brakeman 2.4.3 → 2.5.0

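--- a/lib/brakeman/checks/check_symbol_dos.rb
+++ b/lib/brakeman/checks/check_symbol_dos.rb
@@ -3,6 +3,8 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
 Brakeman::Checks.add self
 
+UNSAFE_METHODS = [:to_sym, :literal_to_sym, :intern, :symbolize_keys, :symbolize_keys!]
+
 @description = "Checks for versions with ActiveRecord symbol denial of service, or code with a similar vulnerability"
 
 def run_check
@@ -26,7 +28,7 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
 :link => "https://groups.google.com/d/msg/rubyonrails-security/jgJ4cjjS8FE/BGbHRxnDRTIJ"
 end
 
-tracker.find_call(:methods => [:to_sym, :literal_to_sym], :nested => true).each do |result|
+tracker.find_call(:methods => UNSAFE_METHODS, :nested => true).each do |result|
 check_unsafe_symbol_creation(result)
 end
 
@@ -39,10 +41,10 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
 
 call = result[:call]
 
-if result[:method] == :to_sym
-args = [call.target]
-else
+if result[:method] == :literal_to_sym
 args = call.select { |e| sexp? e }
+else
+args = [call.target]
 end
 
 if input = args.map{ |arg| has_immediate_user_input?(arg) }.compact.first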
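Review bot: UNSAFE_METHODS is a mutable constant that is only ever read by find_call, so it should be frozen: `UNSAFE_METHODS = [:to_sym, :literal_to_sym, :intern, :symbolize_keys, :symbolize_keys!].freeze`. The branch swap in the third hunk is right for the new entries, since every listed method other than literal_to_sym converts its receiver, which is what `args = [call.target]` captures; a comment above the `if`, `# literal_to_sym carries its operands as arguments; every other unsafe method converts its receiver`, would make that intent explicit for the next method added to the list. The method around the third hunk starts outside it.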
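--- a/lib/brakeman/options.rb
+++ b/lib/brakeman/options.rb
@@ -142,7 +142,7 @@ module Brakeman::Options
 
 opts.on "-f",
 "--format TYPE",
-[:pdf, :text, :html, :csv, :tabs, :json],
+[:pdf, :text, :html, :csv, :tabs, :json, :markdown],
 "Specify output formats. Default is text" do |type|
 
 type = "s" if type == :text
@@ -158,7 +158,7 @@ module Brakeman::Options
 end
 
 opts.on "-I", "--interactive-ignore", "Interactively ignore warnings" do
-options[:interactive_ignore] = true
+options[:interactive_ignore] = true
 end
 
 opts.on "-l", "--[no-]combine-locations", "Combine warning locations (Default)" do |combine|
@@ -198,6 +198,10 @@ module Brakeman::Options
 options[:absolute_paths] = true
 end
 
+opts.on "--github-repo USER/REPO[/PATH][@REF]", "Output links to GitHub in markdown and HTML reports using specified repo" do |repo|
+options[:github_repo] = repo
+end
+
 opts.on "-w",
 "--confidence-level LEVEL",
 ["1", "2", "3"],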
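Review bot: The new `--github-repo` option stores its value as `options[:github_repo]`, while the `github_url` helper added to Brakeman::Util in this same release reads `@tracker.options[:github_url]`; unless a step outside this diff derives `:github_url` from `:github_repo`, the links advertised for the HTML and markdown reports are never produced. If that translation exists, a comment beside the option, `# converted to options[:github_url] when options are finalized`, would spare the next reader the search. The `--interactive-ignore` hunk is whitespace only.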
@@ -116,9 +116,9 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
116
116
  case method
117
117
  when :include
118
118
  @controller[:includes] << class_name(first_arg) if @controller
119
- when :before_filter, :append_before_filter
119
+ when :before_filter, :append_before_filter, :before_action, :append_before_action
120
120
  @controller[:options][:before_filters] << exp.args
121
- when :prepend_before_filter
121
+ when :prepend_before_filter, :prepend_before_action
122
122
  @controller[:options][:before_filters].unshift exp.args
123
123
  when :layout
124
124
  if string? last_arg
@@ -196,7 +196,8 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
196
196
 
197
197
  #Look for before_filters and add fake ones if necessary
198
198
  def process_iter exp
199
- if exp.block_call.method == :before_filter
199
+ block_call_name = exp.block_call.method
200
+ if block_call_name == :before_filter or block_call_name == :before_action
200
201
  add_fake_filter exp
201
202
  else
202
203
  super
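Review bot: The new condition in process_iter joins two equality tests with `or`, which is the low-precedence control-flow form rather than a boolean operator; `if [:before_filter, :before_action].include? block_call_name` avoids the precedence trap and keeps the alias list in one place. The first hunk adds the before/append/prepend action variants to the filter bookkeeping, but whether the skip_* counterparts elsewhere in this processor were extended in step is not visible here. process_iter's body continues past the end of the hunk.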
@@ -106,6 +106,19 @@ class Brakeman::FindAllCalls < Brakeman::BaseProcessor
106
106
  exp
107
107
  end
108
108
 
109
+ # Process a dynamic regex like a call
110
+ def process_dregx exp
111
+ exp.each { |arg| process arg if sexp? arg }
112
+
113
+ @calls << { :target => nil,
114
+ :method => :brakeman_regex_interp,
115
+ :call => exp,
116
+ :nested => false,
117
+ :location => make_location }
118
+
119
+ exp
120
+ end
121
+
109
122
  #Process an assignment like a call
110
123
  def process_attrasgn exp
111
124
  process_call exp
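Review bot: process_dregx records a pseudo-call under the name `:brakeman_regex_interp`, which matches no real method, and nothing at the definition says who consumes it; the file list in this release adds check_regex_dos.rb, which is presumably the consumer. A header comment such as `# Records an interpolated regex as a pseudo-call named :brakeman_regex_interp so checks can locate it through tracker.find_call` would tie the producer to its consumer. `:nested => false` is hard-coded, so a regex built inside another call's arguments is indexed as top-level; if the other entries pushed onto @calls track nesting, this one should use the same mechanism, which is outside the hunk.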
@@ -58,7 +58,10 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
58
58
  end
59
59
 
60
60
  def process_namespace exp
61
- name = exp.block_call.first_arg.value
61
+ arg = exp.block_call.first_arg
62
+ return exp unless symbol? arg or string? arg
63
+
64
+ name = arg.value
62
65
  block = exp.block
63
66
 
64
67
  @prefix << camelize(name)
@@ -197,6 +200,8 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
197
200
  first_arg = exp.first_arg
198
201
  second_arg = exp.second_arg
199
202
 
203
+ return exp unless symbol? first_arg or string? first_arg
204
+
200
205
  if second_arg and second_arg.node_type == :hash
201
206
  self.current_controller = first_arg.value
202
207
  #handle hash
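Review bot: Both new guards silently drop a namespace or resource whose name is not a symbol or string literal (a constant, a variable, a method call), so every route declared inside it vanishes from the analysis without a trace. Returning early is preferable to the crash the guard prevents, but the skip should be visible, at minimum through a comment such as `# non-literal names cannot be resolved statically; routes declared inside are skipped`, and ideally through whatever debug output the tracker offers. Both guards also use `or` where `||` is the conventional operator in a boolean expression. process_namespace continues past the first hunk, and the method around the second hunk starts and ends outside it.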
@@ -1,3 +1,10 @@
1
+ #Temporary fix for https://github.com/seattlerb/ruby_parser/issues/154
2
+ class Regexp
3
+ [:ENC_NONE, :ENC_EUC, :ENC_SJIS, :ENC_UTF8].each do |enc|
4
+ remove_const enc if const_defined? enc
5
+ end
6
+ end
7
+
1
8
  require 'ruby2ruby'
2
9
  require 'brakeman/util'
3
10
 
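Review bot: `const_defined? enc` searches ancestors by default, while `remove_const` only removes constants defined directly on Regexp, so if one of the four names were defined on Object or another ancestor the check would pass and remove_const would raise NameError at load time. Use `remove_const enc if const_defined?(enc, false)` so the test matches what is removed. Because this runs as a global side effect of requiring the file, including when brakeman is loaded as a library or through the rake task, the comment should also record the ruby_parser version at which the workaround can be dropped.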
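--- a/lib/brakeman/report.rb
+++ b/lib/brakeman/report.rb
@@ -6,7 +6,7 @@ require 'brakeman/report/report_base'
 class Brakeman::Report
 attr_reader :tracker
 
-VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s]
+VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown]
 
 def initialize app_tree, tracker
 @app_tree = app_tree
@@ -29,6 +29,8 @@ class Brakeman::Report
 when :to_hash
 require_report 'hash'
 Brakeman::Report::Hash
+when :to_markdown
+return self.to_markdown
 when :to_s
 return self.to_s
 when :to_pdf
@@ -62,6 +64,11 @@ class Brakeman::Report
 generate Brakeman::Report::Table
 end
 
+def to_markdown
+require_report 'markdown'
+generate Brakeman::Report::Markdown
+end
+
 def generate reporter
 reporter.new(@app_tree, @tracker).generate_report
 end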
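--- a/lib/brakeman/report/report_html.rb
+++ b/lib/brakeman/report/report_html.rb
@@ -139,7 +139,7 @@ class Brakeman::Report::HTML < Brakeman::Report::Base
 message
 end <<
 "<table id='#{code_id}' class='context' style='display:none'>" <<
-"<caption>#{warning_file(warning) || ''}</caption>"
+"<caption>#{CGI.escapeHTML warning_file(warning) || ''}</caption>"
 
 unless context.empty?
 if warning.line - 1 == 1 or warning.line + 1 == 1
@@ -193,6 +193,11 @@ class Brakeman::Report::HTML < Brakeman::Report::Base
 def html_message warning, message
 message = CGI.escapeHTML(message)
 
+if warning.file
+github_url = github_url warning.file, warning.line
+message.gsub!(/(near line \d+)/, "<a href='#{URI.escape github_url, /'/}' target='_blank'>\\1</a>") if github_url
+end
+
 if @highlight_user_input and warning.user_input
 user_input = CGI.escapeHTML(warning.format_user_input)
 message.gsub!(user_input, "<span class=\"user_input\">#{user_input}</span>")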
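Review bot: In html_message the GitHub URL is interpolated into a single-quoted href with `URI.escape github_url, /'/`, which rewrites only the apostrophe, whereas the rest of the message went through CGI.escapeHTML two lines earlier; the link is therefore the one place where a value assembled from the `--github-repo` option and the warning's file path reaches the document with a narrower escape than its surroundings. Use the same escape as the surrounding text, `"<a href='#{CGI.escapeHTML github_url}' target='_blank'>\\1</a>"`, which covers `'` together with `&`, `<`, `>` and `"` and drops the dependency on URI.escape. The local `github_url` shadows the helper it is assigned from; `url = github_url warning.file, warning.line` reads more clearly. The caption change in the first hunk is correct: the unparenthesised call takes `warning_file(warning) || ''` as its whole argument, so a nil file is handled before escaping.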
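--- /dev/null
+++ b/lib/brakeman/report/report_markdown.rb
@@ -0,0 +1,158 @@
+Brakeman.load_brakeman_dependency 'terminal-table'
+
+class Brakeman::Report::Markdown < Brakeman::Report::Base
+
+class MarkdownTable < Terminal::Table
+
+def initialize options = {}, &block
+options[:style] ||= {}
+options[:style].merge!({
+:border_x => '-',
+:border_y => '|',
+:border_i => '|'
+})
+super options, &block
+end
+
+def render
+super.split("\n")[1...-1].join("\n")
+end
+alias :to_s :render
+
+end
+
+def generate_report
+out = "# BRAKEMAN REPORT\n\n" <<
+generate_metadata.to_s << "\n\n" <<
+generate_checks.to_s << "\n\n" <<
+"### SUMMARY\n\n" <<
+generate_overview.to_s << "\n\n" <<
+generate_warning_overview.to_s << "\n\n"
+
+#Return output early if only summarizing
+return out if tracker.options[:summary_only]
+
+if tracker.options[:report_routes] or tracker.options[:debug]
+out << "### CONTROLLERS" << "\n\n" <<
+generate_controllers.to_s << "\n\n"
+end
+
+if tracker.options[:debug]
+out << "### TEMPLATES\n\n" <<
+generate_templates.to_s << "\n\n"
+end
+
+res = generate_errors
+out << "### Errors\n\n" << res.to_s << "\n\n" if res
+
+res = generate_warnings
+out << "### SECURITY WARNINGS\n\n" << res.to_s << "\n\n" if res
+
+res = generate_controller_warnings
+out << "### Controller Warnings:\n\n" << res.to_s << "\n\n" if res
+
+res = generate_model_warnings
+out << "### Model Warnings:\n\n" << res.to_s << "\n\n" if res
+
+res = generate_template_warnings
+out << "### View Warnings:\n\n" << res.to_s << "\n\n" if res
+
+out
+end
+
+def generate_metadata
+MarkdownTable.new(
+:headings =>
+['Application path', 'Rails version', 'Brakeman version', 'Started at', 'Duration']
+) do |t|
+t.add_row([
+File.expand_path(tracker.options[:app_path]),
+rails_version,
+Brakeman::Version,
+tracker.start_time,
+"#{tracker.duration} seconds",
+])
+end
+end
+
+def generate_checks
+MarkdownTable.new(:headings => ['Checks performed']) do |t|
+t.add_row([checks.checks_run.sort.join(", ")])
+end
+end
+
+def generate_overview
+num_warnings = all_warnings.length
+
+MarkdownTable.new(:headings => ['Scanned/Reported', 'Total']) do |t|
+t.add_row ['Controllers', tracker.controllers.length]
+t.add_row ['Models', tracker.models.length - 1]
+t.add_row ['Templates', number_of_templates(@tracker)]
+t.add_row ['Errors', tracker.errors.length]
+t.add_row ['Security Warnings', "#{num_warnings} (#{warnings_summary[:high_confidence]})"]
+t.add_row ['Ignored Warnings', ignored_warnings.length] unless ignored_warnings.empty?
+end
+end
+
+#Generate listings of templates and their output
+def generate_templates
+out_processor = Brakeman::OutputProcessor.new
+template_rows = {}
+tracker.templates.each do |name, template|
+unless template[:outputs].empty?
+template[:outputs].each do |out|
+out = out_processor.format out
+template_rows[name] ||= []
+template_rows[name] << out.gsub("\n", ";").gsub(/\s+/, " ")
+end
+end
+end
+
+template_rows = template_rows.sort_by{|name, value| name.to_s}
+
+output = ''
+template_rows.each do |template|
+output << template.first.to_s << "\n\n"
+table = MarkdownTable.new(:headings => ['Output']) do |t|
+# template[1] is an array of calls
+template[1].each do |v|
+t.add_row [v]
+end
+end
+
+output << table.to_s << "\n\n"
+end
+
+output
+end
+
+def render_array template, headings, value_array, locals
+return if value_array.empty?
+
+MarkdownTable.new(:headings => headings) do |t|
+value_array.each { |value_row| t.add_row value_row }
+end
+end
+
+def convert_warning warning, original
+warning["Confidence"] = TEXT_CONFIDENCE[warning["Confidence"]]
+warning["Message"] = markdown_message original, warning["Message"]
+warning["Warning Type"] = "[#{warning['Warning Type']}](#{original.link})" if original.link
+warning
+end
+
+# Escape and code format warning message
+def markdown_message warning, message
+if warning.file
+github_url = github_url warning.file, warning.line
+message.gsub!(/(near line \d+)/, "[\\1](#{github_url})") if github_url
+end
+if warning.code
+code = warning.format_code
+message.gsub(code, "`#{code.gsub('`','``').gsub(/\A``|``\z/, '` `')}`")
+else
+message
+end
+end
+
+end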
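Review bot: The header comment on markdown_message says it escapes the message, but only the code fragment is escaped (embedded backticks doubled, then wrapped); the rest of the message and the `#{github_url}` link target go out as raw markdown, so a `)` in the file path truncates the link and brackets in the message text are read as markup. Either escape those parts too or narrow the comment to `# Wrap the warning's code fragment in backticks (escaping embedded backticks) and link the line reference when a GitHub URL is available`. The method also mutates its argument with gsub! in the file branch but returns a fresh string from gsub in the code branch; `message = message.gsub(...) if github_url` keeps both branches non-destructive and leaves the caller's string untouched. MarkdownTable#initialize mutates the hash the caller passes in (`options[:style] ||= {}` then `merge!`); every caller on this page passes a fresh literal, so nothing breaks today, but a `dup` at the top is cheap insurance.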
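--- a/lib/brakeman/util.rb
+++ b/lib/brakeman/util.rb
@@ -383,6 +383,15 @@ module Brakeman::Util
 end
 end
 
+def github_url file, line=nil
+if repo_url = @tracker.options[:github_url] and file and not file.empty? and file.start_with? '/'
+url = "#{repo_url}/#{relative_path(file)}"
+url << "#L#{line}" if line
+else
+nil
+end
+end
+
 def truncate_table str
 @terminal_width ||= if @tracker.options[:table_width]
 @tracker.options[:table_width]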
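Review bot: github_url returns nil whenever it is called without a line, even though the signature offers `line=nil`: the last expression of the truthy branch is `url << "#L#{line}" if line`, and a modifier-if whose condition is false evaluates to nil, so the assembled url is discarded. Add `url` as the final statement of that branch, i.e. keep `url << "#L#{line}" if line` and follow it with `url`. Both callers on this page pass warning.line, so the bug is latent, which is exactly when a signature stops being trustworthy; the `and`/`not` chain is correct here only because `=` binds tighter than `and`, and `repo_url = @tracker.options[:github_url]` followed by `return nil unless repo_url && file && !file.empty? && file.start_with?('/')` states the guard without relying on that.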
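--- a/lib/brakeman/version.rb
+++ b/lib/brakeman/version.rb
@@ -1,3 +1,3 @@
 module Brakeman
-Version = "2.4.3"
+Version = "2.5.0"
 end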
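--- a/lib/brakeman/warning_codes.rb
+++ b/lib/brakeman/warning_codes.rb
@@ -76,6 +76,7 @@ module Brakeman::WarningCodes
 :CVE_2014_0081 => 73,
 :CVE_2014_0081_call => 74,
 :CVE_2014_0082 => 75,
+:regex_dos => 76
 }
 
 def self.code name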
metadata CHANGED
@@ -1,228 +1,212 @@
1
- --- !ruby/object:Gem::Specification
1
+ --- !ruby/object:Gem::Specification
2
2
  name: brakeman
3
- version: !ruby/object:Gem::Version
4
- hash: 25
5
- prerelease:
6
- segments:
7
- - 2
8
- - 4
9
- - 3
10
- version: 2.4.3
3
+ version: !ruby/object:Gem::Version
4
+ version: 2.5.0
11
5
  platform: ruby
12
- authors:
6
+ authors:
13
7
  - Justin Collins
14
8
  autorequire:
15
9
  bindir: bin
16
- cert_chain:
17
- - |
18
- -----BEGIN CERTIFICATE-----
19
- MIIDLjCCAhagAwIBAgIBADANBgkqhkiG9w0BAQUFADA9MQwwCgYDVQQDDANnZW0x
20
- GDAWBgoJkiaJk/IsZAEZFghicmFrZW1hbjETMBEGCgmSJomT8ixkARkWA29yZzAe
21
- Fw0xMzEyMTIwMDMxNTdaFw0xNDEyMTIwMDMxNTdaMD0xDDAKBgNVBAMMA2dlbTEY
22
- MBYGCgmSJomT8ixkARkWCGJyYWtlbWFuMRMwEQYKCZImiZPyLGQBGRYDb3JnMIIB
23
- IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxCHmXCaAcZ4bVjijKoyQFx4N
24
- dyN7B7bqY8wOXy6f/UZ6mdC8IRAj82KaWQjNE2LT/ObFUWpCRyLdrwjkDjdFDyOT
25
- mZCZkiOeEy2ZxYGfxXMI/xg24c8r5Xmh16ErsYuprRcg+/KZ6s4UjseBNTARmBK4
26
- IHcqIdnoWbYa3BWHoflJPaJUIaU+/yTclzFQHpswU7ka8ftIAWeoDQo22gasP/4N
27
- HtJvAIyg1DcWPLcn0qbZmdehg8HZv8C+2MuLKX/2qZG9eseegMqMlHHabwwEy9Vv
28
- f/t/+ltLjC0CRa2TqZ2EuQ5EEzbOsqAftaZJFmwv9Ut1UhjmdvR5RfN6dWMQ5QID
29
- AQABozkwNzALBgNVHQ8EBAMCBLAwHQYDVR0OBBYEFPyEKeRy09i8qSr+9KFbeTqw
30
- kMCSMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQEFBQADggEBALEk8/Wnl2VAqchxWlbg
31
- RN0MkVUWMf8L0xxUiVKo5QeL4NBViALMBrU6IS4y6zyn+FoULAMEawUjZlZf4Hcg
32
- S9unev3p+RTWUyksAnA27wHZs/NRIkW34s1ZI5NNE/xyu4ULOQjfh1wOjlWzyHu9
33
- 0t41/CtpgNPM2uAjG3RIqlp7QKXlby50cQqWJQCgTH3JNjMhmROEhTsI6COoApvd
34
- Ce7Br39yjeoarvekq0wCXBYakUBw/DdZCG7mFZ6xgh01eqnZUsNd8vM+6V6v23Vu
35
- jk2tMjFT4L1dA3MEsz3+MP144PDhPCh7tPe6yy81BOvyYTVkKzrAkgKwHD1CuvsH
36
- bdw=
37
- -----END CERTIFICATE-----
38
-
39
- date: 2014-03-23 00:00:00 Z
40
- dependencies:
41
- - !ruby/object:Gem::Dependency
10
+ cert_chain:
11
+ - !binary |-
12
+ LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURMakNDQWhhZ0F3SUJB
13
+ Z0lCQURBTkJna3Foa2lHOXcwQkFRVUZBREE5TVF3d0NnWURWUVFEREFOblpX
14
+ MHgKR0RBV0Jnb0praWFKay9Jc1pBRVpGZ2hpY21GclpXMWhiakVUTUJFR0Nn
15
+ bVNKb21UOGl4a0FSa1dBMjl5WnpBZQpGdzB4TXpFeU1USXdNRE14TlRkYUZ3
16
+ MHhOREV5TVRJd01ETXhOVGRhTUQweEREQUtCZ05WQkFNTUEyZGxiVEVZCk1C
17
+ WUdDZ21TSm9tVDhpeGtBUmtXQ0dKeVlXdGxiV0Z1TVJNd0VRWUtDWkltaVpQ
18
+ eUxHUUJHUllEYjNKbk1JSUIKSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4
19
+ QU1JSUJDZ0tDQVFFQXhDSG1YQ2FBY1o0YlZqaWpLb3lRRng0TgpkeU43Qjdi
20
+ cVk4d09YeTZmL1VaNm1kQzhJUkFqODJLYVdRak5FMkxUL09iRlVXcENSeUxk
21
+ cndqa0RqZEZEeU9UCm1aQ1praU9lRXkyWnhZR2Z4WE1JL3hnMjRjOHI1WG1o
22
+ MTZFcnNZdXByUmNnKy9LWjZzNFVqc2VCTlRBUm1CSzQKSUhjcUlkbm9XYllh
23
+ M0JXSG9mbEpQYUpVSWFVKy95VGNsekZRSHBzd1U3a2E4ZnRJQVdlb0RRbzIy
24
+ Z2FzUC80TgpIdEp2QUl5ZzFEY1dQTGNuMHFiWm1kZWhnOEhadjhDKzJNdUxL
25
+ WC8ycVpHOWVzZWVnTXFNbEhIYWJ3d0V5OVZ2CmYvdC8rbHRMakMwQ1JhMlRx
26
+ WjJFdVE1RUV6Yk9zcUFmdGFaSkZtd3Y5VXQxVWhqbWR2UjVSZk42ZFdNUTVR
27
+ SUQKQVFBQm96a3dOekFMQmdOVkhROEVCQU1DQkxBd0hRWURWUjBPQkJZRUZQ
28
+ eUVLZVJ5MDlpOHFTcis5S0ZiZVRxdwprTUNTTUFrR0ExVWRFd1FDTUFBd0RR
29
+ WUpLb1pJaHZjTkFRRUZCUUFEZ2dFQkFMRWs4L1dubDJWQXFjaHhXbGJnClJO
30
+ ME1rVlVXTWY4TDB4eFVpVktvNVFlTDROQlZpQUxNQnJVNklTNHk2enluK0Zv
31
+ VUxBTUVhd1VqWmxaZjRIY2cKUzl1bmV2M3ArUlRXVXlrc0FuQTI3d0hacy9O
32
+ UklrVzM0czFaSTVOTkUveHl1NFVMT1FqZmgxd09qbFd6eUh1OQowdDQxL0N0
33
+ cGdOUE0ydUFqRzNSSXFscDdRS1hsYnk1MGNRcVdKUUNnVEgzSk5qTWhtUk9F
34
+ aFRzSTZDT29BcHZkCkNlN0JyMzl5amVvYXJ2ZWtxMHdDWEJZYWtVQncvRGRa
35
+ Q0c3bUZaNnhnaDAxZXFuWlVzTmQ4dk0rNlY2djIzVnUKamsydE1qRlQ0TDFk
36
+ QTNNRXN6MytNUDE0NFBEaFBDaDd0UGU2eXk4MUJPdnlZVFZrS3pyQWtnS3dI
37
+ RDFDdXZzSApiZHc9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
38
+ date: 2014-04-30 00:00:00.000000000 Z
39
+ dependencies:
40
+ - !ruby/object:Gem::Dependency
42
41
  name: ruby_parser
43
- prerelease: false
44
- requirement: &id001 !ruby/object:Gem::Requirement
45
- none: false
46
- requirements:
42
+ requirement: !ruby/object:Gem::Requirement
43
+ requirements:
47
44
  - - ~>
48
- - !ruby/object:Gem::Version
49
- hash: 23
50
- segments:
51
- - 3
52
- - 4
53
- - 0
45
+ - !ruby/object:Gem::Version
54
46
  version: 3.4.0
55
47
  type: :runtime
56
- version_requirements: *id001
57
- - !ruby/object:Gem::Dependency
58
- name: ruby2ruby
59
48
  prerelease: false
60
- requirement: &id002 !ruby/object:Gem::Requirement
61
- none: false
62
- requirements:
49
+ version_requirements: !ruby/object:Gem::Requirement
50
+ requirements:
51
+ - - ~>
52
+ - !ruby/object:Gem::Version
53
+ version: 3.4.0
54
+ - !ruby/object:Gem::Dependency
55
+ name: ruby2ruby
56
+ requirement: !ruby/object:Gem::Requirement
57
+ requirements:
63
58
  - - ~>
64
- - !ruby/object:Gem::Version
65
- hash: 5
66
- segments:
67
- - 2
68
- - 0
69
- - 5
59
+ - !ruby/object:Gem::Version
70
60
  version: 2.0.5
71
61
  type: :runtime
72
- version_requirements: *id002
73
- - !ruby/object:Gem::Dependency
74
- name: terminal-table
75
62
  prerelease: false
76
- requirement: &id003 !ruby/object:Gem::Requirement
77
- none: false
78
- requirements:
63
+ version_requirements: !ruby/object:Gem::Requirement
64
+ requirements:
79
65
  - - ~>
80
- - !ruby/object:Gem::Version
81
- hash: 7
82
- segments:
83
- - 1
84
- - 4
85
- version: "1.4"
66
+ - !ruby/object:Gem::Version
67
+ version: 2.0.5
68
+ - !ruby/object:Gem::Dependency
69
+ name: terminal-table
70
+ requirement: !ruby/object:Gem::Requirement
71
+ requirements:
72
+ - - ~>
73
+ - !ruby/object:Gem::Version
74
+ version: '1.4'
86
75
  type: :runtime
87
- version_requirements: *id003
88
- - !ruby/object:Gem::Dependency
89
- name: fastercsv
90
76
  prerelease: false
91
- requirement: &id004 !ruby/object:Gem::Requirement
92
- none: false
93
- requirements:
77
+ version_requirements: !ruby/object:Gem::Requirement
78
+ requirements:
79
+ - - ~>
80
+ - !ruby/object:Gem::Version
81
+ version: '1.4'
82
+ - !ruby/object:Gem::Dependency
83
+ name: fastercsv
84
+ requirement: !ruby/object:Gem::Requirement
85
+ requirements:
94
86
  - - ~>
95
- - !ruby/object:Gem::Version
96
- hash: 5
97
- segments:
98
- - 1
99
- - 5
100
- version: "1.5"
87
+ - !ruby/object:Gem::Version
88
+ version: '1.5'
101
89
  type: :runtime
102
- version_requirements: *id004
103
- - !ruby/object:Gem::Dependency
104
- name: highline
105
90
  prerelease: false
106
- requirement: &id005 !ruby/object:Gem::Requirement
107
- none: false
108
- requirements:
91
+ version_requirements: !ruby/object:Gem::Requirement
92
+ requirements:
93
+ - - ~>
94
+ - !ruby/object:Gem::Version
95
+ version: '1.5'
96
+ - !ruby/object:Gem::Dependency
97
+ name: highline
98
+ requirement: !ruby/object:Gem::Requirement
99
+ requirements:
109
100
  - - ~>
110
- - !ruby/object:Gem::Version
111
- hash: 39
112
- segments:
113
- - 1
114
- - 6
115
- - 20
101
+ - !ruby/object:Gem::Version
116
102
  version: 1.6.20
117
103
  type: :runtime
118
- version_requirements: *id005
119
- - !ruby/object:Gem::Dependency
120
- name: erubis
121
104
  prerelease: false
122
- requirement: &id006 !ruby/object:Gem::Requirement
123
- none: false
124
- requirements:
105
+ version_requirements: !ruby/object:Gem::Requirement
106
+ requirements:
125
107
  - - ~>
126
- - !ruby/object:Gem::Version
127
- hash: 15
128
- segments:
129
- - 2
130
- - 6
131
- version: "2.6"
108
+ - !ruby/object:Gem::Version
109
+ version: 1.6.20
110
+ - !ruby/object:Gem::Dependency
111
+ name: erubis
112
+ requirement: !ruby/object:Gem::Requirement
113
+ requirements:
114
+ - - ~>
115
+ - !ruby/object:Gem::Version
116
+ version: '2.6'
132
117
  type: :runtime
133
- version_requirements: *id006
134
- - !ruby/object:Gem::Dependency
135
- name: haml
136
118
  prerelease: false
137
- requirement: &id007 !ruby/object:Gem::Requirement
138
- none: false
139
- requirements:
140
- - - ">="
141
- - !ruby/object:Gem::Version
142
- hash: 7
143
- segments:
144
- - 3
145
- - 0
146
- version: "3.0"
119
+ version_requirements: !ruby/object:Gem::Requirement
120
+ requirements:
121
+ - - ~>
122
+ - !ruby/object:Gem::Version
123
+ version: '2.6'
124
+ - !ruby/object:Gem::Dependency
125
+ name: haml
126
+ requirement: !ruby/object:Gem::Requirement
127
+ requirements:
128
+ - - ! '>='
129
+ - !ruby/object:Gem::Version
130
+ version: '3.0'
147
131
  - - <
148
- - !ruby/object:Gem::Version
149
- hash: 31
150
- segments:
151
- - 5
152
- - 0
153
- version: "5.0"
132
+ - !ruby/object:Gem::Version
133
+ version: '5.0'
154
134
  type: :runtime
155
- version_requirements: *id007
156
- - !ruby/object:Gem::Dependency
157
- name: sass
158
135
  prerelease: false
159
- requirement: &id008 !ruby/object:Gem::Requirement
160
- none: false
161
- requirements:
136
+ version_requirements: !ruby/object:Gem::Requirement
137
+ requirements:
138
+ - - ! '>='
139
+ - !ruby/object:Gem::Version
140
+ version: '3.0'
141
+ - - <
142
+ - !ruby/object:Gem::Version
143
+ version: '5.0'
144
+ - !ruby/object:Gem::Dependency
145
+ name: sass
146
+ requirement: !ruby/object:Gem::Requirement
147
+ requirements:
162
148
  - - ~>
163
- - !ruby/object:Gem::Version
164
- hash: 7
165
- segments:
166
- - 3
167
- - 0
168
- version: "3.0"
149
+ - !ruby/object:Gem::Version
150
+ version: '3.0'
169
151
  type: :runtime
170
- version_requirements: *id008
171
- - !ruby/object:Gem::Dependency
172
- name: slim
173
152
  prerelease: false
174
- requirement: &id009 !ruby/object:Gem::Requirement
175
- none: false
176
- requirements:
177
- - - ">="
178
- - !ruby/object:Gem::Version
179
- hash: 23
180
- segments:
181
- - 1
182
- - 3
183
- - 6
153
+ version_requirements: !ruby/object:Gem::Requirement
154
+ requirements:
155
+ - - ~>
156
+ - !ruby/object:Gem::Version
157
+ version: '3.0'
158
+ - !ruby/object:Gem::Dependency
159
+ name: slim
160
+ requirement: !ruby/object:Gem::Requirement
161
+ requirements:
162
+ - - ! '>='
163
+ - !ruby/object:Gem::Version
184
164
  version: 1.3.6
185
165
  - - <
186
- - !ruby/object:Gem::Version
187
- hash: 7
188
- segments:
189
- - 3
190
- - 0
191
- version: "3.0"
166
+ - !ruby/object:Gem::Version
167
+ version: '3.0'
192
168
  type: :runtime
193
- version_requirements: *id009
194
- - !ruby/object:Gem::Dependency
195
- name: multi_json
196
169
  prerelease: false
197
- requirement: &id010 !ruby/object:Gem::Requirement
198
- none: false
199
- requirements:
170
+ version_requirements: !ruby/object:Gem::Requirement
171
+ requirements:
172
+ - - ! '>='
173
+ - !ruby/object:Gem::Version
174
+ version: 1.3.6
175
+ - - <
176
+ - !ruby/object:Gem::Version
177
+ version: '3.0'
178
+ - !ruby/object:Gem::Dependency
179
+ name: multi_json
180
+ requirement: !ruby/object:Gem::Requirement
181
+ requirements:
200
182
  - - ~>
201
- - !ruby/object:Gem::Version
202
- hash: 11
203
- segments:
204
- - 1
205
- - 2
206
- version: "1.2"
183
+ - !ruby/object:Gem::Version
184
+ version: '1.2'
207
185
  type: :runtime
208
- version_requirements: *id010
209
- description: Brakeman detects security vulnerabilities in Ruby on Rails applications via static analysis.
186
+ prerelease: false
187
+ version_requirements: !ruby/object:Gem::Requirement
188
+ requirements:
189
+ - - ~>
190
+ - !ruby/object:Gem::Version
191
+ version: '1.2'
192
+ description: Brakeman detects security vulnerabilities in Ruby on Rails applications
193
+ via static analysis.
210
194
  email: gem@brakeman.org
211
- executables:
195
+ executables:
212
196
  - brakeman
213
197
  extensions: []
214
-
215
198
  extra_rdoc_files: []
216
-
217
- files:
218
- - bin/brakeman
199
+ files:
219
200
  - CHANGES
220
- - WARNING_TYPES
221
201
  - FEATURES
222
202
  - README.md
203
+ - WARNING_TYPES
204
+ - bin/brakeman
205
+ - lib/brakeman.rb
223
206
  - lib/brakeman/app_tree.rb
224
207
  - lib/brakeman/brakeman.rake
225
208
  - lib/brakeman/call_index.rb
209
+ - lib/brakeman/checks.rb
226
210
  - lib/brakeman/checks/base_check.rb
227
211
  - lib/brakeman/checks/check_basic_auth.rb
228
212
  - lib/brakeman/checks/check_content_tag.rb
@@ -252,6 +236,7 @@ files:
252
236
  - lib/brakeman/checks/check_number_to_currency.rb
253
237
  - lib/brakeman/checks/check_quote_table_name.rb
254
238
  - lib/brakeman/checks/check_redirect.rb
239
+ - lib/brakeman/checks/check_regex_dos.rb
255
240
  - lib/brakeman/checks/check_render.rb
256
241
  - lib/brakeman/checks/check_render_dos.rb
257
242
  - lib/brakeman/checks/check_response_splitting.rb
@@ -266,6 +251,7 @@ files:
266
251
  - lib/brakeman/checks/check_single_quotes.rb
267
252
  - lib/brakeman/checks/check_skip_before_filter.rb
268
253
  - lib/brakeman/checks/check_sql.rb
254
+ - lib/brakeman/checks/check_sql_cves.rb
269
255
  - lib/brakeman/checks/check_ssl_verify.rb
270
256
  - lib/brakeman/checks/check_strip_tags.rb
271
257
  - lib/brakeman/checks/check_symbol_dos.rb
@@ -274,7 +260,6 @@ files:
274
260
  - lib/brakeman/checks/check_validation_regex.rb
275
261
  - lib/brakeman/checks/check_without_protection.rb
276
262
  - lib/brakeman/checks/check_yaml_parsing.rb
277
- - lib/brakeman/checks.rb
278
263
  - lib/brakeman/differ.rb
279
264
  - lib/brakeman/format/style.css
280
265
  - lib/brakeman/options.rb
@@ -308,6 +293,7 @@ files:
308
293
  - lib/brakeman/processors/slim_template_processor.rb
309
294
  - lib/brakeman/processors/template_alias_processor.rb
310
295
  - lib/brakeman/processors/template_processor.rb
296
+ - lib/brakeman/report.rb
311
297
  - lib/brakeman/report/ignore/config.rb
312
298
  - lib/brakeman/report/ignore/interactive.rb
313
299
  - lib/brakeman/report/initializers/faster_csv.rb
@@ -318,6 +304,7 @@ files:
318
304
  - lib/brakeman/report/report_hash.rb
319
305
  - lib/brakeman/report/report_html.rb
320
306
  - lib/brakeman/report/report_json.rb
307
+ - lib/brakeman/report/report_markdown.rb
321
308
  - lib/brakeman/report/report_table.rb
322
309
  - lib/brakeman/report/report_tabs.rb
323
310
  - lib/brakeman/report/templates/controller_overview.html.erb
@@ -331,7 +318,6 @@ files:
331
318
  - lib/brakeman/report/templates/template_overview.html.erb
332
319
  - lib/brakeman/report/templates/view_warnings.html.erb
333
320
  - lib/brakeman/report/templates/warning_overview.html.erb
334
- - lib/brakeman/report.rb
335
321
  - lib/brakeman/rescanner.rb
336
322
  - lib/brakeman/scanner.rb
337
323
  - lib/brakeman/tracker.rb
@@ -339,41 +325,30 @@ files:
339
325
  - lib/brakeman/version.rb
340
326
  - lib/brakeman/warning.rb
341
327
  - lib/brakeman/warning_codes.rb
342
- - lib/brakeman.rb
343
328
  - lib/ruby_parser/bm_sexp.rb
344
329
  - lib/ruby_parser/bm_sexp_processor.rb
345
330
  homepage: http://brakemanscanner.org
346
- licenses:
331
+ licenses:
347
332
  - MIT
333
+ metadata: {}
348
334
  post_install_message:
349
335
  rdoc_options: []
350
-
351
- require_paths:
336
+ require_paths:
352
337
  - lib
353
- required_ruby_version: !ruby/object:Gem::Requirement
354
- none: false
355
- requirements:
356
- - - ">="
357
- - !ruby/object:Gem::Version
358
- hash: 3
359
- segments:
360
- - 0
361
- version: "0"
362
- required_rubygems_version: !ruby/object:Gem::Requirement
363
- none: false
364
- requirements:
365
- - - ">="
366
- - !ruby/object:Gem::Version
367
- hash: 3
368
- segments:
369
- - 0
370
- version: "0"
338
+ required_ruby_version: !ruby/object:Gem::Requirement
339
+ requirements:
340
+ - - ! '>='
341
+ - !ruby/object:Gem::Version
342
+ version: '0'
343
+ required_rubygems_version: !ruby/object:Gem::Requirement
344
+ requirements:
345
+ - - ! '>='
346
+ - !ruby/object:Gem::Version
347
+ version: '0'
371
348
  requirements: []
372
-
373
349
  rubyforge_project:
374
- rubygems_version: 1.8.15
350
+ rubygems_version: 2.2.2
375
351
  signing_key:
376
- specification_version: 3
352
+ specification_version: 4
377
353
  summary: Security vulnerability scanner for Ruby on Rails.
378
354
  test_files: []
379
-