brakeman 2.5.0 → 2.6.0
- checksums.yaml +8 -8
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/CHANGES +14 -0
- data/README.md +6 -28
- data/lib/brakeman/checks/base_check.rb +5 -4
- data/lib/brakeman/checks/check_basic_auth.rb +1 -2
- data/lib/brakeman/checks/check_default_routes.rb +65 -15
- data/lib/brakeman/checks/check_detailed_exceptions.rb +5 -4
- data/lib/brakeman/checks/check_filter_skipping.rb +1 -1
- data/lib/brakeman/checks/check_forgery_setting.rb +9 -9
- data/lib/brakeman/checks/check_model_attr_accessible.rb +1 -1
- data/lib/brakeman/checks/check_model_attributes.rb +3 -3
- data/lib/brakeman/checks/check_model_serialize.rb +1 -1
- data/lib/brakeman/checks/check_redirect.rb +27 -6
- data/lib/brakeman/checks/check_render.rb +2 -2
- data/lib/brakeman/checks/check_skip_before_filter.rb +2 -2
- data/lib/brakeman/checks/check_sql.rb +2 -1
- data/lib/brakeman/file_parser.rb +49 -0
- data/lib/brakeman/options.rb +1 -1
- data/lib/brakeman/parsers/template_parser.rb +88 -0
- data/lib/brakeman/processors/alias_processor.rb +25 -2
- data/lib/brakeman/processors/controller_alias_processor.rb +3 -3
- data/lib/brakeman/processors/controller_processor.rb +106 -54
- data/lib/brakeman/processors/lib/rails3_route_processor.rb +27 -12
- data/lib/brakeman/processors/lib/route_helper.rb +1 -1
- data/lib/brakeman/processors/library_processor.rb +37 -28
- data/lib/brakeman/processors/model_processor.rb +117 -34
- data/lib/brakeman/report/report_base.rb +1 -1
- data/lib/brakeman/rescanner.rb +84 -35
- data/lib/brakeman/scanner.rb +84 -148
- data/lib/brakeman/tracker.rb +32 -12
- data/lib/brakeman/util.rb +13 -4
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning_codes.rb +2 -1
- metadata +6 -4
- metadata.gz.sig +0 -0
data/lib/brakeman/tracker.rb
CHANGED
@@ -37,7 +37,8 @@ class Brakeman::Tracker
|
|
37
37
|
:public => {},
|
38
38
|
:private => {},
|
39
39
|
:protected => {},
|
40
|
-
:options => {}
|
40
|
+
:options => {},
|
41
|
+
:files => [] } }
|
41
42
|
@routes = {}
|
42
43
|
@initializers = {}
|
43
44
|
@errors = []
|
@@ -82,11 +83,12 @@ class Brakeman::Tracker
|
|
82
83
|
set.each do |set_name, info|
|
83
84
|
[:private, :public, :protected].each do |visibility|
|
84
85
|
info[visibility].each do |method_name, definition|
|
85
|
-
|
86
|
-
|
86
|
+
src = definition[:src]
|
87
|
+
if src.node_type == :selfdef
|
88
|
+
method_name = "#{src[1]}.#{method_name}"
|
87
89
|
end
|
88
90
|
|
89
|
-
yield
|
91
|
+
yield src, set_name, method_name, definition[:file]
|
90
92
|
|
91
93
|
end
|
92
94
|
end
|
@@ -218,11 +220,12 @@ class Brakeman::Tracker
|
|
218
220
|
set.each do |set_name, info|
|
219
221
|
[:private, :public, :protected].each do |visibility|
|
220
222
|
info[visibility].each do |method_name, definition|
|
221
|
-
|
222
|
-
|
223
|
+
src = definition[:src]
|
224
|
+
if src.node_type == :selfdef
|
225
|
+
method_name = "#{src[1]}.#{method_name}"
|
223
226
|
end
|
224
227
|
|
225
|
-
finder.process_source
|
228
|
+
finder.process_source src, :class => set_name, :method => method_name, :file => definition[:file]
|
226
229
|
|
227
230
|
end
|
228
231
|
end
|
@@ -268,7 +271,7 @@ class Brakeman::Tracker
|
|
268
271
|
model_name = nil
|
269
272
|
|
270
273
|
@models.each do |name, model|
|
271
|
-
if model[:
|
274
|
+
if model[:files].include?(path)
|
272
275
|
model_name = name
|
273
276
|
break
|
274
277
|
end
|
@@ -277,10 +280,27 @@ class Brakeman::Tracker
|
|
277
280
|
@models.delete model_name
|
278
281
|
end
|
279
282
|
|
283
|
+
#Clear information related to model
|
284
|
+
def reset_lib path
|
285
|
+
lib_name = nil
|
286
|
+
|
287
|
+
@libs.each do |name, lib|
|
288
|
+
if lib[:files].include?(path)
|
289
|
+
lib_name = name
|
290
|
+
break
|
291
|
+
end
|
292
|
+
end
|
293
|
+
|
294
|
+
@libs.delete lib_name
|
295
|
+
end
|
296
|
+
|
280
297
|
def reset_controller path
|
298
|
+
controller_name = nil
|
299
|
+
|
281
300
|
#Remove from controller
|
282
|
-
@controllers.
