RubyGems - brakeman - Versions diffs - 1.5.0 → 1.5.1 - Mend

brakeman 1.5.0 → 1.5.1

Files changed (11) hide show

data/README.md +3 -2
data/bin/brakeman +3 -0
data/lib/brakeman/checks/base_check.rb +24 -4
data/lib/brakeman/checks/check_cross_site_scripting.rb +1 -1
data/lib/brakeman/processors/base_processor.rb +23 -2
data/lib/brakeman/processors/controller_processor.rb +1 -1
data/lib/brakeman/processors/lib/find_call.rb +1 -1
data/lib/brakeman/processors/lib/render_helper.rb +1 -0
data/lib/brakeman/scanner.rb +4 -5
data/lib/brakeman/version.rb +1 -1
metadata +72 -115

data/README.md CHANGED Viewed

@@ -39,7 +39,7 @@ To specify an output file for the results:
     brakeman -o output_file
-The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `csv`, and `tabs`.
+The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json` and `csv`.
 To suppress informational warnings and just output the report:
@@ -103,7 +103,7 @@ Brakeman will raise warnings on models that use `attr_protected`. To suppress th
 # Warning information
-See WARNING_TYPES for more information on the warnings reported by this tool.
+See WARNING\_TYPES for more information on the warnings reported by this tool.
 # Warning context
@@ -140,6 +140,7 @@ The `-c` option can be used to specify a configuration file to use.
 The MIT License
 Copyright (c) 2010-2012, YELLOWPAGES.COM, LLC
 Copyright (c) 2012, Twitter, Inc.
 Permission is hereby granted, free of charge, to any person obtaining a copy

data/bin/brakeman CHANGED Viewed

@@ -8,6 +8,9 @@ require 'brakeman/version'
 trap("INT") do
   $stderr.puts "\nInterrupted - exiting."
+  if RUBY_VERSION.include? "1.9"
+    $stderr.puts Thread.current.backtrace
+  end
   exit!
 end

data/lib/brakeman/checks/base_check.rb CHANGED Viewed

@@ -21,6 +21,7 @@ class Brakeman::BaseCheck < SexpProcessor
     @string_interp = false
     @current_set = nil
     @current_template = @current_module = @current_class = @current_method = nil
+    @mass_assign_disabled = nil
     self.strict = false
     self.auto_shift_type = false
     self.require_empty = false
@@ -119,23 +120,42 @@ class Brakeman::BaseCheck < SexpProcessor
   #Checks if mass assignment is disabled globally in an initializer.
   def mass_assign_disabled?
+    return @mass_assign_disabled unless @mass_assign_disabled.nil?
+    @mass_assign_disabled = false
     if version_between?("3.1.0", "4.0.0") and
       tracker.config[:rails][:active_record] and
       tracker.config[:rails][:active_record][:whitelist_attributes] == Sexp.new(:true)
-      return true
+      @mass_assign_disabled = true
     else
       matches = tracker.check_initializers(:"ActiveRecord::Base", :send)
       if matches.empty?
-        false
+        matches = tracker.check_initializers([], :attr_accessible)
+        matches.each do |result|
+          if result[1] == :ActiveRecord and result[2] == :Base
+            arg = result[-1][3][1]
+            if arg.nil? or node_type? arg, :nil
+              @mass_assign_disabled = true
+              break
+            end
+          end
+        end
       else
         matches.each do |result|
-          if result[3][3] == Sexp.new(:arg_list, Sexp.new(:lit, :attr_accessible), Sexp.new(:nil))
-            return true
+          if result[-1][3] == Sexp.new(:arglist, Sexp.new(:lit, :attr_accessible), Sexp.new(:nil))
+            @mass_assign_disabled = true
+            break
           end
         end
       end
     end
+    @mass_assign_disabled
   end
   #This is to avoid reporting duplicates. Checks if the result has been

data/lib/brakeman/checks/check_cross_site_scripting.rb CHANGED Viewed

@@ -54,7 +54,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
       @ignore_methods << :auto_link
     end
-    if tracker.config[:rails3]
+    if tracker.options[:rails3]
       @ignore_methods << :select
     end

