brakeman 2.3.1 → 2.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data.tar.gz.sig +0 -0
- data/CHANGES +15 -0
- data/README.md +1 -1
- data/lib/brakeman/app_tree.rb +1 -1
- data/lib/brakeman/checks/base_check.rb +11 -10
- data/lib/brakeman/checks/check_model_attr_accessible.rb +3 -2
- data/lib/brakeman/checks/check_number_to_currency.rb +2 -0
- data/lib/brakeman/checks/check_sql.rb +139 -16
- data/lib/brakeman/checks/check_ssl_verify.rb +31 -0
- data/lib/brakeman/checks/check_translate_bug.rb +1 -0
- data/lib/brakeman/processors/controller_processor.rb +1 -7
- data/lib/brakeman/processors/gem_processor.rb +14 -20
- data/lib/brakeman/processors/lib/find_all_calls.rb +1 -5
- data/lib/brakeman/processors/lib/processor_helper.rb +3 -2
- data/lib/brakeman/processors/lib/render_helper.rb +4 -3
- data/lib/brakeman/processors/library_processor.rb +1 -6
- data/lib/brakeman/processors/model_processor.rb +1 -6
- data/lib/brakeman/processors/template_alias_processor.rb +2 -7
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning_codes.rb +1 -0
- metadata +11 -10
- metadata.gz.sig +0 -0
data.tar.gz.sig
CHANGED
|
Binary file
|
data/CHANGES
CHANGED
|
@@ -1,3 +1,18 @@
|
|
|
1
|
+
# 2.4.0
|
|
2
|
+
|
|
3
|
+
* Detect Rails LTS versions
|
|
4
|
+
* Reduce false positives for SQL injection in string building
|
|
5
|
+
* More accurate user input marking for SQL injection warnings
|
|
6
|
+
* Detect SQL injection in `delete_all`/`destroy_all`
|
|
7
|
+
* Detect SQL injection raw SQL queries using `connection`
|
|
8
|
+
* Parse exact versions from Gemfile.lock for all gems
|
|
9
|
+
* Ignore generators
|
|
10
|
+
* Update to RubyParser 3.4.0
|
|
11
|
+
* Fix false positives when SQL methods are not called on AR models (Aaron Bedra)
|
|
12
|
+
* Add check for uses of OpenSSL::SSL::VERIFY_NONE (Aaron Bedra)
|
|
13
|
+
* No longer raise exceptions if a class name cannot be determined
|
|
14
|
+
* Fingerprint attribute warnings individually (Case Taintor)
|
|
15
|
+
|
|
1
16
|
# 2.3.1
|
|
2
17
|
|
|
3
18
|
* Fix check for CVE-2013-4491 (i18n XSS) to detect workaround
|
data/README.md
CHANGED
|
@@ -171,7 +171,7 @@ The `-c` option can be used to specify a configuration file to use.
|
|
|
171
171
|
* [New Relic](http://newrelic.com)
|
|
172
172
|
* [Twitter](https://twitter.com/)
|
|
173
173
|
|
|
174
|
-
[..and more!](http://
|
|
174
|
+
[..and more!](http://brakemanscanner.org/brakeman_users)
|
|
175
175
|
|
|
176
176
|
# License
|
|
177
177
|
|
data/lib/brakeman/app_tree.rb
CHANGED
|
@@ -432,13 +432,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
|
|
|
432
432
|
if exp.is_a? Symbol
|
|
433
433
|
@models.include? exp
|
|
434
434
|
elsif sexp? exp
|
|
435
|
-
|
|
436
|
-
begin
|
|
437
|
-
klass = class_name exp
|
|
438
|
-
rescue StandardError
|
|
439
|
-
end
|
|
440
|
-
|
|
441
|
-
klass and @models.include? klass
|
|
435
|
+
@models.include? class_name(exp)
|
|
442
436
|
else
|
|
443
437
|
false
|
|
444
438
|
end
|
|
@@ -458,10 +452,11 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
|
|
|
458
452
|
#Returns true if low_version <= RAILS_VERSION <= high_version
|
|
459
453
|
#
|
|
460
454
|
#If the Rails version is unknown, returns false.
