brakeman 2.1.1 → 2.1.2

data/CHANGES

@@ -1,3 +1,10 @@
+# 2.1.2
+
+ * Do not attempt to load custom Haml filters
+ * Do not warn about `to_json` XSS in Rails 4
+ * Add --table-width option to set width of text reports (ssendev)
+ * Remove fuzzy matching on dangerous attr_accessible values
+
 # 2.1.1
 
  * New warning code for dangerous attributes in attr_accessible

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -66,6 +66,8 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
       true? tracker.config[:rails][:active_support][:escape_html_entities_in_json]
 
         json_escape_on = true
+    elsif version_between? "4.0.0", "5.0.0"
+      json_escape_on = true
     end
 
     if !json_escape_on or version_between? "0.0.0", "2.0.99"

data/lib/brakeman/checks/check_model_attr_accessible.rb

@@ -11,9 +11,9 @@ class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
   @description = "Reports models which have dangerous attributes defined under the attr_accessible whitelist."
 
   SUSP_ATTRS = [
-    [/admin/, CONFIDENCE[:high]], # Very dangerous unless some Rails authorization used
-    [/role/, CONFIDENCE[:med]],
-    [/banned/, CONFIDENCE[:med]],
+    [:admin, CONFIDENCE[:high]], # Very dangerous unless some Rails authorization used
+    [:role, CONFIDENCE[:med]],
+    [:banned, CONFIDENCE[:med]],
     [:account_id, CONFIDENCE[:high]],
     [/\S*_id(s?)\z/, CONFIDENCE[:low]] # All other foreign keys have weak/low confidence
   ]
@@ -29,7 +29,7 @@ class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
               :file => model[:file],
               :warning_type => "Mass Assignment",
               :warning_code => :dangerous_attr_accessible,
-              :message => "Potentially dangerous attribute #{attribute} available for mass assignment.",
+              :message => "Potentially dangerous attribute '#{attribute}' available for mass assignment",
               :confidence => confidence
             break # Prevent from matching single attr multiple times
           end

data/lib/brakeman/options.rb

@@ -177,6 +177,10 @@ module Brakeman::Options
           options[:message_limit] = limit.to_i
         end
 
+        opts.on "--table-width WIDTH", "Limit table width in text report" do |width|
+          options[:table_width] = width.to_i
+        end
+
         opts.on "-o", "--output FILE", "Specify files for output. Defaults to stdout. Multiple '-o's allowed" do |file|
           options[:output_files] ||= []
           options[:output_files].push(file)

data/lib/brakeman/processors/haml_template_processor.rb

@@ -4,22 +4,6 @@ require 'brakeman/processors/template_processor'
 class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
   HAML_FORMAT_METHOD = /format_script_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)/
   
-  def initialize *args
-    super
-
-    @tracker.libs.each do |name, lib|
-      if name.to_s =~ /^Haml::Filters/
-        begin
-          require lib[:file]
-        rescue Exception => e
-          if @tracker.options[:debug]
-            raise e
-          end
-        end
-      end
-    end
-  end
-
   #Processes call, looking for template output
   def process_call exp
     target = exp.target

data/lib/brakeman/util.rb

@@ -384,7 +384,9 @@ module Brakeman::Util
   end
 
   def truncate_table str
-    @terminal_width ||= if $stdin && $stdin.tty?
+    @terminal_width ||= if @tracker.options[:table_width]
+                          @tracker.options[:table_width]
+                        elsif $stdin && $stdin.tty?
                           Brakeman.load_brakeman_dependency 'highline'
                           ::HighLine.new.terminal_size[0]
                         else

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "2.1.1"
+  Version = "2.1.2"
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: brakeman
 version: !ruby/object:Gem::Version 
-  hash: 9
+  hash: 15
   prerelease: 
   segments: 
   - 2
   - 1
-  - 1
-  version: 2.1.1
+  - 2
+  version: 2.1.2
 platform: ruby
 authors: 
 - Justin Collins
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2013-08-21 00:00:00 Z
+date: 2013-09-18 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: ruby_parser
@@ -199,121 +199,121 @@ files:
 - WARNING_TYPES
 - FEATURES
 - README.md
-- lib/brakeman/app_tree.rb
+- lib/brakeman/version.rb
+- lib/brakeman/differ.rb
+- lib/brakeman/util.rb
 - lib/brakeman/brakeman.rake
 - lib/brakeman/call_index.rb
-- lib/brakeman/checks/base_check.rb
+- lib/brakeman/report/report_json.rb
+- lib/brakeman/report/report_hash.rb
+- lib/brakeman/report/report_base.rb
+- lib/brakeman/report/report_tabs.rb
+- lib/brakeman/report/report_html.rb
+- lib/brakeman/report/report_table.rb
+- lib/brakeman/report/renderer.rb
+- lib/brakeman/report/templates/controller_overview.html.erb
+- lib/brakeman/report/templates/model_warnings.html.erb
+- lib/brakeman/report/templates/template_overview.html.erb
+- lib/brakeman/report/templates/view_warnings.html.erb
+- lib/brakeman/report/templates/overview.html.erb
+- lib/brakeman/report/templates/controller_warnings.html.erb
+- lib/brakeman/report/templates/header.html.erb
+- lib/brakeman/report/templates/error_overview.html.erb
+- lib/brakeman/report/templates/security_warnings.html.erb
+- lib/brakeman/report/templates/warning_overview.html.erb
+- lib/brakeman/report/templates/ignored_warnings.html.erb
+- lib/brakeman/report/report_csv.rb
+- lib/brakeman/report/initializers/faster_csv.rb
+- lib/brakeman/report/initializers/multi_json.rb
+- lib/brakeman/report/ignore/interactive.rb
+- lib/brakeman/report/ignore/config.rb
+- lib/brakeman/tracker.rb
+- lib/brakeman/report.rb
+- lib/brakeman/scanner.rb
+- lib/brakeman/processor.rb
+- lib/brakeman/format/style.css
+- lib/brakeman/warning_codes.rb
+- lib/brakeman/app_tree.rb
+- lib/brakeman/checks/check_select_vulnerability.rb
+- lib/brakeman/checks/check_escape_function.rb
+- lib/brakeman/checks/check_single_quotes.rb
+- lib/brakeman/checks/check_model_serialize.rb
 - lib/brakeman/checks/check_basic_auth.rb
+- lib/brakeman/checks/check_safe_buffer_manipulation.rb
+- lib/brakeman/checks/check_forgery_setting.rb
+- lib/brakeman/checks/check_session_settings.rb
+- lib/brakeman/checks/check_model_attributes.rb
+- lib/brakeman/checks/check_redirect.rb
+- lib/brakeman/checks/check_yaml_parsing.rb
+- lib/brakeman/checks/check_skip_before_filter.rb
+- lib/brakeman/checks/check_response_splitting.rb
+- lib/brakeman/checks/check_mail_to.rb
 - lib/brakeman/checks/check_content_tag.rb
-- lib/brakeman/checks/check_cross_site_scripting.rb
-- lib/brakeman/checks/check_default_routes.rb
+- lib/brakeman/checks/check_unsafe_reflection.rb
+- lib/brakeman/checks/check_sql.rb
+- lib/brakeman/checks/check_select_tag.rb
+- lib/brakeman/checks/check_model_attr_accessible.rb
+- lib/brakeman/checks/check_mass_assignment.rb
+- lib/brakeman/checks/check_link_to_href.rb
+- lib/brakeman/checks/check_filter_skipping.rb
+- lib/brakeman/checks/check_symbol_dos.rb
