rails_app_generator 0.2.28 → 0.2.31
- checksums.yaml +4 -4
- data/CHANGELOG.md +21 -0
- data/after_templates/addons/brakeman/_.rb +70 -0
- data/after_templates/addons/brakeman/app/controllers/home_controller.rb +16 -0
- data/after_templates/addons/brakeman/app/controllers/posts_controller.rb +65 -0
- data/after_templates/addons/brakeman/app/views/home/examples.html.erb +43 -0
- data/after_templates/addons/brakeman/app/views/home/index.html.erb +93 -0
- data/after_templates/addons/brakeman/app/views/home/output.html.erb +145 -0
- data/after_templates/addons/brakeman/app/views/layouts/_footer.html.erb +1 -0
- data/after_templates/addons/brakeman/app/views/layouts/_navbar.html.erb +4 -0
- data/after_templates/addons/brakeman/app/views/layouts/application.html.erb +29 -0
- data/after_templates/addons/brakeman/db/seeds.rb +7 -0
- data/after_templates/addons/rolify/_.rb +49 -0
- data/after_templates/addons/rolify/app/controllers/home_controller.rb +35 -0
- data/after_templates/addons/rolify/app/controllers/rolify_controller.rb +26 -0
- data/after_templates/addons/rolify/app/models/post.rb +3 -0
- data/after_templates/addons/rolify/app/models/user.rb +25 -0
- data/after_templates/addons/rolify/app/views/home/_roles.html.erb +5 -0
- data/after_templates/addons/rolify/app/views/home/bossy_boots.html.erb +5 -0
- data/after_templates/addons/rolify/app/views/home/index.html.erb +37 -0
- data/after_templates/addons/rolify/app/views/home/super_hero.html.erb +5 -0
- data/after_templates/addons/rolify/app/views/home/use_in_moderation.html.erb +5 -0
- data/after_templates/addons/rolify/app/views/home/use_me.html.erb +5 -0
- data/after_templates/addons/rolify/app/views/layouts/_footer.html.erb +1 -0
- data/after_templates/addons/rolify/app/views/layouts/_navbar.html.erb +18 -0
- data/after_templates/addons/rolify/app/views/layouts/application.html.erb +52 -0
- data/after_templates/addons/rolify/app/views/rolify/_form.html.erb +61 -0
- data/after_templates/addons/rolify/app/views/rolify/_user.html.erb +34 -0
- data/after_templates/addons/rolify/app/views/rolify/edit.html.erb +4 -0
- data/after_templates/addons/rolify/app/views/rolify/show.html.erb +5 -0
- data/after_templates/addons/rolify/db/seeds.rb +19 -0
- data/docs/last_run/app_generator_class.json +16 -0
- data/docs/last_run/app_generator_data.json +7 -5
- data/docs/last_run/rails_options_class.json +16 -0
- data/docs/last_run/rails_options_data.json +7 -5
- data/lib/rails_app_generator/addons/brakeman.rb +13 -0
- data/lib/rails_app_generator/addons/devise.rb +12 -3
- data/lib/rails_app_generator/addons/rolify.rb +3 -22
- data/lib/rails_app_generator/app_generator.rb +1 -0
- data/lib/rails_app_generator/rag_initializer.rb +1 -0
- data/lib/rails_app_generator/version.rb +1 -1
- data/package-lock.json +2 -2
- data/package.json +1 -1
- data/profiles/addons/brakeman.json +13 -0
- data/profiles/addons/rolify.json +17 -0
- data/templates/thor_task/profile/profile.json.tt +1 -0
- metadata +34 -4
- data/28: +0 -0
- data/app:template +0 -0
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 15c23f59cc83f0c3dd3ff9cabeef80af80d2a14bd18d8d890dbb100640bab22a
|
4
|
+
data.tar.gz: 8acba70cf8a79185c8395f96762caa575968fb3521967ca4d1e80f282014d816
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 137bc8d24086e7914baf7f332c7a1ff6bf7db9845771b007e545e9882895c886a1379da9f97fd5156a07902bf849ca2bac720cc981843cabba032107e8588714
|
7
|
+
data.tar.gz: 8856d3e93f801687e6c9f3ec5a7581387c1109cfa224b3db479587527ec209ca09c2220b54a960ab29108c5fc6372aaad0c7eda71eed6761eaf876e51150f47d
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,24 @@
|
|
1
|
+
## [0.2.30](https://github.com/klueless-io/rails_app_generator/compare/v0.2.29...v0.2.30) (2022-08-19)
|
2
|
+
|
3
|
+
|
4
|
+
### Bug Fixes
|
5
|
+
|
6
|
+
* add brakeman addon ([1dcc1c2](https://github.com/klueless-io/rails_app_generator/commit/1dcc1c2b904d35f557daa688111baeaa0fa71495))
|
7
|
+
|
8
|
+
## [0.2.29](https://github.com/klueless-io/rails_app_generator/compare/v0.2.28...v0.2.29) (2022-08-19)
|
9
|
+
|
10
|
+
|
11
|
+
### Bug Fixes
|
12
|
+
|
13
|
+
* add rolify profile ([af0579e](https://github.com/klueless-io/rails_app_generator/commit/af0579e3c707c53e423ff9ce2e1b25a2715a75a5))
|
14
|
+
|
15
|
+
## [0.2.28](https://github.com/klueless-io/rails_app_generator/compare/v0.2.27...v0.2.28) (2022-08-17)
|
16
|
+
|
17
|
+
|
18
|
+
### Bug Fixes
|
19
|
+
|
20
|
+
* add rolify addon ([804ecf1](https://github.com/klueless-io/rails_app_generator/commit/804ecf1ba1fe1a56512b6d335a77558b0da3ad97))
|
21
|
+
|
1
22
|
## [0.2.27](https://github.com/klueless-io/rails_app_generator/compare/v0.2.26...v0.2.27) (2022-08-17)
|
2
23
|
|
3
24
|
|
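--- a/data/after_templates/addons/brakeman/_.rb
+++ b/data/after_templates/addons/brakeman/_.rb
@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+# Description goes here
+#
+# exe/rag addons/brakeman
+
+self.local_template_path = File.dirname(__FILE__)
+
+gac 'base rails 7 image created'
+
+prepare_environment
+
+after_bundle do
+scaffolds
+setup_customizations
+setup_db
+end
+
+def scaffolds
+add_scaffold('post', 'title', 'body:text')
+# add_scaffold('people', 'first_name', 'last_name', 'age:integer', 'address:text')
+# add_scaffold('product', 'name', 'price:integer')
+end
+
+def setup_customizations
+route("root 'home#index'")
+
+force_copy
+
+add_controller('home', 'index', 'examples', 'output')
+
+directory "app/controllers"
+directory "app/models"
+directory "app/views"
+template 'app/views/layouts/application.html.erb' , 'app/views/layouts/application.html.erb'
+end
+
+def setup_db
+template 'db/seeds.rb' , 'db/seeds.rb'
+
+db_migrate
+db_seed
+end
+
+# Other template command examples
+# prepare_environment
+# bundle_install
+# css_install('tailwind')
+# rails_command('db:migrate')
+# rails_command('db:migrate')
+# bundle_add('hotwire-rails')
+# rails_command('hotwire:install')
+# run('bin/importmap pin sortablejs')
+# run('npm install daisyui')
+# rubocop
+#
+# directory 'app/assets/images'
+# create_file 'app/assets/stylesheets/custom-bootstrap-import.scss' , read_template('custom-bootstrap-import.scss')
+# append_to_file 'app/assets/config/manifest.js' , read_template('manifest.js')
+# insert_into_file 'app/views/layouts/application.html.erb', read_template('application.html.erb'),
+# before: %( <%= javascript_include_tag "application", "data-turbo-track": "reload", defer: true %>)
+# gsub_file 'app/views/layouts/application.html.erb', %(container mx-auto mt-28 px-5 flex), 'container mx-auto px-5'
+# template 'home.css', 'app/assets/stylesheets/home.css'
+#
+# add_controller('page', 'benefits', 'faq', 'terms', 'privacy', '--skip-routes')
+# route(<<-'RUBY')
+# PageController.action_methods.each do |action|
+# get "/#{action}", to: "page##{action}", as: "page_#{action}"
+# end
+# RUBY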
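Review bot: The header comment at line 3 is still the scaffold placeholder `# Description goes here`, while the rolify template in the same release opens with a real one-line purpose; replace it with something like `# Brakeman static-analysis addon: generates sample controllers that the scanner flags`. Lines 49 and 50 of the commented examples repeat `# rails_command('db:migrate')` verbatim, so one of them can go. `directory "app/models"` at line 33 copies a source directory that this release's file list does not include for the brakeman addon; if the generator's `directory` helper silently skips a missing source the line is harmless but dead, and it could be removed — confirm against the helper.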
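--- a/data/after_templates/addons/brakeman/app/controllers/home_controller.rb
+++ b/data/after_templates/addons/brakeman/app/controllers/home_controller.rb
@@ -0,0 +1,16 @@
+class HomeController < ApplicationController
+def index
+xmen_or_avengers = params[:xmen_or_avengers] || 'xmen'
+puts send(xmen_or_avengers.to_sym)
+end
+
+private
+
+def xmen
+'Wolverine'
+end
+
+def avengers
+'Captain America'
+end
+end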
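Review bot: This controller exists to trigger Brakeman's Send check, but unlike posts_controller.rb in this release (which labels its deliberately dangerous `show` at its line 8) nothing here says the user-controlled `send` at line 4 is intentional, so a reader of the generated app may copy it as working code. Add the same kind of label above `index`, e.g. `# Dangerous Send - method name comes from params; deliberately flagged by Brakeman's CheckSend, do not reuse`. `puts` at line 4 writes to the server's stdout rather than the response, so the action renders the default view whatever the result; if that is intended, the comment should say so.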
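--- a/data/after_templates/addons/brakeman/app/controllers/posts_controller.rb
+++ b/data/after_templates/addons/brakeman/app/controllers/posts_controller.rb
@@ -0,0 +1,65 @@
+class PostsController < ApplicationController
+before_action :set_post, only: %i[ show edit update destroy ]
+
+def index
+@posts = Post.all
+end
+
+# Dangerous Evaluation - User input in an eval statement is VERY dangerous
+def show
+message = params[:message] || 'hello world'
+
+eval("echo '#{message}'")
+end
+
+def new
+@post = Post.new
+end
+
+def edit
+end
+
+def create
+@post = Post.new(post_params)
+
+respond_to do |format|
+if @post.save
+format.html { redirect_to post_url(@post), notice: "Post was successfully created." }
+format.json { render :show, status: :created, location: @post }
+else
+format.html { render :new, status: :unprocessable_entity }
+format.json { render json: @post.errors, status: :unprocessable_entity }
+end
+end
+end
+
+def update
+respond_to do |format|
+if @post.update(post_params)
+format.html { redirect_to post_url(@post), notice: "Post was successfully updated." }
+format.json { render :show, status: :ok, location: @post }
+else
+format.html { render :edit, status: :unprocessable_entity }
+format.json { render json: @post.errors, status: :unprocessable_entity }
+end
+end
+end
+
+def destroy
+@post.destroy
+
+respond_to do |format|
+format.html { redirect_to posts_url, notice: "Post was successfully destroyed." }
+format.json { head :no_content }
+end
+end
+
+private
+def set_post
+@post = Post.find(params[:id])
+end
+
+def post_params
+params.require(:post).permit(:title, :body)
+end
+end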
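Review bot: The `show` body at lines 10–12 evaluates the string `echo '…'`, which is not valid Ruby, so every request to a post's show page raises NoMethodError before the view renders; the demo makes the scaffolded show action unusable rather than merely producing a scanner finding. If the goal is only the Brakeman report, keep the flagged code but stop it executing outside development with `return head(:not_found) unless Rails.env.development?` as the first line of `show`, and extend the comment at line 8 to say the action is a deliberate scanner target; Brakeman's static check should still report the eval. Line 57's `private` is followed directly by `def set_post` with no blank line, unlike the spacing used in the rest of the file.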
@@ -0,0 +1,43 @@
|
|
1
|
+
<h1>Brakeman</h1>
|
2
|
+
|
3
|
+
<h2>Examples</h2>
|
4
|
+
|
5
|
+
<p>Run the brakeman command from the root of your rails application</p>
|
6
|
+
|
7
|
+
<pre><code>brakeman</code></pre>
|
8
|
+
|
9
|
+
<h2>Example code that fails analysis</h2>
|
10
|
+
|
11
|
+
<h3>Dangerous Evaluation - User input in an eval statement is VERY dangerous</h3>
|
12
|
+
|
13
|
+
<code>app/controllers/posts_controller.rb</code>
|
14
|
+
|
15
|
+
<pre><code> def show
|
16
|
+
message = params[:message] || 'hello world'
|
17
|
+
|
18
|
+
eval("echo '#{message}'")
|
19
|
+
end
|
20
|
+
</code></pre>
|
21
|
+
|
22
|
+
|
23
|
+
<h3>Dangerous Send - Using unfiltered user data to select a Class or Method to be dynamically sent is dangerous.</h3>
|
24
|
+
|
25
|
+
<code>app/controllers/home_controller.rb</code>
|
26
|
+
|
27
|
+
<pre><code>class HomeController < ApplicationController
|
28
|
+
def index
|
29
|
+
xmen_or_avengers = params[:xmen_or_avengers] || 'xmen'
|
30
|
+
puts send(xmen_or_avengers.to_sym)
|
31
|
+
end
|
32
|
+
|
33
|
+
private
|
34
|
+
|
35
|
+
def xmen
|
36
|
+
'Wolverine'
|
37
|
+
end
|
38
|
+
|
39
|
+
def avengers
|
40
|
+
'Captain America'
|
41
|
+
end
|
42
|
+
end
|
43
|
+
</code></pre>
|
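Review bot: The raw `<` in `class HomeController < ApplicationController` at line 27 sits inside `<pre><code>` unescaped; browsers tolerate `<` followed by a space, but it should be written `&lt;` so the page is valid HTML and survives stricter parsers. Any further Ruby pasted into these examples will need the same treatment.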
@@ -0,0 +1,93 @@
|
|
1
|
+
<h1>Brakeman</h1>
|
2
|
+
|
3
|
+
<h2>Usage</h2>
|
4
|
+
|
5
|
+
<p>Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications</p>
|
6
|
+
|
7
|
+
<pre>
|
8
|
+
<code>
|
9
|
+
Usage: brakeman [options] rails/root/path
|
10
|
+
-n, --no-threads Run checks and file parsing sequentially
|
11
|
+
--[no-]progress Show progress reports
|
12
|
+
-p, --path PATH Specify path to Rails application
|
13
|
+
-q, --[no-]quiet Suppress informational messages
|
14
|
+
-z, --[no-]exit-on-warn Exit code is non-zero if warnings found (Default)
|
15
|
+
--[no-]exit-on-error Exit code is non-zero if errors raised (Default)
|
16
|
+
--ensure-latest Fail when Brakeman is outdated
|
17
|
+
--ensure-ignore-notes Fail when an ignored warnings does not include a note
|
18
|
+
-3, --rails3 Force Rails 3 mode
|
19
|
+
-4, --rails4 Force Rails 4 mode
|
20
|
+
-5, --rails5 Force Rails 5 mode
|
21
|
+
-6, --rails6 Force Rails 6 mode
|
22
|
+
-7, --rails7 Force Rails 7 mode
|
23
|
+
|
24
|
+
Scanning options:
|
25
|
+
-A, --run-all-checks Run all default and optional checks
|
26
|
+
-a, --[no-]assume-routes Assume all controller methods are actions (Default)
|
27
|
+
-e, --escape-html Escape HTML by default
|
28
|
+
--faster Faster, but less accurate scan
|
29
|
+
--ignore-model-output Consider model attributes XSS-safe
|
30
|
+
--ignore-protected Consider models with attr_protected safe
|
31
|
+
--[no-]index-libs Add libraries to call index (Default)
|
32
|
+
--interprocedural Process method calls to known methods
|
33
|
+
--no-branching Disable flow sensitivity on conditionals
|
34
|
+
--branch-limit LIMIT Limit depth of values in branches (-1 for no limit)
|
35
|
+
--parser-timeout SECONDS Set parse timeout (Default: 10)
|
36
|
+
-r, --report-direct Only report direct use of untrusted data
|
37
|
+
-s meth1,meth2,etc, Set methods as safe for unescaped output in views
|
38
|
+
--safe-methods
|
39
|
+
--sql-safe-methods meth1,meth2,etc
|
40
|
+
Do not warn of SQL if the input is wrapped in a safe method
|
41
|
+
--url-safe-methods method1,method2,etc
|
42
|
+
Do not warn of XSS if the link_to href parameter is wrapped in a safe method
|
43
|
+
--skip-files file1,path2,etc Skip processing of these files/directories. Directories are application relative and must end in "/"
|
44
|
+
--only-files file1,path2,etc Process only these files/directories. Directories are application relative and must end in "/"
|
45
|
+
--[no-]skip-vendor Skip processing vendor directory (Default)
|
46
|
+
--skip-libs Skip processing lib directory
|
47
|
+
--add-libs-path path1,path2,etc
|
48
|
+
An application relative lib directory (ex. app/mailers) to process
|
49
|
+
--add-engines-path path1,path2,etc
|
50
|
+
Include these engines in the scan
|
51
|
+
-E, --enable Check1,Check2,etc Enable the specified checks
|
52
|
+
-t, --test Check1,Check2,etc Only run the specified checks
|
53
|
+
-x, --except Check1,Check2,etc Skip the specified checks
|
54
|
+
--add-checks-path path1,path2,etc
|
55
|
+
A directory containing additional out-of-tree checks to run
|
56
|
+
|
57
|
+
Output options:
|
58
|
+
-d, --debug Lots of output
|
59
|
+
-f, --format TYPE Specify output formats. Default is text
|
60
|
+
--css-file CSSFile Specify CSS to use for HTML output
|
61
|
+
-i, --ignore-config IGNOREFILE Use configuration to ignore warnings
|
62
|
+
-I, --interactive-ignore Interactively ignore warnings
|
63
|
+
-l, --[no-]combine-locations Combine warning locations (Default)
|
64
|
+
--[no-]highlights Highlight user input in report
|
65
|
+
--[no-]color Use ANSI colors in report (Default)
|
66
|
+
-m, --routes Report controller information
|
67
|
+
--message-limit LENGTH Limit message length in HTML report
|
68
|
+
--[no-]pager Use pager for output to terminal (Default)
|
69
|
+
--table-width WIDTH Limit table width in text report
|
70
|
+
-o, --output FILE Specify files for output. Defaults to stdout. Multiple '-o's allowed
|
71
|
+
--[no-]separate-models Warn on each model without attr_accessible (Default)
|
72
|
+
--[no-]summary Only output summary of warnings
|
73
|
+
--absolute-paths Output absolute file paths in reports
|
74
|
+
--github-repo USER/REPO[/PATH][@REF]
|
75
|
+
Output links to GitHub in markdown and HTML reports using specified repo
|
76
|
+
--text-fields field1,field2,etc.
|
77
|
+
Specify fields for text report format
|
78
|
+
-w, --confidence-level LEVEL Set minimal confidence level (1 - 3)
|
79
|
+
--compare FILE Compare the results of a previous Brakeman scan (only JSON is supported)
|
80
|
+
|
81
|
+
Configuration files:
|
82
|
+
-c, --config-file FILE Use specified configuration file
|
83
|
+
-C, --create-config [FILE] Output configuration file based on options
|
84
|
+
--allow-check-paths-in-config
|
85
|
+
Allow loading checks from configuration file (Unsafe)
|
86
|
+
|
87
|
+
-k, --checks List all available vulnerability checks
|
88
|
+
--optional-checks List optional checks
|
89
|
+
-v, --version Show Brakeman version
|
90
|
+
--force-scan Scan application even if rails is not detected
|
91
|
+
-h, --help Display this message
|
92
|
+
</code>
|
93
|
+
</pre>
|
@@ -0,0 +1,145 @@
|
|
1
|
+
<h1>Brakeman</h1>
|
2
|
+
|
3
|
+
<h2>Output</h2>
|
4
|
+
|
5
|
+
<p>Run <code>brakeman</code> against this sample Rails 7 application</p>
|
6
|
+
|
7
|
+
<pre>
|
8
|
+
<code>brakeman
|
9
|
+
Loading scanner...
|
10
|
+
Processing application in /Users/davidcruwys/dev/kgems/rails_app_generator/a/addons/r7_brakeman
|
11
|
+
Processing gems...
|
12
|
+
[Notice] Detected Rails 7 application
|
13
|
+
Processing configuration...
|
14
|
+
[Notice] Escaping HTML by default
|
15
|
+
Parsing files...
|
16
|
+
Detecting file types...
|
17
|
+
Processing initializers...
|
18
|
+
Processing libs...
|
19
|
+
Processing routes...
|
20
|
+
Processing templates...
|
21
|
+
Processing data flow in templates...
|
22
|
+
Processing models...
|
23
|
+
Processing controllers...
|
24
|
+
Processing data flow in controllers...
|
25
|
+
Indexing call sites...
|
26
|
+
Running checks in parallel...
|
27
|
+
- CheckBasicAuth
|
28
|
+
- CheckBasicAuthTimingAttack
|
29
|
+
- CheckCrossSiteScripting
|
30
|
+
- CheckContentTag
|
31
|
+
- CheckCookieSerialization
|
32
|
+
- CheckCreateWith
|
33
|
+
- CheckCSRFTokenForgeryCVE
|
34
|
+
- CheckDefaultRoutes
|
35
|
+
- CheckDeserialize
|
36
|
+
- CheckDetailedExceptions
|
37
|
+
- CheckDigestDoS
|
38
|
+
- CheckDynamicFinders
|
39
|
+
- CheckEOLRails
|
40
|
+
- CheckEOLRuby
|
41
|
+
- CheckEscapeFunction
|
42
|
+
- CheckEvaluation
|
43
|
+
- CheckExecute
|
44
|
+
- CheckFileAccess
|
45
|
+
- CheckFileDisclosure
|
46
|
+
- CheckFilterSkipping
|
47
|
+
- CheckForgerySetting
|
48
|
+
- CheckHeaderDoS
|
49
|
+
- CheckI18nXSS
|
50
|
+
- CheckJRubyXML
|
51
|
+
- CheckJSONEncoding
|
52
|
+
- CheckJSONEntityEscape
|
53
|
+
- CheckJSONParsing
|
54
|
+
- CheckLinkTo
|
55
|
+
- CheckLinkToHref
|
56
|
+
- CheckMailTo
|
57
|
+
- CheckMassAssignment
|
58
|
+
- CheckMimeTypeDoS
|
59
|
+
- CheckModelAttrAccessible
|
60
|
+
- CheckModelAttributes
|
61
|
+
- CheckModelSerialize
|
62
|
+
- CheckNestedAttributes
|
63
|
+
- CheckNestedAttributesBypass
|
64
|
+
- CheckNumberToCurrency
|
65
|
+
- CheckPageCachingCVE
|
66
|
+
- CheckPermitAttributes
|
67
|
+
- CheckQuoteTableName
|
68
|
+
- CheckRedirect
|
69
|
+
- CheckRegexDoS
|
70
|
+
- CheckRender
|
71
|
+
- CheckRenderDoS
|
72
|
+
- CheckRenderInline
|
73
|
+
- CheckResponseSplitting
|
74
|
+
- CheckRouteDoS
|
75
|
+
- CheckSafeBufferManipulation
|
76
|
+
- CheckSanitizeConfigCve
|
77
|
+
- CheckSanitizeMethods
|
78
|
+
- CheckSelectTag
|
79
|
+
- CheckSelectVulnerability
|
80
|
+
- CheckSend
|
81
|
+
- CheckSendFile
|
82
|
+
- CheckSessionManipulation
|
83
|
+
- CheckSessionSettings
|
84
|
+
- CheckSimpleFormat
|
85
|
+
- CheckSingleQuotes
|
86
|
+
- CheckSkipBeforeFilter
|
87
|
+
- CheckSprocketsPathTraversal
|
88
|
+
- CheckSQL
|
89
|
+
- CheckSQLCVEs
|
90
|
+
- CheckSSLVerify
|
91
|
+
- CheckStripTags
|
92
|
+
- CheckSymbolDoSCVE
|
93
|
+
- CheckTemplateInjection
|
94
|
+
- CheckTranslateBug
|
95
|
+
- CheckUnsafeReflection
|
96
|
+
- CheckUnsafeReflectionMethods
|
97
|
+
- CheckValidationRegex
|
98
|
+
- CheckVerbConfusion
|
99
|
+
- CheckWithoutProtection
|
100
|
+
- CheckXMLDoS
|
101
|
+
- CheckYAMLParsing
|
102
|
+
Checks finished, collecting results...
|
103
|
+
Generating report...
|
104
|
+
|
105
|
+
== Brakeman Report ==
|
106
|
+
|
107
|
+
Application Path: /Users/davidcruwys/dev/kgems/rails_app_generator/a/addons/r7_brakeman
|
108
|
+
Rails Version: 7.0.3.1
|
109
|
+
Brakeman Version: 5.3.1
|
110
|
+
Scan Date: 2022-08-19 14:19:28 +1000
|
111
|
+
Duration: 0.228864 seconds
|
112
|
+
Checks Run: BasicAuth, BasicAuthTimingAttack, CSRFTokenForgeryCVE, ContentTag, CookieSerialization, CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, DynamicFinders, EOLRails, EOLRuby, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONEncoding, JSONEntityEscape, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, MimeTypeDoS, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NestedAttributesBypass, NumberToCurrency, PageCachingCVE, PermitAttributes, QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, RenderInline, ResponseSplitting, RouteDoS, SQL, SQLCVEs, SSLVerify, SafeBufferManipulation, SanitizeConfigCve, SanitizeMethods, SelectTag, SelectVulnerability, Send, SendFile, SessionManipulation, SessionSettings, SimpleFormat, SingleQuotes, SkipBeforeFilter, SprocketsPathTraversal, StripTags, SymbolDoSCVE, TemplateInjection, TranslateBug, UnsafeReflection, UnsafeReflectionMethods, ValidationRegex, VerbConfusion, WithoutProtection, XMLDoS, YAMLParsing
|
113
|
+
|
114
|
+
== Overview ==
|
115
|
+
|
116
|
+
Controllers: 3
|
117
|
+
Models: 2
|
118
|
+
Templates: 13
|
119
|
+
Errors: 0
|
120
|
+
Security Warnings: 2
|
121
|
+
|
122
|
+
== Warning Types ==
|
123
|
+
|
124
|
+
Dangerous Eval: 1
|
125
|
+
Dangerous Send: 1
|
126
|
+
|
127
|
+
== Warnings ==
|
128
|
+
|
129
|
+
Confidence: High
|
130
|
+
Category: Dangerous Eval
|
131
|
+
Check: Evaluation
|
132
|
+
Message: User input in eval
|
133
|
+
Code: eval("echo '#{(params[:message] or "hello world")}'")
|
134
|
+
File: app/controllers/posts_controller.rb
|
135
|
+
Line: 12
|
136
|
+
|
137
|
+
Confidence: High
|
138
|
+
Category: Dangerous Send
|
139
|
+
Check: Send
|
140
|
+
Message: User controlled method execution
|
141
|
+
Code: send((params[:xmen_or_avengers] or "xmen").to_sym)
|
142
|
+
File: app/controllers/home_controller.rb
|
143
|
+
Line: 4
|
144
|
+
</code>
|
145
|
+
</pre>
|
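Review bot: The pasted report at lines 10 and 107 embeds the author's local absolute path (`/Users/davidcruwys/dev/kgems/...`), which then ships in every generated app's output page; replace both with a neutral placeholder such as `/path/to/rails/root`. The `Line: 12` and `Line: 4` entries at lines 135 and 143 do match the eval and send lines in the two sample controllers of this release, so the page stays consistent only as long as those files are not reformatted — worth a short `<%# keep in sync with app/controllers/*_controller.rb %>` comment at the top.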
@@ -0,0 +1 @@
|
|
1
|
+
<hr />
|
@@ -0,0 +1,29 @@
|
|
1
|
+
<!DOCTYPE html>
|
2
|
+
<html>
|
3
|
+
<head>
|
4
|
+
<title><%= camelized %></title>
|
5
|
+
<meta name="viewport" content="width=device-width,initial-scale=1">
|
6
|
+
<%%= csrf_meta_tags %>
|
7
|
+
<%%= csp_meta_tag %>
|
8
|
+
|
9
|
+
<%- if options[:skip_hotwire] || options[:skip_javascript] -%>
|
10
|
+
<%%= stylesheet_link_tag "application" %>
|
11
|
+
<%- else -%>
|
12
|
+
<%%= stylesheet_link_tag "application", "data-turbo-track": "reload" %>
|
13
|
+
<%- end -%>
|
14
|
+
</head>
|
15
|
+
|
16
|
+
<body>
|
17
|
+
<header>
|
18
|
+
<%%= render 'layouts/navbar' %>
|
19
|
+
<hr />
|
20
|
+
</header>
|
21
|
+
<main>
|
22
|
+
<%%= yield %>
|
23
|
+
</main>
|
24
|
+
<footer>
|
25
|
+
<%%= render 'layouts/footer' %>
|
26
|
+
</footer>
|
27
|
+
</body>
|
28
|
+
</html>
|
29
|
+
|
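Review bot: The `else` branch at line 12 adds `"data-turbo-track": "reload"` to the stylesheet tag but the layout never includes a JavaScript tag, so with Hotwire enabled Turbo is never loaded and the attribute has no effect; Rails' own 7.x layout template emits `<%%= javascript_importmap_tags %>` in that branch, and the same line would belong here if the generated app is meant to have Turbo. If the omission is deliberate for a CSS-only demo, a one-line `<%# no JS: the Brakeman demo pages are static %>` comment would save the next reader the question.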
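--- a/data/after_templates/addons/brakeman/db/seeds.rb
+++ b/data/after_templates/addons/brakeman/db/seeds.rb
@@ -0,0 +1,7 @@
+# david = User.create(email: 'david@site.com', name: 'david', password: 'password')
+# james = User.create(email: 'james@site.com', name: 'james', password: 'password')
+# sally = User.create(email: 'sally@site.com', name: 'sally', password: 'password')
+
+# 10.times do |i|
+# Post.create(title: "Post #{i}", body: "This is the body of post #{i}", user: User.all.sample)
+# end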
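Review bot: Every line of this seed file is commented out, so the `db_seed` step in the brakeman addon's `_.rb` does nothing for this app; either drop that step or seed a few `Post` rows. The commented `Post.create(...)` at line 6 also passes `user:`, which the `post` scaffold (`title`, `body:text`) does not define, so uncommenting it as-is would fail.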
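--- a/data/after_templates/addons/rolify/_.rb
+++ b/data/after_templates/addons/rolify/_.rb
@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+# Role management library with resource scoping
+#
+# exe/rag addons/rolify
+#
+# source: https://youtu.be/URDKxGn0pxo
+# need to complete this profile by supporting resource level roles, go to 29 minutes on video
+# source: https://youtu.be/URDKxGn0pxo?t=1101
+
+self.local_template_path = File.dirname(__FILE__)
+
+gac 'base rails 7 image created'
+
+prepare_environment
+
+after_bundle do
+scaffolds
+setup_customizations
+setup_db
+end
+
+def scaffolds
+add_scaffold('post', 'title', 'body:text')
+end
+
+def setup_customizations
+route("root 'home#index'")
+route("get 'home/quick_sign_in/:user_id', to: 'home#quick_sign_in', as: 'quick_sign_in'")
+route("get 'rolify/:id', to: 'rolify#show', as: 'rolify'")
+route("get 'rolify/:id/edit', to: 'rolify#edit', as: 'edit_rolify'")
+route("patch 'rolify/:id', to: 'rolify#update'")
+
+force_copy
+
+add_controller('home', 'index', 'quick_sign_in', 'bossy_boots', 'use_in_moderation', 'use_me', 'super_hero')
+
+directory "app/controllers"
+directory "app/models"
+directory "app/views"
+template 'app/views/layouts/application.html.erb' , 'app/views/layouts/application.html.erb'
+end
+
+def setup_db
+template 'db/seeds.rb' , 'db/seeds.rb'
+
+db_migrate
+db_seed
+end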
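Review bot: The route at line 29 maps a session-changing action, `home#quick_sign_in`, to `get`; an action that signs the visitor in as another user should not be reachable through a plain link or a browser prefetch, so it belongs on `post` (the navbar link that triggers it would then need `button_to` or `data: { turbo_method: :post }`). Line 8 records that the profile is incomplete (resource-level roles); marking it `# TODO:` lets tooling pick it up. The `template 'a' , 'b'` calls at lines 41 and 45 carry a space before the comma, unlike the `route(...)` lines above them.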
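--- a/data/after_templates/addons/rolify/app/controllers/home_controller.rb
+++ b/data/after_templates/addons/rolify/app/controllers/home_controller.rb
@@ -0,0 +1,35 @@
+class HomeController < ApplicationController
+before_action :require_permission, except: %i[index quick_sign_in]
+
+def index
+end
+
+def quick_sign_in
+user = User.find(params[:user_id])
+sign_in(user)
+redirect_to root_path
+end
+
+def bossy_boots
+end
+
+def use_in_moderation
+end
+
+def use_me
+end
+
+def super_hero
+end
+
+def require_permission
+return if current_user&.is_super_user?
+return if current_user&.is_admin? && action_name == "bossy_boots"
+return if current_user&.is_moderator? && action_name == "use_in_moderation"
+return if current_user&.is_user? && action_name == "use_me"
+
+flash.alert = "You do not have permission to access #{action_name.titleize}"
+
+redirect_to root_path
+end
+end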
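Review bot: `quick_sign_in` at lines 7–11 signs the visitor in as whichever `User` id appears in the URL, with no authentication and explicitly excluded from `require_permission` at line 2, so the generated app ships an unauthenticated account-switch endpoint; if it is only a demo convenience it should be disabled outside development, e.g. `raise ActionController::RoutingError, 'Not Found' unless Rails.env.development?` as the method's first line, with a comment saying why. `require_permission` at line 25 is defined below the actions with no `private` marker, so Rails treats it as a public action method; move it under `private` as rolify_controller.rb does with its helpers. The `is_admin?`-style predicates at lines 26–29 appear to rely on rolify's dynamic shortcuts, which I believe are off by default — confirm the generated initializer enables them.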
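--- a/data/after_templates/addons/rolify/app/controllers/rolify_controller.rb
+++ b/data/after_templates/addons/rolify/app/controllers/rolify_controller.rb
@@ -0,0 +1,26 @@
+class RolifyController < ApplicationController
+before_action :set_user, only: %i[ show edit update ]
+
+def show
+end
+
+def edit
+end
+
+def update
+if @user.update(user_params)
+redirect_to root_path, notice: "User was successfully updated."
+else
+render :edit, status: :unprocessable_entity
+end
+end
+
+private
+def set_user
+@user = User.find(params[:id])
+end
+
+def user_params
+params.require(:user).permit(role_ids: [])
+end
+end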
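Review bot: `update` at lines 10–16 lets any request reassign a user's roles through `role_ids`, and neither this controller nor the `before_action` at line 2 checks that the requester is signed in or allowed to administer roles, so in the generated app an anonymous visitor can change anyone's roles, including granting `super_user`. A role-management endpoint needs at least `before_action :authenticate_user!` plus an authorization check against the current user's roles ahead of `set_user`; the `require_permission` pattern in home_controller.rb is the natural thing to mirror. `private` at line 18 is followed directly by `def set_user`, where the other files in this release leave a blank line.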
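--- a/data/after_templates/addons/rolify/app/models/user.rb
+++ b/data/after_templates/addons/rolify/app/models/user.rb
@@ -0,0 +1,25 @@
+class User < ApplicationRecord
+# Rolify needs to be called before assigning default role due to a bug in Rolify
+# see: https://github.com/RolifyCommunity/rolify/issues/518#issuecomment-1218705389
+rolify
+
+after_create :assign_default_role
+
+devise :database_authenticatable, :registerable, :recoverable, :rememberable, :validatable
+
+validate :must_have_role, on: :update
+
+def assign_default_role
+self.add_role(:user) if self.roles.blank?
+end
+
+def role_names
+roles.distinct.pluck(:name)
+end
+
+def must_have_role
+if self.roles.blank?
+errors.add(:roles, "User must have at least one role")
+end
+end
+end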
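Review bot: `assign_default_role` and `must_have_role` at lines 13 and 21 use an explicit `self.` receiver for `add_role` and `roles`, which Ruby does not need for method calls and reads; dropping it and collapsing `must_have_role` to `errors.add(:roles, "User must have at least one role") if roles.blank?` matches the guard-clause style used in home_controller.rb. `must_have_role` runs only `on: :update`, so a freshly created user is covered solely by the `after_create` callback at line 6; a one-line comment above line 10 stating that pairing would complement the ordering note at lines 2–3.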