|
|
461
|
-
def version_between? low_version, high_version
|
|
462
|
-
|
|
455
|
+
def version_between? low_version, high_version, current_version = nil
|
|
456
|
+
current_version ||= tracker.config[:rails_version]
|
|
457
|
+
return false unless current_version
|
|
463
458
|
|
|
464
|
-
version =
|
|
459
|
+
version = current_version.split(".").map! { |n| n.to_i }
|
|
465
460
|
low_version = low_version.split(".").map! { |n| n.to_i }
|
|
466
461
|
high_version = high_version.split(".").map! { |n| n.to_i }
|
|
467
462
|
|
|
@@ -484,6 +479,12 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
|
|
|
484
479
|
true
|
|
485
480
|
end
|
|
486
481
|
|
|
482
|
+
def lts_version? version
|
|
483
|
+
tracker.config[:gems] and
|
|
484
|
+
tracker.config[:gems][:'railslts-version'] and
|
|
485
|
+
version_between? version, "2.3.18.99", tracker.config[:gems][:'railslts-version']
|
|
486
|
+
end
|
|
487
|
+
|
|
487
488
|
def gemfile_or_environment
|
|
488
489
|
if @app_tree.exists?("Gemfile")
|
|
489
490
|
"Gemfile"
|
|
@@ -29,8 +29,9 @@ class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
|
|
|
29
29
|
:file => model[:file],
|
|
30
30
|
:warning_type => "Mass Assignment",
|
|
31
31
|
:warning_code => :dangerous_attr_accessible,
|
|
32
|
-
:message => "Potentially dangerous attribute
|
|
33
|
-
:confidence => confidence
|
|
32
|
+
:message => "Potentially dangerous attribute available for mass assignment",
|
|
33
|
+
:confidence => confidence,
|
|
34
|
+
:code => Sexp.new(:lit, attribute)
|
|
34
35
|
break # Prevent from matching single attr multiple times
|
|
35
36
|
end
|
|
36
37
|
end
|
|
@@ -6,6 +6,8 @@ class Brakeman::CheckNumberToCurrency < Brakeman::BaseCheck
|
|
|
6
6
|
@description = "Checks for number_to_currency XSS vulnerability in certain versions"
|
|
7
7
|
|
|
8
8
|
def run_check
|
|
9
|
+
return if lts_version? '2.3.18.6'
|
|
10
|
+
|
|
9
11
|
if (version_between? "2.0.0", "3.2.15" or version_between? "4.0.0", "4.0.1")
|
|
10
12
|
check_number_to_currency_usage
|
|
11
13
|
|
|
@@ -16,20 +16,32 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
16
16
|
def run_check
|
|
17
17
|
@rails_version = tracker.config[:rails_version]
|
|
18
18
|
|
|
19
|
-
@sql_targets = [:all, :average, :calculate, :count, :count_by_sql, :exists?,
|
|
19
|
+
@sql_targets = [:all, :average, :calculate, :count, :count_by_sql, :exists?, :delete_all, :destroy_all,
|
|
20
20
|
:find, :find_by_sql, :first, :last, :maximum, :minimum, :pluck, :sum, :update_all]
|
|
21
21
|
@sql_targets.concat [:from, :group, :having, :joins, :lock, :order, :reorder, :select, :where] if tracker.options[:rails3]
|
|
22
22
|
|
|
23
|
+
@connection_calls = [:delete, :execute, :insert, :select_all, :select_one,
|
|
24
|
+
:select_rows, :select_value, :select_values]
|
|
25
|
+
|
|
26
|
+
if tracker.options[:rails3]
|
|
27
|
+
@connection_calls.concat [:exec_delete, :exec_insert, :exec_query, :exec_update]
|
|
28
|
+
else
|
|
29
|
+
@connection_calls.concat [:add_limit!, :add_offset_limit!, :add_lock!]
