spektr 0.3.3 → 0.4.0

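--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 1afb80e4a1c5d9cc60a44031a5f3e0b467728f0d5edc75c5ba96dc905afcad6b
-data.tar.gz: a92f43e5cc7865642641df39ba697609c926e67bdbc3cf14130ee2aed186c106
+metadata.gz: 36b0bd72a136d6af28c36ef6c14943fadeb061271abfc152d442754ad2356d0e
+data.tar.gz: a85bb727b8457e55338b842b483cbddd18fe2596412168d7aa9eeef788c403a1
 SHA512:
-metadata.gz: e3369c1e335efd31cd527bd81b6848f50fe718dce399feef67ec3e5afe669629b09fce1acd0e09e5fc45b4fefaed6f5ac592918619306a750381b6aae9843e21
-data.tar.gz: 6750ac48db9693f2b02448b13127456d0a8384f94e84d7d1c7d06ecc5f5320246d8c9bb6471a18d5c75bc7adf421b48d4f3145ba3e14a483cf0079e995734744
+metadata.gz: 2d8342a2567d22c458cb9316fa6643de595422ae7e3a30d002181de2f2436a8d08c493dedb783aa1d3b8df93d3ab555b7797e427b067c00fcb38191562f62662
+data.tar.gz: 8fc8196c6cf809b44691b88ab7a1b856102d7cba7062b97474beaf97c465d02134721478484127f0b260a1fe1b1bdbaf7497cb29227211974af9a1ecff5cab2d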
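--- a/data/.gitignore
+++ b/data/.gitignore
@@ -7,3 +7,4 @@
 /spec/reports/
 /tmp/
 .byebug_history
+Gemfile.lock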
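--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -2,6 +2,17 @@
 
 ## Unreleased
 
+## 0.4.0
+
+* make XSS check work without a Rails version
+* change parent class extraction to support Structs
+* fix parsing errors
+
+## 0.3.4
+
+* Relax dependencies, to help with using spektr as a gem
+* Fix executable
+
 ## 0.3.3
 
 * Remove hard dependency of haml 5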
@@ -88,7 +88,7 @@ module Spektr
88
88
  next unless child.is_a?(Parser::AST::Node)
89
89
  return true if user_input?(child.type, child.children.last, child)
90
90
  end
91
- when :block, :pair, :hash, :if
91
+ when :block, :pair, :hash, :array, :if, :or
92
92
  ast.children.each do |child|
93
93
  next unless child.is_a?(Parser::AST::Node)
94
94
  return true if user_input?(child.type, child.children.last, child)
@@ -125,7 +125,7 @@ module Spektr
125
125
  return true if _send.receiver && model_names.include?(_send.receiver.name)
126
126
  when :const
127
127
  return true if model_names.include? item.name
128
- when :block, :pair, :hash, :if
128
+ when :block, :pair, :hash, :array, :if, :or
129
129
  item.children.each do |child|
130
130
  next unless child.is_a?(Parser::AST::Node)
131
131
  return true if model_attribute?(child)
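Review bot: The descent list on the new `when :block, :pair, :hash, :array, :if, :or` line follows `:or` nodes but not `:and`, so user input nested inside an `&&` expression is never traversed by `user_input?`, and the second hunk gives `model_attribute?` the same gap, unless a branch outside these hunks handles `:and`; a taint walker that follows `||` but stops at `&&` under-reports for no evident reason. The same list is now spelled out twice, so the two walkers can drift apart on the next addition; a shared frozen constant keeps them in step, e.g. `DESCEND_TYPES = %i[block pair hash array if or and].freeze` used as `when *DESCEND_TYPES` in both `case` statements. Both enclosing methods start and end outside the hunks.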
@@ -23,6 +23,7 @@ module Spektr
23
23
 
24
24
  def run
25
25
  return unless super
26
+ return unless @app.rails_version
26
27
  calls = @target.find_calls(:content_tag)
27
28
  # https://groups.google.com/d/msg/ruby-security-ann/8B2iV2tPRSE/JkjCJkSoCgAJ
28
29
  cve_2016_6316_check(calls)
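Review bot: The added `return unless @app.rails_version` makes `run` skip the CVE-2016-6316 check silently whenever no Rails version was detected, so a scan of such an app produces neither a finding nor any sign that this check did not execute; the CHANGELOG wording "make XSS check work without a Rails version" reads as if the check still runs. Before returning, emit a warn-level message through the logger the CLI configures (lib/spektr.rb sets `@log_level` in this release) and document the gate, e.g. `# CVE-2016-6316 is version-gated; without a detected Rails version the check is skipped, not assumed safe`. Whether `@app` exposes that logger is not visible here, and `run` continues past the hunk.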
@@ -16,13 +16,25 @@ module Spektr::Processors
16
16
  end
17
17
 
18
18
  def parent_name
19
- @parent_parts.shift if @parent_parts.first.to_s == name
20
- @parent_parts.join('::')
19
+ parent_parts.join('::')
20
+ end
21
+
22
+ def parent_parts
23
+ result = @parent_parts.dup
24
+ result.pop if part_matches_self?(result.last.to_s)
25
+ result
26
+ end
27
+
28
+ def part_matches_self?(part)
29
+ (part == name || part_with_module(part) == name)
30
+ end
31
+
32
+ def part_with_module(part)
33
+ (@parent_modules | [part]).join('::')
21
34
  end
22
35
 
23
36
  def parent_name_with_modules
24
- parts = @parent_modules | @parent_parts
25
- parts.shift if parts.first.to_s == name
37
+ parts = @parent_modules | parent_parts
26
38
  parts.join('::')
27
39
  end
28
40
 
@@ -39,17 +51,12 @@ module Spektr::Processors
39
51
  end
40
52
 
41
53
  def extract_parent_parts(node)
42
- if node.children[1] && node.children[1].is_a?(Parser::AST::Node)
43
- node.children[1].children.each do |child|
44
- if child.is_a?(Parser::AST::Node)
45
- extract_parent_parts(child)
46
- @parent_parts << child.children.last
47
- elsif child.is_a? Symbol
48
- @parent_parts << child.to_s
49
- end
54
+ return unless node.is_a?(Parser::AST::Node) && %i[ module class const send].include?(node.type)
55
+ @parent_parts.prepend(node.children.last) if node.type == :const
56
+ if node.children.any?
57
+ node.children.each do |child|
58
+ extract_parent_parts(child)
50
59
  end
51
- elsif node&.children&.first&.children&.last
52
- @parent_parts << node.children.first.children.last
53
60
  end
54
61
  end
55
62
 
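Review bot: `extract_parent_parts` recurses into every child of any whitelisted node, so if it receives the `:class` node itself (the prepend-then-`pop` arrangement with `part_matches_self?` in the first hunk suggests the class's own name const is walked too) a body consisting of a single call such as `include Foo` is a `:send` whose `:const` gets prepended into `@parent_parts`, and a superclass written as `Struct.new(:a) do … end` is a `:block` the whitelist `%i[ module class const send]` rejects, recording no parent at all despite the Struct support this hunk adds; the caller is outside the hunk, so both are inferences to confirm against fixtures. Restricting the descent to the superclass child of a `:class` node and to the call inside a `:block` makes the result depend on the superclass expression alone, as sketched below. The `if node.children.any?` guard is redundant because `each` on an empty array does nothing, and the `%i[` literal carries a stray leading space. In the first hunk, `part_matches_self?` and `part_with_module` wrap a single expression in parentheses Ruby does not need, and the three new helpers appear public unless a `private` marker outside the hunk precedes them.
```ruby
def extract_parent_parts(node)
  return unless node.is_a?(Parser::AST::Node) && %i[module class const send block].include?(node.type)

  @parent_parts.prepend(node.children.last) if node.type == :const
  children = case node.type
             when :class then [node.children[1]]     # [name, superclass, body]: only the superclass names a parent
             when :block then [node.children.first]  # `Struct.new(...) do ... end`: follow the send, not the block body
             else node.children
             end
  children.each { |child| extract_parent_parts(child) }
end
```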
@@ -100,9 +100,9 @@ module Spektr
100
100
  Exp::Send.new(ast)
101
101
  when :def
102
102
  Exp::Definition.new(ast)
103
- when :ivasgn
103
+ when :ivasgn, :ivar
104
104
  Exp::Ivasgin.new(ast)
105
- when :lvasign
105
+ when :lvasign, :lvar
106
106
  Exp::Lvasign.new(ast)
107
107
  when :const
108
108
  Exp::Const.new(ast)
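Review bot: The new `when :lvasign, :lvar` line keeps the misspelled `:lvasign`; the parser gem emits `:lvasgn` for a local-variable assignment, so this branch now matches only the newly added `:lvar` and assignments still never reach `Exp::Lvasign`, whereas `:ivasgn` on the line above is spelled correctly. The fix is `when :lvasgn, :lvar`. Routing bare reads (`:ivar` and `:lvar` nodes have a single name child) into classes built for assignments (name and value, two children) means whatever those constructors treat as the assigned value will see nil or the name itself; the Exp classes are outside the hunk, so confirm they tolerate a one-child node. The enclosing `case` starts and ends outside the hunk.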
@@ -1,3 +1,3 @@
1
1
  module Spektr
2
- VERSION = '0.3.3'
2
+ VERSION = '0.4.0'
3
3
  end
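--- a/data/lib/spektr.rb
+++ b/data/lib/spektr.rb
@@ -3,7 +3,6 @@
 require 'bundler'
 require 'parser'
 require 'parser/current'
-require 'unparser'
 require 'erb'
 require 'haml'
 require 'logger'
@@ -22,7 +21,7 @@ module Spektr
 pastel = Pastel.new
 @output_format = output_format
 start_spinner('Initializing')
-if debug
+@log_level = if debug
 Logger::DEBUG
 elsif terminal?
 Logger::ERROR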
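--- a/data/spektr.gemspec
+++ b/data/spektr.gemspec
@@ -24,21 +24,20 @@ Gem::Specification.new do |spec|
 `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
 end
 spec.bindir = 'bin'
-spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+spec.executables = 'spektr'
 spec.require_paths = ['lib']
 
 spec.add_dependency 'erubi'
 spec.add_dependency 'haml'
-spec.add_dependency 'parser', '~> 3.0.0'
+spec.add_dependency 'parser', '>= 2.6.0'
 spec.add_dependency 'pastel'
-spec.add_dependency 'ruby_parser', '~>3.13'
+spec.add_dependency 'ruby_parser', '>= 3.0'
 spec.add_dependency 'slim'
 spec.add_dependency 'tty-color'
 spec.add_dependency 'tty-option'
 spec.add_dependency 'tty-spinner'
 spec.add_dependency 'tty-table'
-spec.add_dependency 'unparser', '~> 0.6.0'
-spec.add_dependency 'zeitwerk'
+spec.add_dependency 'zeitwerk', '>= 2.6'
 
 spec.add_development_dependency 'byebug'
 spec.add_development_dependency 'guard'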
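Review bot: The relaxed constraints `'parser', '>= 2.6.0'`, `'ruby_parser', '>= 3.0'` and `'zeitwerk', '>= 2.6'` carry no upper bound, so a future major release of any of them resolves at install time even though the analyzer depends on `Parser::AST::Node` shapes and node type names (the `when :block, :pair, …` hunks above) that a major bump may change; a bounded form such as `'>= 2.6.0', '< 4'` keeps the flexibility the CHANGELOG asks for while excluding untested majors. `spec.executables = 'spektr'` relies on `Gem::Specification#executables=` wrapping a bare string in an array, which the `executables: - spektr` entry in the regenerated metadata confirms, but `['spektr']` states the intent directly. Lowering ruby_parser from `~>3.13` to `>= 3.0` also admits versions between 3.0 and 3.13; whether those were exercised is not visible here.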
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: spektr
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.3.3
4
+ version: 0.4.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Greg Molnar
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-11-10 00:00:00.000000000 Z
11
+ date: 2023-01-19 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: erubi
@@ -42,16 +42,16 @@ dependencies:
42
42
  name: parser
43
43
  requirement: !ruby/object:Gem::Requirement
44
44
  requirements:
45
- - - "~>"
45
+ - - ">="
46
46
  - !ruby/object:Gem::Version
47
- version: 3.0.0
47
+ version: 2.6.0
48
48
  type: :runtime
49
49
  prerelease: false
50
50
  version_requirements: !ruby/object:Gem::Requirement
51
51
  requirements:
52
- - - "~>"
52
+ - - ">="
53
53
  - !ruby/object:Gem::Version
54
- version: 3.0.0
54
+ version: 2.6.0
55
55
  - !ruby/object:Gem::Dependency
56
56
  name: pastel
57
57
  requirement: !ruby/object:Gem::Requirement
@@ -70,16 +70,16 @@ dependencies:
70
70
  name: ruby_parser
71
71
  requirement: !ruby/object:Gem::Requirement
72
72
  requirements:
73
- - - "~>"
73
+ - - ">="
74
74
  - !ruby/object:Gem::Version
75
- version: '3.13'
75
+ version: '3.0'
76
76
  type: :runtime
77
77
  prerelease: false
78
78
  version_requirements: !ruby/object:Gem::Requirement
79
79
  requirements:
80
- - - "~>"
80
+ - - ">="
81
81
  - !ruby/object:Gem::Version
82
- version: '3.13'
82
+ version: '3.0'
83
83
  - !ruby/object:Gem::Dependency
84
84
  name: slim
85
85
  requirement: !ruby/object:Gem::Requirement
@@ -150,34 +150,20 @@ dependencies:
150
150
  - - ">="
151
151
  - !ruby/object:Gem::Version
152
152
  version: '0'
153
- - !ruby/object:Gem::Dependency
154
- name: unparser
155
- requirement: !ruby/object:Gem::Requirement
156
- requirements:
157
- - - "~>"
158
- - !ruby/object:Gem::Version
159
- version: 0.6.0
160
- type: :runtime
161
- prerelease: false
162
- version_requirements: !ruby/object:Gem::Requirement
163
- requirements:
164
- - - "~>"
165
- - !ruby/object:Gem::Version
166
- version: 0.6.0
167
153
  - !ruby/object:Gem::Dependency
168
154
  name: zeitwerk
169
155
  requirement: !ruby/object:Gem::Requirement
170
156
  requirements:
171
157
  - - ">="
172
158
  - !ruby/object:Gem::Version
173
- version: '0'
159
+ version: '2.6'
174
160
  type: :runtime
175
161
  prerelease: false
176
162
  version_requirements: !ruby/object:Gem::Requirement
177
163
  requirements:
178
164
  - - ">="
179
165
  - !ruby/object:Gem::Version
180
- version: '0'
166
+ version: '2.6'
181
167
  - !ruby/object:Gem::Dependency
182
168
  name: byebug
183
169
  requirement: !ruby/object:Gem::Requirement
@@ -265,7 +251,8 @@ dependencies:
265
251
  description: Rails static code analyzer for security issues
266
252
  email:
267
253
  - molnargerg@gmail.com
268
- executables: []
254
+ executables:
255
+ - spektr
269
256
  extensions: []
270
257
  extra_rdoc_files: []
271
258
  files: