brakeman-lib 4.10.0 → 5.0.2

data/lib/brakeman/tracker/controller.rb

@@ -125,7 +125,7 @@ module Brakeman
         value = args[-1][2]
         case value.node_type
         when :array
-          filter[option] = value[1..-1].map {|v| v[1] }
+          filter[option] = value.sexp_body.map {|v| v[1] }
         when :lit, :str
           filter[option] = value[1]
         else

data/lib/brakeman/tracker/method_info.rb

@@ -0,0 +1,29 @@
+require 'brakeman/util'
+
+module Brakeman
+  class MethodInfo
+    include Brakeman::Util
+
+    attr_reader :name, :src, :owner, :file, :type
+
+    def initialize name, src, owner, file
+      @name = name
+      @src = src
+      @owner = owner
+      @file = file
+      @type = case src.node_type
+              when :defn
+                :instance
+              when :defs
+                :class
+              else
+                raise "Expected sexp type: #{src.node_type}"
+              end
+    end
+
+    # To support legacy code that expected a Hash
+    def [] attr
+      self.send(attr)
+    end
+  end
+end

data/lib/brakeman/util.rb

@@ -142,6 +142,14 @@ module Brakeman::Util
     nil
   end
 
+  def hash_values hash
+    values = hash.each_sexp.each_slice(2).map do |_, value|
+      value
+    end
+
+    Sexp.new(:array).concat(values).line(hash.line)
+  end
+
   #These are never modified
   PARAMS_SEXP = Sexp.new(:params)
   SESSION_SEXP = Sexp.new(:session)
@@ -321,7 +329,7 @@ module Brakeman::Util
       if node_type? current, :class
         return true
       elsif sexp? current
-        todo = current[1..-1].concat todo
+        todo = current.sexp_body.concat todo
       end
     end
 
@@ -334,7 +342,7 @@ module Brakeman::Util
     if args.empty? or args.first.empty?
       #nothing to do
     elsif node_type? args.first, :arglist
-      call.concat args.first[1..-1]
+      call.concat args.first.sexp_body
     elsif args.first.node_type.is_a? Sexp #just a list of args
       call.concat args.first
     else
@@ -368,8 +376,13 @@ module Brakeman::Util
   #
   # views/test/something.html.erb -> test/something
   def template_path_to_name path
-    names = path.relative.split("/")
+    names = path.relative.split('/')
     names.last.gsub!(/(\.(html|js)\..*|\.(rhtml|haml|erb|slim))$/, '')
-    names[(names.index("views") + 1)..-1].join("/").to_sym
+
+    if names.include? 'views'
+      names[(names.index('views') + 1)..-1]
+    else
+      names
+    end.join('/').to_sym
   end
 end

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "4.10.0"
+  Version = "5.0.2"
 end

data/lib/brakeman/warning.rb

@@ -275,6 +275,14 @@ class Brakeman::Warning
     self.file.relative
   end
 
+  def check_name
+    @check_name ||= self.check.sub(/^Brakeman::Check/, '')
+  end
+
+  def confidence_name
+    TEXT_CONFIDENCE[self.confidence]
+  end
+
   def to_hash absolute_paths: true
     if self.called_from and not absolute_paths
       render_path = self.called_from.with_relative_paths
@@ -285,7 +293,7 @@ class Brakeman::Warning
     { :warning_type => self.warning_type,
       :warning_code => @warning_code,
       :fingerprint => self.fingerprint,
-      :check_name => self.check.gsub(/^Brakeman::Check/, ''),
+      :check_name => self.check_name,
       :message => self.message.to_s,
       :file => (absolute_paths ? self.file.absolute : self.file.relative),
       :line => self.line,
@@ -294,7 +302,7 @@ class Brakeman::Warning
       :render_path => render_path,
       :location => self.location(false),
       :user_input => (@user_input && self.format_user_input(false)),
-      :confidence => TEXT_CONFIDENCE[self.confidence]
+      :confidence => self.confidence_name
     }
   end
 

data/lib/brakeman/warning_codes.rb

@@ -119,6 +119,8 @@ module Brakeman::WarningCodes
     :CVE_2020_8159 => 115,
     :CVE_2020_8166 => 116,
     :erb_template_injection => 117,
+    :http_verb_confusion => 118,
+    :unsafe_method_reflection => 119,
 