|
|
30
|
+
end
|
|
31
|
+
|
|
23
32
|
Brakeman.debug "Finding possible SQL calls on models"
|
|
24
33
|
calls = tracker.find_call :targets => active_record_models.keys,
|
|
25
34
|
:methods => @sql_targets,
|
|
26
35
|
:chained => true
|
|
27
36
|
|
|
28
37
|
Brakeman.debug "Finding possible SQL calls with no target"
|
|
29
|
-
calls.concat tracker.find_call(:target => nil, :
|
|
38
|
+
calls.concat tracker.find_call(:target => nil, :methods => @sql_targets)
|
|
30
39
|
|
|
31
40
|
Brakeman.debug "Finding possible SQL calls using constantized()"
|
|
32
|
-
calls.concat tracker.find_call(:
|
|
41
|
+
calls.concat tracker.find_call(:methods => @sql_targets).select { |result| constantize_call? result }
|
|
42
|
+
|
|
43
|
+
connect_targets = active_record_models.keys + [nil, :"ActiveRecord::Base"]
|
|
44
|
+
calls.concat tracker.find_call(:targets => connect_targets, :methods => @connection_calls, :chained => true).select { |result| connect_call? result }
|
|
33
45
|
|
|
34
46
|
Brakeman.debug "Finding calls to named_scope or scope"
|
|
35
47
|
calls.concat find_scope_calls
|
|
@@ -134,6 +146,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
134
146
|
#
|
|
135
147
|
def process_result result
|
|
136
148
|
return if duplicate?(result) or result[:call].original_line
|
|
149
|
+
return if result[:target].nil? && !active_record_models.include?(result[:location][:class])
|
|
150
|
+
|
|
137
151
|
|
|
138
152
|
call = result[:call]
|
|
139
153
|
method = call.method
|
|
@@ -141,7 +155,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
141
155
|
dangerous_value = case method
|
|
142
156
|
when :find
|
|
143
157
|
check_find_arguments call.second_arg
|
|
144
|
-
when :exists
|
|
158
|
+
when :exists?, :delete_all, :destroy_all
|
|
145
159
|
check_find_arguments call.first_arg
|
|
146
160
|
when :named_scope, :scope
|
|
147
161
|
check_scope_arguments call
|
|
@@ -171,6 +185,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
171
185
|
unsafe_sql? call.first_arg
|
|
172
186
|
when :update_all
|
|
173
187
|
check_update_all_arguments call.args
|
|
188
|
+
when *@connection_calls
|
|
189
|
+
check_by_sql_arguments call.first_arg
|
|
174
190
|
else
|
|
175
191
|
Brakeman.debug "Unhandled SQL method: #{method}"
|
|
176
192
|
end
|
|
@@ -340,12 +356,46 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
340
356
|
#unless safe_value? explicitly returns true.
|
|
341
357
|
def check_string_interp arg
|
|
342
358
|
arg.each do |exp|
|
|
343
|
-
|
|
359
|
+
if dangerous = unsafe_string_interp?(exp)
|
|
360
|
+
return dangerous
|
|
361
|
+
end
|
|
344
362
|
end
|
|
345
363
|
|
|
346
364
|
nil
|
|
347
365
|
end
|
|
348
366
|
|
|
367
|
+
#Returns value if interpolated value is not something safe
|
|
368
|
+
def unsafe_string_interp? exp
|
|
369
|
+
if node_type? exp, :string_eval, :evstr
|
|
370
|
+
value = exp.value
|
|
371
|
+
else
|
|
372
|
+
value = exp
|
|
373
|
+
end
|
|
374
|
+
|
|
375
|
+
if not sexp? value
|
|
376
|
+
nil
|
|
377
|
+
elsif call? value and value.method == :to_s
|
|
378
|
+
unsafe_string_interp? value.target
|
|
379
|
+
else
|
|
380
|
+
case value.node_type
|
|
381
|
+
when :or
|
|
382
|
+
unsafe_string_interp?(value.lhs) || unsafe_string_interp?(value.rhs)
|
|
383
|
+
when :string_interp, :dstr
|
|
384
|
+
if dangerous = check_string_interp(value)
|
|
385
|
+
return dangerous
|
|
386
|
+
end
|
|
387
|
+
else
|
|
388
|
+
if safe_value? value
|
|
389
|
+
nil
|
|
390
|
+
elsif string_building? value
|
|
391
|
+
check_for_string_building value
|
|
392
|
+
else
|
|
393
|
+
value
|
|
394
|
+
end
|
|
395
|
+
end
|
|
396
|
+
end
|
|
397
|
+
end
|
|
398
|
+
|
|
349
399
|
#Checks the given expression for unsafe SQL values. If an unsafe value is
|
|
350
400
|
#found, returns that value (may be the given _exp_ or a subexpression).
|
|
351
401
|
#
|
|
@@ -441,14 +491,47 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
441
491
|
|
|
442
492
|
target = exp.target
|
|
443
493
|
method = exp.method
|
|
494
|
+
arg = exp.first_arg
|
|
495
|
+
|
|
496
|
+
if STRING_METHODS.include? method
|
|
497
|
+
if string? target
|
|
498
|
+
check_string_arg arg
|
|
499
|
+
elsif string? arg
|
|
500
|
+
check_string_arg target
|
|
501
|
+
elsif call? target
|
|
502
|
+
check_for_string_building target
|
|
503
|
+
elsif node_type? target, :string_interp, :dstr or
|
|
504
|
+
node_type? arg, :string_interp, :dstr
|
|
505
|
+
|
|
506
|
+
check_string_arg target and
|
|
507
|
+
check_string_arg arg
|
|
508
|
+
end
|
|
509
|
+
else
|
|
510
|
+
nil
|
|
511
|
+
end
|
|
512
|
+
end
|
|
444
513
|
|
|
445
|
-
|
|
446
|
-
|
|
447
|
-
|
|
448
|
-
|
|
514
|
+
def check_string_arg exp
|
|
515
|
+
if safe_value? exp
|
|
516
|
+
nil
|
|
517
|
+
elsif string_building? exp
|
|
518
|
+
check_for_string_building exp
|
|
519
|
+
elsif node_type? exp, :string_interp, :dstr
|
|
520
|
+
check_string_interp exp
|
|
521
|
+
elsif call? exp and exp.method == :to_s
|
|
522
|
+
check_string_arg exp.target
|
|
523
|
+
else
|
|
524
|
+
exp
|
|
449
525
|
end
|
|
526
|
+
end
|
|
450
527
|
|
|
451
|
-
|
|
528
|
+
def string_building? exp
|
|
529
|
+
return false unless call? exp and STRING_METHODS.include? exp.method
|
|
530
|
+
|
|
531
|
+
node_type? exp.target, :str, :dstr, :string_interp or
|
|
532
|
+
node_type? exp.first_arg, :str, :dstr, :string_interp or
|
|
533
|
+
string_building? exp.target or
|
|
534
|
+
string_building? exp.first_arg
|
|
452
535
|
end
|
|
453
536
|
|
|
454
537
|
IGNORE_METHODS_IN_SQL = Set[:id, :merge_conditions, :table_name, :to_i, :to_f,
|
|
@@ -464,7 +547,13 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
464
547
|
when :str, :lit, :const, :colon2, :nil, :true, :false
|
|
465
548
|
true
|
|
466
549
|
when :call
|
|
467
|
-
|
|
550
|
+
if exp.method == :to_s
|
|
551
|
+
safe_value? exp.target
|
|
552
|
+
else
|
|
553
|
+
IGNORE_METHODS_IN_SQL.include? exp.method or
|
|
554
|
+
quote_call? exp or
|
|
555
|
+
exp.method.to_s.end_with? "_id"
|
|
556
|
+
end
|
|
468
557
|
when :if
|
|
469
558
|
safe_value? exp.then_clause and safe_value? exp.else_clause
|
|
470
559
|
when :block, :rlist
|
|
@@ -476,6 +565,16 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
476
565
|
end
|
|
477
566
|
end
|
|
478
567
|
|
|
568
|
+
QUOTE_METHODS = [:quote, :quote_column_name, :quoted_date, :quote_string, :quote_table_name]
|
|
569
|
+
|
|
570
|
+
def quote_call? exp
|
|
571
|
+
if call? exp.target
|
|
572
|
+
exp.target.method == :connection and QUOTE_METHODS.include? exp.method
|
|
573
|
+
elsif exp.target.nil?
