Annotations #72

Closed
wants to merge 64 commits into from

Commits on Apr 7, 2012

  1. - Annotation file creation and loading

    - Annotation filtering on demand
    - Denotes the number of ignored warnings in reports
    Dave Worth committed Apr 7, 2012
    977749e
  2. Update README re: Annotations

    Dave Worth committed Apr 7, 2012
    fafdac2
  3. Add json as a report format

    Justin Collins authored and Dave Worth committed Apr 7, 2012
    de5a9e1
  4. Use Set[] instead of Set.new([])

    Justin Collins authored and Dave Worth committed Apr 7, 2012
    84a719a
  5. Ignore Model#id for XSS check

    Justin Collins authored and Dave Worth committed Apr 7, 2012
    882b11e
  6. Standardize SQL methods to check

    because before they were kind of all over the place
    Justin Collins authored and Dave Worth committed Apr 7, 2012
    c1cf6b6
  7. Update copyright

    Justin Collins authored and Dave Worth committed Apr 7, 2012
    c208eb0
  8. Fix check for nested targets in Rails 2 routes

    Justin Collins authored and Dave Worth committed Apr 7, 2012
    6cbbfc1
  9. Ignore resource routes if default routes already

    fixes bug where resource routes attempted to merge into
    :allow_all_actions
    Justin Collins authored and Dave Worth committed Apr 7, 2012
    a49d60e
  10. Switch to 1.9.2 on Travis CI

    since most development is done with 1.9.3 now
    Justin Collins authored and Dave Worth committed Apr 7, 2012
    64a8b95
  11. Add test for select vulnerability in Rails 3

    Justin Collins authored and Dave Worth committed Apr 7, 2012
    43ba8dd
  12.
    fab6a9b
  13. Remove select() as an XSS safe method in Rails 2

    Justin Collins authored and Dave Worth committed Apr 7, 2012
    e4d661e
  14. Oops, update expected warnings for Rails 2 tests

    Justin Collins authored and Dave Worth committed Apr 7, 2012
    8525b2c
  15. Tests for SafeBuffer vulnerability

    Justin Collins authored and Dave Worth committed Apr 7, 2012
    b58dee6
  16. Add version check for SafeBuffer vulnerability

    Justin Collins authored and Dave Worth committed Apr 7, 2012
    087592a
  17. Add test for skipping CSRF with :except

    Justin Collins authored and Dave Worth committed Apr 7, 2012
    150a67f
  18. Add check for skipping CSRF with :except

    instead of using :only.
    This is essentially a blacklist vs. whitelist issue.
    Justin Collins authored and Dave Worth committed Apr 7, 2012
    29d98e7
  19. Bump to 1.5.0

    [ci skip]
    presidentbeef authored and Dave Worth committed Apr 7, 2012
    592b1d3
  20. README updates

    Justin Collins authored and Dave Worth committed Apr 7, 2012
    2ddbc6d
  21. More debug output for current item being processed

    presidentbeef authored and Dave Worth committed Apr 7, 2012
    39322bd
  22. Print out stack trace when interrupted (only Ruby 1.9)

    presidentbeef authored and Dave Worth committed Apr 7, 2012
    e3fe89b
  23. Debug output of which template is being rendered

    presidentbeef authored and Dave Worth committed Apr 7, 2012
    08440cb
  24. Cache check result for disabled mass assignment

    presidentbeef authored and Dave Worth committed Apr 7, 2012
    6cb527c
  25. Track class and module in BaseProcessor

    presidentbeef authored and Dave Worth committed Apr 7, 2012
    c943903
  26. Report module in Brakeman::FindCall results

    but please don't ever use Brakeman::FindCall if it can
    be avoided
    presidentbeef authored and Dave Worth committed Apr 7, 2012
    24712b1
  27. Add additional check for global mass assign disable

    that looks like this:
    
    module ActiveRecord
      class Base
        attr_accessible
      end
    end
    
    Also, could be wrong, but I think old check was broken?
    presidentbeef authored and Dave Worth committed Apr 7, 2012
    82d0e24
  28. Fix concatenation of module name

    presidentbeef authored and Dave Worth committed Apr 7, 2012
    cad0c5a
  29. tracker.config[:rails3] => tracker.options[:rails3]

    presidentbeef authored and Dave Worth committed Apr 7, 2012
    efd00fc
  30. Support Rails 3 partial render (no :partial => ...)

    `render 'blah'` apparently now renders the partial '_blah'
    presidentbeef authored and Dave Worth committed Apr 7, 2012
    e194040
  31. Add test for Rails 3 partial rendering

    presidentbeef authored and Dave Worth committed Apr 7, 2012
    70b8b48
  32. Remove duplicate method on Rails2XSSErubis

    presidentbeef authored and Dave Worth committed Apr 7, 2012
    ce41f07
  33. Update CHANGES

    presidentbeef authored and Dave Worth committed Apr 7, 2012
    3bb3331
  34. Bump to 1.5.1

    [ci skip]
    presidentbeef authored and Dave Worth committed Apr 7, 2012
    8b54267
  35. Fixes to CheckLinkTo for Rails 2.0 and 2.3

    and link_to with a block
    Justin Collins authored and Dave Worth committed Apr 7, 2012
    d41f480
  36. Add more tests for link_to

    Justin Collins authored and Dave Worth committed Apr 7, 2012
    3d997b9
  37. I was getting a NoMethodError when rescanning a file in the lib directory.

