brakeman 5.2.2 → 5.3.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGES.md +17 -0
- data/bundle/load.rb +2 -2
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/History.rdoc +6 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/Manifest.txt +0 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/README.rdoc +0 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/composite_sexp_processor.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/pt_testcase.rb +7 -3
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/sexp.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/sexp_matcher.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/sexp_processor.rb +1 -1
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/strict_sexp.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/unique.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/COPYING +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/asciidoc.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/babel.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/bluecloth.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/builder.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/coffee.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/commonmarker.rb +11 -1
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/creole.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/csv.rb +1 -1
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/dummy.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/erb.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/erubi.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/erubis.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/etanni.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/haml.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/kramdown.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/less.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/liquid.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/livescript.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/mapping.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/markaby.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/maruku.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/nokogiri.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/pandoc.rb +23 -15
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/plain.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/prawn.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/radius.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/rdiscount.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/rdoc.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/redcarpet.rb +5 -2
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/redcloth.rb +0 -0
- data/bundle/ruby/2.7.0/gems/tilt-2.0.11/lib/tilt/rst-pandoc.rb +23 -0
- data/bundle/ruby/2.7.0/gems/tilt-2.0.11/lib/tilt/sass.rb +78 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/sigil.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/string.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/template.rb +12 -1
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/typescript.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/wikicloth.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/yajl.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt.rb +2 -1
- data/lib/brakeman/app_tree.rb +9 -1
- data/lib/brakeman/checks/check_basic_auth.rb +4 -2
- data/lib/brakeman/checks/check_basic_auth_timing_attack.rb +2 -1
- data/lib/brakeman/checks/check_content_tag.rb +8 -4
- data/lib/brakeman/checks/check_cookie_serialization.rb +2 -1
- data/lib/brakeman/checks/check_create_with.rb +4 -2
- data/lib/brakeman/checks/check_cross_site_scripting.rb +6 -3
- data/lib/brakeman/checks/check_csrf_token_forgery_cve.rb +2 -1
- data/lib/brakeman/checks/check_default_routes.rb +6 -3
- data/lib/brakeman/checks/check_deserialize.rb +2 -1
- data/lib/brakeman/checks/check_detailed_exceptions.rb +4 -2
- data/lib/brakeman/checks/check_digest_dos.rb +2 -1
- data/lib/brakeman/checks/check_divide_by_zero.rb +2 -1
- data/lib/brakeman/checks/check_dynamic_finders.rb +2 -1
