brakeman-min 2.6.0 → 2.6.1

data/CHANGES

@@ -1,3 +1,9 @@
+# 2.6.1
+
+* Add check for CVE-2014-3482 and CVE-2014-3483
+* Add support for keyword arguments in blocks
+* Remove unused warning codes (Bill Fischer)
+
 # 2.6.0
 
 * Fix detection of `:host` setting in redirects with chained calls

data/lib/brakeman/checks/check_sql_cves.rb

@@ -48,6 +48,18 @@ class Brakeman::CheckSQLCVEs < Brakeman::BaseCheck
       }
     end
 
+    if tracker.config[:gems] and tracker.config[:gems][:pg]
+      issues << {
+        :cve => "CVE-2014-3482",
+        :versions => [%w[2.0.0 2.9.9 3.2.19], %w[3.0.0 3.2.18 3.2.19], %w[4.0.0 4.0.6 4.0.7], %w[4.1.0 4.1.2 4.1.3]],
+        :url => "https://groups.google.com/d/msg/rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J"
+      } <<
+      {
+        :cve => "CVE-2014-3483",
+        :versions => [%w[2.0.0 2.9.9 3.2.19], %w[3.0.0 3.2.18 3.2.19], %w[4.0.0 4.0.6 4.0.7], %w[4.1.0 4.1.2 4.1.3]],
+        :url => "https://groups.google.com/d/msg/rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J" }
+    end
+
     issues.each do |cve_issue|
       cve_warning_for cve_issue[:versions], cve_issue[:cve], cve_issue[:url]
     end

data/lib/brakeman/processors/alias_processor.rb

@@ -180,6 +180,8 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         #Force block arg(s) to be local
         if node_type? e, :lasgn
           env.current[Sexp.new(:lvar, e.lhs)] = e.rhs
+        elsif node_type? e, :kwarg
+          env.current[Sexp.new(:lvar, e[1])] = e[2]
         elsif node_type? e, :masgn
           e[1..-1].each do |var|
             local = Sexp.new(:lvar, var)

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "2.6.0"
+  Version = "2.6.1"
 end

data/lib/brakeman/warning_codes.rb

@@ -41,7 +41,7 @@ module Brakeman::WarningCodes
     :CVE_2012_2660 => 38,
     :CVE_2012_2661 => 39,
     :CVE_2012_2695 => 40,
-    :CVE_2012_2931 => 41,
+    #:CVE_2012_2931 => 41,
     :CVE_2012_3424 => 42,
     :CVE_2012_3463 => 43,
     :CVE_2012_3464 => 44,
@@ -65,8 +65,9 @@ module Brakeman::WarningCodes
     :detailed_exceptions => 62,
     :CVE_2013_4491 => 63,
     :CVE_2013_6414 => 64,
-    :CVE_2013_6415 => 65,
-    :CVE_2013_6415_call => 66,
+    # Replaced by CVE_2014_0081
+    #:CVE_2013_6415 => 65,
+    #:CVE_2013_6415_call => 66,
     :CVE_2013_6416 => 67,
     :CVE_2013_6416_call => 68,
     :CVE_2013_6417 => 69,
@@ -78,6 +79,8 @@ module Brakeman::WarningCodes
     :CVE_2014_0082 => 75,
     :regex_dos => 76,
     :CVE_2014_0130 => 77,
+    :CVE_2014_3482 => 78,
+    :CVE_2014_3483 => 79,
   }
 
