brakeman 0.8.3 → 0.8.4
Sign up to get free protection for your applications and to get access to all the features.
- data/README.md +6 -0
- data/bin/brakeman +9 -1
- data/lib/checks.rb +15 -9
- data/lib/checks/base_check.rb +8 -0
- data/lib/checks/check_default_routes.rb +2 -1
- data/lib/checks/check_escape_function.rb +2 -1
- data/lib/checks/check_filter_skipping.rb +2 -1
- data/lib/checks/check_forgery_setting.rb +4 -2
- data/lib/checks/check_mail_to.rb +2 -1
- data/lib/checks/check_nested_attributes.rb +2 -1
- data/lib/checks/check_quote_table_name.rb +2 -1
- data/lib/checks/check_response_splitting.rb +2 -2
- data/lib/checks/check_strip_tags.rb +2 -1
- data/lib/processors/controller_alias_processor.rb +1 -1
- data/lib/processors/lib/rails2_route_processor.rb +3 -3
- data/lib/util.rb +3 -3
- data/lib/version.rb +1 -1
- metadata +60 -108
data/README.md
CHANGED
@@ -77,6 +77,12 @@ Normally Brakeman will parse `routes.rb` and attempt to infer which controller m
|
|
77
77
|
|
78
78
|
Note that this will be enabled automatically if Brakeman runs into an error while parsing the routes.
|
79
79
|
|
80
|
+
To skip processing the `lib` directory (which is currently only used in a couple situations):
|
81
|
+
|
82
|
+
brakeman --skip-libs
|
83
|
+
|
84
|
+
This can save processing time and memory.
|
85
|
+
|
80
86
|
# Warning information
|
81
87
|
|
82
88
|
See WARNING_TYPES for more information on the warnings reported by this tool.
|
data/bin/brakeman
CHANGED
@@ -101,6 +101,10 @@ OptionParser.new do |opts|
|
|
101
101
|
options[:output_format] = ("to_" << type.to_s).to_sym
|
102
102
|
end
|
103
103
|
|
104
|
+
opts.on "--css-file CSSFile" do |file|
|
105
|
+
options[:html_style] = File.expand_path file
|
106
|
+
end
|
107
|
+
|
104
108
|
opts.on "-l", "--[no]-combine-locations", "Combine warning locations (Default)" do |combine|
|
105
109
|
options[:combine_locations] = combine
|
106
110
|
end
|
@@ -117,10 +121,14 @@ OptionParser.new do |opts|
|
|
117
121
|
options[:output_file] = file
|
118
122
|
end
|
119
123
|
|
124
|
+
opts.on "--separate-models", "Warn on each model without attr_accessible" do
|
125
|
+
options[:collapse_mass_assignment] = false
|
126
|
+
end
|
127
|
+
|
120
128
|
opts.on "-w",
|
121
129
|
"--confidence-level LEVEL",
|
122
130
|
["1", "2", "3"],
|
123
|
-
"Set minimal confidence level (1 - 3)
|
131
|
+
"Set minimal confidence level (1 - 3)" do |level|
|
124
132
|
|
125
133
|
options[:min_confidence] = 3 - level.to_i
|
126
134
|
end
|
data/lib/checks.rb
CHANGED
@@ -8,7 +8,7 @@ require 'thread'
|
|
8
8
|
class Checks
|
9
9
|
@checks = []
|
10
10
|
|
11
|
-
attr_reader :warnings, :controller_warnings, :model_warnings, :template_warnings, :checks_run
|
11
|
+
attr_reader :warnings, :controller_warnings, :model_warnings, :template_warnings, :checks_run
|
12
12
|
|
13
13
|
#Add a check. This will call +_klass_.new+ when running tests
|
14
14
|
def self.add klass
|
@@ -26,7 +26,6 @@ class Checks
|
|
26
26
|
@model_warnings = []
|
27
27
|
@controller_warnings = []
|
28
28
|
@checks_run = []
|
29
|
-
@check_results = Queue.new
|
30
29
|
end
|
31
30
|
|
32
31
|
#Add Warning to list of warnings to report.
|
@@ -98,9 +97,14 @@ class Checks
|
|
98
97
|
warn " - #{c}"
|
99
98
|
|
100
99
|
threads << Thread.new do
|
101
|
-
|
102
|
-
|
103
|
-
|
100
|
+
begin
|
101
|
+
check = c.new(tracker)
|
102
|
+
check.run_check
|
103
|
+
check.warnings
|
104
|
+
rescue Exception => e
|
105
|
+
warn "[#{c.to_s}] #{e}"
|
106
|
+
[]
|
107
|
+
end
|
104
108
|
end
|
105
109
|
|
106
110
|
#Maintain list of which checks were run
|
@@ -111,10 +115,12 @@ class Checks
|
|
111
115
|
|
112
116
|
threads.each { |t| t.join }
|
113
117
|
|
114
|
-
|
115
|
-
|
116
|
-
|
117
|
-
|
118
|
+
warn "Checks finished, collecting results..."
|
119
|
+
|
120
|
+
#Collect results
|
121
|
+
threads.each do |thread|
|
122
|
+
thread.value.each do |warning|
|
123
|
+
check_runner.add_warning warning
|
118
124
|
end
|
119
125
|
end
|
120
126
|
|
data/lib/checks/base_check.rb
CHANGED
@@ -16,10 +16,11 @@ class CheckDefaultRoutes < BaseCheck
|
|
16
16
|
:file => "#{OPTIONS[:app_path]}/config/routes.rb"
|
17
17
|
else #Report each controller separately
|
18
18
|
tracker.routes.each do |name, actions|
|
19
|
-
if actions == :allow_all_actions
|
19
|
+
if actions.is_a? Array and actions[0] == :allow_all_actions
|
20
20
|
warn :controller => name,
|
21
21
|
:warning_type => "Default Routes",
|
22
22
|
:message => "Any public method in #{name} can be used as an action.",
|
23
|
+
:line => actions[1],
|
23
24
|
:confidence => CONFIDENCE[:med],
|
24
25
|
:file => "#{OPTIONS[:app_path]}/config/routes.rb"
|
25
26
|
end
|
@@ -11,7 +11,8 @@ class CheckEscapeFunction < BaseCheck
|
|
11
11
|
|
12
12
|
warn :warning_type => 'Cross Site Scripting',
|
13
13
|
:message => 'Versions before 2.3.14 have a vulnerability in escape method when used with Ruby 1.8: CVE-2011-2931',
|
14
|
-
:confidence => CONFIDENCE[:high]
|
14
|
+
:confidence => CONFIDENCE[:high],
|
15
|
+
:file => gemfile_or_environment
|
15
16
|
end
|
16
17
|
end
|
17
18
|
end
|
@@ -11,7 +11,8 @@ class CheckFilterSkipping < BaseCheck
|
|
11
11
|
|
12
12
|
warn :warning_type => "Default Routes",
|
13
13
|
:message => "Versions before 3.0.10 have a vulnerability which allows filters to be bypassed: CVE-2011-2929",
|
14
|
-
:confidence => CONFIDENCE[:high]
|
14
|
+
:confidence => CONFIDENCE[:high],
|
15
|
+
:file => gemfile_or_environment
|
15
16
|
end
|
16
17
|
end
|
17
18
|
|
@@ -29,14 +29,16 @@ class CheckForgerySetting < BaseCheck
|
|
29
29
|
warn :controller => :ApplicationController,
|
30
30
|
:warning_type => "Cross-Site Request Forgery",
|
31
31
|
:message => "CSRF protection is flawed in unpatched versions of Rails #{tracker.config[:rails_version]} (CVE-2011-0447). Upgrade to 2.3.11 or apply patches as needed",
|
32
|
-
:confidence => CONFIDENCE[:high]
|
32
|
+
:confidence => CONFIDENCE[:high],
|
33
|
+
:file => gemfile_or_environment
|
33
34
|
|
34
35
|
elsif version_between? "3.0.0", "3.0.3"
|
35
36
|
|
36
37
|
warn :controller => :ApplicationController,
|
37
38
|
:warning_type => "Cross-Site Request Forgery",
|
38
39
|
:message => "CSRF protection is flawed in unpatched versions of Rails #{tracker.config[:rails_version]} (CVE-2011-0447). Upgrade to 3.0.4 or apply patches as needed",
|
39
|
-
:confidence => CONFIDENCE[:high]
|
40
|
+
:confidence => CONFIDENCE[:high],
|
41
|
+
:file => gemfile_or_environment
|
40
42
|
end
|
41
43
|
end
|
42
44
|
end
|
data/lib/checks/check_mail_to.rb
CHANGED
@@ -11,8 +11,8 @@ class CheckResponseSplitting < BaseCheck
|
|
11
11
|
|
12
12
|
warn :warning_type => "Response Splitting",
|
13
13
|
:message => "Versions before 2.3.14 have a vulnerability content type handling allowing injection of headers: CVE-2011-3186",
|
14
|
-
:confidence => CONFIDENCE[:med]
|
15
|
-
|
14
|
+
:confidence => CONFIDENCE[:med],
|
15
|
+
:file => gemfile_or_environment
|
16
16
|
end
|
17
17
|
end
|
18
18
|
end
|
@@ -26,13 +26,13 @@ class ControllerAliasProcessor < AliasProcessor
|
|
26
26
|
#Processes a method definition, which may include
|
27
27
|
#processing any rendered templates.
