RubyGems - brakeman - Versions diffs - 1.9.5 → 2.0.0.pre2 - Mend

brakeman 1.9.5 → 2.0.0.pre2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (46) hide show

checksums.yaml +4 -4
data/CHANGES +27 -0
data/README.md +5 -2
data/bin/brakeman +20 -15
data/lib/brakeman.rb +106 -80
data/lib/brakeman/app_tree.rb +22 -11
data/lib/brakeman/call_index.rb +4 -4
data/lib/brakeman/checks/base_check.rb +33 -5
data/lib/brakeman/checks/check_basic_auth.rb +2 -1
data/lib/brakeman/checks/check_content_tag.rb +8 -29
data/lib/brakeman/checks/check_cross_site_scripting.rb +10 -19
data/lib/brakeman/checks/check_deserialize.rb +57 -0
data/lib/brakeman/checks/check_execute.rb +3 -11
data/lib/brakeman/checks/check_file_access.rb +1 -14
data/lib/brakeman/checks/check_forgery_setting.rb +5 -4
data/lib/brakeman/checks/check_link_to.rb +4 -15
data/lib/brakeman/checks/check_link_to_href.rb +1 -8
data/lib/brakeman/checks/check_mass_assignment.rb +6 -2
data/lib/brakeman/checks/check_model_attributes.rb +1 -0
data/lib/brakeman/checks/check_model_serialize.rb +2 -1
data/lib/brakeman/checks/check_render.rb +2 -15
data/lib/brakeman/checks/check_select_tag.rb +1 -1
data/lib/brakeman/checks/check_select_vulnerability.rb +2 -2
data/lib/brakeman/checks/check_send.rb +3 -0
data/lib/brakeman/checks/check_session_settings.rb +2 -3
data/lib/brakeman/checks/check_skip_before_filter.rb +5 -2
data/lib/brakeman/checks/check_sql.rb +59 -50
data/lib/brakeman/checks/check_symbol_dos.rb +5 -14
data/lib/brakeman/checks/check_unsafe_reflection.rb +2 -15
data/lib/brakeman/options.rb +14 -9
data/lib/brakeman/processors/controller_alias_processor.rb +4 -10
data/lib/brakeman/processors/controller_processor.rb +53 -14
data/lib/brakeman/processors/lib/find_all_calls.rb +40 -40
data/lib/brakeman/processors/lib/processor_helper.rb +5 -1
data/lib/brakeman/processors/lib/rails3_config_processor.rb +8 -0
data/lib/brakeman/processors/output_processor.rb +23 -1
data/lib/brakeman/report.rb +28 -14
data/lib/brakeman/scanner.rb +5 -3
data/lib/brakeman/tracker.rb +7 -7
data/lib/brakeman/util.rb +5 -3
data/lib/brakeman/version.rb +1 -1
data/lib/brakeman/warning.rb +12 -9
data/lib/ruby_parser/bm_sexp.rb +5 -1
data/lib/tasks/brakeman.rake +10 -0
metadata +11 -9
data/lib/brakeman/checks/check_yaml_load.rb +0 -55

data/lib/tasks/brakeman.rake ADDED Viewed

@@ -0,0 +1,10 @@
+namespace :brakeman do
+  desc "Run Brakeman"
+  task :run, :output_files do |t, args|
+    require 'brakeman'
+    files = args[:output_files].split(' ') if args[:output_files]
+    Brakeman.run :app_path => ".", :output_files => files, :print_report => true
+  end
+end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-  version: 1.9.5
+  version: 2.0.0.pre2
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-04-05 00:00:00 Z
+date: 2013-05-16 00:00:00 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ruby_parser
@@ -26,9 +26,9 @@ dependencies:
   prerelease: false
   requirement: &id002 !ruby/object:Gem::Requirement
     requirements:
-    - - "="
+    - - ~>
       - !ruby/object:Gem::Version
-        version: 2.0.3
+        version: 2.0.5
   type: :runtime
   version_requirements: *id002
 - !ruby/object:Gem::Dependency
@@ -58,7 +58,7 @@ dependencies:
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: "1.6"
+        version: 1.6.19
   type: :runtime
   version_requirements: *id005
 - !ruby/object:Gem::Dependency
@@ -177,6 +177,7 @@ files:
 - lib/brakeman/checks/check_symbol_dos.rb
 - lib/brakeman/checks/check_sanitize_methods.rb
 - lib/brakeman/checks/check_file_access.rb
+- lib/brakeman/checks/check_deserialize.rb
 - lib/brakeman/checks/base_check.rb
 - lib/brakeman/checks/check_validation_regex.rb
 - lib/brakeman/checks/check_evaluation.rb
@@ -188,7 +189,6 @@ files:
 - lib/brakeman/checks/check_translate_bug.rb
 - lib/brakeman/checks/check_jruby_xml.rb
 - lib/brakeman/checks/check_default_routes.rb
-- lib/brakeman/checks/check_yaml_load.rb
 - lib/brakeman/checks/check_link_to.rb
 - lib/brakeman/checks/check_quote_table_name.rb
 - lib/brakeman/checks/check_send.rb
@@ -232,6 +232,7 @@ files:
 - lib/ruby_parser/bm_sexp.rb
 - lib/ruby_parser/bm_sexp_processor.rb
 - lib/brakeman.rb
+- lib/tasks/brakeman.rake
 homepage: http://brakemanscanner.org
 licenses:
 - MIT
@@ -244,13 +245,14 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - &id011
-    - ">="
+  - - ">="
     - !ruby/object:Gem::Version
       version: "0"
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - *id011
+  - - ">"
+    - !ruby/object:Gem::Version
+      version: 1.3.1
 requirements: []
 rubyforge_project:

data/lib/brakeman/checks/check_yaml_load.rb DELETED Viewed

@@ -1,55 +0,0 @@
-require 'brakeman/checks/base_check'
-#YAML.load can be used for remote code execution
-class Brakeman::CheckYAMLLoad < Brakeman::BaseCheck
-  Brakeman::Checks.add self
-  @description = "Checks for uses of YAML.load"
-  def run_check
-    yaml_methods = [:load, :load_documents, :load_stream, :parse_documents, :parse_stream]
-    tracker.find_call(:target => :YAML, :methods => yaml_methods ).each do |result|
-      check_yaml_load result
-    end
-  end
-  def check_yaml_load result
-    return if duplicate? result
-    add_result result
-    arg = result[:call].first_arg
-    method = result[:call].method
-    if input = has_immediate_user_input?(arg)
-      confidence = CONFIDENCE[:high]
-    elsif input = include_user_input?(arg)
-      confidence = CONFIDENCE[:med]
-    end
-    if confidence
-      input_type = case input.type
-                   when :params
-                     "parameter value"
-                   when :cookies
-                     "cookies value"
-                   when :request
-                     "request value"
-                   when :model
-                     "model attribute"
-                   else
-                     "user input"
-                   end
-      message = "YAML.#{method} called with #{input_type}"
-      warn :result => result,
-        :warning_type => "Remote Code Execution",
-        :warning_code => :unsafe_deserialize,
-        :message => message,
-        :user_input => input.match,
-        :confidence => confidence,
-        :link_path => "remote_code_execution_yaml_load"
-    end
-  end
-end