RubyGems - brakeman - Versions diffs - 0.8.3 → 0.8.4 - Mend

brakeman 0.8.3 → 0.8.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

data/README.md +6 -0
data/bin/brakeman +9 -1
data/lib/checks.rb +15 -9
data/lib/checks/base_check.rb +8 -0
data/lib/checks/check_default_routes.rb +2 -1
data/lib/checks/check_escape_function.rb +2 -1
data/lib/checks/check_filter_skipping.rb +2 -1
data/lib/checks/check_forgery_setting.rb +4 -2
data/lib/checks/check_mail_to.rb +2 -1
data/lib/checks/check_nested_attributes.rb +2 -1
data/lib/checks/check_quote_table_name.rb +2 -1
data/lib/checks/check_response_splitting.rb +2 -2
data/lib/checks/check_strip_tags.rb +2 -1
data/lib/processors/controller_alias_processor.rb +1 -1
data/lib/processors/lib/rails2_route_processor.rb +3 -3
data/lib/util.rb +3 -3
data/lib/version.rb +1 -1
metadata +60 -108

data/README.md CHANGED

@@ -77,6 +77,12 @@ Normally Brakeman will parse `routes.rb` and attempt to infer which controller m
 Note that this will be enabled automatically if Brakeman runs into an error while parsing the routes.
+To skip processing the `lib` directory (which is currently only used in a couple situations):
+    brakeman --skip-libs
+This can save processing time and memory.
 # Warning information
 See WARNING_TYPES for more information on the warnings reported by this tool.

data/bin/brakeman CHANGED

@@ -101,6 +101,10 @@ OptionParser.new do |opts|
     options[:output_format] = ("to_" << type.to_s).to_sym
   end
+  opts.on "--css-file CSSFile" do |file|
+    options[:html_style] = File.expand_path file
+  end
   opts.on "-l", "--[no]-combine-locations", "Combine warning locations (Default)" do |combine|
     options[:combine_locations] = combine
   end
@@ -117,10 +121,14 @@ OptionParser.new do |opts|
     options[:output_file] = file
   end
+  opts.on "--separate-models", "Warn on each model without attr_accessible" do
+    options[:collapse_mass_assignment] = false
+  end
   opts.on "-w",
     "--confidence-level LEVEL",
     ["1", "2", "3"],
-    "Set minimal confidence level (1 - 3). Default: 1" do |level|
+    "Set minimal confidence level (1 - 3)" do |level|
     options[:min_confidence] =  3 - level.to_i
   end

data/lib/checks.rb CHANGED

@@ -8,7 +8,7 @@ require 'thread'
 class Checks
   @checks = []
-  attr_reader :warnings, :controller_warnings, :model_warnings, :template_warnings, :checks_run, :check_results
+  attr_reader :warnings, :controller_warnings, :model_warnings, :template_warnings, :checks_run
   #Add a check. This will call +_klass_.new+ when running tests
   def self.add klass
@@ -26,7 +26,6 @@ class Checks
     @model_warnings = []
     @controller_warnings = []
     @checks_run = []
-    @check_results = Queue.new
   end
   #Add Warning to list of warnings to report.
@@ -98,9 +97,14 @@ class Checks
         warn " - #{c}"
         threads << Thread.new do
-          check = c.new(tracker)
-          check.run_check
-          check_runner.check_results << check.warnings unless check.warnings.empty?
+          begin
+            check = c.new(tracker)
+            check.run_check
+            check.warnings
+          rescue Exception => e
+            warn "[#{c.to_s}] #{e}"
+            []
+          end
         end
         #Maintain list of which checks were run
@@ -111,10 +115,12 @@ class Checks
     threads.each { |t| t.join }
-    until check_runner.check_results.empty?
-      r = check_runner.check_results.pop
-      r.each do |w|
-        check_runner.add_warning w
+    warn "Checks finished, collecting results..."
+    #Collect results
+    threads.each do |thread|
+      thread.value.each do |warning|
+        check_runner.add_warning warning
       end
     end

