brakeman 1.4.0 → 1.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/README.md +1 -0
- data/lib/brakeman.rb +4 -0
- data/lib/brakeman/checks/check_cross_site_scripting.rb +10 -6
- data/lib/brakeman/checks/check_link_to.rb +2 -2
- data/lib/brakeman/checks/check_link_to_href.rb +2 -2
- data/lib/brakeman/checks/check_mass_assignment.rb +1 -1
- data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +30 -0
- data/lib/brakeman/checks/check_select_vulnerability.rb +55 -0
- data/lib/brakeman/checks/check_skip_before_filter.rb +51 -0
- data/lib/brakeman/checks/check_sql.rb +10 -11
- data/lib/brakeman/options.rb +1 -1
- data/lib/brakeman/processors/lib/rails2_route_processor.rb +2 -3
- data/lib/brakeman/processors/lib/route_helper.rb +10 -3
- data/lib/brakeman/processors/params_processor.rb +1 -1
- data/lib/brakeman/processors/template_alias_processor.rb +1 -1
- data/lib/brakeman/util.rb +1 -1
- data/lib/brakeman/version.rb +1 -1
- metadata +118 -72
data/README.md
CHANGED
|
@@ -140,6 +140,7 @@ The `-c` option can be used to specify a configuration file to use.
|
|
|
140
140
|
The MIT License
|
|
141
141
|
|
|
142
142
|
Copyright (c) 2010-2012, YELLOWPAGES.COM, LLC
|
|
143
|
+
Copyright (c) 2012, Twitter, Inc.
|
|
143
144
|
|
|
144
145
|
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
145
146
|
of this software and associated documentation files (the "Software"), to deal
|
data/lib/brakeman.rb
CHANGED
|
@@ -138,6 +138,8 @@ module Brakeman
|
|
|
138
138
|
:to_pdf
|
|
139
139
|
when :tabs, :to_tabs
|
|
140
140
|
:to_tabs
|
|
141
|
+
when :json, :to_json
|
|
142
|
+
:to_json
|
|
141
143
|
else
|
|
142
144
|
:to_s
|
|
143
145
|
end
|
|
@@ -151,6 +153,8 @@ module Brakeman
|
|
|
151
153
|
:to_pdf
|
|
152
154
|
when /\.tabs$/i
|
|
153
155
|
:to_tabs
|
|
156
|
+
when /\.json$/i
|
|
157
|
+
:to_json
|
|
154
158
|
else
|
|
155
159
|
:to_s
|
|
156
160
|
end
|
|
@@ -17,9 +17,9 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
|
|
|
17
17
|
@description = "Checks for unescaped output in views"
|
|
18
18
|
|
|
19
19
|
#Model methods which are known to be harmless
|
|
20
|
-
IGNORE_MODEL_METHODS = Set
|
|
20
|
+
IGNORE_MODEL_METHODS = Set[:average, :count, :maximum, :minimum, :sum, :id]
|
|
21
21
|
|
|
22
|
-
MODEL_METHODS = Set
|
|
22
|
+
MODEL_METHODS = Set[:all, :find, :first, :last, :new]
|
|
23
23
|
|
|
24
24
|
IGNORE_LIKE = /^link_to_|(_path|_tag|_url)$/
|
|
25
25
|
|
|
@@ -35,18 +35,18 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
|
|
|
35
35
|
|
|
36
36
|
#Run check
|
|
37
37
|
def run_check
|
|
38
|
-
@ignore_methods = Set
|
|
38
|
+
@ignore_methods = Set[:button_to, :check_box, :content_tag, :escapeHTML, :escape_once,
|
|
39
39
|
:field_field, :fields_for, :h, :hidden_field,
|
|
40
40
|
:hidden_field, :hidden_field_tag, :image_tag, :label,
|
|
41
|
-
:link_to, :mail_to, :radio_button,
|
|
41
|
+
:link_to, :mail_to, :radio_button,
|
|
42
42
|
:submit_tag, :text_area, :text_field,
|
|
43
43
|
:text_field_tag, :url_encode, :url_for,
|
|
44
|
-
:will_paginate]
|
|
44
|
+
:will_paginate].merge tracker.options[:safe_methods]
|
|
45
45
|
|
|
46
46
|
@models = tracker.models.keys
|
|
47
47
|
@inspect_arguments = tracker.options[:check_arguments]
|
|
48
48
|
|
|
49
|
-
@known_dangerous = Set
|
|
49
|
+
@known_dangerous = Set[:truncate, :concat]
|
|
50
50
|
|
|
51
51
|
if version_between? "2.0.0", "3.0.5"
|
|
52
52
|
@known_dangerous << :auto_link
|
|
@@ -54,6 +54,10 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
|
|
|
54
54
|
@ignore_methods << :auto_link
|
|
55
55
|
end
|
|
56
56
|
|
|
57
|
+
if tracker.config[:rails3]
|
|
58
|
+
@ignore_methods << :select
|
|
59
|
+
end
|
|
60
|
+
|
|
57
61
|
tracker.each_template do |name, template|
|
|
58
62
|
@current_template = template
|
|
59
63
|
template[:outputs].each do |out|
|
|
@@ -12,13 +12,13 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
|
|
|
12
12
|
def run_check
|
|
13
13
|
return unless version_between?("2.0.0", "2.9.9") and not tracker.config[:escape_html]
|
|
14
14
|
|
|
15
|
-
@ignore_methods = Set
|
|
15
|
+
@ignore_methods = Set[:button_to, :check_box, :escapeHTML, :escape_once,
|
|
16
16
|
:field_field, :fields_for, :h, :hidden_field,
|
|
17
17
|
:hidden_field, :hidden_field_tag, :image_tag, :label,
|
|
18
18
|
:mail_to, :radio_button, :select,
|
|
19
19
|
:submit_tag, :text_area, :text_field,
|
|
20
20
|
:text_field_tag, :url_encode, :url_for,
|
|
21
|
-
:will_paginate]
|
|
21
|
+
:will_paginate].merge tracker.options[:safe_methods]
|
|
22
22
|
|
|
23
23
|
@known_dangerous = []
|
|
24
24
|
#Ideally, I think this should also check to see if people are setting
|
|
@@ -12,13 +12,13 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
|
|
|
12
12
|
@description = "Checks to see if values used for hrefs are sanitized using a :url_safe_method to protect against javascript:/data: XSS"
|
|
13
13
|
|
|
14
14
|
def run_check
|
|
15
|
-
@ignore_methods = Set
|
|
15
|
+
@ignore_methods = Set[:button_to, :check_box,
|
|
16
16
|
:field_field, :fields_for, :hidden_field,
|
|
17
17
|
:hidden_field, :hidden_field_tag, :image_tag, :label,
|
|
18
18
|
:mail_to, :radio_button, :select,
|
|
19
19
|
:submit_tag, :text_area, :text_field,
|
|
20
20
|
:text_field_tag, :url_encode, :url_for,
|
|
21
|
-
:will_paginate]
|
|
21
|
+
:will_paginate].merge(tracker.options[:url_safe_methods] || [])
|
|
22
22
|
|
|
23
23
|
@models = tracker.models.keys
|
|
24
24
|
@inspect_arguments = tracker.options[:check_arguments]
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
require 'brakeman/checks/base_check'
|
|
2
|
+
|
|
3
|
+
#Check for unsafe manipulation of strings
|
|
4
|
+
#Right now this is just a version check for
|
|
5
|
+
#https://groups.google.com/group/rubyonrails-security/browse_thread/thread/edd28f1e3d04e913?pli=1
|
|
6
|
+
class Brakeman::CheckSafeBufferManipulation < Brakeman::BaseCheck
|
|
7
|
+
Brakeman::Checks.add self
|
|
8
|
+
|
|
9
|
+
@description = "Check for Rails versions with SafeBuffer bug"
|
|
10
|
+
|
|
11
|
+
def run_check
|
|
12
|
+
|
|
13
|
+
if version_between? "3.0.0", "3.0.11"
|
|
14
|
+
suggested_version = "3.0.12"
|
|
15
|
+
elsif version_between? "3.1.0", "3.1.3"
|
|
16
|
+
suggested_version = "3.1.4"
|
|
17
|
+
elsif version_between? "3.2.0", "3.2.1"
|
|
18
|
+
suggested_version = "3.2.2"
|
|
19
|
+
else
|
|
20
|
+
return
|
|
21
|
+
end
|
|
22
|
+
|
|
23
|
+
message = "Rails #{tracker.config[:rails_version]} has a vulnerabilty in SafeBuffer. Upgrade to #{suggested_version} or apply patches."
|
|
24
|
+
|
|
25
|
+
warn :warning_type => "Cross Site Scripting",
|
|
26
|
+
:message => message,
|
|
27
|
+
:confidence => CONFIDENCE[:med],
|
|
28
|
+
:file => gemfile_or_environment
|
|
29
|
+
end
|
|
30
|
+
end
|
|
@@ -0,0 +1,55 @@
|
|
|
1
|
+
require 'brakeman/checks/base_check'
|
|
2
|
+
|
|
3
|
+
#Checks for select() helper vulnerability in some versions of Rails 3
|
|
4
|
+
#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/9da0c515a6c4664
|
|
5
|
+
class Brakeman::CheckSelectVulnerability < Brakeman::BaseCheck
|
|
6
|
+
Brakeman::Checks.add self
|
|
7
|
+
|
|
8
|
+
@description = "Looks for unsafe uses of select() helper in some versions of Rails 3.x"
|
|
9
|
+
|
|
10
|
+
def run_check
|
|
11
|
+
|
|
12
|
+
if version_between? "3.0.0", "3.0.11"
|
|
13
|
+
suggested_version = "3.0.12"
|
|
14
|
+
elsif version_between? "3.1.0", "3.1.3"
|
|
15
|
+
suggested_version = "3.1.4"
|
|
16
|
+
elsif version_between? "3.2.0", "3.2.1"
|
|
17
|
+
suggested_version = "3.2.2"
|
|
18
|
+
else
|
|
19
|
+
return
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
@message = "Upgrade to Rails #{suggested_version}, #{tracker.config[:rails_version]} select() helper is vulnerable"
|
|
23
|
+
|
|
24
|
+
calls = tracker.find_call(:target => nil, :method => :select).select do |result|
|
|
25
|
+
result[:location][0] == :template
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
calls.each do |result|
|
|
29
|
+
process_result result
|
|
30
|
+
end
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
def process_result result
|
|
34
|
+
return if duplicate? result
|
|
35
|
+
|
|
36
|
+
args = result[:call][3]
|
|
37
|
+
|
|
38
|
+
#Check for user input in options parameter
|
|
39
|
+
if sexp? args[3] and include_user_input? args[3]
|
|
40
|
+
add_result result
|
|
41
|
+
|
|
42
|
+
if node_type? args[3], :string_interp, :dstr
|
|
43
|
+
confidence = CONFIDENCE[:med]
|
|
44
|
+
else
|
|
45
|
+
confidence = CONFIDENCE[:low]
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
warn :template => result[:location][1],
|
|
49
|
+
:warning_type => "Cross Site Scripting",
|
|
50
|
+
:result => result,
|
|
51
|
+
:message => @message,
|
|
52
|
+
:confidence => confidence
|
|
53
|
+
end
|
|
54
|
+
end
|
|
55
|
+
end
|
|
@@ -0,0 +1,51 @@
|
|
|
1
|
+
require 'brakeman/checks/base_check'
|
|
2
|
+
|
|
3
|
+
#At the moment, this looks for
|
|
4
|
+
#
|
|
5
|
+
# skip_before_filter :verify_authenticity_token, :except => [...]
|
|
6
|
+
#
|
|
7
|
+
#which is essentially a blacklist approach (no actions are checked EXCEPT the
|
|
8
|
+
#ones listed) versus a whitelist approach (ONLY the actions listed will skip
|
|
9
|
+
#the check)
|
|
10
|
+
class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
|
|
11
|
+
Brakeman::Checks.add self
|
|
12
|
+
|
|
13
|
+
@description = "Warn when skipping CSRF check by default"
|
|
14
|
+
|
|
15
|
+
def run_check
|
|
16
|
+
tracker.controllers.each do |name, controller|
|
|
17
|
+
if filter_skips = (controller[:options][:skip_before_filter] or controller[:options][:skip_filter])
|
|
18
|
+
filter_skips.each do |filter|
|
|
19
|
+
process_skip_filter filter, controller
|
|
20
|
+
end
|
|
21
|
+
end
|
|
22
|
+
end
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
def process_skip_filter filter, controller
|
|
26
|
+
if skip_verify_except? filter
|
|
27
|
+
warn :class => controller[:name],
|
|
28
|
+
:warning_type => "Cross-Site Request Forgery",
|
|
29
|
+
:message => "Use whitelist (:only => [..]) when skipping CSRF check",
|
|
30
|
+
:line => filter.line,
|
|
31
|
+
:code => filter,
|
|
32
|
+
:confidence => CONFIDENCE[:med]
|
|
33
|
+
end
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
def skip_verify_except? filter
|
|
37
|
+
return false unless call? filter
|
|
38
|
+
|
|
39
|
+
args = filter[3]
|
|
40
|
+
|
|
41
|
+
if symbol? args[1] and args[1][1] == :verify_authenticity_token and hash? args.last
|
|
42
|
+
hash_iterate args.last do |k, v|
|
|
43
|
+
if symbol? k and k[1] == :except
|
|
44
|
+
return true
|
|
45
|
+
end
|
|
46
|
+
end
|
|
47
|
+
end
|
|
48
|
+
|
|
49
|
+
false
|
|
50
|
+
end
|
|
51
|
+
end
|
|
@@ -16,22 +16,22 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
16
16
|
def run_check
|
|
17
17
|
@rails_version = tracker.config[:rails_version]
|
|
18
18
|
|
|
19
|
-
Brakeman.debug "Finding possible SQL calls on models"
|
|
20
19
|
if tracker.options[:rails3]
|
|
21
|
-
|
|
22
|
-
:methods => /^(find.*|first|last|all|where|order|group|having)$/,
|
|
23
|
-
:chained => true
|
|
20
|
+
@sql_targets = /^(find.*|last|first|all|count|sum|average|minumum|maximum|count_by_sql|where|order|group|having)$/
|
|
24
21
|
else
|
|
25
|
-
|
|
26
|
-
:methods => /^(find.*|first|last|all)$/,
|
|
27
|
-
:chained => true
|
|
22
|
+
@sql_targets = /^(find.*|last|first|all|count|sum|average|minumum|maximum|count_by_sql)$/
|
|
28
23
|
end
|
|
29
24
|
|
|
25
|
+
Brakeman.debug "Finding possible SQL calls on models"
|
|
26
|
+
calls = tracker.find_call :targets => tracker.models.keys,
|
|
27
|
+
:methods => @sql_targets,
|
|
28
|
+
:chained => true
|
|
29
|
+
|
|
30
30
|
Brakeman.debug "Finding possible SQL calls with no target"
|
|
31
|
-
calls.concat tracker.find_call(:target => nil, :method =>
|
|
31
|
+
calls.concat tracker.find_call(:target => nil, :method => @sql_targets)
