brakeman 3.1.3 → 3.1.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGES +8 -0
- data/bin/brakeman +1 -1
- data/lib/brakeman.rb +9 -7
- data/lib/brakeman/app_tree.rb +2 -2
- data/lib/brakeman/checks/base_check.rb +1 -1
- data/lib/brakeman/checks/check_cross_site_scripting.rb +1 -7
- data/lib/brakeman/checks/check_detailed_exceptions.rb +2 -2
- data/lib/brakeman/checks/check_mass_assignment.rb +5 -0
- data/lib/brakeman/checks/check_number_to_currency.rb +6 -1
- data/lib/brakeman/checks/check_send.rb +1 -1
- data/lib/brakeman/checks/check_session_settings.rb +2 -1
- data/lib/brakeman/processors/alias_processor.rb +2 -1
- data/lib/brakeman/processors/lib/render_path.rb +2 -2
- data/lib/brakeman/report/ignore/config.rb +1 -1
- data/lib/brakeman/report/report_base.rb +11 -11
- data/lib/brakeman/report/report_codeclimate.rb +1 -0
- data/lib/brakeman/rescanner.rb +1 -1
- data/lib/brakeman/scanner.rb +1 -1
- data/lib/brakeman/tracker/config.rb +2 -0
- data/lib/brakeman/version.rb +1 -1
- data/lib/ruby_parser/bm_sexp.rb +2 -3
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: e2f73f15176bd0a6f4d9dfcc629f2c058b30d837
|
4
|
+
data.tar.gz: b3eb152ea1d579034ccae53d8c0ae2a5765533af
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 9b576a52670e2fe3b3ae035d6f4da88c94635da2c20bab6214fdec4301ae19b30d056a8541742e6ef4abaac801214c65a6438ca94588c44d8cf5b3546602125b
|
7
|
+
data.tar.gz: 1d807d4acc2b35e8aaa6d938a669d953347be9aace422fdd5ce2c9fb4e6b840665b916d34cc52dee2c37d25caab0b6642e1de26b6c37cead2619f14e4cc665a0
|
data/CHANGES
CHANGED
@@ -1,3 +1,11 @@
|
|
1
|
+
# 3.1.4
|
2
|
+
|
3
|
+
* Emit brakeman's native fingerprints for Code Climate engine (Noah Davis)
|
4
|
+
* Ignore secrets.yml if in .gitignore
|
5
|
+
* Clean up Ruby warnings (Andy Waite)
|
6
|
+
* Increase test coverage for option parsing (Zander Mackie)
|
7
|
+
* Work around safe_yaml error
|
8
|
+
|
1
9
|
# 3.1.3
|
2
10
|
|
3
11
|
* Check for session secret in secrets.yml
|
data/bin/brakeman
CHANGED
data/lib/brakeman.rb
CHANGED
@@ -1,5 +1,4 @@
|
|
1
1
|
require 'rubygems'
|
2
|
-
require 'safe_yaml/load'
|
3
2
|
require 'set'
|
4
3
|
|
5
4
|
module Brakeman
|
@@ -93,6 +92,8 @@ module Brakeman
|
|
93
92
|
|
94
93
|
#Load configuration file
|
95
94
|
if config = config_file(custom_location, app_path)
|
95
|
+
require 'date' # https://github.com/dtao/safe_yaml/issues/80
|
96
|
+
require 'safe_yaml/load'
|
96
97
|
options = SafeYAML.load_file config, :deserialize_symbols => true
|
97
98
|
|
98
99
|
if options
|
@@ -262,15 +263,15 @@ module Brakeman
|
|
262
263
|
task_path = File.join("lib", "tasks", "brakeman.rake")
|
263
264
|
end
|
264
265
|
|
265
|
-
if not File.
|
266
|
+
if not File.exist? rake_path
|
266
267
|
raise RakeInstallError, "No Rakefile detected"
|
267
|
-
elsif File.
|
268
|
+
elsif File.exist? task_path
|
268
269
|
raise RakeInstallError, "Task already exists"
|
269
270
|
end
|
270
271
|
|
271
272
|
require 'fileutils'
|
272
273
|
|
273
|
-
if not File.
|
274
|
+
if not File.exist? "lib/tasks"
|
274
275
|
notify "Creating lib/tasks"
|
275
276
|
FileUtils.mkdir_p "lib/tasks"
|
276
277
|
end
|
@@ -279,7 +280,7 @@ module Brakeman
|
|
279
280
|
|
280
281
|
FileUtils.cp "#{path}/brakeman/brakeman.rake", task_path
|
281
282
|
|
282
|
-
if File.
|
283
|
+
if File.exist? task_path
|
283
284
|
notify "Task created in #{task_path}"
|
284
285
|
notify "Usage: rake brakeman:run[output_file]"
|
285
286
|
else
|
@@ -289,6 +290,7 @@ module Brakeman
|
|
289
290
|
|
290
291
|
#Output configuration to YAML
|
291
292
|
def self.dump_config options
|
293
|
+
require 'yaml'
|
292
294
|
if options[:create_config].is_a? String
|
293
295
|
file = options[:create_config]
|
294
296
|
else
|
@@ -407,7 +409,7 @@ module Brakeman
|
|
407
409
|
def self.compare options
|
408
410
|
require 'multi_json'
|
409
411
|
require 'brakeman/differ'
|
410
|
-
raise ArgumentError.new("Comparison file doesn't exist") unless File.
|
412
|
+
raise ArgumentError.new("Comparison file doesn't exist") unless File.exist? options[:previous_results_json]
|
411
413
|
|
412
414
|
begin
|
413
415
|
previous_results = MultiJson.load(File.read(options[:previous_results_json]), :symbolize_keys => true)[:warnings]
|
@@ -431,7 +433,7 @@ module Brakeman
|
|
431
433
|
rescue LoadError => e
|
432
434
|
$stderr.puts e.message
|
433
435
|
$stderr.puts "Please install the appropriate dependency: #{name}."
|
434
|
-
exit!
|
436
|
+
exit!(-1)
|
435
437
|
end
|
436
438
|
end
|
437
439
|
|
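Review bot: In the config-loading hunk (new lines 95–96) the options file is still parsed with `SafeYAML.load_file config, :deserialize_symbols => true`, yet nothing records that this file need not be the operator's own: `config_file(custom_location, app_path)` receives the scanned app's path, so presumably a config inside the repository under test is honoured, which matters once Brakeman runs as a hosted engine (this release adds Code Climate fingerprints). SafeYAML stops arbitrary object instantiation, but with symbol deserialisation enabled every symbol in that file is interned (not collectable before Ruby 2.2) and every resulting key is then trusted as an option for the rest of the run. I would keep the flag, since the option keys are symbols by design, and mark the trust boundary above the two `require` lines: `# config may come from the scanned app itself; SafeYAML keeps it to plain data, but :deserialize_symbols interns every symbol it contains`. The `require 'date'` workaround is pasted verbatim into check_session_settings.rb as well, so one `Brakeman.load_safe_yaml` helper would keep the issue-80 reference in a single place. The enclosing method starts before this hunk.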
data/lib/brakeman/app_tree.rb
CHANGED
@@ -43,12 +43,12 @@ module Brakeman
|
|
43
43
|
end
|
44
44
|
|
45
45
|
def exists?(path)
|
46
|
-
File.
|
46
|
+
File.exist?(File.join(@root, path))
|
47
47
|
end
|
48
48
|
|
49
49
|
# This is a pair for #read_path. Again, would like to kill these
|
50
50
|
def path_exists?(path)
|
51
|
-
File.
|
51
|
+
File.exist?(path)
|
52
52
|
end
|
53
53
|
|
54
54
|
def initializer_paths
|
@@ -348,7 +348,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
|
|
348
348
|
if @safe_input_attributes.include? method
|
349
349
|
false
|
350
350
|
elsif call? target and not method.to_s[-1,1] == "?"
|
351
|
-
if
|
351
|
+
if has_immediate_model?(target, out)
|
352
352
|
exp
|
353
353
|
else
|
354
354
|
false
|
@@ -105,12 +105,6 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
|
|
105
105
|
warning_code = :xss_to_json
|
106
106
|
end
|
107
107
|
|
108
|
-
code = if match == out
|
109
|
-
nil
|
110
|
-
else
|
111
|
-
match
|
112
|
-
end
|
113
|
-
|
114
108
|
warn :template => @current_template,
|
115
109
|
:warning_type => "Cross Site Scripting",
|
116
110
|
:warning_code => warning_code,
|
@@ -314,7 +308,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
|
|
314
308
|
initializers = tracker.check_initializers :ActiveSupport, :escape_html_entities_in_json=
|
315
309
|
initializers.each {|result| json_escape_on = true?(result.call.first_arg) }
|
316
310
|
|
317
|
-
if tracker.config.escape_html_entities_in_json?
|
311
|
+
if tracker.config.escape_html_entities_in_json?
|
318
312
|
json_escape_on = true
|
319
313
|
elsif version_between? "4.0.0", "5.0.0"
|
320
314
|
json_escape_on = true
|
@@ -25,12 +25,12 @@ class Brakeman::CheckDetailedExceptions < Brakeman::BaseCheck
|
|
25
25
|
|
26
26
|
def check_detailed_exceptions
|
27
27
|
tracker.controllers.each do |name, controller|
|
28
|
-
controller.methods_public.each do |
|
28
|
+
controller.methods_public.each do |method_name, definition|
|
29
29
|
src = definition[:src]
|
30
30
|
body = src.body.last
|
31
31
|
next unless body
|
32
32
|
|
33
|
-
if
|
33
|
+
if method_name == :show_detailed_exceptions? and not safe? body
|
34
34
|
if true? body
|
35
35
|
confidence = CONFIDENCE[:high]
|
36
36
|
else
|
@@ -5,6 +5,11 @@ class Brakeman::CheckNumberToCurrency < Brakeman::BaseCheck
|
|
5
5
|
|
6
6
|
@description = "Checks for number helpers XSS vulnerabilities in certain versions"
|
7
7
|
|
8
|
+
def initialize(*)
|
9
|
+
super
|
10
|
+
@found_any = false
|
11
|
+
end
|
12
|
+
|
8
13
|
def run_check
|
9
14
|
if version_between? "2.0.0", "2.3.18" or
|
10
15
|
version_between? "3.0.0", "3.2.16" or
|
@@ -35,7 +40,7 @@ class Brakeman::CheckNumberToCurrency < Brakeman::BaseCheck
|
|
35
40
|
end
|
36
41
|
|
37
42
|
def check_number_helper_usage
|
38
|
-
number_methods = [:number_to_currency, :number_to_percentage, :number_to_human]
|
43
|
+
number_methods = [:number_to_currency, :number_to_percentage, :number_to_human]
|
39
44
|
tracker.find_call(:target => false, :methods => number_methods).each do |result|
|
40
45
|
arg = result[:call].second_arg
|
41
46
|
next unless arg
|
@@ -22,7 +22,7 @@ class Brakeman::CheckSend < Brakeman::BaseCheck
|
|
22
22
|
|
23
23
|
send_call = get_send result[:call]
|
24
24
|
process_call_args send_call
|
25
|
-
|
25
|
+
process send_call.target
|
26
26
|
|
27
27
|
if input = has_immediate_user_input?(send_call.first_arg)
|
28
28
|
warn :result => result,
|
@@ -111,8 +111,9 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
|
|
111
111
|
def check_secrets_yaml
|
112
112
|
secrets_file = "config/secrets.yml"
|
113
113
|
|
114
|
-
if @app_tree.exists? secrets_file
|
114
|
+
if @app_tree.exists? secrets_file and not ignored? "secrets.yml" and not ignored? "config/*.yml"
|
115
115
|
yaml = @app_tree.read secrets_file
|
116
|
+
require 'date' # https://github.com/dtao/safe_yaml/issues/80
|
116
117
|
require 'safe_yaml/load'
|
117
118
|
secrets = SafeYAML.load yaml
|
118
119
|
|
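Review bot: The new guard `not ignored? "secrets.yml" and not ignored? "config/*.yml"` now decides whether a static session secret in secrets.yml is reported, so these two literal strings are effectively a security allowlist. A .gitignore that spells the same file as `config/secrets.yml`, `/config/secrets.yml` or `*.yml` matches neither string unless `ignored?` (not in this diff) normalises entries itself, and a substring-style match would instead let an entry such as `secrets.yml.example` silence a real finding; the safe failure mode for this check is to keep warning. I would make the accepted spellings explicit, `SECRETS_IGNORE_PATTERNS = %w[secrets.yml config/secrets.yml /config/secrets.yml config/*.yml *.yml]` and `if @app_tree.exists? secrets_file and SECRETS_IGNORE_PATTERNS.none? { |p| ignored? p }`, and add `# gitignored only means "not committed"; the secret can still be static in production` above it. The `and`/`not` chain would also read more safely as `&&`/`!`. check_secrets_yaml continues past the end of the hunk.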
@@ -27,6 +27,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
27
27
|
@helper_method_cache = {}
|
28
28
|
@helper_method_info = Hash.new({})
|
29
29
|
@or_depth_limit = (tracker && tracker.options[:branch_limit]) || 5 #arbitrary default
|
30
|
+
@meth_env = nil
|
30
31
|
set_env_defaults
|
31
32
|
end
|
32
33
|
|
@@ -63,7 +64,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
63
64
|
end
|
64
65
|
|
65
66
|
result = replace(exp)
|
66
|
-
|
67
|
+
|
67
68
|
@exp_context.pop
|
68
69
|
|
69
70
|
result
|
@@ -119,7 +119,7 @@ module Brakeman
|
|
119
119
|
@already_ignored.each do |w|
|
120
120
|
fingerprint = w[:fingerprint]
|
121
121
|
|
122
|
-
unless @ignored_warnings.find { |
|
122
|
+
unless @ignored_warnings.find { |ignored_warning| ignored_warning.fingerprint == fingerprint }
|
123
123
|
warnings << w
|
124
124
|
end
|
125
125
|
end
|
@@ -142,17 +142,17 @@ class Brakeman::Report::Base
|
|
142
142
|
w = warning.to_row type
|
143
143
|
|
144
144
|
case type
|
145
|
-
|
146
|
-
|
147
|
-
|
148
|
-
|
149
|
-
|
150
|
-
|
151
|
-
|
152
|
-
|
153
|
-
|
154
|
-
|
155
|
-
|
145
|
+
when :warning
|
146
|
+
convert_warning w, warning
|
147
|
+
when :template
|
148
|
+
convert_template_warning w, warning
|
149
|
+
when :model
|
150
|
+
convert_model_warning w, warning
|
151
|
+
when :controller
|
152
|
+
convert_controller_warning w, warning
|
153
|
+
when :ignored
|
154
|
+
convert_ignored_warning w, warning
|
155
|
+
end
|
156
156
|
end
|
157
157
|
end
|
158
158
|
|
@@ -19,6 +19,7 @@ class Brakeman::Report::CodeClimate < Brakeman::Report::Base
|
|
19
19
|
type: "Issue",
|
20
20
|
check_name: warning_code_name,
|
21
21
|
description: warning.message,
|
22
|
+
fingerprint: warning.fingerprint,
|
22
23
|
categories: ["Security"],
|
23
24
|
severity: severity_level_for(warning.confidence),
|
24
25
|
remediation_points: remediation_points_for(warning_code_name),
|
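Review bot: The added `fingerprint: warning.fingerprint` carries no comment explaining why Brakeman's own identifier is emitted instead of leaving Code Climate to derive one, and a reader of this file cannot tell that the same value is what `brakeman.ignore` matches on (the config.rb hunk in this release compares `ignored_warning.fingerprint == fingerprint`). I would add above the line: `# Brakeman's native fingerprint, the same value brakeman.ignore matches on, so the engine and the ignore file agree on issue identity across commits`. Whether Code Climate uses it only for de-duplication or also for display is not visible here and should be confirmed against the engine spec before relying on its stability. The issue hash continues past the end of the hunk.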
data/lib/brakeman/rescanner.rb
CHANGED
data/lib/brakeman/scanner.rb
CHANGED
data/lib/brakeman/version.rb
CHANGED
data/lib/ruby_parser/bm_sexp.rb
CHANGED
@@ -2,7 +2,6 @@
|
|
2
2
|
#and some changes for caching hash value and tracking 'original' line number
|
3
3
|
#of a Sexp.
|
4
4
|
class Sexp
|
5
|
-
attr_reader :paren
|
6
5
|
attr_accessor :original_line, :or_depth
|
7
6
|
ASSIGNMENT_BOOL = [:gasgn, :iasgn, :lasgn, :cvdecl, :cvasgn, :cdecl, :or, :and, :colon2]
|
8
7
|
|
@@ -412,13 +411,13 @@ class Sexp
|
|
412
411
|
# s(:lasgn, :x, s(:lit, 1))
|
413
412
|
# ^--lhs
|
414
413
|
def lhs
|
415
|
-
expect
|
414
|
+
expect(*ASSIGNMENT_BOOL)
|
416
415
|
self[1]
|
417
416
|
end
|
418
417
|
|
419
418
|
#Sets the left hand side of assignment or boolean.
|
420
419
|
def lhs= exp
|
421
|
-
expect
|
420
|
+
expect(*ASSIGNMENT_BOOL)
|
422
421
|
@my_hash_value = nil
|
423
422
|
self[1] = exp
|
424
423
|
end
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: brakeman
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 3.1.
|
4
|
+
version: 3.1.4
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Justin Collins
|
@@ -9,7 +9,7 @@ autorequire:
|
|
9
9
|
bindir: bin
|
10
10
|
cert_chain:
|
11
11
|
- brakeman-public_cert.pem
|
12
|
-
date: 2015-12-
|
12
|
+
date: 2015-12-22 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: test-unit
|