Commit d874c821 authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Merge branch 'brakeman' into 'master'

Add Brakeman - Static analysis security scanner for Ruby on Rails

See merge request !1616
parents 704d21f5 f850cff4
......@@ -15,6 +15,7 @@ v 7.9.0 (unreleased)
- Fix mass-unassignment of issues (Robert Speicher)
- Allow user confirmation to be skipped for new users via API
- Add a service to send updates to an Irker gateway (Romain Coltel)
- Add brakeman (security scanner for Ruby on Rails)
v 7.8.1
- Fix run of custom post receive hooks
......
......@@ -199,6 +199,7 @@ gem "virtus"
gem 'addressable'
group :development do
gem 'brakeman', require: false
gem "annotate", "~> 2.6.0.beta2"
gem "letter_opener"
gem 'quiet_assets', '~> 1.0.1'
......
......@@ -63,6 +63,16 @@ GEM
bootstrap-sass (3.3.3)
autoprefixer-rails (>= 5.0.0.1)
sass (>= 3.2.19)
brakeman (3.0.1)
erubis (~> 2.6)
fastercsv (~> 1.5)
haml (>= 3.0, < 5.0)
highline (~> 1.6.20)
multi_json (~> 1.2)
ruby2ruby (~> 2.1.1)
ruby_parser (~> 3.5.0)
sass (~> 3.0)
terminal-table (~> 1.4)
browser (0.7.2)
builder (3.2.2)
byebug (3.2.0)
......@@ -154,6 +164,7 @@ GEM
multipart-post (~> 1.2.0)
faraday_middleware (0.9.0)
faraday (>= 0.7.4, < 0.9)
fastercsv (1.5.5)
ffaker (1.22.1)
ffi (1.9.3)
fog (1.21.0)
......@@ -258,6 +269,7 @@ GEM
haml (>= 3.1, < 5.0)
railties (>= 4.0.1)
hashie (2.1.2)
highline (1.6.21)
hike (1.2.3)
hipchat (1.4.0)
httparty
......@@ -496,6 +508,11 @@ GEM
rainbow (>= 1.99.1, < 3.0)
ruby-progressbar (~> 1.4)
ruby-progressbar (1.7.1)
ruby2ruby (2.1.3)
ruby_parser (~> 3.1)
sexp_processor (~> 4.0)
ruby_parser (3.5.0)
sexp_processor (~> 4.1)
rubyntlm (0.4.0)
rubypants (0.2.0)
rugged (0.21.4)
......@@ -521,6 +538,7 @@ GEM
select2-rails (3.5.2)
thor (~> 0.14)
settingslogic (2.0.9)
sexp_processor (4.4.5)
shoulda-matchers (2.7.0)
activesupport (>= 3.0.0)
sidekiq (3.3.0)
......@@ -572,6 +590,7 @@ GEM
temple (0.6.7)
term-ansicolor (1.2.2)
tins (~> 0.8)
terminal-table (1.4.5)
test_after_commit (0.2.2)
therubyracer (0.12.0)
libv8 (~> 3.16.14.0)
......@@ -651,6 +670,7 @@ DEPENDENCIES
better_errors
binding_of_caller
bootstrap-sass (~> 3.0)
brakeman
browser
byebug
cal-heatmap-rails (~> 0.0.1)
......
......@@ -26,7 +26,7 @@ class Projects::ImportsController < Projects::ApplicationController
def show
unless @project.import_in_progress?
if @project.import_finished?
redirect_to(@project) and return
redirect_to(project_path(@project)) and return
else
redirect_to new_namespace_project_import_path(@project.namespace,
@project) && return
......
......@@ -15,15 +15,9 @@ class Projects::TeamMembersController < Projects::ApplicationController
def create
users = User.where(id: params[:user_ids].split(','))
@project.team << [users, params[:access_level]]
if params[:redirect_to]
redirect_to params[:redirect_to]
else
redirect_to namespace_project_team_index_path(@project.namespace,
@project)
end
redirect_to namespace_project_team_index_path(@project.namespace, @project)
end
def update
......
......@@ -97,7 +97,7 @@ class Projects::WikisController < Projects::ApplicationController
@project_wiki.wiki
rescue ProjectWiki::CouldNotCreateWikiError => ex
flash[:notice] = "Could not create Wiki Repository at this time. Please try again later."
redirect_to @project
redirect_to project_path(@project)
return false
end
......
......@@ -3,22 +3,53 @@ class UploadsController < ApplicationController
before_filter :authorize_access
def show
model = params[:model].camelize.constantize.find(params[:id])
uploader = model.send(params[:mounted_as])
unless upload_model && upload_mount
return not_found!
end
return not_found! if model.respond_to?(:project) && !can?(current_user, :read_project, model.project)
model = upload_model.find(params[:id])
uploader = model.send(upload_mount)
return redirect_to uploader.url unless uploader.file_storage?
if model.respond_to?(:project) && !can?(current_user, :read_project, model.project)
return not_found!
end
return not_found! unless uploader.file.exists?
unless uploader.file_storage?
return redirect_to uploader.url
end
unless uploader.file.exists?
return not_found!
end
disposition = uploader.image? ? 'inline' : 'attachment'
send_file uploader.file.path, disposition: disposition
end
private
def authorize_access
unless params[:mounted_as] == 'avatar'
authenticate_user! && reject_blocked!
end
end
def upload_model
upload_models = {
user: User,
project: Project,
note: Note,
group: Group
}
upload_models[params[:model].to_sym]
end
def upload_mount
upload_mounts = %w(avatar attachment file)
if upload_mounts.include?(params[:mounted_as])
params[:mounted_as]
end
end
end
......@@ -37,7 +37,10 @@ bundle install --deployment --path vendor/bundle (Setup)
cp config/gitlab.yml.example config/gitlab.yml (Setup)
bundle exec rake db:create (Setup)
bundle exec rake spinach (Thread #1)
bundle exec rake spec (Thread #2)
bundle exec rake spec (thread #2)
bundle exec rake rubocop (thread #3)
bundle exec rake brakeman (thread #4)
bundle exec rake jasmine:ci (thread #5)
```
Use rubygems mirror.
desc 'Security check via brakeman'
task :brakeman do
if system("brakeman --skip-files lib/backup/repository.rb -w3 -z")
exit 0
else
puts 'Security check failed'
exit 1
end
end
......@@ -9,5 +9,5 @@ unless Rails.env.production?
require 'coveralls/rake/task'
Coveralls::RakeTask.new
desc "GITLAB | Run all tests on CI with simplecov"
task :test_ci => [:rubocop, :spinach, :spec, 'coveralls:push']
task :test_ci => [:rubocop, :brakeman, 'jasmine:ci', :spinach, :spec, 'coveralls:push']
end
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment