spektr 0.3.3 → 0.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.gitignore +1 -0
- data/CHANGELOG.md +11 -0
- data/lib/spektr/checks/base.rb +2 -2
- data/lib/spektr/checks/content_tag_xss.rb +1 -0
- data/lib/spektr/processors/base.rb +21 -14
- data/lib/spektr/targets/base.rb +2 -2
- data/lib/spektr/version.rb +1 -1
- data/lib/spektr.rb +1 -2
- data/spektr.gemspec +4 -5
- metadata +14 -27
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 36b0bd72a136d6af28c36ef6c14943fadeb061271abfc152d442754ad2356d0e
|
|
4
|
+
data.tar.gz: a85bb727b8457e55338b842b483cbddd18fe2596412168d7aa9eeef788c403a1
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 2d8342a2567d22c458cb9316fa6643de595422ae7e3a30d002181de2f2436a8d08c493dedb783aa1d3b8df93d3ab555b7797e427b067c00fcb38191562f62662
|
|
7
|
+
data.tar.gz: 8fc8196c6cf809b44691b88ab7a1b856102d7cba7062b97474beaf97c465d02134721478484127f0b260a1fe1b1bdbaf7497cb29227211974af9a1ecff5cab2d
|
data/.gitignore
CHANGED
data/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,17 @@
|
|
|
2
2
|
|
|
3
3
|
## Unreleased
|
|
4
4
|
|
|
5
|
+
## 0.4.0
|
|
6
|
+
|
|
7
|
+
* make XSS check work without a Rails version
|
|
8
|
+
* change parent class extraction to support Structs
|
|
9
|
+
* fix parsing errors
|
|
10
|
+
|
|
11
|
+
## 0.3.4
|
|
12
|
+
|
|
13
|
+
* Relax dependencies, to help with using spektr as a gem
|
|
14
|
+
* Fix executable
|
|
15
|
+
|
|
5
16
|
## 0.3.3
|
|
6
17
|
|
|
7
18
|
* Remove hard dependency of haml 5
|
data/lib/spektr/checks/base.rb
CHANGED
|
@@ -88,7 +88,7 @@ module Spektr
|
|
|
88
88
|
next unless child.is_a?(Parser::AST::Node)
|
|
89
89
|
return true if user_input?(child.type, child.children.last, child)
|
|
90
90
|
end
|
|
91
|
-
when :block, :pair, :hash, :if
|
|
91
|
+
when :block, :pair, :hash, :array, :if, :or
|
|
92
92
|
ast.children.each do |child|
|
|
93
93
|
next unless child.is_a?(Parser::AST::Node)
|
|
94
94
|
return true if user_input?(child.type, child.children.last, child)
|
|
@@ -125,7 +125,7 @@ module Spektr
|
|
|
125
125
|
return true if _send.receiver && model_names.include?(_send.receiver.name)
|
|
126
126
|
when :const
|
|
127
127
|
return true if model_names.include? item.name
|
|
128
|
-
when :block, :pair, :hash, :if
|
|
128
|
+
when :block, :pair, :hash, :array, :if, :or
|
|
129
129
|
item.children.each do |child|
|
|
130
130
|
next unless child.is_a?(Parser::AST::Node)
|
|
131
131
|
return true if model_attribute?(child)
|
|
@@ -16,13 +16,25 @@ module Spektr::Processors
|
|
|
16
16
|
end
|
|
17
17
|
|
|
18
18
|
def parent_name
|
|
19
|
-
|
|
20
|
-
|
|
19
|
+
parent_parts.join('::')
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
def parent_parts
|
|
23
|
+
result = @parent_parts.dup
|
|
24
|
+
result.pop if part_matches_self?(result.last.to_s)
|
|
25
|
+
result
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
def part_matches_self?(part)
|
|
29
|
+
(part == name || part_with_module(part) == name)
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
def part_with_module(part)
|
|
33
|
+
(@parent_modules | [part]).join('::')
|
|
21
34
|
end
|
|
22
35
|
|
|
23
36
|
def parent_name_with_modules
|
|
24
|
-
parts = @parent_modules |
|
|
25
|
-
parts.shift if parts.first.to_s == name
|
|
37
|
+
parts = @parent_modules | parent_parts
|
|
26
38
|
parts.join('::')
|
|
27
39
|
end
|
|
28
40
|
|
|
@@ -39,17 +51,12 @@ module Spektr::Processors
|
|
|
39
51
|
end
|
|
40
52
|
|
|
41
53
|
def extract_parent_parts(node)
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
elsif child.is_a? Symbol
|
|
48
|
-
@parent_parts << child.to_s
|
|
49
|
-
end
|
|
54
|
+
return unless node.is_a?(Parser::AST::Node) && %i[ module class const send].include?(node.type)
|
|
55
|
+
@parent_parts.prepend(node.children.last) if node.type == :const
|
|
56
|
+
if node.children.any?
|
|
57
|
+
node.children.each do |child|
|
|
58
|
+
extract_parent_parts(child)
|
|
50
59
|
end
|
|
51
|
-
elsif node&.children&.first&.children&.last
|
|
52
|
-
@parent_parts << node.children.first.children.last
|
|
53
60
|
end
|
|
54
61
|
end
|
|
55
62
|
|
data/lib/spektr/targets/base.rb
CHANGED
|
@@ -100,9 +100,9 @@ module Spektr
|
|
|
100
100
|
Exp::Send.new(ast)
|
|
101
101
|
when :def
|
|
102
102
|
Exp::Definition.new(ast)
|
|
103
|
-
when :ivasgn
|
|
103
|
+
when :ivasgn, :ivar
|
|
104
104
|
Exp::Ivasgin.new(ast)
|
|
105
|
-
when :lvasign
|
|
105
|
+
when :lvasign, :lvar
|
|
106
106
|
Exp::Lvasign.new(ast)
|
|
107
107
|
when :const
|
|
108
108
|
Exp::Const.new(ast)
|
data/lib/spektr/version.rb
CHANGED
data/lib/spektr.rb
CHANGED
|
@@ -3,7 +3,6 @@
|
|
|
3
3
|
require 'bundler'
|
|
4
4
|
require 'parser'
|
|
5
5
|
require 'parser/current'
|
|
6
|
-
require 'unparser'
|
|
7
6
|
require 'erb'
|
|
8
7
|
require 'haml'
|
|
9
8
|
require 'logger'
|
|
@@ -22,7 +21,7 @@ module Spektr
|
|
|
22
21
|
pastel = Pastel.new
|
|
23
22
|
@output_format = output_format
|
|
24
23
|
start_spinner('Initializing')
|
|
25
|
-
if debug
|
|
24
|
+
@log_level = if debug
|
|
26
25
|
Logger::DEBUG
|
|
27
26
|
elsif terminal?
|
|
28
27
|
Logger::ERROR
|
data/spektr.gemspec
CHANGED
|
@@ -24,21 +24,20 @@ Gem::Specification.new do |spec|
|
|
|
24
24
|
`git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
|
|
25
25
|
end
|
|
26
26
|
spec.bindir = 'bin'
|
|
27
|
-
spec.executables =
|
|
27
|
+
spec.executables = 'spektr'
|
|
28
28
|
spec.require_paths = ['lib']
|
|
29
29
|
|
|
30
30
|
spec.add_dependency 'erubi'
|
|
31
31
|
spec.add_dependency 'haml'
|
|
32
|
-
spec.add_dependency 'parser', '
|
|
32
|
+
spec.add_dependency 'parser', '>= 2.6.0'
|
|
33
33
|
spec.add_dependency 'pastel'
|
|
34
|
-
spec.add_dependency 'ruby_parser', '
|
|
34
|
+
spec.add_dependency 'ruby_parser', '>= 3.0'
|
|
35
35
|
spec.add_dependency 'slim'
|
|
36
36
|
spec.add_dependency 'tty-color'
|
|
37
37
|
spec.add_dependency 'tty-option'
|
|
38
38
|
spec.add_dependency 'tty-spinner'
|
|
39
39
|
spec.add_dependency 'tty-table'
|
|
40
|
-
spec.add_dependency '
|
|
41
|
-
spec.add_dependency 'zeitwerk'
|
|
40
|
+
spec.add_dependency 'zeitwerk', '>= 2.6'
|
|
42
41
|
|
|
43
42
|
spec.add_development_dependency 'byebug'
|
|
44
43
|
spec.add_development_dependency 'guard'
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: spektr
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.4.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Greg Molnar
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2023-01-19 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: erubi
|
|
@@ -42,16 +42,16 @@ dependencies:
|
|
|
42
42
|
name: parser
|
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|
|
44
44
|
requirements:
