411
+ if system("which less")
412
+ # Adapted from https://github.com/piotrmurach/tty-pager/
413
+ write_io = open("|less -R", 'w')
414
+ pid = write_io.pid
415
+
416
+ write_io.write(text)
417
+ write_io.close
418
+
419
+ Process.waitpid2(pid, Process::WNOHANG)
420
+ else
421
+ load_brakeman_dependency 'highline'
422
+ h = ::HighLine.new
423
+ h.page_at = :auto
424
+ h.say tracker.report.format(output_formats.first)
425
+ end
426
+ rescue Errno::ECHILD
427
+ # on jruby 9x waiting on pid raises (per tty-pager)
428
+ true
429
+ rescue => e
430
+ warn "[Error] #{e}"
431
+ warn "[Error] Could not use pager. Set --no-pager to avoid this issue."
432
+ puts tracker.report.format(output_formats.first)
433
+ end
434
+
397
435
  #Rescan a subset of files in a Rails application.
398
436
  #
399
437
  #A full scan must have been run already to use this method.
@@ -508,7 +546,7 @@ module Brakeman
508
546
  missing = Brakeman::Checks.missing_checks(included_checks || Set.new, excluded_checks || Set.new)
509
547
 
510
548
  unless missing.empty?
511
- raise MissingChecksError, "Could not find specified check#{missing.length > 1 ? 's' : ''}: #{missing.to_a.join(', ')}"
549
+ raise MissingChecksError, "Could not find specified check#{missing.length > 1 ? 's' : ''}: #{missing.map {|c| "`#{c}`"}.join(', ')}"
512
550
  end
513
551
  end
514
552
 
@@ -67,7 +67,7 @@ class Brakeman::CallIndex
67
67
 
68
68
  def remove_template_indexes template_name = nil
69
69
  [@calls_by_method, @calls_by_target].each do |calls_by|
70
- calls_by.each do |name, calls|
70
+ calls_by.each do |_name, calls|
71
71
  calls.delete_if do |call|
72
72
  from_template call, template_name
73
73
  end
@@ -77,7 +77,7 @@ class Brakeman::CallIndex
77
77
 
78
78
  def remove_indexes_by_class classes
79
79
  [@calls_by_method, @calls_by_target].each do |calls_by|
80
- calls_by.each do |name, calls|
80
+ calls_by.each do |_name, calls|
81
81
  calls.delete_if do |call|
82
82
  call[:location][:type] == :class and classes.include? call[:location][:class]
83
83
  end
@@ -10,7 +10,9 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
10
10
  include Brakeman::Util
11
11
  attr_reader :tracker, :warnings
12
12
 
13
- CONFIDENCE = { :high => 0, :med => 1, :low => 2 }
13
+ # This is for legacy support.
14
+ # Use :high, :medium, or :low instead when creating warnings.
15
+ CONFIDENCE = Brakeman::Warning::CONFIDENCE
14
16
 
15
17
  Match = Struct.new(:type, :match)
16
18
 
@@ -60,7 +62,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
60
62
  #Default Sexp processing. Iterates over each value in the Sexp
61
63
  #and processes them if they are also Sexps.
62
64
  def process_default exp
63
- exp.each_with_index do |e, i|
65
+ exp.each_with_index do |e, _i|
64
66
  if sexp? e
65
67
  process e
66
68
  else
@@ -17,7 +17,7 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
17
17
  end
18
18
 
19
19
  def check_basic_auth_filter
20
- controllers = tracker.controllers.select do |name, c|
20
+ controllers = tracker.controllers.select do |_name, c|
21
21
  c.options[:http_basic_authenticate_with]
22
22
  end
23
23
 
