brakeman 2.6.3 → 3.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +5 -13
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/CHANGES +19 -0
- data/bin/brakeman +1 -1
- data/lib/brakeman.rb +4 -2
- data/lib/brakeman/app_tree.rb +1 -1
- data/lib/brakeman/checks/base_check.rb +9 -7
- data/lib/brakeman/checks/check_create_with.rb +1 -1
- data/lib/brakeman/checks/check_cross_site_scripting.rb +46 -42
- data/lib/brakeman/checks/check_digest_dos.rb +1 -1
- data/lib/brakeman/checks/check_escape_function.rb +3 -3
- data/lib/brakeman/checks/check_file_disclosure.rb +35 -0
- data/lib/brakeman/checks/check_filter_skipping.rb +1 -1
- data/lib/brakeman/checks/check_forgery_setting.rb +2 -2
- data/lib/brakeman/checks/check_header_dos.rb +1 -1
- data/lib/brakeman/checks/check_i18n_xss.rb +2 -3
- data/lib/brakeman/checks/check_jruby_xml.rb +1 -1
- data/lib/brakeman/checks/check_json_parsing.rb +9 -4
- data/lib/brakeman/checks/check_mail_to.rb +1 -1
- data/lib/brakeman/checks/check_nested_attributes.rb +1 -1
- data/lib/brakeman/checks/check_number_to_currency.rb +1 -1
- data/lib/brakeman/checks/check_quote_table_name.rb +1 -1
- data/lib/brakeman/checks/check_render.rb +3 -3
- data/lib/brakeman/checks/check_render_dos.rb +1 -1
- data/lib/brakeman/checks/check_render_inline.rb +42 -0
- data/lib/brakeman/checks/check_response_splitting.rb +1 -1
- data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +1 -1
- data/lib/brakeman/checks/check_simple_format.rb +2 -2
- data/lib/brakeman/checks/check_single_quotes.rb +1 -1
- data/lib/brakeman/checks/check_skip_before_filter.rb +1 -1
- data/lib/brakeman/checks/check_sql_cves.rb +2 -2
- data/lib/brakeman/checks/check_strip_tags.rb +2 -2
- data/lib/brakeman/checks/check_symbol_dos.rb +2 -23
- data/lib/brakeman/checks/check_symbol_dos_cve.rb +30 -0
- data/lib/brakeman/checks/check_translate_bug.rb +1 -1
- data/lib/brakeman/checks/check_yaml_parsing.rb +2 -2
- data/lib/brakeman/options.rb +6 -2
- data/lib/brakeman/parsers/rails3_erubis.rb +2 -2
- data/lib/brakeman/processors/alias_processor.rb +54 -1
- data/lib/brakeman/processors/base_processor.rb +0 -8
- data/lib/brakeman/processors/controller_alias_processor.rb +40 -2
- data/lib/brakeman/processors/controller_processor.rb +5 -3
- data/lib/brakeman/processors/gem_processor.rb +13 -9
- data/lib/brakeman/processors/lib/basic_processor.rb +17 -0
- data/lib/brakeman/processors/lib/find_all_calls.rb +2 -2
- data/lib/brakeman/processors/lib/find_call.rb +2 -2
- data/lib/brakeman/processors/lib/processor_helper.rb +9 -0
- data/lib/brakeman/processors/lib/rails2_config_processor.rb +3 -1
- data/lib/brakeman/processors/lib/rails2_route_processor.rb +3 -3
- data/lib/brakeman/processors/lib/rails3_config_processor.rb +4 -1
- data/lib/brakeman/processors/lib/rails3_route_processor.rb +4 -2
- data/lib/brakeman/processors/output_processor.rb +1 -7
- data/lib/brakeman/report/report_json.rb +1 -1
- data/lib/brakeman/tracker.rb +7 -1
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning.rb +15 -1
- data/lib/brakeman/warning_codes.rb +3 -0
- data/lib/ruby_parser/bm_sexp.rb +17 -5
- metadata +55 -56
- metadata.gz.sig +0 -0
|
@@ -67,7 +67,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
|
|
|
67
67
|
:public => {},
|
|
68
68
|
:private => {},
|
|
69
69
|
:protected => {},
|
|
70
|
-
:options => {:before_filters => []},
|
|
70
|
+
:options => {:before_filters => [], :skip_filters => []},
|
|
71
71
|
:src => { @file_name => exp },
|
|
72
72
|
:files => [ @file_name ]
|
|
73
73
|
}
|
|
@@ -158,9 +158,11 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
|
|
|
158
158
|
when :include
|
|
159
159
|
@current_class[:includes] << class_name(first_arg) if @current_class
|
|
160
160
|
when :before_filter, :append_before_filter, :before_action, :append_before_action
|
|
161
|
-
@current_class[:options][:before_filters] << exp
