brakeman 0.9.0 → 0.9.1

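--- a/lib/checks/check_translate_bug.rb
+++ b/lib/checks/check_translate_bug.rb
@@ -0,0 +1,40 @@
+require 'checks/base_check'
+require 'processors/lib/find_call'
+
+#Check for vulnerability in translate() helper that allows cross-site scripting
+#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5
+class CheckTranslateBug < BaseCheck
+Checks.add self
+
+def run_check
+if (version_between?('2.3.0', '2.3.99') and OPTIONS[:escape_html]) or
+version_between?('3.0.0', '3.0.10') or
+version_between?('3.1.0', '3.1.1')
+
+if uses_translate?
+confidence = CONFIDENCE[:high]
+else
+confidence = CONFIDENCE[:med]
+end
+
+version = tracker.config[:rails_version]
+
+if version =~ /^3\.1/
+message = "Versions before 3.1.2 have a vulnerability in the translate helper."
+elsif version =~ /^3\.0/
+message = "Versions before 3.0.11 have a vulnerability in translate helper."
+else
+message = "Rails 2.3.x using the rails_xss plugin have a vulnerability in translate helper."
+end
+
+warn :warning_type => "Cross Site Scripting",
+:message => message,
+:confidence => confidence,
+:file => gemfile_or_environment
+end
+end
+
+def uses_translate?
+not tracker.find_call([], :translate).empty?
+end
+end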
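Review bot: The version gate in run_check is written with `and`/`or` across three continuation lines (`if (version_between?('2.3.0', '2.3.99') and OPTIONS[:escape_html]) or` …), which relies on the low, equal precedence of the keyword operators and reads as three independent ranges only after a second look; `&&`/`||` state the grouping unambiguously: `if (version_between?('2.3.0', '2.3.99') && OPTIONS[:escape_html]) ||` / `version_between?('3.0.0', '3.0.10') ||` / `version_between?('3.1.0', '3.1.1')`. The message selection anchors with `^` (`version =~ /^3\.1/`, `/^3\.0/`), which matches at any line start rather than the start of the string; `\A3\.1` and `\A3\.0` express the intended whole-string prefix, and since the branch that follows is the 2.3 wording, a version string that reaches this code without matching either prefix is silently reported as the rails_xss case. The dependency of the 2.3 range on `OPTIONS[:escape_html]` is explained only indirectly by the warning text, so a comment above the condition such as `# 2.3.x is affected only when output is escaped by default (the rails_xss case named in the message); 3.0.x < 3.0.11 and 3.1.x < 3.1.2 are affected regardless` would spare the next reader the inference. uses_translate? can also drop the keyword form for `!tracker.find_call([], :translate).empty?`.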
@@ -1 +1 @@
1
- Version = "0.9.0"
1
+ Version = "0.9.1"
metadata CHANGED
@@ -1,120 +1,90 @@
1
- --- !ruby/object:Gem::Specification
1
+ --- !ruby/object:Gem::Specification
2
2
  name: brakeman
3
- version: !ruby/object:Gem::Version
4
- prerelease: false
5
- segments:
6
- - 0
7
- - 9
8
- - 0
9
- version: 0.9.0
3
+ version: !ruby/object:Gem::Version
4
+ version: 0.9.1
5
+ prerelease:
10
6
  platform: ruby
11
- authors:
7
+ authors:
12
8
  - Justin Collins
13
9
  autorequire:
14
10
  bindir: bin
15
11
  cert_chain: []
16
-
17
- date: 2011-11-16 00:00:00 -08:00
18
- default_executable:
19
- dependencies:
20
- - !ruby/object:Gem::Dependency
12
+ date: 2011-11-18 00:00:00.000000000Z
13
+ dependencies:
14
+ - !ruby/object:Gem::Dependency
21
15
  name: activesupport
22
- prerelease: false
23
- requirement: &id001 !ruby/object:Gem::Requirement
16
+ requirement: &74757330 !ruby/object:Gem::Requirement
24
17
  none: false
25
- requirements:
18
+ requirements:
26
19
  - - ~>
27
- - !ruby/object:Gem::Version
28
- segments:
29
- - 2
30
- - 2
31
- version: "2.2"
20
+ - !ruby/object:Gem::Version
21
+ version: '2.2'
32
22
  type: :runtime
33
- version_requirements: *id001
34
- - !ruby/object:Gem::Dependency
35
- name: ruby2ruby
36
23
  prerelease: false
37
- requirement: &id002 !ruby/object:Gem::Requirement
24
+ version_requirements: *74757330
25
+ - !ruby/object:Gem::Dependency
26
+ name: ruby2ruby
27
+ requirement: &74757080 !ruby/object:Gem::Requirement
38
28
  none: false
39
- requirements:
29
+ requirements:
40
30
  - - ~>
41
- - !ruby/object:Gem::Version
42
- segments:
43
- - 1
44
- - 2
45
- - 4
31
+ - !ruby/object:Gem::Version
46
32
  version: 1.2.4
47
33
  type: :runtime
48
- version_requirements: *id002
49
- - !ruby/object:Gem::Dependency
50
- name: ruby_parser
51
34
  prerelease: false
52
- requirement: &id003 !ruby/object:Gem::Requirement
35
+ version_requirements: *74757080
36
+ - !ruby/object:Gem::Dependency
37
+ name: ruby_parser
38
+ requirement: &74756850 !ruby/object:Gem::Requirement
53
39
  none: false
54
- requirements:
55
- - - ">="
56
- - !ruby/object:Gem::Version
57
- segments:
58
- - 2
59
- - 3
60
- - 0
40
+ requirements:
41
+ - - ! '>='
42
+ - !ruby/object:Gem::Version
61
43
  version: 2.3.0
62
44
  type: :runtime
63
- version_requirements: *id003
64
- - !ruby/object:Gem::Dependency
65
- name: ruport
66
45
  prerelease: false
67
- requirement: &id004 !ruby/object:Gem::Requirement
46
+ version_requirements: *74756850
47
+ - !ruby/object:Gem::Dependency
48
+ name: ruport
49
+ requirement: &74756620 !ruby/object:Gem::Requirement
68
50
  none: false
69
- requirements:
51
+ requirements:
70
52
  - - ~>
71
- - !ruby/object:Gem::Version
72
- segments:
73
- - 1
74
- - 6
75
- - 3
53
+ - !ruby/object:Gem::Version
76
54
  version: 1.6.3
77
55
  type: :runtime
78
- version_requirements: *id004
79
- - !ruby/object:Gem::Dependency
80
- name: erubis
81
56
  prerelease: false
82
- requirement: &id005 !ruby/object:Gem::Requirement
57
+ version_requirements: *74756620
58
+ - !ruby/object:Gem::Dependency
59
+ name: erubis
60
+ requirement: &74756390 !ruby/object:Gem::Requirement
83
61
  none: false
84
- requirements:
62
+ requirements:
85
63
  - - ~>
86
- - !ruby/object:Gem::Version
87
- segments:
88
- - 2
89
- - 6
90
- - 5
64
+ - !ruby/object:Gem::Version
91
65
  version: 2.6.5
92
66
  type: :runtime
93
- version_requirements: *id005
94
- - !ruby/object:Gem::Dependency
95
- name: haml
96
67
  prerelease: false
97
- requirement: &id006 !ruby/object:Gem::Requirement
68
+ version_requirements: *74756390
69
+ - !ruby/object:Gem::Dependency
70
+ name: haml
71
+ requirement: &74756160 !ruby/object:Gem::Requirement
98
72
  none: false
99
- requirements:
73
+ requirements:
100
74
  - - ~>
101
- - !ruby/object:Gem::Version
102
- segments:
103
- - 3
104
- - 0
105
- - 12
75
+ - !ruby/object:Gem::Version
106
76
  version: 3.0.12
107
77
  type: :runtime
108
- version_requirements: *id006
109
- description: Brakeman detects security vulnerabilities in Ruby on Rails applications via static analysis.
78
+ prerelease: false
79
+ version_requirements: *74756160
80
+ description: Brakeman detects security vulnerabilities in Ruby on Rails applications
81
+ via static analysis.
110
82
  email:
111
- executables:
83
+ executables:
112
84
  - brakeman
113
85
  extensions: []
114
-
115
86
  extra_rdoc_files: []
116
-
117
- files:
87
+ files:
118
88
  - bin/brakeman
119
89
  - WARNING_TYPES
120
90
  - FEATURES
@@ -146,6 +116,7 @@ files:
146
116
  - lib/processors/erubis_template_processor.rb
147
117
  - lib/processors/template_processor.rb
148
118
  - lib/checks/check_send_file.rb
119
+ - lib/checks/check_translate_bug.rb
149
120
  - lib/checks/check_session_settings.rb
150
121
  - lib/checks/check_nested_attributes.rb
151
122
  - lib/checks/check_strip_tags.rb
@@ -180,37 +151,28 @@ files:
180
151
  - lib/checks.rb
181
152
  - lib/processor.rb
182
153
  - lib/format/style.css
183
- has_rdoc: true
184
154
  homepage: http://brakemanscanner.org
185
155
  licenses: []
186
-
187
156
  post_install_message:
188
157
  rdoc_options: []
189
-
190
- require_paths:
158
+ require_paths:
191
159
  - lib
192
- required_ruby_version: !ruby/object:Gem::Requirement
160
+ required_ruby_version: !ruby/object:Gem::Requirement
193
161
  none: false
194
- requirements:
195
- - - ">="
196
- - !ruby/object:Gem::Version
197
- segments:
198
- - 0
199
- version: "0"
200
- required_rubygems_version: !ruby/object:Gem::Requirement
162
+ requirements:
163
+ - - ! '>='
164
+ - !ruby/object:Gem::Version
165
+ version: '0'
166
+ required_rubygems_version: !ruby/object:Gem::Requirement
201
167
  none: false
202
- requirements:
203
- - - ">="
204
- - !ruby/object:Gem::Version
205
- segments:
206
- - 0
207
- version: "0"
168
+ requirements:
169
+ - - ! '>='
170
+ - !ruby/object:Gem::Version
171
+ version: '0'
208
172
  requirements: []
209
-
210
173
  rubyforge_project:
211
- rubygems_version: 1.3.7
174
+ rubygems_version: 1.8.6
212
175
  signing_key:
213
176
  specification_version: 3
214
177
  summary: Security vulnerability scanner for Ruby on Rails.
215
178
  test_files: []
216
-