brakeman 0.6.0 → 0.6.1
@@ -16,11 +16,13 @@ class CheckCrossSiteScripting < BaseCheck
|
|
16
16
|
|
17
17
|
#Ignore these methods and their arguments.
|
18
18
|
#It is assumed they will take care of escaping their output.
|
19
|
-
IGNORE_METHODS = Set.new([:
|
20
|
-
:
|
21
|
-
:
|
22
|
-
:
|
23
|
-
:
|
19
|
+
IGNORE_METHODS = Set.new([:button_to, :check_box, :escapeHTML, :escape_once,
|
20
|
+
:field_field, :fields_for, :h, :hidden_field,
|
21
|
+
:hidden_field, :hidden_field_tag, :image_tag, :label,
|
22
|
+
:link_to, :mail_to, :radio_button, :select,
|
23
|
+
:submit_tag, :text_area, :text_field,
|
24
|
+
:text_field_tag, :url_encode, :url_for,
|
25
|
+
:will_paginate] )
|
24
26
|
|
25
27
|
#Model methods which are known to be harmless
|
26
28
|
IGNORE_MODEL_METHODS = Set.new([:average, :count, :maximum, :minimum, :sum])
|
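Review bot: `:hidden_field` appears twice in the new IGNORE_METHODS list (new-side lines 20 and 21), and `:field_field` on line 20 matches no Rails form helper — it reads like a typo for `:file_field`, which as written is not ignored. The list also bakes in the comment's assumption that every listed helper escapes its output, and that does not hold uniformly: at least in Rails 2.x, `link_to` and `mail_to` emit the anchor text they are given without escaping it, so `link_to params[:name], some_path` is silenced by this entry. If that trade-off is deliberate it should be recorded next to the list, e.g. `#NOTE: link_to/mail_to escape the URL but not the link text; unescaped link text is not reported here`; otherwise those two entries deserve narrower handling than a blanket ignore.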
@@ -150,6 +152,8 @@ class CheckCrossSiteScripting < BaseCheck
|
|
150
152
|
message = "Unescaped model attribute"
|
151
153
|
elsif @matched == :params
|
152
154
|
message = "Unescaped parameter value"
|
155
|
+
elsif @matched == :cookies
|
156
|
+
message = "Unescaped cookie value"
|
153
157
|
end
|
154
158
|
|
155
159
|
if message and not duplicate? exp
|
@@ -197,8 +201,9 @@ class CheckCrossSiteScripting < BaseCheck
|
|
197
201
|
exp[0] = :ignore
|
198
202
|
@matched = false
|
199
203
|
elsif sexp? exp[1] and model_name? exp[1][1]
|
200
|
-
|
201
204
|
@matched = :model
|
205
|
+
elsif cookies? exp or cookies? target or COOKIES == exp or COOKIES == target
|
206
|
+
@matched = :cookies
|
202
207
|
elsif @inspect_arguments and (ALL_PARAMETERS.include?(exp) or params? exp)
|
203
208
|
@matched = :params
|
204
209
|
elsif @inspect_arguments
|
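Review bot: The new `:cookies` branch at new-side line 205 is reached regardless of `@inspect_arguments`, while the `:params` branch immediately below it is gated on that flag; if the flag is meant to decide whether call arguments are inspected at all, a `cookies` reference in argument position is now reported even when the user opted out. If that asymmetry is intended, a one-line comment above the branch saying so would stop a later maintainer from "fixing" it. Separately, the condition uses `or` for boolean logic; `||` avoids the precedence surprises `or` is known for, but then the calls need parentheses because `||` binds tighter than a bare method argument: `elsif cookies?(exp) || cookies?(target) || COOKIES == exp || COOKIES == target`. The enclosing method starts and ends outside this hunk.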
@@ -27,10 +27,9 @@ class CheckSessionSettings < BaseCheck
|
|
27
27
|
def process_attrasgn exp
|
28
28
|
if not OPTIONS[:rails3] and exp[1] == SessionSettings and exp[2] == :session=
|
29
29
|
check_for_issues exp[3][1], "#{OPTIONS[:app_path]}/config/initializers/session_store.rb"
|
30
|
-
exp
|
31
|
-
else
|
32
|
-
super
|
33
30
|
end
|
31
|
+
|
32
|
+
exp
|
34
33
|
end
|
35
34
|
|
36
35
|
#Looks for Rails3::Application.config.session_store :cookie_store, { ... }
|
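Review bot: Removing the `else super` branch means a non-matching `attrasgn` is now returned as-is instead of being handed to the superclass, which presumably is what walked its child nodes; any `SessionSettings.session=` assignment nested inside another expression would no longer be visited. That is harmless if the session setting is only ever a top-level statement of the initializer, but nothing in the method states that assumption. The same change is made to `process_call` in the next hunk. A comment above the `if`, such as `#Session settings are expected as top-level statements of the initializer; nested nodes are intentionally not traversed`, would make the intent explicit in both places.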
@@ -38,10 +37,9 @@ class CheckSessionSettings < BaseCheck
|
|
38
37
|
def process_call exp
|
39
38
|
if OPTIONS[:rails3] and exp[1] == SessionSettings and exp[2] == :session_store
|
40
39
|
check_for_issues exp[3][2], "#{OPTIONS[:app_path]}/config/initializers/session_store.rb"
|
41
|
-
exp
|
42
|
-
else
|
43
|
-
super
|
44
40
|
end
|
41
|
+
|
42
|
+
exp
|
45
43
|
end
|
46
44
|
|
47
45
|
private
|
@@ -39,12 +39,14 @@ class CheckValidationRegex < BaseCheck
|
|
39
39
|
return unless regexp? value
|
40
40
|
|
41
41
|
regex = value[1].inspect
|
42
|
-
if regex =~
|
43
|
-
|
44
|
-
:
|
45
|
-
|
46
|
-
|
47
|
-
|
42
|
+
if regex =~ /^\/(.{2}).*(.{2})\/(m|i|x|n|e|u|s|o)*\z/
|
43
|
+
if $1 != "\\A" or ($2 != "\\Z" and $2 != "\\z")
|
44
|
+
warn :model => @current_model,
|
45
|
+
:warning_type => "Format Validation",
|
46
|
+
:message => "Insufficient validation for '#{get_name validator}' using #{value[1].inspect}. Use \\A and \\z as anchors",
|
47
|
+
:line => value.line,
|
48
|
+
:confidence => CONFIDENCE[:high]
|
49
|
+
end
|
48
50
|
end
|
49
51
|
end
|
50
52
|
|
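Review bot: The pattern on new-side line 42 requires at least four characters between the slashes (`(.{2}).*(.{2})`), so a short unanchored regex such as `/\d/` or `/ab/` never matches it and is silently not reported. On line 43 `\Z` is accepted even though the message tells the user to use `\z`; `\Z` still matches before a single trailing newline, so a value like `"foo\n"` passes a `\Z`-anchored validation, and either the check should treat `\Z` as insufficient or the message should say it is tolerated. Since `value[1].inspect` yields `/.../flags`, `value[1]` looks like a Regexp object; if so, `src = value[1].source` followed by `if !src.start_with?("\\A") or !src.end_with?("\\z")` replaces the fragile inspect/`$1`/`$2` dance, covers short regexes, and drops the `^`-anchored match that this very check warns about. The enclosing method starts outside this hunk.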
data/lib/version.rb
CHANGED
@@ -1 +1 @@
|
|
1
|
-
Version = "0.6.
|
1
|
+
Version = "0.6.1"
|
metadata
CHANGED
@@ -5,8 +5,8 @@ version: !ruby/object:Gem::Version
|
|
5
5
|
segments:
|
6
6
|
- 0
|
7
7
|
- 6
|
8
|
-
-
|
9
|
-
version: 0.6.
|
8
|
+
- 1
|
9
|
+
version: 0.6.1
|
10
10
|
platform: ruby
|
11
11
|
authors:
|
12
12
|
- Justin Collins
|
@@ -14,7 +14,7 @@ autorequire:
|
|
14
14
|
bindir: bin
|
15
15
|
cert_chain: []
|
16
16
|
|
17
|
-
date: 2011-07-
|
17
|
+
date: 2011-07-29 00:00:00 -07:00
|
18
18
|
default_executable:
|
19
19
|
dependencies:
|
20
20
|
- !ruby/object:Gem::Dependency
|