Commit
29f22580
Authored on
Jul 17, 2012
Author:
Justin Collins
Merge branch 'master' of github.com:presidentbeef/brakeman
Parents
2d89fc35
cac6ae2c
Changes: 3
Showing 3 changed files with 84 additions and 24 deletions (+84 -24)
lib/brakeman/checks/check_file_access.rb (+39 -23)
test/apps/rails3.1/app/controllers/users_controller.rb (+7 -0)
test/tests/test_rails31.rb (+38 -1)
lib/brakeman/checks/check_file_access.rb
@@ -9,7 +9,7 @@ class Brakeman::CheckFileAccess < Brakeman::BaseCheck
def
run_check
Brakeman
.
debug
"Finding possible file access"
methods
=
tracker
.
find_call
:targets
=>
[
:Dir
,
:File
,
:IO
,
:Kernel
,
:"Net::FTP"
,
:"Net::HTTP"
,
:PStore
,
:Pathname
,
:Shell
,
:YAML
],
:methods
=>
[
:[]
,
:chdir
,
:chroot
,
:delete
,
:entries
,
:foreach
,
:glob
,
:install
,
:lchmod
,
:lchown
,
:link
,
:load
,
:load_file
,
:makedirs
,
:move
,
:new
,
:open
,
:read
,
:read
_
lines
,
:rename
,
:rmdir
,
:safe_unlink
,
:symlink
,
:syscopy
,
:sysopen
,
:truncate
,
:unlink
]
methods
=
tracker
.
find_call
:targets
=>
[
:Dir
,
:File
,
:IO
,
:Kernel
,
:"Net::FTP"
,
:"Net::HTTP"
,
:PStore
,
:Pathname
,
:Shell
,
:YAML
],
:methods
=>
[
:[]
,
:chdir
,
:chroot
,
:delete
,
:entries
,
:foreach
,
:glob
,
:install
,
:lchmod
,
:lchown
,
:link
,
:load
,
:load_file
,
:makedirs
,
:move
,
:new
,
:open
,
:read
,
:readlines
,
:rename
,
:rmdir
,
:safe_unlink
,
:symlink
,
:syscopy
,
:sysopen
,
:truncate
,
:unlink
]
Brakeman
.
debug
"Finding calls to load()"
methods
.
concat
tracker
.
find_call
:target
=>
false
,
:method
=>
:load
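Review bot: The one change in this hunk is the `:methods` entry `:read_lines` becoming `:readlines`, which is the actual name of the Ruby `IO`/`File`/`Pathname` method, so the old entry could never have matched a call; the `Pathname.readlines(...)` fixture and `test_file_access_in_string_interpolation` added in this same commit are what exercise it. The merge message says nothing about this, so it is worth calling out the typo fix in the commit message or changelog, since users running older versions will silently miss `readlines` calls.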
@@ -24,32 +24,48 @@ class Brakeman::CheckFileAccess < Brakeman::BaseCheck
end
def
process_result
result
return
if
duplicate?
result
add_result
result
call
=
result
[
:call
]
file_name
=
call
[
3
][
1
]
if
input
=
include_user_input?
(
file_name
)
unless
duplicate?
result
add_result
result
case
input
.
type
when
:params
message
=
"Parameter"
when
:cookies
message
=
"Cookie"
else
message
=
"User input"
end
message
<<
" value used in file name"
warn
:result
=>
result
,
:warning_type
=>
"File Access"
,
:message
=>
message
,
:confidence
=>
CONFIDENCE
[
:high
],
:code
=>
call
,
:user_input
=>
input
.
match
if
match
=
has_immediate_user_input?
(
file_name
)
confidence
=
CONFIDENCE
[
:high
]
elsif
match
=
has_immediate_model?
(
file_name
)
confidence
=
CONFIDENCE
[
:med
]
elsif
tracker
.
options
[
:check_arguments
]
and
match
=
include_user_input?
(
file_name
)
#Check for string building in file name
if
call?
(
file_name
)
and
(
file_name
[
2
]
==
:
+
or
file_name
[
2
]
==
:<<
)
confidence
=
CONFIDENCE
[
:high
]
else
confidence
=
CONFIDENCE
[
:low
]
end
end
if
match
case
match
.
type
when
:params
message
=
"Parameter"
when
:cookies
message
=
"Cookie"
when
:request
message
=
"Request"
when
:model
message
=
"Model attribute"
else
message
=
"User input"
end
message
<<
" value used in file name"
warn
:result
=>
result
,
:warning_type
=>
"File Access"
,
:message
=>
message
,
:confidence
=>
confidence
,
:code
=>
call
,
:user_input
=>
match
.
match
end
end
end
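Review bot: The `when :model` branch in the new `case match.type` looks unreachable from the `has_immediate_model?` path: the test added in this commit for the model-attribute fixture (`IO.read(User.find_by_name('bob').file_path)`) expects a message starting with "User input", i.e. the `else` branch, so either `has_immediate_model?` does not return a match whose `type` is `:model`, or the test expectation is wrong; settle which before merging. Two smaller points: `file_name = call[3][1]` is `nil` for a call with no argument (`Dir.chdir` is in the targets/methods list and accepts none), so `call?(file_name)` and the `file_name[2]` checks should be guarded; and the `include_user_input?` path only runs when `tracker.options[:check_arguments]` is set, so the new indirect-input test depends on that option being enabled for the test app.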
test/apps/rails3.1/app/controllers/users_controller.rb
@@ -102,5 +102,12 @@ class UsersController < ApplicationController
redirect_to
User
.
find_by_name
(
params
[
:name
])
end
def
test_file_access_params
File
.
unlink
(
blah
(
params
[
:file
]))
Pathname
.
readlines
(
"blah/
#{
cookies
[
:file
]
}
"
)
File
.
delete
(
params
[
:file
])
IO
.
read
(
User
.
find_by_name
(
'bob'
).
file_path
)
end
include
UserMixin
end
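Review bot: `blah` is not defined in this hunk or anywhere else in the visible diff; if the intent is to route `params[:file]` through an unknown method so the check only finds it via `include_user_input?` (the low-confidence path), a one-line comment saying so would make the fixture self-documenting, since `test_rails31.rb` refers to these four calls only by line number (106 to 109). The same applies to the other three lines: mark which check path each is meant to exercise (direct parameter, interpolated cookie, model attribute), so the next person editing this fixture knows which assertion each line backs.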
test/tests/test_rails31.rb
@@ -15,7 +15,7 @@ class Rails31Tests < Test::Unit::TestCase
:model
=>
0
,
:template
=>
4
,
:controller
=>
1
,
:warning
=>
4
0
}
:warning
=>
4
4
}
end
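Review bot: The expected warning total moves from 40 to 44, which matches the four `assert_warning` tests added further down in this file; fine as is, but since every new File Access fixture line bumps this number, a short comment naming the four new warnings would save the next contributor from re-deriving the count.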
def
test_without_protection
@@ -454,4 +454,41 @@ class Rails31Tests < Test::Unit::TestCase
:confidence
=>
0
,
:file
=>
/users\/mixin_default\.html\.erb/
end
def
test_file_access_indirect_user_input
assert_warning
:type
=>
:warning
,
:warning_type
=>
"File Access"
,
:line
=>
106
,
:message
=>
/^Parameter\ value\ used\ in\ file\ name/
,
:confidence
=>
2
,
:file
=>
/users_controller\.rb/
end
def
test_file_access_in_string_interpolation
assert_warning
:type
=>
:warning
,
:warning_type
=>
"File Access"
,
:line
=>
107
,
:message
=>
/^Cookie\ value\ used\ in\ file\ name/
,
:confidence
=>
0
,
:file
=>
/users_controller\.rb/
end
def
test_file_access_direct_user_input
assert_warning
:type
=>
:warning
,
:warning_type
=>
"File Access"
,
:line
=>
108
,
:message
=>
/^Parameter\ value\ used\ in\ file\ name/
,
:confidence
=>
0
,
:file
=>
/users_controller\.rb/
end
def
test_file_access_model_attribute
assert_warning
:type
=>
:warning
,
:warning_type
=>
"File Access"
,
:line
=>
109
,
:message
=>
/^User\ input\ value\ used\ in\ file\ name/
,
:confidence
=>
1
,
:file
=>
/users_controller\.rb/
end
end
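Review bot: All four tests pin the warning by `:line` (106 to 109) in `users_controller.rb`, so any edit above `test_file_access_params` in that fixture shifts every one of them; matching on `:code` or a tighter message pattern as well would make them less brittle. Also, `test_file_access_model_attribute` expects `/^User\ input\ value\ used\ in\ file\ name/` with `:confidence => 1`, while the check in this commit adds a dedicated "Model attribute" message for `match.type == :model`; if that branch is meant to fire for `User.find_by_name('bob').file_path`, the expectation should read `/^Model\ attribute\ value\ used\ in\ file\ name/`, and if it is not, the branch is dead code. Finally, `test_file_access_indirect_user_input` (confidence 2) relies on the `:check_arguments` option being enabled, since that is the only path in `process_result` that yields `CONFIDENCE[:low]`.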