forked from fedi/mastodon
Run brakeman in GitHub Actions (#23713)
This commit is contained in:
parent
3aa153694e
commit
e11032585b
40
.github/workflows/bundler-audit.yml
vendored
Normal file
40
.github/workflows/bundler-audit.yml
vendored
Normal file
|
@ -0,0 +1,40 @@
|
||||||
|
name: Bundler Audit
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
branches-ignore:
|
||||||
|
- 'dependabot/**'
|
||||||
|
paths:
|
||||||
|
- 'Gemfile*'
|
||||||
|
- '.ruby-version'
|
||||||
|
- '.bundler-audit.yml'
|
||||||
|
- '.github/workflows/bundler-audit.yml'
|
||||||
|
|
||||||
|
pull_request:
|
||||||
|
paths:
|
||||||
|
- 'Gemfile*'
|
||||||
|
- '.ruby-version'
|
||||||
|
- '.bundler-audit.yml'
|
||||||
|
- '.github/workflows/bundler-audit.yml'
|
||||||
|
|
||||||
|
schedule:
|
||||||
|
- cron: '0 5 * * 1'
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
security:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: Clone repository
|
||||||
|
uses: actions/checkout@v3
|
||||||
|
|
||||||
|
- name: Install native Ruby dependencies
|
||||||
|
run: sudo apt-get install -y libicu-dev libidn11-dev
|
||||||
|
|
||||||
|
- name: Set up Ruby
|
||||||
|
uses: ruby/setup-ruby@v1
|
||||||
|
with:
|
||||||
|
ruby-version: .ruby-version
|
||||||
|
bundler-cache: true
|
||||||
|
|
||||||
|
- name: Run bundler-audit
|
||||||
|
run: bundle exec bundler-audit
|
9
.github/workflows/lint-ruby.yml
vendored
9
.github/workflows/lint-ruby.yml
vendored
|
@ -8,7 +8,7 @@ on:
|
||||||
- 'Gemfile*'
|
- 'Gemfile*'
|
||||||
- '.rubocop*.yml'
|
- '.rubocop*.yml'
|
||||||
- '.ruby-version'
|
- '.ruby-version'
|
||||||
- '.bundler-audit.yml'
|
- 'config/brakeman.ignore'
|
||||||
- '**/*.rb'
|
- '**/*.rb'
|
||||||
- '**/*.rake'
|
- '**/*.rake'
|
||||||
- '.github/workflows/lint-ruby.yml'
|
- '.github/workflows/lint-ruby.yml'
|
||||||
|
@ -18,7 +18,7 @@ on:
|
||||||
- 'Gemfile*'
|
- 'Gemfile*'
|
||||||
- '.rubocop*.yml'
|
- '.rubocop*.yml'
|
||||||
- '.ruby-version'
|
- '.ruby-version'
|
||||||
- '.bundler-audit.yml'
|
- 'config/brakeman.ignore'
|
||||||
- '**/*.rb'
|
- '**/*.rb'
|
||||||
- '**/*.rake'
|
- '**/*.rake'
|
||||||
- '.github/workflows/lint-ruby.yml'
|
- '.github/workflows/lint-ruby.yml'
|
||||||
|
@ -46,5 +46,6 @@ jobs:
|
||||||
- name: Run rubocop
|
- name: Run rubocop
|
||||||
run: bundle exec rubocop
|
run: bundle exec rubocop
|
||||||
|
|
||||||
- name: Run bundler-audit
|
- name: Run brakeman
|
||||||
run: bundle exec bundler-audit
|
if: always() # Run both checks, even if the first failed
|
||||||
|
run: bundle exec brakeman
|
||||||
|
|
2
Gemfile
2
Gemfile
|
@ -158,7 +158,7 @@ group :development do
|
||||||
gem 'letter_opener_web', '~> 2.0'
|
gem 'letter_opener_web', '~> 2.0'
|
||||||
|
|
||||||
# Security analysis CLI tools
|
# Security analysis CLI tools
|
||||||
gem 'brakeman', '~> 5.4', require: false
|
gem 'brakeman', '~> 6.0', require: false
|
||||||
gem 'bundler-audit', '~> 0.9', require: false
|
gem 'bundler-audit', '~> 0.9', require: false
|
||||||
|
|
||||||
# Linter CLI for HAML files
|
# Linter CLI for HAML files
|
||||||
|
|
|
@ -130,7 +130,7 @@ GEM
|
||||||
blurhash (0.1.7)
|
blurhash (0.1.7)
|
||||||
bootsnap (1.16.0)
|
bootsnap (1.16.0)
|
||||||
msgpack (~> 1.2)
|
msgpack (~> 1.2)
|
||||||
brakeman (5.4.1)
|
brakeman (6.0.0)
|
||||||
browser (5.3.1)
|
