RubyGems - spektr - Versions diffs - 0.5.4 → 0.5.5 - Mend

spektr 0.5.4 → 0.5.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +4 -1
data/lib/spektr/checks/base.rb +3 -3
data/lib/spektr/checks/mass_assignment.rb +13 -6
data/lib/spektr/checks/sqli.rb +3 -1
data/lib/spektr/version.rb +1 -1
metadata +1 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3856f34c87bf7f347c90149e5cc0a824e68d80df6c6a4704a204e4862ea3e54b
-  data.tar.gz: f0c98f054f09841c3de0e7f756c80537b5d0a409a2fe0a70d555b63715958691
+  metadata.gz: b3f2e35ede68f8a611ce58a5ad3a4fc251e3d18191b9f1bc7fb314666d789063
+  data.tar.gz: 908740bb4515316fa1c5a69a0b583ea282251a3483fc33a704f83e63521fe249
 SHA512:
-  metadata.gz: fb99134225086acbaab6417f03594c7cb1b44893bdd413faf5056d3990afdd8e6bea3812c6a5a61344fc518e7d47b78bdbe49dfdb49e75722f6c5303df43101a
-  data.tar.gz: 7c20a2d6f2ec1a7c1a5e006b2ce4bb41e527a55fae099fd66d4e120f7fdffd9c6849496269abd998226f303b4602b5ac23b703a8be448abcd851a4f25bdb974a
+  metadata.gz: f92ec1f4949da94bad355d9062b825fbb96480bdf6fe9fb424a421afbaa132cae4b9d0313d0f7af902e25b6ac6141ddc871ecd01cc8f4e4118bd0e7082f362d3
+  data.tar.gz: b6e240e0449e4fb858ae591aaeec936a18502741e105b56b30f00c05c6286a7ce690cfb3ae7d66ce07c5f53c64eb8f6bff55420b0f016d2764d30cba5bb090eb

data/CHANGELOG.md CHANGED Viewed

@@ -2,11 +2,14 @@
 ## Unreleased
+## 0.5.5
+* fix false positives
 ## 0.5.4
 * more parser fixes
 ## 0.5.3
 * parser fixes

data/lib/spektr/checks/base.rb CHANGED Viewed

@@ -106,10 +106,10 @@ module Spektr
         node.body.body.each do |item|
           return user_input? item
         end
-      when :string_node, :symbol_node, :constant_read_node, :integer_node, :true_node, :constant_path_node, :nil_node, :true_node, :false_node, :self_node, :global_variable_read_node, :and_node
+      when :string_node, :symbol_node, :constant_read_node, :integer_node, :constant_path_node, :nil_node, :true_node, :false_node, :self_node, :global_variable_read_node
         # do nothing
       else
-        Spektr::Logger.debug "Unknown argument type #{node.type.inspect} #{node.inspect}"
+        ::Spektr.logger.debug "Unknown argument type #{node.type.inspect} #{node.inspect}"
       end
       false
     end
@@ -199,7 +199,7 @@ module Spektr
       when :string_node, :symbol_node, :integer_node, :constant_path_node, :nil_node, :true_node, :false_node, :self_node, :global_variable_read_node
         # do nothing
       else
-        Spektr::Logger.debug "Unknown argument type #{node.type}"
+        Spektr.logger.debug "Unknown argument type #{node.type}"
       end
     end

data/lib/spektr/checks/mass_assignment.rb CHANGED Viewed

@@ -23,13 +23,20 @@ module Spektr
           argument = call.arguments&.arguments&.first
           next if argument.nil?
           ::Spektr.logger.debug "Mass assignment check at #{call.location.start_line}"
-          if user_input?(argument)
-            # we check for permit! separately
-            next if argument.respond_to?(:name) && argument.name == :permit!
-            # check for permit with arguments
-            next if argument.respond_to?(:name) && argument.name == :permit && argument.arguments
-            warn! @target, self, call.location, "Mass assignment"
+          next unless user_input?(argument)
+          if argument.type == :local_variable_read_node
+            variable = @target.lvars.find do |n|
+              n.name == argument.name
+            end
+            param = variable.value
+          else
+            param = argument
           end
+          # we check for permit! separately
+          next if param.respond_to?(:name) && param.name == :permit!
+          # check for permit with arguments
+          next if param.respond_to?(:name) && param.name == :permit && param.arguments
+          warn! @target, self, call.location, "Mass assignment"
         end
         @target.find_calls(:permit!).each do |call|
           unless call.arguments

data/lib/spektr/checks/sqli.rb CHANGED Viewed

@@ -19,7 +19,9 @@ module Spektr
         ].each do |m|
           @target.find_calls(m).each do |call|
-            check_argument(call.arguments&.arguments&.first, m, call)
+            arguments = call.arguments&.arguments&.first
+            next if arguments && arguments.type == :keyword_hash_node
+            check_argument(arguments, m, call)
           end
         end
         [:calculate].each do |m|

data/lib/spektr/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Spektr
-  VERSION = '0.5.4'
+  VERSION = '0.5.5'
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: spektr
 version: !ruby/object:Gem::Version
-  version: 0.5.4
+  version: 0.5.5
 platform: ruby
 authors:
 - Greg Molnar