tainted_love 0.4.0 → 0.4.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Gemfile.lock +1 -1
- data/README.md +2 -1
- data/lib/tainted_love.rb +3 -0
- data/lib/tainted_love/replacer/replace_active_record.rb +6 -2
- data/lib/tainted_love/replacer/replace_string.rb +1 -23
- data/lib/tainted_love/version.rb +1 -1
- data/tests/rails/Gemfile.lock +1 -1
- data/tests/rails/test/replacers/replace_active_record_test.rb +7 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 8d0dcb453bcce3f13b5655307c9ce22bbe47f8232dc2b8920a887aa0da301b08
|
|
4
|
+
data.tar.gz: 9d9fd135566c29aa7fb4e1703a95f5d4cf55a4e3a86f3741d82d7a8e43c1a9e4
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 7479db0de47a8dd343855a7ccfd928c42d7abf401e99d78d44ed2300725f401e385db01ff99285cd0c2af5c15395af58043623ed803e54c44b4efd10b7e59943
|
|
7
|
+
data.tar.gz: 075ef8c8b4df823d281ac1bab1ba593dd75acbb040e7c4037a8431a32072e77b6b5b4e3b11a41ca70c2b593dde1b888a7088483ec82cdf429fd05986b3da5db4
|
data/Gemfile.lock
CHANGED
data/README.md
CHANGED
|
@@ -4,6 +4,8 @@
|
|
|
4
4
|
|
|
5
5
|
# TaintedLove
|
|
6
6
|
|
|
7
|
+
Note: [Ruby 2.7+ removed support of the taint checking mechanism](https://blog.saeloun.com/2020/02/18/ruby-2-7-access-and-setting-of-safe-warned-will-become-global-variable)
|
|
8
|
+
|
|
7
9
|
TaintedLove is a dynamic security analysis tool for Ruby. It leverages Ruby's object tainting and monkey patching features to identify vulnerable code paths at runtime.
|
|
8
10
|
|
|
9
11
|
- [Getting Started](https://github.com/Shopify/tainted_love/wiki/Getting-Started)
|
|
@@ -83,7 +85,6 @@ Model.order(tainted_input)
|
|
|
83
85
|
|
|
84
86
|
After checking out the repo, run `bin/setup` to install dependencies. Then, run `bin/test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
|
|
85
87
|
|
|
86
|
-
To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
|
|
87
88
|
To install this gem onto your local machine, run `bundle exec rake install`.
|
|
88
89
|
|
|
89
90
|
## Contributing
|
data/lib/tainted_love.rb
CHANGED
|
@@ -40,8 +40,12 @@ module TaintedLove
|
|
|
40
40
|
mod = Module.new do
|
|
41
41
|
[:find_by_sql, :count_by_sql].each do |method|
|
|
42
42
|
define_method(method) do |*args|
|
|
43
|
-
|
|
44
|
-
|
|
43
|
+
|
|
44
|
+
# skip if find_by_sql is coming from find_by because the where monkey-patch will catch it
|
|
45
|
+
unless Thread.current.backtrace(3).take(1).first["in `find_by'"]
|
|
46
|
+
if args.first.tainted?
|
|
47
|
+
TaintedLove.report(:ReplaceActiveRecord, args.first, [:sqli], "Model##{method} using tainted string")
|
|
48
|
+
end
|
|
45
49
|
end
|
|
46
50
|
|
|
47
51
|
super(*args)
|
|
@@ -2,7 +2,7 @@ module TaintedLove
|
|
|
2
2
|
module Replacer
|
|
3
3
|
class ReplaceString < Base
|
|
4
4
|
WRAP_METHODS = [
|
|
5
|
-
:+, :*, :[], :[]= , :
|
|
5
|
+
:+, :*, :[], :[]= , :replace, :strip, :strip!, :inspect
|
|
6
6
|
]
|
|
7
7
|
|
|
8
8
|
def replace!
|
|
@@ -27,28 +27,6 @@ module TaintedLove
|
|
|
27
27
|
wrap_call(sym)
|
|
28
28
|
end
|
|
29
29
|
|
|
30
|
-
def gsub(*args, &block)
|
|
31
|
-
# Context for this hack: https://stackoverflow.com/a/52783055/3349159
|
|
32
|
-
|
|
33
|
-
match(args.first)
|
|
34
|
-
|
|
35
|
-
unless block.nil?
|
|
36
|
-
block.binding.tap do |b|
|
|
37
|
-
b.local_variable_set(:_tainted_love_tilde_variable, $~)
|
|
38
|
-
b.eval("$~ = _tainted_love_tilde_variable")
|
|
39
|
-
end
|
|
40
|
-
end
|
|
41
|
-
|
|
42
|
-
result = super(*args, &block)
|
|
43
|
-
|
|
44
|
-
result.tainted_love_tags += tainted_love_tags if tainted?
|
|
45
|
-
args.select(&:tainted?).each do |arg|
|
|
46
|
-
result.tainted_love_tags += arg.tainted_love_tags
|
|
47
|
-
end
|
|
48
|
-
|
|
49
|
-
result
|
|
50
|
-
end
|
|
51
|
-
|
|
52
30
|
def split(*args)
|
|
53
31
|
result = super(*args)
|
|
54
32
|
|
data/lib/tainted_love/version.rb
CHANGED
data/tests/rails/Gemfile.lock
CHANGED
|
@@ -12,6 +12,11 @@ class ReplaceActiveRecordTest < ActiveSupport::TestCase
|
|
|
12
12
|
assert_report do
|
|
13
13
|
Product.where("id = ?".taint, 1)
|
|
14
14
|
Product.where("id = ?", 1)
|
|
15
|
+
|
|
16
|
+
# these should not report
|
|
17
|
+
Product.where(id: 1)
|
|
18
|
+
Product.where(id: "1")
|
|
19
|
+
Product.where(id: "1".taint)
|
|
15
20
|
end
|
|
16
21
|
end
|
|
17
22
|
|
|
@@ -23,9 +28,10 @@ class ReplaceActiveRecordTest < ActiveSupport::TestCase
|
|
|
23
28
|
end
|
|
24
29
|
|
|
25
30
|
test "doesn't report when a hash is used with find_by" do
|
|
26
|
-
assert_report
|
|
31
|
+
assert_report do
|
|
27
32
|
Product.find_by(id: 1)
|
|
28
33
|
Product.find_by(name: "name".taint)
|
|
34
|
+
Product.find_by("name".taint) # this should report
|
|
29
35
|
end
|
|
30
36
|
end
|
|
31
37
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: tainted_love
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.4.
|
|
4
|
+
version: 0.4.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Benoit Cote-Jodoin
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2020-02-27 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|