RubyGems - brakeman - Versions diffs - 1.5.0 → 1.5.1 - Mend

brakeman 1.5.0 → 1.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

data/README.md +3 -2
data/bin/brakeman +3 -0
data/lib/brakeman/checks/base_check.rb +24 -4
data/lib/brakeman/checks/check_cross_site_scripting.rb +1 -1
data/lib/brakeman/processors/base_processor.rb +23 -2
data/lib/brakeman/processors/controller_processor.rb +1 -1
data/lib/brakeman/processors/lib/find_call.rb +1 -1
data/lib/brakeman/processors/lib/render_helper.rb +1 -0
data/lib/brakeman/scanner.rb +4 -5
data/lib/brakeman/version.rb +1 -1
metadata +72 -115

data/README.md CHANGED Viewed

@@ -39,7 +39,7 @@ To specify an output file for the results:
     brakeman -o output_file
-The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `csv`, and `tabs`.
+The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json` and `csv`.
 To suppress informational warnings and just output the report:
@@ -103,7 +103,7 @@ Brakeman will raise warnings on models that use `attr_protected`. To suppress th
 # Warning information
-See WARNING_TYPES for more information on the warnings reported by this tool.
+See WARNING\_TYPES for more information on the warnings reported by this tool.
 # Warning context
@@ -140,6 +140,7 @@ The `-c` option can be used to specify a configuration file to use.
 The MIT License
 Copyright (c) 2010-2012, YELLOWPAGES.COM, LLC
 Copyright (c) 2012, Twitter, Inc.
 Permission is hereby granted, free of charge, to any person obtaining a copy

data/bin/brakeman CHANGED Viewed

@@ -8,6 +8,9 @@ require 'brakeman/version'
 trap("INT") do
   $stderr.puts "\nInterrupted - exiting."
+  if RUBY_VERSION.include? "1.9"
+    $stderr.puts Thread.current.backtrace
+  end
   exit!
 end

data/lib/brakeman/checks/base_check.rb CHANGED Viewed

@@ -21,6 +21,7 @@ class Brakeman::BaseCheck < SexpProcessor
     @string_interp = false
     @current_set = nil
     @current_template = @current_module = @current_class = @current_method = nil
+    @mass_assign_disabled = nil
     self.strict = false
     self.auto_shift_type = false
     self.require_empty = false
@@ -119,23 +120,42 @@ class Brakeman::BaseCheck < SexpProcessor
   #Checks if mass assignment is disabled globally in an initializer.
   def mass_assign_disabled?
+    return @mass_assign_disabled unless @mass_assign_disabled.nil?
+    @mass_assign_disabled = false
     if version_between?("3.1.0", "4.0.0") and
       tracker.config[:rails][:active_record] and
       tracker.config[:rails][:active_record][:whitelist_attributes] == Sexp.new(:true)
-      return true
+      @mass_assign_disabled = true
     else
       matches = tracker.check_initializers(:"ActiveRecord::Base", :send)
       if matches.empty?
-        false
+        matches = tracker.check_initializers([], :attr_accessible)
+        matches.each do |result|
+          if result[1] == :ActiveRecord and result[2] == :Base
+            arg = result[-1][3][1]
+            if arg.nil? or node_type? arg, :nil
+              @mass_assign_disabled = true
+              break
+            end
+          end
+        end
       else
         matches.each do |result|
-          if result[3][3] == Sexp.new(:arg_list, Sexp.new(:lit, :attr_accessible), Sexp.new(:nil))
-            return true
+          if result[-1][3] == Sexp.new(:arglist, Sexp.new(:lit, :attr_accessible), Sexp.new(:nil))
+            @mass_assign_disabled = true
+            break
           end
         end
       end
     end
+    @mass_assign_disabled
   end
   #This is to avoid reporting duplicates. Checks if the result has been

data/lib/brakeman/checks/check_cross_site_scripting.rb CHANGED Viewed

@@ -54,7 +54,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
       @ignore_methods << :auto_link
     end
-    if tracker.config[:rails3]
+    if tracker.options[:rails3]
       @ignore_methods << :select
     end