|
|
32
32
|
|
|
33
33
|
Brakeman.debug "Finding possible SQL calls using constantized()"
|
|
34
|
-
calls.concat tracker.find_call(:method =>
|
|
34
|
+
calls.concat tracker.find_call(:method => @sql_targets).select { |result| constantize_call? result }
|
|
35
35
|
|
|
36
36
|
Brakeman.debug "Finding calls to named_scope or scope"
|
|
37
37
|
calls.concat find_scope_calls
|
|
@@ -90,8 +90,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
90
90
|
find_calls.process_source block, model_name, scope_name
|
|
91
91
|
|
|
92
92
|
find_calls.calls.each do |call|
|
|
93
|
-
if call[:method].to_s =~
|
|
94
|
-
puts "Looks like #{call.inspect}"
|
|
93
|
+
if call[:method].to_s =~ @sql_targets
|
|
95
94
|
process_result call
|
|
96
95
|
end
|
|
97
96
|
end
|
data/lib/brakeman/options.rb
CHANGED
|
@@ -30,9 +30,8 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BaseProcessor
|
|
|
30
30
|
def process_call exp
|
|
31
31
|
target = exp[1]
|
|
32
32
|
|
|
33
|
-
if target == map or target == nested
|
|
33
|
+
if target == map or (not target.nil? and target == nested)
|
|
34
34
|
process_map exp
|
|
35
|
-
|
|
36
35
|
else
|
|
37
36
|
process_default exp
|
|
38
37
|
end
|
|
@@ -193,7 +192,7 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BaseProcessor
|
|
|
193
192
|
#This -seems- redundant, but people might connect actions
|
|
194
193
|
#to a controller which already allows them all
|
|
195
194
|
return if @tracker.routes[@current_controller].is_a? Array and @tracker.routes[@current_controller][0] == :allow_all_actions
|
|
196
|
-
|
|
195
|
+
|
|
197
196
|
exp[-1].each_with_index do |e,i|
|
|
198
197
|
if symbol? e and e[1] == :action
|
|
199
198
|
@tracker.routes[@current_controller] << exp[-1][i + 1][1].to_sym
|
|
@@ -23,12 +23,19 @@ module Brakeman::RouteHelper
|
|
|
23
23
|
|
|
24
24
|
#Add default routes
|
|
25
25
|
def add_resources_routes
|
|
26
|
-
@tracker.routes[@current_controller]
|
|
27
|
-
end
|
|
26
|
+
existing_routes = @tracker.routes[@current_controller]
|
|
28
27
|
|
|
28
|
+
unless existing_routes.is_a? Array and existing_routes.first == :allow_all_actions
|
|
29
|
+
existing_routes.merge [:index, :new, :create, :show, :edit, :update, :destroy]
|
|
30
|
+
end
|
|
31
|
+
end
|
|
29
32
|
|
|
30
33
|
#Add default routes minus :index
|
|
31
34
|
def add_resource_routes
|
|
32
|
-
@tracker.routes[@current_controller]
|
|
35
|
+
existing_routes = @tracker.routes[@current_controller]
|
|
36
|
+
|
|
37
|
+
unless existing_routes.is_a? Array and existing_routes.first == :allow_all_actions
|
|
38
|
+
existing_routes.merge [:new, :create, :show, :edit, :update, :destroy]
|
|
39
|
+
end
|
|
33
40
|
end
|
|
34
41
|
end
|
|
@@ -15,7 +15,7 @@ class Brakeman::ParamsProcessor < SexpProcessor
|
|
|
15
15
|
@result = []
|
|
16
16
|
@matched = false
|
|
17
17
|
@mark = false
|
|
18
|
-
@watch_nodes = Set
|
|
18
|
+
@watch_nodes = Set[:call, :iasgn, :lasgn, :gasgn, :cvasgn, :return, :attrasgn]
|
|
19
19
|
@params = Sexp.new(:call, nil, :params, Sexp.new(:arglist))
