brakeman-min 4.3.1 → 4.4.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (95) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGES.md +24 -1
  3. data/README.md +35 -6
  4. data/bin/brakeman +2 -0
  5. data/lib/brakeman.rb +5 -3
  6. data/lib/brakeman/app_tree.rb +15 -1
  7. data/lib/brakeman/call_index.rb +7 -4
  8. data/lib/brakeman/checks.rb +16 -8
  9. data/lib/brakeman/checks/base_check.rb +2 -19
  10. data/lib/brakeman/checks/check_basic_auth_timing_attack.rb +1 -1
  11. data/lib/brakeman/checks/check_content_tag.rb +4 -4
  12. data/lib/brakeman/checks/check_create_with.rb +1 -1
  13. data/lib/brakeman/checks/check_cross_site_scripting.rb +3 -3
  14. data/lib/brakeman/checks/check_default_routes.rb +3 -3
  15. data/lib/brakeman/checks/check_deserialize.rb +1 -1
  16. data/lib/brakeman/checks/check_detailed_exceptions.rb +1 -1
  17. data/lib/brakeman/checks/check_digest_dos.rb +4 -4
  18. data/lib/brakeman/checks/check_escape_function.rb +1 -1
  19. data/lib/brakeman/checks/check_execute.rb +5 -4
  20. data/lib/brakeman/checks/check_file_access.rb +13 -3
  21. data/lib/brakeman/checks/check_file_disclosure.rb +1 -1
  22. data/lib/brakeman/checks/check_filter_skipping.rb +1 -1
  23. data/lib/brakeman/checks/check_forgery_setting.rb +3 -3
  24. data/lib/brakeman/checks/check_header_dos.rb +3 -3
  25. data/lib/brakeman/checks/check_i18n_xss.rb +3 -3
  26. data/lib/brakeman/checks/check_jruby_xml.rb +1 -1
  27. data/lib/brakeman/checks/check_json_encoding.rb +3 -3
  28. data/lib/brakeman/checks/check_json_parsing.rb +8 -11
  29. data/lib/brakeman/checks/check_link_to.rb +3 -3
  30. data/lib/brakeman/checks/check_link_to_href.rb +2 -2
  31. data/lib/brakeman/checks/check_mail_to.rb +3 -3
  32. data/lib/brakeman/checks/check_mime_type_dos.rb +1 -1
  33. data/lib/brakeman/checks/check_model_attributes.rb +4 -4
  34. data/lib/brakeman/checks/check_model_serialize.rb +1 -1
  35. data/lib/brakeman/checks/check_nested_attributes.rb +3 -3
  36. data/lib/brakeman/checks/check_nested_attributes_bypass.rb +1 -1
  37. data/lib/brakeman/checks/check_number_to_currency.rb +4 -4
  38. data/lib/brakeman/checks/check_quote_table_name.rb +2 -2
  39. data/lib/brakeman/checks/check_regex_dos.rb +1 -1
  40. data/lib/brakeman/checks/check_render.rb +2 -2
  41. data/lib/brakeman/checks/check_render_dos.rb +1 -1
  42. data/lib/brakeman/checks/check_render_inline.rb +1 -1
  43. data/lib/brakeman/checks/check_response_splitting.rb +1 -1
  44. data/lib/brakeman/checks/check_route_dos.rb +1 -1
  45. data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +1 -1
  46. data/lib/brakeman/checks/check_sanitize_methods.rb +3 -3
  47. data/lib/brakeman/checks/check_secrets.rb +1 -1
  48. data/lib/brakeman/checks/check_select_tag.rb +1 -1
  49. data/lib/brakeman/checks/check_select_vulnerability.rb +1 -1
  50. data/lib/brakeman/checks/check_session_manipulation.rb +1 -1
  51. data/lib/brakeman/checks/check_session_settings.rb +1 -1
  52. data/lib/brakeman/checks/check_simple_format.rb +2 -2
  53. data/lib/brakeman/checks/check_single_quotes.rb +14 -10
  54. data/lib/brakeman/checks/check_skip_before_filter.rb +2 -2
  55. data/lib/brakeman/checks/check_sprockets_path_traversal.rb +39 -0
  56. data/lib/brakeman/checks/check_sql.rb +1 -1
  57. data/lib/brakeman/checks/check_sql_cves.rb +2 -2
  58. data/lib/brakeman/checks/check_strip_tags.rb +10 -8
  59. data/lib/brakeman/checks/check_symbol_dos.rb +1 -1
  60. data/lib/brakeman/checks/check_symbol_dos_cve.rb +1 -1
  61. data/lib/brakeman/checks/check_translate_bug.rb +7 -7
  62. data/lib/brakeman/checks/check_unsafe_reflection.rb +1 -1
  63. data/lib/brakeman/checks/check_unscoped_find.rb +1 -1
  64. data/lib/brakeman/checks/check_validation_regex.rb +1 -1
