Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
李少辉-开发者
Brakeman
提交
d7217a29
B
Brakeman
项目概览
李少辉-开发者
/
Brakeman
通知
1
Star
0
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
B
Brakeman
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
前往新版Gitcode,体验更适合开发者的 AI 搜索 >>
提交
d7217a29
编写于
1月 06, 2014
作者:
J
Justin
浏览文件
操作
浏览文件
下载
差异文件
Merge pull request #419 from abedra/ssl_bypass_check
Adds a check for OpenSSL::SSL::VERIFY_NONE.
上级
caa2a309
ee8c5971
变更
4
隐藏空白更改
内联
并排
Showing
4 changed file
with
49 addition
and
1 deletion
+49
-1
lib/brakeman/checks/check_ssl_verify.rb
lib/brakeman/checks/check_ssl_verify.rb
+31
-0
lib/brakeman/warning_codes.rb
lib/brakeman/warning_codes.rb
+1
-0
test/apps/rails4/app/controllers/application_controller.rb
test/apps/rails4/app/controllers/application_controller.rb
+5
-0
test/tests/rails4.rb
test/tests/rails4.rb
+12
-1
未找到文件。
lib/brakeman/checks/check_ssl_verify.rb
0 → 100644
浏览文件 @
d7217a29
require
'brakeman/checks/base_check'
# Checks if verify_mode= is called with OpenSSL::SSL::VERIFY_NONE
class
Brakeman::CheckSSLVerify
<
Brakeman
::
BaseCheck
Brakeman
::
Checks
.
add
self
SSL_VERIFY_NONE
=
s
(
:colon2
,
s
(
:colon2
,
s
(
:const
,
:OpenSSL
),
:SSL
),
:VERIFY_NONE
)
@description
=
"Checks for OpenSSL::SSL::VERIFY_NONE"
def
run_check
check_open_ssl_verify_none
end
def
check_open_ssl_verify_none
tracker
.
find_call
(
:method
=>
:verify_mode
=
).
each
{
|
call
|
process_result
(
call
)}
end
def
process_result
(
result
)
return
if
duplicate?
(
result
)
if
result
[
:call
].
last_arg
==
SSL_VERIFY_NONE
add_result
result
warn
:result
=>
result
,
:warning_type
=>
"SSL Verification Bypass"
,
:warning_code
=>
:ssl_verification_bypass
,
:message
=>
"SSL certificate verification was bypassed"
,
:confidence
=>
CONFIDENCE
[
:high
]
end
end
end
lib/brakeman/warning_codes.rb
浏览文件 @
d7217a29
...
...
@@ -71,6 +71,7 @@ module Brakeman::WarningCodes
:CVE_2013_6416_call
=>
68
,
:CVE_2013_6417
=>
69
,
:mass_assign_permit!
=>
70
,
:ssl_verification_bypass
=>
71
}
def
self
.
code
name
...
...
test/apps/rails4/app/controllers/application_controller.rb
浏览文件 @
d7217a29
...
...
@@ -18,4 +18,9 @@ class ApplicationController < ActionController::Base
redirect_to
@model
end
end
def
bypass_ssl_check
# Should warn on self.verify_mode = OpenSSL::SSL::VERIFY_NONE
self
.
verify_mode
=
OpenSSL
::
SSL
::
VERIFY_NONE
end
end
test/tests/rails4.rb
浏览文件 @
d7217a29
...
...
@@ -15,7 +15,7 @@ class Rails4Tests < Test::Unit::TestCase
:controller
=>
0
,
:model
=>
1
,
:template
=>
1
,
:generic
=>
1
2
:generic
=>
1
3
}
end
...
...
@@ -258,4 +258,15 @@ class Rails4Tests < Test::Unit::TestCase
:message
=>
"Potentially dangerous attribute available for mass assignment: :admin"
,
:relative_path
=>
"app/models/account.rb"
end
def
test_ssl_verification_bypass
assert_warning
:type
=>
:warning
,
:warning_code
=>
71
,
:warning_type
=>
"SSL Verification Bypass"
,
:line
=>
24
,
:message
=>
/^SSL\ certificate\ verification\ was\ bypassed/
,
:confidence
=>
0
,
:relative_path
=>
"app/controllers/application_controller.rb"
,
:user_input
=>
nil
end
end
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录