RubyGems - brakeman - Versions diffs - 1.2.1 → 1.2.2 - Mend

brakeman 1.2.1 → 1.2.2

Files changed (7) hide show

data/lib/brakeman.rb +3 -1
data/lib/brakeman/checks/check_cross_site_scripting.rb +0 -124
data/lib/brakeman/checks/check_link_to.rb +126 -0
data/lib/brakeman/processors/lib/rails2_route_processor.rb +3 -3
data/lib/brakeman/rescanner.rb +8 -0
data/lib/brakeman/version.rb +1 -1
metadata +110 -74

data/lib/brakeman.rb CHANGED Viewed

@@ -48,7 +48,9 @@ module Brakeman
     @quiet = !!options[:quiet]
     @debug = !!options[:debug]
-    options[:report_progress] = !@quiet
+    if @quiet
+      options[:report_progress] = false
+    end
     scan options
   end

data/lib/brakeman/checks/check_cross_site_scripting.rb CHANGED Viewed

@@ -44,12 +44,6 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
     @models = tracker.models.keys
     @inspect_arguments = tracker.options[:check_arguments]
-    if version_between?("2.0.0", "2.9.9") and not tracker.config[:escape_html]
-      link_to_check = Brakeman::CheckLinkTo.new(tracker)
-      link_to_check.run_check
-      warnings.concat link_to_check.warnings unless link_to_check.warnings.empty?
-    end
     @known_dangerous = Set.new([:truncate, :concat])
     if version_between? "2.0.0", "3.0.5"
@@ -264,121 +258,3 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
     exp[1].node_type == :call and exp[1][2] == :raw
   end
 end
-#This _only_ checks calls to link_to
-class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
-  def run_check
-    @ignore_methods = Set.new([:button_to, :check_box, :escapeHTML, :escape_once,
-                           :field_field, :fields_for, :h, :hidden_field,
-                           :hidden_field, :hidden_field_tag, :image_tag, :label,
-                           :mail_to, :radio_button, :select,
-                           :submit_tag, :text_area, :text_field,
-                           :text_field_tag, :url_encode, :url_for,
-                           :will_paginate] ).merge tracker.options[:safe_methods]
-    @known_dangerous = []
-    #Ideally, I think this should also check to see if people are setting
-    #:escape => false
-    methods = tracker.find_call :target => false, :method => :link_to
-    @models = tracker.models.keys
-    @inspect_arguments = tracker.options[:check_arguments]
-    methods.each do |call|
-      process_result call
-    end
-  end
-  def process_result result
-    #Have to make a copy of this, otherwise it will be changed to
-    #an ignored method call by the code above.
-    call = result[:call] = result[:call].dup
-    @matched = false
-    return if call[3][1].nil?
-    #Only check first argument for +link_to+, as the second
-    #will *usually* be a record or escaped.
-    first_arg = process call[3][1]
-    type, match = has_immediate_user_input? first_arg
-    if type
-      case type
-      when :params
-        message = "Unescaped parameter value in link_to"
-      when :cookies
-        message = "Unescaped cookie value in link_to"
-      else
-        message = "Unescaped user input value in link_to"
-      end
-      unless duplicate? result
-        add_result result
-        warn :result => result,
-          :warning_type => "Cross Site Scripting",
-          :message => message,
-          :confidence => CONFIDENCE[:high]
-      end
-    elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(first_arg)
-      method = match[2]
-      unless duplicate? result or IGNORE_MODEL_METHODS.include? method
-        add_result result
-        if MODEL_METHODS.include? method or method.to_s =~ /^find_by/
-          confidence = CONFIDENCE[:high]
-        else
-          confidence = CONFIDENCE[:med]
-        end
-        warn :result => result,
-          :warning_type => "Cross Site Scripting",
-          :message => "Unescaped model attribute in link_to",
-          :confidence => confidence
-      end
-    elsif @matched
-      if @matched == :model and not tracker.options[:ignore_model_output]
-        message = "Unescaped model attribute in link_to"
-      elsif @matched == :params
-        message = "Unescaped parameter value in link_to"
-      end
-      if message and not duplicate? result
-        add_result result
-        warn :result => result,
-          :warning_type => "Cross Site Scripting",
-          :message => message,
-          :confidence => CONFIDENCE[:med]
-      end
-    end
-  end
-  def process_call exp
-    @mark = true
-    actually_process_call exp
-    exp
-  end
-  def actually_process_call exp
-    return if @matched
-    target = exp[1]
-    if sexp? target
-      target = process target.dup
-    end
-    #Bare records create links to the model resource,
-    #not a string that could have injection
-    if model_name? target and context == [:call, :arglist]
-      return exp
-    end
-    super
-  end
-end