@@ -30,7 +30,7 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
30
30
  :warning_code => :basic_auth_password,
31
31
  :message => "Basic authentication password stored in source code",
32
32
  :code => call,
33
- :confidence => 0,
33
+ :confidence => :high,
34
34
  :file => controller.file
35
35
  break
36
36
  end
@@ -50,7 +50,7 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
50
50
  :warning_type => "Basic Auth",
51
51
  :warning_code => :basic_auth_password,
52
52
  :message => "Basic authentication password stored in source code",
53
- :confidence => 0
53
+ :confidence => :high
54
54
  end
55
55
  end
56
56
  end
@@ -26,7 +26,7 @@ class Brakeman::CheckBasicAuthTimingAttack < Brakeman::BaseCheck
26
26
  :warning_type => "Timing Attack",
27
27
  :warning_code => :CVE_2015_7576,
28
28
  :message => "Basic authentication in Rails #{rails_version} is vulnerable to timing attacks. Upgrade to #@upgrade",
29
- :confidence => CONFIDENCE[:high],
29
+ :confidence => :high,
30
30
  :link => "https://groups.google.com/d/msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ"
31
31
  end
32
32
  end
@@ -66,7 +66,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
66
66
 
67
67
  #Attribute keys are never escaped, so check them for user input
68
68
  if not @matched and hash? attributes and not request_value? attributes
69
- hash_iterate(attributes) do |k, v|
69
+ hash_iterate(attributes) do |k, _v|
70
70
  check_argument result, k
71
71
  return if @matched
72
72
  end
@@ -79,7 +79,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
79
79
  if request_value? attributes or not hash? attributes
80
80
  check_argument result, attributes
81
81
  else #check hash values
82
- hash_iterate(attributes) do |k, v|
82
+ hash_iterate(attributes) do |_k, v|
83
83
  check_argument result, v
84
84
  return if @matched
85
85
  end
@@ -101,11 +101,11 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
101
101
  add_result result
102
102
 
103
103
  warn :result => result,
104
- :warning_type => "Cross Site Scripting",
104
+ :warning_type => "Cross-Site Scripting",
105
105
  :warning_code => :xss_content_tag,
106
106
  :message => message,
107
107
  :user_input => input,
108
- :confidence => CONFIDENCE[:high],
108
+ :confidence => :high,
109
109
  :link_path => "content_tag"
110
110
 
111
111
  elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(arg)
@@ -113,13 +113,13 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
113
113
  add_result result
114
114
 
115
115
  if likely_model_attribute? match
116
- confidence = CONFIDENCE[:high]
116
+ confidence = :high
117
117
  else
118
- confidence = CONFIDENCE[:med]
118
+ confidence = :medium
119
119
  end
120
120
 
121
121
  warn :result => result,
122
- :warning_type => "Cross Site Scripting",
122
+ :warning_type => "Cross-Site Scripting",
123
123
  :warning_code => :xss_content_tag,
124
124
  :message => "Unescaped model attribute in content_tag",
125
125
  :user_input => match,
@@ -135,11 +135,11 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
135
135
  add_result result
136
136
 
137
137
  warn :result => result,
138
- :warning_type => "Cross Site Scripting",
138
+ :warning_type => "Cross-Site Scripting",
139
139
  :warning_code => :xss_content_tag,
140
140
  :message => message,
141
141
  :user_input => @matched,
142
- :confidence => CONFIDENCE[:med],
142
+ :confidence => :medium,
143
143
  :link_path => "content_tag"
144
144
  end
145
145
  end
@@ -159,9 +159,9 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
159
159
  def check_cve_2016_6316
160
160
  if cve_2016_6316?
161
161
  confidence = if @content_tags.any?
162
- CONFIDENCE[:high]
162
+ :high
163
163
  else
164
- CONFIDENCE[:med]
164
+ :medium
165
165
  end
166
166
 
167
167
  fix_version = case
@@ -179,7 +179,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
179
179
  return
180
180
  end
181
181
 
182
- warn :warning_type => "Cross Site Scripting",
182
+ warn :warning_type => "Cross-Site Scripting",
183
183
  :warning_code => :CVE_2016_6316,
184
184
  :message => "Rails #{rails_version} content_tag does not escape double quotes in attribute values (CVE-2016-6316). Upgrade to #{fix_version}",
185
185
  :confidence => confidence,
@@ -51,15 +51,15 @@ class Brakeman::CheckCreateWith < Brakeman::BaseCheck
51
51
  if call? exp and exp.method == :permit
52
52
  nil
53
53
  elsif request_value? exp
54
- CONFIDENCE[:high]
54
+ :high
55
55
  elsif hash? exp
56
56
  nil
57
57
  elsif has_immediate_user_input?(exp)
58
- CONFIDENCE[:high]
58
+ :high
59
59
  elsif include_user_input? exp
60
- CONFIDENCE[:med]
60
+ :medium
61
61
  else
62
- CONFIDENCE[:low]
62
+ :weak
63
63
  end
64
64
  end
65
65
 
