brakeman 2.1.1 → 2.1.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/CHANGES +7 -0
- data/lib/brakeman/checks/check_cross_site_scripting.rb +2 -0
- data/lib/brakeman/checks/check_model_attr_accessible.rb +4 -4
- data/lib/brakeman/options.rb +4 -0
- data/lib/brakeman/processors/haml_template_processor.rb +0 -16
- data/lib/brakeman/util.rb +3 -1
- data/lib/brakeman/version.rb +1 -1
- metadata +94 -94
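--- a/data/CHANGES
+++ b/data/CHANGES
@@ -1,3 +1,10 @@
+# 2.1.2
+
+* Do not attempt to load custom Haml filters
+* Do not warn about `to_json` XSS in Rails 4
+* Add --table-width option to set width of text reports (ssendev)
+* Remove fuzzy matching on dangerous attr_accessible values
+
 # 2.1.1
 
 * New warning code for dangerous attributes in attr_accessible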
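--- a/data/lib/brakeman/checks/check_cross_site_scripting.rb
+++ b/data/lib/brakeman/checks/check_cross_site_scripting.rb
@@ -66,6 +66,8 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
 true? tracker.config[:rails][:active_support][:escape_html_entities_in_json]
 
 json_escape_on = true
+elsif version_between? "4.0.0", "5.0.0"
+json_escape_on = true
 end
 
 if !json_escape_on or version_between? "0.0.0", "2.0.99"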
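Review bot: The new `elsif version_between? "4.0.0", "5.0.0"` branch at new line 69 forces `json_escape_on` to true for every Rails 4 application, so an app that explicitly sets `escape_html_entities_in_json` to false in its config is no longer warned about unescaped `to_json` output; the branch above it at line 66 only handles an explicit true. A guard for the explicit-false case keeps that warning, e.g. `elsif version_between?("4.0.0", "5.0.0") and not false?(tracker.config[:rails][:active_support][:escape_html_entities_in_json])`, assuming a `false?` Sexp helper is available alongside `true?` in Brakeman::Util. Whether the upper bound of `version_between?` is inclusive is not visible here, so the `"5.0.0"` bound may also need confirming. The enclosing method and the `if` that this `elsif` belongs to both start outside the hunk.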
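--- a/data/lib/brakeman/checks/check_model_attr_accessible.rb
+++ b/data/lib/brakeman/checks/check_model_attr_accessible.rb
@@ -11,9 +11,9 @@ class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
 @description = "Reports models which have dangerous attributes defined under the attr_accessible whitelist."
 
 SUSP_ATTRS = [
-[
-[
-[
+[:admin, CONFIDENCE[:high]], # Very dangerous unless some Rails authorization used
+[:role, CONFIDENCE[:med]],
+[:banned, CONFIDENCE[:med]],
 [:account_id, CONFIDENCE[:high]],
 [/\S*_id(s?)\z/, CONFIDENCE[:low]] # All other foreign keys have weak/low confidence
 ]
@@ -29,7 +29,7 @@ class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
 :file => model[:file],
 :warning_type => "Mass Assignment",
 :warning_code => :dangerous_attr_accessible,
-:message => "Potentially dangerous attribute #{attribute} available for mass assignment
+:message => "Potentially dangerous attribute '#{attribute}' available for mass assignment",
 :confidence => confidence
 break # Prevent from matching single attr multiple times
 end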
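Review bot: `SUSP_ATTRS` at new lines 14-16 now lists bare symbols (`:admin`, `:role`, `:banned`) next to a single regex entry, and nothing in the file records that these entries are compared by exact name, so a later maintainer may not realise that attributes such as `is_admin` or `admin_level` are intentionally no longer flagged (the changelog describes this as removing fuzzy matching). A comment above the constant would capture the contract, e.g. `# Exact attribute names (plus one foreign-key pattern) that are dangerous when mass-assignable; substring matching was dropped to avoid false positives`. How the entries are matched against model attributes is outside the hunk, and the removed lines are truncated on this page, so the exact-match reading is inferred from the symbols rather than seen.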
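--- a/data/lib/brakeman/options.rb
+++ b/data/lib/brakeman/options.rb
@@ -177,6 +177,10 @@ module Brakeman::Options
 options[:message_limit] = limit.to_i
 end
 
+opts.on "--table-width WIDTH", "Limit table width in text report" do |width|
+options[:table_width] = width.to_i
+end
+
 opts.on "-o", "--output FILE", "Specify files for output. Defaults to stdout. Multiple '-o's allowed" do |file|
 options[:output_files] ||= []
 options[:output_files].push(file)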
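Review bot: `width.to_i` at new line 181 turns a non-numeric or negative `--table-width` value into 0 or a negative number without complaint, and because 0 is truthy in Ruby that value is then taken as the terminal width by `truncate_table` in util.rb (new lines 387-388 of that hunk), so a typo such as `--table-width 8O` (constructed example) yields a zero-width table rather than an error. Letting OptionParser validate the argument, `opts.on "--table-width WIDTH", Integer, "Limit table width in text report" do |width|`, raises `OptionParser::InvalidArgument` on bad input, and a follow-up `raise OptionParser::InvalidArgument, width.to_s if width <= 0` would cover the negative case. The existing `limit.to_i` at line 177 uses the same lenient style, so this may be a deliberate convention; if so, util.rb should at least fall through to terminal detection when the stored width is not positive.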
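--- a/data/lib/brakeman/processors/haml_template_processor.rb
+++ b/data/lib/brakeman/processors/haml_template_processor.rb
@@ -4,22 +4,6 @@ require 'brakeman/processors/template_processor'
 class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
 HAML_FORMAT_METHOD = /format_script_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)/
 
-def initialize *args
-super
-
-@tracker.libs.each do |name, lib|
-if name.to_s =~ /^Haml::Filters/
-begin
-require lib[:file]
-rescue Exception => e
-if @tracker.options[:debug]
-raise e
-end
-end
-end
-end
-end
-
 #Processes call, looking for template output
 def process_call exp
 target = exp.target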
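--- a/data/lib/brakeman/util.rb
+++ b/data/lib/brakeman/util.rb
@@ -384,7 +384,9 @@ module Brakeman::Util
 end
 
 def truncate_table str
-@terminal_width ||= if
+@terminal_width ||= if @tracker.options[:table_width]
+@tracker.options[:table_width]
+elsif $stdin && $stdin.tty?
 Brakeman.load_brakeman_dependency 'highline'
 ::HighLine.new.terminal_size[0]
 else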
data/lib/brakeman/version.rb
CHANGED
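--- a/metadata
+++ b/metadata
@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-hash:
+hash: 15
 prerelease:
 segments:
 - 2
 - 1
--
-version: 2.1.
+- 2
+version: 2.1.2
 platform: ruby
 authors:
 - Justin Collins
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2013-
+date: 2013-09-18 00:00:00 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: ruby_parser
@@ -199,121 +199,121 @@ files:
 - WARNING_TYPES
 - FEATURES
 - README.md
-- lib/brakeman/
+- lib/brakeman/version.rb
+- lib/brakeman/differ.rb
+- lib/brakeman/util.rb
 - lib/brakeman/brakeman.rake
 - lib/brakeman/call_index.rb
-- lib/brakeman/
+- lib/brakeman/report/report_json.rb
+- lib/brakeman/report/report_hash.rb
+- lib/brakeman/report/report_base.rb
+- lib/brakeman/report/report_tabs.rb
+- lib/brakeman/report/report_html.rb
+- lib/brakeman/report/report_table.rb
+- lib/brakeman/report/renderer.rb
+- lib/brakeman/report/templates/controller_overview.html.erb
+- lib/brakeman/report/templates/model_warnings.html.erb
+- lib/brakeman/report/templates/template_overview.html.erb
+- lib/brakeman/report/templates/view_warnings.html.erb
+- lib/brakeman/report/templates/overview.html.erb
+- lib/brakeman/report/templates/controller_warnings.html.erb
+- lib/brakeman/report/templates/header.html.erb
+- lib/brakeman/report/templates/error_overview.html.erb
+- lib/brakeman/report/templates/security_warnings.html.erb
+- lib/brakeman/report/templates/warning_overview.html.erb
+- lib/brakeman/report/templates/ignored_warnings.html.erb
+- lib/brakeman/report/report_csv.rb
+- lib/brakeman/report/initializers/faster_csv.rb
+- lib/brakeman/report/initializers/multi_json.rb
+- lib/brakeman/report/ignore/interactive.rb
+- lib/brakeman/report/ignore/config.rb
+- lib/brakeman/tracker.rb
+- lib/brakeman/report.rb
+- lib/brakeman/scanner.rb
+- lib/brakeman/processor.rb
+- lib/brakeman/format/style.css
+- lib/brakeman/warning_codes.rb
+- lib/brakeman/app_tree.rb
+- lib/brakeman/checks/check_select_vulnerability.rb
+- lib/brakeman/checks/check_escape_function.rb
+- lib/brakeman/checks/check_single_quotes.rb
+- lib/brakeman/checks/check_model_serialize.rb
 - lib/brakeman/checks/check_basic_auth.rb
+- lib/brakeman/checks/check_safe_buffer_manipulation.rb
+- lib/brakeman/checks/check_forgery_setting.rb
+- lib/brakeman/checks/check_session_settings.rb
+- lib/brakeman/checks/check_model_attributes.rb
+- lib/brakeman/checks/check_redirect.rb
+- lib/brakeman/checks/check_yaml_parsing.rb
+- lib/brakeman/checks/check_skip_before_filter.rb
+- lib/brakeman/checks/check_response_splitting.rb
+- lib/brakeman/checks/check_mail_to.rb
 - lib/brakeman/checks/check_content_tag.rb
-- lib/brakeman/checks/
-- lib/brakeman/checks/
+- lib/brakeman/checks/check_unsafe_reflection.rb
+- lib/brakeman/checks/check_sql.rb
+- lib/brakeman/checks/check_select_tag.rb
+- lib/brakeman/checks/check_model_attr_accessible.rb
+- lib/brakeman/checks/check_mass_assignment.rb
+- lib/brakeman/checks/check_link_to_href.rb
+- lib/brakeman/checks/check_filter_skipping.rb
+- lib/brakeman/checks/check_symbol_dos.rb
+- lib/brakeman/checks/check_sanitize_methods.rb
+- lib/brakeman/checks/check_file_access.rb
 - lib/brakeman/checks/check_deserialize.rb
-- lib/brakeman/checks/
-- lib/brakeman/checks/
+- lib/brakeman/checks/base_check.rb
+- lib/brakeman/checks/check_validation_regex.rb
 - lib/brakeman/checks/check_evaluation.rb
+- lib/brakeman/checks/check_digest_dos.rb
+- lib/brakeman/checks/check_render.rb
+- lib/brakeman/checks/check_send_file.rb
+- lib/brakeman/checks/check_json_parsing.rb
 - lib/brakeman/checks/check_execute.rb
-- lib/brakeman/checks/
-- lib/brakeman/checks/check_filter_skipping.rb
-- lib/brakeman/checks/check_forgery_setting.rb
+- lib/brakeman/checks/check_translate_bug.rb
 - lib/brakeman/checks/check_jruby_xml.rb
-- lib/brakeman/checks/
+- lib/brakeman/checks/check_default_routes.rb
 - lib/brakeman/checks/check_link_to.rb
-- lib/brakeman/checks/check_link_to_href.rb
-- lib/brakeman/checks/check_mail_to.rb
-- lib/brakeman/checks/check_mass_assignment.rb
-- lib/brakeman/checks/check_model_attr_accessible.rb
-- lib/brakeman/checks/check_model_attributes.rb
-- lib/brakeman/checks/check_model_serialize.rb
-- lib/brakeman/checks/check_nested_attributes.rb
 - lib/brakeman/checks/check_quote_table_name.rb
-- lib/brakeman/checks/check_redirect.rb
-- lib/brakeman/checks/check_render.rb
-- lib/brakeman/checks/check_response_splitting.rb
-- lib/brakeman/checks/check_safe_buffer_manipulation.rb
-- lib/brakeman/checks/check_sanitize_methods.rb
-- lib/brakeman/checks/check_select_tag.rb
-- lib/brakeman/checks/check_select_vulnerability.rb
 - lib/brakeman/checks/check_send.rb
-- lib/brakeman/checks/
-- lib/brakeman/checks/check_session_settings.rb
-- lib/brakeman/checks/check_single_quotes.rb
-- lib/brakeman/checks/check_skip_before_filter.rb
-- lib/brakeman/checks/check_sql.rb
+- lib/brakeman/checks/check_cross_site_scripting.rb
 - lib/brakeman/checks/check_strip_tags.rb
-- lib/brakeman/checks/
-- lib/brakeman/checks/check_translate_bug.rb
-- lib/brakeman/checks/check_unsafe_reflection.rb
-- lib/brakeman/checks/check_validation_regex.rb
+- lib/brakeman/checks/check_nested_attributes.rb
 - lib/brakeman/checks/check_without_protection.rb
-- lib/brakeman/checks/check_yaml_parsing.rb
 - lib/brakeman/checks.rb
-- lib/brakeman/differ.rb
-- lib/brakeman/format/style.css
-- lib/brakeman/options.rb
-- lib/brakeman/parsers/rails2_erubis.rb
-- lib/brakeman/parsers/rails2_xss_plugin_erubis.rb
-- lib/brakeman/parsers/rails3_erubis.rb
-- lib/brakeman/processor.rb
-- lib/brakeman/processors/alias_processor.rb
-- lib/brakeman/processors/base_processor.rb
-- lib/brakeman/processors/config_processor.rb
 - lib/brakeman/processors/controller_alias_processor.rb
-- lib/brakeman/processors/controller_processor.rb
-- lib/brakeman/processors/erb_template_processor.rb
-- lib/brakeman/processors/erubis_template_processor.rb
-- lib/brakeman/processors/gem_processor.rb
-- lib/brakeman/processors/haml_template_processor.rb
-- lib/brakeman/processors/lib/find_all_calls.rb
-- lib/brakeman/processors/lib/find_call.rb
 - lib/brakeman/processors/lib/find_return_value.rb
-- lib/brakeman/processors/lib/
-- lib/brakeman/processors/lib/rails2_config_processor.rb
+- lib/brakeman/processors/lib/route_helper.rb
 - lib/brakeman/processors/lib/rails2_route_processor.rb
-- lib/brakeman/processors/lib/rails3_config_processor.rb
-- lib/brakeman/processors/lib/rails3_route_processor.rb
 - lib/brakeman/processors/lib/render_helper.rb
-- lib/brakeman/processors/lib/
-- lib/brakeman/processors/
+- lib/brakeman/processors/lib/rails2_config_processor.rb
+- lib/brakeman/processors/lib/rails3_route_processor.rb
+- lib/brakeman/processors/lib/processor_helper.rb
+- lib/brakeman/processors/lib/rails3_config_processor.rb
+- lib/brakeman/processors/lib/find_all_calls.rb
+- lib/brakeman/processors/lib/find_call.rb
+- lib/brakeman/processors/template_alias_processor.rb
 - lib/brakeman/processors/model_processor.rb
 - lib/brakeman/processors/output_processor.rb
+- lib/brakeman/processors/library_processor.rb
+- lib/brakeman/processors/erb_template_processor.rb
+- lib/brakeman/processors/template_processor.rb
+- lib/brakeman/processors/alias_processor.rb
+- lib/brakeman/processors/config_processor.rb
+- lib/brakeman/processors/gem_processor.rb
+- lib/brakeman/processors/erubis_template_processor.rb
 - lib/brakeman/processors/route_processor.rb
+- lib/brakeman/processors/controller_processor.rb
 - lib/brakeman/processors/slim_template_processor.rb
-- lib/brakeman/processors/
-- lib/brakeman/processors/
-- lib/brakeman/report/ignore/config.rb
-- lib/brakeman/report/ignore/interactive.rb
-- lib/brakeman/report/initializers/faster_csv.rb
-- lib/brakeman/report/initializers/multi_json.rb
-- lib/brakeman/report/renderer.rb
-- lib/brakeman/report/report_base.rb
-- lib/brakeman/report/report_csv.rb
-- lib/brakeman/report/report_hash.rb
-- lib/brakeman/report/report_html.rb
-- lib/brakeman/report/report_json.rb
-- lib/brakeman/report/report_table.rb
-- lib/brakeman/report/report_tabs.rb
-- lib/brakeman/report/templates/controller_overview.html.erb
-- lib/brakeman/report/templates/controller_warnings.html.erb
-- lib/brakeman/report/templates/error_overview.html.erb
-- lib/brakeman/report/templates/header.html.erb
-- lib/brakeman/report/templates/ignored_warnings.html.erb
-- lib/brakeman/report/templates/model_warnings.html.erb
-- lib/brakeman/report/templates/overview.html.erb
-- lib/brakeman/report/templates/security_warnings.html.erb
-- lib/brakeman/report/templates/template_overview.html.erb
-- lib/brakeman/report/templates/view_warnings.html.erb
-- lib/brakeman/report/templates/warning_overview.html.erb
-- lib/brakeman/report.rb
-- lib/brakeman/rescanner.rb
-- lib/brakeman/scanner.rb
-- lib/brakeman/tracker.rb
-- lib/brakeman/util.rb
-- lib/brakeman/version.rb
+- lib/brakeman/processors/haml_template_processor.rb
+- lib/brakeman/processors/base_processor.rb
 - lib/brakeman/warning.rb
-- lib/brakeman/
-- lib/brakeman.rb
+- lib/brakeman/options.rb
+- lib/brakeman/rescanner.rb
+- lib/brakeman/parsers/rails2_erubis.rb
+- lib/brakeman/parsers/rails3_erubis.rb
+- lib/brakeman/parsers/rails2_xss_plugin_erubis.rb
 - lib/ruby_parser/bm_sexp.rb
 - lib/ruby_parser/bm_sexp_processor.rb
+- lib/brakeman.rb
 homepage: http://brakemanscanner.org
 licenses:
 - MIT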