brakeman 2.1.1 → 2.1.2

Sign up to get free protection for your applications and to get access to all the features.
data/CHANGES CHANGED
@@ -1,3 +1,10 @@
1
+ # 2.1.2
2
+
3
+ * Do not attempt to load custom Haml filters
4
+ * Do not warn about `to_json` XSS in Rails 4
5
+ * Add --table-width option to set width of text reports (ssendev)
6
+ * Remove fuzzy matching on dangerous attr_accessible values
7
+
1
8
  # 2.1.1
2
9
 
3
10
  * New warning code for dangerous attributes in attr_accessible
@@ -66,6 +66,8 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
66
66
  true? tracker.config[:rails][:active_support][:escape_html_entities_in_json]
67
67
 
68
68
  json_escape_on = true
69
+ elsif version_between? "4.0.0", "5.0.0"
70
+ json_escape_on = true
69
71
  end
70
72
 
71
73
  if !json_escape_on or version_between? "0.0.0", "2.0.99"
@@ -11,9 +11,9 @@ class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
11
11
  @description = "Reports models which have dangerous attributes defined under the attr_accessible whitelist."
12
12
 
13
13
  SUSP_ATTRS = [
14
- [/admin/, CONFIDENCE[:high]], # Very dangerous unless some Rails authorization used
15
- [/role/, CONFIDENCE[:med]],
16
- [/banned/, CONFIDENCE[:med]],
14
+ [:admin, CONFIDENCE[:high]], # Very dangerous unless some Rails authorization used
15
+ [:role, CONFIDENCE[:med]],
16
+ [:banned, CONFIDENCE[:med]],
17
17
  [:account_id, CONFIDENCE[:high]],
18
18
  [/\S*_id(s?)\z/, CONFIDENCE[:low]] # All other foreign keys have weak/low confidence
19
19
  ]
@@ -29,7 +29,7 @@ class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
29
29
  :file => model[:file],
30
30
  :warning_type => "Mass Assignment",
31
31
  :warning_code => :dangerous_attr_accessible,
32
- :message => "Potentially dangerous attribute #{attribute} available for mass assignment.",
32
+ :message => "Potentially dangerous attribute '#{attribute}' available for mass assignment",
33
33
  :confidence => confidence
34
34
  break # Prevent from matching single attr multiple times
35
35
  end
@@ -177,6 +177,10 @@ module Brakeman::Options
177
177
  options[:message_limit] = limit.to_i
178
178
  end
179
179
 
180
+ opts.on "--table-width WIDTH", "Limit table width in text report" do |width|
181
+ options[:table_width] = width.to_i
182
+ end
183
+
180
184
  opts.on "-o", "--output FILE", "Specify files for output. Defaults to stdout. Multiple '-o's allowed" do |file|
181
185
  options[:output_files] ||= []
182
186
  options[:output_files].push(file)
@@ -4,22 +4,6 @@ require 'brakeman/processors/template_processor'
4
4
  class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
5
5
  HAML_FORMAT_METHOD = /format_script_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)/
6
6
 
7
- def initialize *args
8
- super
9
-
10
- @tracker.libs.each do |name, lib|
11
- if name.to_s =~ /^Haml::Filters/
12
- begin
13
- require lib[:file]
14
- rescue Exception => e
15
- if @tracker.options[:debug]
16
- raise e
17
- end
18
- end
19
- end
20
- end
21
- end
22
-
23
7
  #Processes call, looking for template output
24
8
  def process_call exp
25
9
  target = exp.target
data/lib/brakeman/util.rb CHANGED
@@ -384,7 +384,9 @@ module Brakeman::Util
384
384
  end
385
385
 
386
386
  def truncate_table str
387
- @terminal_width ||= if $stdin && $stdin.tty?
387
+ @terminal_width ||= if @tracker.options[:table_width]
388
+ @tracker.options[:table_width]
389
+ elsif $stdin && $stdin.tty?
388
390
  Brakeman.load_brakeman_dependency 'highline'
389
391
  ::HighLine.new.terminal_size[0]
390
392
  else
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "2.1.1"
2
+ Version = "2.1.2"
3
3
  end
metadata CHANGED
@@ -1,13 +1,13 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: brakeman
3
3
  version: !ruby/object:Gem::Version
4
- hash: 9
4
+ hash: 15
5
5
  prerelease:
6
6
  segments:
7
7
  - 2
8
8
  - 1
9
- - 1
10
- version: 2.1.1
9
+ - 2
10
+ version: 2.1.2
11
11
  platform: ruby
12
12
  authors:
13
13
  - Justin Collins
@@ -15,7 +15,7 @@ autorequire:
15
15
  bindir: bin
16
16
  cert_chain: []
17
17
 
