spektr 0.5.2 → 0.5.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/lib/spektr/checks/base.rb +46 -5
- data/lib/spektr/checks/link_to_href.rb +5 -1
- data/lib/spektr/checks/mass_assignment.rb +3 -3
- data/lib/spektr/checks/xss.rb +6 -1
- data/lib/spektr/version.rb +1 -1
- metadata +1 -1
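--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 67409372de77e0e8bf4117c53e8589c393250ce270720735e6f306aabe97dd3f
+data.tar.gz: db4149f62a076ae7ce005b72a3daf1e9cbbf26d860f092ff8e0259923c4736bb
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 05c35aff0fb9d5453585f302febdcdfe1e5a778925cc59caa958a1a41ad8b4de657bb1f9ff47aa895f0cc382c09accc731cd0095fbf51b5a7c33dad4c1bbc137
+data.tar.gz: 1a9ccf43fc043a6d66574d195a45ee6351c0fe98937928a17f3452e4ad184dd70565fc878f63f5008475cc3ae07740665fa8e624b327b2734e6855af45de04a1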
data/CHANGELOG.md
CHANGED
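--- a/data/lib/spektr/checks/base.rb
+++ b/data/lib/spektr/checks/base.rb
@@ -54,11 +54,11 @@ module Spektr
 return true if user_input?(argument)
 end
 end
-when :embedded_statements_node
+when :embedded_statements_node, :if_node, :else_node
 node.statements.body.each do |item|
 return true if user_input? item
 end
-when :interpolated_string_node, :interpolated_x_string_node
+when :interpolated_string_node, :interpolated_x_string_node, :interpolated_symbol_node
 node.parts.each do |part|
 return true if user_input?(part)
 end
@@ -67,6 +67,10 @@ module Spektr
 return true if user_input?(element.key)
 return true if user_input?(element.value)
 end
+when :array_node
+node.elements.each do |element|
+return true if user_input?(element)
+end
 # TODO: make this better. ivars can be overridden in the view as well and
 # can be set in non controller targets too
 when :instance_variable_read_node
@@ -84,14 +88,25 @@ module Spektr
 end
 end
 when :local_variable_read_node
-
+variable = @target.lvars.find do |n|
+n.name == node.name
+end
+return if variable && variable.location.start_line == node.location.start_line
+return user_input?(variable)
+when :local_variable_or_write_node
+return user_input?(node.value)
+when :and_node, :or_node
+return user_input?(node.left)
+return user_input?(node.right)
 when :instance_variable_write_node, :local_variable_write_node
 return user_input? node.value
+when :splat_node
+return user_input? node.expression
 when :parentheses_node
 node.body.body.each do |item|
 return user_input? item
 end
-when :string_node, :symbol_node, :constant_read_node, :integer_node, :true_node, :constant_path_node, :nil_node
+when :string_node, :symbol_node, :constant_read_node, :integer_node, :true_node, :constant_path_node, :nil_node, :true_node, :false_node, :self_node, :global_variable_read_node
 # do nothing
 else
 raise "Unknown argument type #{node.type.inspect} #{node.inspect}"
@@ -119,6 +134,11 @@ module Spektr
 end
 end
 end
+when :local_variable_or_write_node
+return model_attribute?(node.value)
+when :and_node, :or_node
+return model_attribute?(node.left)
+return model_attribute?(node.right)
 when :call_node
 return model_attribute?(node.receiver) if node.receiver
 if node.arguments
@@ -126,17 +146,38 @@ module Spektr
 return true if model_attribute?(argument)
 end
 end
+when :keyword_hash_node, :hash_node
+node.elements.each do |element|
+return true if model_attribute?(element.key)
+return true if model_attribute?(element.value)
+end
+when :array_node
+node.elements.each do |element|
+return true if model_attribute?(element)
+end
 when :parentheses_node
 node.body.body.each do |item|
 return model_attribute? item
 end
+when :interpolated_string_node, :interpolated_x_string_node, :interpolated_symbol_node
+node.parts.each do |part|
+return true if model_attribute?(part)
+end
+when :embedded_statements_node, :if_node, :else_node
+node.statements.body.each do |item|
+return true if model_attribute? item
+end
+when :instance_variable_write_node, :local_variable_write_node
+return model_attribute? node.value
 when :constant_read_node
 return true if model_names.include? node.name.to_s
 when :interpolated_string_node
 node.parts.each do |item|
 return model_attribute? item
 end
-when :
+when :splat_node
+return model_attribute? node.expression
+when :string_node, :symbol_node, :integer_node, :constant_path_node, :nil_node, :true_node, :false_node, :self_node, :global_variable_read_node
 # do nothing
 else
 raise "Unknown argument type #{node.type}"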
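Review bot: In the new `when :and_node, :or_node` branch of `user_input?` (new lines 98–100) the second `return` is unreachable, so the right operand of an `&&`/`||` expression is never inspected and something like `"fallback" || params[:q]` is classified as safe; the same pattern is repeated in `model_attribute?` (new lines 139–141). Collapse each pair into one line, `return user_input?(node.left) || user_input?(node.right)` and `return model_attribute?(node.left) || model_attribute?(node.right)`. In the last hunk the added `when :interpolated_string_node, :interpolated_x_string_node, :interpolated_symbol_node` (new line 162) now shadows the pre-existing `when :interpolated_string_node` at new line 174, which has become dead code and can be dropped, and `:true_node` is listed twice in the `:string_node` branch at new line 109. The `:if_node` case only walks `node.statements`, so the else branch is never visited, and if Prism's IfNode can carry a nil `statements` (an empty `if` body) the `.body` call would raise — worth confirming against the Prism node definition. Both `user_input?` and `model_attribute?` start outside the shown hunks.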
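--- a/data/lib/spektr/checks/link_to_href.rb
+++ b/data/lib/spektr/checks/link_to_href.rb
@@ -26,7 +26,11 @@ module Spektr
 next unless call.arguments
 ::Spektr.logger.debug "#{@target.path} #{call.location.start_line} #{call.arguments.arguments[1].inspect}"
 next unless call.arguments.arguments[1]
-
+require 'byebug'
+if call.arguments.arguments[1] && call.arguments.arguments[1].respond_to?(:name)
+name = call.arguments.arguments[1].name
+end
+next if name && name =~ /_url$|_path$/
 if user_input? call.arguments.arguments[1]
 warn! @target, self, call.location, "Cross-Site Scripting: Unsafe user supplied value in link_to"
 end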
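Review bot: `require 'byebug'` at new line 29 is a leftover debugging statement sitting inside the per-call loop; byebug is a development tool, and unless it is declared as a runtime dependency of the gem this line raises LoadError for every user as soon as the check runs — drop it. The `call.arguments.arguments[1] &&` guard on new line 30 is redundant after `next unless call.arguments.arguments[1]` two lines above, so the three-line `if` reduces to `name = call.arguments.arguments[1].name if call.arguments.arguments[1].respond_to?(:name)`. The regexp on new line 33 anchors with `$`, which matches at a line end rather than the end of the string; for a method name `\z` is the precise anchor, `next if name && name =~ /_url\z|_path\z/`. The enclosing loop and method start outside the hunk.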
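--- a/data/lib/spektr/checks/mass_assignment.rb
+++ b/data/lib/spektr/checks/mass_assignment.rb
@@ -16,7 +16,7 @@ module Spektr
 calls = []
 model_names.each do |receiver|
 [:new, :build, :create].each do |method|
-calls.concat @target.find_calls(method, receiver
+calls.concat @target.find_calls(method, receiver&.to_sym)
 end
 end
 calls.each do |call|
@@ -25,9 +25,9 @@ module Spektr
 ::Spektr.logger.debug "Mass assignment check at #{call.location.start_line}"
 if user_input?(argument)
 # we check for permit! separately
-next if argument.name == :permit!
+next if argument.respond_to?(:name) && argument.name == :permit!
 # check for permit with arguments
-next if argument.name == :permit && argument.arguments
+next if argument.respond_to?(:name) && argument.name == :permit && argument.arguments
 warn! @target, self, call.location, "Mass assignment"
 end
 end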
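Review bot: The two guards at new lines 28 and 30 repeat the same `argument.respond_to?(:name) &&` prefix; reading the name once, `arg_name = argument.name if argument.respond_to?(:name)`, and comparing `arg_name` in both `next if` lines keeps them short and makes the intent visible. A short comment on why the `respond_to?` check is needed would help the next reader, e.g. `# argument may be a non-call node (variable, hash, splat) that has no #name`. The `receiver&.to_sym` change in the first hunk suggests `model_names` can contain nil entries — worth confirming that is intended rather than a symptom upstream. The enclosing `calls.each` block starts outside the second hunk.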
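--- a/data/lib/spektr/checks/xss.rb
+++ b/data/lib/spektr/checks/xss.rb
@@ -43,7 +43,12 @@ module Spektr
 warn! @target, self, call.location, "Cross-Site Scripting: Unescaped user input"
 end
 if model_attribute?(call.receiver)
-
+name = if call.receiver.respond_to?(:name)
+call.receiver.name
+else
+""
+end
+warn! @target, self, call.location, "Cross-Site Scripting: Unescaped model attribute #{name}"
 end
 end
 end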
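Review bot: The five-line `name = if ... else "" end` at new lines 46–50 produces the same warning text as one line, because a nil interpolates as an empty string: `name = call.receiver.name if call.receiver.respond_to?(:name)`. What `name` denotes in the finding is worth a comment, since for a call receiver it is the called method's name rather than the model, e.g. `# receiver's method/constant name, best effort; empty when the node has no #name`. `model_attribute?` and the enclosing block are defined outside this hunk, so whether `call.receiver` can be nil here is not visible.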
data/lib/spektr/version.rb
CHANGED