+- lib/brakeman/checks/check_sanitize_methods.rb
+- lib/brakeman/checks/check_file_access.rb
 - lib/brakeman/checks/check_deserialize.rb
-- lib/brakeman/checks/check_digest_dos.rb
-- lib/brakeman/checks/check_escape_function.rb
+- lib/brakeman/checks/base_check.rb
+- lib/brakeman/checks/check_validation_regex.rb
 - lib/brakeman/checks/check_evaluation.rb
+- lib/brakeman/checks/check_digest_dos.rb
+- lib/brakeman/checks/check_render.rb
+- lib/brakeman/checks/check_send_file.rb
+- lib/brakeman/checks/check_json_parsing.rb
 - lib/brakeman/checks/check_execute.rb
-- lib/brakeman/checks/check_file_access.rb
-- lib/brakeman/checks/check_filter_skipping.rb
-- lib/brakeman/checks/check_forgery_setting.rb
+- lib/brakeman/checks/check_translate_bug.rb
 - lib/brakeman/checks/check_jruby_xml.rb
-- lib/brakeman/checks/check_json_parsing.rb
+- lib/brakeman/checks/check_default_routes.rb
 - lib/brakeman/checks/check_link_to.rb
-- lib/brakeman/checks/check_link_to_href.rb
-- lib/brakeman/checks/check_mail_to.rb
-- lib/brakeman/checks/check_mass_assignment.rb
-- lib/brakeman/checks/check_model_attr_accessible.rb
-- lib/brakeman/checks/check_model_attributes.rb
-- lib/brakeman/checks/check_model_serialize.rb
-- lib/brakeman/checks/check_nested_attributes.rb
 - lib/brakeman/checks/check_quote_table_name.rb
-- lib/brakeman/checks/check_redirect.rb
-- lib/brakeman/checks/check_render.rb
-- lib/brakeman/checks/check_response_splitting.rb
-- lib/brakeman/checks/check_safe_buffer_manipulation.rb
-- lib/brakeman/checks/check_sanitize_methods.rb
-- lib/brakeman/checks/check_select_tag.rb
-- lib/brakeman/checks/check_select_vulnerability.rb
 - lib/brakeman/checks/check_send.rb
-- lib/brakeman/checks/check_send_file.rb
-- lib/brakeman/checks/check_session_settings.rb
-- lib/brakeman/checks/check_single_quotes.rb
-- lib/brakeman/checks/check_skip_before_filter.rb
-- lib/brakeman/checks/check_sql.rb
+- lib/brakeman/checks/check_cross_site_scripting.rb
 - lib/brakeman/checks/check_strip_tags.rb
-- lib/brakeman/checks/check_symbol_dos.rb
-- lib/brakeman/checks/check_translate_bug.rb
-- lib/brakeman/checks/check_unsafe_reflection.rb
-- lib/brakeman/checks/check_validation_regex.rb
+- lib/brakeman/checks/check_nested_attributes.rb
 - lib/brakeman/checks/check_without_protection.rb
-- lib/brakeman/checks/check_yaml_parsing.rb
 - lib/brakeman/checks.rb
-- lib/brakeman/differ.rb
-- lib/brakeman/format/style.css
-- lib/brakeman/options.rb
-- lib/brakeman/parsers/rails2_erubis.rb
-- lib/brakeman/parsers/rails2_xss_plugin_erubis.rb
-- lib/brakeman/parsers/rails3_erubis.rb
-- lib/brakeman/processor.rb
-- lib/brakeman/processors/alias_processor.rb
-- lib/brakeman/processors/base_processor.rb
-- lib/brakeman/processors/config_processor.rb
 - lib/brakeman/processors/controller_alias_processor.rb
-- lib/brakeman/processors/controller_processor.rb
-- lib/brakeman/processors/erb_template_processor.rb
-- lib/brakeman/processors/erubis_template_processor.rb
-- lib/brakeman/processors/gem_processor.rb
-- lib/brakeman/processors/haml_template_processor.rb
-- lib/brakeman/processors/lib/find_all_calls.rb
-- lib/brakeman/processors/lib/find_call.rb
 - lib/brakeman/processors/lib/find_return_value.rb
-- lib/brakeman/processors/lib/processor_helper.rb
