brakeman-min 6.2.1 → 6.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (7) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGES.md +6 -0
  3. data/README.md +0 -1
  4. data/lib/brakeman/checks/check_eol_rails.rb +6 -0
  5. data/lib/brakeman/checks/check_execute.rb +28 -0
  6. data/lib/brakeman/version.rb +1 -1
  7. metadata +3 -3
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: ece525fc06c4479c6a04e17d7e2b52d067cb63202c9a18a33cae12e972bd72bc
4
- data.tar.gz: c4bd2918a3446c76cae053d9cf861b3229fa960a7be84659f2111925a594c41c
3
+ metadata.gz: c7523d5074d9d9352e585ad32ec90148c7a66452610d27bc29b7de5fe6770df9
4
+ data.tar.gz: db9859643a7a8ed60a3bb721614fc4a8a2cf2910dcfb5e4b89b32bf20e2af75e
5
5
  SHA512:
6
- metadata.gz: 2669bbdd7dae63586cc805e012ce8fd7630c243691e43b4bc83c45a05ace92bbf58a98971556f9a444b622e6f5a5fcd4cabe8362359388990a9dbb1863ea40df
7
- data.tar.gz: 7837535a3dcfbec38ec65dc4899668c5daa2409657948b034bcc5a46ca6c67ed206580839ff1f04f18ee821efd2bcebbefcef199961abd0b0c3995b7cb5b7c28
6
+ metadata.gz: 536df54884f0d9b9dba43be944335119b4fb75cd4096b69cdcec15b1058cb039985cd8923542f5d0df667d5609813fac1c1a0f511ee8169d4f0771bebb3be5b0
7
+ data.tar.gz: 782ec2ca43bb670743915f255510182bc6399bae367aba68cdad17508916b16abddda1bd6d5874c168d690ef67909495e25289a680a69fb921d9a4dcffdb6a2d
data/CHANGES.md CHANGED
@@ -1,3 +1,9 @@
1
+ # 6.2.2 - 2024-10-15
2
+
3
+ * Ignore more native gems when building gem
4
+ * Revamp command injection in `pipeline*` calls
5
+ * New end-of-support dates for Rails
6
+
1
7
  # 6.2.1 - 2024-08-22
2
8
 
3
9
  Just a packaging fix for brakeman.gem
data/README.md CHANGED
@@ -2,7 +2,6 @@
2
2
 
3
3
  [![Build Status](https://circleci.com/gh/presidentbeef/brakeman.svg?style=svg)](https://circleci.com/gh/presidentbeef/brakeman)
4
4
  [![Test Coverage](https://api.codeclimate.com/v1/badges/1b08a5c74695cb0d11ec/test_coverage)](https://codeclimate.com/github/presidentbeef/brakeman/test_coverage)
5
- [![Gitter](https://badges.gitter.im/presidentbeef/brakeman.svg)](https://gitter.im/presidentbeef/brakeman)
6
5
 
7
6
  # Brakeman
8
7
 
data/lib/brakeman/checks/check_eol_rails.rb CHANGED
@@ -11,6 +11,8 @@ class Brakeman::CheckEOLRails < Brakeman::EOLCheck
11
11
  check_eol_version :rails, RAILS_EOL_DATES
12
12
  end
13
13
 
14
+ # https://rubyonrails.org/maintenance
15
+ # https://endoflife.date/rails
14
16
  RAILS_EOL_DATES = {
15
17
  ['2.0.0', '2.3.99'] => Date.new(2013, 6, 25),
16
18
  ['3.0.0', '3.2.99'] => Date.new(2016, 6, 30),
@@ -19,5 +21,9 @@ class Brakeman::CheckEOLRails < Brakeman::EOLCheck
19
21
  ['5.1.0', '5.1.99'] => Date.new(2019, 8, 25),
20
22
  ['5.2.0', '5.2.99'] => Date.new(2022, 6, 1),
21
23
  ['6.0.0', '6.0.99'] => Date.new(2023, 6, 1),
24
+ ['6.1.0', '6.1.99'] => Date.new(2024, 10, 1),
25
+ ['7.0.0', '7.0.99'] => Date.new(2025, 4, 1),
26
+ ['7.1.0', '7.1.99'] => Date.new(2025, 10, 1),
27
+ ['7.2.0', '7.2.99'] => Date.new(2026, 8, 9),
22
28
  }
23
29
  end
data/lib/brakeman/checks/check_execute.rb CHANGED
@@ -53,6 +53,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
53
53
  call = result[:call]
54
54
  args = call.arglist
55
55
  first_arg = call.first_arg
56
+ failure = nil
56
57
 
57
58
  case call.method
58
59
  when :popen
@@ -71,6 +72,33 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
71
72
  dangerous_interp?(first_arg[3]) ||
72
73
  dangerous_string_building?(first_arg[3])
73
74
  end
75
+ when :pipeline, :pipline_r, :pipeline_rw, :pipeline_w, :pipeline_start
76
+ # Since these pipeline commands pipe together several commands,
77
+ # need to check each argument. If it's an array, check first argument
78
+ # (the command) and also check for `bash -c`. Otherwise check the argument
79
+ # as a unit.
80
+
81
+ args.each do |arg|
82
+ next unless sexp? arg
83
+
84
+ if array?(arg)
85
+ # Check first element of array
86
+ failure = include_user_input?(arg[1]) ||
87
+ dangerous_interp?(arg[1]) ||
88
+ dangerous_string_building?(arg[1])
89
+
90
+ # Check for ['bash', '-c', user_input]
91
+ if dash_c_shell_command?(arg[1], arg[2])
92
+ failure = include_user_input?(arg[3]) ||
93
+ dangerous_interp?(arg[3]) ||
94
+ dangerous_string_building?(arg[3])
95
+ end
96
+ else
97
+ failure = include_user_input?(arg)
98
+ end
99
+
100
+ break if failure
101
+ end
74
102
  when :system, :exec
75
103
  # Normally, if we're in a `system` or `exec` call, we only are worried
76
104
  # about shell injection when there's a single argument, because comma-
data/lib/brakeman/version.rb CHANGED
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "6.2.1"
2
+ Version = "6.2.2"
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: brakeman-min
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.2.1
4
+ version: 6.2.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Justin Collins
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-08-22 00:00:00.000000000 Z
11
+ date: 2024-10-17 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: csv
@@ -377,7 +377,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
377
377
  - !ruby/object:Gem::Version
378
378
  version: '0'
379
379
  requirements: []
380
- rubygems_version: 3.5.11
380
+ rubygems_version: 3.3.27
381
381
  signing_key:
382
382
  specification_version: 4
383
383
  summary: Security vulnerability scanner for Ruby on Rails.