data/lib/brakeman/processors/base_processor.rb CHANGED Viewed

@@ -24,6 +24,22 @@ class Brakeman::BaseProcessor < SexpProcessor
     @current_template = @current_module = @current_class = @current_method = nil
   end
+  def process_class exp
+    current_class = @current_class
+    @current_class = class_name exp[1]
+    process exp[3]
+    @current_class = current_class
+    exp
+  end
+  def process_module exp
+    current_module = @current_module
+    @current_module = class_name exp[1]
+    process exp[2]
+    @current_module = current_module
+    exp
+  end
   #Process a new scope. Removes expressions that are set to nil.
   def process_scope exp
     exp = exp.dup
@@ -219,8 +235,13 @@ class Brakeman::BaseProcessor < SexpProcessor
     #Look for render :action, ... or render "action", ...
     if string? args[1] or symbol? args[1]
-      type = :action
-      value = args[1]
+      if @current_template and @tracker.options[:rails3]
+        type = :partial
+        value = args[1]
+      else
+        type = :action
+        value = args[1]
+      end
     elsif args[1].is_a? Symbol or args[1].is_a? String
       type = :action
       value = Sexp.new(:lit, args[1].to_sym)

data/lib/brakeman/processors/controller_processor.rb CHANGED Viewed

@@ -28,7 +28,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     name = class_name(exp[1])
     if @current_module
-      name = (@current_module + "::" + name.to_s).to_sym
+      name = (@current_module.to_s + "::" + name.to_s).to_sym
     end
     @controller = { :name => name,
                     :parent => class_name(exp[2]),

data/lib/brakeman/processors/lib/find_call.rb CHANGED Viewed

@@ -96,7 +96,7 @@ class Brakeman::FindCall < Brakeman::BaseProcessor
       if @current_template
         @calls << Sexp.new(:result, @current_template, exp).line(exp.line)
       else
-        @calls << Sexp.new(:result, @current_class, @current_method, exp).line(exp.line)
+        @calls << Sexp.new(:result, @current_module, @current_class, @current_method, exp).line(exp.line)
       end
     end

data/lib/brakeman/processors/lib/render_helper.rb CHANGED Viewed

@@ -49,6 +49,7 @@ module Brakeman::RenderHelper
   #Processes a template, adding any instance variables
   #to its environment.
   def process_template name, args, called_from = nil
+    Brakeman.debug "Rendering #{name} (#{called_from})"
     #Get scanned source for this template
     name = name.to_s.gsub(/^\//, "")
     template = @tracker.templates[name.to_sym]

data/lib/brakeman/scanner.rb CHANGED Viewed

@@ -229,6 +229,7 @@ class Brakeman::Scanner
     Brakeman.notify "Processing data flow in controllers..."
     tracker.controllers.each do |name, controller|
+      Brakeman.debug "Processing #{name}"
       if @report_progress
         $stderr.print " #{current}/#{total} controllers processed\r"
         current += 1
@@ -266,6 +267,7 @@ class Brakeman::Scanner
     total = template_files.length
     template_files.each do |path|
+      Brakeman.debug "Processing #{path}"
       if @report_progress
         $stderr.print " #{count}/#{total} files processed\r"
         count += 1
@@ -280,6 +282,7 @@ class Brakeman::Scanner
     Brakeman.notify "Processing data flow in templates..."
     tracker.templates.keys.dup.each do |name|
+      Brakeman.debug "Processing #{name}"
       if @report_progress
         count += 1
         $stderr.print " #{count}/#{total} templates processed\r"
@@ -352,6 +355,7 @@ class Brakeman::Scanner
     current = 0
     model_files.each do |f|
+      Brakeman.debug "Processing #{f}"
       if @report_progress
         $stderr.print " #{current}/#{total} files processed\r"
         current += 1
@@ -448,11 +452,6 @@ class Brakeman::Rails2XSSErubis < ::Erubis::Eruby
     #src << "@output_buffer = ActiveSupport::SafeBuffer.new;"
   end
-  def add_text(src, text)
-    return if text.empty?
-    src << "@output_buffer.safe_concat('" << escape_text(text) << "');"
-  end
   #This is different from rails_xss - fixes some line number issues
   def add_text(src, text)
     if text == "\n"

data/lib/brakeman/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "1.5.0"
+  Version = "1.5.1"
 end

