tainted_love 0.4.0 → 0.4.1

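--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: ea2bb8edc59c047e25dfca2ee1e8375a008ccf93c4e98e4746854c404cc7d11d
- data.tar.gz: c23dd71cd581ab0a27e3df8d9e137f91cf203cefabb304b7761bb86f7a44f1b3
+ metadata.gz: 8d0dcb453bcce3f13b5655307c9ce22bbe47f8232dc2b8920a887aa0da301b08
+ data.tar.gz: 9d9fd135566c29aa7fb4e1703a95f5d4cf55a4e3a86f3741d82d7a8e43c1a9e4
  SHA512:
- metadata.gz: b8ae7c54209f62bc4ecf0257b470bdc2733b93b69f35635b40555cd6f42eb479755a69e0a971016a1d164071801db4af7e7ae5f933b44b211140ab3c4ca5f688
- data.tar.gz: c5e76a2da036357ba6a73c3a01c01d717362077adfd29bbfe0b5b2ed4ce0b95fa6fe13e3c05bad779669c8eaf024ea32184e8b5b79aedbdcc435565e94eee6c0
+ metadata.gz: 7479db0de47a8dd343855a7ccfd928c42d7abf401e99d78d44ed2300725f401e385db01ff99285cd0c2af5c15395af58043623ed803e54c44b4efd10b7e59943
+ data.tar.gz: 075ef8c8b4df823d281ac1bab1ba593dd75acbb040e7c4037a8431a32072e77b6b5b4e3b11a41ca70c2b593dde1b888a7088483ec82cdf429fd05986b3da5db4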
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- tainted_love (0.4.0)
4
+ tainted_love (0.4.1)
5
5
 
6
6
  GEM
7
7
  remote: https://rubygems.org/
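--- a/data/README.md
+++ b/data/README.md
@@ -4,6 +4,8 @@
 
  # TaintedLove
 
+ Note: [Ruby 2.7+ removed support of the taint checking mechanism](https://blog.saeloun.com/2020/02/18/ruby-2-7-access-and-setting-of-safe-warned-will-become-global-variable)
+
  TaintedLove is a dynamic security analysis tool for Ruby. It leverages Ruby's object tainting and monkey patching features to identify vulnerable code paths at runtime.
 
  - [Getting Started](https://github.com/Shopify/tainted_love/wiki/Getting-Started)
@@ -83,7 +85,6 @@ Model.order(tainted_input)
 
  After checking out the repo, run `bin/setup` to install dependencies. Then, run `bin/test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
 
- To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
  To install this gem onto your local machine, run `bundle exec rake install`.
 
  ## Contributing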
@@ -1,5 +1,8 @@
1
1
  # frozen_string_literal: true
2
2
 
3
+ require 'tainted_love/replacer/base'
4
+ require 'tainted_love/validator/base'
5
+ require 'tainted_love/reporter/base'
3
6
  Dir[File.dirname(__FILE__) + '/tainted_love/**/*.rb'].each { |f| require f }
4
7
 
5
8
  module TaintedLove
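Review bot: The three new `require` lines at the top of the hunk carry no comment saying why they must run before the glob on the following line, and the reason is only inferable from elsewhere on this page (presumably the `< Base` subclasses need their base class defined first, which the unsorted `Dir[...]` result does not guarantee). A one-line comment such as `# Load the base classes first: Dir[] returns files in filesystem order, so a subclass could otherwise be required before its parent` would stop a later cleanup from folding these back into the glob. The glob itself could also be made order-deterministic with `Dir[File.dirname(__FILE__) + '/tainted_love/**/*.rb'].sort.each { |f| require f }`. The `module TaintedLove` opened on the last line continues outside the hunk.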
@@ -40,8 +40,12 @@ module TaintedLove
40
40
  mod = Module.new do
41
41
  [:find_by_sql, :count_by_sql].each do |method|
42
42
  define_method(method) do |*args|
43
- if args.first.tainted?
44
- TaintedLove.report(:ReplaceActiveRecord, args.first, [:sqli], "Model##{method} using tainted string")
43
+
44
+ # skip if find_by_sql is coming from find_by because the where monkey-patch will catch it
45
+ unless Thread.current.backtrace(3).take(1).first["in `find_by'"]
46
+ if args.first.tainted?
47
+ TaintedLove.report(:ReplaceActiveRecord, args.first, [:sqli], "Model##{method} using tainted string")
48
+ end
45
49
  end
46
50
 
47
51
  super(*args)
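Review bot: The new guard `unless Thread.current.backtrace(3).take(1).first["in `find_by'"]` decides whether to suppress a SQL-injection report by substring-matching a formatted backtrace frame, which is brittle (the frame string is an implementation detail and `.first` can be nil, making the `[]` call raise) and over-broad: any method named `find_by`, not only ActiveRecord's, will silence a `find_by_sql`/`count_by_sql` call made with a tainted string, a false negative on exactly the sink this replacer watches. `.take(1).first` is also just `.first`, and `String#[]` with a string argument is an obscure spelling of `include?` that, given `:[]` appears in `ReplaceString::WRAP_METHODS` on this page, likely routes through the taint wrapper itself. The same frame can be selected at the same offset with `frame = Thread.current.backtrace_locations(3, 1)&.first` and tested as `unless frame&.base_label == 'find_by'`, optionally narrowed by checking `frame.path` for the ActiveRecord source, with the existing comment extended to state that this path is expected to be reported by the `where` patch instead. The `define_method` block and the `Module.new` block both continue past the end of the hunk.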
@@ -2,7 +2,7 @@ module TaintedLove
2
2
  module Replacer
3
3
  class ReplaceString < Base
4
4
  WRAP_METHODS = [
5
- :+, :*, :[], :[]= , :sub, :replace, :strip, :strip!, :inspect
5
+ :+, :*, :[], :[]= , :replace, :strip, :strip!, :inspect
6
6
  ]
7
7
 
8
8
  def replace!
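Review bot: Dropping `:sub` from `WRAP_METHODS` (together with the `gsub` override deleted in the next hunk) presumably means the result of a substitution no longer inherits the receiver's taint tags, so a tainted string that passes through `sub`/`gsub` before reaching a sink will no longer be reported, and nothing in the commit records that this detection gap is intentional. A comment on the constant, e.g. `# sub/gsub are deliberately not wrapped: propagating $~ into the caller's block proved fragile, so taint does not survive substitution`, would document it for anyone interpreting the reporter's output. Style-wise, the constant is still not frozen and `:[]= ,` has a stray space; `].freeze` and `:[]=,` would satisfy the usual lint. The `replace!` method opened on the last line continues outside the hunk.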
@@ -27,28 +27,6 @@ module TaintedLove
27
27
  wrap_call(sym)
28
28
  end
29
29
 
30
- def gsub(*args, &block)
31
- # Context for this hack: https://stackoverflow.com/a/52783055/3349159
32
-
33
- match(args.first)
34
-
35
- unless block.nil?
36
- block.binding.tap do |b|
37
- b.local_variable_set(:_tainted_love_tilde_variable, $~)
38
- b.eval("$~ = _tainted_love_tilde_variable")
39
- end
40
- end
41
-
42
- result = super(*args, &block)
43
-
44
- result.tainted_love_tags += tainted_love_tags if tainted?
45
- args.select(&:tainted?).each do |arg|
46
- result.tainted_love_tags += arg.tainted_love_tags
47
- end
48
-
49
- result
50
- end
51
-
52
30
  def split(*args)
53
31
  result = super(*args)
54
32
 
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module TaintedLove
4
- VERSION = '0.4.0'
4
+ VERSION = '0.4.1'
5
5
  end
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: ../..
3
3
  specs:
4
- tainted_love (0.4.0)
4
+ tainted_love (0.4.1)
5
5
 
6
6
  GEM
7
7
  remote: https://rubygems.org/
@@ -12,6 +12,11 @@ class ReplaceActiveRecordTest < ActiveSupport::TestCase
12
12
  assert_report do
13
13
  Product.where("id = ?".taint, 1)
14
14
  Product.where("id = ?", 1)
15
+
16
+ # these should not report
17
+ Product.where(id: 1)
18
+ Product.where(id: "1")
19
+ Product.where(id: "1".taint)
15
20
  end
16
21
  end
17
22
 
@@ -23,9 +28,10 @@ class ReplaceActiveRecordTest < ActiveSupport::TestCase
23
28
  end
24
29
 
25
30
  test "doesn't report when a hash is used with find_by" do
26
- assert_report(0) do
31
+ assert_report do
27
32
  Product.find_by(id: 1)
28
33
  Product.find_by(name: "name".taint)
34
+ Product.find_by("name".taint) # this should report
29
35
  end
30
36
  end
31
37
 
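--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: tainted_love
  version: !ruby/object:Gem::Version
- version: 0.4.0
+ version: 0.4.1
  platform: ruby
  authors:
  - Benoit Cote-Jodoin
  autorequire:
  bindir: exe
  cert_chain: []
- date: 2019-08-07 00:00:00.000000000 Z
+ date: 2020-02-27 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: bundler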