Commit 89b67145
Authored on Dec 04, 2012
by: Justin Collins
Move more Sexp#[] calls to regular method calls
Parent: 9f5e7b16

Showing 4 changed files with 21 additions and 14 deletions (+21 -14):

lib/brakeman/checks/check_cross_site_scripting.rb (+5 -1)
lib/brakeman/checks/check_redirect.rb (+4 -4)
lib/brakeman/checks/check_sql.rb (+9 -7)
lib/brakeman/processors/alias_processor.rb (+3 -2)
lib/brakeman/checks/check_cross_site_scripting.rb
@@ -115,7 +115,11 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
:confidence
=>
CONFIDENCE
[
:high
]
elsif
not
tracker
.
options
[
:ignore_model_output
]
and
match
=
has_immediate_model?
(
out
)
method
=
match
[
2
]
method
=
if
call?
match
match
.
method
else
nil
end
unless
IGNORE_MODEL_METHODS
.
include?
method
add_result
out
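Review bot: the new `method = if call? match ... else nil end` block collapses to `method = match.method if call? match`, and it needs a comment on the nil case: when `match` is not a call node, `method` is nil, `IGNORE_MODEL_METHODS.include? nil` is false, and `add_result out` runs. That is presumably the intended behaviour for a bare model reference in view output, but the old `match[2]` read the same slot for every node shape, so a one-line comment stating that non-call matches are always reported would make the change in guard explicit for the next reader.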
lib/brakeman/checks/check_redirect.rb
@@ -73,12 +73,12 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
elsif
call?
arg
if
request_value?
arg
return
Match
.
new
(
immediate
,
arg
)
elsif
request_value?
arg
[
1
]
return
Match
.
new
(
immediate
,
arg
[
1
]
)
elsif
arg
[
2
]
==
:url_for
and
include_user_input?
arg
elsif
request_value?
arg
.
target
return
Match
.
new
(
immediate
,
arg
.
target
)
elsif
arg
.
method
==
:url_for
and
include_user_input?
arg
return
Match
.
new
(
immediate
,
arg
)
#Ignore helpers like some_model_url?
elsif
arg
[
2
]
.
to_s
=~
/_(url|path)\z/
elsif
arg
.
method
.
to_s
=~
/_(url|path)\z/
return
false
end
elsif
request_value?
arg
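Review bot: `arg.target` is nil for a receiver-less call such as `url_for(...)`, so the second branch now passes nil into `request_value?`; that is the same value the previous `arg[1]` produced for that node shape, so there is no behaviour change, but a short comment that `request_value?` tolerates a nil target would make the ordering of the three branches (whole call, receiver, then `url_for` with user input) obvious. The `arg.method.to_s =~ /_(url|path)\z/` branch reads much better than the index form and correctly keeps suppressing `*_url` and `*_path` helpers.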
lib/brakeman/checks/check_sql.rb
@@ -261,23 +261,25 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
def
check_scope_arguments
args
return
unless
node_type?
args
,
:arglist
scope_arg
=
args
[
2
]
#first arg is name of scope
if
node_type?
args
[
2
]
,
:iter
unsafe_sql?
args
[
2
]
.
block
if
node_type?
scope_arg
,
:iter
unsafe_sql?
scope_arg
.
block
else
unsafe_sql?
args
[
2
]
unsafe_sql?
scope_arg
end
end
def
check_query_arguments
arg
return
unless
sexp?
arg
first_arg
=
arg
[
1
]
if
node_type?
arg
,
:arglist
if
arg
.
length
>
2
and
node_type?
arg
[
1
]
,
:string_interp
,
:dstr
if
arg
.
length
>
2
and
node_type?
first_arg
,
:string_interp
,
:dstr
# Model.where("blah = ?", blah)
return
check_string_interp
arg
[
1
]
return
check_string_interp
first_arg
else
arg
=
arg
[
1
]
arg
=
first_arg
end
end
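Review bot: in `check_query_arguments`, `first_arg = arg[1]` is assigned before the `node_type? arg, :arglist` test, so for any non-arglist Sexp it is an unused local; move the assignment inside the `if` branch where it is consumed. Both new locals also preserve the index access (`args[2]`, `arg[1]`) that the commit title is moving away from; the `#first arg is name of scope` comment justifies the `[2]` offset in `check_scope_arguments`, which is good, and a matching note on `arg[1]` (index 0 being the `:arglist` type tag) would make `check_query_arguments` equally self-explanatory.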
@@ -319,7 +321,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
def
check_by_sql_arguments
arg
return
unless
sexp?
arg
#This is kind of necessary, because unsafe_sql? will handle an array
#This is kind of
un
necessary, because unsafe_sql? will handle an array
#correctly, but might be better to be explicit.
if
array?
arg
unsafe_sql?
arg
[
1
]
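Review bot: the corrected comment now says the `array? arg` branch is unnecessary because `unsafe_sql?` handles arrays correctly, yet the branch remains and calls `unsafe_sql? arg[1]`, the first element only. If the comment is right, deleting the branch removes both the redundancy and the last `Sexp#[]` index access in this method, which is what this commit is about; if the explicit form is kept on purpose, bind `arg[1]` to a named local (the SQL string position) so the intent is visible without consulting the Sexp layout.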
lib/brakeman/processors/alias_processor.rb
@@ -477,8 +477,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
#Join two string literals into one.
def
join_strings
string1
,
string2
result
=
Sexp
.
new
(
:str
)
result
[
1
]
=
string1
[
1
]
+
string2
[
1
]
if
result
[
1
].
length
>
50
result
.
value
=
string1
.
value
+
string2
.
value
if
result
.
value
.
length
>
50
string1
else
result
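Review bot: the `> 50` cutoff returns `string1` unchanged and drops `string2` whenever the joined literal exceeds 50 characters, so a long concatenated string is silently truncated before any later check sees it; that predates this hunk, but since both affected lines are being rewritten anyway, pull 50 into a named constant and extend the `#Join two string literals into one.` comment to state that the join is abandoned past that length and why. The `result.value = string1.value + string2.value` form is otherwise a clear improvement over the `result[1]` index writes.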