metadata CHANGED Viewed

@@ -1,134 +1,101 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification
 name: brakeman
-version: !ruby/object:Gem::Version
-  hash: 3
+version: !ruby/object:Gem::Version
+  version: 1.5.1
   prerelease:
-  segments:
-  - 1
-  - 5
-  - 0
-  version: 1.5.0
 platform: ruby
-authors:
+authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-03-02 00:00:00 Z
-dependencies:
-- !ruby/object:Gem::Dependency
+date: 2012-03-06 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
   name: activesupport
-  prerelease: false
-  requirement: &id001 !ruby/object:Gem::Requirement
+  requirement: &72282300 !ruby/object:Gem::Requirement
     none: false
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        hash: 3
-        segments:
-        - 0
-        version: "0"
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :runtime
-  version_requirements: *id001
-- !ruby/object:Gem::Dependency
-  name: i18n
   prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement
+  version_requirements: *72282300
+- !ruby/object:Gem::Dependency
+  name: i18n
+  requirement: &72282080 !ruby/object:Gem::Requirement
     none: false
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        hash: 3
-        segments:
-        - 0
-        version: "0"
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :runtime
-  version_requirements: *id002
-- !ruby/object:Gem::Dependency
-  name: ruby2ruby
   prerelease: false
-  requirement: &id003 !ruby/object:Gem::Requirement
+  version_requirements: *72282080
+- !ruby/object:Gem::Dependency
+  name: ruby2ruby
+  requirement: &72281550 !ruby/object:Gem::Requirement
     none: false
-    requirements:
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        hash: 11
-        segments:
-        - 1
-        - 2
-        version: "1.2"
+      - !ruby/object:Gem::Version
+        version: '1.2'
   type: :runtime
-  version_requirements: *id003
-- !ruby/object:Gem::Dependency
-  name: ruport
   prerelease: false
-  requirement: &id004 !ruby/object:Gem::Requirement
+  version_requirements: *72281550
+- !ruby/object:Gem::Dependency
+  name: ruport
+  requirement: &72280450 !ruby/object:Gem::Requirement
     none: false
-    requirements:
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        hash: 3
-        segments:
-        - 1
-        - 6
-        version: "1.6"
+      - !ruby/object:Gem::Version
+        version: '1.6'
   type: :runtime
-  version_requirements: *id004
-- !ruby/object:Gem::Dependency
-  name: erubis
   prerelease: false
-  requirement: &id005 !ruby/object:Gem::Requirement
+  version_requirements: *72280450
+- !ruby/object:Gem::Dependency
+  name: erubis
+  requirement: &72280190 !ruby/object:Gem::Requirement
     none: false
-    requirements:
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        hash: 15
-        segments:
-        - 2
-        - 6
-        version: "2.6"
+      - !ruby/object:Gem::Version
+        version: '2.6'
   type: :runtime
-  version_requirements: *id005
-- !ruby/object:Gem::Dependency
-  name: haml
   prerelease: false
-  requirement: &id006 !ruby/object:Gem::Requirement
+  version_requirements: *72280190
+- !ruby/object:Gem::Dependency
+  name: haml
+  requirement: &72279750 !ruby/object:Gem::Requirement
     none: false
-    requirements:
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        hash: 7
-        segments:
-        - 3
-        - 0
-        version: "3.0"
+      - !ruby/object:Gem::Version
+        version: '3.0'
   type: :runtime
-  version_requirements: *id006
-- !ruby/object:Gem::Dependency
-  name: sass
   prerelease: false
-  requirement: &id007 !ruby/object:Gem::Requirement
+  version_requirements: *72279750
+- !ruby/object:Gem::Dependency
+  name: sass
+  requirement: &72279400 !ruby/object:Gem::Requirement
     none: false
-    requirements:
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        hash: 7
-        segments:
-        - 3
-        - 0
-        version: "3.0"
+      - !ruby/object:Gem::Version
+        version: '3.0'
   type: :runtime
-  version_requirements: *id007
-description: Brakeman detects security vulnerabilities in Ruby on Rails applications via static analysis.
+  prerelease: false
+  version_requirements: *72279400
+description: Brakeman detects security vulnerabilities in Ruby on Rails applications
+  via static analysis.
 email:
-executables:
+executables:
 - brakeman
 extensions: []
 extra_rdoc_files: []
-files:
+files:
 - bin/brakeman
 - WARNING_TYPES
 - FEATURES
@@ -208,36 +175,26 @@ files:
 - lib/brakeman/format/style.css
 homepage: http://brakemanscanner.org
 licenses: []
 post_install_message:
 rdoc_options: []
-require_paths:
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
+required_ruby_version: !ruby/object:Gem::Requirement
   none: false
-  requirements:
-  - - ">="
-    - !ruby/object:Gem::Version
-      hash: 3
-      segments:
-      - 0
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
-  requirements:
-  - - ">="
-    - !ruby/object:Gem::Version
-      hash: 3
-      segments:
-      - 0
-      version: "0"
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
 rubyforge_project:
 rubygems_version: 1.8.15
 signing_key:
 specification_version: 3
 summary: Security vulnerability scanner for Ruby on Rails.
 test_files: []