|
|
45
|
-
- - "
|
|
45
|
+
- - ">="
|
|
46
46
|
- !ruby/object:Gem::Version
|
|
47
|
-
version:
|
|
47
|
+
version: 2.6.0
|
|
48
48
|
type: :runtime
|
|
49
49
|
prerelease: false
|
|
50
50
|
version_requirements: !ruby/object:Gem::Requirement
|
|
51
51
|
requirements:
|
|
52
|
-
- - "
|
|
52
|
+
- - ">="
|
|
53
53
|
- !ruby/object:Gem::Version
|
|
54
|
-
version:
|
|
54
|
+
version: 2.6.0
|
|
55
55
|
- !ruby/object:Gem::Dependency
|
|
56
56
|
name: pastel
|
|
57
57
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -70,16 +70,16 @@ dependencies:
|
|
|
70
70
|
name: ruby_parser
|
|
71
71
|
requirement: !ruby/object:Gem::Requirement
|
|
72
72
|
requirements:
|
|
73
|
-
- - "
|
|
73
|
+
- - ">="
|
|
74
74
|
- !ruby/object:Gem::Version
|
|
75
|
-
version: '3.
|
|
75
|
+
version: '3.0'
|
|
76
76
|
type: :runtime
|
|
77
77
|
prerelease: false
|
|
78
78
|
version_requirements: !ruby/object:Gem::Requirement
|
|
79
79
|
requirements:
|
|
80
|
-
- - "
|
|
80
|
+
- - ">="
|
|
81
81
|
- !ruby/object:Gem::Version
|
|
82
|
-
version: '3.
|
|
82
|
+
version: '3.0'
|
|
83
83
|
- !ruby/object:Gem::Dependency
|
|
84
84
|
name: slim
|
|
85
85
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -150,34 +150,20 @@ dependencies:
|
|
|
150
150
|
- - ">="
|
|
151
151
|
- !ruby/object:Gem::Version
|
|
152
152
|
version: '0'
|
|
153
|
-
- !ruby/object:Gem::Dependency
|
|
154
|
-
name: unparser
|
|
155
|
-
requirement: !ruby/object:Gem::Requirement
|
|
156
|
-
requirements:
|
|
157
|
-
- - "~>"
|
|
158
|
-
- !ruby/object:Gem::Version
|
|
159
|
-
version: 0.6.0
|
|
160
|
-
type: :runtime
|
|
161
|
-
prerelease: false
|
|
162
|
-
version_requirements: !ruby/object:Gem::Requirement
|
|
163
|
-
requirements:
|
|
164
|
-
- - "~>"
|
|
165
|
-
- !ruby/object:Gem::Version
|
|
166
|
-
version: 0.6.0
|
|
167
153
|
- !ruby/object:Gem::Dependency
|
|
168
154
|
name: zeitwerk
|
|
169
155
|
requirement: !ruby/object:Gem::Requirement
|
|
170
156
|
requirements:
|
|
171
157
|
- - ">="
|
|
172
158
|
- !ruby/object:Gem::Version
|
|
173
|
-
version: '
|
|
159
|
+
version: '2.6'
|
|
174
160
|
type: :runtime
|
|
175
161
|
prerelease: false
|
|
176
162
|
version_requirements: !ruby/object:Gem::Requirement
|
|
177
163
|
requirements:
|
|
178
164
|
- - ">="
|
|
179
165
|
- !ruby/object:Gem::Version
|
|
180
|
-
version: '
|
|
166
|
+
version: '2.6'
|
|
181
167
|
- !ruby/object:Gem::Dependency
|
|
182
168
|
name: byebug
|
|
183
169
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -265,7 +251,8 @@ dependencies:
|
|
|
265
251
|
description: Rails static code analyzer for security issues
|
|
266
252
|
email:
|
|
267
253
|
- molnargerg@gmail.com
|
|
268
|
-
executables:
|
|
254
|
+
executables:
|
|
255
|
+
- spektr
|
|
269
256
|
extensions: []
|
|
270
257
|
extra_rdoc_files: []
|
|
271
258
|
files:
|