  65. data/lib/brakeman/checks/check_weak_hash.rb +18 -19
  66. data/lib/brakeman/checks/check_xml_dos.rb +1 -1
  67. data/lib/brakeman/checks/check_yaml_parsing.rb +1 -1
  68. data/lib/brakeman/format/style.css +8 -0
  69. data/lib/brakeman/messages.rb +220 -0
  70. data/lib/brakeman/options.rb +13 -0
  71. data/lib/brakeman/parsers/template_parser.rb +2 -2
  72. data/lib/brakeman/processors/alias_processor.rb +7 -0
  73. data/lib/brakeman/processors/config_processor.rb +4 -1
  74. data/lib/brakeman/processors/gem_processor.rb +30 -2
  75. data/lib/brakeman/processors/lib/call_conversion_helper.rb +2 -1
  76. data/lib/brakeman/processors/lib/rails3_route_processor.rb +0 -2
  77. data/lib/brakeman/processors/lib/rails4_config_processor.rb +18 -0
  78. data/lib/brakeman/processors/lib/render_helper.rb +5 -0
  79. data/lib/brakeman/processors/lib/render_path.rb +15 -0
  80. data/lib/brakeman/processors/library_processor.rb +1 -1
  81. data/lib/brakeman/report/report_base.rb +17 -161
  82. data/lib/brakeman/report/report_csv.rb +17 -0
  83. data/lib/brakeman/report/report_html.rb +34 -31
  84. data/lib/brakeman/report/report_json.rb +21 -0
  85. data/lib/brakeman/report/report_markdown.rb +13 -6
  86. data/lib/brakeman/report/report_table.rb +157 -0
  87. data/lib/brakeman/report/report_tabs.rb +3 -1
  88. data/lib/brakeman/report/report_text.rb +16 -0
  89. data/lib/brakeman/scanner.rb +5 -1
  90. data/lib/brakeman/tracker/config.rb +1 -1
  91. data/lib/brakeman/util.rb +0 -17
  92. data/lib/brakeman/version.rb +1 -1
  93. data/lib/brakeman/warning.rb +9 -4
  94. data/lib/brakeman/warning_codes.rb +1 -0
  95. metadata +9 -6
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 907164bd18400db5d5653c8af124ca18fb240a4528698c5edd0f2115c1011331
4
- data.tar.gz: 35bc513c359c97dec4b2e33a50c16fe80aa03b9e044c8e7b21e35a74c37bab10
3
+ metadata.gz: 4238826e8268de87080a3478ae1fc77f9a3008babe69274edc12b526cffa3dbe
4
+ data.tar.gz: d6a3b102d3c965cc92ec4a12052da0ca69f64bb7cc42c98d36641a4667ce743b
5
5
  SHA512:
6
- metadata.gz: fa036e105bf7ab29d4f14386b1f9e2fdf20dac014db5dcfdb7fdf1a4ca718acb59ade69c818e89ff1a87cf6e16b19223038459fd5f9b7c879e34757a198c883b
7
- data.tar.gz: 72ecefa9947339c9e8d92882c5c491911132836c8c3f1bfd6be36a307987d7528a66ad9c02ab211cc3fe368c4d7227e4197c1ea6b906327edc7a7744e9bcd499
6
+ metadata.gz: 34eeacb132f5af9176e25d283bf9eca29c8c80836be9680bc6c09b16f160c24a2c0523f81a71992ee1fe9b3f3d0a00c2326aa0cc8c5851c1db6c00bcbde08033
7
+ data.tar.gz: a789832cb8340f5ebedd7153464e5526cce69762d9cceeadae10f13dd1913ad6adced3d88c595491f2d174aa1575627a92546c7c8807a30906d61b541ccd8e30
data/CHANGES.md CHANGED
@@ -1,3 +1,26 @@
1
+ # 4.4.0
2
+
3
+ * Set default encoding to UTF-8
4
+ * Update to Slim 4.0.1 (Jake Peterson)
5
+ * Update to RubyParser 3.12.0
6
+ * Add rendered template information to render paths
7
+ * Fix trim mode for ERb templates in old Rails versions
8
+ * Fix thread-safety issue in CallIndex
9
+ * Add `--enable` option to enable optional checks
10
+ * Support reading gem versions from gemspecs
11
+ * Support gem versions which are just major.minor (e.g. 3.0)
12
+ * Treat `if not` like `unless`
13
+ * Handle empty `secrets.yml` files (Naoki Kimura)
14
+ * Correctly set `rel="noreferrer"` in HTML reports
15
+ * Avoid warning about command injection when `String#shellescape` and `Shellwords.shelljoin` are used (George Ogata)
16
+ * Add Dockerfile to run Brakeman inside Docker (Ryan Kemper)
17
+ * Trim some unnecessary files from bundled gems
18
+ * Add check for CVE-2018-3760
19
+ * Avoid nils when concatenating arrays
20
+ * Ignore Tempfiles in FileAccess warnings (Christina Koller)
21
+ * Complete overhaul of warning message construction
22
+ * Deadcode and typo fixes found via Coverity
23
+
1
24
  # 4.3.1
2
25
 
