spektr 0.3.4 → 0.4.1

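--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2cdf9a898d4a20fa90d72e813ccc4436cd4d3c38c5fd1e56c87114f1bf54947e
-  data.tar.gz: b9fd5966623eca1f37bb8d7bec7a4611a2fcc83e8df8c8a8ef8824cda07a8093
+  metadata.gz: 5efc76d3f9085d5aa78df1f4f0573e8b57bf6a19a80fe80366ffb9dc5f5b0ffe
+  data.tar.gz: 285b537f82854ec9a0dd24291478386c89118895ecb14151826078289d97e071
 SHA512:
-  metadata.gz: d482d3aa9da794f3fb46705c80773965c996aa740e694ae1e99304bd71cf0627d63962241da296b2473b28a1a43405725ee112433e084703fa1fd2e07914cac9
-  data.tar.gz: b2732871040b9abc246991e58684b0c09e6228637ee1671d81e90e2db14ce74112ea08945a2215557645060cee0f6aa52cfb33360abef0a99a9411ed2bf3111a
+  metadata.gz: 34d8eaf274fb3ebe686357bee5db03de636c12ae870426c9f1804ef26a1038122b3ef9746c66c2f7121d7af74631d12186e63cb5b8007aade6450252fceacaca
+  data.tar.gz: 0c51dfaf5a328e3f60b14c21296d684308b073b222101fb5294fc9189a5c699f00e7b417c7246d5a4fd1d2dfa7e36b152fbaacbe4271c7d6c318948e7a844d72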
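--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -2,6 +2,16 @@
 
 ## Unreleased
 
+## 0.4.1
+
+* fix core extension eager loading
+
+## 0.4.0
+
+* make XSS check work without a Rails version
+* change parent class extraction to support Structs
+* fix parsing errors
+
 ## 0.3.4
 
 * Relax dependencies, to help with using spektr as a gem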
@@ -88,7 +88,7 @@ module Spektr
88
88
  next unless child.is_a?(Parser::AST::Node)
89
89
  return true if user_input?(child.type, child.children.last, child)
90
90
  end
91
- when :block, :pair, :hash, :if
91
+ when :block, :pair, :hash, :array, :if, :or
92
92
  ast.children.each do |child|
93
93
  next unless child.is_a?(Parser::AST::Node)
94
94
  return true if user_input?(child.type, child.children.last, child)
@@ -125,7 +125,7 @@ module Spektr
125
125
  return true if _send.receiver && model_names.include?(_send.receiver.name)
126
126
  when :const
127
127
  return true if model_names.include? item.name
128
- when :block, :pair, :hash, :if
128
+ when :block, :pair, :hash, :array, :if, :or
129
129
  item.children.each do |child|
130
130
  next unless child.is_a?(Parser::AST::Node)
131
131
  return true if model_attribute?(child)
@@ -23,6 +23,7 @@ module Spektr
23
23
 
24
24
  def run
25
25
  return unless super
26
+ return unless @app.rails_version
26
27
  calls = @target.find_calls(:content_tag)
27
28
  # https://groups.google.com/d/msg/ruby-security-ann/8B2iV2tPRSE/JkjCJkSoCgAJ
28
29
  cve_2016_6316_check(calls)
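Review bot: The added guard `return unless @app.rails_version` makes the CVE-2016-6316 `content_tag` check fail open: when the Rails version cannot be detected the check silently produces nothing, and a consumer of the report cannot distinguish "not vulnerable" from "not checked". The CHANGELOG's 0.4.0 entry describes this as making the XSS check work without a Rails version, whereas the line visible here skips it instead. At minimum record the skip — a debug/warn message if `@app` exposes a logger, or a low-confidence advisory instead of an early return — and document the decision on the guard itself: `# CVE-2016-6316 is version-gated; without a detectable Rails version this check is skipped, not reported`. The rest of `run` is outside the hunk.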
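--- a/data/lib/spektr/cli.rb
+++ b/data/lib/spektr/cli.rb
@@ -52,6 +52,7 @@ module Spektr
         case params[:output_format]
         when 'json'
           puts JSON.pretty_generate report
+          exit 1 if report[:advisories].any?
         end
       end
     end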
@@ -16,13 +16,25 @@ module Spektr::Processors
16
16
  end
17
17
 
18
18
  def parent_name
19
- @parent_parts.shift if @parent_parts.first.to_s == name
20
- @parent_parts.join('::')
19
+ parent_parts.join('::')
20
+ end
21
+
22
+ def parent_parts
23
+ result = @parent_parts.dup
24
+ result.pop if part_matches_self?(result.last.to_s)
25
+ result
26
+ end
27
+
28
+ def part_matches_self?(part)
29
+ (part == name || part_with_module(part) == name)
30
+ end
31
+
32
+ def part_with_module(part)
33
+ (@parent_modules | [part]).join('::')
21
34
  end
22
35
 
23
36
  def parent_name_with_modules
24
- parts = @parent_modules | @parent_parts
25
- parts.shift if parts.first.to_s == name
37
+ parts = @parent_modules | parent_parts
26
38
  parts.join('::')
27
39
  end
28
40
 
@@ -39,17 +51,12 @@ module Spektr::Processors
39
51
  end
40
52
 
41
53
  def extract_parent_parts(node)
42
- if node.children[1] && node.children[1].is_a?(Parser::AST::Node)
43
- node.children[1].children.each do |child|
44
- if child.is_a?(Parser::AST::Node)
45
- extract_parent_parts(child)
46
- @parent_parts << child.children.last
47
- elsif child.is_a? Symbol
48
- @parent_parts << child.to_s
49
- end
54
+ return unless node.is_a?(Parser::AST::Node) && %i[ module class const send].include?(node.type)
55
+ @parent_parts.prepend(node.children.last) if node.type == :const
56
+ if node.children.any?
57
+ node.children.each do |child|
58
+ extract_parent_parts(child)
50
59
  end
51
- elsif node&.children&.first&.children&.last
52
- @parent_parts << node.children.first.children.last
53
60
  end
54
61
  end
55
62
 
@@ -100,9 +100,9 @@ module Spektr
100
100
  Exp::Send.new(ast)
101
101
  when :def
102
102
  Exp::Definition.new(ast)
103
- when :ivasgn
103
+ when :ivasgn, :ivar
104
104
  Exp::Ivasgin.new(ast)
105
- when :lvasign
105
+ when :lvasign, :lvar
106
106
  Exp::Lvasign.new(ast)
107
107
  when :const
108
108
  Exp::Const.new(ast)
@@ -1,3 +1,3 @@
1
1
  module Spektr
2
- VERSION = '0.3.4'
2
+ VERSION = '0.4.1'
3
3
  end
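--- a/data/lib/spektr.rb
+++ b/data/lib/spektr.rb
@@ -12,6 +12,7 @@ require 'spektr/core_ext/string'
 require 'zeitwerk'
 loader = Zeitwerk::Loader.for_gem
 loader.collapse("#{__dir__}/processors")
+loader.do_not_eager_load("#{__dir__}/spektr/core_ext")
 loader.setup
 
 module Spektr
@@ -21,7 +22,7 @@ module Spektr
     pastel = Pastel.new
     @output_format = output_format
     start_spinner('Initializing')
-    if debug
+    @log_level = if debug
       Logger::DEBUG
     elsif terminal?
       Logger::ERROR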
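--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: spektr
 version: !ruby/object:Gem::Version
-  version: 0.3.4
+  version: 0.4.1
 platform: ruby
 authors:
 - Greg Molnar
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-11-10 00:00:00.000000000 Z
+date: 2023-03-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: erubi
@@ -344,7 +344,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
   - !ruby/object:Gem::Version
     version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.4.6
 signing_key:
 specification_version: 4
 summary: Rails static code analyzer for security issues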