|
|
161
|
+
@current_class[:options][:before_filters] << exp
|
|
162
162
|
when :prepend_before_filter, :prepend_before_action
|
|
163
|
-
@current_class[:options][:before_filters].unshift exp
|
|
163
|
+
@current_class[:options][:before_filters].unshift exp
|
|
164
|
+
when :skip_before_filter, :skip_filter, :skip_before_action, :skip_action_callback
|
|
165
|
+
@current_class[:options][:skip_filters] << exp
|
|
164
166
|
when :layout
|
|
165
167
|
if string? last_arg
|
|
166
168
|
#layout "some_layout"
|
|
@@ -1,7 +1,7 @@
|
|
|
1
|
-
require 'brakeman/processors/
|
|
1
|
+
require 'brakeman/processors/lib/basic_processor'
|
|
2
2
|
|
|
3
3
|
#Processes Gemfile and Gemfile.lock
|
|
4
|
-
class Brakeman::GemProcessor < Brakeman::
|
|
4
|
+
class Brakeman::GemProcessor < Brakeman::BasicProcessor
|
|
5
5
|
|
|
6
6
|
def initialize *args
|
|
7
7
|
super
|
|
@@ -14,9 +14,11 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
|
|
|
14
14
|
|
|
15
15
|
if gem_lock
|
|
16
16
|
process_gem_lock gem_lock
|
|
17
|
-
@tracker.config[:rails_version] = @tracker.config[:gems][:rails]
|
|
18
|
-
elsif @tracker.config[:gems][:rails] =~ /(\d+.\d+.\d+)/
|
|
17
|
+
@tracker.config[:rails_version] = @tracker.config[:gems][:rails][:version] if @tracker.config[:gems][:rails]
|
|
18
|
+
elsif @tracker.config[:gems] && @tracker.config[:gems][:rails] && @tracker.config[:gems][:rails][:version] =~ /(\d+.\d+.\d+)/
|
|
19
19
|
@tracker.config[:rails_version] = $1
|
|
20
|
+
else
|
|
21
|
+
@tracker.config[:rails_version] = nil
|
|
20
22
|
end
|
|
21
23
|
|
|
22
24
|
if @tracker.options[:rails3].nil? and @tracker.options[:rails4].nil? and @tracker.config[:rails_version]
|
|
@@ -45,9 +47,9 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
|
|
|
45
47
|
gem_version = exp.second_arg
|
|
46
48
|
|
|
47
49
|
if string? gem_version
|
|
48
|
-
@tracker.config[:gems][gem_name.value.to_sym] = gem_version.value
|
|
50
|
+
@tracker.config[:gems][gem_name.value.to_sym] = { :version => gem_version.value.to_s, :file => 'Gemfile', :line => exp.line }
|
|
49
51
|
else
|
|
50
|
-
@tracker.config[:gems][gem_name.value.to_sym] =
|
|
52
|
+
@tracker.config[:gems][gem_name.value.to_sym] = { :version => nil, :file => 'Gemfile' , :line => exp.line }
|
|
51
53
|
end
|
|
52
54
|
end
|
|
53
55
|
|
|
@@ -55,15 +57,17 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
|
|
|
55
57
|
end
|
|
56
58
|
|
|
57
59
|
def process_gem_lock gem_lock
|
|
60
|
+
line_num = 1
|
|
58
61
|
gem_lock.each_line do |line|
|
|
59
|
-
|
|
62
|
+
set_gem_version_and_file line, 'Gemfile.lock', line_num
|
|
63
|
+
line_num += 1
|
|
60
64
|
end
|
|
61
65
|
end
|
|
62
66
|
|
|
63
67
|
# Supports .rc2 but not ~>, >=, or <=
|
|
64
|
-
def
|
|
68
|
+
def set_gem_version_and_file line, file, line_num
|
|
65
69
|
if line =~ @gem_name_version
|
|
66
|
-
@tracker.config[:gems][$1.to_sym] = $2
|
|
70
|
+
@tracker.config[:gems][$1.to_sym] = { :version => $2, :file => file, :line => line_num }
|
|
67
71
|
end
|
|
68
72
|
end
|
|
69
73
|
end
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
require 'brakeman/processors/lib/processor_helper'
|
|
2
|
+
require 'brakeman/util'
|
|
3
|
+
|
|
4
|
+
class Brakeman::BasicProcessor < Brakeman::SexpProcessor
|
|
5
|
+
include Brakeman::ProcessorHelper
|
|
6
|
+
include Brakeman::Util
|
|
7
|
+
|
|
8
|
+
def initialize tracker
|
|
9
|
+
super()
|
|
10
|
+
@tracker = tracker
|
|
11
|
+
@current_template = @current_module = @current_class = @current_method = nil
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
def process_default exp
|
|
15
|
+
process_all exp
|
|
16
|
+
end
|
|
17
|
+
end
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
require 'brakeman/processors/
|
|
1
|
+
require 'brakeman/processors/lib/basic_processor'
|
|
2
2
|
|
|
3
3
|
#Finds method calls matching the given target(s).
|
|
4
4
|
# #-- This should be deprecated --#
|
|
@@ -31,7 +31,7 @@ require 'brakeman/processors/base_processor'
|
|
|
31
31
|
#
|
|
32
32
|
# #Find all calls to sub, sub!, gsub, or gsub!
|
|
33
33
|
# FindCall.new nil, /^g?sub!?$/
|
|
34
|
-
class Brakeman::FindCall < Brakeman::
|
|
34
|
+
class Brakeman::FindCall < Brakeman::BasicProcessor
|
|
35
35
|
|
|
36
36
|
def initialize targets, methods, tracker, in_depth = false
|
|
37
37
|
super tracker
|
|
@@ -29,6 +29,15 @@ module Brakeman::ProcessorHelper
|
|
|
29
29
|
|
|
30
30
|
exp
|
|
31
31
|
end
|
|
32
|
+
|
|
33
|
+
def process_class exp
|
|
34
|
+
current_class = @current_class
|
|
35
|
+
@current_class = class_name exp[1]
|
|
36
|
+
process_all exp.body
|
|
37
|
+
@current_class = current_class
|
|
38
|
+
exp
|
|
39
|
+
end
|
|
40
|
+
|
|
32
41
|
#Sets the current module.
|
|
33
42
|
def process_module exp
|
|
34
43
|
module_name = class_name(exp.class_name).to_s
|
|
@@ -1,3 +1,5 @@
|
|
|
1
|
+
require 'brakeman/processors/lib/basic_processor'
|
|
2
|
+
|
|
1
3
|
#Processes configuration. Results are put in tracker.config.
|
|
2
4
|
#
|
|
3
5
|
#Configuration of Rails via Rails::Initializer are stored in tracker.config[:rails].
|
|
@@ -12,7 +14,7 @@
|
|
|
12
14
|
# tracker.config[:rails][:action_controller][:session_store]
|
|
13
15
|
#
|
|
14
16
|
#Values for tracker.config[:rails] will still be Sexps.
|
|
15
|
-
class Brakeman::Rails2ConfigProcessor < Brakeman::
|
|
17
|
+
class Brakeman::Rails2ConfigProcessor < Brakeman::BasicProcessor
|
|
16
18
|
#Replace block variable in
|
|
17
19
|
#
|
|
18
20
|
# Rails::Initializer.run |config|
|
|
@@ -1,10 +1,10 @@
|
|
|
1
|
-
require 'brakeman/processors/
|
|
1
|
+
require 'brakeman/processors/lib/basic_processor'
|
|
2
2
|
|
|
3
3
|
#Processes the Sexp from routes.rb. Stores results in tracker.routes.
|
|
4
4
|
#
|
|
5
5
|
#Note that it is only interested in determining what methods on which
|
|
6
6
|
#controllers are used as routes, not the generated URLs for routes.
|
|
7
|
-
class Brakeman::Rails2RoutesProcessor < Brakeman::
|
|
7
|
+
class Brakeman::Rails2RoutesProcessor < Brakeman::BasicProcessor
|
|
8
8
|
include Brakeman::RouteHelper
|
|
9
9
|
|
|
10
10
|
attr_reader :map, :nested, :current_controller
|
|
@@ -76,7 +76,7 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BaseProcessor
|
|
|
76
76
|
end
|
|
77
77
|
exp
|
|
78
78
|
else
|
|
79
|
-
|
|
79
|
+
process_default exp
|
|
80
80
|
end
|
|
81
81
|
end
|
|
82
82
|
|
|
@@ -1,3 +1,6 @@
|
|
|
1
|
+
|
|
2
|
+
require 'brakeman/processors/lib/basic_processor'
|
|
3
|
+
|
|
1
4
|
#Processes configuration. Results are put in tracker.config.
|
|
2
5
|
#
|
|
3
6
|
#Configuration of Rails via Rails::Initializer are stored in tracker.config[:rails].
|
|
@@ -12,7 +15,7 @@
|
|
|
12
15
|
# tracker.config[:rails][:active_record][:whitelist_attributes]
|
|
13
16
|
#
|
|
14
17
|
#Values for tracker.config[:rails] will still be Sexps.
|
|
15
|
-
class Brakeman::Rails3ConfigProcessor < Brakeman::
|
|
18
|
+
class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
|
|
16
19
|
RAILS_CONFIG = Sexp.new(:call, nil, :config)
|
|
17
20
|
|
|
18
21
|
def initialize *args
|
|
@@ -1,8 +1,10 @@
|
|
|
1
|
+
require 'brakeman/processors/lib/basic_processor'
|
|
2
|
+
|
|
1
3
|
#Processes the Sexp from routes.rb. Stores results in tracker.routes.