- data/lib/brakeman/checks/check_escape_function.rb +2 -1
- data/lib/brakeman/checks/check_evaluation.rb +2 -1
- data/lib/brakeman/checks/check_execute.rb +6 -3
- data/lib/brakeman/checks/check_file_access.rb +2 -1
- data/lib/brakeman/checks/check_file_disclosure.rb +2 -1
- data/lib/brakeman/checks/check_filter_skipping.rb +2 -1
- data/lib/brakeman/checks/check_force_ssl.rb +2 -1
- data/lib/brakeman/checks/check_forgery_setting.rb +4 -2
- data/lib/brakeman/checks/check_header_dos.rb +2 -1
- data/lib/brakeman/checks/check_i18n_xss.rb +2 -1
- data/lib/brakeman/checks/check_jruby_xml.rb +2 -1
- data/lib/brakeman/checks/check_json_encoding.rb +2 -1
- data/lib/brakeman/checks/check_json_entity_escape.rb +4 -2
- data/lib/brakeman/checks/check_json_parsing.rb +4 -2
- data/lib/brakeman/checks/check_link_to.rb +2 -1
- data/lib/brakeman/checks/check_link_to_href.rb +4 -2
- data/lib/brakeman/checks/check_mail_to.rb +2 -1
- data/lib/brakeman/checks/check_mass_assignment.rb +6 -3
- data/lib/brakeman/checks/check_mime_type_dos.rb +2 -1
- data/lib/brakeman/checks/check_model_attr_accessible.rb +2 -1
- data/lib/brakeman/checks/check_model_attributes.rb +4 -2
- data/lib/brakeman/checks/check_model_serialize.rb +2 -1
- data/lib/brakeman/checks/check_nested_attributes.rb +2 -1
- data/lib/brakeman/checks/check_nested_attributes_bypass.rb +2 -1
- data/lib/brakeman/checks/check_number_to_currency.rb +4 -2
- data/lib/brakeman/checks/check_page_caching_cve.rb +2 -1
- data/lib/brakeman/checks/check_permit_attributes.rb +2 -1
- data/lib/brakeman/checks/check_quote_table_name.rb +2 -1
- data/lib/brakeman/checks/check_redirect.rb +2 -1
- data/lib/brakeman/checks/check_regex_dos.rb +2 -1
- data/lib/brakeman/checks/check_render.rb +4 -2
- data/lib/brakeman/checks/check_render_dos.rb +2 -1
- data/lib/brakeman/checks/check_render_inline.rb +4 -2
- data/lib/brakeman/checks/check_response_splitting.rb +2 -1
- data/lib/brakeman/checks/check_reverse_tabnabbing.rb +2 -1
- data/lib/brakeman/checks/check_route_dos.rb +2 -1
- data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +2 -1
- data/lib/brakeman/checks/check_sanitize_config_cve.rb +120 -0
- data/lib/brakeman/checks/check_sanitize_methods.rb +6 -3
- data/lib/brakeman/checks/check_secrets.rb +2 -1
- data/lib/brakeman/checks/check_select_tag.rb +2 -1
- data/lib/brakeman/checks/check_select_vulnerability.rb +2 -1
- data/lib/brakeman/checks/check_send.rb +2 -1
- data/lib/brakeman/checks/check_session_manipulation.rb +2 -1
- data/lib/brakeman/checks/check_session_settings.rb +6 -3
- data/lib/brakeman/checks/check_simple_format.rb +4 -2
- data/lib/brakeman/checks/check_single_quotes.rb +2 -1
- data/lib/brakeman/checks/check_skip_before_filter.rb +4 -2
- data/lib/brakeman/checks/check_sprockets_path_traversal.rb +2 -1
- data/lib/brakeman/checks/check_sql.rb +4 -2
- data/lib/brakeman/checks/check_sql_cves.rb +4 -2
- data/lib/brakeman/checks/check_ssl_verify.rb +2 -1
- data/lib/brakeman/checks/check_strip_tags.rb +6 -3
- data/lib/brakeman/checks/check_symbol_dos.rb +2 -1
- data/lib/brakeman/checks/check_symbol_dos_cve.rb +2 -1
- data/lib/brakeman/checks/check_template_injection.rb +2 -1
- data/lib/brakeman/checks/check_translate_bug.rb +2 -1
- data/lib/brakeman/checks/check_unsafe_reflection.rb +2 -1
- data/lib/brakeman/checks/check_unsafe_reflection_methods.rb +2 -1
- data/lib/brakeman/checks/check_unscoped_find.rb +2 -1
- data/lib/brakeman/checks/check_validation_regex.rb +2 -1
- data/lib/brakeman/checks/check_verb_confusion.rb +2 -1
- data/lib/brakeman/checks/check_weak_hash.rb +6 -3
- data/lib/brakeman/checks/check_without_protection.rb +2 -1
- data/lib/brakeman/checks/check_xml_dos.rb +2 -1
- data/lib/brakeman/checks/check_yaml_parsing.rb +4 -2
- data/lib/brakeman/checks/eol_check.rb +4 -2
- data/lib/brakeman/options.rb +1 -1
- data/lib/brakeman/processors/alias_processor.rb +24 -1
- data/lib/brakeman/processors/lib/find_all_calls.rb +1 -0
- data/lib/brakeman/report/ignore/interactive.rb +2 -2
- data/lib/brakeman/report/report_csv.rb +2 -0
- data/lib/brakeman/report/report_junit.rb +2 -2
