Run brakeman in GitHub Actions (#23713)

This commit is contained in:
Nick Schonning 2023-07-11 09:23:57 -04:00 committed by GitHub
parent 3aa153694e
commit e11032585b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 97 additions and 9 deletions

40
.github/workflows/bundler-audit.yml vendored Normal file
View File

@ -0,0 +1,40 @@
name: Bundler Audit
on:
push:
branches-ignore:
- 'dependabot/**'
paths:
- 'Gemfile*'
- '.ruby-version'
- '.bundler-audit.yml'
- '.github/workflows/bundler-audit.yml'
pull_request:
paths:
- 'Gemfile*'
- '.ruby-version'
- '.bundler-audit.yml'
- '.github/workflows/bundler-audit.yml'
schedule:
- cron: '0 5 * * 1'
jobs:
security:
runs-on: ubuntu-latest
steps:
- name: Clone repository
uses: actions/checkout@v3
- name: Install native Ruby dependencies
run: sudo apt-get install -y libicu-dev libidn11-dev
- name: Set up Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: .ruby-version
bundler-cache: true
- name: Run bundler-audit
run: bundle exec bundler-audit

View File

@ -8,7 +8,7 @@ on:
- 'Gemfile*'
- '.rubocop*.yml'
- '.ruby-version'
- '.bundler-audit.yml'
- 'config/brakeman.ignore'
- '**/*.rb'
- '**/*.rake'
- '.github/workflows/lint-ruby.yml'
@ -18,7 +18,7 @@ on:
- 'Gemfile*'
- '.rubocop*.yml'
- '.ruby-version'
- '.bundler-audit.yml'
- 'config/brakeman.ignore'
- '**/*.rb'
- '**/*.rake'
- '.github/workflows/lint-ruby.yml'
@ -46,5 +46,6 @@ jobs:
- name: Run rubocop
run: bundle exec rubocop
- name: Run bundler-audit
run: bundle exec bundler-audit
- name: Run brakeman
if: always() # Run both checks, even if the first failed
run: bundle exec brakeman

View File

@ -158,7 +158,7 @@ group :development do
gem 'letter_opener_web', '~> 2.0'
# Security analysis CLI tools
gem 'brakeman', '~> 5.4', require: false
gem 'brakeman', '~> 6.0', require: false
gem 'bundler-audit', '~> 0.9', require: false
# Linter CLI for HAML files

View File

@ -130,7 +130,7 @@ GEM
blurhash (0.1.7)
bootsnap (1.16.0)
msgpack (~> 1.2)
brakeman (5.4.1)
brakeman (6.0.0)
browser (5.3.1)
brpoplpush-redis_script (0.1.3)
concurrent-ruby (~> 1.0, >= 1.0.5)
@ -765,7 +765,7 @@ DEPENDENCIES
binding_of_caller (~> 1.0)
blurhash (~> 0.1)
bootsnap (~> 1.16.0)
brakeman (~> 5.4)
brakeman (~> 6.0)
browser
bundler-audit (~> 0.9)
capistrano (~> 3.17)

View File

@ -102,6 +102,30 @@
],
"note": ""
},
{
"warning_type": "Denial of Service",
"warning_code": 76,
"fingerprint": "7b6abba5699755348e7ee82a4694bfbf574b41c7cce2d0db0f7c11ae3f983c72",
"check_name": "RegexDoS",
"message": "Model attribute used in regular expression",
"file": "lib/mastodon/cli/domains.rb",
"line": 128,
"link": "https://brakemanscanner.org/docs/warning_types/denial_of_service/",
"code": "/\\.?(#{DomainBlock.where(:severity => 1).pluck(:domain).map do\n Regexp.escape(domain)\n end.join(\"|\")})$/",
"render_path": null,
"location": {
"type": "method",
"class": "Mastodon::CLI::Domains",
"method": "crawl"
},
"user_input": "DomainBlock.where(:severity => 1).pluck(:domain)",
"confidence": "Weak",
"cwe_id": [
20,
185
],
"note": ""
},
{
"warning_type": "Mass Assignment",
"warning_code": 105,
@ -148,6 +172,29 @@
],
"note": ""
},
{
"warning_type": "Mass Assignment",
"warning_code": 105,
"fingerprint": "b0dd0a26d24f5ede9713fe49210e9638be5f5548af9eee0b5a16fe9dbc80ffcd",
"check_name": "PermitAttributes",
"message": "Potentially dangerous key allowed for mass assignment",
"file": "app/controllers/api/v2/search_controller.rb",
"line": 42,
"link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
"code": "params.permit(:type, :offset, :min_id, :max_id, :account_id, :following)",
"render_path": null,
"location": {
"type": "method",
"class": "Api::V2::SearchController",
"method": "search_params"
},
"user_input": ":account_id",
"confidence": "High",
"cwe_id": [
915
],
"note": ""
},
{
"warning_type": "Cross-Site Scripting",
"warning_code": 4,
@ -205,6 +252,6 @@
"note": ""
}
],
"updated": "2023-07-05 14:34:42 -0400",
"brakeman_version": "5.4.1"
"updated": "2023-07-08 14:48:58 -0400",
"brakeman_version": "6.0.0"
}