brakeman 1.9.0.pre1 → 1.9.0.pre2

@@ -43,7 +43,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
43
43
  if failure and not duplicate? result
44
44
  add_result result
45
45
 
46
- if @string_interp
46
+ if failure.type == :interp #Not from user input
47
47
  confidence = CONFIDENCE[:med]
48
48
  else
49
49
  confidence = CONFIDENCE[:high]
@@ -42,7 +42,7 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
42
42
  #in Rails 3.x apps
43
43
  def process_call exp
44
44
  if tracker.options[:rails3] and settings_target?(exp.target) and exp.method == :session_store
45
- check_for_issues exp.second_arg, "#{tracker.options[:app_path]}/config/initializers/session_store.rb"
45
+ check_for_rails3_issues exp.second_arg, "#{tracker.options[:app_path]}/config/initializers/session_store.rb"
46
46
  end
47
47
 
48
48
  exp
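Review bot: The path handed to `check_for_rails3_issues` is still assembled by string interpolation, `"#{tracker.options[:app_path]}/config/initializers/session_store.rb"`; `File.join(tracker.options[:app_path], "config", "initializers", "session_store.rb")` avoids a doubled separator when `app_path` ends in `/` and reads more clearly. The same literal presumably appears in the Rails 2 branch of `process_call` outside this hunk, so a constant or small helper would keep the two in step. `process_call` continues beyond the hunk.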
@@ -59,27 +59,61 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
59
59
 
60
60
  def check_for_issues settings, file
61
61
  if settings and hash? settings
62
- if value = hash_access(settings, :session_http_only)
62
+ if value = (hash_access(settings, :session_http_only) ||
63
+ hash_access(settings, :http_only) ||
64
+ hash_access(settings, :httponly))
65
+
63
66
  if false? value
64
- warn :warning_type => "Session Setting",
65
- :message => "Session cookies should be set to HTTP only",
66
- :confidence => CONFIDENCE[:high],
67
- :line => value.line,
68
- :file => file
67
+ warn_about_http_only value, file
69
68
  end
70
69
  end
71
70
 
72
71
  if value = hash_access(settings, :secret)
73
72
  if string? value and value.value.length < 30
73
+ warn_about_secret_length value, file
74
+ end
75
+ end
76
+ end
77
+ end
74
78
 
75
- warn :warning_type => "Session Setting",
76
- :message => "Session secret should be at least 30 characters long",
77
- :confidence => CONFIDENCE[:high],
78
- :line => value.line,
79
- :file => file
79
+ def check_for_rails3_issues settings, file
80
+ if settings and hash? settings
81
+ if value = hash_access(settings, :httponly)
82
+ if false? value
83
+ warn_about_http_only value, file
84
+ end
85
+ end
80
86
 
87
+ if value = hash_access(settings, :secure)
88
+ if false? value
89
+ warn_about_secure_only value, file
81
90
  end
82
91
  end
83
92
  end
84
93
  end
94
+
95
+ def warn_about_http_only value, file
96
+ warn :warning_type => "Session Setting",
97
+ :message => "Session cookies should be set to HTTP only",
98
+ :confidence => CONFIDENCE[:high],
99
+ :line => value.line,
100
+ :file => file
101
+
102
+ end
103
+
104
+ def warn_about_secret_length value, file
105
+ warn :warning_type => "Session Setting",
106
+ :message => "Session secret should be at least 30 characters long",
107
+ :confidence => CONFIDENCE[:high],
108
+ :line => value.line,
109
+ :file => file
110
+ end
111
+
112
+ def warn_about_secure_only value, file
113
+ warn :warning_type => "Session Setting",
114
+ :message => "Session cookie should be set to secure only",
115
+ :confidence => CONFIDENCE[:high],
116
+ :line => value.line,
117
+ :file => file
118
+ end
85
119
  end
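Review bot: In `check_for_rails3_issues` the `:secure` branch warns only when the option is an explicit `false` literal (`if false? value`), so a `session_store` call that simply omits `:secure` — presumably the common case — produces no warning; if the intent is to flag session cookies that are not marked secure, the absent-key case needs its own warning, anchored on the `session_store` expression rather than on `value.line`. Separately, `warn_about_http_only`, `warn_about_secret_length` and `warn_about_secure_only` differ only in the `:message` string, so one helper taking the message removes the triplication (and the stray blank line before `end` in `warn_about_http_only`). The hunk also touches `check_for_issues`, whose Rails 2 path now accepts `:http_only` and `:httponly` as aliases but, unlike the Rails 3 path, never looks at `:secure`; a one-line comment stating whether that is deliberate would save the next reader the question.
```ruby
  # Emit a high-confidence "Session Setting" warning for a single bad value.
  def warn_about_setting value, file, message
    warn :warning_type => "Session Setting",
      :message => message,
      :confidence => CONFIDENCE[:high],
      :line => value.line,
      :file => file
  end

  # … callers become e.g. warn_about_setting value, file, "Session cookies should be set to HTTP only" …
```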
@@ -38,31 +38,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
38
38
  #This method returns a new Sexp with variables replaced with their values,
39
39
  #where possible.
40
40
  def process_safely src, set_env = nil
41
- @env = Marshal.load(Marshal.dump(set_env)) if set_env
41
+ @env = set_env || SexpProcessor::Environment.new
42
42
  @result = src.deep_clone
43
43
  process @result
44
-
45
- #Process again to propogate replaced variables and process more.
46
- #For example,
47
- # x = [1,2]
48
- # y = [3,4]
49
- # z = x + y
50
- #
51
- #After first pass:
52
- #
53
- # z = [1,2] + [3,4]
54
- #
55
- #After second pass:
56
- #
57
- # z = [1,2,3,4]
58
- if set_env
59
- @env = set_env
60
- else
61
- @env = SexpProcessor::Environment.new
62
- end
63
-
64
- process @result
65
-
66
44
  @result
67
45
  end
68
46
 
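Review bot: Replacing `Marshal.load(Marshal.dump(set_env))` with `@env = set_env || SexpProcessor::Environment.new` means the caller's `set_env` object is now used directly and mutated by `process @result`, where the old code worked on a deep copy; that is fine if every caller passes a throwaway environment, but the method's header comment should state the new ownership rule, e.g. `# set_env, when given, becomes this processor's working environment and is modified in place; pass a copy if you need it unchanged.` The single-pass behaviour is the commit's intent and the explanatory comment that described the second pass went with it, so a short note on why one pass is now sufficient would keep the remaining comment accurate. The method is complete within the hunk; the class continues beyond it.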
@@ -158,7 +158,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
158
158
  end
159
159
  else
160
160
  processor = Brakeman::AliasProcessor.new @tracker
161
- processor.process_safely(method.body_list)
161
+ processor.process_safely(method.body_list, only_ivars(:include_request_vars))
162
162
 
163
163
  ivars = processor.only_ivars(:include_request_vars).all
164
164
 
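Review bot: `processor.process_safely(method.body_list, only_ivars(:include_request_vars))` seeds the inner processor with whatever `only_ivars` returns, and since `process_safely` now keeps the passed environment rather than copying it (see its hunk), the inner processing writes into that object; whether that reaches this processor's own `@env` depends on whether `only_ivars` returns a copy or a view, which the hunk does not show. A comment on this line settling that, e.g. `# seed the method's processor with (a copy of) the controller's request ivars so the body sees them`, would make the aliasing explicit. The enclosing method starts and ends outside the hunk.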
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "1.9.0.pre1"
2
+ Version = "1.9.0.pre2"
3
3
  end
metadata CHANGED
@@ -1,15 +1,15 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: brakeman
3
3
  version: !ruby/object:Gem::Version
4
- hash: -4135741142
4
+ hash: 1770954203
5
5
  prerelease: 6
6
6
  segments:
7
7
  - 1
8
8
  - 9
9
9
  - 0
10
10
  - pre
11
- - 1
12
- version: 1.9.0.pre1
11
+ - 2
12
+ version: 1.9.0.pre2
13
13
  platform: ruby
14
14
  authors:
15
15
  - Justin Collins
@@ -17,7 +17,7 @@ autorequire:
17
17
  bindir: bin
18
18
  cert_chain: []
19
19
 
20
- date: 2012-12-21 00:00:00 Z
20
+ date: 2012-12-24 00:00:00 Z
21
21
  dependencies:
22
22
  - !ruby/object:Gem::Dependency
23
23
  name: activesupport