brakeman-min 5.0.0.pre1 → 5.0.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGES.md +23 -0
- data/lib/brakeman/checks/base_check.rb +7 -1
- data/lib/brakeman/checks/check_execute.rb +2 -1
- data/lib/brakeman/checks/check_regex_dos.rb +1 -1
- data/lib/brakeman/checks/check_sql.rb +1 -1
- data/lib/brakeman/file_parser.rb +5 -0
- data/lib/brakeman/processors/alias_processor.rb +20 -4
- data/lib/brakeman/processors/controller_processor.rb +1 -1
- data/lib/brakeman/processors/lib/rails3_config_processor.rb +16 -16
- data/lib/brakeman/processors/output_processor.rb +1 -1
- data/lib/brakeman/processors/template_alias_processor.rb +5 -0
- data/lib/brakeman/report/report_base.rb +0 -2
- data/lib/brakeman/report/report_csv.rb +37 -60
- data/lib/brakeman/report/report_junit.rb +2 -2
- data/lib/brakeman/report/report_sarif.rb +1 -1
- data/lib/brakeman/report/report_tabs.rb +1 -1
- data/lib/brakeman/report/report_text.rb +1 -1
- data/lib/brakeman/scanner.rb +3 -1
- data/lib/brakeman/tracker/config.rb +73 -0
- data/lib/brakeman/tracker/controller.rb +1 -1
- data/lib/brakeman/util.rb +2 -2
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning.rb +10 -2
- data/lib/ruby_parser/bm_sexp.rb +9 -9
- metadata +4 -4
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: b3d0b0856b2f8155f922380024dd8055b7a670779da0e2b0fe537296284eedb3
|
4
|
+
data.tar.gz: d53d4b2c2d115e9a37d7f13213d36ea0ee6d74d89f8ff9fa859d769c98335d87
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 0e2a7a095d2cf2becccd75bb34e3c60924116f91d42bd82ea9327bbdf2ccbc14f27ec735d871ffb4e04ada389a801c54b282029b4b160a75e1cffa5eac0c7812
|
7
|
+
data.tar.gz: 7e8a88f62a20bfbff098321310aa29d901460a91977c0604b4a90b9767447fda738d8604ac72a4ee486d32c250e5fb1f3ad590385d8006a62dd84a2d74948bb0
|
data/CHANGES.md
CHANGED
@@ -1,3 +1,26 @@
|
|
1
|
+
# 5.0.0 - 2021-01-26
|
2
|
+
|
3
|
+
* Ignore `uuid` as a safe attribute
|
4
|
+
* Collapse `__send__` calls
|
5
|
+
* Ignore `Tempfile#path` in shell commands
|
6
|
+
* Ignore development environment
|
7
|
+
* Revamp CSV report to a CSV list of warnings
|
8
|
+
* Set Rails configuration defaults based on `load_defaults` version
|
9
|
+
* Add check for (more) unsafe method reflection
|
10
|
+
* Suggest using `--force` if no Rails application is detected
|
11
|
+
* Add Sonarqube report format (Adam England)
|
12
|
+
* Add check for potential HTTP verb confusion
|
13
|
+
* Add `--[no-]skip-vendor` option
|
14
|
+
* Scan (almost) all Ruby files in project
|
15
|
+
|
16
|
+
# 4.10.1 - 2020-12-24
|
17
|
+
|
18
|
+
* Declare REXML as a dependency (Ruby 3.0 compatibility)
|
19
|
+
* Use `Sexp#sexp_body` instead of `Sexp#[..]` (Ruby 3.0 compatibility)
|
20
|
+
* Prevent render loops when template names are absolute paths
|
21
|
+
* Ensure RubyParser is passed file path as a String
|
22
|
+
* Support new Haml 5.2.0 escaping method
|
23
|
+
|
1
24
|
# 5.0.0.pre1 - 2020-11-17
|
2
25
|
|
3
26
|
* Add check for (more) unsafe method reflection
|
@@ -40,7 +40,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
|
|
40
40
|
@mass_assign_disabled = nil
|
41
41
|
@has_user_input = nil
|
42
42
|
@in_array = false
|
43
|
-
@safe_input_attributes = Set[:to_i, :to_f, :arel_table, :id]
|
43
|
+
@safe_input_attributes = Set[:to_i, :to_f, :arel_table, :id, :uuid]
|
44
44
|
@comparison_ops = Set[:==, :!=, :>, :<, :>=, :<=]
|
45
45
|
end
|
46
46
|
|
@@ -151,6 +151,12 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
|
|
151
151
|
method[-1] == "?"
|
152
152
|
end
|
153
153
|
|
154
|
+
TEMP_FILE_PATH = s(:call, s(:call, s(:const, :Tempfile), :new), :path).freeze
|
155
|
+
|
156
|
+
def temp_file_path? exp
|
157
|
+
exp == TEMP_FILE_PATH
|
158
|
+
end
|
159
|
+
|
154
160
|
#Report a warning
|
155
161
|
def warn options
|
156
162
|
extra_opts = { :check => self.class.to_s }
|
@@ -204,11 +204,12 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
|
|
204
204
|
next if node_type? e, :lit, :str
|
205
205
|
next if SAFE_VALUES.include? e
|
206
206
|
next if shell_escape? e
|
207
|
+
next if temp_file_path? e
|
207
208
|
|
208
209
|
if node_type? e, :if
|
209
210
|
# If we're in a conditional, evaluate the `then` and `else` clauses to
|
210
211
|
# see if they're dangerous.
|
211
|
-
if res = dangerous?(e.
|
212
|
+
if res = dangerous?(e.sexp_body.sexp_body)
|
212
213
|
return res
|
213
214
|
end
|
214
215
|
elsif node_type? e, :or, :evstr, :dstr
|
@@ -576,7 +576,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
576
576
|
:sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,
|
577
577
|
:sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
|
578
578
|
:to_sql, :sanitize, :primary_key, :table_name_prefix, :table_name_suffix,
|
579
|
-
:where_values_hash, :foreign_key
|
579
|
+
:where_values_hash, :foreign_key, :uuid
|
580
580
|
]
|
581
581
|
|
582
582
|
def safe_value? exp
|
data/lib/brakeman/file_parser.rb
CHANGED
@@ -32,7 +32,12 @@ module Brakeman
|
|
32
32
|
end
|
33
33
|
end
|
34
34
|
|
35
|
+
# _path_ can be a string or a Brakeman::FilePath
|
35
36
|
def parse_ruby input, path
|
37
|
+
if path.is_a? Brakeman::FilePath
|
38
|
+
path = path.relative
|
39
|
+
end
|
40
|
+
|
36
41
|
begin
|
37
42
|
Brakeman.debug "Parsing #{path}"
|
38
43
|
RubyParser.new.parse input, path, @timeout
|
@@ -161,6 +161,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
161
161
|
ARRAY_CONST = s(:const, :Array)
|
162
162
|
HASH_CONST = s(:const, :Hash)
|
163
163
|
RAILS_TEST = s(:call, s(:call, s(:const, :Rails), :env), :test?)
|
164
|
+
RAILS_DEV = s(:call, s(:call, s(:const, :Rails), :env), :development?)
|
164
165
|
|
165
166
|
#Process a method call.
|
166
167
|
def process_call exp
|
@@ -186,7 +187,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
186
187
|
method = exp.method
|
187
188
|
first_arg = exp.first_arg
|
188
189
|
|
189
|
-
if method == :send or method == :try
|
190
|
+
if method == :send or method == :__send__ or method == :try
|
190
191
|
collapse_send_call exp, first_arg
|
191
192
|
end
|
192
193
|
|
@@ -197,7 +198,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
197
198
|
return Sexp.new(:array, *exp.args)
|
198
199
|
elsif target == HASH_CONST and method == :new and first_arg.nil? and !node_type?(@exp_context.last, :iter)
|
199
200
|
return Sexp.new(:hash)
|
200
|
-
elsif exp == RAILS_TEST
|
201
|
+
elsif exp == RAILS_TEST or exp == RAILS_DEV
|
201
202
|
return Sexp.new(:false)
|
202
203
|
end
|
203
204
|
|
@@ -236,7 +237,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
236
