brakeman 0.6.0 → 0.6.1

data/lib/checks/check_cross_site_scripting.rb

@@ -16,11 +16,13 @@ class CheckCrossSiteScripting < BaseCheck
 
   #Ignore these methods and their arguments.
   #It is assumed they will take care of escaping their output.
-  IGNORE_METHODS = Set.new([:h, :escapeHTML, :link_to, :text_field_tag, :hidden_field_tag,
-                           :image_tag, :select, :submit_tag, :hidden_field, :url_encode,
-                           :radio_button, :will_paginate, :button_to, :url_for, :mail_to,
-                           :fields_for, :label, :text_area, :text_field, :hidden_field, :check_box,
-                           :field_field]) 
+  IGNORE_METHODS = Set.new([:button_to, :check_box, :escapeHTML, :escape_once,
+                           :field_field, :fields_for, :h, :hidden_field,
+                           :hidden_field, :hidden_field_tag, :image_tag, :label,
+                           :link_to, :mail_to, :radio_button, :select,
+                           :submit_tag, :text_area, :text_field, 
+                           :text_field_tag, :url_encode, :url_for,
+                           :will_paginate] )
 
   #Model methods which are known to be harmless
   IGNORE_MODEL_METHODS = Set.new([:average, :count, :maximum, :minimum, :sum])
@@ -150,6 +152,8 @@ class CheckCrossSiteScripting < BaseCheck
         message = "Unescaped model attribute" 
       elsif @matched == :params
         message = "Unescaped parameter value" 
+      elsif @matched == :cookies
+        message = "Unescaped cookie value" 
       end
 
       if message and not duplicate? exp
@@ -197,8 +201,9 @@ class CheckCrossSiteScripting < BaseCheck
       exp[0] = :ignore
       @matched = false
     elsif sexp? exp[1] and model_name? exp[1][1]
-
       @matched = :model
+    elsif cookies? exp or cookies? target or COOKIES == exp or COOKIES == target 
+      @matched = :cookies
     elsif @inspect_arguments and (ALL_PARAMETERS.include?(exp) or params? exp)
       @matched = :params
     elsif @inspect_arguments

data/lib/checks/check_session_settings.rb

@@ -27,10 +27,9 @@ class CheckSessionSettings < BaseCheck
   def process_attrasgn exp
     if not OPTIONS[:rails3] and exp[1] == SessionSettings and exp[2] == :session=
       check_for_issues exp[3][1], "#{OPTIONS[:app_path]}/config/initializers/session_store.rb"
-      exp
-    else
-      super
     end
+      
+    exp
   end
 
   #Looks for Rails3::Application.config.session_store :cookie_store, { ... }
@@ -38,10 +37,9 @@ class CheckSessionSettings < BaseCheck
   def process_call exp
     if OPTIONS[:rails3] and exp[1] == SessionSettings and exp[2] == :session_store
         check_for_issues exp[3][2], "#{OPTIONS[:app_path]}/config/initializers/session_store.rb"
-      exp
-    else
-      super
     end
+      
+    exp
   end
 
   private

data/lib/checks/check_validation_regex.rb

@@ -39,12 +39,14 @@ class CheckValidationRegex < BaseCheck
     return unless regexp? value
 
     regex = value[1].inspect
-    if regex =~ /[^\A].*[^\z]\/(m|i|x|n|e|u|s|o)*\z/
-      warn :model => @current_model,
-        :warning_type => "Format Validation", 
-        :message => "Insufficient validation for '#{get_name validator}' using #{value[1].inspect}. Use \\A and \\z as anchors",
-        :line => value.line,
-        :confidence => CONFIDENCE[:high] 
+    if regex =~ /^\/(.{2}).*(.{2})\/(m|i|x|n|e|u|s|o)*\z/
+      if $1 != "\\A" or ($2 != "\\Z" and $2 != "\\z")
+        warn :model => @current_model,
+          :warning_type => "Format Validation", 
+          :message => "Insufficient validation for '#{get_name validator}' using #{value[1].inspect}. Use \\A and \\z as anchors",
+          :line => value.line,
+          :confidence => CONFIDENCE[:high] 
+      end
     end
   end
 

data/lib/version.rb

@@ -1 +1 @@
-Version = "0.6.0"
+Version = "0.6.1"

metadata

@@ -5,8 +5,8 @@ version: !ruby/object:Gem::Version
   segments: 
   - 0
   - 6
-  - 0
-  version: 0.6.0
+  - 1
+  version: 0.6.1
 platform: ruby
 authors: 
 - Justin Collins
@@ -14,7 +14,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-07-20 00:00:00 -07:00
+date: 2011-07-29 00:00:00 -07:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency