brakeman 0.3.1 → 0.3.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/README.md +4 -4
- data/bin/brakeman +5 -0
- data/lib/checks/check_mass_assignment.rb +3 -1
- data/lib/scanner.rb +1 -1
- data/lib/version.rb +1 -1
- metadata +5 -13
data/README.md
CHANGED
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
|
|
3
3
|
Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
|
|
4
4
|
|
|
5
|
-
It targets Rails versions > 2.0
|
|
5
|
+
It targets Rails versions > 2.0 with experimental support for Rails 3.x
|
|
6
6
|
|
|
7
7
|
# Installation
|
|
8
8
|
|
|
@@ -25,7 +25,7 @@ To specify an output file for the results:
|
|
|
25
25
|
|
|
26
26
|
brakeman -o output_file app_path
|
|
27
27
|
|
|
28
|
-
The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, and `
|
|
28
|
+
The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `csv`, and `tabs`.
|
|
29
29
|
|
|
30
30
|
To suppress informational warnings and just output the report:
|
|
31
31
|
|
|
@@ -51,7 +51,7 @@ To indicate certain methods are "safe":
|
|
|
51
51
|
|
|
52
52
|
brakeman -s benign_method,totally_safe app_path
|
|
53
53
|
|
|
54
|
-
By default, brakeman will assume that unknown methods involving untrusted data are dangerous. For example, this would a warning:
|
|
54
|
+
By default, brakeman will assume that unknown methods involving untrusted data are dangerous. For example, this would cause a warning (Rails 2):
|
|
55
55
|
|
|
56
56
|
<%= some_method(:option => params[:input]) %>
|
|
57
57
|
|
|
@@ -81,7 +81,7 @@ To only get warnings above a given confidence level:
|
|
|
81
81
|
|
|
82
82
|
brakeman -w3 app_path
|
|
83
83
|
|
|
84
|
-
The `-w` switch takes a number from 1 to 3, with 1 being low (all warnings) and 3 being high (only
|
|
84
|
+
The `-w` switch takes a number from 1 to 3, with 1 being low (all warnings) and 3 being high (only highest confidence warnings).
|
|
85
85
|
|
|
86
86
|
# Configuration files
|
|
87
87
|
|
data/bin/brakeman
CHANGED
|
@@ -243,6 +243,11 @@ abort("Please supply the path to a Rails application.") unless app_path and File
|
|
|
243
243
|
|
|
244
244
|
warn "[Notice] Using Ruby #{RUBY_VERSION}. Please make sure this matches the one used to run your Rails application."
|
|
245
245
|
|
|
246
|
+
if File.exist? app_path + "/script/rails"
|
|
247
|
+
OPTIONS[:rails3] = true
|
|
248
|
+
warn "[Notice] Detected Rails 3 application. Enabling experimental Rails 3 support."
|
|
249
|
+
end
|
|
250
|
+
|
|
246
251
|
#Load scanner
|
|
247
252
|
begin
|
|
248
253
|
require 'scanner'
|
data/lib/scanner.rb
CHANGED
|
@@ -61,7 +61,7 @@ class Scanner
|
|
|
61
61
|
@processor.process_config(RubyParser.new.parse(File.read("#@path/config/gems.rb")))
|
|
62
62
|
end
|
|
63
63
|
|
|
64
|
-
if File.exists? "#@path/vendor/plugins/rails_xss"
|
|
64
|
+
if File.exists? "#@path/vendor/plugins/rails_xss" or OPTIONS[:rails3]
|
|
65
65
|
tracker.config[:escape_html] = true
|
|
66
66
|
warn "[Notice] Escaping HTML by default"
|
|
67
67
|
end
|
data/lib/version.rb
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
Version = "0.3.
|
|
1
|
+
Version = "0.3.2"
|
metadata
CHANGED
|
@@ -1,13 +1,12 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: brakeman
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
|
|
5
|
-
prerelease:
|
|
4
|
+
prerelease: false
|
|
6
5
|
segments:
|
|
7
6
|
- 0
|
|
8
7
|
- 3
|
|
9
|
-
-
|
|
10
|
-
version: 0.3.
|
|
8
|
+
- 2
|
|
9
|
+
version: 0.3.2
|
|
11
10
|
platform: ruby
|
|
12
11
|
authors:
|
|
13
12
|
- Justin Collins
|
|
@@ -15,7 +14,7 @@ autorequire:
|
|
|
15
14
|
bindir: bin
|
|
16
15
|
cert_chain: []
|
|
17
16
|
|
|
18
|
-
date: 2011-05-
|
|
17
|
+
date: 2011-05-12 00:00:00 -07:00
|
|
19
18
|
default_executable:
|
|
20
19
|
dependencies:
|
|
21
20
|
- !ruby/object:Gem::Dependency
|
|
@@ -26,7 +25,6 @@ dependencies:
|
|
|
26
25
|
requirements:
|
|
27
26
|
- - ~>
|
|
28
27
|
- !ruby/object:Gem::Version
|
|
29
|
-
hash: 7
|
|
30
28
|
segments:
|
|
31
29
|
- 2
|
|
32
30
|
- 2
|
|
@@ -41,7 +39,6 @@ dependencies:
|
|
|
41
39
|
requirements:
|
|
42
40
|
- - ~>
|
|
43
41
|
- !ruby/object:Gem::Version
|
|
44
|
-
hash: 23
|
|
45
42
|
segments:
|
|
46
43
|
- 1
|
|
47
44
|
- 2
|
|
@@ -57,7 +54,6 @@ dependencies:
|
|
|
57
54
|
requirements:
|
|
58
55
|
- - ~>
|
|
59
56
|
- !ruby/object:Gem::Version
|
|
60
|
-
hash: 9
|
|
61
57
|
segments:
|
|
62
58
|
- 1
|
|
63
59
|
- 6
|
|
@@ -73,7 +69,6 @@ dependencies:
|
|
|
73
69
|
requirements:
|
|
74
70
|
- - ~>
|
|
75
71
|
- !ruby/object:Gem::Version
|
|
76
|
-
hash: 29
|
|
77
72
|
segments:
|
|
78
73
|
- 2
|
|
79
74
|
- 6
|
|
@@ -89,7 +84,6 @@ dependencies:
|
|
|
89
84
|
requirements:
|
|
90
85
|
- - ~>
|
|
91
86
|
- !ruby/object:Gem::Version
|
|
92
|
-
hash: 31
|
|
93
87
|
segments:
|
|
94
88
|
- 3
|
|
95
89
|
- 0
|
|
@@ -172,7 +166,6 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
172
166
|
requirements:
|
|
173
167
|
- - ">="
|
|
174
168
|
- !ruby/object:Gem::Version
|
|
175
|
-
hash: 3
|
|
176
169
|
segments:
|
|
177
170
|
- 0
|
|
178
171
|
version: "0"
|
|
@@ -181,14 +174,13 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
181
174
|
requirements:
|
|
182
175
|
- - ">="
|
|
183
176
|
- !ruby/object:Gem::Version
|
|
184
|
-
hash: 3
|
|
185
177
|
segments:
|
|
186
178
|
- 0
|
|
187
179
|
version: "0"
|
|
188
180
|
requirements: []
|
|
189
181
|
|
|
190
182
|
rubyforge_project:
|
|
191
|
-
rubygems_version: 1.
|
|
183
|
+
rubygems_version: 1.3.7
|
|
192
184
|
signing_key:
|
|
193
185
|
specification_version: 3
|
|
194
186
|
summary: Security vulnerability scanner for Ruby on Rails.
|