mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-15 20:05:13 +02:00
1bbe4b1cfb
* chore: Exclude CLAUDE.md from Cargo.toml * feat: add callgraph module and integrate into main analysis flow * feat: enhance CLI with new severity filtering and analysis modes * feat: update CHANGELOG with recent enhancements and fixes to severity filtering and output handling * feat: implement state-model dataflow analysis for resource lifecycle and auth state * feat: enhance diagnostic output formatting and add evidence structure * feat: implement attack surface ranking for diagnostics with scoring and sorting * feat: add comprehensive documentation for installation, usage, and rules reference * feat: add multiple language support for command execution and evaluation endpoints * feat: implement inline suppression for findings using `nyx:ignore` comments * feat: add confidence levels to AST patterns and update output structure * feat: implement low-noise prioritization system with category filtering, rollup grouping, and configurable budgets * feat: bump version to 0.4.0 and update changelog with new features and improvements * feat: add dead code allowances to various functions in mod.rs and real_world_tests.rs
38 lines
811 B
JSON
38 lines
811 B
JSON
{
|
|
"description": "Unsafe constantize on user-controlled class name enabling arbitrary class instantiation",
|
|
"tags": [
|
|
"taint",
|
|
"reflect",
|
|
"constantize",
|
|
"sinatra",
|
|
"ruby"
|
|
],
|
|
"modes": [
|
|
"full",
|
|
"ast"
|
|
],
|
|
"expected": [
|
|
{
|
|
"rule_id": "rb.reflection.constantize",
|
|
"severity": null,
|
|
"must_match": true,
|
|
"line_range": [
|
|
3,
|
|
7
|
|
],
|
|
"evidence_contains": [],
|
|
"notes": "constantize on user input allows instantiation of arbitrary classes"
|
|
},
|
|
{
|
|
"rule_id": "taint-unsanitised-flow",
|
|
"severity": null,
|
|
"must_match": false,
|
|
"line_range": [
|
|
2,
|
|
8
|
|
],
|
|
"evidence_contains": [],
|
|
"notes": "params[:type] flows into constantize - aspirational taint finding"
|
|
}
|
|
]
|
|
}
|