|
28
28
|
def process_methdef exp
|
29
|
-
set_env_defaults
|
30
29
|
is_route = route? exp[1]
|
31
30
|
other_method = @current_method
|
32
31
|
@current_method = exp[1]
|
33
32
|
@rendered = false if is_route
|
34
33
|
|
35
34
|
env.scope do
|
35
|
+
set_env_defaults
|
36
36
|
|
37
37
|
if is_route
|
38
38
|
before_filter_list(@current_method, @current_class).each do |f|
|
@@ -184,15 +184,15 @@ class RoutesProcessor < BaseProcessor
|
|
184
184
|
if exp[0][1] == ":controller/:action/:id"
|
185
185
|
@tracker.routes[:allow_all_actions] = exp[0]
|
186
186
|
elsif exp[0][1].include? ":action"
|
187
|
-
@tracker.routes[@current_controller] = :allow_all_actions
|
187
|
+
@tracker.routes[@current_controller] = [:allow_all_actions, exp.line]
|
188
188
|
return
|
189
189
|
end
|
190
190
|
end
|
191
191
|
|
192
192
|
#This -seems- redundant, but people might connect actions
|
193
193
|
#to a controller which already allows them all
|
194
|
-
return if @tracker.routes[@current_controller] == :allow_all_actions
|
195
|
-
|
194
|
+
return if @tracker.routes[@current_controller].is_a? Array and @tracker.routes[@current_controller][0] == :allow_all_actions
|
195
|
+
|
196
196
|
exp[-1].each_with_index do |e,i|
|
197
197
|
if symbol? e and e[1] == :action
|
198
198
|
@tracker.routes[@current_controller] << exp[-1][i + 1][1].to_sym
|
data/lib/util.rb
CHANGED
@@ -64,13 +64,13 @@ module Util
|
|
64
64
|
|
65
65
|
#Insert value into Hash Sexp
|
66
66
|
def hash_insert hash, key, value
|
67
|
-
index =
|
67
|
+
index = 1
|
68
68
|
hash_iterate hash.dup do |k,v|
|
69
|
-
|
70
|
-
if k == key and index % 2 == 1
|
69
|
+
if k == key
|
71
70
|
hash[index + 1] = value
|
72
71
|
return hash
|
73
72
|
end
|
73
|
+
index += 2
|
74
74
|
end
|
75
75
|
|
76
76
|
hash << key << value
|
data/lib/version.rb
CHANGED
@@ -1 +1 @@
|
|
1
|
-
Version = "0.8.
|
1
|
+
Version = "0.8.4"
|
metadata
CHANGED
@@ -1,127 +1,90 @@
|
|
1
|
-
--- !ruby/object:Gem::Specification
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
2
|
name: brakeman
|
3
|
-
version: !ruby/object:Gem::Version
|
4
|
-
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
version: 0.8.4
|
5
5
|
prerelease:
|
6
|
-
segments:
|
7
|
-
- 0
|
8
|
-
- 8
|
9
|
-
- 3
|
10
|
-
version: 0.8.3
|
11
6
|
platform: ruby
|
12
|
-
authors:
|
7
|
+
authors:
|
13
8
|
- Justin Collins
|
14
9
|
autorequire:
|
15
10
|
bindir: bin
|
16
11
|
cert_chain: []
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
dependencies:
|
21
|
-
- !ruby/object:Gem::Dependency
|
12
|
+
date: 2011-11-04 00:00:00.000000000 Z
|
13
|
+
dependencies:
|
14
|
+
- !ruby/object:Gem::Dependency
|
22
15
|
name: activesupport
|
23
|
-
|
24
|
-
requirement: &id001 !ruby/object:Gem::Requirement
|
16
|
+
requirement: &70053260 !ruby/object:Gem::Requirement
|
25
17
|
none: false
|
26
|
-
requirements:
|
18
|
+
requirements:
|
27
19
|
- - ~>
|
28
|
-
- !ruby/object:Gem::Version
|
29
|
-
|
30
|
-
segments:
|
31
|
-
- 2
|
32
|
-
- 2
|
33
|
-
version: "2.2"
|
20
|
+
- !ruby/object:Gem::Version
|
21
|
+
version: '2.2'
|
34
22
|
type: :runtime
|
35
|
-
version_requirements: *id001
|
36
|
-
- !ruby/object:Gem::Dependency
|
37
|
-
name: ruby2ruby
|
38
23
|
prerelease: false
|
39
|
-
|
24
|
+
version_requirements: *70053260
|
25
|
+
- !ruby/object:Gem::Dependency
|
26
|
+
name: ruby2ruby
|
27
|
+
requirement: &70052900 !ruby/object:Gem::Requirement
|
40
28
|
none: false
|
41
|
-
requirements:
|
29
|
+
requirements:
|
42
30
|
- - ~>
|
43
|
-
- !ruby/object:Gem::Version
|
44
|
-
hash: 23
|
45
|
-
segments:
|
46
|
-
- 1
|
47
|
-
- 2
|
48
|
-
- 4
|
31
|
+
- !ruby/object:Gem::Version
|
49
32
|
version: 1.2.4
|
50
33
|
type: :runtime
|
51
|
-
version_requirements: *id002
|
52
|
-
- !ruby/object:Gem::Dependency
|
53
|
-
name: ruby_parser
|
54
34
|
prerelease: false
|
55
|
-
|
35
|
+
version_requirements: *70052900
|
36
|
+
- !ruby/object:Gem::Dependency
|
37
|
+
name: ruby_parser
|
38
|
+
requirement: &70051800 !ruby/object:Gem::Requirement
|
56
39
|
none: false
|
57
|
-
requirements:
|
58
|
-
- -
|
59
|
-
- !ruby/object:Gem::Version
|
60
|
-
hash: 3
|
61
|
-
segments:
|
62
|
-
- 2
|
63
|
-
- 3
|
64
|
-
- 0
|
40
|
+
requirements:
|
41
|
+
- - ! '>='
|
42
|
+
- !ruby/object:Gem::Version
|
65
43
|
version: 2.3.0
|
66
44
|
type: :runtime
|
67
|
-
version_requirements: *id003
|
68
|
-
- !ruby/object:Gem::Dependency
|
69
|
-
name: ruport
|
70
45
|
prerelease: false
|
71
|
-
|
46
|
+
version_requirements: *70051800
|
47
|
+
- !ruby/object:Gem::Dependency
|
48
|
+
name: ruport
|
49
|
+
requirement: &70051430 !ruby/object:Gem::Requirement
|
72
50
|
none: false
|
73
|
-
requirements:
|
51
|
+
requirements:
|
74
52
|
- - ~>
|
75
|
-
- !ruby/object:Gem::Version
|
76
|
-
hash: 9
|
77
|
-
segments:
|
78
|
-
- 1
|
79
|
-
- 6
|
80
|
-
- 3
|
53
|
+
- !ruby/object:Gem::Version
|
81
54
|
version: 1.6.3
|
82
55
|
type: :runtime
|
83
|
-
version_requirements: *id004
|
84
|
-
- !ruby/object:Gem::Dependency
|
85
|
-
name: erubis
|
86
56
|
prerelease: false
|
87
|
-
|
57
|
+
version_requirements: *70051430
|
58
|
+
- !ruby/object:Gem::Dependency
|
59
|
+
name: erubis
|
60
|
+
requirement: &70051060 !ruby/object:Gem::Requirement
|
88
61
|
none: false
|
89
|
-
requirements:
|
62
|
+
requirements:
|
90
63
|
- - ~>
|
91
|
-
- !ruby/object:Gem::Version
|
92
|
-
hash: 29
|
93
|
-
segments:
|
94
|
-
- 2
|
95
|
-
- 6
|
96
|
-
- 5
|
64
|
+
- !ruby/object:Gem::Version
|
97
65
|
version: 2.6.5
|
98
66
|
type: :runtime
|
99
|
-
version_requirements: *id005
|
100
|
-
- !ruby/object:Gem::Dependency
|
101
|
-
name: haml
|
102
67
|
prerelease: false
|
103
|
-
|
68
|
+
version_requirements: *70051060
|
69
|
+
- !ruby/object:Gem::Dependency
|
70
|
+
name: haml
|
71
|
+
requirement: &70050750 !ruby/object:Gem::Requirement
|
104
72
|
none: false
|
105
|
-
requirements:
|
73
|
+
requirements:
|
106
74
|
- - ~>
|
107
|
-
- !ruby/object:Gem::Version
|
108
|
-
hash: 31
|
109
|
-
segments:
|
110
|
-
- 3
|
111
|
-
- 0
|
112
|
-
- 12
|
75
|
+
- !ruby/object:Gem::Version
|
113
76
|
version: 3.0.12
|
114
77
|
type: :runtime
|
115
|
-
|
116
|
-
|
78
|
+
prerelease: false
|
79
|
+
version_requirements: *70050750
|
80
|
+
description: Brakeman detects security vulnerabilities in Ruby on Rails applications
|
81
|
+
via static analysis.
|
117
82
|
email:
|
118
|
-
executables:
|
83
|
+
executables:
|
119
84
|
- brakeman
|
120
85
|
extensions: []
|
121
|
-
|
122
86
|
extra_rdoc_files: []
|
123
|
-
|
124
|
-
files:
|
87
|
+
files:
|
125
88
|
- bin/brakeman
|
126
89
|
- WARNING_TYPES
|
127
90
|
- FEATURES
|
@@ -185,39 +148,28 @@ files:
|
|
185
148
|
- lib/checks.rb
|
186
149
|
- lib/processor.rb
|
187
150
|
- lib/format/style.css
|
188
|
-
has_rdoc: true
|
189
151
|
homepage: http://brakemanscanner.org
|
190
152
|
licenses: []
|
191
|
-
|
192
153
|
post_install_message:
|
193
154
|
rdoc_options: []
|
194
|
-
|
195
|
-
require_paths:
|
155
|
+
require_paths:
|
196
156
|
- lib
|
197
|
-
required_ruby_version: !ruby/object:Gem::Requirement
|
157
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
198
158
|
none: false
|
199
|
-
requirements:
|
200
|
-
- -
|
201
|
-
- !ruby/object:Gem::Version
|
202
|
-
|
203
|
-
|
204
|
-
- 0
|
205
|
-
version: "0"
|
206
|
-
required_rubygems_version: !ruby/object:Gem::Requirement
|
159
|
+
requirements:
|
160
|
+
- - ! '>='
|
161
|
+
- !ruby/object:Gem::Version
|
162
|
+
version: '0'
|
163
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
207
164
|
none: false
|
208
|
-
requirements:
|
209
|
-
- -
|
210
|
-
- !ruby/object:Gem::Version
|
211
|
-
|
212
|
-
segments:
|
213
|
-
- 0
|
214
|
-
version: "0"
|
165
|
+
requirements:
|
166
|
+
- - ! '>='
|
167
|
+
- !ruby/object:Gem::Version
|
168
|
+
version: '0'
|
215
169
|
requirements: []
|
216
|
-
|
217
170
|
rubyforge_project:
|
218
|
-
rubygems_version: 1.6
|
171
|
+
rubygems_version: 1.8.6
|
219
172
|
signing_key:
|
220
173
|
specification_version: 3
|
221
174
|
summary: Security vulnerability scanner for Ruby on Rails.
|
222
175
|
test_files: []
|
223
|
-
|