RubyGems - spektr - Versions diffs - 0.3.4 → 0.4.0 - Mend

spektr 0.3.4 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +6 -0
data/lib/spektr/checks/base.rb +2 -2
data/lib/spektr/checks/content_tag_xss.rb +1 -0
data/lib/spektr/processors/base.rb +21 -14
data/lib/spektr/targets/base.rb +2 -2
data/lib/spektr/version.rb +1 -1
data/lib/spektr.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2cdf9a898d4a20fa90d72e813ccc4436cd4d3c38c5fd1e56c87114f1bf54947e
-  data.tar.gz: b9fd5966623eca1f37bb8d7bec7a4611a2fcc83e8df8c8a8ef8824cda07a8093
+  metadata.gz: 36b0bd72a136d6af28c36ef6c14943fadeb061271abfc152d442754ad2356d0e
+  data.tar.gz: a85bb727b8457e55338b842b483cbddd18fe2596412168d7aa9eeef788c403a1
 SHA512:
-  metadata.gz: d482d3aa9da794f3fb46705c80773965c996aa740e694ae1e99304bd71cf0627d63962241da296b2473b28a1a43405725ee112433e084703fa1fd2e07914cac9
-  data.tar.gz: b2732871040b9abc246991e58684b0c09e6228637ee1671d81e90e2db14ce74112ea08945a2215557645060cee0f6aa52cfb33360abef0a99a9411ed2bf3111a
+  metadata.gz: 2d8342a2567d22c458cb9316fa6643de595422ae7e3a30d002181de2f2436a8d08c493dedb783aa1d3b8df93d3ab555b7797e427b067c00fcb38191562f62662
+  data.tar.gz: 8fc8196c6cf809b44691b88ab7a1b856102d7cba7062b97474beaf97c465d02134721478484127f0b260a1fe1b1bdbaf7497cb29227211974af9a1ecff5cab2d

data/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,12 @@
 ## Unreleased
+## 0.4.0
+* make XSS check work without a Rails version
+* change parent class extraction to support Structs
+* fix parsing errors
 ## 0.3.4
 * Relax dependencies, to help with using spektr as a gem

data/lib/spektr/checks/base.rb CHANGED Viewed

@@ -88,7 +88,7 @@ module Spektr
           next unless child.is_a?(Parser::AST::Node)
           return true if user_input?(child.type, child.children.last, child)
         end
-      when :block, :pair, :hash, :if
+      when :block, :pair, :hash, :array, :if, :or
         ast.children.each do |child|
           next unless child.is_a?(Parser::AST::Node)
           return true if user_input?(child.type, child.children.last, child)
@@ -125,7 +125,7 @@ module Spektr
         return true if _send.receiver && model_names.include?(_send.receiver.name)
       when :const
         return true if model_names.include? item.name
-      when :block, :pair, :hash, :if
+      when :block, :pair, :hash, :array, :if, :or
         item.children.each do |child|
           next unless child.is_a?(Parser::AST::Node)
           return true if model_attribute?(child)

data/lib/spektr/checks/content_tag_xss.rb CHANGED Viewed

@@ -23,6 +23,7 @@ module Spektr
       def run
         return unless super
+        return unless @app.rails_version
         calls = @target.find_calls(:content_tag)
         # https://groups.google.com/d/msg/ruby-security-ann/8B2iV2tPRSE/JkjCJkSoCgAJ
         cve_2016_6316_check(calls)

data/lib/spektr/processors/base.rb CHANGED Viewed

@@ -16,13 +16,25 @@ module Spektr::Processors
     end
     def parent_name
-      @parent_parts.shift if @parent_parts.first.to_s == name
-      @parent_parts.join('::')
+      parent_parts.join('::')
+    end
+    def parent_parts
+      result = @parent_parts.dup
+      result.pop if part_matches_self?(result.last.to_s)
+      result
+    end
+    def part_matches_self?(part)
+      (part == name || part_with_module(part) == name)
+    end
+    def part_with_module(part)
+      (@parent_modules | [part]).join('::')
     end
     def parent_name_with_modules
-      parts = @parent_modules | @parent_parts
-      parts.shift if parts.first.to_s == name
+      parts = @parent_modules | parent_parts
       parts.join('::')
     end
@@ -39,17 +51,12 @@ module Spektr::Processors
     end
     def extract_parent_parts(node)
-      if node.children[1] && node.children[1].is_a?(Parser::AST::Node)
-        node.children[1].children.each do |child|
-          if child.is_a?(Parser::AST::Node)
-            extract_parent_parts(child)
-            @parent_parts << child.children.last
-          elsif child.is_a? Symbol
-            @parent_parts << child.to_s
-          end
+      return unless node.is_a?(Parser::AST::Node) && %i[ module class const send].include?(node.type)
+      @parent_parts.prepend(node.children.last) if node.type == :const
+      if node.children.any?
+        node.children.each do |child|
+          extract_parent_parts(child)
         end
-      elsif node&.children&.first&.children&.last
-        @parent_parts << node.children.first.children.last
       end
     end

data/lib/spektr/targets/base.rb CHANGED Viewed

@@ -100,9 +100,9 @@ module Spektr
           Exp::Send.new(ast)
         when :def
           Exp::Definition.new(ast)
-        when :ivasgn
+        when :ivasgn, :ivar
           Exp::Ivasgin.new(ast)
-        when :lvasign
+        when :lvasign, :lvar
           Exp::Lvasign.new(ast)
         when :const
           Exp::Const.new(ast)

data/lib/spektr/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Spektr
-  VERSION = '0.3.4'
+  VERSION = '0.4.0'
 end

data/lib/spektr.rb CHANGED Viewed

@@ -21,7 +21,7 @@ module Spektr
     pastel = Pastel.new
     @output_format = output_format
     start_spinner('Initializing')
-    if debug
+    @log_level = if debug
       Logger::DEBUG
     elsif terminal?
       Logger::ERROR

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: spektr
 version: !ruby/object:Gem::Version
-  version: 0.3.4
+  version: 0.4.0
 platform: ruby
 authors:
 - Greg Molnar
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-11-10 00:00:00.000000000 Z
+date: 2023-01-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: erubi