- data/lib/brakeman/report/report_table.rb +5 -5
- data/lib/brakeman/report/report_text.rb +2 -0
- data/lib/brakeman/report/templates/controller_warnings.html.erb +2 -0
- data/lib/brakeman/report/templates/ignored_warnings.html.erb +2 -0
- data/lib/brakeman/report/templates/model_warnings.html.erb +2 -0
- data/lib/brakeman/report/templates/security_warnings.html.erb +2 -0
- data/lib/brakeman/report/templates/view_warnings.html.erb +2 -0
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning.rb +5 -2
- data/lib/brakeman/warning_codes.rb +1 -0
- metadata +53 -52
- data/bundle/ruby/2.7.0/gems/tilt-2.0.10/lib/tilt/rst-pandoc.rb +0 -18
- data/bundle/ruby/2.7.0/gems/tilt-2.0.10/lib/tilt/sass.rb +0 -52
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 828d560cb256d564c8e79fc7222e7c7edea911639a6c4b45699901371d0c750b
|
4
|
+
data.tar.gz: c9e8791df7f77b1e6a8d3bfe9cf0f5b753325171021fdafac3531f96edd3b7e1
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 8d29d985cdba9407830c4881372dc4c8ba4cd635c1c48c6cfb16c6fc6b0ef7993816460af301cdf5ca51b096bfdf30699286d6d9fffaae79fff042160b481a87
|
7
|
+
data.tar.gz: 5d1824dba9dfd9661eccc7ed2a2bb9d2fd1c8d80e131bf0f97ab31cebc738f920682fe7204a8b84ee49c884c8730c2425ef20bd15f2b53c3ada1a2332d75779e
|
data/CHANGES.md
CHANGED
@@ -1,3 +1,20 @@
|
|
1
|
+
# 5.3.1 - 2022-08-09
|
2
|
+
|
3
|
+
* Fix version range for CVE-2022-32209
|
4
|
+
|
5
|
+
# 5.3.0 - 2022-08-09
|
6
|
+
|
7
|
+
* Include explicit engine or lib paths in vendor/ (Joe Rafaniello)
|
8
|
+
* Load rexml as a Brakeman dependency
|
9
|
+
* Fix "full call" information propagating unnecessarily
|
10
|
+
* Add check for CVE-2022-32209
|
11
|
+
* Add CWE information to warnings (Stephen Aghaulor)
|
12
|
+
|
13
|
+
# 5.2.3 - 2022-05-01
|
14
|
+
|
15
|
+
* Fix error with hash shorthand syntax
|
16
|
+
* Match order of interactive options with help message (Rory O'Kane)
|
17
|
+
|
1
18
|
# 5.2.2 - 2022-04-06
|
2
19
|
|
3
20
|
* Update `ruby_parser` for Ruby 3.1 support (Merek Skubela)
|
data/bundle/load.rb
CHANGED
@@ -1,8 +1,6 @@
|
|
1
1
|
path = File.expand_path('../..', __FILE__)
|
2
2
|
$:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib"
|
3
3
|
$:.unshift "#{path}/bundle/ruby/2.7.0/gems/temple-0.8.2/lib"
|
4
|
-
$:.unshift "#{path}/bundle/ruby/2.7.0/gems/sexp_processor-4.16.0/lib"
|
5
|
-
$:.unshift "#{path}/bundle/ruby/2.7.0/gems/tilt-2.0.10/lib"
|
6
4
|
$:.unshift "#{path}/bundle/ruby/2.7.0/gems/unicode-display_width-1.8.0/lib"
|
7
5
|
$:.unshift "#{path}/bundle/ruby/2.7.0/gems/slim-4.1.0/lib"
|
8
6
|
$:.unshift "#{path}/bundle/ruby/2.7.0/gems/highline-2.0.3/lib"
|
@@ -10,6 +8,8 @@ $:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby2ruby-2.4.4/lib"
|
|
10
8
|
$:.unshift "#{path}/bundle/ruby/2.7.0/gems/terminal-table-1.8.0/lib"
|
11
9
|
$:.unshift "#{path}/bundle/ruby/2.7.0/gems/haml-5.2.2/lib"
|
12
10
|
$:.unshift "#{path}/bundle/ruby/2.7.0/gems/parallel-1.22.1/lib"
|
11
|
+
$:.unshift "#{path}/bundle/ruby/2.7.0/gems/tilt-2.0.11/lib"
|
12
|
+
$:.unshift "#{path}/bundle/ruby/2.7.0/gems/sexp_processor-4.16.1/lib"
|
13
13
|
$:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby_parser-legacy-1.0.0/lib"
|
14
14
|
$:.unshift "#{path}/bundle/ruby/2.7.0/gems/erubis-2.7.0/lib"
|
15
15
|
$:.unshift "#{path}/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib"
|
File without changes
|
File without changes
|
File without changes
|
data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/pt_testcase.rb
RENAMED
@@ -34,6 +34,12 @@ class Examples
|
|
34
34
|
end
|
35
35
|
|
36
36
|
class ParseTreeTestCase < Minitest::Test
|
37
|
+
all_versions = %w[18 19 20 21 22 23 24 25 26 27 30 31]
|
38
|
+
most_versions = all_versions.drop(1)
|
39
|
+
|
40
|
+
TEST_SUFFIX = "_#{most_versions.join "_"}"
|
41
|
+
VER_RE = /(#{Regexp.union(*all_versions)})/
|
42
|
+
|
37
43
|
attr_accessor :processor # to be defined by subclass
|
38
44
|
|
39
45
|
def setup
|
@@ -77,7 +83,7 @@ class ParseTreeTestCase < Minitest::Test
|
|
77
83
|
end
|
78
84
|
|
79
85
|
def self.add_19tests name, hash
|
80
|
-
add_tests "#{name}
|
86
|
+
add_tests "#{name}_#{TEST_SUFFIX}", hash # HACK?
