brakeman 2.5.0 → 2.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (37) hide show
  1. checksums.yaml +8 -8
  2. checksums.yaml.gz.sig +0 -0
  3. data.tar.gz.sig +0 -0
  4. data/CHANGES +14 -0
  5. data/README.md +6 -28
  6. data/lib/brakeman/checks/base_check.rb +5 -4
  7. data/lib/brakeman/checks/check_basic_auth.rb +1 -2
  8. data/lib/brakeman/checks/check_default_routes.rb +65 -15
  9. data/lib/brakeman/checks/check_detailed_exceptions.rb +5 -4
  10. data/lib/brakeman/checks/check_filter_skipping.rb +1 -1
  11. data/lib/brakeman/checks/check_forgery_setting.rb +9 -9
  12. data/lib/brakeman/checks/check_model_attr_accessible.rb +1 -1
  13. data/lib/brakeman/checks/check_model_attributes.rb +3 -3
  14. data/lib/brakeman/checks/check_model_serialize.rb +1 -1
  15. data/lib/brakeman/checks/check_redirect.rb +27 -6
  16. data/lib/brakeman/checks/check_render.rb +2 -2
  17. data/lib/brakeman/checks/check_skip_before_filter.rb +2 -2
  18. data/lib/brakeman/checks/check_sql.rb +2 -1
  19. data/lib/brakeman/file_parser.rb +49 -0
  20. data/lib/brakeman/options.rb +1 -1
  21. data/lib/brakeman/parsers/template_parser.rb +88 -0
  22. data/lib/brakeman/processors/alias_processor.rb +25 -2
  23. data/lib/brakeman/processors/controller_alias_processor.rb +3 -3
  24. data/lib/brakeman/processors/controller_processor.rb +106 -54
  25. data/lib/brakeman/processors/lib/rails3_route_processor.rb +27 -12
  26. data/lib/brakeman/processors/lib/route_helper.rb +1 -1
  27. data/lib/brakeman/processors/library_processor.rb +37 -28
  28. data/lib/brakeman/processors/model_processor.rb +117 -34
  29. data/lib/brakeman/report/report_base.rb +1 -1
  30. data/lib/brakeman/rescanner.rb +84 -35
  31. data/lib/brakeman/scanner.rb +84 -148
  32. data/lib/brakeman/tracker.rb +32 -12
  33. data/lib/brakeman/util.rb +13 -4
  34. data/lib/brakeman/version.rb +1 -1
  35. data/lib/brakeman/warning_codes.rb +2 -1
  36. metadata +6 -4
  37. metadata.gz.sig +0 -0
@@ -37,7 +37,8 @@ class Brakeman::Tracker
37
37
  :public => {},
38
38
  :private => {},
39
39
  :protected => {},
40
- :options => {} } }
40
+ :options => {},
41
+ :files => [] } }
41
42
  @routes = {}
42
43
  @initializers = {}
43
44
  @errors = []
@@ -82,11 +83,12 @@ class Brakeman::Tracker
82
83
  set.each do |set_name, info|
83
84
  [:private, :public, :protected].each do |visibility|
84
85
  info[visibility].each do |method_name, definition|
85
- if definition.node_type == :selfdef
86
- method_name = "#{definition[1]}.#{method_name}"
86
+ src = definition[:src]
87
+ if src.node_type == :selfdef
88
+ method_name = "#{src[1]}.#{method_name}"
87
89
  end
88
90
 
89
- yield definition, set_name, method_name, info[:file]
91
+ yield src, set_name, method_name, definition[:file]
90
92
 
91
93
  end
92
94
  end
@@ -218,11 +220,12 @@ class Brakeman::Tracker
218
220
  set.each do |set_name, info|
219
221
  [:private, :public, :protected].each do |visibility|
220
222
  info[visibility].each do |method_name, definition|
221
- if definition.node_type == :selfdef
222
- method_name = "#{definition[1]}.#{method_name}"
223
+ src = definition[:src]
224
+ if src.node_type == :selfdef
225
+ method_name = "#{src[1]}.#{method_name}"
223
226
  end
224
227
 
225
- finder.process_source definition, :class => set_name, :method => method_name, :file => info[:file]
228
+ finder.process_source src, :class => set_name, :method => method_name, :file => definition[:file]
226
229
 
227
230
  end
228
231
  end
@@ -268,7 +271,7 @@ class Brakeman::Tracker
268
271
  model_name = nil
269
272
 
270
273
  @models.each do |name, model|
271
- if model[:file] == path
274
+ if model[:files].include?(path)
272
275
  model_name = name
273
276
  break
274
277
  end
@@ -277,10 +280,27 @@ class Brakeman::Tracker
277
280
  @models.delete model_name
278
281
  end
279
282
 
283
+ #Clear information related to model
284
+ def reset_lib path
285
+ lib_name = nil
286
+
287
+ @libs.each do |name, lib|
288
+ if lib[:files].include?(path)
289
+ lib_name = name
290
+ break
291
+ end
292
+ end
293
+
294
+ @libs.delete lib_name
295
+ end
296
+
280
297
  def reset_controller path
298
+ controller_name = nil
299
+
281
300
  #Remove from controller
282
- @controllers.delete_if do |name, controller|
283
- if controller[:file] == path
301
+ @controllers.each do |name, controller|
302
+ if controller[:files].include?(path)
303
+ controller_name = name
284
304
  template_matcher = /^#{name}#/
285
305
 
286
306
  #Remove templates rendered from this controller
@@ -293,10 +313,10 @@ class Brakeman::Tracker
293
313
 
294
314
  #Remove calls indexed from this controller
295
315
  @call_index.remove_indexes_by_class [name]
296
-
297
- true
316
+ break
298
317
  end
299
318
  end
319
+ @controllers.delete controller_name
300
320
  end
301
321
 
302
322
  #Clear information about routes
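--- a/data/lib/brakeman/util.rb
+++ b/data/lib/brakeman/util.rb
@@ -318,14 +318,14 @@ module Brakeman::Util
 
 case type
 when :controller
-if tracker.controllers[name] and tracker.controllers[name][:file]
-path = tracker.controllers[name][:file]
+if tracker.controllers[name] and tracker.controllers[name][:files]
+path = tracker.controllers[name][:files].first
 else
 path += "/app/controllers/#{underscore(string_name)}.rb"
 end
 when :model
-if tracker.models[name] and tracker.models[name][:file]
-path = tracker.models[name][:file]
+if tracker.models[name] and tracker.models[name][:files]
+path = tracker.models[name][:files].first
 else
 path += "/app/models/#{underscore(string_name)}.rb"
 end
@@ -383,6 +383,15 @@ module Brakeman::Util
 end
 end
 
+#Convert path/filename to view name
+#
+# views/test/something.html.erb -> test/something
+def template_path_to_name path
+names = path.split("/")
+names.last.gsub!(/(\.(html|js)\..*|\.rhtml)$/, '')
+names[(names.index("views") + 1)..-1].join("/").to_sym
+end
+
 def github_url file, line=nil
 if repo_url = @tracker.options[:github_url] and file and not file.empty? and file.start_with? '/'
 url = "#{repo_url}/#{relative_path(file)}"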
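Review bot: In the first hunk, `tracker.controllers[name][:files]` is an Array and an empty Array is truthy in Ruby, so the `and ... [:files]` guard passes for a controller with no recorded files and `path` becomes `nil` from `.first`, whereas the old `[:file]` test fell through to the constructed `/app/controllers/...` default when nothing was recorded; the tracker hunk above initialises `:files => []`, so that state is reachable. The `:model` branch has the same shape. Guarding on contents rather than presence keeps the fallback: `if tracker.controllers[name] and not tracker.controllers[name][:files].empty?` (and likewise `tracker.models[name][:files]`); the method containing this `case` begins outside the hunk. In the second hunk, `template_path_to_name` assumes the path contains a `views` component; `names.index("views")` returns nil otherwise and `nil + 1` raises NoMethodError, which deserves either a comment stating the precondition or an explicit guard.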
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "2.5.0"
2
+ Version = "2.6.0"
3
3
  end
@@ -76,7 +76,8 @@ module Brakeman::WarningCodes
76
76
  :CVE_2014_0081 => 73,
77
77
  :CVE_2014_0081_call => 74,
78
78
  :CVE_2014_0082 => 75,
79
- :regex_dos => 76
79
+ :regex_dos => 76,
80
+ :CVE_2014_0130 => 77,
80
81
  }
81
82
 
82
83
  def self.code name
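--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-version: 2.5.0
+version: 2.6.0
 platform: ruby
 authors:
 - Justin Collins
@@ -35,7 +35,7 @@ cert_chain:
 Q0c3bUZaNnhnaDAxZXFuWlVzTmQ4dk0rNlY2djIzVnUKamsydE1qRlQ0TDFk
 QTNNRXN6MytNUDE0NFBEaFBDaDd0UGU2eXk4MUJPdnlZVFZrS3pyQWtnS3dI
 RDFDdXZzSApiZHc9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
-date: 2014-04-30 00:00:00.000000000 Z
+date: 2014-06-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: ruby_parser
@@ -43,14 +43,14 @@ dependencies:
 requirements:
 - - ~>
 - !ruby/object:Gem::Version
-version: 3.4.0
+version: 3.5.0
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - ~>
 - !ruby/object:Gem::Version
-version: 3.4.0
+version: 3.5.0
 - !ruby/object:Gem::Dependency
 name: ruby2ruby
 requirement: !ruby/object:Gem::Requirement
@@ -261,11 +261,13 @@ files:
 - lib/brakeman/checks/check_without_protection.rb
 - lib/brakeman/checks/check_yaml_parsing.rb
 - lib/brakeman/differ.rb
+- lib/brakeman/file_parser.rb
 - lib/brakeman/format/style.css
 - lib/brakeman/options.rb
 - lib/brakeman/parsers/rails2_erubis.rb
 - lib/brakeman/parsers/rails2_xss_plugin_erubis.rb
 - lib/brakeman/parsers/rails3_erubis.rb
+- lib/brakeman/parsers/template_parser.rb
 - lib/brakeman/processor.rb
 - lib/brakeman/processors/alias_processor.rb
 - lib/brakeman/processors/base_processor.rb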
metadata.gz.sig CHANGED
Binary file