railroader 4.3.7 → 4.3.8
- checksums.yaml +4 -4
- data/CHANGES.md +14 -1
- data/README.md +1 -0
- data/lib/railroader/checks/check_content_tag.rb +6 -6
- data/lib/railroader/checks/check_cross_site_scripting.rb +6 -6
- data/lib/railroader/checks/check_execute.rb +5 -5
- data/lib/railroader/checks/check_link_to.rb +6 -6
- data/lib/railroader/checks/check_link_to_href.rb +6 -6
- data/lib/railroader/checks/check_mass_assignment.rb +8 -13
- data/lib/railroader/checks/check_sql.rb +6 -6
- data/lib/railroader/checks/check_without_protection.rb +5 -6
- data/lib/railroader/options.rb +6 -6
- data/lib/railroader/processors/alias_processor.rb +5 -5
- data/lib/railroader/processors/base_processor.rb +5 -5
- data/lib/railroader/report/report_html.rb +2 -2
- data/lib/railroader/report/report_tabs.rb +1 -1
- data/lib/railroader/rescanner.rb +1 -1
- data/lib/railroader/tracker.rb +3 -3
- data/lib/railroader/version.rb +1 -1
- data/lib/railroader/warning.rb +2 -2
- data/lib/ruby_parser/bm_sexp.rb +4 -4
- metadata +8 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 63c5753f1d828b85647b29a336f2e1a7b546a3daf1059ae3779bb539ec87f59e
|
4
|
+
data.tar.gz: 92e322786b4fcb354700bbde88384aada983108663988a041a772a2311eb333c
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 2a3b22e608487251cd6f9d6a5c03566f946d9a93e7ead6dc11980c4448c2c9806cf94d750d8e722d7f455e08fec6515ca40f24185fce37a4e9d80899be3ac663
|
7
|
+
data.tar.gz: 9b8a383e9ff2221731ee53b98d31986b6ca8b630ba8db43958146f6f89679e6269e25558482db407636f8e8aa84dd94597b222fa31b968c6c85954bc075398fe
|
data/CHANGES.md
CHANGED
@@ -1,3 +1,13 @@
|
|
1
|
+
# 4.3.8
|
2
|
+
|
3
|
+
* Temporarily prevent use of `sexp_processor` version 4.12.1,
|
4
|
+
because it causes an error at
|
5
|
+
`lib/railroader/processors/alias_processor.rb:50:in process_safely'`.
|
6
|
+
We want to get back to working order quickly, and we can then
|
7
|
+
fix things more leisurely.
|
8
|
+
* Various code cleanups, trying to make the code easier to read.
|
9
|
+
|
10
|
+
|
1
11
|
# 4.3.7
|
2
12
|
|
3
13
|
* We earned a CII Best Practices badge! Show its badge on the README.
|
@@ -5,7 +15,7 @@
|
|
5
15
|
* Add information on how to report vulnerabilities in the Railroader
|
6
16
|
application itself.
|
7
17
|
* Update `ruby_parser` to version 3.13.1. This improves and fixes handling of
|
8
|
-
some Ruby constructs, but it also means that we
|
18
|
+
some Ruby constructs, but it also means that we no longer support
|
9
19
|
running on Ruby 1.9. The last branch of Ruby 1.9 (1.9.3)
|
10
20
|
ended all support on 23 Feb 2015, after a one-year warning, per:
|
11
21
|
https://www.ruby-lang.org/en/news/2015/02/23/support-for-ruby-1-9-3-has-ended/
|
@@ -13,6 +23,9 @@
|
|
13
23
|
4 years after support ended, we think this is reasonable.
|
14
24
|
If you really need to run something on Ruby 1.9, forcibly select
|
15
25
|
an older version of Railroader such as 4.3.5.
|
26
|
+
It would be possible to support Ruby 1.9 with some extra effort,
|
27
|
+
so I've left in a number of stubs for handling Ruby 1.9 in case we do so.
|
28
|
+
I suspect we won't bother, but patches welcome.
|
16
29
|
|
17
30
|
# 4.3.5
|
18
31
|
|
data/README.md
CHANGED
@@ -3,6 +3,7 @@
|
|
3
3
|
[![Build Status](https://travis-ci.org/david-a-wheeler/railroader.svg?branch=master)](https://travis-ci.org/david-a-wheeler/railroader)
|
4
4
|
[![Maintainability](https://api.codeclimate.com/v1/badges/1b08a5c74695cb0d11ec/maintainability)](https://codeclimate.com/github/david-a-wheeler/railroader/maintainability)
|
5
5
|
[![Test Coverage](https://api.codeclimate.com/v1/badges/1b08a5c74695cb0d11ec/test_coverage)](https://codeclimate.com/github/david-a-wheeler/railroader/test_coverage)
|
6
|
+
[![License](https://img.shields.io/:license-mit-blue.svg)](https://badges.mit-license.org)
|
6
7
|
[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/2514/badge)](https://bestpractices.coreinfrastructure.org/projects/2514)
|
7
8
|
<!-- [![Gitter](https://badges.gitter.im/david-a-wheeler/railroader.svg)](https://gitter.im/david-a-wheeler/railroader) -->
|
8
9
|
|
@@ -20,12 +20,12 @@ class Railroader::CheckContentTag < Railroader::CheckCrossSiteScripting
|
|
20
20
|
|
21
21
|
def run_check
|
22
22
|
@ignore_methods = Set[:button_to, :check_box, :escapeHTML, :escape_once,
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
23
|
+
:field_field, :fields_for, :h, :hidden_field,
|
24
|
+
:hidden_field, :hidden_field_tag, :image_tag, :label,
|
25
|
+
:mail_to, :radio_button, :select,
|
26
|
+
:submit_tag, :text_area, :text_field,
|
27
|
+
:text_field_tag, :url_encode, :u, :url_for,
|
28
|
+
:will_paginate].merge tracker.options[:safe_methods]
|
29
29
|
|
30
30
|
@known_dangerous = []
|
31
31
|
@content_tags = tracker.find_call :target => false, :method => :content_tag
|
@@ -282,12 +282,12 @@ class Railroader::CheckCrossSiteScripting < Railroader::BaseCheck
|
|
282
282
|
|
283
283
|
def setup
|
284
284
|
@ignore_methods = Set[:==, :!=, :button_to, :check_box, :content_tag, :escapeHTML, :escape_once,
|
285
|
-
|
286
|
-
|
287
|
-
|
288
|
-
|
289
|
-
|
290
|
-
|
285
|
+
:field_field, :fields_for, :h, :hidden_field,
|
286
|
+
:hidden_field, :hidden_field_tag, :image_tag, :label,
|
287
|
+
:link_to, :mail_to, :radio_button, :select,
|
288
|
+
:submit_tag, :text_area, :text_field,
|
289
|
+
:text_field_tag, :url_encode, :u, :url_for,
|
290
|
+
:will_paginate].merge tracker.options[:safe_methods]
|
291
291
|
|
292
292
|
@models = tracker.models.keys
|
293
293
|
@inspect_arguments = tracker.options[:check_arguments]
|
@@ -14,9 +14,9 @@ class Railroader::CheckExecute < Railroader::BaseCheck
|
|
14
14
|
@description = "Finds instances of possible command injection"
|
15
15
|
|
16
16
|
SAFE_VALUES = [s(:const, :RAILS_ROOT),
|
17
|
-
|
18
|
-
|
19
|
-
|
17
|
+
s(:call, s(:const, :Rails), :root),
|
18
|
+
s(:call, s(:const, :Rails), :env),
|
19
|
+
s(:call, s(:const, :Process), :pid)]
|
20
20
|
|
21
21
|
SHELL_ESCAPES = [:escape, :shellescape, :join]
|
22
22
|
|
@@ -32,8 +32,8 @@ class Railroader::CheckExecute < Railroader::BaseCheck
|
|
32
32
|
Railroader.debug "Finding other system calls"
|
33
33
|
calls = tracker.find_call :targets => [:IO, :Open3, :Kernel, :'POSIX::Spawn', :Process, nil],
|
34
34
|
:methods => [:capture2, :capture2e, :capture3, :exec, :pipeline, :pipeline_r,
|
35
|
-
|
36
|
-
|
35
|
+
:pipeline_rw, :pipeline_start, :pipeline_w, :popen, :popen2, :popen2e,
|
36
|
+
:popen3, :spawn, :syscall, :system], :nested => true
|
37
37
|
|
38
38
|
Railroader.debug "Processing system calls"
|
39
39
|
calls.each do |result|
|
@@ -13,12 +13,12 @@ class Railroader::CheckLinkTo < Railroader::CheckCrossSiteScripting
|
|
13
13
|
return unless version_between?("2.0.0", "2.9.9") and not tracker.config.escape_html?
|
14
14
|
|
15
15
|
@ignore_methods = Set[:button_to, :check_box, :escapeHTML, :escape_once,
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
16
|
+
:field_field, :fields_for, :h, :hidden_field,
|
17
|
+
:hidden_field, :hidden_field_tag, :image_tag, :label,
|
18
|
+
:mail_to, :radio_button, :select,
|
19
|
+
:submit_tag, :text_area, :text_field,
|
20
|
+
:text_field_tag, :url_encode, :u, :url_for,
|
21
|
+
:will_paginate].merge tracker.options[:safe_methods]
|
22
22
|
|
23
23
|
@known_dangerous = []
|
24
24
|
# Ideally, I think this should also check to see if people are setting
|
@@ -13,12 +13,12 @@ class Railroader::CheckLinkToHref < Railroader::CheckLinkTo
|
|
13
13
|
|
14
14
|
def run_check
|
15
15
|
@ignore_methods = Set[:button_to, :check_box,
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
16
|
+
:field_field, :fields_for, :hidden_field,
|
17
|
+
:hidden_field, :hidden_field_tag, :image_tag, :label,
|
18
|
+
:mail_to, :polymorphic_url, :radio_button, :select, :slice,
|
19
|
+
:submit_tag, :text_area, :text_field,
|
20
|
+
:text_field_tag, :url_encode, :u,
|
21
|
+
:will_paginate].merge(tracker.options[:url_safe_methods] || [])
|
22
22
|
|
23
23
|
@models = tracker.models.keys
|
24
24
|
@inspect_arguments = tracker.options[:check_arguments]
|
@@ -35,19 +35,14 @@ class Railroader::CheckMassAssignment < Railroader::BaseCheck
|
|
35
35
|
return [] if models.empty?
|
36
36
|
|
37
37
|
Railroader.debug "Finding possible mass assignment calls on #{models.length} models"
|
38
|
-
@mass_assign_calls = tracker.find_call :chained => true,
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
:first_or_create!,
|
47
|
-
:first_or_initialize!,
|
48
|
-
:assign_attributes,
|
49
|
-
:update
|
50
|
-
]
|
38
|
+
@mass_assign_calls = tracker.find_call :chained => true,
|
39
|
+
:targets => models,
|
40
|
+
:methods => [
|
41
|
+
:new, :attributes=, :update_attributes,
|
42
|
+
:update_attributes!, :create, :create!, :build,
|
43
|
+
:first_or_create, :first_or_create!,
|
44
|
+
:first_or_initialize!, :assign_attributes, :update
|
45
|
+
]
|
51
46
|
end
|
52
47
|
|
53
48
|
def check_mass_assignment
|
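Review bot: The rewritten `:methods` list (new lines 40-45) carries `:first_or_initialize!` but not `:first_or_initialize`, while `first_or_create` is listed in both its bang and non-bang forms; ActiveRecord defines `first_or_initialize` without a bang variant, so a mass assignment routed through that call would not be collected as a sink by this check. If that asymmetry is inherited rather than deliberate, add the plain form next to it: `:first_or_create, :first_or_create!, :first_or_initialize,` / `:first_or_initialize!, :assign_attributes, :update`. The same symmetry question applies to `:update` versus `:update!`, which is absent. The enclosing method begins before this hunk, so any earlier entries of the list that I cannot see are not covered by this note.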
@@ -30,7 +30,7 @@ class Railroader::CheckSQL < Railroader::BaseCheck
|
|
30
30
|
end
|
31
31
|
|
32
32
|
@connection_calls = [:delete, :execute, :insert, :select_all, :select_one,
|
33
|
-
|
33
|
+
:select_rows, :select_value, :select_values]
|
34
34
|
|
35
35
|
if tracker.options[:rails3]
|
36
36
|
@connection_calls.concat [:exec_delete, :exec_insert, :exec_query, :exec_update]
|
@@ -574,11 +574,11 @@ class Railroader::CheckSQL < Railroader::BaseCheck
|
|
574
574
|
end
|
575
575
|
|
576
576
|
IGNORE_METHODS_IN_SQL = Set[:id, :merge_conditions, :table_name, :quoted_table_name,
|
577
|
-
|
578
|
-
|
579
|
-
|
580
|
-
|
581
|
-
|
577
|
+
:quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array,
|
578
|
+
:sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,
|
579
|
+
:sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
|
580
|
+
:to_sql, :sanitize, :primary_key, :table_name_prefix, :table_name_suffix,
|
581
|
+
:where_values_hash, :foreign_key
|
582
582
|
]
|
583
583
|
|
584
584
|
def safe_value? exp
|
@@ -17,12 +17,11 @@ class Railroader::CheckWithoutProtection < Railroader::BaseCheck
|
|
17
17
|
return if active_record_models.empty?
|
18
18
|
|
19
19
|
Railroader.debug "Finding all mass assignments"
|
20
|
-
calls = tracker.find_call :targets => active_record_models.keys,
|
21
|
-
:
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
:create!]
|
20
|
+
calls = tracker.find_call :targets => active_record_models.keys,
|
21
|
+
:methods => [
|
22
|
+
:new, :attributes=, :update_attributes, :update_attributes!,
|
23
|
+
:create, :create!
|
24
|
+
]
|
26
25
|
|
27
26
|
Railroader.debug "Processing all mass assignments"
|
28
27
|
calls.each do |result|
|
data/lib/railroader/options.rb
CHANGED
@@ -204,9 +204,9 @@ module Railroader::Options
|
|
204
204
|
end
|
205
205
|
|
206
206
|
opts.on "-f",
|
207
|
-
|
208
|
-
|
209
|
-
|
207
|
+
"--format TYPE",
|
208
|
+
[:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table],
|
209
|
+
"Specify output formats. Default is text" do |type|
|
210
210
|
|
211
211
|
type = "s" if type == :text
|
212
212
|
options[:output_format] = ("to_" << type.to_s).to_sym
|
@@ -282,9 +282,9 @@ module Railroader::Options
|
|
282
282
|
end
|
283
283
|
|
284
284
|
opts.on "-w",
|
285
|
-
|
286
|
-
|
287
|
-
|
285
|
+
"--confidence-level LEVEL",
|
286
|
+
["1", "2", "3"],
|
287
|
+
"Set minimal confidence level (1 - 3)" do |level|
|
288
288
|
|
289
289
|
options[:min_confidence] = 3 - level.to_i
|
290
290
|
end
|
@@ -670,11 +670,11 @@ class Railroader::AliasProcessor < Railroader::SexpProcessor
|
|
670
670
|
|
671
671
|
if @tracker
|
672
672
|
@tracker.add_constant exp.lhs,
|
673
|
-
|
674
|
-
|
675
|
-
|
676
|
-
|
677
|
-
|
673
|
+
exp.rhs,
|
674
|
+
:file => current_file_name,
|
675
|
+
:module => @current_module,
|
676
|
+
:class => @current_class,
|
677
|
+
:method => @current_method
|
678
678
|
end
|
679
679
|
|
680
680
|
if exp.lhs.is_a? Symbol
|
@@ -181,11 +181,11 @@ class Railroader::BaseProcessor < Railroader::SexpProcessor
|
|
181
181
|
def process_cdecl exp
|
182
182
|
if @tracker
|
183
183
|
@tracker.add_constant exp.lhs,
|
184
|
-
|
185
|
-
|
186
|
-
|
187
|
-
|
188
|
-
|
184
|
+
exp.rhs,
|
185
|
+
:file => current_file_name,
|
186
|
+
:module => @current_module,
|
187
|
+
:class => @current_class,
|
188
|
+
:method => @current_method
|
189
189
|
end
|
190
190
|
|
191
191
|
exp
|
@@ -2,8 +2,8 @@ require 'cgi'
|
|
2
2
|
|
3
3
|
class Railroader::Report::HTML < Railroader::Report::Base
|
4
4
|
HTML_CONFIDENCE = [ "<span class='high-confidence'>High</span>",
|
5
|
-
|
6
|
-
|
5
|
+
"<span class='med-confidence'>Medium</span>",
|
6
|
+
"<span class='weak-confidence'>Weak</span>" ]
|
7
7
|
|
8
8
|
def initialize *args
|
9
9
|
super
|
@@ -3,7 +3,7 @@
|
|
3
3
|
class Railroader::Report::Tabs < Railroader::Report::Base
|
4
4
|
def generate_report
|
5
5
|
[[:generic_warnings, "General"], [:controller_warnings, "Controller"],
|
6
|
-
|
6
|
+
[:model_warnings, "Model"], [:template_warnings, "Template"]].map do |meth, category|
|
7
7
|
|
8
8
|
self.send(meth).map do |w|
|
9
9
|
line = w.line || 0
|
data/lib/railroader/rescanner.rb
CHANGED
@@ -7,7 +7,7 @@ class Railroader::Rescanner < Railroader::Scanner
|
|
7
7
|
include Railroader::Util
|
8
8
|
KNOWN_TEMPLATE_EXTENSIONS = Railroader::TemplateParser::KNOWN_TEMPLATE_EXTENSIONS
|
9
9
|
SCAN_ORDER = [:config, :gemfile, :initializer, :lib, :routes, :template,
|
10
|
-
|
10
|
+
:model, :controller]
|
11
11
|
|
12
12
|
# Create new Rescanner to scan changed files
|
13
13
|
def initialize options, processor, changed_files
|
data/lib/railroader/tracker.rb
CHANGED
@@ -10,9 +10,9 @@ require 'railroader/tracker/constants'
|
|
10
10
|
# The Tracker keeps track of all the processed information.
|
11
11
|
class Railroader::Tracker
|
12
12
|
attr_accessor :controllers, :constants, :templates, :models, :errors,
|
13
|
-
|
14
|
-
|
15
|
-
|
13
|
+
:checks, :initializers, :config, :routes, :processor, :libs,
|
14
|
+
:template_cache, :options, :filter_cache, :start_time, :end_time,
|
15
|
+
:duration, :ignored_filter
|
16
16
|
|
17
17
|
# Place holder when there should be a model, but it is not
|
18
18
|
# clear what model it will be.
|
data/lib/railroader/version.rb
CHANGED
data/lib/railroader/warning.rb
CHANGED
@@ -5,8 +5,8 @@ require 'railroader/warning_codes'
|
|
5
5
|
# The Warning class stores information about warnings
|
6
6
|
class Railroader::Warning
|
7
7
|
attr_reader :called_from, :check, :class, :confidence, :controller,
|
8
|
-
|
9
|
-
|
8
|
+
:line, :method, :model, :template, :user_input, :user_input_type,
|
9
|
+
:warning_code, :warning_set, :warning_type
|
10
10
|
|
11
11
|
attr_accessor :code, :context, :file, :message, :relative_path
|
12
12
|
|
data/lib/ruby_parser/bm_sexp.rb
CHANGED
@@ -597,10 +597,10 @@ end
|
|
597
597
|
|
598
598
|
# Invalidate hash cache if the Sexp changes
|
599
599
|
[:[]=, :clear, :collect!, :compact!, :concat, :delete, :delete_at,
|
600
|
-
|
601
|
-
|
602
|
-
|
603
|
-
|
600
|
+
:delete_if, :drop, :drop_while, :fill, :flatten!, :replace, :insert,
|
601
|
+
:keep_if, :map!, :pop, :push, :reject!, :replace, :reverse!, :rotate!,
|
602
|
+
:select!, :shift, :shuffle!, :slice!, :sort!, :sort_by!, :transpose,
|
603
|
+
:uniq!, :unshift].each do |method|
|
604
604
|
|
605
605
|
Sexp.class_eval <<-RUBY
|
606
606
|
def #{method} *args
|
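Review bot: `:replace` appears twice in the list of cache-invalidating methods (new lines 600 and 601), so the `Sexp.class_eval` loop that follows defines `Sexp#replace` twice; the second definition overrides the first and Ruby reports a method-redefinition warning under `-w`. Drop the second occurrence: `:keep_if, :map!, :pop, :push, :reject!, :reverse!, :rotate!,`. Separately, `:drop`, `:drop_while` and `:transpose` return a new array rather than mutating the receiver, so wrapping them only clears the hash cache needlessly; if they are kept on purpose a short comment saying so would stop the next reader from "fixing" it. The `each` block body continues past the end of the hunk.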
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: railroader
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 4.3.
|
4
|
+
version: 4.3.8
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- David A. Wheeler and Justin Collins
|
@@ -9,7 +9,7 @@ autorequire:
|
|
9
9
|
bindir: bin
|
10
10
|
cert_chain:
|
11
11
|
- railroader-public_cert.pem
|
12
|
-
date: 2019-
|
12
|
+
date: 2019-06-10 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: ruby_parser
|
@@ -32,6 +32,9 @@ dependencies:
|
|
32
32
|
- - "~>"
|
33
33
|
- !ruby/object:Gem::Version
|
34
34
|
version: '4.7'
|
35
|
+
- - "!="
|
36
|
+
- !ruby/object:Gem::Version
|
37
|
+
version: 4.12.1
|
35
38
|
type: :runtime
|
36
39
|
prerelease: false
|
37
40
|
version_requirements: !ruby/object:Gem::Requirement
|
@@ -39,6 +42,9 @@ dependencies:
|
|
39
42
|
- - "~>"
|
40
43
|
- !ruby/object:Gem::Version
|
41
44
|
version: '4.7'
|
45
|
+
- - "!="
|
46
|
+
- !ruby/object:Gem::Version
|
47
|
+
version: 4.12.1
|
42
48
|
- !ruby/object:Gem::Dependency
|
43
49
|
name: ruby2ruby
|
44
50
|
requirement: !ruby/object:Gem::Requirement
|