3
26
  * Ignore `Object#freeze`, use the target instead
@@ -8,7 +31,7 @@
8
31
  * Use safe literal when accessing literal hash with unknown key
9
32
  * Avoid deprecated use of ERB in Ruby 2.6 (Koichi ITO)
10
33
  * Allow `symbolize_keys` to be called on `params` in SQL (Jacob Evelyn)
11
- * Improve handling of conditionals in shell commands (Jacob Evenlyn)
34
+ * Improve handling of conditionals in shell commands (Jacob Evelyn)
12
35
  * Fix error when setting line number in implicit renders
13
36
 
14
37
  # 4.3.0
data/README.md CHANGED
@@ -1,5 +1,4 @@
1
1
  [![Brakeman Logo](http://brakemanscanner.org/images/logo_medium.png)](http://brakemanscanner.org/)
2
- [![Brakeman Pro Logo](https://brakemanpro.com/images/bmp_square_white.png)](https://brakemanpro.com)
3
2
 
4
3
  [![Build Status](https://travis-ci.org/presidentbeef/brakeman.svg?branch=master)](https://travis-ci.org/presidentbeef/brakeman)
5
4
  [![Maintainability](https://api.codeclimate.com/v1/badges/1b08a5c74695cb0d11ec/maintainability)](https://codeclimate.com/github/presidentbeef/brakeman/maintainability)
@@ -8,9 +7,7 @@
8
7
 
9
8
  # Brakeman
10
9
 
11
- Brakeman is an open source static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
12
-
13
- Check out [Brakeman Pro](https://brakemanpro.com/) if you are looking for a commercially-supported version with a GUI and advanced features.
10
+ Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
14
11
 
15
12
  # Installation
16
13
 
@@ -21,11 +18,23 @@ Using RubyGems:
21
18
  Using Bundler:
22
19
 
23
20
  group :development do
24
- gem 'brakeman', :require => false
21
+ gem 'brakeman'
25
22
  end
26
23
 
24
+ Using Docker:
25
+
26
+ docker pull presidentbeef/brakeman
27
+
28
+ Using Docker to build from source:
29
+
30
+ git clone https://github.com/presidentbeef/brakeman.git
31
+ cd brakeman
32
+ docker build . -t brakeman
33
+
27
34
  # Usage
28
35
 
36
+ #### Running locally
37
+
29
38
  From a Rails application's root directory:
30
39
 
31
40
  brakeman
@@ -34,6 +43,24 @@ Outside of Rails root:
34
43
 
35
44
  brakeman /path/to/rails/application
36
45
 
46
+ #### Running with Docker
47
+
48
+ From a Rails application's root directory:
49
+
50
+ docker run -v "$(pwd)":/code brakeman
51
+
52
+ With a little nicer color:
53
+
54
+ docker run -v "$(pwd)":/code brakeman --color
55
+
56
+ For an HTML report:
57
+
58
+ docker run -v "$(pwd)":/code brakeman -o brakeman_results.html
59
+
60
+ Outside of Rails root (note that the output file is relative to path/to/rails/application):
61
+
62
+ docker run -v 'path/to/rails/application':/code brakeman -o brakeman_results.html
63
+
37
64
  # Compatibility
38
65
 
39
66
  Brakeman should work with any version of Rails from 2.3.x to 5.x.
@@ -168,4 +195,6 @@ Chat: https://gitter.im/presidentbeef/brakeman
168
195
 
169
196
  # License
170
197
 
171
- see [MIT-LICENSE](MIT-LICENSE)
198
+ Brakeman is free for non-commercial use.
199
+
200
+ See [COPYING](COPYING.md) for details.
@@ -2,6 +2,8 @@
2
2
  #Adjust path in case called directly and not through gem
3
3
  $:.unshift "#{File.expand_path(File.dirname(__FILE__))}/../lib"
4
4
 
5
+ Encoding.default_external = 'UTF-8'
6
+
5
7
  require 'brakeman'
6
8
  require 'brakeman/commandline'
7
9
 
@@ -348,7 +348,7 @@ module Brakeman
348
348
  scanner = Scanner.new options
349
349
  tracker = scanner.tracker
350
350
 
351
- check_for_missing_checks options[:run_checks], options[:skip_checks]
351
+ check_for_missing_checks options[:run_checks], options[:skip_checks], options[:enable_checks]
352
352
 
353
353
  notify "Processing application in #{tracker.app_path}"
354
354
  scanner.process
@@ -521,8 +521,10 @@ module Brakeman
521
521
  end if options[:additional_checks_path]
522
522
  end
523
523
 
524
- def self.check_for_missing_checks included_checks, excluded_checks
525
- missing = Brakeman::Checks.missing_checks(included_checks || Set.new, excluded_checks || Set.new)
524
+ def self.check_for_missing_checks included_checks, excluded_checks, enabled_checks
525
+ checks = included_checks.to_a + excluded_checks.to_a + enabled_checks.to_a
526
+
527
+ missing = Brakeman::Checks.missing_checks(checks)
526
528
 
527
529
  unless missing.empty?
528
530
  raise MissingChecksError, "Could not find specified check#{missing.length > 1 ? 's' : ''}: #{missing.map {|c| "`#{c}`"}.join(', ')}"
@@ -61,6 +61,7 @@ module Brakeman
61
61
  @engine_paths = init_options[:engine_paths] || []
62
62
  @absolute_engine_paths = @engine_paths.select { |path| path.start_with?(File::SEPARATOR) }
63
63
  @relative_engine_paths = @engine_paths - @absolute_engine_paths
64
+ @gemspec = nil
64
65
  end
65
66
 
66
67
  def expand_path(path)
@@ -116,6 +117,18 @@ module Brakeman
116
117
  find_job_paths
117
118
  end
118
119
 
120
+ def gemspec
121
+ return @gemspec unless @gemspec.nil?
122
+
123
+ gemspecs = Dir.glob(File.join(@root, "*.gemspec"))
124
+
125
+ if gemspecs.length > 1 or gemspecs.empty?
126
+ @gemspec = false
127
+ else
128
+ @gemspec = File.basename(gemspecs.first)
129
+ end
130
+ end
131
+
119
132
  private
120
133
 
121
134
  def find_helper_paths
@@ -176,12 +189,13 @@ module Brakeman
176
189
 
177
190
  def root_search_pattern
178
191
  return @root_search_pattern if @root_search_pattern
192
+
179
193
  abs = @absolute_engine_paths.to_a.map { |path| path.gsub /#{File::SEPARATOR}+$/, '' }
180
194
  rel = @relative_engine_paths.to_a.map { |path| path.gsub /#{File::SEPARATOR}+$/, '' }
181
195
 
182
196
  roots = ([@root] + abs).join(",")
183
197
  rel_engines = (rel + [""]).join("/,")
184
- @root_search_patrern = "{#{roots}}/{#{rel_engines}}"
198
+ @root_search_pattern = "{#{roots}}/{#{rel_engines}}"
185
199
  end
186
200
 
187
201
  def prioritize_concerns paths
@@ -5,8 +5,8 @@ class Brakeman::CallIndex
5
5
 
6
6
  #Initialize index with calls from FindAllCalls
7
7
  def initialize calls
8
- @calls_by_method = Hash.new { |h, k| h[k] = [] }
9
- @calls_by_target = Hash.new { |h, k| h[k] = [] }
8
+ @calls_by_method = {}
9
+ @calls_by_target = {}
10
10
 
11
11
  index_calls calls
12
12
  end
@@ -87,13 +87,16 @@ class Brakeman::CallIndex
87
87
 
88
88
  def index_calls calls
89
89
  calls.each do |call|
90
+ @calls_by_method[call[:method]] ||= []
90
91
  @calls_by_method[call[:method]] << call
91
92
 
92
93
  target = call[:target]
93
94
 
94
95
  if not target.is_a? Sexp
96
+ @calls_by_target[target] ||= []
95
97
  @calls_by_target[target] << call
96
98
  elsif target.node_type == :params or target.node_type == :session
99
+ @calls_by_target[target.node_type] ||= []
97
100
  @calls_by_target[target.node_type] << call
98
101
  end
99
102
  end
@@ -116,7 +119,7 @@ class Brakeman::CallIndex
116
119
  if target.is_a? Array
117
120
  calls_by_targets target
118
121
  else
119
- @calls_by_target[target]
122
+ @calls_by_target[target] || []
120
123
  end
121
124
  end
122
125
 
@@ -136,7 +139,7 @@ class Brakeman::CallIndex
136
139
  elsif method.is_a? Regexp
137
140
  calls_by_methods_regex method
138
141
  else
139
- @calls_by_method[method.to_sym]
142
+ @calls_by_method[method.to_sym] || []
140
143
  end
141
144
  end
142
145
 
@@ -37,15 +37,14 @@ class Brakeman::Checks
37
37
  end
38
38
  end
39
39
 
40
- def self.missing_checks included_checks, excluded_checks
41
- included_checks = included_checks.map(&:to_s).to_set
42
- excluded_checks = excluded_checks.map(&:to_s).to_set
40
+ def self.missing_checks check_args
41
+ check_args = check_args.to_a.map(&:to_s).to_set
43
42
 
44
- if included_checks == Set['CheckNone']
43
+ if check_args == Set['CheckNone']
45
44
  return []
46
45
  else
47
46
  loaded = self.checks.map { |name| name.to_s.gsub('Brakeman::', '') }.to_set
48
- missing = (included_checks - loaded) + (excluded_checks - loaded)
47
+ missing = check_args - loaded
49
48
 
50
49
  unless missing.empty?
51
50
  return missing
@@ -170,8 +169,16 @@ class Brakeman::Checks
170
169
  to_run = if tracker.options[:run_all_checks] or tracker.options[:run_checks]
171
170
  @checks + @optional_checks
172
171
  else
173
- @checks
174
- end
172
+ @checks.dup
173
+ end.to_set
174
+
175
+ if enabled_checks = tracker.options[:enable_checks]
176
+ @optional_checks.each do |c|
177
+ if enabled_checks.include? self.get_check_name(c)
178
+ to_run << c
179
+ end
180
+ end
181
+ end
175
182
 
