brakeman 2.3.1 → 2.4.0
Sign up to get free protection for your applications and to get access to all the features.
- data.tar.gz.sig +0 -0
- data/CHANGES +15 -0
- data/README.md +1 -1
- data/lib/brakeman/app_tree.rb +1 -1
- data/lib/brakeman/checks/base_check.rb +11 -10
- data/lib/brakeman/checks/check_model_attr_accessible.rb +3 -2
- data/lib/brakeman/checks/check_number_to_currency.rb +2 -0
- data/lib/brakeman/checks/check_sql.rb +139 -16
- data/lib/brakeman/checks/check_ssl_verify.rb +31 -0
- data/lib/brakeman/checks/check_translate_bug.rb +1 -0
- data/lib/brakeman/processors/controller_processor.rb +1 -7
- data/lib/brakeman/processors/gem_processor.rb +14 -20
- data/lib/brakeman/processors/lib/find_all_calls.rb +1 -5
- data/lib/brakeman/processors/lib/processor_helper.rb +3 -2
- data/lib/brakeman/processors/lib/render_helper.rb +4 -3
- data/lib/brakeman/processors/library_processor.rb +1 -6
- data/lib/brakeman/processors/model_processor.rb +1 -6
- data/lib/brakeman/processors/template_alias_processor.rb +2 -7
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning_codes.rb +1 -0
- metadata +11 -10
- metadata.gz.sig +0 -0
data.tar.gz.sig
CHANGED
|
Binary file
|
data/CHANGES
CHANGED
|
@@ -1,3 +1,18 @@
|
|
|
1
|
+
# 2.4.0
|
|
2
|
+
|
|
3
|
+
* Detect Rails LTS versions
|
|
4
|
+
* Reduce false positives for SQL injection in string building
|
|
5
|
+
* More accurate user input marking for SQL injection warnings
|
|
6
|
+
* Detect SQL injection in `delete_all`/`destroy_all`
|
|
7
|
+
* Detect SQL injection raw SQL queries using `connection`
|
|
8
|
+
* Parse exact versions from Gemfile.lock for all gems
|
|
9
|
+
* Ignore generators
|
|
10
|
+
* Update to RubyParser 3.4.0
|
|
11
|
+
* Fix false positives when SQL methods are not called on AR models (Aaron Bedra)
|
|
12
|
+
* Add check for uses of OpenSSL::SSL::VERIFY_NONE (Aaron Bedra)
|
|
13
|
+
* No longer raise exceptions if a class name cannot be determined
|
|
14
|
+
* Fingerprint attribute warnings individually (Case Taintor)
|
|
15
|
+
|
|
1
16
|
# 2.3.1
|
|
2
17
|
|
|
3
18
|
* Fix check for CVE-2013-4491 (i18n XSS) to detect workaround
|
data/README.md
CHANGED
|
@@ -171,7 +171,7 @@ The `-c` option can be used to specify a configuration file to use.
|
|
|
171
171
|
* [New Relic](http://newrelic.com)
|
|
172
172
|
* [Twitter](https://twitter.com/)
|
|
173
173
|
|
|
174
|
-
[..and more!](http://
|
|
174
|
+
[..and more!](http://brakemanscanner.org/brakeman_users)
|
|
175
175
|
|
|
176
176
|
# License
|
|
177
177
|
|
data/lib/brakeman/app_tree.rb
CHANGED
|
@@ -432,13 +432,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
|
|
|
432
432
|
if exp.is_a? Symbol
|
|
433
433
|
@models.include? exp
|
|
434
434
|
elsif sexp? exp
|
|
435
|
-
|
|
436
|
-
begin
|
|
437
|
-
klass = class_name exp
|
|
438
|
-
rescue StandardError
|
|
439
|
-
end
|
|
440
|
-
|
|
441
|
-
klass and @models.include? klass
|
|
435
|
+
@models.include? class_name(exp)
|
|
442
436
|
else
|
|
443
437
|
false
|
|
444
438
|
end
|
|
@@ -458,10 +452,11 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
|
|
|
458
452
|
#Returns true if low_version <= RAILS_VERSION <= high_version
|
|
459
453
|
#
|
|
460
454
|
#If the Rails version is unknown, returns false.
|
|
461
|
-
def version_between? low_version, high_version
|
|
462
|
-
|
|
455
|
+
def version_between? low_version, high_version, current_version = nil
|
|
456
|
+
current_version ||= tracker.config[:rails_version]
|
|
457
|
+
return false unless current_version
|
|
463
458
|
|
|
464
|
-
version =
|
|
459
|
+
version = current_version.split(".").map! { |n| n.to_i }
|
|
465
460
|
low_version = low_version.split(".").map! { |n| n.to_i }
|
|
466
461
|
high_version = high_version.split(".").map! { |n| n.to_i }
|
|
467
462
|
|
|
@@ -484,6 +479,12 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
|
|
|
484
479
|
true
|
|
485
480
|
end
|
|
486
481
|
|
|
482
|
+
def lts_version? version
|
|
483
|
+
tracker.config[:gems] and
|
|
484
|
+
tracker.config[:gems][:'railslts-version'] and
|
|
485
|
+
version_between? version, "2.3.18.99", tracker.config[:gems][:'railslts-version']
|
|
486
|
+
end
|
|
487
|
+
|
|
487
488
|
def gemfile_or_environment
|
|
488
489
|
if @app_tree.exists?("Gemfile")
|
|
489
490
|
"Gemfile"
|
|
@@ -29,8 +29,9 @@ class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
|
|
|
29
29
|
:file => model[:file],
|
|
30
30
|
:warning_type => "Mass Assignment",
|
|
31
31
|
:warning_code => :dangerous_attr_accessible,
|
|
32
|
-
:message => "Potentially dangerous attribute
|
|
33
|
-
:confidence => confidence
|
|
32
|
+
:message => "Potentially dangerous attribute available for mass assignment",
|
|
33
|
+
:confidence => confidence,
|
|
34
|
+
:code => Sexp.new(:lit, attribute)
|
|
34
35
|
break # Prevent from matching single attr multiple times
|
|
35
36
|
end
|
|
36
37
|
end
|
|
@@ -6,6 +6,8 @@ class Brakeman::CheckNumberToCurrency < Brakeman::BaseCheck
|
|
|
6
6
|
@description = "Checks for number_to_currency XSS vulnerability in certain versions"
|
|
7
7
|
|
|
8
8
|
def run_check
|
|
9
|
+
return if lts_version? '2.3.18.6'
|
|
10
|
+
|
|
9
11
|
if (version_between? "2.0.0", "3.2.15" or version_between? "4.0.0", "4.0.1")
|
|
10
12
|
check_number_to_currency_usage
|
|
11
13
|
|
|
@@ -16,20 +16,32 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
16
16
|
def run_check
|
|
17
17
|
@rails_version = tracker.config[:rails_version]
|
|
18
18
|
|
|
19
|
-
@sql_targets = [:all, :average, :calculate, :count, :count_by_sql, :exists?,
|
|
19
|
+
@sql_targets = [:all, :average, :calculate, :count, :count_by_sql, :exists?, :delete_all, :destroy_all,
|
|
20
20
|
:find, :find_by_sql, :first, :last, :maximum, :minimum, :pluck, :sum, :update_all]
|
|
21
21
|
@sql_targets.concat [:from, :group, :having, :joins, :lock, :order, :reorder, :select, :where] if tracker.options[:rails3]
|
|
22
22
|
|
|
23
|
+
@connection_calls = [:delete, :execute, :insert, :select_all, :select_one,
|
|
24
|
+
:select_rows, :select_value, :select_values]
|
|
25
|
+
|
|
26
|
+
if tracker.options[:rails3]
|
|
27
|
+
@connection_calls.concat [:exec_delete, :exec_insert, :exec_query, :exec_update]
|
|
28
|
+
else
|
|
29
|
+
@connection_calls.concat [:add_limit!, :add_offset_limit!, :add_lock!]
