Run brakeman in GitHub Actions (#23713)
This commit is contained in:
parent
3aa153694e
commit
e11032585b
40
.github/workflows/bundler-audit.yml
vendored
Normal file
40
.github/workflows/bundler-audit.yml
vendored
Normal file
@ -0,0 +1,40 @@
|
||||
name: Bundler Audit
|
||||
on:
|
||||
push:
|
||||
branches-ignore:
|
||||
- 'dependabot/**'
|
||||
paths:
|
||||
- 'Gemfile*'
|
||||
- '.ruby-version'
|
||||
- '.bundler-audit.yml'
|
||||
- '.github/workflows/bundler-audit.yml'
|
||||
|
||||
pull_request:
|
||||
paths:
|
||||
- 'Gemfile*'
|
||||
- '.ruby-version'
|
||||
- '.bundler-audit.yml'
|
||||
- '.github/workflows/bundler-audit.yml'
|
||||
|
||||
schedule:
|
||||
- cron: '0 5 * * 1'
|
||||
|
||||
jobs:
|
||||
security:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- name: Clone repository
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Install native Ruby dependencies
|
||||
run: sudo apt-get install -y libicu-dev libidn11-dev
|
||||
|
||||
- name: Set up Ruby
|
||||
uses: ruby/setup-ruby@v1
|
||||
with:
|
||||
ruby-version: .ruby-version
|
||||
bundler-cache: true
|
||||
|
||||
- name: Run bundler-audit
|
||||
run: bundle exec bundler-audit
|
9
.github/workflows/lint-ruby.yml
vendored
9
.github/workflows/lint-ruby.yml
vendored
@ -8,7 +8,7 @@ on:
|
||||
- 'Gemfile*'
|
||||
- '.rubocop*.yml'
|
||||
- '.ruby-version'
|
||||
- '.bundler-audit.yml'
|
||||
- 'config/brakeman.ignore'
|
||||
- '**/*.rb'
|
||||
- '**/*.rake'
|
||||
- '.github/workflows/lint-ruby.yml'
|
||||
@ -18,7 +18,7 @@ on:
|
||||
- 'Gemfile*'
|
||||
- '.rubocop*.yml'
|
||||
- '.ruby-version'
|
||||
- '.bundler-audit.yml'
|
||||
- 'config/brakeman.ignore'
|
||||
- '**/*.rb'
|
||||
- '**/*.rake'
|
||||
- '.github/workflows/lint-ruby.yml'
|
||||
@ -46,5 +46,6 @@ jobs:
|
||||
- name: Run rubocop
|
||||
run: bundle exec rubocop
|
||||
|
||||
- name: Run bundler-audit
|
||||
run: bundle exec bundler-audit
|
||||
- name: Run brakeman
|
||||
if: always() # Run both checks, even if the first failed
|
||||
run: bundle exec brakeman
|
||||
|
2
Gemfile
2
Gemfile
@ -158,7 +158,7 @@ group :development do
|
||||
gem 'letter_opener_web', '~> 2.0'
|
||||
|
||||
# Security analysis CLI tools
|
||||
gem 'brakeman', '~> 5.4', require: false
|
||||
gem 'brakeman', '~> 6.0', require: false
|
||||
gem 'bundler-audit', '~> 0.9', require: false
|
||||
|
||||
# Linter CLI for HAML files
|
||||
|
@ -130,7 +130,7 @@ GEM
|
||||
blurhash (0.1.7)
|
||||
bootsnap (1.16.0)
|
||||
msgpack (~> 1.2)
|
||||
brakeman (5.4.1)
|
||||
brakeman (6.0.0)
|
||||
browser (5.3.1)
|
||||
brpoplpush-redis_script (0.1.3)
|
||||
concurrent-ruby (~> 1.0, >= 1.0.5)
|
||||
@ -765,7 +765,7 @@ DEPENDENCIES
|
||||
binding_of_caller (~> 1.0)
|
||||
blurhash (~> 0.1)
|
||||
bootsnap (~> 1.16.0)
|
||||
brakeman (~> 5.4)
|
||||
brakeman (~> 6.0)
|
||||
browser
|
||||
bundler-audit (~> 0.9)
|
||||
capistrano (~> 3.17)
|
||||
|
@ -102,6 +102,30 @@
|
||||
],
|
||||
"note": ""
|
||||
},
|
||||
{
|
||||
"warning_type": "Denial of Service",
|
||||
"warning_code": 76,
|
||||
"fingerprint": "7b6abba5699755348e7ee82a4694bfbf574b41c7cce2d0db0f7c11ae3f983c72",
|
||||
"check_name": "RegexDoS",
|
||||
"message": "Model attribute used in regular expression",
|
||||
"file": "lib/mastodon/cli/domains.rb",
|
||||
"line": 128,
|
||||
"link": "https://brakemanscanner.org/docs/warning_types/denial_of_service/",
|
||||
"code": "/\\.?(#{DomainBlock.where(:severity => 1).pluck(:domain).map do\n Regexp.escape(domain)\n end.join(\"|\")})$/",
|
||||
"render_path": null,
|
||||
"location": {
|
||||
"type": "method",
|
||||
"class": "Mastodon::CLI::Domains",
|
||||
"method": "crawl"
|
||||
},
|
||||
"user_input": "DomainBlock.where(:severity => 1).pluck(:domain)",
|
||||
"confidence": "Weak",
|
||||
"cwe_id": [
|
||||
20,
|
||||
185
|
||||
],
|
||||
"note": ""
|
||||
},
|
||||
{
|
||||
"warning_type": "Mass Assignment",
|
||||
"warning_code": 105,
|
||||
@ -148,6 +172,29 @@
|
||||
],
|
||||
"note": ""
|
||||
},
|
||||
{
|
||||
"warning_type": "Mass Assignment",
|
||||
"warning_code": 105,
|
||||
"fingerprint": "b0dd0a26d24f5ede9713fe49210e9638be5f5548af9eee0b5a16fe9dbc80ffcd",
|
||||
"check_name": "PermitAttributes",
|
||||
"message": "Potentially dangerous key allowed for mass assignment",
|
||||
"file": "app/controllers/api/v2/search_controller.rb",
|
||||
"line": 42,
|
||||
"link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
|
||||
"code": "params.permit(:type, :offset, :min_id, :max_id, :account_id, :following)",
|
||||
"render_path": null,
|
||||
"location": {
|
||||
"type": "method",
|
||||
"class": "Api::V2::SearchController",
|
||||
"method": "search_params"
|
||||
},
|
||||
"user_input": ":account_id",
|
||||
"confidence": "High",
|
||||
"cwe_id": [
|
||||
915
|
||||
],
|
||||
"note": ""
|
||||
},
|
||||
{
|
||||
"warning_type": "Cross-Site Scripting",
|
||||
"warning_code": 4,
|
||||
@ -205,6 +252,6 @@
|
||||
"note": ""
|
||||
}
|
||||
],
|
||||
"updated": "2023-07-05 14:34:42 -0400",
|
||||
"brakeman_version": "5.4.1"
|
||||
"updated": "2023-07-08 14:48:58 -0400",
|
||||
"brakeman_version": "6.0.0"
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user