brakeman 2.6.3 → 3.0.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +5 -13
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/CHANGES +19 -0
- data/bin/brakeman +1 -1
- data/lib/brakeman.rb +4 -2
- data/lib/brakeman/app_tree.rb +1 -1
- data/lib/brakeman/checks/base_check.rb +9 -7
- data/lib/brakeman/checks/check_create_with.rb +1 -1
- data/lib/brakeman/checks/check_cross_site_scripting.rb +46 -42
- data/lib/brakeman/checks/check_digest_dos.rb +1 -1
- data/lib/brakeman/checks/check_escape_function.rb +3 -3
- data/lib/brakeman/checks/check_file_disclosure.rb +35 -0
- data/lib/brakeman/checks/check_filter_skipping.rb +1 -1
- data/lib/brakeman/checks/check_forgery_setting.rb +2 -2
- data/lib/brakeman/checks/check_header_dos.rb +1 -1
- data/lib/brakeman/checks/check_i18n_xss.rb +2 -3
- data/lib/brakeman/checks/check_jruby_xml.rb +1 -1
- data/lib/brakeman/checks/check_json_parsing.rb +9 -4
- data/lib/brakeman/checks/check_mail_to.rb +1 -1
- data/lib/brakeman/checks/check_nested_attributes.rb +1 -1
- data/lib/brakeman/checks/check_number_to_currency.rb +1 -1
- data/lib/brakeman/checks/check_quote_table_name.rb +1 -1
- data/lib/brakeman/checks/check_render.rb +3 -3
- data/lib/brakeman/checks/check_render_dos.rb +1 -1
- data/lib/brakeman/checks/check_render_inline.rb +42 -0
- data/lib/brakeman/checks/check_response_splitting.rb +1 -1
- data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +1 -1
- data/lib/brakeman/checks/check_simple_format.rb +2 -2
- data/lib/brakeman/checks/check_single_quotes.rb +1 -1
- data/lib/brakeman/checks/check_skip_before_filter.rb +1 -1
- data/lib/brakeman/checks/check_sql_cves.rb +2 -2
- data/lib/brakeman/checks/check_strip_tags.rb +2 -2
- data/lib/brakeman/checks/check_symbol_dos.rb +2 -23
- data/lib/brakeman/checks/check_symbol_dos_cve.rb +30 -0
- data/lib/brakeman/checks/check_translate_bug.rb +1 -1
- data/lib/brakeman/checks/check_yaml_parsing.rb +2 -2
- data/lib/brakeman/options.rb +6 -2
- data/lib/brakeman/parsers/rails3_erubis.rb +2 -2
- data/lib/brakeman/processors/alias_processor.rb +54 -1
- data/lib/brakeman/processors/base_processor.rb +0 -8
- data/lib/brakeman/processors/controller_alias_processor.rb +40 -2
- data/lib/brakeman/processors/controller_processor.rb +5 -3
- data/lib/brakeman/processors/gem_processor.rb +13 -9
- data/lib/brakeman/processors/lib/basic_processor.rb +17 -0
- data/lib/brakeman/processors/lib/find_all_calls.rb +2 -2
- data/lib/brakeman/processors/lib/find_call.rb +2 -2
- data/lib/brakeman/processors/lib/processor_helper.rb +9 -0
- data/lib/brakeman/processors/lib/rails2_config_processor.rb +3 -1
- data/lib/brakeman/processors/lib/rails2_route_processor.rb +3 -3
- data/lib/brakeman/processors/lib/rails3_config_processor.rb +4 -1
- data/lib/brakeman/processors/lib/rails3_route_processor.rb +4 -2
- data/lib/brakeman/processors/output_processor.rb +1 -7
- data/lib/brakeman/report/report_json.rb +1 -1
- data/lib/brakeman/tracker.rb +7 -1
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning.rb +15 -1
- data/lib/brakeman/warning_codes.rb +3 -0
- data/lib/ruby_parser/bm_sexp.rb +17 -5
- metadata +55 -56
- metadata.gz.sig +0 -0
|
@@ -67,7 +67,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
|
|
|
67
67
|
:public => {},
|
|
68
68
|
:private => {},
|
|
69
69
|
:protected => {},
|
|
70
|
-
:options => {:before_filters => []},
|
|
70
|
+
:options => {:before_filters => [], :skip_filters => []},
|
|
71
71
|
:src => { @file_name => exp },
|
|
72
72
|
:files => [ @file_name ]
|
|
73
73
|
}
|
|
@@ -158,9 +158,11 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
|
|
|
158
158
|
when :include
|
|
159
159
|
@current_class[:includes] << class_name(first_arg) if @current_class
|
|
160
160
|
when :before_filter, :append_before_filter, :before_action, :append_before_action
|
|
161
|
-
@current_class[:options][:before_filters] << exp
|
|
161
|
+
@current_class[:options][:before_filters] << exp
|
|
162
162
|
when :prepend_before_filter, :prepend_before_action
|
|
163
|
-
@current_class[:options][:before_filters].unshift exp
|
|
163
|
+
@current_class[:options][:before_filters].unshift exp
|
|
164
|
+
when :skip_before_filter, :skip_filter, :skip_before_action, :skip_action_callback
|
|
165
|
+
@current_class[:options][:skip_filters] << exp
|
|
164
166
|
when :layout
|
|
165
167
|
if string? last_arg
|
|
166
168
|
#layout "some_layout"
|
|
@@ -1,7 +1,7 @@
|
|
|
1
|
-
require 'brakeman/processors/
|
|
1
|
+
require 'brakeman/processors/lib/basic_processor'
|
|
2
2
|
|
|
3
3
|
#Processes Gemfile and Gemfile.lock
|
|
4
|
-
class Brakeman::GemProcessor < Brakeman::
|
|
4
|
+
class Brakeman::GemProcessor < Brakeman::BasicProcessor
|
|
5
5
|
|
|
6
6
|
def initialize *args
|
|
7
7
|
super
|
|
@@ -14,9 +14,11 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
|
|
|
14
14
|
|
|
15
15
|
if gem_lock
|
|
16
16
|
process_gem_lock gem_lock
|
|
17
|
-
@tracker.config[:rails_version] = @tracker.config[:gems][:rails]
|
|
18
|
-
elsif @tracker.config[:gems][:rails] =~ /(\d+.\d+.\d+)/
|
|
17
|
+
@tracker.config[:rails_version] = @tracker.config[:gems][:rails][:version] if @tracker.config[:gems][:rails]
|
|
18
|
+
elsif @tracker.config[:gems] && @tracker.config[:gems][:rails] && @tracker.config[:gems][:rails][:version] =~ /(\d+.\d+.\d+)/
|
|
19
19
|
@tracker.config[:rails_version] = $1
|
|
20
|
+
else
|
|
21
|
+
@tracker.config[:rails_version] = nil
|
|
20
22
|
end
|
|
21
23
|
|
|
22
24
|
if @tracker.options[:rails3].nil? and @tracker.options[:rails4].nil? and @tracker.config[:rails_version]
|
|
@@ -45,9 +47,9 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
|
|
|
45
47
|
gem_version = exp.second_arg
|
|
46
48
|
|
|
47
49
|
if string? gem_version
|
|
48
|
-
@tracker.config[:gems][gem_name.value.to_sym] = gem_version.value
|
|
50
|
+
@tracker.config[:gems][gem_name.value.to_sym] = { :version => gem_version.value.to_s, :file => 'Gemfile', :line => exp.line }
|
|
49
51
|
else
|
|
50
|
-
@tracker.config[:gems][gem_name.value.to_sym] =
|
|
52
|
+
@tracker.config[:gems][gem_name.value.to_sym] = { :version => nil, :file => 'Gemfile' , :line => exp.line }
|
|
51
53
|
end
|
|
52
54
|
end
|
|
53
55
|
|
|
@@ -55,15 +57,17 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
|
|
|
55
57
|
end
|
|
56
58
|
|
|
57
59
|
def process_gem_lock gem_lock
|
|
60
|
+
line_num = 1
|
|
58
61
|
gem_lock.each_line do |line|
|
|
59
|
-
|
|
62
|
+
set_gem_version_and_file line, 'Gemfile.lock', line_num
|
|
63
|
+
line_num += 1
|
|
60
64
|
end
|
|
61
65
|
end
|
|
62
66
|
|
|
63
67
|
# Supports .rc2 but not ~>, >=, or <=
|
|
64
|
-
def
|
|
68
|
+
def set_gem_version_and_file line, file, line_num
|
|
65
69
|
if line =~ @gem_name_version
|
|
66
|
-
@tracker.config[:gems][$1.to_sym] = $2
|
|
70
|
+
@tracker.config[:gems][$1.to_sym] = { :version => $2, :file => file, :line => line_num }
|
|
67
71
|
end
|
|
68
72
|
end
|
|
69
73
|
end
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
require 'brakeman/processors/lib/processor_helper'
|
|
2
|
+
require 'brakeman/util'
|
|
3
|
+
|
|
4
|
+
class Brakeman::BasicProcessor < Brakeman::SexpProcessor
|
|
5
|
+
include Brakeman::ProcessorHelper
|
|
6
|
+
include Brakeman::Util
|
|
7
|
+
|
|
8
|
+
def initialize tracker
|
|
9
|
+
super()
|
|
10
|
+
@tracker = tracker
|
|
11
|
+
@current_template = @current_module = @current_class = @current_method = nil
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
def process_default exp
|
|
15
|
+
process_all exp
|
|
16
|
+
end
|
|
17
|
+
end
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
require 'brakeman/processors/
|
|
1
|
+
require 'brakeman/processors/lib/basic_processor'
|
|
2
2
|
|
|
3
3
|
#Finds method calls matching the given target(s).
|
|
4
4
|
# #-- This should be deprecated --#
|
|
@@ -31,7 +31,7 @@ require 'brakeman/processors/base_processor'
|
|
|
31
31
|
#
|
|
32
32
|
# #Find all calls to sub, sub!, gsub, or gsub!
|
|
33
33
|
# FindCall.new nil, /^g?sub!?$/
|
|
34
|
-
class Brakeman::FindCall < Brakeman::
|
|
34
|
+
class Brakeman::FindCall < Brakeman::BasicProcessor
|
|
35
35
|
|
|
36
36
|
def initialize targets, methods, tracker, in_depth = false
|
|
37
37
|
super tracker
|
|
@@ -29,6 +29,15 @@ module Brakeman::ProcessorHelper
|
|
|
29
29
|
|
|
30
30
|
exp
|
|
31
31
|
end
|
|
32
|
+
|
|
33
|
+
def process_class exp
|
|
34
|
+
current_class = @current_class
|
|
35
|
+
@current_class = class_name exp[1]
|
|
36
|
+
process_all exp.body
|
|
37
|
+
@current_class = current_class
|
|
38
|
+
exp
|
|
39
|
+
end
|
|
40
|
+
|
|
32
41
|
#Sets the current module.
|
|
33
42
|
def process_module exp
|
|
34
43
|
module_name = class_name(exp.class_name).to_s
|
|
@@ -1,3 +1,5 @@
|
|
|
1
|
+
require 'brakeman/processors/lib/basic_processor'
|
|
2
|
+
|
|
1
3
|
#Processes configuration. Results are put in tracker.config.
|
|
2
4
|
#
|
|
3
5
|
#Configuration of Rails via Rails::Initializer are stored in tracker.config[:rails].
|
|
@@ -12,7 +14,7 @@
|
|
|
12
14
|
# tracker.config[:rails][:action_controller][:session_store]
|
|
13
15
|
#
|
|
14
16
|
#Values for tracker.config[:rails] will still be Sexps.
|
|
15
|
-
class Brakeman::Rails2ConfigProcessor < Brakeman::
|
|
17
|
+
class Brakeman::Rails2ConfigProcessor < Brakeman::BasicProcessor
|
|
16
18
|
#Replace block variable in
|
|
17
19
|
#
|
|
18
20
|
# Rails::Initializer.run |config|
|
|
@@ -1,10 +1,10 @@
|
|
|
1
|
-
require 'brakeman/processors/
|
|
1
|
+
require 'brakeman/processors/lib/basic_processor'
|
|
2
2
|
|
|
3
3
|
#Processes the Sexp from routes.rb. Stores results in tracker.routes.
|
|
4
4
|
#
|
|
5
5
|
#Note that it is only interested in determining what methods on which
|
|
6
6
|
#controllers are used as routes, not the generated URLs for routes.
|
|
7
|
-
class Brakeman::Rails2RoutesProcessor < Brakeman::
|
|
7
|
+
class Brakeman::Rails2RoutesProcessor < Brakeman::BasicProcessor
|
|
8
8
|
include Brakeman::RouteHelper
|
|
9
9
|
|
|
10
10
|
attr_reader :map, :nested, :current_controller
|
|
@@ -76,7 +76,7 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BaseProcessor
|
|
|
76
76
|
end
|
|
77
77
|
exp
|
|
78
78
|
else
|
|
79
|
-
|
|
79
|
+
process_default exp
|
|
80
80
|
end
|
|
81
81
|
end
|
|
82
82
|
|
|
@@ -1,3 +1,6 @@
|
|
|
1
|
+
|
|
2
|
+
require 'brakeman/processors/lib/basic_processor'
|
|
3
|
+
|
|
1
4
|
#Processes configuration. Results are put in tracker.config.
|
|
2
5
|
#
|
|
3
6
|
#Configuration of Rails via Rails::Initializer are stored in tracker.config[:rails].
|
|
@@ -12,7 +15,7 @@
|
|
|
12
15
|
# tracker.config[:rails][:active_record][:whitelist_attributes]
|
|
13
16
|
#
|
|
14
17
|
#Values for tracker.config[:rails] will still be Sexps.
|
|
15
|
-
class Brakeman::Rails3ConfigProcessor < Brakeman::
|
|
18
|
+
class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
|
|
16
19
|
RAILS_CONFIG = Sexp.new(:call, nil, :config)
|
|
17
20
|
|
|
18
21
|
def initialize *args
|
|
@@ -1,8 +1,10 @@
|
|
|
1
|
+
require 'brakeman/processors/lib/basic_processor'
|
|
2
|
+
|
|
1
3
|
#Processes the Sexp from routes.rb. Stores results in tracker.routes.
|
|
2
4
|
#
|
|
3
5
|
#Note that it is only interested in determining what methods on which
|
|
4
6
|
#controllers are used as routes, not the generated URLs for routes.
|
|
5
|
-
class Brakeman::Rails3RoutesProcessor < Brakeman::
|
|
7
|
+
class Brakeman::Rails3RoutesProcessor < Brakeman::BasicProcessor
|
|
6
8
|
include Brakeman::RouteHelper
|
|
7
9
|
|
|
8
10
|
attr_reader :map, :nested, :current_controller
|
|
@@ -53,7 +55,7 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
|
|
|
53
55
|
when :controller
|
|
54
56
|
process_controller_block exp
|
|
55
57
|
else
|
|
56
|
-
|
|
58
|
+
process_default exp
|
|
57
59
|
end
|
|
58
60
|
end
|
|
59
61
|
|
|
@@ -23,12 +23,6 @@ class Brakeman::OutputProcessor < Ruby2Ruby
|
|
|
23
23
|
end
|
|
24
24
|
end
|
|
25
25
|
|
|
26
|
-
def process_lvar exp
|
|
27
|
-
out = "(local #{exp[0]})"
|
|
28
|
-
exp.clear
|
|
29
|
-
out
|
|
30
|
-
end
|
|
31
|
-
|
|
32
26
|
def process_ignore exp
|
|
33
27
|
exp.clear
|
|
34
28
|
"[ignored]"
|
|
@@ -78,7 +72,7 @@ class Brakeman::OutputProcessor < Ruby2Ruby
|
|
|
78
72
|
elsif string? e
|
|
79
73
|
e[1]
|
|
80
74
|
else
|
|
81
|
-
process e
|
|
75
|
+
"\#{#{process e}}"
|
|
82
76
|
end
|
|
83
77
|
end.join
|
|
84
78
|
exp.clear
|
data/lib/brakeman/tracker.rb
CHANGED
|
@@ -83,7 +83,13 @@ class Brakeman::Tracker
|
|
|
83
83
|
|
|
84
84
|
#Iterate over all methods in controllers and models.
|
|
85
85
|
def each_method
|
|
86
|
-
[self.controllers, self.models]
|
|
86
|
+
classes = [self.controllers, self.models]
|
|
87
|
+
|
|
88
|
+
if @options[:index_libs]
|
|
89
|
+
classes << self.libs
|
|
90
|
+
end
|
|
91
|
+
|
|
92
|
+
classes.each do |set|
|
|
87
93
|
set.each do |set_name, info|
|
|
88
94
|
[:private, :public, :protected].each do |visibility|
|
|
89
95
|
info[visibility].each do |method_name, definition|
|
data/lib/brakeman/version.rb
CHANGED
data/lib/brakeman/warning.rb
CHANGED
|
@@ -16,7 +16,7 @@ class Brakeman::Warning
|
|
|
16
16
|
def initialize options = {}
|
|
17
17
|
@view_name = nil
|
|
18
18
|
|
|
19
|
-
[:called_from, :check, :class, :code, :confidence, :controller, :file, :line, :link_path,
|
|
19
|
+
[:called_from, :check, :class, :code, :confidence, :controller, :file, :gem_info, :line, :link_path,
|
|
20
20
|
:message, :method, :model, :relative_path, :template, :user_input, :warning_set, :warning_type].each do |option|
|
|
21
21
|
|
|
22
22
|
self.instance_variable_set("@#{option}", options[option])
|
|
@@ -35,6 +35,10 @@ class Brakeman::Warning
|
|
|
35
35
|
end
|
|
36
36
|
end
|
|
37
37
|
|
|
38
|
+
if @method.to_s =~ /^fake_filter\d+/
|
|
39
|
+
@method = :before_filter
|
|
40
|
+
end
|
|
41
|
+
|
|
38
42
|
if not @line
|
|
39
43
|
if @user_input and @user_input.respond_to? :line
|
|
40
44
|
@line = @user_input.line
|
|
@@ -43,6 +47,16 @@ class Brakeman::Warning
|
|
|
43
47
|
end
|
|
44
48
|
end
|
|
45
49
|
|
|
50
|
+
if @gem_info
|
|
51
|
+
if @gem_info.is_a? Hash
|
|
52
|
+
@line ||= @gem_info[:line]
|
|
53
|
+
@file ||= @gem_info[:file]
|
|
54
|
+
else
|
|
55
|
+
# Fallback behavior returns just a string for the file name
|
|
56
|
+
@file ||= @gem_info
|
|
57
|
+
end
|
|
58
|
+
end
|
|
59
|
+
|
|
46
60
|
unless @warning_set
|
|
47
61
|
if self.model
|
|
48
62
|
@warning_set = :model
|
data/lib/ruby_parser/bm_sexp.rb
CHANGED
|
@@ -4,7 +4,7 @@
|
|
|
4
4
|
class Sexp
|
|
5
5
|
attr_reader :paren
|
|
6
6
|
attr_accessor :original_line, :or_depth
|
|
7
|
-
ASSIGNMENT_BOOL = [:gasgn, :iasgn, :lasgn, :cvdecl, :cdecl, :or, :and, :colon2]
|
|
7
|
+
ASSIGNMENT_BOOL = [:gasgn, :iasgn, :lasgn, :cvdecl, :cvasgn, :cdecl, :or, :and, :colon2]
|
|
8
8
|
|
|
9
9
|
def method_missing name, *args
|
|
10
10
|
#Brakeman does not use this functionality,
|
|
@@ -419,6 +419,7 @@ class Sexp
|
|
|
419
419
|
#Sets the left hand side of assignment or boolean.
|
|
420
420
|
def lhs= exp
|
|
421
421
|
expect *ASSIGNMENT_BOOL
|
|
422
|
+
@my_hash_value = nil
|
|
422
423
|
self[1] = exp
|
|
423
424
|
end
|
|
424
425
|
|
|
@@ -427,14 +428,25 @@ class Sexp
|
|
|
427
428
|
# s(:lasgn, :x, s(:lit, 1))
|
|
428
429
|
# ^--rhs---^
|
|
429
430
|
def rhs
|
|
430
|
-
expect *ASSIGNMENT_BOOL
|
|
431
|
-
|
|
431
|
+
expect :attrasgn, *ASSIGNMENT_BOOL
|
|
432
|
+
|
|
433
|
+
if self.node_type == :attrasgn
|
|
434
|
+
self[3]
|
|
435
|
+
else
|
|
436
|
+
self[2]
|
|
437
|
+
end
|
|
432
438
|
end
|
|
433
439
|
|
|
434
440
|
#Sets the right hand side of assignment or boolean.
|
|
435
441
|
def rhs= exp
|
|
436
|
-
expect *ASSIGNMENT_BOOL
|
|
437
|
-
|
|
442
|
+
expect :attrasgn, *ASSIGNMENT_BOOL
|
|
443
|
+
@my_hash_value = nil
|
|
444
|
+
|
|
445
|
+
if self.node_type == :attrasgn
|
|
446
|
+
self[3] = exp
|
|
447
|
+
else
|
|
448
|
+
self[2] = exp
|
|
449
|
+
end
|
|
438
450
|
end
|
|
439
451
|
|
|
440
452
|
#Returns name of method being defined in a method definition.
|
metadata
CHANGED
|
@@ -1,192 +1,187 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: brakeman
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version:
|
|
4
|
+
version: 3.0.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Justin Collins
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain:
|
|
11
|
-
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
aFRzSTZDT29BcHZkCkNlN0JyMzl5amVvYXJ2ZWtxMHdDWEJZYWtVQncvRGRa
|
|
35
|
-
Q0c3bUZaNnhnaDAxZXFuWlVzTmQ4dk0rNlY2djIzVnUKamsydE1qRlQ0TDFk
|
|
36
|
-
QTNNRXN6MytNUDE0NFBEaFBDaDd0UGU2eXk4MUJPdnlZVFZrS3pyQWtnS3dI
|
|
37
|
-
RDFDdXZzSApiZHc9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
|
|
38
|
-
date: 2014-10-14 00:00:00.000000000 Z
|
|
11
|
+
- |
|
|
12
|
+
-----BEGIN CERTIFICATE-----
|
|
13
|
+
MIIDijCCAnKgAwIBAgIBATANBgkqhkiG9w0BAQUFADBFMQ8wDQYDVQQDDAZqdXN0
|
|
14
|
+
aW4xHTAbBgoJkiaJk/IsZAEZFg1wcmVzaWRlbnRiZWVmMRMwEQYKCZImiZPyLGQB
|
|
15
|
+
GRYDY29tMB4XDTE1MDEwMzAxMjI0NFoXDTE2MDEwMzAxMjI0NFowRTEPMA0GA1UE
|
|
16
|
+
AwwGanVzdGluMR0wGwYKCZImiZPyLGQBGRYNcHJlc2lkZW50YmVlZjETMBEGCgmS
|
|
17
|
+
JomT8ixkARkWA2NvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMjt
|
|
18
|
+
xjn8ArkEqQNrRjEeyZAOyr0O8+WZ54AcObsKg2osrcAW6iFd7tjnTFclQHmZgje+
|
|
19
|
+
cwxeF/YG4PbA72ElmCvjn8vQJkdgHspKds1otSozvTF2VDnyAEg0nDTMgkQGQy4R
|
|
20
|
+
HX3NHXMJ8UCAJv2IV/FsItzcPzPmhhf6vu/QaNrmAm3/nF52EsMSEJNC9eTPWudC
|
|
21
|
+
kPgt19T9LRKMk5YbXDM6jWGRubusE03bTwY3RThqYM5ra1DwI/HpWKsKdmNrBbse
|
|
22
|
+
f065WyR7RNAxindc2wMyq1EaInmO7Vds+rsOFZ4ZnO90z046ywmTLTadqlfuc9Qo
|
|
23
|
+
CEw/AhYB6f6DLH8ICkMCAwEAAaOBhDCBgTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIE
|
|
24
|
+
sDAdBgNVHQ4EFgQUmIuIvxLr7ziB52LOpVgd694EfaEwIwYDVR0RBBwwGoEYanVz
|
|
25
|
+
dGluQHByZXNpZGVudGJlZWYuY29tMCMGA1UdEgQcMBqBGGp1c3RpbkBwcmVzaWRl
|
|
26
|
+
bnRiZWVmLmNvbTANBgkqhkiG9w0BAQUFAAOCAQEAbgSKdn/VSDdl5H2ayE+OM662
|
|
27
|
+
gTJWP1CWfbcRVJW/UDjDucEF42t6V/dZTDmwyYTR8Qv+5FsQoPHsDsD3Jr1E62dl
|
|
28
|
+
VYDeUkbmiV5f8fANbvnGUknzrHwp2T0/URxiIY8oFcaCGT+iua9zlNU20+XhB9JN
|
|
29
|
+
fsOSUNBuuE/MYGA37MR1sP7lFHr5e7I1Qk1x3HvjNB/kSv1+Cj26Lde1ehvMqpmi
|
|
30
|
+
bxoxp9KNxkO+709YwLO1rYfmcGghg8WV6MYz3PSHdlgWF4KrjRFc/00hXHqVk0Sf
|
|
31
|
+
mREEv2LPwHH2SgpSSab+iawnX4l6lV8XcIrmp/HSMySsPVFBeOmB0c05LpEN8w==
|
|
32
|
+
-----END CERTIFICATE-----
|
|
33
|
+
date: 2015-01-03 00:00:00.000000000 Z
|
|
39
34
|
dependencies:
|
|
40
35
|
- !ruby/object:Gem::Dependency
|
|
41
36
|
name: ruby_parser
|
|
42
37
|
requirement: !ruby/object:Gem::Requirement
|
|
43
38
|
requirements:
|
|
44
|
-
- - ~>
|
|
39
|
+
- - "~>"
|
|
45
40
|
- !ruby/object:Gem::Version
|
|
46
41
|
version: 3.5.0
|
|
47
42
|
type: :runtime
|
|
48
43
|
prerelease: false
|
|
49
44
|
version_requirements: !ruby/object:Gem::Requirement
|
|
50
45
|
requirements:
|
|
51
|
-
- - ~>
|
|
46
|
+
- - "~>"
|
|
52
47
|
- !ruby/object:Gem::Version
|
|
53
48
|
version: 3.5.0
|
|
54
49
|
- !ruby/object:Gem::Dependency
|
|
55
50
|
name: ruby2ruby
|
|
56
51
|
requirement: !ruby/object:Gem::Requirement
|
|
57
52
|
requirements:
|
|
58
|
-
- - ~>
|
|
53
|
+
- - "~>"
|
|
59
54
|
- !ruby/object:Gem::Version
|
|
60
55
|
version: 2.1.1
|
|
61
56
|
type: :runtime
|
|
62
57
|
prerelease: false
|
|
63
58
|
version_requirements: !ruby/object:Gem::Requirement
|
|
64
59
|
requirements:
|
|
65
|
-
- - ~>
|
|
60
|
+
- - "~>"
|
|
66
61
|
- !ruby/object:Gem::Version
|
|
67
62
|
version: 2.1.1
|
|
68
63
|
- !ruby/object:Gem::Dependency
|
|
69
64
|
name: terminal-table
|
|
70
65
|
requirement: !ruby/object:Gem::Requirement
|
|
71
66
|
requirements:
|
|
72
|
-
- - ~>
|
|
67
|
+
- - "~>"
|
|
73
68
|
- !ruby/object:Gem::Version
|
|
74
69
|
version: '1.4'
|
|
75
70
|
type: :runtime
|
|
76
71
|
prerelease: false
|
|
77
72
|
version_requirements: !ruby/object:Gem::Requirement
|
|
78
73
|
requirements:
|
|
79
|
-
- - ~>
|
|
74
|
+
- - "~>"
|
|
80
75
|
- !ruby/object:Gem::Version
|
|
81
76
|
version: '1.4'
|
|
82
77
|
- !ruby/object:Gem::Dependency
|
|
83
78
|
name: fastercsv
|
|
84
79
|
requirement: !ruby/object:Gem::Requirement
|
|
85
80
|
requirements:
|
|
86
|
-
- - ~>
|
|
81
|
+
- - "~>"
|
|
87
82
|
- !ruby/object:Gem::Version
|
|
88
83
|
version: '1.5'
|
|
89
84
|
type: :runtime
|
|
90
85
|
prerelease: false
|
|
91
86
|
version_requirements: !ruby/object:Gem::Requirement
|
|
92
87
|
requirements:
|
|
93
|
-
- - ~>
|
|
88
|
+
- - "~>"
|
|
94
89
|
- !ruby/object:Gem::Version
|
|
95
90
|
version: '1.5'
|
|
96
91
|
- !ruby/object:Gem::Dependency
|
|
97
92
|
name: highline
|
|
98
93
|
requirement: !ruby/object:Gem::Requirement
|
|
99
94
|
requirements:
|
|
100
|
-
- - ~>
|
|
95
|
+
- - "~>"
|
|
101
96
|
- !ruby/object:Gem::Version
|
|
102
97
|
version: 1.6.20
|
|
103
98
|
type: :runtime
|
|
104
99
|
prerelease: false
|
|
105
100
|
version_requirements: !ruby/object:Gem::Requirement
|
|
106
101
|
requirements:
|
|
107
|
-
- - ~>
|
|
102
|
+
- - "~>"
|
|
108
103
|
- !ruby/object:Gem::Version
|
|
109
104
|
version: 1.6.20
|
|
110
105
|
- !ruby/object:Gem::Dependency
|
|
111
106
|
name: erubis
|
|
112
107
|
requirement: !ruby/object:Gem::Requirement
|
|
113
108
|
requirements:
|
|
114
|
-
- - ~>
|
|
109
|
+
- - "~>"
|
|
115
110
|
- !ruby/object:Gem::Version
|
|
116
111
|
version: '2.6'
|
|
117
112
|
type: :runtime
|
|
118
113
|
prerelease: false
|
|
119
114
|
version_requirements: !ruby/object:Gem::Requirement
|
|
120
115
|
requirements:
|
|
121
|
-
- - ~>
|
|
116
|
+
- - "~>"
|
|
122
117
|
- !ruby/object:Gem::Version
|
|
123
118
|
version: '2.6'
|
|
124
119
|
- !ruby/object:Gem::Dependency
|
|
125
120
|
name: haml
|
|
126
121
|
requirement: !ruby/object:Gem::Requirement
|
|
127
122
|
requirements:
|
|
128
|
-
- -
|
|
123
|
+
- - ">="
|
|
129
124
|
- !ruby/object:Gem::Version
|
|
130
125
|
version: '3.0'
|
|
131
|
-
- - <
|
|
126
|
+
- - "<"
|
|
132
127
|
- !ruby/object:Gem::Version
|
|
133
128
|
version: '5.0'
|
|
134
129
|
type: :runtime
|
|
135
130
|
prerelease: false
|
|
136
131
|
version_requirements: !ruby/object:Gem::Requirement
|
|
137
132
|
requirements:
|
|
138
|
-
- -
|
|
133
|
+
- - ">="
|
|
139
134
|
- !ruby/object:Gem::Version
|
|
140
135
|
version: '3.0'
|
|
141
|
-
- - <
|
|
136
|
+
- - "<"
|
|
142
137
|
- !ruby/object:Gem::Version
|
|
143
138
|
version: '5.0'
|
|
144
139
|
- !ruby/object:Gem::Dependency
|
|
145
140
|
name: sass
|
|
146
141
|
requirement: !ruby/object:Gem::Requirement
|
|
147
142
|
requirements:
|
|
148
|
-
- - ~>
|
|
143
|
+
- - "~>"
|
|
149
144
|
- !ruby/object:Gem::Version
|
|
150
145
|
version: '3.0'
|
|
151
146
|
type: :runtime
|
|
152
147
|
prerelease: false
|
|
153
148
|
version_requirements: !ruby/object:Gem::Requirement
|
|
154
149
|
requirements:
|
|
155
|
-
- - ~>
|
|
150
|
+
- - "~>"
|
|
156
151
|
- !ruby/object:Gem::Version
|
|
157
152
|
version: '3.0'
|
|
158
153
|
- !ruby/object:Gem::Dependency
|
|
159
154
|
name: slim
|
|
160
155
|
requirement: !ruby/object:Gem::Requirement
|
|
161
156
|
requirements:
|
|
162
|
-
- -
|
|
157
|
+
- - ">="
|
|
163
158
|
- !ruby/object:Gem::Version
|
|
164
159
|
version: 1.3.6
|
|
165
|
-
- - <
|
|
160
|
+
- - "<"
|
|
166
161
|
- !ruby/object:Gem::Version
|
|
167
162
|
version: '3.0'
|
|
168
163
|
type: :runtime
|
|
169
164
|
prerelease: false
|
|
170
165
|
version_requirements: !ruby/object:Gem::Requirement
|
|
171
166
|
requirements:
|
|
172
|
-
- -
|
|
167
|
+
- - ">="
|
|
173
168
|
- !ruby/object:Gem::Version
|
|
174
169
|
version: 1.3.6
|
|
175
|
-
- - <
|
|
170
|
+
- - "<"
|
|
176
171
|
- !ruby/object:Gem::Version
|
|
177
172
|
version: '3.0'
|
|
178
173
|
- !ruby/object:Gem::Dependency
|
|
179
174
|
name: multi_json
|
|
180
175
|
requirement: !ruby/object:Gem::Requirement
|
|
181
176
|
requirements:
|
|
182
|
-
- - ~>
|
|
177
|
+
- - "~>"
|
|
183
178
|
- !ruby/object:Gem::Version
|
|
184
179
|
version: '1.2'
|
|
185
180
|
type: :runtime
|
|
186
181
|
prerelease: false
|
|
187
182
|
version_requirements: !ruby/object:Gem::Requirement
|
|
188
183
|
requirements:
|
|
189
|
-
- - ~>
|
|
184
|
+
- - "~>"
|
|
190
185
|
- !ruby/object:Gem::Version
|
|
191
186
|
version: '1.2'
|
|
192
187
|
description: Brakeman detects security vulnerabilities in Ruby on Rails applications
|
|
@@ -220,6 +215,7 @@ files:
|
|
|
220
215
|
- lib/brakeman/checks/check_evaluation.rb
|
|
221
216
|
- lib/brakeman/checks/check_execute.rb
|
|
222
217
|
- lib/brakeman/checks/check_file_access.rb
|
|
218
|
+
- lib/brakeman/checks/check_file_disclosure.rb
|
|
223
219
|
- lib/brakeman/checks/check_filter_skipping.rb
|
|
224
220
|
- lib/brakeman/checks/check_forgery_setting.rb
|
|
225
221
|
- lib/brakeman/checks/check_header_dos.rb
|
|
@@ -240,6 +236,7 @@ files:
|
|
|
240
236
|
- lib/brakeman/checks/check_regex_dos.rb
|
|
241
237
|
- lib/brakeman/checks/check_render.rb
|
|
242
238
|
- lib/brakeman/checks/check_render_dos.rb
|
|
239
|
+
- lib/brakeman/checks/check_render_inline.rb
|
|
243
240
|
- lib/brakeman/checks/check_response_splitting.rb
|
|
244
241
|
- lib/brakeman/checks/check_safe_buffer_manipulation.rb
|
|
245
242
|
- lib/brakeman/checks/check_sanitize_methods.rb
|
|
@@ -256,6 +253,7 @@ files:
|
|
|
256
253
|
- lib/brakeman/checks/check_ssl_verify.rb
|
|
257
254
|
- lib/brakeman/checks/check_strip_tags.rb
|
|
258
255
|
- lib/brakeman/checks/check_symbol_dos.rb
|
|
256
|
+
- lib/brakeman/checks/check_symbol_dos_cve.rb
|
|
259
257
|
- lib/brakeman/checks/check_translate_bug.rb
|
|
260
258
|
- lib/brakeman/checks/check_unsafe_reflection.rb
|
|
261
259
|
- lib/brakeman/checks/check_unscoped_find.rb
|
|
@@ -280,6 +278,7 @@ files:
|
|
|
280
278
|
- lib/brakeman/processors/erubis_template_processor.rb
|
|
281
279
|
- lib/brakeman/processors/gem_processor.rb
|
|
282
280
|
- lib/brakeman/processors/haml_template_processor.rb
|
|
281
|
+
- lib/brakeman/processors/lib/basic_processor.rb
|
|
283
282
|
- lib/brakeman/processors/lib/find_all_calls.rb
|
|
284
283
|
- lib/brakeman/processors/lib/find_call.rb
|
|
285
284
|
- lib/brakeman/processors/lib/find_return_value.rb
|
|
@@ -341,17 +340,17 @@ require_paths:
|
|
|
341
340
|
- lib
|
|
342
341
|
required_ruby_version: !ruby/object:Gem::Requirement
|
|
343
342
|
requirements:
|
|
344
|
-
- -
|
|
343
|
+
- - ">="
|
|
345
344
|
- !ruby/object:Gem::Version
|
|
346
345
|
version: '0'
|
|
347
346
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
348
347
|
requirements:
|
|
349
|
-
- -
|
|
348
|
+
- - ">="
|
|
350
349
|
- !ruby/object:Gem::Version
|
|
351
350
|
version: '0'
|
|
352
351
|
requirements: []
|
|
353
352
|
rubyforge_project:
|
|
354
|
-
rubygems_version: 2.
|
|
353
|
+
rubygems_version: 2.4.5
|
|
355
354
|
signing_key:
|
|
356
355
|
specification_version: 4
|
|
357
356
|
summary: Security vulnerability scanner for Ruby on Rails.
|