kosmos/mastodon
kosmos/mastodon
8
0
Fork 0
Code Pull Requests Activity

Run brakeman in GitHub Actions (#23713)

Browse Source
This commit is contained in:
Nick Schonning 2023-07-11 09:23:57 -04:00 committed by GitHub
parent 3aa153694e
commit e11032585b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 97 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
.github/workflows/bundler-audit.yml vendored Normal file
View File

@ -0,0 +1,40 @@
name: Bundler Audit
on:
push:
branches-ignore:
- 'dependabot/**'
paths:
- 'Gemfile*'
- '.ruby-version'
- '.bundler-audit.yml'
- '.github/workflows/bundler-audit.yml'
pull_request:
paths:
- 'Gemfile*'
- '.ruby-version'
- '.bundler-audit.yml'
- '.github/workflows/bundler-audit.yml'
schedule:
- cron: '0 5 * * 1'
jobs:
security:
runs-on: ubuntu-latest
steps:
- name: Clone repository
uses: actions/checkout@v3
- name: Install native Ruby dependencies
run: sudo apt-get install -y libicu-dev libidn11-dev
- name: Set up Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: .ruby-version
bundler-cache: true
- name: Run bundler-audit
run: bundle exec bundler-audit

9
.github/workflows/lint-ruby.yml vendored
View File

@ -8,7 +8,7 @@ on:
- 'Gemfile*' - 'Gemfile*'
- '.rubocop*.yml' - '.rubocop*.yml'
- '.ruby-version' - '.ruby-version'
- '.bundler-audit.yml' - 'config/brakeman.ignore'
- '**/*.rb' - '**/*.rb'
- '**/*.rake' - '**/*.rake'
- '.github/workflows/lint-ruby.yml' - '.github/workflows/lint-ruby.yml'
@ -18,7 +18,7 @@ on:
- 'Gemfile*' - 'Gemfile*'
- '.rubocop*.yml' - '.rubocop*.yml'
- '.ruby-version' - '.ruby-version'
- '.bundler-audit.yml' - 'config/brakeman.ignore'
- '**/*.rb' - '**/*.rb'
- '**/*.rake' - '**/*.rake'
- '.github/workflows/lint-ruby.yml' - '.github/workflows/lint-ruby.yml'
@ -46,5 +46,6 @@ jobs:
- name: Run rubocop - name: Run rubocop
run: bundle exec rubocop run: bundle exec rubocop
- name: Run bundler-audit - name: Run brakeman
run: bundle exec bundler-audit if: always() # Run both checks, even if the first failed
run: bundle exec brakeman

2
Gemfile
View File

@ -158,7 +158,7 @@ group :development do
gem 'letter_opener_web', '~> 2.0' gem 'letter_opener_web', '~> 2.0'
# Security analysis CLI tools # Security analysis CLI tools
gem 'brakeman', '~> 5.4', require: false gem 'brakeman', '~> 6.0', require: false
gem 'bundler-audit', '~> 0.9', require: false gem 'bundler-audit', '~> 0.9', require: false
# Linter CLI for HAML files # Linter CLI for HAML files

4
Gemfile.lock
View File

@ -130,7 +130,7 @@ GEM
blurhash (0.1.7) blurhash (0.1.7)
bootsnap (1.16.0) bootsnap (1.16.0)
msgpack (~> 1.2) msgpack (~> 1.2)
brakeman (5.4.1) brakeman (6.0.0)
browser (5.3.1) browser (5.3.1)
brpoplpush-redis_script (0.1.3) brpoplpush-redis_script (0.1.3)
concurrent-ruby (~> 1.0, >= 1.0.5) concurrent-ruby (~> 1.0, >= 1.0.5)
@ -765,7 +765,7 @@ DEPENDENCIES
binding_of_caller (~> 1.0) binding_of_caller (~> 1.0)
blurhash (~> 0.1) blurhash (~> 0.1)
bootsnap (~> 1.16.0) bootsnap (~> 1.16.0)
brakeman (~> 5.4) brakeman (~> 6.0)
browser browser
bundler-audit (~> 0.9) bundler-audit (~> 0.9)
capistrano (~> 3.17) capistrano (~> 3.17)

51
config/brakeman.ignore
View File

@ -102,6 +102,30 @@
], ],
"note": "" "note": ""
}, },
{
"warning_type": "Denial of Service",
"warning_code": 76,
"fingerprint": "7b6abba5699755348e7ee82a4694bfbf574b41c7cce2d0db0f7c11ae3f983c72",
"check_name": "RegexDoS",
"message": "Model attribute used in regular expression",
"file": "lib/mastodon/cli/domains.rb",
"line": 128,
"link": "https://brakemanscanner.org/docs/warning_types/denial_of_service/",
"code": "/\\.?(#{DomainBlock.where(:severity => 1).pluck(:domain).map do\n Regexp.escape(domain)\n end.join(\"|\")})$/",
"render_path": null,
"location": {
"type": "method",
"class": "Mastodon::CLI::Domains",
"method": "crawl"
},
"user_input": "DomainBlock.where(:severity => 1).pluck(:domain)",
"confidence": "Weak",
"cwe_id": [
20,
185
],
"note": ""
},
{ {
"warning_type": "Mass Assignment", "warning_type": "Mass Assignment",
"warning_code": 105, "warning_code": 105,
@ -148,6 +172,29 @@
], ],
"note": "" "note": ""
}, },
{
"warning_type": "Mass Assignment",
"warning_code": 105,
"fingerprint": "b0dd0a26d24f5ede9713fe49210e9638be5f5548af9eee0b5a16fe9dbc80ffcd",
"check_name": "PermitAttributes",
"message": "Potentially dangerous key allowed for mass assignment",
"file": "app/controllers/api/v2/search_controller.rb",
"line": 42,
"link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
"code": "params.permit(:type, :offset, :min_id, :max_id, :account_id, :following)",
"render_path": null,
"location": {
"type": "method",
"class": "Api::V2::SearchController",
"method": "search_params"
},
"user_input": ":account_id",
"confidence": "High",
"cwe_id": [
915
],
"note": ""
},
{ {
"warning_type": "Cross-Site Scripting", "warning_type": "Cross-Site Scripting",
"warning_code": 4, "warning_code": 4,
@ -205,6 +252,6 @@
"note": "" "note": ""
} }
], ],
"updated": "2023-07-05 14:34:42 -0400", "updated": "2023-07-08 14:48:58 -0400",
"brakeman_version": "5.4.1" "brakeman_version": "6.0.0"
} }