brakeman 2.4.3 → 2.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +15 -0
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/CHANGES +15 -0
- data/lib/brakeman.rb +22 -0
- data/lib/brakeman/checks/base_check.rb +1 -1
- data/lib/brakeman/checks/check_number_to_currency.rb +2 -0
- data/lib/brakeman/checks/check_redirect.rb +15 -1
- data/lib/brakeman/checks/check_regex_dos.rb +69 -0
- data/lib/brakeman/checks/check_select_vulnerability.rb +3 -1
- data/lib/brakeman/checks/check_skip_before_filter.rb +1 -1
- data/lib/brakeman/checks/check_sql.rb +10 -89
- data/lib/brakeman/checks/check_sql_cves.rb +89 -0
- data/lib/brakeman/checks/check_symbol_dos.rb +6 -4
- data/lib/brakeman/options.rb +6 -2
- data/lib/brakeman/processors/controller_processor.rb +4 -3
- data/lib/brakeman/processors/lib/find_all_calls.rb +13 -0
- data/lib/brakeman/processors/lib/rails3_route_processor.rb +6 -1
- data/lib/brakeman/processors/output_processor.rb +7 -0
- data/lib/brakeman/report.rb +8 -1
- data/lib/brakeman/report/report_html.rb +6 -1
- data/lib/brakeman/report/report_markdown.rb +158 -0
- data/lib/brakeman/util.rb +9 -0
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning_codes.rb +1 -0
- metadata +179 -204
- metadata.gz.sig +0 -0
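--- a/data/lib/brakeman/checks/check_symbol_dos.rb
+++ b/data/lib/brakeman/checks/check_symbol_dos.rb
@@ -3,6 +3,8 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
 Brakeman::Checks.add self
 
+UNSAFE_METHODS = [:to_sym, :literal_to_sym, :intern, :symbolize_keys, :symbolize_keys!]
+
 @description = "Checks for versions with ActiveRecord symbol denial of service, or code with a similar vulnerability"
 
 def run_check
@@ -26,7 +28,7 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
 :link => "https://groups.google.com/d/msg/rubyonrails-security/jgJ4cjjS8FE/BGbHRxnDRTIJ"
 end
 
-tracker.find_call(:methods =>
+tracker.find_call(:methods => UNSAFE_METHODS, :nested => true).each do |result|
 check_unsafe_symbol_creation(result)
 end
 
@@ -39,10 +41,10 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
 
 call = result[:call]
 
-if result[:method] == :
-args = [call.target]
-else
+if result[:method] == :literal_to_sym
 args = call.select { |e| sexp? e }
+else
+args = [call.target]
 end
 
 if input = args.map{ |arg| has_immediate_user_input?(arg) }.compact.first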
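Review bot: `UNSAFE_METHODS` in the first hunk is a mutable array constant, so any later `<<` on it would silently widen what this check flags for every scan; freeze it: `UNSAFE_METHODS = [:to_sym, :literal_to_sym, :intern, :symbolize_keys, :symbolize_keys!].freeze`. Since the list is consumed by `tracker.find_call` in the second hunk and drives the receiver-versus-arguments split in the third, a one-line comment above it saying that these are the call names whose receiver (or, for `literal_to_sym`, whose arguments) are checked for direct user input would spare the next contributor a read of the whole file. The method containing the third hunk starts before and ends after the lines shown.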
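--- a/data/lib/brakeman/options.rb
+++ b/data/lib/brakeman/options.rb
@@ -142,7 +142,7 @@ module Brakeman::Options
 
 opts.on "-f",
 "--format TYPE",
-[:pdf, :text, :html, :csv, :tabs, :json],
+[:pdf, :text, :html, :csv, :tabs, :json, :markdown],
 "Specify output formats. Default is text" do |type|
 
 type = "s" if type == :text
@@ -158,7 +158,7 @@ module Brakeman::Options
 end
 
 opts.on "-I", "--interactive-ignore", "Interactively ignore warnings" do
-options[:interactive_ignore] = true
+options[:interactive_ignore] = true
 end
 
 opts.on "-l", "--[no-]combine-locations", "Combine warning locations (Default)" do |combine|
@@ -198,6 +198,10 @@ module Brakeman::Options
 options[:absolute_paths] = true
 end
 
+opts.on "--github-repo USER/REPO[/PATH][@REF]", "Output links to GitHub in markdown and HTML reports using specified repo" do |repo|
+options[:github_repo] = repo
+end
+
 opts.on "-w",
 "--confidence-level LEVEL",
 ["1", "2", "3"],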
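Review bot: The `--github-repo` handler in the third hunk stores its value under `options[:github_repo]`, while the new `github_url` helper in the util.rb section further down reads `@tracker.options[:github_url]`; unless the brakeman.rb change listed in the diffstat (not shown on this page) derives `:github_url` from `:github_repo`, no report will ever produce a link. If that translation does live in brakeman.rb, say so where the key is written: `options[:github_repo] = repo # expanded into options[:github_url] before reports run`, so that the two names are not mistaken for a typo; if it does not, read the same key in both places. The second hunk is a whitespace-only change.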
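--- a/data/lib/brakeman/processors/controller_processor.rb
+++ b/data/lib/brakeman/processors/controller_processor.rb
@@ -116,9 +116,9 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
 case method
 when :include
 @controller[:includes] << class_name(first_arg) if @controller
-when :before_filter, :append_before_filter
+when :before_filter, :append_before_filter, :before_action, :append_before_action
 @controller[:options][:before_filters] << exp.args
-when :prepend_before_filter
+when :prepend_before_filter, :prepend_before_action
 @controller[:options][:before_filters].unshift exp.args
 when :layout
 if string? last_arg
@@ -196,7 +196,8 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
 
 #Look for before_filters and add fake ones if necessary
 def process_iter exp
-
+block_call_name = exp.block_call.method
+if block_call_name == :before_filter or block_call_name == :before_action
 add_fake_filter exp
 else
 super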
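Review bot: The condition added in the second hunk, `if block_call_name == :before_filter or block_call_name == :before_action`, uses the `or` keyword, whose low precedence turns into a silent bug the moment someone adds an assignment or `!` to the line; a membership test is both safer and shorter: `if [:before_filter, :before_action].include? block_call_name`. The same keyword-`or` appears in the two new guard lines of the rails3_route_processor.rb hunks further down (`return exp unless symbol? arg or string? arg`), where `||` would do. Note also that the first hunk now recognises `append_before_action` and `prepend_before_action` in call form, but the block form handled by `process_iter` still only matches `before_filter` and `before_action`, so a `prepend_before_action do ... end` block falls through to `super`; whether that gap matters depends on usage, but it is worth a comment either way. `process_iter`'s body continues past the hunk.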
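--- a/data/lib/brakeman/processors/lib/find_all_calls.rb
+++ b/data/lib/brakeman/processors/lib/find_all_calls.rb
@@ -106,6 +106,19 @@ class Brakeman::FindAllCalls < Brakeman::BaseProcessor
 exp
 end
 
+# Process a dynamic regex like a call
+def process_dregx exp
+exp.each { |arg| process arg if sexp? arg }
+
+@calls << { :target => nil,
+:method => :brakeman_regex_interp,
+:call => exp,
+:nested => false,
+:location => make_location }
+
+exp
+end
+
 #Process an assignment like a call
 def process_attrasgn exp
 process_call exp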
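Review bot: `process_dregx` records a synthetic call whose `:method` is `:brakeman_regex_interp`, a name that exists nowhere in a scanned application, and nothing on the line says who consumes it; presumably the new check_regex_dos.rb listed in the diffstat finds these entries through `find_call`. Name that contract in the comment above the method: `# Record an interpolated regex as a pseudo-call named :brakeman_regex_interp so checks can look it up with tracker.find_call`. `:nested => false` is hard-coded even though the regex's own arguments are processed first, so if a dregx sits inside another call's arguments the flag is wrong; if `process_call` elsewhere in this class tracks nesting depth, the regex entry should draw on the same source.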
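--- a/data/lib/brakeman/processors/lib/rails3_route_processor.rb
+++ b/data/lib/brakeman/processors/lib/rails3_route_processor.rb
@@ -58,7 +58,10 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
 end
 
 def process_namespace exp
-
+arg = exp.block_call.first_arg
+return exp unless symbol? arg or string? arg
+
+name = arg.value
 block = exp.block
 
 @prefix << camelize(name)
@@ -197,6 +200,8 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
 first_arg = exp.first_arg
 second_arg = exp.second_arg
 
+return exp unless symbol? first_arg or string? first_arg
+
 if second_arg and second_arg.node_type == :hash
 self.current_controller = first_arg.value
 #handle hash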
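Review bot: Both new guards return `exp` untouched when the first argument is not a symbol or string literal, which means a `namespace` or resource declared with a variable or method call is silently dropped from route tracking rather than reported; that is a reasonable choice for a static analyser, but it should be visible to whoever later wonders why a controller is missing from the report. A comment on each guard would do: `# Dynamic namespace/resource names cannot be resolved statically; skip them`. The method containing the second hunk starts before and ends after the lines shown.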
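--- a/data/lib/brakeman/report.rb
+++ b/data/lib/brakeman/report.rb
@@ -6,7 +6,7 @@ require 'brakeman/report/report_base'
 class Brakeman::Report
 attr_reader :tracker
 
-VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s]
+VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown]
 
 def initialize app_tree, tracker
 @app_tree = app_tree
@@ -29,6 +29,8 @@ class Brakeman::Report
 when :to_hash
 require_report 'hash'
 Brakeman::Report::Hash
+when :to_markdown
+return self.to_markdown
 when :to_s
 return self.to_s
 when :to_pdf
@@ -62,6 +64,11 @@ class Brakeman::Report
 generate Brakeman::Report::Table
 end
 
+def to_markdown
+require_report 'markdown'
+generate Brakeman::Report::Markdown
+end
+
 def generate reporter
 reporter.new(@app_tree, @tracker).generate_report
 end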
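--- a/data/lib/brakeman/report/report_html.rb
+++ b/data/lib/brakeman/report/report_html.rb
@@ -139,7 +139,7 @@ class Brakeman::Report::HTML < Brakeman::Report::Base
 message
 end <<
 "<table id='#{code_id}' class='context' style='display:none'>" <<
-"<caption>#{warning_file(warning) || ''}</caption>"
+"<caption>#{CGI.escapeHTML warning_file(warning) || ''}</caption>"
 
 unless context.empty?
 if warning.line - 1 == 1 or warning.line + 1 == 1
@@ -193,6 +193,11 @@ class Brakeman::Report::HTML < Brakeman::Report::Base
 def html_message warning, message
 message = CGI.escapeHTML(message)
 
+if warning.file
+github_url = github_url warning.file, warning.line
+message.gsub!(/(near line \d+)/, "<a href='#{URI.escape github_url, /'/}' target='_blank'>\\1</a>") if github_url
+end
+
 if @highlight_user_input and warning.user_input
 user_input = CGI.escapeHTML(warning.format_user_input)
 message.gsub!(user_input, "<span class=\"user_input\">#{user_input}</span>")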
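Review bot: In the second hunk the link target goes into the `href` attribute through `URI.escape github_url, /'/`, which percent-encodes only the single quote; `github_url` is assembled from the repo string given on the command line and the warning's file path (see `github_url` in the util.rb section below), so `<`, `>`, `&` or `"` in either land in the attribute unescaped, and `URI.escape` has been deprecated for years and no longer exists in Ruby 3.0. The rest of `html_message` already runs everything through `CGI.escapeHTML`, so do the same for the link: `message.gsub!(/(near line \d+)/, "<a href='#{CGI.escapeHTML(github_url)}' target='_blank'>\\1</a>") if github_url`. The first hunk's `CGI.escapeHTML warning_file(warning) || ''` parses as `CGI.escapeHTML(warning_file(warning) || '')`, which is what is wanted, but the parentheses would make that obvious. `html_message` continues past the hunk.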
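--- /dev/null
+++ b/data/lib/brakeman/report/report_markdown.rb
@@ -0,0 +1,158 @@
+Brakeman.load_brakeman_dependency 'terminal-table'
+
+class Brakeman::Report::Markdown < Brakeman::Report::Base
+
+class MarkdownTable < Terminal::Table
+
+def initialize options = {}, &block
+options[:style] ||= {}
+options[:style].merge!({
+:border_x => '-',
+:border_y => '|',
+:border_i => '|'
+})
+super options, &block
+end
+
+def render
+super.split("\n")[1...-1].join("\n")
+end
+alias :to_s :render
+
+end
+
+def generate_report
+out = "# BRAKEMAN REPORT\n\n" <<
+generate_metadata.to_s << "\n\n" <<
+generate_checks.to_s << "\n\n" <<
+"### SUMMARY\n\n" <<
+generate_overview.to_s << "\n\n" <<
+generate_warning_overview.to_s << "\n\n"
+
+#Return output early if only summarizing
+return out if tracker.options[:summary_only]
+
+if tracker.options[:report_routes] or tracker.options[:debug]
+out << "### CONTROLLERS" << "\n\n" <<
+generate_controllers.to_s << "\n\n"
+end
+
+if tracker.options[:debug]
+out << "### TEMPLATES\n\n" <<
+generate_templates.to_s << "\n\n"
+end
+
+res = generate_errors
+out << "### Errors\n\n" << res.to_s << "\n\n" if res
+
+res = generate_warnings
+out << "### SECURITY WARNINGS\n\n" << res.to_s << "\n\n" if res
+
+res = generate_controller_warnings
+out << "### Controller Warnings:\n\n" << res.to_s << "\n\n" if res
+
+res = generate_model_warnings
+out << "### Model Warnings:\n\n" << res.to_s << "\n\n" if res
+
+res = generate_template_warnings
+out << "### View Warnings:\n\n" << res.to_s << "\n\n" if res
+
+out
+end
+
+def generate_metadata
+MarkdownTable.new(
+:headings =>
+['Application path', 'Rails version', 'Brakeman version', 'Started at', 'Duration']
+) do |t|
+t.add_row([
+File.expand_path(tracker.options[:app_path]),
+rails_version,
+Brakeman::Version,
+tracker.start_time,
+"#{tracker.duration} seconds",
+])
+end
+end
+
+def generate_checks
+MarkdownTable.new(:headings => ['Checks performed']) do |t|
+t.add_row([checks.checks_run.sort.join(", ")])
+end
+end
+
+def generate_overview
+num_warnings = all_warnings.length
+
+MarkdownTable.new(:headings => ['Scanned/Reported', 'Total']) do |t|
+t.add_row ['Controllers', tracker.controllers.length]
+t.add_row ['Models', tracker.models.length - 1]
+t.add_row ['Templates', number_of_templates(@tracker)]
+t.add_row ['Errors', tracker.errors.length]
+t.add_row ['Security Warnings', "#{num_warnings} (#{warnings_summary[:high_confidence]})"]
+t.add_row ['Ignored Warnings', ignored_warnings.length] unless ignored_warnings.empty?
+end
+end
+
+#Generate listings of templates and their output
+def generate_templates
+out_processor = Brakeman::OutputProcessor.new
+template_rows = {}
+tracker.templates.each do |name, template|
+unless template[:outputs].empty?
+template[:outputs].each do |out|
+out = out_processor.format out
+template_rows[name] ||= []
+template_rows[name] << out.gsub("\n", ";").gsub(/\s+/, " ")
+end
+end
+end
+
+template_rows = template_rows.sort_by{|name, value| name.to_s}
+
+output = ''
+template_rows.each do |template|
+output << template.first.to_s << "\n\n"
+table = MarkdownTable.new(:headings => ['Output']) do |t|
+# template[1] is an array of calls
+template[1].each do |v|
+t.add_row [v]
+end
+end
+
+output << table.to_s << "\n\n"
+end
+
+output
+end
+
+def render_array template, headings, value_array, locals
+return if value_array.empty?
+
+MarkdownTable.new(:headings => headings) do |t|
+value_array.each { |value_row| t.add_row value_row }
+end
+end
+
+def convert_warning warning, original
+warning["Confidence"] = TEXT_CONFIDENCE[warning["Confidence"]]
+warning["Message"] = markdown_message original, warning["Message"]
+warning["Warning Type"] = "[#{warning['Warning Type']}](#{original.link})" if original.link
+warning
+end
+
+# Escape and code format warning message
+def markdown_message warning, message
+if warning.file
+github_url = github_url warning.file, warning.line
+message.gsub!(/(near line \d+)/, "[\\1](#{github_url})") if github_url
+end
+if warning.code
+code = warning.format_code
+message.gsub(code, "`#{code.gsub('`','``').gsub(/\A``|``\z/, '` `')}`")
+else
+message
+end
+end
+
+end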
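Review bot: Nothing escapes `|` in cell text before it reaches a `MarkdownTable`, yet the report puts warning messages, code snippets (`warning.format_code` in `markdown_message`) and template output into table rows, and Ruby code with block parameters such as `do |x|` contains exactly the character that `:border_y => '|'` uses as the column delimiter, so a markdown renderer splits the cell and shifts every column after it; wrapping the code in backticks does not help, since GFM tables still need `\|` inside code spans. Escaping once at the table boundary covers every caller: in `MarkdownTable`, `def add_row row; super(row.is_a?(Array) ? row.map { |c| c.to_s.gsub('|') { '\|' } } : row); end`. Two things in the same class deserve a comment: `render` drops the first and last line of `Terminal::Table`'s output, i.e. the top and bottom border rows, and `initialize` mutates the caller's `options` hash and overrides any `:border_*` it contained, which should either be stated or replaced by a non-mutating `merge`. `markdown_message` also calls `gsub!` on the message string it was handed, so the caller's copy is modified in place; `convert_warning` passes `warning["Message"]`, and if that string is shared with the original `Warning` object the link text leaks into other report formats run afterwards.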
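--- a/data/lib/brakeman/util.rb
+++ b/data/lib/brakeman/util.rb
@@ -383,6 +383,15 @@ module Brakeman::Util
 end
 end
 
+def github_url file, line=nil
+if repo_url = @tracker.options[:github_url] and file and not file.empty? and file.start_with? '/'
+url = "#{repo_url}/#{relative_path(file)}"
+url << "#L#{line}" if line
+else
+nil
+end
+end
+
 def truncate_table str
 @terminal_width ||= if @tracker.options[:table_width]
 @tracker.options[:table_width]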
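Review bot: The condition in `github_url` only works because `and`/`not` bind looser than the assignment `repo_url = @tracker.options[:github_url]`; the same line written with `&&` would assign the boolean result to `repo_url`, so the keyword choice is load-bearing and nothing tells a later reader that. Make the intent explicit: `if (repo_url = @tracker.options[:github_url]) && file && !file.empty? && file.start_with?('/')`. A header comment would also help: `# Link to file (and line) in the configured GitHub repo; nil when no repo is set or the path is not absolute`. Note that the option parser on this page stores the command-line value as `:github_repo`, so this method depends on `:github_url` being derived elsewhere, and that the returned string is inserted into HTML and markdown by the report classes without further escaping.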
data/lib/brakeman/version.rb
CHANGED
metadata
CHANGED
@@ -1,228 +1,212 @@
|
|
1
|
-
--- !ruby/object:Gem::Specification
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
2
|
name: brakeman
|
3
|
-
version: !ruby/object:Gem::Version
|
4
|
-
|
5
|
-
prerelease:
|
6
|
-
segments:
|
7
|
-
- 2
|
8
|
-
- 4
|
9
|
-
- 3
|
10
|
-
version: 2.4.3
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
version: 2.5.0
|
11
5
|
platform: ruby
|
12
|
-
authors:
|
6
|
+
authors:
|
13
7
|
- Justin Collins
|
14
8
|
autorequire:
|
15
9
|
bindir: bin
|
16
|
-
cert_chain:
|
17
|
-
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
|
40
|
-
|
41
|
-
|
10
|
+
cert_chain:
|
11
|
+
- !binary |-
|
12
|
+
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURMakNDQWhhZ0F3SUJB
|
13
|
+
Z0lCQURBTkJna3Foa2lHOXcwQkFRVUZBREE5TVF3d0NnWURWUVFEREFOblpX
|
14
|
+
MHgKR0RBV0Jnb0praWFKay9Jc1pBRVpGZ2hpY21GclpXMWhiakVUTUJFR0Nn
|
15
|
+
bVNKb21UOGl4a0FSa1dBMjl5WnpBZQpGdzB4TXpFeU1USXdNRE14TlRkYUZ3
|
16
|
+
MHhOREV5TVRJd01ETXhOVGRhTUQweEREQUtCZ05WQkFNTUEyZGxiVEVZCk1C
|
17
|
+
WUdDZ21TSm9tVDhpeGtBUmtXQ0dKeVlXdGxiV0Z1TVJNd0VRWUtDWkltaVpQ
|
18
|
+
eUxHUUJHUllEYjNKbk1JSUIKSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4
|
19
|
+
QU1JSUJDZ0tDQVFFQXhDSG1YQ2FBY1o0YlZqaWpLb3lRRng0TgpkeU43Qjdi
|
20
|
+
cVk4d09YeTZmL1VaNm1kQzhJUkFqODJLYVdRak5FMkxUL09iRlVXcENSeUxk
|
21
|
+
cndqa0RqZEZEeU9UCm1aQ1praU9lRXkyWnhZR2Z4WE1JL3hnMjRjOHI1WG1o
|
22
|
+
MTZFcnNZdXByUmNnKy9LWjZzNFVqc2VCTlRBUm1CSzQKSUhjcUlkbm9XYllh
|
23
|
+
M0JXSG9mbEpQYUpVSWFVKy95VGNsekZRSHBzd1U3a2E4ZnRJQVdlb0RRbzIy
|
24
|
+
Z2FzUC80TgpIdEp2QUl5ZzFEY1dQTGNuMHFiWm1kZWhnOEhadjhDKzJNdUxL
|
25
|
+
WC8ycVpHOWVzZWVnTXFNbEhIYWJ3d0V5OVZ2CmYvdC8rbHRMakMwQ1JhMlRx
|
26
|
+
WjJFdVE1RUV6Yk9zcUFmdGFaSkZtd3Y5VXQxVWhqbWR2UjVSZk42ZFdNUTVR
|
27
|
+
SUQKQVFBQm96a3dOekFMQmdOVkhROEVCQU1DQkxBd0hRWURWUjBPQkJZRUZQ
|
28
|
+
eUVLZVJ5MDlpOHFTcis5S0ZiZVRxdwprTUNTTUFrR0ExVWRFd1FDTUFBd0RR
|
29
|
+
WUpLb1pJaHZjTkFRRUZCUUFEZ2dFQkFMRWs4L1dubDJWQXFjaHhXbGJnClJO
|
30
|
+
ME1rVlVXTWY4TDB4eFVpVktvNVFlTDROQlZpQUxNQnJVNklTNHk2enluK0Zv
|
31
|
+
VUxBTUVhd1VqWmxaZjRIY2cKUzl1bmV2M3ArUlRXVXlrc0FuQTI3d0hacy9O
|
32
|
+
UklrVzM0czFaSTVOTkUveHl1NFVMT1FqZmgxd09qbFd6eUh1OQowdDQxL0N0
|
33
|
+
cGdOUE0ydUFqRzNSSXFscDdRS1hsYnk1MGNRcVdKUUNnVEgzSk5qTWhtUk9F
|
34
|
+
aFRzSTZDT29BcHZkCkNlN0JyMzl5amVvYXJ2ZWtxMHdDWEJZYWtVQncvRGRa
|
35
|
+
Q0c3bUZaNnhnaDAxZXFuWlVzTmQ4dk0rNlY2djIzVnUKamsydE1qRlQ0TDFk
|
36
|
+
QTNNRXN6MytNUDE0NFBEaFBDaDd0UGU2eXk4MUJPdnlZVFZrS3pyQWtnS3dI
|
37
|
+
RDFDdXZzSApiZHc9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
|
38
|
+
date: 2014-04-30 00:00:00.000000000 Z
|
39
|
+
dependencies:
|
40
|
+
- !ruby/object:Gem::Dependency
|
42
41
|
name: ruby_parser
|
43
|
-
|
44
|
-
|
45
|
-
none: false
|
46
|
-
requirements:
|
42
|
+
requirement: !ruby/object:Gem::Requirement
|
43
|
+
requirements:
|
47
44
|
- - ~>
|
48
|
-
- !ruby/object:Gem::Version
|
49
|
-
hash: 23
|
50
|
-
segments:
|
51
|
-
- 3
|
52
|
-
- 4
|
53
|
-
- 0
|
45
|
+
- !ruby/object:Gem::Version
|
54
46
|
version: 3.4.0
|
55
47
|
type: :runtime
|
56
|
-
version_requirements: *id001
|
57
|
-
- !ruby/object:Gem::Dependency
|
58
|
-
name: ruby2ruby
|
59
48
|
prerelease: false
|
60
|
-
|
61
|
-
|
62
|
-
|
49
|
+
version_requirements: !ruby/object:Gem::Requirement
|
50
|
+
requirements:
|
51
|
+
- - ~>
|
52
|
+
- !ruby/object:Gem::Version
|
53
|
+
version: 3.4.0
|
54
|
+
- !ruby/object:Gem::Dependency
|
55
|
+
name: ruby2ruby
|
56
|
+
requirement: !ruby/object:Gem::Requirement
|
57
|
+
requirements:
|
63
58
|
- - ~>
|
64
|
-
- !ruby/object:Gem::Version
|
65
|
-
hash: 5
|
66
|
-
segments:
|
67
|
-
- 2
|
68
|
-
- 0
|
69
|
-
- 5
|
59
|
+
- !ruby/object:Gem::Version
|
70
60
|
version: 2.0.5
|
71
61
|
type: :runtime
|
72
|
-
version_requirements: *id002
|
73
|
-
- !ruby/object:Gem::Dependency
|
74
|
-
name: terminal-table
|
75
62
|
prerelease: false
|
76
|
-
|
77
|
-
|
78
|
-
requirements:
|
63
|
+
version_requirements: !ruby/object:Gem::Requirement
|
64
|
+
requirements:
|
79
65
|
- - ~>
|
80
|
-
- !ruby/object:Gem::Version
|
81
|
-
|
82
|
-
|
83
|
-
|
84
|
-
|
85
|
-
|
66
|
+
- !ruby/object:Gem::Version
|
67
|
+
version: 2.0.5
|
68
|
+
- !ruby/object:Gem::Dependency
|
69
|
+
name: terminal-table
|
70
|
+
requirement: !ruby/object:Gem::Requirement
|
71
|
+
requirements:
|
72
|
+
- - ~>
|
73
|
+
- !ruby/object:Gem::Version
|
74
|
+
version: '1.4'
|
86
75
|
type: :runtime
|
87
|
-
version_requirements: *id003
|
88
|
-
- !ruby/object:Gem::Dependency
|
89
|
-
name: fastercsv
|
90
76
|
prerelease: false
|
91
|
-
|
92
|
-
|
93
|
-
|
77
|
+
version_requirements: !ruby/object:Gem::Requirement
|
78
|
+
requirements:
|
79
|
+
- - ~>
|
80
|
+
- !ruby/object:Gem::Version
|
81
|
+
version: '1.4'
|
82
|
+
- !ruby/object:Gem::Dependency
|
83
|
+
name: fastercsv
|
84
|
+
requirement: !ruby/object:Gem::Requirement
|
85
|
+
requirements:
|
94
86
|
- - ~>
|
95
|
-
- !ruby/object:Gem::Version
|
96
|
-
|
97
|
-
segments:
|
98
|
-
- 1
|
99
|
-
- 5
|
100
|
-
version: "1.5"
|
87
|
+
- !ruby/object:Gem::Version
|
88
|
+
version: '1.5'
|
101
89
|
type: :runtime
|
102
|
-
version_requirements: *id004
|
103
|
-
- !ruby/object:Gem::Dependency
|
104
|
-
name: highline
|
105
90
|
prerelease: false
|
106
|
-
|
107
|
-
|
108
|
-
|
91
|
+
version_requirements: !ruby/object:Gem::Requirement
|
92
|
+
requirements:
|
93
|
+
- - ~>
|
94
|
+
- !ruby/object:Gem::Version
|
95
|
+
version: '1.5'
|
96
|
+
- !ruby/object:Gem::Dependency
|
97
|
+
name: highline
|
98
|
+
requirement: !ruby/object:Gem::Requirement
|
99
|
+
requirements:
|
109
100
|
- - ~>
|
110
|
-
- !ruby/object:Gem::Version
|
111
|
-
hash: 39
|
112
|
-
segments:
|
113
|
-
- 1
|
114
|
-
- 6
|
115
|
-
- 20
|
101
|
+
- !ruby/object:Gem::Version
|
116
102
|
version: 1.6.20
|
117
103
|
type: :runtime
|
118
|
-
version_requirements: *id005
|
119
|
-
- !ruby/object:Gem::Dependency
|
120
|
-
name: erubis
|
121
104
|
prerelease: false
|
122
|
-
|
123
|
-
|
124
|
-
requirements:
|
105
|
+
version_requirements: !ruby/object:Gem::Requirement
|
106
|
+
requirements:
|
125
107
|
- - ~>
|
126
|
-
- !ruby/object:Gem::Version
|
127
|
-
|
128
|
-
|
129
|
-
|
130
|
-
|
131
|
-
|
108
|
+
- !ruby/object:Gem::Version
|
109
|
+
version: 1.6.20
|
110
|
+
- !ruby/object:Gem::Dependency
|
111
|
+
name: erubis
|
112
|
+
requirement: !ruby/object:Gem::Requirement
|
113
|
+
requirements:
|
114
|
+
- - ~>
|
115
|
+
- !ruby/object:Gem::Version
|
116
|
+
version: '2.6'
|
132
117
|
type: :runtime
|
133
|
-
version_requirements: *id006
|
134
|
-
- !ruby/object:Gem::Dependency
|
135
|
-
name: haml
|
136
118
|
prerelease: false
|
137
|
-
|
138
|
-
|
139
|
-
|
140
|
-
|
141
|
-
|
142
|
-
|
143
|
-
|
144
|
-
|
145
|
-
|
146
|
-
|
119
|
+
version_requirements: !ruby/object:Gem::Requirement
|
120
|
+
requirements:
|
121
|
+
- - ~>
|
122
|
+
- !ruby/object:Gem::Version
|
123
|
+
version: '2.6'
|
124
|
+
- !ruby/object:Gem::Dependency
|
125
|
+
name: haml
|
126
|
+
requirement: !ruby/object:Gem::Requirement
|
127
|
+
requirements:
|
128
|
+
- - ! '>='
|
129
|
+
- !ruby/object:Gem::Version
|
130
|
+
version: '3.0'
|
147
131
|
- - <
|
148
|
-
- !ruby/object:Gem::Version
|
149
|
-
|
150
|
-
segments:
|
151
|
-
- 5
|
152
|
-
- 0
|
153
|
-
version: "5.0"
|
132
|
+
- !ruby/object:Gem::Version
|
133
|
+
version: '5.0'
|
154
134
|
type: :runtime
|
155
|
-
version_requirements: *id007
|
156
|
-
- !ruby/object:Gem::Dependency
|
157
|
-
name: sass
|
158
135
|
prerelease: false
|
159
|
-
|
160
|
-
|
161
|
-
|
136
|
+
version_requirements: !ruby/object:Gem::Requirement
|
137
|
+
requirements:
|
138
|
+
- - ! '>='
|
139
|
+
- !ruby/object:Gem::Version
|
140
|
+
version: '3.0'
|
141
|
+
- - <
|
142
|
+
- !ruby/object:Gem::Version
|
143
|
+
version: '5.0'
|
144
|
+
- !ruby/object:Gem::Dependency
|
145
|
+
name: sass
|
146
|
+
requirement: !ruby/object:Gem::Requirement
|
147
|
+
requirements:
|
162
148
|
- - ~>
|
163
|
-
- !ruby/object:Gem::Version
|
164
|
-
|
165
|
-
segments:
|
166
|
-
- 3
|
167
|
-
- 0
|
168
|
-
version: "3.0"
|
149
|
+
- !ruby/object:Gem::Version
|
150
|
+
version: '3.0'
|
169
151
|
type: :runtime
|
170
|
-
version_requirements: *id008
|
171
|
-
- !ruby/object:Gem::Dependency
|
172
|
-
name: slim
|
173
152
|
prerelease: false
|
174
|
-
|
175
|
-
|
176
|
-
|
177
|
-
|
178
|
-
|
179
|
-
|
180
|
-
|
181
|
-
|
182
|
-
|
183
|
-
|
153
|
+
version_requirements: !ruby/object:Gem::Requirement
|
154
|
+
requirements:
|
155
|
+
- - ~>
|
156
|
+
- !ruby/object:Gem::Version
|
157
|
+
version: '3.0'
|
158
|
+
- !ruby/object:Gem::Dependency
|
159
|
+
name: slim
|
160
|
+
requirement: !ruby/object:Gem::Requirement
|
161
|
+
requirements:
|
162
|
+
- - ! '>='
|
163
|
+
- !ruby/object:Gem::Version
|
184
164
|
version: 1.3.6
|
185
165
|
- - <
|
186
|
-
- !ruby/object:Gem::Version
|
187
|
-
|
188
|
-
segments:
|
189
|
-
- 3
|
190
|
-
- 0
|
191
|
-
version: "3.0"
|
166
|
+
- !ruby/object:Gem::Version
|
167
|
+
version: '3.0'
|
192
168
|
type: :runtime
|
193
|
-
version_requirements: *id009
|
194
|
-
- !ruby/object:Gem::Dependency
|
195
|
-
name: multi_json
|
196
169
|
prerelease: false
|
197
|
-
|
198
|
-
|
199
|
-
|
170
|
+
version_requirements: !ruby/object:Gem::Requirement
|
171
|
+
requirements:
|
172
|
+
- - ! '>='
|
173
|
+
- !ruby/object:Gem::Version
|
174
|
+
version: 1.3.6
|
175
|
+
- - <
|
176
|
+
- !ruby/object:Gem::Version
|
177
|
+
version: '3.0'
|
178
|
+
- !ruby/object:Gem::Dependency
|
179
|
+
name: multi_json
|
180
|
+
requirement: !ruby/object:Gem::Requirement
|
181
|
+
requirements:
|
200
182
|
- - ~>
|
201
|
-
- !ruby/object:Gem::Version
|
202
|
-
|
203
|
-
segments:
|
204
|
-
- 1
|
205
|
-
- 2
|
206
|
-
version: "1.2"
|
183
|
+
- !ruby/object:Gem::Version
|
184
|
+
version: '1.2'
|
207
185
|
type: :runtime
|
208
|
-
|
209
|
-
|
186
|
+
prerelease: false
|
187
|
+
version_requirements: !ruby/object:Gem::Requirement
|
188
|
+
requirements:
|
189
|
+
- - ~>
|
190
|
+
- !ruby/object:Gem::Version
|
191
|
+
version: '1.2'
|
192
|
+
description: Brakeman detects security vulnerabilities in Ruby on Rails applications
|
193
|
+
via static analysis.
|
210
194
|
email: gem@brakeman.org
|
211
|
-
executables:
|
195
|
+
executables:
|
212
196
|
- brakeman
|
213
197
|
extensions: []
|
214
|
-
|
215
198
|
extra_rdoc_files: []
|
216
|
-
|
217
|
-
files:
|
218
|
-
- bin/brakeman
|
199
|
+
files:
|
219
200
|
- CHANGES
|
220
|
-
- WARNING_TYPES
|
221
201
|
- FEATURES
|
222
202
|
- README.md
|
203
|
+
- WARNING_TYPES
|
204
|
+
- bin/brakeman
|
205
|
+
- lib/brakeman.rb
|
223
206
|
- lib/brakeman/app_tree.rb
|
224
207
|
- lib/brakeman/brakeman.rake
|
225
208
|
- lib/brakeman/call_index.rb
|
209
|
+
- lib/brakeman/checks.rb
|
226
210
|
- lib/brakeman/checks/base_check.rb
|
227
211
|
- lib/brakeman/checks/check_basic_auth.rb
|
228
212
|
- lib/brakeman/checks/check_content_tag.rb
|
@@ -252,6 +236,7 @@ files:
|
|
252
236
|
- lib/brakeman/checks/check_number_to_currency.rb
|
253
237
|
- lib/brakeman/checks/check_quote_table_name.rb
|
254
238
|
- lib/brakeman/checks/check_redirect.rb
|
239
|
+
- lib/brakeman/checks/check_regex_dos.rb
|
255
240
|
- lib/brakeman/checks/check_render.rb
|
256
241
|
- lib/brakeman/checks/check_render_dos.rb
|
257
242
|
- lib/brakeman/checks/check_response_splitting.rb
|
@@ -266,6 +251,7 @@ files:
|
|
266
251
|
- lib/brakeman/checks/check_single_quotes.rb
|
267
252
|
- lib/brakeman/checks/check_skip_before_filter.rb
|
268
253
|
- lib/brakeman/checks/check_sql.rb
|
254
|
+
- lib/brakeman/checks/check_sql_cves.rb
|
269
255
|
- lib/brakeman/checks/check_ssl_verify.rb
|
270
256
|
- lib/brakeman/checks/check_strip_tags.rb
|
271
257
|
- lib/brakeman/checks/check_symbol_dos.rb
|
@@ -274,7 +260,6 @@ files:
|
|
274
260
|
- lib/brakeman/checks/check_validation_regex.rb
|
275
261
|
- lib/brakeman/checks/check_without_protection.rb
|
276
262
|
- lib/brakeman/checks/check_yaml_parsing.rb
|
277
|
-
- lib/brakeman/checks.rb
|
278
263
|
- lib/brakeman/differ.rb
|
279
264
|
- lib/brakeman/format/style.css
|
280
265
|
- lib/brakeman/options.rb
|
@@ -308,6 +293,7 @@ files:
|
|
308
293
|
- lib/brakeman/processors/slim_template_processor.rb
|
309
294
|
- lib/brakeman/processors/template_alias_processor.rb
|
310
295
|
- lib/brakeman/processors/template_processor.rb
|
296
|
+
- lib/brakeman/report.rb
|
311
297
|
- lib/brakeman/report/ignore/config.rb
|
312
298
|
- lib/brakeman/report/ignore/interactive.rb
|
313
299
|
- lib/brakeman/report/initializers/faster_csv.rb
|
@@ -318,6 +304,7 @@ files:
|
|
318
304
|
- lib/brakeman/report/report_hash.rb
|
319
305
|
- lib/brakeman/report/report_html.rb
|
320
306
|
- lib/brakeman/report/report_json.rb
|
307
|
+
- lib/brakeman/report/report_markdown.rb
|
321
308
|
- lib/brakeman/report/report_table.rb
|
322
309
|
- lib/brakeman/report/report_tabs.rb
|
323
310
|
- lib/brakeman/report/templates/controller_overview.html.erb
|
@@ -331,7 +318,6 @@ files:
|
|
331
318
|
- lib/brakeman/report/templates/template_overview.html.erb
|
332
319
|
- lib/brakeman/report/templates/view_warnings.html.erb
|
333
320
|
- lib/brakeman/report/templates/warning_overview.html.erb
|
334
|
-
- lib/brakeman/report.rb
|
335
321
|
- lib/brakeman/rescanner.rb
|
336
322
|
- lib/brakeman/scanner.rb
|
337
323
|
- lib/brakeman/tracker.rb
|
@@ -339,41 +325,30 @@ files:
|
|
339
325
|
- lib/brakeman/version.rb
|
340
326
|
- lib/brakeman/warning.rb
|
341
327
|
- lib/brakeman/warning_codes.rb
|
342
|
-
- lib/brakeman.rb
|
343
328
|
- lib/ruby_parser/bm_sexp.rb
|
344
329
|
- lib/ruby_parser/bm_sexp_processor.rb
|
345
330
|
homepage: http://brakemanscanner.org
|
346
|
-
licenses:
|
331
|
+
licenses:
|
347
332
|
- MIT
|
333
|
+
metadata: {}
|
348
334
|
post_install_message:
|
349
335
|
rdoc_options: []
|
350
|
-
|
351
|
-
require_paths:
|
336
|
+
require_paths:
|
352
337
|
- lib
|
353
|
-
required_ruby_version: !ruby/object:Gem::Requirement
|
354
|
-
|
355
|
-
|
356
|
-
|
357
|
-
|
358
|
-
|
359
|
-
|
360
|
-
|
361
|
-
|
362
|
-
|
363
|
-
none: false
|
364
|
-
requirements:
|
365
|
-
- - ">="
|
366
|
-
- !ruby/object:Gem::Version
|
367
|
-
hash: 3
|
368
|
-
segments:
|
369
|
-
- 0
|
370
|
-
version: "0"
|
338
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
339
|
+
requirements:
|
340
|
+
- - ! '>='
|
341
|
+
- !ruby/object:Gem::Version
|
342
|
+
version: '0'
|
343
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
344
|
+
requirements:
|
345
|
+
- - ! '>='
|
346
|
+
- !ruby/object:Gem::Version
|
347
|
+
version: '0'
|
371
348
|
requirements: []
|
372
|
-
|
373
349
|
rubyforge_project:
|
374
|
-
rubygems_version:
|
350
|
+
rubygems_version: 2.2.2
|
375
351
|
signing_key:
|
376
|
-
specification_version:
|
352
|
+
specification_version: 4
|
377
353
|
summary: Security vulnerability scanner for Ruby on Rails.
|
378
354
|
test_files: []
|
379
|
-
|