|
|
20
20
|
end
|
|
21
21
|
|
|
@@ -7,7 +7,7 @@ require 'brakeman/processors/lib/render_helper'
|
|
|
7
7
|
class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
|
|
8
8
|
include Brakeman::RenderHelper
|
|
9
9
|
|
|
10
|
-
FORM_METHODS = Set
|
|
10
|
+
FORM_METHODS = Set[:form_for, :remote_form_for, :form_remote_for]
|
|
11
11
|
|
|
12
12
|
def initialize tracker, template
|
|
13
13
|
super()
|
data/lib/brakeman/util.rb
CHANGED
|
@@ -19,7 +19,7 @@ module Brakeman::Util
|
|
|
19
19
|
|
|
20
20
|
SESSION = Sexp.new(:call, nil, :session, Sexp.new(:arglist))
|
|
21
21
|
|
|
22
|
-
ALL_PARAMETERS = Set
|
|
22
|
+
ALL_PARAMETERS = Set[PARAMETERS, QUERY_PARAMETERS, PATH_PARAMETERS, REQUEST_PARAMETERS]
|
|
23
23
|
|
|
24
24
|
#Convert a string from "something_like_this" to "SomethingLikeThis"
|
|
25
25
|
#
|
data/lib/brakeman/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,101 +1,134 @@
|
|
|
1
|
-
--- !ruby/object:Gem::Specification
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: brakeman
|
|
3
|
-
version: !ruby/object:Gem::Version
|
|
4
|
-
|
|
3
|
+
version: !ruby/object:Gem::Version
|
|
4
|
+
hash: 3
|
|
5
5
|
prerelease:
|
|
6
|
+
segments:
|
|
7
|
+
- 1
|
|
8
|
+
- 5
|
|
9
|
+
- 0
|
|
10
|
+
version: 1.5.0
|
|
6
11
|
platform: ruby
|
|
7
|
-
authors:
|
|
12
|
+
authors:
|
|
8
13
|
- Justin Collins
|
|
9
14
|
autorequire:
|
|
10
15
|
bindir: bin
|
|
11
16
|
cert_chain: []
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
17
|
+
|
|
18
|
+
date: 2012-03-02 00:00:00 Z
|
|
19
|
+
dependencies:
|
|
20
|
+
- !ruby/object:Gem::Dependency
|
|
15
21
|
name: activesupport
|
|
16
|
-
|
|
22
|
+
prerelease: false
|
|
23
|
+
requirement: &id001 !ruby/object:Gem::Requirement
|
|
17
24
|
none: false
|
|
18
|
-
requirements:
|
|
19
|
-
- -
|
|
20
|
-
- !ruby/object:Gem::Version
|
|
21
|
-
|
|
25
|
+
requirements:
|
|
26
|
+
- - ">="
|
|
27
|
+
- !ruby/object:Gem::Version
|
|
28
|
+
hash: 3
|
|
29
|
+
segments:
|
|
30
|
+
- 0
|
|
31
|
+
version: "0"
|
|
22
32
|
type: :runtime
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
- !ruby/object:Gem::Dependency
|
|
33
|
+
version_requirements: *id001
|
|
34
|
+
- !ruby/object:Gem::Dependency
|
|
26
35
|
name: i18n
|
|
27
|
-
|
|
36
|
+
prerelease: false
|
|
37
|
+
requirement: &id002 !ruby/object:Gem::Requirement
|
|
28
38
|
none: false
|
|
29
|
-
requirements:
|
|
30
|
-
- -
|
|
31
|
-
- !ruby/object:Gem::Version
|
|
32
|
-
|
|
39
|
+
requirements:
|
|
40
|
+
- - ">="
|
|
41
|
+
- !ruby/object:Gem::Version
|
|
42
|
+
hash: 3
|
|
43
|
+
segments:
|
|
44
|
+
- 0
|
|
45
|
+
version: "0"
|
|
33
46
|
type: :runtime
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
- !ruby/object:Gem::Dependency
|
|
47
|
+
version_requirements: *id002
|
|
48
|
+
- !ruby/object:Gem::Dependency
|
|
37
49
|
name: ruby2ruby
|
|
38
|
-
|
|
50
|
+
prerelease: false
|
|
51
|
+
requirement: &id003 !ruby/object:Gem::Requirement
|
|
39
52
|
none: false
|
|
40
|
-
requirements:
|
|
53
