spektr 0.5.1 → 0.5.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +8 -0
- data/lib/spektr/checks/base.rb +46 -6
- data/lib/spektr/checks/link_to_href.rb +5 -1
- data/lib/spektr/checks/mass_assignment.rb +3 -3
- data/lib/spektr/checks/xss.rb +6 -1
- data/lib/spektr/version.rb +1 -1
- metadata +1 -1
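--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 67409372de77e0e8bf4117c53e8589c393250ce270720735e6f306aabe97dd3f
+data.tar.gz: db4149f62a076ae7ce005b72a3daf1e9cbbf26d860f092ff8e0259923c4736bb
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 05c35aff0fb9d5453585f302febdcdfe1e5a778925cc59caa958a1a41ad8b4de657bb1f9ff47aa895f0cc382c09accc731cd0095fbf51b5a7c33dad4c1bbc137
+data.tar.gz: 1a9ccf43fc043a6d66574d195a45ee6351c0fe98937928a17f3452e4ad184dd70565fc878f63f5008475cc3ae07740665fa8e624b327b2734e6855af45de04a1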
data/CHANGELOG.md
CHANGED
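--- a/data/lib/spektr/checks/base.rb
+++ b/data/lib/spektr/checks/base.rb
@@ -54,11 +54,11 @@ module Spektr
 return true if user_input?(argument)
 end
 end
-when :embedded_statements_node
+when :embedded_statements_node, :if_node, :else_node
 node.statements.body.each do |item|
 return true if user_input? item
 end
-when :interpolated_string_node, :interpolated_x_string_node
+when :interpolated_string_node, :interpolated_x_string_node, :interpolated_symbol_node
 node.parts.each do |part|
 return true if user_input?(part)
 end
@@ -67,6 +67,10 @@ module Spektr
 return true if user_input?(element.key)
 return true if user_input?(element.value)
 end
+when :array_node
+node.elements.each do |element|
+return true if user_input?(element)
+end
 # TODO: make this better. ivars can be overridden in the view as well and
 # can be set in non controller targets too
 when :instance_variable_read_node
@@ -84,15 +88,25 @@ module Spektr
 end
 end
 when :local_variable_read_node
-
+variable = @target.lvars.find do |n|
+n.name == node.name
+end
+return if variable && variable.location.start_line == node.location.start_line
+return user_input?(variable)
+when :local_variable_or_write_node
+return user_input?(node.value)
+when :and_node, :or_node
+return user_input?(node.left)
+return user_input?(node.right)
 when :instance_variable_write_node, :local_variable_write_node
 return user_input? node.value
+when :splat_node
+return user_input? node.expression
 when :parentheses_node
 node.body.body.each do |item|
 return user_input? item
 end
-
-when :string_node, :symbol_node, :constant_read_node, :integer_node, :true_node, :constant_path_node
+when :string_node, :symbol_node, :constant_read_node, :integer_node, :true_node, :constant_path_node, :nil_node, :true_node, :false_node, :self_node, :global_variable_read_node
 # do nothing
 else
 raise "Unknown argument type #{node.type.inspect} #{node.inspect}"
@@ -120,6 +134,11 @@ module Spektr
 end
 end
 end
+when :local_variable_or_write_node
+return model_attribute?(node.value)
+when :and_node, :or_node
+return model_attribute?(node.left)
+return model_attribute?(node.right)
 when :call_node
 return model_attribute?(node.receiver) if node.receiver
 if node.arguments
@@ -127,17 +146,38 @@ module Spektr
 return true if model_attribute?(argument)
 end
 end
+when :keyword_hash_node, :hash_node
+node.elements.each do |element|
+return true if model_attribute?(element.key)
+return true if model_attribute?(element.value)
+end
+when :array_node
+node.elements.each do |element|
+return true if model_attribute?(element)
+end
 when :parentheses_node
 node.body.body.each do |item|
 return model_attribute? item
 end
+when :interpolated_string_node, :interpolated_x_string_node, :interpolated_symbol_node
+node.parts.each do |part|
+return true if model_attribute?(part)
+end
+when :embedded_statements_node, :if_node, :else_node
+node.statements.body.each do |item|
+return true if model_attribute? item
+end
+when :instance_variable_write_node, :local_variable_write_node
+return model_attribute? node.value
 when :constant_read_node
 return true if model_names.include? node.name.to_s
 when :interpolated_string_node
 node.parts.each do |item|
 return model_attribute? item
 end
-when :
+when :splat_node
+return model_attribute? node.expression
+when :string_node, :symbol_node, :integer_node, :constant_path_node, :nil_node, :true_node, :false_node, :self_node, :global_variable_read_node
 # do nothing
 else
 raise "Unknown argument type #{node.type}"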
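Review bot: In the new `when :and_node, :or_node` branches (user_input? at new lines 98-100, model_attribute? at new lines 139-141) the second `return` is unreachable, so the right operand of `&&`/`||` is never inspected and an expression like `default || params[:x]` passes both checks silently; change the first line to `return true if user_input?(node.left)` (and `return true if model_attribute?(node.left)`) so the right operand is reached. The branch added at new line 162, `when :interpolated_string_node, :interpolated_x_string_node, :interpolated_symbol_node`, comes before the pre-existing `when :interpolated_string_node` at new line 174, which `case` can therefore never select any more and which should be deleted rather than left as dead code. `:true_node` appears twice in the no-op list at new line 109. In the `:local_variable_read_node` branch, when `@target.lvars.find` returns nil the code falls through to `user_input?(nil)`; unless the top of `user_input?` handles a nil node (not visible here) that raises on `node.type`, so a `return false unless variable` guard before the recursive call looks warranted. Both `user_input?` and `model_attribute?` start and end outside these hunks.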
@@ -26,7 +26,11 @@ module Spektr
|
|
|
26
26
|
next unless call.arguments
|
|
27
27
|
::Spektr.logger.debug "#{@target.path} #{call.location.start_line} #{call.arguments.arguments[1].inspect}"
|
|
28
28
|
next unless call.arguments.arguments[1]
|
|
29
|
-
|
|
29
|
+
require 'byebug'
|
|
30
|
+
if call.arguments.arguments[1] && call.arguments.arguments[1].respond_to?(:name)
|
|
31
|
+
name = call.arguments.arguments[1].name
|
|
32
|
+
end
|
|
33
|
+
next if name && name =~ /_url$|_path$/
|
|
30
34
|
if user_input? call.arguments.arguments[1]
|
|
31
35
|
warn! @target, self, call.location, "Cross-Site Scripting: Unsafe user supplied value in link_to"
|
|
32
36
|
end
|
|
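Review bot: `require 'byebug'` on new line 29 ships a debugger load inside the check loop of a released gem version; byebug is a development tool, and unless it is declared as a runtime dependency (not visible here) every user running this `link_to` check without it gets a LoadError, so the line should be deleted. The `call.arguments.arguments[1] &&` on new line 30 is redundant after the `next unless call.arguments.arguments[1]` on line 28 and can be reduced to `if call.arguments.arguments[1].respond_to?(:name)`. The `_url$|_path$` skip on new line 33 is a name-based allow-list: any second argument that is a call named like a route helper is trusted, including an application-defined `foo_url` that returns raw params, so a comment such as `# skip Rails route helpers; assumes *_url/*_path are not user-defined wrappers around params` would record the assumption. The enclosing method starts and ends outside this hunk.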
@@ -16,7 +16,7 @@ module Spektr
|
|
|
16
16
|
calls = []
|
|
17
17
|
model_names.each do |receiver|
|
|
18
18
|
[:new, :build, :create].each do |method|
|
|
19
|
-
calls.concat @target.find_calls(method, receiver
|
|
19
|
+
calls.concat @target.find_calls(method, receiver&.to_sym)
|
|
20
20
|
end
|
|
21
21
|
end
|
|
22
22
|
calls.each do |call|
|
|
@@ -25,9 +25,9 @@ module Spektr
|
|
|
25
25
|
::Spektr.logger.debug "Mass assignment check at #{call.location.start_line}"
|
|
26
26
|
if user_input?(argument)
|
|
27
27
|
# we check for permit! separately
|
|
28
|
-
next if argument.name == :permit!
|
|
28
|
+
next if argument.respond_to?(:name) && argument.name == :permit!
|
|
29
29
|
# check for permit with arguments
|
|
30
|
-
next if argument.name == :permit && argument.arguments
|
|
30
|
+
next if argument.respond_to?(:name) && argument.name == :permit && argument.arguments
|
|
31
31
|
warn! @target, self, call.location, "Mass assignment"
|
|
32
32
|
end
|
|
33
33
|
end
|
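--- a/data/lib/spektr/checks/xss.rb
+++ b/data/lib/spektr/checks/xss.rb
@@ -43,7 +43,12 @@ module Spektr
 warn! @target, self, call.location, "Cross-Site Scripting: Unescaped user input"
 end
 if model_attribute?(call.receiver)
-
+name = if call.receiver.respond_to?(:name)
+call.receiver.name
+else
+""
+end
+warn! @target, self, call.location, "Cross-Site Scripting: Unescaped model attribute #{name}"
 end
 end
 end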
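Review bot: The five-line `name = if ... else "" end` at new lines 46-50 produces a finding message that ends in a dangling space ("Unescaped model attribute ") whenever the receiver has no `name`, which is what a reader of the report sees. A single conditional that folds the separator into the value avoids that: `name = call.receiver.respond_to?(:name) ? " #{call.receiver.name}" : ""` followed by `warn! @target, self, call.location, "Cross-Site Scripting: Unescaped model attribute#{name}"`. Note that for a `call_node` receiver `name` is the method name, presumably the attribute rather than the model; if that is the intent, a comment saying so would help. The enclosing method starts outside this hunk.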
data/lib/spektr/version.rb
CHANGED