RubyGems - brakeman - Versions diffs - 1.2.1 → 1.2.2 - Mend

brakeman 1.2.1 → 1.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

data/lib/brakeman.rb +3 -1
data/lib/brakeman/checks/check_cross_site_scripting.rb +0 -124
data/lib/brakeman/checks/check_link_to.rb +126 -0
data/lib/brakeman/processors/lib/rails2_route_processor.rb +3 -3
data/lib/brakeman/rescanner.rb +8 -0
data/lib/brakeman/version.rb +1 -1
metadata +110 -74

data/lib/brakeman.rb CHANGED Viewed

@@ -48,7 +48,9 @@ module Brakeman
     @quiet = !!options[:quiet]
     @debug = !!options[:debug]
-    options[:report_progress] = !@quiet
+    if @quiet
+      options[:report_progress] = false
+    end
     scan options
   end

data/lib/brakeman/checks/check_cross_site_scripting.rb CHANGED Viewed

@@ -44,12 +44,6 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
     @models = tracker.models.keys
     @inspect_arguments = tracker.options[:check_arguments]
-    if version_between?("2.0.0", "2.9.9") and not tracker.config[:escape_html]
-      link_to_check = Brakeman::CheckLinkTo.new(tracker)
-      link_to_check.run_check
-      warnings.concat link_to_check.warnings unless link_to_check.warnings.empty?
-    end
     @known_dangerous = Set.new([:truncate, :concat])
     if version_between? "2.0.0", "3.0.5"
@@ -264,121 +258,3 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
     exp[1].node_type == :call and exp[1][2] == :raw
   end
 end
-#This _only_ checks calls to link_to
-class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
-  def run_check
-    @ignore_methods = Set.new([:button_to, :check_box, :escapeHTML, :escape_once,
-                           :field_field, :fields_for, :h, :hidden_field,
-                           :hidden_field, :hidden_field_tag, :image_tag, :label,
-                           :mail_to, :radio_button, :select,
-                           :submit_tag, :text_area, :text_field,
-                           :text_field_tag, :url_encode, :url_for,
-                           :will_paginate] ).merge tracker.options[:safe_methods]
-    @known_dangerous = []
-    #Ideally, I think this should also check to see if people are setting
-    #:escape => false
-    methods = tracker.find_call :target => false, :method => :link_to
-    @models = tracker.models.keys
-    @inspect_arguments = tracker.options[:check_arguments]
-    methods.each do |call|
-      process_result call
-    end
-  end
-  def process_result result
-    #Have to make a copy of this, otherwise it will be changed to
-    #an ignored method call by the code above.
-    call = result[:call] = result[:call].dup
-    @matched = false
-    return if call[3][1].nil?
-    #Only check first argument for +link_to+, as the second
-    #will *usually* be a record or escaped.
-    first_arg = process call[3][1]
-    type, match = has_immediate_user_input? first_arg
-    if type
-      case type
-      when :params
-        message = "Unescaped parameter value in link_to"
-      when :cookies
-        message = "Unescaped cookie value in link_to"
-      else
-        message = "Unescaped user input value in link_to"
-      end
-      unless duplicate? result
-        add_result result
-        warn :result => result,
-          :warning_type => "Cross Site Scripting",
-          :message => message,
-          :confidence => CONFIDENCE[:high]
-      end
-    elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(first_arg)
-      method = match[2]
-      unless duplicate? result or IGNORE_MODEL_METHODS.include? method
-        add_result result
-        if MODEL_METHODS.include? method or method.to_s =~ /^find_by/
-          confidence = CONFIDENCE[:high]
-        else
-          confidence = CONFIDENCE[:med]
-        end
-        warn :result => result,
-          :warning_type => "Cross Site Scripting",
-          :message => "Unescaped model attribute in link_to",
-          :confidence => confidence
-      end
-    elsif @matched
-      if @matched == :model and not tracker.options[:ignore_model_output]
-        message = "Unescaped model attribute in link_to"
-      elsif @matched == :params
-        message = "Unescaped parameter value in link_to"
-      end
-      if message and not duplicate? result
-        add_result result
-        warn :result => result,
-          :warning_type => "Cross Site Scripting",
-          :message => message,
-          :confidence => CONFIDENCE[:med]
-      end
-    end
-  end
-  def process_call exp
-    @mark = true
-    actually_process_call exp
-    exp
-  end
-  def actually_process_call exp
-    return if @matched
-    target = exp[1]
-    if sexp? target
-      target = process target.dup
-    end
-    #Bare records create links to the model resource,
-    #not a string that could have injection
-    if model_name? target and context == [:call, :arglist]
-      return exp
-    end
-    super
-  end
-end

