Add check for CVE-2018-3760 #1241

Merged
merged 5 commits into from Aug 13, 2018

Fix Rails 5.x configuration parsing

presidentbeef committed Jun 20, 2018
commit 515a2f9e185f2488e227f39ed930ef6cf2bcee3a
@@ -1,11 +1,14 @@
require 'brakeman/processors/base_processor'
require 'brakeman/processors/alias_processor'
require 'brakeman/processors/lib/rails4_config_processor.rb'
require 'brakeman/processors/lib/rails3_config_processor.rb'
require 'brakeman/processors/lib/rails2_config_processor.rb'

class Brakeman::ConfigProcessor
def self.new tracker
if tracker.options[:rails3]
if tracker.options[:rails4]
Brakeman::Rails4ConfigProcessor.new tracker
elsif tracker.options[:rails3]
Brakeman::Rails3ConfigProcessor.new tracker
else
Brakeman::Rails2ConfigProcessor.new tracker
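Review bot: The dispatch at the top of `self.new` checks `tracker.options[:rails4]` to pick `Rails4ConfigProcessor`, yet the commit message says this fixes Rails 5.x parsing; please confirm that the tracker sets `:rails4` for Rails 5 apps too, otherwise a Rails 5 project falls through to the Rails 3 or Rails 2 processor and the `Rails.application.configure` block is never seen. As rendered here the hunk shows both `if tracker.options[:rails3]` and `if tracker.options[:rails4]` without +/- markers; the header `@@ -1,11 +1,14 @@` implies the old `if` line is replaced rather than kept, which is worth double-checking, since keeping it would nest the rails4 branch under the rails3 condition. Minor style point: the new `require` keeps the `.rb` suffix (`rails4_config_processor.rb`) while the new file itself requires `rails3_config_processor` without it; one convention would be cleaner.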
@@ -0,0 +1,18 @@
require 'brakeman/processors/lib/rails3_config_processor'

class Brakeman::Rails4ConfigProcessor < Brakeman::Rails3ConfigProcessor
APPLICATION_CONFIG = s(:call, s(:call, s(:const, :Rails), :application), :configure)

# Look for Rails.application.configure do ... end
def process_iter exp
if exp.block_call == APPLICATION_CONFIG
@inside_config = true
process exp.block if sexp? exp.block
@inside_config = false
else
super
end

exp
end
end
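Review bot: In `process_iter`, `@inside_config = false` is only reached if `process exp.block` returns normally; if processing the block raises, the flag stays set to true for whatever is processed next. Wrapping the body in `begin ... ensure @inside_config = false end` would keep the state consistent. It would also help a reader to add a one-line comment explaining why a class named `Rails4ConfigProcessor` is what handles Rails 5 (Rails 5 moved configuration to `Rails.application.configure do ... end`, which is what `APPLICATION_CONFIG` matches), since the name alone suggests it is Rails 4 only.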
@@ -0,0 +1,9 @@
require_relative '../test'

class RailsConfiguration < Minitest::Test
def test_rails5_configuration
tracker = Brakeman.run(File.join(TEST_PATH, "apps", "rails5"))

refute tracker.config.rails.empty?
end
end
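Review bot: `refute tracker.config.rails.empty?` only proves that some Rails configuration was collected for the `rails5` fixture; it would pass even if a different processor picked up an unrelated setting. Asserting on a specific value that the fixture sets inside its `Rails.application.configure` block (for example one of the `config.*` settings the new processor is meant to parse) would verify that the new `process_iter` path actually ran. A more specific test class name than `RailsConfiguration`, or a file-level comment tying the test to this change, would also make the purpose clearer.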