brakeman-min 0.4.1 → 0.5.0
- data/bin/brakeman +15 -0
- data/lib/checks.rb +4 -0
- data/lib/checks/check_session_settings.rb +45 -2
- data/lib/processor.rb +1 -1
- data/lib/processors/lib/rails3_route_processor.rb +12 -0
- data/lib/version.rb +1 -1
- metadata +4 -4
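--- a/data/bin/brakeman
+++ b/data/bin/brakeman
@@ -12,6 +12,14 @@ trap("INT") do
 exit!
 end
 
+def list_checks
+require 'scanner'
+$stderr.puts "Available Checks:"
+$stderr.puts "-" * 30
+$stderr.puts Checks.checks.map { |c| c.to_s }.sort.join "\n"
+exit
+end
+
 #Parse command line options
 options = {}
 
@@ -126,6 +134,10 @@ OptionParser.new do |opts|
 
 opts.separator ""
 
+opts.on "-k", "--checks", "List all available vulnerability checks" do
+options[:list_checks] = true
+end
+
 opts.on_tail "-h", "--help", "Display this message" do
 puts opts
 exit
@@ -154,6 +166,9 @@ end
 
 OPTIONS = options unless defined? OPTIONS
 
+#List available checks and exits
+list_checks if OPTIONS[:list_checks]
+
 #Set defaults just in case
 { :skip_checks => Set.new,
 :check_arguments => true,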
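Review bot: `list_checks` writes the check list to `$stderr`, so `brakeman -k` cannot be piped or grepped and the listing looks like an error to callers, while the neighbouring `-h` handler prints with `puts` to stdout; the listing belongs on stdout, e.g. `puts Checks.checks.map(&:to_s).sort.join("\n")`. The `require 'scanner'` inside the method is presumably deliberate so that check classes are only loaded after `OPTIONS` is assigned (the `list_checks` call sits right after `OPTIONS = options`); a one-line comment would stop someone hoisting it, e.g. `#Check classes read OPTIONS at load time, so require them only after OPTIONS is set`. The comment `#List available checks and exits` should read `#Lists available checks and exits`.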
data/lib/checks.rb
@@ -1,13 +1,52 @@
|
|
1
1
|
require 'checks/base_check'
|
2
2
|
|
3
|
+
#Checks for session key length and http_only settings
|
3
4
|
class CheckSessionSettings < BaseCheck
|
4
5
|
Checks.add self
|
5
6
|
|
7
|
+
if OPTIONS[:rails3]
|
8
|
+
SessionSettings = Sexp.new(:call, Sexp.new(:colon2, Sexp.new(:const, :Rails3), :Application), :config, Sexp.new(:arglist))
|
9
|
+
else
|
10
|
+
SessionSettings = Sexp.new(:colon2, Sexp.new(:const, :ActionController), :Base)
|
11
|
+
end
|
12
|
+
|
6
13
|
def run_check
|
7
14
|
settings = tracker.config[:rails] and
|
8
15
|
tracker.config[:rails][:action_controller] and
|
9
16
|
tracker.config[:rails][:action_controller][:session]
|
10
17
|
|
18
|
+
check_for_issues settings, "#{OPTIONS[:app_path]}/config/environment.rb"
|
19
|
+
|
20
|
+
if tracker.initializers["session_store.rb"]
|
21
|
+
process tracker.initializers["session_store.rb"]
|
22
|
+
end
|
23
|
+
end
|
24
|
+
|
25
|
+
#Looks for ActionController::Base.session = { ... }
|
26
|
+
#in Rails 2.x apps
|
27
|
+
def process_attrasgn exp
|
28
|
+
if not OPTIONS[:rails3] and exp[1] == SessionSettings and exp[2] == :session=
|
29
|
+
check_for_issues exp[3][1], "#{OPTIONS[:app_path]}/config/initializers/session_store.rb"
|
30
|
+
exp
|
31
|
+
else
|
32
|
+
super
|
33
|
+
end
|
34
|
+
end
|
35
|
+
|
36
|
+
#Looks for Rails3::Application.config.session_store :cookie_store, { ... }
|
37
|
+
#in Rails 3.x apps
|
38
|
+
def process_call exp
|
39
|
+
if OPTIONS[:rails3] and exp[1] == SessionSettings and exp[2] == :session_store
|
40
|
+
check_for_issues exp[3][2], "#{OPTIONS[:app_path]}/config/initializers/session_store.rb"
|
41
|
+
exp
|
42
|
+
else
|
43
|
+
super
|
44
|
+
end
|
45
|
+
end
|
46
|
+
|
47
|
+
private
|
48
|
+
|
49
|
+
def check_for_issues settings, file
|
11
50
|
if settings and hash? settings
|
12
51
|
hash_iterate settings do |key, value|
|
13
52
|
if symbol? key
|
@@ -18,7 +57,9 @@ class CheckSessionSettings < BaseCheck
|
|
18
57
|
|
19
58
|
warn :warning_type => "Session Setting",
|
20
59
|
:message => "Session cookies should be set to HTTP only",
|
21
|
-
:confidence => CONFIDENCE[:high]
|
60
|
+
:confidence => CONFIDENCE[:high],
|
61
|
+
:line => key.line,
|
62
|
+
:file => file
|
22
63
|
|
23
64
|
elsif key[1] == :secret and
|
24
65
|
string? value and
|
@@ -26,7 +67,9 @@ class CheckSessionSettings < BaseCheck
|
|
26
67
|
|
27
68
|
warn :warning_type => "Session Setting",
|
28
69
|
:message => "Session secret should be at least 30 characters long",
|
29
|
-
:confidence => CONFIDENCE[:high]
|
70
|
+
:confidence => CONFIDENCE[:high],
|
71
|
+
:line => key.line,
|
72
|
+
:file => file
|
30
73
|
|
31
74
|
end
|
32
75
|
end
|
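Review bot: In the Rails 3 branch of `process_call` the hash passed to `check_for_issues` is the second argument of `config.session_store`, which carries cookie options such as `:key` and `:httponly` but not the secret — Rails 3 generators put that in `config.secret_token` in `config/initializers/secret_token.rb`, so the "Session secret should be at least 30 characters long" warning in `check_for_issues` will presumably never fire for Rails 3 apps; that gap deserves a `#TODO` on `process_call` or a separate check of the secret_token initializer. `SessionSettings` is computed from `OPTIONS[:rails3]` while the class body is evaluated, which ties the check to require order and, in the Rails 3 case, to the config processor having already rewritten the application module to `Rails3::Application` (not shown in this hunk, so worth confirming); a comment such as `#Evaluated at load time: OPTIONS must already be set, and the Rails 3 app module is expected to be normalized to Rails3` would make that explicit. In `process_attrasgn`, `if not OPTIONS[:rails3] and ...` mixes the low-precedence `not`/`and` keywords; `if !OPTIONS[:rails3] && exp[1] == SessionSettings && exp[2] == :session=` reads the same without the precedence trap. `check_for_issues` continues past the end of the first hunk.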
data/lib/processor.rb
@@ -75,7 +75,7 @@ class Processor
|
|
75
75
|
def process_initializer name, src
|
76
76
|
res = BaseProcessor.new(@tracker).process src
|
77
77
|
res = AliasProcessor.new.process res
|
78
|
-
@tracker.initializers[name] = res
|
78
|
+
@tracker.initializers[Pathname.new(name).basename.to_s] = res
|
79
79
|
end
|
80
80
|
|
81
81
|
#Process source for a library file
|
@@ -106,6 +106,15 @@ class RoutesProcessor < BaseProcessor
|
|
106
106
|
|
107
107
|
if symbol? args[0]
|
108
108
|
@tracker.routes[@current_controller] << args[0][1]
|
109
|
+
elsif hash? args[1]
|
110
|
+
hash_iterate args[1] do |k, v|
|
111
|
+
if symbol? k and k[1] == :to and string? v
|
112
|
+
controller, action = extract_action v[1]
|
113
|
+
|
114
|
+
self.current_controller = controller
|
115
|
+
@tracker.routes[@current_controller] << action.to_sym
|
116
|
+
end
|
117
|
+
end
|
109
118
|
elsif string? args[0]
|
110
119
|
route = args[0][1].split "/"
|
111
120
|
if route.length != 2
|
@@ -154,16 +163,19 @@ class RoutesProcessor < BaseProcessor
|
|
154
163
|
def process_resources_block exp
|
155
164
|
process_resources exp[1]
|
156
165
|
process exp[3]
|
166
|
+
exp
|
157
167
|
end
|
158
168
|
|
159
169
|
def process_resource_block exp
|
160
170
|
process_resource exp[1]
|
161
171
|
process exp[3]
|
172
|
+
exp
|
162
173
|
end
|
163
174
|
|
164
175
|
def process_scope_block exp
|
165
176
|
#How to deal with options?
|
166
177
|
process exp[3]
|
178
|
+
exp
|
167
179
|
end
|
168
180
|
|
169
181
|
def extract_action str
|
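Review bot: In the new `elsif hash? args[1]` branch of the route processor, `controller, action = extract_action v[1]` is followed by `action.to_sym` with no nil guard; `extract_action` (its `def` is the last line of this hunk, body outside it) presumably splits on `#`, so a `:to => "..."` value that is not in `controller#action` form would leave `action` nil and raise `NoMethodError` mid-scan. A guard such as `next unless controller and action` before the two assignments keeps one malformed route from aborting the whole routes pass. `self.current_controller = controller` also changes state for every later `match` in the same block, so a comment saying whether that carry-over is intended would help. The `process_initializer` hunk now keys initializers by `Pathname.new(name).basename.to_s`, which `CheckSessionSettings` relies on via `tracker.initializers["session_store.rb"]`; two initializers sharing a basename in different directories would overwrite each other, which is probably acceptable but deserves a one-line comment.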
data/lib/version.rb
@@ -1 +1 @@
|
|
1
|
-
Version = "0.
|
1
|
+
Version = "0.5.0"
|
metadata
@@ -4,9 +4,9 @@ version: !ruby/object:Gem::Version
|
|
4
4
|
prerelease: false
|
5
5
|
segments:
|
6
6
|
- 0
|
7
|
-
-
|
8
|
-
-
|
9
|
-
version: 0.
|
7
|
+
- 5
|
8
|
+
- 0
|
9
|
+
version: 0.5.0
|
10
10
|
platform: ruby
|
11
11
|
authors:
|
12
12
|
- Justin Collins
|
@@ -14,7 +14,7 @@ autorequire:
|
|
14
14
|
bindir: bin
|
15
15
|
cert_chain: []
|
16
16
|
|
17
|
-
date: 2011-
|
17
|
+
date: 2011-06-08 00:00:00 -07:00
|
18
18
|
default_executable:
|
19
19
|
dependencies:
|
20
20
|
- !ruby/object:Gem::Dependency
|