brakeman 2.5.0 → 2.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +8 -8
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/CHANGES +14 -0
- data/README.md +6 -28
- data/lib/brakeman/checks/base_check.rb +5 -4
- data/lib/brakeman/checks/check_basic_auth.rb +1 -2
- data/lib/brakeman/checks/check_default_routes.rb +65 -15
- data/lib/brakeman/checks/check_detailed_exceptions.rb +5 -4
- data/lib/brakeman/checks/check_filter_skipping.rb +1 -1
- data/lib/brakeman/checks/check_forgery_setting.rb +9 -9
- data/lib/brakeman/checks/check_model_attr_accessible.rb +1 -1
- data/lib/brakeman/checks/check_model_attributes.rb +3 -3
- data/lib/brakeman/checks/check_model_serialize.rb +1 -1
- data/lib/brakeman/checks/check_redirect.rb +27 -6
- data/lib/brakeman/checks/check_render.rb +2 -2
- data/lib/brakeman/checks/check_skip_before_filter.rb +2 -2
- data/lib/brakeman/checks/check_sql.rb +2 -1
- data/lib/brakeman/file_parser.rb +49 -0
- data/lib/brakeman/options.rb +1 -1
- data/lib/brakeman/parsers/template_parser.rb +88 -0
- data/lib/brakeman/processors/alias_processor.rb +25 -2
- data/lib/brakeman/processors/controller_alias_processor.rb +3 -3
- data/lib/brakeman/processors/controller_processor.rb +106 -54
- data/lib/brakeman/processors/lib/rails3_route_processor.rb +27 -12
- data/lib/brakeman/processors/lib/route_helper.rb +1 -1
- data/lib/brakeman/processors/library_processor.rb +37 -28
- data/lib/brakeman/processors/model_processor.rb +117 -34
- data/lib/brakeman/report/report_base.rb +1 -1
- data/lib/brakeman/rescanner.rb +84 -35
- data/lib/brakeman/scanner.rb +84 -148
- data/lib/brakeman/tracker.rb +32 -12
- data/lib/brakeman/util.rb +13 -4
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning_codes.rb +2 -1
- metadata +6 -4
- metadata.gz.sig +0 -0
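--- a/data/lib/brakeman/tracker.rb
+++ b/data/lib/brakeman/tracker.rb
@@ -37,7 +37,8 @@ class Brakeman::Tracker
 :public => {},
 :private => {},
 :protected => {},
-:options => {}
+:options => {},
+:files => [] } }
 @routes = {}
 @initializers = {}
 @errors = []
@@ -82,11 +83,12 @@ class Brakeman::Tracker
 set.each do |set_name, info|
 [:private, :public, :protected].each do |visibility|
 info[visibility].each do |method_name, definition|
-
-
+src = definition[:src]
+if src.node_type == :selfdef
+method_name = "#{src[1]}.#{method_name}"
 end
 
-yield
+yield src, set_name, method_name, definition[:file]
 
 end
 end
@@ -218,11 +220,12 @@ class Brakeman::Tracker
 set.each do |set_name, info|
 [:private, :public, :protected].each do |visibility|
 info[visibility].each do |method_name, definition|
-
-
+src = definition[:src]
+if src.node_type == :selfdef
+method_name = "#{src[1]}.#{method_name}"
 end
 
-finder.process_source
+finder.process_source src, :class => set_name, :method => method_name, :file => definition[:file]
 
 end
 end
@@ -268,7 +271,7 @@ class Brakeman::Tracker
 model_name = nil
 
 @models.each do |name, model|
-if model[:
+if model[:files].include?(path)
 model_name = name
 break
 end
@@ -277,10 +280,27 @@ class Brakeman::Tracker
 @models.delete model_name
 end
 
+#Clear information related to model
+def reset_lib path
+lib_name = nil
+
+@libs.each do |name, lib|
+if lib[:files].include?(path)
+lib_name = name
+break
+end
+end
+
+@libs.delete lib_name
+end
+
 def reset_controller path
+controller_name = nil
+
 #Remove from controller
-@controllers.
-if controller[:
+@controllers.each do |name, controller|
+if controller[:files].include?(path)
+controller_name = name
 template_matcher = /^#{name}#/
 
 #Remove templates rendered from this controller
@@ -293,10 +313,10 @@ class Brakeman::Tracker
 
 #Remove calls indexed from this controller
 @call_index.remove_indexes_by_class [name]
-
-true
+break
 end
 end
+@controllers.delete controller_name
 end
 
 #Clear information about routes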
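--- a/data/lib/brakeman/util.rb
+++ b/data/lib/brakeman/util.rb
@@ -318,14 +318,14 @@ module Brakeman::Util
 
 case type
 when :controller
-if tracker.controllers[name] and tracker.controllers[name][:
-path = tracker.controllers[name][:
+if tracker.controllers[name] and tracker.controllers[name][:files]
+path = tracker.controllers[name][:files].first
 else
 path += "/app/controllers/#{underscore(string_name)}.rb"
 end
 when :model
-if tracker.models[name] and tracker.models[name][:
-path = tracker.models[name][:
+if tracker.models[name] and tracker.models[name][:files]
+path = tracker.models[name][:files].first
 else
 path += "/app/models/#{underscore(string_name)}.rb"
 end
@@ -383,6 +383,15 @@ module Brakeman::Util
 end
 end
 
+#Convert path/filename to view name
+#
+# views/test/something.html.erb -> test/something
+def template_path_to_name path
+names = path.split("/")
+names.last.gsub!(/(\.(html|js)\..*|\.rhtml)$/, '')
+names[(names.index("views") + 1)..-1].join("/").to_sym
+end
+
 def github_url file, line=nil
 if repo_url = @tracker.options[:github_url] and file and not file.empty? and file.start_with? '/'
 url = "#{repo_url}/#{relative_path(file)}"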
data/lib/brakeman/version.rb
CHANGED
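--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-version: 2.
+version: 2.6.0
 platform: ruby
 authors:
 - Justin Collins
@@ -35,7 +35,7 @@ cert_chain:
 Q0c3bUZaNnhnaDAxZXFuWlVzTmQ4dk0rNlY2djIzVnUKamsydE1qRlQ0TDFk
 QTNNRXN6MytNUDE0NFBEaFBDaDd0UGU2eXk4MUJPdnlZVFZrS3pyQWtnS3dI
 RDFDdXZzSApiZHc9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
-date: 2014-
+date: 2014-06-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: ruby_parser
@@ -43,14 +43,14 @@ dependencies:
 requirements:
 - - ~>
 - !ruby/object:Gem::Version
-version: 3.
+version: 3.5.0
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - ~>
 - !ruby/object:Gem::Version
-version: 3.
+version: 3.5.0
 - !ruby/object:Gem::Dependency
 name: ruby2ruby
 requirement: !ruby/object:Gem::Requirement
@@ -261,11 +261,13 @@ files:
 - lib/brakeman/checks/check_without_protection.rb
 - lib/brakeman/checks/check_yaml_parsing.rb
 - lib/brakeman/differ.rb
+- lib/brakeman/file_parser.rb
 - lib/brakeman/format/style.css
 - lib/brakeman/options.rb
 - lib/brakeman/parsers/rails2_erubis.rb
 - lib/brakeman/parsers/rails2_xss_plugin_erubis.rb
 - lib/brakeman/parsers/rails3_erubis.rb
+- lib/brakeman/parsers/template_parser.rb
 - lib/brakeman/processor.rb
 - lib/brakeman/processors/alias_processor.rb
 - lib/brakeman/processors/base_processor.rb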
metadata.gz.sig
CHANGED
Binary file