data/lib/brakeman/processors/base_processor.rb CHANGED Viewed

@@ -24,6 +24,22 @@ class Brakeman::BaseProcessor < SexpProcessor
     @current_template = @current_module = @current_class = @current_method = nil
   end
+  def process_class exp
+    current_class = @current_class
+    @current_class = class_name exp[1]
+    process exp[3]
+    @current_class = current_class
+    exp
+  end
+  def process_module exp
+    current_module = @current_module
+    @current_module = class_name exp[1]
+    process exp[2]
+    @current_module = current_module
+    exp
+  end
   #Process a new scope. Removes expressions that are set to nil.
   def process_scope exp
     exp = exp.dup
@@ -219,8 +235,13 @@ class Brakeman::BaseProcessor < SexpProcessor
     #Look for render :action, ... or render "action", ...
     if string? args[1] or symbol? args[1]
-      type = :action
-      value = args[1]
+      if @current_template and @tracker.options[:rails3]
+        type = :partial
+        value = args[1]
+      else
+        type = :action
+        value = args[1]
+      end
     elsif args[1].is_a? Symbol or args[1].is_a? String
       type = :action
       value = Sexp.new(:lit, args[1].to_sym)

data/lib/brakeman/processors/controller_processor.rb CHANGED Viewed

@@ -28,7 +28,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     name = class_name(exp[1])
     if @current_module
-      name = (@current_module + "::" + name.to_s).to_sym
+      name = (@current_module.to_s + "::" + name.to_s).to_sym
     end
     @controller = { :name => name,
                     :parent => class_name(exp[2]),

data/lib/brakeman/processors/lib/find_call.rb CHANGED Viewed

@@ -96,7 +96,7 @@ class Brakeman::FindCall < Brakeman::BaseProcessor
       if @current_template
         @calls << Sexp.new(:result, @current_template, exp).line(exp.line)
       else
-        @calls << Sexp.new(:result, @current_class, @current_method, exp).line(exp.line)
+        @calls << Sexp.new(:result, @current_module, @current_class, @current_method, exp).line(exp.line)
       end
     end

data/lib/brakeman/processors/lib/render_helper.rb CHANGED Viewed

@@ -49,6 +49,7 @@ module Brakeman::RenderHelper
   #Processes a template, adding any instance variables
   #to its environment.
   def process_template name, args, called_from = nil
+    Brakeman.debug "Rendering #{name} (#{called_from})"
     #Get scanned source for this template
     name = name.to_s.gsub(/^\//, "")
     template = @tracker.templates[name.to_sym]

data/lib/brakeman/scanner.rb CHANGED Viewed

@@ -229,6 +229,7 @@ class Brakeman::Scanner
     Brakeman.notify "Processing data flow in controllers..."
     tracker.controllers.each do |name, controller|
+      Brakeman.debug "Processing #{name}"
       if @report_progress
         $stderr.print " #{current}/#{total} controllers processed\r"
         current += 1
@@ -266,6 +267,7 @@ class Brakeman::Scanner
     total = template_files.length
     template_files.each do |path|
+      Brakeman.debug "Processing #{path}"
       if @report_progress
         $stderr.print " #{count}/#{total} files processed\r"
         count += 1
@@ -280,6 +282,7 @@ class Brakeman::Scanner
     Brakeman.notify "Processing data flow in templates..."
     tracker.templates.keys.dup.each do |name|
+      Brakeman.debug "Processing #{name}"
       if @report_progress
         count += 1
         $stderr.print " #{count}/#{total} templates processed\r"
@@ -352,6 +355,7 @@ class Brakeman::Scanner
     current = 0
     model_files.each do |f|
+      Brakeman.debug "Processing #{f}"
       if @report_progress
         $stderr.print " #{current}/#{total} files processed\r"
         current += 1
@@ -448,11 +452,6 @@ class Brakeman::Rails2XSSErubis < ::Erubis::Eruby
     #src << "@output_buffer = ActiveSupport::SafeBuffer.new;"
   end
-  def add_text(src, text)
-    return if text.empty?
-    src << "@output_buffer.safe_concat('" << escape_text(text) << "');"
-  end
   #This is different from rails_xss - fixes some line number issues
   def add_text(src, text)
     if text == "\n"

data/lib/brakeman/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "1.5.0"
+  Version = "1.5.1"
 end

