spektr 0.3.4 → 0.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2cdf9a898d4a20fa90d72e813ccc4436cd4d3c38c5fd1e56c87114f1bf54947e
-  data.tar.gz: b9fd5966623eca1f37bb8d7bec7a4611a2fcc83e8df8c8a8ef8824cda07a8093
+  metadata.gz: 5efc76d3f9085d5aa78df1f4f0573e8b57bf6a19a80fe80366ffb9dc5f5b0ffe
+  data.tar.gz: 285b537f82854ec9a0dd24291478386c89118895ecb14151826078289d97e071
 SHA512:
-  metadata.gz: d482d3aa9da794f3fb46705c80773965c996aa740e694ae1e99304bd71cf0627d63962241da296b2473b28a1a43405725ee112433e084703fa1fd2e07914cac9
-  data.tar.gz: b2732871040b9abc246991e58684b0c09e6228637ee1671d81e90e2db14ce74112ea08945a2215557645060cee0f6aa52cfb33360abef0a99a9411ed2bf3111a
+  metadata.gz: 34d8eaf274fb3ebe686357bee5db03de636c12ae870426c9f1804ef26a1038122b3ef9746c66c2f7121d7af74631d12186e63cb5b8007aade6450252fceacaca
+  data.tar.gz: 0c51dfaf5a328e3f60b14c21296d684308b073b222101fb5294fc9189a5c699f00e7b417c7246d5a4fd1d2dfa7e36b152fbaacbe4271c7d6c318948e7a844d72

data/CHANGELOG.md

@@ -2,6 +2,16 @@
 
 ## Unreleased
 
+## 0.4.1
+
+* fix core extension eager loading
+
+## 0.4.0
+
+* make XSS check work without a Rails version
+* change parent class extraction to support Structs
+* fix parsing errors
+
 ## 0.3.4
 
 * Relax dependencies, to help with using spektr as a gem

data/lib/spektr/checks/base.rb

@@ -88,7 +88,7 @@ module Spektr
           next unless child.is_a?(Parser::AST::Node)
           return true if user_input?(child.type, child.children.last, child)
         end
-      when :block, :pair, :hash, :if
+      when :block, :pair, :hash, :array, :if, :or
         ast.children.each do |child|
           next unless child.is_a?(Parser::AST::Node)
           return true if user_input?(child.type, child.children.last, child)
@@ -125,7 +125,7 @@ module Spektr
         return true if _send.receiver && model_names.include?(_send.receiver.name)
       when :const
         return true if model_names.include? item.name
-      when :block, :pair, :hash, :if
+      when :block, :pair, :hash, :array, :if, :or
         item.children.each do |child|
           next unless child.is_a?(Parser::AST::Node)
           return true if model_attribute?(child)

data/lib/spektr/checks/content_tag_xss.rb

@@ -23,6 +23,7 @@ module Spektr
 
       def run
         return unless super
+        return unless @app.rails_version
         calls = @target.find_calls(:content_tag)
         # https://groups.google.com/d/msg/ruby-security-ann/8B2iV2tPRSE/JkjCJkSoCgAJ
         cve_2016_6316_check(calls)

data/lib/spektr/cli.rb

@@ -52,6 +52,7 @@ module Spektr
         case params[:output_format]
         when 'json'
           puts JSON.pretty_generate report
+          exit 1 if report[:advisories].any?
         end
       end
     end

data/lib/spektr/processors/base.rb

@@ -16,13 +16,25 @@ module Spektr::Processors
     end
 
     def parent_name
-      @parent_parts.shift if @parent_parts.first.to_s == name
-      @parent_parts.join('::')
+      parent_parts.join('::')
+    end
+
+    def parent_parts
+      result = @parent_parts.dup
+      result.pop if part_matches_self?(result.last.to_s)
+      result
+    end
+
+    def part_matches_self?(part)
+      (part == name || part_with_module(part) == name)
+    end
+
+    def part_with_module(part)
+      (@parent_modules | [part]).join('::')
     end
 
     def parent_name_with_modules
-      parts = @parent_modules | @parent_parts
-      parts.shift if parts.first.to_s == name
+      parts = @parent_modules | parent_parts
       parts.join('::')
     end
 
@@ -39,17 +51,12 @@ module Spektr::Processors
     end
 
     def extract_parent_parts(node)
-      if node.children[1] && node.children[1].is_a?(Parser::AST::Node)
-        node.children[1].children.each do |child|
-          if child.is_a?(Parser::AST::Node)
-            extract_parent_parts(child)
-            @parent_parts << child.children.last
-          elsif child.is_a? Symbol
-            @parent_parts << child.to_s
-          end
+      return unless node.is_a?(Parser::AST::Node) && %i[ module class const send].include?(node.type)
+      @parent_parts.prepend(node.children.last) if node.type == :const
+      if node.children.any?
+        node.children.each do |child|
+          extract_parent_parts(child)
         end
-      elsif node&.children&.first&.children&.last
-        @parent_parts << node.children.first.children.last
       end
     end
 

data/lib/spektr/targets/base.rb

@@ -100,9 +100,9 @@ module Spektr
           Exp::Send.new(ast)
         when :def
           Exp::Definition.new(ast)
-        when :ivasgn
+        when :ivasgn, :ivar
           Exp::Ivasgin.new(ast)
-        when :lvasign
+        when :lvasign, :lvar
           Exp::Lvasign.new(ast)
         when :const
           Exp::Const.new(ast)

data/lib/spektr/version.rb

@@ -1,3 +1,3 @@
 module Spektr
-  VERSION = '0.3.4'
+  VERSION = '0.4.1'
 end

data/lib/spektr.rb

@@ -12,6 +12,7 @@ require 'spektr/core_ext/string'
 require 'zeitwerk'
 loader = Zeitwerk::Loader.for_gem
 loader.collapse("#{__dir__}/processors")
+loader.do_not_eager_load("#{__dir__}/spektr/core_ext")
 loader.setup
 
 module Spektr
@@ -21,7 +22,7 @@ module Spektr
     pastel = Pastel.new
     @output_format = output_format
     start_spinner('Initializing')
-    if debug
+    @log_level = if debug
       Logger::DEBUG
     elsif terminal?
       Logger::ERROR

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: spektr
 version: !ruby/object:Gem::Version
-  version: 0.3.4
+  version: 0.4.1
 platform: ruby
 authors:
 - Greg Molnar
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-11-10 00:00:00.000000000 Z
+date: 2023-03-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: erubi
@@ -344,7 +344,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.4.6
 signing_key:
 specification_version: 4
 summary: Rails static code analyzer for security issues