brakeman 0.0.2 → 0.0.3

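--- a/data/README.md
+++ b/data/README.md
@@ -6,44 +6,50 @@ It targets Rails versions > 2.0 and < 3.0.
 
 # Installation
 
+Using RubyGems:
+
+gem install brakeman
+
+From source:
+
 gem build brakeman.gemspec
 gem install brakeman*.gem
 
 # Usage
 
-brakeman path/to/rails/app/root
+brakeman app_path
 
 # Options
 
 To specify an output file for the results:
 
-brakeman -o output_file path/to/rails/app/root
+brakeman -o output_file app_path
 
 The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, and `csv`.
 
 To suppress informational warnings and just output the report:
 
-brakeman -q path/to/rails/app/root
+brakeman -q app_path
 
 To see all kinds of debugging information:
 
-brakeman -d path/to/rails/app/root
+brakeman -d app_path
 
 Specific checks can be skipped, if desired. The name needs to be the correct case. For example, to skip looking for default routes (`DefaultRoutes`):
 
-brakeman -x DefaultRoutes path/to/rails/app/root
+brakeman -x DefaultRoutes app_path
 
 Multiple checks should be separated by a comma:
 
-brakeman -x DefaultRoutes,Redirect path/to/rails/app/root
+brakeman -x DefaultRoutes,Redirect app_path
 
 To do the opposite and only run a certain set of tests:
 
-brakeman -t SQL,ValidationRegex path/to/rails/app/root
+brakeman -t SQL,ValidationRegex app_path
 
 To indicate certain methods are "safe":
 
-brakeman -s benign_method,totally_safe path/to/rails/app/root
+brakeman -s benign_method,totally_safe app_path
 
 By default, brakeman will assume that unknown methods involving untrusted data are dangerous. For example, this would a warning:
 
@@ -51,7 +57,7 @@ By default, brakeman will assume that unknown methods involving untrusted data a
 
 To only raise warnings only when untrusted data is being directly used:
 
-brakeman -r path/to/rails/app/root
+brakeman -r app_path
 
 # Warning information
 
@@ -73,7 +79,7 @@ There are three levels of confidence:
 
 To only get warnings above a given confidence level:
 
-brakeman -w3 /path/to/rails/app/root
+brakeman -w3 app_path
 
 The `-w` switch takes a number from 1 to 3, with 1 being low (all warnings) and 3 being high (only high confidence warnings).
 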
@@ -9,8 +9,6 @@ class CheckEvaluation < BaseCheck
9
9
  def run_check
10
10
  calls = tracker.find_call nil, [:eval, :instance_eval, :class_eval, :module_eval]
11
11
 
12
- @templates = tracker.templates
13
-
14
12
  calls.each do |call|
15
13
  process_result call
16
14
  end
@@ -210,6 +210,8 @@ class BaseProcessor < SexpProcessor
210
210
  elsif args[1].is_a? Symbol or args[1].is_a? String
211
211
  type = :action
212
212
  value = Sexp.new(:lit, args[1].to_sym)
213
+ elsif args[1].nil?
214
+ type = :default
213
215
  elsif not hash? args[1]
214
216
  type = :action
215
217
  value = args[1]
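Review bot: The added `elsif args[1].nil?` branch sets `type = :default` but, unlike the `:action` branches on either side of it, never assigns `value`, so whatever consumes the `type`/`value` pair afterwards will see `value` as nil or as a leftover from an earlier assignment; that consumer is outside the hunk, so I cannot confirm whether it tolerates that. Making it explicit costs one line, `value = nil`, and a short comment on the branch such as `# second argument absent: treat as the default target rather than an :action with a nil value` records why nil is handled before the `hash?` test, which it presumably would otherwise have reached. The enclosing method starts and ends outside this hunk.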
@@ -201,4 +201,33 @@ class OutputProcessor < Ruby2Ruby
201
201
  exp.clear
202
202
  out
203
203
  end
204
+
205
+ #This is copied from Ruby2Ruby, except the :string_eval type has been added
206
+ def util_dthing(type, exp)
207
+ s = []
208
+
209
+ # first item in sexp is a string literal
210
+ s << dthing_escape(type, exp.shift)
211
+
212
+ until exp.empty?
213
+ pt = exp.shift
214
+ case pt
215
+ when Sexp then
216
+ case pt.first
217
+ when :str then
218
+ s << dthing_escape(type, pt.last)
219
+ when :evstr, :string_eval then
220
+ s << '#{' << process(pt) << '}' # do not use interpolation here
221
+ else
222
+ raise "unknown type: #{pt.inspect}"
223
+ end
224
+ else
225
+ # HACK: raise "huh?: #{pt.inspect}" -- hitting # constants in regexps
226
+ # do nothing for now
227
+ end
228
+ end
229
+
230
+ s.join
231
+ end
232
+
204
233
  end
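Review bot: `util_dthing` overrides a helper inherited from Ruby2Ruby and calls `dthing_escape`, which is defined in that gem and not here, yet the header comment records neither which ruby2ruby version the body was copied from nor a version pin, so a gem upgrade that changes the helper's signature or the sexp layout would break this override with no local change to point at; I would extend the comment to `#Copied from Ruby2Ruby <version>, with :string_eval added alongside :evstr; re-check after any ruby2ruby upgrade` and keep the dependency pinned to match (the gemspec dependency list is not in this hunk). The copied `else` branch also still discards any non-Sexp part without trace, which for a security scanner means the code quoted in a warning can silently omit fragments of an interpolated string; surfacing that case in debug output rather than dropping it would help triage. The `class OutputProcessor` header lies outside the hunk.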
metadata CHANGED
@@ -1,13 +1,13 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: brakeman
3
3
  version: !ruby/object:Gem::Version
4
- hash: 27
4
+ hash: 25
5
5
  prerelease: false
6
6
  segments:
7
7
  - 0
8
8
  - 0
9
- - 2
10
- version: 0.0.2
9
+ - 3
10
+ version: 0.0.3
11
11
  platform: ruby
12
12
  authors:
13
13
  - Justin Collins
@@ -15,7 +15,7 @@ autorequire:
15
15
  bindir: bin
16
16
  cert_chain: []
17
17
 
18
- date: 2010-08-27 00:00:00 -07:00
18
+ date: 2010-10-15 00:00:00 -07:00
19
19
  default_executable:
20
20
  dependencies:
21
21
  - !ruby/object:Gem::Dependency
@@ -111,47 +111,47 @@ files:
111
111
  - WARNING_TYPES
112
112
  - FEATURES
113
113
  - README.md
114
- - lib/report.rb
115
- - lib/processor.rb
116
- - lib/tracker.rb
114
+ - lib/warning.rb
115
+ - lib/processors/params_processor.rb
116
+ - lib/processors/controller_alias_processor.rb
117
+ - lib/processors/base_processor.rb
117
118
  - lib/processors/controller_processor.rb
118
- - lib/processors/route_processor.rb
119
- - lib/processors/alias_processor.rb
120
119
  - lib/processors/library_processor.rb
121
- - lib/processors/params_processor.rb
122
- - lib/processors/lib/render_helper.rb
120
+ - lib/processors/erb_template_processor.rb
121
+ - lib/processors/haml_template_processor.rb
122
+ - lib/processors/template_alias_processor.rb
123
+ - lib/processors/route_processor.rb
124
+ - lib/processors/model_processor.rb
123
125
  - lib/processors/lib/find_call.rb
124
- - lib/processors/lib/find_model_call.rb
125
126
  - lib/processors/lib/processor_helper.rb
126
- - lib/processors/erubis_template_processor.rb
127
- - lib/processors/template_alias_processor.rb
128
- - lib/processors/erb_template_processor.rb
129
- - lib/processors/controller_alias_processor.rb
130
- - lib/processors/config_processor.rb
127
+ - lib/processors/lib/find_model_call.rb
128
+ - lib/processors/lib/render_helper.rb
129
+ - lib/processors/alias_processor.rb
131
130
  - lib/processors/output_processor.rb
132
- - lib/processors/base_processor.rb
133
- - lib/processors/haml_template_processor.rb
131
+ - lib/processors/config_processor.rb
132
+ - lib/processors/erubis_template_processor.rb
134
133
  - lib/processors/template_processor.rb
135
- - lib/processors/model_processor.rb
136
- - lib/warning.rb
137
- - lib/checks/check_evaluation.rb
138
- - lib/checks/check_session_settings.rb
139
- - lib/checks/check_cross_site_scripting.rb
140
134
  - lib/checks/check_send_file.rb
135
+ - lib/checks/check_session_settings.rb
136
+ - lib/checks/check_sql.rb
141
137
  - lib/checks/check_mass_assignment.rb
142
- - lib/checks/check_default_routes.rb
138
+ - lib/checks/check_cross_site_scripting.rb
143
139
  - lib/checks/check_model_attributes.rb
144
- - lib/checks/check_file_access.rb
145
- - lib/checks/check_render.rb
146
- - lib/checks/check_forgery_setting.rb
147
- - lib/checks/base_check.rb
148
- - lib/checks/check_redirect.rb
140
+ - lib/checks/check_default_routes.rb
141
+ - lib/checks/check_evaluation.rb
149
142
  - lib/checks/check_validation_regex.rb
150
- - lib/checks/check_sql.rb
151
143
  - lib/checks/check_execute.rb
144
+ - lib/checks/base_check.rb
145
+ - lib/checks/check_file_access.rb
146
+ - lib/checks/check_redirect.rb
147
+ - lib/checks/check_forgery_setting.rb
148
+ - lib/checks/check_render.rb
149
+ - lib/tracker.rb
152
150
  - lib/util.rb
153
- - lib/checks.rb
151
+ - lib/report.rb
154
152
  - lib/scanner.rb
153
+ - lib/checks.rb
154
+ - lib/processor.rb
155
155
  - lib/format/style.css
156
156
  has_rdoc: true
157
157
  homepage: http://github.com/presidentbeef/brakeman