brakeman-min 2.1.1 → 2.1.2
Sign up to get free protection for your applications and to get access to all the features.
- data/CHANGES +7 -0
- data/lib/brakeman/checks/check_cross_site_scripting.rb +2 -0
- data/lib/brakeman/checks/check_model_attr_accessible.rb +4 -4
- data/lib/brakeman/options.rb +4 -0
- data/lib/brakeman/processors/haml_template_processor.rb +0 -16
- data/lib/brakeman/util.rb +3 -1
- data/lib/brakeman/version.rb +1 -1
- metadata +94 -94
data/CHANGES
CHANGED
@@ -1,3 +1,10 @@
|
|
1
|
+
# 2.1.2
|
2
|
+
|
3
|
+
* Do not attempt to load custom Haml filters
|
4
|
+
* Do not warn about `to_json` XSS in Rails 4
|
5
|
+
* Add --table-width option to set width of text reports (ssendev)
|
6
|
+
* Remove fuzzy matching on dangerous attr_accessible values
|
7
|
+
|
1
8
|
# 2.1.1
|
2
9
|
|
3
10
|
* New warning code for dangerous attributes in attr_accessible
|
@@ -66,6 +66,8 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
|
|
66
66
|
true? tracker.config[:rails][:active_support][:escape_html_entities_in_json]
|
67
67
|
|
68
68
|
json_escape_on = true
|
69
|
+
elsif version_between? "4.0.0", "5.0.0"
|
70
|
+
json_escape_on = true
|
69
71
|
end
|
70
72
|
|
71
73
|
if !json_escape_on or version_between? "0.0.0", "2.0.99"
|
@@ -11,9 +11,9 @@ class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
|
|
11
11
|
@description = "Reports models which have dangerous attributes defined under the attr_accessible whitelist."
|
12
12
|
|
13
13
|
SUSP_ATTRS = [
|
14
|
-
[
|
15
|
-
[
|
16
|
-
[
|
14
|
+
[:admin, CONFIDENCE[:high]], # Very dangerous unless some Rails authorization used
|
15
|
+
[:role, CONFIDENCE[:med]],
|
16
|
+
[:banned, CONFIDENCE[:med]],
|
17
17
|
[:account_id, CONFIDENCE[:high]],
|
18
18
|
[/\S*_id(s?)\z/, CONFIDENCE[:low]] # All other foreign keys have weak/low confidence
|
19
19
|
]
|
@@ -29,7 +29,7 @@ class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
|
|
29
29
|
:file => model[:file],
|
30
30
|
:warning_type => "Mass Assignment",
|
31
31
|
:warning_code => :dangerous_attr_accessible,
|
32
|
-
:message => "Potentially dangerous attribute #{attribute} available for mass assignment
|
32
|
+
:message => "Potentially dangerous attribute '#{attribute}' available for mass assignment",
|
33
33
|
:confidence => confidence
|
34
34
|
break # Prevent from matching single attr multiple times
|
35
35
|
end
|
data/lib/brakeman/options.rb
CHANGED
@@ -177,6 +177,10 @@ module Brakeman::Options
|
|
177
177
|
options[:message_limit] = limit.to_i
|
178
178
|
end
|
179
179
|
|
180
|
+
opts.on "--table-width WIDTH", "Limit table width in text report" do |width|
|
181
|
+
options[:table_width] = width.to_i
|
182
|
+
end
|
183
|
+
|
180
184
|
opts.on "-o", "--output FILE", "Specify files for output. Defaults to stdout. Multiple '-o's allowed" do |file|
|
181
185
|
options[:output_files] ||= []
|
182
186
|
options[:output_files].push(file)
|
@@ -4,22 +4,6 @@ require 'brakeman/processors/template_processor'
|
|
4
4
|
class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
|
5
5
|
HAML_FORMAT_METHOD = /format_script_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)/
|
6
6
|
|
7
|
-
def initialize *args
|
8
|
-
super
|
9
|
-
|
10
|
-
@tracker.libs.each do |name, lib|
|
11
|
-
if name.to_s =~ /^Haml::Filters/
|
12
|
-
begin
|
13
|
-
require lib[:file]
|
14
|
-
rescue Exception => e
|
15
|
-
if @tracker.options[:debug]
|
16
|
-
raise e
|
17
|
-
end
|
18
|
-
end
|
19
|
-
end
|
20
|
-
end
|
21
|
-
end
|
22
|
-
|
23
7
|
#Processes call, looking for template output
|
24
8
|
def process_call exp
|
25
9
|
target = exp.target
|
data/lib/brakeman/util.rb
CHANGED
@@ -384,7 +384,9 @@ module Brakeman::Util
|
|
384
384
|
end
|
385
385
|
|
386
386
|
def truncate_table str
|
387
|
-
@terminal_width ||= if
|
387
|
+
@terminal_width ||= if @tracker.options[:table_width]
|
388
|
+
@tracker.options[:table_width]
|
389
|
+
elsif $stdin && $stdin.tty?
|
388
390
|
Brakeman.load_brakeman_dependency 'highline'
|
389
391
|
::HighLine.new.terminal_size[0]
|
390
392
|
else
|
data/lib/brakeman/version.rb
CHANGED
metadata
CHANGED
@@ -1,13 +1,13 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: brakeman-min
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
hash:
|
4
|
+
hash: 15
|
5
5
|
prerelease:
|
6
6
|
segments:
|
7
7
|
- 2
|
8
8
|
- 1
|
9
|
-
-
|
10
|
-
version: 2.1.
|
9
|
+
- 2
|
10
|
+
version: 2.1.2
|
11
11
|
platform: ruby
|
12
12
|
authors:
|
13
13
|
- Justin Collins
|
@@ -15,7 +15,7 @@ autorequire:
|
|
15
15
|
bindir: bin
|
16
16
|
cert_chain: []
|
17
17
|
|
18
|
-
date: 2013-
|
18
|
+
date: 2013-09-18 00:00:00 Z
|
19
19
|
dependencies:
|
20
20
|
- !ruby/object:Gem::Dependency
|
21
21
|
name: ruby_parser
|
@@ -78,121 +78,121 @@ files:
|
|
78
78
|
- WARNING_TYPES
|
79
79
|
- FEATURES
|
80
80
|
- README.md
|
81
|
-
- lib/brakeman/
|
81
|
+
- lib/brakeman/version.rb
|
82
|
+
- lib/brakeman/differ.rb
|
83
|
+
- lib/brakeman/util.rb
|
82
84
|
- lib/brakeman/brakeman.rake
|
83
85
|
- lib/brakeman/call_index.rb
|
84
|
-
- lib/brakeman/
|
86
|
+
- lib/brakeman/report/report_json.rb
|
87
|
+
- lib/brakeman/report/report_hash.rb
|
88
|
+
- lib/brakeman/report/report_base.rb
|
89
|
+
- lib/brakeman/report/report_tabs.rb
|
90
|
+
- lib/brakeman/report/report_html.rb
|
91
|
+
- lib/brakeman/report/report_table.rb
|
92
|
+
- lib/brakeman/report/renderer.rb
|
93
|
+
- lib/brakeman/report/templates/controller_overview.html.erb
|
94
|
+
- lib/brakeman/report/templates/model_warnings.html.erb
|
95
|
+
- lib/brakeman/report/templates/template_overview.html.erb
|
96
|
+
- lib/brakeman/report/templates/view_warnings.html.erb
|
97
|
+
- lib/brakeman/report/templates/overview.html.erb
|
98
|
+
- lib/brakeman/report/templates/controller_warnings.html.erb
|
99
|
+
- lib/brakeman/report/templates/header.html.erb
|
100
|
+
- lib/brakeman/report/templates/error_overview.html.erb
|
101
|
+
- lib/brakeman/report/templates/security_warnings.html.erb
|
102
|
+
- lib/brakeman/report/templates/warning_overview.html.erb
|
103
|
+
- lib/brakeman/report/templates/ignored_warnings.html.erb
|
104
|
+
- lib/brakeman/report/report_csv.rb
|
105
|
+
- lib/brakeman/report/initializers/faster_csv.rb
|
106
|
+
- lib/brakeman/report/initializers/multi_json.rb
|
107
|
+
- lib/brakeman/report/ignore/interactive.rb
|
108
|
+
- lib/brakeman/report/ignore/config.rb
|
109
|
+
- lib/brakeman/tracker.rb
|
110
|
+
- lib/brakeman/report.rb
|
111
|
+
- lib/brakeman/scanner.rb
|
112
|
+
- lib/brakeman/processor.rb
|
113
|
+
- lib/brakeman/format/style.css
|
114
|
+
- lib/brakeman/warning_codes.rb
|
115
|
+
- lib/brakeman/app_tree.rb
|
116
|
+
- lib/brakeman/checks/check_select_vulnerability.rb
|
117
|
+
- lib/brakeman/checks/check_escape_function.rb
|
118
|
+
- lib/brakeman/checks/check_single_quotes.rb
|
119
|
+
- lib/brakeman/checks/check_model_serialize.rb
|
85
120
|
- lib/brakeman/checks/check_basic_auth.rb
|
121
|
+
- lib/brakeman/checks/check_safe_buffer_manipulation.rb
|
122
|
+
- lib/brakeman/checks/check_forgery_setting.rb
|
123
|
+
- lib/brakeman/checks/check_session_settings.rb
|
124
|
+
- lib/brakeman/checks/check_model_attributes.rb
|
125
|
+
- lib/brakeman/checks/check_redirect.rb
|
126
|
+
- lib/brakeman/checks/check_yaml_parsing.rb
|
127
|
+
- lib/brakeman/checks/check_skip_before_filter.rb
|
128
|
+
- lib/brakeman/checks/check_response_splitting.rb
|
129
|
+
- lib/brakeman/checks/check_mail_to.rb
|
86
130
|
- lib/brakeman/checks/check_content_tag.rb
|
87
|
-
- lib/brakeman/checks/
|
88
|
-
- lib/brakeman/checks/
|
131
|
+
- lib/brakeman/checks/check_unsafe_reflection.rb
|
132
|
+
- lib/brakeman/checks/check_sql.rb
|
133
|
+
- lib/brakeman/checks/check_select_tag.rb
|
134
|
+
- lib/brakeman/checks/check_model_attr_accessible.rb
|
135
|
+
- lib/brakeman/checks/check_mass_assignment.rb
|
136
|
+
- lib/brakeman/checks/check_link_to_href.rb
|
137
|
+
- lib/brakeman/checks/check_filter_skipping.rb
|
138
|
+
- lib/brakeman/checks/check_symbol_dos.rb
|
139
|
+
- lib/brakeman/checks/check_sanitize_methods.rb
|
140
|
+
- lib/brakeman/checks/check_file_access.rb
|
89
141
|
- lib/brakeman/checks/check_deserialize.rb
|
90
|
-
- lib/brakeman/checks/
|
91
|
-
- lib/brakeman/checks/
|
142
|
+
- lib/brakeman/checks/base_check.rb
|
143
|
+
- lib/brakeman/checks/check_validation_regex.rb
|
92
144
|
- lib/brakeman/checks/check_evaluation.rb
|
145
|
+
- lib/brakeman/checks/check_digest_dos.rb
|
146
|
+
- lib/brakeman/checks/check_render.rb
|
147
|
+
- lib/brakeman/checks/check_send_file.rb
|
148
|
+
- lib/brakeman/checks/check_json_parsing.rb
|
93
149
|
- lib/brakeman/checks/check_execute.rb
|
94
|
-
- lib/brakeman/checks/
|
95
|
-
- lib/brakeman/checks/check_filter_skipping.rb
|
96
|
-
- lib/brakeman/checks/check_forgery_setting.rb
|
150
|
+
- lib/brakeman/checks/check_translate_bug.rb
|
97
151
|
- lib/brakeman/checks/check_jruby_xml.rb
|
98
|
-
- lib/brakeman/checks/
|
152
|
+
- lib/brakeman/checks/check_default_routes.rb
|
99
153
|
- lib/brakeman/checks/check_link_to.rb
|
100
|
-
- lib/brakeman/checks/check_link_to_href.rb
|
101
|
-
- lib/brakeman/checks/check_mail_to.rb
|
102
|
-
- lib/brakeman/checks/check_mass_assignment.rb
|
103
|
-
- lib/brakeman/checks/check_model_attr_accessible.rb
|
104
|
-
- lib/brakeman/checks/check_model_attributes.rb
|
105
|
-
- lib/brakeman/checks/check_model_serialize.rb
|
106
|
-
- lib/brakeman/checks/check_nested_attributes.rb
|
107
154
|
- lib/brakeman/checks/check_quote_table_name.rb
|
108
|
-
- lib/brakeman/checks/check_redirect.rb
|
109
|
-
- lib/brakeman/checks/check_render.rb
|
110
|
-
- lib/brakeman/checks/check_response_splitting.rb
|
111
|
-
- lib/brakeman/checks/check_safe_buffer_manipulation.rb
|
112
|
-
- lib/brakeman/checks/check_sanitize_methods.rb
|
113
|
-
- lib/brakeman/checks/check_select_tag.rb
|
114
|
-
- lib/brakeman/checks/check_select_vulnerability.rb
|
115
155
|
- lib/brakeman/checks/check_send.rb
|
116
|
-
- lib/brakeman/checks/
|
117
|
-
- lib/brakeman/checks/check_session_settings.rb
|
118
|
-
- lib/brakeman/checks/check_single_quotes.rb
|
119
|
-
- lib/brakeman/checks/check_skip_before_filter.rb
|
120
|
-
- lib/brakeman/checks/check_sql.rb
|
156
|
+
- lib/brakeman/checks/check_cross_site_scripting.rb
|
121
157
|
- lib/brakeman/checks/check_strip_tags.rb
|
122
|
-
- lib/brakeman/checks/
|
123
|
-
- lib/brakeman/checks/check_translate_bug.rb
|
124
|
-
- lib/brakeman/checks/check_unsafe_reflection.rb
|
125
|
-
- lib/brakeman/checks/check_validation_regex.rb
|
158
|
+
- lib/brakeman/checks/check_nested_attributes.rb
|
126
159
|
- lib/brakeman/checks/check_without_protection.rb
|
127
|
-
- lib/brakeman/checks/check_yaml_parsing.rb
|
128
160
|
- lib/brakeman/checks.rb
|
129
|
-
- lib/brakeman/differ.rb
|
130
|
-
- lib/brakeman/format/style.css
|
131
|
-
- lib/brakeman/options.rb
|
132
|
-
- lib/brakeman/parsers/rails2_erubis.rb
|
133
|
-
- lib/brakeman/parsers/rails2_xss_plugin_erubis.rb
|
134
|
-
- lib/brakeman/parsers/rails3_erubis.rb
|
135
|
-
- lib/brakeman/processor.rb
|
136
|
-
- lib/brakeman/processors/alias_processor.rb
|
137
|
-
- lib/brakeman/processors/base_processor.rb
|
138
|
-
- lib/brakeman/processors/config_processor.rb
|
139
161
|
- lib/brakeman/processors/controller_alias_processor.rb
|
140
|
-
- lib/brakeman/processors/controller_processor.rb
|
141
|
-
- lib/brakeman/processors/erb_template_processor.rb
|
142
|
-
- lib/brakeman/processors/erubis_template_processor.rb
|
143
|
-
- lib/brakeman/processors/gem_processor.rb
|
144
|
-
- lib/brakeman/processors/haml_template_processor.rb
|
145
|
-
- lib/brakeman/processors/lib/find_all_calls.rb
|
146
|
-
- lib/brakeman/processors/lib/find_call.rb
|
147
162
|
- lib/brakeman/processors/lib/find_return_value.rb
|
148
|
-
- lib/brakeman/processors/lib/
|
149
|
-
- lib/brakeman/processors/lib/rails2_config_processor.rb
|
163
|
+
- lib/brakeman/processors/lib/route_helper.rb
|
150
164
|
- lib/brakeman/processors/lib/rails2_route_processor.rb
|
151
|
-
- lib/brakeman/processors/lib/rails3_config_processor.rb
|
152
|
-
- lib/brakeman/processors/lib/rails3_route_processor.rb
|
153
165
|
- lib/brakeman/processors/lib/render_helper.rb
|
154
|
-
- lib/brakeman/processors/lib/
|
155
|
-
- lib/brakeman/processors/
|
166
|
+
- lib/brakeman/processors/lib/rails2_config_processor.rb
|
167
|
+
- lib/brakeman/processors/lib/rails3_route_processor.rb
|
168
|
+
- lib/brakeman/processors/lib/processor_helper.rb
|
169
|
+
- lib/brakeman/processors/lib/rails3_config_processor.rb
|
170
|
+
- lib/brakeman/processors/lib/find_all_calls.rb
|
171
|
+
- lib/brakeman/processors/lib/find_call.rb
|
172
|
+
- lib/brakeman/processors/template_alias_processor.rb
|
156
173
|
- lib/brakeman/processors/model_processor.rb