|
|
2
4
|
#
|
|
3
5
|
#Note that it is only interested in determining what methods on which
|
|
4
6
|
#controllers are used as routes, not the generated URLs for routes.
|
|
5
|
-
class Brakeman::Rails3RoutesProcessor < Brakeman::
|
|
7
|
+
class Brakeman::Rails3RoutesProcessor < Brakeman::BasicProcessor
|
|
6
8
|
include Brakeman::RouteHelper
|
|
7
9
|
|
|
8
10
|
attr_reader :map, :nested, :current_controller
|
|
@@ -53,7 +55,7 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
|
|
|
53
55
|
when :controller
|
|
54
56
|
process_controller_block exp
|
|
55
57
|
else
|
|
56
|
-
|
|
58
|
+
process_default exp
|
|
57
59
|
end
|
|
58
60
|
end
|
|
59
61
|
|
|
@@ -23,12 +23,6 @@ class Brakeman::OutputProcessor < Ruby2Ruby
|
|
|
23
23
|
end
|
|
24
24
|
end
|
|
25
25
|
|
|
26
|
-
def process_lvar exp
|
|
27
|
-
out = "(local #{exp[0]})"
|
|
28
|
-
exp.clear
|
|
29
|
-
out
|
|
30
|
-
end
|
|
31
|
-
|
|
32
26
|
def process_ignore exp
|
|
33
27
|
exp.clear
|
|
34
28
|
"[ignored]"
|
|
@@ -78,7 +72,7 @@ class Brakeman::OutputProcessor < Ruby2Ruby
|
|
|
78
72
|
elsif string? e
|
|
79
73
|
e[1]
|
|
80
74
|
else
|
|
81
|
-
process e
|
|
75
|
+
"\#{#{process e}}"
|
|
82
76
|
end
|
|
83
77
|
end.join
|
|
84
78
|
exp.clear
|
data/lib/brakeman/tracker.rb
CHANGED
|
@@ -83,7 +83,13 @@ class Brakeman::Tracker
|
|
|
83
83
|
|
|
84
84
|
#Iterate over all methods in controllers and models.
|
|
85
85
|
def each_method
|
|
86
|
-
[self.controllers, self.models]
|
|
86
|
+
classes = [self.controllers, self.models]
|
|
87
|
+
|
|
88
|
+
if @options[:index_libs]
|
|
89
|
+
classes << self.libs
|
|
90
|
+
end
|
|
91
|
+
|
|
92
|
+
classes.each do |set|
|
|
87
93
|
set.each do |set_name, info|
|
|
88
94
|
[:private, :public, :protected].each do |visibility|
|
|
89
95
|
info[visibility].each do |method_name, definition|
|
data/lib/brakeman/version.rb
CHANGED
data/lib/brakeman/warning.rb
CHANGED
|
@@ -16,7 +16,7 @@ class Brakeman::Warning
|
|
|
16
16
|
def initialize options = {}
|
|
17
17
|
@view_name = nil
|
|
18
18
|
|
|
19
|
-
[:called_from, :check, :class, :code, :confidence, :controller, :file, :line, :link_path,
|
|
19
|
+
[:called_from, :check, :class, :code, :confidence, :controller, :file, :gem_info, :line, :link_path,
|
|
20
20
|
:message, :method, :model, :relative_path, :template, :user_input, :warning_set, :warning_type].each do |option|
|
|
21
21
|
|
|
22
22
|
self.instance_variable_set("@#{option}", options[option])
|
|
@@ -35,6 +35,10 @@ class Brakeman::Warning
|
|
|
35
35
|
end
|
|
36
36
|
end
|
|
37
37
|
|
|
38
|
+
if @method.to_s =~ /^fake_filter\d+/
|
|
39
|
+
@method = :before_filter
|
|
40
|
+
end
|
|
41
|
+
|
|
38
42
|
if not @line
|
|
39
43
|
if @user_input and @user_input.respond_to? :line
|
|
40
44
|
@line = @user_input.line
|
|
@@ -43,6 +47,16 @@ class Brakeman::Warning
|
|
|
43
47
|
end
|
|
44
48
|
end
|
|
45
49
|
|
|
50
|
+
if @gem_info
|
|
51
|
+
if @gem_info.is_a? Hash
|
|
52
|
+
@line ||= @gem_info[:line]
|
|
53
|
+
@file ||= @gem_info[:file]
|
|
54
|
+
else
|
|
55
|
+
# Fallback behavior returns just a string for the file name
|
|
56
|
+
@file ||= @gem_info
|
|
57
|
+
end
|
|
58
|
+
end
|
|
59
|
+
|
|
46
60
|
unless @warning_set
|
|
47
61
|
if self.model
|
|
48
62
|
@warning_set = :model
|
data/lib/ruby_parser/bm_sexp.rb
CHANGED
|
@@ -4,7 +4,7 @@
|
|
|
4
4
|
class Sexp
|
|
5
5
|
attr_reader :paren
|
|
6
6
|
attr_accessor :original_line, :or_depth
|
|
7
|
-
ASSIGNMENT_BOOL = [:gasgn, :iasgn, :lasgn, :cvdecl, :cdecl, :or, :and, :colon2]
|
|
7
|
+
ASSIGNMENT_BOOL = [:gasgn, :iasgn, :lasgn, :cvdecl, :cvasgn, :cdecl, :or, :and, :colon2]
|
|
8
8
|
|
|
9
9
|
def method_missing name, *args
|
|
10
10
|
#Brakeman does not use this functionality,
|
|
@@ -419,6 +419,7 @@ class Sexp
|
|
|
419
419
|
#Sets the left hand side of assignment or boolean.
