

Merge pull request #947 from presidentbeef/grab_ruby_version
Attempt to get and use Ruby version from app
presidentbeef committed Oct 16, 2016
2 parents ff6232c + 87e5220 commit d81e90e
Showing 4 changed files with 32 additions and 11 deletions.
1 change: 1 addition & 0 deletions lib/brakeman/checks/check_symbol_dos.rb
Expand Up @@ -9,6 +9,7 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck

def run_check
return if rails_version and rails_version >= "5.0.0"
return if tracker.config.ruby_version >= "2.2"

tracker.find_call(:methods => UNSAFE_METHODS, :nested => true).each do |result|
check_unsafe_symbol_creation(result)
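Review bot: The new guard on line 20 compares version strings lexicographically, so `tracker.config.ruby_version >= "2.2"` is false for a hypothetical "2.10.0" and the check would run anyway — only a false positive, since `ruby_version` defaults to "" in config.rb and `"" >= "2.2"` is false, but a numeric comparison (`Gem::Version` from the standard library, applied once the string is non-empty) avoids the surprise; the `rails_version` line just above has the same shape. The guard also trusts the version the scanned app declares in `.ruby-version` or its Gemfile, so a declaration newer than the interpreter actually deployed suppresses the finding; that assumption belongs in a comment such as `# Symbol GC in Ruby 2.2+ removes this DoS; relies on the version the app declares, not the one it runs on`. `run_check` continues past the hunk.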
27 changes: 17 additions & 10 deletions lib/brakeman/processors/gem_processor.rb
Expand Up @@ -21,19 +21,26 @@ def process_gems gem_files
end

def process_call exp
if exp.target == nil and exp.method == :gem
gem_name = exp.first_arg
return exp unless string? gem_name
if exp.target == nil
if exp.method == :gem
gem_name = exp.first_arg
return exp unless string? gem_name

gem_version = exp.second_arg
gem_version = exp.second_arg

version = if string? gem_version
gem_version.value
else
nil
end
version = if string? gem_version
gem_version.value
else
nil
end

@tracker.config.add_gem gem_name.value, version, @gemfile, exp.line
@tracker.config.add_gem gem_name.value, version, @gemfile, exp.line
elsif exp.method == :ruby
version = exp.first_arg
if string? version
@tracker.config.set_ruby_version version.value
end
end
end

exp
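Review bot: The new `:ruby` branch (lines 54-58) turns `process_call` into a two-directive dispatcher nested three levels deep, and line 33 keeps the `exp.target == nil` comparison where `exp.target.nil?` is the idiom; a `case exp.method` with one helper per directive reads more easily and keeps each directive's string-literal guard local to it. The five-line `version = if string? gem_version ... end` (lines 46-50) collapses to `version = gem_version.value if string? gem_version` with the same nil result when the argument is not a literal. With both helpers placed before `process_call` the method still hands back `exp` unchanged on every path, as the original does; its closing `end` lies past the hunk.
```ruby
# `gem NAME[, VERSION]`: record the gem when NAME is a string literal.
def process_gem_directive exp
  gem_name = exp.first_arg
  return unless string? gem_name

  gem_version = exp.second_arg
  version = gem_version.value if string? gem_version

  @tracker.config.add_gem gem_name.value, version, @gemfile, exp.line
end

# `ruby VERSION`: record the app's declared Ruby version when it is a string literal.
def process_ruby_directive exp
  version = exp.first_arg
  @tracker.config.set_ruby_version version.value if string? version
end

def process_call exp
  if exp.target.nil?
    case exp.method
    when :gem then process_gem_directive exp
    when :ruby then process_ruby_directive exp
    end
  end

  exp
```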
4 changes: 4 additions & 0 deletions lib/brakeman/scanner.rb
Expand Up @@ -108,6 +108,10 @@ def process_config
tracker.config.escape_html = true
Brakeman.notify "[Notice] Escaping HTML by default"
end

if @app_tree.exists? ".ruby-version"
tracker.config.set_ruby_version @app_tree.read ".ruby-version"
end
end

def process_config_file file
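Review bot: The `.ruby-version` contents read on line 71 go to `set_ruby_version` unparsed, and that setter (config.rb in this commit) takes the first `N.N.N` found anywhere in the string, so an engine-prefixed entry such as `jruby-9.1.2.0` (constructed example) records `9.1.2`, the engine's own version rather than a Ruby language level, and a version-gated check like the `>= "2.2"` guard in check_symbol_dos.rb would then be skipped; either a stricter parse or a comment stating the limitation belongs here or in the setter. The Gemfile `ruby` directive (gem_processor.rb, same commit) writes the same field, and whichever is processed last wins silently; if the two declarations disagree, a `Brakeman.notify` in the style of line 67 would make that visible — the processing order is not visible from this hunk. `process_config` starts before the hunk.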
11 changes: 10 additions & 1 deletion lib/brakeman/tracker/config.rb
Expand Up @@ -5,7 +5,7 @@ class Config
include Util

attr_reader :rails, :tracker
attr_accessor :rails_version
attr_accessor :rails_version, :ruby_version
attr_writer :erubis, :escape_html
attr_reader :gems

Expand All @@ -16,6 +16,7 @@ def initialize tracker
@settings = {}
@escape_html = nil
@erubis = nil
@ruby_version = ""
end

def allow_forgery_protection?
Expand Down Expand Up @@ -92,6 +93,14 @@ def set_rails_version
end
end

def set_ruby_version version
return unless version.is_a? String

if version =~ /(\d+\.\d+\.\d+)/
self.ruby_version = $1
end
end

def session_settings
@rails[:action_controller] &&
@rails[:action_controller][:session]
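Review bot: `ruby_version` is exposed through `attr_accessor` on line 83 while `set_ruby_version` (lines 99-105) is the validating entry point, so any caller can still assign an unnormalized string directly; `attr_reader :ruby_version` with the writer kept private would route every write through the regex, provided nothing outside this file assigns the field. In `set_ruby_version` the pattern accepts a `N.N.N` anywhere in the input and silently drops two-component values such as `2.3` (constructed example), leaving the `""` default from line 91; if that is the intended conservative behaviour, say so: `# Only a full MAJOR.MINOR.PATCH is recorded; anything else leaves ruby_version at "" so version-gated checks stay enabled`. Prefer `Regexp.last_match(1)` or a named capture to `$1` on line 103.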