|
|
574
|
+
exp.method == :quote_value
|
|
575
|
+
end
|
|
576
|
+
end
|
|
577
|
+
|
|
479
578
|
#Check call for string building
|
|
480
579
|
def check_call exp
|
|
481
580
|
return unless call? exp
|
|
@@ -521,6 +620,24 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
521
620
|
call? call.target and call.target.method == :constantize
|
|
522
621
|
end
|
|
523
622
|
|
|
623
|
+
SELF_CLASS = s(:call, s(:self), :class)
|
|
624
|
+
|
|
625
|
+
def connect_call? result
|
|
626
|
+
call = result[:call]
|
|
627
|
+
target = call.target
|
|
628
|
+
|
|
629
|
+
if call? target and target.method == :connection
|
|
630
|
+
target = target.target
|
|
631
|
+
klass = class_name(target)
|
|
632
|
+
|
|
633
|
+
target.nil? or
|
|
634
|
+
target == SELF_CLASS or
|
|
635
|
+
node_type? target, :self or
|
|
636
|
+
klass == :"ActiveRecord::Base" or
|
|
637
|
+
active_record_models.include? klass
|
|
638
|
+
end
|
|
639
|
+
end
|
|
640
|
+
|
|
524
641
|
def upgrade_version? versions
|
|
525
642
|
versions.each do |low, high, upgrade|
|
|
526
643
|
return upgrade if version_between? low, high
|
|
@@ -529,8 +646,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
529
646
|
false
|
|
530
647
|
end
|
|
531
648
|
|
|
532
|
-
def check_rails_versions_against_cve_issues
|
|
533
|
-
[
|
|
649
|
+
def check_rails_versions_against_cve_issues
|
|
650
|
+
issues = [
|
|
534
651
|
{
|
|
535
652
|
:cve => "CVE-2012-2660",
|
|
536
653
|
:versions => [%w[2.0.0 2.3.14 2.3.17], %w[3.0.0 3.0.12 3.0.13], %w[3.1.0 3.1.4 3.1.5], %w[3.2.0 3.2.3 3.2.4]],
|
|
@@ -556,12 +673,18 @@ def check_rails_versions_against_cve_issues
|
|
|
556
673
|
:versions => [%w[2.0.0 2.3.15 2.3.16], %w[3.0.0 3.0.18 3.0.19], %w[3.1.0 3.1.9 3.1.10], %w[3.2.0 3.2.10 3.2.11]],
|
|
557
674
|
:url => "https://groups.google.com/d/topic/rubyonrails-security/c7jT-EeN9eI/discussion"
|
|
558
675
|
},
|
|
559
|
-
|
|
676
|
+
|
|
677
|
+
]
|
|
678
|
+
|
|
679
|
+
unless lts_version? '2.3.18.6'
|
|
680
|
+
issues << {
|
|
560
681
|
:cve => "CVE-2013-6417",
|
|
561
682
|
:versions => [%w[2.0.0 3.2.15 3.2.16], %w[4.0.0 4.0.1 4.0.2]],
|
|
562
683
|
:url => "https://groups.google.com/d/msg/ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ"
|
|
563
|
-
}
|
|
564
|
-
|
|
684
|
+
}
|
|
685
|
+
end
|
|
686
|
+
|
|
687
|
+
issues.each do |cve_issue|
|
|
565
688
|
cve_warning_for cve_issue[:versions], cve_issue[:cve], cve_issue[:url]
|
|
566
689
|
end
|
|
567
690
|
end
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
require 'brakeman/checks/base_check'
|
|
2
|
+
|
|
3
|
+
# Checks if verify_mode= is called with OpenSSL::SSL::VERIFY_NONE
|
|
4
|
+
|
|
5
|
+
class Brakeman::CheckSSLVerify < Brakeman::BaseCheck
|
|
6
|
+
Brakeman::Checks.add self
|
|
7
|
+
|
|
8
|
+
SSL_VERIFY_NONE = s(:colon2, s(:colon2, s(:const, :OpenSSL), :SSL), :VERIFY_NONE)