|
|
420
420
|
def lhs= exp
|
|
421
421
|
expect *ASSIGNMENT_BOOL
|
|
422
|
+
@my_hash_value = nil
|
|
422
423
|
self[1] = exp
|
|
423
424
|
end
|
|
424
425
|
|
|
@@ -427,14 +428,25 @@ class Sexp
|
|
|
427
428
|
# s(:lasgn, :x, s(:lit, 1))
|
|
428
429
|
# ^--rhs---^
|
|
429
430
|
def rhs
|
|
430
|
-
expect *ASSIGNMENT_BOOL
|
|
431
|
-
|
|
431
|
+
expect :attrasgn, *ASSIGNMENT_BOOL
|
|
432
|
+
|
|
433
|
+
if self.node_type == :attrasgn
|
|
434
|
+
self[3]
|
|
435
|
+
else
|
|
436
|
+
self[2]
|
|
437
|
+
end
|
|
432
438
|
end
|
|
433
439
|
|
|
434
440
|
#Sets the right hand side of assignment or boolean.
|
|
435
441
|
def rhs= exp
|
|
436
|
-
expect *ASSIGNMENT_BOOL
|
|
437
|
-
|
|
442
|
+
expect :attrasgn, *ASSIGNMENT_BOOL
|
|
443
|
+
@my_hash_value = nil
|
|
444
|
+
|
|
445
|
+
if self.node_type == :attrasgn
|
|
446
|
+
self[3] = exp
|
|
447
|
+
else
|
|
448
|
+
self[2] = exp
|
|
449
|
+
end
|
|
438
450
|
end
|
|
439
451
|
|
|
440
452
|
#Returns name of method being defined in a method definition.
|
metadata
CHANGED
|
@@ -1,192 +1,187 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: brakeman
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version:
|
|
4
|
+
version: 3.0.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Justin Collins
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain:
|
|
11
|
-
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
aFRzSTZDT29BcHZkCkNlN0JyMzl5amVvYXJ2ZWtxMHdDWEJZYWtVQncvRGRa
|
|
35
|
-
Q0c3bUZaNnhnaDAxZXFuWlVzTmQ4dk0rNlY2djIzVnUKamsydE1qRlQ0TDFk
|
|
36
|
-
QTNNRXN6MytNUDE0NFBEaFBDaDd0UGU2eXk4MUJPdnlZVFZrS3pyQWtnS3dI
|
|
37
|
-
RDFDdXZzSApiZHc9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
|
|
38
|
-
date: 2014-10-14 00:00:00.000000000 Z
|
|
11
|
+
- |
|
|
12
|
+
-----BEGIN CERTIFICATE-----
|
|
13
|
+
MIIDijCCAnKgAwIBAgIBATANBgkqhkiG9w0BAQUFADBFMQ8wDQYDVQQDDAZqdXN0
|
|
14
|
+
aW4xHTAbBgoJkiaJk/IsZAEZFg1wcmVzaWRlbnRiZWVmMRMwEQYKCZImiZPyLGQB
|
|
15
|
+
GRYDY29tMB4XDTE1MDEwMzAxMjI0NFoXDTE2MDEwMzAxMjI0NFowRTEPMA0GA1UE
|
|
16
|
+
AwwGanVzdGluMR0wGwYKCZImiZPyLGQBGRYNcHJlc2lkZW50YmVlZjETMBEGCgmS
|
|
17
|
+
JomT8ixkARkWA2NvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMjt
|
|
18
|
+
xjn8ArkEqQNrRjEeyZAOyr0O8+WZ54AcObsKg2osrcAW6iFd7tjnTFclQHmZgje+
|
|
19
|
+
cwxeF/YG4PbA72ElmCvjn8vQJkdgHspKds1otSozvTF2VDnyAEg0nDTMgkQGQy4R
|
|
20
|
+
HX3NHXMJ8UCAJv2IV/FsItzcPzPmhhf6vu/QaNrmAm3/nF52EsMSEJNC9eTPWudC
|
|
21
|
+
kPgt19T9LRKMk5YbXDM6jWGRubusE03bTwY3RThqYM5ra1DwI/HpWKsKdmNrBbse
|
|
22
|
+
f065WyR7RNAxindc2wMyq1EaInmO7Vds+rsOFZ4ZnO90z046ywmTLTadqlfuc9Qo
|
|
23
|
+
CEw/AhYB6f6DLH8ICkMCAwEAAaOBhDCBgTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIE
|
|
24
|
+
sDAdBgNVHQ4EFgQUmIuIvxLr7ziB52LOpVgd694EfaEwIwYDVR0RBBwwGoEYanVz
|
|
25
|
+
dGluQHByZXNpZGVudGJlZWYuY29tMCMGA1UdEgQcMBqBGGp1c3RpbkBwcmVzaWRl
|
|
26
|
+
bnRiZWVmLmNvbTANBgkqhkiG9w0BAQUFAAOCAQEAbgSKdn/VSDdl5H2ayE+OM662
|
|
27
|
+
gTJWP1CWfbcRVJW/UDjDucEF42t6V/dZTDmwyYTR8Qv+5FsQoPHsDsD3Jr1E62dl
|
|
28
|
+
VYDeUkbmiV5f8fANbvnGUknzrHwp2T0/URxiIY8oFcaCGT+iua9zlNU20+XhB9JN
|
|
29
|
+
fsOSUNBuuE/MYGA37MR1sP7lFHr5e7I1Qk1x3HvjNB/kSv1+Cj26Lde1ehvMqpmi
|
|
30
|
+
bxoxp9KNxkO+709YwLO1rYfmcGghg8WV6MYz3PSHdlgWF4KrjRFc/00hXHqVk0Sf
|
|
31
|
+
mREEv2LPwHH2SgpSSab+iawnX4l6lV8XcIrmp/HSMySsPVFBeOmB0c05LpEN8w==
|
|
32
|
+
-----END CERTIFICATE-----
|
|
33
|
+
date: 2015-01-03 00:00:00.000000000 Z
|
|
39
34
|
dependencies:
|
|
40
35
|
- !ruby/object:Gem::Dependency
|
|
41
36
|
name: ruby_parser
|
|
42
37
|
requirement: !ruby/object:Gem::Requirement
|
|
43
38
|
requirements:
|
|
44
|
-
- - ~>
|
|
39
|
+
- - "~>"
|
|
45
40
|
- !ruby/object:Gem::Version
|
|
46
41
|
version: 3.5.0
|
|
47
42
|
type: :runtime
|
|
48
43
|
prerelease: false
|
|
49
44
|
version_requirements: !ruby/object:Gem::Requirement
|
|
50
45
|
requirements:
|
|
51
|
-
- - ~>
|
|
46
|
+
- - "~>"
|
|
52
47
|
- !ruby/object:Gem::Version
|
|
53
48
|
version: 3.5.0
|
|
54
49
|
- !ruby/object:Gem::Dependency
|
|
55
50
|
name: ruby2ruby
|
|
56
51
|
requirement: !ruby/object:Gem::Requirement
|
|
57
52
|
requirements:
|
|
58
|
-
- - ~>
|
|
53
|
+
- - "~>"
|
|
59
54
|
- !ruby/object:Gem::Version
|
|
60
55
|
version: 2.1.1
|
|
61
56
|
type: :runtime
|
|
62
57
|
prerelease: false
|
|
63
58
|
version_requirements: !ruby/object:Gem::Requirement
|
|
64
59
|
requirements:
|
|
65
|
-
- - ~>
|
|
60
|
+
- - "~>"
|
|
66
61
|
- !ruby/object:Gem::Version
|
|
67
62
|
version: 2.1.1
|
|
68
63
|
- !ruby/object:Gem::Dependency
|
|
69
64
|
name: terminal-table
|
|
70
65
|
requirement: !ruby/object:Gem::Requirement
|
|
71
66
|
requirements:
|
|
72
|
-
- - ~>
|
|
67
|
+
- - "~>"
|
|
73
68
|
- !ruby/object:Gem::Version
|
|
74
69
|
version: '1.4'
|
|
75
70
|
type: :runtime
|
|
76
71
|
prerelease: false
|
|
77
72
|
version_requirements: !ruby/object:Gem::Requirement
|
|
78
73
|
requirements:
|
|
79
|
-
- - ~>
|
|
74
|
+
- - "~>"
|
|
80
75
|
- !ruby/object:Gem::Version
|
|
81
76
|
version: '1.4'
|
|
82
77
|
- !ruby/object:Gem::Dependency
|
|
83
78
|
name: fastercsv
|
|
84
79
|
requirement: !ruby/object:Gem::Requirement
|
|
85
80
|
requirements:
|
|
86
|
-
- - ~>
|
|
81
|
+
- - "~>"
|
|
87
82
|
- !ruby/object:Gem::Version
|
|
88
83
|
version: '1.5'
|
|
89
84
|
type: :runtime
|
|
90
85
|
prerelease: false
|
|
91
86
|
version_requirements: !ruby/object:Gem::Requirement
|
|
92
87
|
requirements:
|
|
93
|
-
- - ~>
|
|
88
|
+
- - "~>"
|
|
94
89
|
- !ruby/object:Gem::Version
|
|
95
90
|
version: '1.5'
|
|
96
91
|
- !ruby/object:Gem::Dependency
|
|
97
92
|
name: highline
|
|
98
93
|
requirement: !ruby/object:Gem::Requirement
|
|
99
94
|
requirements:
|
|
100
|
-
- - ~>
|
|
95
|
+
- - "~>"
|
|
101
96
|
- !ruby/object:Gem::Version
|
|
102
97
|
version: 1.6.20
|
|
103
98
|
type: :runtime
|
|
104
99
|
prerelease: false
|
|
105
100
|
version_requirements: !ruby/object:Gem::Requirement
|
|
106
101
|
requirements:
|
|
107
|
-
- - ~>
|
|
102
|
+
- - "~>"
|
|
108
103
|
- !ruby/object:Gem::Version
|
|
109
104
|
version: 1.6.20
|
|
110
105
|
- !ruby/object:Gem::Dependency
|
|
111
106
|
name: erubis
|
|
112
107
|
requirement: !ruby/object:Gem::Requirement
|
|
113
108
|
requirements:
|
|
114
|
-
- - ~>
|
|
109
|
+
- - "~>"
|
|
115
110
|
- !ruby/object:Gem::Version
|
|
116
111
|
version: '2.6'
|
|
117
112
|
type: :runtime
|
|
118
113
|
prerelease: false
|
|
119
114
|
version_requirements: !ruby/object:Gem::Requirement
|
|
120
115
|
requirements:
|
|
121
|
-
- - ~>
|
|
116
|
+
- - "~>"
|
|
122
117
|
- !ruby/object:Gem::Version
|
|
123
118
|
version: '2.6'
|
|
124
119
|
- !ruby/object:Gem::Dependency
|
|
125
120
|
name: haml
|
|
126
121
|
requirement: !ruby/object:Gem::Requirement
|
|
127
122
|
requirements:
|
|
128
|
-
- -
|
|
123
|
+
- - ">="
|
|
129
124
|
- !ruby/object:Gem::Version
|
|
130
125
|
version: '3.0'
|
|
131
|
-
- - <
|
|
126
|
+
- - "<"
|
|
132
127
|
- !ruby/object:Gem::Version
|
|
133
128
|
version: '5.0'
|
|
134
129
|
type: :runtime
|
|
135
130
|
prerelease: false
|
|
136
131
|
version_requirements: !ruby/object:Gem::Requirement
|
|
137
132
|
requirements:
|
|
138
|
-
- -
|
|
133
|
+
- - ">="
|
|
139
134
|
- !ruby/object:Gem::Version
|
|
140
135
|
version: '3.0'
|
|
141
|
-
- - <
|
|
136
|
+
- - "<"
|
|
142
137
|
- !ruby/object:Gem::Version
|
|
143
138
|
version: '5.0'
|
|
144
139
|
- !ruby/object:Gem::Dependency
|
|
145
140
|
name: sass
|
|
146
141
|
requirement: !ruby/object:Gem::Requirement
|
|
147
142
|
requirements:
|
|
148
|
-
- - ~>
|
|
143
|
+
- - "~>"
|
|
149
144
|
- !ruby/object:Gem::Version
|
|
150
145
|
version: '3.0'
|
|
151
146
|
type: :runtime
|
|
152
147
|
prerelease: false
|
|
153
148
|
version_requirements: !ruby/object:Gem::Requirement
|
|
154
149
|
requirements:
|
|
155
|
-
- - ~>
|
|
150
|
+
- - "~>"
|
|
156
151
|
- !ruby/object:Gem::Version
|
|
157
152
|
version: '3.0'
|
|
158
153
|
- !ruby/object:Gem::Dependency
|
|
159
154
|
name: slim
|
|
160
155
|
requirement: !ruby/object:Gem::Requirement
|
|
161
156
|
requirements:
|
|
162
|
-
- -
|
|
157
|
+
- - ">="
|
|
163
158
|
- !ruby/object:Gem::Version
|
|
164
159
|
version: 1.3.6
|
|
165
|
-
- - <
|
|
160
|
+
- - "<"
|
|
166
161
|
- !ruby/object:Gem::Version
|
|
167
162
|
version: '3.0'
|
|
168
163
|
type: :runtime
|
|
169
164
|
prerelease: false
|
|
170
165
|
version_requirements: !ruby/object:Gem::Requirement
|
|
171
166
|
requirements:
|
|
172
|
-
- -
|
|
167
|
+
- - ">="
|
|
173
168
|
- !ruby/object:Gem::Version
|
|
174
169
|
version: 1.3.6
|
|
175
|
-
- - <
|
|
170
|
+
- - "<"
|
|
176
171
|
- !ruby/object:Gem::Version
|
|
177
172
|
version: '3.0'
|
|
178
173
|
- !ruby/object:Gem::Dependency
|
|
179
174
|
name: multi_json
|
|
180
175
|
requirement: !ruby/object:Gem::Requirement
|
|
181
176
|
requirements:
|
|
182
|
-
- - ~>
|
|
177
|
+
- - "~>"
|
|
183
178
|
- !ruby/object:Gem::Version
|
|
184
179
|
version: '1.2'
|
|
185
180
|
type: :runtime
|
|
186
181
|
prerelease: false
|
|
187
182
|
version_requirements: !ruby/object:Gem::Requirement
|
|
188
183
|
requirements:
|
|
189
|
-
- - ~>
|
|
184
|
+
- - "~>"
|
|
190
185
|
- !ruby/object:Gem::Version
|
|
191
186
|
version: '1.2'
|
|
192
187
|
description: Brakeman detects security vulnerabilities in Ruby on Rails applications
|
|
@@ -220,6 +215,7 @@ files:
|
|
|
220
215
|
- lib/brakeman/checks/check_evaluation.rb
|
|
221
216
|
- lib/brakeman/checks/check_execute.rb
|
|
222
217
|
- lib/brakeman/checks/check_file_access.rb
|
|
218
|
+
- lib/brakeman/checks/check_file_disclosure.rb
|
|
223
219
|
- lib/brakeman/checks/check_filter_skipping.rb
|
|
224
220
|
- lib/brakeman/checks/check_forgery_setting.rb
|
|
225
221
|
- lib/brakeman/checks/check_header_dos.rb
|
|
@@ -240,6 +236,7 @@ files:
|
|
|
240
236
|
- lib/brakeman/checks/check_regex_dos.rb
|
|
241
237
|
- lib/brakeman/checks/check_render.rb
|
|
242
238
|
- lib/brakeman/checks/check_render_dos.rb
|
|
239
|
+
- lib/brakeman/checks/check_render_inline.rb
|
|
243
240
|
- lib/brakeman/checks/check_response_splitting.rb
|
|
244
241
|
- lib/brakeman/checks/check_safe_buffer_manipulation.rb
|
|
245
242
|
- lib/brakeman/checks/check_sanitize_methods.rb
|
|
@@ -256,6 +253,7 @@ files:
|
|
|
256
253
|
- lib/brakeman/checks/check_ssl_verify.rb
|
|
257
254
|
- lib/brakeman/checks/check_strip_tags.rb
|
|
258
255
|
- lib/brakeman/checks/check_symbol_dos.rb
|
|
256
|
+
- lib/brakeman/checks/check_symbol_dos_cve.rb
|
|
259
257
|
- lib/brakeman/checks/check_translate_bug.rb
|
|
260
258
|
- lib/brakeman/checks/check_unsafe_reflection.rb
|
|
261
259
|
- lib/brakeman/checks/check_unscoped_find.rb
|
|
@@ -280,6 +278,7 @@ files:
|
|
|
280
278
|
- lib/brakeman/processors/erubis_template_processor.rb
|
|
281
279
|
- lib/brakeman/processors/gem_processor.rb
|
|
282
280
|
- lib/brakeman/processors/haml_template_processor.rb
|
|
281
|
+
- lib/brakeman/processors/lib/basic_processor.rb
|
|
283
282
|
- lib/brakeman/processors/lib/find_all_calls.rb
|
|
284
283
|
- lib/brakeman/processors/lib/find_call.rb
|
|
285
284
|
- lib/brakeman/processors/lib/find_return_value.rb
|
|
@@ -341,17 +340,17 @@ require_paths:
|
|
|
341
340
|
- lib
|
|
342
341
|
required_ruby_version: !ruby/object:Gem::Requirement
|
|
343
342
|
requirements:
|
|
344
|
-
- -
|
|
343
|
+
- - ">="
|
|
345
344
|
- !ruby/object:Gem::Version
|
|
346
345
|
version: '0'
|
|
347
346
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
348
347
|
requirements:
|
|
349
|
-
- -
|
|
348
|
+
- - ">="
|
|
350
349
|
- !ruby/object:Gem::Version
|
|
351
350
|
version: '0'
|
|
352
351
|
requirements: []
|
|
353
352
|
rubyforge_project:
|
|
354
|
-
rubygems_version: 2.
|
|
353
|
+
rubygems_version: 2.4.5
|
|
355
354
|
signing_key:
|
|
356
355
|
specification_version: 4
|
|
357
356
|
summary: Security vulnerability scanner for Ruby on Rails.
|