|
|
30
|
+
end
|
|
31
|
+
|
|
23
32
|
Brakeman.debug "Finding possible SQL calls on models"
|
|
24
33
|
calls = tracker.find_call :targets => active_record_models.keys,
|
|
25
34
|
:methods => @sql_targets,
|
|
26
35
|
:chained => true
|
|
27
36
|
|
|
28
37
|
Brakeman.debug "Finding possible SQL calls with no target"
|
|
29
|
-
calls.concat tracker.find_call(:target => nil, :
|
|
38
|
+
calls.concat tracker.find_call(:target => nil, :methods => @sql_targets)
|
|
30
39
|
|
|
31
40
|
Brakeman.debug "Finding possible SQL calls using constantized()"
|
|
32
|
-
calls.concat tracker.find_call(:
|
|
41
|
+
calls.concat tracker.find_call(:methods => @sql_targets).select { |result| constantize_call? result }
|
|
42
|
+
|
|
43
|
+
connect_targets = active_record_models.keys + [nil, :"ActiveRecord::Base"]
|
|
44
|
+
calls.concat tracker.find_call(:targets => connect_targets, :methods => @connection_calls, :chained => true).select { |result| connect_call? result }
|
|
33
45
|
|
|
34
46
|
Brakeman.debug "Finding calls to named_scope or scope"
|
|
35
47
|
calls.concat find_scope_calls
|
|
@@ -134,6 +146,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
134
146
|
#
|
|
135
147
|
def process_result result
|
|
136
148
|
return if duplicate?(result) or result[:call].original_line
|
|
149
|
+
return if result[:target].nil? && !active_record_models.include?(result[:location][:class])
|
|
150
|
+
|
|
137
151
|
|
|
138
152
|
call = result[:call]
|
|
139
153
|
method = call.method
|
|
@@ -141,7 +155,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
141
155
|
dangerous_value = case method
|
|
142
156
|
when :find
|
|
143
157
|
check_find_arguments call.second_arg
|
|
144
|
-
when :exists
|
|
158
|
+
when :exists?, :delete_all, :destroy_all
|
|
145
159
|
check_find_arguments call.first_arg
|
|
146
160
|
when :named_scope, :scope
|
|
147
161
|
check_scope_arguments call
|
|
@@ -171,6 +185,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
171
185
|
unsafe_sql? call.first_arg
|
|
172
186
|
when :update_all
|
|
173
187
|
check_update_all_arguments call.args
|
|
188
|
+
when *@connection_calls
|
|
189
|
+
check_by_sql_arguments call.first_arg
|
|
174
190
|
else
|
|
175
191
|
Brakeman.debug "Unhandled SQL method: #{method}"
|
|
176
192
|
end
|
|
@@ -340,12 +356,46 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
340
356
|
#unless safe_value? explicitly returns true.
|
|
341
357
|
def check_string_interp arg
|
|
342
358
|
arg.each do |exp|
|
|
343
|
-
|
|
359
|
+
if dangerous = unsafe_string_interp?(exp)
|
|
360
|
+
return dangerous
|
|
361
|
+
end
|
|
344
362
|
end
|
|
345
363
|
|
|
346
364
|
nil
|
|
347
365
|
end
|
|
348
366
|
|
|
367
|
+
#Returns value if interpolated value is not something safe
|
|
368
|
+
def unsafe_string_interp? exp
|
|
369
|
+
if node_type? exp, :string_eval, :evstr
|
|
370
|
+
value = exp.value
|
|
371
|
+
else
|
|
372
|
+
value = exp
|
|
373
|
+
end
|
|
374
|
+
|
|
375
|
+
if not sexp? value
|
|
376
|
+
nil
|
|
377
|
+
elsif call? value and value.method == :to_s
|
|
378
|
+
unsafe_string_interp? value.target
|
|
379
|
+
else
|
|
380
|
+
case value.node_type
|
|
381
|
+
when :or
|
|
382
|
+
unsafe_string_interp?(value.lhs) || unsafe_string_interp?(value.rhs)
|
|
383
|
+
when :string_interp, :dstr
|
|
384
|
+
if dangerous = check_string_interp(value)
|
|
385
|
+
return dangerous
|
|
386
|
+
end
|
|
387
|
+
else
|
|
388
|
+
if safe_value? value
|
|
389
|
+
nil
|
|
390
|
+
elsif string_building? value
|
|
391
|
+
check_for_string_building value
|
|
392
|
+
else
|
|
393
|
+
value
|
|
394
|
+
end
|
|
395
|
+
end
|
|
396
|
+
end
|
|
397
|
+
end
|
|
398
|
+
|
|
349
399
|
#Checks the given expression for unsafe SQL values. If an unsafe value is
|
|
350
400
|
#found, returns that value (may be the given _exp_ or a subexpression).