    
        NoMethodError: undefined method `process_library' for #<Brakeman::Rescanner:0x10a8f5380>
        /Users/neilm/workspace/brakeman/lib/brakeman/rescanner.rb:77:in `rescan_file'
        /Users/neilm/workspace/brakeman/lib/brakeman/rescanner.rb:50:in `rescan'
        /Users/neilm/workspace/brakeman/lib/brakeman/rescanner.rb:47:in `each'
        /Users/neilm/workspace/brakeman/lib/brakeman/rescanner.rb:47:in `rescan'
        /Users/neilm/workspace/brakeman/lib/brakeman/rescanner.rb:46:in `each'
        /Users/neilm/workspace/brakeman/lib/brakeman/rescanner.rb:46:in `rescan'
        /Users/neilm/workspace/brakeman/lib/brakeman/rescanner.rb:22:in `recheck'
        /Users/neilm/workspace/brakeman/lib/brakeman.rb:291:in `rescan'
        /usr/local/rvm/gems/ree-1.8.7-2011.12/gems/guard-brakeman-0.3.1/lib/guard/brakeman.rb:73:in `run_on_change'
    oreoshake authored and Dave Worth committed Apr 7, 2012
    83d2d80
  38. Output stack trace in debug on interrupt in 1.8.7

    Justin Collins authored and Dave Worth committed Apr 7, 2012
    ccf4fe9
  39. Only output stack trace on debug, use caller

    Thanks @PragTob
    Justin Collins authored and Dave Worth committed Apr 7, 2012
    f267043
  40. Ignore user input in condition of if statements

    Justin Collins authored and Dave Worth committed Apr 7, 2012
    b605bd7
  41. Don't make file names symbols for --skip-files

    Justin Collins authored and Dave Worth committed Apr 7, 2012
    ad06e39
  42. Render path check should only warn on user input

    Justin Collins authored and Dave Worth committed Apr 7, 2012
    0cf8c95
  43. Medium confidence for user input in render strings

    Justin Collins authored and Dave Worth committed Apr 7, 2012
    f4df29c
  44. Fix/add dynamic render path tests

    Justin Collins authored and Dave Worth committed Apr 7, 2012
    70a2824
  45. Add tests for application using rails_xss

    Justin Collins authored and Dave Worth committed Apr 7, 2012
    23be7ca
  46. Fix handling of Erubis templates with xss escaping

    either with rails_xss or Rails 3.
    This was broken when Brakeman's Erubis output was
    changed to match what rails_xss does. Unfortunately, that
    broke the ErubisTemplateProcessor such that NO output
    was detected. This should fix that.
    
    Note that this code detects auto-escaping by the output variable.
    @output_buffer is used in Brakeman's Erubis classes. _buf will
    only show up if someone is using Erubis with auto-escaping turned
    off.
    Justin Collins authored and Dave Worth committed Apr 7, 2012
    108b722
  47. Fix tests after merge

    Justin Collins authored and Dave Worth committed Apr 7, 2012
    3177af7
  48. Add utility script for generating tests

    Justin Collins authored and Dave Worth committed Apr 7, 2012
    27dc2b8
  49. Oops, need the rails_xss plugin directory for tests

    Justin Collins authored and Dave Worth committed Apr 7, 2012
    fe35bbb
  50. Use old ruby_parser (2.3.1) for Ruby 1.8 parsing

    Justin Collins authored and Dave Worth committed Apr 7, 2012
    697be03
  51. Make sure Sexp patches load for Ruby 1.8

    Justin Collins authored and Dave Worth committed Apr 7, 2012
    e727cb7
  52. Fix some Ruby warnings

    Justin Collins authored and Dave Worth committed Apr 7, 2012
    8cde2ee
  53. Bump to 1.5.2

    [ci skip]
    Justin Collins authored and Dave Worth committed Apr 7, 2012
    180ca45
  54. Warn when user input is supplied to send

    Model.send(params[:method]) == bad
    oreoshake authored and Dave Worth committed Apr 7, 2012
    95c2046
  55. Adding a debug statement

    oreoshake authored and Dave Worth committed Apr 7, 2012
    5be94a3
  56. Only warn if the target or the first arg contains user input

    Add moar test cases
    oreoshake authored and Dave Worth committed Apr 7, 2012
    a938139
  57. Move parsers out of scanner.rb into lib/parsers/

    Justin Collins authored and Dave Worth committed Apr 7, 2012
    487221b
  58. A little more whitespace when showing progress

    Justin Collins authored and Dave Worth committed Apr 7, 2012
    5a8fc01
  59. Track module names for controllers

    because when they get re-processed the module information
    is lost (just class code is stored)
    Justin Collins authored and Dave Worth committed Apr 7, 2012
    8078779
  60. Don't double the number of controllers reported

    during progress. I don't really know why this was there...
    Justin Collins authored and Dave Worth committed Apr 7, 2012
    067b9c5
  61. Add Util.hash_access to simplify accessing hashes

    Justin Collins authored and Dave Worth committed Apr 7, 2012
    44ca23b
  62. Handle nested modules in ProcessorHelper

    Justin Collins authored and Dave Worth committed Apr 7, 2012
    6f65ac7
  63. - Annotation file creation and loading

    - Annotation filtering on demand
    - Denotes the number of ignored warnings in reports
    Dave Worth committed Apr 7, 2012
    38e8d27
  64. Merge branch 'annotations' of github.com:daveworth/brakeman into annotations

    
    Conflicts:
    	lib/brakeman/checks/check_send.rb
    	test/tests/test_rails2.rb
    Dave Worth committed Apr 7, 2012
    0774b53