brakeman 5.2.1 → 5.3.0

Files changed (205) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGES.md +21 -0
  3. data/bundle/load.rb +4 -4
  4. data/bundle/ruby/2.7.0/gems/{parallel-1.21.0 → parallel-1.22.1}/MIT-LICENSE.txt +0 -0
  5. data/bundle/ruby/2.7.0/gems/{parallel-1.21.0 → parallel-1.22.1}/lib/parallel/processor_count.rb +2 -3
  6. data/bundle/ruby/2.7.0/gems/parallel-1.22.1/lib/parallel/version.rb +4 -0
  7. data/bundle/ruby/2.7.0/gems/{parallel-1.21.0 → parallel-1.22.1}/lib/parallel.rb +84 -4
  8. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.1 → ruby_parser-3.19.1}/History.rdoc +28 -0
  9. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.1 → ruby_parser-3.19.1}/Manifest.txt +2 -0
  10. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.1 → ruby_parser-3.19.1}/README.rdoc +8 -6
  11. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.1 → ruby_parser-3.19.1}/compare/normalize.rb +0 -0
  12. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.1 → ruby_parser-3.19.1}/debugging.md +0 -0
  13. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.1 → ruby_parser-3.19.1}/gauntlet.md +19 -18
  14. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.1 → ruby_parser-3.19.1}/lib/rp_extensions.rb +0 -0
  15. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.1 → ruby_parser-3.19.1}/lib/rp_stringscanner.rb +0 -0
  16. data/bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby20_parser.rb +10973 -0
  17. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.1 → ruby_parser-3.19.1}/lib/ruby20_parser.y +14 -27
  18. data/bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby21_parser.rb +10980 -0
  19. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.1 → ruby_parser-3.19.1}/lib/ruby21_parser.y +14 -27
  20. data/bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby22_parser.rb +11123 -0
  21. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.1 → ruby_parser-3.19.1}/lib/ruby22_parser.y +14 -27
  22. data/bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby23_parser.rb +11132 -0
  23. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.1 → ruby_parser-3.19.1}/lib/ruby23_parser.y +14 -27
  24. data/bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby24_parser.rb +11231 -0
  25. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.1 → ruby_parser-3.19.1}/lib/ruby24_parser.y +14 -27
  26. data/bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby25_parser.rb +11231 -0
  27. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.1 → ruby_parser-3.19.1}/lib/ruby25_parser.y +14 -27
  28. data/bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby26_parser.rb +11253 -0
  29. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.1 → ruby_parser-3.19.1}/lib/ruby26_parser.y +14 -27
  30. data/bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby27_parser.rb +12980 -0
  31. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.1 → ruby_parser-3.19.1}/lib/ruby27_parser.y +19 -41
  32. data/bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby30_parser.rb +13242 -0
  33. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.1 → ruby_parser-3.19.1}/lib/ruby30_parser.y +65 -90
  34. data/bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby31_parser.rb +13622 -0
  35. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.1/lib/ruby3_parser.yy → ruby_parser-3.19.1/lib/ruby31_parser.y} +110 -105
  36. data/bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby3_parser.yy +3536 -0
  37. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.1 → ruby_parser-3.19.1}/lib/ruby_lexer.rb +0 -0
  38. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.1 → ruby_parser-3.19.1}/lib/ruby_lexer.rex +0 -0
  39. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.1 → ruby_parser-3.19.1}/lib/ruby_lexer.rex.rb +0 -0
  40. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.1 → ruby_parser-3.19.1}/lib/ruby_lexer_strings.rb +0 -0
  41. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.1 → ruby_parser-3.19.1}/lib/ruby_parser.rb +2 -0
  42. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.1 → ruby_parser-3.19.1}/lib/ruby_parser.yy +19 -41
  43. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.1 → ruby_parser-3.19.1}/lib/ruby_parser_extras.rb +55 -2
  44. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.1 → ruby_parser-3.19.1}/tools/munge.rb +0 -0
  45. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.1 → ruby_parser-3.19.1}/tools/ripper.rb +0 -0
  46. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/History.rdoc +6 -0
  47. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/Manifest.txt +0 -0
  48. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/README.rdoc +0 -0
  49. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/composite_sexp_processor.rb +0 -0
  50. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/pt_testcase.rb +7 -3
  51. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/sexp.rb +0 -0
  52. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/sexp_matcher.rb +0 -0
  53. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/sexp_processor.rb +1 -1
  54. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/strict_sexp.rb +0 -0
  55. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/unique.rb +0 -0
  56. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/COPYING +0 -0
  57. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/asciidoc.rb +0 -0
  58. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/babel.rb +0 -0
  59. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/bluecloth.rb +0 -0
  60. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/builder.rb +0 -0
  61. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/coffee.rb +0 -0
  62. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/commonmarker.rb +11 -1
  63. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/creole.rb +0 -0
  64. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/csv.rb +1 -1
  65. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/dummy.rb +0 -0
  66. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/erb.rb +0 -0
  67. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/erubi.rb +0 -0
  68. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/erubis.rb +0 -0
  69. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/etanni.rb +0 -0
  70. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/haml.rb +0 -0
  71. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/kramdown.rb +0 -0
  72. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/less.rb +0 -0
  73. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/liquid.rb +0 -0
  74. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/livescript.rb +0 -0
  75. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/mapping.rb +0 -0
  76. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/markaby.rb +0 -0
  77. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/maruku.rb +0 -0
  78. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/nokogiri.rb +0 -0
  79. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/pandoc.rb +23 -15
  80. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/plain.rb +0 -0
  81. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/prawn.rb +0 -0
  82. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/radius.rb +0 -0
  83. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/rdiscount.rb +0 -0
  84. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/rdoc.rb +0 -0
  85. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/redcarpet.rb +5 -2
  86. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/redcloth.rb +0 -0
  87. data/bundle/ruby/2.7.0/gems/tilt-2.0.11/lib/tilt/rst-pandoc.rb +23 -0
  88. data/bundle/ruby/2.7.0/gems/tilt-2.0.11/lib/tilt/sass.rb +78 -0
  89. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/sigil.rb +0 -0
  90. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/string.rb +0 -0
  91. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/template.rb +12 -1
  92. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/typescript.rb +0 -0
  93. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/wikicloth.rb +0 -0
  94. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/yajl.rb +0 -0
  95. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt.rb +2 -1
  96. data/lib/brakeman/app_tree.rb +9 -1
  97. data/lib/brakeman/checks/check_basic_auth.rb +4 -2
  98. data/lib/brakeman/checks/check_basic_auth_timing_attack.rb +2 -1
  99. data/lib/brakeman/checks/check_content_tag.rb +8 -4
  100. data/lib/brakeman/checks/check_cookie_serialization.rb +2 -1
  101. data/lib/brakeman/checks/check_create_with.rb +4 -2
  102. data/lib/brakeman/checks/check_cross_site_scripting.rb +6 -3
  103. data/lib/brakeman/checks/check_csrf_token_forgery_cve.rb +2 -1
  104. data/lib/brakeman/checks/check_default_routes.rb +6 -3
  105. data/lib/brakeman/checks/check_deserialize.rb +2 -1
  106. data/lib/brakeman/checks/check_detailed_exceptions.rb +4 -2
  107. data/lib/brakeman/checks/check_digest_dos.rb +2 -1
  108. data/lib/brakeman/checks/check_divide_by_zero.rb +2 -1
  109. data/lib/brakeman/checks/check_dynamic_finders.rb +2 -1
  110. data/lib/brakeman/checks/check_escape_function.rb +2 -1
  111. data/lib/brakeman/checks/check_evaluation.rb +2 -1
  112. data/lib/brakeman/checks/check_execute.rb +6 -3
  113. data/lib/brakeman/checks/check_file_access.rb +2 -1
  114. data/lib/brakeman/checks/check_file_disclosure.rb +2 -1
  115. data/lib/brakeman/checks/check_filter_skipping.rb +2 -1
  116. data/lib/brakeman/checks/check_force_ssl.rb +2 -1
  117. data/lib/brakeman/checks/check_forgery_setting.rb +4 -2
  118. data/lib/brakeman/checks/check_header_dos.rb +2 -1
  119. data/lib/brakeman/checks/check_i18n_xss.rb +2 -1
  120. data/lib/brakeman/checks/check_jruby_xml.rb +2 -1
  121. data/lib/brakeman/checks/check_json_encoding.rb +2 -1
  122. data/lib/brakeman/checks/check_json_entity_escape.rb +4 -2
  123. data/lib/brakeman/checks/check_json_parsing.rb +4 -2
  124. data/lib/brakeman/checks/check_link_to.rb +2 -1
  125. data/lib/brakeman/checks/check_link_to_href.rb +4 -2
  126. data/lib/brakeman/checks/check_mail_to.rb +2 -1
  127. data/lib/brakeman/checks/check_mass_assignment.rb +6 -3
  128. data/lib/brakeman/checks/check_mime_type_dos.rb +2 -1
  129. data/lib/brakeman/checks/check_model_attr_accessible.rb +2 -1
  130. data/lib/brakeman/checks/check_model_attributes.rb +4 -2
  131. data/lib/brakeman/checks/check_model_serialize.rb +2 -1
  132. data/lib/brakeman/checks/check_nested_attributes.rb +2 -1
  133. data/lib/brakeman/checks/check_nested_attributes_bypass.rb +2 -1
  134. data/lib/brakeman/checks/check_number_to_currency.rb +4 -2
  135. data/lib/brakeman/checks/check_page_caching_cve.rb +2 -1
  136. data/lib/brakeman/checks/check_permit_attributes.rb +2 -1
  137. data/lib/brakeman/checks/check_quote_table_name.rb +2 -1
  138. data/lib/brakeman/checks/check_redirect.rb +2 -1
  139. data/lib/brakeman/checks/check_regex_dos.rb +2 -1
  140. data/lib/brakeman/checks/check_render.rb +4 -2
  141. data/lib/brakeman/checks/check_render_dos.rb +2 -1
  142. data/lib/brakeman/checks/check_render_inline.rb +4 -2
  143. data/lib/brakeman/checks/check_response_splitting.rb +2 -1
  144. data/lib/brakeman/checks/check_reverse_tabnabbing.rb +2 -1
  145. data/lib/brakeman/checks/check_route_dos.rb +2 -1
  146. data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +2 -1
  147. data/lib/brakeman/checks/check_sanitize_config_cve.rb +120 -0
  148. data/lib/brakeman/checks/check_sanitize_methods.rb +6 -3
  149. data/lib/brakeman/checks/check_secrets.rb +2 -1
  150. data/lib/brakeman/checks/check_select_tag.rb +2 -1
  151. data/lib/brakeman/checks/check_select_vulnerability.rb +2 -1
  152. data/lib/brakeman/checks/check_send.rb +2 -1
  153. data/lib/brakeman/checks/check_session_manipulation.rb +2 -1
  154. data/lib/brakeman/checks/check_session_settings.rb +6 -3
  155. data/lib/brakeman/checks/check_simple_format.rb +4 -2
  156. data/lib/brakeman/checks/check_single_quotes.rb +2 -1
  157. data/lib/brakeman/checks/check_skip_before_filter.rb +4 -2
  158. data/lib/brakeman/checks/check_sprockets_path_traversal.rb +2 -1
  159. data/lib/brakeman/checks/check_sql.rb +7 -4
  160. data/lib/brakeman/checks/check_sql_cves.rb +4 -2
  161. data/lib/brakeman/checks/check_ssl_verify.rb +2 -1
  162. data/lib/brakeman/checks/check_strip_tags.rb +6 -3
  163. data/lib/brakeman/checks/check_symbol_dos.rb +2 -1
  164. data/lib/brakeman/checks/check_symbol_dos_cve.rb +2 -1
  165. data/lib/brakeman/checks/check_template_injection.rb +2 -1
  166. data/lib/brakeman/checks/check_translate_bug.rb +2 -1
  167. data/lib/brakeman/checks/check_unsafe_reflection.rb +9 -3
  168. data/lib/brakeman/checks/check_unsafe_reflection_methods.rb +2 -1
  169. data/lib/brakeman/checks/check_unscoped_find.rb +2 -1
  170. data/lib/brakeman/checks/check_validation_regex.rb +2 -1
  171. data/lib/brakeman/checks/check_verb_confusion.rb +2 -1
  172. data/lib/brakeman/checks/check_weak_hash.rb +6 -3
  173. data/lib/brakeman/checks/check_without_protection.rb +2 -1
  174. data/lib/brakeman/checks/check_xml_dos.rb +2 -1
  175. data/lib/brakeman/checks/check_yaml_parsing.rb +4 -2
  176. data/lib/brakeman/checks/eol_check.rb +4 -2
  177. data/lib/brakeman/options.rb +1 -1
  178. data/lib/brakeman/processors/alias_processor.rb +41 -2
  179. data/lib/brakeman/processors/lib/find_all_calls.rb +1 -0
  180. data/lib/brakeman/report/ignore/interactive.rb +2 -2
  181. data/lib/brakeman/report/report_csv.rb +2 -0
  182. data/lib/brakeman/report/report_junit.rb +2 -2
  183. data/lib/brakeman/report/report_table.rb +5 -5
  184. data/lib/brakeman/report/report_text.rb +2 -0
  185. data/lib/brakeman/report/templates/controller_warnings.html.erb +2 -0
  186. data/lib/brakeman/report/templates/ignored_warnings.html.erb +2 -0
  187. data/lib/brakeman/report/templates/model_warnings.html.erb +2 -0
  188. data/lib/brakeman/report/templates/security_warnings.html.erb +2 -0
  189. data/lib/brakeman/report/templates/view_warnings.html.erb +2 -0
  190. data/lib/brakeman/version.rb +1 -1
  191. data/lib/brakeman/warning.rb +5 -2
  192. data/lib/brakeman/warning_codes.rb +1 -0
  193. metadata +95 -92
  194. data/bundle/ruby/2.7.0/gems/parallel-1.21.0/lib/parallel/version.rb +0 -4
  195. data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby20_parser.rb +0 -7128
  196. data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby21_parser.rb +0 -7182
  197. data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby22_parser.rb +0 -7228
  198. data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby23_parser.rb +0 -7237
  199. data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby24_parser.rb +0 -7268
  200. data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby25_parser.rb +0 -7268
  201. data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby26_parser.rb +0 -7287
  202. data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby27_parser.rb +0 -8517
  203. data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby30_parser.rb +0 -8751
  204. data/bundle/ruby/2.7.0/gems/tilt-2.0.10/lib/tilt/rst-pandoc.rb +0 -18
  205. data/bundle/ruby/2.7.0/gems/tilt-2.0.10/lib/tilt/sass.rb +0 -52
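--- a/data/bundle/ruby/2.7.0/gems/tilt-2.0.10/lib/tilt.rb
+++ b/data/bundle/ruby/2.7.0/gems/tilt-2.0.11/lib/tilt.rb
@@ -4,7 +4,7 @@ require 'tilt/template'
  # Namespace for Tilt. This module is not intended to be included anywhere.
  module Tilt
  # Current version.
- VERSION = '2.0.10'
+ VERSION = '2.0.11'
 
  @default_mapping = Mapping.new
 
@@ -161,6 +161,7 @@ module Tilt
  register_lazy 'Slim::Template', 'slim', 'slim'
  register_lazy 'Tilt::HandlebarsTemplate', 'tilt/handlebars', 'handlebars', 'hbs'
  register_lazy 'Tilt::OrgTemplate', 'org-ruby', 'org'
+ register_lazy 'Tilt::EmacsOrgTemplate', 'tilt/emacs_org', 'org'
  register_lazy 'Opal::Processor', 'opal', 'opal', 'rb'
  register_lazy 'Tilt::JbuilderTemplate', 'tilt/jbuilder', 'jbuilder'
  end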
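--- a/data/lib/brakeman/app_tree.rb
+++ b/data/lib/brakeman/app_tree.rb
@@ -205,7 +205,7 @@ module Brakeman
  paths.reject do |path|
  relative_path = path.relative
 
- if @skip_vendor and relative_path.include? 'vendor/'
+ if @skip_vendor and relative_path.include? 'vendor/' and !in_engine_paths?(path) and !in_add_libs_paths?(path)
  true
  else
  EXCLUDED_PATHS.any? do |excluded|
@@ -215,6 +215,14 @@ module Brakeman
  end
  end
 
+ def in_engine_paths?(path)
+ @engine_paths.any? { |p| path.absolute.include?(p) }
+ end
+
+ def in_add_libs_paths?(path)
+ @additional_libs_path.any? { |p| path.absolute.include?(p) }
+ end
+
  def match_path files, path
  absolute_path = Pathname.new(path)
  # relative root never has a leading separator. But, we use a leading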
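Review bot: `in_engine_paths?` and `in_add_libs_paths?` decide the vendor-skip exemption with `path.absolute.include?(p)`, which is a substring match anywhere in the absolute path, so a configured entry (constructed example: `/app/engines/foo`) also exempts files under `/app/engines/foo_old/vendor/`. For a scanner the visible effect is only that more vendored files are analysed than intended, but the file set should follow the configuration exactly. Assuming the entries are absolute directory prefixes, an anchored test such as `path.absolute.start_with?(File.join(p, ''))` does that. The hunk does not show where `@engine_paths` and `@additional_libs_path` are assigned; if either can be nil, `any?` raises, so that is worth confirming, and a one-line comment above each helper saying that it exempts configured engine or additional-lib directories from `@skip_vendor` would document the intent.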
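--- a/data/lib/brakeman/checks/check_basic_auth.rb
+++ b/data/lib/brakeman/checks/check_basic_auth.rb
@@ -31,7 +31,8 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
  :message => "Basic authentication password stored in source code",
  :code => call,
  :confidence => :high,
- :file => controller.file
+ :file => controller.file,
+ :cwe_id => [259]
  break
  end
  end
@@ -50,7 +51,8 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
  :warning_type => "Basic Auth",
  :warning_code => :basic_auth_password,
  :message => "Basic authentication password stored in source code",
- :confidence => :high
+ :confidence => :high,
+ :cwe_id => [259]
  end
  end
  end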
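Review bot: `:cwe_id => [259]` is written as a bare literal at both `warn` call sites in this file, and the same repetition shows up in check_content_tag.rb (four times `[79]`) and in check_cross_site_scripting.rb, check_default_routes.rb and check_execute.rb (three times each). A per-check constant, for example `CWE_ID = [259].freeze` used as `:cwe_id => CWE_ID`, would keep the sites from drifting apart when a mapping is revised. Both hunks start inside `warn` calls whose opening lines are outside the view, so whether the two calls already share a helper cannot be seen from here.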
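--- a/data/lib/brakeman/checks/check_basic_auth_timing_attack.rb
+++ b/data/lib/brakeman/checks/check_basic_auth_timing_attack.rb
@@ -27,7 +27,8 @@ class Brakeman::CheckBasicAuthTimingAttack < Brakeman::BaseCheck
  :warning_code => :CVE_2015_7576,
  :message => msg("Basic authentication in ", msg_version(rails_version), " is vulnerable to timing attacks. Upgrade to ", msg_version(@upgrade)),
  :confidence => :high,
- :link => "https://groups.google.com/d/msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ"
+ :link => "https://groups.google.com/d/msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ",
+ :cwe_id => [1254]
  end
  end
  end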
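Review bot: `:cwe_id => [1254]` tags the timing-attack warning with CWE-1254 (Incorrect Comparison Logic Granularity) only, while CWE-208 (Observable Timing Discrepancy) is the entry report consumers usually filter on for timing side channels. Listing both, `:cwe_id => [208, 1254]`, would keep the precise cause and still let CWE-based triage rules pick the finding up. The `warn` call opens outside the hunk.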
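--- a/data/lib/brakeman/checks/check_content_tag.rb
+++ b/data/lib/brakeman/checks/check_content_tag.rb
@@ -117,7 +117,8 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
  :message => message,
  :user_input => input,
  :confidence => :high,
- :link_path => "content_tag"
+ :link_path => "content_tag",
+ :cwe_id => [79]
 
  elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(arg)
  unless IGNORE_MODEL_METHODS.include? match.method
@@ -135,7 +136,8 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
  :message => msg("Unescaped model attribute in ", msg_code("content_tag")),
  :user_input => match,
  :confidence => confidence,
- :link_path => "content_tag"
+ :link_path => "content_tag",
+ :cwe_id => [79]
  end
 
  elsif @matched
@@ -151,7 +153,8 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
  :message => message,
  :user_input => @matched,
  :confidence => :medium,
- :link_path => "content_tag"
+ :link_path => "content_tag",
+ :cwe_id => [79]
  end
  end
 
@@ -195,7 +198,8 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
  :message => msg(msg_version(rails_version), " ", msg_code("content_tag"), " does not escape double quotes in attribute values ", msg_cve("CVE-2016-6316"), ". Upgrade to ", msg_version(fix_version)),
  :confidence => confidence,
  :gem_info => gemfile_or_environment,
- :link_path => "https://groups.google.com/d/msg/ruby-security-ann/8B2iV2tPRSE/JkjCJkSoCgAJ"
+ :link_path => "https://groups.google.com/d/msg/ruby-security-ann/8B2iV2tPRSE/JkjCJkSoCgAJ",
+ :cwe_id => [79]
  end
  end
 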
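--- a/data/lib/brakeman/checks/check_cookie_serialization.rb
+++ b/data/lib/brakeman/checks/check_cookie_serialization.rb
@@ -15,7 +15,8 @@ class Brakeman::CheckCookieSerialization < Brakeman::BaseCheck
  :warning_code => :unsafe_cookie_serialization,
  :message => msg("Use of unsafe cookie serialization strategy ", msg_code(setting.value.inspect), " might lead to remote code execution"),
  :confidence => :medium,
- :link_path => "unsafe_deserialization"
+ :link_path => "unsafe_deserialization",
+ :cwe_id => [565, 502]
  end
  end
  end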
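--- a/data/lib/brakeman/checks/check_create_with.rb
+++ b/data/lib/brakeman/checks/check_create_with.rb
@@ -39,7 +39,8 @@ class Brakeman::CheckCreateWith < Brakeman::BaseCheck
  :result => result,
  :message => @message,
  :confidence => confidence,
- :link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"
+ :link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ",
+ :cwe_id => [915]
  end
  end
 
@@ -69,6 +70,7 @@ class Brakeman::CheckCreateWith < Brakeman::BaseCheck
  :message => @message,
  :gem_info => gemfile_or_environment,
  :confidence => :medium,
- :link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"
+ :link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ",
+ :cwe_id => [915]
  end
  end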
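--- a/data/lib/brakeman/checks/check_cross_site_scripting.rb
+++ b/data/lib/brakeman/checks/check_cross_site_scripting.rb
@@ -82,7 +82,8 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
  :warning_code => :cross_site_scripting,
  :message => message,
  :code => input.match,
- :confidence => :high
+ :confidence => :high,
+ :cwe_id => [79]
 
  elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(out)
  method = if call? match
@@ -116,7 +117,8 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
  :message => message,
  :code => match,
  :confidence => confidence,
- :link_path => link_path
+ :link_path => link_path,
+ :cwe_id => [79]
  end
 
  else
@@ -200,7 +202,8 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
  :code => exp,
  :user_input => @matched,
  :confidence => confidence,
- :link_path => link_path
+ :link_path => link_path,
+ :cwe_id => [79]
  end
  end
 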
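--- a/data/lib/brakeman/checks/check_csrf_token_forgery_cve.rb
+++ b/data/lib/brakeman/checks/check_csrf_token_forgery_cve.rb
@@ -21,7 +21,8 @@ class Brakeman::CheckCSRFTokenForgeryCVE < Brakeman::BaseCheck
  :message => msg(msg_version(rails_version), " has a vulnerability that may allow CSRF token forgery. Upgrade to ", msg_version(fix_version), " or patch"),
  :confidence => :medium,
  :gem_info => gemfile_or_environment,
- :link => "https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw"
+ :link => "https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw",
+ :cwe_id => [352]
  end
  end
  end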
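--- a/data/lib/brakeman/checks/check_default_routes.rb
+++ b/data/lib/brakeman/checks/check_default_routes.rb
@@ -27,7 +27,8 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
  :message => msg("All public methods in controllers are available as actions in ", msg_file("routes.rb")),
  :line => tracker.routes[:allow_all_actions].line,
  :confidence => :high,
- :file => "#{tracker.app_path}/config/routes.rb"
+ :file => "#{tracker.app_path}/config/routes.rb",
+ :cwe_id => [22]
  end
  end
 
@@ -49,7 +50,8 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
  :message => msg("Any public method in ", msg_code(name), " can be used as an action for ", msg_code(verb), " requests."),
  :line => actions[2],
  :confidence => :medium,
- :file => "#{tracker.app_path}/config/routes.rb"
+ :file => "#{tracker.app_path}/config/routes.rb",
+ :cwe_id => [22]
  end
  end
  end
@@ -82,7 +84,8 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
  :message => msg(msg_version(rails_version), " with globbing routes is vulnerable to directory traversal and remote code execution. Patch or upgrade to ", msg_version(upgrade)),
  :confidence => confidence,
  :file => "#{tracker.app_path}/config/routes.rb",
- :link => "http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf"
+ :link => "http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf",
+ :cwe_id => [22]
  end
 
  def allow_all_actions?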
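Review bot: `:cwe_id => [22]` (path traversal) matches the third hunk, whose message names directory traversal through globbing routes, but the first two warnings report that every public controller method is routable as an action, which is not a pathname problem. For those two an exposure entry such as CWE-749 (Exposed Dangerous Method or Function) describes the finding more closely, e.g. `:cwe_id => [749]`. Consumers that triage or suppress by CWE would otherwise file the default-route findings under path traversal. All three hunks start inside `warn` calls whose opening lines are outside the view.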
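--- a/data/lib/brakeman/checks/check_deserialize.rb
+++ b/data/lib/brakeman/checks/check_deserialize.rb
@@ -87,7 +87,8 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
  :message => message,
  :user_input => input,
  :confidence => confidence,
- :link_path => "unsafe_deserialization"
+ :link_path => "unsafe_deserialization",
+ :cwe_id => [502]
  end
  end
 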
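--- a/data/lib/brakeman/checks/check_detailed_exceptions.rb
+++ b/data/lib/brakeman/checks/check_detailed_exceptions.rb
@@ -19,7 +19,8 @@ class Brakeman::CheckDetailedExceptions < Brakeman::BaseCheck
  :warning_code => :local_request_config,
  :message => "Detailed exceptions are enabled in production",
  :confidence => :high,
- :file => "config/environments/production.rb"
+ :file => "config/environments/production.rb",
+ :cwe_id => [200]
  end
  end
 
@@ -42,7 +43,8 @@ class Brakeman::CheckDetailedExceptions < Brakeman::BaseCheck
  :message => msg("Detailed exceptions may be enabled in ", msg_code("show_detailed_exceptions?")),
  :confidence => confidence,
  :code => src,
- :file => definition[:file]
+ :file => definition[:file],
+ :cwe_id => [200]
  end
  end
  end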
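--- a/data/lib/brakeman/checks/check_digest_dos.rb
+++ b/data/lib/brakeman/checks/check_digest_dos.rb
@@ -29,7 +29,8 @@ class Brakeman::CheckDigestDoS < Brakeman::BaseCheck
  :message => message,
  :confidence => confidence,
  :link_path => "https://groups.google.com/d/topic/rubyonrails-security/vxJjrc15qYM/discussion",
- :gem_info => gemfile_or_environment
+ :gem_info => gemfile_or_environment,
+ :cwe_id => [287]
  end
 
  def with_http_digest?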
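Review bot: `:cwe_id => [287]` (Improper Authentication) is attached to a check whose class name, `CheckDigestDoS`, points to a denial-of-service finding; the message is built outside the hunk, so this reading rests on the name alone. If the warning concerns resource exhaustion in digest authentication rather than an authentication bypass, CWE-400 (Uncontrolled Resource Consumption) is the closer mapping, and both can be kept as `:cwe_id => [400, 287]`. A short comment next to the value saying why 287 was chosen would settle it for later readers.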
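--- a/data/lib/brakeman/checks/check_divide_by_zero.rb
+++ b/data/lib/brakeman/checks/check_divide_by_zero.rb
@@ -36,7 +36,8 @@ class Brakeman::CheckDivideByZero < Brakeman::BaseCheck
  :warning_code => :divide_by_zero,
  :message => "Potential division by zero",
  :confidence => confidence,
- :user_input => denominator
+ :user_input => denominator,
+ :cwe_id => [369]
  end
  end
  end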
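--- a/data/lib/brakeman/checks/check_dynamic_finders.rb
+++ b/data/lib/brakeman/checks/check_dynamic_finders.rb
@@ -27,7 +27,8 @@ class Brakeman::CheckDynamicFinders < Brakeman::BaseCheck
  :warning_code => :sql_injection_dynamic_finder,
  :message => "MySQL integer conversion may cause 0 to match any string",
  :confidence => :medium,
- :user_input => arg
+ :user_input => arg,
+ :cwe_id => [89]
 
  break
  end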
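--- a/data/lib/brakeman/checks/check_escape_function.rb
+++ b/data/lib/brakeman/checks/check_escape_function.rb
@@ -15,7 +15,8 @@ class Brakeman::CheckEscapeFunction < Brakeman::BaseCheck
  :message => msg("Rails versions before 2.3.14 have a vulnerability in the ", msg_code("escape"), " method when used with Ruby 1.8 ", msg_cve("CVE-2011-2932")),
  :confidence => :high,
  :gem_info => gemfile_or_environment,
- :link_path => "https://groups.google.com/d/topic/rubyonrails-security/Vr_7WSOrEZU/discussion"
+ :link_path => "https://groups.google.com/d/topic/rubyonrails-security/Vr_7WSOrEZU/discussion",
+ :cwe_id => [79]
  end
  end
  end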
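--- a/data/lib/brakeman/checks/check_evaluation.rb
+++ b/data/lib/brakeman/checks/check_evaluation.rb
@@ -28,7 +28,8 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
  :warning_code => :code_eval,
  :message => "User input in eval",
  :user_input => input,
- :confidence => :high
+ :confidence => :high,
+ :cwe_id => [913, 95]
  end
  end
  end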
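--- a/data/lib/brakeman/checks/check_execute.rb
+++ b/data/lib/brakeman/checks/check_execute.rb
@@ -117,7 +117,8 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
  :message => "Possible command injection",
  :code => call,
  :user_input => failure,
- :confidence => confidence
+ :confidence => confidence,
+ :cwe_id => [77]
  end
  end
 
@@ -138,7 +139,8 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
  :warning_code => :command_injection,
  :message => msg("Possible command injection in ", msg_code("open")),
  :user_input => match,
- :confidence => :high
+ :confidence => :high,
+ :cwe_id => [77]
  end
  end
  end
@@ -201,7 +203,8 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
  :message => "Possible command injection",
  :code => exp,
  :user_input => input,
- :confidence => confidence
+ :confidence => confidence,
+ :cwe_id => [77]
  end
 
  # This method expects a :dstr or :evstr node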
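Review bot: All three `warn` calls use `:cwe_id => [77]` (Command Injection), while the messages, including the one naming `open`, read as findings about operating-system command execution, for which CWE-78 (OS Command Injection) is the more specific child entry. Reports filtered on CWE-78 would miss these findings as tagged; `:cwe_id => [77, 78]` keeps the existing value and adds the specific one. The sinks themselves are outside the three hunks, so this is judged from the message text only.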
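--- a/data/lib/brakeman/checks/check_file_access.rb
+++ b/data/lib/brakeman/checks/check_file_access.rb
@@ -60,7 +60,8 @@ class Brakeman::CheckFileAccess < Brakeman::BaseCheck
  :message => message,
  :confidence => confidence,
  :code => call,
- :user_input => match
+ :user_input => match,
+ :cwe_id => [22]
  end
  end
 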
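--- a/data/lib/brakeman/checks/check_file_disclosure.rb
+++ b/data/lib/brakeman/checks/check_file_disclosure.rb
@@ -25,7 +25,8 @@ class Brakeman::CheckFileDisclosure < Brakeman::BaseCheck
  :message => msg(msg_version(rails_version), " has a file existence disclosure vulnerability. Upgrade to ", msg_version(fix_version), " or disable serving static assets"),
  :confidence => :high,
  :gem_info => gemfile_or_environment,
- :link_path => "https://groups.google.com/d/msg/rubyonrails-security/23fiuwb1NBA/MQVM1-5GkPMJ"
+ :link_path => "https://groups.google.com/d/msg/rubyonrails-security/23fiuwb1NBA/MQVM1-5GkPMJ",
+ :cwe_id => [22]
  end
  end
 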
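--- a/data/lib/brakeman/checks/check_filter_skipping.rb
+++ b/data/lib/brakeman/checks/check_filter_skipping.rb
@@ -15,7 +15,8 @@ class Brakeman::CheckFilterSkipping < Brakeman::BaseCheck
  :message => msg("Rails versions before 3.0.10 have a vulnerability which allows filters to be bypassed", msg_cve("CVE-2011-2929")),
  :confidence => :high,
  :gem_info => gemfile_or_environment,
- :link_path => "https://groups.google.com/d/topic/rubyonrails-security/NCCsca7TEtY/discussion"
+ :link_path => "https://groups.google.com/d/topic/rubyonrails-security/NCCsca7TEtY/discussion",
+ :cwe_id => [20]
  end
  end
 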
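--- a/data/lib/brakeman/checks/check_force_ssl.rb
+++ b/data/lib/brakeman/checks/check_force_ssl.rb
@@ -21,7 +21,8 @@ class Brakeman::CheckForceSSL < Brakeman::BaseCheck
  :message => msg("The application does not force use of HTTPS: ", msg_code("config.force_ssl"), " is not enabled"),
  :confidence => :high,
  :file => "config/environments/production.rb",
- :line => line
+ :line => line,
+ :cwe_id => [311]
  end
  end
  end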
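--- a/data/lib/brakeman/checks/check_forgery_setting.rb
+++ b/data/lib/brakeman/checks/check_forgery_setting.rb
@@ -52,7 +52,8 @@ class Brakeman::CheckForgerySetting < Brakeman::BaseCheck
  opts = {
  :controller => :ApplicationController,
  :warning_type => "Cross-Site Request Forgery",
- :confidence => :high
+ :confidence => :high,
+ :cwe_id => [352]
  }.merge opts
 
  warn opts
@@ -76,6 +77,7 @@ class Brakeman::CheckForgerySetting < Brakeman::BaseCheck
  :message => msg("CSRF protection is flawed in unpatched versions of ", msg_version(rails_version), " ", msg_cve("CVE-2011-0447"), ". Upgrade to ", msg_version(new_version), " or apply patches as needed"),
  :gem_info => gemfile_or_environment,
  :file => nil,
- :link_path => "https://groups.google.com/d/topic/rubyonrails-security/LZWjzCPgNmU/discussion"
+ :link_path => "https://groups.google.com/d/topic/rubyonrails-security/LZWjzCPgNmU/discussion",
+ :cwe_id => [352]
  end
  end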
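--- a/data/lib/brakeman/checks/check_header_dos.rb
+++ b/data/lib/brakeman/checks/check_header_dos.rb
@@ -20,7 +20,8 @@ class Brakeman::CheckHeaderDoS < Brakeman::BaseCheck
  :message => message,
  :confidence => :medium,
  :gem_info => gemfile_or_environment,
- :link_path => "https://groups.google.com/d/msg/ruby-security-ann/A-ebV4WxzKg/KNPTbX8XAQUJ"
+ :link_path => "https://groups.google.com/d/msg/ruby-security-ann/A-ebV4WxzKg/KNPTbX8XAQUJ",
+ :cwe_id => [20]
  end
  end
 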
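--- a/data/lib/brakeman/checks/check_i18n_xss.rb
+++ b/data/lib/brakeman/checks/check_i18n_xss.rb
@@ -23,7 +23,8 @@ class Brakeman::CheckI18nXSS < Brakeman::BaseCheck
  :message => message,
  :confidence => :medium,
  :gem_info => gemfile_or_environment(:i18n),
- :link_path => "https://groups.google.com/d/msg/ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ"
+ :link_path => "https://groups.google.com/d/msg/ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ",
+ :cwe_id => [79]
  end
  end
 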
@@ -31,6 +31,7 @@ class Brakeman::CheckJRubyXML < Brakeman::BaseCheck
31
31
  :message => msg(msg_version(rails_version), " with JRuby has a vulnerability in XML parser. Upgrade to ", msg_version(fix_version), " or patch"),
32
32
  :confidence => :high,
33
33
  :gem_info => gemfile_or_environment,
34
- :link => "https://groups.google.com/d/msg/rubyonrails-security/KZwsQbYsOiI/5kUV7dSCJGwJ"
34
+ :link => "https://groups.google.com/d/msg/rubyonrails-security/KZwsQbYsOiI/5kUV7dSCJGwJ",
35
+ :cwe_id => [20]
35
36
  end
36
37
  end
@@ -26,7 +26,8 @@ class Brakeman::CheckJSONEncoding < Brakeman::BaseCheck
26
26
  :message => message,
27
27
  :confidence => confidence,
28
28
  :gem_info => gemfile_or_environment,
29
- :link_path => "https://groups.google.com/d/msg/rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ"
29
+ :link_path => "https://groups.google.com/d/msg/rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ",
30
+ :cwe_id => [79]
30
31
  end
31
32
  end
32
33
 
@@ -17,7 +17,8 @@ class Brakeman::CheckJSONEntityEscape < Brakeman::BaseCheck
17
17
  :message => msg("HTML entities in JSON are not escaped by default"),
18
18
  :confidence => :medium,
19
19
  :file => "config/environments/production.rb",
20
- :line => 1
20
+ :line => 1,
21
+ :cwe_id => [79]
21
22
  end
22
23
  end
23
24
 
@@ -31,7 +32,8 @@ class Brakeman::CheckJSONEntityEscape < Brakeman::BaseCheck
31
32
  :warning_code => :json_html_escape_module,
32
33
  :message => msg("HTML entities in JSON are not escaped by default"),
33
34
  :confidence => :medium,
34
- :file => "config/environments/production.rb"
35
+ :file => "config/environments/production.rb",
36
+ :cwe_id => [79]
35
37
  end
36
38
  end
37
39
  end
@@ -33,7 +33,8 @@ class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
33
33
  :message => message,
34
34
  :confidence => :high,
35
35
  :gem_info => gem_info,
36
- :link_path => "https://groups.google.com/d/topic/rubyonrails-security/1h2DR63ViGo/discussion"
36
+ :link_path => "https://groups.google.com/d/topic/rubyonrails-security/1h2DR63ViGo/discussion",
37
+ :cwe_id => [74] # TODO: is this the best CWE for this?
37
38
  end
38
39
  end
39
40
 
@@ -98,7 +99,8 @@ class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
98
99
  :message => message,
99
100
  :confidence => confidence,
100
101
  :gem_info => gemfile_or_environment(name),
101
- :link => "https://groups.google.com/d/topic/rubyonrails-security/4_YvCpLzL58/discussion"
102
+ :link => "https://groups.google.com/d/topic/rubyonrails-security/4_YvCpLzL58/discussion",
103
+ :cwe_id => [74] # TODO: is this the best CWE for this?
102
104
  end
103
105
 
104
106
  def uses_json_parse?
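Review bot: Both `:cwe_id => [74]` lines in CheckJSONParsing ship with `# TODO: is this the best CWE for this?`, so the id goes into reports while still marked unresolved. CWE-74 is the general injection class. If the linked advisories concern unsafe object creation while parsing untrusted JSON, `[502]` (already used by the CheckModelSerialize hunk) would be narrower, but that depends on advisory text that is not on this page. Either settle the id or replace the TODO with a comment stating why 74 was chosen. Both warning calls start outside their hunks.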
@@ -105,7 +105,8 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
105
105
  :message => message,
106
106
  :user_input => user_input,
107
107
  :confidence => confidence,
108
- :link_path => "link_to"
108
+ :link_path => "link_to",
109
+ :cwe_id => [79]
109
110
 
110
111
  true
111
112
  end
@@ -56,7 +56,8 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
56
56
  :message => message,
57
57
  :user_input => input,
58
58
  :confidence => :high,
59
- :link_path => "link_to_href"
59
+ :link_path => "link_to_href",
60
+ :cwe_id => [79]
60
61
  end
61
62
  elsif not tracker.options[:ignore_model_output] and input = has_immediate_model?(url_arg)
62
63
  return if ignore_model_call? url_arg, input or duplicate? result
@@ -70,7 +71,8 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
70
71
  :message => message,
71
72
  :user_input => input,
72
73
  :confidence => :weak,
73
- :link_path => "link_to_href"
74
+ :link_path => "link_to_href",
75
+ :cwe_id => [79]
74
76
  end
75
77
  end
76
78
 
@@ -25,7 +25,8 @@ class Brakeman::CheckMailTo < Brakeman::BaseCheck
25
25
  :message => message,
26
26
  :confidence => :high,
27
27
  :gem_info => gemfile_or_environment, # Probably ignored now
28
- :link_path => "https://groups.google.com/d/topic/rubyonrails-security/8CpI7egxX4E/discussion"
28
+ :link_path => "https://groups.google.com/d/topic/rubyonrails-security/8CpI7egxX4E/discussion",
29
+ :cwe_id => [79]
29
30
  end
30
31
  end
31
32
 
@@ -99,7 +99,8 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
99
99
  :message => "Unprotected mass assignment",
100
100
  :code => call,
101
101
  :user_input => input,
102
- :confidence => confidence
102
+ :confidence => confidence,
103
+ :cwe_id => [915]
103
104
  end
104
105
 
105
106
  res
@@ -205,7 +206,8 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
205
206
  :warning_type => "Mass Assignment",
206
207
  :warning_code => :mass_assign_permit!,
207
208
  :message => msg('Specify exact keys allowed for mass assignment instead of using ', msg_code('permit!'), ' which allows any keys'),
208
- :confidence => confidence
209
+ :confidence => confidence,
210
+ :cwe_id => [915]
209
211
  end
210
212
 
211
213
  def check_permit_all_parameters
@@ -217,7 +219,8 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
217
219
  :warning_type => "Mass Assignment",
218
220
  :warning_code => :mass_assign_permit_all,
219
221
  :message => msg('Mass assignment is globally enabled. Disable and specify exact keys using ', msg_code('params.permit'), ' instead'),
220
- :confidence => :high
222
+ :confidence => :high,
223
+ :cwe_id => [915]
221
224
  end
222
225
  end
223
226
  end
@@ -26,7 +26,8 @@ class Brakeman::CheckMimeTypeDoS < Brakeman::BaseCheck
26
26
  :message => message,
27
27
  :confidence => :medium,
28
28
  :gem_info => gemfile_or_environment,
29
- :link_path => "https://groups.google.com/d/msg/rubyonrails-security/9oLY_FCzvoc/w9oI9XxbFQAJ"
29
+ :link_path => "https://groups.google.com/d/msg/rubyonrails-security/9oLY_FCzvoc/w9oI9XxbFQAJ",
30
+ :cwe_id => [399]
30
31
  end
31
32
 
32
33
  def has_workaround?
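Review bot: `:cwe_id => [399]` points at CWE-399, which is a CWE category (Resource Management Errors) rather than a weakness entry, and MITRE advises against mapping findings to categories. For a MIME type denial-of-service warning the weakness-level entry would be `:cwe_id => [400]` (Uncontrolled Resource Consumption), assuming the linked advisory describes resource exhaustion. Tools that validate CWE ids against the weakness list may drop or flag 399. The warning call begins above the hunk.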
@@ -31,7 +31,8 @@ class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
31
31
  :warning_code => :dangerous_attr_accessible,
32
32
  :message => "Potentially dangerous attribute available for mass assignment",
33
33
  :confidence => confidence,
34
- :code => Sexp.new(:lit, attribute)
34
+ :code => Sexp.new(:lit, attribute),
35
+ :cwe_id => [915]
35
36
  break # Prevent from matching single attr multiple times
36
37
  end
37
38
  end
@@ -23,7 +23,8 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
23
23
  :warning_type => "Attribute Restriction",
24
24
  :warning_code => :no_attr_accessible,
25
25
  :message => msg("Mass assignment is not restricted using ", msg_code("attr_accessible")),
26
- :confidence => :high
26
+ :confidence => :high,
27
+ :cwe_id => [915] # TODO: Should this be mass assignment?
27
28
  elsif not tracker.options[:ignore_attr_protected]
28
29
  message, confidence, link = check_for_attr_protected_bypass
29
30
 
@@ -39,7 +40,8 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
39
40
  :warning_type => "Attribute Restriction",
40
41
  :warning_code => warning_code,
41
42
  :message => message,
42
- :confidence => confidence
43
+ :confidence => confidence,
44
+ :cwe_id => [915] # TODO: Should this be mass assignment?
43
45
  end
44
46
  end
45
47
  end
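Review bot: The comment `# TODO: Should this be mass assignment?` on both `:cwe_id => [915]` lines in CheckModelAttributes is ambiguous, because 915 is the id the CheckMassAssignment hunks already use for mass assignment. If the open question is whether an "Attribute Restriction" warning belongs under the same CWE, say so: `# TODO: confirm Attribute Restriction warnings should share CWE-915 with Mass Assignment`. As written, a reader cannot tell whether the id or the `:warning_type` is in doubt. Both warning calls start outside their hunks.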
@@ -61,7 +61,8 @@ class Brakeman::CheckModelSerialize < Brakeman::BaseCheck
61
61
  :confidence => confidence,
62
62
  :link => "https://groups.google.com/d/topic/rubyonrails-security/KtmwSbEpzrU/discussion",
63
63
  :file => model.file,
64
- :line => model.top_line
64
+ :line => model.top_line,
65
+ :cwe_id => [502]
65
66
  end
66
67
  end
67
68
  end
@@ -24,7 +24,8 @@ class Brakeman::CheckNestedAttributes < Brakeman::BaseCheck
24
24
  :message => message,
25
25
  :confidence => :high,
26
26
  :gem_info => gemfile_or_environment,
27
- :link_path => "https://groups.google.com/d/topic/rubyonrails-security/-fkT0yja_gw/discussion"
27
+ :link_path => "https://groups.google.com/d/topic/rubyonrails-security/-fkT0yja_gw/discussion",
28
+ :cwe_id => [20]
28
29
  end
29
30
  end
30
31
 
@@ -39,7 +39,8 @@ class Brakeman::CheckNestedAttributesBypass < Brakeman::BaseCheck
39
39
  :file => model.file,
40
40
  :line => args.line,
41
41
  :confidence => :medium,
42
- :link_path => "https://groups.google.com/d/msg/rubyonrails-security/cawsWcQ6c8g/tegZtYdbFQAJ"
42
+ :link_path => "https://groups.google.com/d/msg/rubyonrails-security/cawsWcQ6c8g/tegZtYdbFQAJ",
43
+ :cwe_id => [284]
43
44
  end
44
45
 
45
46
  def allow_destroy? arg