|
|
351
401
|
#
|
|
@@ -441,14 +491,47 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
441
491
|
|
|
442
492
|
target = exp.target
|
|
443
493
|
method = exp.method
|
|
494
|
+
arg = exp.first_arg
|
|
495
|
+
|
|
496
|
+
if STRING_METHODS.include? method
|
|
497
|
+
if string? target
|
|
498
|
+
check_string_arg arg
|
|
499
|
+
elsif string? arg
|
|
500
|
+
check_string_arg target
|
|
501
|
+
elsif call? target
|
|
502
|
+
check_for_string_building target
|
|
503
|
+
elsif node_type? target, :string_interp, :dstr or
|
|
504
|
+
node_type? arg, :string_interp, :dstr
|
|
505
|
+
|
|
506
|
+
check_string_arg target and
|
|
507
|
+
check_string_arg arg
|
|
508
|
+
end
|
|
509
|
+
else
|
|
510
|
+
nil
|
|
511
|
+
end
|
|
512
|
+
end
|
|
444
513
|
|
|
445
|
-
|
|
446
|
-
|
|
447
|
-
|
|
448
|
-
|
|
514
|
+
def check_string_arg exp
|
|
515
|
+
if safe_value? exp
|
|
516
|
+
nil
|
|
517
|
+
elsif string_building? exp
|
|
518
|
+
check_for_string_building exp
|
|
519
|
+
elsif node_type? exp, :string_interp, :dstr
|
|
520
|
+
check_string_interp exp
|
|
521
|
+
elsif call? exp and exp.method == :to_s
|
|
522
|
+
check_string_arg exp.target
|
|
523
|
+
else
|
|
524
|
+
exp
|
|
449
525
|
end
|
|
526
|
+
end
|
|
450
527
|
|
|
451
|
-
|
|
528
|
+
def string_building? exp
|
|
529
|
+
return false unless call? exp and STRING_METHODS.include? exp.method
|
|
530
|
+
|
|
531
|
+
node_type? exp.target, :str, :dstr, :string_interp or
|
|
532
|
+
node_type? exp.first_arg, :str, :dstr, :string_interp or
|
|
533
|
+
string_building? exp.target or
|
|
534
|
+
string_building? exp.first_arg
|
|
452
535
|
end
|
|
453
536
|
|
|
454
537
|
IGNORE_METHODS_IN_SQL = Set[:id, :merge_conditions, :table_name, :to_i, :to_f,
|
|
@@ -464,7 +547,13 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
464
547
|
when :str, :lit, :const, :colon2, :nil, :true, :false
|
|
465
548
|
true
|
|
466
549
|
when :call
|
|
467
|
-
|
|
550
|
+
if exp.method == :to_s
|
|
551
|
+
safe_value? exp.target
|
|
552
|
+
else
|
|
553
|
+
IGNORE_METHODS_IN_SQL.include? exp.method or
|
|
554
|
+
quote_call? exp or
|
|
555
|
+
exp.method.to_s.end_with? "_id"
|
|
556
|
+
end
|
|
468
557
|
when :if
|
|
469
558
|
safe_value? exp.then_clause and safe_value? exp.else_clause
|
|
470
559
|
when :block, :rlist
|
|
@@ -476,6 +565,16 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
476
565
|
end
|
|
477
566
|
end
|
|
478
567
|
|
|
568
|
+
QUOTE_METHODS = [:quote, :quote_column_name, :quoted_date, :quote_string, :quote_table_name]
|
|
569
|
+
|
|
570
|
+
def quote_call? exp
|
|
571
|
+
if call? exp.target
|
|
572
|
+
exp.target.method == :connection and QUOTE_METHODS.include? exp.method
|
|
573
|
+
elsif exp.target.nil?