|
157
174
|
- lib/brakeman/processors/output_processor.rb
|
175
|
+
- lib/brakeman/processors/library_processor.rb
|
176
|
+
- lib/brakeman/processors/erb_template_processor.rb
|
177
|
+
- lib/brakeman/processors/template_processor.rb
|
178
|
+
- lib/brakeman/processors/alias_processor.rb
|
179
|
+
- lib/brakeman/processors/config_processor.rb
|
180
|
+
- lib/brakeman/processors/gem_processor.rb
|
181
|
+
- lib/brakeman/processors/erubis_template_processor.rb
|
158
182
|
- lib/brakeman/processors/route_processor.rb
|
183
|
+
- lib/brakeman/processors/controller_processor.rb
|
159
184
|
- lib/brakeman/processors/slim_template_processor.rb
|
160
|
-
- lib/brakeman/processors/
|
161
|
-
- lib/brakeman/processors/
|
162
|
-
- lib/brakeman/report/ignore/config.rb
|
163
|
-
- lib/brakeman/report/ignore/interactive.rb
|
164
|
-
- lib/brakeman/report/initializers/faster_csv.rb
|
165
|
-
- lib/brakeman/report/initializers/multi_json.rb
|
166
|
-
- lib/brakeman/report/renderer.rb
|
167
|
-
- lib/brakeman/report/report_base.rb
|
168
|
-
- lib/brakeman/report/report_csv.rb
|
169
|
-
- lib/brakeman/report/report_hash.rb
|
170
|
-
- lib/brakeman/report/report_html.rb
|
171
|
-
- lib/brakeman/report/report_json.rb
|
172
|
-
- lib/brakeman/report/report_table.rb
|
173
|
-
- lib/brakeman/report/report_tabs.rb
|
174
|
-
- lib/brakeman/report/templates/controller_overview.html.erb
|
175
|
-
- lib/brakeman/report/templates/controller_warnings.html.erb
|
176
|
-
- lib/brakeman/report/templates/error_overview.html.erb
|
177
|
-
- lib/brakeman/report/templates/header.html.erb
|
178
|
-
- lib/brakeman/report/templates/ignored_warnings.html.erb
|
179
|
-
- lib/brakeman/report/templates/model_warnings.html.erb
|
180
|
-
- lib/brakeman/report/templates/overview.html.erb
|
181
|
-
- lib/brakeman/report/templates/security_warnings.html.erb
|
182
|
-
- lib/brakeman/report/templates/template_overview.html.erb
|
183
|
-
- lib/brakeman/report/templates/view_warnings.html.erb
|
184
|
-
- lib/brakeman/report/templates/warning_overview.html.erb
|
185
|
-
- lib/brakeman/report.rb
|
186
|
-
- lib/brakeman/rescanner.rb
|
187
|
-
- lib/brakeman/scanner.rb
|
188
|
-
- lib/brakeman/tracker.rb
|
189
|
-
- lib/brakeman/util.rb
|
190
|
-
- lib/brakeman/version.rb
|
185
|
+
- lib/brakeman/processors/haml_template_processor.rb
|
186
|
+
- lib/brakeman/processors/base_processor.rb
|
191
187
|
- lib/brakeman/warning.rb
|
192
|
-
- lib/brakeman/
|
193
|
-
- lib/brakeman.rb
|
188
|
+
- lib/brakeman/options.rb
|
189
|
+
- lib/brakeman/rescanner.rb
|
190
|
+
- lib/brakeman/parsers/rails2_erubis.rb
|
191
|
+
- lib/brakeman/parsers/rails3_erubis.rb
|
192
|
+
- lib/brakeman/parsers/rails2_xss_plugin_erubis.rb
|
194
193
|
- lib/ruby_parser/bm_sexp.rb
|
195
194
|
- lib/ruby_parser/bm_sexp_processor.rb
|
195
|
+
- lib/brakeman.rb
|
196
196
|
homepage: http://brakemanscanner.org
|
197
197
|
licenses:
|
198
198
|
- MIT
|