|
81
87
|
end
|
82
88
|
|
83
89
|
def self.add_19edgecases ruby, sexp, cases
|
@@ -102,8 +108,6 @@ class ParseTreeTestCase < Minitest::Test
|
|
102
108
|
testcases[verbose][klass] = testcases[nonverbose][klass]
|
103
109
|
end
|
104
110
|
|
105
|
-
VER_RE = "(1[89]|2[01234567]|3[0])"
|
106
|
-
|
107
111
|
def self.generate_test klass, node, data, input_name, output_name
|
108
112
|
klass.send :define_method, "test_#{node}" do
|
109
113
|
flunk "Processor is nil" if processor.nil?
|
File without changes
|
data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/sexp_matcher.rb
RENAMED
File without changes
|
data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/strict_sexp.rb
RENAMED
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
@@ -9,21 +9,31 @@ module Tilt
|
|
9
9
|
:smartypants => :SMART
|
10
10
|
}
|
11
11
|
PARSE_OPTIONS = [
|
12
|
+
:FOOTNOTES,
|
13
|
+
:LIBERAL_HTML_TAG,
|
12
14
|
:SMART,
|
13
15
|
:smartypants,
|
16
|
+
:STRIKETHROUGH_DOUBLE_TILDE,
|
17
|
+
:UNSAFE,
|
18
|
+
:VALIDATE_UTF8,
|
14
19
|
].freeze
|
15
20
|
RENDER_OPTIONS = [
|
21
|
+
:FOOTNOTES,
|
22
|
+
:FULL_INFO_STRING,
|
16
23
|
:GITHUB_PRE_LANG,
|
17
24
|
:HARDBREAKS,
|
18
25
|
:NOBREAKS,
|
19
|
-
:SAFE,
|
26
|
+
:SAFE, # Removed in v0.18.0 (2018-10-17)
|
20
27
|
:SOURCEPOS,
|
28
|
+
:TABLE_PREFER_STYLE_ATTRIBUTES,
|
29
|
+
:UNSAFE,
|
21
30
|
].freeze
|
22
31
|
EXTENSIONS = [
|
23
32
|
:autolink,
|
24
33
|
:strikethrough,
|
25
34
|
:table,
|
26
35
|
:tagfilter,
|
36
|
+
:tasklist,
|
27
37
|
].freeze
|
28
38
|
|
29
39
|
def extensions
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
@@ -7,30 +7,38 @@ module Tilt
|
|
7
7
|
class PandocTemplate < Template
|
8
8
|
self.default_mime_type = 'text/html'
|
9
9
|
|
10
|
-
def tilt_to_pandoc_mapping
|
11
|
-
{ :smartypants => :smart,
|
12
|
-
:escape_html => { :f => 'markdown-raw_html' },
|
13
|
-
:commonmark => { :f => 'commonmark' },
|
14
|
-
:markdown_strict => { :f => 'markdown_strict' }
|
15
|
-
}
|
16
|
-
end
|
17
|
-
|
18
10
|
# turn options hash into an array
|
19
11
|
# Map tilt options to pandoc options
|
20
12
|
# Replace hash keys with value true with symbol for key
|
21
13
|
# Remove hash keys with value false
|
22
14
|
# Leave other hash keys untouched
|
23
15
|
def pandoc_options
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
16
|
+
result = []
|
17
|
+
from = "markdown"
|
18
|
+
smart_extension = "-smart"
|
19
|
+
options.each do |k,v|
|
20
|
+
case k
|
21
|
+
when :smartypants
|
22
|
+
smart_extension = "+smart" if v
|
23
|
+
when :escape_html
|
24
|
+
from = "markdown-raw_html" if v
|
25
|
+
when :commonmark
|
26
|
+
from = "commonmark" if v
|
27
|
+
when :markdown_strict
|
28
|
+
from = "markdown_strict" if v
|
30
29
|
else
|
31
|
-
|
30
|
+
case v
|
31
|
+
when true
|
32
|
+
result << k
|
33
|
+
when false
|
34
|
+
# do nothing
|
35
|
+
else
|
36
|
+
result << { k => v }
|
37
|
+
end
|
32
38
|
end
|
33
39
|
end
|
40
|
+
result << { :f => from + smart_extension }
|
41
|
+
result
|
34
42
|
end
|
35
43
|
|
36
44
|
def prepare
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
@@ -75,9 +75,12 @@ module Tilt
|
|
75
75
|
end
|
76
76
|
|
77
77
|
if defined? ::Redcarpet::Render and defined? ::Redcarpet::Markdown
|
78
|
-
|
78
|
+
superclass = Redcarpet2Template
|
79
79
|
else
|
80
|
-
|
80
|
+
superclass = Redcarpet1Template
|
81
|
+
end
|
82
|
+
|
83
|
+
class RedcarpetTemplate < superclass
|
81
84
|
end
|
82
85
|
end
|
83
86
|
|
File without changes
|
@@ -0,0 +1,23 @@
|
|
1
|
+
require 'tilt/template'
|
2
|
+
require 'pandoc'
|
3
|
+
|
4
|
+
module Tilt
|
5
|
+
# Pandoc reStructuredText implementation. See:
|
6
|
+
# http://pandoc.org/
|
7
|
+
class RstPandocTemplate < PandocTemplate
|
8
|
+
self.default_mime_type = 'text/html'
|
9
|
+
|
10
|
+
def prepare
|
11
|
+
@engine = PandocRuby.new(data, :f => "rst")
|
12
|
+
@output = nil
|
13
|
+
end
|
14
|
+
|
15
|
+
def evaluate(scope, locals, &block)
|
16
|
+
@output ||= @engine.to_html.strip
|
17
|
+
end
|
18
|
+
|
19
|
+
def allows_script?
|
20
|
+
false
|
21
|
+
end
|
22
|
+
end
|
23
|
+
end
|
@@ -0,0 +1,78 @@
|
|
1
|
+
require 'tilt/template'
|
2
|
+
|
3
|
+
module Tilt
|
4
|
+
# Sass template implementation. See:
|
5
|
+
# http://haml.hamptoncatlin.com/
|
6
|
+
#
|
7
|
+
# Sass templates do not support object scopes, locals, or yield.
|
8
|
+
class SassTemplate < Template
|
9
|
+
self.default_mime_type = 'text/css'
|
10
|
+
|
11
|
+
begin
|
12
|
+
require 'sass-embedded'
|
13
|
+
require 'uri'
|
14
|
+
Engine = nil
|
15
|
+
rescue LoadError => err
|
16
|
+
begin
|
17
|
+
require 'sassc'
|
18
|
+
Engine = ::SassC::Engine
|
19
|
+
rescue LoadError
|
20
|
+
begin
|
21
|
+
require 'sass'
|
22
|
+
Engine = ::Sass::Engine
|
23
|
+
rescue LoadError
|
24
|
+
raise err
|
25
|
+
end
|
26
|
+
end
|
27
|
+
end
|
28
|
+
|
29
|
+
def prepare
|
30
|
+
@engine = unless Engine.nil?
|
31
|
+
Engine.new(data, sass_options)
|
32
|
+
end
|
33
|
+
end
|
34
|
+
|
35
|
+
def evaluate(scope, locals, &block)
|
36
|
+
@output ||= if @engine.nil?
