Commit a71b47de, authored April 30, 2013 by Justin Collins
Merge branch 'master' of github.com:presidentbeef/brakeman
Parents: 26ea28f6, c76a2f15
Showing 3 changed files with 90 additions and 18 deletions (+90 -18)
lib/brakeman/app_tree.rb: +22 -11
lib/brakeman/options.rb: +12 -7
test/tests/test_only_files_option.rb: +56 -0
lib/brakeman/app_tree.rb
@@ -8,17 +8,20 @@ module Brakeman
root
=
options
[
:app_path
]
# Convert files into Regexp for matching
init_options
=
{}
if
options
[
:skip_files
]
list
=
"(?:"
<<
options
[
:skip_files
].
map
{
|
f
|
Regexp
.
escape
f
}.
join
(
"|"
)
<<
")$"
new
(
root
,
Regexp
.
new
(
list
))
else
new
(
root
)
init_options
[
:skip_files
]
=
Regexp
.
new
(
"(?:"
<<
options
[
:skip_files
].
map
{
|
f
|
Regexp
.
escape
f
}.
join
(
"|"
)
<<
")$"
)
end
if
options
[
:only_files
]
init_options
[
:only_files
]
=
Regexp
.
new
(
"(?:"
<<
options
[
:only_files
].
map
{
|
f
|
Regexp
.
escape
f
}.
join
(
"|"
)
<<
")"
)
end
new
(
root
,
init_options
)
end
def
initialize
(
root
,
skip_files
=
nil
)
def
initialize
(
root
,
init_options
=
{}
)
@root
=
root
@skip_files
=
skip_files
@skip_files
=
init_options
[
:skip_files
]
@only_files
=
init_options
[
:only_files
]
end
def
expand_path
(
path
)
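Review bot: the two regexps built in this hunk are anchored inconsistently, and neither is anchored at the start. `:skip_files` gets `(?:...)$` while `:only_files` gets `(?:...)` with no `$` (deliberately, so a directory such as `app/views/users/` can be listed), but both are later matched against the full path returned by `Dir.glob` on `@root + ...`, so an entry like `users/` also selects any path that merely contains that substring, including one whose `@root` directory happens to contain it. Consider matching against the path relative to `@root` and anchoring with `\A`, e.g. `Regexp.new("\\A(?:" << files.map { |f| Regexp.escape f }.join("|") << ")")`, or at least state in the option help that entries are substring matches. The `"(?:" << ... .join("|") << ")"` expression is now written out twice; a small helper taking the file list and the trailing anchor would remove the duplication.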
@@ -76,14 +79,22 @@ module Brakeman
def
find_paths
(
directory
,
extensions
=
"*.rb"
)
pattern
=
@root
+
"/
#{
directory
}
/**/
#{
extensions
}
"
Dir
.
glob
(
pattern
).
sort
.
tap
do
|
paths
|
reject_skipped_files
(
paths
)
end
select_files
(
Dir
.
glob
(
pattern
).
sort
)
end
def
select_files
(
paths
)
paths
=
select_only_files
(
paths
)
reject_skipped_files
(
paths
)
end
def
select_only_files
(
paths
)
return
paths
unless
@only_files
paths
.
select
{
|
f
|
@only_files
.
match
f
}
end
def
reject_skipped_files
(
paths
)
return
unless
@skip_files
paths
.
reject
!
{
|
f
|
@skip_files
.
match
f
}
return
paths
unless
@skip_files
paths
.
reject
{
|
f
|
@skip_files
.
match
f
}
end
end
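Review bot: `select_only_files` runs inside every `find_paths` call, so `--only-files` filters controllers, models, libs and initializers as well as the views it is meant to target; scanning `app/views/users/` alone loads no controller or model at all, which the new test confirms with `:controller => 0, :model => 0`. Checks that depend on cross-file context (model attributes, controller filters) will therefore miss findings in an `--only-files` run, and that limitation should be spelled out in the option help or changelog. The order in `select_files` (only, then skip) is the right one: a path matching both lists is dropped, which is what the test relies on. Changing `reject_skipped_files` to `reject` with `return paths` is also the right fix, since the old `return unless @skip_files` only worked because `tap` ignored the block's return value; the rename from `reject!` should be called out in the commit message because the method no longer mutates its argument.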
lib/brakeman/options.rb
@@ -91,13 +91,18 @@ module Brakeman::Options
opts
.
on
"--url-safe-methods method1,method2,etc"
,
Array
,
"Do not warn of XSS if the link_to href parameter is wrapped in a safe method"
do
|
methods
|
options
[
:url_safe_methods
]
||=
Set
.
new
options
[
:url_safe_methods
].
merge
methods
.
map
{
|
e
|
e
.
to_sym
}
end
end
opts
.
on
"--skip-files file1,file2,etc"
,
Array
,
"Skip processing of these files"
do
|
files
|
options
[
:skip_files
]
||=
Set
.
new
options
[
:skip_files
].
merge
files
end
opts
.
on
"--only-files file1,file2,etc"
,
Array
,
"Process only these files"
do
|
files
|
options
[
:only_files
]
||=
Set
.
new
options
[
:only_files
].
merge
files
end
opts
.
on
"--skip-libs"
,
"Skip processing lib directory"
do
options
[
:skip_libs
]
=
true
end
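Review bot: the help text "Process only these files" for the new `--only-files` option undersells how it behaves: entries are matched as unanchored regex fragments anywhere in the path (so directories like `app/views/users/` work, and so do partial names), and `--skip-files` still applies on top of it. Suggest wording along the lines of "Process only these files or directories (--skip-files still applies)", mirroring the phrasing of the `--skip-files` option directly above.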
@@ -128,11 +133,11 @@ module Brakeman::Options
opts
.
separator
"Output options:"
opts
.
on
"-d"
,
"--debug"
,
"Lots of output"
do
options
[
:debug
]
=
true
options
[
:debug
]
=
true
end
opts
.
on
"-f"
,
"--format TYPE"
,
opts
.
on
"-f"
,
"--format TYPE"
,
[
:pdf
,
:text
,
:html
,
:csv
,
:tabs
,
:json
],
"Specify output formats. Default is text"
do
|
type
|
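Review bot: as rendered, the removed and re-added lines in this hunk (`options[:debug] = true` and `opts.on "-f", "--format TYPE",`) are textually identical, so this looks like a whitespace or indentation-only change; the same applies to the `opts.on "-w", "--confidence-level LEVEL"` hunk below. Whitespace churn inside a feature merge makes `git blame` noisier than it needs to be and is easier to review as its own commit.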
@@ -177,9 +182,9 @@ module Brakeman::Options
options
[
:relative_paths
]
=
true
end
opts
.
on
"-w"
,
"--confidence-level LEVEL"
,
[
"1"
,
"2"
,
"3"
],
opts
.
on
"-w"
,
"--confidence-level LEVEL"
,
[
"1"
,
"2"
,
"3"
],
"Set minimal confidence level (1 - 3)"
do
|
level
|
options
[
:min_confidence
]
=
3
-
level
.
to_i
test/tests/test_only_files_option.rb
0 → 100644
abort
"Please run using test/test.rb"
unless
defined?
BrakemanTester
Rails32OnlyFiles
=
BrakemanTester
.
run_scan
"rails3.2"
,
"Rails 3.2"
,
{
:only_files
=>
[
"app/views/users/"
],
:skip_files
=>
[
"app/views/users/sanitized.html.erb"
]
}
class
OnlyFilesOptionTests
<
Test
::
Unit
::
TestCase
include
BrakemanTester
::
FindWarning
include
BrakemanTester
::
CheckExpected
def
expected
@expected
||=
{
:controller
=>
0
,
:model
=>
0
,
:template
=>
1
,
:warning
=>
4
}
if
RUBY_PLATFORM
==
'java'
@expected
[
:warning
]
+=
1
end
@expected
end
def
report
Rails32OnlyFiles
end
def
test_escaped_params_to_json
assert_no_warning
:type
=>
:template
,
:warning_type
=>
"Cross Site Scripting"
,
:line
=>
21
,
:message
=>
/^Unescaped\ parameter\ value/
,
:confidence
=>
0
,
:file
=>
/show\.html\.erb/
end
def
test_cross_site_scripting_slim_partial_param
assert_warning
:type
=>
:template
,
:warning_type
=>
"Cross Site Scripting"
,
:line
=>
6
,
:message
=>
/^Unescaped\ parameter\ value/
,
:confidence
=>
0
,
:file
=>
/_slimmer\.html\.slim/
end
# This is the template that is skipped, should be no warning
def
test_xss_sanitize_css_CVE_2013_1855
assert_no_warning
:type
=>
:template
,
:warning_type
=>
"Cross Site Scripting"
,
:line
=>
2
,
:message
=>
/^Rails\ 3\.2\.9\.rc2\ has\ a\ vulnerability\ in\ s/
,
:confidence
=>
0
,
:file
=>
/sanitized\.html\.erb/
end
end
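Review bot: the expected counts in this new test (`:warning => 4`, plus one more when `RUBY_PLATFORM == 'java'`) are unexplained magic numbers; a comment listing which four warnings remain after restricting the scan to `app/views/users/`, and which one is JRuby-only, would make a failure here diagnosable. The `:file => /show\.html\.erb/` and `/_slimmer\.html\.slim/` matchers are not scoped to the `users` directory, so they would also match a same-named template elsewhere; `/users\/show\.html\.erb/` would pin the assertion to the file the option is supposed to select. Finally, the only `:only_files` entry exercised is a directory; a case with a single file entry, and a negative assertion that a template outside `app/views/users/` yields no warning, would cover the other half of the feature.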