提交
add9e26a
编写于
2月 04, 2014
作者:
Justin
Merge pull request #437 from presidentbeef/support_lts_versions
Add support for RailsLTS versions
上级
0c37f7de
5d99f32b
变更
6
Showing
6 changed file
with
49 addition
and
7 deletion
+49
-7
lib/brakeman/checks/base_check.rb
lib/brakeman/checks/base_check.rb
+10
-3
lib/brakeman/checks/check_number_to_currency.rb
lib/brakeman/checks/check_number_to_currency.rb
+2
-0
lib/brakeman/checks/check_sql.rb
lib/brakeman/checks/check_sql.rb
+10
-4
lib/brakeman/checks/check_translate_bug.rb
lib/brakeman/checks/check_translate_bug.rb
+1
-0
test/tests/brakeman.rb
test/tests/brakeman.rb
+11
-0
test/tests/rescanner.rb
test/tests/rescanner.rb
+15
-0
lib/brakeman/checks/base_check.rb
...
...
@@ -452,10 +452,11 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
#Returns true if low_version <= RAILS_VERSION <= high_version
#
#If the Rails version is unknown, returns false.
def
version_between?
low_version
,
high_version
return
false
unless
tracker
.
config
[
:rails_version
]
def
version_between?
low_version
,
high_version
,
current_version
=
nil
current_version
||=
tracker
.
config
[
:rails_version
]
return
false
unless
current_version
version
=
tracker
.
config
[
:rails_version
]
.
split
(
"."
).
map!
{
|
n
|
n
.
to_i
}
version
=
current_version
.
split
(
"."
).
map!
{
|
n
|
n
.
to_i
}
low_version
=
low_version
.
split
(
"."
).
map!
{
|
n
|
n
.
to_i
}
high_version
=
high_version
.
split
(
"."
).
map!
{
|
n
|
n
.
to_i
}
...
...
@@ -478,6 +479,12 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
true
end
def
lts_version?
version
tracker
.
config
[
:gems
]
and
tracker
.
config
[
:gems
][
:'railslts-version'
]
and
version_between?
version
,
"2.3.18.99"
,
tracker
.
config
[
:gems
][
:'railslts-version'
]
end
def
gemfile_or_environment
if
@app_tree
.
exists?
(
"Gemfile"
)
"Gemfile"
...
...
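Review bot: `lts_version?` reads `tracker.config[:gems][:'railslts-version']` twice and chains the three conditions with `and`, which is the control-flow operator in Ruby rather than the boolean one; name the lookup once and use `&&`, e.g. `lts = tracker.config[:gems] && tracker.config[:gems][:'railslts-version']` followed by `lts && version_between?(version, "2.3.18.99", lts)`. The method also has no header comment explaining that `version` is a lower bound on the LTS gem version while "2.3.18.99" is a fixed upper bound; something like `#Returns true if the app uses railslts-version and its version is between version and 2.3.18.99` in the file's `#Comment` style would make the call sites (`lts_version? '2.3.18.6'`) readable. In the first hunk, the comment above `version_between?` still only mentions RAILS_VERSION although the method now takes an optional `current_version`; add a line such as `#current_version defaults to tracker.config[:rails_version]`. The body of `version_between?` continues outside the hunk.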
lib/brakeman/checks/check_number_to_currency.rb
...
...
@@ -6,6 +6,8 @@ class Brakeman::CheckNumberToCurrency < Brakeman::BaseCheck
@description
=
"Checks for number_to_currency XSS vulnerability in certain versions"
def
run_check
return
if
lts_version?
'2.3.18.6'
if
(
version_between?
"2.0.0"
,
"3.2.15"
or
version_between?
"4.0.0"
,
"4.0.1"
)
check_number_to_currency_usage
...
...
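Review bot: The LTS threshold `'2.3.18.6'` in `return if lts_version? '2.3.18.6'` is a bare literal that is repeated verbatim in check_sql.rb and check_translate_bug.rb in this same commit, so the three checks can silently drift apart if one is later corrected; hoist it into one named constant on BaseCheck (a constructed example: `RAILS_LTS_FIXED_VERSION = '2.3.18.6'`) and reference that from all three. The early return also deserves a why-comment at the call site, since a reader cannot tell from the predicate name which direction the comparison goes, e.g. `#Rails LTS 2.3.18.6 and later presumably include the fix - confirm against the LTS release notes`. Note that the guard runs before the `version_between?` checks, so a project that declares railslts-version is never examined by this check regardless of its reported Rails version; that appears intended but is worth stating in the comment. The rest of `run_check` is outside the hunk.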
lib/brakeman/checks/check_sql.rb
...
...
@@ -575,7 +575,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
end
def
check_rails_versions_against_cve_issues
[
issues
=
[
{
:cve
=>
"CVE-2012-2660"
,
:versions
=>
[
%w[2.0.0 2.3.14 2.3.17]
,
%w[3.0.0 3.0.12 3.0.13]
,
%w[3.1.0 3.1.4 3.1.5]
,
%w[3.2.0 3.2.3 3.2.4]
],
...
...
@@ -601,12 +601,18 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
:versions
=>
[
%w[2.0.0 2.3.15 2.3.16]
,
%w[3.0.0 3.0.18 3.0.19]
,
%w[3.1.0 3.1.9 3.1.10]
,
%w[3.2.0 3.2.10 3.2.11]
],
:url
=>
"https://groups.google.com/d/topic/rubyonrails-security/c7jT-EeN9eI/discussion"
},
{
]
unless
lts_version?
'2.3.18.6'
issues
<<
{
:cve
=>
"CVE-2013-6417"
,
:versions
=>
[
%w[2.0.0 3.2.15 3.2.16]
,
%w[4.0.0 4.0.1 4.0.2]
],
:url
=>
"https://groups.google.com/d/msg/ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ"
},
].
each
do
|
cve_issue
|
}
end
issues
.
each
do
|
cve_issue
|
cve_warning_for
cve_issue
[
:versions
],
cve_issue
[
:cve
],
cve_issue
[
:url
]
end
end
...
...
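Review bot: The `unless lts_version? '2.3.18.6'` block gates only the CVE-2013-6417 entry while every other entry in `issues` is appended unconditionally, and nothing in the hunk says why this one CVE is treated differently; add a one-line comment above the `unless`, e.g. `#CVE-2013-6417 is already fixed in Rails LTS 2.3.18.6+, so skip it for LTS apps`, so the asymmetry is not mistaken for an omission. Whether the ungated entries correctly stay silent for a railslts 2.3.18.x application depends on how `cve_warning_for` compares versions, which is outside the hunk. The start of `check_rails_versions_against_cve_issues` is in the first hunk and its middle is elided.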
lib/brakeman/checks/check_translate_bug.rb
...
...
@@ -7,6 +7,7 @@ class Brakeman::CheckTranslateBug < Brakeman::BaseCheck
@description
=
"Report XSS vulnerability in translate helper"
def
run_check
return
if
lts_version?
'2.3.18.6'
if
(
version_between?
(
'2.3.0'
,
'2.3.99'
)
and
tracker
.
config
[
:escape_html
])
or
version_between?
(
'3.0.0'
,
'3.0.10'
)
or
version_between?
(
'3.1.0'
,
'3.1.1'
)
...
...
test/tests/brakeman.rb
...
...
@@ -41,6 +41,11 @@ class BaseCheckTests < Test::Unit::TestCase
@check
.
send
(
:version_between?
,
low
,
high
)
end
def
lts_version?
version
,
low
@tracker
.
config
=
{
:gems
=>
{
:"railslts-version"
=>
version
}
}
@check
.
send
(
:lts_version?
,
low
)
end
def
test_version_between
assert
version_between?
(
"2.3.8"
,
"2.3.0"
,
"2.3.8"
)
assert
version_between?
(
"2.3.8"
,
"2.3.0"
,
"2.3.14"
)
...
...
@@ -61,6 +66,12 @@ class BaseCheckTests < Test::Unit::TestCase
assert
version_between?
(
"3.2.9.rc2"
,
"3.2.5"
,
"4.0.0"
)
end
def
test_lts_version
@tracker
.
config
=
{
:rails_version
=>
"2.3.18"
}
assert
lts_version?
'2.3.18.6'
,
'2.3.18.6'
assert
!
lts_version?
(
'2.3.18.1'
,
'2.3.18.6'
)
assert
!
lts_version?
(
nil
,
'2.3.18.6'
)
end
end
class
ConfigTests
<
Test
::
Unit
::
TestCase
...
...
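Review bot: The test helper `lts_version?` assigns `@tracker.config = {:gems => {...}}` wholesale, which discards the `:rails_version => "2.3.18"` that `test_lts_version` sets on the line immediately before calling it, so that setup line is dead and the test never exercises an LTS gem together with a tracked Rails version. Have the helper merge into the existing hash instead, e.g. `(@tracker.config ||= {})[:gems] = {:"railslts-version" => version}`, so the preceding assignment takes effect. The three assertions cover the threshold, one version below it and a missing gem, but not a version above the "2.3.18.99" upper bound used in `lts_version?`; a fourth case pinning that behaviour would document whether it is intended.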
test/tests/rescanner.rb
...
...
@@ -252,4 +252,19 @@ class RescannerTests < Test::Unit::TestCase
assert_new
1
assert_fixed
0
end
def
test_gemfile_lock_rails_lts
gemfile
=
"Gemfile.lock"
before_rescan_of
gemfile
,
"rails_with_xss_plugin"
do
append
gemfile
,
"railslts-version (2.3.18.6)"
end
#@original is actually modified
assert
@original
.
config
[
:gems
][
:"railslts-version"
],
"2.3.18.6"
assert_reindex
:none
assert_changes
assert_new
0
assert_fixed
3
end
end
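Review bot: `assert @original.config[:gems][:"railslts-version"], "2.3.18.6"` does not compare anything: Test::Unit's two-argument `assert(test, message)` treats the second argument as the failure message, so this passes for any truthy value. It should be `assert_equal "2.3.18.6", @original.config[:gems][:"railslts-version"]`, which is what the appended `railslts-version (2.3.18.6)` line is meant to verify. The `assert_fixed 3` expectation is otherwise the only thing tying this test to the LTS behaviour, so the weak assertion hides whether the Gemfile.lock parsing actually picked up the version string.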