brakeman 8.0.2 → 8.0.3
- checksums.yaml +4 -4
- data/CHANGES.md +7 -0
- data/lib/brakeman/checks/check_sql.rb +2 -1
- data/lib/brakeman/commandline.rb +9 -4
- data/lib/brakeman/options.rb +6 -2
- data/lib/brakeman/processors/lib/rails3_config_processor.rb +10 -1
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman.rb +25 -13
- metadata +3 -3
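--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: a395362f80d7745fcc8ce87d26fd44b3d14b2fac87f018dbb08cc9ef7d8c9a49
+data.tar.gz: 5bc7d3e269e9616b1c8e529717134898fedc8d80898a7e9ae64fab53f9c4050c
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: d3d573fb08637217d7fa63b39d7540b205d6a8372f4b5b71646879067051dacd8407ae1d41134db54d342f0d2d7b4e16fcf7f2f9639244a77a07c38247c08dd0
+data.tar.gz: a6c649141045ff4a25fc6fd72d0381bb8197bb8898a0978319a11fa17c7e9ab75c4ea553ee34ea564906a9f7e29503b6c75197d5edc30c7387ccc679a1a87480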
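--- a/data/CHANGES.md
+++ b/data/CHANGES.md
@@ -1,3 +1,10 @@
+# 8.0.3 - 2026-02-26
+
+* Fix `polymorphic_name` SQLi false positive (Fredrico Franco)
+* Fix logger behavior when loading config files
+* Handle application names with module prefixes
+* Add release age option for `--ensure-latest`
+
 # 8.0.2 - 2026-02-03
 
 * Reline console control should use stderr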
@@ -600,7 +600,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
|
600
600
|
:sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,
|
|
601
601
|
:sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
|
|
602
602
|
:to_sql, :sanitize, :primary_key, :table_name_prefix, :table_name_suffix,
|
|
603
|
-
:where_values_hash, :foreign_key, :uuid, :escape, :escape_string
|
|
603
|
+
:where_values_hash, :foreign_key, :uuid, :escape, :escape_string,
|
|
604
|
+
:polymorphic_name
|
|
604
605
|
]
|
|
605
606
|
|
|
606
607
|
def ignore_methods_in_sql
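Review bot: `:polymorphic_name` joins the list of method results that the SQL injection check treats as safe, but nothing records why it qualifies, and this list is exactly where a careless addition would silence real findings. As far as I recall ActiveRecord's `polymorphic_name` returns the base class's name, a developer-controlled constant rather than request data, so a short comment beside the entry, `# polymorphic_name returns the model's class name, not user input`, would keep that rationale next to the list for the next reviewer. The list's opening, and the method or constant it belongs to, start before the hunk.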
|
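--- a/data/lib/brakeman/commandline.rb
+++ b/data/lib/brakeman/commandline.rb
@@ -31,7 +31,7 @@ module Brakeman
 set_interrupt_handler options
 early_exit_options options
 set_options options, default_app_path
-check_latest if options[:ensure_latest]
+check_latest(options[:ensure_latest]) if options[:ensure_latest]
 run_report options
 
 quit
@@ -39,9 +39,14 @@ module Brakeman
 
 # Check for the latest version.
 #
-# If the latest version is newer
-
-
+# If the latest version is newer than the current version
+# and age, exit.
+def check_latest(days_old = 0)
+if days_old == true
+days_old = 0
+end
+
+if error = Brakeman.ensure_latest(days_old:)
 quit Brakeman::Not_Latest_Version_Exit_Code, error
 end
 end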
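Review bot: `check_latest` spends a three-line `if` normalising `days_old == true` to `0` without saying where `true` comes from, although it is exactly what a bare `--ensure-latest` stores in `options[:ensure_latest]`; the modifier form with a comment, `days_old = 0 if days_old == true # bare --ensure-latest stores true: no minimum age`, makes that contract visible in one line. The call `Brakeman.ensure_latest(days_old:)` uses the Ruby 3.1 keyword shorthand, so if the gem still declares support for an older Ruby this file fails to parse at load time, which is worth checking against the gemspec's required Ruby version (not shown in this diff). The new doc comment `# If the latest version is newer than the current version and age, exit.` is hard to read; `# Exit unless the current version is the latest, ignoring releases younger than days_old days.` states what the method does.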
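--- a/data/lib/brakeman/options.rb
+++ b/data/lib/brakeman/options.rb
@@ -63,8 +63,12 @@ module Brakeman::Options
 options[:exit_on_error] = exit_on_error
 end
 
-opts.on "--ensure-latest", "Fail when Brakeman is outdated" do
-
+opts.on "--ensure-latest [DAYS]", Integer, "Fail when Brakeman is outdated. Optionally set minimum age in days." do |days|
+if days and not (1..15).include? days
+raise OptionParser::InvalidArgument
+end
+
+options[:ensure_latest] = days || true
 end
 
 opts.on "--ensure-ignore-notes", "Fail when an ignored warnings does not include a note" do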
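Review bot: The accepted range for `[DAYS]` is enforced with `(1..15).include?` but never surfaced to the user: the help text only says "Optionally set minimum age in days" and the bare `raise OptionParser::InvalidArgument` gives no reason, so a value of 20 is rejected with no hint of the limit. I'd put the bound in the description, `"Fail when Brakeman is outdated. Optionally set minimum age in days (1-15)."`, and add a comment above the check explaining why the range is capped, since the cap is a policy choice a reader cannot infer. The condition `if days and not (1..15).include? days` also uses the low-precedence `and`/`not` keywords for plain boolean logic; `if days && !(1..15).cover?(days)` is the idiomatic form. The `opts.on` call sits inside a parser-setup method that starts before the hunk.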
@@ -17,6 +17,7 @@ require 'brakeman/processors/lib/basic_processor'
|
|
|
17
17
|
#Values for tracker.config.rails will still be Sexps.
|
|
18
18
|
class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
|
|
19
19
|
RAILS_CONFIG = Sexp.new(:call, nil, :config)
|
|
20
|
+
RAILS_APPLICATION = Sexp.new(:colon2, s(:const, :Rails), :Application)
|
|
20
21
|
|
|
21
22
|
def initialize *args
|
|
22
23
|
super
|
|
@@ -48,7 +49,7 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
|
|
|
48
49
|
|
|
49
50
|
#Look for class Application < Rails::Application
|
|
50
51
|
def process_class exp
|
|
51
|
-
if exp
|
|
52
|
+
if application_class? exp
|
|
52
53
|
@inside_config = true
|
|
53
54
|
process_all exp.body if sexp? exp.body
|
|
54
55
|
@inside_config = false
|
|
@@ -57,6 +58,14 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
|
|
|
57
58
|
exp
|
|
58
59
|
end
|
|
59
60
|
|
|
61
|
+
def application_class? exp
|
|
62
|
+
return unless node_type? exp, :class
|
|
63
|
+
|
|
64
|
+
exp.class_name == :Application or
|
|
65
|
+
(node_type? exp.class_name, :colon2 and exp.class_name.rhs == :Application) or
|
|
66
|
+
(exp.parent_name == RAILS_APPLICATION)
|
|
67
|
+
end
|
|
68
|
+
|
|
60
69
|
#Look for configuration settings that
|
|
61
70
|
#are just a call like
|
|
62
71
|
#
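Review bot: `application_class?` builds its three-way match with `or`/`and`, whose precedence is below `=` and which linters flag for boolean logic; with `||`/`&&` it reads as one predicate: `return false unless node_type?(exp, :class)` followed by `exp.class_name == :Application || (node_type?(exp.class_name, :colon2) && exp.class_name.rhs == :Application) || exp.parent_name == RAILS_APPLICATION`. The bare `return` on the guard yields `nil` rather than `false`, which works under `if` but is inconsistent for a `?` method. `RAILS_APPLICATION` mixes `Sexp.new` with the `s(...)` helper in a single expression while `RAILS_CONFIG` just above uses only `Sexp.new`; a comment on the constant, `# Superclass pattern for `class X < Rails::Application``, would also say what `parent_name` is compared against. The enclosing class continues outside the hunk.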
|
data/lib/brakeman/version.rb
CHANGED
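--- a/data/lib/brakeman.rb
+++ b/data/lib/brakeman.rb
@@ -167,7 +167,6 @@ module Brakeman
 #Load options from YAML file
 def self.load_options line_options
 custom_location = line_options[:config_file]
-quiet = line_options[:quiet]
 app_path = line_options[:app_path]
 
 #Load configuration file
@@ -175,29 +174,28 @@ module Brakeman
 require 'yaml'
 options = YAML.safe_load_file config, permitted_classes: [Symbol], symbolize_names: true
 
-# Brakeman.logger is probably not set yet
-logger = Brakeman::Logger.get_logger(options || line_options)
-
 if options
 options.each { |k, v| options[k] = Set.new v if v.is_a? Array }
 
 # After parsing the yaml config file for options, convert any string keys into symbols.
 options.keys.select {|k| k.is_a? String}.map {|k| k.to_sym }.each {|k| options[k] = options[k.to_s]; options.delete(k.to_s) }
 
+# Brakeman.logger is probably not set yet
+logger = Brakeman::Logger.get_logger(options.merge(line_options))
+
 unless line_options[:allow_check_paths_in_config]
 if options.include? :additional_checks_path
 options.delete :additional_checks_path
 
-logger.alert 'Ignoring additional check paths in config file. Use --allow-check-paths-in-config to allow'
+logger.alert 'Ignoring additional check paths in config file. Use --allow-check-paths-in-config to allow'
 end
 end
 
-
-# potentially remove these checks now that logger is used
-logger.alert "Using configuration in #{config}" unless (options[:quiet] || quiet)
+logger.alert "Using configuration in #{config}"
 options
 else
-logger
+logger = Brakeman::Logger.get_logger(line_options)
+logger.alert "Empty configuration file: #{config}"
 {}
 end
 else
@@ -416,11 +414,25 @@ module Brakeman
 end
 end
 
-
+# Returns quit message unless the latest version
+# of Brakeman matches the current version.
+#
+# Optionally checks that the latest version is at least
+# the specified number of days old.
+def self.ensure_latest(days_old: 0)
 current = Brakeman::Version
-latest = Gem.
-
-
+latest = Gem.latest_spec_for('brakeman')
+release_date = latest.date.to_date
+latest_version = latest.version.to_s
+
+if (Date.today - latest.date.to_date) >= days_old
+if current != latest_version
+return "Brakeman #{current} is not the latest version #{latest_version}"
+else
+false
+end
+else
+false
 end
 end
 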
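Review bot: In `ensure_latest`, `release_date` is assigned from `latest.date.to_date` and then never used; the condition on the next line recomputes the same expression, so it should read `if (Date.today - release_date) >= days_old`. The nested `if`/`else` with a `return` in one branch and bare `false` in the other two collapses to two guards, `return false if (Date.today - release_date) < days_old` and `return false if current == latest_version`, followed by the message string as the method's value. The comment should also state two things callers cannot see: `Gem.latest_spec_for` contacts the configured gem sources, and the age is taken from the gemspec's `date` field, which is set by whoever built the gem (compare the `date:` line in this release's metadata) rather than by the registry, so the minimum-age grace period is only as reliable as that field. `latest` is `nil` when no spec is found, which surfaces as a `NoMethodError` on `latest.date` instead of a clear message; the previous body is truncated in this rendering, so it may have had the same gap.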
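--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-version: 8.0.
+version: 8.0.3
 platform: ruby
 authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-02-
+date: 2026-02-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: racc
@@ -700,7 +700,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.4.
+rubygems_version: 3.4.19
 signing_key:
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.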