@@ -68,7 +68,7 @@ class Brakeman::CheckCreateWith < Brakeman::BaseCheck
68
68
  :warning_code => :CVE_2014_3514,
69
69
  :message => @message,
70
70
  :gem_info => gemfile_or_environment,
71
- :confidence => CONFIDENCE[:med],
71
+ :confidence => :medium,
72
72
  :link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"
73
73
  end
74
74
  end
@@ -73,11 +73,11 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
73
73
  message = "Unescaped #{friendly_type_of input}"
74
74
 
75
75
  warn :template => @current_template,
76
- :warning_type => "Cross Site Scripting",
76
+ :warning_type => "Cross-Site Scripting",
77
77
  :warning_code => :cross_site_scripting,
78
78
  :message => message,
79
79
  :code => input.match,
80
- :confidence => CONFIDENCE[:high]
80
+ :confidence => :high
81
81
 
82
82
  elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(out)
83
83
  method = if call? match
@@ -90,9 +90,9 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
90
90
  add_result exp
91
91
 
92
92
  if likely_model_attribute? match
93
- confidence = CONFIDENCE[:high]
93
+ confidence = :high
94
94
  else
95
- confidence = CONFIDENCE[:med]
95
+ confidence = :medium
96
96
  end
97
97
 
98
98
  message = "Unescaped model attribute"
@@ -106,7 +106,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
106
106
  end
107
107
 
108
108
  warn :template => @current_template,
109
- :warning_type => "Cross Site Scripting",
109
+ :warning_type => "Cross-Site Scripting",
110
110
  :warning_code => warning_code,
111
111
  :message => message,
112
112
  :code => match,
@@ -178,18 +178,18 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
178
178
  warning_code = :cross_site_scripting
179
179
 
180
180
  if @known_dangerous.include? exp.method
181
- confidence = CONFIDENCE[:high]
181
+ confidence = :high
182
182
  if exp.method == :to_json
183
183
  message += " in JSON hash"
184
184
  link_path += "_to_json"
185
185
  warning_code = :xss_to_json
186
186
  end
187
187
  else
188
- confidence = CONFIDENCE[:low]
188
+ confidence = :weak
189
189
  end
190
190
 
191
191
  warn :template => @current_template,
192
- :warning_type => "Cross Site Scripting",
192
+ :warning_type => "Cross-Site Scripting",
193
193
  :warning_code => warning_code,
194
194
  :message => message,
195
195
  :code => exp,
@@ -21,7 +21,7 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
21
21
  :warning_code => :all_default_routes,
22
22
  :message => "All public methods in controllers are available as actions in routes.rb",
23
23
  :line => tracker.routes[:allow_all_actions].line,
24
- :confidence => CONFIDENCE[:high],
24
+ :confidence => :high,
25
25
  :file => "#{tracker.app_path}/config/routes.rb"
26
26
  end
27
27
  end
@@ -43,7 +43,7 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
43
43
  :warning_code => :controller_default_routes,
44
44
  :message => "Any public method in #{name} can be used as an action for #{verb} requests.",
45
45
  :line => actions[2],
46
- :confidence => CONFIDENCE[:med],
46
+ :confidence => :medium,
47
47
  :file => "#{tracker.app_path}/config/routes.rb"
48
48
  end
49
49
  end
@@ -67,9 +67,9 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
67
67
  end
68
68
 
69
69
  if allow_all_actions? or @actions_allowed_on_controller
70
- confidence = CONFIDENCE[:high]
70
+ confidence = :high
71
71
  else
72
- confidence = CONFIDENCE[:med]
72
+ confidence = :medium
73
73
  end
74
74
 
75
75
  warn :warning_type => "Remote Code Execution",