brakeman 2.1.1 → 2.1.2

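--- a/data/CHANGES
+++ b/data/CHANGES
@@ -1,3 +1,10 @@
+# 2.1.2
+
+* Do not attempt to load custom Haml filters
+* Do not warn about `to_json` XSS in Rails 4
+* Add --table-width option to set width of text reports (ssendev)
+* Remove fuzzy matching on dangerous attr_accessible values
+
 # 2.1.1
 
 * New warning code for dangerous attributes in attr_accessible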
@@ -66,6 +66,8 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
66
66
  true? tracker.config[:rails][:active_support][:escape_html_entities_in_json]
67
67
 
68
68
  json_escape_on = true
69
+ elsif version_between? "4.0.0", "5.0.0"
70
+ json_escape_on = true
69
71
  end
70
72
 
71
73
  if !json_escape_on or version_between? "0.0.0", "2.0.99"
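Review bot: The new `elsif` branch sets `json_escape_on = true` for every Rails 4.x application without consulting `escape_html_entities_in_json`, so an app that explicitly sets `config.active_support.escape_html_entities_in_json = false` on Rails 4 silently loses the `to_json` XSS warning, whereas the preceding branch (whose `if` starts above the hunk) only honours an explicit `true`. If the code base has a `false?` counterpart to `true?`, the branch could read `elsif version_between?("4.0.0", "5.0.0") and not false? tracker.config[:rails][:active_support][:escape_html_entities_in_json]`, with the same guard against a missing `:active_support` hash that the first branch presumably relies on, since the chained lookup raises `NoMethodError` when that key is absent. The hard `"5.0.0"` upper bound also means a Rails 5 app will fall back to the old, warning-everything behaviour; a comment such as `# Rails 4 escapes HTML entities in to_json by default, so the version alone is enough` would record the reasoning for whoever bumps that bound. The enclosing method begins outside the hunk.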
@@ -11,9 +11,9 @@ class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
11
11
  @description = "Reports models which have dangerous attributes defined under the attr_accessible whitelist."
12
12
 
13
13
  SUSP_ATTRS = [
14
- [/admin/, CONFIDENCE[:high]], # Very dangerous unless some Rails authorization used
15
- [/role/, CONFIDENCE[:med]],
16
- [/banned/, CONFIDENCE[:med]],
14
+ [:admin, CONFIDENCE[:high]], # Very dangerous unless some Rails authorization used
15
+ [:role, CONFIDENCE[:med]],
16
+ [:banned, CONFIDENCE[:med]],
17
17
  [:account_id, CONFIDENCE[:high]],
18
18
  [/\S*_id(s?)\z/, CONFIDENCE[:low]] # All other foreign keys have weak/low confidence
19
19
  ]
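Review bot: `SUSP_ATTRS` is a mutable nested array bound to a constant and is not frozen, so any later code or monkey patch that appends to it or mutates an inner pair changes what every subsequent model scan flags; closing the literal with `].freeze` costs nothing and matches the intent of a constant lookup table. Replacing `/admin/`, `/role/` and `/banned/` with symbols means `is_admin`, `roles` or `banned_at` no longer hit these entries (only the trailing `_id` regex remains fuzzy), which the changelog says is deliberate, but nothing in the table says so; a header comment like `# Symbol entries match an attribute name exactly; regex entries match any name they accept` would keep the next contributor from re-adding loose patterns by accident. How a symbol entry is compared with `attribute` (`==` versus `===`) is decided below the hunk, so I can't confirm the matching code was adjusted for the mixed symbol/regex list.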
@@ -29,7 +29,7 @@ class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
29
29
  :file => model[:file],
30
30
  :warning_type => "Mass Assignment",
31
31
  :warning_code => :dangerous_attr_accessible,
32
- :message => "Potentially dangerous attribute #{attribute} available for mass assignment.",
32
+ :message => "Potentially dangerous attribute '#{attribute}' available for mass assignment",
33
33
  :confidence => confidence
34
34
  break # Prevent from matching single attr multiple times
35
35
  end
@@ -177,6 +177,10 @@ module Brakeman::Options
177
177
  options[:message_limit] = limit.to_i
178
178
  end
179
179
 
180
+ opts.on "--table-width WIDTH", "Limit table width in text report" do |width|
181
+ options[:table_width] = width.to_i
182
+ end
183
+
180
184
  opts.on "-o", "--output FILE", "Specify files for output. Defaults to stdout. Multiple '-o's allowed" do |file|
181
185
  options[:output_files] ||= []
182
186
  options[:output_files].push(file)
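Review bot: `width.to_i` in the new `--table-width` handler accepts any string, so `--table-width abc` or `--table-width -5` is stored as `0` or a negative number and later used as the report's table width; OptionParser will reject non-numeric input for free with a type argument, `opts.on "--table-width WIDTH", Integer, "Limit table width in text report" do |width|` followed by `options[:table_width] = width`, and `raise OptionParser::InvalidArgument, width.to_s unless width > 0` keeps zero and negative widths out. The existing `--message-limit` handler a few lines up uses the same bare `to_i`, so this may be the project's established style; even so the positivity check is worth having, because a zero width is a truthy value in Ruby and will not fall through to terminal detection wherever it is consumed. The enclosing `opts` block starts and ends outside the hunk.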
@@ -4,22 +4,6 @@ require 'brakeman/processors/template_processor'
4
4
  class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
5
5
  HAML_FORMAT_METHOD = /format_script_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)/
6
6
 
7
- def initialize *args
8
- super
9
-
10
- @tracker.libs.each do |name, lib|
11
- if name.to_s =~ /^Haml::Filters/
12
- begin
13
- require lib[:file]
14
- rescue Exception => e
15
- if @tracker.options[:debug]
16
- raise e
17
- end
18
- end
19
- end
20
- end
21
- end
22
-
23
7
  #Processes call, looking for template output
24
8
  def process_call exp
25
9
  target = exp.target
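--- a/data/lib/brakeman/util.rb
+++ b/data/lib/brakeman/util.rb
@@ -384,7 +384,9 @@ module Brakeman::Util
 end
 
 def truncate_table str
-@terminal_width ||= if $stdin && $stdin.tty?
+@terminal_width ||= if @tracker.options[:table_width]
+@tracker.options[:table_width]
+elsif $stdin && $stdin.tty?
 Brakeman.load_brakeman_dependency 'highline'
 ::HighLine.new.terminal_size[0]
 else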
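Review bot: The new guard `if @tracker.options[:table_width]` tests only truthiness, and `0` is truthy in Ruby, so a width that parsed to `0` or a negative number is accepted and then memoised into `@terminal_width` for the rest of the run instead of falling back to terminal detection; `if (width = @tracker && @tracker.options[:table_width]) && width > 0` with `width` as the branch value, then `elsif $stdin && $stdin.tty?`, keeps the fallback reachable. The `@tracker &&` part is defensive: `Brakeman::Util` is a mixin, and this is the first line in the hunk that dereferences `@tracker`, so any includer without a tracker would now raise `NoMethodError` where the old code did not — I can't tell from here whether such an includer exists. The remainder of `truncate_table` is below the hunk.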
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "2.1.1"
2
+ Version = "2.1.2"
3
3
  end
metadata CHANGED
@@ -1,13 +1,13 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: brakeman
3
3
  version: !ruby/object:Gem::Version
4
- hash: 9
4
+ hash: 15
5
5
  prerelease:
6
6
  segments:
7
7
  - 2
8
8
  - 1
9
- - 1
10
- version: 2.1.1
9
+ - 2
10
+ version: 2.1.2
11
11
  platform: ruby
12
12
  authors:
13
13
  - Justin Collins
@@ -15,7 +15,7 @@ autorequire:
15
15
  bindir: bin
16
16
  cert_chain: []
17
17
 
18
- date: 2013-08-21 00:00:00 Z
18
+ date: 2013-09-18 00:00:00 Z
19
19
  dependencies:
20
20
  - !ruby/object:Gem::Dependency
21
21
  name: ruby_parser
@@ -199,121 +199,121 @@ files:
199
199
  - WARNING_TYPES
200
200
  - FEATURES
201
201
  - README.md
202
- - lib/brakeman/app_tree.rb
202
+ - lib/brakeman/version.rb
203
+ - lib/brakeman/differ.rb
204
+ - lib/brakeman/util.rb
203
205
  - lib/brakeman/brakeman.rake
204
206
  - lib/brakeman/call_index.rb
205
- - lib/brakeman/checks/base_check.rb
207
+ - lib/brakeman/report/report_json.rb
208
+ - lib/brakeman/report/report_hash.rb
209
+ - lib/brakeman/report/report_base.rb
210
+ - lib/brakeman/report/report_tabs.rb
211
+ - lib/brakeman/report/report_html.rb
212
+ - lib/brakeman/report/report_table.rb
213
+ - lib/brakeman/report/renderer.rb
214
+ - lib/brakeman/report/templates/controller_overview.html.erb
215
+ - lib/brakeman/report/templates/model_warnings.html.erb
216
+ - lib/brakeman/report/templates/template_overview.html.erb
217
+ - lib/brakeman/report/templates/view_warnings.html.erb
218
+ - lib/brakeman/report/templates/overview.html.erb
219
+ - lib/brakeman/report/templates/controller_warnings.html.erb
220
+ - lib/brakeman/report/templates/header.html.erb
221
+ - lib/brakeman/report/templates/error_overview.html.erb
222
+ - lib/brakeman/report/templates/security_warnings.html.erb
223
+ - lib/brakeman/report/templates/warning_overview.html.erb
224
+ - lib/brakeman/report/templates/ignored_warnings.html.erb
225
+ - lib/brakeman/report/report_csv.rb
226
+ - lib/brakeman/report/initializers/faster_csv.rb
227
+ - lib/brakeman/report/initializers/multi_json.rb
228
+ - lib/brakeman/report/ignore/interactive.rb
229
+ - lib/brakeman/report/ignore/config.rb
230
+ - lib/brakeman/tracker.rb
231
+ - lib/brakeman/report.rb
232
+ - lib/brakeman/scanner.rb
233
+ - lib/brakeman/processor.rb
234
+ - lib/brakeman/format/style.css
235
+ - lib/brakeman/warning_codes.rb
236
+ - lib/brakeman/app_tree.rb
237
+ - lib/brakeman/checks/check_select_vulnerability.rb
238
+ - lib/brakeman/checks/check_escape_function.rb
239
+ - lib/brakeman/checks/check_single_quotes.rb
240
+ - lib/brakeman/checks/check_model_serialize.rb
206
241
  - lib/brakeman/checks/check_basic_auth.rb
242
+ - lib/brakeman/checks/check_safe_buffer_manipulation.rb
243
+ - lib/brakeman/checks/check_forgery_setting.rb
244
+ - lib/brakeman/checks/check_session_settings.rb
245
+ - lib/brakeman/checks/check_model_attributes.rb
246
+ - lib/brakeman/checks/check_redirect.rb
247
+ - lib/brakeman/checks/check_yaml_parsing.rb
248
+ - lib/brakeman/checks/check_skip_before_filter.rb
249
+ - lib/brakeman/checks/check_response_splitting.rb
250
+ - lib/brakeman/checks/check_mail_to.rb
207
251
  - lib/brakeman/checks/check_content_tag.rb
208
- - lib/brakeman/checks/check_cross_site_scripting.rb
209
- - lib/brakeman/checks/check_default_routes.rb
252
+ - lib/brakeman/checks/check_unsafe_reflection.rb
253
+ - lib/brakeman/checks/check_sql.rb
254
+ - lib/brakeman/checks/check_select_tag.rb
255
+ - lib/brakeman/checks/check_model_attr_accessible.rb
256
+ - lib/brakeman/checks/check_mass_assignment.rb
257
+ - lib/brakeman/checks/check_link_to_href.rb
258
+ - lib/brakeman/checks/check_filter_skipping.rb
259
+ - lib/brakeman/checks/check_symbol_dos.rb
260
+ - lib/brakeman/checks/check_sanitize_methods.rb
261
+ - lib/brakeman/checks/check_file_access.rb
210
262
  - lib/brakeman/checks/check_deserialize.rb
211
- - lib/brakeman/checks/check_digest_dos.rb
212
- - lib/brakeman/checks/check_escape_function.rb
263
+ - lib/brakeman/checks/base_check.rb
264
+ - lib/brakeman/checks/check_validation_regex.rb
213
265
  - lib/brakeman/checks/check_evaluation.rb
266
+ - lib/brakeman/checks/check_digest_dos.rb
267
+ - lib/brakeman/checks/check_render.rb
268
+ - lib/brakeman/checks/check_send_file.rb
269
+ - lib/brakeman/checks/check_json_parsing.rb
214
270
  - lib/brakeman/checks/check_execute.rb
215
- - lib/brakeman/checks/check_file_access.rb
216
- - lib/brakeman/checks/check_filter_skipping.rb
217
- - lib/brakeman/checks/check_forgery_setting.rb
271
+ - lib/brakeman/checks/check_translate_bug.rb
218
272
  - lib/brakeman/checks/check_jruby_xml.rb
219
- - lib/brakeman/checks/check_json_parsing.rb
273
+ - lib/brakeman/checks/check_default_routes.rb
220
274
  - lib/brakeman/checks/check_link_to.rb
221
- - lib/brakeman/checks/check_link_to_href.rb
222
- - lib/brakeman/checks/check_mail_to.rb
223
- - lib/brakeman/checks/check_mass_assignment.rb
224
- - lib/brakeman/checks/check_model_attr_accessible.rb
225
- - lib/brakeman/checks/check_model_attributes.rb
226
- - lib/brakeman/checks/check_model_serialize.rb
227
- - lib/brakeman/checks/check_nested_attributes.rb
228
275
  - lib/brakeman/checks/check_quote_table_name.rb
229
- - lib/brakeman/checks/check_redirect.rb
230
- - lib/brakeman/checks/check_render.rb
231
- - lib/brakeman/checks/check_response_splitting.rb
232
- - lib/brakeman/checks/check_safe_buffer_manipulation.rb
233
- - lib/brakeman/checks/check_sanitize_methods.rb
234
- - lib/brakeman/checks/check_select_tag.rb
235
- - lib/brakeman/checks/check_select_vulnerability.rb
236
276
  - lib/brakeman/checks/check_send.rb
237
- - lib/brakeman/checks/check_send_file.rb
238
- - lib/brakeman/checks/check_session_settings.rb
239
- - lib/brakeman/checks/check_single_quotes.rb
240
- - lib/brakeman/checks/check_skip_before_filter.rb
241
- - lib/brakeman/checks/check_sql.rb
277
+ - lib/brakeman/checks/check_cross_site_scripting.rb
242
278
  - lib/brakeman/checks/check_strip_tags.rb
243
- - lib/brakeman/checks/check_symbol_dos.rb
244
- - lib/brakeman/checks/check_translate_bug.rb
245
- - lib/brakeman/checks/check_unsafe_reflection.rb
246
- - lib/brakeman/checks/check_validation_regex.rb
279
+ - lib/brakeman/checks/check_nested_attributes.rb
247
280
  - lib/brakeman/checks/check_without_protection.rb
248
- - lib/brakeman/checks/check_yaml_parsing.rb
249
281
  - lib/brakeman/checks.rb
250
- - lib/brakeman/differ.rb
251
- - lib/brakeman/format/style.css
252
- - lib/brakeman/options.rb
253
- - lib/brakeman/parsers/rails2_erubis.rb
254
- - lib/brakeman/parsers/rails2_xss_plugin_erubis.rb
255
- - lib/brakeman/parsers/rails3_erubis.rb
256
- - lib/brakeman/processor.rb
257
- - lib/brakeman/processors/alias_processor.rb
258
- - lib/brakeman/processors/base_processor.rb
259
- - lib/brakeman/processors/config_processor.rb
260
282
  - lib/brakeman/processors/controller_alias_processor.rb
261
- - lib/brakeman/processors/controller_processor.rb
262
- - lib/brakeman/processors/erb_template_processor.rb
263
- - lib/brakeman/processors/erubis_template_processor.rb
264
- - lib/brakeman/processors/gem_processor.rb
265
- - lib/brakeman/processors/haml_template_processor.rb
266
- - lib/brakeman/processors/lib/find_all_calls.rb
267
- - lib/brakeman/processors/lib/find_call.rb
268
283
  - lib/brakeman/processors/lib/find_return_value.rb
269
- - lib/brakeman/processors/lib/processor_helper.rb
270
- - lib/brakeman/processors/lib/rails2_config_processor.rb
284
+ - lib/brakeman/processors/lib/route_helper.rb
271
285
  - lib/brakeman/processors/lib/rails2_route_processor.rb
272
- - lib/brakeman/processors/lib/rails3_config_processor.rb
273
- - lib/brakeman/processors/lib/rails3_route_processor.rb
274
286
  - lib/brakeman/processors/lib/render_helper.rb
275
- - lib/brakeman/processors/lib/route_helper.rb
276
- - lib/brakeman/processors/library_processor.rb
287
+ - lib/brakeman/processors/lib/rails2_config_processor.rb
288
+ - lib/brakeman/processors/lib/rails3_route_processor.rb
289
+ - lib/brakeman/processors/lib/processor_helper.rb
290
+ - lib/brakeman/processors/lib/rails3_config_processor.rb
291
+ - lib/brakeman/processors/lib/find_all_calls.rb
292
+ - lib/brakeman/processors/lib/find_call.rb
293
+ - lib/brakeman/processors/template_alias_processor.rb
277
294
  - lib/brakeman/processors/model_processor.rb
278
295
  - lib/brakeman/processors/output_processor.rb
296
+ - lib/brakeman/processors/library_processor.rb
297
+ - lib/brakeman/processors/erb_template_processor.rb
298
+ - lib/brakeman/processors/template_processor.rb
299
+ - lib/brakeman/processors/alias_processor.rb
300
+ - lib/brakeman/processors/config_processor.rb
301
+ - lib/brakeman/processors/gem_processor.rb
302
+ - lib/brakeman/processors/erubis_template_processor.rb
279
303
  - lib/brakeman/processors/route_processor.rb
304
+ - lib/brakeman/processors/controller_processor.rb
280
305
  - lib/brakeman/processors/slim_template_processor.rb
281
- - lib/brakeman/processors/template_alias_processor.rb
282
- - lib/brakeman/processors/template_processor.rb
283
- - lib/brakeman/report/ignore/config.rb
284
- - lib/brakeman/report/ignore/interactive.rb
285
- - lib/brakeman/report/initializers/faster_csv.rb
286
- - lib/brakeman/report/initializers/multi_json.rb
287
- - lib/brakeman/report/renderer.rb
288
- - lib/brakeman/report/report_base.rb
289
- - lib/brakeman/report/report_csv.rb
290
- - lib/brakeman/report/report_hash.rb
291
- - lib/brakeman/report/report_html.rb
292
- - lib/brakeman/report/report_json.rb
293
- - lib/brakeman/report/report_table.rb
294
- - lib/brakeman/report/report_tabs.rb
295
- - lib/brakeman/report/templates/controller_overview.html.erb
296
- - lib/brakeman/report/templates/controller_warnings.html.erb
297
- - lib/brakeman/report/templates/error_overview.html.erb
298
- - lib/brakeman/report/templates/header.html.erb
299
- - lib/brakeman/report/templates/ignored_warnings.html.erb
300
- - lib/brakeman/report/templates/model_warnings.html.erb
301
- - lib/brakeman/report/templates/overview.html.erb
302
- - lib/brakeman/report/templates/security_warnings.html.erb
303
- - lib/brakeman/report/templates/template_overview.html.erb
304
- - lib/brakeman/report/templates/view_warnings.html.erb
305
- - lib/brakeman/report/templates/warning_overview.html.erb
306
- - lib/brakeman/report.rb
307
- - lib/brakeman/rescanner.rb
308
- - lib/brakeman/scanner.rb
309
- - lib/brakeman/tracker.rb
310
- - lib/brakeman/util.rb
311
- - lib/brakeman/version.rb
306
+ - lib/brakeman/processors/haml_template_processor.rb
307
+ - lib/brakeman/processors/base_processor.rb
312
308
  - lib/brakeman/warning.rb
313
- - lib/brakeman/warning_codes.rb
314
- - lib/brakeman.rb
309
+ - lib/brakeman/options.rb
310
+ - lib/brakeman/rescanner.rb
311
+ - lib/brakeman/parsers/rails2_erubis.rb
312
+ - lib/brakeman/parsers/rails3_erubis.rb
313
+ - lib/brakeman/parsers/rails2_xss_plugin_erubis.rb
315
314
  - lib/ruby_parser/bm_sexp.rb
316
315
  - lib/ruby_parser/bm_sexp_processor.rb
316
+ - lib/brakeman.rb
317
317
  homepage: http://brakemanscanner.org
318
318
  licenses:
319
319
  - MIT