brakeman 2.6.3 → 3.0.0

Files changed (61) hide show
  1. checksums.yaml +5 -13
  2. checksums.yaml.gz.sig +0 -0
  3. data.tar.gz.sig +0 -0
  4. data/CHANGES +19 -0
  5. data/bin/brakeman +1 -1
  6. data/lib/brakeman.rb +4 -2
  7. data/lib/brakeman/app_tree.rb +1 -1
  8. data/lib/brakeman/checks/base_check.rb +9 -7
  9. data/lib/brakeman/checks/check_create_with.rb +1 -1
  10. data/lib/brakeman/checks/check_cross_site_scripting.rb +46 -42
  11. data/lib/brakeman/checks/check_digest_dos.rb +1 -1
  12. data/lib/brakeman/checks/check_escape_function.rb +3 -3
  13. data/lib/brakeman/checks/check_file_disclosure.rb +35 -0
  14. data/lib/brakeman/checks/check_filter_skipping.rb +1 -1
  15. data/lib/brakeman/checks/check_forgery_setting.rb +2 -2
  16. data/lib/brakeman/checks/check_header_dos.rb +1 -1
  17. data/lib/brakeman/checks/check_i18n_xss.rb +2 -3
  18. data/lib/brakeman/checks/check_jruby_xml.rb +1 -1
  19. data/lib/brakeman/checks/check_json_parsing.rb +9 -4
  20. data/lib/brakeman/checks/check_mail_to.rb +1 -1
  21. data/lib/brakeman/checks/check_nested_attributes.rb +1 -1
  22. data/lib/brakeman/checks/check_number_to_currency.rb +1 -1
  23. data/lib/brakeman/checks/check_quote_table_name.rb +1 -1
  24. data/lib/brakeman/checks/check_render.rb +3 -3
  25. data/lib/brakeman/checks/check_render_dos.rb +1 -1
  26. data/lib/brakeman/checks/check_render_inline.rb +42 -0
  27. data/lib/brakeman/checks/check_response_splitting.rb +1 -1
  28. data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +1 -1
  29. data/lib/brakeman/checks/check_simple_format.rb +2 -2
  30. data/lib/brakeman/checks/check_single_quotes.rb +1 -1
  31. data/lib/brakeman/checks/check_skip_before_filter.rb +1 -1
  32. data/lib/brakeman/checks/check_sql_cves.rb +2 -2
  33. data/lib/brakeman/checks/check_strip_tags.rb +2 -2
  34. data/lib/brakeman/checks/check_symbol_dos.rb +2 -23
  35. data/lib/brakeman/checks/check_symbol_dos_cve.rb +30 -0
  36. data/lib/brakeman/checks/check_translate_bug.rb +1 -1
  37. data/lib/brakeman/checks/check_yaml_parsing.rb +2 -2
  38. data/lib/brakeman/options.rb +6 -2
  39. data/lib/brakeman/parsers/rails3_erubis.rb +2 -2
  40. data/lib/brakeman/processors/alias_processor.rb +54 -1
  41. data/lib/brakeman/processors/base_processor.rb +0 -8
  42. data/lib/brakeman/processors/controller_alias_processor.rb +40 -2
  43. data/lib/brakeman/processors/controller_processor.rb +5 -3
  44. data/lib/brakeman/processors/gem_processor.rb +13 -9
  45. data/lib/brakeman/processors/lib/basic_processor.rb +17 -0
  46. data/lib/brakeman/processors/lib/find_all_calls.rb +2 -2
  47. data/lib/brakeman/processors/lib/find_call.rb +2 -2
  48. data/lib/brakeman/processors/lib/processor_helper.rb +9 -0
  49. data/lib/brakeman/processors/lib/rails2_config_processor.rb +3 -1
  50. data/lib/brakeman/processors/lib/rails2_route_processor.rb +3 -3
  51. data/lib/brakeman/processors/lib/rails3_config_processor.rb +4 -1
  52. data/lib/brakeman/processors/lib/rails3_route_processor.rb +4 -2
  53. data/lib/brakeman/processors/output_processor.rb +1 -7
  54. data/lib/brakeman/report/report_json.rb +1 -1
  55. data/lib/brakeman/tracker.rb +7 -1
  56. data/lib/brakeman/version.rb +1 -1
  57. data/lib/brakeman/warning.rb +15 -1
  58. data/lib/brakeman/warning_codes.rb +3 -0
  59. data/lib/ruby_parser/bm_sexp.rb +17 -5
  60. metadata +55 -56
  61. metadata.gz.sig +0 -0
@@ -67,7 +67,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
67
67
  :public => {},
68
68
  :private => {},
69
69
  :protected => {},
70
- :options => {:before_filters => []},
70
+ :options => {:before_filters => [], :skip_filters => []},
71
71
  :src => { @file_name => exp },
72
72
  :files => [ @file_name ]
73
73
  }
@@ -158,9 +158,11 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
158
158
  when :include
159
159
  @current_class[:includes] << class_name(first_arg) if @current_class
160
160
  when :before_filter, :append_before_filter, :before_action, :append_before_action
161
- @current_class[:options][:before_filters] << exp.args
161
+ @current_class[:options][:before_filters] << exp
162
162
  when :prepend_before_filter, :prepend_before_action
163
- @current_class[:options][:before_filters].unshift exp.args
163
+ @current_class[:options][:before_filters].unshift exp
164
+ when :skip_before_filter, :skip_filter, :skip_before_action, :skip_action_callback
165
+ @current_class[:options][:skip_filters] << exp
164
166
  when :layout
165
167
  if string? last_arg
166
168
  #layout "some_layout"
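Review bot: The new `:skip_filters` branch appends to `@current_class[:options][:skip_filters]` with no nil check, while the `:include` branch a few lines above guards with `if @current_class`; if this dispatch can ever run outside a class body, the new line raises NoMethodError on nil (the two `:before_filters` lines have the same exposure, but the commit adds a third). Suggest `@current_class[:options][:skip_filters] << exp if @current_class`, and the same modifier on the two `:before_filters` lines. Note also that `:before_filters` entries now hold the whole call Sexp instead of `exp.args`, so every consumer that indexed those entries has to change in the same release; that cannot be checked from this hunk. The enclosing `case` starts and ends outside the hunk.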
@@ -1,7 +1,7 @@
1
- require 'brakeman/processors/base_processor'
1
+ require 'brakeman/processors/lib/basic_processor'
2
2
 
3
3
  #Processes Gemfile and Gemfile.lock
4
- class Brakeman::GemProcessor < Brakeman::BaseProcessor
4
+ class Brakeman::GemProcessor < Brakeman::BasicProcessor
5
5
 
6
6
  def initialize *args
7
7
  super
@@ -14,9 +14,11 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
14
14
 
15
15
  if gem_lock
16
16
  process_gem_lock gem_lock
17
- @tracker.config[:rails_version] = @tracker.config[:gems][:rails]
18
- elsif @tracker.config[:gems][:rails] =~ /(\d+.\d+.\d+)/
17
+ @tracker.config[:rails_version] = @tracker.config[:gems][:rails][:version] if @tracker.config[:gems][:rails]
18
+ elsif @tracker.config[:gems] && @tracker.config[:gems][:rails] && @tracker.config[:gems][:rails][:version] =~ /(\d+.\d+.\d+)/
19
19
  @tracker.config[:rails_version] = $1
20
+ else
21
+ @tracker.config[:rails_version] = nil
20
22
  end
21
23
 
22
24
  if @tracker.options[:rails3].nil? and @tracker.options[:rails4].nil? and @tracker.config[:rails_version]
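Review bot: The version regex on the rewritten `elsif` line, `/(\d+.\d+.\d+)/`, uses unescaped dots, so a string such as `4a1b2` is accepted as a Rails version; write it as `/(\d+\.\d+\.\d+)/` (the old line had the same defect, but this line is new code). The same line repeats `@tracker.config[:gems][:rails]` three times; a local such as `rails_gem = @tracker.config[:gems] && @tracker.config[:gems][:rails]` would make the condition readable. The Gemfile branch in the next hunk now stores `:version => nil` where `">=0.0.0"` used to be stored, so whatever compares `config[:gems][:rails][:version]` against CVE ranges must now tolerate nil; that helper is not in this diff. The enclosing `initialize` continues outside the hunk.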
@@ -45,9 +47,9 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
45
47
  gem_version = exp.second_arg
46
48
 
47
49
  if string? gem_version
48
- @tracker.config[:gems][gem_name.value.to_sym] = gem_version.value
50
+ @tracker.config[:gems][gem_name.value.to_sym] = { :version => gem_version.value.to_s, :file => 'Gemfile', :line => exp.line }
49
51
  else
50
- @tracker.config[:gems][gem_name.value.to_sym] = ">=0.0.0"
52
+ @tracker.config[:gems][gem_name.value.to_sym] = { :version => nil, :file => 'Gemfile' , :line => exp.line }
51
53
  end
52
54
  end
53
55
 
@@ -55,15 +57,17 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
55
57
  end
56
58
 
57
59
  def process_gem_lock gem_lock
60
+ line_num = 1
58
61
  gem_lock.each_line do |line|
59
- set_gem_version line
62
+ set_gem_version_and_file line, 'Gemfile.lock', line_num
63
+ line_num += 1
60
64
  end
61
65
  end
62
66
 
63
67
  # Supports .rc2 but not ~>, >=, or <=
64
- def set_gem_version line
68
+ def set_gem_version_and_file line, file, line_num
65
69
  if line =~ @gem_name_version
66
- @tracker.config[:gems][$1.to_sym] = $2
70
+ @tracker.config[:gems][$1.to_sym] = { :version => $2, :file => file, :line => line_num }
67
71
  end
68
72
  end
69
73
  end
@@ -0,0 +1,17 @@
1
+ require 'brakeman/processors/lib/processor_helper'
2
+ require 'brakeman/util'
3
+
4
+ class Brakeman::BasicProcessor < Brakeman::SexpProcessor
5
+ include Brakeman::ProcessorHelper
6
+ include Brakeman::Util
7
+
8
+ def initialize tracker
9
+ super()
10
+ @tracker = tracker
11
+ @current_template = @current_module = @current_class = @current_method = nil
12
+ end
13
+
14
+ def process_default exp
15
+ process_all exp
16
+ end
17
+ end
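Review bot: The new `Brakeman::BasicProcessor` class has no header comment, although the other processors touched by this diff carry one (e.g. `#Processes Gemfile and Gemfile.lock` on GemProcessor). From the visible body it is a `SexpProcessor` that mixes in `ProcessorHelper` and `Util`, stores the tracker, resets the four `@current_*` fields and walks every child of an unhandled node; a comment above the class such as `#Lightweight SexpProcessor base: tracker access plus ProcessorHelper/Util, with process_default walking all children.` would tell readers when to derive from this instead of BaseProcessor. Since the route processors in this diff now call `process_default exp` where they used to call `super`, it is worth stating in that comment that `process_default` returns whatever `process_all` returns.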
@@ -1,6 +1,6 @@
1
- require 'brakeman/processors/base_processor'
1
+ require 'brakeman/processors/lib/basic_processor'
2
2
 
3
- class Brakeman::FindAllCalls < Brakeman::BaseProcessor
3
+ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
4
4
  attr_reader :calls
5
5
 
6
6
  def initialize tracker
@@ -1,4 +1,4 @@
1
- require 'brakeman/processors/base_processor'
1
+ require 'brakeman/processors/lib/basic_processor'
2
2
 
3
3
  #Finds method calls matching the given target(s).
4
4
  # #-- This should be deprecated --#
@@ -31,7 +31,7 @@ require 'brakeman/processors/base_processor'
31
31
  #
32
32
  # #Find all calls to sub, sub!, gsub, or gsub!
33
33
  # FindCall.new nil, /^g?sub!?$/
34
- class Brakeman::FindCall < Brakeman::BaseProcessor
34
+ class Brakeman::FindCall < Brakeman::BasicProcessor
35
35
 
36
36
  def initialize targets, methods, tracker, in_depth = false
37
37
  super tracker
@@ -29,6 +29,15 @@ module Brakeman::ProcessorHelper
29
29
 
30
30
  exp
31
31
  end
32
+
33
+ def process_class exp
34
+ current_class = @current_class
35
+ @current_class = class_name exp[1]
36
+ process_all exp.body
37
+ @current_class = current_class
38
+ exp
39
+ end
40
+
32
41
  #Sets the current module.
33
42
  def process_module exp
34
43
  module_name = class_name(exp.class_name).to_s
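Review bot: The new `process_class` reads the class name as `exp[1]` while `process_module` just below uses the `exp.class_name` accessor; use the accessor here too, `@current_class = class_name exp.class_name`, so the two methods stay parallel. It also lacks the one-line comment every neighbouring method has (`#Sets the current module.`); add `#Sets the current class while its body is processed, then restores the previous one.` above it. Because the restore is not in an `ensure`, an exception inside `process_all exp.body` leaves `@current_class` pointing at the inner class; that only matters if a caller rescues and continues, which cannot be seen from here.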
@@ -1,3 +1,5 @@
1
+ require 'brakeman/processors/lib/basic_processor'
2
+
1
3
  #Processes configuration. Results are put in tracker.config.
2
4
  #
3
5
  #Configuration of Rails via Rails::Initializer are stored in tracker.config[:rails].
@@ -12,7 +14,7 @@
12
14
  # tracker.config[:rails][:action_controller][:session_store]
13
15
  #
14
16
  #Values for tracker.config[:rails] will still be Sexps.
15
- class Brakeman::Rails2ConfigProcessor < Brakeman::BaseProcessor
17
+ class Brakeman::Rails2ConfigProcessor < Brakeman::BasicProcessor
16
18
  #Replace block variable in
17
19
  #
18
20
  # Rails::Initializer.run |config|
@@ -1,10 +1,10 @@
1
- require 'brakeman/processors/base_processor'
1
+ require 'brakeman/processors/lib/basic_processor'
2
2
 
3
3
  #Processes the Sexp from routes.rb. Stores results in tracker.routes.
4
4
  #
5
5
  #Note that it is only interested in determining what methods on which
6
6
  #controllers are used as routes, not the generated URLs for routes.
7
- class Brakeman::Rails2RoutesProcessor < Brakeman::BaseProcessor
7
+ class Brakeman::Rails2RoutesProcessor < Brakeman::BasicProcessor
8
8
  include Brakeman::RouteHelper
9
9
 
10
10
  attr_reader :map, :nested, :current_controller
@@ -76,7 +76,7 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BaseProcessor
76
76
  end
77
77
  exp
78
78
  else
79
- super
79
+ process_default exp
80
80
  end
81
81
  end
82
82
 
@@ -1,3 +1,6 @@
1
+
2
+ require 'brakeman/processors/lib/basic_processor'
3
+
1
4
  #Processes configuration. Results are put in tracker.config.
2
5
  #
3
6
  #Configuration of Rails via Rails::Initializer are stored in tracker.config[:rails].
@@ -12,7 +15,7 @@
12
15
  # tracker.config[:rails][:active_record][:whitelist_attributes]
13
16
  #
14
17
  #Values for tracker.config[:rails] will still be Sexps.
15
- class Brakeman::Rails3ConfigProcessor < Brakeman::BaseProcessor
18
+ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
16
19
  RAILS_CONFIG = Sexp.new(:call, nil, :config)
17
20
 
18
21
  def initialize *args
@@ -1,8 +1,10 @@
1
+ require 'brakeman/processors/lib/basic_processor'
2
+
1
3
  #Processes the Sexp from routes.rb. Stores results in tracker.routes.
2
4
  #
3
5
  #Note that it is only interested in determining what methods on which
4
6
  #controllers are used as routes, not the generated URLs for routes.
5
- class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
7
+ class Brakeman::Rails3RoutesProcessor < Brakeman::BasicProcessor
6
8
  include Brakeman::RouteHelper
7
9
 
8
10
  attr_reader :map, :nested, :current_controller
@@ -53,7 +55,7 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
53
55
  when :controller
54
56
  process_controller_block exp
55
57
  else
56
- super
58
+ process_default exp
57
59
  end
58
60
  end
59
61
 
@@ -23,12 +23,6 @@ class Brakeman::OutputProcessor < Ruby2Ruby
23
23
  end
24
24
  end
25
25
 
26
- def process_lvar exp
27
- out = "(local #{exp[0]})"
28
- exp.clear
29
- out
30
- end
31
-
32
26
  def process_ignore exp
33
27
  exp.clear
34
28
  "[ignored]"
@@ -78,7 +72,7 @@ class Brakeman::OutputProcessor < Ruby2Ruby
78
72
  elsif string? e
79
73
  e[1]
80
74
  else
81
- process e
75
+ "\#{#{process e}}"
82
76
  end
83
77
  end.join
84
78
  exp.clear
@@ -40,6 +40,6 @@ class Brakeman::Report::JSON < Brakeman::Report::Base
40
40
  hash = w.to_hash
41
41
  hash[:file] = warning_file w
42
42
  hash
43
- end.sort_by { |w| w[:file] }
43
+ end.sort_by { |w| "#{w[:fingerprint]}#{w[:line]}" }
44
44
  end
45
45
  end
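Review bot: The new sort key `"#{w[:fingerprint]}#{w[:line]}"` orders lines lexically, so line 10 sorts before line 9 for warnings that share a fingerprint, and a nil line or fingerprint silently becomes an empty string in the key; a tuple keeps the output deterministic without that quirk: `end.sort_by { |w| [w[:fingerprint].to_s, w[:line].to_i] }`. The `to_s`/`to_i` are needed because `sort_by` cannot compare arrays that contain nil. The enclosing method starts outside the hunk.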
@@ -83,7 +83,13 @@ class Brakeman::Tracker
83
83
 
84
84
  #Iterate over all methods in controllers and models.
85
85
  def each_method
86
- [self.controllers, self.models].each do |set|
86
+ classes = [self.controllers, self.models]
87
+
88
+ if @options[:index_libs]
89
+ classes << self.libs
90
+ end
91
+
92
+ classes.each do |set|
87
93
  set.each do |set_name, info|
88
94
  [:private, :public, :protected].each do |visibility|
89
95
  info[visibility].each do |method_name, definition|
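Review bot: The method comment `#Iterate over all methods in controllers and models.` is now incomplete, because the body also walks `self.libs` when `@options[:index_libs]` is set; update it to `#Iterate over all methods in controllers and models (and libs when :index_libs is set).`. The three-line `if` can be written as `classes << self.libs if @options[:index_libs]`, the modifier style used elsewhere in this diff (e.g. `... if @current_class` in ControllerProcessor). `each_method` continues outside the hunk.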
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "2.6.3"
2
+ Version = "3.0.0"
3
3
  end
@@ -16,7 +16,7 @@ class Brakeman::Warning
16
16
  def initialize options = {}
17
17
  @view_name = nil
18
18
 
19
- [:called_from, :check, :class, :code, :confidence, :controller, :file, :line, :link_path,
19
+ [:called_from, :check, :class, :code, :confidence, :controller, :file, :gem_info, :line, :link_path,
20
20
  :message, :method, :model, :relative_path, :template, :user_input, :warning_set, :warning_type].each do |option|
21
21
 
22
22
  self.instance_variable_set("@#{option}", options[option])
@@ -35,6 +35,10 @@ class Brakeman::Warning
35
35
  end
36
36
  end
37
37
 
38
+ if @method.to_s =~ /^fake_filter\d+/
39
+ @method = :before_filter
40
+ end
41
+
38
42
  if not @line
39
43
  if @user_input and @user_input.respond_to? :line
40
44
  @line = @user_input.line
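Review bot: The new rewrite `if @method.to_s =~ /^fake_filter\d+/` depends on a naming convention produced elsewhere (presumably the synthetic filter methods from the controller alias processor, which is listed in this diff but not shown), and nothing here says so; add a comment such as `# Methods synthesised for filter bodies are reported as the before_filter they came from` and consider sharing the prefix as a constant between the generator and this check so the two cannot drift. Anchor with `\A` rather than `^` (`/\Afake_filter\d+/`): `^` matches at any line start, whereas `\A` states the intended whole-string prefix. The hard-coded `:before_filter` also loses whether the declaration was `before_action` or a prepend variant; if the report needs that distinction it has to be carried in the generated name. `initialize` starts and ends outside the hunk.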
@@ -43,6 +47,16 @@ class Brakeman::Warning
43
47
  end
44
48
  end
45
49
 
50
+ if @gem_info
51
+ if @gem_info.is_a? Hash
52
+ @line ||= @gem_info[:line]
53
+ @file ||= @gem_info[:file]
54
+ else
55
+ # Fallback behavior returns just a string for the file name
56
+ @file ||= @gem_info
57
+ end
58
+ end
59
+
46
60
  unless @warning_set
47
61
  if self.model
48
62
  @warning_set = :model
@@ -84,6 +84,9 @@ module Brakeman::WarningCodes
84
84
  :CVE_2014_3514 => 80,
85
85
  :CVE_2014_3514_call => 81,
86
86
  :unscoped_find => 82,
87
+ :CVE_2011_2932 => 83,
88
+ :cross_site_scripting_inline => 84,
89
+ :CVE_2014_7829 => 85,
87
90
  }
88
91
 
89
92
  def self.code name
@@ -4,7 +4,7 @@
4
4
  class Sexp
5
5
  attr_reader :paren
6
6
  attr_accessor :original_line, :or_depth
7
- ASSIGNMENT_BOOL = [:gasgn, :iasgn, :lasgn, :cvdecl, :cdecl, :or, :and, :colon2]
7
+ ASSIGNMENT_BOOL = [:gasgn, :iasgn, :lasgn, :cvdecl, :cvasgn, :cdecl, :or, :and, :colon2]
8
8
 
9
9
  def method_missing name, *args
10
10
  #Brakeman does not use this functionality,
@@ -419,6 +419,7 @@ class Sexp
419
419
  #Sets the left hand side of assignment or boolean.
420
420
  def lhs= exp
421
421
  expect *ASSIGNMENT_BOOL
422
+ @my_hash_value = nil
422
423
  self[1] = exp
423
424
  end
424
425
 
@@ -427,14 +428,25 @@ class Sexp
427
428
  # s(:lasgn, :x, s(:lit, 1))
428
429
  # ^--rhs---^
429
430
  def rhs
430
- expect *ASSIGNMENT_BOOL
431
- self[2]
431
+ expect :attrasgn, *ASSIGNMENT_BOOL
432
+
433
+ if self.node_type == :attrasgn
434
+ self[3]
435
+ else
436
+ self[2]
437
+ end
432
438
  end
433
439
 
434
440
  #Sets the right hand side of assignment or boolean.
435
441
  def rhs= exp
436
- expect *ASSIGNMENT_BOOL
437
- self[2] = exp
442
+ expect :attrasgn, *ASSIGNMENT_BOOL
443
+ @my_hash_value = nil
444
+
445
+ if self.node_type == :attrasgn
446
+ self[3] = exp
447
+ else
448
+ self[2] = exp
449
+ end
438
450
  end
439
451
 
440
452
  #Returns name of method being defined in a method definition.
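Review bot: `rhs` and `rhs=` treat every `:attrasgn` as `s(:attrasgn, receiver, :name=, value)` and use `self[3]`; index assignment `a[i] = v` is also an `:attrasgn` in ruby_parser (`s(:attrasgn, a, :[]=, i, v)`), where `self[3]` is the index and the assigned value is the last element, so `rhs` would return `i` for such nodes. If callers rely on `rhs` for `[]=` nodes, `self.last` in `rhs` and `self[-1] = exp` in `rhs=` pick the value in both shapes; if only single-argument setters are intended, the doc comment above `rhs` (it starts outside the hunk) should say so. Clearing `@my_hash_value` in both setters is consistent with the change to `lhs=` in the previous hunk.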
metadata CHANGED
@@ -1,192 +1,187 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: brakeman
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.6.3
4
+ version: 3.0.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Justin Collins
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain:
11
- - !binary |-
12
- LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURMakNDQWhhZ0F3SUJB
13
- Z0lCQURBTkJna3Foa2lHOXcwQkFRVUZBREE5TVF3d0NnWURWUVFEREFOblpX
14
- MHgKR0RBV0Jnb0praWFKay9Jc1pBRVpGZ2hpY21GclpXMWhiakVUTUJFR0Nn
15
- bVNKb21UOGl4a0FSa1dBMjl5WnpBZQpGdzB4TXpFeU1USXdNRE14TlRkYUZ3
16
- MHhOREV5TVRJd01ETXhOVGRhTUQweEREQUtCZ05WQkFNTUEyZGxiVEVZCk1C
17
- WUdDZ21TSm9tVDhpeGtBUmtXQ0dKeVlXdGxiV0Z1TVJNd0VRWUtDWkltaVpQ
18
- eUxHUUJHUllEYjNKbk1JSUIKSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4
19
- QU1JSUJDZ0tDQVFFQXhDSG1YQ2FBY1o0YlZqaWpLb3lRRng0TgpkeU43Qjdi
20
- cVk4d09YeTZmL1VaNm1kQzhJUkFqODJLYVdRak5FMkxUL09iRlVXcENSeUxk
21
- cndqa0RqZEZEeU9UCm1aQ1praU9lRXkyWnhZR2Z4WE1JL3hnMjRjOHI1WG1o
22
- MTZFcnNZdXByUmNnKy9LWjZzNFVqc2VCTlRBUm1CSzQKSUhjcUlkbm9XYllh
23
- M0JXSG9mbEpQYUpVSWFVKy95VGNsekZRSHBzd1U3a2E4ZnRJQVdlb0RRbzIy
24
- Z2FzUC80TgpIdEp2QUl5ZzFEY1dQTGNuMHFiWm1kZWhnOEhadjhDKzJNdUxL
25
- WC8ycVpHOWVzZWVnTXFNbEhIYWJ3d0V5OVZ2CmYvdC8rbHRMakMwQ1JhMlRx
26
- WjJFdVE1RUV6Yk9zcUFmdGFaSkZtd3Y5VXQxVWhqbWR2UjVSZk42ZFdNUTVR
27
- SUQKQVFBQm96a3dOekFMQmdOVkhROEVCQU1DQkxBd0hRWURWUjBPQkJZRUZQ
28
- eUVLZVJ5MDlpOHFTcis5S0ZiZVRxdwprTUNTTUFrR0ExVWRFd1FDTUFBd0RR
29
- WUpLb1pJaHZjTkFRRUZCUUFEZ2dFQkFMRWs4L1dubDJWQXFjaHhXbGJnClJO
30
- ME1rVlVXTWY4TDB4eFVpVktvNVFlTDROQlZpQUxNQnJVNklTNHk2enluK0Zv
31
- VUxBTUVhd1VqWmxaZjRIY2cKUzl1bmV2M3ArUlRXVXlrc0FuQTI3d0hacy9O
32
- UklrVzM0czFaSTVOTkUveHl1NFVMT1FqZmgxd09qbFd6eUh1OQowdDQxL0N0
33
- cGdOUE0ydUFqRzNSSXFscDdRS1hsYnk1MGNRcVdKUUNnVEgzSk5qTWhtUk9F
34
- aFRzSTZDT29BcHZkCkNlN0JyMzl5amVvYXJ2ZWtxMHdDWEJZYWtVQncvRGRa
35
- Q0c3bUZaNnhnaDAxZXFuWlVzTmQ4dk0rNlY2djIzVnUKamsydE1qRlQ0TDFk
36
- QTNNRXN6MytNUDE0NFBEaFBDaDd0UGU2eXk4MUJPdnlZVFZrS3pyQWtnS3dI
37
- RDFDdXZzSApiZHc9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
38
- date: 2014-10-14 00:00:00.000000000 Z
11
+ - |
12
+ -----BEGIN CERTIFICATE-----
13
+ MIIDijCCAnKgAwIBAgIBATANBgkqhkiG9w0BAQUFADBFMQ8wDQYDVQQDDAZqdXN0
14
+ aW4xHTAbBgoJkiaJk/IsZAEZFg1wcmVzaWRlbnRiZWVmMRMwEQYKCZImiZPyLGQB
15
+ GRYDY29tMB4XDTE1MDEwMzAxMjI0NFoXDTE2MDEwMzAxMjI0NFowRTEPMA0GA1UE
16
+ AwwGanVzdGluMR0wGwYKCZImiZPyLGQBGRYNcHJlc2lkZW50YmVlZjETMBEGCgmS
17
+ JomT8ixkARkWA2NvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMjt
18
+ xjn8ArkEqQNrRjEeyZAOyr0O8+WZ54AcObsKg2osrcAW6iFd7tjnTFclQHmZgje+
19
+ cwxeF/YG4PbA72ElmCvjn8vQJkdgHspKds1otSozvTF2VDnyAEg0nDTMgkQGQy4R
20
+ HX3NHXMJ8UCAJv2IV/FsItzcPzPmhhf6vu/QaNrmAm3/nF52EsMSEJNC9eTPWudC
21
+ kPgt19T9LRKMk5YbXDM6jWGRubusE03bTwY3RThqYM5ra1DwI/HpWKsKdmNrBbse
22
+ f065WyR7RNAxindc2wMyq1EaInmO7Vds+rsOFZ4ZnO90z046ywmTLTadqlfuc9Qo
23
+ CEw/AhYB6f6DLH8ICkMCAwEAAaOBhDCBgTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIE
24
+ sDAdBgNVHQ4EFgQUmIuIvxLr7ziB52LOpVgd694EfaEwIwYDVR0RBBwwGoEYanVz
25
+ dGluQHByZXNpZGVudGJlZWYuY29tMCMGA1UdEgQcMBqBGGp1c3RpbkBwcmVzaWRl
26
+ bnRiZWVmLmNvbTANBgkqhkiG9w0BAQUFAAOCAQEAbgSKdn/VSDdl5H2ayE+OM662
27
+ gTJWP1CWfbcRVJW/UDjDucEF42t6V/dZTDmwyYTR8Qv+5FsQoPHsDsD3Jr1E62dl
28
+ VYDeUkbmiV5f8fANbvnGUknzrHwp2T0/URxiIY8oFcaCGT+iua9zlNU20+XhB9JN
29
+ fsOSUNBuuE/MYGA37MR1sP7lFHr5e7I1Qk1x3HvjNB/kSv1+Cj26Lde1ehvMqpmi
30
+ bxoxp9KNxkO+709YwLO1rYfmcGghg8WV6MYz3PSHdlgWF4KrjRFc/00hXHqVk0Sf
31
+ mREEv2LPwHH2SgpSSab+iawnX4l6lV8XcIrmp/HSMySsPVFBeOmB0c05LpEN8w==
32
+ -----END CERTIFICATE-----
33
+ date: 2015-01-03 00:00:00.000000000 Z
39
34
  dependencies:
40
35
  - !ruby/object:Gem::Dependency
41
36
  name: ruby_parser
42
37
  requirement: !ruby/object:Gem::Requirement
43
38
  requirements:
44
- - - ~>
39
+ - - "~>"
45
40
  - !ruby/object:Gem::Version
46
41
  version: 3.5.0
47
42
  type: :runtime
48
43
  prerelease: false
49
44
  version_requirements: !ruby/object:Gem::Requirement
50
45
  requirements:
51
- - - ~>
46
+ - - "~>"
52
47
  - !ruby/object:Gem::Version
53
48
  version: 3.5.0
54
49
  - !ruby/object:Gem::Dependency
55
50
  name: ruby2ruby
56
51
  requirement: !ruby/object:Gem::Requirement
57
52
  requirements:
58
- - - ~>
53
+ - - "~>"
59
54
  - !ruby/object:Gem::Version
60
55
  version: 2.1.1
61
56
  type: :runtime
62
57
  prerelease: false
63
58
  version_requirements: !ruby/object:Gem::Requirement
64
59
  requirements:
65
- - - ~>
60
+ - - "~>"
66
61
  - !ruby/object:Gem::Version
67
62
  version: 2.1.1
68
63
  - !ruby/object:Gem::Dependency
69
64
  name: terminal-table
70
65
  requirement: !ruby/object:Gem::Requirement
71
66
  requirements:
72
- - - ~>
67
+ - - "~>"
73
68
  - !ruby/object:Gem::Version
74
69
  version: '1.4'
75
70
  type: :runtime
76
71
  prerelease: false
77
72
  version_requirements: !ruby/object:Gem::Requirement
78
73
  requirements:
79
- - - ~>
74
+ - - "~>"
80
75
  - !ruby/object:Gem::Version
81
76
  version: '1.4'
82
77
  - !ruby/object:Gem::Dependency
83
78
  name: fastercsv
84
79
  requirement: !ruby/object:Gem::Requirement
85
80
  requirements:
86
- - - ~>
81
+ - - "~>"
87
82
  - !ruby/object:Gem::Version
88
83
  version: '1.5'
89
84
  type: :runtime
90
85
  prerelease: false
91
86
  version_requirements: !ruby/object:Gem::Requirement
92
87
  requirements:
93
- - - ~>
88
+ - - "~>"
94
89
  - !ruby/object:Gem::Version
95
90
  version: '1.5'
96
91
  - !ruby/object:Gem::Dependency
97
92
  name: highline
98
93
  requirement: !ruby/object:Gem::Requirement
99
94
  requirements:
100
- - - ~>
95
+ - - "~>"
101
96
  - !ruby/object:Gem::Version
102
97
  version: 1.6.20
103
98
  type: :runtime
104
99
  prerelease: false
105
100
  version_requirements: !ruby/object:Gem::Requirement
106
101
  requirements:
107
- - - ~>
102
+ - - "~>"
108
103
  - !ruby/object:Gem::Version
109
104
  version: 1.6.20
110
105
  - !ruby/object:Gem::Dependency
111
106
  name: erubis
112
107
  requirement: !ruby/object:Gem::Requirement
113
108
  requirements:
114
- - - ~>
109
+ - - "~>"
115
110
  - !ruby/object:Gem::Version
116
111
  version: '2.6'
117
112
  type: :runtime
118
113
  prerelease: false
119
114
  version_requirements: !ruby/object:Gem::Requirement
120
115
  requirements:
121
- - - ~>
116
+ - - "~>"
122
117
  - !ruby/object:Gem::Version
123
118
  version: '2.6'
124
119
  - !ruby/object:Gem::Dependency
125
120
  name: haml
126
121
  requirement: !ruby/object:Gem::Requirement
127
122
  requirements:
128
- - - ! '>='
123
+ - - ">="
129
124
  - !ruby/object:Gem::Version
130
125
  version: '3.0'
131
- - - <
126
+ - - "<"
132
127
  - !ruby/object:Gem::Version
133
128
  version: '5.0'
134
129
  type: :runtime
135
130
  prerelease: false
136
131
  version_requirements: !ruby/object:Gem::Requirement
137
132
  requirements:
138
- - - ! '>='
133
+ - - ">="
139
134
  - !ruby/object:Gem::Version
140
135
  version: '3.0'
141
- - - <
136
+ - - "<"
142
137
  - !ruby/object:Gem::Version
143
138
  version: '5.0'
144
139
  - !ruby/object:Gem::Dependency
145
140
  name: sass
146
141
  requirement: !ruby/object:Gem::Requirement
147
142
  requirements:
148
- - - ~>
143
+ - - "~>"
149
144
  - !ruby/object:Gem::Version
150
145
  version: '3.0'
151
146
  type: :runtime
152
147
  prerelease: false
153
148
  version_requirements: !ruby/object:Gem::Requirement
154
149
  requirements:
155
- - - ~>
150
+ - - "~>"
156
151
  - !ruby/object:Gem::Version
157
152
  version: '3.0'
158
153
  - !ruby/object:Gem::Dependency
159
154
  name: slim
160
155
  requirement: !ruby/object:Gem::Requirement
161
156
  requirements:
162
- - - ! '>='
157
+ - - ">="
163
158
  - !ruby/object:Gem::Version
164
159
  version: 1.3.6
165
- - - <
160
+ - - "<"
166
161
  - !ruby/object:Gem::Version
167
162
  version: '3.0'
168
163
  type: :runtime
169
164
  prerelease: false
170
165
  version_requirements: !ruby/object:Gem::Requirement
171
166
  requirements:
172
- - - ! '>='
167
+ - - ">="
173
168
  - !ruby/object:Gem::Version
174
169
  version: 1.3.6
175
- - - <
170
+ - - "<"
176
171
  - !ruby/object:Gem::Version
177
172
  version: '3.0'
178
173
  - !ruby/object:Gem::Dependency
179
174
  name: multi_json
180
175
  requirement: !ruby/object:Gem::Requirement
181
176
  requirements:
182
- - - ~>
177
+ - - "~>"
183
178
  - !ruby/object:Gem::Version
184
179
  version: '1.2'
185
180
  type: :runtime
186
181
  prerelease: false
187
182
  version_requirements: !ruby/object:Gem::Requirement
188
183
  requirements:
189
- - - ~>
184
+ - - "~>"
190
185
  - !ruby/object:Gem::Version
191
186
  version: '1.2'
192
187
  description: Brakeman detects security vulnerabilities in Ruby on Rails applications
@@ -220,6 +215,7 @@ files:
220
215
  - lib/brakeman/checks/check_evaluation.rb
221
216
  - lib/brakeman/checks/check_execute.rb
222
217
  - lib/brakeman/checks/check_file_access.rb
218
+ - lib/brakeman/checks/check_file_disclosure.rb
223
219
  - lib/brakeman/checks/check_filter_skipping.rb
224
220
  - lib/brakeman/checks/check_forgery_setting.rb
225
221
  - lib/brakeman/checks/check_header_dos.rb
@@ -240,6 +236,7 @@ files:
240
236
  - lib/brakeman/checks/check_regex_dos.rb
241
237
  - lib/brakeman/checks/check_render.rb
242
238
  - lib/brakeman/checks/check_render_dos.rb
239
+ - lib/brakeman/checks/check_render_inline.rb
243
240
  - lib/brakeman/checks/check_response_splitting.rb
244
241
  - lib/brakeman/checks/check_safe_buffer_manipulation.rb
245
242
  - lib/brakeman/checks/check_sanitize_methods.rb
@@ -256,6 +253,7 @@ files:
256
253
  - lib/brakeman/checks/check_ssl_verify.rb
257
254
  - lib/brakeman/checks/check_strip_tags.rb
258
255
  - lib/brakeman/checks/check_symbol_dos.rb
256
+ - lib/brakeman/checks/check_symbol_dos_cve.rb
259
257
  - lib/brakeman/checks/check_translate_bug.rb
260
258
  - lib/brakeman/checks/check_unsafe_reflection.rb
261
259
  - lib/brakeman/checks/check_unscoped_find.rb
@@ -280,6 +278,7 @@ files:
280
278
  - lib/brakeman/processors/erubis_template_processor.rb
281
279
  - lib/brakeman/processors/gem_processor.rb
282
280
  - lib/brakeman/processors/haml_template_processor.rb
281
+ - lib/brakeman/processors/lib/basic_processor.rb
283
282
  - lib/brakeman/processors/lib/find_all_calls.rb
284
283
  - lib/brakeman/processors/lib/find_call.rb
285
284
  - lib/brakeman/processors/lib/find_return_value.rb
@@ -341,17 +340,17 @@ require_paths:
341
340
  - lib
342
341
  required_ruby_version: !ruby/object:Gem::Requirement
343
342
  requirements:
344
- - - ! '>='
343
+ - - ">="
345
344
  - !ruby/object:Gem::Version
346
345
  version: '0'
347
346
  required_rubygems_version: !ruby/object:Gem::Requirement
348
347
  requirements:
349
- - - ! '>='
348
+ - - ">="
350
349
  - !ruby/object:Gem::Version
351
350
  version: '0'
352
351
  requirements: []
353
352
  rubyforge_project:
354
- rubygems_version: 2.3.0
353
+ rubygems_version: 2.4.5
355
354
  signing_key:
356
355
  specification_version: 4
357
356
  summary: Security vulnerability scanner for Ruby on Rails.