237
|
env[target_var] = target
|
237
238
|
return target
|
238
239
|
elsif string? target and string_interp? first_arg
|
239
|
-
exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg
|
240
|
+
exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg.sexp_body(2))
|
240
241
|
env[target_var] = exp
|
241
242
|
elsif string? first_arg and string_interp? target
|
242
243
|
if string? target.last
|
@@ -346,6 +347,18 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
346
347
|
end
|
347
348
|
end
|
348
349
|
|
350
|
+
TEMP_FILE_CLASS = s(:const, :Tempfile)
|
351
|
+
|
352
|
+
def temp_file_open? exp
|
353
|
+
call? exp and
|
354
|
+
exp.target == TEMP_FILE_CLASS and
|
355
|
+
exp.method == :open
|
356
|
+
end
|
357
|
+
|
358
|
+
def temp_file_new line
|
359
|
+
s(:call, TEMP_FILE_CLASS, :new).line(line)
|
360
|
+
end
|
361
|
+
|
349
362
|
def process_iter exp
|
350
363
|
@exp_context.push exp
|
351
364
|
exp[1] = process exp.block_call
|
@@ -363,6 +376,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
363
376
|
# Iterating over an array of all literal values
|
364
377
|
local = Sexp.new(:lvar, block_args.last)
|
365
378
|
env.current[local] = safe_literal(exp.line)
|
379
|
+
elsif temp_file_open? call
|
380
|
+
local = Sexp.new(:lvar, block_args.last)
|
381
|
+
env.current[local] = temp_file_new(exp.line)
|
366
382
|
else
|
367
383
|
block_args.each do |e|
|
368
384
|
#Force block arg(s) to be local
|
@@ -941,7 +957,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
941
957
|
args = exp.args
|
942
958
|
exp.pop # remove last arg
|
943
959
|
if args.length > 1
|
944
|
-
exp.arglist = args
|
960
|
+
exp.arglist = args.sexp_body
|
945
961
|
end
|
946
962
|
end
|
947
963
|
|
@@ -57,6 +57,20 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
|
|
57
57
|
exp
|
58
58
|
end
|
59
59
|
|
60
|
+
#Look for configuration settings that
|
61
|
+
#are just a call like
|
62
|
+
#
|
63
|
+
# config.load_defaults 5.2
|
64
|
+
def process_call exp
|
65
|
+
return exp unless @inside_config
|
66
|
+
|
67
|
+
if exp.target == RAILS_CONFIG and exp.first_arg
|
68
|
+
@tracker.config.rails[exp.method] = exp.first_arg
|
69
|
+
end
|
70
|
+
|
71
|
+
exp
|
72
|
+
end
|
73
|
+
|
60
74
|
#Look for configuration settings
|
61
75
|
def process_attrasgn exp
|
62
76
|
return exp unless @inside_config
|
@@ -71,22 +85,8 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
|
|
71
85
|
@tracker.config.rails[attribute] = exp.first_arg
|
72
86
|
end
|
73
87
|
elsif include_rails_config? exp
|
74
|
-
|
75
|
-
|
76
|
-
options[0..-2].each do |o|
|
77
|
-
level[o] ||= {}
|
78
|
-
|
79
|
-
option = level[o]
|
80
|
-
|
81
|
-
if not option.is_a? Hash
|
82
|
-
Brakeman.debug "[Notice] Skipping config setting: #{options.map(&:to_s).join(".")}"
|
83
|
-
return exp
|
84
|
-
end
|
85
|
-
|
86
|
-
level = level[o]
|
87
|
-
end
|
88
|
-
|
89
|
-
level[options.last] = exp.first_arg
|
88
|
+
options_path = get_rails_config exp
|
89
|
+
@tracker.config.set_rails_config(exp.first_arg, *options_path)
|
90
90
|
end
|
91
91
|
|
92
92
|
exp
|
@@ -20,6 +20,11 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
|
|
20
20
|
|
21
21
|
#Process template
|
22
22
|
def process_template name, args, _, line = nil
|
23
|
+
# Strip forward slash from beginning of template path.
|
24
|
+
# This also happens in RenderHelper#process_template but
|
25
|
+
# we need it here too to accurately avoid circular renders below.
|
26
|
+
name = name.to_s.gsub(/^\//, "")
|
27
|
+
|
23
28
|
if @called_from
|
24
29
|
if @called_from.include_template? name
|
25
30
|
Brakeman.debug "Skipping circular render from #{@template.name} to #{name}"
|
@@ -1,72 +1,49 @@
|
|
1
1
|
require 'csv'
|
2
|
-
require "brakeman/report/report_table"
|
3
2
|
|
4
|
-
class Brakeman::Report::CSV < Brakeman::Report::
|
3
|
+
class Brakeman::Report::CSV < Brakeman::Report::Base
|
5
4
|
def generate_report
|
6
|
-
|
7
|
-
|
8
|
-
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
output << "TEMPLATES\n\n"
|
25
|
-
output << table_to_csv(generate_templates) << "\n"
|
5
|
+
headers = [
|
6
|
+
"Confidence",
|
7
|
+
"Warning Type",
|
8
|
+
"File",
|
9
|
+
"Line",
|
10
|
+
"Message",
|
11
|
+
"Code",
|
12
|
+
"User Input",
|
13
|
+
"Check Name",
|
14
|
+
"Warning Code",
|
15
|
+
"Fingerprint",
|
16
|
+
"Link"
|
17
|
+
]
|
18
|
+
|
19
|
+
rows = tracker.filtered_warnings.sort_by do |w|
|
20
|
+
[w.confidence, w.warning_type, w.file, w.line, w.fingerprint]
|
21
|
+
end.map do |warning|
|
22
|
+
generate_row(headers, warning)
|
26
23
|
end
|
27
24
|
|
28
|
-
|
29
|
-
output << "ERRORS\n" << table_to_csv(res) << "\n" if res
|
30
|
-
|
31
|
-
res = generate_warnings
|
32
|
-
output << "SECURITY WARNINGS\n" << table_to_csv(res) << "\n" if res
|
25
|
+
table = CSV::Table.new(rows)
|
33
26
|
|
34
|
-
|
35
|
-
res = generate_controller_warnings
|
36
|
-
output << table_to_csv(res) << "\n" if res
|
37
|
-
|
38
|
-
output << "Model Warnings\n"
|
39
|
-
res = generate_model_warnings
|
40
|
-
output << table_to_csv(res) << "\n" if res
|
41
|
-
|
42
|
-
res = generate_template_warnings
|
43
|
-
output << "Template Warnings\n"
|
44
|
-
output << table_to_csv(res) << "\n" if res
|
45
|
-
|
46
|
-
output
|
27
|
+
table.to_csv
|
47
28
|
end
|
48
29
|
|
49
|
-
|
50
|
-
|
51
|
-
header = CSV.generate_line(["Application Path", "Report Generation Time", "Checks Performed", "Rails Version"])
|
52
|
-
header << CSV.generate_line([File.expand_path(tracker.app_path), Time.now.to_s, checks.checks_run.sort.join(", "), rails_version])
|
53
|
-
"BRAKEMAN REPORT\n\n" + header
|
30
|
+
def generate_row headers, warning
|
31
|
+
CSV::Row.new headers, warning_row(warning)
|
54
32
|
end
|
55
33
|
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
60
|
-
|
61
|
-
|
62
|
-
|
63
|
-
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
output
|
34
|
+
def warning_row warning
|
35
|
+
[
|
36
|
+
warning.confidence_name,
|
37
|
+
warning.warning_type,
|
38
|
+
warning_file(warning),
|
39
|
+
warning.line,
|
40
|
+
warning.message,
|
41
|
+
warning.code && warning.format_code(false),
|
42
|
+
warning.user_input && warning.format_user_input(false),
|
43
|
+
warning.check_name,
|
44
|
+
warning.warning_code,
|
45
|
+
warning.fingerprint,
|
46
|
+
warning.link,
|
47
|
+
]
|
71
48
|
end
|
72
49
|
end
|
@@ -47,7 +47,7 @@ class Brakeman::Report::JUnit < Brakeman::Report::Base
|
|
47
47
|
warning.add_attribute 'brakeman:file', warning_file(w)
|
48
48
|
warning.add_attribute 'brakeman:line', w.line
|
49
49
|
warning.add_attribute 'brakeman:fingerprint', w.fingerprint
|
50
|
-
warning.add_attribute 'brakeman:confidence',
|
50
|
+
warning.add_attribute 'brakeman:confidence', w.confidence_name
|
51
51
|
warning.add_attribute 'brakeman:code', w.format_code
|
52
52
|
warning.add_text w.to_s
|
53
53
|
}
|
@@ -88,7 +88,7 @@ class Brakeman::Report::JUnit < Brakeman::Report::Base
|
|
88
88
|
failure.add_attribute 'brakeman:fingerprint', warning.fingerprint
|
89
89
|
failure.add_attribute 'brakeman:file', warning_file(warning)
|
90
90
|
failure.add_attribute 'brakeman:line', warning.line
|
91
|
-
failure.add_attribute 'brakeman:confidence',
|
91
|
+
failure.add_attribute 'brakeman:confidence', warning.confidence_name
|
92
92
|
failure.add_attribute 'brakeman:code', warning.format_code
|
93
93
|
failure.add_text warning.to_s
|
94
94
|
}
|
@@ -27,7 +27,7 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
|
|
27
27
|
def rules
|
28
28
|
@rules ||= unique_warnings_by_warning_code.map do |warning|
|
29
29
|
rule_id = render_id warning
|
30
|
-
check_name = warning.
