brakeman 0.9.0 → 0.9.1

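--- /dev/null
+++ b/lib/checks/check_translate_bug.rb
@@ -0,0 +1,40 @@
+require 'checks/base_check'
+require 'processors/lib/find_call'
+
+#Check for vulnerability in translate() helper that allows cross-site scripting
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5
+class CheckTranslateBug < BaseCheck
+Checks.add self
+
+def run_check
+if (version_between?('2.3.0', '2.3.99') and OPTIONS[:escape_html]) or
+version_between?('3.0.0', '3.0.10') or
+version_between?('3.1.0', '3.1.1')
+
+if uses_translate?
+confidence = CONFIDENCE[:high]
+else
+confidence = CONFIDENCE[:med]
+end
+
+version = tracker.config[:rails_version]
+
+if version =~ /^3\.1/
+message = "Versions before 3.1.2 have a vulnerability in the translate helper."
+elsif version =~ /^3\.0/
+message = "Versions before 3.0.11 have a vulnerability in translate helper."
+else
+message = "Rails 2.3.x using the rails_xss plugin have a vulnerability in translate helper."
+end
+
+warn :warning_type => "Cross Site Scripting",
+:message => message,
+:confidence => confidence,
+:file => gemfile_or_environment
+end
+end
+
+def uses_translate?
+not tracker.find_call([], :translate).empty?
+end
+end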
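Review bot: `uses_translate?` only looks for calls named `translate` (`tracker.find_call([], :translate)`), so an application that reaches the same helper through the `t` alias Rails defines for it will be reported at `CONFIDENCE[:med]` instead of `CONFIDENCE[:high]`; consider also matching `:t`, e.g. `tracker.find_call([], [:translate, :t])` if `find_call` accepts a list of method names, otherwise OR the two lookups. The version gate at the top of `run_check` mixes `and`/`or`; it is correct only because of the explicit parentheses, and `&&`/`||` would make the grouping hold without relying on them. A short comment above that gate tying the ranges to the messages below would help maintainers, e.g. `# Fixed in 3.0.11 / 3.1.2; 2.3.x is affected only when rails_xss (escape_html) is enabled`.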
@@ -1 +1 @@
1
- Version = "0.9.0"
1
+ Version = "0.9.1"
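--- a/metadata
+++ b/metadata
@@ -1,120 +1,90 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification
 name: brakeman
-version: !ruby/object:Gem::Version
-prerelease: false
-segments:
-- 0
-- 9
-- 0
-version: 0.9.0
+version: !ruby/object:Gem::Version
+version: 0.9.1
+prerelease:
 platform: ruby
-authors:
+authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-
-date: 2011-11-16 00:00:00 -08:00
-default_executable:
-dependencies:
-- !ruby/object:Gem::Dependency
+date: 2011-11-18 00:00:00.000000000Z
+dependencies:
+- !ruby/object:Gem::Dependency
 name: activesupport
-prerelease: false
-requirement: &id001 !ruby/object:Gem::Requirement
+requirement: &74757330 !ruby/object:Gem::Requirement
 none: false
-requirements:
+requirements:
 - - ~>
-- !ruby/object:Gem::Version
-segments:
-- 2
-- 2
-version: "2.2"
+- !ruby/object:Gem::Version
+version: '2.2'
 type: :runtime
-version_requirements: *id001
-- !ruby/object:Gem::Dependency
-name: ruby2ruby
 prerelease: false
-requirement: &id002 !ruby/object:Gem::Requirement
+version_requirements: *74757330
+- !ruby/object:Gem::Dependency
+name: ruby2ruby
+requirement: &74757080 !ruby/object:Gem::Requirement
 none: false
-requirements:
+requirements:
 - - ~>
-- !ruby/object:Gem::Version
-segments:
-- 1
-- 2
-- 4
+- !ruby/object:Gem::Version
 version: 1.2.4
 type: :runtime
-version_requirements: *id002
-- !ruby/object:Gem::Dependency
-name: ruby_parser
 prerelease: false
-requirement: &id003 !ruby/object:Gem::Requirement
+version_requirements: *74757080
+- !ruby/object:Gem::Dependency
+name: ruby_parser
+requirement: &74756850 !ruby/object:Gem::Requirement
 none: false
-requirements:
-- - ">="
-- !ruby/object:Gem::Version
-segments:
-- 2
-- 3
-- 0
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
 version: 2.3.0
 type: :runtime
-version_requirements: *id003
-- !ruby/object:Gem::Dependency
-name: ruport
 prerelease: false
-requirement: &id004 !ruby/object:Gem::Requirement
+version_requirements: *74756850
+- !ruby/object:Gem::Dependency
+name: ruport
+requirement: &74756620 !ruby/object:Gem::Requirement
 none: false
-requirements:
+requirements:
 - - ~>
-- !ruby/object:Gem::Version
-segments:
-- 1
-- 6
-- 3
+- !ruby/object:Gem::Version
 version: 1.6.3
 type: :runtime
-version_requirements: *id004
-- !ruby/object:Gem::Dependency
-name: erubis
 prerelease: false
-requirement: &id005 !ruby/object:Gem::Requirement
+version_requirements: *74756620
+- !ruby/object:Gem::Dependency
+name: erubis
+requirement: &74756390 !ruby/object:Gem::Requirement
 none: false
-requirements:
+requirements:
 - - ~>
-- !ruby/object:Gem::Version
-segments:
-- 2
-- 6
-- 5
+- !ruby/object:Gem::Version
 version: 2.6.5
 type: :runtime
-version_requirements: *id005
-- !ruby/object:Gem::Dependency
-name: haml
 prerelease: false
-requirement: &id006 !ruby/object:Gem::Requirement
+version_requirements: *74756390
+- !ruby/object:Gem::Dependency
+name: haml
+requirement: &74756160 !ruby/object:Gem::Requirement
 none: false
-requirements:
+requirements:
 - - ~>
-- !ruby/object:Gem::Version
-segments:
-- 3
-- 0
-- 12
+- !ruby/object:Gem::Version
 version: 3.0.12
 type: :runtime
-version_requirements: *id006
-description: Brakeman detects security vulnerabilities in Ruby on Rails applications via static analysis.
+prerelease: false
+version_requirements: *74756160
+description: Brakeman detects security vulnerabilities in Ruby on Rails applications
+via static analysis.
 email:
-executables:
+executables:
 - brakeman
 extensions: []
-
 extra_rdoc_files: []
-
-files:
+files:
 - bin/brakeman
 - WARNING_TYPES
 - FEATURES
@@ -146,6 +116,7 @@ files:
 - lib/processors/erubis_template_processor.rb
 - lib/processors/template_processor.rb
 - lib/checks/check_send_file.rb
+- lib/checks/check_translate_bug.rb
 - lib/checks/check_session_settings.rb
 - lib/checks/check_nested_attributes.rb
 - lib/checks/check_strip_tags.rb
@@ -180,37 +151,28 @@ files:
 - lib/checks.rb
 - lib/processor.rb
 - lib/format/style.css
-has_rdoc: true
 homepage: http://brakemanscanner.org
 licenses: []
-
 post_install_message:
 rdoc_options: []
-
-require_paths:
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
+required_ruby_version: !ruby/object:Gem::Requirement
 none: false
-requirements:
-- - ">="
-- !ruby/object:Gem::Version
-segments:
-- 0
-version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
 none: false
-requirements:
-- - ">="
-- !ruby/object:Gem::Version
-segments:
-- 0
-version: "0"
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: '0'
 requirements: []
-
 rubyforge_project:
-rubygems_version: 1.3.7
+rubygems_version: 1.8.6
 signing_key:
 specification_version: 3
 summary: Security vulnerability scanner for Ruby on Rails.
 test_files: []
-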