brakeman 0.3.1 → 0.3.2
Sign up to get free protection for your applications and to get access to all the features.
- data/README.md +4 -4
- data/bin/brakeman +5 -0
- data/lib/checks/check_mass_assignment.rb +3 -1
- data/lib/scanner.rb +1 -1
- data/lib/version.rb +1 -1
- metadata +5 -13
data/README.md
CHANGED
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
|
|
3
3
|
Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
|
|
4
4
|
|
|
5
|
-
It targets Rails versions > 2.0
|
|
5
|
+
It targets Rails versions > 2.0 with experimental support for Rails 3.x
|
|
6
6
|
|
|
7
7
|
# Installation
|
|
8
8
|
|
|
@@ -25,7 +25,7 @@ To specify an output file for the results:
|
|
|
25
25
|
|
|
26
26
|
brakeman -o output_file app_path
|
|
27
27
|
|
|
28
|
-
The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, and `
|
|
28
|
+
The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `csv`, and `tabs`.
|
|
29
29
|
|
|
30
30
|
To suppress informational warnings and just output the report:
|
|
31
31
|
|
|
@@ -51,7 +51,7 @@ To indicate certain methods are "safe":
|
|
|
51
51
|
|
|
52
52
|
brakeman -s benign_method,totally_safe app_path
|
|
53
53
|
|
|
54
|
-
By default, brakeman will assume that unknown methods involving untrusted data are dangerous. For example, this would a warning:
|
|
54
|
+
By default, brakeman will assume that unknown methods involving untrusted data are dangerous. For example, this would cause a warning (Rails 2):
|
|
55
55
|
|
|
56
56
|
<%= some_method(:option => params[:input]) %>
|
|
57
57
|
|
|
@@ -81,7 +81,7 @@ To only get warnings above a given confidence level:
|
|
|
81
81
|
|
|
82
82
|
brakeman -w3 app_path
|
|
83
83
|
|
|
84
|
-
The `-w` switch takes a number from 1 to 3, with 1 being low (all warnings) and 3 being high (only
|
|
84
|
+
The `-w` switch takes a number from 1 to 3, with 1 being low (all warnings) and 3 being high (only highest confidence warnings).
|
|
85
85
|
|
|
86
86
|
# Configuration files
|
|
87
87
|
|
data/bin/brakeman
CHANGED
|
@@ -243,6 +243,11 @@ abort("Please supply the path to a Rails application.") unless app_path and File
|
|
|
243
243
|
|
|
244
244
|
warn "[Notice] Using Ruby #{RUBY_VERSION}. Please make sure this matches the one used to run your Rails application."
|
|
245
245
|
|
|
246
|
+
if File.exist? app_path + "/script/rails"
|
|
247
|
+
OPTIONS[:rails3] = true
|
|
248
|
+
warn "[Notice] Detected Rails 3 application. Enabling experimental Rails 3 support."
|
|
249
|
+
end
|
|
250
|
+
|
|
246
251
|
#Load scanner
|
|
247
252
|
begin
|
|
248
253
|
require 'scanner'
|
data/lib/scanner.rb
CHANGED
|
@@ -61,7 +61,7 @@ class Scanner
|
|
|
61
61
|
@processor.process_config(RubyParser.new.parse(File.read("#@path/config/gems.rb")))
|
|
62
62
|
end
|
|
63
63
|
|
|
64
|
-
if File.exists? "#@path/vendor/plugins/rails_xss"
|
|
64
|
+
if File.exists? "#@path/vendor/plugins/rails_xss" or OPTIONS[:rails3]
|
|
65
65
|
tracker.config[:escape_html] = true
|
|
66
66
|
warn "[Notice] Escaping HTML by default"
|
|
67
67
|
end
|
data/lib/version.rb
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
Version = "0.3.
|
|
1
|
+
Version = "0.3.2"
|
metadata
CHANGED
|
@@ -1,13 +1,12 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: brakeman
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
|
|
5
|
-
prerelease:
|
|
4
|
+
prerelease: false
|
|
6
5
|
segments:
|
|
7
6
|
- 0
|
|
8
7
|
- 3
|
|
9
|
-
-
|
|
10
|
-
version: 0.3.
|
|
8
|
+
- 2
|
|
9
|
+
version: 0.3.2
|
|
11
10
|
platform: ruby
|
|
12
11
|
authors:
|
|
13
12
|
- Justin Collins
|
|
@@ -15,7 +14,7 @@ autorequire:
|
|
|
15
14
|
bindir: bin
|
|
16
15
|
cert_chain: []
|
|
17
16
|
|
|
18
|
-
date: 2011-05-
|
|
17
|
+
date: 2011-05-12 00:00:00 -07:00
|
|
19
18
|
default_executable:
|
|
20
19
|
dependencies:
|
|
21
20
|
- !ruby/object:Gem::Dependency
|
|
@@ -26,7 +25,6 @@ dependencies:
|
|
|
26
25
|
requirements:
|
|
27
26
|
- - ~>
|
|
28
27
|
- !ruby/object:Gem::Version
|
|
29
|
-
hash: 7
|
|
30
28
|
segments:
|
|
31
29
|
- 2
|
|
32
30
|
- 2
|
|
@@ -41,7 +39,6 @@ dependencies:
|
|
|
41
39
|
requirements:
|
|
42
40
|
- - ~>
|
|
43
41
|
- !ruby/object:Gem::Version
|
|
44
|
-
hash: 23
|
|
45
42
|
segments:
|
|
46
43
|
- 1
|
|
47
44
|
- 2
|
|
@@ -57,7 +54,6 @@ dependencies:
|
|
|
57
54
|
requirements:
|
|
58
55
|
- - ~>
|
|
59
56
|
- !ruby/object:Gem::Version
|
|
60
|
-
hash: 9
|
|
61
57
|
segments:
|
|
62
58
|
- 1
|
|
63
59
|
- 6
|
|
@@ -73,7 +69,6 @@ dependencies:
|
|
|
73
69
|
requirements:
|
|
74
70
|
- - ~>
|
|
75
71
|
- !ruby/object:Gem::Version
|
|
76
|
-
hash: 29
|
|
77
72
|
segments:
|
|
78
73
|
- 2
|
|
79
74
|
- 6
|
|
@@ -89,7 +84,6 @@ dependencies:
|
|
|
89
84
|
requirements:
|
|
90
85
|
- - ~>
|
|
91
86
|
- !ruby/object:Gem::Version
|
|
92
|
-
hash: 31
|
|
93
87
|
segments:
|
|
94
88
|
- 3
|
|
95
89
|
- 0
|
|
@@ -172,7 +166,6 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
172
166
|
requirements:
|
|
173
167
|
- - ">="
|
|
174
168
|
- !ruby/object:Gem::Version
|
|
175
|
-
hash: 3
|
|
176
169
|
segments:
|
|
177
170
|
- 0
|
|
178
171
|
version: "0"
|
|
@@ -181,14 +174,13 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
181
174
|
requirements:
|
|
182
175
|
- - ">="
|
|
183
176
|
- !ruby/object:Gem::Version
|
|
184
|
-
hash: 3
|
|
185
177
|
segments:
|
|
186
178
|
- 0
|
|
187
179
|
version: "0"
|
|
188
180
|
requirements: []
|
|
189
181
|
|
|
190
182
|
rubyforge_project:
|
|
191
|
-
rubygems_version: 1.
|
|
183
|
+
rubygems_version: 1.3.7
|
|
192
184
|
signing_key:
|
|
193
185
|
specification_version: 3
|
|
194
186
|
summary: Security vulnerability scanner for Ruby on Rails.
|