|
283
|
-
if controller[:
|
301
|
+
@controllers.each do |name, controller|
|
302
|
+
if controller[:files].include?(path)
|
303
|
+
controller_name = name
|
284
304
|
template_matcher = /^#{name}#/
|
285
305
|
|
286
306
|
#Remove templates rendered from this controller
|
@@ -293,10 +313,10 @@ class Brakeman::Tracker
|
|
293
313
|
|
294
314
|
#Remove calls indexed from this controller
|
295
315
|
@call_index.remove_indexes_by_class [name]
|
296
|
-
|
297
|
-
true
|
316
|
+
break
|
298
317
|
end
|
299
318
|
end
|
319
|
+
@controllers.delete controller_name
|
300
320
|
end
|
301
321
|
|
302
322
|
#Clear information about routes
|
data/lib/brakeman/util.rb
CHANGED
@@ -318,14 +318,14 @@ module Brakeman::Util
|
|
318
318
|
|
319
319
|
case type
|
320
320
|
when :controller
|
321
|
-
if tracker.controllers[name] and tracker.controllers[name][:
|
322
|
-
path = tracker.controllers[name][:
|
321
|
+
if tracker.controllers[name] and tracker.controllers[name][:files]
|
322
|
+
path = tracker.controllers[name][:files].first
|
323
323
|
else
|
324
324
|
path += "/app/controllers/#{underscore(string_name)}.rb"
|
325
325
|
end
|
326
326
|
when :model
|
327
|
-
if tracker.models[name] and tracker.models[name][:
|
328
|
-
path = tracker.models[name][:
|
327
|
+
if tracker.models[name] and tracker.models[name][:files]
|
328
|
+
path = tracker.models[name][:files].first
|
329
329
|
else
|
330
330
|
path += "/app/models/#{underscore(string_name)}.rb"
|
331
331
|
end
|
@@ -383,6 +383,15 @@ module Brakeman::Util
|
|
383
383
|
end
|
384
384
|
end
|
385
385
|
|
386
|
+
#Convert path/filename to view name
|
387
|
+
#
|
388
|
+
# views/test/something.html.erb -> test/something
|
389
|
+
def template_path_to_name path
|
390
|
+
names = path.split("/")
|
391
|
+
names.last.gsub!(/(\.(html|js)\..*|\.rhtml)$/, '')
|
392
|
+
names[(names.index("views") + 1)..-1].join("/").to_sym
|
393
|
+
end
|
394
|
+
|
386
395
|
def github_url file, line=nil
|
387
396
|
if repo_url = @tracker.options[:github_url] and file and not file.empty? and file.start_with? '/'
|
388
397
|
url = "#{repo_url}/#{relative_path(file)}"
|
data/lib/brakeman/version.rb
CHANGED
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: brakeman
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 2.
|
4
|
+
version: 2.6.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Justin Collins
|
@@ -35,7 +35,7 @@ cert_chain:
|
|
35
35
|
Q0c3bUZaNnhnaDAxZXFuWlVzTmQ4dk0rNlY2djIzVnUKamsydE1qRlQ0TDFk
|
36
36
|
QTNNRXN6MytNUDE0NFBEaFBDaDd0UGU2eXk4MUJPdnlZVFZrS3pyQWtnS3dI
|
37
37
|
RDFDdXZzSApiZHc9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
|
38
|
-
date: 2014-
|
38
|
+
date: 2014-06-06 00:00:00.000000000 Z
|
39
39
|
dependencies:
|
40
40
|
- !ruby/object:Gem::Dependency
|
41
41
|
name: ruby_parser
|
@@ -43,14 +43,14 @@ dependencies:
|
|
43
43
|
requirements:
|
44
44
|
- - ~>
|
45
45
|
- !ruby/object:Gem::Version
|
46
|
-
version: 3.
|
46
|
+
version: 3.5.0
|
47
47
|
type: :runtime
|
48
48
|
prerelease: false
|
49
49
|
version_requirements: !ruby/object:Gem::Requirement
|
50
50
|
requirements:
|
51
51
|
- - ~>
|
52
52
|
- !ruby/object:Gem::Version
|
53
|
-
version: 3.
|
53
|
+
version: 3.5.0
|
54
54
|
- !ruby/object:Gem::Dependency
|
55
55
|
name: ruby2ruby
|
56
56
|
requirement: !ruby/object:Gem::Requirement
|
@@ -261,11 +261,13 @@ files:
|
|
261
261
|
- lib/brakeman/checks/check_without_protection.rb
|
262
262
|
- lib/brakeman/checks/check_yaml_parsing.rb
|
263
263
|
- lib/brakeman/differ.rb
|
264
|
+
- lib/brakeman/file_parser.rb
|
264
265
|
- lib/brakeman/format/style.css
|
265
266
|
- lib/brakeman/options.rb
|
266
267
|
- lib/brakeman/parsers/rails2_erubis.rb
|
267
268
|
- lib/brakeman/parsers/rails2_xss_plugin_erubis.rb
|
268
269
|
- lib/brakeman/parsers/rails3_erubis.rb
|
270
|
+
- lib/brakeman/parsers/template_parser.rb
|
269
271
|
- lib/brakeman/processor.rb
|
270
272
|
- lib/brakeman/processors/alias_processor.rb
|
271
273
|
- lib/brakeman/processors/base_processor.rb
|
metadata.gz.sig
CHANGED
Binary file
|