|
30
|
+
check_name = warning.check_name
|
31
31
|
check_description = render_message check_descriptions[check_name]
|
32
32
|
{
|
33
33
|
:id => rule_id,
|
@@ -10,7 +10,7 @@ class Brakeman::Report::Tabs < Brakeman::Report::Table
|
|
10
10
|
self.send(meth).map do |w|
|
11
11
|
line = w.line || 0
|
12
12
|
w.warning_type.gsub!(/[^\w\s]/, ' ')
|
13
|
-
"#{(w.file.absolute)}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{
|
13
|
+
"#{(w.file.absolute)}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{w.confidence_name}"
|
14
14
|
end.join "\n"
|
15
15
|
|
16
16
|
end.join "\n"
|
@@ -160,7 +160,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
|
|
160
160
|
when :category
|
161
161
|
label('Category', w.warning_type.to_s)
|
162
162
|
when :check
|
163
|
-
label('Check', w.
|
163
|
+
label('Check', w.check_name)
|
164
164
|
when :message
|
165
165
|
label('Message', w.message)
|
166
166
|
when :code
|
data/lib/brakeman/scanner.rb
CHANGED
@@ -25,7 +25,7 @@ class Brakeman::Scanner
|
|
25
25
|
|
26
26
|
if (!@app_tree.root || !@app_tree.exists?("app")) && !options[:force_scan]
|
27
27
|
message = "Please supply the path to a Rails application (looking in #{@app_tree.root}).\n" <<
|
28
|
-
" Use `--force` to run a scan anyway
|
28
|
+
" Use `--force` to run a scan anyway."
|
29
29
|
|
30
30
|
raise Brakeman::NoApplication, message
|
31
31
|
end
|
@@ -139,6 +139,8 @@ class Brakeman::Scanner
|
|
139
139
|
if @app_tree.exists? ".ruby-version"
|
140
140
|
tracker.config.set_ruby_version @app_tree.file_path(".ruby-version").read
|
141
141
|
end
|
142
|
+
|
143
|
+
tracker.config.load_rails_defaults
|
142
144
|
end
|
143
145
|
|
144
146
|
def process_config_file file
|
@@ -149,5 +149,78 @@ module Brakeman
|
|
149
149
|
def session_settings
|
150
150
|
@rails.dig(:action_controller, :session)