-- lib/brakeman/processors/lib/rails2_config_processor.rb
+- lib/brakeman/processors/lib/route_helper.rb
 - lib/brakeman/processors/lib/rails2_route_processor.rb
-- lib/brakeman/processors/lib/rails3_config_processor.rb
-- lib/brakeman/processors/lib/rails3_route_processor.rb
 - lib/brakeman/processors/lib/render_helper.rb
-- lib/brakeman/processors/lib/route_helper.rb
-- lib/brakeman/processors/library_processor.rb
+- lib/brakeman/processors/lib/rails2_config_processor.rb
+- lib/brakeman/processors/lib/rails3_route_processor.rb
+- lib/brakeman/processors/lib/processor_helper.rb
+- lib/brakeman/processors/lib/rails3_config_processor.rb
+- lib/brakeman/processors/lib/find_all_calls.rb
+- lib/brakeman/processors/lib/find_call.rb
+- lib/brakeman/processors/template_alias_processor.rb
 - lib/brakeman/processors/model_processor.rb
 - lib/brakeman/processors/output_processor.rb
+- lib/brakeman/processors/library_processor.rb
+- lib/brakeman/processors/erb_template_processor.rb
+- lib/brakeman/processors/template_processor.rb
+- lib/brakeman/processors/alias_processor.rb
+- lib/brakeman/processors/config_processor.rb
+- lib/brakeman/processors/gem_processor.rb
+- lib/brakeman/processors/erubis_template_processor.rb
 - lib/brakeman/processors/route_processor.rb
+- lib/brakeman/processors/controller_processor.rb
 - lib/brakeman/processors/slim_template_processor.rb
-- lib/brakeman/processors/template_alias_processor.rb
-- lib/brakeman/processors/template_processor.rb
-- lib/brakeman/report/ignore/config.rb
-- lib/brakeman/report/ignore/interactive.rb
-- lib/brakeman/report/initializers/faster_csv.rb
-- lib/brakeman/report/initializers/multi_json.rb
-- lib/brakeman/report/renderer.rb
-- lib/brakeman/report/report_base.rb
-- lib/brakeman/report/report_csv.rb
-- lib/brakeman/report/report_hash.rb
-- lib/brakeman/report/report_html.rb
-- lib/brakeman/report/report_json.rb
-- lib/brakeman/report/report_table.rb
-- lib/brakeman/report/report_tabs.rb
-- lib/brakeman/report/templates/controller_overview.html.erb
-- lib/brakeman/report/templates/controller_warnings.html.erb
-- lib/brakeman/report/templates/error_overview.html.erb
-- lib/brakeman/report/templates/header.html.erb
-- lib/brakeman/report/templates/ignored_warnings.html.erb
-- lib/brakeman/report/templates/model_warnings.html.erb
-- lib/brakeman/report/templates/overview.html.erb
-- lib/brakeman/report/templates/security_warnings.html.erb
-- lib/brakeman/report/templates/template_overview.html.erb
-- lib/brakeman/report/templates/view_warnings.html.erb
-- lib/brakeman/report/templates/warning_overview.html.erb
-- lib/brakeman/report.rb
-- lib/brakeman/rescanner.rb
-- lib/brakeman/scanner.rb
-- lib/brakeman/tracker.rb
-- lib/brakeman/util.rb
-- lib/brakeman/version.rb
+- lib/brakeman/processors/haml_template_processor.rb
+- lib/brakeman/processors/base_processor.rb
 - lib/brakeman/warning.rb
-- lib/brakeman/warning_codes.rb
-- lib/brakeman.rb
+- lib/brakeman/options.rb
+- lib/brakeman/rescanner.rb
+- lib/brakeman/parsers/rails2_erubis.rb
+- lib/brakeman/parsers/rails3_erubis.rb
+- lib/brakeman/parsers/rails2_xss_plugin_erubis.rb
 - lib/ruby_parser/bm_sexp.rb
 - lib/ruby_parser/bm_sexp_processor.rb
+- lib/brakeman.rb
 homepage: http://brakemanscanner.org
 licenses: 
 - MIT