brakeman-lib 4.10.0 → 4.10.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0b264d50410107be24af470596fa3b5511eb8f174707f571f9884a6aea932d87
-  data.tar.gz: 4a8ab18c5e077e4b192ea52db29b52c7dd6006f66163862f0d4b1fd9973ba366
+  metadata.gz: 9433874563193068795eb4d4a90dd176132b04130cf68a9689753caff3c9df1e
+  data.tar.gz: 19e73894774e624624edecd48c28dd53aa4da68e7482afe272fec48398551040
 SHA512:
-  metadata.gz: 524c94b3b25e13273dea5707e315fde68fe5ad984433e3c0a11674bc7baf1c133a9e4becc528fabb092536ba9b5d02f05714dd10dd32014067cff8e301c37096
-  data.tar.gz: 349db7828699760d574a0534f21361eee617454647033f27ed7440e16a9ef38b7807f76b62fbd62fd1746d024c70a557f3d3fa5970cc390f3e92eaf3ca004f0c
+  metadata.gz: fbbd606baa82361d62752a44a0c3a095083d8e3b89c213cad7e8bdc97341a7fd09c3973c80c50d58349dc5bc9e98fe2ca390710d2419636a81f40d6dd75add6f
+  data.tar.gz: 89331cbf5168e088bdac777e65b3ee4cbe3244792f64f3c13db084e00db0fc3ebf792801d7c1f7fcc2b3c929cafd83e27381ecd03550d69b761cb94cf228856b

data/CHANGES.md

@@ -1,3 +1,11 @@
+# 4.10.1 - 2020-12-24
+
+* Declare REXML as a dependency (Ruby 3.0 compatibility)
+* Use `Sexp#sexp_body` instead of `Sexp#[..]` (Ruby 3.0 compatibility)
+* Prevent render loops when template names are absolute paths
+* Ensure RubyParser is passed file path as a String
+* Support new Haml 5.2.0 escaping method
+
 # 4.10.0 - 2020-09-28
 
 * Add SARIF report format (Steve Winton)

data/lib/brakeman/checks/check_execute.rb

@@ -208,7 +208,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
       if node_type? e, :if
         # If we're in a conditional, evaluate the `then` and `else` clauses to
         # see if they're dangerous.
-        if res = dangerous?(e.values[1..-1])
+        if res = dangerous?(e.sexp_body.sexp_body)
           return res
         end
       elsif node_type? e, :or, :evstr, :dstr

data/lib/brakeman/checks/check_regex_dos.rb

@@ -29,7 +29,7 @@ class Brakeman::CheckRegexDoS < Brakeman::BaseCheck
     return unless original? result
 
     call = result[:call]
-    components = call[1..-1]
+    components = call.sexp_body
 
     components.any? do |component|
       next unless sexp? component

data/lib/brakeman/file_parser.rb

@@ -33,7 +33,12 @@ module Brakeman
       end
     end
 
+    # _path_ can be a string or a Brakeman::FilePath
     def parse_ruby input, path
+      if path.is_a? Brakeman::FilePath
+        path = path.relative
+      end
+
       begin
         Brakeman.debug "Parsing #{path}"
         RubyParser.new.parse input, path, @timeout

data/lib/brakeman/processors/alias_processor.rb

@@ -236,7 +236,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         env[target_var] = target
         return target
       elsif string? target and string_interp? first_arg
-        exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg[2..-1])
+        exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg.sexp_body(2))
         env[target_var] = exp
       elsif string? first_arg and string_interp? target
         if string? target.last
@@ -941,7 +941,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     args = exp.args
     exp.pop # remove last arg
     if args.length > 1
-      exp.arglist = args[1..-1]
+      exp.arglist = args.sexp_body
     end
   end
 

data/lib/brakeman/processors/controller_processor.rb

@@ -202,7 +202,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     end
 
     if node_type? exp.block, :block
-      block_inner = exp.block[1..-1]
+      block_inner = exp.block.sexp_body
     else
       block_inner = [exp.block]
     end

data/lib/brakeman/processors/haml_template_processor.rb

@@ -76,6 +76,13 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     end
   end
 
+  ESCAPE_METHODS = [
+    :html_escape,
+    :html_escape_without_haml_xss,
+    :escape_once,
+    :escape_once_without_haml_xss
+  ]
+
   def get_pushed_value exp, default = :output
     return exp unless sexp? exp
 
@@ -105,7 +112,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     when :call
       if exp.method == :to_s or exp.method == :strip
         get_pushed_value(exp.target, default)
-      elsif haml_helpers? exp.target and exp.method == :html_escape
+      elsif haml_helpers? exp.target and ESCAPE_METHODS.include? exp.method
         get_pushed_value(exp.first_arg, :escaped_output)
       elsif @javascript and (exp.method == :j or exp.method == :escape_javascript) # TODO: Remove - this is not safe
         get_pushed_value(exp.first_arg, :escaped_output)

data/lib/brakeman/processors/output_processor.rb

@@ -88,7 +88,7 @@ class Brakeman::OutputProcessor < Ruby2Ruby
 
   def process_iter exp
     call = process exp[1]
-    block = process_rlist exp[3..-1]
+    block = process_rlist exp.sexp_body(3)
     out = "#{call} do\n #{block}\n end"
 
     out

data/lib/brakeman/processors/template_alias_processor.rb

@@ -20,6 +20,11 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
 
   #Process template
   def process_template name, args, _, line = nil
+    # Strip forward slash from beginning of template path.
+    # This also happens in RenderHelper#process_template but
+    # we need it here too to accurately avoid circular renders below.
+    name = name.to_s.gsub(/^\//, "")
+
     if @called_from
       if @called_from.include_template? name
         Brakeman.debug "Skipping circular render from #{@template.name} to #{name}"

data/lib/brakeman/tracker/controller.rb

@@ -125,7 +125,7 @@ module Brakeman
         value = args[-1][2]
         case value.node_type
         when :array
-          filter[option] = value[1..-1].map {|v| v[1] }
+          filter[option] = value.sexp_body.map {|v| v[1] }
         when :lit, :str
           filter[option] = value[1]
         else

data/lib/brakeman/util.rb

@@ -321,7 +321,7 @@ module Brakeman::Util
       if node_type? current, :class
         return true
       elsif sexp? current
-        todo = current[1..-1].concat todo
+        todo = current.sexp_body.concat todo
       end
     end
 
@@ -334,7 +334,7 @@ module Brakeman::Util
     if args.empty? or args.first.empty?
       #nothing to do
     elsif node_type? args.first, :arglist
-      call.concat args.first[1..-1]
+      call.concat args.first.sexp_body
     elsif args.first.node_type.is_a? Sexp #just a list of args
       call.concat args.first
     else

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "4.10.0"
+  Version = "4.10.1"
 end

data/lib/ruby_parser/bm_sexp.rb

@@ -175,7 +175,7 @@ class Sexp
     start_index = 3
 
     if exp.is_a? Sexp and exp.node_type == :arglist
-      exp = exp[1..-1]
+      exp = exp.sexp_body
     end
 
     exp.each_with_index do |e, i|
@@ -198,10 +198,10 @@ class Sexp
 
     case self.node_type
     when :call, :attrasgn, :safe_call, :safe_attrasgn
-      self[3..-1].unshift :arglist
+      self.sexp_body(3).unshift :arglist
     when :super, :zsuper
       if self[1]
-        self[1..-1].unshift :arglist
+        self.sexp_body.unshift :arglist
       else
         Sexp.new(:arglist)
       end
@@ -218,13 +218,13 @@ class Sexp
     case self.node_type
     when :call, :attrasgn, :safe_call, :safe_attrasgn
       if self[3]
-        self[3..-1]
+        self.sexp_body(3)
       else
         Sexp.new
       end
     when :super, :zsuper
       if self[1]
-        self[1..-1]
+        self.sexp_body
       else
         Sexp.new
       end
@@ -512,7 +512,7 @@ class Sexp
     self.slice!(index..-1) #Remove old body
 
     if exp.first == :rlist
-      exp = exp[1..-1]
+      exp = exp.sexp_body
     end
 
     #Insert new body
@@ -529,11 +529,11 @@ class Sexp
 
     case self.node_type
     when :defn, :class
-      self[3..-1]
+      self.sexp_body(3)
     when :defs
-      self[4..-1]
+      self.sexp_body(4)
     when :module
-      self[2..-1]
+      self.sexp_body(2)
     end
   end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 4.10.0
+  version: 4.10.1
 platform: ruby
 authors:
 - Justin Collins
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-09-28 00:00:00.000000000 Z
+date: 2020-12-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -184,14 +184,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 5.1.0
+        version: '5.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 5.1.0
+        version: '5.1'
 - !ruby/object:Gem::Dependency
   name: slim
   requirement: !ruby/object:Gem::Requirement
@@ -212,6 +212,20 @@ dependencies:
     - - "<="
       - !ruby/object:Gem::Version
         version: '4.1'
+- !ruby/object:Gem::Dependency
+  name: rexml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
 description: Brakeman detects security vulnerabilities in Ruby on Rails applications
   via static analysis. This package declares gem dependencies instead of bundling
   them.
@@ -425,7 +439,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.2.2
 signing_key: 
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.