|
+
requirements:
|
|
41
54
|
- - ~>
|
|
42
|
-
- !ruby/object:Gem::Version
|
|
43
|
-
|
|
55
|
+
- !ruby/object:Gem::Version
|
|
56
|
+
hash: 11
|
|
57
|
+
segments:
|
|
58
|
+
- 1
|
|
59
|
+
- 2
|
|
60
|
+
version: "1.2"
|
|
44
61
|
type: :runtime
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
- !ruby/object:Gem::Dependency
|
|
62
|
+
version_requirements: *id003
|
|
63
|
+
- !ruby/object:Gem::Dependency
|
|
48
64
|
name: ruport
|
|
49
|
-
|
|
65
|
+
prerelease: false
|
|
66
|
+
requirement: &id004 !ruby/object:Gem::Requirement
|
|
50
67
|
none: false
|
|
51
|
-
requirements:
|
|
68
|
+
requirements:
|
|
52
69
|
- - ~>
|
|
53
|
-
- !ruby/object:Gem::Version
|
|
54
|
-
|
|
70
|
+
- !ruby/object:Gem::Version
|
|
71
|
+
hash: 3
|
|
72
|
+
segments:
|
|
73
|
+
- 1
|
|
74
|
+
- 6
|
|
75
|
+
version: "1.6"
|
|
55
76
|
type: :runtime
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
- !ruby/object:Gem::Dependency
|
|
77
|
+
version_requirements: *id004
|
|
78
|
+
- !ruby/object:Gem::Dependency
|
|
59
79
|
name: erubis
|
|
60
|
-
|
|
80
|
+
prerelease: false
|
|
81
|
+
requirement: &id005 !ruby/object:Gem::Requirement
|
|
61
82
|
none: false
|
|
62
|
-
requirements:
|
|
83
|
+
requirements:
|
|
63
84
|
- - ~>
|
|
64
|
-
- !ruby/object:Gem::Version
|
|
65
|
-
|
|
85
|
+
- !ruby/object:Gem::Version
|
|
86
|
+
hash: 15
|
|
87
|
+
segments:
|
|
88
|
+
- 2
|
|
89
|
+
- 6
|
|
90
|
+
version: "2.6"
|
|
66
91
|
type: :runtime
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
- !ruby/object:Gem::Dependency
|
|
92
|
+
version_requirements: *id005
|
|
93
|
+
- !ruby/object:Gem::Dependency
|
|
70
94
|
name: haml
|
|
71
|
-
|
|
95
|
+
prerelease: false
|
|
96
|
+
requirement: &id006 !ruby/object:Gem::Requirement
|
|
72
97
|
none: false
|
|
73
|
-
requirements:
|
|
98
|
+
requirements:
|
|
74
99
|
- - ~>
|
|
75
|
-
- !ruby/object:Gem::Version
|
|
76
|
-
|
|
100
|
+
- !ruby/object:Gem::Version
|
|
101
|
+
hash: 7
|
|
102
|
+
segments:
|
|
103
|
+
- 3
|
|
104
|
+
- 0
|
|
105
|
+
version: "3.0"
|
|
77
106
|
type: :runtime
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
- !ruby/object:Gem::Dependency
|
|
107
|
+
version_requirements: *id006
|
|
108
|
+
- !ruby/object:Gem::Dependency
|
|
81
109
|
name: sass
|
|
82
|
-
|
|
110
|
+
prerelease: false
|
|
111
|
+
requirement: &id007 !ruby/object:Gem::Requirement
|
|
83
112
|
none: false
|
|
84
|
-
requirements:
|
|
113
|
+
requirements:
|
|
85
114
|
- - ~>
|
|
86
|
-
- !ruby/object:Gem::Version
|
|
87
|
-
|
|
115
|
+
- !ruby/object:Gem::Version
|
|
116
|
+
hash: 7
|
|
117
|
+
segments:
|
|
118
|
+
- 3
|
|
119
|
+
- 0
|
|
120
|
+
version: "3.0"
|
|
88
121
|
type: :runtime
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
description: Brakeman detects security vulnerabilities in Ruby on Rails applications
|
|
92
|
-
via static analysis.
|
|
122
|
+
version_requirements: *id007
|
|
123
|
+
description: Brakeman detects security vulnerabilities in Ruby on Rails applications via static analysis.
