Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
社会瑞弟呀
brakeman
提交
f15024d7
B
brakeman
项目概览
社会瑞弟呀
/
brakeman
通知
1
Star
0
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
DevOps
流水线
流水线任务
计划
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
B
brakeman
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
DevOps
DevOps
流水线
流水线任务
计划
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
流水线任务
提交
Issue看板
体验新版 GitCode,发现更多精彩内容 >>
提交
f15024d7
编写于
11月 30, 2011
作者:
J
Justin Collins
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
Add more debug messages to checks
上级
38c663d1
变更
16
隐藏空白更改
内联
并排
Showing
16 changed file
with
44 addition
and
1 deletion
+44
-1
lib/brakeman/checks/base_check.rb
lib/brakeman/checks/base_check.rb
+5
-0
lib/brakeman/checks/check_cross_site_scripting.rb
lib/brakeman/checks/check_cross_site_scripting.rb
+4
-1
lib/brakeman/checks/check_default_routes.rb
lib/brakeman/checks/check_default_routes.rb
+2
-0
lib/brakeman/checks/check_evaluation.rb
lib/brakeman/checks/check_evaluation.rb
+2
-0
lib/brakeman/checks/check_execute.rb
lib/brakeman/checks/check_execute.rb
+3
-0
lib/brakeman/checks/check_file_access.rb
lib/brakeman/checks/check_file_access.rb
+4
-0
lib/brakeman/checks/check_mail_to.rb
lib/brakeman/checks/check_mail_to.rb
+2
-0
lib/brakeman/checks/check_mass_assignment.rb
lib/brakeman/checks/check_mass_assignment.rb
+2
-0
lib/brakeman/checks/check_quote_table_name.rb
lib/brakeman/checks/check_quote_table_name.rb
+2
-0
lib/brakeman/checks/check_redirect.rb
lib/brakeman/checks/check_redirect.rb
+3
-0
lib/brakeman/checks/check_render.rb
lib/brakeman/checks/check_render.rb
+2
-0
lib/brakeman/checks/check_send_file.rb
lib/brakeman/checks/check_send_file.rb
+2
-0
lib/brakeman/checks/check_sql.rb
lib/brakeman/checks/check_sql.rb
+5
-0
lib/brakeman/checks/check_strip_tags.rb
lib/brakeman/checks/check_strip_tags.rb
+2
-0
lib/brakeman/checks/check_translate_bug.rb
lib/brakeman/checks/check_translate_bug.rb
+2
-0
lib/brakeman/checks/check_without_protection.rb
lib/brakeman/checks/check_without_protection.rb
+2
-0
未找到文件。
lib/brakeman/checks/base_check.rb
浏览文件 @
f15024d7
...
...
@@ -19,6 +19,7 @@ class Brakeman::BaseCheck < SexpProcessor
@tracker
=
tracker
@string_interp
=
false
@current_set
=
nil
@debug_mode
=
tracker
.
options
[
:debug
]
@current_template
=
@current_module
=
@current_class
=
@current_method
=
nil
self
.
strict
=
false
self
.
auto_shift_type
=
false
...
...
@@ -376,4 +377,8 @@ class Brakeman::BaseCheck < SexpProcessor
"config/environment.rb"
end
end
def
debug_info
msg
Kernel
.
warn
msg
if
@debug_mode
end
end
lib/brakeman/checks/check_cross_site_scripting.rb
浏览文件 @
f15024d7
...
...
@@ -62,9 +62,12 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
tracker
.
each_template
do
|
name
,
template
|
@current_template
=
template
template
[
:outputs
].
each
do
|
out
|
debug_info
"Checking
#{
name
}
for direct XSS"
unless
check_for_immediate_xss
out
debug_info
"Checking
#{
name
}
for indirect XSS"
@matched
=
false
@mark
=
false
process
out
...
...
lib/brakeman/checks/check_default_routes.rb
浏览文件 @
f15024d7
...
...
@@ -15,6 +15,8 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
:confidence
=>
CONFIDENCE
[
:high
],
:file
=>
"
#{
tracker
.
options
[
:app_path
]
}
/config/routes.rb"
else
#Report each controller separately
debug_info
"Checking each controller for default routes"
tracker
.
routes
.
each
do
|
name
,
actions
|
if
actions
.
is_a?
Array
and
actions
[
0
]
==
:allow_all_actions
warn
:controller
=>
name
,
...
...
lib/brakeman/checks/check_evaluation.rb
浏览文件 @
f15024d7
...
...
@@ -7,8 +7,10 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
#Process calls
def
run_check
debug_info
"Finding eval-like calls"
calls
=
tracker
.
find_call
nil
,
[
:eval
,
:instance_eval
,
:class_eval
,
:module_eval
]
debug_info
"Processing eval-like calls"
calls
.
each
do
|
call
|
process_result
call
end
...
...
lib/brakeman/checks/check_execute.rb
浏览文件 @
f15024d7
...
...
@@ -14,10 +14,13 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
#Check models, controllers, and views for command injection.
def
run_check
debug_info
"Finding system calls using ``"
check_for_backticks
tracker
debug_info
"Finding other system calls"
calls
=
tracker
.
find_call
[
:IO
,
:Open3
,
:Kernel
,
[]],
[
:exec
,
:popen
,
:popen3
,
:syscall
,
:system
]
debug_info
"Processing system calls"
calls
.
each
do
|
result
|
process
result
end
...
...
lib/brakeman/checks/check_file_access.rb
浏览文件 @
f15024d7
...
...
@@ -6,12 +6,16 @@ class Brakeman::CheckFileAccess < Brakeman::BaseCheck
Brakeman
::
Checks
.
add
self
def
run_check
debug_info
"Finding possible file access"
methods
=
tracker
.
find_call
[
:Dir
,
:File
,
:IO
,
:Kernel
,
:"Net::FTP"
,
:"Net::HTTP"
,
:PStore
,
:Pathname
,
:Shell
,
:YAML
],
[
:[]
,
:chdir
,
:chroot
,
:delete
,
:entries
,
:foreach
,
:glob
,
:install
,
:lchmod
,
:lchown
,
:link
,
:load
,
:load_file
,
:makedirs
,
:move
,
:new
,
:open
,
:read
,
:read_lines
,
:rename
,
:rmdir
,
:safe_unlink
,
:symlink
,
:syscopy
,
:sysopen
,
:truncate
,
:unlink
]
debug_info
"Finding calls to load()"
methods
.
concat
tracker
.
find_call
[],
[
:load
]
debug_info
"Finding calls using FileUtils"
methods
.
concat
tracker
.
find_call
(
:FileUtils
,
nil
)
debug_info
"Processing found calls"
methods
.
each
do
|
call
|
process_result
call
end
...
...
lib/brakeman/checks/check_mail_to.rb
浏览文件 @
f15024d7
...
...
@@ -29,6 +29,8 @@ class Brakeman::CheckMailTo < Brakeman::BaseCheck
#Check for javascript encoding of mail_to address
# mail_to email, name, :encode => :javascript
def
mail_to_javascript?
debug_info
"Checking calls to mail_to for javascript encoding"
tracker
.
find_call
([],
:mail_to
).
each
do
|
result
|
call
=
result
[
-
1
]
args
=
call
[
-
1
]
...
...
lib/brakeman/checks/check_mass_assignment.rb
浏览文件 @
f15024d7
...
...
@@ -20,6 +20,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
@results
=
Set
.
new
debug_info
"Finding possible mass assignment calls on
#{
models
.
length
}
models"
calls
=
tracker
.
find_call
models
,
[
:new
,
:attributes
=
,
:update_attribute
,
...
...
@@ -28,6 +29,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
:create
,
:create!
]
debug_info
"Processing possible mass assignment calls"
calls
.
each
do
|
result
|
process
result
end
...
...
lib/brakeman/checks/check_quote_table_name.rb
浏览文件 @
f15024d7
...
...
@@ -30,6 +30,8 @@ class Brakeman::CheckQuoteTableName < Brakeman::BaseCheck
end
def
uses_quote_table_name?
debug_info
"Finding calls to quote_table_name()"
not
tracker
.
find_call
([],
:quote_table_name
).
empty?
end
end
lib/brakeman/checks/check_redirect.rb
浏览文件 @
f15024d7
...
