RubyGems - brakeman - Versions diffs - 0.6.0 → 0.6.1 - Mend

brakeman 0.6.0 → 0.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

data/lib/checks/check_cross_site_scripting.rb +11 -6
data/lib/checks/check_session_settings.rb +4 -6
data/lib/checks/check_validation_regex.rb +8 -6
data/lib/version.rb +1 -1
metadata +3 -3

data/lib/checks/check_cross_site_scripting.rb CHANGED Viewed

@@ -16,11 +16,13 @@ class CheckCrossSiteScripting < BaseCheck
   #Ignore these methods and their arguments.
   #It is assumed they will take care of escaping their output.
-  IGNORE_METHODS = Set.new([:h, :escapeHTML, :link_to, :text_field_tag, :hidden_field_tag,
-                           :image_tag, :select, :submit_tag, :hidden_field, :url_encode,
-                           :radio_button, :will_paginate, :button_to, :url_for, :mail_to,
-                           :fields_for, :label, :text_area, :text_field, :hidden_field, :check_box,
-                           :field_field])
+  IGNORE_METHODS = Set.new([:button_to, :check_box, :escapeHTML, :escape_once,
+                           :field_field, :fields_for, :h, :hidden_field,
+                           :hidden_field, :hidden_field_tag, :image_tag, :label,
+                           :link_to, :mail_to, :radio_button, :select,
+                           :submit_tag, :text_area, :text_field,
+                           :text_field_tag, :url_encode, :url_for,
+                           :will_paginate] )
   #Model methods which are known to be harmless
   IGNORE_MODEL_METHODS = Set.new([:average, :count, :maximum, :minimum, :sum])
@@ -150,6 +152,8 @@ class CheckCrossSiteScripting < BaseCheck
         message = "Unescaped model attribute"
       elsif @matched == :params
         message = "Unescaped parameter value"
+      elsif @matched == :cookies
+        message = "Unescaped cookie value"
       end
       if message and not duplicate? exp
@@ -197,8 +201,9 @@ class CheckCrossSiteScripting < BaseCheck
       exp[0] = :ignore
       @matched = false
     elsif sexp? exp[1] and model_name? exp[1][1]
       @matched = :model
+    elsif cookies? exp or cookies? target or COOKIES == exp or COOKIES == target
+      @matched = :cookies
     elsif @inspect_arguments and (ALL_PARAMETERS.include?(exp) or params? exp)
       @matched = :params
     elsif @inspect_arguments

data/lib/checks/check_session_settings.rb CHANGED Viewed

@@ -27,10 +27,9 @@ class CheckSessionSettings < BaseCheck
   def process_attrasgn exp
     if not OPTIONS[:rails3] and exp[1] == SessionSettings and exp[2] == :session=
       check_for_issues exp[3][1], "#{OPTIONS[:app_path]}/config/initializers/session_store.rb"
-      exp
-    else
-      super
     end
+    exp
   end
   #Looks for Rails3::Application.config.session_store :cookie_store, { ... }
@@ -38,10 +37,9 @@ class CheckSessionSettings < BaseCheck
   def process_call exp
     if OPTIONS[:rails3] and exp[1] == SessionSettings and exp[2] == :session_store
         check_for_issues exp[3][2], "#{OPTIONS[:app_path]}/config/initializers/session_store.rb"
-      exp
-    else
-      super
     end
+    exp
   end
   private

data/lib/checks/check_validation_regex.rb CHANGED Viewed

@@ -39,12 +39,14 @@ class CheckValidationRegex < BaseCheck
     return unless regexp? value
     regex = value[1].inspect
-    if regex =~ /[^\A].*[^\z]\/(m|i|x|n|e|u|s|o)*\z/
-      warn :model => @current_model,
-        :warning_type => "Format Validation",
-        :message => "Insufficient validation for '#{get_name validator}' using #{value[1].inspect}. Use \\A and \\z as anchors",
-        :line => value.line,
-        :confidence => CONFIDENCE[:high]
+    if regex =~ /^\/(.{2}).*(.{2})\/(m|i|x|n|e|u|s|o)*\z/
+      if $1 != "\\A" or ($2 != "\\Z" and $2 != "\\z")
+        warn :model => @current_model,
+          :warning_type => "Format Validation",
+          :message => "Insufficient validation for '#{get_name validator}' using #{value[1].inspect}. Use \\A and \\z as anchors",
+          :line => value.line,
+          :confidence => CONFIDENCE[:high]
+      end
     end
   end

data/lib/version.rb CHANGED Viewed

	@@ -1 +1 @@
1	- Version = "0.6.0"
1	+ Version = "0.6.1"

metadata CHANGED Viewed

@@ -5,8 +5,8 @@ version: !ruby/object:Gem::Version
   segments:
   - 0
   - 6
-  - 0
-  version: 0.6.0
+  - 1
+  version: 0.6.1
 platform: ruby
 authors:
 - Justin Collins
@@ -14,7 +14,7 @@ autorequire:
 bindir: bin
 cert_chain: []
-date: 2011-07-20 00:00:00 -07:00
+date: 2011-07-29 00:00:00 -07:00
 default_executable:
 dependencies:
 - !ruby/object:Gem::Dependency