brakeman
Commit fe7512f8
Authored on Feb 02, 2012 by Justin Collins
Add check descriptions for -k output
Parent: 4ce16d1f
Showing 27 changed files with 57 additions and 1 deletion (+57 -1)
Changed files:
lib/brakeman.rb (+3 -1)
lib/brakeman/checks/base_check.rb (+4 -0)
lib/brakeman/checks/check_basic_auth.rb (+2 -0)
lib/brakeman/checks/check_cross_site_scripting.rb (+2 -0)
lib/brakeman/checks/check_default_routes.rb (+2 -0)
lib/brakeman/checks/check_escape_function.rb (+2 -0)
lib/brakeman/checks/check_evaluation.rb (+2 -0)
lib/brakeman/checks/check_execute.rb (+2 -0)
lib/brakeman/checks/check_file_access.rb (+2 -0)
lib/brakeman/checks/check_filter_skipping.rb (+2 -0)
lib/brakeman/checks/check_forgery_setting.rb (+2 -0)
lib/brakeman/checks/check_link_to.rb (+2 -0)
lib/brakeman/checks/check_mail_to.rb (+2 -0)
lib/brakeman/checks/check_mass_assignment.rb (+2 -0)
lib/brakeman/checks/check_model_attributes.rb (+2 -0)
lib/brakeman/checks/check_nested_attributes.rb (+2 -0)
lib/brakeman/checks/check_quote_table_name.rb (+2 -0)
lib/brakeman/checks/check_redirect.rb (+2 -0)
lib/brakeman/checks/check_render.rb (+2 -0)
lib/brakeman/checks/check_response_splitting.rb (+2 -0)
lib/brakeman/checks/check_send_file.rb (+2 -0)
lib/brakeman/checks/check_session_settings.rb (+2 -0)
lib/brakeman/checks/check_sql.rb (+2 -0)
lib/brakeman/checks/check_strip_tags.rb (+2 -0)
lib/brakeman/checks/check_translate_bug.rb (+2 -0)
lib/brakeman/checks/check_validation_regex.rb (+2 -0)
lib/brakeman/checks/check_without_protection.rb (+2 -0)
lib/brakeman.rb
@@ -162,7 +162,9 @@ module Brakeman
require
'brakeman/scanner'
$stderr
.
puts
"Available Checks:"
$stderr
.
puts
"-"
*
30
$stderr
.
puts
Checks
.
checks
.
map
{
|
c
|
c
.
to_s
.
match
(
/^Brakeman::(.*)$/
)[
1
]
}.
sort
.
join
"
\n
"
$stderr
.
puts
Checks
.
checks
.
map
{
|
c
|
c
.
to_s
.
match
(
/^Brakeman::(.*)$/
)[
1
].
ljust
(
27
)
<<
c
.
description
}.
sort
.
join
"
\n
"
end
#Installs Rake task for running Brakeman,
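Review bot: the new listing line appends `c.description` with `<<` onto the padded name, so any check class that never sets `@description` (BaseCheck.description just returns the bare class-level ivar) makes `String#<<` raise TypeError on nil and takes down the whole -k listing; use `c.description.to_s` or a fallback like `(c.description || "(no description)")`. The 27 in `ljust(27)` is also a magic width tied to the longest current check name; deriving it from the maximum name length keeps the columns aligned when a longer check is added later.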
lib/brakeman/checks/base_check.rb
@@ -396,4 +396,8 @@ class Brakeman::BaseCheck < SexpProcessor
"config/environment.rb"
end
end
def
self
.
description
@description
end
end
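Review bot: `self.description` reads a class-level instance variable, which Ruby does not inherit into subclasses, so a check deriving from another check (CheckLinkTo < CheckCrossSiteScripting and CheckSendFile < CheckFileAccess in this patch) must set its own `@description` or it reports nil. A one-line comment above the method stating that contract, plus a default such as `@description || "No description"`, would make it explicit for future checks.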
lib/brakeman/checks/check_basic_auth.rb
@@ -7,6 +7,8 @@ require 'brakeman/checks/base_check'
class
Brakeman::CheckBasicAuth
<
Brakeman
::
BaseCheck
Brakeman
::
Checks
.
add
self
@description
=
"Checks for the use of http_basic_authenticate_with"
def
run_check
return
if
version_between?
"0.0.0"
,
"3.0.99"
lib/brakeman/checks/check_cross_site_scripting.rb
@@ -14,6 +14,8 @@ require 'set'
class
Brakeman::CheckCrossSiteScripting
<
Brakeman
::
BaseCheck
Brakeman
::
Checks
.
add
self
@description
=
"Checks for unescaped output in views"
#Model methods which are known to be harmless
IGNORE_MODEL_METHODS
=
Set
.
new
([
:average
,
:count
,
:maximum
,
:minimum
,
:sum
])
lib/brakeman/checks/check_default_routes.rb
@@ -4,6 +4,8 @@ require 'brakeman/checks/base_check'
class
Brakeman::CheckDefaultRoutes
<
Brakeman
::
BaseCheck
Brakeman
::
Checks
.
add
self
@description
=
"Checks for default routes"
#Checks for :allow_all_actions globally and for individual routes
#if it is not enabled globally.
def
run_check
lib/brakeman/checks/check_escape_function.rb
@@ -5,6 +5,8 @@ require 'brakeman/checks/base_check'
class
Brakeman::CheckEscapeFunction
<
Brakeman
::
BaseCheck
Brakeman
::
Checks
.
add
self
@description
=
"Checks for versions before 2.3.14 which have a vulnerable escape method"
def
run_check
if
version_between?
(
'2.0.0'
,
'2.3.13'
)
and
RUBY_VERSION
<
'1.9.0'
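Review bot: the description mentions only "versions before 2.3.14", but the guard on the following lines also requires `RUBY_VERSION < '1.9.0'`, which is the interpreter running Brakeman rather than the one the scanned application deploys on; the -k text should state the Ruby 1.8 condition, and the string comparison on RUBY_VERSION deserves a comment since it is being used as a proxy for the target runtime.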
lib/brakeman/checks/check_evaluation.rb
@@ -5,6 +5,8 @@ require 'brakeman/checks/base_check'
class
Brakeman::CheckEvaluation
<
Brakeman
::
BaseCheck
Brakeman
::
Checks
.
add
self
@description
=
"Searches for evaluation of user input"
#Process calls
def
run_check
Brakeman
.
debug
"Finding eval-like calls"
lib/brakeman/checks/check_execute.rb
@@ -11,6 +11,8 @@ require 'brakeman/checks/base_check'
class
Brakeman::CheckExecute
<
Brakeman
::
BaseCheck
Brakeman
::
Checks
.
add
self
@description
=
"Finds instances of possible command injection"
#Check models, controllers, and views for command injection.
def
run_check
Brakeman
.
debug
"Finding system calls using ``"
lib/brakeman/checks/check_file_access.rb
@@ -5,6 +5,8 @@ require 'brakeman/processors/lib/processor_helper'
class
Brakeman::CheckFileAccess
<
Brakeman
::
BaseCheck
Brakeman
::
Checks
.
add
self
@description
=
"Finds possible file access using user input"
def
run_check
Brakeman
.
debug
"Finding possible file access"
methods
=
tracker
.
find_call
:targets
=>
[
:Dir
,
:File
,
:IO
,
:Kernel
,
:"Net::FTP"
,
:"Net::HTTP"
,
:PStore
,
:Pathname
,
:Shell
,
:YAML
],
:methods
=>
[
:[]
,
:chdir
,
:chroot
,
:delete
,
:entries
,
:foreach
,
:glob
,
:install
,
:lchmod
,
:lchown
,
:link
,
:load
,
:load_file
,
:makedirs
,
:move
,
:new
,
:open
,
:read
,
:read_lines
,
:rename
,
:rmdir
,
:safe_unlink
,
:symlink
,
:syscopy
,
:sysopen
,
:truncate
,
:unlink
]
lib/brakeman/checks/check_filter_skipping.rb
@@ -5,6 +5,8 @@ require 'brakeman/checks/base_check'
class
Brakeman::CheckFilterSkipping
<
Brakeman
::
BaseCheck
Brakeman
::
Checks
.
add
self
@description
=
"Checks for versions 3.0-3.0.9 which had a vulnerability in filters"
def
run_check
if
version_between?
(
'3.0.0'
,
'3.0.9'
)
and
uses_arbitrary_actions?
lib/brakeman/checks/check_forgery_setting.rb
@@ -7,6 +7,8 @@ require 'brakeman/checks/base_check'
class
Brakeman::CheckForgerySetting
<
Brakeman
::
BaseCheck
Brakeman
::
Checks
.
add
self
@description
=
"Verifies that protect_from_forgery is enabled in ApplicationController"
def
run_check
app_controller
=
tracker
.
controllers
[
:ApplicationController
]
if
tracker
.
config
[
:rails
][
:action_controller
]
and
lib/brakeman/checks/check_link_to.rb
@@ -7,6 +7,8 @@ require 'brakeman/checks/check_cross_site_scripting'
class
Brakeman::CheckLinkTo
<
Brakeman
::
CheckCrossSiteScripting
Brakeman
::
Checks
.
add
self
@description
=
"Checks for XSS in link_to in versions before 3.0"
def
run_check
return
unless
version_between?
(
"2.0.0"
,
"2.9.9"
)
and
not
tracker
.
config
[
:escape_html
]
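Review bot: the description "Checks for XSS in link_to in versions before 3.0" omits the second half of the guard, `not tracker.config[:escape_html]`; since the -k output is what users read to decide which checks to skip, it should say the check only applies to Rails 2.x applications that do not enable escape_html.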
lib/brakeman/checks/check_mail_to.rb
@@ -7,6 +7,8 @@ require 'brakeman/checks/base_check'
class
Brakeman::CheckMailTo
<
Brakeman
::
BaseCheck
Brakeman
::
Checks
.
add
self
@description
=
"Checks for mail_to XSS vulnerability in certain versions"
def
run_check
if
(
version_between?
"2.3.0"
,
"2.3.10"
or
version_between?
"3.0.0"
,
"3.0.3"
)
and
result
=
mail_to_javascript?
message
=
"Vulnerability in mail_to using javascript encoding (CVE-2011-0446). Upgrade to Rails version "
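Review bot: "in certain versions" is too vague for user-facing -k output when the guard two lines below spells the ranges out (2.3.0 to 2.3.10 and 3.0.0 to 3.0.3); name them in the description, as the quote_table_name and strip_tags descriptions do, and consider citing CVE-2011-0446, which the warning message string already references.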
lib/brakeman/checks/check_mass_assignment.rb
@@ -7,6 +7,8 @@ require 'set'
class
Brakeman::CheckMassAssignment
<
Brakeman
::
BaseCheck
Brakeman
::
Checks
.
add
self
@description
=
"Finds instances of mass assignment"
def
run_check
return
if
mass_assign_disabled?
lib/brakeman/checks/check_model_attributes.rb
@@ -8,6 +8,8 @@ require 'brakeman/checks/base_check'
class
Brakeman::CheckModelAttributes
<
Brakeman
::
BaseCheck
Brakeman
::
Checks
.
add
self
@description
=
"Reports models which do not use attr_restricted and warns on models that use attr_protected"
def
run_check
return
if
mass_assign_disabled?
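Review bot: "attr_restricted" in the description is not a Rails macro; the mass-assignment whitelist is `attr_accessible` (with `attr_protected` as the blacklist), so the -k listing would point users at a method that does not exist. Suggest "Reports models which do not use attr_accessible and warns on models that use attr_protected".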
lib/brakeman/checks/check_nested_attributes.rb
@@ -5,6 +5,8 @@ require 'brakeman/checks/base_check'
class
Brakeman::CheckNestedAttributes
<
Brakeman
::
BaseCheck
Brakeman
::
Checks
.
add
self
@description
=
"Checks for nested attributes vulnerability in Rails 2.3.9 and 3.0.0"
def
run_check
version
=
tracker
.
config
[
:rails_version
]
lib/brakeman/checks/check_quote_table_name.rb
@@ -5,6 +5,8 @@ require 'brakeman/checks/base_check'
class
Brakeman::CheckQuoteTableName
<
Brakeman
::
BaseCheck
Brakeman
::
Checks
.
add
self
@description
=
"Checks for quote_table_name vulnerability in versions before 2.3.14 and 3.0.10"
def
run_check
if
(
version_between?
(
'2.0.0'
,
'2.3.13'
)
or
version_between?
(
'3.0.0'
,
'3.0.9'
))
lib/brakeman/checks/check_redirect.rb
@@ -8,6 +8,8 @@ require 'brakeman/checks/base_check'
class
Brakeman::CheckRedirect
<
Brakeman
::
BaseCheck
Brakeman
::
Checks
.
add
self
@description
=
"Looks for calls to redirect_to with user input as arguments"
def
run_check
Brakeman
.
debug
"Finding calls to redirect_to()"
lib/brakeman/checks/check_render.rb
@@ -4,6 +4,8 @@ require 'brakeman/checks/base_check'
class
Brakeman::CheckRender
<
Brakeman
::
BaseCheck
Brakeman
::
Checks
.
add
self
@description
=
"Finds calls to render that might allow file access"
def
run_check
tracker
.
find_call
(
:target
=>
nil
,
:method
=>
:render
).
each
do
|
result
|
process_render
result
lib/brakeman/checks/check_response_splitting.rb
@@ -5,6 +5,8 @@ require 'brakeman/checks/base_check'
class
Brakeman::CheckResponseSplitting
<
Brakeman
::
BaseCheck
Brakeman
::
Checks
.
add
self
@description
=
"Report response splitting in Rails 2.3.0 - 2.3.13"
def
run_check
if
version_between?
(
'2.3.0'
,
'2.3.13'
)
lib/brakeman/checks/check_send_file.rb
@@ -5,6 +5,8 @@ require 'brakeman/processors/lib/processor_helper'
class
Brakeman::CheckSendFile
<
Brakeman
::
CheckFileAccess
Brakeman
::
Checks
.
add
self
@description
=
"Check for user input in uses of send_file"
def
run_check
Brakeman
.
debug
"Finding all calls to send_file()"
lib/brakeman/checks/check_session_settings.rb
@@ -4,6 +4,8 @@ require 'brakeman/checks/base_check'
class
Brakeman::CheckSessionSettings
<
Brakeman
::
BaseCheck
Brakeman
::
Checks
.
add
self
@description
=
"Checks for session key length and http_only settings"
def
initialize
*
args
super
lib/brakeman/checks/check_sql.rb
@@ -11,6 +11,8 @@ require 'brakeman/checks/base_check'
class
Brakeman::CheckSQL
<
Brakeman
::
BaseCheck
Brakeman
::
Checks
.
add
self
@description
=
"Check for SQL injection"
def
run_check
@rails_version
=
tracker
.
config
[
:rails_version
]
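Review bot: the description verb form is inconsistent across this commit: "Check for SQL injection" here (and in check_send_file and check_without_protection) versus "Checks for ...", "Finds ...", "Report ..." and "Looks for ..." elsewhere; since all of them are printed in one table by the -k output, settle on one form (third-person "Checks for" is the majority) so the listing reads uniformly.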
lib/brakeman/checks/check_strip_tags.rb
@@ -5,6 +5,8 @@ require 'brakeman/checks/base_check'
class
Brakeman::CheckStripTags
<
Brakeman
::
BaseCheck
Brakeman
::
Checks
.
add
self
@description
=
"Report strip_tags vulnerability in versions before 2.3.13 and 3.0.10"
def
run_check
if
(
version_between?
(
'2.0.0'
,
'2.3.12'
)
or
version_between?
(
'3.0.0'
,
'3.0.9'
))
and
uses_strip_tags?
lib/brakeman/checks/check_translate_bug.rb
@@ -5,6 +5,8 @@ require 'brakeman/checks/base_check'
class
Brakeman::CheckTranslateBug
<
Brakeman
::
BaseCheck
Brakeman
::
Checks
.
add
self
@description
=
"Report XSS vulnerability in translate helper"
def
run_check
if
(
version_between?
(
'2.3.0'
,
'2.3.99'
)
and
tracker
.
config
[
:escape_html
])
or
version_between?
(
'3.0.0'
,
'3.0.10'
)
or
lib/brakeman/checks/check_validation_regex.rb
@@ -10,6 +10,8 @@ require 'brakeman/checks/base_check'
class
Brakeman::CheckValidationRegex
<
Brakeman
::
BaseCheck
Brakeman
::
Checks
.
add
self
@description
=
"Report uses of validates_format_of with improper anchors"
WITH
=
Sexp
.
new
(
:lit
,
:with
)
def
run_check
lib/brakeman/checks/check_without_protection.rb
@@ -7,6 +7,8 @@ require 'brakeman/checks/base_check'
class
Brakeman::CheckWithoutProtection
<
Brakeman
::
BaseCheck
Brakeman
::
Checks
.
add
self
@description
=
"Check for mass assignment using without_protection"
def
run_check
if
version_between?
"0.0.0"
,
"3.0.99"
return