18
- date: 2013-08-21 00:00:00 Z
18
+ date: 2013-09-18 00:00:00 Z
19
19
  dependencies:
20
20
  - !ruby/object:Gem::Dependency
21
21
  name: ruby_parser
@@ -199,121 +199,121 @@ files:
199
199
  - WARNING_TYPES
200
200
  - FEATURES
201
201
  - README.md
202
- - lib/brakeman/app_tree.rb
202
+ - lib/brakeman/version.rb
203
+ - lib/brakeman/differ.rb
204
+ - lib/brakeman/util.rb
203
205
  - lib/brakeman/brakeman.rake
204
206
  - lib/brakeman/call_index.rb
205
- - lib/brakeman/checks/base_check.rb
207
+ - lib/brakeman/report/report_json.rb
208
+ - lib/brakeman/report/report_hash.rb
209
+ - lib/brakeman/report/report_base.rb
210
+ - lib/brakeman/report/report_tabs.rb
211
+ - lib/brakeman/report/report_html.rb
212
+ - lib/brakeman/report/report_table.rb
213
+ - lib/brakeman/report/renderer.rb
214
+ - lib/brakeman/report/templates/controller_overview.html.erb
215
+ - lib/brakeman/report/templates/model_warnings.html.erb
216
+ - lib/brakeman/report/templates/template_overview.html.erb
217
+ - lib/brakeman/report/templates/view_warnings.html.erb
218
+ - lib/brakeman/report/templates/overview.html.erb
219
+ - lib/brakeman/report/templates/controller_warnings.html.erb
220
+ - lib/brakeman/report/templates/header.html.erb
221
+ - lib/brakeman/report/templates/error_overview.html.erb
222
+ - lib/brakeman/report/templates/security_warnings.html.erb
223
+ - lib/brakeman/report/templates/warning_overview.html.erb
224
+ - lib/brakeman/report/templates/ignored_warnings.html.erb
225
+ - lib/brakeman/report/report_csv.rb
226
+ - lib/brakeman/report/initializers/faster_csv.rb
227
+ - lib/brakeman/report/initializers/multi_json.rb
228
+ - lib/brakeman/report/ignore/interactive.rb
229
+ - lib/brakeman/report/ignore/config.rb
230
+ - lib/brakeman/tracker.rb
231
+ - lib/brakeman/report.rb
232
+ - lib/brakeman/scanner.rb
233
+ - lib/brakeman/processor.rb
234
+ - lib/brakeman/format/style.css
235
+ - lib/brakeman/warning_codes.rb
236
+ - lib/brakeman/app_tree.rb
237
+ - lib/brakeman/checks/check_select_vulnerability.rb
238
+ - lib/brakeman/checks/check_escape_function.rb
239
+ - lib/brakeman/checks/check_single_quotes.rb
240
+ - lib/brakeman/checks/check_model_serialize.rb
206
241
  - lib/brakeman/checks/check_basic_auth.rb
242
+ - lib/brakeman/checks/check_safe_buffer_manipulation.rb
243
+ - lib/brakeman/checks/check_forgery_setting.rb
244
+ - lib/brakeman/checks/check_session_settings.rb
245
+ - lib/brakeman/checks/check_model_attributes.rb
246
+ - lib/brakeman/checks/check_redirect.rb
247
+ - lib/brakeman/checks/check_yaml_parsing.rb
248
+ - lib/brakeman/checks/check_skip_before_filter.rb
249
+ - lib/brakeman/checks/check_response_splitting.rb
250
+ - lib/brakeman/checks/check_mail_to.rb
207
251
  - lib/brakeman/checks/check_content_tag.rb
208
- - lib/brakeman/checks/check_cross_site_scripting.rb
209
- - lib/brakeman/checks/check_default_routes.rb
252
+ - lib/brakeman/checks/check_unsafe_reflection.rb
253
+ - lib/brakeman/checks/check_sql.rb
254
+ - lib/brakeman/checks/check_select_tag.rb
255
+ - lib/brakeman/checks/check_model_attr_accessible.rb
256
+ - lib/brakeman/checks/check_mass_assignment.rb
257
+ - lib/brakeman/checks/check_link_to_href.rb
258
+ - lib/brakeman/checks/check_filter_skipping.rb
259
+ - lib/brakeman/checks/check_symbol_dos.rb
260
+ - lib/brakeman/checks/check_sanitize_methods.rb
261
+ - lib/brakeman/checks/check_file_access.rb
210
262
  - lib/brakeman/checks/check_deserialize.rb
211
- - lib/brakeman/checks/check_digest_dos.rb
212
- - lib/brakeman/checks/check_escape_function.rb
263
+ - lib/brakeman/checks/base_check.rb
264
+ - lib/brakeman/checks/check_validation_regex.rb
213
265
  - lib/brakeman/checks/check_evaluation.rb
266
+ - lib/brakeman/checks/check_digest_dos.rb
267
+ - lib/brakeman/checks/check_render.rb
268
+ - lib/brakeman/checks/check_send_file.rb
269
+ - lib/brakeman/checks/check_json_parsing.rb
214
270
  - lib/brakeman/checks/check_execute.rb
215
- - lib/brakeman/checks/check_file_access.rb
216
- - lib/brakeman/checks/check_filter_skipping.rb
217
- - lib/brakeman/checks/check_forgery_setting.rb
271
+ - lib/brakeman/checks/check_translate_bug.rb
218
272
  - lib/brakeman/checks/check_jruby_xml.rb
219
- - lib/brakeman/checks/check_json_parsing.rb
273
+ - lib/brakeman/checks/check_default_routes.rb
220
274
  - lib/brakeman/checks/check_link_to.rb
221
- - lib/brakeman/checks/check_link_to_href.rb
222
- - lib/brakeman/checks/check_mail_to.rb
223
- - lib/brakeman/checks/check_mass_assignment.rb
224
- - lib/brakeman/checks/check_model_attr_accessible.rb
225
- - lib/brakeman/checks/check_model_attributes.rb
226
- - lib/brakeman/checks/check_model_serialize.rb
227
- - lib/brakeman/checks/check_nested_attributes.rb
228
275
  - lib/brakeman/checks/check_quote_table_name.rb
229
- - lib/brakeman/checks/check_redirect.rb
230
- - lib/brakeman/checks/check_render.rb
231
- - lib/brakeman/checks/check_response_splitting.rb
232
- - lib/brakeman/checks/check_safe_buffer_manipulation.rb
233
- - lib/brakeman/checks/check_sanitize_methods.rb
234
- - lib/brakeman/checks/check_select_tag.rb
235
- - lib/brakeman/checks/check_select_vulnerability.rb
236
276
  - lib/brakeman/checks/check_send.rb
237
- - lib/brakeman/checks/check_send_file.rb
238
- - lib/brakeman/checks/check_session_settings.rb
239
- - lib/brakeman/checks/check_single_quotes.rb
240
- - lib/brakeman/checks/check_skip_before_filter.rb
241
- - lib/brakeman/checks/check_sql.rb
277
+ - lib/brakeman/checks/check_cross_site_scripting.rb
242
278
  - lib/brakeman/checks/check_strip_tags.rb
243
- - lib/brakeman/checks/check_symbol_dos.rb
244
- - lib/brakeman/checks/check_translate_bug.rb
245
- - lib/brakeman/checks/check_unsafe_reflection.rb
246
- - lib/brakeman/checks/check_validation_regex.rb
279
+ - lib/brakeman/checks/check_nested_attributes.rb
247
280
  - lib/brakeman/checks/check_without_protection.rb
248
- - lib/brakeman/checks/check_yaml_parsing.rb
249
281
  - lib/brakeman/checks.rb
250
- - lib/brakeman/differ.rb
251
- - lib/brakeman/format/style.css
252
- - lib/brakeman/options.rb
253
- - lib/brakeman/parsers/rails2_erubis.rb
254
- - lib/brakeman/parsers/rails2_xss_plugin_erubis.rb
255
- - lib/brakeman/parsers/rails3_erubis.rb
256
- - lib/brakeman/processor.rb
257
- - lib/brakeman/processors/alias_processor.rb
258
- - lib/brakeman/processors/base_processor.rb
259
- - lib/brakeman/processors/config_processor.rb
260
282
  - lib/brakeman/processors/controller_alias_processor.rb
261
- - lib/brakeman/processors/controller_processor.rb
262
- - lib/brakeman/processors/erb_template_processor.rb
263
- - lib/brakeman/processors/erubis_template_processor.rb
264
- - lib/brakeman/processors/gem_processor.rb
265
- - lib/brakeman/processors/haml_template_processor.rb
266
- - lib/brakeman/processors/lib/find_all_calls.rb
267
- - lib/brakeman/processors/lib/find_call.rb
268
283
  - lib/brakeman/processors/lib/find_return_value.rb
269
- - lib/brakeman/processors/lib/processor_helper.rb
270
- - lib/brakeman/processors/lib/rails2_config_processor.rb
284
+ - lib/brakeman/processors/lib/route_helper.rb
271
285