data/lib/checks/base_check.rb CHANGED

@@ -351,4 +351,12 @@ class BaseCheck < SexpProcessor
     return true
   end
+  def gemfile_or_environment
+    if File.exist? File.expand_path "#{OPTIONS[:app_path]}/Gemfile"
+      "Gemfile"
+    else
+      "config/environment.rb"
+    end
+  end
 end

data/lib/checks/check_default_routes.rb CHANGED

@@ -16,10 +16,11 @@ class CheckDefaultRoutes < BaseCheck
         :file => "#{OPTIONS[:app_path]}/config/routes.rb"
     else #Report each controller separately
       tracker.routes.each do |name, actions|
-        if actions == :allow_all_actions
+        if actions.is_a? Array and actions[0] == :allow_all_actions
           warn :controller => name,
             :warning_type => "Default Routes",
             :message => "Any public method in #{name} can be used as an action.",
+            :line => actions[1],
             :confidence => CONFIDENCE[:med],
             :file => "#{OPTIONS[:app_path]}/config/routes.rb"
         end

data/lib/checks/check_escape_function.rb CHANGED

@@ -11,7 +11,8 @@ class CheckEscapeFunction < BaseCheck
       warn :warning_type => 'Cross Site Scripting',
         :message => 'Versions before 2.3.14 have a vulnerability in escape method when used with Ruby 1.8: CVE-2011-2931',
-        :confidence => CONFIDENCE[:high]
+        :confidence => CONFIDENCE[:high],
+        :file => gemfile_or_environment
     end
   end
 end

data/lib/checks/check_filter_skipping.rb CHANGED

@@ -11,7 +11,8 @@ class CheckFilterSkipping < BaseCheck
       warn :warning_type => "Default Routes",
         :message => "Versions before 3.0.10 have a vulnerability which allows filters to be bypassed: CVE-2011-2929",
-        :confidence => CONFIDENCE[:high]
+        :confidence => CONFIDENCE[:high],
+        :file => gemfile_or_environment
     end
   end

data/lib/checks/check_forgery_setting.rb CHANGED

@@ -29,14 +29,16 @@ class CheckForgerySetting < BaseCheck
       warn :controller => :ApplicationController,
         :warning_type => "Cross-Site Request Forgery",
         :message => "CSRF protection is flawed in unpatched versions of Rails #{tracker.config[:rails_version]} (CVE-2011-0447). Upgrade to 2.3.11 or apply patches as needed",
-        :confidence => CONFIDENCE[:high]
+        :confidence => CONFIDENCE[:high],
+        :file => gemfile_or_environment
     elsif version_between? "3.0.0", "3.0.3"
       warn :controller => :ApplicationController,
         :warning_type => "Cross-Site Request Forgery",
         :message => "CSRF protection is flawed in unpatched versions of Rails #{tracker.config[:rails_version]} (CVE-2011-0447). Upgrade to 3.0.4 or apply patches as needed",
-        :confidence => CONFIDENCE[:high]
+        :confidence => CONFIDENCE[:high],
+        :file => gemfile_or_environment
     end
   end
 end

data/lib/checks/check_mail_to.rb CHANGED

@@ -21,7 +21,8 @@ class CheckMailTo < BaseCheck
       warn :result => result,
         :warning_type => "Mail Link",
         :message => message,
-        :confidence => CONFIDENCE[:high]
+        :confidence => CONFIDENCE[:high],
+        :file => gemfile_or_environment
     end
   end

data/lib/checks/check_nested_attributes.rb CHANGED

@@ -20,7 +20,8 @@ class CheckNestedAttributes < BaseCheck
       warn :warning_type => "Nested Attributes",
         :message => message,
-        :confidence => CONFIDENCE[:high]
+        :confidence => CONFIDENCE[:high],
+        :file => gemfile_or_environment
     end
   end