data/lib/brakeman/checks/check_link_to.rb ADDED Viewed

@@ -0,0 +1,126 @@
+require 'brakeman/checks/check_cross_site_scripting'
+#Checks for calls to link_to in versions of Ruby where link_to did not
+#escape the first argument.
+#
+#See https://rails.lighthouseapp.com/projects/8994/tickets/3518-link_to-doesnt-escape-its-input
+class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
+  Brakeman::Checks.add self
+  def run_check
+    return unless version_between?("2.0.0", "2.9.9") and not tracker.config[:escape_html]
+    @ignore_methods = Set.new([:button_to, :check_box, :escapeHTML, :escape_once,
+                           :field_field, :fields_for, :h, :hidden_field,
+                           :hidden_field, :hidden_field_tag, :image_tag, :label,
+                           :mail_to, :radio_button, :select,
+                           :submit_tag, :text_area, :text_field,
+                           :text_field_tag, :url_encode, :url_for,
+                           :will_paginate] ).merge tracker.options[:safe_methods]
+    @known_dangerous = []
+    #Ideally, I think this should also check to see if people are setting
+    #:escape => false
+    methods = tracker.find_call :target => false, :method => :link_to
+    @models = tracker.models.keys
+    @inspect_arguments = tracker.options[:check_arguments]
+    methods.each do |call|
+      process_result call
+    end
+  end
+  def process_result result
+    #Have to make a copy of this, otherwise it will be changed to
+    #an ignored method call by the code above.
+    call = result[:call] = result[:call].dup
+    @matched = false
+    return if call[3][1].nil?
+    #Only check first argument for +link_to+, as the second
+    #will *usually* be a record or escaped.
+    first_arg = process call[3][1]
+    type, match = has_immediate_user_input? first_arg
+    if type
+      case type
+      when :params
+        message = "Unescaped parameter value in link_to"
+      when :cookies
+        message = "Unescaped cookie value in link_to"
+      else
+        message = "Unescaped user input value in link_to"
+      end
+      unless duplicate? result
+        add_result result
+        warn :result => result,
+          :warning_type => "Cross Site Scripting",
+          :message => message,
+          :confidence => CONFIDENCE[:high]
+      end
+    elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(first_arg)
+      method = match[2]
+      unless duplicate? result or IGNORE_MODEL_METHODS.include? method
+        add_result result
+        if MODEL_METHODS.include? method or method.to_s =~ /^find_by/
+          confidence = CONFIDENCE[:high]
+        else
+          confidence = CONFIDENCE[:med]
+        end
+        warn :result => result,
+          :warning_type => "Cross Site Scripting",
+          :message => "Unescaped model attribute in link_to",
+          :confidence => confidence
+      end
+    elsif @matched
+      if @matched == :model and not tracker.options[:ignore_model_output]
+        message = "Unescaped model attribute in link_to"
+      elsif @matched == :params
+        message = "Unescaped parameter value in link_to"
+      end
+      if message and not duplicate? result
+        add_result result
+        warn :result => result,
+          :warning_type => "Cross Site Scripting",
+          :message => message,
+          :confidence => CONFIDENCE[:med]
+      end
+    end
+  end
+  def process_call exp
+    @mark = true
+    actually_process_call exp
+    exp
+  end
+  def actually_process_call exp
+    return if @matched
+    target = exp[1]
+    if sexp? target
+      target = process target.dup
+    end
+    #Bare records create links to the model resource,
+    #not a string that could have injection
+    if model_name? target and context == [:call, :arglist]
+      return exp
+    end
+    super
+  end
+end

data/lib/brakeman/processors/lib/rails2_route_processor.rb CHANGED Viewed

@@ -69,7 +69,7 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BaseProcessor
         process_namespace exp
       when :resources, :resource
         process_resources exp[1][3][1..-1]
-        process_default exp[3]
+        process_default exp[3] if exp[3]
       when :with_options
         process_with_options exp
       end
@@ -111,7 +111,7 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BaseProcessor
     hash_iterate(exp) do |option, value|
       case option[1]
       when :controller, :requirements, :singular, :path_prefix, :as,
-        :path_names, :shallow, :name_prefix
+        :path_names, :shallow, :name_prefix, :member_path, :nested_member_path
         #should be able to skip
       when :collection, :member, :new
         process_collection value
@@ -128,7 +128,7 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BaseProcessor
       when :except
         process_option_except value
       else
-        raise "Unhandled resource option: #{option}"
+        Brakeman.notify "[Notice] Unhandled resource option: #{option}"
       end
     end
   end

data/lib/brakeman/rescanner.rb CHANGED Viewed

@@ -245,6 +245,14 @@ class Brakeman::RescanReport
     @diff ||= @new_results.diff(@old_results)
   end
+  #Returns an array of warnings which were in the old report and the new report
+  def existing_warnings
+    @old ||= all_warnings.select do |w|
+      not new_warnings.include? w
+    end
+  end
+  #Output total, fixed, and new warnings
   def to_s
     <<-OUTPUT
 Total warnings: #{all_warnings.length}

data/lib/brakeman/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "1.2.1"
+  Version = "1.2.2"
 end

metadata CHANGED Viewed

@@ -1,101 +1,127 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification
 name: brakeman
-version: !ruby/object:Gem::Version
-  version: 1.2.1
-  prerelease:
+version: !ruby/object:Gem::Version
+  prerelease: false
+  segments:
+  - 1
+  - 2
+  - 2
+  version: 1.2.2
 platform: ruby
-authors:
+authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-01-20 00:00:00.000000000 Z
-dependencies:
-- !ruby/object:Gem::Dependency
+date: 2012-01-26 00:00:00 -08:00
+default_executable:
+dependencies:
+- !ruby/object:Gem::Dependency
   name: activesupport
-  requirement: &76221240 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement
     none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        segments:
+        - 0
+        version: "0"
   type: :runtime
-  prerelease: false
-  version_requirements: *76221240
-- !ruby/object:Gem::Dependency
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency
   name: i18n
-  requirement: &76220920 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement
     none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        segments:
+        - 0
+        version: "0"
   type: :runtime
-  prerelease: false
-  version_requirements: *76220920
-- !ruby/object:Gem::Dependency
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency
   name: ruby2ruby
-  requirement: &76220320 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement
     none: false
-    requirements:
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '1.2'
+      - !ruby/object:Gem::Version
+        segments:
+        - 1
+        - 2
+        version: "1.2"
   type: :runtime
-  prerelease: false
-  version_requirements: *76220320
-- !ruby/object:Gem::Dependency
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency
   name: ruport
-  requirement: &76219720 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement
     none: false
-    requirements:
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '1.6'
+      - !ruby/object:Gem::Version
+        segments:
+        - 1
+        - 6
+        version: "1.6"
   type: :runtime
-  prerelease: false
-  version_requirements: *76219720
-- !ruby/object:Gem::Dependency
+  version_requirements: *id004
+- !ruby/object:Gem::Dependency
   name: erubis
-  requirement: &76943790 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id005 !ruby/object:Gem::Requirement
     none: false
-    requirements:
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '2.6'
+      - !ruby/object:Gem::Version
+        segments:
+        - 2
+        - 6
+        version: "2.6"
   type: :runtime
-  prerelease: false
-  version_requirements: *76943790
-- !ruby/object:Gem::Dependency
+  version_requirements: *id005
+- !ruby/object:Gem::Dependency
   name: haml
-  requirement: &76943560 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id006 !ruby/object:Gem::Requirement
     none: false
-    requirements:
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '3.0'
+      - !ruby/object:Gem::Version
+        segments:
+        - 3
+        - 0
+        version: "3.0"
   type: :runtime
-  prerelease: false
-  version_requirements: *76943560
-- !ruby/object:Gem::Dependency
+  version_requirements: *id006
+- !ruby/object:Gem::Dependency
   name: sass
-  requirement: &76943330 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id007 !ruby/object:Gem::Requirement
     none: false
-    requirements:
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '3.0'
+      - !ruby/object:Gem::Version
+        segments:
+        - 3
+        - 0
+        version: "3.0"
   type: :runtime
-  prerelease: false
-  version_requirements: *76943330
-description: Brakeman detects security vulnerabilities in Ruby on Rails applications
-  via static analysis.
+  version_requirements: *id007
+description: Brakeman detects security vulnerabilities in Ruby on Rails applications via static analysis.
 email:
-executables:
+executables:
 - brakeman
 extensions: []
 extra_rdoc_files: []
-files:
+files:
 - bin/brakeman
 - WARNING_TYPES
 - FEATURES
@@ -147,6 +173,7 @@ files:
 - lib/brakeman/checks/check_evaluation.rb
 - lib/brakeman/checks/check_quote_table_name.rb
 - lib/brakeman/checks/check_validation_regex.rb
+- lib/brakeman/checks/check_link_to.rb
 - lib/brakeman/checks/check_execute.rb
 - lib/brakeman/checks/check_filter_skipping.rb
 - lib/brakeman/checks/check_mail_to.rb
@@ -168,28 +195,37 @@ files:
 - lib/brakeman/processor.rb
 - lib/brakeman.rb
 - lib/brakeman/format/style.css
+has_rdoc: true
 homepage: http://brakemanscanner.org
 licenses: []
 post_install_message:
 rdoc_options: []
-require_paths:
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
+required_ruby_version: !ruby/object:Gem::Requirement
   none: false
-  requirements:
-  - - ! '>='
-    - !ruby/object:Gem::Version
-      version: '0'
-required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      segments:
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
-  requirements:
-  - - ! '>='
-    - !ruby/object:Gem::Version
-      version: '0'
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      segments:
+      - 0
+      version: "0"
 requirements: []
 rubyforge_project:
-rubygems_version: 1.8.10
+rubygems_version: 1.3.7
 signing_key:
 specification_version: 3
 summary: Security vulnerability scanner for Ruby on Rails.
 test_files: []