  - lib/brakeman/processors/lib/rails2_route_processor.rb
272
- - lib/brakeman/processors/lib/rails3_config_processor.rb
273
- - lib/brakeman/processors/lib/rails3_route_processor.rb
274
286
  - lib/brakeman/processors/lib/render_helper.rb
275
- - lib/brakeman/processors/lib/route_helper.rb
276
- - lib/brakeman/processors/library_processor.rb
287
+ - lib/brakeman/processors/lib/rails2_config_processor.rb
288
+ - lib/brakeman/processors/lib/rails3_route_processor.rb
289
+ - lib/brakeman/processors/lib/processor_helper.rb
290
+ - lib/brakeman/processors/lib/rails3_config_processor.rb
291
+ - lib/brakeman/processors/lib/find_all_calls.rb
292
+ - lib/brakeman/processors/lib/find_call.rb
293
+ - lib/brakeman/processors/template_alias_processor.rb
277
294
  - lib/brakeman/processors/model_processor.rb
278
295
  - lib/brakeman/processors/output_processor.rb
296
+ - lib/brakeman/processors/library_processor.rb
297
+ - lib/brakeman/processors/erb_template_processor.rb
298
+ - lib/brakeman/processors/template_processor.rb
299
+ - lib/brakeman/processors/alias_processor.rb
300
+ - lib/brakeman/processors/config_processor.rb
301
+ - lib/brakeman/processors/gem_processor.rb
302
+ - lib/brakeman/processors/erubis_template_processor.rb
279
303
  - lib/brakeman/processors/route_processor.rb
304
+ - lib/brakeman/processors/controller_processor.rb
280
305
  - lib/brakeman/processors/slim_template_processor.rb
281
- - lib/brakeman/processors/template_alias_processor.rb
282
- - lib/brakeman/processors/template_processor.rb
283
- - lib/brakeman/report/ignore/config.rb
284
- - lib/brakeman/report/ignore/interactive.rb
285
- - lib/brakeman/report/initializers/faster_csv.rb
286
- - lib/brakeman/report/initializers/multi_json.rb
287
- - lib/brakeman/report/renderer.rb
288
- - lib/brakeman/report/report_base.rb
289
- - lib/brakeman/report/report_csv.rb
290
- - lib/brakeman/report/report_hash.rb
291
- - lib/brakeman/report/report_html.rb
292
- - lib/brakeman/report/report_json.rb
293
- - lib/brakeman/report/report_table.rb
294
- - lib/brakeman/report/report_tabs.rb
295
- - lib/brakeman/report/templates/controller_overview.html.erb
296
- - lib/brakeman/report/templates/controller_warnings.html.erb
297
- - lib/brakeman/report/templates/error_overview.html.erb
298
- - lib/brakeman/report/templates/header.html.erb
299
- - lib/brakeman/report/templates/ignored_warnings.html.erb
300
- - lib/brakeman/report/templates/model_warnings.html.erb
301
- - lib/brakeman/report/templates/overview.html.erb
302
- - lib/brakeman/report/templates/security_warnings.html.erb
303
- - lib/brakeman/report/templates/template_overview.html.erb
304
- - lib/brakeman/report/templates/view_warnings.html.erb
305
- - lib/brakeman/report/templates/warning_overview.html.erb
306
- - lib/brakeman/report.rb
307
- - lib/brakeman/rescanner.rb
308
- - lib/brakeman/scanner.rb
309
- - lib/brakeman/tracker.rb
310
- - lib/brakeman/util.rb
311
- - lib/brakeman/version.rb
306
+ - lib/brakeman/processors/haml_template_processor.rb
307
+ - lib/brakeman/processors/base_processor.rb
312
308
  - lib/brakeman/warning.rb
313
- - lib/brakeman/warning_codes.rb
314
- - lib/brakeman.rb
309
+ - lib/brakeman/options.rb
310
+ - lib/brakeman/rescanner.rb
311
+ - lib/brakeman/parsers/rails2_erubis.rb
312
+ - lib/brakeman/parsers/rails3_erubis.rb
313
+ - lib/brakeman/parsers/rails2_xss_plugin_erubis.rb
315
314
  - lib/ruby_parser/bm_sexp.rb
316
315
  - lib/ruby_parser/bm_sexp_processor.rb
316
+ - lib/brakeman.rb
317
317
  homepage: http://brakemanscanner.org
318
318
  licenses:
319
319
  - MIT