|
|
574
|
+
exp.method == :quote_value
|
|
575
|
+
end
|
|
576
|
+
end
|
|
577
|
+
|
|
479
578
|
#Check call for string building
|
|
480
579
|
def check_call exp
|
|
481
580
|
return unless call? exp
|
|
@@ -521,6 +620,24 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
521
620
|
call? call.target and call.target.method == :constantize
|
|
522
621
|
end
|
|
523
622
|
|
|
623
|
+
SELF_CLASS = s(:call, s(:self), :class)
|
|
624
|
+
|
|
625
|
+
def connect_call? result
|
|
626
|
+
call = result[:call]
|
|
627
|
+
target = call.target
|
|
628
|
+
|
|
629
|
+
if call? target and target.method == :connection
|
|
630
|
+
target = target.target
|
|
631
|
+
klass = class_name(target)
|
|
632
|
+
|
|
633
|
+
target.nil? or
|
|
634
|
+
target == SELF_CLASS or
|
|
635
|
+
node_type? target, :self or
|
|
636
|
+
klass == :"ActiveRecord::Base" or
|
|
637
|
+
active_record_models.include? klass
|
|
638
|
+
end
|
|
639
|
+
end
|
|
640
|
+
|
|
524
641
|
def upgrade_version? versions
|
|
525
642
|
versions.each do |low, high, upgrade|
|
|
526
643
|
return upgrade if version_between? low, high
|
|
@@ -529,8 +646,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
529
646
|
false
|
|
530
647
|
end
|
|
531
648
|
|
|
532
|
-
def check_rails_versions_against_cve_issues
|
|
533
|
-
[
|
|
649
|
+
def check_rails_versions_against_cve_issues
|
|
650
|
+
issues = [
|
|
534
651
|
{
|
|
535
652
|
:cve => "CVE-2012-2660",
|
|
536
653
|
:versions => [%w[2.0.0 2.3.14 2.3.17], %w[3.0.0 3.0.12 3.0.13], %w[3.1.0 3.1.4 3.1.5], %w[3.2.0 3.2.3 3.2.4]],
|
|
@@ -556,12 +673,18 @@ def check_rails_versions_against_cve_issues
|
|
|
556
673
|
:versions => [%w[2.0.0 2.3.15 2.3.16], %w[3.0.0 3.0.18 3.0.19], %w[3.1.0 3.1.9 3.1.10], %w[3.2.0 3.2.10 3.2.11]],
|
|
557
674
|
:url => "https://groups.google.com/d/topic/rubyonrails-security/c7jT-EeN9eI/discussion"
|
|
558
675
|
},
|
|
559
|
-
|
|
676
|
+
|
|
677
|
+
]
|
|
678
|
+
|
|
679
|
+
unless lts_version? '2.3.18.6'
|
|
680
|
+
issues << {
|
|
560
681
|
:cve => "CVE-2013-6417",
|
|
561
682
|
:versions => [%w[2.0.0 3.2.15 3.2.16], %w[4.0.0 4.0.1 4.0.2]],
|
|
562
683
|
:url => "https://groups.google.com/d/msg/ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ"
|
|
563
|
-
}
|
|
564
|
-
|
|
684
|
+
}
|
|
685
|
+
end
|
|
686
|
+
|
|
687
|
+
issues.each do |cve_issue|
|
|
565
688
|
cve_warning_for cve_issue[:versions], cve_issue[:cve], cve_issue[:url]
|
|
566
689
|
end
|
|
567
690
|
end
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
require 'brakeman/checks/base_check'
|
|
2
|
+
|
|
3
|
+
# Checks if verify_mode= is called with OpenSSL::SSL::VERIFY_NONE
|
|
4
|
+
|
|
5
|
+
class Brakeman::CheckSSLVerify < Brakeman::BaseCheck
|
|
6
|
+
Brakeman::Checks.add self
|
|
7
|
+
|
|
8
|
+
SSL_VERIFY_NONE = s(:colon2, s(:colon2, s(:const, :OpenSSL), :SSL), :VERIFY_NONE)