data/lib/brakeman/checks/check_link_to.rb ADDED Viewed

@@ -0,0 +1,126 @@
+require 'brakeman/checks/check_cross_site_scripting'
+#Checks for calls to link_to in versions of Ruby where link_to did not
+#escape the first argument.
+#
+#See https://rails.lighthouseapp.com/projects/8994/tickets/3518-link_to-doesnt-escape-its-input
+class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
+  Brakeman::Checks.add self
+  def run_check
+    return unless version_between?("2.0.0", "2.9.9") and not tracker.config[:escape_html]
+    @ignore_methods = Set.new([:button_to, :check_box, :escapeHTML, :escape_once,
+                           :field_field, :fields_for, :h, :hidden_field,
+                           :hidden_field, :hidden_field_tag, :image_tag, :label,
+                           :mail_to, :radio_button, :select,
+                           :submit_tag, :text_area, :text_field,
+                           :text_field_tag, :url_encode, :url_for,
+                           :will_paginate] ).merge tracker.options[:safe_methods]
+    @known_dangerous = []
+    #Ideally, I think this should also check to see if people are setting
+    #:escape => false
+    methods = tracker.find_call :target => false, :method => :link_to
+    @models = tracker.models.keys
+    @inspect_arguments = tracker.options[:check_arguments]
+    methods.each do |call|
+      process_result call
+    end
+  end
+  def process_result result
+    #Have to make a copy of this, otherwise it will be changed to
+    #an ignored method call by the code above.
+    call = result[:call] = result[:call].dup
+    @matched = false
+    return if call[3][1].nil?
+    #Only check first argument for +link_to+, as the second
+    #will *usually* be a record or escaped.
+    first_arg = process call[3][1]
+    type, match = has_immediate_user_input? first_arg
+    if type
+      case type
+      when :params
+        message = "Unescaped parameter value in link_to"
+      when :cookies
+        message = "Unescaped cookie value in link_to"
+      else
+        message = "Unescaped user input value in link_to"
+      end
+      unless duplicate? result
+        add_result result
+        warn :result => result,
+          :warning_type => "Cross Site Scripting",
+          :message => message,
+          :confidence => CONFIDENCE[:high]
+      end
+    elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(first_arg)
+      method = match[2]
+      unless duplicate? result or IGNORE_MODEL_METHODS.include? method
+        add_result result
+        if MODEL_METHODS.include? method or method.to_s =~ /^find_by/
+          confidence = CONFIDENCE[:high]
+        else
+          confidence = CONFIDENCE[:med]
+        end
+        warn :result => result,
+          :warning_type => "Cross Site Scripting",
+          :message => "Unescaped model attribute in link_to",
+          :confidence => confidence
+      end
+    elsif @matched
+      if @matched == :model and not tracker.options[:ignore_model_output]
+        message = "Unescaped model attribute in link_to"
+      elsif @matched == :params
+        message = "Unescaped parameter value in link_to"
+      end
+      if message and not duplicate? result
+        add_result result
+        warn :result => result,
+          :warning_type => "Cross Site Scripting",
+          :message => message,
+          :confidence => CONFIDENCE[:med]
+      end
+    end
+  end
+  def process_call exp
+    @mark = true
+    actually_process_call exp
+    exp
+  end
+  def actually_process_call exp
+    return if @matched
+    target = exp[1]
+    if sexp? target
+      target = process target.dup
+    end
+    #Bare records create links to the model resource,
+    #not a string that could have injection
+    if model_name? target and context == [:call, :arglist]
+      return exp
+    end
+    super
+  end
+end

data/lib/brakeman/processors/lib/rails2_route_processor.rb CHANGED Viewed

@@ -69,7 +69,7 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BaseProcessor
         process_namespace exp
       when :resources, :resource
         process_resources exp[1][3][1..-1]
-        process_default exp[3]
+        process_default exp[3] if exp[3]
       when :with_options
         process_with_options exp
       end
@@ -111,7 +111,7 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BaseProcessor
     hash_iterate(exp) do |option, value|
       case option[1]
       when :controller, :requirements, :singular, :path_prefix, :as,
-        :path_names, :shallow, :name_prefix
+        :path_names, :shallow, :name_prefix, :member_path, :nested_member_path
         #should be able to skip
       when :collection, :member, :new
         process_collection value
@@ -128,7 +128,7 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BaseProcessor
       when :except
         process_option_except value
       else
-        raise "Unhandled resource option: #{option}"
+        Brakeman.notify "[Notice] Unhandled resource option: #{option}"
       end
     end
   end

data/lib/brakeman/rescanner.rb CHANGED Viewed

@@ -245,6 +245,14 @@ class Brakeman::RescanReport
     @diff ||= @new_results.diff(@old_results)
   end
+  #Returns an array of warnings which were in the old report and the new report
+  def existing_warnings
+    @old ||= all_warnings.select do |w|
+      not new_warnings.include? w
+    end
+  end
+  #Output total, fixed, and new warnings
   def to_s
     <<-OUTPUT
 Total warnings: #{all_warnings.length}

data/lib/brakeman/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "1.2.1"
+  Version = "1.2.2"
 end

