brakeman 0.8.3 → 0.8.4

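--- a/data/README.md
+++ b/data/README.md
@@ -77,6 +77,12 @@ Normally Brakeman will parse `routes.rb` and attempt to infer which controller m
 
 Note that this will be enabled automatically if Brakeman runs into an error while parsing the routes.
 
+To skip processing the `lib` directory (which is currently only used in a couple situations):
+
+brakeman --skip-libs
+
+This can save processing time and memory.
+
 # Warning information
 
 See WARNING_TYPES for more information on the warnings reported by this tool.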
@@ -101,6 +101,10 @@ OptionParser.new do |opts|
101
101
  options[:output_format] = ("to_" << type.to_s).to_sym
102
102
  end
103
103
 
104
+ opts.on "--css-file CSSFile" do |file|
105
+ options[:html_style] = File.expand_path file
106
+ end
107
+
104
108
  opts.on "-l", "--[no]-combine-locations", "Combine warning locations (Default)" do |combine|
105
109
  options[:combine_locations] = combine
106
110
  end
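Review bot: The new `--css-file CSSFile` option at the top of the hunk has no description string, so unlike its neighbour `"--[no]-combine-locations", "Combine warning locations (Default)"` it shows up in `--help` with no explanation at all. It also stores `File.expand_path file` without checking that the file exists, so a mistyped path only fails later, wherever the HTML report reads it (outside this hunk). Suggested: `opts.on "--css-file CSSFile", "Use CSS file for HTML output" do |file|` followed by `abort "CSS file not found: #{file}" unless File.exist? file` before the assignment, using whatever error style the rest of the option parsing uses.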
@@ -117,10 +121,14 @@ OptionParser.new do |opts|
117
121
  options[:output_file] = file
118
122
  end
119
123
 
124
+ opts.on "--separate-models", "Warn on each model without attr_accessible" do
125
+ options[:collapse_mass_assignment] = false
126
+ end
127
+
120
128
  opts.on "-w",
121
129
  "--confidence-level LEVEL",
122
130
  ["1", "2", "3"],
123
- "Set minimal confidence level (1 - 3). Default: 1" do |level|
131
+ "Set minimal confidence level (1 - 3)" do |level|
124
132
 
125
133
  options[:min_confidence] = 3 - level.to_i
126
134
  end
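Review bot: The rewritten `--confidence-level` description drops the `Default: 1` hint while the mapping `options[:min_confidence] = 3 - level.to_i` is unchanged, so `--help` no longer tells the user what happens when the flag is omitted; if the default is still 1 elsewhere, keep it in the text, and if it changed, state the new value. The new `--separate-models` option is described only as `"Warn on each model without attr_accessible"` although what it sets is `options[:collapse_mass_assignment]`, which presumably only affects the mass assignment check; naming that scope in the description, e.g. `"Warn on each model without attr_accessible (mass assignment check)"`, would make the flag's effect clearer. The OptionParser block begins and ends outside the hunk.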
@@ -8,7 +8,7 @@ require 'thread'
8
8
  class Checks
9
9
  @checks = []
10
10
 
11
- attr_reader :warnings, :controller_warnings, :model_warnings, :template_warnings, :checks_run, :check_results
11
+ attr_reader :warnings, :controller_warnings, :model_warnings, :template_warnings, :checks_run
12
12
 
13
13
  #Add a check. This will call +_klass_.new+ when running tests
14
14
  def self.add klass
@@ -26,7 +26,6 @@ class Checks
26
26
  @model_warnings = []
27
27
  @controller_warnings = []
28
28
  @checks_run = []
29
- @check_results = Queue.new
30
29
  end
31
30
 
32
31
  #Add Warning to list of warnings to report.
@@ -98,9 +97,14 @@ class Checks
98
97
  warn " - #{c}"
99
98
 
100
99
  threads << Thread.new do
101
- check = c.new(tracker)
102
- check.run_check
103
- check_runner.check_results << check.warnings unless check.warnings.empty?
100
+ begin
101
+ check = c.new(tracker)
102
+ check.run_check
103
+ check.warnings
104
+ rescue Exception => e
105
+ warn "[#{c.to_s}] #{e}"
106
+ []
107
+ end
104
108
  end
105
109
 
106
110
  #Maintain list of which checks were run
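Review bot: `rescue Exception => e` in the new thread body swallows every exception class, including `SystemExit`, `NoMemoryError` and `SystemStackError`, and then returns `[]`, so a check that crashes is indistinguishable from one that found nothing, and the `#Maintain list of which checks were run` bookkeeping that follows still records it as run. That is the wrong failure mode for a security scanner: the user gets a clean report for a check that never completed, with only a one-line message on stderr. Suggest `rescue StandardError => e` (or an explicit re-raise of the non-recoverable classes), logging `e.class` and `e.backtrace` alongside the message, and tracking failed checks separately so they can be surfaced in the report rather than silently dropped. Also `"[#{c.to_s}] #{e}"` can be `"[#{c}] #{e}"`, since interpolation already calls `to_s`. The enclosing method starts and ends outside the hunk.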
@@ -111,10 +115,12 @@ class Checks
111
115
 
112
116
  threads.each { |t| t.join }
113
117
 
114
- until check_runner.check_results.empty?
115
- r = check_runner.check_results.pop
116
- r.each do |w|
117
- check_runner.add_warning w
118
+ warn "Checks finished, collecting results..."
119
+
120
+ #Collect results
121
+ threads.each do |thread|
122
+ thread.value.each do |warning|
123
+ check_runner.add_warning warning
118
124
  end
119
125
  end
120
126
 
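Review bot: The `threads.each { |t| t.join }` loop kept above the new collection loop is now redundant: `Thread#value` joins the thread before returning its result, so the `threads.each do |thread| thread.value.each ...` loop already waits for every thread. Dropping the join loop avoids a second pass over the same threads and removes the impression that something happens between joining and reading results. The `warn "Checks finished, collecting results..."` message is unconditional here; if the surrounding progress output (`warn " - #{c}"` earlier in the method) is suppressed by a quiet option, this line should honour the same option — the start of the method is outside the hunk, so this is a guess.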
@@ -351,4 +351,12 @@ class BaseCheck < SexpProcessor
351
351
 
352
352
  return true
353
353
  end
354
+
355
+ def gemfile_or_environment
356
+ if File.exist? File.expand_path "#{OPTIONS[:app_path]}/Gemfile"
357
+ "Gemfile"
358
+ else
359
+ "config/environment.rb"
360
+ end
361
+ end
354
362
  end
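Review bot: `gemfile_or_environment` returns a bare relative path (`"Gemfile"` / `"config/environment.rb"`) whereas the other `:file` values on this page are prefixed with the application path, e.g. `:file => "#{OPTIONS[:app_path]}/config/routes.rb"` in CheckDefaultRoutes, so the warnings produced by the call sites in the later hunks (CheckEscapeFunction, CheckFilterSkipping, CheckForgerySetting, CheckMailTo, CheckNestedAttributes, CheckQuoteTableName, CheckResponseSplitting, CheckStripTags) will carry a differently-shaped file reference from the rest of the report; returning `File.expand_path "#{OPTIONS[:app_path]}/Gemfile"` (and likewise for `config/environment.rb`) keeps them consistent. The method also has no comment; suggest `#File to attribute Rails-version warnings to: the Gemfile if the application has one, otherwise config/environment.rb`. Only the Gemfile's existence is tested, so when neither file exists the method still answers `config/environment.rb` — acceptable for reporting, but worth stating in that comment.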
@@ -16,10 +16,11 @@ class CheckDefaultRoutes < BaseCheck
16
16
  :file => "#{OPTIONS[:app_path]}/config/routes.rb"
17
17
  else #Report each controller separately
18
18
  tracker.routes.each do |name, actions|
19
- if actions == :allow_all_actions
19
+ if actions.is_a? Array and actions[0] == :allow_all_actions
20
20
  warn :controller => name,
21
21
  :warning_type => "Default Routes",
22
22
  :message => "Any public method in #{name} can be used as an action.",
23
+ :line => actions[1],
23
24
  :confidence => CONFIDENCE[:med],
24
25
  :file => "#{OPTIONS[:app_path]}/config/routes.rb"
25
26
  end
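Review bot: `actions.is_a? Array and actions[0] == :allow_all_actions` overloads one Array type for two meanings: the controller's list of routed action symbols (RoutesProcessor appends symbols to it with `<<` at the bottom of its hunk) and the new `[:allow_all_actions, line]` marker, distinguished only by the first element, so a controller whose first explicitly routed action is literally named `allow_all_actions` would be misreported, and every reader of `tracker.routes` has to repeat this two-part test (the RoutesProcessor hunk repeats it in its `return if` guard). A dedicated marker — a `Struct`, or a hash such as `{:allow_all_actions => line}` — would make the intent explicit at both places. Also `and` inside an `if` condition is conventionally written `&&`; it works here, but `and`'s low precedence bites as soon as the expression is assigned or combined. The enclosing `each` block and method begin outside the hunk.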
@@ -11,7 +11,8 @@ class CheckEscapeFunction < BaseCheck
11
11
 
12
12
  warn :warning_type => 'Cross Site Scripting',
13
13
  :message => 'Versions before 2.3.14 have a vulnerability in escape method when used with Ruby 1.8: CVE-2011-2931',
14
- :confidence => CONFIDENCE[:high]
14
+ :confidence => CONFIDENCE[:high],
15
+ :file => gemfile_or_environment
15
16
  end
16
17
  end
17
18
  end
@@ -11,7 +11,8 @@ class CheckFilterSkipping < BaseCheck
11
11
 
12
12
  warn :warning_type => "Default Routes",
13
13
  :message => "Versions before 3.0.10 have a vulnerability which allows filters to be bypassed: CVE-2011-2929",
14
- :confidence => CONFIDENCE[:high]
14
+ :confidence => CONFIDENCE[:high],
15
+ :file => gemfile_or_environment
15
16
  end
16
17
  end
17
18
 
@@ -29,14 +29,16 @@ class CheckForgerySetting < BaseCheck
29
29
  warn :controller => :ApplicationController,
30
30
  :warning_type => "Cross-Site Request Forgery",
31
31
  :message => "CSRF protection is flawed in unpatched versions of Rails #{tracker.config[:rails_version]} (CVE-2011-0447). Upgrade to 2.3.11 or apply patches as needed",
32
- :confidence => CONFIDENCE[:high]
32
+ :confidence => CONFIDENCE[:high],
33
+ :file => gemfile_or_environment
33
34
 
34
35
  elsif version_between? "3.0.0", "3.0.3"
35
36
 
36
37
  warn :controller => :ApplicationController,
37
38
  :warning_type => "Cross-Site Request Forgery",
38
39
  :message => "CSRF protection is flawed in unpatched versions of Rails #{tracker.config[:rails_version]} (CVE-2011-0447). Upgrade to 3.0.4 or apply patches as needed",
39
- :confidence => CONFIDENCE[:high]
40
+ :confidence => CONFIDENCE[:high],
41
+ :file => gemfile_or_environment
40
42
  end
41
43
  end
42
44
  end
@@ -21,7 +21,8 @@ class CheckMailTo < BaseCheck
21
21
  warn :result => result,
22
22
  :warning_type => "Mail Link",
23
23
  :message => message,
24
- :confidence => CONFIDENCE[:high]
24
+ :confidence => CONFIDENCE[:high],
25
+ :file => gemfile_or_environment
25
26
  end
26
27
  end
27
28
 
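Review bot: This warning already carries `:result => result`, which presumably ties the finding to the expression it was found in, and the hunk now adds `:file => gemfile_or_environment`, pointing it at the Gemfile instead. If the warning object prefers an explicit `:file` over the result's own location (not visible here), the report will send the reader to the Gemfile for a finding that lives in a template or controller. If the intent is that this warning is purely version-based, a comment such as `#Version-based warning: attribute it to the Gemfile rather than the call site` would stop the next reader from removing the line; the enclosing method begins outside the hunk.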
@@ -20,7 +20,8 @@ class CheckNestedAttributes < BaseCheck
20
20
 
21
21
  warn :warning_type => "Nested Attributes",
22
22
  :message => message,
23
- :confidence => CONFIDENCE[:high]
23
+ :confidence => CONFIDENCE[:high],
24
+ :file => gemfile_or_environment
24
25
  end
25
26
  end
26
27
 
@@ -24,7 +24,8 @@ class CheckQuoteTableName < BaseCheck
24
24
 
25
25
  warn :warning_type => "SQL Injection",
26
26
  :message => message,
27
- :confidence => confidence
27
+ :confidence => confidence,
28
+ :file => gemfile_or_environment
28
29
  end
29
30
  end
30
31
 
@@ -11,8 +11,8 @@ class CheckResponseSplitting < BaseCheck
11
11
 
12
12
  warn :warning_type => "Response Splitting",
13
13
  :message => "Versions before 2.3.14 have a vulnerability content type handling allowing injection of headers: CVE-2011-3186",
14
- :confidence => CONFIDENCE[:med]
15
-
14
+ :confidence => CONFIDENCE[:med],
15
+ :file => gemfile_or_environment
16
16
  end
17
17
  end
18
18
  end
@@ -18,7 +18,8 @@ class CheckStripTags < BaseCheck
18
18
 
19
19
  warn :warning_type => "Cross Site Scripting",
20
20
  :message => message,
21
- :confidence => CONFIDENCE[:high]
21
+ :confidence => CONFIDENCE[:high],
22
+ :file => gemfile_or_environment
22
23
  end
23
24
  end
24
25
 
@@ -26,13 +26,13 @@ class ControllerAliasProcessor < AliasProcessor
26
26
  #Processes a method definition, which may include
27
27
  #processing any rendered templates.
28
28
  def process_methdef exp
29
- set_env_defaults
30
29
  is_route = route? exp[1]
31
30
  other_method = @current_method
32
31
  @current_method = exp[1]
33
32
  @rendered = false if is_route
34
33
 
35
34
  env.scope do
35
+ set_env_defaults
36
36
 
37
37
  if is_route
38
38
  before_filter_list(@current_method, @current_class).each do |f|
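Review bot: Moving `set_env_defaults` from the first line of `process_methdef` into `env.scope do` changes when the defaults are visible: they are now set after `is_route`, `@current_method` and `@rendered` are computed, and presumably only inside the scoped environment that is discarded when the scope ends. Nothing in the hunk records why, and a reader comparing with the old position may move it back; a comment such as `#Defaults go inside the scope so each method starts from a fresh environment` (adjusted to the actual reason) would fix that. `process_methdef` continues past the end of the hunk.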
@@ -184,15 +184,15 @@ class RoutesProcessor < BaseProcessor
184
184
  if exp[0][1] == ":controller/:action/:id"
185
185
  @tracker.routes[:allow_all_actions] = exp[0]
186
186
  elsif exp[0][1].include? ":action"
187
- @tracker.routes[@current_controller] = :allow_all_actions
187
+ @tracker.routes[@current_controller] = [:allow_all_actions, exp.line]
188
188
  return
189
189
  end
190
190
  end
191
191
 
192
192
  #This -seems- redundant, but people might connect actions
193
193
  #to a controller which already allows them all
194
- return if @tracker.routes[@current_controller] == :allow_all_actions
195
-
194
+ return if @tracker.routes[@current_controller].is_a? Array and @tracker.routes[@current_controller][0] == :allow_all_actions
195
+
196
196
  exp[-1].each_with_index do |e,i|
197
197
  if symbol? e and e[1] == :action
198
198
  @tracker.routes[@current_controller] << exp[-1][i + 1][1].to_sym
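Review bot: The rewritten guard `return if @tracker.routes[@current_controller].is_a? Array and @tracker.routes[@current_controller][0] == :allow_all_actions` performs the same hash lookup twice on one long line; binding it once reads better and uses `&&` as the rest of the file's conditions do: `routes = @tracker.routes[@current_controller]` then `return if routes.is_a? Array && routes[0] == :allow_all_actions`. The marker assigned a few lines above, `[:allow_all_actions, exp.line]`, has the same type as the action list that `<<` appends to at the bottom of the hunk, so this guard is the only thing preventing a later `<<` from pushing action symbols onto the marker — worth a comment on the assignment. The enclosing method continues outside the hunk.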
@@ -64,13 +64,13 @@ module Util
64
64
 
65
65
  #Insert value into Hash Sexp
66
66
  def hash_insert hash, key, value
67
- index = 0
67
+ index = 1
68
68
  hash_iterate hash.dup do |k,v|
69
- index += 1
70
- if k == key and index % 2 == 1
69
+ if k == key
71
70
  hash[index + 1] = value
72
71
  return hash
73
72
  end
73
+ index += 2
74
74
  end
75
75
 
76
76
  hash << key << value
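Review bot: The new index arithmetic is only right if `hash_iterate` yields pairs in Sexp order and the Sexp is laid out as `s(:hash, key1, value1, key2, value2, ...)` — then `index = 1` is the first key, `hash[index + 1]` its value, and `index += 2` steps to the next key, whereas the old version counted pairs instead of positions and skipped every even-numbered key. That layout is not visible in the hunk, so a comment making the assumption explicit protects the fix: `#Keys sit at odd positions after the :hash node; each value follows its key`. The fall-through `hash << key << value` and the method's `end` are outside the hunk.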
@@ -1 +1 @@
1
- Version = "0.8.3"
1
+ Version = "0.8.4"
metadata CHANGED
@@ -1,127 +1,90 @@
1
- --- !ruby/object:Gem::Specification
1
+ --- !ruby/object:Gem::Specification
2
2
  name: brakeman
3
- version: !ruby/object:Gem::Version
4
- hash: 57
3
+ version: !ruby/object:Gem::Version
4
+ version: 0.8.4
5
5
  prerelease:
6
- segments:
7
- - 0
8
- - 8
9
- - 3
10
- version: 0.8.3
11
6
  platform: ruby
12
- authors:
7
+ authors:
13
8
  - Justin Collins
14
9
  autorequire:
15
10
  bindir: bin
16
11
  cert_chain: []
17
-
18
- date: 2011-10-25 00:00:00 -07:00
19
- default_executable:
20
- dependencies:
21
- - !ruby/object:Gem::Dependency
12
+ date: 2011-11-04 00:00:00.000000000 Z
13
+ dependencies:
14
+ - !ruby/object:Gem::Dependency
22
15
  name: activesupport
23
- prerelease: false
24
- requirement: &id001 !ruby/object:Gem::Requirement
16
+ requirement: &70053260 !ruby/object:Gem::Requirement
25
17
  none: false
26
- requirements:
18
+ requirements:
27
19
  - - ~>
28
- - !ruby/object:Gem::Version
29
- hash: 7
30
- segments:
31
- - 2
32
- - 2
33
- version: "2.2"
20
+ - !ruby/object:Gem::Version
21
+ version: '2.2'
34
22
  type: :runtime
35
- version_requirements: *id001
36
- - !ruby/object:Gem::Dependency
37
- name: ruby2ruby
38
23
  prerelease: false
39
- requirement: &id002 !ruby/object:Gem::Requirement
24
+ version_requirements: *70053260
25
+ - !ruby/object:Gem::Dependency
26
+ name: ruby2ruby
27
+ requirement: &70052900 !ruby/object:Gem::Requirement
40
28
  none: false
41
- requirements:
29
+ requirements:
42
30
  - - ~>
43
- - !ruby/object:Gem::Version
44
- hash: 23
45
- segments:
46
- - 1
47
- - 2
48
- - 4
31
+ - !ruby/object:Gem::Version
49
32
  version: 1.2.4
50
33
  type: :runtime
51
- version_requirements: *id002
52
- - !ruby/object:Gem::Dependency
53
- name: ruby_parser
54
34
  prerelease: false
55
- requirement: &id003 !ruby/object:Gem::Requirement
35
+ version_requirements: *70052900
36
+ - !ruby/object:Gem::Dependency
37
+ name: ruby_parser
38
+ requirement: &70051800 !ruby/object:Gem::Requirement
56
39
  none: false
57
- requirements:
58
- - - ">="
59
- - !ruby/object:Gem::Version
60
- hash: 3
61
- segments:
62
- - 2
63
- - 3
64
- - 0
40
+ requirements:
41
+ - - ! '>='
42
+ - !ruby/object:Gem::Version
65
43
  version: 2.3.0
66
44
  type: :runtime
67
- version_requirements: *id003
68
- - !ruby/object:Gem::Dependency
69
- name: ruport
70
45
  prerelease: false
71
- requirement: &id004 !ruby/object:Gem::Requirement
46
+ version_requirements: *70051800
47
+ - !ruby/object:Gem::Dependency
48
+ name: ruport
49
+ requirement: &70051430 !ruby/object:Gem::Requirement
72
50
  none: false
73
- requirements:
51
+ requirements:
74
52
  - - ~>
75
- - !ruby/object:Gem::Version
76
- hash: 9
77
- segments:
78
- - 1
79
- - 6
80
- - 3
53
+ - !ruby/object:Gem::Version
81
54
  version: 1.6.3
82
55
  type: :runtime
83
- version_requirements: *id004
84
- - !ruby/object:Gem::Dependency
85
- name: erubis
86
56
  prerelease: false
87
- requirement: &id005 !ruby/object:Gem::Requirement
57
+ version_requirements: *70051430
58
+ - !ruby/object:Gem::Dependency
59
+ name: erubis
60
+ requirement: &70051060 !ruby/object:Gem::Requirement
88
61
  none: false
89
- requirements:
62
+ requirements:
90
63
  - - ~>
91
- - !ruby/object:Gem::Version
92
- hash: 29
93
- segments:
94
- - 2
95
- - 6
96
- - 5
64
+ - !ruby/object:Gem::Version
97
65
  version: 2.6.5
98
66
  type: :runtime
99
- version_requirements: *id005
100
- - !ruby/object:Gem::Dependency
101
- name: haml
102
67
  prerelease: false
103
- requirement: &id006 !ruby/object:Gem::Requirement
68
+ version_requirements: *70051060
69
+ - !ruby/object:Gem::Dependency
70
+ name: haml
71
+ requirement: &70050750 !ruby/object:Gem::Requirement
104
72
  none: false
105
- requirements:
73
+ requirements:
106
74
  - - ~>
107
- - !ruby/object:Gem::Version
108
- hash: 31
109
- segments:
110
- - 3
111
- - 0
112
- - 12
75
+ - !ruby/object:Gem::Version
113
76
  version: 3.0.12
114
77
  type: :runtime
115
- version_requirements: *id006
116
- description: Brakeman detects security vulnerabilities in Ruby on Rails applications via static analysis.
78
+ prerelease: false
79
+ version_requirements: *70050750
80
+ description: Brakeman detects security vulnerabilities in Ruby on Rails applications
81
+ via static analysis.
117
82
  email:
118
- executables:
83
+ executables:
119
84
  - brakeman
120
85
  extensions: []
121
-
122
86
  extra_rdoc_files: []
123
-
124
- files:
87
+ files:
125
88
  - bin/brakeman
126
89
  - WARNING_TYPES
127
90
  - FEATURES
@@ -185,39 +148,28 @@ files:
185
148
  - lib/checks.rb
186
149
  - lib/processor.rb
187
150
  - lib/format/style.css
188
- has_rdoc: true
189
151
  homepage: http://brakemanscanner.org
190
152
  licenses: []
191
-
192
153
  post_install_message:
193
154
  rdoc_options: []
194
-
195
- require_paths:
155
+ require_paths:
196
156
  - lib
197
- required_ruby_version: !ruby/object:Gem::Requirement
157
+ required_ruby_version: !ruby/object:Gem::Requirement
198
158
  none: false
199
- requirements:
200
- - - ">="
201
- - !ruby/object:Gem::Version
202
- hash: 3
203
- segments:
204
- - 0
205
- version: "0"
206
- required_rubygems_version: !ruby/object:Gem::Requirement
159
+ requirements:
160
+ - - ! '>='
161
+ - !ruby/object:Gem::Version
162
+ version: '0'
163
+ required_rubygems_version: !ruby/object:Gem::Requirement
207
164
  none: false
208
- requirements:
209
- - - ">="
210
- - !ruby/object:Gem::Version
211
- hash: 3
212
- segments:
213
- - 0
214
- version: "0"
165
+ requirements:
166
+ - - ! '>='
167
+ - !ruby/object:Gem::Version
168
+ version: '0'
215
169
  requirements: []
216
-
217
170
  rubyforge_project:
218
- rubygems_version: 1.6.2
171
+ rubygems_version: 1.8.6
219
172
  signing_key:
220
173
  specification_version: 3
221
174
  summary: Security vulnerability scanner for Ruby on Rails.
222
175
  test_files: []
223
-