brakeman 3.7.2 → 4.1.0
- checksums.yaml +4 -4
- data/{CHANGES → CHANGES.md} +43 -1
- data/FEATURES +1 -1
- data/README.md +2 -2
- data/bundle/load.rb +1 -1
- data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/Changelog.md +6 -0
- data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/Gemfile +2 -0
- data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/lib/highline/simulate.rb +1 -1
- data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/lib/highline/version.rb +1 -1
- data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/test/tc_simulator.rb +10 -0
- data/lib/brakeman/call_index.rb +2 -2
- data/lib/brakeman/checks/base_check.rb +9 -32
- data/lib/brakeman/checks/check_basic_auth.rb +3 -3
- data/lib/brakeman/checks/check_basic_auth_timing_attack.rb +1 -1
- data/lib/brakeman/checks/check_content_tag.rb +13 -13
- data/lib/brakeman/checks/check_create_with.rb +5 -5
- data/lib/brakeman/checks/check_cross_site_scripting.rb +8 -8
- data/lib/brakeman/checks/check_default_routes.rb +4 -4
- data/lib/brakeman/checks/check_deserialize.rb +2 -2
- data/lib/brakeman/checks/check_detailed_exceptions.rb +4 -4
- data/lib/brakeman/checks/check_digest_dos.rb +2 -2
- data/lib/brakeman/checks/check_divide_by_zero.rb +40 -0
- data/lib/brakeman/checks/check_dynamic_finders.rb +1 -1
- data/lib/brakeman/checks/check_escape_function.rb +2 -2
- data/lib/brakeman/checks/check_evaluation.rb +1 -1
- data/lib/brakeman/checks/check_execute.rb +5 -5
- data/lib/brakeman/checks/check_file_access.rb +14 -5
- data/lib/brakeman/checks/check_file_disclosure.rb +2 -2
- data/lib/brakeman/checks/check_filter_skipping.rb +2 -2
- data/lib/brakeman/checks/check_forgery_setting.rb +4 -2
- data/lib/brakeman/checks/check_header_dos.rb +1 -1
- data/lib/brakeman/checks/check_i18n_xss.rb +2 -2
- data/lib/brakeman/checks/check_jruby_xml.rb +2 -4
- data/lib/brakeman/checks/check_json_encoding.rb +4 -4
- data/lib/brakeman/checks/check_json_parsing.rb +6 -6
- data/lib/brakeman/checks/check_link_to.rb +5 -5
- data/lib/brakeman/checks/check_link_to_href.rb +37 -31
- data/lib/brakeman/checks/check_mail_to.rb +2 -2
- data/lib/brakeman/checks/check_mass_assignment.rb +6 -6
- data/lib/brakeman/checks/check_mime_type_dos.rb +1 -1
- data/lib/brakeman/checks/check_model_attr_accessible.rb +5 -5
- data/lib/brakeman/checks/check_model_attributes.rb +4 -4
- data/lib/brakeman/checks/check_model_serialize.rb +3 -3
- data/lib/brakeman/checks/check_nested_attributes.rb +2 -2
- data/lib/brakeman/checks/check_nested_attributes_bypass.rb +1 -1
- data/lib/brakeman/checks/check_number_to_currency.rb +5 -5
- data/lib/brakeman/checks/check_permit_attributes.rb +43 -0
- data/lib/brakeman/checks/check_quote_table_name.rb +2 -2
- data/lib/brakeman/checks/check_redirect.rb +23 -4
- data/lib/brakeman/checks/check_regex_dos.rb +3 -3
- data/lib/brakeman/checks/check_render.rb +4 -4
- data/lib/brakeman/checks/check_render_dos.rb +1 -1
- data/lib/brakeman/checks/check_render_inline.rb +5 -5
- data/lib/brakeman/checks/check_response_splitting.rb +1 -1
- data/lib/brakeman/checks/check_route_dos.rb +1 -1
- data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +2 -2
- data/lib/brakeman/checks/check_sanitize_methods.rb +7 -7
- data/lib/brakeman/checks/check_secrets.rb +1 -1
- data/lib/brakeman/checks/check_select_tag.rb +2 -2
- data/lib/brakeman/checks/check_select_vulnerability.rb +3 -3
- data/lib/brakeman/checks/check_send.rb +1 -1
- data/lib/brakeman/checks/check_session_manipulation.rb +2 -2
- data/lib/brakeman/checks/check_session_settings.rb +3 -3
- data/lib/brakeman/checks/check_simple_format.rb +4 -4
- data/lib/brakeman/checks/check_single_quotes.rb +3 -3
- data/lib/brakeman/checks/check_skip_before_filter.rb +3 -3
- data/lib/brakeman/checks/check_sql.rb +14 -10
- data/lib/brakeman/checks/check_sql_cves.rb +2 -2
- data/lib/brakeman/checks/check_ssl_verify.rb +1 -1
- data/lib/brakeman/checks/check_strip_tags.rb +7 -7
- data/lib/brakeman/checks/check_symbol_dos.rb +2 -2
- data/lib/brakeman/checks/check_symbol_dos_cve.rb +1 -1
- data/lib/brakeman/checks/check_translate_bug.rb +3 -3
- data/lib/brakeman/checks/check_unsafe_reflection.rb +2 -2
- data/lib/brakeman/checks/check_unscoped_find.rb +1 -1
- data/lib/brakeman/checks/check_validation_regex.rb +1 -1
- data/lib/brakeman/checks/check_weak_hash.rb +6 -6
- data/lib/brakeman/checks/check_without_protection.rb +2 -2
- data/lib/brakeman/checks/check_xml_dos.rb +1 -1
- data/lib/brakeman/checks/check_yaml_parsing.rb +2 -2
- data/lib/brakeman/codeclimate/engine_configuration.rb +97 -0
- data/lib/brakeman/commandline.rb +2 -2
- data/lib/brakeman/options.rb +9 -5
- data/lib/brakeman/parsers/template_parser.rb +7 -3
- data/lib/brakeman/processor.rb +1 -1
- data/lib/brakeman/processors/alias_processor.rb +37 -18
- data/lib/brakeman/processors/lib/rails2_route_processor.rb +8 -8
- data/lib/brakeman/processors/lib/render_helper.rb +3 -3
- data/lib/brakeman/report/pager.rb +110 -0
- data/lib/brakeman/report/report_base.rb +2 -1
- data/lib/brakeman/report/report_codeclimate.rb +10 -1
- data/lib/brakeman/report/report_text.rb +4 -6
- data/lib/brakeman/report.rb +9 -6
- data/lib/brakeman/rescanner.rb +8 -8
- data/lib/brakeman/tracker/collection.rb +1 -1
- data/lib/brakeman/tracker/config.rb +44 -0
- data/lib/brakeman/tracker.rb +3 -3
- data/lib/brakeman/util.rb +5 -1
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning.rb +51 -23
- data/lib/brakeman/warning_codes.rb +2 -0
- data/lib/brakeman.rb +32 -17
- data/lib/ruby_parser/bm_sexp.rb +16 -0
- metadata +54 -50
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/AUTHORS +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/COPYING +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/INSTALL +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/LICENSE +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/README.rdoc +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/Rakefile +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/TODO +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/examples/ansi_colors.rb +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/examples/asking_for_arrays.rb +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/examples/basic_usage.rb +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/examples/color_scheme.rb +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/examples/get_character.rb +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/examples/limit.rb +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/examples/menus.rb +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/examples/overwrite.rb +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/examples/page_and_wrap.rb +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/examples/password.rb +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/examples/repeat_entry.rb +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/examples/trapping_eof.rb +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/examples/using_readline.rb +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/highline.gemspec +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/lib/highline/color_scheme.rb +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/lib/highline/compatibility.rb +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/lib/highline/import.rb +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/lib/highline/menu.rb +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/lib/highline/question.rb +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/lib/highline/string_extensions.rb +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/lib/highline/style.rb +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/lib/highline/system_extensions.rb +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/lib/highline.rb +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/setup.rb +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/site/highline.css +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/site/images/logo.png +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/site/index.html +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/test/string_methods.rb +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/test/tc_color_scheme.rb +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/test/tc_highline.rb +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/test/tc_import.rb +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/test/tc_menu.rb +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/test/tc_string_extension.rb +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/test/tc_string_highline.rb +0 -0
- /data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/test/tc_style.rb +0 -0
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 5473cad261403087ab82423bcb64eab734d11e8c
|
4
|
+
data.tar.gz: 59a9f5320cdd156c0d6202cd950238ce05a7b92f
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 72a9fc46b9385feddcb5ef032794470d68c2ce52f551f3eed00157c24e2f36015dff891f6c409a3862f78ec649c8aee2f3d373d5654f1fcfa3769d3cbf90f67c
|
7
|
+
data.tar.gz: 2fb4b886463bea09c6a46b78b83a507d1312d1d2f68df7d94df364d2eb374ea758f9f7fb959299a632d089288bc0b4304ec04f793708505b76f450c7e639ac9d
|
data/{CHANGES → CHANGES.md}
RENAMED
@@ -1,3 +1,45 @@
|
|
1
|
+
# 4.1.0
|
2
|
+
|
3
|
+
* Process models as root sexp instead of each sexp
|
4
|
+
* Avoid CSRF warning in Rails 5.2 default config
|
5
|
+
* Show better location for Sass errors (Andrew Bromwich)
|
6
|
+
* Warn about dynamic values in `Arel.sql`
|
7
|
+
* Fix `include_paths` for Code Climate engine (Will Fleming)
|
8
|
+
* Add check for dangerous keys in `permit`
|
9
|
+
* Try to guess options for `less` pager
|
10
|
+
* Better processing of op_asgn1 (e.g. x[:y] += 1)
|
11
|
+
* Add optional check for divide by zero
|
12
|
+
* Remove errors about divide by zero
|
13
|
+
* Avoid warning about file access for temp files
|
14
|
+
* Do not warn on params.permit with safe values
|
15
|
+
* Add Sexp#call_chain
|
16
|
+
* Use HTTPS for warning links
|
17
|
+
* Handle nested destructuring/multiple assignment
|
18
|
+
* Leave results on screen after paging
|
19
|
+
* Do not page if results fit on screen
|
20
|
+
* Support `app_path` configuration for Code Climate engine (Noah Davis)
|
21
|
+
* Refactor Code Climate engine options parsing (Noah Davis)
|
22
|
+
* Fix upgrade version for CVE-2016-6316
|
23
|
+
|
24
|
+
# 4.0.1
|
25
|
+
|
26
|
+
* Disable pager when `CI` environment variable is set
|
27
|
+
* Fix output when pager fails
|
28
|
+
|
29
|
+
# 4.0.0
|
30
|
+
|
31
|
+
* Add simple pager for reports output to terminal
|
32
|
+
* Rename "Cross Site Scripting" to "Cross-Site Scripting" (Paul Tetreau)
|
33
|
+
* Rearrange tests a little bit
|
34
|
+
* Treat `request.cookies` like `cookies`
|
35
|
+
* Treat `fail`/`raise` like early returns
|
36
|
+
* Remove reliance on `CONFIDENCE` constant in checks
|
37
|
+
* Remove low confidence mass assignment warnings
|
38
|
+
* Reduce warnings about XSS in `link_to`
|
39
|
+
* "Plain" report output is now the default
|
40
|
+
* --exit-on-error and --exit-on-warn are now the default
|
41
|
+
* Fix --exit-on-error and --exit-on-warn in config files
|
42
|
+
|
1
43
|
# 3.7.2
|
2
44
|
|
3
45
|
* Fix --ensure-latest (David Guyon)
|
@@ -300,7 +342,7 @@
|
|
300
342
|
# 3.0.0
|
301
343
|
|
302
344
|
* Add check for CVE-2014-7829
|
303
|
-
* Add check for cross
|
345
|
+
* Add check for cross-site scripting via inline renders
|
304
346
|
* Fix formatting of command interpolation
|
305
347
|
* Local variables are no longer formatted as `(local var)`
|
306
348
|
* Actually skip skipped before filters
|
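--- a/data/FEATURES
+++ b/data/FEATURES
@@ -1,5 +1,5 @@
 Can detect:
--Possibly unescaped model attributes or parameters in views (Cross
+-Possibly unescaped model attributes or parameters in views (Cross-Site Scripting)
 -Bad string interpolation in calls to Model.find, Model.last, Model.first, etc., as well as chained calls (SQL Injection)
 -String interpolation in find_by_sql (SQL Injection)
 -String interpolation or params in calls to system, exec, and syscall and `` (Command Injection)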
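--- a/data/README.md
+++ b/data/README.md
@@ -2,8 +2,8 @@
 [![Brakeman Pro Logo](https://brakemanpro.com/images/bmp_square_white.png)](https://brakemanpro.com)
 
 [![Build Status](https://travis-ci.org/presidentbeef/brakeman.svg?branch=master)](https://travis-ci.org/presidentbeef/brakeman)
-[![
-[![Test Coverage](https://codeclimate.com/
+[![Maintainability](https://api.codeclimate.com/v1/badges/1b08a5c74695cb0d11ec/maintainability)](https://codeclimate.com/github/presidentbeef/brakeman/maintainability)
+[![Test Coverage](https://api.codeclimate.com/v1/badges/1b08a5c74695cb0d11ec/test_coverage)](https://codeclimate.com/github/presidentbeef/brakeman/test_coverage)
 [![Gitter](https://badges.gitter.im/presidentbeef/brakeman.svg)](https://gitter.im/presidentbeef/brakeman)
 
 # Brakeman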
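--- a/data/bundle/load.rb
+++ b/data/bundle/load.rb
@@ -1,6 +1,5 @@
 path = File.expand_path('../..', __FILE__)
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/haml-4.0.7/lib"
-$:.unshift "#{path}/bundle/ruby/2.3.0/gems/highline-1.7.8/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/ruby2ruby-2.4.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/sass-3.4.25/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/sass-3.4.25/vendor/listen/lib"
@@ -9,6 +8,7 @@ $:.unshift "#{path}/bundle/ruby/2.3.0/gems/temple-0.7.7/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/unicode-display_width-1.3.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/sexp_processor-4.10.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/lib"
+$:.unshift "#{path}/bundle/ruby/2.3.0/gems/highline-1.7.10/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/terminal-table-1.8.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/slim-3.0.7/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/erubis-2.7.0/lib"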
@@ -2,6 +2,12 @@
|
|
2
2
|
|
3
3
|
Below is a complete listing of changes for each revision of HighLine.
|
4
4
|
|
5
|
+
### 1.7.10 / 2017-11-23
|
6
|
+
* Add gemspec to Gemfile. Address #223. (@abinoam)
|
7
|
+
|
8
|
+
### 1.7.9 / 2017-05-08
|
9
|
+
* Fix frozen string issue on HighLine::Simulate. (Ivan Giuliani (@ivgiuliani), PR #210)
|
10
|
+
|
5
11
|
### 1.7.8 / 2015-10-09
|
6
12
|
* Fix some issues when paginating. (Nick Carboni (@carbonin) and Abinoam P. Marques Jr. (@abinoam), #168, PRs #169 #170)
|
7
13
|
|
@@ -20,4 +20,14 @@ class SimulatorTest < Test::Unit::TestCase
|
|
20
20
|
assert_equal '18', age
|
21
21
|
end
|
22
22
|
end
|
23
|
+
|
24
|
+
def test_simulate_with_echo_and_frozen_strings
|
25
|
+
HighLine::Simulate.with('the password'.freeze) do
|
26
|
+
password = ask('What is your password?') do |q|
|
27
|
+
q.echo = '*'
|
28
|
+
end
|
29
|
+
|
30
|
+
assert_equal 'the password', password
|
31
|
+
end
|
32
|
+
end
|
23
33
|
end
|
data/lib/brakeman/call_index.rb
CHANGED
@@ -67,7 +67,7 @@ class Brakeman::CallIndex
|
|
67
67
|
|
68
68
|
def remove_template_indexes template_name = nil
|
69
69
|
[@calls_by_method, @calls_by_target].each do |calls_by|
|
70
|
-
calls_by.each do |
|
70
|
+
calls_by.each do |_name, calls|
|
71
71
|
calls.delete_if do |call|
|
72
72
|
from_template call, template_name
|
73
73
|
end
|
@@ -77,7 +77,7 @@ class Brakeman::CallIndex
|
|
77
77
|
|
78
78
|
def remove_indexes_by_class classes
|
79
79
|
[@calls_by_method, @calls_by_target].each do |calls_by|
|
80
|
-
calls_by.each do |
|
80
|
+
calls_by.each do |_name, calls|
|
81
81
|
calls.delete_if do |call|
|
82
82
|
call[:location][:type] == :class and classes.include? call[:location][:class]
|
83
83
|
end
|
@@ -10,7 +10,9 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
|
|
10
10
|
include Brakeman::Util
|
11
11
|
attr_reader :tracker, :warnings
|
12
12
|
|
13
|
-
|
13
|
+
# This is for legacy support.
|
14
|
+
# Use :high, :medium, or :low instead when creating warnings.
|
15
|
+
CONFIDENCE = Brakeman::Warning::CONFIDENCE
|
14
16
|
|
15
17
|
Match = Struct.new(:type, :match)
|
16
18
|
|
@@ -60,7 +62,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
|
|
60
62
|
#Default Sexp processing. Iterates over each value in the Sexp
|
61
63
|
#and processes them if they are also Sexps.
|
62
64
|
def process_default exp
|
63
|
-
exp.each_with_index do |e,
|
65
|
+
exp.each_with_index do |e, _i|
|
64
66
|
if sexp? e
|
65
67
|
process e
|
66
68
|
else
|
@@ -443,41 +445,16 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
|
|
443
445
|
false
|
444
446
|
end
|
445
447
|
|
446
|
-
#Returns true if low_version <= RAILS_VERSION <= high_version
|
447
|
-
#
|
448
|
-
#If the Rails version is unknown, returns false.
|
449
|
-
def version_between? low_version, high_version, current_version = nil
|
450
|
-
current_version ||= rails_version
|
451
|
-
return false unless current_version
|
452
|
-
|
453
|
-
version = current_version.split(".").map! { |n| n.to_i }
|
454
|
-
low_version = low_version.split(".").map! { |n| n.to_i }
|
455
|
-
high_version = high_version.split(".").map! { |n| n.to_i }
|
456
|
-
|
457
|
-
version.each_with_index do |v, i|
|
458
|
-
if v < low_version.fetch(i, 0)
|
459
|
-
return false
|
460
|
-
elsif v > low_version.fetch(i, 0)
|
461
|
-
break
|
462
|
-
end
|
463
|
-
end
|
464
|
-
|
465
|
-
version.each_with_index do |v, i|
|
466
|
-
if v > high_version.fetch(i, 0)
|
467
|
-
return false
|
468
|
-
elsif v < high_version.fetch(i, 0)
|
469
|
-
break
|
470
|
-
end
|
471
|
-
end
|
472
|
-
|
473
|
-
true
|
474
|
-
end
|
475
|
-
|
476
448
|
def lts_version? version
|
477
449
|
tracker.config.has_gem? :'railslts-version' and
|
478
450
|
version_between? version, "2.3.18.99", tracker.config.gem_version(:'railslts-version')
|
479
451
|
end
|
480
452
|
|
453
|
+
|
454
|
+
def version_between? low_version, high_version, current_version = nil
|
455
|
+
tracker.config.version_between? low_version, high_version, current_version
|
456
|
+
end
|
457
|
+
|
481
458
|
def gemfile_or_environment gem_name = :rails
|
482
459
|
if gem_name and info = tracker.config.get_gem(gem_name)
|
483
460
|
info
|
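Review bot: The comment added above `CONFIDENCE` in the first hunk of base_check.rb tells check authors to use `:high, :medium, or :low`, but the symbol every other check in this release passes for the lowest level is `:weak` (see the `confidence = :weak` branches in check_create_with.rb, check_digest_dos.rb and check_cross_site_scripting.rb), so a new check written from this comment would pass a value that nothing visible in this diff handles; change it to `# Use :high, :medium, or :weak instead when creating warnings.`. The last hunk of this section replaces the full `version_between?` implementation with a one-line delegation to `tracker.config.version_between?` but drops the old doc comment, leaving callers such as `lts_version?` and the CVE checks without a stated contract here; keep `# Returns true if low_version <= RAILS_VERSION <= high_version; false if the Rails version is unknown.` above the new method, assuming the moved implementation preserves that behaviour (Tracker::Config is not in this section). Both `lts_version?` and `gemfile_or_environment` extend outside the hunk.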
@@ -17,7 +17,7 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
|
|
17
17
|
end
|
18
18
|
|
19
19
|
def check_basic_auth_filter
|
20
|
-
controllers = tracker.controllers.select do |
|
20
|
+
controllers = tracker.controllers.select do |_name, c|
|
21
21
|
c.options[:http_basic_authenticate_with]
|
22
22
|
end
|
23
23
|
|
@@ -30,7 +30,7 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
|
|
30
30
|
:warning_code => :basic_auth_password,
|
31
31
|
:message => "Basic authentication password stored in source code",
|
32
32
|
:code => call,
|
33
|
-
:confidence =>
|
33
|
+
:confidence => :high,
|
34
34
|
:file => controller.file
|
35
35
|
break
|
36
36
|
end
|
@@ -50,7 +50,7 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
|
|
50
50
|
:warning_type => "Basic Auth",
|
51
51
|
:warning_code => :basic_auth_password,
|
52
52
|
:message => "Basic authentication password stored in source code",
|
53
|
-
:confidence =>
|
53
|
+
:confidence => :high
|
54
54
|
end
|
55
55
|
end
|
56
56
|
end
|
@@ -26,7 +26,7 @@ class Brakeman::CheckBasicAuthTimingAttack < Brakeman::BaseCheck
|
|
26
26
|
:warning_type => "Timing Attack",
|
27
27
|
:warning_code => :CVE_2015_7576,
|
28
28
|
:message => "Basic authentication in Rails #{rails_version} is vulnerable to timing attacks. Upgrade to #@upgrade",
|
29
|
-
:confidence =>
|
29
|
+
:confidence => :high,
|
30
30
|
:link => "https://groups.google.com/d/msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ"
|
31
31
|
end
|
32
32
|
end
|
@@ -66,7 +66,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
|
|
66
66
|
|
67
67
|
#Attribute keys are never escaped, so check them for user input
|
68
68
|
if not @matched and hash? attributes and not request_value? attributes
|
69
|
-
hash_iterate(attributes) do |k,
|
69
|
+
hash_iterate(attributes) do |k, _v|
|
70
70
|
check_argument result, k
|
71
71
|
return if @matched
|
72
72
|
end
|
@@ -79,7 +79,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
|
|
79
79
|
if request_value? attributes or not hash? attributes
|
80
80
|
check_argument result, attributes
|
81
81
|
else #check hash values
|
82
|
-
hash_iterate(attributes) do |
|
82
|
+
hash_iterate(attributes) do |_k, v|
|
83
83
|
check_argument result, v
|
84
84
|
return if @matched
|
85
85
|
end
|
@@ -101,11 +101,11 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
|
|
101
101
|
add_result result
|
102
102
|
|
103
103
|
warn :result => result,
|
104
|
-
:warning_type => "Cross
|
104
|
+
:warning_type => "Cross-Site Scripting",
|
105
105
|
:warning_code => :xss_content_tag,
|
106
106
|
:message => message,
|
107
107
|
:user_input => input,
|
108
|
-
:confidence =>
|
108
|
+
:confidence => :high,
|
109
109
|
:link_path => "content_tag"
|
110
110
|
|
111
111
|
elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(arg)
|
@@ -113,13 +113,13 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
|
|
113
113
|
add_result result
|
114
114
|
|
115
115
|
if likely_model_attribute? match
|
116
|
-
confidence =
|
116
|
+
confidence = :high
|
117
117
|
else
|
118
|
-
confidence =
|
118
|
+
confidence = :medium
|
119
119
|
end
|
120
120
|
|
121
121
|
warn :result => result,
|
122
|
-
:warning_type => "Cross
|
122
|
+
:warning_type => "Cross-Site Scripting",
|
123
123
|
:warning_code => :xss_content_tag,
|
124
124
|
:message => "Unescaped model attribute in content_tag",
|
125
125
|
:user_input => match,
|
@@ -135,11 +135,11 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
|
|
135
135
|
add_result result
|
136
136
|
|
137
137
|
warn :result => result,
|
138
|
-
:warning_type => "Cross
|
138
|
+
:warning_type => "Cross-Site Scripting",
|
139
139
|
:warning_code => :xss_content_tag,
|
140
140
|
:message => message,
|
141
141
|
:user_input => @matched,
|
142
|
-
:confidence =>
|
142
|
+
:confidence => :medium,
|
143
143
|
:link_path => "content_tag"
|
144
144
|
end
|
145
145
|
end
|
@@ -159,9 +159,9 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
|
|
159
159
|
def check_cve_2016_6316
|
160
160
|
if cve_2016_6316?
|
161
161
|
confidence = if @content_tags.any?
|
162
|
-
|
162
|
+
:high
|
163
163
|
else
|
164
|
-
|
164
|
+
:medium
|
165
165
|
end
|
166
166
|
|
167
167
|
fix_version = case
|
@@ -170,7 +170,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
|
|
170
170
|
when version_between?("4.0.0", "4.2.7.0")
|
171
171
|
"4.2.7.1"
|
172
172
|
when version_between?("5.0.0", "5.0.0")
|
173
|
-
"5.0.0"
|
173
|
+
"5.0.0.1"
|
174
174
|
when (version.nil? and tracker.options[:rails3])
|
175
175
|
"3.2.22.4"
|
176
176
|
when (version.nil? and tracker.options[:rails4])
|
@@ -179,7 +179,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
|
|
179
179
|
return
|
180
180
|
end
|
181
181
|
|
182
|
-
warn :warning_type => "Cross
|
182
|
+
warn :warning_type => "Cross-Site Scripting",
|
183
183
|
:warning_code => :CVE_2016_6316,
|
184
184
|
:message => "Rails #{rails_version} content_tag does not escape double quotes in attribute values (CVE-2016-6316). Upgrade to #{fix_version}",
|
185
185
|
:confidence => confidence,
|
@@ -51,15 +51,15 @@ class Brakeman::CheckCreateWith < Brakeman::BaseCheck
|
|
51
51
|
if call? exp and exp.method == :permit
|
52
52
|
nil
|
53
53
|
elsif request_value? exp
|
54
|
-
|
54
|
+
:high
|
55
55
|
elsif hash? exp
|
56
56
|
nil
|
57
57
|
elsif has_immediate_user_input?(exp)
|
58
|
-
|
58
|
+
:high
|
59
59
|
elsif include_user_input? exp
|
60
|
-
|
60
|
+
:medium
|
61
61
|
else
|
62
|
-
|
62
|
+
:weak
|
63
63
|
end
|
64
64
|
end
|
65
65
|
|
@@ -68,7 +68,7 @@ class Brakeman::CheckCreateWith < Brakeman::BaseCheck
|
|
68
68
|
:warning_code => :CVE_2014_3514,
|
69
69
|
:message => @message,
|
70
70
|
:gem_info => gemfile_or_environment,
|
71
|
-
:confidence =>
|
71
|
+
:confidence => :medium,
|
72
72
|
:link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"
|
73
73
|
end
|
74
74
|
end
|
@@ -73,11 +73,11 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
|
|
73
73
|
message = "Unescaped #{friendly_type_of input}"
|
74
74
|
|
75
75
|
warn :template => @current_template,
|
76
|
-
:warning_type => "Cross
|
76
|
+
:warning_type => "Cross-Site Scripting",
|
77
77
|
:warning_code => :cross_site_scripting,
|
78
78
|
:message => message,
|
79
79
|
:code => input.match,
|
80
|
-
:confidence =>
|
80
|
+
:confidence => :high
|
81
81
|
|
82
82
|
elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(out)
|
83
83
|
method = if call? match
|
@@ -90,9 +90,9 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
|
|
90
90
|
add_result exp
|
91
91
|
|
92
92
|
if likely_model_attribute? match
|
93
|
-
confidence =
|
93
|
+
confidence = :high
|
94
94
|
else
|
95
|
-
confidence =
|
95
|
+
confidence = :medium
|
96
96
|
end
|
97
97
|
|
98
98
|
message = "Unescaped model attribute"
|
@@ -106,7 +106,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
|
|
106
106
|
end
|
107
107
|
|
108
108
|
warn :template => @current_template,
|
109
|
-
:warning_type => "Cross
|
109
|
+
:warning_type => "Cross-Site Scripting",
|
110
110
|
:warning_code => warning_code,
|
111
111
|
:message => message,
|
112
112
|
:code => match,
|
@@ -178,18 +178,18 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
|
|
178
178
|
warning_code = :cross_site_scripting
|
179
179
|
|
180
180
|
if @known_dangerous.include? exp.method
|
181
|
-
confidence =
|
181
|
+
confidence = :high
|
182
182
|
if exp.method == :to_json
|
183
183
|
message += " in JSON hash"
|
184
184
|
link_path += "_to_json"
|
185
185
|
warning_code = :xss_to_json
|
186
186
|
end
|
187
187
|
else
|
188
|
-
confidence =
|
188
|
+
confidence = :weak
|
189
189
|
end
|
190
190
|
|
191
191
|
warn :template => @current_template,
|
192
|
-
:warning_type => "Cross
|
192
|
+
:warning_type => "Cross-Site Scripting",
|
193
193
|
:warning_code => warning_code,
|
194
194
|
:message => message,
|
195
195
|
:code => exp,
|
@@ -21,7 +21,7 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
|
|
21
21
|
:warning_code => :all_default_routes,
|
22
22
|
:message => "All public methods in controllers are available as actions in routes.rb",
|
23
23
|
:line => tracker.routes[:allow_all_actions].line,
|
24
|
-
:confidence =>
|
24
|
+
:confidence => :high,
|
25
25
|
:file => "#{tracker.app_path}/config/routes.rb"
|
26
26
|
end
|
27
27
|
end
|
@@ -43,7 +43,7 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
|
|
43
43
|
:warning_code => :controller_default_routes,
|
44
44
|
:message => "Any public method in #{name} can be used as an action for #{verb} requests.",
|
45
45
|
:line => actions[2],
|
46
|
-
:confidence =>
|
46
|
+
:confidence => :medium,
|
47
47
|
:file => "#{tracker.app_path}/config/routes.rb"
|
48
48
|
end
|
49
49
|
end
|
@@ -67,9 +67,9 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
|
|
67
67
|
end
|
68
68
|
|
69
69
|
if allow_all_actions? or @actions_allowed_on_controller
|
70
|
-
confidence =
|
70
|
+
confidence = :high
|
71
71
|
else
|
72
|
-
confidence =
|
72
|
+
confidence = :medium
|
73
73
|
end
|
74
74
|
|
75
75
|
warn :warning_type => "Remote Code Execution",
|
@@ -36,9 +36,9 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
|
|
36
36
|
method = result[:call].method
|
37
37
|
|
38
38
|
if input = has_immediate_user_input?(arg)
|
39
|
-
confidence =
|
39
|
+
confidence = :high
|
40
40
|
elsif input = include_user_input?(arg)
|
41
|
-
confidence =
|
41
|
+
confidence = :medium
|
42
42
|
end
|
43
43
|
|
44
44
|
if confidence
|
@@ -18,13 +18,13 @@ class Brakeman::CheckDetailedExceptions < Brakeman::BaseCheck
|
|
18
18
|
warn :warning_type => "Information Disclosure",
|
19
19
|
:warning_code => :local_request_config,
|
20
20
|
:message => "Detailed exceptions are enabled in production",
|
21
|
-
:confidence =>
|
21
|
+
:confidence => :high,
|
22
22
|
:file => "config/environments/production.rb"
|
23
23
|
end
|
24
24
|
end
|
25
25
|
|
26
26
|
def check_detailed_exceptions
|
27
|
-
tracker.controllers.each do |
|
27
|
+
tracker.controllers.each do |_name, controller|
|
28
28
|
controller.methods_public.each do |method_name, definition|
|
29
29
|
src = definition[:src]
|
30
30
|
body = src.body.last
|
@@ -32,9 +32,9 @@ class Brakeman::CheckDetailedExceptions < Brakeman::BaseCheck
|
|
32
32
|
|
33
33
|
if method_name == :show_detailed_exceptions? and not safe? body
|
34
34
|
if true? body
|
35
|
-
confidence =
|
35
|
+
confidence = :high
|
36
36
|
else
|
37
|
-
confidence =
|
37
|
+
confidence = :medium
|
38
38
|
end
|
39
39
|
|
40
40
|
warn :warning_type => "Information Disclosure",
|
@@ -19,9 +19,9 @@ class Brakeman::CheckDigestDoS < Brakeman::BaseCheck
|
|
19
19
|
end
|
20
20
|
|
21
21
|
if with_http_digest?
|
22
|
-
confidence =
|
22
|
+
confidence = :high
|
23
23
|
else
|
24
|
-
confidence =
|
24
|
+
confidence = :weak
|
25
25
|
end
|
26
26
|
|
27
27
|
warn :warning_type => "Denial of Service",
|
@@ -0,0 +1,40 @@
|
|
1
|
+
require 'brakeman/checks/base_check'
|
2
|
+
|
3
|
+
class Brakeman::CheckDivideByZero < Brakeman::BaseCheck
|
4
|
+
Brakeman::Checks.add_optional self
|
5
|
+
|
6
|
+
@description = "Warns on potential division by zero"
|
7
|
+
|
8
|
+
def run_check
|
9
|
+
tracker.find_call(:method => :"/").each do |result|
|
10
|
+
check_division result
|
11
|
+
end
|
12
|
+
end
|
13
|
+
|
14
|
+
def check_division result
|
15
|
+
call = result[:call]
|
16
|
+
|
17
|
+
denominator = call.first_arg
|
18
|
+
|
19
|
+
if number? denominator and denominator.value == 0
|
20
|
+
numerator = call.target
|
21
|
+
|
22
|
+
if number? numerator
|
23
|
+
if numerator.value.is_a? Float
|
24
|
+
return # 0.0 / 0 is NaN and 1.0 / 0 is Infinity
|
25
|
+
else
|
26
|
+
confidence = :medium
|
27
|
+
end
|
28
|
+
else
|
29
|
+
confidence = :weak
|
30
|
+
end
|
31
|
+
|
32
|
+
warn :result => result,
|
33
|
+
:warning_type => "Divide by Zero",
|
34
|
+
:warning_code => :divide_by_zero,
|
35
|
+
:message => "Potential division by zero",
|
36
|
+
:confidence => confidence,
|
37
|
+
:user_input => denominator
|
38
|
+
end
|
39
|
+
end
|
40
|
+
end
|
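Review bot: `denominator.value == 0` in `check_division` is also true for a float literal `0.0`, since Ruby evaluates `0.0 == 0` as true, yet the Float early return only inspects the numerator; an expression like `n / 0.0` yields Infinity or NaN without raising, so the new check would report it at `:medium` or `:weak` confidence. Restricting the warning to divisors that actually raise ZeroDivisionError needs one extra condition: `if number? denominator and denominator.value == 0 and not denominator.value.is_a? Float` (or `denominator.value.eql? 0`, if `value` always returns the raw literal — confirm against the Sexp helper). `check_division` also has no comment stating what it flags; `# Warn when the divisor is the literal integer 0 (integer division raises ZeroDivisionError)` above the method would document the intent.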
@@ -26,7 +26,7 @@ class Brakeman::CheckDynamicFinders < Brakeman::BaseCheck
|
|
26
26
|
:warning_type => "SQL Injection",
|
27
27
|
:warning_code => :sql_injection_dynamic_finder,
|
28
28
|
:message => "MySQL integer conversion may cause 0 to match any string",
|
29
|
-
:confidence =>
|
29
|
+
:confidence => :medium,
|
30
30
|
:user_input => arg
|
31
31
|
|
32
32
|
break
|
@@ -10,10 +10,10 @@ class Brakeman::CheckEscapeFunction < Brakeman::BaseCheck
|
|
10
10
|
def run_check
|
11
11
|
if version_between?('2.0.0', '2.3.13') and RUBY_VERSION < '1.9.0'
|
12
12
|
|
13
|
-
warn :warning_type => 'Cross
|
13
|
+
warn :warning_type => 'Cross-Site Scripting',
|
14
14
|
:warning_code => :CVE_2011_2932,
|
15
15
|
:message => 'Versions before 2.3.14 have a vulnerability in escape method when used with Ruby 1.8: CVE-2011-2932',
|
16
|
-
:confidence =>
|
16
|
+
:confidence => :high,
|
17
17
|
:gem_info => gemfile_or_environment,
|
18
18
|
:link_path => "https://groups.google.com/d/topic/rubyonrails-security/Vr_7WSOrEZU/discussion"
|
19
19
|
end
|
@@ -56,9 +56,9 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
|
|
56
56
|
if failure and original? result
|
57
57
|
|
58
58
|
if failure.type == :interp #Not from user input
|
59
|
-
confidence =
|
59
|
+
confidence = :medium
|
60
60
|
else
|
61
|
-
confidence =
|
61
|
+
confidence = :high
|
62
62
|
end
|
63
63
|
|
64
64
|
warn :result => result,
|
@@ -79,7 +79,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
|
|
79
79
|
:warning_code => :command_injection,
|
80
80
|
:message => "Possible command injection in open()",
|
81
81
|
:user_input => match,
|
82
|
-
:confidence =>
|
82
|
+
:confidence => :high
|
83
83
|
end
|
84
84
|
end
|
85
85
|
end
|
@@ -111,9 +111,9 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
|
|
111
111
|
exp = result[:call]
|
112
112
|
|
113
113
|
if input = include_user_input?(exp)
|
114
|
-
confidence =
|
114
|
+
confidence = :high
|
115
115
|
elsif input = dangerous?(exp)
|
116
|
-
confidence =
|
116
|
+
confidence = :medium
|
117
117
|
else
|
118
118
|
return
|
119
119
|
end
|