brakeman 3.0.1 → 3.0.2

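--- a/checksums.yaml
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+---
+SHA1:
+metadata.gz: d05a06e338f3309b5430c67decda380b5bccd1e9
+data.tar.gz: 79f70db112bdbcfa605b841f8375adeff1480220
+SHA512:
+metadata.gz: 2b2d46615e3e2c2510db8d14eebea2c9da264eb2580e3307f2b7a176d4718447a637ba30898d009871df313dc775d9f0d0c0a17c8993db08b0cd1d947f8fb490
+data.tar.gz: f046fd2458e86d5986149e3b6af15b611e992cae6c9cb5b65624a56ea1ead3faddc55b04e989f0060cf6445e1f1cf2b2a912dc00172faf207f3ea4a88bf7f6ab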
checksums.yaml.gz.sig ADDED
Binary file
data.tar.gz.sig CHANGED
Binary file
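--- a/data/CHANGES
+++ b/data/CHANGES
@@ -1,3 +1,19 @@
+# 3.0.2
+
+* Alias process methods called in class scope on models
+* Treat primary_key, table_name_prefix, table_name_suffix as safe in SQL
+* Fix using --compare and --add-checks-path together
+* Avoid warning about mass assignment with string literals
+* Only report original regex DoS locations
+* Improve render path information implementation
+* Report correct file for simple_format usage CVE warning
+* Remove URI.escape from HTML reports with GitHub repos
+* Update ruby_parser to ~> 3.6.2
+* Remove formatting newlines in HAML template output
+* Ignore case value in XSS checks
+* Fix CSV output when there are no warnings
+* Handle processing of explictly shadowed block arguments
+
 # 3.0.1
 
 * Avoid protect_from_forgery warning unless ApplicationController inherits from ActionController::Base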
data/lib/brakeman.rb CHANGED
@@ -399,8 +399,6 @@ module Brakeman
399
399
  require 'brakeman/differ'
400
400
  raise ArgumentError.new("Comparison file doesn't exist") unless File.exists? options[:previous_results_json]
401
401
 
402
- add_external_checks options
403
-
404
402
  begin
405
403
  previous_results = MultiJson.load(File.read(options[:previous_results_json]), :symbolize_keys => true)[:warnings]
406
404
  rescue MultiJson::DecodeError
@@ -260,6 +260,19 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
260
260
  exp
261
261
  end
262
262
 
263
+ def process_case exp
264
+ #Ignore user input in case value
265
+ #TODO: also ignore when values
266
+
267
+ current = 2
268
+ while current < exp.length
269
+ process exp[current] if exp[current]
270
+ current += 1
271
+ end
272
+
273
+ exp
274
+ end
275
+
263
276
  def setup
264
277
  @ignore_methods = Set[:button_to, :check_box, :content_tag, :escapeHTML, :escape_once,
265
278
  :field_field, :fields_for, :h, :hidden_field,
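Review bot: The index-driven `while` in the new `process_case` hides why the walk starts at 2; `exp[2..-1].each { |e| process e if e }` does the same work (Sexp is an Array subclass) and keeps the nil guard for a missing `else` body. The comment above it would help a reader more if it said what the skipped slots are: `#exp[1] is the case value, which is never output directly; exp[2..] are the when clauses and the trailing else (nil when absent)`. The open TODO means user input inside `when` comparisons is still processed and may still be reported, which is worth stating in the same comment so the gap stays visible.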
@@ -82,6 +82,8 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
82
82
  confidence = CONFIDENCE[:low]
83
83
  user_input = input.match
84
84
  end
85
+ elsif node_type? call.first_arg, :lit, :str
86
+ return
85
87
  else
86
88
  confidence = CONFIDENCE[:low]
87
89
  user_input = nil
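Review bot: The new `elsif node_type? call.first_arg, :lit, :str` branch returns from the enclosing method (which starts and ends outside this hunk) without saying why a literal first argument needs no warning; a comment would make the reasoning checkable: `#A bare literal cannot carry user input, so this is not mass assignment; interpolated strings are :dstr and still fall through`. As I read ruby_parser's node types, :str covers only non-interpolated strings, so the skip is sound, but that assumption is what the comment should record.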
@@ -26,7 +26,7 @@ class Brakeman::CheckRegexDoS < Brakeman::BaseCheck
26
26
 
27
27
  #Warns if regex includes user input
28
28
  def process_result result
29
- return if duplicate? result
29
+ return if duplicate? result or result[:call].original_line
30
30
  add_result result
31
31
 
32
32
  call = result[:call]
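Review bot: `result[:call].original_line` is what the new guard keys on, but nothing in the hunk says what a non-nil value means; a comment would help: `#A call with original_line was copied here by aliasing; only the original location is reported`. The CHANGES entry "Only report original regex DoS locations" supports that reading, but I am inferring the field's semantics from the name. process_result continues outside the hunk.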
@@ -53,7 +53,6 @@ class Brakeman::CheckSimpleFormat < Brakeman::CheckCrossSiteScripting
53
53
  :warning_code => :CVE_2013_6416_call,
54
54
  :message => "Values passed to simple_format are not safe in Rails #{@tracker.config[:rails_version]}",
55
55
  :confidence => CONFIDENCE[:high],
56
- :gem_info => gemfile_or_environment,
57
56
  :link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ",
58
57
  :user_input => match.match
59
58
  end
@@ -549,7 +549,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
549
549
  :sanitize_sql, :sanitize_sql_array, :sanitize_sql_for_assignment,
550
550
  :sanitize_sql_for_conditions, :sanitize_sql_hash,
551
551
  :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
552
- :to_sql, :sanitize, :exists]
552
+ :to_sql, :sanitize, :exists, :primary_key, :table_name_prefix, :table_name_suffix]
553
553
 
554
554
  def safe_value? exp
555
555
  return true unless sexp? exp
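Review bot: The three new entries in IGNORE_METHODS_IN_SQL are matched by method name alone (`IGNORE_METHODS_IN_SQL.include? exp.method` further down the file), so a call named `primary_key`, `table_name_prefix` or `table_name_suffix` on any receiver is now treated as safe SQL, not only the Active Record class attributes the CHANGES entry has in mind. That is the trade-off the rest of the list already makes, but it is worth recording next to the constant so a future reader knows the false-negative it accepts: `#Active Record class-level accessors whose values come from the schema or application config; matched by name only, so an application method with the same name is also trusted`. The constant's definition starts outside the hunk.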
@@ -558,7 +558,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
558
558
  when :str, :lit, :const, :colon2, :nil, :true, :false
559
559
  true
560
560
  when :call
561
- if exp.method == :to_s
561
+ if exp.method == :to_s or exp.method == :to_sym
562
562
  safe_value? exp.target
563
563
  else
564
564
  IGNORE_METHODS_IN_SQL.include? exp.method or
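Review bot: `if exp.method == :to_s or exp.method == :to_sym` could follow the pattern used two lines later and become `if [:to_s, :to_sym].include? exp.method`, which also makes the next such conversion a one-token addition. A comment saying why these two are transparent would help: `#to_s/to_sym add no content of their own, so the result is exactly as safe as the receiver`. safe_value? starts before this hunk and continues after it.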
@@ -75,7 +75,7 @@ module Brakeman
75
75
  Brakeman.load_brakeman_dependency 'sass'
76
76
 
77
77
  Haml::Engine.new(text,
78
- :escape_html => !!tracker.config[:escape_html]).precompiled
78
+ :escape_html => !!tracker.config[:escape_html]).precompiled.gsub(/([^\\])\\n/, '\1')
79
79
  end
80
80
 
81
81
  def parse_slim text
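Review bot: `gsub(/([^\\])\\n/, '\1')` consumes the character before each `\n`, so a `\n` at the very start of the precompiled string, or the second of two adjacent `\n` sequences, survives the cleanup. A negative lookbehind handles both without the capture: `.precompiled.gsub(/(?<!\\)\\n/, '')` (Onigmo syntax, Ruby 1.9+). A one-line comment on why the newlines are removed at all — I take it they only pad the generated output and otherwise end up inside the string literals later checks inspect — would also help, since editing compiled source is surprising on first read. The enclosing method starts outside the hunk.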
@@ -179,10 +179,10 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
179
179
  exp.block_args.each do |e|
180
180
  #Force block arg(s) to be local
181
181
  if node_type? e, :lasgn
182
- env.current[Sexp.new(:lvar, e.lhs)] = e.rhs
182
+ env.current[Sexp.new(:lvar, e.lhs)] = Sexp.new(:lvar, e.lhs)
183
183
  elsif node_type? e, :kwarg
184
184
  env.current[Sexp.new(:lvar, e[1])] = e[2]
185
- elsif node_type? e, :masgn
185
+ elsif node_type? e, :masgn, :shadow
186
186
  e[1..-1].each do |var|
187
187
  local = Sexp.new(:lvar, var)
188
188
  env.current[local] = local
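Review bot: After this change a block argument with a default (`:lasgn`) is mapped to itself, while on the next line a `:kwarg` default is still mapped to its value `e[2]`; if that asymmetry is intentional, a comment would stop the next reader from "fixing" it, e.g. `#Positional defaults are discarded: callers may pass anything, so the arg is treated as opaque` — I am inferring the intent. The `:lasgn` branch now also duplicates what the `:masgn`/`:shadow` branch does per variable, so `local = Sexp.new(:lvar, e.lhs); env.current[local] = local` would make the three branches read alike. The enclosing method starts and ends outside the hunk.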
@@ -1,5 +1,6 @@
1
1
  require 'brakeman/processors/alias_processor'
2
2
  require 'brakeman/processors/lib/render_helper'
3
+ require 'brakeman/processors/lib/render_path'
3
4
  require 'brakeman/processors/lib/find_return_value'
4
5
 
5
6
  #Processes aliasing in controllers, but includes following
@@ -170,7 +171,8 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
170
171
 
171
172
  #Process template and add the current class and method name as called_from info
172
173
  def process_template name, args
173
- super name, args, ["#@current_class##@current_method"]
174
+ render_path = Brakeman::RenderPath.new.add_controller_render(@current_class, @current_method)
175
+ super name, args, render_path
174
176
  end
175
177
 
176
178
  #Turns a method name into a template name
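Review bot: `Brakeman::RenderPath.new.add_controller_render(@current_class, @current_method)` ends up calling `to_sym` on `@current_class` unconditionally (RenderPath#add_controller_render only defaults `method_name`), whereas the interpolation it replaces produced `"#show"` for a nil class; if process_template can run before `@current_class` is set — I cannot tell from this hunk — that becomes a NoMethodError. Either default the class inside RenderPath the way the method is defaulted, or record the precondition here: `#@current_class must be set: RenderPath symbolizes it`. The same nil handling applies to the RenderPath file added in this release.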
@@ -0,0 +1,100 @@
1
+ module Brakeman
2
+ class RenderPath
3
+ attr_reader :path
4
+
5
+ def initialize
6
+ @path = []
7
+ end
8
+
9
+ def add_controller_render controller_name, method_name
10
+ method_name ||= ""
11
+
12
+ @path << { :type => :controller,
13
+ :class => controller_name.to_sym,
14
+ :method => method_name.to_sym }
15
+
16
+ self
17
+ end
18
+
19
+ def add_template_render template_name
20
+ @path << { :type => :template,
21
+ :name => template_name.to_sym }
22
+
23
+ self
24
+ end
25
+
26
+ def include_template? name
27
+ name = name.to_sym
28
+
29
+ @path.any? do |loc|
30
+ loc[:type] == :template and loc[:name] == name
31
+ end
32
+ end
33
+
34
+ def include_controller? klass
35
+ klass = klass.to_sym
36
+
37
+ @path.any? do |loc|
38
+ loc[:type] == :controller and loc[:class] == klass
39
+ end
40
+ end
41
+
42
+ def include_any_method? method_names
43
+ names = method_names.map(&:to_sym)
44
+
45
+ @path.any? do |loc|
46
+ loc[:type] == :controller and names.include? loc[:method]
47
+ end
48
+ end
49
+
50
+ def rendered_from_controller?
51
+ @path.any? do |loc|
52
+ loc[:type] == :controller
53
+ end
54
+ end
55
+
56
+ def each &block
57
+ @path.each &block
58
+ end
59
+
60
+ def join *args
61
+ self.to_a.join *args
62
+ end
63
+
64
+ def length
65
+ @path.length
66
+ end
67
+
68
+ def to_a
69
+ @path.map do |loc|
70
+ case loc[:type]
71
+ when :template
72
+ "Template:#{loc[:name]}"
73
+ when :controller
74
+ "#{loc[:class]}##{loc[:method]}"
75
+ end
76
+ end
77
+ end
78
+
79
+ def last
80
+ self.to_a.last
81
+ end
82
+
83
+ def to_s
84
+ self.to_a.to_s
85
+ end
86
+
87
+ def to_sym
88
+ self.to_s.to_sym
89
+ end
90
+
91
+ def to_json *args
92
+ MultiJson.dump(self.to_a)
93
+ end
94
+
95
+ def initialize_copy original
96
+ @path = original.path.dup
97
+ self
98
+ end
99
+ end
100
+ end
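Review bot: RenderPath replaces the Array of strings that `template[:caller]` used to hold, but defines no `==`, `eql?` or `hash`, so two paths with identical entries compare unequal and cannot be deduplicated in a Set or Hash the way the arrays could; if any caller compares or keys on callers (not visible from this file), add `def ==(other) other.is_a?(RenderPath) and path == other.path end` with `eql?` and `hash` delegating to `@path`. `attr_reader :path` also hands out the live array, so a caller can change the path behind `include_template?` and friends; returning `@path.dup` keeps the predicates trustworthy. `to_s` returns `to_a.to_s`, i.e. the Array inspect form such as `["Template:index"]`, which `to_sym` then symbolizes — fine if that mirrors the old array behaviour, but a comment saying so would save the next reader a check.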
@@ -170,7 +170,8 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
170
170
  end
171
171
  end
172
172
  end
173
- ignore
173
+
174
+ exp
174
175
  else
175
176
  call = make_call target, method, process_all!(exp.args)
176
177
  call.line(exp.line)
@@ -1,6 +1,7 @@
1
1
  require 'set'
2
2
  require 'brakeman/processors/alias_processor'
3
3
  require 'brakeman/processors/lib/render_helper'
4
+ require 'brakeman/processors/lib/render_path'
4
5
  require 'brakeman/tracker'
5
6
 
6
7
  #Processes aliasing in templates.
@@ -19,14 +20,14 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
19
20
  #Process template
20
21
  def process_template name, args
21
22
  if @called_from
22
- unless @called_from.grep(/Template:#{name}$/).empty?
23
+ if @called_from.include_template? name
23
24
  Brakeman.debug "Skipping circular render from #{@template[:name]} to #{name}"
24
25
  return
25
26
  end
26
27
 
27
- super name, args, @called_from + ["Template:#{@template[:name]}"]
28
+ super name, args, @called_from.dup.add_template_render(@template[:name])
28
29
  else
29
- super name, args, ["Template:#{@template[:name]}"]
30
+ super name, args, Brakeman::RenderPath.new.add_template_render(@template[:name])
30
31
  end
31
32
  end
32
33
 
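Review bot: The `.dup` in `@called_from.dup.add_template_render(@template[:name])` is load-bearing — add_template_render mutates the path and returns self, so without the copy the caller's `@called_from` would gain an entry on every nested render — and deserves a comment: `#dup: add_template_render mutates in place and @called_from belongs to the caller`. `include_template? name` also changes the circular-render test from the old `/Template:#{name}$/` regex (where `.` in a name matched any character and `$` matched at a line end) to an exact symbol comparison; that reads as a tightening rather than a regression, but it is a behaviour change worth one line in CHANGES.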
@@ -195,7 +195,7 @@ class Brakeman::Report::HTML < Brakeman::Report::Base
195
195
 
196
196
  if warning.file
197
197
  github_url = github_url warning.file, warning.line
198
- message.gsub!(/(near line \d+)/, "<a href='#{URI.escape github_url, /'/}' target='_blank'>\\1</a>") if github_url
198
+ message.gsub!(/(near line \d+)/, "<a href=\"#{github_url}\" target='_blank'>\\1</a>") if github_url
199
199
  end
200
200
 
201
201
  if @highlight_user_input and warning.user_input
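Review bot: With `URI.escape` gone, `github_url` is interpolated into the `href` attribute with no escaping at all; the helper on the line above builds it from `warning.file`, so a path containing `"` or `<` would terminate the attribute and alter the report's markup. Dropping URI.escape was right (it was the wrong escaper for attribute context), but the replacement should escape for HTML: `message.gsub!(/(near line \d+)/, "<a href=\"#{CGI.escapeHTML(github_url)}\" target='_blank'>\\1</a>") if github_url`, with `require 'cgi'` if the file does not already load it. While touching the anchor, `rel="noopener"` alongside `target='_blank'` is the usual hardening. The enclosing method starts and ends outside the hunk.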
@@ -113,7 +113,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
113
113
  if controller[:files].include?(path)
114
114
  tracker.templates.each do |template_name, template|
115
115
  next unless template[:caller]
116
- unless template[:caller].grep(/^#{name}#/).empty?
116
+ if template[:caller].include_controller? name
117
117
  tracker.reset_template template_name
118
118
  end
119
119
  end
@@ -142,21 +142,18 @@ class Brakeman::Rescanner < Brakeman::Scanner
142
142
 
143
143
  rescan = Set.new
144
144
 
145
- template_matcher = /^Template:(.+)/
146
- controller_matcher = /^(.+Controller)#(.+)/
147
- template_name_matcher = /^#{template_name}\./
148
-
149
145
  #Search for processed template and process it.
150
146
  #Search for rendered versions of template and re-render (if necessary)
151
147
  tracker.templates.each do |name, template|
152
148
  if template[:file] == path or template[:file].nil?
153
- next unless template[:caller] and name.to_s.match(template_name_matcher)
149
+ next unless template[:caller] and template[:name].to_sym == template_name.to_sym
154
150
 
155
151
  template[:caller].each do |from|
156
- if from.match(template_matcher)
157
- rescan << [:template, $1.to_sym]
158
- elsif from.match(controller_matcher)
159
- rescan << [:controller, $1.to_sym, $2.to_sym]
152
+ case from[:type]
153
+ when :template
154
+ rescan << [:template, from[:name]]
155
+ when :controller
156
+ rescan << [:controller, from[:class], from[:method]]
160
157
  end
161
158
  end
162
159
  end
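Review bot: `template[:name].to_sym == template_name.to_sym` replaces the prefix regex `/^#{template_name}\./` with an exact match, so the loop now relies on `template[:name]` holding the base template name even for rendered copies whose hash key `name` carries a `.Controller#action` suffix; if that is how the tracker stores them, say so: `#template[:name] is the base name shared by the original and its rendered copies`. The new `case from[:type]` silently ignores any entry type other than :template and :controller, which is correct for the two RenderPath produces, but an `else Brakeman.debug "Unknown caller type: #{from[:type]}"` would surface a future third type instead of dropping it. The enclosing method starts and ends outside the hunk.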
@@ -272,13 +269,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
272
269
 
273
270
  #Remove any rendered versions, or partials rendered from it
274
271
  tracker.templates.delete_if do |name, template|
275
- if template[:file] == path
276
- true
277
- elsif template[:file].nil?
278
- name = name.to_s
279
-
280
- name.match(rendered_from_controller) or name.match(rendered_from_view)
281
- end
272
+ template[:file] == path or template[:name].to_sym == template_name.to_sym
282
273
  end
283
274
  end
284
275
 
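Review bot: The rewritten `delete_if` body no longer references `rendered_from_controller` or `rendered_from_view`, which the removed lines used; if those are still assigned earlier in this method (outside the hunk) they are now dead locals and should go, together with whatever builds them. `template[:name].to_sym` also raises on a template without a :name, where the old branch only touched the hash key `name`; if every tracked template carries a :name this is fine, otherwise guard it. `template_name.to_sym` is recomputed for every template and could be hoisted above the block.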
@@ -356,8 +347,6 @@ class Brakeman::Rescanner < Brakeman::Scanner
356
347
  end
357
348
  end
358
349
 
359
- method_matcher = /##{method_names.map {|n| Regexp.escape(n.to_s)}.join('|')}$/
360
-
361
350
  to_rescan = []
362
351
 
363
352
  #Rescan controllers that mixed in library
@@ -384,7 +373,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
384
373
  tracker.templates.each do |name, template|
385
374
  next unless template[:caller]
386
375
 
387
- unless template[:caller].grep(method_matcher).empty?
376
+ if template[:caller].include_any_method? method_names
388
377
  name.to_s.match /^([^.]+)/
389
378
 
390
379
  original = tracker.templates[$1.to_sym]
@@ -257,7 +257,7 @@ class Brakeman::Tracker
257
257
  def reset_templates options = { :only_rendered => false }
258
258
  if options[:only_rendered]
259
259
  @templates.delete_if do |name, template|
260
- name.to_s.include? "Controller#"
260
+ template[:caller] and template[:caller].rendered_from_controller?
261
261
  end
262
262
  else
263
263
  @templates = {}
@@ -311,11 +311,10 @@ class Brakeman::Tracker
311
311
  @controllers.each do |name, controller|
312
312
  if controller[:files].include?(path)
313
313
  controller_name = name
314
- template_matcher = /^#{name}#/
315
314
 
316
315
  #Remove templates rendered from this controller
317
316
  @templates.each do |template_name, template|
318
- if template[:caller] and not template[:caller].grep(template_matcher).empty?
317
+ if template[:caller] and template[:caller].include_controller? name
319
318
  reset_template template_name
320
319
  @call_index.remove_template_indexes template_name
321
320
  end
data/lib/brakeman/util.rb CHANGED
@@ -423,6 +423,8 @@ module Brakeman::Util
423
423
 
424
424
  # rely on Terminal::Table to build the structure, extract the data out in CSV format
425
425
  def table_to_csv table
426
+ return "" unless table
427
+
426
428
  Brakeman.load_brakeman_dependency 'terminal-table'
427
429
  output = CSV.generate_line(table.headings.cells.map{|cell| cell.to_s.strip})
428
430
  table.rows.each do |row|
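Review bot: `return "" unless table` makes table_to_csv tolerate a nil table, but the comment above still describes only the Terminal::Table path; extend it with `# returns "" when there is no table (e.g. a report with no warnings)` so callers know they get an empty string rather than a header-only CSV. I take the nil case to be the no-warnings report from the CHANGES entry, but the caller is not visible here. The method body continues outside the hunk.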
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "3.0.1"
2
+ Version = "3.0.2"
3
3
  end
metadata CHANGED
@@ -1,14 +1,13 @@
1
- --- !ruby/object:Gem::Specification
1
+ --- !ruby/object:Gem::Specification
2
2
  name: brakeman
3
- version: !ruby/object:Gem::Version
4
- prerelease:
5
- version: 3.0.1
3
+ version: !ruby/object:Gem::Version
4
+ version: 3.0.2
6
5
  platform: ruby
7
- authors:
6
+ authors:
8
7
  - Justin Collins
9
8
  autorequire:
10
9
  bindir: bin
11
- cert_chain:
10
+ cert_chain:
12
11
  - |
13
12
  -----BEGIN CERTIFICATE-----
14
13
  MIIDijCCAnKgAwIBAgIBATANBgkqhkiG9w0BAQUFADBFMQ8wDQYDVQQDDAZqdXN0
@@ -31,295 +30,323 @@ cert_chain:
31
30
  bxoxp9KNxkO+709YwLO1rYfmcGghg8WV6MYz3PSHdlgWF4KrjRFc/00hXHqVk0Sf
32
31
  mREEv2LPwHH2SgpSSab+iawnX4l6lV8XcIrmp/HSMySsPVFBeOmB0c05LpEN8w==
33
32
  -----END CERTIFICATE-----
34
-
35
- date: 2015-01-23 00:00:00 Z
36
- dependencies:
37
- - !ruby/object:Gem::Dependency
33
+ date: 2015-03-09 00:00:00.000000000 Z
34
+ dependencies:
35
+ - !ruby/object:Gem::Dependency
38
36
  name: test-unit
39
- prerelease: false
40
- requirement: &id001 !ruby/object:Gem::Requirement
41
- none: false
42
- requirements:
37
+ requirement: !ruby/object:Gem::Requirement
38
+ requirements:
43
39
  - - ">="
44
- - !ruby/object:Gem::Version
45
- version: "0"
40
+ - !ruby/object:Gem::Version
41
+ version: '0'
46
42
  type: :development
47
- version_requirements: *id001
48
- - !ruby/object:Gem::Dependency
49
- name: ruby_parser
50
43
  prerelease: false
51
- requirement: &id002 !ruby/object:Gem::Requirement
52
- none: false
53
- requirements:
54
- - - ~>
55
- - !ruby/object:Gem::Version
56
- version: 3.5.0
44
+ version_requirements: !ruby/object:Gem::Requirement
45
+ requirements:
46
+ - - ">="
47
+ - !ruby/object:Gem::Version
48
+ version: '0'
49
+ - !ruby/object:Gem::Dependency
50
+ name: ruby_parser
51
+ requirement: !ruby/object:Gem::Requirement
52
+ requirements:
53
+ - - "~>"
54
+ - !ruby/object:Gem::Version
55
+ version: 3.6.2
57
56
  type: :runtime
58
- version_requirements: *id002
59
- - !ruby/object:Gem::Dependency
60
- name: ruby2ruby
61
57
  prerelease: false
62
- requirement: &id003 !ruby/object:Gem::Requirement
63
- none: false
64
- requirements:
65
- - - ~>
66
- - !ruby/object:Gem::Version
58
+ version_requirements: !ruby/object:Gem::Requirement
59
+ requirements:
60
+ - - "~>"
61
+ - !ruby/object:Gem::Version
62
+ version: 3.6.2
63
+ - !ruby/object:Gem::Dependency
64
+ name: ruby2ruby
65
+ requirement: !ruby/object:Gem::Requirement
66
+ requirements:
67
+ - - "~>"
68
+ - !ruby/object:Gem::Version
67
69
  version: 2.1.1
68
70
  type: :runtime
69
- version_requirements: *id003
70
- - !ruby/object:Gem::Dependency
71
- name: terminal-table
72
71
  prerelease: false
73
- requirement: &id004 !ruby/object:Gem::Requirement
74
- none: false
75
- requirements:
76
- - - ~>
77
- - !ruby/object:Gem::Version
78
- version: "1.4"
72
+ version_requirements: !ruby/object:Gem::Requirement
73
+ requirements:
74
+ - - "~>"
75
+ - !ruby/object:Gem::Version
76
+ version: 2.1.1
77
+ - !ruby/object:Gem::Dependency
78
+ name: terminal-table
79
+ requirement: !ruby/object:Gem::Requirement
80
+ requirements:
81
+ - - "~>"
82
+ - !ruby/object:Gem::Version
83
+ version: '1.4'
79
84
  type: :runtime
80
- version_requirements: *id004
81
- - !ruby/object:Gem::Dependency
82
- name: fastercsv
83
85
  prerelease: false
84
- requirement: &id005 !ruby/object:Gem::Requirement
85
- none: false
86
- requirements:
87
- - - ~>
88
- - !ruby/object:Gem::Version
89
- version: "1.5"
86
+ version_requirements: !ruby/object:Gem::Requirement
87
+ requirements:
88
+ - - "~>"
89
+ - !ruby/object:Gem::Version
90
+ version: '1.4'
91
+ - !ruby/object:Gem::Dependency
92
+ name: fastercsv
93
+ requirement: !ruby/object:Gem::Requirement
94
+ requirements:
95
+ - - "~>"
96
+ - !ruby/object:Gem::Version
97
+ version: '1.5'
90
98
  type: :runtime
91
- version_requirements: *id005
92
- - !ruby/object:Gem::Dependency
93
- name: highline
94
99
  prerelease: false
95
- requirement: &id006 !ruby/object:Gem::Requirement
96
- none: false
97
- requirements:
98
- - - ~>
99
- - !ruby/object:Gem::Version
100
+ version_requirements: !ruby/object:Gem::Requirement
101
+ requirements:
102
+ - - "~>"
103
+ - !ruby/object:Gem::Version
104
+ version: '1.5'
105
+ - !ruby/object:Gem::Dependency
106
+ name: highline
107
+ requirement: !ruby/object:Gem::Requirement
108
+ requirements:
109
+ - - "~>"
110
+ - !ruby/object:Gem::Version
100
111
  version: 1.6.20
101
112
  type: :runtime
102
- version_requirements: *id006
103
- - !ruby/object:Gem::Dependency
104
- name: erubis
105
113
  prerelease: false
106
- requirement: &id007 !ruby/object:Gem::Requirement
107
- none: false
108
- requirements:
109
- - - ~>
110
- - !ruby/object:Gem::Version
111
- version: "2.6"
114
+ version_requirements: !ruby/object:Gem::Requirement
115
+ requirements:
116
+ - - "~>"
117
+ - !ruby/object:Gem::Version
118
+ version: 1.6.20
119
+ - !ruby/object:Gem::Dependency
120
+ name: erubis
121
+ requirement: !ruby/object:Gem::Requirement
122
+ requirements:
123
+ - - "~>"
124
+ - !ruby/object:Gem::Version
125
+ version: '2.6'
112
126
  type: :runtime
113
- version_requirements: *id007
114
- - !ruby/object:Gem::Dependency
115
- name: haml
116
127
  prerelease: false
117
- requirement: &id008 !ruby/object:Gem::Requirement
118
- none: false
119
- requirements:
128
+ version_requirements: !ruby/object:Gem::Requirement
129
+ requirements:
130
+ - - "~>"
131
+ - !ruby/object:Gem::Version
132
+ version: '2.6'
133
+ - !ruby/object:Gem::Dependency
134
+ name: haml
135
+ requirement: !ruby/object:Gem::Requirement
136
+ requirements:
120
137
  - - ">="
121
- - !ruby/object:Gem::Version
122
- version: "3.0"
123
- - - <
124
- - !ruby/object:Gem::Version
125
- version: "5.0"
138
+ - !ruby/object:Gem::Version
139
+ version: '3.0'
140
+ - - "<"
141
+ - !ruby/object:Gem::Version
142
+ version: '5.0'
126
143
  type: :runtime
127
- version_requirements: *id008
128
- - !ruby/object:Gem::Dependency
129
- name: sass
130
144
  prerelease: false
131
- requirement: &id009 !ruby/object:Gem::Requirement
132
- none: false
133
- requirements:
134
- - - ~>
135
- - !ruby/object:Gem::Version
136
- version: "3.0"
145
+ version_requirements: !ruby/object:Gem::Requirement
146
+ requirements:
147
+ - - ">="
148
+ - !ruby/object:Gem::Version
149
+ version: '3.0'
150
+ - - "<"
151
+ - !ruby/object:Gem::Version
152
+ version: '5.0'
153
+ - !ruby/object:Gem::Dependency
154
+ name: sass
155
+ requirement: !ruby/object:Gem::Requirement
156
+ requirements:
157
+ - - "~>"
158
+ - !ruby/object:Gem::Version
159
+ version: '3.0'
137
160
  type: :runtime
138
- version_requirements: *id009
139
- - !ruby/object:Gem::Dependency
140
- name: multi_json
141
161
  prerelease: false
142
- requirement: &id010 !ruby/object:Gem::Requirement
143
- none: false
144
- requirements:
145
- - - ~>
146
- - !ruby/object:Gem::Version
147
- version: "1.2"
162
+ version_requirements: !ruby/object:Gem::Requirement
163
+ requirements:
164
+ - - "~>"
165
+ - !ruby/object:Gem::Version
166
+ version: '3.0'
167
+ - !ruby/object:Gem::Dependency
168
+ name: multi_json
169
+ requirement: !ruby/object:Gem::Requirement
170
+ requirements:
171
+ - - "~>"
172
+ - !ruby/object:Gem::Version
173
+ version: '1.2'
148
174
  type: :runtime
149
- version_requirements: *id010
150
- description: Brakeman detects security vulnerabilities in Ruby on Rails applications via static analysis.
175
+ prerelease: false
176
+ version_requirements: !ruby/object:Gem::Requirement
177
+ requirements:
178
+ - - "~>"
179
+ - !ruby/object:Gem::Version
180
+ version: '1.2'
181
+ description: Brakeman detects security vulnerabilities in Ruby on Rails applications
182
+ via static analysis.
151
183
  email: gem@brakeman.org
152
- executables:
184
+ executables:
153
185
  - brakeman
154
186
  extensions: []
155
-
156
187
  extra_rdoc_files: []
157
-
158
- files:
159
- - bin/brakeman
188
+ files:
160
189
  - CHANGES
161
- - WARNING_TYPES
162
190
  - FEATURES
163
191
  - README.md
192
+ - WARNING_TYPES
193
+ - bin/brakeman
164
194
  - lib/brakeman.rb
165
- - lib/ruby_parser/bm_sexp.rb
166
- - lib/ruby_parser/bm_sexp_processor.rb
167
195
  - lib/brakeman/app_tree.rb
168
- - lib/brakeman/call_index.rb
169
196
  - lib/brakeman/brakeman.rake
170
- - lib/brakeman/scanner.rb
171
- - lib/brakeman/options.rb
172
- - lib/brakeman/warning_codes.rb
173
- - lib/brakeman/differ.rb
174
- - lib/brakeman/checks/check_model_attr_accessible.rb
175
- - lib/brakeman/checks/check_i18n_xss.rb
176
- - lib/brakeman/checks/check_digest_dos.rb
177
- - lib/brakeman/checks/check_session_settings.rb
178
- - lib/brakeman/checks/check_redirect.rb
179
- - lib/brakeman/checks/check_model_serialize.rb
180
- - lib/brakeman/checks/check_regex_dos.rb
181
- - lib/brakeman/checks/check_validation_regex.rb
182
- - lib/brakeman/checks/check_single_quotes.rb
197
+ - lib/brakeman/call_index.rb
198
+ - lib/brakeman/checks.rb
199
+ - lib/brakeman/checks/base_check.rb
200
+ - lib/brakeman/checks/check_basic_auth.rb
201
+ - lib/brakeman/checks/check_content_tag.rb
202
+ - lib/brakeman/checks/check_create_with.rb
203
+ - lib/brakeman/checks/check_cross_site_scripting.rb
204
+ - lib/brakeman/checks/check_default_routes.rb
205
+ - lib/brakeman/checks/check_deserialize.rb
183
206
  - lib/brakeman/checks/check_detailed_exceptions.rb
184
- - lib/brakeman/checks/check_file_access.rb
185
- - lib/brakeman/checks/check_unscoped_find.rb
186
- - lib/brakeman/checks/check_forgery_setting.rb
187
- - lib/brakeman/checks/check_symbol_dos.rb
207
+ - lib/brakeman/checks/check_digest_dos.rb
208
+ - lib/brakeman/checks/check_escape_function.rb
209
+ - lib/brakeman/checks/check_evaluation.rb
188
210
  - lib/brakeman/checks/check_execute.rb
189
- - lib/brakeman/checks/check_safe_buffer_manipulation.rb
190
- - lib/brakeman/checks/check_skip_before_filter.rb
191
- - lib/brakeman/checks/check_default_routes.rb
211
+ - lib/brakeman/checks/check_file_access.rb
192
212
  - lib/brakeman/checks/check_file_disclosure.rb
193
- - lib/brakeman/checks/check_basic_auth.rb
194
- - lib/brakeman/checks/check_render.rb
195
- - lib/brakeman/checks/base_check.rb
196
- - lib/brakeman/checks/check_mass_assignment.rb
197
- - lib/brakeman/checks/check_sanitize_methods.rb
198
- - lib/brakeman/checks/check_simple_format.rb
199
- - lib/brakeman/checks/check_select_vulnerability.rb
200
- - lib/brakeman/checks/check_send_file.rb
201
- - lib/brakeman/checks/check_response_splitting.rb
202
- - lib/brakeman/checks/check_ssl_verify.rb
203
213
  - lib/brakeman/checks/check_filter_skipping.rb
214
+ - lib/brakeman/checks/check_forgery_setting.rb
215
+ - lib/brakeman/checks/check_header_dos.rb
216
+ - lib/brakeman/checks/check_i18n_xss.rb
204
217
  - lib/brakeman/checks/check_jruby_xml.rb
205
- - lib/brakeman/checks/check_escape_function.rb
206
- - lib/brakeman/checks/check_strip_tags.rb
207
218
  - lib/brakeman/checks/check_json_parsing.rb
208
- - lib/brakeman/checks/check_select_tag.rb
209
- - lib/brakeman/checks/check_translate_bug.rb
210
- - lib/brakeman/checks/check_quote_table_name.rb
211
- - lib/brakeman/checks/check_sql.rb
212
- - lib/brakeman/checks/check_yaml_parsing.rb
213
- - lib/brakeman/checks/check_render_inline.rb
214
- - lib/brakeman/checks/check_cross_site_scripting.rb
219
+ - lib/brakeman/checks/check_link_to.rb
215
220
  - lib/brakeman/checks/check_link_to_href.rb
216
- - lib/brakeman/checks/check_deserialize.rb
221
+ - lib/brakeman/checks/check_mail_to.rb
222
+ - lib/brakeman/checks/check_mass_assignment.rb
223
+ - lib/brakeman/checks/check_model_attr_accessible.rb
217
224
  - lib/brakeman/checks/check_model_attributes.rb
218
- - lib/brakeman/checks/check_number_to_currency.rb
219
- - lib/brakeman/checks/check_content_tag.rb
220
- - lib/brakeman/checks/check_symbol_dos_cve.rb
225
+ - lib/brakeman/checks/check_model_serialize.rb
221
226
  - lib/brakeman/checks/check_nested_attributes.rb
227
+ - lib/brakeman/checks/check_number_to_currency.rb
228
+ - lib/brakeman/checks/check_quote_table_name.rb
229
+ - lib/brakeman/checks/check_redirect.rb
230
+ - lib/brakeman/checks/check_regex_dos.rb
231
+ - lib/brakeman/checks/check_render.rb
232
+ - lib/brakeman/checks/check_render_dos.rb
233
+ - lib/brakeman/checks/check_render_inline.rb
234
+ - lib/brakeman/checks/check_response_splitting.rb
235
+ - lib/brakeman/checks/check_safe_buffer_manipulation.rb
236
+ - lib/brakeman/checks/check_sanitize_methods.rb
237
+ - lib/brakeman/checks/check_select_tag.rb
238
+ - lib/brakeman/checks/check_select_vulnerability.rb
222
239
  - lib/brakeman/checks/check_send.rb
223
- - lib/brakeman/checks/check_unsafe_reflection.rb
224
- - lib/brakeman/checks/check_evaluation.rb
240
+ - lib/brakeman/checks/check_send_file.rb
241
+ - lib/brakeman/checks/check_session_settings.rb
242
+ - lib/brakeman/checks/check_simple_format.rb
243
+ - lib/brakeman/checks/check_single_quotes.rb
244
+ - lib/brakeman/checks/check_skip_before_filter.rb
245
+ - lib/brakeman/checks/check_sql.rb
225
246
  - lib/brakeman/checks/check_sql_cves.rb
226
- - lib/brakeman/checks/check_mail_to.rb
247
+ - lib/brakeman/checks/check_ssl_verify.rb
248
+ - lib/brakeman/checks/check_strip_tags.rb
249
+ - lib/brakeman/checks/check_symbol_dos.rb
250
+ - lib/brakeman/checks/check_symbol_dos_cve.rb
251
+ - lib/brakeman/checks/check_translate_bug.rb
252
+ - lib/brakeman/checks/check_unsafe_reflection.rb
253
+ - lib/brakeman/checks/check_unscoped_find.rb
254
+ - lib/brakeman/checks/check_validation_regex.rb
227
255
  - lib/brakeman/checks/check_without_protection.rb
228
- - lib/brakeman/checks/check_create_with.rb
229
- - lib/brakeman/checks/check_header_dos.rb
230
- - lib/brakeman/checks/check_link_to.rb
231
- - lib/brakeman/checks/check_render_dos.rb
232
- - lib/brakeman/processor.rb
256
+ - lib/brakeman/checks/check_yaml_parsing.rb
257
+ - lib/brakeman/differ.rb
233
258
  - lib/brakeman/file_parser.rb
234
- - lib/brakeman/version.rb
235
259
  - lib/brakeman/format/style.css
236
- - lib/brakeman/checks.rb
237
- - lib/brakeman/tracker.rb
238
- - lib/brakeman/parsers/rails3_erubis.rb
260
+ - lib/brakeman/options.rb
239
261
  - lib/brakeman/parsers/rails2_erubis.rb
240
- - lib/brakeman/parsers/template_parser.rb
241
262
  - lib/brakeman/parsers/rails2_xss_plugin_erubis.rb
242
- - lib/brakeman/util.rb
243
- - lib/brakeman/report.rb
244
- - lib/brakeman/warning.rb
263
+ - lib/brakeman/parsers/rails3_erubis.rb
264
+ - lib/brakeman/parsers/template_parser.rb
265
+ - lib/brakeman/processor.rb
245
266
  - lib/brakeman/processors/alias_processor.rb
246
- - lib/brakeman/processors/output_processor.rb
247
- - lib/brakeman/processors/template_processor.rb
248
- - lib/brakeman/processors/erubis_template_processor.rb
249
- - lib/brakeman/processors/erb_template_processor.rb
250
- - lib/brakeman/processors/model_processor.rb
251
- - lib/brakeman/processors/template_alias_processor.rb
267
+ - lib/brakeman/processors/base_processor.rb
252
268
  - lib/brakeman/processors/config_processor.rb
253
269
  - lib/brakeman/processors/controller_alias_processor.rb
270
+ - lib/brakeman/processors/controller_processor.rb
271
+ - lib/brakeman/processors/erb_template_processor.rb
272
+ - lib/brakeman/processors/erubis_template_processor.rb
273
+ - lib/brakeman/processors/gem_processor.rb
254
274
  - lib/brakeman/processors/haml_template_processor.rb
255
- - lib/brakeman/processors/base_processor.rb
256
- - lib/brakeman/processors/lib/find_return_value.rb
257
- - lib/brakeman/processors/lib/rails3_route_processor.rb
258
- - lib/brakeman/processors/lib/find_all_calls.rb
259
275
  - lib/brakeman/processors/lib/basic_processor.rb
260
- - lib/brakeman/processors/lib/rails2_route_processor.rb
261
- - lib/brakeman/processors/lib/route_helper.rb
276
+ - lib/brakeman/processors/lib/find_all_calls.rb
262
277
  - lib/brakeman/processors/lib/find_call.rb
263
- - lib/brakeman/processors/lib/render_helper.rb
264
- - lib/brakeman/processors/lib/rails3_config_processor.rb
265
- - lib/brakeman/processors/lib/rails2_config_processor.rb
278
+ - lib/brakeman/processors/lib/find_return_value.rb
266
279
  - lib/brakeman/processors/lib/processor_helper.rb
267
- - lib/brakeman/processors/controller_processor.rb
268
- - lib/brakeman/processors/slim_template_processor.rb
280
+ - lib/brakeman/processors/lib/rails2_config_processor.rb
281
+ - lib/brakeman/processors/lib/rails2_route_processor.rb
282
+ - lib/brakeman/processors/lib/rails3_config_processor.rb
283
+ - lib/brakeman/processors/lib/rails3_route_processor.rb
284
+ - lib/brakeman/processors/lib/render_helper.rb
285
+ - lib/brakeman/processors/lib/render_path.rb
286
+ - lib/brakeman/processors/lib/route_helper.rb
269
287
  - lib/brakeman/processors/library_processor.rb
270
- - lib/brakeman/processors/gem_processor.rb
288
+ - lib/brakeman/processors/model_processor.rb
289
+ - lib/brakeman/processors/output_processor.rb
271
290
  - lib/brakeman/processors/route_processor.rb
272
- - lib/brakeman/report/report_markdown.rb
291
+ - lib/brakeman/processors/slim_template_processor.rb
292
+ - lib/brakeman/processors/template_alias_processor.rb
293
+ - lib/brakeman/processors/template_processor.rb
294
+ - lib/brakeman/report.rb
295
+ - lib/brakeman/report/ignore/config.rb
296
+ - lib/brakeman/report/ignore/interactive.rb
297
+ - lib/brakeman/report/initializers/faster_csv.rb
298
+ - lib/brakeman/report/initializers/multi_json.rb
299
+ - lib/brakeman/report/renderer.rb
273
300
  - lib/brakeman/report/report_base.rb
301
+ - lib/brakeman/report/report_csv.rb
274
302
  - lib/brakeman/report/report_hash.rb
303
+ - lib/brakeman/report/report_html.rb
304
+ - lib/brakeman/report/report_json.rb
305
+ - lib/brakeman/report/report_markdown.rb
306
+ - lib/brakeman/report/report_table.rb
307
+ - lib/brakeman/report/report_tabs.rb
275
308
  - lib/brakeman/report/templates/controller_overview.html.erb
276
- - lib/brakeman/report/templates/security_warnings.html.erb
277
- - lib/brakeman/report/templates/warning_overview.html.erb
278
- - lib/brakeman/report/templates/ignored_warnings.html.erb
279
- - lib/brakeman/report/templates/model_warnings.html.erb
280
309
  - lib/brakeman/report/templates/controller_warnings.html.erb
281
- - lib/brakeman/report/templates/overview.html.erb
282
310
  - lib/brakeman/report/templates/error_overview.html.erb
283
- - lib/brakeman/report/templates/view_warnings.html.erb
284
311
  - lib/brakeman/report/templates/header.html.erb
312
+ - lib/brakeman/report/templates/ignored_warnings.html.erb
313
+ - lib/brakeman/report/templates/model_warnings.html.erb
314
+ - lib/brakeman/report/templates/overview.html.erb
315
+ - lib/brakeman/report/templates/security_warnings.html.erb
285
316
  - lib/brakeman/report/templates/template_overview.html.erb
286
- - lib/brakeman/report/ignore/config.rb
287
- - lib/brakeman/report/ignore/interactive.rb
288
- - lib/brakeman/report/renderer.rb
289
- - lib/brakeman/report/report_table.rb
290
- - lib/brakeman/report/report_html.rb
291
- - lib/brakeman/report/report_csv.rb
292
- - lib/brakeman/report/report_tabs.rb
293
- - lib/brakeman/report/initializers/faster_csv.rb
294
- - lib/brakeman/report/initializers/multi_json.rb
295
- - lib/brakeman/report/report_json.rb
317
+ - lib/brakeman/report/templates/view_warnings.html.erb
318
+ - lib/brakeman/report/templates/warning_overview.html.erb
296
319
  - lib/brakeman/rescanner.rb
320
+ - lib/brakeman/scanner.rb
321
+ - lib/brakeman/tracker.rb
322
+ - lib/brakeman/util.rb
323
+ - lib/brakeman/version.rb
324
+ - lib/brakeman/warning.rb
325
+ - lib/brakeman/warning_codes.rb
326
+ - lib/ruby_parser/bm_sexp.rb
327
+ - lib/ruby_parser/bm_sexp_processor.rb
297
328
  homepage: http://brakemanscanner.org
298
- licenses:
329
+ licenses:
299
330
  - MIT
331
+ metadata: {}
300
332
  post_install_message:
301
333
  rdoc_options: []
302
-
303
- require_paths:
334
+ require_paths:
304
335
  - lib
305
- required_ruby_version: !ruby/object:Gem::Requirement
306
- none: false
307
- requirements:
336
+ required_ruby_version: !ruby/object:Gem::Requirement
337
+ requirements:
308
338
  - - ">="
309
- - !ruby/object:Gem::Version
310
- version: "0"
311
- required_rubygems_version: !ruby/object:Gem::Requirement
312
- none: false
313
- requirements:
339
+ - !ruby/object:Gem::Version
340
+ version: '0'
341
+ required_rubygems_version: !ruby/object:Gem::Requirement
342
+ requirements:
314
343
  - - ">="
315
- - !ruby/object:Gem::Version
316
- version: "0"
344
+ - !ruby/object:Gem::Version
345
+ version: '0'
317
346
  requirements: []
318
-
319
347
  rubyforge_project:
320
- rubygems_version: 1.8.5
348
+ rubygems_version: 2.2.2
321
349
  signing_key:
322
- specification_version: 3
350
+ specification_version: 4
323
351
  summary: Security vulnerability scanner for Ruby on Rails.
324
352
  test_files: []
325
-
metadata.gz.sig CHANGED
Binary file