|
151
151
|
end
|
152
|
+
|
153
|
+
|
154
|
+
# Set Rails config option value
|
155
|
+
# where path is an array of attributes, e.g.
|
156
|
+
#
|
157
|
+
# :action_controller, :perform_caching
|
158
|
+
#
|
159
|
+
# then this will set
|
160
|
+
#
|
161
|
+
# rails[:action_controller][:perform_caching] = value
|
162
|
+
def set_rails_config value, *path
|
163
|
+
config = self.rails
|
164
|
+
|
165
|
+
path[0..-2].each do |o|
|
166
|
+
config[o] ||= {}
|
167
|
+
|
168
|
+
option = config[o]
|
169
|
+
|
170
|
+
if not option.is_a? Hash
|
171
|
+
Brakeman.debug "[Notice] Skipping config setting: #{path.map(&:to_s).join(".")}"
|
172
|
+
return
|
173
|
+
end
|
174
|
+
|
175
|
+
config = option
|
176
|
+
end
|
177
|
+
|
178
|
+
config[path.last] = value
|
179
|
+
end
|
180
|
+
|
181
|
+
# Load defaults based on config.load_defaults value
|
182
|
+
# as documented here: https://guides.rubyonrails.org/configuring.html#results-of-config-load-defaults
|
183
|
+
def load_rails_defaults
|
184
|
+
return unless number? tracker.config.rails[:load_defaults]
|
185
|
+
|
186
|
+
version = tracker.config.rails[:load_defaults].value
|
187
|
+
true_value = Sexp.new(:true)
|
188
|
+
false_value = Sexp.new(:false)
|
189
|
+
|
190
|
+
if version >= 5.0
|
191
|
+
set_rails_config(true_value, :action_controller, :per_form_csrf_tokens)
|
192
|
+
set_rails_config(true_value, :action_controller, :forgery_protection_origin_check)
|
193
|
+
set_rails_config(true_value, :active_record, :belongs_to_required_by_default)
|
194
|
+
# Note: this may need to be changed, because ssl_options is a Hash
|
195
|
+
set_rails_config(true_value, :ssl_options, :hsts, :subdomains)
|
196
|
+
end
|
197
|
+
|
198
|
+
if version >= 5.1
|
199
|
+
set_rails_config(false_value, :assets, :unknown_asset_fallback)
|
200
|
+
set_rails_config(true_value, :action_view, :form_with_generates_remote_forms)
|
201
|
+
end
|
202
|
+
|
203
|
+
if version >= 5.2
|
204
|
+
set_rails_config(true_value, :active_record, :cache_versioning)
|
205
|
+
set_rails_config(true_value, :action_dispatch, :use_authenticated_cookie_encryption)
|
206
|
+
set_rails_config(true_value, :active_support, :use_authenticated_message_encryption)
|
207
|
+
set_rails_config(true_value, :active_support, :use_sha1_digests)
|
208
|
+
set_rails_config(true_value, :action_controller, :default_protect_from_forgery)
|
209
|
+
set_rails_config(true_value, :action_view, :form_with_generates_ids)
|
210
|
+
end
|
211
|
+
|
212
|
+
if version >= 6.0
|
213
|
+
set_rails_config(Sexp.new(:lit, :zeitwerk), :autoloader)
|
214
|
+
set_rails_config(false_value, :action_view, :default_enforce_utf8)
|
215
|
+
set_rails_config(true_value, :action_dispatch, :use_cookies_with_metadata)
|
216
|
+
set_rails_config(false_value, :action_dispatch, :return_only_media_type_on_content_type)
|
217
|
+
set_rails_config(Sexp.new(:str, 'ActionMailer::MailDeliveryJob'), :action_mailer, :delivery_job)
|
218
|
+
set_rails_config(true_value, :active_job, :return_false_on_aborted_enqueue)
|
219
|
+
set_rails_config(Sexp.new(:lit, :active_storage_analysis), :active_storage, :queues, :analysis)
|
220
|
+
set_rails_config(Sexp.new(:lit, :active_storage_purge), :active_storage, :queues, :purge)
|
221
|
+
set_rails_config(true_value, :active_storage, :replace_on_assign_to_many)
|
222
|
+
set_rails_config(true_value, :active_record, :collection_cache_versioning)
|
223
|
+
end
|
224
|
+
end
|
152
225
|
end
|
153
226
|
end
|
data/lib/brakeman/util.rb
CHANGED
@@ -321,7 +321,7 @@ module Brakeman::Util
|
|
321
321
|
if node_type? current, :class
|
322
322
|
return true
|
323
323
|
elsif sexp? current
|
324
|
-
todo = current
|
324
|
+
todo = current.sexp_body.concat todo
|
325
325
|
end
|
326
326
|
end
|
327
327
|
|
@@ -334,7 +334,7 @@ module Brakeman::Util
|
|
334
334
|
if args.empty? or args.first.empty?
|
335
335
|
#nothing to do
|
336
336
|
elsif node_type? args.first, :arglist
|
337
|
-
call.concat args.first
|
337
|
+
call.concat args.first.sexp_body
|
338
338
|
elsif args.first.node_type.is_a? Sexp #just a list of args
|
339
339
|
call.concat args.first
|
340
340
|
else
|
data/lib/brakeman/version.rb
CHANGED
data/lib/brakeman/warning.rb
CHANGED
@@ -275,6 +275,14 @@ class Brakeman::Warning
|
|
275
275
|
self.file.relative
|
276
276
|
end
|
277
277
|
|
278
|
+
def check_name
|
279
|
+
@check_name ||= self.check.sub(/^Brakeman::Check/, '')
|
280
|
+
end
|
281
|
+
|
282
|
+
def confidence_name
|
283
|
+
TEXT_CONFIDENCE[self.confidence]
|
284
|
+
end
|
285
|
+
|
278
286
|
def to_hash absolute_paths: true
|
279
287
|
if self.called_from and not absolute_paths
|
280
288
|
render_path = self.called_from.with_relative_paths
|
@@ -285,7 +293,7 @@ class Brakeman::Warning
|
|
285
293
|
{ :warning_type => self.warning_type,
|
286
294
|
:warning_code => @warning_code,
|
287
295
|
:fingerprint => self.fingerprint,
|
288
|
-
:check_name => self.
