提交 edaa05d0 编写于 作者: N Neil Matatall

Shaves 3 seconds off a large project, cleans up some code, review for side effects

上级 f9d610a7
...@@ -71,6 +71,8 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck ...@@ -71,6 +71,8 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
end end
def check_for_immediate_xss exp def check_for_immediate_xss exp
return if duplicate? exp
if exp[0] == :output if exp[0] == :output
out = exp[1] out = exp[1]
elsif exp[0] == :escaped_output and raw_call? exp elsif exp[0] == :escaped_output and raw_call? exp
...@@ -79,7 +81,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck ...@@ -79,7 +81,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
type, match = has_immediate_user_input? out type, match = has_immediate_user_input? out
if type and not duplicate? exp if type
add_result exp add_result exp
case type case type
when :params when :params
...@@ -102,7 +104,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck ...@@ -102,7 +104,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(out) elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(out)
method = match[2] method = match[2]
unless duplicate? out or IGNORE_MODEL_METHODS.include? method unless IGNORE_MODEL_METHODS.include? method
add_result out add_result out
if MODEL_METHODS.include? method or method.to_s =~ /^find_by/ if MODEL_METHODS.include? method or method.to_s =~ /^find_by/
......
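Review bot: The model-output branch in the third hunk loses its de-duplication: the guard that was removed there tested `duplicate? out`, but the early return added at the top of check_for_immediate_xss tests `duplicate? exp`, while that branch still records `add_result out`. If `duplicate?` and `add_result` key on the expression passed to them (which is what the removed `duplicate? out` / `add_result out` pairing suggests), `exp` is never recorded by this branch, so a second visit of the same output expression is no longer caught and re-warns; the params branch is unaffected because it already calls `add_result exp`. Either record the same key the new guard tests, replacing `add_result out` with `add_result exp` in that branch, or leave a `duplicate? out` check there alongside the early return. check_for_immediate_xss starts in the first hunk and its body continues past the last hunk shown.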
...@@ -34,6 +34,8 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting ...@@ -34,6 +34,8 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
end end
def process_result result def process_result result
return if duplicate? result
#Have to make a copy of this, otherwise it will be changed to #Have to make a copy of this, otherwise it will be changed to
#an ignored method call by the code above. #an ignored method call by the code above.
call = result[:call] = result[:call].dup call = result[:call] = result[:call].dup
...@@ -58,19 +60,15 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting ...@@ -58,19 +60,15 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
message = "Unescaped user input value in link_to" message = "Unescaped user input value in link_to"
end end
unless duplicate? result add_result result
add_result result warn :result => result,
:warning_type => "Cross Site Scripting",
warn :result => result, :message => message,
:warning_type => "Cross Site Scripting", :confidence => CONFIDENCE[:high]
:message => message,
:confidence => CONFIDENCE[:high]
end
elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(first_arg) elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(first_arg)
method = match[2] method = match[2]
unless duplicate? result or IGNORE_MODEL_METHODS.include? method unless IGNORE_MODEL_METHODS.include? method
add_result result add_result result
if MODEL_METHODS.include? method or method.to_s =~ /^find_by/ if MODEL_METHODS.include? method or method.to_s =~ /^find_by/
...@@ -92,7 +90,7 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting ...@@ -92,7 +90,7 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
message = "Unescaped parameter value in link_to" message = "Unescaped parameter value in link_to"
end end
if message and not duplicate? result if message
add_result result add_result result
warn :result => result, warn :result => result,
......
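Review bot: The new `return if duplicate? result` at the top of process_result carries no comment, while the lines directly below it explain why the `dup` is needed, so a reader could reasonably move the guard back under the copy and lose the work saved on duplicates. Suggest `# Already reported from an earlier pass over this template/controller; bail before the dup and processing below.` above it. The rewrite is sound only because every branch in the hunks records the same object the guard tests (`add_result result` at each site); that invariant is worth recording in the comment so a future branch that records a sub-expression instead does not silently lose its de-duplication. process_result's body continues past the last hunk shown.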