brakeman 1.9.0.pre1 → 1.9.0.pre2

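--- a/[path not shown on page: class Brakeman::CheckExecute]
+++ b/[path not shown on page: class Brakeman::CheckExecute]
@@ -43,7 +43,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
  if failure and not duplicate? result
  add_result result
 
- if @string_interp
+ if failure.type == :interp #Not from user input
  confidence = CONFIDENCE[:med]
  else
  confidence = CONFIDENCE[:high]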
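Review bot: The inline comment `#Not from user input` on the new `if failure.type == :interp` line is too terse to explain why confidence drops to medium, since an interpolated string can still carry user-controlled values; I would replace it with a comment of its own above the `if`, `# interpolated string with no tracked user-input source: lower confidence`. The enclosing method starts and ends outside this hunk, so it cannot be checked here that `failure` always responds to `type`; the `failure and not duplicate? result` guard on line 43 only establishes that it is non-nil, and the old `@string_interp` flag it replaces presumably came from elsewhere in the method. The branch could also be written as a single assignment, `confidence = failure.type == :interp ? CONFIDENCE[:med] : CONFIDENCE[:high]`, though that is a matter of taste.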
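--- a/[path not shown on page: class Brakeman::CheckSessionSettings]
+++ b/[path not shown on page: class Brakeman::CheckSessionSettings]
@@ -42,7 +42,7 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
  #in Rails 3.x apps
  def process_call exp
  if tracker.options[:rails3] and settings_target?(exp.target) and exp.method == :session_store
- check_for_issues exp.second_arg, "#{tracker.options[:app_path]}/config/initializers/session_store.rb"
+ check_for_rails3_issues exp.second_arg, "#{tracker.options[:app_path]}/config/initializers/session_store.rb"
  end
 
  exp
@@ -59,27 +59,61 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
 
  def check_for_issues settings, file
  if settings and hash? settings
- if value = hash_access(settings, :session_http_only)
+ if value = (hash_access(settings, :session_http_only) ||
+ hash_access(settings, :http_only) ||
+ hash_access(settings, :httponly))
+
  if false? value
- warn :warning_type => "Session Setting",
- :message => "Session cookies should be set to HTTP only",
- :confidence => CONFIDENCE[:high],
- :line => value.line,
- :file => file
+ warn_about_http_only value, file
  end
  end
 
  if value = hash_access(settings, :secret)
  if string? value and value.value.length < 30
+ warn_about_secret_length value, file
+ end
+ end
+ end
+ end
 
- warn :warning_type => "Session Setting",
- :message => "Session secret should be at least 30 characters long",
- :confidence => CONFIDENCE[:high],
- :line => value.line,
- :file => file
+ def check_for_rails3_issues settings, file
+ if settings and hash? settings
+ if value = hash_access(settings, :httponly)
+ if false? value
+ warn_about_http_only value, file
+ end
+ end
 
+ if value = hash_access(settings, :secure)
+ if false? value
+ warn_about_secure_only value, file
  end
  end
  end
  end
+
+ def warn_about_http_only value, file
+ warn :warning_type => "Session Setting",
+ :message => "Session cookies should be set to HTTP only",
+ :confidence => CONFIDENCE[:high],
+ :line => value.line,
+ :file => file
+
+ end
+
+ def warn_about_secret_length value, file
+ warn :warning_type => "Session Setting",
+ :message => "Session secret should be at least 30 characters long",
+ :confidence => CONFIDENCE[:high],
+ :line => value.line,
+ :file => file
+ end
+
+ def warn_about_secure_only value, file
+ warn :warning_type => "Session Setting",
+ :message => "Session cookie should be set to secure only",
+ :confidence => CONFIDENCE[:high],
+ :line => value.line,
+ :file => file
+ end
  end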
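Review bot: The three new `warn_about_*` helpers at new lines 95-118 repeat the same `warn` hash and differ only in `:message`, so a single parameterised emitter would remove the duplication, and `warn_about_http_only` also carries a stray blank line before its `end` at new line 101. The diff should also make explicit whether `check_for_rails3_issues` is meant to drop the `:secret` length check that the old Rails 3 call path (which went through `check_for_issues`) still performed, and whether `check_for_issues` is deliberately not given the `:secure` check its Rails 3 counterpart now has; nothing in the hunk says so, and a one-line comment on each method would settle it. The new `if value = (...)` and `if value = hash_access(...)` conditions follow the pre-existing style, but wrapping the assignment in parentheses, `if (value = hash_access(settings, :secure))`, is the convention RuboCop's Lint/AssignmentInCondition asks for and makes the intent unmistakable.
```ruby
def warn_about_http_only value, file
  warn_session_setting value, file, "Session cookies should be set to HTTP only"
end

def warn_about_secret_length value, file
  warn_session_setting value, file, "Session secret should be at least 30 characters long"
end

def warn_about_secure_only value, file
  warn_session_setting value, file, "Session cookie should be set to secure only"
end

# Shared emitter for the three session-setting warnings above.
def warn_session_setting value, file, message
  warn :warning_type => "Session Setting",
    :message => message,
    :confidence => CONFIDENCE[:high],
    :line => value.line,
    :file => file
end
```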
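--- a/[path not shown on page: class Brakeman::AliasProcessor]
+++ b/[path not shown on page: class Brakeman::AliasProcessor]
@@ -38,31 +38,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
  #This method returns a new Sexp with variables replaced with their values,
  #where possible.
  def process_safely src, set_env = nil
- @env = Marshal.load(Marshal.dump(set_env)) if set_env
+ @env = set_env || SexpProcessor::Environment.new
  @result = src.deep_clone
  process @result
-
- #Process again to propogate replaced variables and process more.
- #For example,
- # x = [1,2]
- # y = [3,4]
- # z = x + y
- #
- #After first pass:
- #
- # z = [1,2] + [3,4]
- #
- #After second pass:
- #
- # z = [1,2,3,4]
- if set_env
- @env = set_env
- else
- @env = SexpProcessor::Environment.new
- end
-
- process @result
-
  @result
  end
 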
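Review bot: `process_safely` now stores the caller's `set_env` object directly in `@env`, where the removed line deep-copied it through `Marshal` before the first pass, so whatever `process` records in `@env` presumably now lands in the object the caller handed over; the method name and the `#This method returns a new Sexp` comment both suggest isolation, which no longer holds for the environment. If that sharing is intended (the new call in `Brakeman::ControllerAliasProcessor`, which passes `only_ivars(:include_request_vars)` and afterwards reads `processor.only_ivars(:include_request_vars).all`, looks as though it relies on it), the comment should say so, e.g. `#Note: set_env, when given, is used as the working environment and is modified in place.`; otherwise restore a copy with `@env = set_env ? set_env.dup : SexpProcessor::Environment.new`, provided `dup` is deep enough for what an Environment holds. Dropping the second `process` pass also drops the documented propagation of replaced variables (`z = [1,2] + [3,4]` becoming `[1,2,3,4]`), and a one-line comment stating why a single pass is now sufficient would spare the next reader the archaeology.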
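--- a/[path not shown on page: class Brakeman::ControllerAliasProcessor]
+++ b/[path not shown on page: class Brakeman::ControllerAliasProcessor]
@@ -158,7 +158,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
  end
  else
  processor = Brakeman::AliasProcessor.new @tracker
- processor.process_safely(method.body_list)
+ processor.process_safely(method.body_list, only_ivars(:include_request_vars))
 
  ivars = processor.only_ivars(:include_request_vars).all
 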
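--- a/[path not shown on page: Brakeman::Version]
+++ b/[path not shown on page: Brakeman::Version]
@@ -1,3 +1,3 @@
  module Brakeman
- Version = "1.9.0.pre1"
+ Version = "1.9.0.pre2"
  end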
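--- a/metadata
+++ b/metadata
@@ -1,15 +1,15 @@
  --- !ruby/object:Gem::Specification
  name: brakeman
  version: !ruby/object:Gem::Version
- hash: -4135741142
+ hash: 1770954203
  prerelease: 6
  segments:
  - 1
  - 9
  - 0
  - pre
- - 1
- version: 1.9.0.pre1
+ - 2
+ version: 1.9.0.pre2
  platform: ruby
  authors:
  - Justin Collins
@@ -17,7 +17,7 @@ autorequire:
  bindir: bin
  cert_chain: []
 
- date: 2012-12-21 00:00:00 Z
+ date: 2012-12-24 00:00:00 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: activesupport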