authorValery Sizov <vsv2711@gmail.com>2015-03-11 14:50:06 +0200
committerValery Sizov <vsv2711@gmail.com>2015-03-11 14:50:06 +0200
commit9993a749d0e9f753aa7ecd4590260c1730c319a1 (patch)
tree92e641649c49fe65b725f1e236e2ea120bf8b87a
parent1c10220fa8bb519c97e6aea1af9620ac38c8a285 (diff)
downloadgitlab-ci-9993a749d0e9f753aa7ecd4590260c1730c319a1.tar.gz
Adding brakeman
-rw-r--r--CHANGELOG1
-rw-r--r--Gemfile1
-rw-r--r--Gemfile.lock22
-rw-r--r--app/controllers/builds_controller.rb2
-rw-r--r--config/application.rb4
-rw-r--r--lib/tasks/brakeman.rake9
6 files changed, 34 insertions, 5 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 33f4087..dcd3f51 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -8,6 +8,7 @@ v7.9.0
- Add scroll up/down buttons for better mobile experience with large build traces
- Add runner last contact (Kamil Trzciński)
- Allow to pause runners - when paused runner will not receive any new build (Kamil Trzciński)
+ - Add brakeman (security scanner for Ruby on Rails)
v7.8.2
- Fix the broken build failed email
diff --git a/Gemfile b/Gemfile
index 1b48144..73c6940 100644
--- a/Gemfile
+++ b/Gemfile
@@ -83,6 +83,7 @@ gem 'nprogress-rails'
group :development do
+ gem 'brakeman', require: false
gem 'rack-mini-profiler', require: false
gem 'annotate'
gem 'quiet_assets'
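Review bot: brakeman is added only to the `:development` group, so a bundle installed with `--without development` (the usual CI or production setup) will not have the `brakeman` executable that the new `rake brakeman` task in this commit shells out to; if the scan is meant to run in CI, put it in a group that CI installs, e.g. `group :development, :test do`. The gem also carries no version constraint here, so the scanner's rule set can change silently on the next `bundle update`; `gem 'brakeman', '~> 3.0', require: false` keeps it on the major version that was evaluated.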
diff --git a/Gemfile.lock b/Gemfile.lock
index 7948015..ef2a25c 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -47,6 +47,16 @@ GEM
ice_nine (~> 0.9)
bootstrap-sass (3.0.3.0)
sass (~> 3.2)
+ brakeman (3.0.2)
+ erubis (~> 2.6)
+ fastercsv (~> 1.5)
+ haml (>= 3.0, < 5.0)
+ highline (~> 1.6.20)
+ multi_json (~> 1.2)
+ ruby2ruby (~> 2.1.1)
+ ruby_parser (~> 3.6.2)
+ sass (~> 3.0)
+ terminal-table (~> 1.4)
builder (3.2.2)
byebug (3.2.0)
columnize (~> 0.8)
@@ -102,6 +112,7 @@ GEM
railties (>= 3.0.0)
faraday (0.9.1)
multipart-post (>= 1.2, < 3)
+ fastercsv (1.5.5)
ffaker (1.22.1)
ffi (1.9.3)
font-awesome-rails (3.2.1.3)
@@ -142,6 +153,7 @@ GEM
haml (>= 3.1, < 5.0)
railties (>= 4.0.1)
hashie (2.0.5)
+ highline (1.6.21)
hike (1.2.3)
httparty (0.11.0)
multi_json (~> 1.0)
@@ -176,7 +188,7 @@ GEM
mime-types (2.4.3)
mini_portile (0.5.2)
minitest (5.5.1)
- multi_json (1.10.1)
+ multi_json (1.11.0)
multi_xml (0.5.5)
multipart-post (2.0.0)
mysql2 (0.3.14)
@@ -267,6 +279,11 @@ GEM
rainbow (>= 1.99.1, < 3.0)
ruby-progressbar (~> 1.4)
ruby-progressbar (1.7.1)
+ ruby2ruby (2.1.3)
+ ruby_parser (~> 3.1)
+ sexp_processor (~> 4.0)
+ ruby_parser (3.6.4)
+ sexp_processor (~> 4.1)
safe_yaml (0.9.7)
sass (3.2.19)
sass-rails (4.0.3)
@@ -275,6 +292,7 @@ GEM
sprockets (~> 2.8, <= 2.11.0)
sprockets-rails (~> 2.0)
settingslogic (2.0.9)
+ sexp_processor (4.5.0)
shoulda-matchers (2.4.0)
activesupport (>= 3.0.0)
sidekiq (2.17.0)
@@ -314,6 +332,7 @@ GEM
temple (0.6.7)
term-ansicolor (1.2.2)
tins (~> 0.8)
+ terminal-table (1.4.5)
therubyracer (0.12.0)
libv8 (~> 3.16.14.0)
ref
@@ -357,6 +376,7 @@ DEPENDENCIES
acts-as-taggable-on (~> 3.4)
annotate
bootstrap-sass (~> 3.0)
+ brakeman
byebug
capybara
coffee-rails (~> 4.0.0)
diff --git a/app/controllers/builds_controller.rb b/app/controllers/builds_controller.rb
index 324aa4e..c8cb69f 100644
--- a/app/controllers/builds_controller.rb
+++ b/app/controllers/builds_controller.rb
@@ -41,7 +41,7 @@ class BuildsController < ApplicationController
build = Build.retry(@build)
if params[:return_to]
- redirect_to params[:return_to]
+ redirect_to URI.parse(params[:return_to]).path
else
redirect_to project_build_path(project, build)
end
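Review bot: The new `URI.parse(params[:return_to]).path` on the changed line raises `URI::InvalidURIError` for any malformed value (a space or an unescaped `"` is enough), which turns a crafted link into a 500 instead of a rejected redirect. It also only narrows the value, it does not validate it: `.path` is an empty string for inputs like `http://example.com`, and for `////example.com` it is `//example.com`, which as far as I can tell Rails' `redirect_to` treats as a protocol-relative absolute URL and passes through unchanged, so the open redirect Brakeman flagged is not fully closed. I would parse under a rescue and only follow a non-empty path that starts with a single `/`, falling back to `project_build_path` otherwise. The enclosing action starts before the hunk.
```ruby
    build = Build.retry(@build)
    return_to = begin
      URI.parse(params[:return_to].to_s).path
    rescue URI::InvalidURIError
      nil
    end
    # Only follow a same-origin absolute path; "//host/..." is protocol-relative and would leave the site.
    if return_to.present? && return_to.start_with?('/') && !return_to.start_with?('//')
      redirect_to return_to
    else
      redirect_to project_build_path(project, build)
    end
```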
diff --git a/config/application.rb b/config/application.rb
index ba0da4b..e2cea6b 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -45,14 +45,12 @@ module GitlabCi
# This will create an empty whitelist of attributes available for mass-assignment for all models
# in your app. As such, your models will need to explicitly whitelist or blacklist accessible
# parameters by using an attr_accessible or attr_protected declaration.
- config.active_record.whitelist_attributes = true
+ config.active_record.whitelist_attributes = false
# Enable the asset pipeline
config.assets.enabled = true
# Version of your assets, change this if you want to expire all your assets
config.assets.version = '1.0'
-
- config.active_record.whitelist_attributes = false
end
end
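Review bot: The three-line comment kept directly above the changed line still describes `whitelist_attributes = true` ("This will create an empty whitelist ... models will need to explicitly whitelist"), but the line now sets it to `false`, so the comment states the opposite of what the configuration does. Since this commit also passes `-x ModelAttributes` to Brakeman in lib/tasks/brakeman.rake, the scanner will never report this setting, which makes an accurate comment the only place a reader learns mass-assignment whitelisting is off. I would replace those three lines with `# Mass-assignment whitelisting (attr_accessible) is disabled for all models; Brakeman's ModelAttributes check is skipped in lib/tasks/brakeman.rake for this reason.` If this setting is only meaningful with the protected_attributes gem, that is worth stating too, but I cannot confirm from this hunk which mass-assignment mechanism the app relies on.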
diff --git a/lib/tasks/brakeman.rake b/lib/tasks/brakeman.rake
new file mode 100644
index 0000000..c97efff
--- /dev/null
+++ b/lib/tasks/brakeman.rake
@@ -0,0 +1,9 @@
+desc 'Security check via brakeman'
+ task :brakeman do
+ if system("brakeman --skip-files lib/upgrader.rb -w3 -z -x ModelAttributes")
+ exit 0
+ else
+ puts 'Security check failed'
+ exit 1
+ end
+end
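Review bot: `exit 0` on the success branch terminates the whole rake process, so `brakeman` cannot be chained with other tasks (`rake brakeman spec` would stop after the scan), and `system` returns `nil` when the `brakeman` binary cannot be executed at all, which the `else` branch then reports as "Security check failed" rather than as a missing tool. Both are covered by collapsing the task body to one line: `abort 'Security check failed' unless system('brakeman', '--skip-files', 'lib/upgrader.rb', '-w3', '-z', '-x', 'ModelAttributes')`, which exits non-zero on a failed or un-runnable scan and lets a clean scan fall through. The scope reductions on that command line deserve a comment stating why: `-w3` drops every medium- and weak-confidence finding, `--skip-files lib/upgrader.rb` excludes a file from scanning, and `-x ModelAttributes` silences the mass-assignment check, none of which is explained here. The `task :brakeman do` line is also indented one space deeper than its `desc` and `end`.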