data/lib/checks/check_quote_table_name.rb CHANGED

@@ -24,7 +24,8 @@ class CheckQuoteTableName < BaseCheck
       warn :warning_type => "SQL Injection",
         :message => message,
-        :confidence => confidence
+        :confidence => confidence,
+        :file => gemfile_or_environment
     end
   end

data/lib/checks/check_response_splitting.rb CHANGED

@@ -11,8 +11,8 @@ class CheckResponseSplitting < BaseCheck
       warn :warning_type => "Response Splitting",
         :message => "Versions before 2.3.14 have a vulnerability content type handling allowing injection of headers: CVE-2011-3186",
-        :confidence => CONFIDENCE[:med]
+        :confidence => CONFIDENCE[:med],
+        :file => gemfile_or_environment
     end
   end
 end

data/lib/checks/check_strip_tags.rb CHANGED

@@ -18,7 +18,8 @@ class CheckStripTags < BaseCheck
       warn :warning_type => "Cross Site Scripting",
         :message => message,
-        :confidence => CONFIDENCE[:high]
+        :confidence => CONFIDENCE[:high],
+        :file => gemfile_or_environment
     end
   end

data/lib/processors/controller_alias_processor.rb CHANGED

@@ -26,13 +26,13 @@ class ControllerAliasProcessor < AliasProcessor
   #Processes a method definition, which may include
   #processing any rendered templates.
   def process_methdef exp
-    set_env_defaults
     is_route = route? exp[1]
     other_method = @current_method
     @current_method = exp[1]
     @rendered = false if is_route
     env.scope do
+      set_env_defaults
       if is_route
         before_filter_list(@current_method, @current_class).each do |f|

data/lib/processors/lib/rails2_route_processor.rb CHANGED

@@ -184,15 +184,15 @@ class RoutesProcessor < BaseProcessor
       if exp[0][1] == ":controller/:action/:id"
         @tracker.routes[:allow_all_actions] = exp[0]
       elsif exp[0][1].include? ":action"
-        @tracker.routes[@current_controller] = :allow_all_actions
+        @tracker.routes[@current_controller] = [:allow_all_actions, exp.line]
         return
       end
     end
     #This -seems- redundant, but people might connect actions
     #to a controller which already allows them all
-    return if @tracker.routes[@current_controller] == :allow_all_actions
+    return if @tracker.routes[@current_controller].is_a? Array and @tracker.routes[@current_controller][0] == :allow_all_actions
     exp[-1].each_with_index do |e,i|
       if symbol? e and e[1] == :action
         @tracker.routes[@current_controller] << exp[-1][i + 1][1].to_sym

data/lib/util.rb CHANGED

@@ -64,13 +64,13 @@ module Util
   #Insert value into Hash Sexp
   def hash_insert hash, key, value
-    index = 0
+    index = 1
     hash_iterate hash.dup do |k,v|
-      index += 1
-      if k == key and index % 2 == 1
+      if k == key
         hash[index + 1] = value
         return hash
       end
+      index += 2
     end
     hash << key << value

data/lib/version.rb CHANGED

	@@ -1 +1 @@
1	- Version = "0.8.3"
1	+ Version = "0.8.4"