176
183
  self.filter_checks to_run, tracker
177
184
  end
@@ -179,12 +186,13 @@ class Brakeman::Checks
179
186
  def self.filter_checks checks, tracker
180
187
  skipped = tracker.options[:skip_checks]
181
188
  explicit = tracker.options[:run_checks]
189
+ enabled = tracker.options[:enable_checks] || []
182
190
 
183
191
  checks.reject do |c|
184
192
  check_name = self.get_check_name(c)
185
193
 
186
194
  skipped.include? check_name or
187
- (explicit and not explicit.include? check_name)
195
+ (explicit and not explicit.include? check_name and not enabled.include? check_name)
188
196
  end
189
197
  end
190
198
 
@@ -2,12 +2,14 @@ require 'brakeman/processors/output_processor'
2
2
  require 'brakeman/processors/lib/processor_helper'
3
3
  require 'brakeman/warning'
4
4
  require 'brakeman/util'
5
+ require 'brakeman/messages'
5
6
 
6
7
  #Basis of vulnerability checks.
7
8
  class Brakeman::BaseCheck < Brakeman::SexpProcessor
8
9
  include Brakeman::ProcessorHelper
9
10
  include Brakeman::SafeCallHelper
10
11
  include Brakeman::Util
12
+ include Brakeman::Messages
11
13
  attr_reader :tracker, :warnings
12
14
 
13
15
  # This is for legacy support.
@@ -483,23 +485,4 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
483
485
 
484
486
  @active_record_models
485
487
  end
486
-
487
- def friendly_type_of input_type
488
- if input_type.is_a? Match
489
- input_type = input_type.type
490
- end
491
-
492
- case input_type
493
- when :params
494
- "parameter value"
495
- when :cookies
496
- "cookie value"
497
- when :request
498
- "request value"
499
- when :model
500
- "model attribute"
501
- else
502
- "user input"
503
- end
504
- end
505
488
  end
@@ -25,7 +25,7 @@ class Brakeman::CheckBasicAuthTimingAttack < Brakeman::BaseCheck
25
25
  warn :result => result,
26
26
  :warning_type => "Timing Attack",
27
27
  :warning_code => :CVE_2015_7576,
28
- :message => "Basic authentication in Rails #{rails_version} is vulnerable to timing attacks. Upgrade to #@upgrade",
28
+ :message => msg("Basic authentication in ", msg_version(rails_version), " is vulnerable to timing attacks. Upgrade to ", msg_version(@upgrade)),
29
29
  :confidence => :high,
30
30
  :link => "https://groups.google.com/d/msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ"
31
31
  end
@@ -96,7 +96,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
96
96
  end
97
97
 
98
98
  if input = has_immediate_user_input?(arg)
99
- message = "Unescaped #{friendly_type_of input} in content_tag"
99
+ message = msg("Unescaped ", msg_input(input), " in ", msg_code("content_tag"))
100
100
 
101
101
  add_result result
102
102
 
@@ -121,7 +121,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
121
121
  warn :result => result,
122
122
  :warning_type => "Cross-Site Scripting",
123
123
  :warning_code => :xss_content_tag,
124
- :message => "Unescaped model attribute in content_tag",
124
+ :message => msg("Unescaped model attribute in ", msg_code("content_tag")),
125
125
  :user_input => match,
126
126
  :confidence => confidence,
127
127
  :link_path => "content_tag"
@@ -130,7 +130,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
130
130
  elsif @matched
131
131
  return if @matched.type == :model and tracker.options[:ignore_model_output]
132
132
 
133
- message = "Unescaped #{friendly_type_of @matched} in content_tag"
133
+ message = msg("Unescaped ", msg_input(@matched), " in ", msg_code("content_tag"))
134
134
 