|
296
|
+
:check_name => self.check_name,
|
289
297
|
:message => self.message.to_s,
|
290
298
|
:file => (absolute_paths ? self.file.absolute : self.file.relative),
|
291
299
|
:line => self.line,
|
@@ -294,7 +302,7 @@ class Brakeman::Warning
|
|
294
302
|
:render_path => render_path,
|
295
303
|
:location => self.location(false),
|
296
304
|
:user_input => (@user_input && self.format_user_input(false)),
|
297
|
-
:confidence =>
|
305
|
+
:confidence => self.confidence_name
|
298
306
|
}
|
299
307
|
end
|
300
308
|
|
data/lib/ruby_parser/bm_sexp.rb
CHANGED
@@ -175,7 +175,7 @@ class Sexp
|
|
175
175
|
start_index = 3
|
176
176
|
|
177
177
|
if exp.is_a? Sexp and exp.node_type == :arglist
|
178
|
-
exp = exp
|
178
|
+
exp = exp.sexp_body
|
179
179
|
end
|
180
180
|
|
181
181
|
exp.each_with_index do |e, i|
|
@@ -198,10 +198,10 @@ class Sexp
|
|
198
198
|
|
199
199
|
case self.node_type
|
200
200
|
when :call, :attrasgn, :safe_call, :safe_attrasgn
|
201
|
-
self
|
201
|
+
self.sexp_body(3).unshift :arglist
|
202
202
|
when :super, :zsuper
|
203
203
|
if self[1]
|
204
|
-
self
|
204
|
+
self.sexp_body.unshift :arglist
|
205
205
|
else
|
206
206
|
Sexp.new(:arglist)
|
207
207
|
end
|
@@ -218,13 +218,13 @@ class Sexp
|
|
218
218
|
case self.node_type
|
219
219
|
when :call, :attrasgn, :safe_call, :safe_attrasgn
|
220
220
|
if self[3]
|
221
|
-
self
|
221
|
+
self.sexp_body(3)
|
222
222
|
else
|
223
223
|
Sexp.new
|
224
224
|
end
|
225
225
|
when :super, :zsuper
|
226
226
|
if self[1]
|
227
|
-
self
|
227
|
+
self.sexp_body
|
228
228
|
else
|
229
229
|
Sexp.new
|
230
230
|
end
|
@@ -512,7 +512,7 @@ class Sexp
|
|
512
512
|
self.slice!(index..-1) #Remove old body
|
513
513
|
|
514
514
|
if exp.first == :rlist
|
515
|
-
exp = exp
|
515
|
+
exp = exp.sexp_body
|
516
516
|
end
|
517
517
|
|
518
518
|
#Insert new body
|
@@ -529,11 +529,11 @@ class Sexp
|
|
529
529
|
|
530
530
|
case self.node_type
|
531
531
|
when :defn, :class
|
532
|
-
self
|
532
|
+
self.sexp_body(3)
|
533
533
|
when :defs
|
534
|
-
self
|
534
|
+
self.sexp_body(4)
|
535
535
|
when :module
|
536
|
-
self
|
536
|
+
self.sexp_body(2)
|
537
537
|
end
|
538
538
|
end
|
539
539
|
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: brakeman-min
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 5.0.0
|
4
|
+
version: 5.0.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Justin Collins
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2021-01-27 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: minitest
|
@@ -349,9 +349,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
349
349
|
version: 2.4.0
|
350
350
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
351
351
|
requirements:
|
352
|
-
- - "
|
352
|
+
- - ">="
|
353
353
|
- !ruby/object:Gem::Version
|
354
|
-
version:
|
354
|
+
version: '0'
|
355
355
|
requirements: []
|
356
356
|
rubygems_version: 3.1.2
|
357
357
|
signing_key:
|