metadata CHANGED

@@ -1,127 +1,90 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification
 name: brakeman
-version: !ruby/object:Gem::Version
-  hash: 57
+version: !ruby/object:Gem::Version
+  version: 0.8.4
   prerelease:
-  segments:
-  - 0
-  - 8
-  - 3
-  version: 0.8.3
 platform: ruby
-authors:
+authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2011-10-25 00:00:00 -07:00
-default_executable:
-dependencies:
-- !ruby/object:Gem::Dependency
+date: 2011-11-04 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
   name: activesupport
-  prerelease: false
-  requirement: &id001 !ruby/object:Gem::Requirement
+  requirement: &70053260 !ruby/object:Gem::Requirement
     none: false
-    requirements:
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        hash: 7
-        segments:
-        - 2
-        - 2
-        version: "2.2"
+      - !ruby/object:Gem::Version
+        version: '2.2'
   type: :runtime
-  version_requirements: *id001
-- !ruby/object:Gem::Dependency
-  name: ruby2ruby
   prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement
+  version_requirements: *70053260
+- !ruby/object:Gem::Dependency
+  name: ruby2ruby
+  requirement: &70052900 !ruby/object:Gem::Requirement
     none: false
-    requirements:
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        hash: 23
-        segments:
-        - 1
-        - 2
-        - 4
+      - !ruby/object:Gem::Version
         version: 1.2.4
   type: :runtime
-  version_requirements: *id002
-- !ruby/object:Gem::Dependency
-  name: ruby_parser
   prerelease: false
-  requirement: &id003 !ruby/object:Gem::Requirement
+  version_requirements: *70052900
+- !ruby/object:Gem::Dependency
+  name: ruby_parser
+  requirement: &70051800 !ruby/object:Gem::Requirement
     none: false
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        hash: 3
-        segments:
-        - 2
-        - 3
-        - 0
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
         version: 2.3.0
   type: :runtime
-  version_requirements: *id003
-- !ruby/object:Gem::Dependency
-  name: ruport
   prerelease: false
-  requirement: &id004 !ruby/object:Gem::Requirement
+  version_requirements: *70051800
+- !ruby/object:Gem::Dependency
+  name: ruport
+  requirement: &70051430 !ruby/object:Gem::Requirement
     none: false
-    requirements:
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        hash: 9
-        segments:
-        - 1
-        - 6
-        - 3
+      - !ruby/object:Gem::Version
         version: 1.6.3
   type: :runtime
-  version_requirements: *id004
-- !ruby/object:Gem::Dependency
-  name: erubis
   prerelease: false
-  requirement: &id005 !ruby/object:Gem::Requirement
+  version_requirements: *70051430
+- !ruby/object:Gem::Dependency
+  name: erubis
+  requirement: &70051060 !ruby/object:Gem::Requirement
     none: false
-    requirements:
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        hash: 29
-        segments:
-        - 2
-        - 6
-        - 5
+      - !ruby/object:Gem::Version
         version: 2.6.5
   type: :runtime
-  version_requirements: *id005
-- !ruby/object:Gem::Dependency
-  name: haml
   prerelease: false
-  requirement: &id006 !ruby/object:Gem::Requirement
+  version_requirements: *70051060
+- !ruby/object:Gem::Dependency
+  name: haml
+  requirement: &70050750 !ruby/object:Gem::Requirement
     none: false
-    requirements:
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        hash: 31
-        segments:
-        - 3
-        - 0
-        - 12
+      - !ruby/object:Gem::Version
         version: 3.0.12
   type: :runtime
-  version_requirements: *id006
-description: Brakeman detects security vulnerabilities in Ruby on Rails applications via static analysis.
+  prerelease: false
+  version_requirements: *70050750
+description: Brakeman detects security vulnerabilities in Ruby on Rails applications
+  via static analysis.
 email:
-executables:
+executables:
 - brakeman
 extensions: []
 extra_rdoc_files: []
-files:
+files:
 - bin/brakeman
 - WARNING_TYPES
 - FEATURES
@@ -185,39 +148,28 @@ files:
 - lib/checks.rb
 - lib/processor.rb
 - lib/format/style.css
-has_rdoc: true
 homepage: http://brakemanscanner.org
 licenses: []
 post_install_message:
 rdoc_options: []
-require_paths:
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
+required_ruby_version: !ruby/object:Gem::Requirement
   none: false
-  requirements:
-  - - ">="
-    - !ruby/object:Gem::Version
-      hash: 3
-      segments:
-      - 0
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
-  requirements:
-  - - ">="
-    - !ruby/object:Gem::Version
-      hash: 3
-      segments:
-      - 0
-      version: "0"
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 1.6.2
+rubygems_version: 1.8.6
 signing_key:
 specification_version: 3
 summary: Security vulnerability scanner for Ruby on Rails.
 test_files: []