|
37
|
+
::Sass.compile_string(data, **sass_embedded_options).css
|
38
|
+
else
|
39
|
+
@engine.render
|
40
|
+
end
|
41
|
+
end
|
42
|
+
|
43
|
+
def allows_script?
|
44
|
+
false
|
45
|
+
end
|
46
|
+
|
47
|
+
private
|
48
|
+
def eval_file_url
|
49
|
+
path = File.absolute_path(eval_file)
|
50
|
+
path = '/' + path unless path.start_with?('/')
|
51
|
+
::URI::File.build([nil, ::URI::DEFAULT_PARSER.escape(path)]).to_s
|
52
|
+
end
|
53
|
+
|
54
|
+
def sass_embedded_options
|
55
|
+
options.merge(:url => eval_file_url, :syntax => :indented)
|
56
|
+
end
|
57
|
+
|
58
|
+
def sass_options
|
59
|
+
options.merge(:filename => eval_file, :line => line, :syntax => :sass)
|
60
|
+
end
|
61
|
+
end
|
62
|
+
|
63
|
+
# Sass's new .scss type template implementation.
|
64
|
+
class ScssTemplate < SassTemplate
|
65
|
+
self.default_mime_type = 'text/css'
|
66
|
+
|
67
|
+
private
|
68
|
+
def sass_embedded_options
|
69
|
+
options.merge(:url => eval_file_url, :syntax => :scss)
|
70
|
+
end
|
71
|
+
|
72
|
+
def sass_options
|
73
|
+
options.merge(:filename => eval_file, :line => line, :syntax => :scss)
|
74
|
+
end
|
75
|
+
end
|
76
|
+
|
77
|
+
end
|
78
|
+
|
File without changes
|
File without changes
|
@@ -157,6 +157,8 @@ module Tilt
|
|
157
157
|
raise NotImplementedError
|
158
158
|
end
|
159
159
|
|
160
|
+
CLASS_METHOD = Kernel.instance_method(:class)
|
161
|
+
|
160
162
|
# Execute the compiled template and return the result string. Template
|
161
163
|
# evaluation is guaranteed to be performed in the scope object with the
|
162
164
|
# locals specified and with support for yielding to the block.
|
@@ -166,7 +168,16 @@ module Tilt
|
|
166
168
|
def evaluate(scope, locals, &block)
|
167
169
|
locals_keys = locals.keys
|
168
170
|
locals_keys.sort!{|x, y| x.to_s <=> y.to_s}
|
169
|
-
|
171
|
+
case scope
|
172
|
+
when Object
|
173
|
+
method = compiled_method(locals_keys, Module === scope ? scope : scope.class)
|
174
|
+
else
|
175
|
+
if RUBY_VERSION >= '2'
|
176
|
+
method = compiled_method(locals_keys, CLASS_METHOD.bind(scope).call)
|
177
|
+
else
|
178
|
+
method = compiled_method(locals_keys, Object)
|
179
|
+
end
|
180
|
+
end
|
170
181
|
method.bind(scope).call(locals, &block)
|
171
182
|
end
|
172
183
|
|
File without changes
|
File without changes
|
File without changes
|
@@ -4,7 +4,7 @@ require 'tilt/template'
|
|
4
4
|
# Namespace for Tilt. This module is not intended to be included anywhere.
|
5
5
|
module Tilt
|
6
6
|
# Current version.
|
7
|
-
VERSION = '2.0.