...
@@ -10,6 +10,8 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
Brakeman
::
Checks
.
add
self
def
run_check
debug_info
"Finding calls to redirect_to()"
@tracker
.
find_call
(
nil
,
:redirect_to
).
each
do
|
c
|
process
c
end
...
...
@@ -43,6 +45,7 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
#which can be used to enable/disable reporting output of method calls which use
#user input as arguments.
def
include_user_input?
call
debug_info
"Checking if call includes user input"
if
tracker
.
options
[
:ignore_redirect_to_model
]
and
call?
call
[
3
][
1
]
and
call
[
3
][
1
][
2
]
==
:new
and
call
[
3
][
1
][
1
]
...
...
lib/brakeman/checks/check_render.rb
浏览文件 @
f15024d7
...
...
@@ -5,12 +5,14 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
Brakeman
::
Checks
.
add
self
def
run_check
debug_info
"Checking all method bodies for calls to render()"
tracker
.
each_method
do
|
src
,
class_name
,
method_name
|
@current_class
=
class_name
@current_method
=
method_name
process
src
end
debug_info
"Checking all templates for calls to render()"
tracker
.
each_template
do
|
name
,
template
|
@current_template
=
template
process
template
[
:src
]
...
...
lib/brakeman/checks/check_send_file.rb
浏览文件 @
f15024d7
...
...
@@ -6,6 +6,8 @@ class Brakeman::CheckSendFile < Brakeman::CheckFileAccess
Brakeman
::
Checks
.
add
self
def
run_check
debug_info
"Finding all calls to send_file()"
methods
=
tracker
.
find_call
nil
,
:send_file
methods
.
each
do
|
call
|
...
...
lib/brakeman/checks/check_sql.rb
浏览文件 @
f15024d7
...
...
@@ -14,12 +14,17 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
def
run_check
@rails_version
=
tracker
.
config
[
:rails_version
]
debug_info
"Finding possible SQL calls on models"
calls
=
tracker
.
find_model_find
tracker
.
models
.
keys
debug_info
"Finding possible SQL calls with no target"
calls
.
concat
tracker
.
find_call
([],
/^(find.*|last|first|all|count|sum|average|minumum|maximum|count_by_sql)$/
)
debug_info
"Finding possible SQL calls using constantized()"
calls
.
concat
tracker
.
find_model_find
(
nil
).
select
{
|
result
|
constantize_call?
result
}
debug_info
"Processing possible SQL calls"
calls
.
each
do
|
c
|
process
c
end
...
...
lib/brakeman/checks/check_strip_tags.rb
浏览文件 @
f15024d7
...
...
@@ -24,6 +24,8 @@ class Brakeman::CheckStripTags < Brakeman::BaseCheck
end
def
uses_strip_tags?
debug_info
"Finding calls to strip_tags()"
not
tracker
.
find_call
([],
:strip_tags
).
empty?
end
end
lib/brakeman/checks/check_translate_bug.rb
浏览文件 @
f15024d7
...
...
@@ -35,6 +35,8 @@ class Brakeman::CheckTranslateBug < Brakeman::BaseCheck
end
def
uses_translate?
debug_info
"Finding calls to translate() or t()"
not
tracker
.
find_call
([],
[
:t
,
:translate
]).
empty?
end
end
lib/brakeman/checks/check_without_protection.rb
浏览文件 @
f15024d7
...
...
@@ -23,6 +23,7 @@ class Brakeman::CheckWithoutProtection < Brakeman::BaseCheck
@results
=
Set
.
new
debug_info
"Finding all mass assignments"
calls
=
tracker
.
find_call
models
,
[
:new
,
:attributes
=
,
:update_attribute
,
...
...
@@ -31,6 +32,7 @@ class Brakeman::CheckWithoutProtection < Brakeman::BaseCheck
:create
,
:create!
]
debug_info
"Processing all mass assignments"
calls
.
each
do
|
result
|
process
result
end
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录