brakeman 2.3.1 → 2.4.0

data.tar.gz.sig CHANGED
Binary file
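--- a/data/CHANGES
+++ b/data/CHANGES
@@ -1,3 +1,18 @@
+# 2.4.0
+
+* Detect Rails LTS versions
+* Reduce false positives for SQL injection in string building
+* More accurate user input marking for SQL injection warnings
+* Detect SQL injection in `delete_all`/`destroy_all`
+* Detect SQL injection raw SQL queries using `connection`
+* Parse exact versions from Gemfile.lock for all gems
+* Ignore generators
+* Update to RubyParser 3.4.0
+* Fix false positives when SQL methods are not called on AR models (Aaron Bedra)
+* Add check for uses of OpenSSL::SSL::VERIFY_NONE (Aaron Bedra)
+* No longer raise exceptions if a class name cannot be determined
+* Fingerprint attribute warnings individually (Case Taintor)
+
 # 2.3.1
 
 * Fix check for CVE-2013-4491 (i18n XSS) to detect workaround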
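--- a/data/README.md
+++ b/data/README.md
@@ -171,7 +171,7 @@ The `-c` option can be used to specify a configuration file to use.
 * [New Relic](http://newrelic.com)
 * [Twitter](https://twitter.com/)
 
-[..and more!](http://brakeman.org/brakeman_users)
+[..and more!](http://brakemanscanner.org/brakeman_users)
 
 # License
 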
@@ -71,7 +71,7 @@ module Brakeman
71
71
  end
72
72
 
73
73
  def lib_paths
74
- @lib_files ||= find_paths("lib")
74
+ @lib_files ||= find_paths("lib").reject { |path| path.include? "/generators/" }
75
75
  end
76
76
 
77
77
  private
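Review bot: The generator filter in `lib_paths` matches `/generators/` anywhere in the path, so if `find_paths` returns absolute paths an application checked out under a directory named `generators` would lose its entire lib tree; if the paths are relative to the application root this does not apply, but the result is memoized in `@lib_files` either way, so a wrong exclusion persists for the run. A comment such as `# Rails generator templates are not application code; skip anything under a generators/ directory` would make the intent explicit, and matching only on the portion after `lib/` would avoid the broader exclusion. The enclosing module continues outside the hunk.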
@@ -432,13 +432,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
432
432
  if exp.is_a? Symbol
433
433
  @models.include? exp
434
434
  elsif sexp? exp
435
- klass = nil
436
- begin
437
- klass = class_name exp
438
- rescue StandardError
439
- end
440
-
441
- klass and @models.include? klass
435
+ @models.include? class_name(exp)
442
436
  else
443
437
  false
444
438
  end
@@ -458,10 +452,11 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
458
452
  #Returns true if low_version <= RAILS_VERSION <= high_version
459
453
  #
460
454
  #If the Rails version is unknown, returns false.
461
- def version_between? low_version, high_version
462
- return false unless tracker.config[:rails_version]
455
+ def version_between? low_version, high_version, current_version = nil
456
+ current_version ||= tracker.config[:rails_version]
457
+ return false unless current_version
463
458
 
464
- version = tracker.config[:rails_version].split(".").map! { |n| n.to_i }
459
+ version = current_version.split(".").map! { |n| n.to_i }
465
460
  low_version = low_version.split(".").map! { |n| n.to_i }
466
461
  high_version = high_version.split(".").map! { |n| n.to_i }
467
462
 
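Review bot: The header comment above `version_between?` still says it compares against RAILS_VERSION, but the new `current_version` parameter lets callers (`lts_version?`) compare an arbitrary version string, so that documentation is now stale. Suggest `#Returns true if low_version <= current_version <= high_version` followed by `#current_version defaults to the tracked Rails version; returns false if neither is known.` Note also that non-numeric segments such as `rc1` become `0` through `to_i` on the `split(".").map!` lines; that predates this change but now also applies to the gem-supplied LTS version. The rest of the method is outside the hunk.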
@@ -484,6 +479,12 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
484
479
  true
485
480
  end
486
481
 
482
+ def lts_version? version
483
+ tracker.config[:gems] and
484
+ tracker.config[:gems][:'railslts-version'] and
485
+ version_between? version, "2.3.18.99", tracker.config[:gems][:'railslts-version']
486
+ end
487
+
487
488
  def gemfile_or_environment
488
489
  if @app_tree.exists?("Gemfile")
489
490
  "Gemfile"
@@ -29,8 +29,9 @@ class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
29
29
  :file => model[:file],
30
30
  :warning_type => "Mass Assignment",
31
31
  :warning_code => :dangerous_attr_accessible,
32
- :message => "Potentially dangerous attribute '#{attribute}' available for mass assignment",
33
- :confidence => confidence
32
+ :message => "Potentially dangerous attribute available for mass assignment",
33
+ :confidence => confidence,
34
+ :code => Sexp.new(:lit, attribute)
34
35
  break # Prevent from matching single attr multiple times
35
36
  end
36
37
  end
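Review bot: The attribute name is dropped from the warning message and carried only in `:code => Sexp.new(:lit, attribute)`, so a reader of the plain-text message no longer sees which attribute is affected. If `warn` derives the reported line or the fingerprint from `:code`, this synthesised literal carries no line information, so it is worth confirming the line still comes from the model result; if that holds, a comment such as `# attribute goes in :code so each attribute gets its own fingerprint` would explain why the message was made generic. The `warn` call starts outside the hunk.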
@@ -6,6 +6,8 @@ class Brakeman::CheckNumberToCurrency < Brakeman::BaseCheck
6
6
  @description = "Checks for number_to_currency XSS vulnerability in certain versions"
7
7
 
8
8
  def run_check
9
+ return if lts_version? '2.3.18.6'
10
+
9
11
  if (version_between? "2.0.0", "3.2.15" or version_between? "4.0.0", "4.0.1")
10
12
  check_number_to_currency_usage
11
13
 
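Review bot: The literal `'2.3.18.6'` passed to `lts_version?` here is repeated in `CheckTranslateBug#run_check` and in `check_rails_versions_against_cve_issues` in the CheckSQL hunks below, so the LTS patch level that is considered fixed lives in three places. Suggest a single named constant in `Brakeman::BaseCheck`, e.g. `LTS_FIXED_VERSION = '2.3.18.6'` with a comment naming what it denotes, and `return if lts_version? LTS_FIXED_VERSION` at all three sites. Whether one patch level covers all three issues is inferred from the identical literals and should be confirmed against the Rails LTS release notes.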
@@ -16,20 +16,32 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
16
16
  def run_check
17
17
  @rails_version = tracker.config[:rails_version]
18
18
 
19
- @sql_targets = [:all, :average, :calculate, :count, :count_by_sql, :exists?,
19
+ @sql_targets = [:all, :average, :calculate, :count, :count_by_sql, :exists?, :delete_all, :destroy_all,
20
20
  :find, :find_by_sql, :first, :last, :maximum, :minimum, :pluck, :sum, :update_all]
21
21
  @sql_targets.concat [:from, :group, :having, :joins, :lock, :order, :reorder, :select, :where] if tracker.options[:rails3]
22
22
 
23
+ @connection_calls = [:delete, :execute, :insert, :select_all, :select_one,
24
+ :select_rows, :select_value, :select_values]
25
+
26
+ if tracker.options[:rails3]
27
+ @connection_calls.concat [:exec_delete, :exec_insert, :exec_query, :exec_update]
28
+ else
29
+ @connection_calls.concat [:add_limit!, :add_offset_limit!, :add_lock!]
30
+ end
31
+
23
32
  Brakeman.debug "Finding possible SQL calls on models"
24
33
  calls = tracker.find_call :targets => active_record_models.keys,
25
34
  :methods => @sql_targets,
26
35
  :chained => true
27
36
 
28
37
  Brakeman.debug "Finding possible SQL calls with no target"
29
- calls.concat tracker.find_call(:target => nil, :method => @sql_targets)
38
+ calls.concat tracker.find_call(:target => nil, :methods => @sql_targets)
30
39
 
31
40
  Brakeman.debug "Finding possible SQL calls using constantized()"
32
- calls.concat tracker.find_call(:method => @sql_targets).select { |result| constantize_call? result }
41
+ calls.concat tracker.find_call(:methods => @sql_targets).select { |result| constantize_call? result }
42
+
43
+ connect_targets = active_record_models.keys + [nil, :"ActiveRecord::Base"]
44
+ calls.concat tracker.find_call(:targets => connect_targets, :methods => @connection_calls, :chained => true).select { |result| connect_call? result }
33
45
 
34
46
  Brakeman.debug "Finding calls to named_scope or scope"
35
47
  calls.concat find_scope_calls
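Review bot: The `exec_*` entries of `@connection_calls` are only added when `tracker.options[:rails3]` is set; if a Rails 4 application is tracked under a separate option rather than also as `:rails3` (not visible here), `connection.exec_query` and friends would go unchecked for it, so the branch condition is worth confirming. A comment above the `if tracker.options[:rails3]` branch such as `# exec_* appeared in Rails 3; add_limit!/add_offset_limit!/add_lock! are the Rails 2 query helpers` would also record why the two lists differ. `run_check` continues past the end of the hunk.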
@@ -134,6 +146,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
134
146
  #
135
147
  def process_result result
136
148
  return if duplicate?(result) or result[:call].original_line
149
+ return if result[:target].nil? && !active_record_models.include?(result[:location][:class])
150
+
137
151
 
138
152
  call = result[:call]
139
153
  method = call.method
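Review bot: The new guard in `process_result` dereferences `result[:location][:class]`, so it raises `NoMethodError` if any result reaches here without a `:location` hash, and it silently drops every target-less SQL call found outside an Active Record model class. If results collected from templates carry a different location shape (not visible here) a nil-safe form is needed, e.g. `return if result[:target].nil? && !active_record_models.include?(result[:location] && result[:location][:class])`. The line also mixes `&&` with the `or` used on the preceding guard; pick one style for the pair.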
@@ -141,7 +155,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
141
155
  dangerous_value = case method
142
156
  when :find
143
157
  check_find_arguments call.second_arg
144
- when :exists?
158
+ when :exists?, :delete_all, :destroy_all
145
159
  check_find_arguments call.first_arg
146
160
  when :named_scope, :scope
147
161
  check_scope_arguments call
@@ -171,6 +185,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
171
185
  unsafe_sql? call.first_arg
172
186
  when :update_all
173
187
  check_update_all_arguments call.args
188
+ when *@connection_calls
189
+ check_by_sql_arguments call.first_arg
174
190
  else
175
191
  Brakeman.debug "Unhandled SQL method: #{method}"
176
192
  end
@@ -340,12 +356,46 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
340
356
  #unless safe_value? explicitly returns true.
341
357
  def check_string_interp arg
342
358
  arg.each do |exp|
343
- return exp.value if node_type?(exp, :string_eval, :evstr) and not safe_value?(exp.value)
359
+ if dangerous = unsafe_string_interp?(exp)
360
+ return dangerous
361
+ end
344
362
  end
345
363
 
346
364
  nil
347
365
  end
348
366
 
367
+ #Returns value if interpolated value is not something safe
368
+ def unsafe_string_interp? exp
369
+ if node_type? exp, :string_eval, :evstr
370
+ value = exp.value
371
+ else
372
+ value = exp
373
+ end
374
+
375
+ if not sexp? value
376
+ nil
377
+ elsif call? value and value.method == :to_s
378
+ unsafe_string_interp? value.target
379
+ else
380
+ case value.node_type
381
+ when :or
382
+ unsafe_string_interp?(value.lhs) || unsafe_string_interp?(value.rhs)
383
+ when :string_interp, :dstr
384
+ if dangerous = check_string_interp(value)
385
+ return dangerous
386
+ end
387
+ else
388
+ if safe_value? value
389
+ nil
390
+ elsif string_building? value
391
+ check_for_string_building value
392
+ else
393
+ value
394
+ end
395
+ end
396
+ end
397
+ end
398
+
349
399
  #Checks the given expression for unsafe SQL values. If an unsafe value is
350
400
  #found, returns that value (may be the given _exp_ or a subexpression).
351
401
  #
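Review bot: `unsafe_string_interp?` is named as a predicate but returns the offending expression or `nil`, and the callers rely on that value (`if dangerous = unsafe_string_interp?(exp)`), so the `?` suffix is misleading; a name such as `unsafe_string_interp` or `find_unsafe_string_interp` would match `check_string_interp`, which has the same contract. Inside the `:string_interp, :dstr` branch the `if dangerous = check_string_interp(value) ... return dangerous ... end` wrapper is redundant because the `case` is the method's last expression, so `check_string_interp(value)` alone returns the same value. The assignment-in-condition on the new `check_string_interp` line is also something RuboCop flags; parenthesise it or assign before the `if`.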
@@ -441,14 +491,47 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
441
491
 
442
492
  target = exp.target
443
493
  method = exp.method
494
+ arg = exp.first_arg
495
+
496
+ if STRING_METHODS.include? method
497
+ if string? target
498
+ check_string_arg arg
499
+ elsif string? arg
500
+ check_string_arg target
501
+ elsif call? target
502
+ check_for_string_building target
503
+ elsif node_type? target, :string_interp, :dstr or
504
+ node_type? arg, :string_interp, :dstr
505
+
506
+ check_string_arg target and
507
+ check_string_arg arg
508
+ end
509
+ else
510
+ nil
511
+ end
512
+ end
444
513
 
445
- if string? target or string? exp.first_arg
446
- return exp if STRING_METHODS.include? method
447
- elsif STRING_METHODS.include? method and call? target
448
- return unsafe_sql? target
514
+ def check_string_arg exp
515
+ if safe_value? exp
516
+ nil
517
+ elsif string_building? exp
518
+ check_for_string_building exp
519
+ elsif node_type? exp, :string_interp, :dstr
520
+ check_string_interp exp
521
+ elsif call? exp and exp.method == :to_s
522
+ check_string_arg exp.target
523
+ else
524
+ exp
449
525
  end
526
+ end
450
527
 
451
- nil
528
+ def string_building? exp
529
+ return false unless call? exp and STRING_METHODS.include? exp.method
530
+
531
+ node_type? exp.target, :str, :dstr, :string_interp or
532
+ node_type? exp.first_arg, :str, :dstr, :string_interp or
533
+ string_building? exp.target or
534
+ string_building? exp.first_arg
452
535
  end
453
536
 
454
537
  IGNORE_METHODS_IN_SQL = Set[:id, :merge_conditions, :table_name, :to_i, :to_f,
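Review bot: In the last branch of `check_for_string_building`, `check_string_arg target and check_string_arg arg` only yields a result when both sides are unsafe: an unsafe interpolation on the receiver combined with a safe interpolated argument returns `nil` because the second call returns `nil`, and a safe receiver short-circuits before the argument is examined at all. If the intent is "either side unsafe" it should read `check_string_arg(target) || check_string_arg(arg)`; if requiring both is deliberate to reduce false positives, a comment should say so. The `elsif call? target` branch also never looks at `arg`, so a `dstr` argument appended to a non-string receiver call is not inspected on this path unless `unsafe_sql?`, which is outside the hunk, already covers it.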
@@ -464,7 +547,13 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
464
547
  when :str, :lit, :const, :colon2, :nil, :true, :false
465
548
  true
466
549
  when :call
467
- IGNORE_METHODS_IN_SQL.include? exp.method
550
+ if exp.method == :to_s
551
+ safe_value? exp.target
552
+ else
553
+ IGNORE_METHODS_IN_SQL.include? exp.method or
554
+ quote_call? exp or
555
+ exp.method.to_s.end_with? "_id"
556
+ end
468
557
  when :if
469
558
  safe_value? exp.then_clause and safe_value? exp.else_clause
470
559
  when :block, :rlist
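Review bot: Treating any call whose method name ends in `_id` as safe is a heuristic that should be documented at the `exp.method.to_s.end_with? "_id"` line, since a model method named like a foreign key that returns user-controlled data would be classified safe and no warning raised. Suggest `# *_id readers are assumed to be integer foreign keys; a *_id method returning user input is an accepted miss`. The new `:to_s` special case that recurses into `exp.target` matches the same handling in `check_string_arg` and `unsafe_string_interp?`, so a one-word cross-reference in a comment would tie the three together.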
@@ -476,6 +565,16 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
476
565
  end
477
566
  end
478
567
 
568
+ QUOTE_METHODS = [:quote, :quote_column_name, :quoted_date, :quote_string, :quote_table_name]
569
+
570
+ def quote_call? exp
571
+ if call? exp.target
572
+ exp.target.method == :connection and QUOTE_METHODS.include? exp.method
573
+ elsif exp.target.nil?
574
+ exp.method == :quote_value
575
+ end
576
+ end
577
+
479
578
  #Check call for string building
480
579
  def check_call exp
481
580
  return unless call? exp
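Review bot: `QUOTE_METHODS` is a plain unfrozen `Array` while the existing `IGNORE_METHODS_IN_SQL` in the hunk above is a `Set`; for consistency and membership lookups use `QUOTE_METHODS = Set[:quote, :quote_column_name, :quoted_date, :quote_string, :quote_table_name]`. Marking `quote_string` as safe deserves a caveat: it escapes quote characters but does not add them, so a value interpolated without surrounding quotes is still not a safe SQL literal; a comment such as `# quote_string only escapes; it is safe only when the caller wraps the result in quotes` would record this as an accepted false negative. `quote_call?` returns `nil` rather than `false` when the target is neither a call nor `nil`, which is fine inside the `or` chain in `safe_value?` but worth noting if it is ever used elsewhere.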
@@ -521,6 +620,24 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
521
620
  call? call.target and call.target.method == :constantize
522
621
  end
523
622
 
623
+ SELF_CLASS = s(:call, s(:self), :class)
624
+
625
+ def connect_call? result
626
+ call = result[:call]
627
+ target = call.target
628
+
629
+ if call? target and target.method == :connection
630
+ target = target.target
631
+ klass = class_name(target)
632
+
633
+ target.nil? or
634
+ target == SELF_CLASS or
635
+ node_type? target, :self or
636
+ klass == :"ActiveRecord::Base" or
637
+ active_record_models.include? klass
638
+ end
639
+ end
640
+
524
641
  def upgrade_version? versions
525
642
  versions.each do |low, high, upgrade|
526
643
  return upgrade if version_between? low, high
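Review bot: `connect_call?` has no header comment and its five-way `or` chain encodes which receiver forms count as a model connection; a comment such as `# True when result is <receiver>.connection.<method> and the receiver is implicit, self, self.class, ActiveRecord::Base, or a known AR model` would make the `SELF_CLASS` constant and the `klass == :"ActiveRecord::Base"` comparison self-explanatory. Because `class_name` now returns its argument when it cannot resolve a name (see the ProcessorHelper hunk in this commit), `klass` may be a `Sexp`; `active_record_models.include?` then simply returns false, which is acceptable, but a brief note of this keeps the next reader from re-adding a rescue.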
@@ -529,8 +646,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
529
646
  false
530
647
  end
531
648
 
532
- def check_rails_versions_against_cve_issues
533
- [
649
+ def check_rails_versions_against_cve_issues
650
+ issues = [
534
651
  {
535
652
  :cve => "CVE-2012-2660",
536
653
  :versions => [%w[2.0.0 2.3.14 2.3.17], %w[3.0.0 3.0.12 3.0.13], %w[3.1.0 3.1.4 3.1.5], %w[3.2.0 3.2.3 3.2.4]],
@@ -556,12 +673,18 @@ def check_rails_versions_against_cve_issues
556
673
  :versions => [%w[2.0.0 2.3.15 2.3.16], %w[3.0.0 3.0.18 3.0.19], %w[3.1.0 3.1.9 3.1.10], %w[3.2.0 3.2.10 3.2.11]],
557
674
  :url => "https://groups.google.com/d/topic/rubyonrails-security/c7jT-EeN9eI/discussion"
558
675
  },
559
- {
676
+
677
+ ]
678
+
679
+ unless lts_version? '2.3.18.6'
680
+ issues << {
560
681
  :cve => "CVE-2013-6417",
561
682
  :versions => [%w[2.0.0 3.2.15 3.2.16], %w[4.0.0 4.0.1 4.0.2]],
562
683
  :url => "https://groups.google.com/d/msg/ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ"
563
- },
564
- ].each do |cve_issue|
684
+ }
685
+ end
686
+
687
+ issues.each do |cve_issue|
565
688
  cve_warning_for cve_issue[:versions], cve_issue[:cve], cve_issue[:url]
566
689
  end
567
690
  end
@@ -0,0 +1,31 @@
1
+ require 'brakeman/checks/base_check'
2
+
3
+ # Checks if verify_mode= is called with OpenSSL::SSL::VERIFY_NONE
4
+
5
+ class Brakeman::CheckSSLVerify < Brakeman::BaseCheck
6
+ Brakeman::Checks.add self
7
+
8
+ SSL_VERIFY_NONE = s(:colon2, s(:colon2, s(:const, :OpenSSL), :SSL), :VERIFY_NONE)
9
+
10
+ @description = "Checks for OpenSSL::SSL::VERIFY_NONE"
11
+
12
+ def run_check
13
+ check_open_ssl_verify_none
14
+ end
15
+
16
+ def check_open_ssl_verify_none
17
+ tracker.find_call(:method => :verify_mode=).each {|call| process_result(call)}
18
+ end
19
+
20
+ def process_result(result)
21
+ return if duplicate?(result)
22
+ if result[:call].last_arg == SSL_VERIFY_NONE
23
+ add_result result
24
+ warn :result => result,
25
+ :warning_type => "SSL Verification Bypass",
26
+ :warning_code => :ssl_verification_bypass,
27
+ :message => "SSL certificate verification was bypassed",
28
+ :confidence => CONFIDENCE[:high]
29
+ end
30
+ end
31
+ end
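Review bot: `process_result` in the new `CheckSSLVerify` matches only the exact `OpenSSL::SSL::VERIFY_NONE` constant expression (`SSL_VERIFY_NONE`), so the top-level `::OpenSSL::SSL::VERIFY_NONE` form, which RubyParser roots at `colon3` rather than `colon2`, the integer value of the constant, and a value passed through a variable are not reported; a comment at the comparison such as `# Only the literal constant is matched; the ::OpenSSL form, numeric values and variables are not detected` would record these known false negatives. The `{|call| process_result(call)}` block could be written `{ |call| process_result(call) }` to match the spacing used in the other checks, and `process_result` would benefit from a one-line comment stating that it warns at high confidence only on the literal constant.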
@@ -7,6 +7,7 @@ class Brakeman::CheckTranslateBug < Brakeman::BaseCheck
7
7
  @description = "Report XSS vulnerability in translate helper"
8
8
 
9
9
  def run_check
10
+ return if lts_version? '2.3.18.6'
10
11
  if (version_between?('2.3.0', '2.3.99') and tracker.config[:escape_html]) or
11
12
  version_between?('3.0.0', '3.0.10') or
12
13
  version_between?('3.1.0', '3.1.1')
@@ -23,13 +23,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
23
23
  #s(:class, NAME, PARENT, s(:scope ...))
24
24
  def process_class exp
25
25
  name = class_name(exp.class_name)
26
-
27
- begin
28
- parent = class_name exp.parent_name
29
- rescue StandardError => e
30
- Brakeman.debug e
31
- parent = nil
32
- end
26
+ parent = class_name(exp.parent_name)
33
27
 
34
28
  #If inside a real controller, treat any other classes as libraries.
35
29
  #But if not inside a controller already, then the class may include
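Review bot: `parent = class_name(exp.parent_name)` no longer yields `nil` when the parent cannot be resolved: with the ProcessorHelper change in this commit `class_name` returns the unresolved `Sexp` itself, so `parent` can now hold a `Sexp` where callers used to see `nil`. The same applies to the identical lines in the `LibraryProcessor` and `ModelProcessor` hunks below; `RenderHelper#get_class_target` in this commit guards with `is_a? Symbol`, and these three sites should either do the same, e.g. `parent = nil unless parent.is_a? Symbol`, or document that `:parent` may hold a raw expression. Whether anything downstream assumes a `Symbol` is not visible here.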
@@ -5,7 +5,7 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
5
5
 
6
6
  def initialize *args
7
7
  super
8
-
8
+ @gem_name_version = /^\s*([-_+.A-Za-z0-9]+) \((\w(\.\w+)*)\)/
9
9
  @tracker.config[:gems] ||= {}
10
10
  end
11
11
 
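Review bot: `@gem_name_version` is a fixed regexp rebuilt for every `GemProcessor` instance; define it once as a class constant, e.g. `GEM_NAME_VERSION = /^\s*([-_+.A-Za-z0-9]+) \((\w(\.\w+)*)\)/`, and reference it from `set_gem_version`. The `^` anchor is only correct because `process_gem_lock` feeds it one line at a time through `each_line`; a comment saying so, `# applied per line of Gemfile.lock, so ^ anchors the gem name`, prevents it from being reused against a whole-file string. The version group stops at the first non-word character, so platform-suffixed versions are captured without their suffix, which is presumably intended.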
@@ -13,9 +13,8 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
13
13
  process src
14
14
 
15
15
  if gem_lock
16
- get_rails_version gem_lock
17
- get_json_version gem_lock
18
- get_i18n_version gem_lock
16
+ process_gem_lock gem_lock
17
+ @tracker.config[:rails_version] = @tracker.config[:gems][:rails]
19
18
  elsif @tracker.config[:gems][:rails] =~ /(\d+.\d+.\d+)/
20
19
  @tracker.config[:rails_version] = $1
21
20
  end
@@ -35,6 +34,8 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
35
34
  def process_call exp
36
35
  if exp.target == nil and exp.method == :gem
37
36
  gem_name = exp.first_arg
37
+ return exp unless string? gem_name
38
+
38
39
  gem_version = exp.second_arg
39
40
 
40
41
  if string? gem_version
@@ -46,24 +47,17 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
46
47
 
47
48
  exp
48
49
  end
49
-
50
- # Supports .rc2 but not ~>, >=, or <=
51
- def get_version name, gem_lock
52
- if gem_lock =~ /\s#{name} \((\w(\.\w+)*)\)(?:\n|\r\n)/
53
- $1
54
- end
55
- end
56
50
 
57
- def get_rails_version gem_lock
58
- @tracker.config[:rails_version] = get_version("rails", gem_lock)
59
- end
60
-
61
- def get_json_version gem_lock
62
- @tracker.config[:gems][:json] = get_version("json", gem_lock)
63
- @tracker.config[:gems][:json_pure] = get_version("json_pure", gem_lock)
51
+ def process_gem_lock gem_lock
52
+ gem_lock.each_line do |line|
53
+ set_gem_version line
54
+ end
64
55
  end
65
56
 
66
- def get_i18n_version gem_lock
67
- @tracker.config[:gems][:i18n] = get_version("i18n", gem_lock)
57
+ # Supports .rc2 but not ~>, >=, or <=
58
+ def set_gem_version line
59
+ if line =~ @gem_name_version
60
+ @tracker.config[:gems][$1.to_sym] = $2
61
+ end
68
62
  end
69
63
  end
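Review bot: `set_gem_version` reads its captures through the `$1`/`$2` globals, which the style guide discourages; a `MatchData` local avoids them, e.g. `if (m = @gem_name_version.match(line))` then `@tracker.config[:gems][m[1].to_sym] = m[2]`. Every matching lock-file line is converted to a symbol with `to_sym`, which on pre-2.2 Rubies creates permanent symbols; the lock file is local input so this is acceptable, but worth a comment. A later line for the same gem name silently overwrites an earlier one, which presumably only happens for platform variants of one version, and the existing `# Supports .rc2 but not ~>, >=, or <=` comment could say so.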
@@ -122,11 +122,7 @@ class Brakeman::FindAllCalls < Brakeman::BaseProcessor
122
122
  when :true, :false
123
123
  exp[0]
124
124
  when :colon2
125
- begin
126
- class_name exp
127
- rescue StandardError
128
- exp
129
- end
125
+ class_name exp
130
126
  when :self
131
127
  @current_class || @current_module || nil
132
128
  else
@@ -52,6 +52,7 @@ module Brakeman::ProcessorHelper
52
52
  end
53
53
 
54
54
  #Returns a class name as a Symbol.
55
+ #If class name cannot be determined, returns _exp_.
55
56
  def class_name exp
56
57
  case exp
57
58
  when Sexp
@@ -69,14 +70,14 @@ module Brakeman::ProcessorHelper
69
70
  when :self
70
71
  @current_class || @current_module || nil
71
72
  else
72
- raise "Error: Cannot get class name from #{exp}"
73
+ exp
73
74
  end
74
75
  when Symbol
75
76
  exp
76
77
  when nil
77
78
  nil
78
79
  else
79
- raise "Error: Cannot get class name from #{exp}"
80
+ exp
80
81
  end
81
82
  end
82
83
  end
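Review bot: Returning `exp` from the two former `raise` branches of `class_name` turns a loud failure into a silent one: an unresolvable name now flows back to callers as a `Sexp` with nothing logged. A `Brakeman.debug "Cannot get class name from #{exp}"` before each `exp` return would keep the case observable, and the header comment could state the full contract, e.g. `#Returns a class name as a Symbol, nil for self outside any class, or _exp_ itself when it cannot be determined; callers must check is_a?(Symbol).` The outer `else` also returns `exp` for non-Sexp, non-Symbol inputs such as Strings, so the comment should mention that case as well.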
@@ -161,9 +161,10 @@ module Brakeman::RenderHelper
161
161
  if call? sexp
162
162
  get_class_target sexp.target
163
163
  else
164
- begin
165
- class_name sexp
166
- rescue
164
+ klass = class_name sexp
165
+ if klass.is_a? Symbol
166
+ klass
167
+ else
167
168
  nil
168
169
  end
169
170
  end
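Review bot: The new `if klass.is_a? Symbol ... else nil end` in `get_class_target` can be written as the single expression `klass if klass.is_a? Symbol`, which reads as the guard it is. The guard exists because `class_name` now returns the expression itself when it cannot resolve a name; a short comment such as `# class_name returns the raw Sexp when unresolved; only a Symbol is a usable target` would explain the check to a reader who has not seen that change. The enclosing method starts outside the hunk.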
@@ -30,12 +30,7 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
30
30
  if @tracker.libs[name]
31
31
  @current_class = @tracker.libs[name]
32
32
  else
33
- begin
34
- parent = class_name exp.parent_name
35
- rescue StandardError => e
36
- Brakeman.debug e
37
- parent = nil
38
- end
33
+ parent = class_name exp.parent_name
39
34
 
40
35
  @current_class = { :name => name,
41
36
  :parent => parent,
@@ -27,12 +27,7 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
27
27
  Brakeman.debug "[Notice] Skipping inner class: #{name}"
28
28
  ignore
29
29
  else
30
- begin
31
- parent = class_name exp.parent_name
32
- rescue StandardError => e
33
- Brakeman.debug e
34
- parent = nil
35
- end
30
+ parent = class_name exp.parent_name
36
31
 
37
32
  @model = { :name => name,
38
33
  :parent => parent,
@@ -85,13 +85,8 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
85
85
 
86
86
  if exp.method == :all or exp.method.to_s[0,4] == "find"
87
87
  models = Set.new @tracker.models.keys
88
-
89
- begin
90
- name = class_name target
91
- return target if models.include?(name)
92
- rescue StandardError
93
- end
94
-
88
+ name = class_name target
89
+ return target if models.include?(name)
95
90
  end
96
91
 
97
92
  return get_model_target(target)
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "2.3.1"
2
+ Version = "2.4.0"
3
3
  end
@@ -71,6 +71,7 @@ module Brakeman::WarningCodes
71
71
  :CVE_2013_6416_call => 68,
72
72
  :CVE_2013_6417 => 69,
73
73
  :mass_assign_permit! => 70,
74
+ :ssl_verification_bypass => 71
74
75
  }
75
76
 
76
77
  def self.code name
metadata CHANGED
@@ -1,13 +1,13 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: brakeman
3
3
  version: !ruby/object:Gem::Version
4
- hash: 1
4
+ hash: 31
5
5
  prerelease:
6
6
  segments:
7
7
  - 2
8
- - 3
9
- - 1
10
- version: 2.3.1
8
+ - 4
9
+ - 0
10
+ version: 2.4.0
11
11
  platform: ruby
12
12
  authors:
13
13
  - Justin Collins
@@ -36,7 +36,7 @@ cert_chain:
36
36
  bdw=
37
37
  -----END CERTIFICATE-----
38
38
 
39
- date: 2013-12-13 00:00:00 Z
39
+ date: 2014-02-05 00:00:00 Z
40
40
  dependencies:
41
41
  - !ruby/object:Gem::Dependency
42
42
  name: ruby_parser
@@ -46,12 +46,12 @@ dependencies:
46
46
  requirements:
47
47
  - - ~>
48
48
  - !ruby/object:Gem::Version
49
- hash: 11
49
+ hash: 23
50
50
  segments:
51
51
  - 3
52
- - 2
53
- - 2
54
- version: 3.2.2
52
+ - 4
53
+ - 0
54
+ version: 3.4.0
55
55
  type: :runtime
56
56
  version_requirements: *id001
57
57
  - !ruby/object:Gem::Dependency
@@ -265,6 +265,7 @@ files:
265
265
  - lib/brakeman/checks/check_single_quotes.rb
266
266
  - lib/brakeman/checks/check_skip_before_filter.rb
267
267
  - lib/brakeman/checks/check_sql.rb
268
+ - lib/brakeman/checks/check_ssl_verify.rb
268
269
  - lib/brakeman/checks/check_strip_tags.rb
269
270
  - lib/brakeman/checks/check_symbol_dos.rb
270
271
  - lib/brakeman/checks/check_translate_bug.rb
@@ -369,7 +370,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
369
370
  requirements: []
370
371
 
371
372
  rubyforge_project:
372
- rubygems_version: 1.8.25
373
+ rubygems_version: 1.8.15
373
374
  signing_key:
374
375
  specification_version: 3
375
376
  summary: Security vulnerability scanner for Ruby on Rails.
metadata.gz.sig CHANGED
Binary file