|
|
9
|
+
|
|
10
|
+
@description = "Checks for OpenSSL::SSL::VERIFY_NONE"
|
|
11
|
+
|
|
12
|
+
def run_check
|
|
13
|
+
check_open_ssl_verify_none
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
def check_open_ssl_verify_none
|
|
17
|
+
tracker.find_call(:method => :verify_mode=).each {|call| process_result(call)}
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
def process_result(result)
|
|
21
|
+
return if duplicate?(result)
|
|
22
|
+
if result[:call].last_arg == SSL_VERIFY_NONE
|
|
23
|
+
add_result result
|
|
24
|
+
warn :result => result,
|
|
25
|
+
:warning_type => "SSL Verification Bypass",
|
|
26
|
+
:warning_code => :ssl_verification_bypass,
|
|
27
|
+
:message => "SSL certificate verification was bypassed",
|
|
28
|
+
:confidence => CONFIDENCE[:high]
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
end
|
|
@@ -7,6 +7,7 @@ class Brakeman::CheckTranslateBug < Brakeman::BaseCheck
|
|
|
7
7
|
@description = "Report XSS vulnerability in translate helper"
|
|
8
8
|
|
|
9
9
|
def run_check
|
|
10
|
+
return if lts_version? '2.3.18.6'
|
|
10
11
|
if (version_between?('2.3.0', '2.3.99') and tracker.config[:escape_html]) or
|
|
11
12
|
version_between?('3.0.0', '3.0.10') or
|
|
12
13
|
version_between?('3.1.0', '3.1.1')
|
|
@@ -23,13 +23,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
|
|
|
23
23
|
#s(:class, NAME, PARENT, s(:scope ...))
|
|
24
24
|
def process_class exp
|
|
25
25
|
name = class_name(exp.class_name)
|
|
26
|
-
|
|
27
|
-
begin
|
|
28
|
-
parent = class_name exp.parent_name
|
|
29
|
-
rescue StandardError => e
|
|
30
|
-
Brakeman.debug e
|
|
31
|
-
parent = nil
|
|
32
|
-
end
|
|
26
|
+
parent = class_name(exp.parent_name)
|
|
33
27
|
|
|
34
28
|
#If inside a real controller, treat any other classes as libraries.
|
|
35
29
|
#But if not inside a controller already, then the class may include
|
|
@@ -5,7 +5,7 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
|
|
|
5
5
|
|
|
6
6
|
def initialize *args
|
|
7
7
|
super
|
|
8
|
-
|
|
8
|
+
@gem_name_version = /^\s*([-_+.A-Za-z0-9]+) \((\w(\.\w+)*)\)/
|
|
9
9
|
@tracker.config[:gems] ||= {}
|
|
10
10
|
end
|
|
11
11
|
|
|
@@ -13,9 +13,8 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
|
|
|
13
13
|
process src
|
|
14
14
|
|
|
15
15
|
if gem_lock
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
get_i18n_version gem_lock
|
|
16
|
+
process_gem_lock gem_lock
|
|
17
|
+
@tracker.config[:rails_version] = @tracker.config[:gems][:rails]
|
|
19
18
|
elsif @tracker.config[:gems][:rails] =~ /(\d+.\d+.\d+)/
|
|
20
19
|
@tracker.config[:rails_version] = $1
|
|
21
20
|
end
|
|
@@ -35,6 +34,8 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
|
|
|
35
34
|
def process_call exp
|
|
36
35
|
if exp.target == nil and exp.method == :gem
|
|
37
36
|
gem_name = exp.first_arg