browser (5.3.1)
|
||||||
brpoplpush-redis_script (0.1.3)
|
brpoplpush-redis_script (0.1.3)
|
||||||
concurrent-ruby (~> 1.0, >= 1.0.5)
|
concurrent-ruby (~> 1.0, >= 1.0.5)
|
||||||
|
@ -765,7 +765,7 @@ DEPENDENCIES
|
||||||
binding_of_caller (~> 1.0)
|
binding_of_caller (~> 1.0)
|
||||||
blurhash (~> 0.1)
|
blurhash (~> 0.1)
|
||||||
bootsnap (~> 1.16.0)
|
bootsnap (~> 1.16.0)
|
||||||
brakeman (~> 5.4)
|
brakeman (~> 6.0)
|
||||||
browser
|
browser
|
||||||
bundler-audit (~> 0.9)
|
bundler-audit (~> 0.9)
|
||||||
capistrano (~> 3.17)
|
capistrano (~> 3.17)
|
||||||
|
|
|
@ -102,6 +102,30 @@
|
||||||
],
|
],
|
||||||
"note": ""
|
"note": ""
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"warning_type": "Denial of Service",
|
||||||
|
"warning_code": 76,
|
||||||
|
"fingerprint": "7b6abba5699755348e7ee82a4694bfbf574b41c7cce2d0db0f7c11ae3f983c72",
|
||||||
|
"check_name": "RegexDoS",
|
||||||
|
"message": "Model attribute used in regular expression",
|
||||||
|
"file": "lib/mastodon/cli/domains.rb",
|
||||||
|
"line": 128,
|
||||||
|
"link": "https://brakemanscanner.org/docs/warning_types/denial_of_service/",
|
||||||
|
"code": "/\\.?(#{DomainBlock.where(:severity => 1).pluck(:domain).map do\n Regexp.escape(domain)\n end.join(\"|\")})$/",
|
||||||
|
"render_path": null,
|
||||||
|
"location": {
|
||||||
|
"type": "method",
|
||||||
|
"class": "Mastodon::CLI::Domains",
|
||||||
|
"method": "crawl"
|
||||||
|
},
|
||||||
|
"user_input": "DomainBlock.where(:severity => 1).pluck(:domain)",
|
||||||
|
"confidence": "Weak",
|
||||||
|
"cwe_id": [
|
||||||
|
20,
|
||||||
|
185
|
||||||
|
],
|
||||||
|
"note": ""
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"warning_type": "Mass Assignment",
|
"warning_type": "Mass Assignment",
|
||||||
"warning_code": 105,
|
"warning_code": 105,
|
||||||
|
@ -148,6 +172,29 @@
|
||||||
],
|
],
|
||||||
"note": ""
|
"note": ""
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"warning_type": "Mass Assignment",
|
||||||
|
"warning_code": 105,
|
||||||
|
"fingerprint": "b0dd0a26d24f5ede9713fe49210e9638be5f5548af9eee0b5a16fe9dbc80ffcd",
|
||||||
|
"check_name": "PermitAttributes",
|
||||||
|
"message": "Potentially dangerous key allowed for mass assignment",
|
||||||
|
"file": "app/controllers/api/v2/search_controller.rb",
|
||||||
|
"line": 42,
|
||||||
|
"link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
|
||||||
|
"code": "params.permit(:type, :offset, :min_id, :max_id, :account_id, :following)",
|
||||||
|
"render_path": null,
|
||||||
|
"location": {
|
||||||
|
"type": "method",
|
||||||
|
"class": "Api::V2::SearchController",
|
||||||
|
"method": "search_params"
|
||||||
|
},
|
||||||
|
"user_input": ":account_id",
|
||||||
|
"confidence": "High",
|
||||||
|
"cwe_id": [
|
||||||
|
915
|
||||||
|
],
|
||||||
|
"note": ""
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"warning_type": "Cross-Site Scripting",
|
"warning_type": "Cross-Site Scripting",
|
||||||
"warning_code": 4,
|
"warning_code": 4,
|
||||||
|
@ -205,6 +252,6 @@
|
||||||
"note": ""
|
"note": ""
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"updated": "2023-07-05 14:34:42 -0400",
|
"updated": "2023-07-08 14:48:58 -0400",
|
||||||
"brakeman_version": "5.4.1"
|
"brakeman_version": "6.0.0"
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue