brakeman-min 6.2.1 → 6.2.2

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: ece525fc06c4479c6a04e17d7e2b52d067cb63202c9a18a33cae12e972bd72bc
4
- data.tar.gz: c4bd2918a3446c76cae053d9cf861b3229fa960a7be84659f2111925a594c41c
3
+ metadata.gz: c7523d5074d9d9352e585ad32ec90148c7a66452610d27bc29b7de5fe6770df9
4
+ data.tar.gz: db9859643a7a8ed60a3bb721614fc4a8a2cf2910dcfb5e4b89b32bf20e2af75e
5
5
  SHA512:
6
- metadata.gz: 2669bbdd7dae63586cc805e012ce8fd7630c243691e43b4bc83c45a05ace92bbf58a98971556f9a444b622e6f5a5fcd4cabe8362359388990a9dbb1863ea40df
7
- data.tar.gz: 7837535a3dcfbec38ec65dc4899668c5daa2409657948b034bcc5a46ca6c67ed206580839ff1f04f18ee821efd2bcebbefcef199961abd0b0c3995b7cb5b7c28
6
+ metadata.gz: 536df54884f0d9b9dba43be944335119b4fb75cd4096b69cdcec15b1058cb039985cd8923542f5d0df667d5609813fac1c1a0f511ee8169d4f0771bebb3be5b0
7
+ data.tar.gz: 782ec2ca43bb670743915f255510182bc6399bae367aba68cdad17508916b16abddda1bd6d5874c168d690ef67909495e25289a680a69fb921d9a4dcffdb6a2d
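--- a/data/CHANGES.md
+++ b/data/CHANGES.md
@@ -1,3 +1,9 @@
+# 6.2.2 - 2024-10-15
+
+* Ignore more native gems when building gem
+* Revamp command injection in `pipeline*` calls
+* New end-of-support dates for Rails
+
 # 6.2.1 - 2024-08-22
 
 Just a packaging fix for brakeman.gem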
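--- a/data/README.md
+++ b/data/README.md
@@ -2,7 +2,6 @@
 
 [![Build Status](https://circleci.com/gh/presidentbeef/brakeman.svg?style=svg)](https://circleci.com/gh/presidentbeef/brakeman)
 [![Test Coverage](https://api.codeclimate.com/v1/badges/1b08a5c74695cb0d11ec/test_coverage)](https://codeclimate.com/github/presidentbeef/brakeman/test_coverage)
-[![Gitter](https://badges.gitter.im/presidentbeef/brakeman.svg)](https://gitter.im/presidentbeef/brakeman)
 
 # Brakeman
 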
@@ -11,6 +11,8 @@ class Brakeman::CheckEOLRails < Brakeman::EOLCheck
11
11
  check_eol_version :rails, RAILS_EOL_DATES
12
12
  end
13
13
 
14
+ # https://rubyonrails.org/maintenance
15
+ # https://endoflife.date/rails
14
16
  RAILS_EOL_DATES = {
15
17
  ['2.0.0', '2.3.99'] => Date.new(2013, 6, 25),
16
18
  ['3.0.0', '3.2.99'] => Date.new(2016, 6, 30),
@@ -19,5 +21,9 @@ class Brakeman::CheckEOLRails < Brakeman::EOLCheck
19
21
  ['5.1.0', '5.1.99'] => Date.new(2019, 8, 25),
20
22
  ['5.2.0', '5.2.99'] => Date.new(2022, 6, 1),
21
23
  ['6.0.0', '6.0.99'] => Date.new(2023, 6, 1),
24
+ ['6.1.0', '6.1.99'] => Date.new(2024, 10, 1),
25
+ ['7.0.0', '7.0.99'] => Date.new(2025, 4, 1),
26
+ ['7.1.0', '7.1.99'] => Date.new(2025, 10, 1),
27
+ ['7.2.0', '7.2.99'] => Date.new(2026, 8, 9),
22
28
  }
23
29
  end
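Review bot: `RAILS_EOL_DATES` is still a mutable Hash after the new entries are added, so the closing brace at the end of this section should be `}.freeze`; the table is only read by `check_eol_version`, and freezing it prevents a stray mutation from silently changing which Rails series are reported as end-of-life. The two URL comments added above the table are helpful, but a one-line note on what the dates represent would ease the next refresh, e.g. `# Dates appear to mark the end of security support for each series; update when a new Rails minor ships.` — hedged, since the policy itself is not visible here. The constant's definition begins in the earlier hunk of this section.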
@@ -53,6 +53,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
53
53
  call = result[:call]
54
54
  args = call.arglist
55
55
  first_arg = call.first_arg
56
+ failure = nil
56
57
 
57
58
  case call.method
58
59
  when :popen
@@ -71,6 +72,33 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
71
72
  dangerous_interp?(first_arg[3]) ||
72
73
  dangerous_string_building?(first_arg[3])
73
74
  end
75
+ when :pipeline, :pipline_r, :pipeline_rw, :pipeline_w, :pipeline_start
76
+ # Since these pipeline commands pipe together several commands,
77
+ # need to check each argument. If it's an array, check first argument
78
+ # (the command) and also check for `bash -c`. Otherwise check the argument
79
+ # as a unit.
80
+
81
+ args.each do |arg|
82
+ next unless sexp? arg
83
+
84
+ if array?(arg)
85
+ # Check first element of array
86
+ failure = include_user_input?(arg[1]) ||
87
+ dangerous_interp?(arg[1]) ||
88
+ dangerous_string_building?(arg[1])
89
+
90
+ # Check for ['bash', '-c', user_input]
91
+ if dash_c_shell_command?(arg[1], arg[2])
92
+ failure = include_user_input?(arg[3]) ||
93
+ dangerous_interp?(arg[3]) ||
94
+ dangerous_string_building?(arg[3])
95
+ end
96
+ else
97
+ failure = include_user_input?(arg)
98
+ end
99
+
100
+ break if failure
101
+ end
74
102
  when :system, :exec
75
103
  # Normally, if we're in a `system` or `exec` call, we only are worried
76
104
  # about shell injection when there's a single argument, because comma-
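Review bot: The new `when` list at the top of the second hunk spells its second symbol `:pipline_r`, so `Open3.pipeline_r` calls never enter this branch and fall through to whatever the rest of the `case` does with unmatched methods; it should read `when :pipeline, :pipeline_r, :pipeline_rw, :pipeline_w, :pipeline_start`. The non-array branch near the end runs only `include_user_input?(arg)`, whereas the array branch directly above it and the `popen` handling earlier in the hunk also apply `dangerous_interp?` and `dangerous_string_building?`; a plain string command such as `"grep #{pattern}"` can be interpreted by the shell as one unit, so the same three checks belong there: `failure = include_user_input?(arg) || dangerous_interp?(arg) || dangerous_string_building?(arg)`. Note also that `arg[1]` is taken as the command name even though the Open3 array form may start with an env hash, in which case that hash rather than the real command would presumably be what gets checked — worth confirming against the sexp helpers. The enclosing method and its `case` statement both begin before and continue past this hunk.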
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "6.2.1"
2
+ Version = "6.2.2"
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: brakeman-min
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.2.1
4
+ version: 6.2.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Justin Collins
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-08-22 00:00:00.000000000 Z
11
+ date: 2024-10-17 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: csv
@@ -377,7 +377,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
377
377
  - !ruby/object:Gem::Version
378
378
  version: '0'
379
379
  requirements: []
380
- rubygems_version: 3.5.11
380
+ rubygems_version: 3.3.27
381
381
  signing_key:
382
382
  specification_version: 4
383
383
  summary: Security vulnerability scanner for Ruby on Rails.