|
7
|
+
VERSION = '2.0.11'
|
8
8
|
|
9
9
|
@default_mapping = Mapping.new
|
10
10
|
|
@@ -161,6 +161,7 @@ module Tilt
|
|
161
161
|
register_lazy 'Slim::Template', 'slim', 'slim'
|
162
162
|
register_lazy 'Tilt::HandlebarsTemplate', 'tilt/handlebars', 'handlebars', 'hbs'
|
163
163
|
register_lazy 'Tilt::OrgTemplate', 'org-ruby', 'org'
|
164
|
+
register_lazy 'Tilt::EmacsOrgTemplate', 'tilt/emacs_org', 'org'
|
164
165
|
register_lazy 'Opal::Processor', 'opal', 'opal', 'rb'
|
165
166
|
register_lazy 'Tilt::JbuilderTemplate', 'tilt/jbuilder', 'jbuilder'
|
166
167
|
end
|
data/lib/brakeman/app_tree.rb
CHANGED
@@ -205,7 +205,7 @@ module Brakeman
|
|
205
205
|
paths.reject do |path|
|
206
206
|
relative_path = path.relative
|
207
207
|
|
208
|
-
if @skip_vendor and relative_path.include? 'vendor/'
|
208
|
+
if @skip_vendor and relative_path.include? 'vendor/' and !in_engine_paths?(path) and !in_add_libs_paths?(path)
|
209
209
|
true
|
210
210
|
else
|
211
211
|
EXCLUDED_PATHS.any? do |excluded|
|
@@ -215,6 +215,14 @@ module Brakeman
|
|
215
215
|
end
|
216
216
|
end
|
217
217
|
|
218
|
+
def in_engine_paths?(path)
|
219
|
+
@engine_paths.any? { |p| path.absolute.include?(p) }
|
220
|
+
end
|
221
|
+
|
222
|
+
def in_add_libs_paths?(path)
|
223
|
+
@additional_libs_path.any? { |p| path.absolute.include?(p) }
|
224
|
+
end
|
225
|
+
|
218
226
|
def match_path files, path
|
219
227
|
absolute_path = Pathname.new(path)
|
220
228
|
# relative root never has a leading separator. But, we use a leading
|
@@ -31,7 +31,8 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
|
|
31
31
|
:message => "Basic authentication password stored in source code",
|
32
32
|
:code => call,
|
33
33
|
:confidence => :high,
|
34
|
-
:file => controller.file
|
34
|
+
:file => controller.file,
|
35
|
+
:cwe_id => [259]
|
35
36
|
break
|
36
37
|
end
|
37
38
|
end
|
@@ -50,7 +51,8 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
|
|
50
51
|
:warning_type => "Basic Auth",
|
51
52
|
:warning_code => :basic_auth_password,
|
52
53
|
:message => "Basic authentication password stored in source code",
|
53
|
-
:confidence => :high
|
54
|
+
:confidence => :high,
|
55
|
+
:cwe_id => [259]
|
54
56
|
end
|
55
57
|
end
|
56
58
|
end
|
@@ -27,7 +27,8 @@ class Brakeman::CheckBasicAuthTimingAttack < Brakeman::BaseCheck
|
|
27
27
|
:warning_code => :CVE_2015_7576,
|
28
28
|
:message => msg("Basic authentication in ", msg_version(rails_version), " is vulnerable to timing attacks. Upgrade to ", msg_version(@upgrade)),
|
29
29
|
:confidence => :high,
|
30
|
-
:link => "https://groups.google.com/d/msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ"
|
30
|
+
:link => "https://groups.google.com/d/msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ",
|
31
|
+
:cwe_id => [1254]
|
31
32
|
end
|
32
33
|
end
|
33
34
|
end
|
@@ -117,7 +117,8 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
|
|
117
117
|
:message => message,
|
118
118
|
:user_input => input,
|
119
119
|
:confidence => :high,
|
120
|
-
:link_path => "content_tag"
|
120
|
+
:link_path => "content_tag",
|
121
|
+
:cwe_id => [79]
|
121
122
|
|
122
123
|
elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(arg)
|
123
124
|
unless IGNORE_MODEL_METHODS.include? match.method
|
@@ -135,7 +136,8 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
|
|
135
136
|
:message => msg("Unescaped model attribute in ", msg_code("content_tag")),
|
136
137
|
:user_input => match,
|
137
138
|
:confidence => confidence,
|
138
|
-
:link_path => "content_tag"
|
139
|
+
:link_path => "content_tag",
|
140
|
+
:cwe_id => [79]
|
139
141
|
end
|
140
142
|
|
141
143
|
elsif @matched
|
@@ -151,7 +153,8 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
|
|
151
