spektr 0.5.4 → 0.5.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +9 -1
- data/lib/spektr/checks/base.rb +3 -3
- data/lib/spektr/checks/mass_assignment.rb +13 -6
- data/lib/spektr/checks/send.rb +2 -2
- data/lib/spektr/checks/sqli.rb +3 -1
- data/lib/spektr/version.rb +1 -1
- data/lib/spektr.rb +0 -1
- data/spektr.gemspec +0 -1
- metadata +1 -15
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e26ec9d89007e489dcb99102598d93d72d3e6d1acc43451dddc2ecc2dc5f653f
|
|
4
|
+
data.tar.gz: 663f275b4b5e710928729698133f071a8b0bdac65d6598b5aed1959d212f26d6
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 816d3c285a9f54ebe75cf9759e301d0dfd169a1a32dfa018afe1e51ed71dd243a3432519c0036ddb4f2a32ec37d50241bbbff12a5eccf61fb538ad3df34fc13e
|
|
7
|
+
data.tar.gz: 0c7ce498c2875fd179cb32f949321ef67aaa82036cbfb76637bc1066f8d06e4264cf8a1f3b4035623c52b9104cc964ce650f8297cd618219b73d7186093aac5e
|
data/CHANGELOG.md
CHANGED
data/lib/spektr/checks/base.rb
CHANGED
|
@@ -106,10 +106,10 @@ module Spektr
|
|
|
106
106
|
node.body.body.each do |item|
|
|
107
107
|
return user_input? item
|
|
108
108
|
end
|
|
109
|
-
when :string_node, :symbol_node, :constant_read_node, :integer_node, :
|
|
109
|
+
when :string_node, :symbol_node, :constant_read_node, :integer_node, :constant_path_node, :nil_node, :true_node, :false_node, :self_node, :global_variable_read_node
|
|
110
110
|
# do nothing
|
|
111
111
|
else
|
|
112
|
-
Spektr
|
|
112
|
+
::Spektr.logger.debug "Unknown argument type #{node.type.inspect} #{node.inspect}"
|
|
113
113
|
end
|
|
114
114
|
false
|
|
115
115
|
end
|
|
@@ -199,7 +199,7 @@ module Spektr
|
|
|
199
199
|
when :string_node, :symbol_node, :integer_node, :constant_path_node, :nil_node, :true_node, :false_node, :self_node, :global_variable_read_node
|
|
200
200
|
# do nothing
|
|
201
201
|
else
|
|
202
|
-
Spektr
|
|
202
|
+
Spektr.logger.debug "Unknown argument type #{node.type}"
|
|
203
203
|
end
|
|
204
204
|
end
|
|
205
205
|
|
|
@@ -23,13 +23,20 @@ module Spektr
|
|
|
23
23
|
argument = call.arguments&.arguments&.first
|
|
24
24
|
next if argument.nil?
|
|
25
25
|
::Spektr.logger.debug "Mass assignment check at #{call.location.start_line}"
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
26
|
+
next unless user_input?(argument)
|
|
27
|
+
if argument.type == :local_variable_read_node
|
|
28
|
+
variable = @target.lvars.find do |n|
|
|
29
|
+
n.name == argument.name
|
|
30
|
+
end
|
|
31
|
+
param = variable.value
|
|
32
|
+
else
|
|
33
|
+
param = argument
|
|
32
34
|
end
|
|
35
|
+
# we check for permit! separately
|
|
36
|
+
next if param.respond_to?(:name) && param.name == :permit!
|
|
37
|
+
# check for permit with arguments
|
|
38
|
+
next if param.respond_to?(:name) && param.name == :permit && param.arguments
|
|
39
|
+
warn! @target, self, call.location, "Mass assignment"
|
|
33
40
|
end
|
|
34
41
|
@target.find_calls(:permit!).each do |call|
|
|
35
42
|
unless call.arguments
|
data/lib/spektr/checks/send.rb
CHANGED
|
@@ -12,8 +12,8 @@ module Spektr
|
|
|
12
12
|
return unless super
|
|
13
13
|
[:send, :try, :__send__, :public_send].each do |method|
|
|
14
14
|
@target.find_calls(method).each do |call|
|
|
15
|
-
argument = call.arguments
|
|
16
|
-
if user_input?(argument)
|
|
15
|
+
argument = call.arguments&.arguments&.first
|
|
16
|
+
if argument && user_input?(argument)
|
|
17
17
|
warn! @target, self, call.location, "User supplied value in send"
|
|
18
18
|
end
|
|
19
19
|
end
|
data/lib/spektr/checks/sqli.rb
CHANGED
|
@@ -19,7 +19,9 @@ module Spektr
|
|
|
19
19
|
|
|
20
20
|
].each do |m|
|
|
21
21
|
@target.find_calls(m).each do |call|
|
|
22
|
-
|
|
22
|
+
arguments = call.arguments&.arguments&.first
|
|
23
|
+
next if arguments && arguments.type == :keyword_hash_node
|
|
24
|
+
check_argument(arguments, m, call)
|
|
23
25
|
end
|
|
24
26
|
end
|
|
25
27
|
[:calculate].each do |m|
|
data/lib/spektr/version.rb
CHANGED
data/lib/spektr.rb
CHANGED
data/spektr.gemspec
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: spektr
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.5.
|
|
4
|
+
version: 0.5.6
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Greg Molnar
|
|
@@ -23,20 +23,6 @@ dependencies:
|
|
|
23
23
|
- - ">="
|
|
24
24
|
- !ruby/object:Gem::Version
|
|
25
25
|
version: '0'
|
|
26
|
-
- !ruby/object:Gem::Dependency
|
|
27
|
-
name: herb
|
|
28
|
-
requirement: !ruby/object:Gem::Requirement
|
|
29
|
-
requirements:
|
|
30
|
-
- - ">="
|
|
31
|
-
- !ruby/object:Gem::Version
|
|
32
|
-
version: '0'
|
|
33
|
-
type: :runtime
|
|
34
|
-
prerelease: false
|
|
35
|
-
version_requirements: !ruby/object:Gem::Requirement
|
|
36
|
-
requirements:
|
|
37
|
-
- - ">="
|
|
38
|
-
- !ruby/object:Gem::Version
|
|
39
|
-
version: '0'
|
|
40
26
|
- !ruby/object:Gem::Dependency
|
|
41
27
|
name: haml
|
|
42
28
|
requirement: !ruby/object:Gem::Requirement
|