From e11032585b68dde7119c667c3ef7c2438f285c17 Mon Sep 17 00:00:00 2001 From: Nick Schonning Date: Tue, 11 Jul 2023 09:23:57 -0400 Subject: [PATCH] Run brakeman in GitHub Actions (#23713) --- .github/workflows/bundler-audit.yml | 40 ++++++++++++++++++++++ .github/workflows/lint-ruby.yml | 9 ++--- Gemfile | 2 +- Gemfile.lock | 4 +-- config/brakeman.ignore | 51 +++++++++++++++++++++++++++-- 5 files changed, 97 insertions(+), 9 deletions(-) create mode 100644 .github/workflows/bundler-audit.yml diff --git a/.github/workflows/bundler-audit.yml b/.github/workflows/bundler-audit.yml new file mode 100644 index 0000000000..6c4869f12d --- /dev/null +++ b/.github/workflows/bundler-audit.yml @@ -0,0 +1,40 @@ +name: Bundler Audit +on: + push: + branches-ignore: + - 'dependabot/**' + paths: + - 'Gemfile*' + - '.ruby-version' + - '.bundler-audit.yml' + - '.github/workflows/bundler-audit.yml' + + pull_request: + paths: + - 'Gemfile*' + - '.ruby-version' + - '.bundler-audit.yml' + - '.github/workflows/bundler-audit.yml' + + schedule: + - cron: '0 5 * * 1' + +jobs: + security: + runs-on: ubuntu-latest + + steps: + - name: Clone repository + uses: actions/checkout@v3 + + - name: Install native Ruby dependencies + run: sudo apt-get install -y libicu-dev libidn11-dev + + - name: Set up Ruby + uses: ruby/setup-ruby@v1 + with: + ruby-version: .ruby-version + bundler-cache: true + + - name: Run bundler-audit + run: bundle exec bundler-audit diff --git a/.github/workflows/lint-ruby.yml b/.github/workflows/lint-ruby.yml index 0395c8639f..c898b26325 100644 --- a/.github/workflows/lint-ruby.yml +++ b/.github/workflows/lint-ruby.yml @@ -8,7 +8,7 @@ on: - 'Gemfile*' - '.rubocop*.yml' - '.ruby-version' - - '.bundler-audit.yml' + - 'config/brakeman.ignore' - '**/*.rb' - '**/*.rake' - '.github/workflows/lint-ruby.yml' @@ -18,7 +18,7 @@ on: - 'Gemfile*' - '.rubocop*.yml' - '.ruby-version' - - '.bundler-audit.yml' + - 'config/brakeman.ignore' - '**/*.rb' - '**/*.rake' - '.github/workflows/lint-ruby.yml' @@ -46,5 +46,6 @@ jobs: - name: Run rubocop run: bundle exec rubocop - - name: Run bundler-audit - run: bundle exec bundler-audit + - name: Run brakeman + if: always() # Run both checks, even if the first failed + run: bundle exec brakeman diff --git a/Gemfile b/Gemfile index 24cb43e657..61b9588e4e 100644 --- a/Gemfile +++ b/Gemfile @@ -158,7 +158,7 @@ group :development do gem 'letter_opener_web', '~> 2.0' # Security analysis CLI tools - gem 'brakeman', '~> 5.4', require: false + gem 'brakeman', '~> 6.0', require: false gem 'bundler-audit', '~> 0.9', require: false # Linter CLI for HAML files diff --git a/Gemfile.lock b/Gemfile.lock index 9bd708d61e..29adaf9cff 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -130,7 +130,7 @@ GEM blurhash (0.1.7) bootsnap (1.16.0) msgpack (~> 1.2) - brakeman (5.4.1) + brakeman (6.0.0) browser (5.3.1) brpoplpush-redis_script (0.1.3) concurrent-ruby (~> 1.0, >= 1.0.5) @@ -765,7 +765,7 @@ DEPENDENCIES binding_of_caller (~> 1.0) blurhash (~> 0.1) bootsnap (~> 1.16.0) - brakeman (~> 5.4) + brakeman (~> 6.0) browser bundler-audit (~> 0.9) capistrano (~> 3.17) diff --git a/config/brakeman.ignore b/config/brakeman.ignore index d89591cfe6..93bee64af2 100644 --- a/config/brakeman.ignore +++ b/config/brakeman.ignore @@ -102,6 +102,30 @@ ], "note": "" }, + { + "warning_type": "Denial of Service", + "warning_code": 76, + "fingerprint": "7b6abba5699755348e7ee82a4694bfbf574b41c7cce2d0db0f7c11ae3f983c72", + "check_name": "RegexDoS", + "message": "Model attribute used in regular expression", + "file": "lib/mastodon/cli/domains.rb", + "line": 128, + "link": "https://brakemanscanner.org/docs/warning_types/denial_of_service/", + "code": "/\\.?(#{DomainBlock.where(:severity => 1).pluck(:domain).map do\n Regexp.escape(domain)\n end.join(\"|\")})$/", + "render_path": null, + "location": { + "type": "method", + "class": "Mastodon::CLI::Domains", + "method": "crawl" + }, + "user_input": "DomainBlock.where(:severity => 1).pluck(:domain)", + "confidence": "Weak", + "cwe_id": [ + 20, + 185 + ], + "note": "" + }, { "warning_type": "Mass Assignment", "warning_code": 105, @@ -148,6 +172,29 @@ ], "note": "" }, + { + "warning_type": "Mass Assignment", + "warning_code": 105, + "fingerprint": "b0dd0a26d24f5ede9713fe49210e9638be5f5548af9eee0b5a16fe9dbc80ffcd", + "check_name": "PermitAttributes", + "message": "Potentially dangerous key allowed for mass assignment", + "file": "app/controllers/api/v2/search_controller.rb", + "line": 42, + "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/", + "code": "params.permit(:type, :offset, :min_id, :max_id, :account_id, :following)", + "render_path": null, + "location": { + "type": "method", + "class": "Api::V2::SearchController", + "method": "search_params" + }, + "user_input": ":account_id", + "confidence": "High", + "cwe_id": [ + 915 + ], + "note": "" + }, { "warning_type": "Cross-Site Scripting", "warning_code": 4, @@ -205,6 +252,6 @@ "note": "" } ], - "updated": "2023-07-05 14:34:42 -0400", - "brakeman_version": "5.4.1" + "updated": "2023-07-08 14:48:58 -0400", + "brakeman_version": "6.0.0" }