metadata CHANGED Viewed

@@ -1,101 +1,127 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification
 name: brakeman
-version: !ruby/object:Gem::Version
-  version: 1.2.1
-  prerelease:
+version: !ruby/object:Gem::Version
+  prerelease: false
+  segments:
+  - 1
+  - 2
+  - 2
+  version: 1.2.2
 platform: ruby
-authors:
+authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-01-20 00:00:00.000000000 Z
-dependencies:
-- !ruby/object:Gem::Dependency
+date: 2012-01-26 00:00:00 -08:00
+default_executable:
+dependencies:
+- !ruby/object:Gem::Dependency
   name: activesupport
-  requirement: &76221240 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement
     none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        segments:
+        - 0
+        version: "0"
   type: :runtime
-  prerelease: false
-  version_requirements: *76221240
-- !ruby/object:Gem::Dependency
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency
   name: i18n
-  requirement: &76220920 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement
     none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        segments:
+        - 0
+        version: "0"
   type: :runtime
-  prerelease: false
-  version_requirements: *76220920
-- !ruby/object:Gem::Dependency
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency
   name: ruby2ruby
-  requirement: &76220320 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement
     none: false
-    requirements:
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '1.2'
+      - !ruby/object:Gem::Version
+        segments:
+        - 1
+        - 2
+        version: "1.2"
   type: :runtime
-  prerelease: false
-  version_requirements: *76220320
-- !ruby/object:Gem::Dependency
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency
   name: ruport
-  requirement: &76219720 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement
     none: false
-    requirements:
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '1.6'
+      - !ruby/object:Gem::Version
+        segments:
+        - 1
+        - 6
+        version: "1.6"
   type: :runtime
-  prerelease: false
-  version_requirements: *76219720
-- !ruby/object:Gem::Dependency
+  version_requirements: *id004
+- !ruby/object:Gem::Dependency
   name: erubis
-  requirement: &76943790 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id005 !ruby/object:Gem::Requirement
     none: false
-    requirements:
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '2.6'
+      - !ruby/object:Gem::Version
+        segments:
+        - 2
+        - 6
+        version: "2.6"
   type: :runtime
-  prerelease: false
-  version_requirements: *76943790
-- !ruby/object:Gem::Dependency
+  version_requirements: *id005
+- !ruby/object:Gem::Dependency
   name: haml
-  requirement: &76943560 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id006 !ruby/object:Gem::Requirement
     none: false
-    requirements:
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '3.0'
+      - !ruby/object:Gem::Version
+        segments:
+        - 3
+        - 0
+        version: "3.0"
   type: :runtime
-  prerelease: false
-  version_requirements: *76943560
-- !ruby/object:Gem::Dependency
+  version_requirements: *id006
+- !ruby/object:Gem::Dependency
   name: sass
-  requirement: &76943330 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id007 !ruby/object:Gem::Requirement
     none: false
-    requirements:
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '3.0'
+      - !ruby/object:Gem::Version
+        segments:
+        - 3
+        - 0
+        version: "3.0"
   type: :runtime
-  prerelease: false
-  version_requirements: *76943330
-description: Brakeman detects security vulnerabilities in Ruby on Rails applications
-  via static analysis.
+  version_requirements: *id007
+description: Brakeman detects security vulnerabilities in Ruby on Rails applications via static analysis.
 email:
-executables:
+executables:
 - brakeman
 extensions: []
 extra_rdoc_files: []
-files:
+files:
 - bin/brakeman
 - WARNING_TYPES
 - FEATURES
@@ -147,6 +173,7 @@ files:
 - lib/brakeman/checks/check_evaluation.rb
 - lib/brakeman/checks/check_quote_table_name.rb
 - lib/brakeman/checks/check_validation_regex.rb
+- lib/brakeman/checks/check_link_to.rb
 - lib/brakeman/checks/check_execute.rb
 - lib/brakeman/checks/check_filter_skipping.rb
 - lib/brakeman/checks/check_mail_to.rb
@@ -168,28 +195,37 @@ files:
 - lib/brakeman/processor.rb
 - lib/brakeman.rb
 - lib/brakeman/format/style.css
+has_rdoc: true
 homepage: http://brakemanscanner.org
 licenses: []
 post_install_message:
 rdoc_options: []
-require_paths:
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
+required_ruby_version: !ruby/object:Gem::Requirement
   none: false
-  requirements:
-  - - ! '>='
-    - !ruby/object:Gem::Version
-      version: '0'
-required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      segments:
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
-  requirements:
-  - - ! '>='
-    - !ruby/object:Gem::Version
-      version: '0'
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      segments:
+      - 0
+      version: "0"
 requirements: []
 rubyforge_project:
-rubygems_version: 1.8.10
+rubygems_version: 1.3.7
 signing_key:
 specification_version: 3
 summary: Security vulnerability scanner for Ruby on Rails.
 test_files: []