|
|
37
|
+
return exp unless string? gem_name
|
|
38
|
+
|
|
38
39
|
gem_version = exp.second_arg
|
|
39
40
|
|
|
40
41
|
if string? gem_version
|
|
@@ -46,24 +47,17 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
|
|
|
46
47
|
|
|
47
48
|
exp
|
|
48
49
|
end
|
|
49
|
-
|
|
50
|
-
# Supports .rc2 but not ~>, >=, or <=
|
|
51
|
-
def get_version name, gem_lock
|
|
52
|
-
if gem_lock =~ /\s#{name} \((\w(\.\w+)*)\)(?:\n|\r\n)/
|
|
53
|
-
$1
|
|
54
|
-
end
|
|
55
|
-
end
|
|
56
50
|
|
|
57
|
-
def
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
def get_json_version gem_lock
|
|
62
|
-
@tracker.config[:gems][:json] = get_version("json", gem_lock)
|
|
63
|
-
@tracker.config[:gems][:json_pure] = get_version("json_pure", gem_lock)
|
|
51
|
+
def process_gem_lock gem_lock
|
|
52
|
+
gem_lock.each_line do |line|
|
|
53
|
+
set_gem_version line
|
|
54
|
+
end
|
|
64
55
|
end
|
|
65
56
|
|
|
66
|
-
|
|
67
|
-
|
|
57
|
+
# Supports .rc2 but not ~>, >=, or <=
|
|
58
|
+
def set_gem_version line
|
|
59
|
+
if line =~ @gem_name_version
|
|
60
|
+
@tracker.config[:gems][$1.to_sym] = $2
|
|
61
|
+
end
|
|
68
62
|
end
|
|
69
63
|
end
|
|
@@ -122,11 +122,7 @@ class Brakeman::FindAllCalls < Brakeman::BaseProcessor
|
|
|
122
122
|
when :true, :false
|
|
123
123
|
exp[0]
|
|
124
124
|
when :colon2
|
|
125
|
-
|
|
126
|
-
class_name exp
|
|
127
|
-
rescue StandardError
|
|
128
|
-
exp
|
|
129
|
-
end
|
|
125
|
+
class_name exp
|
|
130
126
|
when :self
|
|
131
127
|
@current_class || @current_module || nil
|
|
132
128
|
else
|
|
@@ -52,6 +52,7 @@ module Brakeman::ProcessorHelper
|
|
|
52
52
|
end
|
|
53
53
|
|
|
54
54
|
#Returns a class name as a Symbol.
|
|
55
|
+
#If class name cannot be determined, returns _exp_.
|
|
55
56
|
def class_name exp
|
|
56
57
|
case exp
|
|
57
58
|
when Sexp
|
|
@@ -69,14 +70,14 @@ module Brakeman::ProcessorHelper
|
|
|
69
70
|
when :self
|
|
70
71
|
@current_class || @current_module || nil
|
|
71
72
|
else
|
|
72
|
-
|
|
73
|
+
exp
|
|
73
74
|
end
|
|
74
75
|
when Symbol
|
|
75
76
|
exp
|
|
76
77
|
when nil
|
|
77
78
|
nil
|
|
78
79
|
else
|
|
79
|
-
|
|
80
|
+
exp
|
|
80
81
|
end
|
|
81
82
|
end
|
|
82
83
|
end
|
|
@@ -30,12 +30,7 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
|
|
|
30
30
|
if @tracker.libs[name]
|
|
31
31
|
@current_class = @tracker.libs[name]
|
|
32
32
|
else
|
|
33
|
-
|
|
34
|
-
parent = class_name exp.parent_name
|
|
35
|
-
rescue StandardError => e
|
|
36
|
-
Brakeman.debug e
|
|
37
|
-
parent = nil
|
|
38
|
-
end
|
|
33
|
+
parent = class_name exp.parent_name
|
|
39
34
|
|
|
40
35
|
@current_class = { :name => name,
|
|
41
36
|
:parent => parent,
|
|
@@ -27,12 +27,7 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
|
|
|
27
27
|
Brakeman.debug "[Notice] Skipping inner class: #{name}"
|
|
28
28
|
ignore
|
