Class: Brakeman::Config

Inherits:
Object
  • Object
Includes:
Util
Defined in:
lib/brakeman/tracker/config.rb

Constant Summary

Constants included from Util

Util::ALL_COOKIES, Util::ALL_PARAMETERS, Util::COOKIES, Util::COOKIES_SEXP, Util::PARAMETERS, Util::PARAMS_SEXP, Util::PATH_PARAMETERS, Util::QUERY_PARAMETERS, Util::REQUEST_COOKIES, Util::REQUEST_ENV, Util::REQUEST_PARAMETERS, Util::REQUEST_PARAMS, Util::SESSION, Util::SESSION_SEXP

Instance Attribute Summary

Instance Method Summary

Methods included from Util

#array?, #block?, #call?, #camelize, #class_name, #constant?, #contains_class?, #context_for, #cookies?, #false?, #file_by_name, #file_for, #github_url, #hash?, #hash_access, #hash_insert, #hash_iterate, #integer?, #make_call, #node_type?, #number?, #params?, #pluralize, #regexp?, #relative_path, #request_env?, #request_value?, #result?, #set_env_defaults, #sexp?, #string?, #string_interp?, #symbol?, #table_to_csv, #template_path_to_name, #true?, #truncate_table, #underscore

Constructor Details

#initialize(tracker) ⇒ Config

Returns a new instance of Config.



# File 'lib/brakeman/tracker/config.rb', line 12

# Creates an empty configuration bound to the given tracker.
#
# Nothing is read from disk here: the Rails settings, gem table and version
# strings all start out empty and are filled in later by the tracker's
# processing (#add_gem, #set_rails_version, #set_ruby_version, the writers).
# @rails_version is deliberately left unset (nil) so that #version_between?
# treats the Rails version as unknown until one is detected.
#
# @param tracker [Brakeman::Tracker] the tracker this config belongs to
def initialize tracker
  @tracker      = tracker
  @rails        = {}   # config.<component>.<setting> values, keyed by component
  @gems         = {}   # gem name (Symbol) => { :version, :file, :line }
  @settings     = {}
  @ruby_version = ""   # replaced by #set_ruby_version when a x.y.z string is found
  @escape_html  = nil  # nil = not yet known; true once rails_xss is seen
  @erubis       = nil  # nil = not yet known; set via the writer
end

Instance Attribute Details

#erubis=(value) ⇒ Object (writeonly)

Sets the attribute erubis

Parameters:

  • value

    the value to set the attribute erubis to.



# File 'lib/brakeman/tracker/config.rb', line 9

# Stores the "uses Erubis" flag read back by #erubis?. The value is kept as
# given (no coercion), so callers control whether it is a strict Boolean.
# The name suggests the Erubis template engine; nothing in this file
# inspects templates, the flag is simply recorded.
#
# @param flag [Object] value to remember; its truthiness is what #erubis? reports
def erubis=(flag)
  @erubis = flag
end

#escape_html=(value) ⇒ Object (writeonly)

Sets the attribute escape_html

Parameters:

  • value

    the value to set the attribute escape_html to.



# File 'lib/brakeman/tracker/config.rb', line 9

# Stores whether view output is escaped by default, read back by
# #escape_html?. #set_rails_version also sets this to true when the
# rails_xss gem is present, so the writer is for callers that establish the
# fact some other way. The value is kept as given (no coercion).
#
# @param flag [Object] value to remember; its truthiness is what #escape_html? reports
def escape_html=(flag)
  @escape_html = flag
end

#gems ⇒ Object (readonly)

Returns the value of attribute gems.



# File 'lib/brakeman/tracker/config.rb', line 10

# The table of gems recorded by #add_gem: gem name (Symbol) => Hash with
# :version, :file and :line. This is the live Hash, not a copy, so callers
# that mutate it change the config.
#
# @return [Hash{Symbol => Hash}]
def gems
  @gems
end

#rails ⇒ Object (readonly)

Returns the value of attribute rails.



# File 'lib/brakeman/tracker/config.rb', line 7

# The parsed Rails configuration, keyed by component (:action_controller,
# :active_record, :active_support, ...) and then by setting name. Values are
# the Sexp nodes as written in the config files, which is why the
# predicates in this class compare against Sexp.new(:true)/Sexp.new(:false).
# This is the live Hash, not a copy.
#
# @return [Hash{Symbol => Hash}]
def rails
  @rails
end

#rails_version ⇒ Object

Returns the value of attribute rails_version.



# File 'lib/brakeman/tracker/config.rb', line 8

# The Rails version string extracted by #set_rails_version ("5.2.1", possibly
# with a trailing suffix such as ".rc1"), or nil when no three-part version
# was found. #version_between? treats nil as "unknown" and returns false.
#
# @return [String, nil]
def rails_version
  @rails_version
end

#ruby_version ⇒ Object

Returns the value of attribute ruby_version.



# File 'lib/brakeman/tracker/config.rb', line 8

# The Ruby version as an "x.y.z" string set by #set_ruby_version. Unlike
# rails_version this starts out as "" (see #initialize) rather than nil, so
# callers must not rely on nil to detect "unknown".
#
# @return [String]
def ruby_version
  @ruby_version
end

#tracker ⇒ Object (readonly)

Returns the value of attribute tracker.



# File 'lib/brakeman/tracker/config.rb', line 7

# The tracker this config was created for (see #initialize). Used by
# #set_rails_version to read and set tracker.options.
#
# @return [Brakeman::Tracker]
def tracker
  @tracker
end

Instance Method Details

#add_gem(name, version, file, line) ⇒ Object



# File 'lib/brakeman/tracker/config.rb', line 64

# Records a gem declaration found while processing the app's Gemfile /
# Gemfile.lock.
#
# The name is normalised to a Symbol, so the lookups (#gem_version,
# #get_gem, #has_gem?) must be given Symbols too. Declaring the same gem
# again replaces the earlier entry. The version is stored verbatim; as
# #set_rails_version notes, a Gemfile value may still carry an operator such
# as "~>", so consumers must extract the numeric part themselves.
#
# @param name [String, Symbol] gem name
# @param version [String] version or constraint as written in the file
# @param file [String] file the declaration was found in
# @param line [Integer] line number of the declaration
# @return [Hash] the entry stored for the gem
def add_gem name, version, file, line
  entry = {
    :version => version,
    :file => file,
    :line => line
  }

  @gems[name.to_sym] = entry
end

#allow_forgery_protection? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/brakeman/tracker/config.rb', line 22

# True when the app has explicitly switched CSRF protection OFF, i.e.
# config.action_controller.allow_forgery_protection is the literal false.
#
# Read the name carefully: a truthy result means forgery protection is
# DISABLED, which is the condition a check wants to warn about. A missing
# setting, or one that is not the literal false (a variable, a method
# call, the literal true), yields a falsy result.
#
# @return [Boolean, nil] true only when the setting is the literal false;
#   nil when no :action_controller config was recorded
def allow_forgery_protection?
  controller_config = @rails[:action_controller]
  controller_config && controller_config[:allow_forgery_protection] == Sexp.new(:false)
end

#default_protect_from_forgery? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/brakeman/tracker/config.rb', line 27

# Whether the app gets CSRF protection from the framework default rather
# than from an explicit protect_from_forgery call.
#
# Only Rails 5.2 and later have
# config.action_controller.default_protect_from_forgery, so for older (or
# unknown) Rails versions this is always false. On 5.2+ it is true unless
# the app sets that option to the literal false.
#
# NOTE(review): "9.9.9" is a sentinel for "any later version"; because
# #version_between? compares components numerically, a Rails 10.x version
# would fall outside the range and be reported as not protected by default.
#
# @return [Boolean]
def default_protect_from_forgery?
  return false unless version_between? "5.2.0", "9.9.9"

  controller_config = @rails[:action_controller]
  explicitly_disabled = controller_config &&
    controller_config[:default_protect_from_forgery] == Sexp.new(:false)

  !explicitly_disabled
end

#erubis? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/brakeman/tracker/config.rb', line 41

# Whatever was last stored through #erubis=, uncoerced: nil until the writer
# has been called, otherwise the value given. The name suggests "templates
# use the Erubis engine", but this file only records the flag.
#
# @return [Boolean, nil]
def erubis?
  @erubis
end

#escape_html? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/brakeman/tracker/config.rb', line 45

# Whether view output is known to be HTML-escaped by default. True after
# #set_rails_version saw the rails_xss gem, or whatever #escape_html= stored;
# nil when neither has happened, so "not known to escape" and "known not to
# escape" are both falsy and callers must not distinguish them here.
#
# @return [Boolean, nil]
def escape_html?
  @escape_html
end

#escape_html_entities_in_json? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/brakeman/tracker/config.rb', line 49

# True when config.active_support.escape_html_entities_in_json is the
# literal true (per Util#true?). Anything else -- setting absent, no
# :active_support config at all, or a non-literal value -- is falsy.
#
# TODO add version-specific information here. A falsy result currently
# means "not explicitly enabled", not "disabled": newer Rails releases are
# believed to enable this by default, so a missing setting is not by itself
# evidence that JSON output embeds raw HTML -- confirm against the Rails
# version before warning on it.
#
# @return [Boolean, nil]
def escape_html_entities_in_json?
  support_config = @rails[:active_support]
  support_config && true?(support_config[:escape_html_entities_in_json])
end

#gem_version(name) ⇒ Object



# File 'lib/brakeman/tracker/config.rb', line 60

# The version recorded for a gem by #add_gem, or nil if the gem is unknown.
# The key must be a Symbol (#add_gem stores names via to_sym); a String name
# will never match. The value is returned as stored, so it may still be a
# Gemfile constraint ("~> 5.2") rather than a bare version.
#
# @param name [Symbol] gem name
# @return [String, nil]
def gem_version name
  entry = @gems[name]
  entry && entry[:version]
end

#get_gem(name) ⇒ Object



# File 'lib/brakeman/tracker/config.rb', line 77

# The full entry recorded for a gem by #add_gem (a Hash with :version, :file
# and :line), or nil if the gem is unknown. The key must be a Symbol.
#
# @param name [Symbol] gem name
# @return [Hash, nil]
def get_gem name
  @gems.fetch(name, nil)
end

#has_gem?(name) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/brakeman/tracker/config.rb', line 73

# Whether a gem was recorded by #add_gem. Always a strict Boolean (never
# nil), unlike #get_gem. The key must be a Symbol.
#
# @param name [Symbol] gem name
# @return [Boolean]
def has_gem? name
  @gems[name] ? true : false
end

#session_settings ⇒ Object



# File 'lib/brakeman/tracker/config.rb', line 148

# The value recorded for config.action_controller.session, or nil when
# either the :action_controller config or its :session entry is absent.
#
# @return [Object, nil]
def session_settings
  controller_config = @rails[:action_controller]
  controller_config && controller_config[:session]
end

#set_rails_version ⇒ Object



# File 'lib/brakeman/tracker/config.rb', line 81

# Derives the Rails version from the gems recorded via #add_gem and, unless
# the user already chose one on the command line, marks which major version
# the tracker should treat the app as.
#
# The :rails gem is consulted first, then :railties. Only the "x.y.z..."
# portion is kept, so a Gemfile constraint such as "~> 5.2.1" yields
# "5.2.1"; a value without three numeric parts ("~> 5.2") matches nothing
# and leaves rails_version nil (unknown). The rails3/rails4/rails5 options
# are cumulative -- a Rails 5 app sets all three -- and are only inferred
# when neither :rails3 nor :rails4 was given.
#
# NOTE(review): only majors 3, 4 and 5 are recognised; a Rails 6+ version
# string sets none of the options. This listing presumably predates support
# for later majors -- confirm against the checks that read those options.
#
# Independently of the version, the presence of the rails_xss gem turns on
# #escape_html?.
#
# @return [void]
def set_rails_version
  # Gemfile values may carry an operator ("~>"); the regexp skips past it.
  declared = gem_version(:rails) || gem_version(:railties)
  match = declared && declared.match(/(\d+\.\d+\.\d+.*)/)

  if match
    @rails_version = match[1]

    if tracker.options[:rails3].nil? && tracker.options[:rails4].nil?
      case @rails_version[0]
      when "3"
        tracker.options[:rails3] = true
        Brakeman.notify "[Notice] Detected Rails 3 application"
      when "4"
        tracker.options[:rails3] = true
        tracker.options[:rails4] = true
        Brakeman.notify "[Notice] Detected Rails 4 application"
      when "5"
        tracker.options[:rails3] = true
        tracker.options[:rails4] = true
        tracker.options[:rails5] = true
        Brakeman.notify "[Notice] Detected Rails 5 application"
      end
    end
  end

  if get_gem :rails_xss
    @escape_html = true
    Brakeman.notify "[Notice] Escaping HTML by default"
  end
end

#set_ruby_version(version) ⇒ Object



# File 'lib/brakeman/tracker/config.rb', line 110

# Records the Ruby version from a free-form string (e.g. the contents of a
# .ruby-version file or the output of `ruby -v`), keeping only the first
# "x.y.z" it contains.
#
# Non-String input is ignored, as is a string without three numeric parts
# ("2.6"); in both cases ruby_version keeps its previous value, which is ""
# from #initialize, so version-dependent checks will see no Ruby version.
#
# @param version [String, Object] text to extract the version from
# @return [String, nil] the stored version, or nil when nothing was recorded
def set_ruby_version version
  return unless version.is_a? String

  numeric = version[/\d+\.\d+\.\d+/]
  self.ruby_version = numeric if numeric
end

#version_between?(low_version, high_version, current_version = nil) ⇒ Boolean

Returns true if low_version <= current_version <= high_version, where current_version defaults to the Rails version recorded by #set_rails_version.

If the Rails version is unknown, returns false.

Returns:

  • (Boolean)


# File 'lib/brakeman/tracker/config.rb', line 121

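# Returns true if low_version <= current_version <= high_version, comparing
# dotted version strings component by component as integers (both bounds
# inclusive).
#
# current_version defaults to the Rails version recorded by
# #set_rails_version; when neither is available the result is false, so an
# unknown version never satisfies a range. Callers such as
# #default_protect_from_forgery? gate version-dependent checks on this, so
# a wrong answer here turns into a silently missed or spurious warning.
#
# Non-numeric components ("rc1", "beta") count as 0, so "5.2.0.rc1" compares
# equal to "5.2.0". Missing trailing components also count as 0 on every
# side, so "5.2" == "5.2.0" and "5.2" < "5.2.1". (Previously only the bounds
# were padded: a version with fewer components than a bound was never
# compared against the bound's remaining components, so "5.2" satisfied a
# lower bound of "5.2.1".)
#
# @param low_version [String] inclusive lower bound, e.g. "3.2.0"
# @param high_version [String] inclusive upper bound, e.g. "3.2.13"
# @param current_version [String, nil] version to test; nil means rails_version
# @return [Boolean]
def version_between? low_version, high_version, current_version = nil
  current_version ||= rails_version
  return false unless current_version

  to_parts = lambda { |str| str.split(".").map!(&:to_i) }
  version = to_parts.call(current_version)
  low = to_parts.call(low_version)
  high = to_parts.call(high_version)

  # Pad all three to the same width with zeros so that Array#<=>
  # (lexicographic, left to right) is exactly a component-wise comparison.
  width = [version.length, low.length, high.length].max
  pad = lambda { |parts| parts + [0] * (width - parts.length) }
  version, low, high = [version, low, high].map(&pad)

  (low <=> version) <= 0 && (version <=> high) <= 0
end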

#whitelist_attributes? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/brakeman/tracker/config.rb', line 55

# True when config.active_record.whitelist_attributes is the literal true,
# i.e. the app has opted every model into attr_accessible-style mass
# assignment protection. A missing setting, a non-literal value, or the
# literal false all yield a falsy result -- only an explicit `true` counts.
#
# @return [Boolean, nil] true only when the setting is the literal true;
#   nil when no :active_record config was recorded
def whitelist_attributes?
  record_config = @rails[:active_record]
  record_config && record_config[:whitelist_attributes] == Sexp.new(:true)
end