     :custom_check => 9090,
   }

data/lib/ruby_parser/bm_sexp.rb

@@ -175,7 +175,7 @@ class Sexp
     start_index = 3
 
     if exp.is_a? Sexp and exp.node_type == :arglist
-      exp = exp[1..-1]
+      exp = exp.sexp_body
     end
 
     exp.each_with_index do |e, i|
@@ -198,10 +198,10 @@ class Sexp
 
     case self.node_type
     when :call, :attrasgn, :safe_call, :safe_attrasgn
-      self[3..-1].unshift :arglist
+      self.sexp_body(3).unshift :arglist
     when :super, :zsuper
       if self[1]
-        self[1..-1].unshift :arglist
+        self.sexp_body.unshift :arglist
       else
         Sexp.new(:arglist)
       end
@@ -218,13 +218,13 @@ class Sexp
     case self.node_type
     when :call, :attrasgn, :safe_call, :safe_attrasgn
       if self[3]
-        self[3..-1]
+        self.sexp_body(3)
       else
         Sexp.new
       end
     when :super, :zsuper
       if self[1]
-        self[1..-1]
+        self.sexp_body
       else
         Sexp.new
       end
@@ -512,7 +512,7 @@ class Sexp
     self.slice!(index..-1) #Remove old body
 
     if exp.first == :rlist
-      exp = exp[1..-1]
+      exp = exp.sexp_body
     end
 
     #Insert new body
@@ -529,11 +529,11 @@ class Sexp
 
     case self.node_type
     when :defn, :class
-      self[3..-1]
+      self.sexp_body(3)
     when :defs
-      self[4..-1]
+      self.sexp_body(4)
     when :module
-      self[2..-1]
+      self.sexp_body(2)
     end
   end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 4.10.0
+  version: 5.0.2
 platform: ruby
 authors:
 - Justin Collins
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-09-28 00:00:00.000000000 Z
+date: 2021-06-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -66,6 +66,20 @@ dependencies:
     - - '='
       - !ruby/object:Gem::Version
         version: 0.10.2
+- !ruby/object:Gem::Dependency
+  name: parallel
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.20'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.20'
 - !ruby/object:Gem::Dependency
   name: ruby_parser
   requirement: !ruby/object:Gem::Requirement
@@ -184,14 +198,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 5.1.0
+        version: '5.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 5.1.0
+        version: '5.1'
 - !ruby/object:Gem::Dependency
   name: slim
   requirement: !ruby/object:Gem::Requirement
@@ -212,6 +226,20 @@ dependencies:
     - - "<="
       - !ruby/object:Gem::Version
         version: '4.1'
+- !ruby/object:Gem::Dependency
+  name: rexml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
 description: Brakeman detects security vulnerabilities in Ruby on Rails applications
   via static analysis. This package declares gem dependencies instead of bundling
   them.
@@ -301,8 +329,10 @@ files:
 - lib/brakeman/checks/check_template_injection.rb
 - lib/brakeman/checks/check_translate_bug.rb
 - lib/brakeman/checks/check_unsafe_reflection.rb
+- lib/brakeman/checks/check_unsafe_reflection_methods.rb
 - lib/brakeman/checks/check_unscoped_find.rb
 - lib/brakeman/checks/check_validation_regex.rb
+- lib/brakeman/checks/check_verb_confusion.rb
 - lib/brakeman/checks/check_weak_hash.rb
 - lib/brakeman/checks/check_without_protection.rb
 - lib/brakeman/checks/check_xml_dos.rb
@@ -333,6 +363,7 @@ files:
 - lib/brakeman/processors/haml_template_processor.rb
 - lib/brakeman/processors/lib/basic_processor.rb
 - lib/brakeman/processors/lib/call_conversion_helper.rb
+- lib/brakeman/processors/lib/file_type_detector.rb
 - lib/brakeman/processors/lib/find_all_calls.rb
 - lib/brakeman/processors/lib/find_call.rb
 - lib/brakeman/processors/lib/find_return_value.rb
@@ -363,12 +394,14 @@ files:
 - lib/brakeman/report/report_base.rb
 - lib/brakeman/report/report_codeclimate.rb
 - lib/brakeman/report/report_csv.rb
+- lib/brakeman/report/report_github.rb
 - lib/brakeman/report/report_hash.rb
 - lib/brakeman/report/report_html.rb
 - lib/brakeman/report/report_json.rb
 - lib/brakeman/report/report_junit.rb
 - lib/brakeman/report/report_markdown.rb
 - lib/brakeman/report/report_sarif.rb
+- lib/brakeman/report/report_sonar.rb
 - lib/brakeman/report/report_table.rb
 - lib/brakeman/report/report_tabs.rb
 - lib/brakeman/report/report_text.rb
@@ -391,6 +424,7 @@ files:
 - lib/brakeman/tracker/constants.rb
 - lib/brakeman/tracker/controller.rb
 - lib/brakeman/tracker/library.rb
+- lib/brakeman/tracker/method_info.rb
 - lib/brakeman/tracker/model.rb
 - lib/brakeman/tracker/template.rb
 - lib/brakeman/util.rb
@@ -418,7 +452,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.4.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="