brakeman 2.6.3 → 3.0.0

Files changed (61)
  1. checksums.yaml +5 -13
  2. checksums.yaml.gz.sig +0 -0
  3. data.tar.gz.sig +0 -0
  4. data/CHANGES +19 -0
  5. data/bin/brakeman +1 -1
  6. data/lib/brakeman.rb +4 -2
  7. data/lib/brakeman/app_tree.rb +1 -1
  8. data/lib/brakeman/checks/base_check.rb +9 -7
  9. data/lib/brakeman/checks/check_create_with.rb +1 -1
  10. data/lib/brakeman/checks/check_cross_site_scripting.rb +46 -42
  11. data/lib/brakeman/checks/check_digest_dos.rb +1 -1
  12. data/lib/brakeman/checks/check_escape_function.rb +3 -3
  13. data/lib/brakeman/checks/check_file_disclosure.rb +35 -0
  14. data/lib/brakeman/checks/check_filter_skipping.rb +1 -1
  15. data/lib/brakeman/checks/check_forgery_setting.rb +2 -2
  16. data/lib/brakeman/checks/check_header_dos.rb +1 -1
  17. data/lib/brakeman/checks/check_i18n_xss.rb +2 -3
  18. data/lib/brakeman/checks/check_jruby_xml.rb +1 -1
  19. data/lib/brakeman/checks/check_json_parsing.rb +9 -4
  20. data/lib/brakeman/checks/check_mail_to.rb +1 -1
  21. data/lib/brakeman/checks/check_nested_attributes.rb +1 -1
  22. data/lib/brakeman/checks/check_number_to_currency.rb +1 -1
  23. data/lib/brakeman/checks/check_quote_table_name.rb +1 -1
  24. data/lib/brakeman/checks/check_render.rb +3 -3
  25. data/lib/brakeman/checks/check_render_dos.rb +1 -1
  26. data/lib/brakeman/checks/check_render_inline.rb +42 -0
  27. data/lib/brakeman/checks/check_response_splitting.rb +1 -1
  28. data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +1 -1
  29. data/lib/brakeman/checks/check_simple_format.rb +2 -2
  30. data/lib/brakeman/checks/check_single_quotes.rb +1 -1
  31. data/lib/brakeman/checks/check_skip_before_filter.rb +1 -1
  32. data/lib/brakeman/checks/check_sql_cves.rb +2 -2
  33. data/lib/brakeman/checks/check_strip_tags.rb +2 -2
  34. data/lib/brakeman/checks/check_symbol_dos.rb +2 -23
  35. data/lib/brakeman/checks/check_symbol_dos_cve.rb +30 -0
  36. data/lib/brakeman/checks/check_translate_bug.rb +1 -1
  37. data/lib/brakeman/checks/check_yaml_parsing.rb +2 -2
  38. data/lib/brakeman/options.rb +6 -2
  39. data/lib/brakeman/parsers/rails3_erubis.rb +2 -2
  40. data/lib/brakeman/processors/alias_processor.rb +54 -1
  41. data/lib/brakeman/processors/base_processor.rb +0 -8
  42. data/lib/brakeman/processors/controller_alias_processor.rb +40 -2
  43. data/lib/brakeman/processors/controller_processor.rb +5 -3
  44. data/lib/brakeman/processors/gem_processor.rb +13 -9
  45. data/lib/brakeman/processors/lib/basic_processor.rb +17 -0
  46. data/lib/brakeman/processors/lib/find_all_calls.rb +2 -2
  47. data/lib/brakeman/processors/lib/find_call.rb +2 -2
  48. data/lib/brakeman/processors/lib/processor_helper.rb +9 -0
  49. data/lib/brakeman/processors/lib/rails2_config_processor.rb +3 -1
  50. data/lib/brakeman/processors/lib/rails2_route_processor.rb +3 -3
  51. data/lib/brakeman/processors/lib/rails3_config_processor.rb +4 -1
  52. data/lib/brakeman/processors/lib/rails3_route_processor.rb +4 -2
  53. data/lib/brakeman/processors/output_processor.rb +1 -7
  54. data/lib/brakeman/report/report_json.rb +1 -1
  55. data/lib/brakeman/tracker.rb +7 -1
  56. data/lib/brakeman/version.rb +1 -1
  57. data/lib/brakeman/warning.rb +15 -1
  58. data/lib/brakeman/warning_codes.rb +3 -0
  59. data/lib/ruby_parser/bm_sexp.rb +17 -5
  60. metadata +55 -56
  61. metadata.gz.sig +0 -0
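--- a/data/lib/brakeman/processors/controller_processor.rb
+++ b/data/lib/brakeman/processors/controller_processor.rb
@@ -67,7 +67,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
  :public => {},
  :private => {},
  :protected => {},
- :options => {:before_filters => []},
+ :options => {:before_filters => [], :skip_filters => []},
  :src => { @file_name => exp },
  :files => [ @file_name ]
  }
@@ -158,9 +158,11 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
  when :include
  @current_class[:includes] << class_name(first_arg) if @current_class
  when :before_filter, :append_before_filter, :before_action, :append_before_action
- @current_class[:options][:before_filters] << exp.args
+ @current_class[:options][:before_filters] << exp
  when :prepend_before_filter, :prepend_before_action
- @current_class[:options][:before_filters].unshift exp.args
+ @current_class[:options][:before_filters].unshift exp
+ when :skip_before_filter, :skip_filter, :skip_before_action, :skip_action_callback
+ @current_class[:options][:skip_filters] << exp
  when :layout
  if string? last_arg
  #layout "some_layout"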
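Review bot: The new `:skip_before_filter` branch dereferences `@current_class[:options]` without the `if @current_class` guard that the `:include` branch a few lines above uses, so a skip call seen outside a class body would raise NoMethodError on nil instead of being ignored; `@current_class[:options][:skip_filters] << exp if @current_class` keeps the two branches consistent. The existing before_filter branches have the same unguarded shape, so if the assumption is that these calls only ever appear inside a controller class, a one-line comment saying so is the alternative. Storing the whole call `exp` instead of `exp.args` changes the element type of `:before_filters`, so every reader of that array (controller_alias_processor.rb is in the diffstat) must agree on the new shape. The enclosing `case` starts before this hunk.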
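--- a/data/lib/brakeman/processors/gem_processor.rb
+++ b/data/lib/brakeman/processors/gem_processor.rb
@@ -1,7 +1,7 @@
- require 'brakeman/processors/base_processor'
+ require 'brakeman/processors/lib/basic_processor'
 
  #Processes Gemfile and Gemfile.lock
- class Brakeman::GemProcessor < Brakeman::BaseProcessor
+ class Brakeman::GemProcessor < Brakeman::BasicProcessor
 
  def initialize *args
  super
@@ -14,9 +14,11 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
 
  if gem_lock
  process_gem_lock gem_lock
- @tracker.config[:rails_version] = @tracker.config[:gems][:rails]
- elsif @tracker.config[:gems][:rails] =~ /(\d+.\d+.\d+)/
+ @tracker.config[:rails_version] = @tracker.config[:gems][:rails][:version] if @tracker.config[:gems][:rails]
+ elsif @tracker.config[:gems] && @tracker.config[:gems][:rails] && @tracker.config[:gems][:rails][:version] =~ /(\d+.\d+.\d+)/
  @tracker.config[:rails_version] = $1
+ else
+ @tracker.config[:rails_version] = nil
  end
 
  if @tracker.options[:rails3].nil? and @tracker.options[:rails4].nil? and @tracker.config[:rails_version]
@@ -45,9 +47,9 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
  gem_version = exp.second_arg
 
  if string? gem_version
- @tracker.config[:gems][gem_name.value.to_sym] = gem_version.value
+ @tracker.config[:gems][gem_name.value.to_sym] = { :version => gem_version.value.to_s, :file => 'Gemfile', :line => exp.line }
  else
- @tracker.config[:gems][gem_name.value.to_sym] = ">=0.0.0"
+ @tracker.config[:gems][gem_name.value.to_sym] = { :version => nil, :file => 'Gemfile' , :line => exp.line }
  end
  end
 
@@ -55,15 +57,17 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
  end
 
  def process_gem_lock gem_lock
+ line_num = 1
  gem_lock.each_line do |line|
- set_gem_version line
+ set_gem_version_and_file line, 'Gemfile.lock', line_num
+ line_num += 1
  end
  end
 
  # Supports .rc2 but not ~>, >=, or <=
- def set_gem_version line
+ def set_gem_version_and_file line, file, line_num
  if line =~ @gem_name_version
- @tracker.config[:gems][$1.to_sym] = { :version => $2, :file => file, :line => line_num }
+ @tracker.config[:gems][$1.to_sym] = { :version => $2, :file => file, :line => line_num }
  end
  end
  end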
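Review bot: When a Gemfile.lock is present but has no rails entry, `@tracker.config[:rails_version]` is left untouched because the `if @tracker.config[:gems][:rails]` modifier skips the assignment, whereas the final `else` branch explicitly resets it to nil; since rails_version gates the version-specific CVE checks, a stale or pre-set value here can silently change which CVE warnings fire. Assigning unconditionally avoids the asymmetry: `@tracker.config[:rails_version] = @tracker.config[:gems][:rails] && @tracker.config[:gems][:rails][:version]`. The manual `line_num` counter in `process_gem_lock` is more idiomatic as `gem_lock.each_line.with_index(1) do |line, line_num|`. The comment on `set_gem_version_and_file` ("Supports .rc2 but not ~>, >=, or <=") should also note that the Gemfile branch stores the raw requirement string (for example `"~> 4.1"`) as `:version`, which the later `=~ /(\d+.\d+.\d+)/` only matches when three numeric components are present.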
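--- /dev/null
+++ b/data/lib/brakeman/processors/lib/basic_processor.rb
@@ -0,0 +1,17 @@
+ require 'brakeman/processors/lib/processor_helper'
+ require 'brakeman/util'
+
+ class Brakeman::BasicProcessor < Brakeman::SexpProcessor
+ include Brakeman::ProcessorHelper
+ include Brakeman::Util
+
+ def initialize tracker
+ super()
+ @tracker = tracker
+ @current_template = @current_module = @current_class = @current_method = nil
+ end
+
+ def process_default exp
+ process_all exp
+ end
+ end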
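Review bot: `Brakeman::BasicProcessor` has no header comment, although this release makes it the base class for GemProcessor, FindAllCalls, FindCall and the Rails 2/3 config and route processors. Suggest above the class: `#Minimal SexpProcessor base for processors that only need the ProcessorHelper/Util mixins and a tracker; process_default simply walks child nodes with process_all.` Note also that `process_default` returns whatever `process_all` returns; if callers expect the processed `exp` back, `process_all exp` followed by `exp` would make that contract explicit rather than relying on process_all's return value.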
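--- a/data/lib/brakeman/processors/lib/find_all_calls.rb
+++ b/data/lib/brakeman/processors/lib/find_all_calls.rb
@@ -1,6 +1,6 @@
- require 'brakeman/processors/base_processor'
+ require 'brakeman/processors/lib/basic_processor'
 
- class Brakeman::FindAllCalls < Brakeman::BaseProcessor
+ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
  attr_reader :calls
 
  def initialize tracker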
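--- a/data/lib/brakeman/processors/lib/find_call.rb
+++ b/data/lib/brakeman/processors/lib/find_call.rb
@@ -1,4 +1,4 @@
- require 'brakeman/processors/base_processor'
+ require 'brakeman/processors/lib/basic_processor'
 
  #Finds method calls matching the given target(s).
  # #-- This should be deprecated --#
@@ -31,7 +31,7 @@ require 'brakeman/processors/base_processor'
  #
  # #Find all calls to sub, sub!, gsub, or gsub!
  # FindCall.new nil, /^g?sub!?$/
- class Brakeman::FindCall < Brakeman::BaseProcessor
+ class Brakeman::FindCall < Brakeman::BasicProcessor
 
  def initialize targets, methods, tracker, in_depth = false
  super tracker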
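--- a/data/lib/brakeman/processors/lib/processor_helper.rb
+++ b/data/lib/brakeman/processors/lib/processor_helper.rb
@@ -29,6 +29,15 @@ module Brakeman::ProcessorHelper
 
  exp
  end
+
+ def process_class exp
+ current_class = @current_class
+ @current_class = class_name exp[1]
+ process_all exp.body
+ @current_class = current_class
+ exp
+ end
+
  #Sets the current module.
  def process_module exp
  module_name = class_name(exp.class_name).to_s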
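Review bot: `process_class` reads the class name with the positional `exp[1]` while `process_module` directly below uses the named accessor `exp.class_name`; `@current_class = class_name exp.class_name` keeps the two helpers consistent and readable. The outer `@current_class` is only restored on the normal path, so if `process_all` raises the helper leaves `@current_class` pointing at the inner class; wrapping the restore in `ensure` avoids that. A comment in the style of the neighbouring `#Sets the current module.` is also missing, e.g. `#Sets the current class while its body is processed, then restores the outer one.`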
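--- a/data/lib/brakeman/processors/lib/rails2_config_processor.rb
+++ b/data/lib/brakeman/processors/lib/rails2_config_processor.rb
@@ -1,3 +1,5 @@
+ require 'brakeman/processors/lib/basic_processor'
+
  #Processes configuration. Results are put in tracker.config.
  #
  #Configuration of Rails via Rails::Initializer are stored in tracker.config[:rails].
@@ -12,7 +14,7 @@
  # tracker.config[:rails][:action_controller][:session_store]
  #
  #Values for tracker.config[:rails] will still be Sexps.
- class Brakeman::Rails2ConfigProcessor < Brakeman::BaseProcessor
+ class Brakeman::Rails2ConfigProcessor < Brakeman::BasicProcessor
  #Replace block variable in
  #
  # Rails::Initializer.run |config|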
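--- a/data/lib/brakeman/processors/lib/rails2_route_processor.rb
+++ b/data/lib/brakeman/processors/lib/rails2_route_processor.rb
@@ -1,10 +1,10 @@
- require 'brakeman/processors/base_processor'
+ require 'brakeman/processors/lib/basic_processor'
 
  #Processes the Sexp from routes.rb. Stores results in tracker.routes.
  #
  #Note that it is only interested in determining what methods on which
  #controllers are used as routes, not the generated URLs for routes.
- class Brakeman::Rails2RoutesProcessor < Brakeman::BaseProcessor
+ class Brakeman::Rails2RoutesProcessor < Brakeman::BasicProcessor
  include Brakeman::RouteHelper
 
  attr_reader :map, :nested, :current_controller
@@ -76,7 +76,7 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BaseProcessor
  end
  exp
  else
- super
+ process_default exp
  end
  end
 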
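--- a/data/lib/brakeman/processors/lib/rails3_config_processor.rb
+++ b/data/lib/brakeman/processors/lib/rails3_config_processor.rb
@@ -1,3 +1,6 @@
+
+ require 'brakeman/processors/lib/basic_processor'
+
  #Processes configuration. Results are put in tracker.config.
  #
  #Configuration of Rails via Rails::Initializer are stored in tracker.config[:rails].
@@ -12,7 +15,7 @@
  # tracker.config[:rails][:active_record][:whitelist_attributes]
  #
  #Values for tracker.config[:rails] will still be Sexps.
- class Brakeman::Rails3ConfigProcessor < Brakeman::BaseProcessor
+ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
  RAILS_CONFIG = Sexp.new(:call, nil, :config)
 
  def initialize *args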
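--- a/data/lib/brakeman/processors/lib/rails3_route_processor.rb
+++ b/data/lib/brakeman/processors/lib/rails3_route_processor.rb
@@ -1,8 +1,10 @@
+ require 'brakeman/processors/lib/basic_processor'
+
  #Processes the Sexp from routes.rb. Stores results in tracker.routes.
  #
  #Note that it is only interested in determining what methods on which
  #controllers are used as routes, not the generated URLs for routes.
- class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
+ class Brakeman::Rails3RoutesProcessor < Brakeman::BasicProcessor
  include Brakeman::RouteHelper
 
  attr_reader :map, :nested, :current_controller
@@ -53,7 +55,7 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
  when :controller
  process_controller_block exp
  else
- super
+ process_default exp
  end
  end
 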
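--- a/data/lib/brakeman/processors/output_processor.rb
+++ b/data/lib/brakeman/processors/output_processor.rb
@@ -23,12 +23,6 @@ class Brakeman::OutputProcessor < Ruby2Ruby
  end
  end
 
- def process_lvar exp
- out = "(local #{exp[0]})"
- exp.clear
- out
- end
-
  def process_ignore exp
  exp.clear
  "[ignored]"
@@ -78,7 +72,7 @@ class Brakeman::OutputProcessor < Ruby2Ruby
  elsif string? e
  e[1]
  else
- process e
+ "\#{#{process e}}"
  end
  end.join
  exp.clear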
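--- a/data/lib/brakeman/report/report_json.rb
+++ b/data/lib/brakeman/report/report_json.rb
@@ -40,6 +40,6 @@ class Brakeman::Report::JSON < Brakeman::Report::Base
  hash = w.to_hash
  hash[:file] = warning_file w
  hash
- end.sort_by { |w| w[:file] }
+ end.sort_by { |w| "#{w[:fingerprint]}#{w[:line]}" }
  end
  end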
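Review bot: The new sort key `"#{w[:fingerprint]}#{w[:line]}"` concatenates the line number as text, so line 10 sorts before line 9 and a nil line collapses to the fingerprint alone; an array key sorts correctly and handles nil: `end.sort_by { |w| [w[:fingerprint].to_s, w[:line].to_i] }`. This assumes `w.to_hash` emits a `:fingerprint` key, which is not visible in this hunk and should be confirmed in warning.rb. Deterministic ordering matters here because JSON reports are routinely diffed between scans.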
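--- a/data/lib/brakeman/tracker.rb
+++ b/data/lib/brakeman/tracker.rb
@@ -83,7 +83,13 @@ class Brakeman::Tracker
 
  #Iterate over all methods in controllers and models.
  def each_method
- [self.controllers, self.models].each do |set|
+ classes = [self.controllers, self.models]
+
+ if @options[:index_libs]
+ classes << self.libs
+ end
+
+ classes.each do |set|
  set.each do |set_name, info|
  [:private, :public, :protected].each do |visibility|
  info[visibility].each do |method_name, definition|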
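Review bot: The comment `#Iterate over all methods in controllers and models.` is now incomplete, because when `@options[:index_libs]` is set the loop also walks `self.libs`. Suggest `#Iterate over all methods in controllers and models (and in libs when :index_libs is set).` The body of `each_method` continues past the end of this hunk.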
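--- a/data/lib/brakeman/version.rb
+++ b/data/lib/brakeman/version.rb
@@ -1,3 +1,3 @@
  module Brakeman
- Version = "2.6.3"
+ Version = "3.0.0"
  end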
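--- a/data/lib/brakeman/warning.rb
+++ b/data/lib/brakeman/warning.rb
@@ -16,7 +16,7 @@ class Brakeman::Warning
  def initialize options = {}
  @view_name = nil
 
- [:called_from, :check, :class, :code, :confidence, :controller, :file, :line, :link_path,
+ [:called_from, :check, :class, :code, :confidence, :controller, :file, :gem_info, :line, :link_path,
  :message, :method, :model, :relative_path, :template, :user_input, :warning_set, :warning_type].each do |option|
 
  self.instance_variable_set("@#{option}", options[option])
@@ -35,6 +35,10 @@ class Brakeman::Warning
  end
  end
 
+ if @method.to_s =~ /^fake_filter\d+/
+ @method = :before_filter
+ end
+
  if not @line
  if @user_input and @user_input.respond_to? :line
  @line = @user_input.line
@@ -43,6 +47,16 @@ class Brakeman::Warning
  end
  end
 
+ if @gem_info
+ if @gem_info.is_a? Hash
+ @line ||= @gem_info[:line]
+ @file ||= @gem_info[:file]
+ else
+ # Fallback behavior returns just a string for the file name
+ @file ||= @gem_info
+ end
+ end
+
  unless @warning_set
  if self.model
  @warning_set = :model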
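Review bot: `@method.to_s =~ /^fake_filter\d+/` anchors with `^`, which in Ruby matches at the start of any line rather than the start of the string; `\A` is the intended anchor: `if @method.to_s =~ /\Afake_filter\d+/`. A one-line comment saying where `fake_filter` names originate (presumably synthesized filter methods in controller_alias_processor.rb, which this release also changes) would spare the next reader a search. In the `@gem_info` block, the fallback comment says the value is "just a string", but `@file ||= @gem_info` accepts any non-Hash object, so either the comment should state that contract or the branch should coerce with `@gem_info.to_s`.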
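--- a/data/lib/brakeman/warning_codes.rb
+++ b/data/lib/brakeman/warning_codes.rb
@@ -84,6 +84,9 @@ module Brakeman::WarningCodes
  :CVE_2014_3514 => 80,
  :CVE_2014_3514_call => 81,
  :unscoped_find => 82,
+ :CVE_2011_2932 => 83,
+ :cross_site_scripting_inline => 84,
+ :CVE_2014_7829 => 85,
  }
 
  def self.code name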
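--- a/data/lib/ruby_parser/bm_sexp.rb
+++ b/data/lib/ruby_parser/bm_sexp.rb
@@ -4,7 +4,7 @@
  class Sexp
  attr_reader :paren
  attr_accessor :original_line, :or_depth
- ASSIGNMENT_BOOL = [:gasgn, :iasgn, :lasgn, :cvdecl, :cdecl, :or, :and, :colon2]
+ ASSIGNMENT_BOOL = [:gasgn, :iasgn, :lasgn, :cvdecl, :cvasgn, :cdecl, :or, :and, :colon2]
 
  def method_missing name, *args
  #Brakeman does not use this functionality,
@@ -419,6 +419,7 @@ class Sexp
  #Sets the left hand side of assignment or boolean.
  def lhs= exp
  expect *ASSIGNMENT_BOOL
+ @my_hash_value = nil
  self[1] = exp
  end
 
@@ -427,14 +428,25 @@ class Sexp
  # s(:lasgn, :x, s(:lit, 1))
  # ^--rhs---^
  def rhs
- expect *ASSIGNMENT_BOOL
- self[2]
+ expect :attrasgn, *ASSIGNMENT_BOOL
+
+ if self.node_type == :attrasgn
+ self[3]
+ else
+ self[2]
+ end
  end
 
  #Sets the right hand side of assignment or boolean.
  def rhs= exp
- expect *ASSIGNMENT_BOOL
- self[2] = exp
+ expect :attrasgn, *ASSIGNMENT_BOOL
+ @my_hash_value = nil
+
+ if self.node_type == :attrasgn
+ self[3] = exp
+ else
+ self[2] = exp
+ end
  end
 
  #Returns name of method being defined in a method definition.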
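Review bot: For `:attrasgn`, `rhs` returns `self[3]`, which is the assigned value for `s(:attrasgn, recv, :foo=, val)` but, as far as I recall ruby_parser's shape for index assignment `a[i] = v` (`s(:attrasgn, recv, :[]=, idx, val)`), would be the index rather than the value; `self.last` in `rhs` and `self[-1] = exp` in `rhs=` would cover both forms, or the single-argument limitation should be stated in the comment. The `#Sets the right hand side of assignment or boolean.` comments above `rhs`/`rhs=` no longer mention `:attrasgn`, and `lhs=` still rejects it while the rhs accessors accept it, so a comment explaining the asymmetry would help the next reader. Invalidating `@my_hash_value` in the setters is the right call given the node is mutated in place.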
metadata CHANGED
@@ -1,192 +1,187 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: brakeman
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.6.3
4
+ version: 3.0.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Justin Collins
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain:
11
- - !binary |-
12
- LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURMakNDQWhhZ0F3SUJB
13
- Z0lCQURBTkJna3Foa2lHOXcwQkFRVUZBREE5TVF3d0NnWURWUVFEREFOblpX
14
- MHgKR0RBV0Jnb0praWFKay9Jc1pBRVpGZ2hpY21GclpXMWhiakVUTUJFR0Nn
15
- bVNKb21UOGl4a0FSa1dBMjl5WnpBZQpGdzB4TXpFeU1USXdNRE14TlRkYUZ3
16
- MHhOREV5TVRJd01ETXhOVGRhTUQweEREQUtCZ05WQkFNTUEyZGxiVEVZCk1C
17
- WUdDZ21TSm9tVDhpeGtBUmtXQ0dKeVlXdGxiV0Z1TVJNd0VRWUtDWkltaVpQ
18
- eUxHUUJHUllEYjNKbk1JSUIKSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4
19
- QU1JSUJDZ0tDQVFFQXhDSG1YQ2FBY1o0YlZqaWpLb3lRRng0TgpkeU43Qjdi
20
- cVk4d09YeTZmL1VaNm1kQzhJUkFqODJLYVdRak5FMkxUL09iRlVXcENSeUxk
21
- cndqa0RqZEZEeU9UCm1aQ1praU9lRXkyWnhZR2Z4WE1JL3hnMjRjOHI1WG1o
22
- MTZFcnNZdXByUmNnKy9LWjZzNFVqc2VCTlRBUm1CSzQKSUhjcUlkbm9XYllh
23
- M0JXSG9mbEpQYUpVSWFVKy95VGNsekZRSHBzd1U3a2E4ZnRJQVdlb0RRbzIy
24
- Z2FzUC80TgpIdEp2QUl5ZzFEY1dQTGNuMHFiWm1kZWhnOEhadjhDKzJNdUxL
25
- WC8ycVpHOWVzZWVnTXFNbEhIYWJ3d0V5OVZ2CmYvdC8rbHRMakMwQ1JhMlRx
26
- WjJFdVE1RUV6Yk9zcUFmdGFaSkZtd3Y5VXQxVWhqbWR2UjVSZk42ZFdNUTVR
27
- SUQKQVFBQm96a3dOekFMQmdOVkhROEVCQU1DQkxBd0hRWURWUjBPQkJZRUZQ
28
- eUVLZVJ5MDlpOHFTcis5S0ZiZVRxdwprTUNTTUFrR0ExVWRFd1FDTUFBd0RR
29
- WUpLb1pJaHZjTkFRRUZCUUFEZ2dFQkFMRWs4L1dubDJWQXFjaHhXbGJnClJO
30
- ME1rVlVXTWY4TDB4eFVpVktvNVFlTDROQlZpQUxNQnJVNklTNHk2enluK0Zv
31
- VUxBTUVhd1VqWmxaZjRIY2cKUzl1bmV2M3ArUlRXVXlrc0FuQTI3d0hacy9O
32
- UklrVzM0czFaSTVOTkUveHl1NFVMT1FqZmgxd09qbFd6eUh1OQowdDQxL0N0
33
- cGdOUE0ydUFqRzNSSXFscDdRS1hsYnk1MGNRcVdKUUNnVEgzSk5qTWhtUk9F
34
- aFRzSTZDT29BcHZkCkNlN0JyMzl5amVvYXJ2ZWtxMHdDWEJZYWtVQncvRGRa
35
- Q0c3bUZaNnhnaDAxZXFuWlVzTmQ4dk0rNlY2djIzVnUKamsydE1qRlQ0TDFk
36
- QTNNRXN6MytNUDE0NFBEaFBDaDd0UGU2eXk4MUJPdnlZVFZrS3pyQWtnS3dI
37
- RDFDdXZzSApiZHc9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
38
- date: 2014-10-14 00:00:00.000000000 Z
11
+ - |
12
+ -----BEGIN CERTIFICATE-----
13
+ MIIDijCCAnKgAwIBAgIBATANBgkqhkiG9w0BAQUFADBFMQ8wDQYDVQQDDAZqdXN0
14
+ aW4xHTAbBgoJkiaJk/IsZAEZFg1wcmVzaWRlbnRiZWVmMRMwEQYKCZImiZPyLGQB
15
+ GRYDY29tMB4XDTE1MDEwMzAxMjI0NFoXDTE2MDEwMzAxMjI0NFowRTEPMA0GA1UE
16
+ AwwGanVzdGluMR0wGwYKCZImiZPyLGQBGRYNcHJlc2lkZW50YmVlZjETMBEGCgmS
17
+ JomT8ixkARkWA2NvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMjt
18
+ xjn8ArkEqQNrRjEeyZAOyr0O8+WZ54AcObsKg2osrcAW6iFd7tjnTFclQHmZgje+
19
+ cwxeF/YG4PbA72ElmCvjn8vQJkdgHspKds1otSozvTF2VDnyAEg0nDTMgkQGQy4R
20
+ HX3NHXMJ8UCAJv2IV/FsItzcPzPmhhf6vu/QaNrmAm3/nF52EsMSEJNC9eTPWudC
21
+ kPgt19T9LRKMk5YbXDM6jWGRubusE03bTwY3RThqYM5ra1DwI/HpWKsKdmNrBbse
22
+ f065WyR7RNAxindc2wMyq1EaInmO7Vds+rsOFZ4ZnO90z046ywmTLTadqlfuc9Qo
23
+ CEw/AhYB6f6DLH8ICkMCAwEAAaOBhDCBgTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIE
24
+ sDAdBgNVHQ4EFgQUmIuIvxLr7ziB52LOpVgd694EfaEwIwYDVR0RBBwwGoEYanVz
25
+ dGluQHByZXNpZGVudGJlZWYuY29tMCMGA1UdEgQcMBqBGGp1c3RpbkBwcmVzaWRl
26
+ bnRiZWVmLmNvbTANBgkqhkiG9w0BAQUFAAOCAQEAbgSKdn/VSDdl5H2ayE+OM662
27
+ gTJWP1CWfbcRVJW/UDjDucEF42t6V/dZTDmwyYTR8Qv+5FsQoPHsDsD3Jr1E62dl
28
+ VYDeUkbmiV5f8fANbvnGUknzrHwp2T0/URxiIY8oFcaCGT+iua9zlNU20+XhB9JN
29
+ fsOSUNBuuE/MYGA37MR1sP7lFHr5e7I1Qk1x3HvjNB/kSv1+Cj26Lde1ehvMqpmi
30
+ bxoxp9KNxkO+709YwLO1rYfmcGghg8WV6MYz3PSHdlgWF4KrjRFc/00hXHqVk0Sf
31
+ mREEv2LPwHH2SgpSSab+iawnX4l6lV8XcIrmp/HSMySsPVFBeOmB0c05LpEN8w==
32
+ -----END CERTIFICATE-----
33
+ date: 2015-01-03 00:00:00.000000000 Z
39
34
  dependencies:
40
35
  - !ruby/object:Gem::Dependency
41
36
  name: ruby_parser
42
37
  requirement: !ruby/object:Gem::Requirement
43
38
  requirements:
44
- - - ~>
39
+ - - "~>"
45
40
  - !ruby/object:Gem::Version
46
41
  version: 3.5.0
47
42
  type: :runtime
48
43
  prerelease: false
49
44
  version_requirements: !ruby/object:Gem::Requirement
50
45
  requirements:
51
- - - ~>
46
+ - - "~>"
52
47
  - !ruby/object:Gem::Version
53
48
  version: 3.5.0
54
49
  - !ruby/object:Gem::Dependency
55
50
  name: ruby2ruby
56
51
  requirement: !ruby/object:Gem::Requirement
57
52
  requirements:
58
- - - ~>
53
+ - - "~>"
59
54
  - !ruby/object:Gem::Version
60
55
  version: 2.1.1
61
56
  type: :runtime
62
57
  prerelease: false
63
58
  version_requirements: !ruby/object:Gem::Requirement
64
59
  requirements:
65
- - - ~>
60
+ - - "~>"
66
61
  - !ruby/object:Gem::Version
67
62
  version: 2.1.1
68
63
  - !ruby/object:Gem::Dependency
69
64
  name: terminal-table
70
65
  requirement: !ruby/object:Gem::Requirement
71
66
  requirements:
72
- - - ~>
67
+ - - "~>"
73
68
  - !ruby/object:Gem::Version
74
69
  version: '1.4'
75
70
  type: :runtime
76
71
  prerelease: false
77
72
  version_requirements: !ruby/object:Gem::Requirement
78
73
  requirements:
79
- - - ~>
74
+ - - "~>"
80
75
  - !ruby/object:Gem::Version
81
76
  version: '1.4'
82
77
  - !ruby/object:Gem::Dependency
83
78
  name: fastercsv
84
79
  requirement: !ruby/object:Gem::Requirement
85
80
  requirements:
86
- - - ~>
81
+ - - "~>"
87
82
  - !ruby/object:Gem::Version
88
83
  version: '1.5'
89
84
  type: :runtime
90
85
  prerelease: false
91
86
  version_requirements: !ruby/object:Gem::Requirement
92
87
  requirements:
93
- - - ~>
88
+ - - "~>"
94
89
  - !ruby/object:Gem::Version
95
90
  version: '1.5'
96
91
  - !ruby/object:Gem::Dependency
97
92
  name: highline
98
93
  requirement: !ruby/object:Gem::Requirement
99
94
  requirements:
100
- - - ~>
95
+ - - "~>"
101
96
  - !ruby/object:Gem::Version
102
97
  version: 1.6.20
103
98
  type: :runtime
104
99
  prerelease: false
105
100
  version_requirements: !ruby/object:Gem::Requirement
106
101
  requirements:
107
- - - ~>
102
+ - - "~>"
108
103
  - !ruby/object:Gem::Version
109
104
  version: 1.6.20
110
105
  - !ruby/object:Gem::Dependency
111
106
  name: erubis
112
107
  requirement: !ruby/object:Gem::Requirement
113
108
  requirements:
114
- - - ~>
109
+ - - "~>"
115
110
  - !ruby/object:Gem::Version
116
111
  version: '2.6'
117
112
  type: :runtime
118
113
  prerelease: false
119
114
  version_requirements: !ruby/object:Gem::Requirement
120
115
  requirements:
121
- - - ~>
116
+ - - "~>"
122
117
  - !ruby/object:Gem::Version
123
118
  version: '2.6'
124
119
  - !ruby/object:Gem::Dependency
125
120
  name: haml
126
121
  requirement: !ruby/object:Gem::Requirement
127
122
  requirements:
128
- - - ! '>='
123
+ - - ">="
129
124
  - !ruby/object:Gem::Version
130
125
  version: '3.0'
131
- - - <
126
+ - - "<"
132
127
  - !ruby/object:Gem::Version
133
128
  version: '5.0'
134
129
  type: :runtime
135
130
  prerelease: false
136
131
  version_requirements: !ruby/object:Gem::Requirement
137
132
  requirements:
138
- - - ! '>='
133
+ - - ">="
139
134
  - !ruby/object:Gem::Version
140
135
  version: '3.0'
141
- - - <
136
+ - - "<"
142
137
  - !ruby/object:Gem::Version
143
138
  version: '5.0'
144
139
  - !ruby/object:Gem::Dependency
145
140
  name: sass
146
141
  requirement: !ruby/object:Gem::Requirement
147
142
  requirements:
148
- - - ~>
143
+ - - "~>"
149
144
  - !ruby/object:Gem::Version
150
145
  version: '3.0'
151
146
  type: :runtime
152
147
  prerelease: false
153
148
  version_requirements: !ruby/object:Gem::Requirement
154
149
  requirements:
155
- - - ~>
150
+ - - "~>"
156
151
  - !ruby/object:Gem::Version
157
152
  version: '3.0'
158
153
  - !ruby/object:Gem::Dependency
159
154
  name: slim
160
155
  requirement: !ruby/object:Gem::Requirement
161
156
  requirements:
162
- - - ! '>='
157
+ - - ">="
163
158
  - !ruby/object:Gem::Version
164
159
  version: 1.3.6
165
- - - <
160
+ - - "<"
166
161
  - !ruby/object:Gem::Version
167
162
  version: '3.0'
168
163
  type: :runtime
169
164
  prerelease: false
170
165
  version_requirements: !ruby/object:Gem::Requirement
171
166
  requirements:
172
- - - ! '>='
167
+ - - ">="
173
168
  - !ruby/object:Gem::Version
174
169
  version: 1.3.6
175
- - - <
170
+ - - "<"
176
171
  - !ruby/object:Gem::Version
177
172
  version: '3.0'
178
173
  - !ruby/object:Gem::Dependency
179
174
  name: multi_json
180
175
  requirement: !ruby/object:Gem::Requirement
181
176
  requirements:
182
- - - ~>
177
+ - - "~>"
183
178
  - !ruby/object:Gem::Version
184
179
  version: '1.2'
185
180
  type: :runtime
186
181
  prerelease: false
187
182
  version_requirements: !ruby/object:Gem::Requirement
188
183
  requirements:
189
- - - ~>
184
+ - - "~>"
190
185
  - !ruby/object:Gem::Version
191
186
  version: '1.2'
192
187
  description: Brakeman detects security vulnerabilities in Ruby on Rails applications
@@ -220,6 +215,7 @@ files:
220
215
  - lib/brakeman/checks/check_evaluation.rb
221
216
  - lib/brakeman/checks/check_execute.rb
222
217
  - lib/brakeman/checks/check_file_access.rb
218
+ - lib/brakeman/checks/check_file_disclosure.rb
223
219
  - lib/brakeman/checks/check_filter_skipping.rb
224
220
  - lib/brakeman/checks/check_forgery_setting.rb
225
221
  - lib/brakeman/checks/check_header_dos.rb
@@ -240,6 +236,7 @@ files:
240
236
  - lib/brakeman/checks/check_regex_dos.rb
241
237
  - lib/brakeman/checks/check_render.rb
242
238
  - lib/brakeman/checks/check_render_dos.rb
239
+ - lib/brakeman/checks/check_render_inline.rb
243
240
  - lib/brakeman/checks/check_response_splitting.rb
244
241
  - lib/brakeman/checks/check_safe_buffer_manipulation.rb
245
242
  - lib/brakeman/checks/check_sanitize_methods.rb
@@ -256,6 +253,7 @@ files:
256
253
  - lib/brakeman/checks/check_ssl_verify.rb
257
254
  - lib/brakeman/checks/check_strip_tags.rb
258
255
  - lib/brakeman/checks/check_symbol_dos.rb
256
+ - lib/brakeman/checks/check_symbol_dos_cve.rb
259
257
  - lib/brakeman/checks/check_translate_bug.rb
260
258
  - lib/brakeman/checks/check_unsafe_reflection.rb
261
259
  - lib/brakeman/checks/check_unscoped_find.rb
@@ -280,6 +278,7 @@ files:
280
278
  - lib/brakeman/processors/erubis_template_processor.rb
281
279
  - lib/brakeman/processors/gem_processor.rb
282
280
  - lib/brakeman/processors/haml_template_processor.rb
281
+ - lib/brakeman/processors/lib/basic_processor.rb
283
282
  - lib/brakeman/processors/lib/find_all_calls.rb
284
283
  - lib/brakeman/processors/lib/find_call.rb
285
284
  - lib/brakeman/processors/lib/find_return_value.rb
@@ -341,17 +340,17 @@ require_paths:
341
340
  - lib
342
341
  required_ruby_version: !ruby/object:Gem::Requirement
343
342
  requirements:
344
- - - ! '>='
343
+ - - ">="
345
344
  - !ruby/object:Gem::Version
346
345
  version: '0'
347
346
  required_rubygems_version: !ruby/object:Gem::Requirement
348
347
  requirements:
349
- - - ! '>='
348
+ - - ">="
350
349
  - !ruby/object:Gem::Version
351
350
  version: '0'
352
351
  requirements: []
353
352
  rubyforge_project:
354
- rubygems_version: 2.3.0
353
+ rubygems_version: 2.4.5
355
354
  signing_key:
356
355
  specification_version: 4
357
356
  summary: Security vulnerability scanner for Ruby on Rails.
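Review bot: The gem's signing certificate is replaced rather than renewed: decoding the two PEM blobs, the 2.6.3 certificate appears to carry a `gem/brakeman/org` subject while the 3.0.0 one carries `justin/presidentbeef/com` with validity 2015-01-03 to 2016-01-03, so this is a new trust root and not a re-issue of the old one. Anyone installing with `gem install brakeman -P HighSecurity` (or MediumSecurity) must add the new public certificate to their trust store before 3.0.0 will verify, and the new certificate's one-year validity means the same step recurs on the next rotation. A line in CHANGES pointing to where the new certificate is published would make the rotation explicit for downstream verifiers.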