Run brakeman in GitHub Actions (#23713)

2023-07-11 09:23:57 -04:00 · 2023-07-11 09:23:57 -04:00 · e11032585b
commit e11032585b
parent 3aa153694e
5 changed files with 97 additions and 9 deletions
--- a/.github/workflows/bundler-audit.yml
+++ b/.github/workflows/bundler-audit.yml
@ -0,0 +1,40 @@
+name: Bundler Audit
+on:
+  push:
+    branches-ignore:
+      - 'dependabot/**'
+    paths:
+      - 'Gemfile*'
+      - '.ruby-version'
+      - '.bundler-audit.yml'
+      - '.github/workflows/bundler-audit.yml'
+
+  pull_request:
+    paths:
+      - 'Gemfile*'
+      - '.ruby-version'
+      - '.bundler-audit.yml'
+      - '.github/workflows/bundler-audit.yml'
+
+  schedule:
+    - cron: '0 5 * * 1'
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Clone repository
+        uses: actions/checkout@v3
+
+      - name: Install native Ruby dependencies
+        run: sudo apt-get install -y libicu-dev libidn11-dev
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: .ruby-version
+          bundler-cache: true
+
+      - name: Run bundler-audit
+        run: bundle exec bundler-audit
--- a/.github/workflows/lint-ruby.yml
+++ b/.github/workflows/lint-ruby.yml
@ -8,7 +8,7 @@ on:
      - 'Gemfile*'
      - '.rubocop*.yml'
      - '.ruby-version'
-      - '.bundler-audit.yml'
+      - 'config/brakeman.ignore'
      - '**/*.rb'
      - '**/*.rake'
      - '.github/workflows/lint-ruby.yml'
@ -18,7 +18,7 @@ on:
      - 'Gemfile*'
      - '.rubocop*.yml'
      - '.ruby-version'
-      - '.bundler-audit.yml'
+      - 'config/brakeman.ignore'
      - '**/*.rb'
      - '**/*.rake'
      - '.github/workflows/lint-ruby.yml'
@ -46,5 +46,6 @@ jobs:
      - name: Run rubocop
        run: bundle exec rubocop

-      - name: Run bundler-audit
-        run: bundle exec bundler-audit
+      - name: Run brakeman
+        if: always() # Run both checks, even if the first failed
+        run: bundle exec brakeman
--- a/2
+++ b/2
@ -158,7 +158,7 @@ group :development do
  gem 'letter_opener_web', '~> 2.0'

  # Security analysis CLI tools
-  gem 'brakeman', '~> 5.4', require: false
+  gem 'brakeman', '~> 6.0', require: false
  gem 'bundler-audit', '~> 0.9', require: false

  # Linter CLI for HAML files
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -130,7 +130,7 @@ GEM
    blurhash (0.1.7)
    bootsnap (1.16.0)
      msgpack (~> 1.2)
-    brakeman (5.4.1)
+    brakeman (6.0.0)
    browser (5.3.1)
    brpoplpush-redis_script (0.1.3)
      concurrent-ruby (~> 1.0, >= 1.0.5)
@ -765,7 +765,7 @@ DEPENDENCIES
  binding_of_caller (~> 1.0)
  blurhash (~> 0.1)
  bootsnap (~> 1.16.0)
-  brakeman (~> 5.4)
+  brakeman (~> 6.0)
  browser
  bundler-audit (~> 0.9)
  capistrano (~> 3.17)
--- a/config/brakeman.ignore
+++ b/config/brakeman.ignore
@ -102,6 +102,30 @@
      ],
      "note": ""
    },
+    {
+      "warning_type": "Denial of Service",
+      "warning_code": 76,
+      "fingerprint": "7b6abba5699755348e7ee82a4694bfbf574b41c7cce2d0db0f7c11ae3f983c72",
+      "check_name": "RegexDoS",
+      "message": "Model attribute used in regular expression",
+      "file": "lib/mastodon/cli/domains.rb",
+      "line": 128,
+      "link": "https://brakemanscanner.org/docs/warning_types/denial_of_service/",
+      "code": "/\\.?(#{DomainBlock.where(:severity => 1).pluck(:domain).map do\n Regexp.escape(domain)\n end.join(\"|\")})$/",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Mastodon::CLI::Domains",
+        "method": "crawl"
+      },
+      "user_input": "DomainBlock.where(:severity => 1).pluck(:domain)",
+      "confidence": "Weak",
+      "cwe_id": [
+        20,
+        185
+      ],
+      "note": ""
+    },
    {
      "warning_type": "Mass Assignment",
      "warning_code": 105,
@ -148,6 +172,29 @@
      ],
      "note": ""
    },
+    {
+      "warning_type": "Mass Assignment",
+      "warning_code": 105,
+      "fingerprint": "b0dd0a26d24f5ede9713fe49210e9638be5f5548af9eee0b5a16fe9dbc80ffcd",
+      "check_name": "PermitAttributes",
+      "message": "Potentially dangerous key allowed for mass assignment",
+      "file": "app/controllers/api/v2/search_controller.rb",
+      "line": 42,
+      "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
+      "code": "params.permit(:type, :offset, :min_id, :max_id, :account_id, :following)",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Api::V2::SearchController",
+        "method": "search_params"
+      },
+      "user_input": ":account_id",
+      "confidence": "High",
+      "cwe_id": [
+        915
+      ],
+      "note": ""
+    },
    {
      "warning_type": "Cross-Site Scripting",
      "warning_code": 4,
@ -205,6 +252,6 @@
      "note": ""
    }
  ],
-  "updated": "2023-07-05 14:34:42 -0400",
-  "brakeman_version": "5.4.1"
+  "updated": "2023-07-08 14:48:58 -0400",
+  "brakeman_version": "6.0.0"
 }