153
|
:message => message,
|
152
154
|
:user_input => @matched,
|
153
155
|
:confidence => :medium,
|
154
|
-
:link_path => "content_tag"
|
156
|
+
:link_path => "content_tag",
|
157
|
+
:cwe_id => [79]
|
155
158
|
end
|
156
159
|
end
|
157
160
|
|
@@ -195,7 +198,8 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
|
|
195
198
|
:message => msg(msg_version(rails_version), " ", msg_code("content_tag"), " does not escape double quotes in attribute values ", msg_cve("CVE-2016-6316"), ". Upgrade to ", msg_version(fix_version)),
|
196
199
|
:confidence => confidence,
|
197
200
|
:gem_info => gemfile_or_environment,
|
198
|
-
:link_path => "https://groups.google.com/d/msg/ruby-security-ann/8B2iV2tPRSE/JkjCJkSoCgAJ"
|
201
|
+
:link_path => "https://groups.google.com/d/msg/ruby-security-ann/8B2iV2tPRSE/JkjCJkSoCgAJ",
|
202
|
+
:cwe_id => [79]
|
199
203
|
end
|
200
204
|
end
|
201
205
|
|
@@ -15,7 +15,8 @@ class Brakeman::CheckCookieSerialization < Brakeman::BaseCheck
|
|
15
15
|
:warning_code => :unsafe_cookie_serialization,
|
16
16
|
:message => msg("Use of unsafe cookie serialization strategy ", msg_code(setting.value.inspect), " might lead to remote code execution"),
|
17
17
|
:confidence => :medium,
|
18
|
-
:link_path => "unsafe_deserialization"
|
18
|
+
:link_path => "unsafe_deserialization",
|
19
|
+
:cwe_id => [565, 502]
|
19
20
|
end
|
20
21
|
end
|
21
22
|
end
|
@@ -39,7 +39,8 @@ class Brakeman::CheckCreateWith < Brakeman::BaseCheck
|
|
39
39
|
:result => result,
|
40
40
|
:message => @message,
|
41
41
|
:confidence => confidence,
|
42
|
-
:link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"
|
42
|
+
:link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ",
|
43
|
+
:cwe_id => [915]
|
43
44
|
end
|
44
45
|
end
|
45
46
|
|
@@ -69,6 +70,7 @@ class Brakeman::CheckCreateWith < Brakeman::BaseCheck
|
|
69
70
|
:message => @message,
|
70
71
|
:gem_info => gemfile_or_environment,
|
71
72
|
:confidence => :medium,
|
72
|
-
:link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"
|
73
|
+
:link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ",
|
74
|
+
:cwe_id => [915]
|
73
75
|
end
|
74
76
|
end
|
@@ -82,7 +82,8 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
|
|
82
82
|
:warning_code => :cross_site_scripting,
|
83
83
|
:message => message,
|
84
84
|
:code => input.match,
|
85
|
-
:confidence => :high
|
85
|
+
:confidence => :high,
|
86
|
+
:cwe_id => [79]
|
86
87
|
|
87
88
|
elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(out)
|
88
89
|
method = if call? match
|
@@ -116,7 +117,8 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
|
|
116
117
|
:message => message,
|
117
118
|
:code => match,
|
118
119
|
:confidence => confidence,
|
119
|
-
:link_path => link_path
|
120
|
+
:link_path => link_path,
|
121
|
+
:cwe_id => [79]
|
120
122
|
end
|
121
123
|
|
122
124
|
else
|
@@ -200,7 +202,8 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
|
|
200
202
|
:code => exp,
|
201
203
|
:user_input => @matched,
|
202
204
|
:confidence => confidence,
|
203
|
-
:link_path => link_path
|
205
|
+
:link_path => link_path,
|
206
|
+
:cwe_id => [79]
|
204
207
|
end
|
205
208
|
end
|
206
209
|
|
@@ -21,7 +21,8 @@ class Brakeman::CheckCSRFTokenForgeryCVE < Brakeman::BaseCheck
|
|
21
21
|
:message => msg(msg_version(rails_version), " has a vulnerability that may allow CSRF token forgery. Upgrade to ", msg_version(fix_version), " or patch"),
|
22
22
|
:confidence => :medium,
|
23
23
|
:gem_info => gemfile_or_environment,
|
24
|
-
:link => "https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw"
|
24
|
+
:link => "https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw",
|
25
|
+
:cwe_id => [352]
|
25
26
|
end
|
26
27
|
end
|
27
28
|
end
|