brakeman-min 4.7.1 → 4.7.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGES.md +8 -0
- data/README.md +1 -1
- data/lib/brakeman/checks/check_mass_assignment.rb +1 -1
- data/lib/brakeman/checks/check_sql.rb +24 -22
- data/lib/brakeman/processor.rb +1 -1
- data/lib/brakeman/util.rb +5 -3
- data/lib/brakeman/version.rb +1 -1
- metadata +11 -5
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 4a6cc961dcc300bf0fd78eeee53b715dc62ae4d7d0e1d27320cc6a6ef00ff5e3
|
|
4
|
+
data.tar.gz: 0ba044de5c3a3274b90ed2da001914ffa26aa74fd6b2c7d4b15d7b3d120b5c7d
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: ba6ea029432adb3c9c56fa53fc11292f8d71b857eeb03bbacc2ae9f349cfbedfa13c13a74be732616844e5243d8d3bc3690a776e056a9e9f4441f7e0a9d61637
|
|
7
|
+
data.tar.gz: ba2cf378cc029a7b583b47f69715897012ddc5d07b39749638128ea8cfc92e190b05bb6ea919d68d62c91bfb80ca7ee95d293f7c3b16096d204d15f11d13f197
|
data/CHANGES.md
CHANGED
|
@@ -1,3 +1,11 @@
|
|
|
1
|
+
# 4.7.2 - 2019-11-25
|
|
2
|
+
|
|
3
|
+
* Remove version guard for `named_scope` vs. `scope`
|
|
4
|
+
* Find SQL injection in `String#strip_heredoc` target
|
|
5
|
+
* Handle more `permit!` cases
|
|
6
|
+
* Ensure file name is set when processing model
|
|
7
|
+
* Add `request.params` as query parameters
|
|
8
|
+
|
|
1
9
|
# 4.7.1 - 2019-10-29
|
|
2
10
|
|
|
3
11
|
* Check string length against limit before joining
|
data/README.md
CHANGED
|
@@ -62,7 +62,7 @@ Outside of Rails root (note that the output file is relative to path/to/rails/ap
|
|
|
62
62
|
|
|
63
63
|
# Compatibility
|
|
64
64
|
|
|
65
|
-
Brakeman should work with any version of Rails from 2.3.x to
|
|
65
|
+
Brakeman should work with any version of Rails from 2.3.x to 6.x.
|
|
66
66
|
|
|
67
67
|
Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 2.3.0 to run.
|
|
68
68
|
|
|
@@ -158,7 +158,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
|
|
|
158
158
|
|
|
159
159
|
# Look for and warn about uses of Parameters#permit! for mass assignment
|
|
160
160
|
def check_permit!
|
|
161
|
-
tracker.find_call(:method => :permit
|
|
161
|
+
tracker.find_call(:method => :permit!, :nested => true).each do |result|
|
|
162
162
|
if params? result[:call].target and not result[:chain].include? :slice
|
|
163
163
|
warn_on_permit! result
|
|
164
164
|
end
|
|
@@ -71,32 +71,32 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
71
71
|
def find_scope_calls
|
|
72
72
|
scope_calls = []
|
|
73
73
|
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
74
|
+
# Used in pre-3.1.0 versions of Rails
|
|
75
|
+
ar_scope_calls(:named_scope) do |model, args|
|
|
76
|
+
call = make_call(nil, :named_scope, args).line(args.line)
|
|
77
|
+
scope_calls << scope_call_hash(call, model, :named_scope)
|
|
78
|
+
end
|
|
79
|
+
|
|
80
|
+
# Use in 3.1.0 and later
|
|
81
|
+
ar_scope_calls(:scope) do |model, args|
|
|
82
|
+
second_arg = args[2]
|
|
83
|
+
next unless sexp? second_arg
|
|
84
|
+
|
|
85
|
+
if second_arg.node_type == :iter and node_type? second_arg.block, :block, :call, :safe_call
|
|
86
|
+
process_scope_with_block(model, args)
|
|
87
|
+
elsif call? second_arg
|
|
88
|
+
call = second_arg
|
|
89
|
+
scope_calls << scope_call_hash(call, model, call.method)
|
|
90
|
+
else
|
|
91
|
+
call = make_call(nil, :scope, args).line(args.line)
|
|
92
|
+
scope_calls << scope_call_hash(call, model, :scope)
|
|
93
93
|
end
|
|
94
94
|
end
|
|
95
95
|
|
|
96
96
|
scope_calls
|
|
97
97
|
end
|
|
98
98
|
|
|
99
|
-
def ar_scope_calls(symbol_name
|
|
99
|
+
def ar_scope_calls(symbol_name, &block)
|
|
100
100
|
active_record_models.each do |name, model|
|
|
101
101
|
model_args = model.options[symbol_name]
|
|
102
102
|
if model_args
|
|
@@ -393,6 +393,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
393
393
|
nil
|
|
394
394
|
end
|
|
395
395
|
|
|
396
|
+
TO_STRING_METHODS = [:to_s, :strip_heredoc]
|
|
397
|
+
|
|
396
398
|
#Returns value if interpolated value is not something safe
|
|
397
399
|
def unsafe_string_interp? exp
|
|
398
400
|
if node_type? exp, :evstr
|
|
@@ -403,7 +405,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
403
405
|
|
|
404
406
|
if not sexp? value
|
|
405
407
|
nil
|
|
406
|
-
elsif call? value and value.method
|
|
408
|
+
elsif call? value and TO_STRING_METHODS.include? value.method
|
|
407
409
|
unsafe_string_interp? value.target
|
|
408
410
|
elsif call? value and safe_literal_target? value
|
|
409
411
|
nil
|
|
@@ -466,7 +468,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
466
468
|
unless IGNORE_METHODS_IN_SQL.include? exp.method
|
|
467
469
|
if has_immediate_user_input? exp
|
|
468
470
|
exp
|
|
469
|
-
elsif exp.method
|
|
471
|
+
elsif TO_STRING_METHODS.include? exp.method
|
|
470
472
|
find_dangerous_value exp.target, ignore_hash
|
|
471
473
|
else
|
|
472
474
|
check_call exp
|
data/lib/brakeman/processor.rb
CHANGED
|
@@ -53,7 +53,7 @@ module Brakeman
|
|
|
53
53
|
#Process a model source
|
|
54
54
|
def process_model src, file_name
|
|
55
55
|
result = ModelProcessor.new(@tracker).process_model src, file_name
|
|
56
|
-
AliasProcessor.new(@tracker).process result if result
|
|
56
|
+
AliasProcessor.new(@tracker, file_name).process result if result
|
|
57
57
|
end
|
|
58
58
|
|
|
59
59
|
#Process either an ERB or HAML template
|
data/lib/brakeman/util.rb
CHANGED
|
@@ -8,9 +8,11 @@ module Brakeman::Util
|
|
|
8
8
|
|
|
9
9
|
PATH_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request), :path_parameters)
|
|
10
10
|
|
|
11
|
-
|
|
11
|
+
REQUEST_REQUEST_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request), :request_parameters)
|
|
12
12
|
|
|
13
|
-
|
|
13
|
+
REQUEST_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request), :parameters)
|
|
14
|
+
|
|
15
|
+
REQUEST_PARAMS = Sexp.new(:call, Sexp.new(:call, nil, :request), :params)
|
|
14
16
|
|
|
15
17
|
REQUEST_ENV = Sexp.new(:call, Sexp.new(:call, nil, :request), :env)
|
|
16
18
|
|
|
@@ -22,7 +24,7 @@ module Brakeman::Util
|
|
|
22
24
|
|
|
23
25
|
SESSION = Sexp.new(:call, nil, :session)
|
|
24
26
|
|
|
25
|
-
ALL_PARAMETERS = Set[PARAMETERS, QUERY_PARAMETERS, PATH_PARAMETERS, REQUEST_PARAMETERS, REQUEST_PARAMS]
|
|
27
|
+
ALL_PARAMETERS = Set[PARAMETERS, QUERY_PARAMETERS, PATH_PARAMETERS, REQUEST_REQUEST_PARAMETERS, REQUEST_PARAMETERS, REQUEST_PARAMS]
|
|
26
28
|
|
|
27
29
|
ALL_COOKIES = Set[COOKIES, REQUEST_COOKIES]
|
|
28
30
|
|
data/lib/brakeman/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,15 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: brakeman-min
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.7.
|
|
4
|
+
version: 4.7.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Justin Collins
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
|
-
cert_chain:
|
|
11
|
-
-
|
|
12
|
-
date: 2019-10-29 00:00:00.000000000 Z
|
|
10
|
+
cert_chain: []
|
|
11
|
+
date: 2019-11-25 00:00:00.000000000 Z
|
|
13
12
|
dependencies:
|
|
14
13
|
- !ruby/object:Gem::Dependency
|
|
15
14
|
name: minitest
|
|
@@ -307,7 +306,14 @@ files:
|
|
|
307
306
|
homepage: http://brakemanscanner.org
|
|
308
307
|
licenses:
|
|
309
308
|
- Brakeman Public Use License
|
|
310
|
-
metadata:
|
|
309
|
+
metadata:
|
|
310
|
+
bug_tracker_uri: https://github.com/presidentbeef/brakeman/issues
|
|
311
|
+
changelog_uri: https://github.com/presidentbeef/brakeman/releases
|
|
312
|
+
documentation_uri: https://brakemanscanner.org/docs/
|
|
313
|
+
homepage_uri: https://brakemanscanner.org/
|
|
314
|
+
mailing_list_uri: https://gitter.im/presidentbeef/brakeman
|
|
315
|
+
source_code_uri: https://github.com/presidentbeef/brakeman
|
|
316
|
+
wiki_uri: https://github.com/presidentbeef/brakeman/wiki
|
|
311
317
|
post_install_message:
|
|
312
318
|
rdoc_options: []
|
|
313
319
|
require_paths:
|