135
135
  add_result result
136
136
 
@@ -181,7 +181,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
181
181
 
182
182
  warn :warning_type => "Cross-Site Scripting",
183
183
  :warning_code => :CVE_2016_6316,
184
- :message => "Rails #{rails_version} content_tag does not escape double quotes in attribute values (CVE-2016-6316). Upgrade to #{fix_version}",
184
+ :message => msg(msg_version(rails_version), " ", msg_code("content_tag"), " does not escape double quotes in attribute values ", msg_cve("CVE-2016-6316"), ". Upgrade to ", msg_version(fix_version)),
185
185
  :confidence => confidence,
186
186
  :gem_info => gemfile_or_environment,
187
187
  :link_path => "https://groups.google.com/d/msg/ruby-security-ann/8B2iV2tPRSE/JkjCJkSoCgAJ"
@@ -16,7 +16,7 @@ class Brakeman::CheckCreateWith < Brakeman::BaseCheck
16
16
  return
17
17
  end
18
18
 
19
- @message = "create_with is vulnerable to strong params bypass. Upgrade to Rails #{suggested_version} or patch"
19
+ @message = msg(msg_code("create_with"), " is vulnerable to strong params bypass. Upgrade to ", msg_version(suggested_version), " or patch")
20
20
 
21
21
  tracker.find_call(:method => :create_with, :nested => true).each do |result|
22
22
  process_result result
@@ -70,7 +70,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
70
70
  if input = has_immediate_user_input?(out)
71
71
  add_result exp
72
72
 
73
- message = "Unescaped #{friendly_type_of input}"
73
+ message = msg("Unescaped ", msg_input(input))
74
74
 
75
75
  warn :template => @current_template,
76
76
  :warning_type => "Cross-Site Scripting",
@@ -168,7 +168,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
168
168
 
169
169
  if @matched
170
170
  unless @matched.type and tracker.options[:ignore_model_output]
171
- message = "Unescaped #{friendly_type_of @matched}"
171
+ message = msg("Unescaped ", msg_input(@matched))
172
172
  end
173
173
 
174
174
  if message and not duplicate? exp
@@ -180,7 +180,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
180
180
  if @known_dangerous.include? exp.method
181
181
  confidence = :high
182
182
  if exp.method == :to_json
183
- message += " in JSON hash"
183
+ message << msg_plain(" in JSON hash")
184
184
  link_path += "_to_json"
185
185
  warning_code = :xss_to_json
186
186
  end
@@ -19,7 +19,7 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
19
19
  #Default routes are enabled globally
20
20
  warn :warning_type => "Default Routes",
21
21
  :warning_code => :all_default_routes,
22
- :message => "All public methods in controllers are available as actions in routes.rb",
22
+ :message => msg("All public methods in controllers are available as actions in ", msg_file("routes.rb")),
23
23
  :line => tracker.routes[:allow_all_actions].line,
24
24
  :confidence => :high,
25
25
  :file => "#{tracker.app_path}/config/routes.rb"
@@ -41,7 +41,7 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
41
41
  warn :controller => name,
42
42
  :warning_type => "Default Routes",
43
43
  :warning_code => :controller_default_routes,
44
- :message => "Any public method in #{name} can be used as an action for #{verb} requests.",
44
+ :message => msg("Any public method in ", msg_code(name), " can be used as an action for ", msg_code(verb), " requests."),
45
45
  :line => actions[2],
46
46
  :confidence => :medium,
47
47
  :file => "#{tracker.app_path}/config/routes.rb"
@@ -74,7 +74,7 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
74
74
 
75
75
  warn :warning_type => "Remote Code Execution",
76
76
  :warning_code => :CVE_2014_0130,
77
- :message => "Rails #{rails_version} with globbing routes is vulnerable to directory traversal and remote code execution. Patch or upgrade to #{upgrade}",
77
+ :message => msg(msg_version(rails_version), " with globbing routes is vulnerable to directory traversal and remote code execution. Patch or upgrade to ", msg_version(upgrade)),
78
78
  :confidence => confidence,
79
79
  :file => "#{tracker.app_path}/config/routes.rb",
80
80
  :link => "http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf"
@@ -42,7 +42,7 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
42
42
  end
43
43
 
44
44
  if confidence
45
- message = "#{target}.#{method} called with #{friendly_type_of input}"
45
+ message = msg(msg_code("#{target}.#{method}"), " called with ", msg_input(input))
46
46
 
47
47
  warn :result => result,
48
48
  :warning_type => "Remote Code Execution",