   def self.code name

metadata

@@ -1,7 +1,8 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-min
 version: !ruby/object:Gem::Version
-  version: 2.6.0
+  version: 2.6.1
+  prerelease: 
 platform: ruby
 authors:
 - Justin Collins
@@ -35,50 +36,41 @@ cert_chain:
   Q0c3bUZaNnhnaDAxZXFuWlVzTmQ4dk0rNlY2djIzVnUKamsydE1qRlQ0TDFk
   QTNNRXN6MytNUDE0NFBEaFBDaDd0UGU2eXk4MUJPdnlZVFZrS3pyQWtnS3dI
   RDFDdXZzSApiZHc9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
-date: 2014-06-06 00:00:00.000000000 Z
+date: 2014-07-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ruby_parser
-  requirement: !ruby/object:Gem::Requirement
+  requirement: &70097644561700 !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: 3.5.0
   type: :runtime
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: 3.5.0
+  version_requirements: *70097644561700
 - !ruby/object:Gem::Dependency
   name: ruby2ruby
-  requirement: !ruby/object:Gem::Requirement
+  requirement: &70097644561180 !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: 2.0.5
   type: :runtime
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: 2.0.5
+  version_requirements: *70097644561180
 - !ruby/object:Gem::Dependency
   name: multi_json
-  requirement: !ruby/object:Gem::Requirement
+  requirement: &70097644560680 !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '1.2'
   type: :runtime
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '1.2'
+  version_requirements: *70097644560680
 description: Brakeman detects security vulnerabilities in Ruby on Rails applications
   via static analysis. This version of the gem only requires the minimum number of
   dependencies. Use the 'brakeman' gem for a full install.
@@ -88,16 +80,14 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
+- bin/brakeman
 - CHANGES
+- WARNING_TYPES
 - FEATURES
 - README.md
-- WARNING_TYPES
-- bin/brakeman
-- lib/brakeman.rb
 - lib/brakeman/app_tree.rb
 - lib/brakeman/brakeman.rake
 - lib/brakeman/call_index.rb
-- lib/brakeman/checks.rb
 - lib/brakeman/checks/base_check.rb
 - lib/brakeman/checks/check_basic_auth.rb
 - lib/brakeman/checks/check_content_tag.rb
@@ -151,6 +141,7 @@ files:
 - lib/brakeman/checks/check_validation_regex.rb
 - lib/brakeman/checks/check_without_protection.rb
 - lib/brakeman/checks/check_yaml_parsing.rb
+- lib/brakeman/checks.rb
 - lib/brakeman/differ.rb
 - lib/brakeman/file_parser.rb
 - lib/brakeman/format/style.css
@@ -186,7 +177,6 @@ files:
 - lib/brakeman/processors/slim_template_processor.rb
 - lib/brakeman/processors/template_alias_processor.rb
 - lib/brakeman/processors/template_processor.rb
-- lib/brakeman/report.rb
 - lib/brakeman/report/ignore/config.rb
 - lib/brakeman/report/ignore/interactive.rb
 - lib/brakeman/report/initializers/faster_csv.rb
@@ -211,6 +201,7 @@ files:
 - lib/brakeman/report/templates/template_overview.html.erb
 - lib/brakeman/report/templates/view_warnings.html.erb
 - lib/brakeman/report/templates/warning_overview.html.erb
+- lib/brakeman/report.rb
 - lib/brakeman/rescanner.rb
 - lib/brakeman/scanner.rb
 - lib/brakeman/tracker.rb
@@ -218,30 +209,32 @@ files:
 - lib/brakeman/version.rb
 - lib/brakeman/warning.rb
 - lib/brakeman/warning_codes.rb
+- lib/brakeman.rb
 - lib/ruby_parser/bm_sexp.rb
 - lib/ruby_parser/bm_sexp_processor.rb
 homepage: http://brakemanscanner.org
 licenses:
 - MIT
-metadata: {}
 post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 1.8.9
 signing_key: 
-specification_version: 4
+specification_version: 3
 summary: Security vulnerability scanner for Ruby on Rails.
 test_files: []

checksums.yaml

@@ -1,15 +0,0 @@
----
-!binary "U0hBMQ==":
-  metadata.gz: !binary |-
-    N2IyMjQ4YzA0MGJjYTE4M2QzODBlMmNkM2U3ZWYyMDMxNmIzMGZhMw==
-  data.tar.gz: !binary |-
-    OGY5YTMxYjhiYmQ0MmEzMzk3M2Q1YzNkNjM1OTlkZDljN2IxN2IzMA==
-SHA512:
-  metadata.gz: !binary |-
-    Njk1MmNlODJiMzhiZTM4YTcxNWEzNTQ0YjM0ODg4ODE1OTEzYjg0MGQwZjQ3
-    YWFkZDgxOTY5MGM5Njg0NGQ4MjVhYmVhNTk2MGQ2YjZiNjBjZmRhODBmOTQy
-    YTlmMTZkNmFiNjMzYjZiYTM4ZWNjOWZjNTY1ZWFhMjU2YTlkNGI=
-  data.tar.gz: !binary |-
-    NGUwZGQzYWNmNjBmMjk3YTVmNThiYzcyNDc0YTM3NjAzM2I2MjBkYTg4YWRi
-    MzdjMDgyZDI4MTdhN2VhN2FmNmQ3Mjc0YWQ0N2Q1OTFmY2FkMmE4YzRkMTQ5
-    N2M1YTdlYTQ5NWVmMzg3NTEyNjc5Njc1NDE2YWUyYmUxNGEzNDU=