Commit fc626c77
Authored on Apr 29, 2013
Author: Justin Collins
Merge branch 'master' into better_file_name_handling_for_warnings
Conflicts: test/tests/test_rails3.rb
Parents: 51890407, 0064a27a
Showing 14 changed files with 119 additions and 19 deletions (+119 -19):

README.md (+5 -2)
lib/brakeman.rb (+4 -14)
lib/brakeman/checks/base_check.rb (+1 -1)
lib/brakeman/checks/check_cross_site_scripting.rb (+7 -0)
lib/brakeman/checks/check_model_attributes.rb (+1 -0)
lib/brakeman/processors/controller_processor.rb (+6 -0)
test/apps/rails2/app/views/home/_models.html.erb (+1 -0)
test/apps/rails2/app/views/home/test_model.html.erb (+3 -1)
test/apps/rails3.2/app/views/users/show.html.erb (+4 -0)
test/apps/rails3/app/controllers/nested_controller.rb (+9 -0)
test/apps/rails3/app/views/whatever/wherever/nested/so_nested.html.erb (+1 -0)
test/tests/test_rails2.rb (+57 -0)
test/tests/test_rails3.rb (+11 -1)
test/tests/test_rails32.rb (+9 -0)
README.md
![
Brakeman Logo
](
http://brakemanscanner.org/images/logo_medium.png
)
[
![Travis CI Status
](
https://secure.travis-ci.org/presidentbeef/brakeman.png
)
](https://travis-ci.org/presidentbeef/brakeman)
[
![Code Climate
](
https://codeclimate.com/badge.png
)
](https://codeclimate.com/github/presidentbeef/brakeman)
[
![Travis CI
Status
](
https://secure.travis-ci.org/presidentbeef/brakeman.png
)
](https://travis-ci.org/presidentbeef/brakeman)
[
![Code
Climate
](
https://codeclimate.com/github/presidentbeef/brakeman.png
)
](https://codeclimate.com/github/presidentbeef/brakeman)
# Brakeman
Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
It targets Rails versions 2.x and 3.x.
There is also a
[
plugin available
](
http://brakemanscanner.org/docs/jenkins/
)
for Jenkins/Hudson.
For even more continuous testing, try the
[
Guard plugin
](
https://github.com/oreoshake/guard-brakeman
)
.
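Review bot: the only substantive edit in this hunk is the Code Climate badge image moving from the generic `https://codeclimate.com/badge.png` to the repository-specific `https://codeclimate.com/github/presidentbeef/brakeman.png`; the Travis CI badge appears with the same image and link on both sides, so that part of the change looks like whitespace only and is easier to confirm with whitespace changes hidden. While here, the logo is still loaded from `http://brakemanscanner.org/images/logo_medium.png` over plain HTTP; an `https://` URL avoids a mixed-content image when the README is rendered on an HTTPS page, if the site serves it.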
...
...
lib/brakeman.rb
...
...
@@ -77,17 +77,10 @@ module Brakeman
options
end
DEPRECATED_CONFIG_FILES
=
[
File
.
expand_path
(
"./config.yaml"
),
File
.
expand_path
(
"~/.brakeman/config.yaml"
),
File
.
expand_path
(
"/etc/brakeman/config.yaml"
),
"
#{
File
.
expand_path
(
File
.
dirname
(
__FILE__
))
}
/../lib/config.yaml"
]
CONFIG_FILES
=
[
File
.
expand_path
(
"./config/brakeman.yml"
),
File
.
expand_path
(
"~/.brakeman/config.yml"
),
File
.
expand_path
(
"/etc/brakeman/config.yml"
)
,
File
.
expand_path
(
"/etc/brakeman/config.yml"
)
]
#Load options from YAML file
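Review bot: deleting `DEPRECATED_CONFIG_FILES` also deletes the only place that told users their old `./config.yaml`, `~/.brakeman/config.yaml`, `/etc/brakeman/config.yaml` or bundled `lib/config.yaml` was deprecated; after this change such a file is ignored with no message, so settings like ignore lists silently stop applying. A changelog or README line pointing at the `.yml` locations in `CONFIG_FILES` would avoid that surprise. The remaining edit to the last `CONFIG_FILES` entry (`/etc/brakeman/config.yml`) is punctuation only.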
...
...
@@ -103,12 +96,9 @@ module Brakeman
end
end
def
self
.
config_file
(
custom_location
=
nil
)
DEPRECATED_CONFIG_FILES
.
each
do
|
f
|
notify
"
#{
f
}
is deprecated, please use one of
#{
CONFIG_FILES
.
join
(
", "
)
}
"
if
File
.
file?
(
f
)
end
supported_locations
=
[
File
.
expand_path
(
custom_location
||
""
)]
+
DEPRECATED_CONFIG_FILES
+
CONFIG_FILES
supported_locations
.
detect
{
|
f
|
File
.
file?
(
f
)
}
def
self
.
config_file
custom_location
=
nil
supported_locations
=
[
File
.
expand_path
(
custom_location
||
""
)]
+
CONFIG_FILES
supported_locations
.
detect
{
|
f
|
File
.
file?
(
f
)
}
end
#Default set of options
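Review bot: in the new `config_file`, `File.expand_path(custom_location || "")` expands to the current working directory when no custom location is given, so `detect` ends up calling `File.file?` on a directory; harmless, but `[custom_location].compact.map { |f| File.expand_path(f) } + CONFIG_FILES` states the intent. The more important gap is that a custom location which does not exist silently falls through to the default files, so a mistyped config path yields a run with default options and no warning; a `notify` in that case would match the tone of the deprecation notice this hunk removes. Dropping the parentheses from `def self.config_file custom_location = nil` is style only.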
...
...
lib/brakeman/checks/base_check.rb
...
...
@@ -26,7 +26,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
@active_record_models
=
nil
@mass_assign_disabled
=
nil
@has_user_input
=
nil
@safe_input_attributes
=
Set
[
:to_i
,
:to_f
,
:arel_table
]
@safe_input_attributes
=
Set
[
:to_i
,
:to_f
,
:arel_table
,
:id
]
end
#Add result to result list, which is used to check for duplicates
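Review bot: adding `:id` to `@safe_input_attributes` (alongside `:to_i`, `:to_f`, `:arel_table`) treats any `.id` call on tainted input as safe, which assumes primary keys are integers. Models with string primary keys, UUIDs, or a custom `id` method would then be rendered unescaped without a warning, and because the receiver is not resolved (see `test_cross_site_scripting_unresolved_model_id`) this applies to any object, not only ActiveRecord models. A comment stating the integer-id assumption next to the set, or limiting the exemption to receivers known to be models, would make the trade-off explicit.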
...
...
lib/brakeman/checks/check_cross_site_scripting.rb
...
...
@@ -62,10 +62,17 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
initializers
=
tracker
.
check_initializers
:ActiveSupport
,
:escape_html_entities_in_json
=
initializers
.
each
{
|
result
|
json_escape_on
=
true
?(
result
.
call
.
first_arg
)
}
if
tracker
.
config
[
:rails
][:
active_support
]
and
true
?
tracker
.
config
[
:rails
][
:active_support
][:
escape_html_entities_in_json
]
json_escape_on
=
true
end
if
!
json_escape_on
or
version_between?
"0.0.0"
,
"2.0.99"
@known_dangerous
<<
:to_json
Brakeman
.
debug
(
"Automatic to_json escaping not enabled, consider to_json dangerous"
)
else
@safe_input_attributes
<<
:to_json
Brakeman
.
debug
(
"Automatic to_json escaping is enabled."
)
end
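Review bot: the new `tracker.config[:rails][:active_support]` branch only ever sets `json_escape_on = true`, so the effective rule is "true anywhere wins": a `false` from an `ActiveSupport.escape_html_entities_in_json=` initializer is overridden by a `true` in the application config and vice versa, and within the `initializers.each` loop the last initializer wins. Which source should take precedence deserves a comment, and a `false` in the config should arguably reset the flag. Also guard the nested lookup, since `tracker.config[:rails][:active_support]` raises `NoMethodError` if `tracker.config[:rails]` is nil; `tracker.config[:rails] and tracker.config[:rails][:active_support] and ...` (or `fetch` with a default) is safer unless that key is guaranteed. Note that the `version_between? "0.0.0", "2.0.99"` fallback still marks `to_json` dangerous on every Rails 2 app regardless of either setting.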
...
...
lib/brakeman/checks/check_model_attributes.rb
...
...
@@ -57,6 +57,7 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
warn
:model
=>
name
,
:file
=>
model
[
:file
],
:warning_type
=>
"Attribute Restriction"
,
:warning_code
=>
:no_attr_accessible
,
:message
=>
"Mass assignment is not restricted using attr_accessible"
,
:confidence
=>
CONFIDENCE
[
:high
]
elsif
not
tracker
.
options
[
:ignore_attr_protected
]
...
...
lib/brakeman/processors/controller_processor.rb
...
...
@@ -24,6 +24,12 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
def
process_class
exp
name
=
class_name
(
exp
.
class_name
)
if
not
name
.
to_s
.
match
(
/Controller$/
)
#Skip classes that are not controllers, but treat as a module because
#a class that is not a controller might contain a controller
return
process_module
exp
end
if
@controller
Brakeman
.
debug
"[Notice] Skipping inner class:
#{
name
}
"
return
ignore
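Review bot: the early `return process_module exp` for names not matching `/Controller$/` hands a `class` s-expression to `process_module`; a `class` node carries a superclass slot that a `module` node does not, so confirm `process_module` walks the body by position that still works for both shapes, otherwise controllers nested under a plain class (the `Whatever` > `Wherever` > `NestedController` fixture added in this commit) would be indexed wrongly rather than skipped. `name.to_s.end_with?("Controller")` reads clearer than the regex and avoids matching on a `to_s` of a possibly nil name.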
...
...
test/apps/rails2/app/views/home/_models.html.erb
0 → 100644
<%=
model
.
id
%>
test/apps/rails2/app/views/home/test_model.html.erb
...
...
@@ -8,4 +8,6 @@ Bad for 2.x: <%= link_to User.first.name, "some_url" %>
It's just a model
<%=
link_to
"Hipster ipsum"
,
User
.
first
%>
It's just a couple of models
<%=
link_to
"Hipster ipsum"
,
[
Account
.
first
,
User
.
last
]
%>
\ No newline at end of file
It's just a couple of models
<%=
link_to
"Hipster ipsum"
,
[
Account
.
first
,
User
.
last
]
%>
<%=
render
:partial
=>
'models'
,
:collection
=>
all_the_things
,
:as
=>
:model
%>
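Review bot: `all_the_things` in the new `render :partial => 'models', :collection => all_the_things, :as => :model` line is not defined anywhere in the fixture app this diff shows; Brakeman never executes the view so the test is unaffected, but a short comment saying the helper is intentionally undefined (the point is an unresolved collection element reaching `model.id`) saves the next reader a search. The `\ No newline at end of file` marker shows the old last line lacked a trailing newline; the new version adds one, which is fine.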
test/apps/rails3.2/app/views/users/show.html.erb
...
...
@@ -18,3 +18,7 @@
<%=
link_to
'Edit'
,
edit_user_path
(
@user
)
%>
|
<%=
link_to
'Back'
,
users_path
%>
<script>
var
thing
=
<%=
raw
params
.
to_json
%>
;
</script>
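Review bot: `var thing = <%= raw params.to_json %>;` inside `<script>` is safe only while `ActiveSupport.escape_html_entities_in_json` is enabled, because that option encodes `<`, `>` and `&` as `\u003c`-style escapes so a parameter value cannot close the script element; without it this line is the textbook JSON-in-script XSS. The companion `test_escaped_params_to_json` asserts no warning, so the rails3.2 fixture's config must have the option on, and what is really under test is the new config lookup in `check_cross_site_scripting.rb`. A comment on this fixture line naming the setting it depends on would prevent someone "simplifying" the config later and silently breaking the test's premise.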
test/apps/rails3/app/controllers/nested_controller.rb
0 → 100644
class
Whatever
module
Wherever
class
NestedController
<
ApplicationController
def
so_nested
@bad_thing
=
params
[
:x
]
end
end
end
end
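Review bot: this fixture nests `NestedController` as class inside `module Wherever` inside `class Whatever`, so it exercises exactly the class-then-module fallback added to `process_class` in `controller_processor.rb`; a second fixture with the opposite nesting (module outermost, plain class in the middle) would cover the other path through `process_module` with little extra cost.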
test/apps/rails3/app/views/whatever/wherever/nested/so_nested.html.erb
0 → 100644
<%=
raw
@bad_thing
%>
test/tests/test_rails2.rb
...
...
@@ -293,6 +293,7 @@ class Rails2Tests < Test::Unit::TestCase
def
test_attribute_restriction
assert_warning
:type
=>
:model
,
:warning_type
=>
"Attribute Restriction"
,
:warning_code
=>
Brakeman
::
WarningCodes
::
Codes
[
:no_attr_accessible
],
:message
=>
/^Mass assignment is not restricted using /
,
:confidence
=>
0
,
:file
=>
/account, user\.rb/
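Review bot: the new `:file => /account, user\.rb/` matcher expects a file name of `account, user.rb`, which is not a real path; it indicates the collapsed Attribute Restriction warning builds `:file` by comma-joining model names the same way it joins `:model`. If that is intended, consumers of the report (IDE integrations, anything that opens `:file`) will try to open a nonexistent file; a list of files, or `nil` when several models are collapsed, would be more honest than a pseudo-filename, and the uncollapsed run in `Rails2WithOptionsTests` already covers the per-file case.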
...
...
@@ -908,6 +909,16 @@ class Rails2Tests < Test::Unit::TestCase
:file
=>
/test_to_i\.html\.erb/
end
def
test_cross_site_scripting_unresolved_model_id
assert_no_warning
:type
=>
:template
,
:warning_code
=>
2
,
:warning_type
=>
"Cross Site Scripting"
,
:line
=>
1
,
:message
=>
/^Unescaped\ model\ attribute/
,
:confidence
=>
0
,
:file
=>
/_models\.html\.erb/
end
def
test_dangerous_send_try
assert_warning
:type
=>
:warning
,
:warning_type
=>
"Dangerous Send"
,
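Review bot: `test_cross_site_scripting_unresolved_model_id` is an `assert_no_warning` with six matchers (`:type`, `:warning_code`, `:warning_type`, `:line`, `:message`, `:confidence`, `:file`); a negative assertion that specific passes vacuously as soon as any one field changes, for example if the message wording is edited, and would then no longer prove that `<%= model.id %>` is treated as safe. Matching only on `:type => :template` and `:file => /_models\.html\.erb/` gives the test teeth.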
...
...
@@ -992,3 +1003,49 @@ class Rails2Tests < Test::Unit::TestCase
end
end
Rails2WithOptions
=
BrakemanTester
.
run_scan
"rails2"
,
"Rails 2"
,
:collapse_mass_assignment
=>
false
class
Rails2WithOptionsTests
<
Test
::
Unit
::
TestCase
include
BrakemanTester
::
FindWarning
include
BrakemanTester
::
CheckExpected
def
expected
if
Brakeman
::
Scanner
::
RUBY_1_9
@expected
||=
{
:controller
=>
1
,
:model
=>
4
,
:template
=>
43
,
:warning
=>
45
}
else
@expected
||=
{
:controller
=>
1
,
:model
=>
4
,
:template
=>
43
,
:warning
=>
46
}
end
end
def
report
Rails2WithOptions
end
def
test_no_errors
assert_equal
0
,
report
[
:errors
].
length
end
def
test_attribute_restriction
assert_warning
:type
=>
:model
,
:warning_type
=>
"Attribute Restriction"
,
:warning_code
=>
Brakeman
::
WarningCodes
::
Codes
[
:no_attr_accessible
],
:message
=>
/^Mass assignment is not restricted using /
,
:confidence
=>
0
,
:file
=>
/account\.rb/
assert_warning
:type
=>
:model
,
:warning_type
=>
"Attribute Restriction"
,
:warning_code
=>
Brakeman
::
WarningCodes
::
Codes
[
:no_attr_accessible
],
:message
=>
/^Mass assignment is not restricted using /
,
:confidence
=>
0
,
:file
=>
/user\.rb/
end
end
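Review bot: `expected` in `Rails2WithOptionsTests` duplicates the whole hash in both branches when only `:warning` differs (45 under `RUBY_1_9`, 46 otherwise); `:warning => Brakeman::Scanner::RUBY_1_9 ? 45 : 46` inside a single hash removes the duplication and the risk of the two copies drifting apart. Since this class re-runs the scan with `:collapse_mass_assignment => false`, the separate `/account\.rb/` and `/user\.rb/` file matchers are correctly placed here; asserting that `:model` differs from the collapsed run would additionally prove the option is taking effect.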
test/tests/test_rails3.rb
...
...
@@ -14,7 +14,7 @@ class Rails3Tests < Test::Unit::TestCase
@expected
||=
{
:controller
=>
1
,
:model
=>
8
,
:template
=>
3
6
,
:template
=>
3
7
,
:warning
=>
54
}
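Review bot: the `:template` count moves from 36 to 37 to account for the new `so_nested.html.erb` warning; this is in `test/tests/test_rails3.rb`, the file the commit message lists as having had merge conflicts, so it is worth confirming the resolved value came from a fresh run rather than from adding both sides of the conflict.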
...
...
@@ -834,6 +834,16 @@ class Rails3Tests < Test::Unit::TestCase
:file
=>
/test_params\.html\.erb/
end
def
test_cross_site_scripting_in_nested_controller
assert_warning
:type
=>
:template
,
:warning_code
=>
2
,
:warning_type
=>
"Cross Site Scripting"
,
:line
=>
1
,
:message
=>
/^Unescaped\ parameter\ value/
,
:confidence
=>
0
,
:file
=>
/so_nested\.html\.erb/
end
def
test_cross_site_scripting_select_tag_CVE_2012_3463
assert_warning
:type
=>
:template
,
:warning_type
=>
"Cross Site Scripting"
,
...
...
test/tests/test_rails32.rb
...
...
@@ -151,6 +151,15 @@ class Rails32Tests < Test::Unit::TestCase
:file
=>
/show\.html\.erb/
end
def
test_escaped_params_to_json
assert_no_warning
:type
=>
:template
,
:warning_type
=>
"Cross Site Scripting"
,
:line
=>
21
,
:message
=>
/^Unescaped\ parameter\ value/
,
:confidence
=>
0
,
:file
=>
/show\.html\.erb/
end
def
test_cross_site_scripting_in_slim_param
assert_warning
:type
=>
:template
,
:warning_type
=>
"Cross Site Scripting"
,
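Review bot: `test_escaped_params_to_json` is a negative test only; nothing in this suite shows that `raw params.to_json` at line 21 of `show.html.erb` does warn when `escape_html_entities_in_json` is off, so a regression that stops the check from ever flagging `to_json` would still pass. Pinning `:line => 21` also means any later edit above that line in the fixture turns the `assert_no_warning` vacuous; matching on `:file` and `:message` alone, plus a positive counterpart against a fixture with the option disabled, would pin the behaviour from both sides.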
...
...