Home Explore Help
Sign In
SMusatov
/
sentry
mirror of https://github.com/getsentry/sentry
1
0
Fork 0
Files
Tree: cf7a13f8a2
Branches Tags
sentry
/
bin
/
scan

scan 2.8 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839 
  1. #!/bin/bash
    2. 

  2. 

  3. ignored=(
    4. 

  4.     # djangorestframework, installed 2.4.8, affected <3.1.1, id 25804
    5. 

  5.     # Description: Escape tab switching cookie name in browsable API.
    6. 

  6.     # Reason: We do not use the browsable API
    7. 

  7.     25804
    8. 

  8.     # django, installed 1.6.11, affected <1.7.11, id 25714
    9. 

  9.     # Description: The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.
    10. 

  10.     # Reason: We don't leverage this feature.
    11. 

  11.     25714
    12. 

  12.     # django, installed 1.6.11, affected <1.7.6, id 25715
    13. 

  13.     # Description: Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @property.
    14. 

  14.     # Reason: We don't leverage this feature.
    15. 

  15.     25715
    16. 

  16.     # django, installed 1.6.11, affected <1.8.10, id 33073
    17. 

  17.     # Description: The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com.
    18. 

  18.     # Reason: We have already patched around this and use our own `is_safe_url` function pulled from Django 1.10.
    19. 

  19.     33073
    20. 

  20.     # django, installed 1.6.11, affected <1.8.10, id 33074
    21. 

  21.     # Description: The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests
    22. 

  22.     # Reason: We don't leverage this feature, nor would a timing attack be viable due to rate limiting.
    23. 

  23.     33074
    24. 

  24.     # django, installed 1.6.11, affected <1.8.15, id 25718
    25. 

  25.     # Description: The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
    26. 

  26.     # Reason: We have backported the patch.
    27. 

  27.     25718
    28. 

  28.     # django, installed 1.6.11, affected >=1.5,<1.7, id 25725
    29. 

  29.     # Description: The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.
    30. 

  30.     # Reason: This does not apply to us with the cookie based session backend.
    31. 

  31.     25725
    32. 

  32. )
    33. 

  33. 

  34. args="--full-report"
    35. 

  35. for i in ${ignored[@]}; do
    36. 

  36.   args="$args --ignore=${i}"
    37. 

  37. done
    38. 

  38. 

  39. exec safety check ${args}
    40.