提交
ac2e6f06
编写于
7月 20, 2014
作者:
J
Justin
Merge pull request #527 from presidentbeef/add_rails4_option
Add -4 option to force Rails 4
上级
cf5b837c
6e26a0f0
变更
6
Showing
6 changed file
with
41 addition
and
16 deletion
+41
-16
lib/brakeman/checks/base_check.rb
lib/brakeman/checks/base_check.rb
+1
-1
lib/brakeman/checks/check_sql.rb
lib/brakeman/checks/check_sql.rb
+1
-1
lib/brakeman/options.rb
lib/brakeman/options.rb
+5
-0
lib/brakeman/processors/gem_processor.rb
lib/brakeman/processors/gem_processor.rb
+9
-3
lib/brakeman/report/report_base.rb
lib/brakeman/report/report_base.rb
+10
-3
lib/brakeman/scanner.rb
lib/brakeman/scanner.rb
+15
-8
lib/brakeman/checks/base_check.rb
...
...
@@ -177,7 +177,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
tracker
.
config
[
:rails
][
:active_record
][
:whitelist_attributes
]
==
Sexp
.
new
(
:true
)
@mass_assign_disabled
=
true
elsif
version_between?
(
"4.0.0"
,
"4.9.9"
)
&&
(
!
tracker
.
config
[
:gems
][
:protected_attributes
]
||
(
tracker
.
config
[
:rails
][
:active_record
]
&&
elsif
tracker
.
options
[
:rails4
]
&&
(
!
tracker
.
config
[
:gems
][
:protected_attributes
]
||
(
tracker
.
config
[
:rails
][
:active_record
]
&&
tracker
.
config
[
:rails
][
:active_record
][
:whitelist_attributes
]
==
Sexp
.
new
(
:true
)))
@mass_assign_disabled
=
true
...
...
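Review bot: The new `elsif tracker.options[:rails4] && ...` branch sets `@mass_assign_disabled = true` whenever `:rails4` is on and the Gemfile has no `protected_attributes` entry, and nothing in the hunk distinguishes a genuine Rails 4 app from a Rails 3 app scanned with the new `-4` flag. A Rails 3 app has no reason to list `protected_attributes`, so forcing `-4` on one presumably suppresses every mass-assignment warning instead of "forcing Rails 4 mode"; that may be the intended meaning of force, but it deserves a comment on the branch, e.g. `# :rails4 may come from -4 rather than the Gemfile; with no protected_attributes gem this disables mass-assignment checks`. Note that `version_between?("4.0.0", "4.9.9")` was replaced rather than combined, so a Rails 4 Gemfile alone no longer reaches this branch unless `:rails4` was also set. The enclosing method begins before this hunk.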
lib/brakeman/checks/check_sql.rb
...
...
@@ -19,7 +19,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
@sql_targets
=
[
:all
,
:average
,
:calculate
,
:count
,
:count_by_sql
,
:exists?
,
:delete_all
,
:destroy_all
,
:find
,
:find_by_sql
,
:first
,
:last
,
:maximum
,
:minimum
,
:pluck
,
:sum
,
:update_all
]
@sql_targets
.
concat
[
:from
,
:group
,
:having
,
:joins
,
:lock
,
:order
,
:reorder
,
:select
,
:where
]
if
tracker
.
options
[
:rails3
]
@sql_targets
<<
:find_by
<<
:find_by!
if
version_between?
"4.0.0"
,
"9.9.9"
@sql_targets
<<
:find_by
<<
:find_by!
if
tracker
.
options
[
:rails4
]
@connection_calls
=
[
:delete
,
:execute
,
:insert
,
:select_all
,
:select_one
,
:select_rows
,
:select_value
,
:select_values
]
...
...
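Review bot: `@sql_targets << :find_by << :find_by! if tracker.options[:rails4]` now depends on a CLI/detection flag where the old `version_between? "4.0.0", "9.9.9"` read the Gemfile directly, so a Rails 4 app scanned with an explicit `-3` presumably loses `find_by`/`find_by!` from the SQL-injection target list — a silent reduction in coverage rather than an error. If that is intended (forcing Rails 3 mode means Rails 3 API only), say so next to the line: `# find_by/find_by! are Rails 4 API; -3 deliberately drops them from the targets`. Otherwise consider `if tracker.options[:rails4] || version_between?("4.0.0", "9.9.9")` to keep the Gemfile-based behaviour. The `initialize` method this lives in starts before the hunk.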
lib/brakeman/options.rb
...
...
@@ -47,6 +47,11 @@ module Brakeman::Options
options
[
:rails3
]
=
true
end
opts
.
on
"-4"
,
"--rails4"
,
"Force Rails 4 mode"
do
options
[
:rails3
]
=
true
options
[
:rails4
]
=
true
end
opts
.
separator
""
opts
.
separator
"Scanning options:"
...
...
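Review bot: The `-4`/`--rails4` handler sets `options[:rails3] = true` as well as `options[:rails4] = true`, but neither the help string "Force Rails 4 mode" nor a comment explains that Rails 4 mode is treated as a superset of Rails 3 mode, which is the only reason the extra assignment is correct. Add a one-line comment above the first assignment, e.g. `# Rails 4 mode implies Rails 3 mode so every :rails3-gated check still runs`, so a later reader does not "clean up" the apparent redundancy. The `OptionParser` block this option belongs to starts before the hunk.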
lib/brakeman/processors/gem_processor.rb
...
...
@@ -19,9 +19,15 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
@tracker
.
config
[
:rails_version
]
=
$1
end
if
@tracker
.
config
[
:rails_version
]
=~
/^(3|4)\./
and
not
@tracker
.
options
[
:rails3
]
@tracker
.
options
[
:rails3
]
=
true
Brakeman
.
notify
"[Notice] Detected Rails #$1 application"
if
@tracker
.
options
[
:rails3
].
nil?
and
@tracker
.
options
[
:rails4
].
nil?
and
@tracker
.
config
[
:rails_version
]
if
@tracker
.
config
[
:rails_version
].
start_with?
"3"
@tracker
.
options
[
:rails3
]
=
true
Brakeman
.
notify
"[Notice] Detected Rails 3 application"
elsif
@tracker
.
config
[
:rails_version
].
start_with?
"4"
@tracker
.
options
[
:rails3
]
=
true
@tracker
.
options
[
:rails4
]
=
true
Brakeman
.
notify
"[Notice] Detected Rails 4 application"
end
end
if
@tracker
.
config
[
:gems
][
:rails_xss
]
...
...
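Review bot: The new guard `if @tracker.options[:rails3].nil? and @tracker.options[:rails4].nil? and @tracker.config[:rails_version]` joins its clauses with `and`, a low-precedence keyword the style guide reserves for control flow; it works here only because nothing else competes for precedence, and should read `if @tracker.options[:rails3].nil? && @tracker.options[:rails4].nil? && @tracker.config[:rails_version]`. Consider also a comment stating the intent of the `.nil?` checks, since they are what make `-3`/`-4` "force" a mode: `# Only auto-detect when neither -3 nor -4 was given on the command line`. The old regex `/^(3|4)\./` also anchored on the dot after the major version; `start_with? "3"` / `start_with? "4"` drop that, which is harmless for real Rails version strings but worth knowing. The `process_gems` method continues outside the hunk.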
lib/brakeman/report/report_base.rb
...
...
@@ -262,9 +262,16 @@ class Brakeman::Report::Base
end
def
rails_version
return
tracker
.
config
[
:rails_version
]
if
tracker
.
config
[
:rails_version
]
return
"3.x"
if
tracker
.
options
[
:rails3
]
"Unknown"
case
when
tracker
.
config
[
:rails_version
]
tracker
.
config
[
:rails_version
]
when
tracker
.
options
[
:rails4
]
"4.x"
when
tracker
.
options
[
:rails3
]
"3.x"
else
"Unknown"
end
end
#Escape warning message and highlight user input in text output
...
...
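Review bot: In the rewritten `rails_version`, the `when tracker.options[:rails4]` arm must come before `when tracker.options[:rails3]`, because elsewhere in this commit `-4` and Gemfile detection set both flags; nothing in the method says so, and reordering the arms would silently make every Rails 4 app report as "3.x". Add a comment on the `:rails4` arm: `# :rails4 implies :rails3, so it has to be tested first`. The bare `case` with boolean `when` clauses is fine, though an `if`/`elsif` chain would be the more common shape for three truthiness tests.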
lib/brakeman/scanner.rb
...
...
@@ -28,14 +28,6 @@ class Brakeman::Scanner
raise
Brakeman
::
NoApplication
,
"Please supply the path to a Rails application."
end
if
@app_tree
.
exists?
(
"script/rails"
)
options
[
:rails3
]
=
true
Brakeman
.
notify
"[Notice] Detected Rails 3 application"
elsif
not
@app_tree
.
exists?
(
"script"
)
options
[
:rails3
]
=
true
# Probably need to do some refactoring
Brakeman
.
notify
"[Notice] Detected Rails 4 application"
end
@processor
=
processor
||
Brakeman
::
Processor
.
new
(
@app_tree
,
options
)
end
...
...
@@ -48,6 +40,7 @@ class Brakeman::Scanner
def
process
Brakeman
.
notify
"Processing gems..."
process_gems
guess_rails_version
Brakeman
.
notify
"Processing configuration..."
process_config
Brakeman
.
notify
"Parsing files..."
...
...
@@ -147,6 +140,20 @@ class Brakeman::Scanner
tracker
.
error
e
.
exception
(
e
.
message
+
"
\n
While processing Gemfile"
),
e
.
backtrace
end
#Set :rails3/:rails4 option if version was not determined from Gemfile
def
guess_rails_version
unless
tracker
.
options
[
:rails3
]
or
tracker
.
options
[
:rails4
]
if
@app_tree
.
exists?
(
"script/rails"
)
tracker
.
options
[
:rails3
]
=
true
Brakeman
.
notify
"[Notice] Detected Rails 3 application"
elsif
not
@app_tree
.
exists?
(
"script"
)
tracker
.
options
[
:rails3
]
=
true
# Probably need to do some refactoring
tracker
.
options
[
:rails4
]
=
true
Brakeman
.
notify
"[Notice] Detected Rails 4 application"
end
end
end
#Process all the .rb files in config/initializers/
#
#Adds parsed information to tracker.initializers
...
...
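Review bot: `guess_rails_version` wraps its whole body in `unless tracker.options[:rails3] or tracker.options[:rails4]`, mixing `unless` with `or` and nesting the real `if`/`elsif` one level deeper than needed; a guard clause `return if tracker.options[:rails3] || tracker.options[:rails4]` followed by the `if @app_tree.exists?("script/rails")` chain at method level reads better and removes one `end`. The `# Probably need to do some refactoring` comment carried over from the old `initialize` no longer explains anything now that the code has its own method; replace it with a comment on the heuristic it sits next to, e.g. `# No script/ directory at all: presumably a Rails 4 layout (bin/ instead of script/)`, and note in the method comment that this is a filesystem fallback used only when the Gemfile gave no version. The method is complete within the hunk.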