|
|
93
124
|
email:
|
|
94
|
-
executables:
|
|
125
|
+
executables:
|
|
95
126
|
- brakeman
|
|
96
127
|
extensions: []
|
|
128
|
+
|
|
97
129
|
extra_rdoc_files: []
|
|
98
|
-
|
|
130
|
+
|
|
131
|
+
files:
|
|
99
132
|
- bin/brakeman
|
|
100
133
|
- WARNING_TYPES
|
|
101
134
|
- FEATURES
|
|
@@ -137,6 +170,7 @@ files:
|
|
|
137
170
|
- lib/brakeman/checks/check_session_settings.rb
|
|
138
171
|
- lib/brakeman/checks/check_nested_attributes.rb
|
|
139
172
|
- lib/brakeman/checks/check_strip_tags.rb
|
|
173
|
+
- lib/brakeman/checks/check_safe_buffer_manipulation.rb
|
|
140
174
|
- lib/brakeman/checks/check_sql.rb
|
|
141
175
|
- lib/brakeman/checks/check_without_protection.rb
|
|
142
176
|
- lib/brakeman/checks/check_mass_assignment.rb
|
|
@@ -144,6 +178,7 @@ files:
|
|
|
144
178
|
- lib/brakeman/checks/check_cross_site_scripting.rb
|
|
145
179
|
- lib/brakeman/checks/check_model_attributes.rb
|
|
146
180
|
- lib/brakeman/checks/check_default_routes.rb
|
|
181
|
+
- lib/brakeman/checks/check_select_vulnerability.rb
|
|
147
182
|
- lib/brakeman/checks/check_evaluation.rb
|
|
148
183
|
- lib/brakeman/checks/check_quote_table_name.rb
|
|
149
184
|
- lib/brakeman/checks/check_validation_regex.rb
|
|
@@ -152,6 +187,7 @@ files:
|
|
|
152
187
|
- lib/brakeman/checks/check_filter_skipping.rb
|
|
153
188
|
- lib/brakeman/checks/check_mail_to.rb
|
|
154
189
|
- lib/brakeman/checks/check_link_to_href.rb
|
|
190
|
+
- lib/brakeman/checks/check_skip_before_filter.rb
|
|
155
191
|
- lib/brakeman/checks/base_check.rb
|
|
156
192
|
- lib/brakeman/checks/check_file_access.rb
|
|
157
193
|
- lib/brakeman/checks/check_response_splitting.rb
|
|
@@ -172,26 +208,36 @@ files:
|
|
|
172
208
|
- lib/brakeman/format/style.css
|
|
173
209
|
homepage: http://brakemanscanner.org
|
|
174
210
|
licenses: []
|
|
211
|
+
|
|
175
212
|
post_install_message:
|
|
176
213
|
rdoc_options: []
|
|
177
|
-
|
|
214
|
+
|
|
215
|
+
require_paths:
|
|
178
216
|
- lib
|
|
179
|
-
required_ruby_version: !ruby/object:Gem::Requirement
|
|
217
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
|
180
218
|
none: false
|
|
181
|
-
requirements:
|
|
182
|
-
- -
|
|
183
|
-
- !ruby/object:Gem::Version
|
|
184
|
-
|
|
185
|
-
|
|
219
|
+
requirements:
|
|
220
|
+
- - ">="
|
|
221
|
+
- !ruby/object:Gem::Version
|
|
222
|
+
hash: 3
|
|
223
|
+
segments:
|
|
224
|
+
- 0
|
|
225
|
+
version: "0"
|
|
226
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
186
227
|
none: false
|
|
187
|
-
requirements:
|
|
188
|
-
- -
|
|
189
|
-
- !ruby/object:Gem::Version
|
|
190
|
-
|
|
228
|
+
requirements:
|
|
229
|
+
- - ">="
|
|
230
|
+
- !ruby/object:Gem::Version
|
|
231
|
+
hash: 3
|
|
232
|
+
segments:
|
|
233
|
+
- 0
|
|
234
|
+
version: "0"
|
|
191
235
|
requirements: []
|
|
236
|
+
|
|
192
237
|
rubyforge_project:
|
|
193
238
|
rubygems_version: 1.8.15
|
|
194
239
|
signing_key:
|
|
195
240
|
specification_version: 3
|
|
196
241
|
summary: Security vulnerability scanner for Ruby on Rails.
|
|
197
242
|
test_files: []
|
|
243
|
+
|