brakeman 1.9.0.pre1 → 1.9.0.pre2
Sign up to get free protection for your applications and to get access to all the features.
@@ -43,7 +43,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
|
|
43
43
|
if failure and not duplicate? result
|
44
44
|
add_result result
|
45
45
|
|
46
|
-
if
|
46
|
+
if failure.type == :interp #Not from user input
|
47
47
|
confidence = CONFIDENCE[:med]
|
48
48
|
else
|
49
49
|
confidence = CONFIDENCE[:high]
|
@@ -42,7 +42,7 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
|
|
42
42
|
#in Rails 3.x apps
|
43
43
|
def process_call exp
|
44
44
|
if tracker.options[:rails3] and settings_target?(exp.target) and exp.method == :session_store
|
45
|
-
|
45
|
+
check_for_rails3_issues exp.second_arg, "#{tracker.options[:app_path]}/config/initializers/session_store.rb"
|
46
46
|
end
|
47
47
|
|
48
48
|
exp
|
@@ -59,27 +59,61 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
|
|
59
59
|
|
60
60
|
def check_for_issues settings, file
|
61
61
|
if settings and hash? settings
|
62
|
-
if value = hash_access(settings, :session_http_only)
|
62
|
+
if value = (hash_access(settings, :session_http_only) ||
|
63
|
+
hash_access(settings, :http_only) ||
|
64
|
+
hash_access(settings, :httponly))
|
65
|
+
|
63
66
|
if false? value
|
64
|
-
|
65
|
-
:message => "Session cookies should be set to HTTP only",
|
66
|
-
:confidence => CONFIDENCE[:high],
|
67
|
-
:line => value.line,
|
68
|
-
:file => file
|
67
|
+
warn_about_http_only value, file
|
69
68
|
end
|
70
69
|
end
|
71
70
|
|
72
71
|
if value = hash_access(settings, :secret)
|
73
72
|
if string? value and value.value.length < 30
|
73
|
+
warn_about_secret_length value, file
|
74
|
+
end
|
75
|
+
end
|
76
|
+
end
|
77
|
+
end
|
74
78
|
|
75
|
-
|
76
|
-
|
77
|
-
|
78
|
-
|
79
|
-
|
79
|
+
def check_for_rails3_issues settings, file
|
80
|
+
if settings and hash? settings
|
81
|
+
if value = hash_access(settings, :httponly)
|
82
|
+
if false? value
|
83
|
+
warn_about_http_only value, file
|
84
|
+
end
|
85
|
+
end
|
80
86
|
|
87
|
+
if value = hash_access(settings, :secure)
|
88
|
+
if false? value
|
89
|
+
warn_about_secure_only value, file
|
81
90
|
end
|
82
91
|
end
|
83
92
|
end
|
84
93
|
end
|
94
|
+
|
95
|
+
def warn_about_http_only value, file
|
96
|
+
warn :warning_type => "Session Setting",
|
97
|
+
:message => "Session cookies should be set to HTTP only",
|
98
|
+
:confidence => CONFIDENCE[:high],
|
99
|
+
:line => value.line,
|
100
|
+
:file => file
|
101
|
+
|
102
|
+
end
|
103
|
+
|
104
|
+
def warn_about_secret_length value, file
|
105
|
+
warn :warning_type => "Session Setting",
|
106
|
+
:message => "Session secret should be at least 30 characters long",
|
107
|
+
:confidence => CONFIDENCE[:high],
|
108
|
+
:line => value.line,
|
109
|
+
:file => file
|
110
|
+
end
|
111
|
+
|
112
|
+
def warn_about_secure_only value, file
|
113
|
+
warn :warning_type => "Session Setting",
|
114
|
+
:message => "Session cookie should be set to secure only",
|
115
|
+
:confidence => CONFIDENCE[:high],
|
116
|
+
:line => value.line,
|
117
|
+
:file => file
|
118
|
+
end
|
85
119
|
end
|
@@ -38,31 +38,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
38
38
|
#This method returns a new Sexp with variables replaced with their values,
|
39
39
|
#where possible.
|
40
40
|
def process_safely src, set_env = nil
|
41
|
-
@env =
|
41
|
+
@env = set_env || SexpProcessor::Environment.new
|
42
42
|
@result = src.deep_clone
|
43
43
|
process @result
|
44
|
-
|
45
|
-
#Process again to propogate replaced variables and process more.
|
46
|
-
#For example,
|
47
|
-
# x = [1,2]
|
48
|
-
# y = [3,4]
|
49
|
-
# z = x + y
|
50
|
-
#
|
51
|
-
#After first pass:
|
52
|
-
#
|
53
|
-
# z = [1,2] + [3,4]
|
54
|
-
#
|
55
|
-
#After second pass:
|
56
|
-
#
|
57
|
-
# z = [1,2,3,4]
|
58
|
-
if set_env
|
59
|
-
@env = set_env
|
60
|
-
else
|
61
|
-
@env = SexpProcessor::Environment.new
|
62
|
-
end
|
63
|
-
|
64
|
-
process @result
|
65
|
-
|
66
44
|
@result
|
67
45
|
end
|
68
46
|
|
@@ -158,7 +158,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
|
|
158
158
|
end
|
159
159
|
else
|
160
160
|
processor = Brakeman::AliasProcessor.new @tracker
|
161
|
-
processor.process_safely(method.body_list)
|
161
|
+
processor.process_safely(method.body_list, only_ivars(:include_request_vars))
|
162
162
|
|
163
163
|
ivars = processor.only_ivars(:include_request_vars).all
|
164
164
|
|
data/lib/brakeman/version.rb
CHANGED
metadata
CHANGED
@@ -1,15 +1,15 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: brakeman
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
hash:
|
4
|
+
hash: 1770954203
|
5
5
|
prerelease: 6
|
6
6
|
segments:
|
7
7
|
- 1
|
8
8
|
- 9
|
9
9
|
- 0
|
10
10
|
- pre
|
11
|
-
-
|
12
|
-
version: 1.9.0.
|
11
|
+
- 2
|
12
|
+
version: 1.9.0.pre2
|
13
13
|
platform: ruby
|
14
14
|
authors:
|
15
15
|
- Justin Collins
|
@@ -17,7 +17,7 @@ autorequire:
|
|
17
17
|
bindir: bin
|
18
18
|
cert_chain: []
|
19
19
|
|
20
|
-
date: 2012-12-
|
20
|
+
date: 2012-12-24 00:00:00 Z
|
21
21
|
dependencies:
|
22
22
|
- !ruby/object:Gem::Dependency
|
23
23
|
name: activesupport
|