railroader 4.3.7 → 4.3.8

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 7f3e3d1142109902243a69df249c4914e374a904da6b861d89ce89e581a6a1e2
4
- data.tar.gz: cea84ff58d67cae53ac7d3e754a8f61115ad6db779078d4e46ef0dffe0f6b5c8
3
+ metadata.gz: 63c5753f1d828b85647b29a336f2e1a7b546a3daf1059ae3779bb539ec87f59e
4
+ data.tar.gz: 92e322786b4fcb354700bbde88384aada983108663988a041a772a2311eb333c
5
5
  SHA512:
6
- metadata.gz: 22d88d8de4ddb0aae8b402309dd73f495780ed4134f9ba098a1fe8e0c21751b2119103470dd3f4d4a3998438c4faa7858e41c4e2cb6f6cab19814b2472438d51
7
- data.tar.gz: bd58f1f7d270a32ea5720b009418d7f49c3179b9c8a4837faa1ba56ae4449b4fe4bbfb0bf6f2c20c650d4b05312302c272489735e80c1e2b080e2796faf87957
6
+ metadata.gz: 2a3b22e608487251cd6f9d6a5c03566f946d9a93e7ead6dc11980c4448c2c9806cf94d750d8e722d7f455e08fec6515ca40f24185fce37a4e9d80899be3ac663
7
+ data.tar.gz: 9b8a383e9ff2221731ee53b98d31986b6ca8b630ba8db43958146f6f89679e6269e25558482db407636f8e8aa84dd94597b222fa31b968c6c85954bc075398fe
data/CHANGES.md CHANGED
@@ -1,3 +1,13 @@
1
+ # 4.3.8
2
+
3
+ * Temporarily prevent use of `sexp_processor` version 4.12.1,
4
+ because it causes an error at
5
+ `lib/railroader/processors/alias_processor.rb:50:in process_safely'`.
6
+ We want to get back to working order quickly, and we can then
7
+ fix things more leisurely.
8
+ * Various code cleanups, trying to make the code easier to read.
9
+
10
+
1
11
  # 4.3.7
2
12
 
3
13
  * We earned a CII Best Practices badge! Show its badge on the README.
@@ -5,7 +15,7 @@
5
15
  * Add information on how to report vulnerabilities in the Railroader
6
16
  application itself.
7
17
  * Update `ruby_parser` to version 3.13.1. This improves and fixes handling of
8
- some Ruby constructs, but it also means that we now longer support
18
+ some Ruby constructs, but it also means that we no longer support
9
19
  running on Ruby 1.9. The last branch of Ruby 1.9 (1.9.3)
10
20
  ended all support on 23 Feb 2015, after a one-year warning, per:
11
21
  https://www.ruby-lang.org/en/news/2015/02/23/support-for-ruby-1-9-3-has-ended/
@@ -13,6 +23,9 @@
13
23
  4 years after support ended, we think this is reasonable.
14
24
  If you really need to run something on Ruby 1.9, forcibly select
15
25
  an older version of Railroader such as 4.3.5.
26
+ It would be possible to support Ruby 1.9 with some extra effort,
27
+ so I've left in a number of stubs for handling Ruby 1.9 in case we do so.
28
+ I suspect we won't bother, but patches welcome.
16
29
 
17
30
  # 4.3.5
18
31
 
data/README.md CHANGED
@@ -3,6 +3,7 @@
3
3
  [![Build Status](https://travis-ci.org/david-a-wheeler/railroader.svg?branch=master)](https://travis-ci.org/david-a-wheeler/railroader)
4
4
  [![Maintainability](https://api.codeclimate.com/v1/badges/1b08a5c74695cb0d11ec/maintainability)](https://codeclimate.com/github/david-a-wheeler/railroader/maintainability)
5
5
  [![Test Coverage](https://api.codeclimate.com/v1/badges/1b08a5c74695cb0d11ec/test_coverage)](https://codeclimate.com/github/david-a-wheeler/railroader/test_coverage)
6
+ [![License](https://img.shields.io/:license-mit-blue.svg)](https://badges.mit-license.org)
6
7
  [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/2514/badge)](https://bestpractices.coreinfrastructure.org/projects/2514)
7
8
  <!-- [![Gitter](https://badges.gitter.im/david-a-wheeler/railroader.svg)](https://gitter.im/david-a-wheeler/railroader) -->
8
9
 
@@ -20,12 +20,12 @@ class Railroader::CheckContentTag < Railroader::CheckCrossSiteScripting
20
20
 
21
21
  def run_check
22
22
  @ignore_methods = Set[:button_to, :check_box, :escapeHTML, :escape_once,
23
- :field_field, :fields_for, :h, :hidden_field,
24
- :hidden_field, :hidden_field_tag, :image_tag, :label,
25
- :mail_to, :radio_button, :select,
26
- :submit_tag, :text_area, :text_field,
27
- :text_field_tag, :url_encode, :u, :url_for,
28
- :will_paginate].merge tracker.options[:safe_methods]
23
+ :field_field, :fields_for, :h, :hidden_field,
24
+ :hidden_field, :hidden_field_tag, :image_tag, :label,
25
+ :mail_to, :radio_button, :select,
26
+ :submit_tag, :text_area, :text_field,
27
+ :text_field_tag, :url_encode, :u, :url_for,
28
+ :will_paginate].merge tracker.options[:safe_methods]
29
29
 
30
30
  @known_dangerous = []
31
31
  @content_tags = tracker.find_call :target => false, :method => :content_tag
@@ -282,12 +282,12 @@ class Railroader::CheckCrossSiteScripting < Railroader::BaseCheck
282
282
 
283
283
  def setup
284
284
  @ignore_methods = Set[:==, :!=, :button_to, :check_box, :content_tag, :escapeHTML, :escape_once,
285
- :field_field, :fields_for, :h, :hidden_field,
286
- :hidden_field, :hidden_field_tag, :image_tag, :label,
287
- :link_to, :mail_to, :radio_button, :select,
288
- :submit_tag, :text_area, :text_field,
289
- :text_field_tag, :url_encode, :u, :url_for,
290
- :will_paginate].merge tracker.options[:safe_methods]
285
+ :field_field, :fields_for, :h, :hidden_field,
286
+ :hidden_field, :hidden_field_tag, :image_tag, :label,
287
+ :link_to, :mail_to, :radio_button, :select,
288
+ :submit_tag, :text_area, :text_field,
289
+ :text_field_tag, :url_encode, :u, :url_for,
290
+ :will_paginate].merge tracker.options[:safe_methods]
291
291
 
292
292
  @models = tracker.models.keys
293
293
  @inspect_arguments = tracker.options[:check_arguments]
@@ -14,9 +14,9 @@ class Railroader::CheckExecute < Railroader::BaseCheck
14
14
  @description = "Finds instances of possible command injection"
15
15
 
16
16
  SAFE_VALUES = [s(:const, :RAILS_ROOT),
17
- s(:call, s(:const, :Rails), :root),
18
- s(:call, s(:const, :Rails), :env),
19
- s(:call, s(:const, :Process), :pid)]
17
+ s(:call, s(:const, :Rails), :root),
18
+ s(:call, s(:const, :Rails), :env),
19
+ s(:call, s(:const, :Process), :pid)]
20
20
 
21
21
  SHELL_ESCAPES = [:escape, :shellescape, :join]
22
22
 
@@ -32,8 +32,8 @@ class Railroader::CheckExecute < Railroader::BaseCheck
32
32
  Railroader.debug "Finding other system calls"
33
33
  calls = tracker.find_call :targets => [:IO, :Open3, :Kernel, :'POSIX::Spawn', :Process, nil],
34
34
  :methods => [:capture2, :capture2e, :capture3, :exec, :pipeline, :pipeline_r,
35
- :pipeline_rw, :pipeline_start, :pipeline_w, :popen, :popen2, :popen2e,
36
- :popen3, :spawn, :syscall, :system], :nested => true
35
+ :pipeline_rw, :pipeline_start, :pipeline_w, :popen, :popen2, :popen2e,
36
+ :popen3, :spawn, :syscall, :system], :nested => true
37
37
 
38
38
  Railroader.debug "Processing system calls"
39
39
  calls.each do |result|
@@ -13,12 +13,12 @@ class Railroader::CheckLinkTo < Railroader::CheckCrossSiteScripting
13
13
  return unless version_between?("2.0.0", "2.9.9") and not tracker.config.escape_html?
14
14
 
15
15
  @ignore_methods = Set[:button_to, :check_box, :escapeHTML, :escape_once,
16
- :field_field, :fields_for, :h, :hidden_field,
17
- :hidden_field, :hidden_field_tag, :image_tag, :label,
18
- :mail_to, :radio_button, :select,
19
- :submit_tag, :text_area, :text_field,
20
- :text_field_tag, :url_encode, :u, :url_for,
21
- :will_paginate].merge tracker.options[:safe_methods]
16
+ :field_field, :fields_for, :h, :hidden_field,
17
+ :hidden_field, :hidden_field_tag, :image_tag, :label,
18
+ :mail_to, :radio_button, :select,
19
+ :submit_tag, :text_area, :text_field,
20
+ :text_field_tag, :url_encode, :u, :url_for,
21
+ :will_paginate].merge tracker.options[:safe_methods]
22
22
 
23
23
  @known_dangerous = []
24
24
  # Ideally, I think this should also check to see if people are setting
@@ -13,12 +13,12 @@ class Railroader::CheckLinkToHref < Railroader::CheckLinkTo
13
13
 
14
14
  def run_check
15
15
  @ignore_methods = Set[:button_to, :check_box,
16
- :field_field, :fields_for, :hidden_field,
17
- :hidden_field, :hidden_field_tag, :image_tag, :label,
18
- :mail_to, :polymorphic_url, :radio_button, :select, :slice,
19
- :submit_tag, :text_area, :text_field,
20
- :text_field_tag, :url_encode, :u,
21
- :will_paginate].merge(tracker.options[:url_safe_methods] || [])
16
+ :field_field, :fields_for, :hidden_field,
17
+ :hidden_field, :hidden_field_tag, :image_tag, :label,
18
+ :mail_to, :polymorphic_url, :radio_button, :select, :slice,
19
+ :submit_tag, :text_area, :text_field,
20
+ :text_field_tag, :url_encode, :u,
21
+ :will_paginate].merge(tracker.options[:url_safe_methods] || [])
22
22
 
23
23
  @models = tracker.models.keys
24
24
  @inspect_arguments = tracker.options[:check_arguments]
@@ -35,19 +35,14 @@ class Railroader::CheckMassAssignment < Railroader::BaseCheck
35
35
  return [] if models.empty?
36
36
 
37
37
  Railroader.debug "Finding possible mass assignment calls on #{models.length} models"
38
- @mass_assign_calls = tracker.find_call :chained => true, :targets => models, :methods => [:new,
39
- :attributes=,
40
- :update_attributes,
41
- :update_attributes!,
42
- :create,
43
- :create!,
44
- :build,
45
- :first_or_create,
46
- :first_or_create!,
47
- :first_or_initialize!,
48
- :assign_attributes,
49
- :update
50
- ]
38
+ @mass_assign_calls = tracker.find_call :chained => true,
39
+ :targets => models,
40
+ :methods => [
41
+ :new, :attributes=, :update_attributes,
42
+ :update_attributes!, :create, :create!, :build,
43
+ :first_or_create, :first_or_create!,
44
+ :first_or_initialize!, :assign_attributes, :update
45
+ ]
51
46
  end
52
47
 
53
48
  def check_mass_assignment
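Review bot: The reflowed `:methods` list at new lines 40-45 still carries `:first_or_initialize!` but not `:first_or_initialize`; as far as I recall ActiveRecord's Relation defines only the latter (next to `first_or_create` and `first_or_create!`), so a sink such as `Model.where(...).first_or_initialize(params[:model])` would not be reported by this check. I would add `:first_or_initialize` to the list and, if the check is also meant to cover Rails 4+, consider `:update!`, `:find_or_create_by` and `:find_or_initialize_by`, which take the same attribute hash — confirm against the Rails versions the tracker targets before widening it. The enclosing method begins before this hunk.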
@@ -30,7 +30,7 @@ class Railroader::CheckSQL < Railroader::BaseCheck
30
30
  end
31
31
 
32
32
  @connection_calls = [:delete, :execute, :insert, :select_all, :select_one,
33
- :select_rows, :select_value, :select_values]
33
+ :select_rows, :select_value, :select_values]
34
34
 
35
35
  if tracker.options[:rails3]
36
36
  @connection_calls.concat [:exec_delete, :exec_insert, :exec_query, :exec_update]
@@ -574,11 +574,11 @@ class Railroader::CheckSQL < Railroader::BaseCheck
574
574
  end
575
575
 
576
576
  IGNORE_METHODS_IN_SQL = Set[:id, :merge_conditions, :table_name, :quoted_table_name,
577
- :quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array,
578
- :sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,
579
- :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
580
- :to_sql, :sanitize, :primary_key, :table_name_prefix, :table_name_suffix,
581
- :where_values_hash, :foreign_key
577
+ :quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array,
578
+ :sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,
579
+ :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
580
+ :to_sql, :sanitize, :primary_key, :table_name_prefix, :table_name_suffix,
581
+ :where_values_hash, :foreign_key
582
582
  ]
583
583
 
584
584
  def safe_value? exp
@@ -17,12 +17,11 @@ class Railroader::CheckWithoutProtection < Railroader::BaseCheck
17
17
  return if active_record_models.empty?
18
18
 
19
19
  Railroader.debug "Finding all mass assignments"
20
- calls = tracker.find_call :targets => active_record_models.keys, :methods => [:new,
21
- :attributes=,
22
- :update_attributes,
23
- :update_attributes!,
24
- :create,
25
- :create!]
20
+ calls = tracker.find_call :targets => active_record_models.keys,
21
+ :methods => [
22
+ :new, :attributes=, :update_attributes, :update_attributes!,
23
+ :create, :create!
24
+ ]
26
25
 
27
26
  Railroader.debug "Processing all mass assignments"
28
27
  calls.each do |result|
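Review bot: The reflowed `:methods` list at new lines 21-24 does not include `:assign_attributes` or `:build`, both of which, as far as I recall, accepted the `:without_protection` option in Rails 3.1/3.2 (the only releases that had the option), so `record.assign_attributes(params[:x], :without_protection => true)` would pass this check unnoticed. If that recollection holds, adding `:assign_attributes` (and `:build`, if association builders are in scope here) closes the gap; the sibling CheckMassAssignment list in this same release already tracks both names. The enclosing method starts and ends outside this hunk.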
@@ -204,9 +204,9 @@ module Railroader::Options
204
204
  end
205
205
 
206
206
  opts.on "-f",
207
- "--format TYPE",
208
- [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table],
209
- "Specify output formats. Default is text" do |type|
207
+ "--format TYPE",
208
+ [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table],
209
+ "Specify output formats. Default is text" do |type|
210
210
 
211
211
  type = "s" if type == :text
212
212
  options[:output_format] = ("to_" << type.to_s).to_sym
@@ -282,9 +282,9 @@ module Railroader::Options
282
282
  end
283
283
 
284
284
  opts.on "-w",
285
- "--confidence-level LEVEL",
286
- ["1", "2", "3"],
287
- "Set minimal confidence level (1 - 3)" do |level|
285
+ "--confidence-level LEVEL",
286
+ ["1", "2", "3"],
287
+ "Set minimal confidence level (1 - 3)" do |level|
288
288
 
289
289
  options[:min_confidence] = 3 - level.to_i
290
290
  end
@@ -670,11 +670,11 @@ class Railroader::AliasProcessor < Railroader::SexpProcessor
670
670
 
671
671
  if @tracker
672
672
  @tracker.add_constant exp.lhs,
673
- exp.rhs,
674
- :file => current_file_name,
675
- :module => @current_module,
676
- :class => @current_class,
677
- :method => @current_method
673
+ exp.rhs,
674
+ :file => current_file_name,
675
+ :module => @current_module,
676
+ :class => @current_class,
677
+ :method => @current_method
678
678
  end
679
679
 
680
680
  if exp.lhs.is_a? Symbol
@@ -181,11 +181,11 @@ class Railroader::BaseProcessor < Railroader::SexpProcessor
181
181
  def process_cdecl exp
182
182
  if @tracker
183
183
  @tracker.add_constant exp.lhs,
184
- exp.rhs,
185
- :file => current_file_name,
186
- :module => @current_module,
187
- :class => @current_class,
188
- :method => @current_method
184
+ exp.rhs,
185
+ :file => current_file_name,
186
+ :module => @current_module,
187
+ :class => @current_class,
188
+ :method => @current_method
189
189
  end
190
190
 
191
191
  exp
@@ -2,8 +2,8 @@ require 'cgi'
2
2
 
3
3
  class Railroader::Report::HTML < Railroader::Report::Base
4
4
  HTML_CONFIDENCE = [ "<span class='high-confidence'>High</span>",
5
- "<span class='med-confidence'>Medium</span>",
6
- "<span class='weak-confidence'>Weak</span>" ]
5
+ "<span class='med-confidence'>Medium</span>",
6
+ "<span class='weak-confidence'>Weak</span>" ]
7
7
 
8
8
  def initialize *args
9
9
  super
@@ -3,7 +3,7 @@
3
3
  class Railroader::Report::Tabs < Railroader::Report::Base
4
4
  def generate_report
5
5
  [[:generic_warnings, "General"], [:controller_warnings, "Controller"],
6
- [:model_warnings, "Model"], [:template_warnings, "Template"]].map do |meth, category|
6
+ [:model_warnings, "Model"], [:template_warnings, "Template"]].map do |meth, category|
7
7
 
8
8
  self.send(meth).map do |w|
9
9
  line = w.line || 0
@@ -7,7 +7,7 @@ class Railroader::Rescanner < Railroader::Scanner
7
7
  include Railroader::Util
8
8
  KNOWN_TEMPLATE_EXTENSIONS = Railroader::TemplateParser::KNOWN_TEMPLATE_EXTENSIONS
9
9
  SCAN_ORDER = [:config, :gemfile, :initializer, :lib, :routes, :template,
10
- :model, :controller]
10
+ :model, :controller]
11
11
 
12
12
  # Create new Rescanner to scan changed files
13
13
  def initialize options, processor, changed_files
@@ -10,9 +10,9 @@ require 'railroader/tracker/constants'
10
10
  # The Tracker keeps track of all the processed information.
11
11
  class Railroader::Tracker
12
12
  attr_accessor :controllers, :constants, :templates, :models, :errors,
13
- :checks, :initializers, :config, :routes, :processor, :libs,
14
- :template_cache, :options, :filter_cache, :start_time, :end_time,
15
- :duration, :ignored_filter
13
+ :checks, :initializers, :config, :routes, :processor, :libs,
14
+ :template_cache, :options, :filter_cache, :start_time, :end_time,
15
+ :duration, :ignored_filter
16
16
 
17
17
  # Place holder when there should be a model, but it is not
18
18
  # clear what model it will be.
@@ -1,3 +1,3 @@
1
1
  module Railroader
2
- Version = "4.3.7"
2
+ Version = "4.3.8"
3
3
  end
@@ -5,8 +5,8 @@ require 'railroader/warning_codes'
5
5
  # The Warning class stores information about warnings
6
6
  class Railroader::Warning
7
7
  attr_reader :called_from, :check, :class, :confidence, :controller,
8
- :line, :method, :model, :template, :user_input, :user_input_type,
9
- :warning_code, :warning_set, :warning_type
8
+ :line, :method, :model, :template, :user_input, :user_input_type,
9
+ :warning_code, :warning_set, :warning_type
10
10
 
11
11
  attr_accessor :code, :context, :file, :message, :relative_path
12
12
 
@@ -597,10 +597,10 @@ end
597
597
 
598
598
  # Invalidate hash cache if the Sexp changes
599
599
  [:[]=, :clear, :collect!, :compact!, :concat, :delete, :delete_at,
600
- :delete_if, :drop, :drop_while, :fill, :flatten!, :replace, :insert,
601
- :keep_if, :map!, :pop, :push, :reject!, :replace, :reverse!, :rotate!,
602
- :select!, :shift, :shuffle!, :slice!, :sort!, :sort_by!, :transpose,
603
- :uniq!, :unshift].each do |method|
600
+ :delete_if, :drop, :drop_while, :fill, :flatten!, :replace, :insert,
601
+ :keep_if, :map!, :pop, :push, :reject!, :replace, :reverse!, :rotate!,
602
+ :select!, :shift, :shuffle!, :slice!, :sort!, :sort_by!, :transpose,
603
+ :uniq!, :unshift].each do |method|
604
604
 
605
605
  Sexp.class_eval <<-RUBY
606
606
  def #{method} *args
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: railroader
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.3.7
4
+ version: 4.3.8
5
5
  platform: ruby
6
6
  authors:
7
7
  - David A. Wheeler and Justin Collins
@@ -9,7 +9,7 @@ autorequire:
9
9
  bindir: bin
10
10
  cert_chain:
11
11
  - railroader-public_cert.pem
12
- date: 2019-05-11 00:00:00.000000000 Z
12
+ date: 2019-06-10 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: ruby_parser
@@ -32,6 +32,9 @@ dependencies:
32
32
  - - "~>"
33
33
  - !ruby/object:Gem::Version
34
34
  version: '4.7'
35
+ - - "!="
36
+ - !ruby/object:Gem::Version
37
+ version: 4.12.1
35
38
  type: :runtime
36
39
  prerelease: false
37
40
  version_requirements: !ruby/object:Gem::Requirement
@@ -39,6 +42,9 @@ dependencies:
39
42
  - - "~>"
40
43
  - !ruby/object:Gem::Version
41
44
  version: '4.7'
45
+ - - "!="
46
+ - !ruby/object:Gem::Version
47
+ version: 4.12.1
42
48
  - !ruby/object:Gem::Dependency
43
49
  name: ruby2ruby
44
50
  requirement: !ruby/object:Gem::Requirement
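Review bot: The new `!= 4.12.1` exclusion on the sexp_processor dependency (new lines 35-37 and 45-47) blocks only that one release, while `~> 4.7` still admits 4.12.2 and every later 4.x; if the `process_safely` failure noted in CHANGES.md stems from a behavioural change in sexp_processor rather than a one-off bug, a fresh resolve will pull the next release and break in the same way. Until lib/railroader/processors/alias_processor.rb is adapted, a cap such as `~> 4.7, < 4.12.1` is the safer stop-gap, with a tracked follow-up to lift it. This file is generated from the gemspec, so the real edit belongs in railroader.gemspec, which is not shown on this page.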