|
29
29
|
else
|
|
30
|
-
|
|
31
|
-
parent = class_name exp.parent_name
|
|
32
|
-
rescue StandardError => e
|
|
33
|
-
Brakeman.debug e
|
|
34
|
-
parent = nil
|
|
35
|
-
end
|
|
30
|
+
parent = class_name exp.parent_name
|
|
36
31
|
|
|
37
32
|
@model = { :name => name,
|
|
38
33
|
:parent => parent,
|
|
@@ -85,13 +85,8 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
|
|
|
85
85
|
|
|
86
86
|
if exp.method == :all or exp.method.to_s[0,4] == "find"
|
|
87
87
|
models = Set.new @tracker.models.keys
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
name = class_name target
|
|
91
|
-
return target if models.include?(name)
|
|
92
|
-
rescue StandardError
|
|
93
|
-
end
|
|
94
|
-
|
|
88
|
+
name = class_name target
|
|
89
|
+
return target if models.include?(name)
|
|
95
90
|
end
|
|
96
91
|
|
|
97
92
|
return get_model_target(target)
|
data/lib/brakeman/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,13 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: brakeman
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
hash:
|
|
4
|
+
hash: 31
|
|
5
5
|
prerelease:
|
|
6
6
|
segments:
|
|
7
7
|
- 2
|
|
8
|
-
-
|
|
9
|
-
-
|
|
10
|
-
version: 2.
|
|
8
|
+
- 4
|
|
9
|
+
- 0
|
|
10
|
+
version: 2.4.0
|
|
11
11
|
platform: ruby
|
|
12
12
|
authors:
|
|
13
13
|
- Justin Collins
|
|
@@ -36,7 +36,7 @@ cert_chain:
|
|
|
36
36
|
bdw=
|
|
37
37
|
-----END CERTIFICATE-----
|
|
38
38
|
|
|
39
|
-
date:
|
|
39
|
+
date: 2014-02-05 00:00:00 Z
|
|
40
40
|
dependencies:
|
|
41
41
|
- !ruby/object:Gem::Dependency
|
|
42
42
|
name: ruby_parser
|
|
@@ -46,12 +46,12 @@ dependencies:
|
|
|
46
46
|
requirements:
|
|
47
47
|
- - ~>
|
|
48
48
|
- !ruby/object:Gem::Version
|
|
49
|
-
hash:
|
|
49
|
+
hash: 23
|
|
50
50
|
segments:
|
|
51
51
|
- 3
|
|
52
|
-
-
|
|
53
|
-
-
|
|
54
|
-
version: 3.
|
|
52
|
+
- 4
|
|
53
|
+
- 0
|
|
54
|
+
version: 3.4.0
|
|
55
55
|
type: :runtime
|
|
56
56
|
version_requirements: *id001
|
|
57
57
|
- !ruby/object:Gem::Dependency
|
|
@@ -265,6 +265,7 @@ files:
|
|
|
265
265
|
- lib/brakeman/checks/check_single_quotes.rb
|
|
266
266
|
- lib/brakeman/checks/check_skip_before_filter.rb
|
|
267
267
|
- lib/brakeman/checks/check_sql.rb
|
|
268
|
+
- lib/brakeman/checks/check_ssl_verify.rb
|
|
268
269
|
- lib/brakeman/checks/check_strip_tags.rb
|
|
269
270
|
- lib/brakeman/checks/check_symbol_dos.rb
|
|
270
271
|
- lib/brakeman/checks/check_translate_bug.rb
|
|
@@ -369,7 +370,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
369
370
|
requirements: []
|
|
370
371
|
|
|
371
372
|
rubyforge_project:
|
|
372
|
-
rubygems_version: 1.8.
|
|
373
|
+
rubygems_version: 1.8.15
|
|
373
374
|
signing_key:
|
|
374
375
|
specification_version: 3
|
|
375
376
|
summary: Security vulnerability scanner for Ruby on Rails.
|
metadata.gz.sig
CHANGED
|
Binary file
|