|
|
9
|
+
|
|
10
|
+
@description = "Checks for OpenSSL::SSL::VERIFY_NONE"
|
|
11
|
+
|
|
12
|
+
def run_check
|
|
13
|
+
check_open_ssl_verify_none
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
def check_open_ssl_verify_none
|
|
17
|
+
tracker.find_call(:method => :verify_mode=).each {|call| process_result(call)}
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
def process_result(result)
|
|
21
|
+
return if duplicate?(result)
|
|
22
|
+
if result[:call].last_arg == SSL_VERIFY_NONE
|
|
23
|
+
add_result result
|
|
24
|
+
warn :result => result,
|
|
25
|
+
:warning_type => "SSL Verification Bypass",
|
|
26
|
+
:warning_code => :ssl_verification_bypass,
|
|
27
|
+
:message => "SSL certificate verification was bypassed",
|
|
28
|
+
:confidence => CONFIDENCE[:high]
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
end
|
|
@@ -7,6 +7,7 @@ class Brakeman::CheckTranslateBug < Brakeman::BaseCheck
|
|
|
7
7
|
@description = "Report XSS vulnerability in translate helper"
|
|
8
8
|
|
|
9
9
|
def run_check
|
|
10
|
+
return if lts_version? '2.3.18.6'
|
|
10
11
|
if (version_between?('2.3.0', '2.3.99') and tracker.config[:escape_html]) or
|
|
11
12
|
version_between?('3.0.0', '3.0.10') or
|
|
12
13
|
version_between?('3.1.0', '3.1.1')
|
|
@@ -23,13 +23,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
|
|
|
23
23
|
#s(:class, NAME, PARENT, s(:scope ...))
|
|
24
24
|
def process_class exp
|
|
25
25
|
name = class_name(exp.class_name)
|
|
26
|
-
|
|
27
|
-
begin
|
|
28
|
-
parent = class_name exp.parent_name
|
|
29
|
-
rescue StandardError => e
|
|
30
|
-
Brakeman.debug e
|
|
31
|
-
parent = nil
|
|
32
|
-
end
|
|
26
|
+
parent = class_name(exp.parent_name)
|
|
33
27
|
|
|
34
28
|
#If inside a real controller, treat any other classes as libraries.
|
|
35
29
|
#But if not inside a controller already, then the class may include
|
|
@@ -5,7 +5,7 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
|
|
|
5
5
|
|
|
6
6
|
def initialize *args
|
|
7
7
|
super
|
|
8
|
-
|
|
8
|
+
@gem_name_version = /^\s*([-_+.A-Za-z0-9]+) \((\w(\.\w+)*)\)/
|
|
9
9
|
@tracker.config[:gems] ||= {}
|
|
10
10
|
end
|
|
11
11
|
|
|
@@ -13,9 +13,8 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
|
|
|
13
13
|
process src
|
|
14
14
|
|
|
15
15
|
if gem_lock
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
get_i18n_version gem_lock
|
|
16
|
+
process_gem_lock gem_lock
|
|
17
|
+
@tracker.config[:rails_version] = @tracker.config[:gems][:rails]
|
|
19
18
|
elsif @tracker.config[:gems][:rails] =~ /(\d+.\d+.\d+)/
|
|
20
19
|
@tracker.config[:rails_version] = $1
|
|
21
20
|
end
|
|
@@ -35,6 +34,8 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
|
|
|
35
34
|
def process_call exp
|
|
36
35
|
if exp.target == nil and exp.method == :gem
|
|
37
36
|
gem_name = exp.first_arg