metadata CHANGED Viewed

@@ -1,134 +1,101 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification
 name: brakeman
-version: !ruby/object:Gem::Version
-  hash: 3
+version: !ruby/object:Gem::Version
+  version: 1.5.1
   prerelease:
-  segments:
-  - 1
-  - 5
-  - 0
-  version: 1.5.0
 platform: ruby
-authors:
+authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-03-02 00:00:00 Z
-dependencies:
-- !ruby/object:Gem::Dependency
+date: 2012-03-06 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
   name: activesupport
-  prerelease: false
-  requirement: &id001 !ruby/object:Gem::Requirement
+  requirement: &72282300 !ruby/object:Gem::Requirement
     none: false
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        hash: 3
-        segments:
-        - 0
-        version: "0"
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :runtime
-  version_requirements: *id001
-- !ruby/object:Gem::Dependency
-  name: i18n
   prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement
+  version_requirements: *72282300
+- !ruby/object:Gem::Dependency
+  name: i18n
+  requirement: &72282080 !ruby/object:Gem::Requirement
     none: false
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        hash: 3
-        segments:
-        - 0
-        version: "0"
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :runtime
-  version_requirements: *id002
-- !ruby/object:Gem::Dependency
-  name: ruby2ruby
   prerelease: false
-  requirement: &id003 !ruby/object:Gem::Requirement
+  version_requirements: *72282080
+- !ruby/object:Gem::Dependency
+  name: ruby2ruby
+  requirement: &72281550 !ruby/object:Gem::Requirement
     none: false
-    requirements:
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        hash: 11
-        segments:
-        - 1
-        - 2
-        version: "1.2"
+      - !ruby/object:Gem::Version
+        version: '1.2'
   type: :runtime
-  version_requirements: *id003
-- !ruby/object:Gem::Dependency
-  name: ruport
   prerelease: false
-  requirement: &id004 !ruby/object:Gem::Requirement
+  version_requirements: *72281550
+- !ruby/object:Gem::Dependency
+  name: ruport
+  requirement: &72280450 !ruby/object:Gem::Requirement
     none: false
-    requirements:
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        hash: 3
-        segments:
-        - 1
-        - 6
-        version: "1.6"
+      - !ruby/object:Gem::Version
+        version: '1.6'
   type: :runtime
-  version_requirements: *id004
-- !ruby/object:Gem::Dependency
-  name: erubis
   prerelease: false
-  requirement: &id005 !ruby/object:Gem::Requirement
+  version_requirements: *72280450
+- !ruby/object:Gem::Dependency
+  name: erubis
+  requirement: &72280190 !ruby/object:Gem::Requirement
     none: false
-    requirements:
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        hash: 15
-        segments:
-        - 2
-        - 6
-        version: "2.6"
+      - !ruby/object:Gem::Version
+        version: '2.6'
   type: :runtime
-  version_requirements: *id005
-- !ruby/object:Gem::Dependency
-  name: haml
   prerelease: false
-  requirement: &id006 !ruby/object:Gem::Requirement
+  version_requirements: *72280190
+- !ruby/object:Gem::Dependency
+  name: haml
+  requirement: &72279750 !ruby/object:Gem::Requirement
     none: false
-    requirements:
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        hash: 7
-        segments:
-        - 3
-        - 0
-        version: "3.0"
+      - !ruby/object:Gem::Version
+        version: '3.0'
   type: :runtime
-  version_requirements: *id006
-- !ruby/object:Gem::Dependency
-  name: sass
   prerelease: false
-  requirement: &id007 !ruby/object:Gem::Requirement
+  version_requirements: *72279750
+- !ruby/object:Gem::Dependency
+  name: sass
+  requirement: &72279400 !ruby/object:Gem::Requirement
     none: false
-    requirements:
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        hash: 7
-        segments:
-        - 3
-        - 0
-        version: "3.0"
+      - !ruby/object:Gem::Version
+        version: '3.0'
   type: :runtime
-  version_requirements: *id007
-description: Brakeman detects security vulnerabilities in Ruby on Rails applications via static analysis.
+  prerelease: false
+  version_requirements: *72279400
+description: Brakeman detects security vulnerabilities in Ruby on Rails applications
+  via static analysis.
 email:
-executables:
+executables:
 - brakeman
 extensions: []
 extra_rdoc_files: []
-files:
+files:
 - bin/brakeman
 - WARNING_TYPES
 - FEATURES
@@ -208,36 +175,26 @@ files:
 - lib/brakeman/format/style.css
 homepage: http://brakemanscanner.org
 licenses: []
 post_install_message:
 rdoc_options: []
-require_paths:
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
+required_ruby_version: !ruby/object:Gem::Requirement
   none: false
-  requirements:
-  - - ">="
-    - !ruby/object:Gem::Version
-      hash: 3
-      segments:
-      - 0
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
-  requirements:
-  - - ">="
-    - !ruby/object:Gem::Version
-      hash: 3
-      segments:
-      - 0
-      version: "0"
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
 rubyforge_project:
 rubygems_version: 1.8.15
 signing_key:
 specification_version: 3
 summary: Security vulnerability scanner for Ruby on Rails.
 test_files: []