brakeman 1.9.4 → 1.9.5
- checksums.yaml +4 -4
- data/CHANGES +15 -0
- data/README.md +6 -0
- data/lib/brakeman.rb +7 -2
- data/lib/brakeman/checks/check_link_to.rb +59 -67
- data/lib/brakeman/checks/check_mass_assignment.rb +5 -1
- data/lib/brakeman/checks/check_session_settings.rb +18 -7
- data/lib/brakeman/checks/check_symbol_dos.rb +50 -3
- data/lib/brakeman/processors/alias_processor.rb +116 -42
- data/lib/brakeman/processors/controller_processor.rb +5 -0
- data/lib/brakeman/processors/erb_template_processor.rb +2 -1
- data/lib/brakeman/processors/erubis_template_processor.rb +2 -1
- data/lib/brakeman/processors/haml_template_processor.rb +2 -1
- data/lib/brakeman/processors/lib/find_all_calls.rb +17 -0
- data/lib/brakeman/processors/lib/find_return_value.rb +3 -3
- data/lib/brakeman/processors/lib/render_helper.rb +1 -1
- data/lib/brakeman/processors/slim_template_processor.rb +1 -1
- data/lib/brakeman/processors/template_processor.rb +1 -1
- data/lib/brakeman/report.rb +60 -151
- data/lib/brakeman/report/initializers/faster_csv.rb +7 -0
- data/lib/brakeman/report/initializers/multi_json.rb +29 -0
- data/lib/brakeman/report/renderer.rb +22 -0
- data/lib/brakeman/{templates → report/templates}/controller_overview.html.erb +0 -0
- data/lib/brakeman/{templates → report/templates}/controller_warnings.html.erb +0 -0
- data/lib/brakeman/{templates → report/templates}/error_overview.html.erb +0 -0
- data/lib/brakeman/{templates → report/templates}/header.html.erb +2 -2
- data/lib/brakeman/{templates → report/templates}/model_warnings.html.erb +0 -0
- data/lib/brakeman/{templates → report/templates}/overview.html.erb +2 -2
- data/lib/brakeman/{templates → report/templates}/security_warnings.html.erb +0 -0
- data/lib/brakeman/{templates → report/templates}/template_overview.html.erb +0 -0
- data/lib/brakeman/{templates → report/templates}/view_warnings.html.erb +0 -0
- data/lib/brakeman/{templates → report/templates}/warning_overview.html.erb +0 -0
- data/lib/brakeman/scanner.rb +3 -0
- data/lib/brakeman/util.rb +6 -0
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning_codes.rb +1 -0
- data/lib/ruby_parser/bm_sexp.rb +14 -39
- metadata +17 -14
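--- /dev/null
+++ b/data/lib/brakeman/report/initializers/multi_json.rb
@@ -0,0 +1,29 @@
+#MultiJson interface changed in 1.3.0, but need
+#to support older MultiJson for Rails 3.1.
+mj_engine = nil
+
+if MultiJson.respond_to? :default_adapter
+mj_engine = MultiJson.default_adapter
+else
+mj_engine = MultiJson.default_engine
+
+module MultiJson
+def self.dump *args
+encode *args
+end
+
+def self.load *args
+decode *args
+end
+end
+end
+
+#This is so OkJson will work with symbol values
+if mj_engine == :ok_json
+class Symbol
+def to_json
+self.to_s.inspect
+end
+end
+end
+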
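Review bot: `Symbol#to_json` at line 25 returns `self.to_s.inspect`, which applies Ruby string escaping rather than JSON escaping, so a symbol whose name contains a character the two formats escape differently (`\e`, or `#{`, which `inspect` renders as `\#{`) produces invalid JSON under the ok_json adapter. The symbols written to the report presumably come from Brakeman's own constants, but if any are derived from the scanned application's source this becomes a malformed-output path; I would at least document the limit with `# NOTE: String#inspect is Ruby escaping, not JSON; only valid for identifier-like symbols` and prefer delegating to the adapter's string encoder where one exists. Reopening `Symbol` globally is also visible to any host process that loads Brakeman as a library, which deserves a comment next to the `class Symbol` line.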
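--- /dev/null
+++ b/data/lib/brakeman/report/renderer.rb
@@ -0,0 +1,22 @@
+class Brakeman::Report
+class Renderer
+def initialize(template_file, hash = {})
+hash[:locals] ||= {}
+singleton = class << self; self end
+
+hash[:locals].each do |attribute_name, attribute_value|
+singleton.send(:define_method, attribute_name) { attribute_value }
+end
+
+# There are last, so as to make overwriting these using locals impossible.
+singleton.send(:define_method, 'template_file') { template_file }
+singleton.send(:define_method, 'template') {
+File.read(File.expand_path("templates/#{template_file}.html.erb", File.dirname(__FILE__)))
+}
+end
+
+def render
+ERB.new(template).result(binding)
+end
+end
+end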
File without changes
|
File without changes
|
File without changes
|
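--- a/data/lib/brakeman/templates/header.html.erb
+++ b/data/lib/brakeman/report/templates/header.html.erb
@@ -11,7 +11,7 @@
 elem.style.display = "block";
 else
 elem.style.display = "none";
-
+
 elem.parentNode.scrollIntoView();
 }
 </script>
@@ -33,7 +33,7 @@
 <tr>
 <td><%= File.expand_path tracker.options[:app_path] %></td>
 <td><%= rails_version %></td>
-<td><%=
+<td><%= brakeman_version %>
 <td>
 <%= tracker.start_time %><br><br>
 <%= tracker.duration %> seconds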
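Review bot: Line 36 opens a `<td>` for `brakeman_version` but never closes it before the `<td>` on line 37, so the cell relies on the browser's implicit end-tag handling; it should read `<td><%= brakeman_version %></td>`. The neighbouring `<%= File.expand_path tracker.options[:app_path] %>` on line 34 is emitted unescaped; the path comes from Brakeman's own options rather than from the scanned source, so this is presumably safe, but a comment saying so would make the trust boundary explicit.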
File without changes
|
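--- a/data/lib/brakeman/templates/overview.html.erb
+++ b/data/lib/brakeman/report/templates/overview.html.erb
@@ -1,4 +1,4 @@
-<h2 id='summary'>Summary</h2>
+<h2 id='summary'>Summary</h2>
 <table>
 <tr>
 <th>Scanned/Reported</th>
@@ -14,7 +14,7 @@
 </tr>
 <tr>
 <td>Templates</td>
-<td><%= number_of_templates
+<td><%= number_of_templates %></td>
 </tr>
 <tr>
 <td>Errors</td>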
File without changes
|
File without changes
|
File without changes
|
File without changes
|
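--- a/data/lib/brakeman/scanner.rb
+++ b/data/lib/brakeman/scanner.rb
@@ -39,6 +39,9 @@ class Brakeman::Scanner
 if @app_tree.exists?("script/rails")
 options[:rails3] = true
 Brakeman.notify "[Notice] Detected Rails 3 application"
+elsif not @app_tree.exists?("script")
+options[:rails3] = true # Probably need to do some refactoring
+Brakeman.notify "[Notice] Detected Rails 4 application"
 end
 
 @ruby_parser = ::RubyParser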
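Review bot: The new `elsif not @app_tree.exists?("script")` branch on line 42 classifies any tree that lacks a `script` directory as a Rails 4 application, which also matches a Rails 2/3 app with that directory removed or a non-Rails project, and it then prints a "Rails 4" notice while setting the same `options[:rails3] = true` flag as the Rails 3 branch. A positive marker is safer, e.g. `elsif @app_tree.exists?("bin/rails")` (Rails 4 generates `bin/rails`), and the trailing comment should say what the flag means rather than deferring: `# Rails 4 is treated as Rails 3 for now; checks gated on :rails3 apply`. Since version detection decides which checks run (presumably including the mass-assignment check touched in this release), a misdetected app silently changes the findings. The enclosing method starts and ends outside the hunk.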
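--- a/data/lib/brakeman/util.rb
+++ b/data/lib/brakeman/util.rb
@@ -172,6 +172,12 @@ module Brakeman::Util
 exp.node_type == :nil)
 end
 
+#Check if _exp_ represents a block of code
+def block? exp
+exp.is_a? Sexp and (exp.node_type == :block or
+exp.node_type == :rlist)
+end
+
 #Check if _exp_ is a params hash
 def params? exp
 if exp.is_a? Sexp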
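Review bot: `block?` at lines 176-179 accepts both `:block` and `:rlist` nodes, but its comment only says "represents a block of code", so a reader cannot tell whether the `:rlist` case is deliberate; I would extend it to `#Check if _exp_ represents a block of code (:block) or a bare statement list (:rlist)`. The `and`/`or` chain matches the surrounding predicates in this file but only works because of the explicit parentheses around the `or` group, which is worth keeping in mind if anyone reformats it. The enclosing module continues outside the hunk.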
data/lib/brakeman/version.rb
CHANGED
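--- a/data/lib/ruby_parser/bm_sexp.rb
+++ b/data/lib/ruby_parser/bm_sexp.rb
@@ -3,6 +3,7 @@
 #of a Sexp.
 class Sexp
 attr_reader :paren
+attr_accessor :original_line
 ASSIGNMENT_BOOL = [:gasgn, :iasgn, :lasgn, :cvdecl, :cdecl, :or, :and, :colon2]
 
 def method_missing name, *args
@@ -28,10 +29,10 @@ class Sexp
 end
 
 if line
-s.original_line
+s.original_line = self.original_line || self.line
 s.line(line)
 else
-s.original_line
+s.original_line = self.original_line
 s.line(self.line)
 end
 
@@ -62,6 +63,7 @@ class Sexp
 end
 
 def node_type= type
+@my_hash_value = nil
 self[0] = type
 end
 
@@ -69,22 +71,13 @@ class Sexp
 alias :values :sexp_body # TODO: retire
 
 alias :old_push :<<
-alias :old_line :line
-alias :old_line_set :line=
-alias :old_file_set :file=
-alias :old_comments_set :comments=
 alias :old_compact :compact
 alias :old_fara :find_and_replace_all
 alias :old_find_node :find_node
 
-def
-
-
-@original_line = line
-self
-else
-@original_line ||= nil
-end
+def << arg
+@my_hash_value = nil
+old_push arg
 end
 
 def hash
@@ -95,21 +88,6 @@ class Sexp
 @my_hash_value ||= super
 end
 
-def line num = nil
-@my_hash_value = nil if num
-old_line(num)
-end
-
-def line= *args
-@my_hash_value = nil
-old_line_set(*args)
-end
-
-def file= *args
-@my_hash_value = nil
-old_file_set(*args)
-end
-
 def compact
 @my_hash_value = nil
 old_compact
@@ -125,16 +103,6 @@ class Sexp
 old_find_node(*args)
 end
 
-def paren= arg
-@my_hash_value = nil
-@paren = arg
-end
-
-def comments= *args
-@my_hash_value = nil
-old_comments_set(*args)
-end
-
 #Iterates over the Sexps in an Sexp, skipping values that are not
 #an Sexp.
 def each_sexp
@@ -163,6 +131,7 @@ class Sexp
 #Sets the target of a method call:
 def target= exp
 expect :call, :attrasgn
+@my_hash_value = nil
 self[1] = exp
 end
 
@@ -186,6 +155,7 @@ class Sexp
 #Sets the arglist in a method call.
 def arglist= exp
 expect :call, :attrasgn
+@my_hash_value = nil
 start_index = 3
 
 if exp.is_a? Sexp and exp.node_type == :arglist
@@ -271,6 +241,7 @@ class Sexp
 end
 
 def each_arg! &block
+@my_hash_value = nil
 self.each_arg true, &block
 end
 
@@ -283,6 +254,7 @@ class Sexp
 #Sets first argument of a method call.
 def first_arg= exp
 expect :call, :attrasgn
+@my_hash_value = nil
 self[3] = exp
 end
 
@@ -295,6 +267,7 @@ class Sexp
 #Sets second argument of a method call.
 def second_arg= exp
 expect :call, :attrasgn
+@my_hash_value = nil
 self[4] = exp
 end
 
@@ -305,6 +278,7 @@ class Sexp
 
 def third_arg= exp
 expect :call, :attrasgn
+@my_hash_value = nil
 self[5] = exp
 end
 
@@ -462,6 +436,7 @@ class Sexp
 #a separate Sexp, but just a list of Sexps.
 def body= exp
 expect :defn, :defs, :methdef, :selfdef, :class, :module
+@my_hash_value = nil
 
 case self.node_type
 when :defn, :methdef, :class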
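Review bot: The memoised `hash` (`@my_hash_value ||= super`, line 88) is now invalidated by `<<` (line 78) and by the setters touched in this commit, but `Array#push`, `[]=`, `concat`, `insert`, `unshift`, `pop` and the bang iterators still go straight to the Array implementation, so a Sexp mutated through any of them keeps a stale hash and silently stops matching once it has been used as a Hash or Set key. Wrapping the remaining mutators the same way, e.g. `alias :old_push_many :push` / `def push *args; @my_hash_value = nil; old_push_many(*args); end`, or dropping the memo altogether, closes the gap. Removing the `line`/`file=`/`paren=`/`comments=` invalidators is sound only because `Array#hash` ignores instance variables, which deserves a one-line comment on `hash` (`# line/file/paren are ivars and do not feed Array#hash, so only element mutation needs to reset the memo`) so the next maintainer neither reintroduces them nor assumes the cache covers metadata. The class body continues outside the hunks.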
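--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-version: 1.9.
+version: 1.9.5
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2013-
+date: 2013-04-05 00:00:00 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: ruby_parser
@@ -26,9 +26,9 @@ dependencies:
 prerelease: false
 requirement: &id002 !ruby/object:Gem::Requirement
 requirements:
-- -
+- - "="
 - !ruby/object:Gem::Version
-version:
+version: 2.0.3
 type: :runtime
 version_requirements: *id002
 - !ruby/object:Gem::Dependency
@@ -133,6 +133,19 @@ files:
 - lib/brakeman/util.rb
 - lib/brakeman/brakeman.rake
 - lib/brakeman/call_index.rb
+- lib/brakeman/report/renderer.rb
+- lib/brakeman/report/templates/controller_overview.html.erb
+- lib/brakeman/report/templates/model_warnings.html.erb
+- lib/brakeman/report/templates/template_overview.html.erb
+- lib/brakeman/report/templates/view_warnings.html.erb
+- lib/brakeman/report/templates/overview.html.erb
+- lib/brakeman/report/templates/controller_warnings.html.erb
+- lib/brakeman/report/templates/header.html.erb
+- lib/brakeman/report/templates/error_overview.html.erb
+- lib/brakeman/report/templates/security_warnings.html.erb
+- lib/brakeman/report/templates/warning_overview.html.erb
+- lib/brakeman/report/initializers/faster_csv.rb
+- lib/brakeman/report/initializers/multi_json.rb
 - lib/brakeman/tracker.rb
 - lib/brakeman/report.rb
 - lib/brakeman/scanner.rb
@@ -184,16 +197,6 @@ files:
 - lib/brakeman/checks/check_nested_attributes.rb
 - lib/brakeman/checks/check_without_protection.rb
 - lib/brakeman/checks.rb
-- lib/brakeman/templates/controller_overview.html.erb
-- lib/brakeman/templates/model_warnings.html.erb
-- lib/brakeman/templates/template_overview.html.erb
-- lib/brakeman/templates/view_warnings.html.erb
-- lib/brakeman/templates/overview.html.erb
-- lib/brakeman/templates/controller_warnings.html.erb
-- lib/brakeman/templates/header.html.erb
-- lib/brakeman/templates/error_overview.html.erb
-- lib/brakeman/templates/security_warnings.html.erb
-- lib/brakeman/templates/warning_overview.html.erb
 - lib/brakeman/processors/controller_alias_processor.rb
 - lib/brakeman/processors/lib/find_return_value.rb
 - lib/brakeman/processors/lib/route_helper.rb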