rails_app_generator 0.2.30 → 0.2.31
- checksums.yaml +4 -4
- data/CHANGELOG.md +7 -0
- data/after_templates/addons/brakeman/_.rb +70 -0
- data/after_templates/addons/brakeman/app/controllers/home_controller.rb +16 -0
- data/after_templates/addons/brakeman/app/controllers/posts_controller.rb +65 -0
- data/after_templates/addons/brakeman/app/views/home/examples.html.erb +43 -0
- data/after_templates/addons/brakeman/app/views/home/index.html.erb +93 -0
- data/after_templates/addons/brakeman/app/views/home/output.html.erb +145 -0
- data/after_templates/addons/brakeman/app/views/layouts/_footer.html.erb +1 -0
- data/after_templates/addons/brakeman/app/views/layouts/_navbar.html.erb +4 -0
- data/after_templates/addons/brakeman/app/views/layouts/application.html.erb +29 -0
- data/after_templates/addons/brakeman/db/seeds.rb +7 -0
- data/docs/last_run/app_generator_class.json +8 -0
- data/docs/last_run/app_generator_data.json +7 -6
- data/docs/last_run/rails_options_class.json +8 -0
- data/docs/last_run/rails_options_data.json +7 -6
- data/lib/rails_app_generator/addons/brakeman.rb +1 -1
- data/lib/rails_app_generator/version.rb +1 -1
- data/package-lock.json +2 -2
- data/package.json +1 -1
- data/profiles/addons/brakeman.json +13 -0
- data/templates/thor_task/profile/profile.json.tt +1 -0
- metadata +12 -3
- data/28: +0 -0
- data/app:template +0 -0
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 15c23f59cc83f0c3dd3ff9cabeef80af80d2a14bd18d8d890dbb100640bab22a
|
4
|
+
data.tar.gz: 8acba70cf8a79185c8395f96762caa575968fb3521967ca4d1e80f282014d816
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 137bc8d24086e7914baf7f332c7a1ff6bf7db9845771b007e545e9882895c886a1379da9f97fd5156a07902bf849ca2bac720cc981843cabba032107e8588714
|
7
|
+
data.tar.gz: 8856d3e93f801687e6c9f3ec5a7581387c1109cfa224b3db479587527ec209ca09c2220b54a960ab29108c5fc6372aaad0c7eda71eed6761eaf876e51150f47d
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,10 @@
|
|
1
|
+
## [0.2.30](https://github.com/klueless-io/rails_app_generator/compare/v0.2.29...v0.2.30) (2022-08-19)
|
2
|
+
|
3
|
+
|
4
|
+
### Bug Fixes
|
5
|
+
|
6
|
+
* add brakeman addon ([1dcc1c2](https://github.com/klueless-io/rails_app_generator/commit/1dcc1c2b904d35f557daa688111baeaa0fa71495))
|
7
|
+
|
1
8
|
## [0.2.29](https://github.com/klueless-io/rails_app_generator/compare/v0.2.28...v0.2.29) (2022-08-19)
|
2
9
|
|
3
10
|
|
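--- a/data/after_templates/addons/brakeman/_.rb
+++ b/data/after_templates/addons/brakeman/_.rb
@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+# Description goes here
+#
+# exe/rag addons/brakeman
+
+self.local_template_path = File.dirname(__FILE__)
+
+gac 'base rails 7 image created'
+
+prepare_environment
+
+after_bundle do
+scaffolds
+setup_customizations
+setup_db
+end
+
+def scaffolds
+add_scaffold('post', 'title', 'body:text')
+# add_scaffold('people', 'first_name', 'last_name', 'age:integer', 'address:text')
+# add_scaffold('product', 'name', 'price:integer')
+end
+
+def setup_customizations
+route("root 'home#index'")
+
+force_copy
+
+add_controller('home', 'index', 'examples', 'output')
+
+directory "app/controllers"
+directory "app/models"
+directory "app/views"
+template 'app/views/layouts/application.html.erb' , 'app/views/layouts/application.html.erb'
+end
+
+def setup_db
+template 'db/seeds.rb' , 'db/seeds.rb'
+
+db_migrate
+db_seed
+end
+
+# Other template command examples
+# prepare_environment
+# bundle_install
+# css_install('tailwind')
+# rails_command('db:migrate')
+# rails_command('db:migrate')
+# bundle_add('hotwire-rails')
+# rails_command('hotwire:install')
+# run('bin/importmap pin sortablejs')
+# run('npm install daisyui')
+# rubocop
+#
+# directory 'app/assets/images'
+# create_file 'app/assets/stylesheets/custom-bootstrap-import.scss' , read_template('custom-bootstrap-import.scss')
+# append_to_file 'app/assets/config/manifest.js' , read_template('manifest.js')
+# insert_into_file 'app/views/layouts/application.html.erb', read_template('application.html.erb'),
+# before: %( <%= javascript_include_tag "application", "data-turbo-track": "reload", defer: true %>)
+# gsub_file 'app/views/layouts/application.html.erb', %(container mx-auto mt-28 px-5 flex), 'container mx-auto px-5'
+# template 'home.css', 'app/assets/stylesheets/home.css'
+#
+# add_controller('page', 'benefits', 'faq', 'terms', 'privacy', '--skip-routes')
+# route(<<-'RUBY')
+# PageController.action_methods.each do |action|
+# get "/#{action}", to: "page##{action}", as: "page_#{action}"
+# end
+# RUBY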
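Review bot: The file header at line 3 is still the generator placeholder `# Description goes here`, so nothing records that this addon deliberately generates a controller with `eval` on `params[:message]` and `send` on `params[:xmen_or_avengers]` so that a `brakeman` run shows two High-confidence warnings; replace it with a comment stating that purpose and that the generated app is a scanner demo rather than a starting point. `directory "app/models"` at line 33 has no matching source directory in this addon (the gem file list added in `metadata` has no `brakeman/app/models` entry), so it is presumably either a no-op or a missing-source error depending on how `directory` resolves it — remove the line or add the directory. The `template` calls at lines 35 and 39 put a space before the comma (`'app/views/layouts/application.html.erb' ,`), which RuboCop's Layout/SpaceBeforeComma flags; write `template 'db/seeds.rb', 'db/seeds.rb'`.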
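--- a/data/after_templates/addons/brakeman/app/controllers/home_controller.rb
+++ b/data/after_templates/addons/brakeman/app/controllers/home_controller.rb
@@ -0,0 +1,16 @@
+class HomeController < ApplicationController
+def index
+xmen_or_avengers = params[:xmen_or_avengers] || 'xmen'
+puts send(xmen_or_avengers.to_sym)
+end
+
+private
+
+def xmen
+'Wolverine'
+end
+
+def avengers
+'Captain America'
+end
+end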
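Review bot: `puts send(xmen_or_avengers.to_sym)` at line 4 is the intended Brakeman `Dangerous Send` finding, but unlike `posts_controller.rb`, which labels its `eval` with `# Dangerous Evaluation - ...`, nothing here says the call is deliberate, so a later cleanup could "fix" it and silently break the demo. Add a matching comment above `def index`, e.g. `# Dangerous Send - user input selects the method to call; left in on purpose so Brakeman's CheckSend fires`. If this action ever needs to stop being a demo, the safe shape is a frozen allow-list lookup (`HEROES = { 'xmen' => :xmen, 'avengers' => :avengers }.freeze` and `send(HEROES.fetch(xmen_or_avengers, :xmen))`), which also removes `to_sym` on request input. Note that `puts` writes to the server's stdout rather than the response; the action presumably falls through to rendering `index.html.erb`.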
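--- a/data/after_templates/addons/brakeman/app/controllers/posts_controller.rb
+++ b/data/after_templates/addons/brakeman/app/controllers/posts_controller.rb
@@ -0,0 +1,65 @@
+class PostsController < ApplicationController
+before_action :set_post, only: %i[ show edit update destroy ]
+
+def index
+@posts = Post.all
+end
+
+# Dangerous Evaluation - User input in an eval statement is VERY dangerous
+def show
+message = params[:message] || 'hello world'
+
+eval("echo '#{message}'")
+end
+
+def new
+@post = Post.new
+end
+
+def edit
+end
+
+def create
+@post = Post.new(post_params)
+
+respond_to do |format|
+if @post.save
+format.html { redirect_to post_url(@post), notice: "Post was successfully created." }
+format.json { render :show, status: :created, location: @post }
+else
+format.html { render :new, status: :unprocessable_entity }
+format.json { render json: @post.errors, status: :unprocessable_entity }
+end
+end
+end
+
+def update
+respond_to do |format|
+if @post.update(post_params)
+format.html { redirect_to post_url(@post), notice: "Post was successfully updated." }
+format.json { render :show, status: :ok, location: @post }
+else
+format.html { render :edit, status: :unprocessable_entity }
+format.json { render json: @post.errors, status: :unprocessable_entity }
+end
+end
+end
+
+def destroy
+@post.destroy
+
+respond_to do |format|
+format.html { redirect_to posts_url, notice: "Post was successfully destroyed." }
+format.json { head :no_content }
+end
+end
+
+private
+def set_post
+@post = Post.find(params[:id])
+end
+
+def post_params
+params.require(:post).permit(:title, :body)
+end
+end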
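Review bot: Besides being the intended Brakeman `Dangerous Eval` finding, `eval("echo '#{message}'")` at line 12 cannot succeed at runtime: the evaluated source `echo 'hello world'` is a call to a method `echo` that nothing in this controller defines, so every `GET /posts/:id` presumably ends in `NoMethodError`. The comment at line 8 should say so, e.g. `# Dangerous Evaluation - User input in an eval statement is VERY dangerous. Kept on purpose so Brakeman's CheckEvaluation fires; show always raises and this app must never be deployed.` The rest of the controller is the stock scaffold, and `post_params` correctly permits only `:title` and `:body`.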
@@ -0,0 +1,43 @@
|
|
1
|
+
<h1>Brakeman</h1>
|
2
|
+
|
3
|
+
<h2>Examples</h2>
|
4
|
+
|
5
|
+
<p>Run the brakeman command from the root of your rails application</p>
|
6
|
+
|
7
|
+
<pre><code>brakeman</code></pre>
|
8
|
+
|
9
|
+
<h2>Example code that fails analysis</h2>
|
10
|
+
|
11
|
+
<h3>Dangerous Evaluation - User input in an eval statement is VERY dangerous</h3>
|
12
|
+
|
13
|
+
<code>app/controllers/posts_controller.rb</code>
|
14
|
+
|
15
|
+
<pre><code> def show
|
16
|
+
message = params[:message] || 'hello world'
|
17
|
+
|
18
|
+
eval("echo '#{message}'")
|
19
|
+
end
|
20
|
+
</code></pre>
|
21
|
+
|
22
|
+
|
23
|
+
<h3>Dangerous Send - Using unfiltered user data to select a Class or Method to be dynamically sent is dangerous.</h3>
|
24
|
+
|
25
|
+
<code>app/controllers/home_controller.rb</code>
|
26
|
+
|
27
|
+
<pre><code>class HomeController < ApplicationController
|
28
|
+
def index
|
29
|
+
xmen_or_avengers = params[:xmen_or_avengers] || 'xmen'
|
30
|
+
puts send(xmen_or_avengers.to_sym)
|
31
|
+
end
|
32
|
+
|
33
|
+
private
|
34
|
+
|
35
|
+
def xmen
|
36
|
+
'Wolverine'
|
37
|
+
end
|
38
|
+
|
39
|
+
def avengers
|
40
|
+
'Captain America'
|
41
|
+
end
|
42
|
+
end
|
43
|
+
</code></pre>
|
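Review bot: Line 27 places a raw `<` in HTML text (`<pre><code>class HomeController < ApplicationController`); browsers recover because a space follows it, but it is invalid markup and any edit that removes the space turns the rest of the sample into a tag. Escape it as `class HomeController &lt; ApplicationController`. The `#{message}` on line 18 is safe as written: it sits in literal template text, which ERB does not interpolate.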
@@ -0,0 +1,93 @@
|
|
1
|
+
<h1>Brakeman</h1>
|
2
|
+
|
3
|
+
<h2>Usage</h2>
|
4
|
+
|
5
|
+
<p>Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications</p>
|
6
|
+
|
7
|
+
<pre>
|
8
|
+
<code>
|
9
|
+
Usage: brakeman [options] rails/root/path
|
10
|
+
-n, --no-threads Run checks and file parsing sequentially
|
11
|
+
--[no-]progress Show progress reports
|
12
|
+
-p, --path PATH Specify path to Rails application
|
13
|
+
-q, --[no-]quiet Suppress informational messages
|
14
|
+
-z, --[no-]exit-on-warn Exit code is non-zero if warnings found (Default)
|
15
|
+
--[no-]exit-on-error Exit code is non-zero if errors raised (Default)
|
16
|
+
--ensure-latest Fail when Brakeman is outdated
|
17
|
+
--ensure-ignore-notes Fail when an ignored warnings does not include a note
|
18
|
+
-3, --rails3 Force Rails 3 mode
|
19
|
+
-4, --rails4 Force Rails 4 mode
|
20
|
+
-5, --rails5 Force Rails 5 mode
|
21
|
+
-6, --rails6 Force Rails 6 mode
|
22
|
+
-7, --rails7 Force Rails 7 mode
|
23
|
+
|
24
|
+
Scanning options:
|
25
|
+
-A, --run-all-checks Run all default and optional checks
|
26
|
+
-a, --[no-]assume-routes Assume all controller methods are actions (Default)
|
27
|
+
-e, --escape-html Escape HTML by default
|
28
|
+
--faster Faster, but less accurate scan
|
29
|
+
--ignore-model-output Consider model attributes XSS-safe
|
30
|
+
--ignore-protected Consider models with attr_protected safe
|
31
|
+
--[no-]index-libs Add libraries to call index (Default)
|
32
|
+
--interprocedural Process method calls to known methods
|
33
|
+
--no-branching Disable flow sensitivity on conditionals
|
34
|
+
--branch-limit LIMIT Limit depth of values in branches (-1 for no limit)
|
35
|
+
--parser-timeout SECONDS Set parse timeout (Default: 10)
|
36
|
+
-r, --report-direct Only report direct use of untrusted data
|
37
|
+
-s meth1,meth2,etc, Set methods as safe for unescaped output in views
|
38
|
+
--safe-methods
|
39
|
+
--sql-safe-methods meth1,meth2,etc
|
40
|
+
Do not warn of SQL if the input is wrapped in a safe method
|
41
|
+
--url-safe-methods method1,method2,etc
|
42
|
+
Do not warn of XSS if the link_to href parameter is wrapped in a safe method
|
43
|
+
--skip-files file1,path2,etc Skip processing of these files/directories. Directories are application relative and must end in "/"
|
44
|
+
--only-files file1,path2,etc Process only these files/directories. Directories are application relative and must end in "/"
|
45
|
+
--[no-]skip-vendor Skip processing vendor directory (Default)
|
46
|
+
--skip-libs Skip processing lib directory
|
47
|
+
--add-libs-path path1,path2,etc
|
48
|
+
An application relative lib directory (ex. app/mailers) to process
|
49
|
+
--add-engines-path path1,path2,etc
|
50
|
+
Include these engines in the scan
|
51
|
+
-E, --enable Check1,Check2,etc Enable the specified checks
|
52
|
+
-t, --test Check1,Check2,etc Only run the specified checks
|
53
|
+
-x, --except Check1,Check2,etc Skip the specified checks
|
54
|
+
--add-checks-path path1,path2,etc
|
55
|
+
A directory containing additional out-of-tree checks to run
|
56
|
+
|
57
|
+
Output options:
|
58
|
+
-d, --debug Lots of output
|
59
|
+
-f, --format TYPE Specify output formats. Default is text
|
60
|
+
--css-file CSSFile Specify CSS to use for HTML output
|
61
|
+
-i, --ignore-config IGNOREFILE Use configuration to ignore warnings
|
62
|
+
-I, --interactive-ignore Interactively ignore warnings
|
63
|
+
-l, --[no-]combine-locations Combine warning locations (Default)
|
64
|
+
--[no-]highlights Highlight user input in report
|
65
|
+
--[no-]color Use ANSI colors in report (Default)
|
66
|
+
-m, --routes Report controller information
|
67
|
+
--message-limit LENGTH Limit message length in HTML report
|
68
|
+
--[no-]pager Use pager for output to terminal (Default)
|
69
|
+
--table-width WIDTH Limit table width in text report
|
70
|
+
-o, --output FILE Specify files for output. Defaults to stdout. Multiple '-o's allowed
|
71
|
+
--[no-]separate-models Warn on each model without attr_accessible (Default)
|
72
|
+
--[no-]summary Only output summary of warnings
|
73
|
+
--absolute-paths Output absolute file paths in reports
|
74
|
+
--github-repo USER/REPO[/PATH][@REF]
|
75
|
+
Output links to GitHub in markdown and HTML reports using specified repo
|
76
|
+
--text-fields field1,field2,etc.
|
77
|
+
Specify fields for text report format
|
78
|
+
-w, --confidence-level LEVEL Set minimal confidence level (1 - 3)
|
79
|
+
--compare FILE Compare the results of a previous Brakeman scan (only JSON is supported)
|
80
|
+
|
81
|
+
Configuration files:
|
82
|
+
-c, --config-file FILE Use specified configuration file
|
83
|
+
-C, --create-config [FILE] Output configuration file based on options
|
84
|
+
--allow-check-paths-in-config
|
85
|
+
Allow loading checks from configuration file (Unsafe)
|
86
|
+
|
87
|
+
-k, --checks List all available vulnerability checks
|
88
|
+
--optional-checks List optional checks
|
89
|
+
-v, --version Show Brakeman version
|
90
|
+
--force-scan Scan application even if rails is not detected
|
91
|
+
-h, --help Display this message
|
92
|
+
</code>
|
93
|
+
</pre>
|
@@ -0,0 +1,145 @@
|
|
1
|
+
<h1>Brakeman</h1>
|
2
|
+
|
3
|
+
<h2>Output</h2>
|
4
|
+
|
5
|
+
<p>Run <code>brakeman</code> against this sample Rails 7 application</p>
|
6
|
+
|
7
|
+
<pre>
|
8
|
+
<code>brakeman
|
9
|
+
Loading scanner...
|
10
|
+
Processing application in /Users/davidcruwys/dev/kgems/rails_app_generator/a/addons/r7_brakeman
|
11
|
+
Processing gems...
|
12
|
+
[Notice] Detected Rails 7 application
|
13
|
+
Processing configuration...
|
14
|
+
[Notice] Escaping HTML by default
|
15
|
+
Parsing files...
|
16
|
+
Detecting file types...
|
17
|
+
Processing initializers...
|
18
|
+
Processing libs...
|
19
|
+
Processing routes...
|
20
|
+
Processing templates...
|
21
|
+
Processing data flow in templates...
|
22
|
+
Processing models...
|
23
|
+
Processing controllers...
|
24
|
+
Processing data flow in controllers...
|
25
|
+
Indexing call sites...
|
26
|
+
Running checks in parallel...
|
27
|
+
- CheckBasicAuth
|
28
|
+
- CheckBasicAuthTimingAttack
|
29
|
+
- CheckCrossSiteScripting
|
30
|
+
- CheckContentTag
|
31
|
+
- CheckCookieSerialization
|
32
|
+
- CheckCreateWith
|
33
|
+
- CheckCSRFTokenForgeryCVE
|
34
|
+
- CheckDefaultRoutes
|
35
|
+
- CheckDeserialize
|
36
|
+
- CheckDetailedExceptions
|
37
|
+
- CheckDigestDoS
|
38
|
+
- CheckDynamicFinders
|
39
|
+
- CheckEOLRails
|
40
|
+
- CheckEOLRuby
|
41
|
+
- CheckEscapeFunction
|
42
|
+
- CheckEvaluation
|
43
|
+
- CheckExecute
|
44
|
+
- CheckFileAccess
|
45
|
+
- CheckFileDisclosure
|
46
|
+
- CheckFilterSkipping
|
47
|
+
- CheckForgerySetting
|
48
|
+
- CheckHeaderDoS
|
49
|
+
- CheckI18nXSS
|
50
|
+
- CheckJRubyXML
|
51
|
+
- CheckJSONEncoding
|
52
|
+
- CheckJSONEntityEscape
|
53
|
+
- CheckJSONParsing
|
54
|
+
- CheckLinkTo
|
55
|
+
- CheckLinkToHref
|
56
|
+
- CheckMailTo
|
57
|
+
- CheckMassAssignment
|
58
|
+
- CheckMimeTypeDoS
|
59
|
+
- CheckModelAttrAccessible
|
60
|
+
- CheckModelAttributes
|
61
|
+
- CheckModelSerialize
|
62
|
+
- CheckNestedAttributes
|
63
|
+
- CheckNestedAttributesBypass
|
64
|
+
- CheckNumberToCurrency
|
65
|
+
- CheckPageCachingCVE
|
66
|
+
- CheckPermitAttributes
|
67
|
+
- CheckQuoteTableName
|
68
|
+
- CheckRedirect
|
69
|
+
- CheckRegexDoS
|
70
|
+
- CheckRender
|
71
|
+
- CheckRenderDoS
|
72
|
+
- CheckRenderInline
|
73
|
+
- CheckResponseSplitting
|
74
|
+
- CheckRouteDoS
|
75
|
+
- CheckSafeBufferManipulation
|
76
|
+
- CheckSanitizeConfigCve
|
77
|
+
- CheckSanitizeMethods
|
78
|
+
- CheckSelectTag
|
79
|
+
- CheckSelectVulnerability
|
80
|
+
- CheckSend
|
81
|
+
- CheckSendFile
|
82
|
+
- CheckSessionManipulation
|
83
|
+
- CheckSessionSettings
|
84
|
+
- CheckSimpleFormat
|
85
|
+
- CheckSingleQuotes
|
86
|
+
- CheckSkipBeforeFilter
|
87
|
+
- CheckSprocketsPathTraversal
|
88
|
+
- CheckSQL
|
89
|
+
- CheckSQLCVEs
|
90
|
+
- CheckSSLVerify
|
91
|
+
- CheckStripTags
|
92
|
+
- CheckSymbolDoSCVE
|
93
|
+
- CheckTemplateInjection
|
94
|
+
- CheckTranslateBug
|
95
|
+
- CheckUnsafeReflection
|
96
|
+
- CheckUnsafeReflectionMethods
|
97
|
+
- CheckValidationRegex
|
98
|
+
- CheckVerbConfusion
|
99
|
+
- CheckWithoutProtection
|
100
|
+
- CheckXMLDoS
|
101
|
+
- CheckYAMLParsing
|
102
|
+
Checks finished, collecting results...
|
103
|
+
Generating report...
|
104
|
+
|
105
|
+
== Brakeman Report ==
|
106
|
+
|
107
|
+
Application Path: /Users/davidcruwys/dev/kgems/rails_app_generator/a/addons/r7_brakeman
|
108
|
+
Rails Version: 7.0.3.1
|
109
|
+
Brakeman Version: 5.3.1
|
110
|
+
Scan Date: 2022-08-19 14:19:28 +1000
|
111
|
+
Duration: 0.228864 seconds
|
112
|
+
Checks Run: BasicAuth, BasicAuthTimingAttack, CSRFTokenForgeryCVE, ContentTag, CookieSerialization, CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, DynamicFinders, EOLRails, EOLRuby, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONEncoding, JSONEntityEscape, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, MimeTypeDoS, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NestedAttributesBypass, NumberToCurrency, PageCachingCVE, PermitAttributes, QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, RenderInline, ResponseSplitting, RouteDoS, SQL, SQLCVEs, SSLVerify, SafeBufferManipulation, SanitizeConfigCve, SanitizeMethods, SelectTag, SelectVulnerability, Send, SendFile, SessionManipulation, SessionSettings, SimpleFormat, SingleQuotes, SkipBeforeFilter, SprocketsPathTraversal, StripTags, SymbolDoSCVE, TemplateInjection, TranslateBug, UnsafeReflection, UnsafeReflectionMethods, ValidationRegex, VerbConfusion, WithoutProtection, XMLDoS, YAMLParsing
|
113
|
+
|
114
|
+
== Overview ==
|
115
|
+
|
116
|
+
Controllers: 3
|
117
|
+
Models: 2
|
118
|
+
Templates: 13
|
119
|
+
Errors: 0
|
120
|
+
Security Warnings: 2
|
121
|
+
|
122
|
+
== Warning Types ==
|
123
|
+
|
124
|
+
Dangerous Eval: 1
|
125
|
+
Dangerous Send: 1
|
126
|
+
|
127
|
+
== Warnings ==
|
128
|
+
|
129
|
+
Confidence: High
|
130
|
+
Category: Dangerous Eval
|
131
|
+
Check: Evaluation
|
132
|
+
Message: User input in eval
|
133
|
+
Code: eval("echo '#{(params[:message] or "hello world")}'")
|
134
|
+
File: app/controllers/posts_controller.rb
|
135
|
+
Line: 12
|
136
|
+
|
137
|
+
Confidence: High
|
138
|
+
Category: Dangerous Send
|
139
|
+
Check: Send
|
140
|
+
Message: User controlled method execution
|
141
|
+
Code: send((params[:xmen_or_avengers] or "xmen").to_sym)
|
142
|
+
File: app/controllers/home_controller.rb
|
143
|
+
Line: 4
|
144
|
+
</code>
|
145
|
+
</pre>
|
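Review bot: Lines 10 and 107 embed the author's workstation path `/Users/davidcruwys/dev/kgems/rails_app_generator/a/addons/r7_brakeman`, and this view is copied into every generated app. Replace both with a neutral placeholder, `Processing application in /path/to/app` and `Application Path: /path/to/app`. `Scan Date` and `Duration` (lines 110–111) are equally run-specific and could be trimmed, though they leak nothing.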
@@ -0,0 +1 @@
|
|
1
|
+
<hr />
|
@@ -0,0 +1,29 @@
|
|
1
|
+
<!DOCTYPE html>
|
2
|
+
<html>
|
3
|
+
<head>
|
4
|
+
<title><%= camelized %></title>
|
5
|
+
<meta name="viewport" content="width=device-width,initial-scale=1">
|
6
|
+
<%%= csrf_meta_tags %>
|
7
|
+
<%%= csp_meta_tag %>
|
8
|
+
|
9
|
+
<%- if options[:skip_hotwire] || options[:skip_javascript] -%>
|
10
|
+
<%%= stylesheet_link_tag "application" %>
|
11
|
+
<%- else -%>
|
12
|
+
<%%= stylesheet_link_tag "application", "data-turbo-track": "reload" %>
|
13
|
+
<%- end -%>
|
14
|
+
</head>
|
15
|
+
|
16
|
+
<body>
|
17
|
+
<header>
|
18
|
+
<%%= render 'layouts/navbar' %>
|
19
|
+
<hr />
|
20
|
+
</header>
|
21
|
+
<main>
|
22
|
+
<%%= yield %>
|
23
|
+
</main>
|
24
|
+
<footer>
|
25
|
+
<%%= render 'layouts/footer' %>
|
26
|
+
</footer>
|
27
|
+
</body>
|
28
|
+
</html>
|
29
|
+
|
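Review bot: The `else` branch at line 12 emits only the stylesheet tag, whereas the Rails 7 layout template also emits `<%%= javascript_importmap_tags %>` there, and the profile data in this commit sets `"javascript": "importmap"`, so the generated app presumably ships importmap configuration that is never loaded. Either add `<%%= javascript_importmap_tags %>` after line 12 or put an ERB comment above the branch stating that JavaScript is intentionally omitted for the scanner demo. The `csrf_meta_tags` and `csp_meta_tag` lines are correctly preserved.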
@@ -0,0 +1,7 @@
|
|
1
|
+
# david = User.create(email: 'david@site.com', name: 'david', password: 'password')
|
2
|
+
# james = User.create(email: 'james@site.com', name: 'james', password: 'password')
|
3
|
+
# sally = User.create(email: 'sally@site.com', name: 'sally', password: 'password')
|
4
|
+
|
5
|
+
# 10.times do |i|
|
6
|
+
# Post.create(title: "Post #{i}", body: "This is the body of post #{i}", user: User.all.sample)
|
7
|
+
# end
|
@@ -45,6 +45,7 @@
|
|
45
45
|
"add_annotate",
|
46
46
|
"add_avo",
|
47
47
|
"add_bcrypt",
|
48
|
+
"add_brakeman",
|
48
49
|
"add_browser",
|
49
50
|
"add_chartkick",
|
50
51
|
"add_devise",
|
@@ -385,6 +386,13 @@
|
|
385
386
|
"default": false,
|
386
387
|
"required": false
|
387
388
|
},
|
389
|
+
{
|
390
|
+
"name": "add_brakeman",
|
391
|
+
"description": "Indicates when to generate add brakeman",
|
392
|
+
"type": "boolean",
|
393
|
+
"default": false,
|
394
|
+
"required": false
|
395
|
+
},
|
388
396
|
{
|
389
397
|
"name": "add_browser",
|
390
398
|
"description": "Indicates when to generate add browser",
|
@@ -26,21 +26,22 @@
|
|
26
26
|
"main": false,
|
27
27
|
"no_rc": false,
|
28
28
|
"api": false,
|
29
|
-
"javascript": "
|
29
|
+
"javascript": "importmap",
|
30
30
|
"skip_bundle": false,
|
31
31
|
"note": "",
|
32
32
|
"test": "rspec",
|
33
33
|
"add_acts_as_list": false,
|
34
34
|
"add_administrate": false,
|
35
|
-
"add_annotate":
|
35
|
+
"add_annotate": false,
|
36
36
|
"add_avo": false,
|
37
37
|
"add_bcrypt": false,
|
38
|
+
"add_brakeman": true,
|
38
39
|
"add_browser": false,
|
39
40
|
"add_chartkick": false,
|
40
|
-
"add_devise":
|
41
|
+
"add_devise": false,
|
41
42
|
"add_devise_masquerade": false,
|
42
43
|
"add_dotenv": false,
|
43
|
-
"add_faker":
|
44
|
+
"add_faker": false,
|
44
45
|
"add_groupdate": false,
|
45
46
|
"add_hexapdf": false,
|
46
47
|
"add_httparty": false,
|
@@ -55,9 +56,9 @@
|
|
55
56
|
"add_public_suffix": false,
|
56
57
|
"add_rails_html_sanitizer": false,
|
57
58
|
"add_redcarpet": false,
|
58
|
-
"add_rolify":
|
59
|
+
"add_rolify": false,
|
59
60
|
"add_rubocop": false,
|
60
61
|
"add_twilio_ruby": false,
|
61
|
-
"template": "/Users/davidcruwys/dev/kgems/rails_app_generator/after_templates/addons/
|
62
|
+
"template": "/Users/davidcruwys/dev/kgems/rails_app_generator/after_templates/addons/brakeman/_.rb"
|
62
63
|
}
|
63
64
|
}
|
@@ -45,6 +45,7 @@
|
|
45
45
|
"add_annotate",
|
46
46
|
"add_avo",
|
47
47
|
"add_bcrypt",
|
48
|
+
"add_brakeman",
|
48
49
|
"add_browser",
|
49
50
|
"add_chartkick",
|
50
51
|
"add_devise",
|
@@ -385,6 +386,13 @@
|
|
385
386
|
"default": false,
|
386
387
|
"required": false
|
387
388
|
},
|
389
|
+
{
|
390
|
+
"name": "add_brakeman",
|
391
|
+
"description": "",
|
392
|
+
"type": "boolean",
|
393
|
+
"default": false,
|
394
|
+
"required": false
|
395
|
+
},
|
388
396
|
{
|
389
397
|
"name": "add_browser",
|
390
398
|
"description": "",
|
@@ -7,7 +7,7 @@
|
|
7
7
|
"quiet": false,
|
8
8
|
"skip": false,
|
9
9
|
"ruby": "/Users/davidcruwys/.asdf/installs/ruby/2.7.6/bin/ruby",
|
10
|
-
"template": "/Users/davidcruwys/dev/kgems/rails_app_generator/after_templates/addons/
|
10
|
+
"template": "/Users/davidcruwys/dev/kgems/rails_app_generator/after_templates/addons/brakeman/_.rb",
|
11
11
|
"database": "sqlite3",
|
12
12
|
"skip_git": true,
|
13
13
|
"skip_keeps": false,
|
@@ -35,22 +35,23 @@
|
|
35
35
|
"version": false,
|
36
36
|
"api": false,
|
37
37
|
"minimal": false,
|
38
|
-
"javascript": "
|
38
|
+
"javascript": "importmap",
|
39
39
|
"css": "",
|
40
40
|
"skip_bundle": false,
|
41
41
|
"note": "",
|
42
42
|
"test": "rspec",
|
43
43
|
"add_acts_as_list": false,
|
44
44
|
"add_administrate": false,
|
45
|
-
"add_annotate":
|
45
|
+
"add_annotate": false,
|
46
46
|
"add_avo": false,
|
47
47
|
"add_bcrypt": false,
|
48
|
+
"add_brakeman": true,
|
48
49
|
"add_browser": false,
|
49
50
|
"add_chartkick": false,
|
50
|
-
"add_devise":
|
51
|
+
"add_devise": false,
|
51
52
|
"add_devise_masquerade": false,
|
52
53
|
"add_dotenv": false,
|
53
|
-
"add_faker":
|
54
|
+
"add_faker": false,
|
54
55
|
"add_groupdate": false,
|
55
56
|
"add_hexapdf": false,
|
56
57
|
"add_httparty": false,
|
@@ -65,7 +66,7 @@
|
|
65
66
|
"add_public_suffix": false,
|
66
67
|
"add_rails_html_sanitizer": false,
|
67
68
|
"add_redcarpet": false,
|
68
|
-
"add_rolify":
|
69
|
+
"add_rolify": false,
|
69
70
|
"add_rubocop": false,
|
70
71
|
"add_twilio_ruby": false
|
71
72
|
}
|
@@ -5,7 +5,7 @@ module RailsAppGenerator
|
|
5
5
|
module AddOns
|
6
6
|
# Add Brakeman to rails application
|
7
7
|
class Brakeman < RailsAppGenerator::Addon
|
8
|
-
required_gem gem.version('brakeman', '5.3.1', 'Brakeman is a
|
8
|
+
required_gem gem.version('brakeman', '5.3.1', 'Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications')
|
9
9
|
|
10
10
|
def apply; end
|
11
11
|
end
|
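Review bot: `required_gem gem.version('brakeman', '5.3.1', ...)` at line 8 names no gem group, so unless `required_gem` defaults differently (the Addon base class is outside this hunk) Brakeman lands in the default bundle group and is installed and loaded in production even though it is a development-time scanner; Brakeman's own install guidance is `gem "brakeman", require: false` inside `group :development`. If the addon API accepts a group or `require:` option, pass it here; otherwise record the limitation in the class comment, e.g. `# Add Brakeman to rails application (NOTE: added to the default gem group; move to :development once Addon supports groups)`. If `'5.3.1'` is an exact pin, it matches the sample report in output.html.erb but will age quickly for a scanner; `~> 5.3` would track fixes. The enclosing `module AddOns` continues outside the hunk.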
data/package-lock.json
CHANGED
@@ -1,12 +1,12 @@
|
|
1
1
|
{
|
2
2
|
"name": "rails_app_generator",
|
3
|
-
"version": "0.2.
|
3
|
+
"version": "0.2.31",
|
4
4
|
"lockfileVersion": 2,
|
5
5
|
"requires": true,
|
6
6
|
"packages": {
|
7
7
|
"": {
|
8
8
|
"name": "rails_app_generator",
|
9
|
-
"version": "0.2.
|
9
|
+
"version": "0.2.31",
|
10
10
|
"dependencies": {
|
11
11
|
"daisyui": "^2.20.0"
|
12
12
|
},
|
data/package.json
CHANGED
@@ -0,0 +1,13 @@
|
|
1
|
+
{
|
2
|
+
"args": {
|
3
|
+
"app_path": "r7_brakeman",
|
4
|
+
"destination_root": "/Users/davidcruwys/dev/kgems/rails_app_generator/a/addons"
|
5
|
+
},
|
6
|
+
"opts": {
|
7
|
+
"skip_git": true,
|
8
|
+
"skip_test": true,
|
9
|
+
"add_minimal_css": true,
|
10
|
+
"template": "/Users/davidcruwys/dev/kgems/rails_app_generator/after_templates/addons/brakeman/_.rb",
|
11
|
+
"add_brakeman": true
|
12
|
+
}
|
13
|
+
}
|
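Review bot: The hunk under the `data/package.json` header is, by its content (`"app_path": "r7_brakeman"`, `"add_brakeman": true`), the new `profiles/addons/brakeman.json`, and it hard-codes author-workstation absolute paths for `destination_root` (line 4) and `template` (line 10), so the profile presumably only works on that machine. Prefer a gem-root-relative path for `template` and a placeholder such as `/path/to/output` for `destination_root`, or document in the README that files under `profiles/` are author-local scratch configs. The sibling `rails_options_data.json` and `app_generator_data.json` hunks carry the same paths but are generated snapshots.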
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rails_app_generator
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.2.
|
4
|
+
version: 0.2.31
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- David Cruwys
|
@@ -166,7 +166,6 @@ files:
|
|
166
166
|
- ".rspec"
|
167
167
|
- ".rubocop.yml"
|
168
168
|
- ".vscode/settings.json"
|
169
|
-
- '28:'
|
170
169
|
- CHANGELOG.md
|
171
170
|
- CODE_OF_CONDUCT.md
|
172
171
|
- Gemfile
|
@@ -224,6 +223,16 @@ files:
|
|
224
223
|
- after_templates/addons/bcrypt/app/views/users/_form.html.erb
|
225
224
|
- after_templates/addons/bcrypt/app/views/users/_user.html.erb
|
226
225
|
- after_templates/addons/bcrypt/db/seeds.rb
|
226
|
+
- after_templates/addons/brakeman/_.rb
|
227
|
+
- after_templates/addons/brakeman/app/controllers/home_controller.rb
|
228
|
+
- after_templates/addons/brakeman/app/controllers/posts_controller.rb
|
229
|
+
- after_templates/addons/brakeman/app/views/home/examples.html.erb
|
230
|
+
- after_templates/addons/brakeman/app/views/home/index.html.erb
|
231
|
+
- after_templates/addons/brakeman/app/views/home/output.html.erb
|
232
|
+
- after_templates/addons/brakeman/app/views/layouts/_footer.html.erb
|
233
|
+
- after_templates/addons/brakeman/app/views/layouts/_navbar.html.erb
|
234
|
+
- after_templates/addons/brakeman/app/views/layouts/application.html.erb
|
235
|
+
- after_templates/addons/brakeman/db/seeds.rb
|
227
236
|
- after_templates/addons/browser/_.rb
|
228
237
|
- after_templates/addons/browser/app/controllers/home_controller.rb
|
229
238
|
- after_templates/addons/browser/app/views/home/index.html.erb
|
@@ -568,7 +577,6 @@ files:
|
|
568
577
|
- after_templates/rag/testy/app/views/layouts/_navbar.html.erb
|
569
578
|
- after_templates/rag/testy/app/views/layouts/application.html.erb
|
570
579
|
- after_templates/rag/testy/db/seeds.rb
|
571
|
-
- app:template
|
572
580
|
- bin/console
|
573
581
|
- bin/setup
|
574
582
|
- docs/images/tailwind.png
|
@@ -677,6 +685,7 @@ files:
|
|
677
685
|
- profiles/addons/annotate.json
|
678
686
|
- profiles/addons/avo.json
|
679
687
|
- profiles/addons/bcrypt.json
|
688
|
+
- profiles/addons/brakeman.json
|
680
689
|
- profiles/addons/browser.json
|
681
690
|
- profiles/addons/chartkick.json
|
682
691
|
- profiles/addons/devise.json
|
data/28:
DELETED
File without changes
|
data/app:template
DELETED
File without changes
|