|
|
37
|
+
return exp unless string? gem_name
|
|
38
|
+
|
|
38
39
|
gem_version = exp.second_arg
|
|
39
40
|
|
|
40
41
|
if string? gem_version
|
|
@@ -46,24 +47,17 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
|
|
|
46
47
|
|
|
47
48
|
exp
|
|
48
49
|
end
|
|
49
|
-
|
|
50
|
-
# Supports .rc2 but not ~>, >=, or <=
|
|
51
|
-
def get_version name, gem_lock
|
|
52
|
-
if gem_lock =~ /\s#{name} \((\w(\.\w+)*)\)(?:\n|\r\n)/
|
|
53
|
-
$1
|
|
54
|
-
end
|
|
55
|
-
end
|
|
56
50
|
|
|
57
|
-
def
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
def get_json_version gem_lock
|
|
62
|
-
@tracker.config[:gems][:json] = get_version("json", gem_lock)
|
|
63
|
-
@tracker.config[:gems][:json_pure] = get_version("json_pure", gem_lock)
|
|
51
|
+
def process_gem_lock gem_lock
|
|
52
|
+
gem_lock.each_line do |line|
|
|
53
|
+
set_gem_version line
|
|
54
|
+
end
|
|
64
55
|
end
|
|
65
56
|
|
|
66
|
-
|
|
67
|
-
|
|
57
|
+
# Supports .rc2 but not ~>, >=, or <=
|
|
58
|
+
def set_gem_version line
|
|
59
|
+
if line =~ @gem_name_version
|
|
60
|
+
@tracker.config[:gems][$1.to_sym] = $2
|
|
61
|
+
end
|
|
68
62
|
end
|
|
69
63
|
end
|
|
@@ -122,11 +122,7 @@ class Brakeman::FindAllCalls < Brakeman::BaseProcessor
|
|
|
122
122
|
when :true, :false
|
|
123
123
|
exp[0]
|
|
124
124
|
when :colon2
|
|
125
|
-
|
|
126
|
-
class_name exp
|
|
127
|
-
rescue StandardError
|
|
128
|
-
exp
|
|
129
|
-
end
|
|
125
|
+
class_name exp
|
|
130
126
|
when :self
|
|
131
127
|
@current_class || @current_module || nil
|
|
132
128
|
else
|
|
@@ -52,6 +52,7 @@ module Brakeman::ProcessorHelper
|
|
|
52
52
|
end
|
|
53
53
|
|
|
54
54
|
#Returns a class name as a Symbol.
|
|
55
|
+
#If class name cannot be determined, returns _exp_.
|
|
55
56
|
def class_name exp
|
|
56
57
|
case exp
|
|
57
58
|
when Sexp
|
|
@@ -69,14 +70,14 @@ module Brakeman::ProcessorHelper
|
|
|
69
70
|
when :self
|
|
70
71
|
@current_class || @current_module || nil
|
|
71
72
|
else
|
|
72
|
-
|
|
73
|
+
exp
|
|
73
74
|
end
|
|
74
75
|
when Symbol
|
|
75
76
|
exp
|
|
76
77
|
when nil
|
|
77
78
|
nil
|
|
78
79
|
else
|
|
79
|
-
|
|
80
|
+
exp
|
|
80
81
|
end
|
|
81
82
|
end
|
|
82
83
|
end
|
|
@@ -30,12 +30,7 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
|
|
|
30
30
|
if @tracker.libs[name]
|
|
31
31
|
@current_class = @tracker.libs[name]
|
|
32
32
|
else
|
|
33
|
-
|
|
34
|
-
parent = class_name exp.parent_name
|
|
35
|
-
rescue StandardError => e
|
|
36
|
-
Brakeman.debug e
|
|
37
|
-
parent = nil
|
|
38
|
-
end
|
|
33
|
+
parent = class_name exp.parent_name
|
|
39
34
|
|
|
40
35
|
@current_class = { :name => name,
|
|
41
36
|
:parent => parent,
|
|
@@ -27,12 +27,7 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
|
|
|
27
27
|
Brakeman.debug "[Notice] Skipping inner class: #{name}"
|
|
28
28
|
ignore
|
