Class: Brakeman::Config

Inherits:
Object
Includes:
Util
Defined in:
lib/brakeman/tracker/config.rb

Constant Summary

Constants included from Util

Util::ALL_COOKIES, Util::ALL_PARAMETERS, Util::COOKIES, Util::COOKIES_SEXP, Util::PARAMETERS, Util::PARAMS_SEXP, Util::PATH_PARAMETERS, Util::QUERY_PARAMETERS, Util::REQUEST_COOKIES, Util::REQUEST_ENV, Util::REQUEST_PARAMETERS, Util::REQUEST_PARAMS, Util::REQUEST_REQUEST_PARAMETERS, Util::SAFE_LITERAL, Util::SESSION, Util::SESSION_SEXP

Instance Attribute Summary

Instance Method Summary

Methods included from Util

#array?, #block?, #call?, #camelize, #class_name, #constant?, #contains_class?, #cookies?, #false?, #hash?, #hash_access, #hash_insert, #hash_iterate, #integer?, #kwsplat?, #make_call, #node_type?, #number?, #params?, #pluralize, #regexp?, #remove_kwsplat, #request_env?, #request_value?, #result?, #safe_literal, #safe_literal?, #safe_literal_target?, #set_env_defaults, #sexp?, #string?, #string_interp?, #symbol?, #template_path_to_name, #true?, #underscore

Constructor Details

#initialize(tracker) ⇒ Config

Returns a new instance of Config.



# File 'lib/brakeman/tracker/config.rb', line 10

# Build an empty configuration bound to +tracker+.
#
# The rails / gems / settings tables start empty, the escape_html and
# erubis flags are unset (nil) until the #escape_html= / #erubis=
# writers are used, and the Ruby version is an empty string until
# #set_ruby_version records one.
#
# +tracker+ is the owning tracker; its #options are consulted by
# #set_rails_version.
def initialize tracker
  @tracker = tracker
  @ruby_version = ""
  @escape_html = @erubis = nil
  @rails, @gems, @settings = {}, {}, {}
end

Instance Attribute Details

#erubis=(value) ⇒ Object (writeonly)

Sets the attribute erubis

Parameters:

  • value

    the value to set the attribute erubis to.



# File 'lib/brakeman/tracker/config.rb', line 8

# Store whether the app renders templates with Erubis; read back by #erubis?.
# The value is kept as given (no coercion to true/false).
def erubis=(value)
  @erubis = value
end

#escape_html=(value) ⇒ Object (writeonly)

Sets the attribute escape_html

Parameters:

  • value

    the value to set the attribute escape_html to.



# File 'lib/brakeman/tracker/config.rb', line 8

# Store whether the app escapes HTML in views by default; read back by
# #escape_html?. The value is kept as given (no coercion to true/false).
def escape_html=(value)
  @escape_html = value
end

#gems ⇒ Object (readonly)

Returns the value of attribute gems.



# File 'lib/brakeman/tracker/config.rb', line 7

# The gem table filled by #add_gem: symbol gem name => hash with
# :version, :file and :line. Returned as-is (callers share the object).
def gems
  @gems
end

#rails ⇒ Object (readonly)

Returns the value of attribute rails.



# File 'lib/brakeman/tracker/config.rb', line 7

# The parsed Rails configuration, a nested hash keyed by symbols
# (e.g. @rails[:action_controller][:session]). Returned as-is.
def rails
  @rails
end

#ruby_version ⇒ Object (readonly)

Returns the value of attribute ruby_version.



# File 'lib/brakeman/tracker/config.rb', line 7

# The Ruby version string recorded by #set_ruby_version ("" until then).
def ruby_version
  @ruby_version
end

#tracker ⇒ Object (readonly)

Returns the value of attribute tracker.



# File 'lib/brakeman/tracker/config.rb', line 7

# The tracker this configuration belongs to (given to #initialize).
def tracker
  @tracker
end

Instance Method Details

#add_gem(name, version, file, line) ⇒ Object



# File 'lib/brakeman/tracker/config.rb', line 59

# Record a gem the application depends on.
#
# +name+ is symbolized so that lookups via #has_gem?, #get_gem and
# #gem_version (which take symbols) find it. +version+ is stored raw;
# #gem_version normalizes it on read. +file+ and +line+ say where the
# dependency was declared. Adding the same gem twice replaces the entry.
def add_gem name, version, file, line
  @gems[name.to_sym] = { :version => version, :file => file, :line => line }
end

#default_protect_from_forgery? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/brakeman/tracker/config.rb', line 20

# Is CSRF protection on by default for this app?
#
# From Rails 5.2.0.beta1 on the framework enables protect_from_forgery
# by default, so this is true unless the app's config sets
# action_controller.default_protect_from_forgery to the literal false.
# On older Rails, or when the Rails version is unknown (see
# #version_between?), the answer is false.
def default_protect_from_forgery?
  return false unless version_between? "5.2.0.beta1", "9.9.9"

  setting = @rails.dig(:action_controller, :default_protect_from_forgery)
  setting != Sexp.new(:false)
end

#erubis? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/brakeman/tracker/config.rb', line 32

# Whether the app was flagged (via #erubis=) as using Erubis.
# Returns the stored value itself, so nil when never set.
def erubis?
  @erubis
end

#escape_filter_interpolations? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/brakeman/tracker/config.rb', line 45

# True when the app uses a Haml 5.x release (version between 5.0.0 and
# 5.99 as recorded in the gem table); false when Haml is absent or
# outside that range.
def escape_filter_interpolations?
  # TODO see if app is actually turning this off itself
  return false unless has_gem?(:haml)

  version_between?("5.0.0", "5.99", gem_version(:haml))
end

#escape_html? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/brakeman/tracker/config.rb', line 36

# Whether HTML is escaped by default in views, as set through
# #escape_html= or by #set_rails_version when the rails_xss gem is
# present. Returns the stored value itself, so nil when never set.
def escape_html?
  @escape_html
end

#escape_html_entities_in_json? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/brakeman/tracker/config.rb', line 40

# True when the parsed config sets active_support.escape_html_entities_in_json
# to a true literal (as judged by Util#true?); false when unset or anything else.
def escape_html_entities_in_json?
  #TODO add version-specific information here
  setting = @rails.dig(:active_support, :escape_html_entities_in_json)
  true?(setting)
end

#extract_version(version) ⇒ Object



# File 'lib/brakeman/tracker/config.rb', line 126

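# Pull a dotted version number out of +version+.
#
# Returns the first "N.N" run together with any further ".N" component and
# the prerelease/patch suffix that follows it ("5.2.0.beta1" => "5.2.0.beta1",
# "~> 6.0" => "6.0"), or nil when +version+ is not a String or contains no
# such number.
#
# The suffix is limited to the characters Gem::Version accepts (digits,
# letters, '.' and '-'), so text that follows the number in the same
# string — ", >= 6.0.3", a closing parenthesis, a trailing comment — is
# not carried into @rails_version / @ruby_version, where Gem::Version.new
# (see #version_between?) would reject it as malformed.
def extract_version version
  return unless version.is_a? String

  version[/\d+\.\d+(\.\d+[0-9A-Za-z.-]*)?/]
end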

#gem_version(name) ⇒ Object



# File 'lib/brakeman/tracker/config.rb', line 55

# The normalized version of gem +name+ (a symbol), as produced by
# #extract_version from the raw value stored by #add_gem; nil when the
# gem is unknown or its version holds no dotted number.
def gem_version name
  raw = @gems.dig(name, :version)
  extract_version raw
end

#get_gem(name) ⇒ Object



# File 'lib/brakeman/tracker/config.rb', line 72

# The gem table entry for +name+ (a symbol): a hash with :version, :file
# and :line as stored by #add_gem, or nil when the gem is not present.
def get_gem name
  @gems[name]
end

#has_gem?(name) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/brakeman/tracker/config.rb', line 68

# Whether a gem named +name+ (a symbol) was recorded with #add_gem.
# Always a strict true/false, never the entry itself.
def has_gem? name
  @gems[name] ? true : false
end

#rails_version ⇒ Object



# File 'lib/brakeman/tracker/config.rb', line 116

# The Rails version string recorded by #set_rails_version, or nil when
# none has been determined.
#
# Defined explicitly (rather than as an attr_reader) because
# Util#rails_version calls Tracker::Config#rails_version while
# Tracker::Config itself includes Util; this method must win the lookup.
def rails_version
  @rails_version
end

#session_settings ⇒ Object



# File 'lib/brakeman/tracker/config.rb', line 146

# Whatever the parsed config stores under action_controller -> session,
# or nil when either level is missing.
def session_settings
  controller_config = @rails[:action_controller]
  controller_config&.dig(:session)
end

#set_rails_version(version = nil) ⇒ Object



# File 'lib/brakeman/tracker/config.rb', line 76

# Record the application's Rails version and derive the rails3/4/5/6
# option flags from it.
#
# +version+ is only passed explicitly by the Rails 2 config processor;
# otherwise the version comes from the rails gem, falling back to
# railties. When a version is found it is stored in @rails_version and,
# unless :rails3 or :rails4 is already set in tracker.options, the
# cumulative flags for its major version are switched on (a Rails 5 app
# sets :rails3, :rails4 and :rails5). Nothing is recorded when no
# version can be determined.
#
# Independently of the version, the presence of the rails_xss gem turns
# on HTML escaping by default.
def set_rails_version version = nil
  version =
    if version
      extract_version(version) # explicit version: only Rails2ConfigProcessor right now
    else
      gem_version(:rails) || gem_version(:railties)
    end

  if version
    @rails_version = version

    if tracker.options[:rails3].nil? && tracker.options[:rails4].nil?
      # Flags are cumulative: each major turns on its own flag plus all earlier ones.
      # NOTE(review): majors above 6 match no prefix here, so no rails* flag is set for them.
      flags_by_major = {
        "3" => [:rails3],
        "4" => [:rails3, :rails4],
        "5" => [:rails3, :rails4, :rails5],
        "6" => [:rails3, :rails4, :rails5, :rails6]
      }

      major, flags = flags_by_major.find { |prefix, _| @rails_version.start_with?(prefix) }

      if major
        flags.each { |flag| tracker.options[flag] = true }
        Brakeman.notify "[Notice] Detected Rails #{major} application"
      end
    end
  end

  if get_gem :rails_xss
    @escape_html = true
    Brakeman.notify "[Notice] Escaping HTML by default"
  end
end

#set_ruby_version(version) ⇒ Object



# File 'lib/brakeman/tracker/config.rb', line 122

# Record the app's Ruby version, normalized through #extract_version
# (so @ruby_version becomes nil when +version+ is not a String or holds
# no dotted number). Read back with #ruby_version.
def set_ruby_version version
  @ruby_version = extract_version version
end

#version_between?(low_version, high_version, current_version = nil) ⇒ Boolean

Returns true if low_version <= current_version <= high_version, where current_version defaults to the detected Rails version.

If the Rails version is unknown, returns false.

Returns:

  • (Boolean)


# File 'lib/brakeman/tracker/config.rb', line 135

# Is +current_version+ within [+low_version+, +high_version+] (inclusive)?
#
# +current_version+ defaults to #rails_version; if that is also unknown
# the answer is false. Comparison uses Gem::Version semantics, so
# "1.0" equals "1.0.0" and prerelease tags ("5.2.0.beta1") order below
# the final release. All three strings must be well-formed for
# Gem::Version, which raises ArgumentError on malformed input.
def version_between? low_version, high_version, current_version = nil
  current_version ||= rails_version
  return false unless current_version

  bounds = [low_version, high_version].map { |v| Gem::Version.new(v) }
  Gem::Version.new(current_version).between?(*bounds)
end

#whitelist_attributes? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/brakeman/tracker/config.rb', line 51

# True only when the parsed config sets active_record.whitelist_attributes
# to the literal true; unset or any other value yields false.
def whitelist_attributes?
  setting = @rails.dig(:active_record, :whitelist_attributes)
  setting == Sexp.new(:true)
end