RubyGems - spektr - Versions diffs - 0.3.4 → 0.4.0 - Mend

spektr 0.3.4 → 0.4.0

Files changed (9) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +6 -0
data/lib/spektr/checks/base.rb +2 -2
data/lib/spektr/checks/content_tag_xss.rb +1 -0
data/lib/spektr/processors/base.rb +21 -14
data/lib/spektr/targets/base.rb +2 -2
data/lib/spektr/version.rb +1 -1
data/lib/spektr.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2cdf9a898d4a20fa90d72e813ccc4436cd4d3c38c5fd1e56c87114f1bf54947e
-  data.tar.gz: b9fd5966623eca1f37bb8d7bec7a4611a2fcc83e8df8c8a8ef8824cda07a8093
+  metadata.gz: 36b0bd72a136d6af28c36ef6c14943fadeb061271abfc152d442754ad2356d0e
+  data.tar.gz: a85bb727b8457e55338b842b483cbddd18fe2596412168d7aa9eeef788c403a1
 SHA512:
-  metadata.gz: d482d3aa9da794f3fb46705c80773965c996aa740e694ae1e99304bd71cf0627d63962241da296b2473b28a1a43405725ee112433e084703fa1fd2e07914cac9
-  data.tar.gz: b2732871040b9abc246991e58684b0c09e6228637ee1671d81e90e2db14ce74112ea08945a2215557645060cee0f6aa52cfb33360abef0a99a9411ed2bf3111a
+  metadata.gz: 2d8342a2567d22c458cb9316fa6643de595422ae7e3a30d002181de2f2436a8d08c493dedb783aa1d3b8df93d3ab555b7797e427b067c00fcb38191562f62662
+  data.tar.gz: 8fc8196c6cf809b44691b88ab7a1b856102d7cba7062b97474beaf97c465d02134721478484127f0b260a1fe1b1bdbaf7497cb29227211974af9a1ecff5cab2d

data/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,12 @@
 ## Unreleased
+## 0.4.0
+* make XSS check work without a Rails version
+* change parent class extraction to support Structs
+* fix parsing errors
 ## 0.3.4
 * Relax dependencies, to help with using spektr as a gem

data/lib/spektr/checks/base.rb CHANGED Viewed

@@ -88,7 +88,7 @@ module Spektr
           next unless child.is_a?(Parser::AST::Node)
           return true if user_input?(child.type, child.children.last, child)
         end
-      when :block, :pair, :hash, :if
+      when :block, :pair, :hash, :array, :if, :or
         ast.children.each do |child|
           next unless child.is_a?(Parser::AST::Node)
           return true if user_input?(child.type, child.children.last, child)
@@ -125,7 +125,7 @@ module Spektr
         return true if _send.receiver && model_names.include?(_send.receiver.name)
       when :const
         return true if model_names.include? item.name
-      when :block, :pair, :hash, :if
+      when :block, :pair, :hash, :array, :if, :or
         item.children.each do |child|
           next unless child.is_a?(Parser::AST::Node)
           return true if model_attribute?(child)

data/lib/spektr/checks/content_tag_xss.rb CHANGED Viewed

@@ -23,6 +23,7 @@ module Spektr
       def run
         return unless super
+        return unless @app.rails_version
         calls = @target.find_calls(:content_tag)
         # https://groups.google.com/d/msg/ruby-security-ann/8B2iV2tPRSE/JkjCJkSoCgAJ
         cve_2016_6316_check(calls)

data/lib/spektr/processors/base.rb CHANGED Viewed

@@ -16,13 +16,25 @@ module Spektr::Processors
     end
     def parent_name
-      @parent_parts.shift if @parent_parts.first.to_s == name
-      @parent_parts.join('::')
+      parent_parts.join('::')
+    end
+    def parent_parts
+      result = @parent_parts.dup
+      result.pop if part_matches_self?(result.last.to_s)
+      result
+    end
+    def part_matches_self?(part)
+      (part == name || part_with_module(part) == name)
+    end
+    def part_with_module(part)
+      (@parent_modules | [part]).join('::')
     end
     def parent_name_with_modules
-      parts = @parent_modules | @parent_parts
-      parts.shift if parts.first.to_s == name
+      parts = @parent_modules | parent_parts
       parts.join('::')
     end
@@ -39,17 +51,12 @@ module Spektr::Processors
     end
     def extract_parent_parts(node)
-      if node.children[1] && node.children[1].is_a?(Parser::AST::Node)
-        node.children[1].children.each do |child|
-          if child.is_a?(Parser::AST::Node)
-            extract_parent_parts(child)
-            @parent_parts << child.children.last
-          elsif child.is_a? Symbol
-            @parent_parts << child.to_s
-          end
+      return unless node.is_a?(Parser::AST::Node) && %i[ module class const send].include?(node.type)
+      @parent_parts.prepend(node.children.last) if node.type == :const
+      if node.children.any?
+        node.children.each do |child|
+          extract_parent_parts(child)
         end
-      elsif node&.children&.first&.children&.last
-        @parent_parts << node.children.first.children.last
       end
     end

data/lib/spektr/targets/base.rb CHANGED Viewed

@@ -100,9 +100,9 @@ module Spektr
           Exp::Send.new(ast)
         when :def
           Exp::Definition.new(ast)
-        when :ivasgn
+        when :ivasgn, :ivar
           Exp::Ivasgin.new(ast)
-        when :lvasign
+        when :lvasign, :lvar
           Exp::Lvasign.new(ast)
         when :const
           Exp::Const.new(ast)

data/lib/spektr/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Spektr
-  VERSION = '0.3.4'
+  VERSION = '0.4.0'
 end

data/lib/spektr.rb CHANGED Viewed

@@ -21,7 +21,7 @@ module Spektr
     pastel = Pastel.new
     @output_format = output_format
     start_spinner('Initializing')
-    if debug
+    @log_level = if debug
       Logger::DEBUG
     elsif terminal?
       Logger::ERROR

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: spektr
 version: !ruby/object:Gem::Version
-  version: 0.3.4
+  version: 0.4.0
 platform: ruby
 authors:
 - Greg Molnar
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-11-10 00:00:00.000000000 Z
+date: 2023-01-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: erubi