|
29
29
|
else
|
|
30
|
-
|
|
31
|
-
parent = class_name exp.parent_name
|
|
32
|
-
rescue StandardError => e
|
|
33
|
-
Brakeman.debug e
|
|
34
|
-
parent = nil
|
|
35
|
-
end
|
|
30
|
+
parent = class_name exp.parent_name
|
|
36
31
|
|
|
37
32
|
@model = { :name => name,
|
|
38
33
|
:parent => parent,
|
|
@@ -85,13 +85,8 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
|
|
|
85
85
|
|
|
86
86
|
if exp.method == :all or exp.method.to_s[0,4] == "find"
|
|
87
87
|
models = Set.new @tracker.models.keys
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
name = class_name target
|
|
91
|
-
return target if models.include?(name)
|
|
92
|
-
rescue StandardError
|
|
93
|
-
end
|
|
94
|
-
|
|
88
|
+
name = class_name target
|
|
89
|
+
return target if models.include?(name)
|
|
95
90
|
end
|
|
96
91
|
|
|
97
92
|
return get_model_target(target)
|
data/lib/brakeman/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,13 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: brakeman
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
hash:
|
|
4
|
+
hash: 31
|
|
5
5
|
prerelease:
|
|
6
6
|
segments:
|
|
7
7
|
- 2
|
|
8
|
-
-
|
|
9
|
-
-
|
|
10
|
-
version: 2.
|
|
8
|
+
- 4
|
|
9
|
+
- 0
|
|
10
|
+
version: 2.4.0
|
|
11
11
|
platform: ruby
|
|
12
12
|
authors:
|
|
13
13
|
- Justin Collins
|
|
@@ -36,7 +36,7 @@ cert_chain:
|
|
|
36
36
|
bdw=
|
|
37
37
|
-----END CERTIFICATE-----
|
|
38
38
|
|
|
39
|
-
date:
|
|
39
|
+
date: 2014-02-05 00:00:00 Z
|
|
40
40
|
dependencies:
|
|
41
41
|
- !ruby/object:Gem::Dependency
|
|
42
42
|
name: ruby_parser
|
|
@@ -46,12 +46,12 @@ dependencies:
|
|
|
46
46
|
requirements:
|
|
47
47
|
- - ~>
|
|
48
48
|
- !ruby/object:Gem::Version
|
|
49
|
-
hash:
|
|
49
|
+
hash: 23
|
|
50
50
|
segments:
|
|
51
51
|
- 3
|
|
52
|
-
-
|
|
53
|
-
-
|
|
54
|
-
version: 3.
|
|
52
|
+
- 4
|
|
53
|
+
- 0
|
|
54
|
+
version: 3.4.0
|
|
55
55
|
type: :runtime
|
|
56
56
|
version_requirements: *id001
|
|
57
57
|
- !ruby/object:Gem::Dependency
|
|
@@ -265,6 +265,7 @@ files:
|
|
|
265
265
|
- lib/brakeman/checks/check_single_quotes.rb
|
|
266
266
|
- lib/brakeman/checks/check_skip_before_filter.rb
|
|
267
267
|
- lib/brakeman/checks/check_sql.rb
|
|
268
|
+
- lib/brakeman/checks/check_ssl_verify.rb
|
|
268
269
|
- lib/brakeman/checks/check_strip_tags.rb
|
|
269
270
|
- lib/brakeman/checks/check_symbol_dos.rb
|
|
270
271
|
- lib/brakeman/checks/check_translate_bug.rb
|
|
@@ -369,7 +370,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
369
370
|
requirements: []
|
|
370
371
|
|
|
371
372
|
rubyforge_project:
|
|
372
|
-
rubygems_version: 1.8.
|
|
373
|
+
rubygems_version: 1.8.15
|
|
373
374
|
signing_key:
|
|
374
375
|
specification_version: 3
|
|
375
376
|
summary: Security vulnerability scanner for Ruby on Rails.
|
metadata.gz.sig
CHANGED
|
Binary file
|